[Freeipa-users] Expired Certs

Dmitri Pal dpal at redhat.com
Fri Apr 10 21:40:53 UTC 2015


On 04/10/2015 03:58 PM, John Williams wrote:
> I've inherited an IPA infrastructure for a group in my organization. 
>  So I've got a RHEL instance with an IPA 3.0.0 server with expired certs.
>
> [root at ipa ~]# rpm -qa | grep ipa-server
> ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
> ipa-server-3.0.0-26.el6_4.2.x86_64
> [root at ipa ~]#
>
>
> [root at ipa ~]# getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20130404232110':
> status: CA_UNREACHABLE
> ca-error: Error 7 connecting to 
> http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to 
> server.
> stuck: no
> key pair storage: 
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert 
> cert-pki-ca',token='NSS Certificate DB',pin='242557339296'
> certificate: 
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=IDEF
> subject: CN=CA Audit,O=IDEF
> expires: 2017-02-15 19:26:38 UTC
> key usage: digitalSignature,nonRepudiation
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20130404232111':
> status: CA_UNREACHABLE
> ca-error: Error 7 connecting to 
> http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to 
> server.
> stuck: no
> key pair storage: 
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert 
> cert-pki-ca',token='NSS Certificate DB',pin='242557339296'
> certificate: 
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=IDEF
> subject: CN=OCSP Subsystem,O=IDEF
> expires: 2017-02-15 19:25:38 UTC
> eku: id-kp-OCSPSigning
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20130404232112':
> status: CA_UNREACHABLE
> ca-error: Error 7 connecting to 
> http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to 
> server.
> stuck: no
> key pair storage: 
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert 
> cert-pki-ca',token='NSS Certificate DB',pin='242557339296'
> certificate: 
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert 
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=IDEF
> subject: CN=CA Subsystem,O=IDEF
> expires: 2017-02-15 19:25:38 UTC
> key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20130404232113':
> status: CA_UNREACHABLE
> ca-error: Error 7 connecting to 
> http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to 
> server.
> stuck: no
> key pair storage: 
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: 
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
> Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=IDEF
> subject: CN=IPA RA,O=IDEF
> expires: 2017-02-15 19:25:38 UTC
> key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20130404232114':
> status: CA_UNREACHABLE
> ca-error: Error 7 connecting to 
> http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to 
> server.
> stuck: no
> key pair storage: 
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert 
> cert-pki-ca',token='NSS Certificate DB',pin='242557339296'
> certificate: 
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert 
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=IDEF
> subject: CN=ipa.infra.idef,O=IDEF
> expires: 2017-02-15 19:25:38 UTC
> key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20130404232127':
> status: CA_UNREACHABLE
> ca-error: Error setting up ccache for "host" service on client using 
> default keytab: Cannot contact any KDC for realm 'IDEF'.
> stuck: no
> key pair storage: 
> type=NSSDB,location='/etc/dirsrv/slapd-IDEF',nickname='Server-Cert',token='NSS 
> Certificate DB',pinfile='/etc/dirsrv/slapd-IDEF/pwdfile.txt'
> certificate: 
> type=NSSDB,location='/etc/dirsrv/slapd-IDEF',nickname='Server-Cert',token='NSS 
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=IDEF
> subject: CN=ipa.infra.idef,O=IDEF
> expires: 2015-04-05 23:21:26 UTC
> key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20130404232155':
> status: CA_UNREACHABLE
> ca-error: Error setting up ccache for "host" service on client using 
> default keytab: Cannot contact any KDC for realm 'IDEF'.
> stuck: no
> key pair storage: 
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS 
> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
> certificate: 
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS 
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=IDEF
> subject: CN=ipa.infra.idef,O=IDEF
> expires: 2015-04-05 23:21:54 UTC
> key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20130404232517':
> status: CA_UNREACHABLE
> ca-error: Error setting up ccache for "host" service on client using 
> default keytab: Cannot contact any KDC for realm 'IDEF'.
> stuck: no
> key pair storage: 
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: 
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=IDEF
> subject: CN=ipa.infra.idef,O=IDEF
> expires: 2015-04-05 23:25:17 UTC
> key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
>
> Now, I've tried following the instructions under the following link 
> for fixing expired certs:
>
> https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>
> However, I ran into many issues; first, I don't know what the <pin> 
> referenced very early in the instruction set is.
>
> I Googled a bit and saw some advice about rolling the clock back, then 
> restarting certmonger to renew the certs. Here is the output of that 
> process.
>
> [root at ipa ~]# date
> Thu Apr 10 00:13:51 EDT 2014
> [root at ipa ~]# /etc/init.d/certmonger restart
> Stopping certmonger:       [  OK  ]
> Starting certmonger:       [  OK  ]
> [root at ipa ~]#
>
> That did not work.
>
>
> Here are some errors from syslog
>
> Apr 10 00:13:57 ipa certmonger: Error setting up ccache for "host" 
> service on client using default keytab: Cannot contact any KDC for 
> realm 'MyORG'.
> Apr 10 00:13:57 ipa certmonger: Error 7 connecting to 
> http://myhost.mydomain.com:9180/ca/ee/ca/profileSubmit: Couldn't 
> connect to server.
> Apr 10 00:13:57 ipa certmonger: Error setting up ccache for "host" 
> service on client using default keytab: Cannot contact any KDC for 
> realm 'MyORG'.
> Apr 10 00:13:57 ipa certmonger: Error setting up ccache for "host" 
> service on client using default keytab: Cannot contact any KDC for 
> realm 'MyORG'.
>
> Any ideas would greatly be appreciated.
>
> Thanks.
>
>
>
Check if your KDC started OK.
Check krb5kdc.log

More troubleshooting tips here: http://www.freeipa.org/page/Troubleshooting

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
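The `getcert list` output quoted above is long enough that the important facts are easy to miss: every request shows `status: CA_UNREACHABLE`, but only the three entries issued by `CA: IPA` (the 389-ds and httpd `Server-Cert` entries) carry an `expires:` date of 2015-04-05, five days before this thread, while the dogtag subsystem certificates are valid until 2017. The following script is an added example, not code from the original post or from the FreeIPA project. It parses `getcert list` output into records, reports which tracked certificates are already expired or close to expiry as of a given time, and lists the requests certmonger cannot reach a CA for. The sample listing and the `AS_OF` timestamp are constructed for the example (hostnames, realm and request IDs are placeholders); to run it against a real server, pipe the real listing into `parse_getcert_list` instead.

```python
import re
from datetime import datetime, timedelta, timezone

# Real `getcert list` output puts each field on one tab-indented line under a
# "Request ID '...':" header; the sample below follows that layout.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*):(?:\s+(.*))?$")
REQUEST_RE = re.compile(r"^\s*Request ID '([^']+)':\s*$")

# Constructed sample listing (placeholder host/realm/IDs, no real pins): one
# dogtag-issued RA cert still valid and one directory-server cert that has expired.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID 'example-ra':
\tstatus: CA_UNREACHABLE
\tca-error: Error 7 connecting to http://ipa.example.test:9180/ca/ee/ca/profileSubmit: Couldn't connect to server.
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=IPA RA,O=EXAMPLE.TEST
\texpires: 2017-02-15 19:25:38 UTC
\tpre-save command:
\tpost-save command:
\ttrack: yes
\tauto-renew: yes
Request ID 'example-ldap':
\tstatus: CA_UNREACHABLE
\tca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'EXAMPLE.TEST'.
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-TEST/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2015-04-05 23:21:26 UTC
\ttrack: yes
\tauto-renew: yes
"""

# Constructed "current time" matching the date of the thread, so the sample
# reproduces the situation in the post (one cert expired, one still valid).
AS_OF = datetime(2015, 4, 10, 21, 40, 53, tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Turn `getcert list` output into a list of dicts, one per tracked request.

    Field names are lower-cased ("CA" -> "ca"). A line with no "key:" prefix is
    treated as a wrapped continuation of the previous value, which keeps the
    parser usable on listings that were line-wrapped by a mail client."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
            continue
        if current is None:  # header lines before the first request
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip().lower()] = (m.group(2) or "").strip()
        else:
            last_key = list(current)[-1]
            current[last_key] = (current[last_key] + " " + line.strip()).strip()
    return entries


def parse_expiry(entry):
    """certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(entry["expires"], "%Y-%m-%d %H:%M:%S UTC").replace(
        tzinfo=timezone.utc
    )


def expiry_report(entries, now, warn_days=30):
    """Map request_id -> 'expired' | 'expiring' | 'valid' relative to `now`."""
    report = {}
    for e in entries:
        if "expires" not in e:
            continue
        exp = parse_expiry(e)
        if exp <= now:
            report[e["request_id"]] = "expired"
        elif exp - now <= timedelta(days=warn_days):
            report[e["request_id"]] = "expiring"
        else:
            report[e["request_id"]] = "valid"
    return report


def ca_unreachable(entries):
    """(request_id, ca, ca-error) for every request certmonger cannot renew."""
    return [
        (e["request_id"], e.get("ca", ""), e.get("ca-error", ""))
        for e in entries
        if e.get("status") == "CA_UNREACHABLE"
    ]


if __name__ == "__main__":
    tracked = parse_getcert_list(SAMPLE)
    for rid, state in expiry_report(tracked, AS_OF).items():
        print(f"{rid}: {state}")
    for rid, ca, err in ca_unreachable(tracked):
        print(f"{rid}: CA '{ca}' unreachable: {err}")
```

Run against the listing in the post, the report would mark the three `CA: IPA` requests (`/etc/dirsrv/slapd-IDEF`, `/etc/dirsrv/slapd-PKI-IPA` and `/etc/httpd/alias` `Server-Cert`) as expired and the five dogtag-tracked requests as valid, which separates "the CA's own certificates are gone" from "the LDAP and HTTP service certificates are gone"; the two cases are repaired differently, and a periodic run of a check like this (well before the 30-day window) is what prevents landing in either one.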
