[Freeipa-users] Certificate Woes

Matt Chesler mchesler at chesent.com
Fri Mar 28 21:08:58 UTC 2014


Hi all,

Our IPA instance started acting strangely earlier today. I restarted the
IPA service on the primary node and things seemed to return to normal.
Over the course of the day, we decided to add a third IPA server to our
environment. When I attempted to perform the ipa-replica-prepare, I
received the following error:

[Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
certificate as expired.

After some additional digging, I discovered that several certs appear to
have expired recently, despite the fact that auto-renew appears to be
enabled. The original node no longer exists. All of the posts I seem to
be able to find indicate that I need the CSR from the original host. How
can I renew my IPA certs without the original master? Below is the
scrubbed output of "getcert list".

Thanks in advance for any help!

-Matt

# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20131108192721':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.NET
        subject: CN=ipa_server.example.com,O=EXAMPLE.NET
        expires: 2015-11-09 17:22:30 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
        track: yes
        auto-renew: yes
Request ID '20131108192808':
        status: NEED_GUIDANCE
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='598671221310'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        issuer: CN=Certificate Authority,O=EXAMPLE.NET
        subject: CN=CA Audit,O=EXAMPLE.NET
        expires: 2014-03-22 21:25:52 UTC
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20131108192809':
        status: NEED_GUIDANCE
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='598671221310'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        issuer: CN=Certificate Authority,O=EXAMPLE.NET
        subject: CN=OCSP Subsystem,O=EXAMPLE.NET
        expires: 2014-03-22 21:25:50 UTC
        eku: id-kp-OCSPSigning
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20131108192810':
        status: NEED_GUIDANCE
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='598671221310'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        issuer: CN=Certificate Authority,O=EXAMPLE.NET
        subject: CN=CA Subsystem,O=EXAMPLE.NET
        expires: 2014-03-22 21:25:51 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20131108192811':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='598671221310'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.NET
        subject: CN=ipa_server.example.com,O=EXAMPLE.NET
        expires: 2015-10-29 19:28:04 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20131108192901':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-NET/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.NET
        subject: CN=ipa_server.example.com,O=EXAMPLE.NET
        expires: 2015-11-09 17:22:29 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-NET
        track: yes
        auto-renew: yes
Request ID '20131108192951':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.NET
        subject: CN=ipa_server.example.com,O=EXAMPLE.NET
        expires: 2015-11-09 17:22:30 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20131108193035':
        status: NEED_GUIDANCE
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        issuer: CN=Certificate Authority,O=EXAMPLE.NET
        subject: CN=IPA RA,O=EXAMPLE.NET
        expires: 2014-03-22 21:26:43 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
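The pattern in the output above is the one worth alerting on: `auto-renew: yes` on every entry, yet four CA subsystem certs (`CA Audit`, `OCSP Subsystem`, `CA Subsystem`, `IPA RA`) are a week past expiry and sit in `NEED_GUIDANCE` / `stuck: yes`, all under the `dogtag-ipa-retrieve-agent-submit` helper rather than the helper that requests renewal itself. The script below is an added example for this thread, not code from the post, certmonger or FreeIPA: it parses `getcert list` output, re-joins values that a mail client or narrow terminal wrapped across lines, and reports every request that is expired, expiring within a configurable window, stuck, or not in `MONITORING`. `SAMPLE` is a constructed, trimmed copy of two of the post's entries in their wrapped form, and `POST_TIME` is the post's timestamp used as "now" so the result matches the state the poster described; the 30-day warning window is an assumed default.

```python
"""Audit `getcert list` output for expired or stuck certmonger requests.

Added example for this thread, not code from the post, certmonger or FreeIPA.
SAMPLE is two of the post's entries (trimmed) in the mail client's wrapped form."""
import re
from datetime import datetime, timedelta, timezone
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20131108192721':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.NET
subject: CN=ipa_server.example.com,O=EXAMPLE.NET
expires: 2015-11-09 17:22:30 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
track: yes
auto-renew: yes
Request ID '20131108192808':
status: NEED_GUIDANCE
stuck: yes
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='598671221310'
CA: dogtag-ipa-retrieve-agent-submit
issuer: CN=Certificate Authority,O=EXAMPLE.NET
subject: CN=CA Audit,O=EXAMPLE.NET
expires: 2014-03-22 21:25:52 UTC
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/restart_pkicad
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
"""
KNOWN_KEYS = {"status", "stuck", "key pair storage", "certificate", "CA", "issuer",
              "subject", "expires", "eku", "pre-save command", "post-save command",
              "track", "auto-renew"}
REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z -]*?):\s?(.*)$")
POST_TIME = datetime(2014, 3, 28, 21, 8, 58, tzinfo=timezone.utc)  # "now" = post date

def parse_getcert_list(text):
    """One dict per 'Request ID' block. A line that is not a known 'key: value'
    field is a continuation of the previous value (wrapped by mail or terminal)."""
    requests, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            last_key = None
            continue
        if current is None:
            continue  # header line before the first request block
        m = FIELD_RE.match(line)
        if m and m.group(1) in KNOWN_KEYS:
            last_key = m.group(1)
            current[last_key] = m.group(2).strip()
        elif last_key is not None:
            current[last_key] = (current[last_key] + " " + line).strip()
    return requests

def nickname(req):
    m = re.search(r"nickname='([^']*)'", req.get("key pair storage", ""))
    return m.group(1) if m else "?"

def parse_expiry(value):
    # certmonger prints 'YYYY-MM-DD HH:MM:SS UTC'
    return datetime.strptime(value.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def audit(requests, now, warn_days=30):
    """Return (id, nickname, CA helper, problems) for each unhealthy request."""
    findings = []
    for req in requests:
        problems = []
        if "expires" in req:
            left = parse_expiry(req["expires"]) - now
            if left <= timedelta(0):
                problems.append("expired")
            elif left <= timedelta(days=warn_days):
                problems.append("expires in %d days" % left.days)
        if req.get("stuck") == "yes":
            problems.append("stuck")
        if req.get("status") != "MONITORING":
            problems.append("status=" + req.get("status", "?"))
        if problems:
            findings.append((req["id"], nickname(req), req.get("CA", "?"), problems))
    return findings

if __name__ == "__main__":
    for rid, nick, ca, problems in audit(parse_getcert_list(SAMPLE), POST_TIME):
        print(f"{rid} {nick!r} via {ca}: {', '.join(problems)}")
```

Run against live output with `getcert list | python3 audit_getcert.py` after swapping `SAMPLE` for `sys.stdin.read()` and `POST_TIME` for `datetime.now(timezone.utc)`. The CA helper name is reported alongside each finding because it is the first thing to check when a tracked cert is stuck: a request that only retrieves a renewed certificate cannot succeed on its own, and that dependency is invisible if the monitor looks at the expiry date alone.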