[Freeipa-users] Expired certs not auto renewed by Cermonger
Rob Crittenden
rcritten at redhat.com
Thu May 2 21:17:02 UTC 2013
Toasted Penguin wrote:
> Yes that helped fix 2012092520027 (thank you!!)
>
> But I am still seeing an error with:
>
> Request ID '20120615190133':
> status: CA_UNCONFIGURED
> ca-error: Error setting up ccache for local "host" service using default
> keytab.
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS
> Certificate DB'
> certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
> CA: IPA
> issuer:
> subject:
> expires: unknown
> track: yes
> auto-renew: yes
>
> I noticed that the request ID doesn't show up
> in /var/lib/certmonger/requests/, does that make a difference?
The request ID usually, but not always matches the name of the request
files.
We don't usually issue a Server-Cert for an IPA server. Could this be a
remnant of an older client install?
Is there a Server-Cert in /etc/pki/nssdb? certutil -L -d /etc/pki/nssdb
rob
>
> David
>
>
> On Thu, May 2, 2013 at 2:35 PM, Nalin Dahyabhai <nalin at redhat.com
> <mailto:nalin at redhat.com>> wrote:
>
> On Thu, May 02, 2013 at 01:23:04PM -0500, Toasted Penguin wrote:
> > /etc/ipa/ca.crt was issued by O=CTIDATA.NET <http://CTIDATA.NET>,
> CN=Certificate Authority
> >
> > All the certs monitored by Certmonger show the same issuer.
>
> Ok, good. (If that hadn't been the case, I wouldn't have had an
> explanation to offer.)
>
> > Wasn't getting anything back when running the ipahost script you
> provided,
> > ran ipahost=`grep ^host= /etc/ipa/default.conf | cut -f2- -d=`
> and echo
> > $ipahost shows nothing so I just ran the openssl section manually:
>
> Hmm. Curious. That might be a leftover from having different releases
> installed at various times on my test box. Thanks for continuing on.
>
> > openssl s_client -CAfile /etc/ipa/ca.crt -connect
> ipa01.ctidata.net:https
> > -showcerts < /dev/null
> >
> > Results:
> > CONNECTED(00000003)
> > depth=1 O = CTIDATA.NET <http://CTIDATA.NET>, CN = Certificate
> Authority
> > verify return:1
> > depth=0 O = CTIDATA.NET <http://CTIDATA.NET>, CN =
> ipa01.ctidata.net <http://ipa01.ctidata.net>
> > verify error:num=10:certificate has expired
> > notAfter=Mar 24 19:56:36 2013 GMT
> > verify return:1
> > depth=0 O = CTIDATA.NET <http://CTIDATA.NET>, CN =
> ipa01.ctidata.net <http://ipa01.ctidata.net>
> > notAfter=Mar 24 19:56:36 2013 GMT
> > verify return:1
> > ---
> > Certificate chain
> > 0 s:/O=CTIDATA.NET/CN=ipa01.ctidata.net
> <http://CTIDATA.NET/CN=ipa01.ctidata.net>
> > i:/O=CTIDATA.NET/CN=Certificate
> <http://CTIDATA.NET/CN=Certificate> Authority
> > -----BEGIN CERTIFICATE-----
> > #####
> > -----END CERTIFICATE-----
> > 1 s:/O=CTIDATA.NET/CN=Certificate
> <http://CTIDATA.NET/CN=Certificate> Authority
> > i:/O=CTIDATA.NET/CN=Certificate
> <http://CTIDATA.NET/CN=Certificate> Authority
> > -----BEGIN CERTIFICATE-----
> > ####
> > -----END CERTIFICATE-----
> > ---
> > Server certificate
> > subject=/O=CTIDATA.NET/CN=ipa01.ctidata.net
> <http://CTIDATA.NET/CN=ipa01.ctidata.net>
> > issuer=/O=CTIDATA.NET/CN=Certificate
> <http://CTIDATA.NET/CN=Certificate> Authority
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 1959 bytes and written 463 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is AES256-SHA
> > Server public key is 2048 bit
> > Secure Renegotiation IS supported
> > Compression: NONE
> > Expansion: NONE
> > SSL-Session:
> > Protocol : TLSv1
> > Cipher : AES256-SHA
> > Session-ID: #####
> > Session-ID-ctx:
> > Master-Key: ####
> > Key-Arg : None
> > Krb5 Principal: None
> > PSK identity: None
> > PSK identity hint: None
> > Start Time: 1367518514
> > Timeout : 300 (sec)
> > Verify return code: 10 (certificate has expired)
> > ---
> > DONE
>
> Yup, that's the problem: the IPA server's certificate wasn't able to be
> replaced while it was still valid, and now it can no longer ask itself
> for a new one.
>
> With 2.1.4, I think the simplest way to sort this is to stop the
> services (ipactl stop; service certmonger stop), roll the system date
> back, start the services up again, possibly use 'ipa-getcert resubmit'
> to force updating (it should happen automatically, but forcing it to
> happen a second time won't hurt). Then shut things down, set the
> correct time on the clock, and bring everything back up again.
>
> Hopefully there's a smarter way to do it, but I'm blanking on it if
> there is one.
>
> HTH,
>
> Nalin
>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
More information about the Freeipa-users
mailing list