[Freeipa-users] Subsystem certs not renewed
Federico Nebiolo
iconeb at yahoo.it
Tue Oct 15 08:32:38 UTC 2013
On 14/10/2013 17:01, Rob Crittenden wrote:
> Federico Nebiolo wrote:
>> Dear IPA users,
>>
>> My IPA 3.0 installation on CentOS 6.4 (coming from a 2.2 upgrade)
>> suddenly stopped working for the CA part.
>> I'm not sure this is the root of all the issues, but the subsystem
>> certificates were expired and not renewed: getcert list gives a similar
>> output for all of them, and I don't know how to proceed.
>>
>> []# getcert list -c dogtag-ipa-renew-agent
>>
>> Request ID '20130902075915':
>> status: MONITORING
>> ca-error: No end-entity URL (-E) given, and no default known.
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>> Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=XXXX
>> subject: CN=RA Subsystem,O=XXXX
>> expires: 2013-10-11 07:44:12 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>> track: yes
>> auto-renew: yes
>>
>> Do you have any hints on how to solve?
>
> Try adding a host=<fqdn> to the [global] section in
> /etc/ipa/default.conf where host is the fqdn of your IPA master.
>
> I think you'll need to temporarily go back in time to the 11th for the
> renewal to succeed.
>
> You can force certmonger to try the renewal again with:
>
> # getcert resubmit -i 20130902075915
>
> You'll want to do this for all certs affected by this.
>
> If this works please let us know and we'll make sure that host exists in
> default.conf when upgrades happen.
>
> rob
Rob,
adding host=<fqdn> and moving the clock backward partially worked.
Now both "CN=RA Subsystem" and "CN=<fqdn>" certificates are renewed, but
certmonger is unable to renew "CN=CA Subsystem", "CN=CA Audit" and
"CN=OCSP Subsystem".
The certmonger error is an "Error 35 connecting to
https://<fqdn>:9443/ca/agent/ca/profileReview: SSL connect error": it
seems to me that the self-signed CA certificate in the chain is not accepted by
certmonger, thus the certificates are not renewed. Is there another
parameter I can specify to make dogtag-ipa-renew-agent accept its CA?
Many thanks again
federico
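The recovery steps Rob outlines above (put host=<fqdn> under [global] in /etc/ipa/default.conf, then run getcert resubmit -i for every affected request) as an added shell example; this is not code from the thread or from FreeIPA. It keys on the ca-error line of getcert list output rather than on expiry dates, prints the resubmit commands for the requests that carry one, and adds host= to a default.conf-style file only when the [global] section lacks it. The getcert output, the config file path and the FQDN are constructed for the example; the "move the clock back" step is deliberately left to the operator.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: getcert list output
# is shaped like the sample below (one "Request ID '...':" header per request,
# a "ca-error:" line only when a renewal failed), and default.conf is an
# INI-style file with a [global] section.

# Constructed sample of `getcert list -c dogtag-ipa-renew-agent` output, modeled
# on the thread: the first request failed with a ca-error, the second is healthy.
SAMPLE_GETCERT="Request ID '20130902075915':
    status: MONITORING
    ca-error: No end-entity URL (-E) given, and no default known.
    stuck: no
    CA: dogtag-ipa-renew-agent
    subject: CN=RA Subsystem,O=EXAMPLE
    expires: 2013-10-11 07:44:12 UTC
Request ID '20130902075916':
    status: MONITORING
    stuck: no
    CA: dogtag-ipa-renew-agent
    subject: CN=CA Subsystem,O=EXAMPLE
    expires: 2014-10-11 07:44:12 UTC
"

# failing_request_ids TEXT: print the Request ID of every request in TEXT that
# carries a ca-error line, one per line.
failing_request_ids() {
    printf '%s\n' "$1" | awk -v q="'" '
        /^Request ID/ { id = $3; gsub(q, "", id); gsub(":", "", id); err = 0 }
        /^[ \t]*ca-error:/ { if (!err) { print id; err = 1 } }
    '
}

# resubmit_commands TEXT: the getcert resubmit command for each failing request,
# i.e. what Rob suggests running once default.conf (and the clock) are fixed.
resubmit_commands() {
    failing_request_ids "$1" | while read -r id; do
        printf 'getcert resubmit -i %s\n' "$id"
    done
}

# global_host FILE: print the host= value from the [global] section, if any.
global_host() {
    awk -F= '
        /^\[global\]/ { g = 1; next }
        /^\[/ { g = 0 }
        g && /^host[ \t]*=/ { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }
    ' "$1"
}

# ensure_global_host FILE FQDN: add "host=FQDN" right after the [global] header
# unless the section already has a host= key (an existing value is never
# overwritten); create the section if the file has none.
ensure_global_host() {
    conf=$1
    fqdn=$2
    if [ -n "$(global_host "$conf")" ]; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    awk -v h="$fqdn" '
        { print }
        /^\[global\]/ { print "host=" h; seen = 1 }
        END { if (!seen) { print "[global]"; print "host=" h } }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Usage: show which requests need a resubmit, and the commands to run.
resubmit_commands "$SAMPLE_GETCERT"
```

The awk state machine resets the ca-error flag on every "Request ID" header, so a request is printed once no matter how many error lines it carries; ensure_global_host rewrites the file through a temporary copy so a failed awk run leaves the original untouched.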