[Freeipa-users] RHEL 7 Upgrade experience so far
Erinn Looney-Triggs
erinn.looneytriggs at gmail.com
Mon Jul 28 21:44:19 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 07/28/2014 12:56 PM, Rob Crittenden wrote:
> Erinn Looney-Triggs wrote:
>> On 07/28/2014 12:20 PM, Ade Lee wrote:
>>> On Mon, 2014-07-28 at 12:14 -0700, Erinn Looney-Triggs wrote:
>>>> On 07/28/2014 11:07 AM, Ade Lee wrote:
>>>>>>
>>>>>> No exceptions thrown in the journal.
>>>>>>
>>>>>> When investigating the cacert.p12 file that is bundled
>>>>>> up for the replica's I see two caSigningCert's. One is
>>>>>> the older one, before I renewed and one is the new,
>>>>>> valid, post renewal one. Are these the certs that are
>>>>>> used or are they requested from the primary much like the
>>>>>> servercert?
>>>>>
>>>>> I think the problem might be that there are two
>>>>> caSigningCerts, with presumably the same nickname. We need
>>>>> to try and generate a p12 file without the old pre-renewal
>>>>> signing cert.
>>>>>
>>>>> Does the master certdb contain both certs with the same
>>>>> nickname? If so, you could try to remove the old signing
>>>>> cert from the master certdb and then regenerate the pkcs12
>>>>> using PKCS12Export.
>>>>>
>>>>> Here is one way you could try to do this: 1. Export the
>>>>> caSigning cert from the certdb using pk12util. Check that
>>>>> only the latest cert/key has been exported. Make sure to
>>>>> note down the exact cert nickname. If so, then continue ..
>>>>> 2. Shut down the CA. 3. IMPORTANT: Back up the certdb. 4.
>>>>> Delete the caSigning cert from the certdb using certutil.
>>>>> You may have to do this twice to remove both certs. 5.
>>>>> Re-import the saved caSigningCert using pk12util. 6.
>>>>> Restart the CA.
>>>>>
>>>>>>
>>>>>> However, when examining the /etc/pki/pki-tomcat/alias db
>>>>>> there is no casigningcert, hence I suppose the failure.
>>>>>> So somewhere in there it is getting lost, I'll keep
>>>>>> looking but throw me any ideas.
>>>>>>
>>>>> By this, you are implying looking at the clone certdb,
>>>>> right? The cert should certainly still exist on the master.
>>>>> The cert not being in the clone certdb is because it fails
>>>>> to be imported from the PKCS12 file.
>>>>>
>>>>>
>>>>>> -Erinn
>>>>>>
>>>>>>
>>>>>>
>>>>
>>>> Ok to make sure we are on the same page and I am not chasing
>>>> my own tail here, I am going to recap this as I understand
>>>> the issue now.
>>>>
>>>> Essentially, we get a cacert.p12 file on the master IPA
>>>> server that was generated using: PKCS12Export -d $ALIAS_PATH
>>>> -p /root/keydb_pin -w /root/dm_password -o /root/cacert.p12
>>>>
>>>> This cacert.p12 file contains multiple copies of
>>>> certificates, both expired and valid, for, well, multiple
>>>> aliases in fact not just the caSigningCert.
>>>>
>>>> Nevertheless, because of these multiple copies of the
>>>> caSigningCert we are venturing a guess that this is munging
>>>> up the ca clone on the replica (a fair guess I would say). So
>>>> there is probably a bug in here somewhere, either on the
>>>> exporting end, or on the importing end.
>>>>
>>>> So, I/we are trying to use the userspace tools to basically
>>>> clean up the NSS db to only have the valid copy of this
>>>> certificate.
>>>>
>>>> However, it appears to me that most of these tools are not
>>>> granular enough in their selection, the export everyhing with
>>>> an alias of 'caSigningCert cert-pki-ca' or delete all
>>>> instance of 'caSigningCert cert-pki-ca'. Kind of a
>>>> sledgehammer for a penny nail type thing. Does this sound
>>>> about right?
>>>>
>>>> If so, it looks like a more granular approach is warranted.
>>>> I'll be looking into python-nss as python is what I know best
>>>> to see if I can hack up something to whip the DB into proper
>>>> shape.
>>>>
>>>> Anything I am missing here? Sound like a reasonable
>>>> approach?
>>>>
>>> That sounds exactly right.
>>
>>> You could try deleting the cert using certutil -D (make sure
>>> to back up the certdb first) and see if it will delete one or
>>> both certificates. Or you could try renaming the cert nick
>>> using certutil and see if it renames just one.
>>
>>> Ade
>>>> -Erinn
>>>>
>>>>
>>
>>
>>
>> Ok, well I tried deleting it using certutil it deletes both, I
>> tried using keytool to see if it would work any better, no dice
>> there. I'll try the rename, but at this point I am not holding my
>> breath on that, it seems all operation are a bit too coarse. It
>> seems the assumption was being made that there would only be one
>> of each nickname. Which frankly makes me wonder how any of this
>> kept running after the renewal.
>>
>> For now I'll see what I can do on a copy of the db using python.
>
> It is a little strange that there are multiple 'caSigningCert
> cert-pki-ca' as this is the CA itself. It should be good for 20
> years and isn't something that the current renewal code handles
> yet.
>
> You probably won't have much luck with python-nss. It can handle
> reading PKCS#12 files but I don't believe it can write them (access
> to key material).
>
> I'm not sure why certutil didn't do the trick. This should work, if
> you want to give it another try. I'm assuming that /root/cacert.p12
> has the latest exported certs, adjust as necessary:
>
> # certutil -N -d /tmp/test # pk12util -i /root/cacert.p12 -d
> /tmp/test # certutil -D -d /tmp/test -n '<nickname>'
>
> certutil should delete the oldest cert first, it always has for
> me.
>
> rob
>
And finally there is a bug open from 11 years ago (!!) that defines
this problem: https://bugzilla.mozilla.org/show_bug.cgi?id=210941
It does explain to me why certutil and the like are doing what they
are doing picking the latest certificate, and why things are still
working in my instance.
I think NES is Netscape Enterprise Server?? Man this is ancient
history down in there.
Any which way it looks like there was never code implemented to
unambiguously identify a certificate, or if there is, it isn't user
facing.
- -Erinn
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBCAAGBQJT1sQrAAoJEFg7BmJL2iPO4CoH/iV+lnoLZe1ui0ihn5EvNM0O
ulgyZADLCPn/hXNcuc+//7jMSMA7qjlcopYFZedvK38HW5N8zpOENm387l4bYuVi
UzFz1EjyhN7fD6C0ZzgUCL2urLQ19/ete80IZ8bP0PqXdAAEtRiR94FaUuH4h+fj
Wx8z6IMnH0+B72jo+bCZqPeaDRD/rIxi23ahHOlwaqFa+W5UJ7kv2237FOpFysDE
AWDYna3Na/qu6EjB5CGef2UDOeEeIdSxD5XuDY2Dl7dZo7S9tsXJZQHXTtTfg3ZH
q8DHiK9j2eSaE4tukklfzrQB1cHi44hq4obRDnnFMW3mqHE0/oqhNyy/JG3zxbU=
=wV5O
-----END PGP SIGNATURE-----
More information about the Freeipa-users
mailing list