[Freeipa-users] IPA v3 Certificate not renewed

Junhe Jian jian at traffics.de
Thu Jun 4 15:24:42 UTC 2015


Hi Rob,
I have only added "NSSEnforceValidCerts off" to nss.conf.
IPA ran for the last 2 years without problems since the certificate expired.

I loaded all the proxy modules in Apache and restarted httpd and certmonger.
Yes, the certificates are renewed:

[root@be-ipasrv httpd]# getcert list | grep status
        status: MONITORING
        status: MONITORING
        status: MONITORING
        status: MONITORING
        status: MONITORING
        status: MONITORING
        status: MONITORING
        status: MONITORING
[root@be-ipasrv httpd]# getcert list | grep expir
        expires: 2017-04-29 08:14:24 UTC
        expires: 2017-04-29 08:13:24 UTC
        expires: 2017-04-29 08:13:24 UTC
        expires: 2017-04-29 08:13:24 UTC
        expires: 2017-04-29 08:13:24 UTC
        expires: 2017-05-26 08:21:01 UTC
        expires: 2017-05-26 08:20:43 UTC
        expires: 2017-05-26 08:21:08 UTC

The other server, with CentOS 6.6 and ipa-server-3.0.0-42.el6.centos.x86_64, gives this error:


Request ID '20130528090822':
        status: CA_UNREACHABLE
        ca-error: Server at https://EXAMPLE.de/ipa/xml failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://EXAMPLE.de:443/ca/agent/ca/displayBySerial': [Errno -8053] (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLEDE',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLEDE/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLEDE',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.DE
        subject: CN=EXAMPLE.de,O=EXAMPLE.DE
        expires: 2015-05-29 09:08:22 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130528090849':
        status: CA_UNREACHABLE
        ca-error: Server at https://EXAMPLE.de/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.DE
        subject: CN=EXAMPLE.de,O=EXAMPLE.DE
        expires: 2015-05-29 09:08:49 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130528090923':
        status: CA_UNREACHABLE
        ca-error: Server at https://EXAMPLE.de/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.DE
        subject: CN=EXAMPLE.de,O=EXAMPLE.DE
        expires: 2015-05-29 09:09:23 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

and the httpd error log if I resubmit the ID:
[Tue May 26 10:01:31 2015] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Tue May 26 10:01:31 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue May 26 10:01:32 2015] [notice] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured.
[Tue May 26 10:01:32 2015] [notice] ModSecurity: APR compiled version="1.3.9"; loaded version="1.3.9"
[Tue May 26 10:01:32 2015] [notice] ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
[Tue May 26 10:01:32 2015] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Tue May 26 10:01:32 2015] [notice] ModSecurity: LIBXML compiled version="2.7.6"
[Tue May 26 10:01:32 2015] [notice] Digest: generating secret for digest authentication ...
[Tue May 26 10:01:32 2015] [notice] Digest: done
[Tue May 26 10:01:33 2015] [notice] Apache/2.2.15 (Unix) mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.16.1 Basic ECC PHP/5.3.25 mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations
[Tue May 26 10:01:34 2015] [error] ipa: INFO: *** PROCESS START ***
[Tue May 26 10:01:34 2015] [error] ipa: INFO: *** PROCESS START ***
[Tue May 26 10:02:36 2015] [error] Bad remote server certificate: -8181
[Tue May 26 10:02:36 2015] [error] SSL Library Error: -8181 Certificate has expired
[Tue May 26 10:02:36 2015] [error] Re-negotiation handshake failed: Not accepted by client!?
[Tue May 26 10:02:36 2015] [error] ipa: INFO: host/EXAMPLE.de@TIBET.TRAFFICS-SWITCH.DE: cert_request(u'MIID+zCCAuMCAQAwUDEhMB8GA1UEChMYVElCRVQuVFJBRkZJQ1MtU1dJVENILkRFMSswKQYDVQQDEyJiZS1pcGFzcnYudGliZXQudHJhZmZpY3Mtc3dpdGNoLmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAshxjlzWHlUYC262eB9BKIYu5mwTM2ncvHIibZwD+wrCp879Z+o6FRuV4jIg8iWo0gHqusuVSpRaGtHpKIXCwYcWU+ESYFZsPiuSXjjs9VmbgEmuM9Dz/4jIfVQXDAecGfcpDfLQxkMcRhaVaOHXwEGeM19xUig6s2kWa81T+TNwEKItNXmovQSpE+6cxpcT3rH00b89F/Z2vUIXagEJnJMuXEdqz3XpaXr6ahcYXgCSDq7L8VSd7zbguEpWZmD0lZ8857+tVXz6LBHryko3n5qyTpwFJ5M/hd6FoJyWTDulCKaF20sHsOBp+P18YcLUmR8pHjA9LQ4m/4dd5cG9yBwIDAQABoIIBZDAlBgkqhkiG9w0BCRQxGB4WAFMAZQByAHYAZQByAC0AQwBlAHIAdDCCATkGCSqGSIb3DQEJDjGCASowggEmMA4GA1UdDwEBAAQEAwIE8DCBwQYDVR0RAQEABIG2MIGzoFAGCisGAQQBgjcUAgOgQgxAbGRhcC9iZS1pcGFzcnYudGliZXQudHJhZmZpY3Mtc3dpdGNoLmRlQFRJQkVULlRSQUZGSUNTLVNXSVRDSC5ERaBfBgYrBgEFAgKgVTBToBobGFRJQkVULlRSQUZGSUNTLVNXSVRDSC5ERaE1MDOgAwIBAaEsMCobBGxkYXAbImJlLWlwYXNydi50aWJldC50cmFmZmljcy1zd2l0Y2guZGUwIAYDVR0lAQEABBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwIAYDVR0OAQEABBYEFCvM2eOn/UvY2d4fFKR23C+YMyfrMA0GCSqGSIb3DQEBCwUAA4IBAQCDXHV+c7ygZRTJrXFbDrhR/Mgz/CpX2HxtDTL9q2qUNjL73oDdHUAEF1i9MP/URw6ZUltA4FD5rXAT5K8t/MRnEHR7YLRCNMyM0SIb6HXC7Bo5QvA/kTPbJdwshjc52rMgOMf+Pa/ztUUBD+zH+8xsJKPRktQb/Ku3fbWZ/b2g5VpQj6jcjCKSKI/IF4C1r0Vl1Dz6P4v4zN3D0sjt/g57ZiAzxwGmLUt4e3/KFKvi4o7UTgZam24pZqwqilAwYw4DRuYCg0wdhty8qBLVKyzxUG1IYkuXQUGOhWTlQwzyWEaCv6BR1N78egX5xpkP9hHzxGJxVhsgrexerEL5sxTk', principal=u'ldap/EXAMPLE.de@EXAMPLE.DE', add=True): NetworkError
[Tue May 26 10:02:38 2015] [error] Bad remote server certificate: -8181
[Tue May 26 10:02:38 2015] [error] SSL Library Error: -8181 Certificate has expired

Do you have an idea?

Thank you!
_____________________________________________
Best regards
Junhe Jian
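As an added example (not code from this thread, and not FreeIPA or certmonger code), the following POSIX shell script triages `getcert list` output like the listings above: it flags every tracking request whose certmonger status is not MONITORING and/or whose `expires:` stamp is already behind the clock you pass in, and lists the request IDs that would be candidates for `getcert resubmit -i`. The listing embedded in it is constructed and only loosely modelled on the thread (the `example.test` hostnames and the `slapd-EXAMPLE-TEST` instance name are placeholders). The expiry test is a plain string comparison, which is an assumption that certmonger prints `expires: YYYY-MM-DD HH:MM:SS UTC` and that you pass the current time in the same format and zone.

```shell
#!/bin/sh
# Added example, not from the thread and not FreeIPA/certmonger code:
# triage `getcert list` output. Flags requests whose status is not
# MONITORING and/or whose "expires:" stamp lies before NOW, and lists the
# request IDs one would hand to `getcert resubmit -i`.

# Constructed sample, loosely modelled on the thread (hostnames, instance
# name and request IDs are placeholders).
SAMPLE_GETCERT_LIST=$(cat <<'EOF'
Number of certificates and requests being tracked: 4.
Request ID '20130528090822':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://ipa.example.test:443/ca/agent/ca/displayBySerial': [Errno -8053] (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).
        stuck: no
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        expires: 2015-05-29 09:08:22 UTC
Request ID '20130528090923':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
        stuck: no
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        expires: 2015-05-29 09:09:23 UTC
Request ID '20150529080514':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        expires: 2017-04-29 08:14:24 UTC
Request ID '20150529080516':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        expires: 2015-06-01 08:00:00 UTC
EOF
)

# getcert_triage NOW   (stdin: `getcert list` output; NOW: "YYYY-MM-DD HH:MM:SS", UTC)
# Prints one TAB-separated line per request:
#   id  status  expires  nssdb-location  nickname  flags
# Tabs rather than spaces because NSS nicknames may contain spaces.
# The expiry check is a string comparison; that is only valid because
# certmonger prints "expires: YYYY-MM-DD HH:MM:SS UTC" (assumption: UTC, fixed width).
getcert_triage() {
    awk -v now="$1" -v q="'" '
    function emit(    flags) {
        flags = ""
        if (status != "MONITORING") flags = "NOT_MONITORING"
        if (expires != "" && expires < now) flags = flags (flags == "" ? "" : ",") "EXPIRED"
        if (flags == "") flags = "OK"
        printf "%s\t%s\t%s\t%s\t%s\t%s\n", id, status, (expires == "" ? "-" : expires), loc, nick, flags
    }
    /^Request ID/ {                      # start of a block: flush the previous one
        if (id != "") emit()
        id = $3; gsub(q, "", id); sub(/:$/, "", id)
        status = "-"; expires = ""; loc = "-"; nick = "-"
        next
    }
    /^[ \t]*status:/  { status = $2; next }
    /^[ \t]*expires:/ { expires = $2 " " $3; next }      # drop the trailing "UTC"
    /^[ \t]*certificate:/ {              # where the cert lives (location= and nickname= are 9 chars each)
        if (match($0, /location=[^,]*/)) { loc = substr($0, RSTART + 9, RLENGTH - 9); gsub(q, "", loc) }
        if (match($0, /nickname=[^,]*/)) { nick = substr($0, RSTART + 9, RLENGTH - 9); gsub(q, "", nick) }
        next
    }
    END { if (id != "") emit() }
    '
}

# Number of requests that need attention.
getcert_problem_count() {
    getcert_triage "$1" | awk -F'\t' '$6 != "OK" { n++ } END { print n + 0 }'
}

# Request IDs to feed to `getcert resubmit -i`, one per line.
getcert_flagged_ids() {
    getcert_triage "$1" | awk -F'\t' '$6 != "OK" { print $1 }'
}

NOW="2015-06-04 15:24:42"   # the thread's date; on a live host use: date -u '+%Y-%m-%d %H:%M:%S'
printf '%s\n' "$SAMPLE_GETCERT_LIST" | getcert_triage "$NOW"
printf 'problems: %s\n' "$(printf '%s\n' "$SAMPLE_GETCERT_LIST" | getcert_problem_count "$NOW")"
```

On a live server the same functions read the real listing: `getcert list | getcert_triage "$(date -u '+%Y-%m-%d %H:%M:%S')"`. The script only tells you which requests are broken, not why; the `ca-error:` text still has to be read by hand, and in the thread it is exactly that text (907 with SEC_ERROR_BUSY on the displayBySerial proxy path versus 4301 "Failure decoding Certificate Signing Request") that separates an httpd/proxy problem from the CA rejecting the request. Note also the fourth sample request: a cert can be past its expiry while certmonger still reports MONITORING, which is why the expiry column is checked independently of the status column.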


-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Thursday, 4 June 2015 17:04
To: Junhe Jian; freeipa-users at redhat.com
Subject: Re: AW: [Freeipa-users] IPA v3 Certificate not renewed

Junhe Jian wrote:
> Hi Rob,
>
> I set the date in the past, "26 MAY 2015",
> and added "NSSEnforceValidCerts off" to nss.conf
>
> and resubmitted the 3 IDs
> [root@be-ipasrv httpd]# getcert resubmit -i 20130528090822
> Resubmitting "20130528090822" to "IPA".
> [root@be-ipasrv httpd]# getcert resubmit -i 20130528090849
> Resubmitting "20130528090849" to "IPA".
> [root@be-ipasrv httpd]# getcert resubmit -i 20130528090923
> Resubmitting "20130528090923" to "IPA".
>
> Restarted IPA and certmonger
>
> now I get an error in http_error
>
> [Tue May 26 10:00:30 2015] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
> [Tue May 26 10:00:30 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Tue May 26 10:00:31 2015] [notice] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured.
> [Tue May 26 10:00:31 2015] [notice] ModSecurity: APR compiled version="1.3.9"; loaded version="1.3.9"
> [Tue May 26 10:00:31 2015] [notice] ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
> [Tue May 26 10:00:31 2015] [notice] ModSecurity: LUA compiled version="Lua 5.1"
> [Tue May 26 10:00:31 2015] [notice] ModSecurity: LIBXML compiled version="2.7.6"
> [Tue May 26 10:00:31 2015] [notice] Digest: generating secret for digest authentication ...
> [Tue May 26 10:00:31 2015] [notice] Digest: done
> [Tue May 26 10:00:32 2015] [notice] Apache/2.2.15 (Unix) mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.14.0.0 Basic ECC PHP/5.3.25 mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations
> [Tue May 26 10:00:33 2015] [error] ipa: INFO: *** PROCESS START ***
> [Tue May 26 10:00:33 2015] [error] ipa: INFO: *** PROCESS START ***
> [Tue May 26 10:01:23 2015] [warn] proxy: No protocol handler was valid for the URL /ca/agent/ca/displayBySerial. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
> [Tue May 26 10:01:23 2015] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with CMS (Internal Server Error)

Have you changed your apache configuration? It looks that way. You need the proxy modules loaded.

rob



