[Freeipa-users] Cert Renewal

Ott, Dennis Dennis.Ott at mckesson.com
Wed Sep 3 21:28:23 UTC 2014


The output of getcert list-cas from the replica is below. It contains both the 'renew' and the 'retrieve' items.

As previously stated, the services are not running on the replica. I have been nervous about starting them; not wanting to impact the functional master. But, it is sounding like starting them up is all I really need to do to fix things.

Would I need to set the date back on both systems? Will the certs renew more-or-less immediately, or will there be some lag after starting up the replica ipa service?



CA 'SelfSign':
        is-default: no
        ca-type: INTERNAL:SELF
        next-serial-number: 01
CA 'IPA':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/ipa-submit
CA 'certmaster':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/certmaster-submit
CA 'dogtag-ipa-renew-agent':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
CA 'dogtag-ipa-retrieve-agent-submit':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit



-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com] 
Sent: Wednesday, September 03, 2014 3:19 PM
To: Ott, Dennis; Freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Cert Renewal

Ott, Dennis wrote:
> I may need a little more direction here.
> 
> The output from getcert list-cas does not contain the string 'ca_renewal'. 
> 
> What does this indicate?

I don't have a 2 -> 3 updated server handy so I'm going on best guesses from reading the code.  It is probably ok. You really just need to be sure to have a CA that has a submit script of:
dogtag-ipa-retrieve-agent-submit and one for dogtag-ipa-renew-agent

What is the output from list-cas?

The way that CA renewal works is this:

- One CA, the first install by default, is marked as the CA renewal master. The only thing that distinguishes this master is the way the renewal scripts are configured. This CA does the actual renewal of the certificates and pushes the resulting public certs into a shared space in the IPA LDAP tree
- The other CAs monitor this area, via those two dogtag-ipa-* scripts, and fetch and install updated certificates when one is available.

When a cert is in CA_WORKING state it means that an update should be available but isn't in the shared tree, so certmonger will try again in a few hours.

Assuming that certmonger is configured properly then it should just be a matter of getting the right certs added to the LDAP tree.

rob

> 
> 
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Tuesday, August 26, 2014 3:53 PM
> To: Ott, Dennis; Freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Cert Renewal
> 
> Ott, Dennis wrote:
>> No services are currently running on the replica (and I am hesitant to start them) but, my recollection is that I did the replica server installation with the --setup-ca option. Also, there are /var/lib/dirsrv/slapd-PKI-IPA/ and /etc/pki-ca/ directories in place on the replica.
>>
>> ipa-getcert list shows all certs with a status of: CA_UNREACHABLE 
>> (but then, the service is down. The master also gave this status, 
>> even with the service running, until I followed the cert renewal 
>> procedure.)
>>
>> So, with the replica running a CA, should I follow the same procedure that I used on the master? Anything else to look out for?
> 
> No, the procedure is slightly different on the replica.
> 
> You need to start by ensuring that certmonger has a CA type for renewal:
> 
> # getcert list-cas
> 
> Look for ca_renewal
> 
> Check the CA subsystem certs to see how they are configured.
> 
> The CA should be dogtag-ipa-retrieve-agent-submit for 
> "auditSigningCert cert-pki-ca", "ocspSigningCert cert-pki-ca" and 
> "subsystemCert cert-pki-ca" and a pre-save command of stop_pkicad and 
> a post-save a restart_pkicad PKI-IPA
> 
> The agent cert, ipaCert, should be using "dogtag-ipa-retrieve-agent-submit", a blank pre-save command and a post-save command of restart_httpd.
> 
> rob
> 
> 
>>
> 
>> Thanks.
>>
>> Dennis
>>
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>> Sent: Monday, August 25, 2014 6:37 PM
>> To: Ott, Dennis; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Cert Renewal
>>
>> Ott, Dennis wrote:
>>> I have an IPA setup, one master, one replica; originally installed 
>>> as v 2.x and later  updated to v 3.0. For whatever reasons, the 
>>> certs did not automatically renew and the services would no longer 
>>> start. I updated the certs manually on the master using the procedure shown at:
>>>
>>> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>>>
>>> The master is now functioning properly.
>>>
>>> At this point, the IPA service is still stopped on the replica. I 
>>> hesitate to start it for concern it could interfere with the 
>>> now-working master.
>>>
>>> What would be the recommended method for returning the replica to service?
>>
>> It depends on the replica: does it also run a CA? If not then you can try restarting the certmonger service. This should cause it to fetch new certificates for the other IPA servers. ipa-getcert list will show you the status, wait until they are all MONITORING.
>>
>> Once that works then you can safely restart the world. Any changes on the master will be replicated out, and vice versa.
>>
>> rob
>>
> 
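The checks Rob walks through above (a certmonger CA for each of the two dogtag-ipa-* helpers, the retrieve-agent CA plus stop_pkicad / restart_pkicad on the three CA subsystem certs, and a blank pre-save plus restart_httpd on ipaCert) can be scripted against the text of `getcert list-cas` and `getcert list`. The following is an added example, not code from the thread or from FreeIPA: it parses both outputs and reports every deviation from that expected layout, together with a note on what each non-MONITORING status means according to Rob's description. The list-cas sample is Dennis's output from this post; the `getcert list` sample and the command paths in it are constructed for the demo (only the helper name at the end of each command is compared, not the path). The output format assumed is the key: value block layout of certmonger on IPA 3.0-era systems.

```python
"""Check certmonger renewal configuration on an IPA CA replica (added example)."""
import os
import re

# Expected tracking per Rob's reply: (CA name, pre-save helper, post-save helper).
EXPECTED = {
    "auditSigningCert cert-pki-ca": ("dogtag-ipa-retrieve-agent-submit", "stop_pkicad", "restart_pkicad"),
    "ocspSigningCert cert-pki-ca": ("dogtag-ipa-retrieve-agent-submit", "stop_pkicad", "restart_pkicad"),
    "subsystemCert cert-pki-ca": ("dogtag-ipa-retrieve-agent-submit", "stop_pkicad", "restart_pkicad"),
    "ipaCert": ("dogtag-ipa-retrieve-agent-submit", "", "restart_httpd"),
}
# Both helper scripts must be known to certmonger as a CA.
REQUIRED_HELPERS = {"dogtag-ipa-renew-agent-submit", "dogtag-ipa-retrieve-agent-submit"}
# What a non-MONITORING status means, as described in the thread.
STATUS_HINT = {
    "CA_WORKING": "renewal master has not published a new cert to LDAP yet; certmonger retries in a few hours",
    "CA_UNREACHABLE": "helper could not reach the CA (service stopped?)",
}

# Copied from Dennis's post (the three entries that matter here).
SAMPLE_LIST_CAS = """\
CA 'IPA':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/ipa-submit
CA 'dogtag-ipa-renew-agent':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
CA 'dogtag-ipa-retrieve-agent-submit':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit
"""

# Constructed sample: subsystemCert is deliberately misconfigured and still waiting.
SAMPLE_LIST = """\
Number of certificates and requests being tracked: 4.
Request ID '20140822120001':
        status: MONITORING
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/restart_pkicad PKI-IPA
Request ID '20140822120002':
        status: MONITORING
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/restart_pkicad PKI-IPA
Request ID '20140822120003':
        status: CA_WORKING
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/restart_pkicad PKI-IPA
Request ID '20140822120004':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
"""


def parse_list_cas(text):
    """Return {ca name: {field: value}} from `getcert list-cas` output."""
    cas, current = {}, None
    for line in text.splitlines():
        m = re.match(r"CA '(.+)':$", line.strip())
        if m:
            current = m.group(1)
            cas[current] = {}
        elif current and ":" in line:
            key, _, val = line.strip().partition(":")
            cas[current][key.strip()] = val.strip()
    return cas


def parse_list(text):
    """Return {certificate nickname: {field: value}} from `getcert list` output."""
    requests, cur = [], None
    for line in text.splitlines():
        if line.startswith("Request ID"):
            cur = {}
            requests.append(cur)
        elif cur is not None and line.startswith((" ", "\t")) and ":" in line:
            key, _, val = line.strip().partition(":")
            cur[key.strip()] = val.strip()
    out = {}
    for r in requests:
        m = re.search(r"nickname='([^']+)'", r.get("certificate", ""))
        if m:
            out[m.group(1)] = r
    return out


def _helper_name(command):
    """Basename of the first word of a save command ('' when the command is blank)."""
    return os.path.basename(command.split()[0]) if command.strip() else ""


def check_replica(list_cas_text, list_text):
    """List every deviation from the configuration described in the thread."""
    problems = []
    helpers = {_helper_name(c.get("helper-location", "")) for c in parse_list_cas(list_cas_text).values()}
    for h in sorted(REQUIRED_HELPERS - helpers):
        problems.append(f"no certmonger CA uses helper {h}")
    tracked = parse_list(list_text)
    for nick, (ca, pre, post) in EXPECTED.items():
        r = tracked.get(nick)
        if r is None:
            problems.append(f"{nick}: not tracked by certmonger")
            continue
        if r.get("CA") != ca:
            problems.append(f"{nick}: CA is {r.get('CA')!r}, expected {ca!r}")
        if _helper_name(r.get("pre-save command", "")) != pre:
            problems.append(f"{nick}: pre-save command should be {pre or 'blank'}")
        if _helper_name(r.get("post-save command", "")) != post:
            problems.append(f"{nick}: post-save command should be {post}")
        status = r.get("status")
        if status != "MONITORING":
            problems.append(f"{nick}: status {status} ({STATUS_HINT.get(status, 'not renewed yet')})")
    return problems


if __name__ == "__main__":
    for p in check_replica(SAMPLE_LIST_CAS, SAMPLE_LIST) or ["all tracked certs look as expected"]:
        print(p)
```

On a live replica the two samples would be replaced by `subprocess.check_output(["getcert", "list-cas"])` and `subprocess.check_output(["getcert", "list"])`; a run that reports only status notes and no configuration mismatches matches the "restart certmonger and wait until everything is MONITORING" path described above.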