[Freeipa-users] Confused with certificate renewal ipa-server-3.0.0.0-37.el6.x86_64

Rob Crittenden rcritten at redhat.com
Thu Jan 8 18:54:49 UTC 2015


John Desantis wrote:
> Hello all,
> 
> I didn't reply to the list, so I'll forward in my response.
> 
>>>> The only remaining hiccup is now the replica's certmonger service
>>>> keeps dying while failing to re-issue the "ipaCert" in
>>>> /etc/httpd/alias.  Log snippets are below:
>>>>
>>>> Jan  7 12:17:02 python: certmonger restarted httpd
>>>> Jan  7 12:17:03 certmonger: Certificate named "ipaCert" in token "NSS
>>>> Certificate DB" in database "/etc/httpd/alias" issued by CA and saved.
>>>> Jan  7 12:17:08 certmonger: Certificate named "ipaCert" in token "NSS
>>>> Certificate DB" in database "/etc/httpd/alias" is no longer valid.
>>>> Jan  7 12:17:40 certmonger: Certificate named "ipaCert" in token "NSS
>>>> Certificate DB" in database "/etc/httpd/alias" issued by CA but not
>>>> saved.
>>>>
>>>> The IPA services are running and the machine can be accessed (queries
>>>> issued, web GUI, etc.)
>>>>
>>>> Would anyone have an idea of why a replica would have issues renewing
>>>> the "ipaCert"?
>>>
>>> CCing Jan to advise, he is the most experienced in this area.
>>
>> Would file corruption within the file of the "Request ID" in
>> /var/lib/certmonger/request have anything to do with this?
>>
>> autorenew=1
>> monitor=1
>> ca_name=dogtag-ipa-retrieve-agent-submit
>> ca_profile=ipaCert
>> submitted=20141228050011
>> cert=ESC[?1034h-----BEGIN CERTIFICATE-----
>>
>> I checked a few other random client nodes (and the master) and none of
>> them are showing this corruption in their requests.
>>
>> I attempted to fix the corruption (editing the file) and subsequently
>> restart certmonger with no luck.
>>
>> Thanks,
>> John DeSantis
>>
> 
> Thanks,
> John DeSantis
> 
> 2015-01-08 13:26 GMT-05:00 John Desantis <desantis at mail.usf.edu>:

Ah, that sounds familiar. See https://fedorahosted.org/freeipa/ticket/4064

The change is quite small, you might try manually changing it.

Then a certmonger restart might fix it.

rob

>>
>>
>> 2015-01-08 8:10 GMT-05:00 Martin Kosek <mkosek at redhat.com>:
>>> On 01/07/2015 06:43 PM, John Desantis wrote:
>>>> Hello all,
>>>>
>>>> Just an update on this issue for anyone else who experiences a similar issue.
>>>>
>>>> It looks like the automatic renewal of the certificates failed on our
>>>> master due to the certmonger service being "stuck".  I stopped the
>>>> service, stopped IPA services, and then reset the date to a few days
>>>> prior to the expiration.  I then (following a mailing list post)
>>>> restarted IPA and then certmonger.  At this point, I checked the
>>>> status of the certificates and saw that they were changing.  Only the
>>>> "Server-Cert" in /etc/httpd/alias was complaining this time of not
>>>> being able to contact the CA.  Another certmonger service restart
>>>> corrected the issue.
>>>>
>>>> I can now re-provision nodes accordingly!
>>>
>>> Ok, good to hear!
>>>
>>>>
>>>> The only remaining hiccup is now the replica's certmonger service
>>>> keeps dying while failing to re-issue the "ipaCert" in
>>>> /etc/httpd/alias.  Log snippets are below:
>>>>
>>>> Jan  7 12:17:02 python: certmonger restarted httpd
>>>> Jan  7 12:17:03 certmonger: Certificate named "ipaCert" in token "NSS
>>>> Certificate DB" in database "/etc/httpd/alias" issued by CA and saved.
>>>> Jan  7 12:17:08 certmonger: Certificate named "ipaCert" in token "NSS
>>>> Certificate DB" in database "/etc/httpd/alias" is no longer valid.
>>>> Jan  7 12:17:40 certmonger: Certificate named "ipaCert" in token "NSS
>>>> Certificate DB" in database "/etc/httpd/alias" issued by CA but not
>>>> saved.
>>>>
>>>> The IPA services are running and the machine can be accessed (queries
>>>> issued, web GUI, etc.)
>>>>
>>>> Would anyone have an idea of why a replica would have issues renewing
>>>> the "ipaCert"?
>>>
>>> CCing Jan to advise, he is the most experienced in this area.
>>>
>>>>
>>>> Thank you,
>>>> John DeSantis
>>>>
>>>>
>>>> 2015-01-06 15:50 GMT-05:00 John Desantis <desantis at mail.usf.edu>:
>>>>> Hello all,
>>>>>
>>>>> Looking at the various online documentation regarding certificate renewals:
>>>>>
>>>>> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Procedure_in_IPA_.3C_4.0
>>>>> http://www.freeipa.org/page/Certmonger
>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/cas.html
>>>>>
>>>>> I have to admit that I am completely confused on how to proceed given
>>>>> that the links above reference external CA's.
>>>>>
>>>>> The certificate was created in house (no external issuer) from what I
>>>>> can tell (openssl x509 -issuer and via IPA GUI).
>>>>>
>>>>> Thankfully(?), none of the certificates listed via 'getcert list' have
>>>>> a status of "CA_UNREACHABLE", although all of them state "NEED_CSR".
>>>>> I'll paste the contents below, sanitized of course.
>>>>>
>>>>> # getcert list
>>>>> Number of certificates and requests being tracked: 8.
>>>>> Request ID '20130110185936':
>>>>> status: NEED_CSR
>>>>> stuck: no
>>>>> key pair storage:
>>>>> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.COM',nickname='Server-Cert',token='NSS
>>>>> Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE.COM/pwdfile.txt'
>>>>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.COM',nickname='Server-Cert',token='NSS
>>>>> Certificate DB'
>>>>> CA: IPA
>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>> subject: CN=ipa.example.com,O=EXAMPLE.COM
>>>>> expires: 2015-01-11 18:59:35 UTC
>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>> pre-save command:
>>>>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE.COM
>>>>> track: yes
>>>>> auto-renew: yes
>>>>> Request ID '20130110190008':
>>>>> status: NEED_CSR
>>>>> stuck: no
>>>>> key pair storage:
>>>>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>>>>> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>>>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>>>>> Certificate DB'
>>>>> CA: IPA
>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>> subject: CN=ipa.example.com,O=EXAMPLE.COM
>>>>> expires: 2015-01-11 19:00:07 UTC
>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>> pre-save command:
>>>>> post-save command:
>>>>> track: yes
>>>>> auto-renew: yes
>>>>> Request ID '20130110190034':
>>>>> status: NEED_CSR
>>>>> stuck: no
>>>>> key pair storage:
>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>>>> Certificate DB'
>>>>> CA: IPA
>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>> subject: CN=ipa.example.com,O=EXAMPLE.COM
>>>>> expires: 2015-01-11 19:00:34 UTC
>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>> pre-save command:
>>>>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>>> track: yes
>>>>> auto-renew: yes
>>>>> Request ID '20130410022007':
>>>>> status: NEED_CSR
>>>>> stuck: no
>>>>> key pair storage:
>>>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>>>>> cert-pki-ca',token='NSS Certificate DB',pin='377154649534'
>>>>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>>>>> cert-pki-ca',token='NSS Certificate DB'
>>>>> CA: dogtag-ipa-renew-agent
>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>> subject: CN=CA Audit,O=EXAMPLE.COM
>>>>> expires: 2014-12-31 18:58:42 UTC
>>>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>>>> "auditSigningCert cert-pki-ca"
>>>>> track: yes
>>>>> auto-renew: yes
>>>>> Request ID '20130410022008':
>>>>> status: NEED_CSR
>>>>> stuck: no
>>>>> key pair storage:
>>>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>>>>> cert-pki-ca',token='NSS Certificate DB',pin='377154649534'
>>>>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>>>>> cert-pki-ca',token='NSS Certificate DB'
>>>>> CA: dogtag-ipa-renew-agent
>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>> subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>>>>> expires: 2014-12-31 18:58:41 UTC
>>>>> eku: id-kp-OCSPSigning
>>>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>>>> "ocspSigningCert cert-pki-ca"
>>>>> track: yes
>>>>> auto-renew: yes
>>>>> Request ID '20130410022009':
>>>>> status: NEED_CSR
>>>>> stuck: no
>>>>> key pair storage:
>>>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>>>>> cert-pki-ca',token='NSS Certificate DB',pin='377154649534'
>>>>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>>>>> cert-pki-ca',token='NSS Certificate DB'
>>>>> CA: dogtag-ipa-renew-agent
>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>> subject: CN=CA Subsystem,O=EXAMPLE.COM
>>>>> expires: 2014-12-31 18:58:41 UTC
>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>>>> "subsystemCert cert-pki-ca"
>>>>> track: yes
>>>>> auto-renew: yes
>>>>> Request ID '20130410022010':
>>>>> status: NEED_CSR
>>>>> stuck: no
>>>>> key pair storage:
>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>>>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>>>>> Certificate DB'
>>>>> CA: dogtag-ipa-renew-agent
>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>> subject: CN=IPA RA,O=EXAMPLE.COM
>>>>> expires: 2014-12-31 18:59:24 UTC
>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>> pre-save command:
>>>>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>>>> track: yes
>>>>> auto-renew: yes
>>>>> Request ID '20130410022011':
>>>>> status: NEED_CSR
>>>>> stuck: no
>>>>> key pair storage:
>>>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>>>>> cert-pki-ca',token='NSS Certificate DB',pin='377154649534'
>>>>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>>>>> cert-pki-ca',token='NSS Certificate DB'
>>>>> CA: dogtag-ipa-renew-agent
>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>> subject: CN=ipa.example.com,O=EXAMPLE.COM
>>>>> expires: 2014-12-31 18:58:41 UTC
>>>>> eku: id-kp-serverAuth
>>>>> pre-save command:
>>>>> post-save command:
>>>>> track: yes
>>>>> auto-renew: yes
>>>>>
>>>>> This issue was manifest when I attempted to re-provision a client
>>>>> node.  I'll paste the errors reported by Apache:
>>>>>
>>>>> [Tue Jan 06 14:14:47 2015] [error] Bad remote server certificate: -8181
>>>>> [Tue Jan 06 14:14:47 2015] [error] SSL Library Error: -8181
>>>>> Certificate has expired
>>>>> [Tue Jan 06 14:14:47 2015] [error] Re-negotiation handshake failed:
>>>>> Not accepted by client!?
>>>>>
>>>>> FWIW, all IPA services are running for now.
>>>>>
>>>>> Any guidance would certainly be appreciated!  If more information is
>>>>> required, let me know and I'll paste it in a reply.
>>>>>
>>>>> Thank you,
>>>>> John DeSantis
>>>>
>>>
> 
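The getcert list dump quoted above is the first thing to triage when renewals stop. The script below is an added example, not FreeIPA or certmonger code and not from anyone in the thread: it parses that output (which the mail archive has flattened, so lines are stripped before matching), then flags every request that is expired, expires within a warning window, is marked stuck, or is not in certmonger's MONITORING steady state. The sample input is constructed to match the shape of the quoted output; the script name, the 28-day window and the use of the Apache error timestamp from the thread as the reference clock are assumptions.

```python
"""Triage `getcert list` output: flag expired, expiring, stuck or non-steady-state requests.

Added example for this thread; not FreeIPA or certmonger code.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `getcert list` on an IPA 3.0 server
# (values mirror the sanitized thread, trimmed to three requests).
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20130110190034':
\tstatus: NEED_CSR
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 2015-01-11 19:00:34 UTC
\tpre-save command:
\tpost-save command: /usr/lib64/ipa/certmonger/restart_httpd
\ttrack: yes
\tauto-renew: yes
Request ID '20130410022010':
\tstatus: NEED_CSR
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=IPA RA,O=EXAMPLE.COM
\texpires: 2014-12-31 18:59:24 UTC
\tpost-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
\ttrack: yes
\tauto-renew: yes
Request ID '20130410022011':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 2016-12-31 18:58:41 UTC
\ttrack: yes
\tauto-renew: yes
"""

# Reference clock for the sample: the time of the Apache errors quoted in the thread.
THREAD_TIME = datetime(2015, 1, 6, 14, 14, 47, tzinfo=timezone.utc)

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"   # the format getcert prints


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the field names getcert prints.

    Lines are stripped first, so tab-indented real output and the
    whitespace-flattened copy in a mail archive parse the same way.
    """
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            records.append(current)
            continue
        if current is None or ":" not in line:
            continue   # header line, or a wrapped continuation with no field name
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return records


def nickname_of(record):
    m = re.search(r"nickname='([^']*)'", record.get("certificate", ""))
    return m.group(1) if m else "?"


def expires_at(record):
    if "expires" not in record:
        return None   # a request that never received a certificate has no expiry line
    return datetime.strptime(record["expires"], EXPIRES_FMT).replace(tzinfo=timezone.utc)


def triage(records, now, warn_days=28):
    """Return (request_id, nickname, finding) for everything that needs attention."""
    findings = []
    for r in records:
        rid, nick, exp = r["request_id"], nickname_of(r), expires_at(r)
        if exp is not None and exp <= now:
            findings.append((rid, nick, "EXPIRED"))
        elif exp is not None and exp - now <= timedelta(days=warn_days):
            findings.append((rid, nick, "EXPIRES_SOON"))
        # MONITORING is certmonger's steady state; any other status that persists
        # across a certmonger restart means renewal is not progressing.
        if r.get("status") != "MONITORING":
            findings.append((rid, nick, "STATUS_" + r.get("status", "UNKNOWN")))
        if r.get("stuck") == "yes":
            findings.append((rid, nick, "STUCK"))
    return findings


if __name__ == "__main__":
    # Real use:  getcert list | python3 getcert_triage.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    now = THREAD_TIME if sys.stdin.isatty() else datetime.now(timezone.utc)
    for rid, nick, what in triage(parse_getcert_list(text), now):
        print(f"{rid}  {nick:<28} {what}")
```

Run against the sample it reports the two /etc/httpd/alias requests (one already expired, one within the window, both still in NEED_CSR) and stays silent on the MONITORING one; piping real getcert list output into it gives the same report against the current clock.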

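For the cert=ESC[?1034h-----BEGIN CERTIFICATE----- corruption John found in the replica's request file, here is an added example (again not certmonger's or FreeIPA's code, and not anyone's in the thread) that strips an ANSI escape run from in front of the PEM header and checks that what remains base64-decodes to a single DER SEQUENCE of consistent length before the file is written back. ESC[?1034h is the "meta mode on" string readline emits on initialisation for xterm-type terminals, so the pattern is consistent with a helper's terminal output being captured into the value; the thread does not say which process wrote it, and the linked ticket is the place to check. Assumptions: request files live under /var/lib/certmonger/requests/, continuation lines of a multi-line value begin with a space, the script name is invented, and the sample file is constructed with a five-byte placeholder DER body rather than a real certificate.

```python
"""Detect and strip a terminal escape sequence written in front of the PEM
certificate in a certmonger request file (/var/lib/certmonger/requests/*).

Added example for the corrupted cert= line shown in the thread; not certmonger
or FreeIPA code. Assumed file layout: key=value lines, with a multi-line value
continued on lines that begin with a space.
"""
import base64
import re
import shutil
import sys

# One or more ANSI CSI sequences such as ESC[?1034h (readline's "meta mode on").
CSI_RUN = r"(?:\x1b\[[0-9;?]*[ -/]*[@-~])+"
CERT_LINE = re.compile(r"^(cert=)(" + CSI_RUN + r")", re.MULTILINE)
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

# Constructed request file modelled on the fields quoted in the thread; the
# body "MAMCAQE=" is DER for SEQUENCE { INTEGER 1 }, a stand-in, not a certificate.
SAMPLE_REQUEST = (
    "id=20130410022010\n"
    "autorenew=1\n"
    "monitor=1\n"
    "ca_name=dogtag-ipa-retrieve-agent-submit\n"
    "ca_profile=ipaCert\n"
    "submitted=20141228050011\n"
    "cert=\x1b[?1034h-----BEGIN CERTIFICATE-----\n"
    " MAMCAQE=\n"
    " -----END CERTIFICATE-----\n"
)


def find_escape_prefix(text):
    """Return the escape run sitting between 'cert=' and the PEM header, or ''."""
    m = CERT_LINE.search(text)
    return m.group(2) if m else ""


def repair_request(text):
    """Strip the escape run from the cert= line. Returns (new_text, removed_run)."""
    removed = find_escape_prefix(text)
    return CERT_LINE.sub(r"\1", text, count=1), removed


def extract_pem_der(text):
    """Base64-decode the PEM body, ignoring line breaks and the continuation indent."""
    m = PEM_BLOCK.search(text)
    if not m:
        raise ValueError("no PEM certificate block in request file")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def der_is_well_formed(der):
    """Sanity check before writing the file back: the value must be one DER
    SEQUENCE whose encoded length matches the number of bytes present."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        header, length = 2, first
    else:                                  # long form: 0x80|N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def repair_file(path):
    """Back up and rewrite one request file; return the escape run removed ('' if clean)."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    fixed, removed = repair_request(text)
    if not removed:
        return ""
    if not der_is_well_formed(extract_pem_der(fixed)):
        raise ValueError(f"{path}: certificate body does not decode cleanly; not rewriting")
    shutil.copy2(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(fixed)
    return removed


if __name__ == "__main__":
    if len(sys.argv) == 1:
        fixed, removed = repair_request(SAMPLE_REQUEST)
        print(f"sample: removed {removed!r}; DER ok: {der_is_well_formed(extract_pem_der(fixed))}")
    for path in sys.argv[1:]:
        removed = repair_file(path)
        print(f"{path}: {'removed ' + repr(removed) if removed else 'clean'}")
```

Run with no arguments it exercises the sample; run as python3 fix_request_escape.py /var/lib/certmonger/requests/<request file> with certmonger stopped it rewrites the file and leaves a .bak copy beside it. Afterwards restart certmonger (service certmonger restart on el6) and check the request with getcert list -i <request id>; if it still does not leave NEED_CSR, the file was not the only cause.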