[Freeipa-users] Expired Certs
Dmitri Pal
dpal at redhat.com
Fri Apr 10 21:40:53 UTC 2015
On 04/10/2015 03:58 PM, John Williams wrote:
> I've inhereted an IPA infrastructure for a group in my organization.
> So I've got a RHEL instance with a IPA 3.0.0 server with expired certs.
>
> [root at ipa ~]# rpm -qa | grep ipa-server
> ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
> ipa-server-3.0.0-26.el6_4.2.x86_64
> [root at ipa ~]#
>
>
> [root at ipa ~]# getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20130404232110':
> status: CA_UNREACHABLE
> ca-error: Error 7 connecting to
> http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to
> server.
> stuck: no
> key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin='242557339296'
> certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=IDEF
> subject: CN=CA Audit,O=IDEF
> expires: 2017-02-15 19:26:38 UTC
> key usage: digitalSignature,nonRepudiation
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20130404232111':
> status: CA_UNREACHABLE
> ca-error: Error 7 connecting to
> http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to
> server.
> stuck: no
> key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin='242557339296'
> certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=IDEF
> subject: CN=OCSP Subsystem,O=IDEF
> expires: 2017-02-15 19:25:38 UTC
> eku: id-kp-OCSPSigning
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20130404232112':
> status: CA_UNREACHABLE
> ca-error: Error 7 connecting to
> http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to
> server.
> stuck: no
> key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB',pin='242557339296'
> certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=IDEF
> subject: CN=CA Subsystem,O=IDEF
> expires: 2017-02-15 19:25:38 UTC
> key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20130404232113':
> status: CA_UNREACHABLE
> ca-error: Error 7 connecting to
> http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to
> server.
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=IDEF
> subject: CN=IPA RA,O=IDEF
> expires: 2017-02-15 19:25:38 UTC
> key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20130404232114':
> status: CA_UNREACHABLE
> ca-error: Error 7 connecting to
> http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to
> server.
> stuck: no
> key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB',pin='242557339296'
> certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=IDEF
> subject: CN=ipa.infra.idef,O=IDEF
> expires: 2017-02-15 19:25:38 UTC
> key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20130404232127':
> status: CA_UNREACHABLE
> ca-error: Error setting up ccache for "host" service on client using
> default keytab: Cannot contact any KDC for realm 'IDEF'.
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-IDEF',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-IDEF/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-IDEF',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=IDEF
> subject: CN=ipa.infra.idef,O=IDEF
> expires: 2015-04-05 23:21:26 UTC
> key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20130404232155':
> status: CA_UNREACHABLE
> ca-error: Error setting up ccache for "host" service on client using
> default keytab: Cannot contact any KDC for realm 'IDEF'.
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=IDEF
> subject: CN=ipa.infra.idef,O=IDEF
> expires: 2015-04-05 23:21:54 UTC
> key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20130404232517':
> status: CA_UNREACHABLE
> ca-error: Error setting up ccache for "host" service on client using
> default keytab: Cannot contact any KDC for realm 'IDEF'.
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=IDEF
> subject: CN=ipa.infra.idef,O=IDEF
> expires: 2015-04-05 23:25:17 UTC
> key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
>
> Now, I've tried following the instructions under the following link
> for fixing expired certs:
>
> https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>
> However, I run into a many issues, first I don't know what the <pin>
> is referenced very early on the instruction set.
>
> I Googled a bit an saw some advice about rolling the clock back, then
> restarting certmonger to renew the certs. Here is the output of that
> process.
>
> [root at ipa ~]# date
> Thu Apr 10 00:13:51 EDT 2014
> [root at ipa ~]# /etc/init.d/certmonger restart
> Stopping certmonger: [ OK ]
> Starting certmonger: [ OK ]
> [root at ipa ~]#
>
> That did not work.
>
>
> Here are some errors from syslog
>
> Apr 10 00:13:57 ipa certmonger: Error setting up ccache for "host"
> service on client using default keytab: Cannot contact any KDC for
> realm 'MyORG'.
> Apr 10 00:13:57 ipa certmonger: Error 7 connecting to
> http://myhost.mydomain.com:9180/ca/ee/ca/profileSubmit: Couldn't
> connect to server.
> Apr 10 00:13:57 ipa certmonger: Error setting up ccache for "host"
> service on client using default keytab: Cannot contact any KDC for
> realm 'MyORG'.
> Apr 10 00:13:57 ipa certmonger: Error setting up ccache for "host"
> service on client using default keytab: Cannot contact any KDC for
> realm 'MyORG'.
>
> Any ideas would greatly be appreciated.
>
> Thanks.
>
>
>
Check if your KDC started OK.
Check krb5kdc.log
More troubleshooting tips here: http://www.freeipa.org/page/Troubleshooting
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150410/faa41571/attachment.htm>
More information about the Freeipa-users
mailing list