[Freeipa-users] Certificate expired/renew problems

Marc Wiatrowski wia at iglass.net
Fri Jun 5 19:49:31 UTC 2015


Thank you, John.  I had tried that, but you did give me some things to look
at.

I was able to get 2 of the certificates to renew by setting the date back
in time, restarting the services, and issuing 'ipa-getcert resubmit -i <request
id>'.  This renewed 'Server-Cert' and 'ipaCert' but did not renew
'auditSigningCert cert-pki-ca', 'ocspSigningCert cert-pki-ca' or
'subsystemCert cert-pki-ca'.

The admin web interface now gives 'ipa error 4301: Certificate operation
cannot be completed: Unable to communicate with CMS (Not Found)'

Listing the certs shows an error along the lines of:

Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true".

In case any of these are useful:

messages:
Jun  5 15:38:05 spider01o certmonger: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true".

httpd/error:
[Fri Jun 05 14:32:26 2015] [error] ipa: ERROR:
ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with
CMS (Not Found)

selftests.log:
8371.main - [05/Jun/2015:15:19:17 EDT] [20] [1] SystemCertsVerification:
system certs verification failure
8371.main - [05/Jun/2015:15:19:17 EDT] [20] [1] SelfTestSubsystem: The
CRITICAL self test plugin called
selftests.container.instance.SystemCertsVerification running at startup
FAILED!

$ ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

$ certutil -L -d /var/lib/pki-ca/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u
caSigningCert cert-pki-ca                                    CTu,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu

$ getcert list
Number of certificates and requests being tracked: 9.
Request ID '20131204194012':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS
Certificate DB'
certificate:
type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=IGLASS.NET
subject: CN=spider01o,O=IGLASS.NET
expires: 2017-05-28 18:03:59 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20141114162346':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=IGLASS.NET
subject: CN=spider01o.iglass.net,O=IGLASS.NET
expires: 2016-11-14 16:22:37 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20141114162434':
status: MONITORING
ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true".
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='x'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=IGLASS.NET
subject: CN=spider01o.iglass.net,O=IGLASS.NET
expires: 2016-11-03 16:24:27 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20141114162522':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=IGLASS.NET
subject: CN=spider01o.iglass.net,O=IGLASS.NET
expires: 2016-11-14 16:22:36 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20141114162610':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=IGLASS.NET
subject: CN=spider01o.iglass.net,O=IGLASS.NET
expires: 2016-11-14 16:22:42 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150604181945':
status: MONITORING
ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true".
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='x'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=IGLASS.NET
subject: CN=CA Audit,O=IGLASS.NET
expires: 2015-05-31 18:48:55 UTC
key usage: digitalSignature,nonRepudiation
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150604181956':
status: MONITORING
ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=2&renewal=true&xml=true".
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='x'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=IGLASS.NET
subject: CN=OCSP Subsystem,O=IGLASS.NET
expires: 2015-05-31 18:48:54 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
eku: id-kp-OCSPSigning
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150604182006':
status: MONITORING
ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=4&renewal=true&xml=true".
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='x'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=IGLASS.NET
subject: CN=CA Subsystem,O=IGLASS.NET
expires: 2015-05-31 18:48:54 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150604182012':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=IGLASS.NET
subject: CN=IPA RA,O=IGLASS.NET
expires: 2017-05-25 13:58:36 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes

Thanks again. -Marc

On Fri, Jun 5, 2015 at 1:03 PM, John Desantis <desantis at mail.usf.edu> wrote:

> Marc,
>
> I experienced a similar issue earlier this year.
>
> Try restarting certmonger after temporarily changing the date back on
> the master.  In our case that service had failed miserably and it
> didn't allow FreeIPA to renew the certificates properly.
>
> Our replicas however were hit with a bug [1] during this process.  We
> applied the patched code and followed the same process and all was
> well.
>
> John DeSantis
>
> [1] https://fedorahosted.org/freeipa/ticket/4064
>
>
> 2015-06-05 11:12 GMT-04:00 Marc Wiatrowski <wia at iglass.net>:
> > hello,
> >
> > I've got a problem with expired certificates in my ipa/IdM setup.  I
> > believe the root issue stems from the fact that, when everything was first
> > set up about a year ago, everything was replicated from a first ipa server
> > which no longer exists.  There are currently 3 ipa servers but none of them
> > are the original.
> >
> > A couple of days ago I started getting errors similar to
> > '(SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
> > certificate as expired' through the web management interface.  After
> > investigating with 'getcert list' I found that several certificates expired
> > at 2015-05-31 18:48:55 UTC.
> >
> > I found
> > http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
> > and followed the procedure for ipa <4.0 and everything seemed to go as
> > expected.  However this did not fix my issue.
> >
> > With more searching it looked like once the certificates are expired the
> > auto renew will not work.  Finding
> > https://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Procedure_in_IPA_.3C_4.0
> > to try to manually renew, I am stuck at the beginning with 'Give the CSR
> > to your external CA.'  I don't believe we had our certificates externally
> > signed.  They are whatever the original install put in place.  Setting the
> > date back in time wreaks havoc on our environment so I'm reluctant to leave
> > it for too long.  I can get what I believe is the original CSR from
> > /etc/pki-ca/CS.cfg but am unsure what to do next or if this is even the
> > road I should be going down.
> >
> > Things seem to be working for the most part except trying to make updates.
> > Any help on what to do next, somewhere else to look, or if I'm going in the
> > right direction would be greatly appreciated.
> >
> > thanks,
> > Marc
> >
> > Info:
> > CentOS 6.5 with some current updates including
> > ipa-server-3.0.0-42.el6.centos.i686
> > certmonger-0.75.13-1.el6.i686
> >
> > $ getcert list-cas
> > CA 'SelfSign':
> > is-default: no
> > ca-type: INTERNAL:SELF
> > next-serial-number: 01
> > CA 'IPA':
> > is-default: no
> > ca-type: EXTERNAL
> > helper-location: /usr/libexec/certmonger/ipa-submit
> > CA 'certmaster':
> > is-default: no
> > ca-type: EXTERNAL
> > helper-location: /usr/libexec/certmonger/certmaster-submit
> > CA 'dogtag-ipa-renew-agent':
> > is-default: no
> > ca-type: EXTERNAL
> > helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
> > CA 'local':
> > is-default: no
> > ca-type: EXTERNAL
> > helper-location: /usr/libexec/certmonger/local-submit
> > CA 'dogtag-ipa-retrieve-agent-submit':
> > is-default: no
> > ca-type: EXTERNAL
> > helper-location: /usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit
> >
> > $ getcert list
> > Number of certificates and requests being tracked: 9.
> > Request ID '20131204194012':
> > status: MONITORING
> > stuck: no
> > key pair storage:
> > type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS
> > Certificate DB'
> > certificate:
> > type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS
> > Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=IGLASS.NET
> > subject: CN=spider01o,O=IGLASS.NET
> > expires: 2015-12-05 19:40:13 UTC
> > key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
> > Request ID '20141114162346':
> > status: MONITORING
> > stuck: no
> > key pair storage:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
> > certificate:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> > Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=IGLASS.NET
> > subject: CN=spider01o.iglass.net,O=IGLASS.NET
> > expires: 2016-11-14 16:22:37 UTC
> > key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
> > Request ID '20141114162434':
> > status: MONITORING
> > ca-error: Internal error: no response to
> > "
> http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true
> ".
> > stuck: no
> > key pair storage:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> > cert-pki-ca',token='NSS Certificate DB',pin='x'
> > certificate:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> > cert-pki-ca',token='NSS Certificate DB'
> > CA: dogtag-ipa-renew-agent
> > issuer: CN=Certificate Authority,O=IGLASS.NET
> > subject: CN=spider01o.iglass.net,O=IGLASS.NET
> > expires: 2016-11-03 16:24:27 UTC
> > key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
> > Request ID '20141114162522':
> > status: MONITORING
> > stuck: no
> > key pair storage:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS
> > Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt'
> > certificate:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS
> > Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=IGLASS.NET
> > subject: CN=spider01o.iglass.net,O=IGLASS.NET
> > expires: 2016-11-14 16:22:36 UTC
> > key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
> > Request ID '20141114162610':
> > status: MONITORING
> > stuck: no
> > key pair storage:
> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate:
> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=IGLASS.NET
> > subject: CN=spider01o.iglass.net,O=IGLASS.NET
> > expires: 2016-11-14 16:22:42 UTC
> > key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
> > Request ID '20150604181945':
> > status: CA_UNREACHABLE
> > ca-error: Error 35 connecting to
> > https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect
> > error.
> > stuck: no
> > key pair storage:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> > cert-pki-ca',token='NSS Certificate DB',pin='x'
> > certificate:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> > cert-pki-ca',token='NSS Certificate DB'
> > CA: dogtag-ipa-renew-agent
> > issuer: CN=Certificate Authority,O=IGLASS.NET
> > subject: CN=CA Audit,O=IGLASS.NET
> > expires: 2015-05-31 18:48:55 UTC
> > key usage: digitalSignature,nonRepudiation
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
> > Request ID '20150604181956':
> > status: CA_UNREACHABLE
> > ca-error: Error 35 connecting to
> > https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect
> > error.
> > stuck: no
> > key pair storage:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> > cert-pki-ca',token='NSS Certificate DB',pin='x'
> > certificate:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> > cert-pki-ca',token='NSS Certificate DB'
> > CA: dogtag-ipa-renew-agent
> > issuer: CN=Certificate Authority,O=IGLASS.NET
> > subject: CN=OCSP Subsystem,O=IGLASS.NET
> > expires: 2015-05-31 18:48:54 UTC
> > key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
> > eku: id-kp-OCSPSigning
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
> > Request ID '20150604182006':
> > status: CA_UNREACHABLE
> > ca-error: Error 35 connecting to
> > https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect
> > error.
> > stuck: no
> > key pair storage:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> > cert-pki-ca',token='NSS Certificate DB',pin='x'
> > certificate:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> > cert-pki-ca',token='NSS Certificate DB'
> > CA: dogtag-ipa-renew-agent
> > issuer: CN=Certificate Authority,O=IGLASS.NET
> > subject: CN=CA Subsystem,O=IGLASS.NET
> > expires: 2015-05-31 18:48:54 UTC
> > key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
> > Request ID '20150604182012':
> > status: CA_UNREACHABLE
> > ca-error: Error 35 connecting to
> > https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect
> > error.
> > stuck: no
> > key pair storage:
> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate:
> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> > Certificate DB'
> > CA: dogtag-ipa-renew-agent
> > issuer: CN=Certificate Authority,O=IGLASS.NET
> > subject: CN=IPA RA,O=IGLASS.NET
> > expires: 2015-05-31 18:49:37 UTC
> > key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
> >
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
>
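As an added check, not code from this thread or from FreeIPA/certmonger, the script below parses `getcert list` output and lists every tracked request that is already expired, within a warning window of expiry, or carrying a ca-error, together with the `getcert resubmit -i <request id>` command used above to retry a renewal. The sample input is a constructed excerpt of the listings posted in the thread; the field names and "Request ID" / indented "key: value" layout follow real `getcert list` output, while the 30-day warning window, the reference time (the date of the thread) and the file name check_getcert.py are assumptions.

```python
"""List certmonger requests that are expired, expiring, or failed to renew.

Added example (not from the thread or FreeIPA).  Usage on a master:
    getcert list | python3 check_getcert.py
With nothing on stdin it runs against the constructed SAMPLE below.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample: three requests trimmed from the listings in the thread
# (one healthy httpd Server-Cert, two expired certs with renewal errors).
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20141114162610':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=spider01o.iglass.net,O=IGLASS.NET
        expires: 2016-11-14 16:22:42 UTC
Request ID '20150604181945':
        status: MONITORING
        ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true".
        stuck: no
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        subject: CN=CA Audit,O=IGLASS.NET
        expires: 2015-05-31 18:48:55 UTC
Request ID '20150604182012':
        status: CA_UNREACHABLE
        ca-error: Error 35 connecting to https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect error.
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        subject: CN=IPA RA,O=IGLASS.NET
        expires: 2015-05-31 18:49:37 UTC
"""

# Assumed reference time for the sample: the date of the thread (UTC).
THREAD_TIME = datetime(2015, 6, 5, 19, 49, tzinfo=timezone.utc)

REQ_RE = re.compile(r"^Request ID '([^']+)':")
# "key: value"; the non-greedy key stops at the first colon, so values that
# themselves contain colons (URLs, error text) stay intact.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s?(.*)$")
LOC_RE = re.compile(r"location='([^']*)'")
NICK_RE = re.compile(r"nickname='([^']*)'")


def parse_getcert(text):
    """Return one dict per tracked request with the fields we care about."""
    requests, cur = [], None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            cur = {"id": m.group(1), "status": None, "ca": None, "ca_error": None,
                   "expires": None, "location": None, "nickname": None}
            requests.append(cur)
            continue
        m = FIELD_RE.match(line) if cur else None
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key == "status":
            cur["status"] = val
        elif key == "CA":
            cur["ca"] = val
        elif key == "ca-error":
            cur["ca_error"] = val
        elif key == "expires":
            # getcert prints the expiry in UTC, e.g. "2015-05-31 18:48:55 UTC"
            stamp = datetime.strptime(val.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
            cur["expires"] = stamp.replace(tzinfo=timezone.utc)
        elif key == "certificate":
            loc, nick = LOC_RE.search(val), NICK_RE.search(val)
            cur["location"] = loc.group(1) if loc else None
            cur["nickname"] = nick.group(1) if nick else None
    return requests


def find_problems(requests, now, warn_days=30):
    """Return only the requests that need attention, with the retry command."""
    findings = []
    for r in requests:
        problems = []
        if r["expires"] is not None:
            if r["expires"] <= now:
                problems.append("expired")
            elif r["expires"] - now <= timedelta(days=warn_days):
                problems.append("expiring")
        if r["ca_error"]:
            problems.append("ca-error")
        if r["status"] not in (None, "MONITORING"):
            problems.append("status:" + r["status"])
        if problems:
            findings.append({"id": r["id"], "nickname": r["nickname"],
                             "location": r["location"], "ca": r["ca"],
                             "problems": problems,
                             "resubmit": "getcert resubmit -i " + r["id"]})
    return findings


def report(text, now):
    """Human-readable summary lines, returned so callers can inspect them."""
    return ["%s  %s (%s)  CA=%s  %s  -> %s" % (
        f["id"], f["nickname"], f["location"], f["ca"],
        ",".join(f["problems"]), f["resubmit"])
        for f in find_problems(parse_getcert(text), now)]


if __name__ == "__main__":
    piped = not sys.stdin.isatty()
    data = sys.stdin.read() if piped else SAMPLE
    now = datetime.now(timezone.utc) if piped else THREAD_TIME
    out = report(data, now)
    print("\n".join(out) if out else "no expired or failed requests")
```

The script only reports; it does not change the clock, restart anything or resubmit requests. Note that a request can be flagged for more than one reason at once (expired and carrying a ca-error, as the three cert-pki-ca entries above are), and that a ca-error recorded from an earlier attempt stays in the listing until a later resubmit gets a response from the CA.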