[Freeipa-users] Expired certs not auto renewed by Certmonger

Rob Crittenden rcritten at redhat.com
Thu May 2 21:17:02 UTC 2013


Toasted Penguin wrote:
> Yes that helped fix 2012092520027 (thank you!!)
>
> But I am still seeing an error with:
>
> Request ID '20120615190133':
> status: CA_UNCONFIGURED
> ca-error: Error setting up ccache for local "host" service using default keytab.
> stuck: yes
> key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
> certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
> CA: IPA
> issuer:
> subject:
> expires: unknown
> track: yes
> auto-renew: yes
>
> I noticed that the request ID doesn't show up
> in /var/lib/certmonger/requests/, does that make a difference?

The request ID usually, but not always, matches the name of the request 
files.

We don't usually issue a Server-Cert for an IPA server. Could this be a 
remnant of an older client install?

Is there a Server-Cert in /etc/pki/nssdb? certutil -L -d /etc/pki/nssdb

rob
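As an added example that is not part of the thread, here is a small POSIX shell/awk filter over `getcert list` output that flags the symptoms being discussed: requests that are stuck, not in MONITORING status, or whose expiry is unknown or already in the past. It assumes getcert's field layout ("status:", "stuck:", "expires: YYYY-MM-DD HH:MM:SS UTC") and uses a constructed sample modelled on David's stuck request.

```shell
# Flag certmonger requests that will not renew on their own. Reads `getcert list`
# output on stdin; $1 is "now" as "YYYY-MM-DD HH:MM:SS" (UTC), compared as a string
# against the "expires:" field, which getcert prints in that format (assumption).
flag_certmonger_requests() {
    awk -v now="$1" -v q="'" '
    function flush(   why) {
        if (id == "") return
        why = ""
        if (stuck == "yes")          why = why " stuck"
        if (status != "MONITORING")  why = why " status=" status
        if (expires == "" || expires == "unknown")
            why = why " expires=unknown"
        else if (now != "" && substr(expires, 1, 19) < now)
            why = why " expired(" expires ")"
        if (why != "") print id ":" why
    }
    /^Request ID/ { flush(); id = $3; gsub(q, "", id); sub(/:$/, "", id)
                    status = ""; stuck = ""; expires = ""; next }
    { sub(/^[ \t]+/, "") }       # getcert indents each field with a tab
    /^status: /  { status = $2 }
    /^stuck: /   { stuck = $2 }
    /^expires: / { sub(/^expires: */, ""); expires = $0 }
    END { flush() }'
}
# Constructed sample (not captured from the poster's host): the stuck request from
# the thread plus two made-up entries, one already expired and one healthy.
sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20120615190133':
    status: CA_UNCONFIGURED
    ca-error: Error setting up ccache for local "host" service using default keytab.
    stuck: yes
    certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
    expires: unknown
    auto-renew: yes
Request ID 'example-expired':
    status: MONITORING
    stuck: no
    expires: 2013-03-24 19:56:36 UTC
Request ID 'example-healthy':
    status: MONITORING
    stuck: no
    expires: 2014-03-24 19:56:36 UTC
EOF
}
# Live use: getcert list | flag_certmonger_requests "$(date -u '+%F %T')"
sample_getcert_list | flag_certmonger_requests "2013-05-02 18:15:14"
```

Run it from cron against `getcert list` and a request that has silently stopped renewing shows up before its certificate expires, rather than when a client's TLS handshake fails.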
>
> David
>
>
> On Thu, May 2, 2013 at 2:35 PM, Nalin Dahyabhai <nalin at redhat.com> wrote:
>
>     On Thu, May 02, 2013 at 01:23:04PM -0500, Toasted Penguin wrote:
>      > /etc/ipa/ca.crt was issued by O=CTIDATA.NET, CN=Certificate Authority
>      >
>      > All the certs monitored by Certmonger show the same issuer.
>
>     Ok, good.  (If that hadn't been the case, I wouldn't have had an
>     explanation to offer.)
>
>      > Wasn't getting anything back when running the ipahost script you provided,
>      > ran  ipahost=`grep ^host= /etc/ipa/default.conf | cut -f2- -d=` and echo
>      > $ipahost shows nothing so I just ran the openssl section manually:
>
>     Hmm.  Curious.  That might be a leftover from having different releases
>     installed at various times on my test box.  Thanks for continuing on.
>
>      > openssl s_client -CAfile /etc/ipa/ca.crt -connect ipa01.ctidata.net:https -showcerts < /dev/null
>      >
>      > Results:
>      > CONNECTED(00000003)
>      > depth=1 O = CTIDATA.NET, CN = Certificate Authority
>      > verify return:1
>      > depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
>      > verify error:num=10:certificate has expired
>      > notAfter=Mar 24 19:56:36 2013 GMT
>      > verify return:1
>      > depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
>      > notAfter=Mar 24 19:56:36 2013 GMT
>      > verify return:1
>      > ---
>      > Certificate chain
>      >  0 s:/O=CTIDATA.NET/CN=ipa01.ctidata.net
>      >    i:/O=CTIDATA.NET/CN=Certificate Authority
>      > -----BEGIN CERTIFICATE-----
>      > #####
>      > -----END CERTIFICATE-----
>      >  1 s:/O=CTIDATA.NET/CN=Certificate Authority
>      >    i:/O=CTIDATA.NET/CN=Certificate Authority
>      > -----BEGIN CERTIFICATE-----
>      > ####
>      > -----END CERTIFICATE-----
>      > ---
>      > Server certificate
>      > subject=/O=CTIDATA.NET/CN=ipa01.ctidata.net
>      > issuer=/O=CTIDATA.NET/CN=Certificate Authority
>      > ---
>      > No client certificate CA names sent
>      > ---
>      > SSL handshake has read 1959 bytes and written 463 bytes
>      > ---
>      > New, TLSv1/SSLv3, Cipher is AES256-SHA
>      > Server public key is 2048 bit
>      > Secure Renegotiation IS supported
>      > Compression: NONE
>      > Expansion: NONE
>      > SSL-Session:
>      >     Protocol  : TLSv1
>      >     Cipher    : AES256-SHA
>      >     Session-ID: #####
>      >     Session-ID-ctx:
>      >     Master-Key: ####
>      >     Key-Arg   : None
>      >     Krb5 Principal: None
>      >     PSK identity: None
>      >     PSK identity hint: None
>      >     Start Time: 1367518514
>      >     Timeout   : 300 (sec)
>      >     Verify return code: 10 (certificate has expired)
>      > ---
>      > DONE
>
>     Yup, that's the problem: the IPA server's certificate wasn't able to be
>     replaced while it was still valid, and now it can no longer ask itself
>     for a new one.
>
>     With 2.1.4, I think the simplest way to sort this is to stop the
>     services (ipactl stop; service certmonger stop), roll the system date
>     back, start the services up again, possibly use 'ipa-getcert resubmit'
>     to force updating (it should happen automatically, but forcing it to
>     happen a second time won't hurt).  Then shut things down, set the
>     correct time on the clock, and bring everything back up again.
>
>     Hopefully there's a smarter way to do it, but I'm blanking on it if
>     there is one.
>
>     HTH,
>
>     Nalin
>