[Freeipa-users] Subsystem certs not renewed

Federico Nebiolo iconeb at yahoo.it
Tue Oct 15 08:32:38 UTC 2013


Il 14/10/2013 17:01, Rob Crittenden ha scritto:
> Federico Nebiolo wrote:
>> Dear IPA users,
>>
>> My IPA 3.0 installation on CentOS 6.4 (coming from a 2.2 upgrade)
>> suddenly stopped working for the CA part.
>> I'm not sure this is the root of all the issues, but the subsystem
>> certificates were expired and not renewed: getcert list gives a similar
>> output for all of them, and I don't know how to proceed.
>>
>> []# getcert list -c dogtag-ipa-renew-agent
>>
>> Request ID '20130902075915':
>>     status: MONITORING
>>     ca-error: No end-entity URL (-E) given, and no default known.
>>     stuck: no
>>     key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>     certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>> Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=XXXX
>>     subject: CN=RA Subsystem,O=XXXX
>>     expires: 2013-10-11 07:44:12 UTC
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>     track: yes
>>     auto-renew: yes
>>
>> Do you have any hints on how to solve this?
> 
> Try adding a host=<fqdn> to the [global] section in
> /etc/ipa/default.conf where host is the fqdn of your IPA master.
> 
> I think you'll need to temporarily go back in time to the 11th for the
> renewal to succeed.
> 
> You can force certmonger to try the renewal again with:
> 
> # getcert resubmit -i 20130902075915
> 
> You'll want to do this for all certs affected by this.
> 
> If this works please let us know and we'll make sure that host exists in
> default.conf when upgrades happen.
> 
> rob

Rob,
adding host=<fqdn> and moving the clock backward partially worked.

Now both "CN=RA Subsystem" and "CN=<fqdn>" certificates are renewed, but
certmonger is unable to renew "CN=CA Subsystem", "CN=CA Audit" and
"CN=OCSP Subsystem".

The certmonger error is "Error 35 connecting to
https://<fqdn>:9443/ca/agent/ca/profileReview: SSL connect error": it
seems to me that the self-signed CA certificate in the chain is not accepted by
certmonger, thus the certificates are not renewed. Is there another
parameter I can specify to make dogtag-ipa-renew-agent accept its CA?

Many thanks again
federico
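The thread above turns on spotting certmonger tracking requests that have silently stopped renewing (a ca-error, a stuck request, an expiry date that has already passed). The following is an added example, not code from the thread or from FreeIPA/certmonger: a small POSIX shell/awk filter that reads `getcert list` output in the layout quoted above and prints one line per request needing attention. The sample output, the request IDs 20130902075916/20130902075917, the host ipa.example.test and the organisation O=EXAMPLE are constructed for the demonstration; the function and its two date arguments are assumptions of this example, not certmonger options.

```sh
#!/bin/sh
# Added example (not from the thread, not certmonger code): audit the output of
# `getcert list` for tracking requests that need an admin's attention.

# Constructed sample in the shape `getcert list -c dogtag-ipa-renew-agent` prints.
# Request 1 mirrors the failing RA cert from the thread; request 2 is healthy;
# request 3 is stuck behind a CA connection error and expires soon.
SAMPLE_GETCERT_OUTPUT="Request ID '20130902075915':
    status: MONITORING
    ca-error: No end-entity URL (-E) given, and no default known.
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    subject: CN=RA Subsystem,O=EXAMPLE
    expires: 2013-10-11 07:44:12 UTC
    track: yes
    auto-renew: yes
Request ID '20130902075916':
    status: MONITORING
    stuck: no
    subject: CN=ipa.example.test,O=EXAMPLE
    expires: 2015-09-01 12:00:00 UTC
    track: yes
    auto-renew: yes
Request ID '20130902075917':
    status: MONITORING
    ca-error: Error 35 connecting to https://ipa.example.test:9443/ca/agent/ca/profileReview: SSL connect error
    stuck: yes
    subject: CN=CA Subsystem,O=EXAMPLE
    expires: 2013-11-01 00:00:00 UTC
    track: yes
    auto-renew: yes
"

# audit_getcert NOW WARN_UNTIL
#   Reads `getcert list` output on stdin; prints "<request id> <PROBLEM> ..." lines.
#   NOW and WARN_UNTIL are "YYYY-MM-DD HH:MM:SS UTC" strings, the exact format
#   getcert uses for "expires:". Because that format is fixed-width and
#   zero-padded, plain string comparison orders timestamps correctly, so the
#   check needs no date(1) arithmetic and runs on any POSIX awk.
audit_getcert() {
    awk -v now="$1" -v warn_until="$2" '
        function flush() {
            if (id == "") return
            if (caerr != "")        printf "%s CA-ERROR %s\n", id, caerr
            if (stuck == "yes")     printf "%s STUCK\n", id
            if (expires != "") {
                if (expires <= now)             printf "%s EXPIRED %s (%s)\n", id, expires, subject
                else if (expires <= warn_until) printf "%s EXPIRING %s (%s)\n", id, expires, subject
            }
            if (autorenew != "yes") printf "%s NO-AUTO-RENEW\n", id
        }
        /^Request ID / {
            flush()
            # $3 is the quoted id plus a trailing colon, e.g. '"'"'20130902075915'"'"':
            id = $3; gsub(/:/, "", id); id = substr(id, 2, length(id) - 2)
            caerr = ""; stuck = ""; expires = ""; subject = ""; autorenew = ""
            next
        }
        /^[ \t]*ca-error:/   { sub(/^[ \t]*ca-error:[ \t]*/, ""); caerr = $0;   next }
        /^[ \t]*stuck:/      { stuck = $2;                                       next }
        /^[ \t]*expires:/    { sub(/^[ \t]*expires:[ \t]*/, "");  expires = $0; next }
        /^[ \t]*subject:/    { sub(/^[ \t]*subject:[ \t]*/, "");  subject = $0; next }
        /^[ \t]*auto-renew:/ { autorenew = $2;                                   next }
        END { flush() }
    '
}

# Demonstration on the constructed sample, evaluated at the time of the post
# with a 30-day warning window. On a real master you would pipe `getcert list`
# in and build the two timestamps with GNU date, e.g.
#   getcert list | audit_getcert "$(date -u '+%Y-%m-%d %H:%M:%S UTC')" \
#                                "$(date -u -d '+30 days' '+%Y-%m-%d %H:%M:%S UTC')"
printf '%s' "$SAMPLE_GETCERT_OUTPUT" \
    | audit_getcert "2013-10-15 08:32:38 UTC" "2013-11-14 08:32:38 UTC"
```

Anything the filter flags with CA-ERROR or STUCK is a candidate for `getcert resubmit -i <id>` after the underlying cause (here, the missing host= in default.conf or the CA connection failure) has been fixed; running it from cron well before the expiry dates gives you the warning this thread's author did not get.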