[Freeipa-users] Subsystem certs not renewed

Rob Crittenden rcritten at redhat.com
Tue Oct 15 17:37:49 UTC 2013


Federico Nebiolo wrote:
> On 14/10/2013 17:01, Rob Crittenden wrote:
>> Federico Nebiolo wrote:
>>> Dear IPA users,
>>>
>>> My IPA 3.0 installation on CentOS 6.4 (coming from a 2.2 upgrade)
>>> suddenly stopped working for the CA part.
>>> I'm not sure this is the root of all the issues, but the subsystem
>>> certificates were expired and not renewed: getcert list gives a similar
>>> output for all of them, and I don't know how to proceed.
>>>
>>> []# getcert list -c dogtag-ipa-renew-agent
>>>
>>> Request ID '20130902075915':
>>>      status: MONITORING
>>>      ca-error: No end-entity URL (-E) given, and no default known.
>>>      stuck: no
>>>      key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>      certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>      CA: dogtag-ipa-renew-agent
>>>      issuer: CN=Certificate Authority,O=XXXX
>>>      subject: CN=RA Subsystem,O=XXXX
>>>      expires: 2013-10-11 07:44:12 UTC
>>>      eku: id-kp-serverAuth,id-kp-clientAuth
>>>      pre-save command:
>>>      post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>>      track: yes
>>>      auto-renew: yes
>>>
>>> Do you have any hints on how to solve this?
>>
>> Try adding a host=<fqdn> to the [global] section in
>> /etc/ipa/default.conf where host is the fqdn of your IPA master.
>>
>> I think you'll need to temporarily go back in time to the 11th for the
>> renewal to succeed.
>>
>> You can force certmonger to try the renewal again with:
>>
>> # getcert resubmit -i 20130902075915
>>
>> You'll want to do this for all certs affected by this.
>>
>> If this works please let us know and we'll make sure that host exists in
>> default.conf when upgrades happen.
>>
>> rob
>
> Rob,
> adding host=<fqdn> and moving the clock backward partially worked.
>
> Now both "CN=RA Subsystem" and "CN=<fqdn>" certificates are renewed, but
> certmonger is unable to renew "CN=CA Subsystem", "CN=CA Audit" and
> "CN=OCSP Subsystem".
>
> The certmonger error is "Error 35 connecting to
> https://<fqdn>:9443/ca/agent/ca/profileReview: SSL connect error": it
> seems to me that the self-signed CA certificate in the chain is not accepted by
> certmonger, thus the certificates are not renewed. Is there another
> parameter I can specify to make dogtag-ipa-renew-agent accept its CA?

I'm not sure why it wouldn't accept the connection. Could it be that you 
didn't set time back far enough?

I think you can simulate things with something like:

# echo "" > /tmp/pw
# sslget -v -d /etc/pki/nssdb/ -w /tmp/pw -r /ca/ee/ca/getCertChain ipa.example.com:9443

You might try a similar command with curl; you just need to create the 
sqlite equivalent first:

# certutil -A -d sql:/etc/pki/nssdb -n 'IPA CA' -t CT,CT, -a -i /etc/ipa/ca.crt
# curl -v https://ipa.example.com:9443/ca/ee/ca/getCertChain

Hopefully you'll get a more specific error message out of one of those.

rob
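Added example, not part of the thread and not FreeIPA or certmonger code: a small Python script that parses `getcert list` output of the shape quoted above, lists the request IDs whose certificates are expired or about to expire, prints the `getcert resubmit -i <id>` command for each (the "do this for all certs affected" step), and computes the latest clock value that keeps every expired certificate valid, which is the "go back in time" step. The sample output, the hostnames and org name, the 30-day warning window and the one-day margin are constructed assumptions; the rule that the clock must predate the earliest expiry among the expired certificates is an inference from the thread's advice, not documented certmonger behaviour.

```python
"""Triage `getcert list` output: flag tracked certificates that have expired
or soon will, print the `getcert resubmit` commands to retry them, and work
out how far back the clock must go for a manual renewal.  Added example for
this thread, not FreeIPA or certmonger code: the field names follow the
`getcert list` output quoted above; the sample data, the 30-day warning
window and the one-day rollback margin are assumptions."""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the thread's output; org, host and all but
# the first expiry are made up.  Real getcert indents fields with a tab.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 4.
Request ID '20130902075915':
\tstatus: MONITORING
\tca-error: No end-entity URL (-E) given, and no default known.
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=RA Subsystem,O=EXAMPLE.COM
\texpires: 2013-10-11 07:44:12 UTC
Request ID '20130902075916':
\tstatus: MONITORING
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=CA Audit,O=EXAMPLE.COM
\texpires: 2013-10-13 09:10:00 UTC
Request ID '20130902075917':
\tstatus: MONITORING
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=OCSP Subsystem,O=EXAMPLE.COM
\texpires: 2013-11-05 12:00:00 UTC
Request ID '20130902075918':
\tstatus: MONITORING
\tCA: IPA
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 2015-09-02 08:00:00 UTC
"""
REFERENCE_NOW = datetime(2013, 10, 15, 17, 37, 49, tzinfo=timezone.utc)  # the mail's date
REQUEST_RE = re.compile(r"^Request ID '([^']+)':")

def parse_getcert_list(text):
    """Return one dict of 'field: value' pairs per 'Request ID' block."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:  # skips the leading summary line
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def parse_expiry(value):
    """getcert prints 'YYYY-MM-DD HH:MM:SS UTC'; return an aware datetime."""
    stamp = value[:-4] if value.endswith(" UTC") else value
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def triage(requests, now, warn_days=30):
    """Requests needing action, earliest expiry first.  Status stays MONITORING
    after a failed attempt (as in the thread), so the ca-error is carried along."""
    horizon = now + timedelta(days=warn_days)
    findings = []
    for req in requests:
        expires = parse_expiry(req["expires"])
        if expires <= now:
            reason = "expired"
        elif expires <= horizon:
            reason = "expiring"
        else:
            continue
        findings.append({"request_id": req["request_id"], "subject": req.get("subject", ""),
                         "expires": expires, "reason": reason, "ca_error": req.get("ca-error", "")})
    return sorted(findings, key=lambda f: f["expires"])

def resubmit_commands(findings):
    """One `getcert resubmit -i <id>` per finding, as suggested above."""
    return [f"getcert resubmit -i {f['request_id']}" for f in findings]

def clock_rollback_target(findings, margin=timedelta(days=1)):
    """Clock value at which every expired cert is still valid, or None.  An
    assumption drawn from the 'go back in time' advice: the certs used during
    renewal must all be valid at once, so predate the earliest expiry."""
    expired = [f["expires"] for f in findings if f["reason"] == "expired"]
    return min(expired) - margin if expired else None

if __name__ == "__main__":  # `getcert list | python3 getcert_triage.py` for live data
    live = not sys.stdin.isatty()
    text, now = (sys.stdin.read(), datetime.now(timezone.utc)) if live else (SAMPLE_GETCERT_OUTPUT, REFERENCE_NOW)
    findings = triage(parse_getcert_list(text), now)
    for f in findings:
        print(f"{f['reason']:8} {f['request_id']}  {f['subject']}  expires {f['expires']:%Y-%m-%d %H:%M} UTC  {f['ca_error']}")
    target = clock_rollback_target(findings)
    if target:
        print(f"Set the clock before {target:%Y-%m-%d %H:%M:%S} UTC, then run:")
    print("\n".join(resubmit_commands(findings)))
```

Run without a pipe it works on the constructed sample with the clock fixed at the date of this mail; piped from a real `getcert list` it uses the current time. Against the sample it reports the RA Subsystem and CA Audit certificates as expired, the OCSP Subsystem certificate as expiring within the window, and recommends setting the clock before 2013-10-10 07:44:12 UTC (one day before the earliest expiry) before resubmitting the three requests.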
