[Freeipa-users] Certificate expired/renew problems

Marc Wiatrowski wia at iglass.net
Fri Jun 5 15:12:01 UTC 2015


hello,

I've got a problem with expired certificates in my ipa/IdM setup.  I
believe the root issue stems from the fact that when everything was first
set up about a year ago, everything was replicated from a first ipa
server which no longer exists.  There are currently 3 ipa servers but none
of them are the original.

A couple of days ago I started getting errors similar to
'(SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
certificate as expired' through the web management interface.  After
investigating with 'getcert list' I found that several certificates expired
at 2015-05-31 18:48:55 UTC.

I found
http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master and
followed the procedure for ipa <4.0 and everything seemed to go as
expected.  However this did not fix my issue.

With more searching it looked like once the certificates are expired the
auto renew will not work.  Finding
https://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Procedure_in_IPA_.3C_4.0
to try to manually renew, I am stuck at the beginning with 'Give the CSR
to your external CA.'  I don't believe we had our certificates externally
signed.  They are whatever the original install put in place.  Setting the
date back in time wreaks havoc on our environment so I'm reluctant to leave
it for too long.  I can get what I believe is the original CSR
from /etc/pki-ca/CS.cfg but am unsure what to do next or if this is even the
road I should be going down.

Things seem to be working for the most part except trying to make updates.
Any help on what to do next, somewhere else to look, or if I'm going in the
right direction would be greatly appreciated.

thanks,
Marc

Info:
CentOS 6.5 with some current updates including
ipa-server-3.0.0-42.el6.centos.i686
certmonger-0.75.13-1.el6.i686

$ getcert list-cas
CA 'SelfSign':
is-default: no
ca-type: INTERNAL:SELF
next-serial-number: 01
CA 'IPA':
is-default: no
ca-type: EXTERNAL
helper-location: /usr/libexec/certmonger/ipa-submit
CA 'certmaster':
is-default: no
ca-type: EXTERNAL
helper-location: /usr/libexec/certmonger/certmaster-submit
CA 'dogtag-ipa-renew-agent':
is-default: no
ca-type: EXTERNAL
helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
CA 'local':
is-default: no
ca-type: EXTERNAL
helper-location: /usr/libexec/certmonger/local-submit
CA 'dogtag-ipa-retrieve-agent-submit':
is-default: no
ca-type: EXTERNAL
helper-location: /usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit

$ getcert list
Number of certificates and requests being tracked: 9.
Request ID '20131204194012':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS
Certificate DB'
certificate:
type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=IGLASS.NET
subject: CN=spider01o,O=IGLASS.NET
expires: 2015-12-05 19:40:13 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20141114162346':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=IGLASS.NET
subject: CN=spider01o.iglass.net,O=IGLASS.NET
expires: 2016-11-14 16:22:37 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20141114162434':
status: MONITORING
ca-error: Internal error: no response to "
http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true
".
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='x'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=IGLASS.NET
subject: CN=spider01o.iglass.net,O=IGLASS.NET
expires: 2016-11-03 16:24:27 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20141114162522':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=IGLASS.NET
subject: CN=spider01o.iglass.net,O=IGLASS.NET
expires: 2016-11-14 16:22:36 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20141114162610':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=IGLASS.NET
subject: CN=spider01o.iglass.net,O=IGLASS.NET
expires: 2016-11-14 16:22:42 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150604181945':
status: CA_UNREACHABLE
ca-error: Error 35 connecting to
https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect
error.
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='x'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=IGLASS.NET
subject: CN=CA Audit,O=IGLASS.NET
expires: 2015-05-31 18:48:55 UTC
key usage: digitalSignature,nonRepudiation
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150604181956':
status: CA_UNREACHABLE
ca-error: Error 35 connecting to
https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect
error.
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='x'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=IGLASS.NET
subject: CN=OCSP Subsystem,O=IGLASS.NET
expires: 2015-05-31 18:48:54 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
eku: id-kp-OCSPSigning
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150604182006':
status: CA_UNREACHABLE
ca-error: Error 35 connecting to
https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect
error.
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='x'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=IGLASS.NET
subject: CN=CA Subsystem,O=IGLASS.NET
expires: 2015-05-31 18:48:54 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150604182012':
status: CA_UNREACHABLE
ca-error: Error 35 connecting to
https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect
error.
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=IGLASS.NET
subject: CN=IPA RA,O=IGLASS.NET
expires: 2015-05-31 18:49:37 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
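Added here as an example, not part of Marc's post or of FreeIPA/certmonger: a small Python triage that parses `getcert list` output into per-request records and flags the entries an admin should look at first (already expired, status other than MONITORING, or a ca-error present). The embedded sample is constructed, modelled on the output quoted above, and assumes certmonger's real layout of one tab-indented `field: value` line per attribute (the mail archive wrapped those lines).

```python
import re
from datetime import datetime, timezone
# Constructed sample in the shape certmonger's `getcert list` prints (tab-indented
# fields under each "Request ID" line), modelled on the output in the post above.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20141114162610':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\texpires: 2016-11-14 16:22:42 UTC
\tpre-save command:
Request ID '20150604181945':
\tstatus: CA_UNREACHABLE
\tca-error: Error 35 connecting to https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect error.
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\texpires: 2015-05-31 18:48:55 UTC
"""
# Reference time matching the post's date; a live check would use datetime.now(timezone.utc).
NOW = datetime(2015, 6, 5, 15, 12, tzinfo=timezone.utc)
REQ_RE = re.compile(r"^Request ID '(\d+)':$")
def parse_getcert_list(text):
    """Return {request_id: {field: value}}; a value keeps any ':' after the first ': '."""
    records, cur = {}, None
    for raw in text.splitlines():
        m = REQ_RE.match(raw)
        if m:
            cur = records.setdefault(m.group(1), {})
        elif cur is not None and raw.startswith(("\t", " ")):
            key, _, value = raw.strip().partition(": ")
            cur[key.rstrip(":")] = value  # "pre-save command:" -> ""
    return records

def triage(records, now=NOW):
    """Map cert nickname -> problems: expired, non-MONITORING status, ca-error."""
    findings = {}
    for rid, rec in records.items():
        nick = re.search(r"nickname='([^']*)'", rec.get("certificate", ""))
        exp = datetime.strptime(rec["expires"], "%Y-%m-%d %H:%M:%S %Z")
        problems = []
        if exp.replace(tzinfo=timezone.utc) <= now:
            problems.append("expired")
        if rec.get("status") != "MONITORING":
            problems.append("status=" + rec.get("status", "?"))
        if "ca-error" in rec:
            problems.append("ca-error")
        if problems:
            findings[nick.group(1) if nick else rid] = problems
    return findings
```

On a live server, feed the real output with `triage(parse_getcert_list(subprocess.check_output(["getcert", "list"], text=True)), datetime.now(timezone.utc))`; an entry flagged "expired" together with "ca-error" is one that certmonger can no longer renew on its own.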