[Freeipa-users] Recovering from messed-up certs

Rob Crittenden rcritten at redhat.com
Tue Oct 28 15:27:58 UTC 2014 

Eric McCoy wrote:
> Sorry it took me so long to try this and get back to you.  I tried
> modifying that Python script and running it, and this is what I get:
> 
> Initializing API
> Setting up NSS databases
> Untracking existing Apache Server-Cert
> Issuing new cert
> Tracking Server-Cert
> ipa: ERROR: certmonger failed starting to track certificate: Nickname
> "Server-Cert" doesn't exist in NSS database "/etc/httpd/alias"
> 
> I checked and it's right.  The output of certutil -L -d /etc/httpd/alias
> is... confusing, actually.  So I got the above output.  Then I realized
> my Kerberos ticket was expired and I ought to get a new one.  When I did
> so, I retried the command and got the exact same output.  However, this
> time certutil's output is different:
> 
> # certutil -L -d /etc/httpd/alias
> 
> Certificate Nickname                                         Trust
> Attributes
>                                                             
> SSL,S/MIME,JAR/XPI
> 
> puppetmaster/hostname                     u,u,u
> REALMNAME IPA CA                                             CT,C,C
> ipaCert                                                      u,u,u
> Signing-Cert                                                 u,u,u
> puppetmaster/hostname                     u,u,u
> 
> The puppetmaster/hostname entry is in there twice.  The first attempt at
> newcert.py is still in my scroll buffer: the puppetmaster entry
> definitely only appears once until after this most recent run.  I'm
> starting to wonder if my attempts to create that puppetmaster cert
> somehow screwed up the database.

NSS apparently doesn't like two certificates with the same subject.
Nickname doesn't seem to matter in this case. I found this bug which is
mail specific but seems to cover the same problem:
https://bugzilla.mozilla.org/show_bug.cgi?id=278689

I think the only solution is to remove the puppetmaster cert. Does it
need to reside in the Apache database?

rob

> 
> 
> On Thu, Oct 23, 2014 at 4:05 PM, Rob Crittenden <rcritten at redhat.com
> <mailto:rcritten at redhat.com>> wrote:
> 
>     Eric McCoy wrote:
>     > Some nicknames changed to protect the innocent.  The
>     > puppetmaster/hostname cert is nominally unrelated, though its creation
>     > was contemporaneous with the disappearance of server-cert so I can't
>     > entirely rule it out.
>     >
>     > Certificate Nickname                                         Trust
>     > Attributes
>     >
>     > SSL,S/MIME,JAR/XPI
>     >
>     > puppetmaster/hostname                     u,u,u
>     > REALMNAME IPA CA                                             CT,C,C
>     > ipaCert                                                      u,u,u
>     > Signing-Cert                                                 u,u,u
> 
>     Ok, this is good. If we have ipaCert we can get a cert directly from the
>     CA like we do during installation.
> 
>     The attached python script should fix things up for you.
> 
>     Save it, modify it and replace subjectbase with what matches your
>     environment. You can get the base from an existing cert with:
> 
>     # certutil -L -d /etc/dirsrv/slapd-REALM -n Server-Cert |grep Subject
> 
>     Unless you changed it during installation it should be O=<REALM>
> 
>     Then just run the script:
> 
>     # python newcert.py
>     Initializing API
>     Setting up NSS databases
>     Untracking existing Apache Server-Cert
>     Issuing new cert
>     Tracking Server-Cert
> 
>     # service httpd start
> 
>     The only thing this script doesn't do is put this updated certificate in
>     the service record's LDAP entry.
> 
>     rob
> 
>     >
>     >
>     > On Thu, Oct 23, 2014 at 12:53 PM, Rob Crittenden <rcritten at redhat.com <mailto:rcritten at redhat.com>
>     > <mailto:rcritten at redhat.com <mailto:rcritten at redhat.com>>> wrote:
>     >
>     >     Eric McCoy wrote:
>     >     > Hi all,
>     >     >
>     >     > I somehow destroyed my primary IPA server's Server-Cert in
>     >     > /etc/httpd/alias.  I don't understand how or why it
>     happened, all
>     >     I know
>     >     > is that I went to restart Apache and it was gone.  Apache
>     won't start,
>     >     > of course, because the cert is missing.  I can't issue a new
>     cert
>     >     on the
>     >     > primary because Apache is down.  I tried using the
>     secondary, but it
>     >     > fails saying that it can't connect to the web server on the
>     primary
>     >     > (it's the same error message I get when I try to issue a
>     cert from the
>     >     > primary).  I can't figure out how to tell ipa-getcert et al. to
>     >     talk to
>     >     > the secondary and not the primary.  I'm not using DNS for
>     service
>     >     > discovery, so I'm not sure how the various tools figure out
>     where
>     >     things
>     >     > are.
>     >     >
>     >     > This is all on CentOS 6.5 with IPA 3.0.0-37.
>     >     >
>     >     >
>     >
>     >     What certs do you have in the database?
>     >
>     >     # certutil -L -d /etc/httpd/alias
>     >
>     >     rob
>     >
>     >
> 
>

More information about the Freeipa-users mailing list