[Freeipa-users] Confused with certificate renewal ipa-server-3.0.0.0-37.el6.x86_64

John Desantis desantis at mail.usf.edu
Wed Jan 7 17:43:43 UTC 2015 

Hello all,

Just an update on this issue for anyone else who experiences a similar issue.

It looks like the automatic renewal of the certificates failed on our
master due the certmonger service being "stuck".  I stopped the
service, stopped IPA services, and then reset the date to a few days
prior to the expiration.  I then (following a mailing list post)
restarted IPA and then certmonger.  At this point, I checked the
status of the certificates and saw that they were changing.  Only the
"Server-Cert" in /etc/httpd/alias was complaining this time of not
being able to contact the CA.  Another certmonger service restart
corrected the issue.

I can now re-provision nodes accordingly!

The only remaining hiccup is now the replica's certmonger service
keeps dying while failing to re-issue the "ipaCert" in
/etc/httpd/alias.  Log snippets are below:

Jan  7 12:17:02 python: certmonger restarted httpd
Jan  7 12:17:03 certmonger: Certificate named "ipaCert" in token "NSS
Certificate DB" in database "/etc/httpd/alias" issued by CA and saved.
Jan  7 12:17:08 certmonger: Certificate named "ipaCert" in token "NSS
Certificate DB" in database "/etc/httpd/alias" is no longer valid.
Jan  7 12:17:40 certmonger: Certificate named "ipaCert" in token "NSS
Certificate DB" in database "/etc/httpd/alias" issued by CA but not
saved.

The IPA services are running and the machine can be accessed (queries
issued, web GUI, etc.)

Would anyone have an idea of why a replica would have issues renewing
the "ipaCert"?

Thank you,
John DeSantis


2015-01-06 15:50 GMT-05:00 John Desantis <desantis at mail.usf.edu>:
> Hello all,
>
> Looking at the various online documentation regarding certificate renewals:
>
> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Procedure_in_IPA_.3C_4.0
> http://www.freeipa.org/page/Certmonger
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/cas.html
>
> I have to admit that I am completely confused on how to proceed given
> that the links above reference external CA's.
>
> The certificate was created in house (no external issuer) from what I
> can tell (openssl x509 -issuer and via IPA GUI).
>
> Thankfully(?), none of the certificates listed via 'getcert list' have
> a status of "CA_UNREACHABLE", although all of them state "NEED_CSR".
> I'll paste the contents below, sanitized of couse.
>
> # getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20130110185936':
> status: NEED_CSR
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.COM',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE.COM/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.COM',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=ipa.example.com,O=EXAMPLE.COM
> expires: 2015-01-11 18:59:35 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE.COM
> track: yes
> auto-renew: yes
> Request ID '20130110190008':
> status: NEED_CSR
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=ipa.example.com,O=EXAMPLE.COM
> expires: 2015-01-11 19:00:07 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20130110190034':
> status: NEED_CSR
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=ipa.example.com,O=EXAMPLE.COM
> expires: 2015-01-11 19:00:34 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
> Request ID '20130410022007':
> status: NEED_CSR
> stuck: no
> key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin='377154649534'
> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=CA Audit,O=EXAMPLE.COM
> expires: 2014-12-31 18:58:42 UTC
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20130410022008':
> status: NEED_CSR
> stuck: no
> key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin='377154649534'
> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=OCSP Subsystem,O=EXAMPLE.COM
> expires: 2014-12-31 18:58:41 UTC
> eku: id-kp-OCSPSigning
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "ocspSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20130410022009':
> status: NEED_CSR
> stuck: no
> key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB',pin='377154649534'
> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=CA Subsystem,O=EXAMPLE.COM
> expires: 2014-12-31 18:58:41 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "subsystemCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20130410022010':
> status: NEED_CSR
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=IPA RA,O=EXAMPLE.COM
> expires: 2014-12-31 18:59:24 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> track: yes
> auto-renew: yes
> Request ID '20130410022011':
> status: NEED_CSR
> stuck: no
> key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB',pin='377154649534'
> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=ipa.example.com,O=EXAMPLE.COM
> expires: 2014-12-31 18:58:41 UTC
> eku: id-kp-serverAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
>
> This issue was manifest when I attempted to re-provision a client
> node.  I'll paste the errors reported by Apache:
>
> [Tue Jan 06 14:14:47 2015] [error] Bad remote server certificate: -8181
> [Tue Jan 06 14:14:47 2015] [error] SSL Library Error: -8181
> Certificate has expired
> [Tue Jan 06 14:14:47 2015] [error] Re-negotiation handshake failed:
> Not accepted by client!?
>
> FWIW, all IPA services are running for now.
>
> Any guidance would certainly be appreciated!  If more information is
> required, let me know and I'll paste it in a reply.
>
> Thank you,
> John DeSantis

More information about the Freeipa-users mailing list