[Freeipa-users] Problems with expired certificates
Rob Crittenden
rcritten at redhat.com
Mon Oct 21 19:40:43 UTC 2013
Tómas Edwardsson wrote:
> I'm having issues with expired certificates in /var/lib/pki-ca/alias which I'm quite unsure on how to fix. The ones that have expired are:
>
> subsystemCert cert-pki-ca
> Server-Cert cert-pki-ca
>
> According to "getcert list" the following 2 requests are stuck
The error code translates to:
CURLE_SSL_CACERT (60) Peer certificate cannot be authenticated with
known CA certificates.
Which is odd considering that other certificates in the same database
were renewed ok.
I suppose I'd rewind time to the day before expiration and run:
getcert resubmit -i <id> for each of these and see if it goes through.
rob
>
>
> Request ID '20130415234030':
> status: CA_UNREACHABLE
> ca-error: Error 60 connecting to https://auth.d.lan:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
> stuck: yes
> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='502532376322'
> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=D.LAN
> subject: CN=CA Subsystem,O=D.LAN
> expires: 2013-07-10 14:24:34 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> track: yes
> auto-renew: yes
>
> Request ID '20130415234032':
> status: CA_UNREACHABLE
> ca-error: Error 60 connecting to https://auth.d.lan:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
> stuck: yes
> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='502532376322'
> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=D.LAN
> subject: CN=auth.d.lan,O=D.LAN
> expires: 2013-07-10 14:24:33 UTC
> eku: id-kp-serverAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
>
>
> Here is what I could find from some browsing with certutil:
>
> [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> subsystemCert cert-pki-ca                                    u,u,u
> ocspSigningCert cert-pki-ca                                  u,u,u
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> Server-Cert cert-pki-ca                                      u,u,u
> auditSigningCert cert-pki-ca                                 u,u,Pu
>
>
>
> [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "subsystemCert cert-pki-ca"|grep "Not After"
> Not After : Wed Jul 10 14:24:34 2013
> [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "ocspSigningCert cert-pki-ca"|grep "Not After"
> Not After : Mon Jun 29 00:00:55 2015
> [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "caSigningCert cert-pki-ca"|grep "Not After"
> Not After : Sun Jul 21 14:24:32 2019
> [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "Server-Cert cert-pki-ca"|grep "Not After"
> Not After : Wed Jul 10 14:24:33 2013
> [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "auditSigningCert cert-pki-ca"|grep "Not After"
> Not After : Mon Jun 29 00:01:55 2015
>
>
>
> How can I renew the affected certificates?
>
> ---
> Tomas Edwardsson
>
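Added example, not part of the thread: a small Python triage script that parses `getcert list` output of the shape quoted above and flags tracking requests whose certificate is already past its expiry or which certmonger reports as stuck, so the state Tómas found by hand can be checked in one pass. The sample text is constructed from the two quoted requests plus an invented healthy record, and the reply date is used as "now".

```python
import re
from datetime import datetime, timezone
# Constructed sample modelled on the `getcert list` output quoted above (fields the triage
# needs only); the third, healthy record is invented for contrast.
SAMPLE_GETCERT_OUTPUT = """\
Request ID '20130415234030':
        ca-error: Error 60 connecting to https://auth.d.lan:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
        stuck: yes
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2013-07-10 14:24:34 UTC
Request ID '20130415234032':
        ca-error: Error 60 connecting to https://auth.d.lan:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
        stuck: yes
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        expires: 2013-07-10 14:24:33 UTC
Request ID '20130415234099':
        stuck: no
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2015-06-29 00:00:55 UTC
"""
REPLY_DATE = datetime(2013, 10, 21, tzinfo=timezone.utc)  # date of the reply, used as "now"

def parse_getcert(text):
    """Split `getcert list` output into one dict of 'key: value' fields per Request ID."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return requests

def triage(requests, now):
    """Flag each request as expired, stuck, and/or failing the TLS trust check (curl code 60)."""
    findings = []
    for r in requests:
        nick = re.search(r"nickname='([^']+)'", r.get("certificate", ""))
        expires = datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
        findings.append({"id": r["id"], "nickname": nick.group(1) if nick else None,
                         "expired": expires < now, "stuck": r.get("stuck") == "yes",
                         "tls_trust_error": r.get("ca-error", "").startswith("Error 60 ")})
    return findings

def needs_attention(text=SAMPLE_GETCERT_OUTPUT, now=REPLY_DATE):
    """Nicknames whose renewal needs a human: already expired or stuck in certmonger."""
    return [f["nickname"] for f in triage(parse_getcert(text), now) if f["expired"] or f["stuck"]]
```

Pointing the parser at real `getcert list` output (rather than the sample) turns this into a quick check that every tracked certificate in the NSS database is both unexpired and not stuck.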