[Freeipa-users] Replica Cert failed to renew ...

Martin Kosek mkosek at redhat.com
Wed Aug 6 14:07:35 UTC 2014


Right, the processing route may not seem obvious. certmonger uses the server
from /etc/ipa/default.conf. This server does not necessarily need to also run
a CA; we account for that option.

When certmonger wants to renew or request a certificate, it calls the cert-request
API call on that server. The API call calls the Dogtag backend, which checks if the
server is a CA-powered IPA. If it is not, it picks any other master where the CA
*is* installed and connects to that one for the certificate operation. Check
_select_any_master in ipaserver/plugins/dogtag.py if you are interested in
the code.

Does that help?

Martin

On 08/06/2014 12:16 AM, Matt Bryant wrote:
> Hmmm so question here .. our domain was originally installed as a 2.x and
> upgraded to 3.x  .. I installed the replicas using the ipa-replica-prepare etc
> but the CA dirsrv instance was never copied over or started on the replicas (ie
> no slapd-PKI-* around) .. yet /etc/ipa/defaults.conf points to the replica
> itself for certmonger - so not sure how that will work given there is no CA
> copy running on the replica ..
> 
> In the end the process followed was to change the xmlrpc_uri to the original
> master and delete and resubmit the cert request for Server-Cert for slapd &
> httpd/alias; we get an up to date cert ... not sure if anything else is broken by
> doing that though ...
> 
> I assume maybe the replica install/mgmt under 2.x was slightly or perhaps
> majorly different ...
> 
> rgds
> 
> Matt
> 
> On 31/07/2014 6:21 pm, Martin Kosek wrote:
>> (Adding back the users list as this may be interesting for everyone)
>>
>> Ok, the steps suggested below should help. If the DS does not want to start at
>> all because of the expired certificate, you can also edit
>> /etc/dirsrv/slapd-YOUR-REALM/dse.ldif manually (only when the dirsrv
>> service is stopped).
>>
>> Martin
>>
>> On 07/31/2014 09:53 AM, Matt Bryant wrote:
>>> Martin,
>>>
>>> Correct in that the replica does not have a CA and the version being run is
>>>
>>> $ rpm -qa ipa-server
>>> ipa-server-3.0.0-25.el6.x86_64
>>>
>>> restarted the services and get
>>>
>>> Starting dirsrv:
>>>      SERVER-IPA...[31/Jul/2014:18:00:15 +1000] - SSL alert:
>>> CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of
>>> family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 -
>>> Peer's Certificate has expired.)
>>>
>>> so I think it is just dealing with an expired cert ... so will try the other
>>> steps suggested  ..
>>>
>>> rgds
>>>
>>> Matt Bryant
>>>
>>> On 31/07/14 17:33, Martin Kosek wrote:
>>>> On 07/31/2014 07:49 AM, Matt Bryant wrote:
>>>>> All,
>>>>>
>>>>> Got an issue with an IPA replica in that the certs in /etc/httpd/alias &
>>>>> /etc/dirsrv/slapd-IPA-REALM have expired.
>>>> I assume that this replica does not have a CA and we are only dealing with
>>>> service HTTPD and DIRSRV service certificates.
>>>>
>>>>> Have tried setting the date back before expiry on the replica and doing an
>>>>> 'ipa-getcert resubmit -i <id>' but that hasn't worked; it looks like the CA
>>>>> master is actually rejecting it since I haven't set the date back on that
>>>>> server.
>>>>>
>>>>> Error am getting on replica is ...
>>>>>
>>>>> Request ID '20120719044839':
>>>>>       status: CA_UNREACHABLE
>>>>>       ca-error: Server failed request, will retry: -504 (libcurl failed to
>>>>> execute the HTTP POST transaction.  Peer certificate cannot be authenticated
>>>>> with known CA certificates).
>>>> Isn't this rather a problem that the replica does not trust the master server
>>>> HTTPD certificate because its certificates are not valid from the replica's POV?
>>>>
>>>>> is there any way of forcing a renewal or manual process for updating these
>>>>> certs .. ???
>>>> If this is just a replica without PKI, I would suggest synchronizing the time
>>>> back with the master CA server and restarting all the services.
>>>>
>>>> If the HTTPD service does not want to start, follow chapter "25.2.2. Starting
>>>> IdM with Expired Certificates" in
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/cas.html
>>>>
>>>> and then try to resubmit the certificates so that they can be renewed on the
>>>> master. Do not forget to revert the above configuration changes when you are
>>>> done.
>>>>
>>>> Also, what version of FreeIPA are you running?
>>>>
>>>> HTH,
>>>> Martin
> 
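The thread turns on two symptoms: a certmonger request stuck in CA_UNREACHABLE and a dirsrv startup line reporting NSS error -8181 (expired certificate). The following is an added example, not code from the thread or from FreeIPA, that parses `getcert list` style output and a dirsrv log line to flag exactly those conditions on a replica; the sample output, the log line, the request IDs and the "now" date are constructed to match the thread, and the field names follow the `getcert list` layout quoted above.

```python
import re
from datetime import datetime, timezone
# Constructed sample of `getcert list` output, modelled on the request quoted in the thread.
SAMPLE = """\
Request ID '20120719044839':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-REALM',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2014-07-19 04:48:39 UTC
Request ID '20120719044900':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2016-07-19 04:48:39 UTC
"""
# Constructed dirsrv startup line, joined from the multi-line one quoted in the thread.
DIRSRV_LINE = ("[31/Jul/2014:18:00:15 +1000] - SSL alert: CERT_VerifyCertificateNow: "
               "verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config "
               "(Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)")
NOW_IN_THREAD = datetime(2014, 7, 31, 8, 0, tzinfo=timezone.utc)  # assumed "now" for the audit
def parse_getcert(text):
    """Turn `getcert list` output into one dict (field -> value) per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None:
            key, sep, value = line.strip().partition(": ")  # split on the first ': ' only
            if sep:
                current[key] = value
    return requests
def audit(text, now=NOW_IN_THREAD, warn_days=30):
    """Return (request id, reason) for every tracked certificate that needs attention."""
    findings = []
    for req in parse_getcert(text):
        if req.get("status") != "MONITORING":  # anything else means the renewal loop is not healthy
            findings.append((req["id"], "status %s: %s" % (req.get("status"), req.get("ca-error", ""))))
        if "expires" in req:
            exp = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
            days = (exp - now).days
            if days < 0:
                findings.append((req["id"], "expired on " + req["expires"]))
            elif days < warn_days:
                findings.append((req["id"], "expires in %d days" % days))
    return findings
def dirsrv_expired_cert(line):
    # Returns the NSS nickname when a dirsrv log line reports NSS error -8181 (expired cert).
    m = re.search(r"verify certificate failed for cert (\S+) .*error -8181", line)
    return m.group(1) if m else None
```

Run `audit(subprocess.check_output(["getcert", "list"]).decode())` on the replica to get the same findings from live data; a non-MONITORING status on a replica without a CA is the cue to check which server xmlrpc_uri in /etc/ipa/default.conf points at and whether that server's HTTPD certificate is trusted.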