[Freeipa-users] Certificate system unavailable

Lucas Yamanishi lyamanishi at sesda3.com
Thu Aug 7 18:41:56 UTC 2014


On 08/07/2014 01:25 PM, Rob Crittenden wrote:
> Lucas Yamanishi wrote:
>> Hello, I'm in a bit of a pickle with the PKI system.  I have three
>> replicas, but only one contains the CA.  I realize how poor a decision
>> it was to do that.  I plan to create more complete replicas, but right
>> now I can't even create a replica file, much less a full replica.
>>
>> The problem started when the CA subsystem certificates expired.  I read
>> several threads explaining how to roll back time and renew them, but I
>> then discovered that the host and HTTP certificates for the server were
>> missing.  I checked for backups, but we erroneously did not cover those
>> files.  Because they are missing I was unable to renew any certificates.
>>
>> Is there a way to manually create host and service certificates?  When I
>> search for this, the "manual" procedure listed in the documentation
>> requires `ipa cert-request` which does not work.  I did try installing a
>> self-signed cert for HTTP with `ipa-server-certinstall`.  That changed
>> the errors, but the commands still fail.  The pki-ca service is running
>> OK, as far as I can tell.
>>
>> I also tried adding a CA instance to one of the other replicas with
>> `ipa-ca-install`, but it failed during the configuration phase.
> The subsystem certificate renewal should be independent of the web (and
> host) certificates. I'd focus on getting the CA back up, then we can see
> about getting a new web server certificate.
>
> Can you share the output of: getcert list
>
> You'll probably want to obfuscate the output as it contains the PIN to
> the private key database of the CA.
>
> rob
Here you go.  I've also included `certutil -L` outputs.

The *auditSigningCert* I tried resubmitting with the time rolled back. 
The post-save command was also updated, because it wasn't done a year or
two back when it replaced our old CRL-signer.

`getcert list`:

```
Number of certificates and requests being tracked: 7.
Request ID '20130321103859':
        status: CA_UNREACHABLE
        ca-error: Error 35 connecting to
https://badca.example.com:9443/ca/agent/ca/profileReview: SSL connect error.
        stuck: yes
        key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='XXXXXXXXXXXX'
        certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=CA Audit,O=EXAMPLE.COM
        expires: 2014-07-31 21:29:35 UTC
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130321103900':
        status: NEED_GUIDANCE
        stuck: yes
        key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='XXXXXXXXXXXX'
        certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=OCSP Subsystem,O=EXAMPLE.COM
        expires: 2014-07-31 21:29:33 UTC
        eku: id-kp-OCSPSigning
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/restart_pkicad
"ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130321103901':
        status: NEED_GUIDANCE
        stuck: yes
        key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='XXXXXXXXXXXX'
        certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=CA Subsystem,O=EXAMPLE.COM
        expires: 2014-07-31 21:29:34 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/restart_pkicad
"subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130321103902':
        status: NEED_GUIDANCE
        stuck: yes
        key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=IPA RA,O=EXAMPLE.COM
        expires: 2014-07-31 21:30:34 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20130321103903':
        status: MONITORING
        stuck: no
        key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='XXXXXXXXXXXX'
        certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=badca.example.com,O=EXAMPLE.COM
        expires: 2016-07-03 23:53:02 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20140724160403':
        status: MONITORING
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
        certificate:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=badca.example.com,O=EXAMPLE.COM
        expires: 2016-07-28 18:28:51 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
EXAMPLE-COM
        track: yes
        auto-renew: yes
Request ID '20140807180016':
        status: MONITORING
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=badca.example.com,O=EXAMPLE.COM
        expires: 2016-07-25 23:53:04 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
        track: yes
        auto-renew: yes
```

`certutil -L -d /var/lib/pki-ca/alias`:

```
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
```

`certutil -L -d /etc/httpd/alias` (most of these were re-added after
`ipa-server-certinstall` removed them):

```
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

badca.example.com - self-signed                              CTu,Cu,u
EXAMPLE.COM IPA CA                                            CT,C,
ipaCert                                                      u,u,u
Server-Cert                                                  ,,
```

`certutil -L -d /etc/pki/nssdb`:

```
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

badca.example.com - self-signed                              CT,C,C
IPA CA                                                       CT,C,C
```

--  
-----
*question everything*learn something*answer nothing*
------------
Lucas Yamanishi
------------------
Systems Administrator, ADNET Systems, Inc.
NASA Space and Earth Science Data Analysis (606.9)
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xD354B2CB
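One way to turn `getcert list` output like the above into an automated health check, as an added example that is not part of this thread or of FreeIPA's own tooling: it rejoins the lines the mail client wrapped, redacts the `pin=` value Rob warned about, and flags tracking requests that are stuck, not in MONITORING, or already expired. The sample text and the pin value in it are constructed.

```python
import re
from datetime import datetime
# Constructed sample in `getcert list` format, cut down from the post above and
# wrapped the way the mail client wrapped it; the pin value is made up.
SAMPLE = """\
Request ID '20130321103859':
        status: CA_UNREACHABLE
        ca-error: Error 35 connecting to
https://badca.example.com:9443/ca/agent/ca/profileReview: SSL connect error.
        stuck: yes
        key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='hunter2'
        expires: 2014-07-31 21:29:35 UTC
Request ID '20130321103903':
        status: MONITORING
        expires: 2016-07-03 23:53:02 UTC
"""
REQ_RE = re.compile(r"^Request ID '([^']+)':$")
PIN_RE = re.compile(r"pin='[^']*'")
FMT = "%Y-%m-%d %H:%M:%S UTC"  # timestamp format getcert prints

def parse_getcert_list(text):
    # Returns {request_id: {field: value}} with mail-wrapped lines rejoined.
    requests, current, last_key = {}, None, None
    for raw in text.splitlines():
        raw = PIN_RE.sub("pin='<redacted>'", raw)  # never keep the NSS DB PIN
        m = REQ_RE.match(raw)
        if m:
            current = requests.setdefault(m.group(1), {})
            last_key = None
        elif raw[:1].isspace() and ":" in raw:
            last_key, _, value = raw.strip().partition(":")
            current[last_key] = value.strip()
        elif last_key is not None:
            # Unindented line: a continuation that the mail client wrapped.
            current[last_key] = (current[last_key] + " " + raw.strip()).strip()
    return requests

def check_requests(requests, now):
    """Return {request_id: [reasons]}; now is a timestamp in getcert's format."""
    problems = {}
    for rid, f in requests.items():
        exp = f.get("expires")  # absent when the request never produced a cert
        expired = bool(exp) and datetime.strptime(exp, FMT) <= datetime.strptime(now, FMT)
        reasons = [text for text, bad in (
            ("stuck", f.get("stuck") == "yes"),
            ("status " + f.get("status", "?"), f.get("status") != "MONITORING"),
            ("expired " + str(exp), expired)) if bad]
        if reasons:
            problems[rid] = reasons
    return problems
```

Running `check_requests(parse_getcert_list(SAMPLE), "2014-08-07 18:41:56 UTC")` reports only the audit signing request, with all three reasons.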
