[Freeipa-users] Expired certs not auto renewed by Certmonger

Toasted Penguin toastedpenguininfo at gmail.com
Thu May 2 21:13:51 UTC 2013


Yes, that helped fix 2012092520027 (thank you!!)

But I am still seeing an error with:

Request ID '20120615190133':
status: CA_UNCONFIGURED
ca-error: Error setting up ccache for local "host" service using default keytab.
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
CA: IPA
issuer:
subject:
expires: unknown
track: yes
auto-renew: yes

I noticed that the request ID doesn't show up
in /var/lib/certmonger/requests/, does that make a difference?

David


On Thu, May 2, 2013 at 2:35 PM, Nalin Dahyabhai <nalin at redhat.com> wrote:

> On Thu, May 02, 2013 at 01:23:04PM -0500, Toasted Penguin wrote:
> > /etc/ipa/ca.crt was issued by O=CTIDATA.NET, CN=Certificate Authority
> >
> > All the certs monitored by Certmonger show the same issuer.
>
> Ok, good.  (If that hadn't been the case, I wouldn't have had an
> explanation to offer.)
>
> > Wasn't getting anything back when running the ipahost script you
> > provided,
> > ran ipahost=`grep ^host= /etc/ipa/default.conf | cut -f2- -d=` and echo
> > $ipahost shows nothing so I just ran the openssl section manually:
>
> Hmm.  Curious.  That might be a leftover from having different releases
> installed at various times on my test box.  Thanks for continuing on.
>
> > openssl s_client -CAfile /etc/ipa/ca.crt -connect ipa01.ctidata.net:https
> > -showcerts < /dev/null
> >
> > Results:
> > CONNECTED(00000003)
> > depth=1 O = CTIDATA.NET, CN = Certificate Authority
> > verify return:1
> > depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
> > verify error:num=10:certificate has expired
> > notAfter=Mar 24 19:56:36 2013 GMT
> > verify return:1
> > depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
> > notAfter=Mar 24 19:56:36 2013 GMT
> > verify return:1
> > ---
> > Certificate chain
> >  0 s:/O=CTIDATA.NET/CN=ipa01.ctidata.net
> >    i:/O=CTIDATA.NET/CN=Certificate Authority
> > -----BEGIN CERTIFICATE-----
> > #####
> > -----END CERTIFICATE-----
> >  1 s:/O=CTIDATA.NET/CN=Certificate Authority
> >    i:/O=CTIDATA.NET/CN=Certificate Authority
> > -----BEGIN CERTIFICATE-----
> > ####
> > -----END CERTIFICATE-----
> > ---
> > Server certificate
> > subject=/O=CTIDATA.NET/CN=ipa01.ctidata.net
> > issuer=/O=CTIDATA.NET/CN=Certificate Authority
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 1959 bytes and written 463 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is AES256-SHA
> > Server public key is 2048 bit
> > Secure Renegotiation IS supported
> > Compression: NONE
> > Expansion: NONE
> > SSL-Session:
> >     Protocol  : TLSv1
> >     Cipher    : AES256-SHA
> >     Session-ID: #####
> >     Session-ID-ctx:
> >     Master-Key: ####
> >     Key-Arg   : None
> >     Krb5 Principal: None
> >     PSK identity: None
> >     PSK identity hint: None
> >     Start Time: 1367518514
> >     Timeout   : 300 (sec)
> >     Verify return code: 10 (certificate has expired)
> > ---
> > DONE
>
> Yup, that's the problem: the IPA server's certificate wasn't able to be
> replaced while it was still valid, and now it can no longer ask itself
> for a new one.
>
> With 2.1.4, I think the simplest way to sort this is to stop the
> services (ipactl stop; service certmonger stop), roll the system date
> back, start the services up again, possibly use 'ipa-getcert resubmit'
> to force updating (it should happen automatically, but forcing it to
> happen a second time won't hurt).  Then shut things down, set the
> correct time on the clock, and bring everything back up again.
>
> Hopefully there's a smarter way to do it, but I'm blanking on it if
> there is one.
>
> HTH,
>
> Nalin
>
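The situation in this thread (a tracked request that is stuck in CA_UNCONFIGURED with an unknown expiry, and a server certificate that was allowed to expire before certmonger could replace it) is easy to miss unless someone reads the whole of `getcert list` by hand. The script below is an added example, not code from the thread or from the certmonger/FreeIPA projects: a small bash/awk triage that reads `getcert list`-style output from stdin and prints one line per request that needs attention, because its status is not MONITORING, it is marked stuck, it carries a ca-error, its expiry is unknown, or it expires before a caller-supplied cutoff. The sample input is constructed, modelled on the output posted above (request IDs, names and dates are made up), and the script assumes a POSIX awk and that the `expires:` field uses certmonger's `YYYY-MM-DD HH:MM:SS UTC` form, which sorts correctly as a plain string.

```shell
#!/bin/bash
# Added example (not from the thread or from certmonger): triage "getcert list"
# output and report every tracking request that needs a human to look at it.

# Constructed sample, modelled on the output posted in the thread. Real
# "getcert list" output indents the attribute lines with a tab; the parser
# below accepts tabs or spaces.
sample_getcert_output() {
cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20120615190133':
    status: CA_UNCONFIGURED
    ca-error: Error setting up ccache for local "host" service using default keytab.
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
    CA: IPA
    issuer:
    subject:
    expires: unknown
    track: yes
    auto-renew: yes
Request ID '20120925200027':
    status: MONITORING
    stuck: no
    CA: IPA
    issuer: O=EXAMPLE.TEST,CN=Certificate Authority
    subject: O=EXAMPLE.TEST,CN=ipa01.example.test
    expires: 2013-03-24 19:56:36 UTC
    track: yes
    auto-renew: yes
Request ID '20130101000000':
    status: MONITORING
    stuck: no
    CA: IPA
    expires: 2099-01-01 00:00:00 UTC
    track: yes
    auto-renew: yes
EOF
}

# triage_getcert CUTOFF   (reads getcert output on stdin)
# CUTOFF is "YYYY-MM-DD HH:MM:SS" in UTC; any request expiring before it is
# reported. Output: one "REQUEST_ID<TAB>reason;reason;..." line per problem
# request, nothing for healthy ones.
triage_getcert() {
  local cutoff="$1"
  awk -v cutoff="$cutoff" -v q="'" '
    # Emit the record collected so far, if it has anything wrong with it.
    function flush(   reason) {
      if (id == "") return
      reason = ""
      if (status != "" && status != "MONITORING") reason = reason "status=" status ";"
      if (stuck == "yes") reason = reason "stuck;"
      if (caerr != "") reason = reason "ca-error;"
      if (expires == "" || expires == "unknown") reason = reason "expiry-unknown;"
      else if (expires < cutoff) reason = reason "expires-before-cutoff(" expires ");"
      if (reason != "") print id "\t" reason
      id = ""; status = ""; stuck = ""; caerr = ""; expires = ""
    }
    # A new "Request ID" line starts a record; the ID sits between single quotes.
    /^Request ID/ { flush(); split($0, a, q); id = a[2]; next }
    /^[ \t]*status:/   { status = $2; next }
    /^[ \t]*stuck:/    { stuck = $2; next }
    /^[ \t]*ca-error:/ { sub(/^[ \t]*ca-error:[ \t]*/, ""); caerr = $0; next }
    /^[ \t]*expires:/  { sub(/^[ \t]*expires:[ \t]*/, ""); sub(/ UTC$/, ""); expires = $0; next }
    END { flush() }
  '
}

# Stand-alone run: use the current time as the cutoff, so only already-expired,
# stuck or unconfigured requests are listed. On a live host replace the sample
# with "getcert list | triage_getcert ...".
sample_getcert_output | triage_getcert "$(date -u +'%Y-%m-%d %H:%M:%S')"
```

To get advance warning rather than a post-mortem, pass a cutoff some days in the future (with GNU date, `date -u -d '+30 days' +'%Y-%m-%d %H:%M:%S'`); a request whose expiry falls before that cutoff still has a valid certificate, which is exactly the window in which certmonger can renew it without the clock-rollback workaround described above.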