[Freeipa-users] Certificate renewal issues for dogtag GUI (9443/9444/9445 ports)

Thibaut Pouzet thibaut.pouzet at lyra-network.com
Tue Jun 9 09:32:19 UTC 2015


On 05/06/2015 22:19, Endi Sukma Dewata wrote:
> On 5/19/2015 3:54 AM, Thibaut Pouzet wrote:
>> Hi,
>>
>> It appeared that the NSS DB had FIPS enabled due to the troubleshooting
>> of an old problem:
>>
>> # modutil -dbdir /var/lib/pki-ca/alias/ -list
>>
>> Listing of PKCS #11 Modules
>> -----------------------------------------------------------
>>    1. NSS Internal FIPS PKCS #11 Module
>>           slots: 1 slot attached
>>          status: loaded
>>
>>           slot: NSS FIPS 140-2 User Private Key Services
>>          token: NSS FIPS 140-2 Certificate DB
>> -----------------------------------------------------------
>>
>> I disabled it: modutil -dbdir /var/lib/pki-ca/alias -fips false
>>
>> And no longer have the stack trace in the debug logs while re-submitting
>> the certificate with certmonger.
>>
>> This is a first step in this certificate renewal, as I still cannot
>> renew it, I have a new error:
>>          status: CA_UNREACHABLE
>>          ca-error: Error 60 connecting to
>> https://ipa_server:9443/ca/agent/ca/profileReview: Peer certificate
>> cannot be authenticated with known CA certificates.
>>
>> This looks like a chicken and egg problem, the certificate served on
>> ipa_server:9443 is the one that needs to be renewed. I tried to step
>> back in time when the certificate was still valid with no luck.
>>
>> So if anyone has an idea here...
>>
>> Cheers,
> 
> Hi,
> 
> Is this still a problem? Per discussion with Rob it doesn't seem to be
> an issue with Dogtag itself.
> 
> I suppose you are following this instruction:
> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
> 
> Could you post the full getcert list output? Also after you reset the
> clock back and try the renewal again could you post the error messages
> that you get?
> 
> Hopefully the IPA team will be able to troubleshoot further. Thanks.
> 

Hi Endi,

Indeed, this is still a problem for this server. I have not had any new
idea on how to troubleshoot this issue, unfortunately... Here is what you
asked:

With ntp running, the date is now:

$ sudo getcert list -c dogtag-ipa-renew-agent
Number of certificates and requests being tracked: 9.
Request ID '20150511123414':
        status: MONITORING
        stuck: no
        key pair storage:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='640188994674'
        certificate:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=ipa_domain
        subject: CN=CA Audit,O=ipa_domain
        expires: 2017-04-10 05:34:30 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20150511123614':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to
https://ipa_server:9443/ca/agent/ca/profileReview: Peer certificate
cannot be authenticated with known CA certificates.
        stuck: no
        key pair storage:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='640188994674'
        certificate:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=ipa_domain
        subject: CN=CA Subsystem,O=ipa_domain
        expires: 2015-04-09 04:58:34 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20150511123705':
        status: MONITORING
        stuck: no
        key pair storage:
type=NSSDB,='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate
DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate:
type=NSSDB,='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=ipa_domain
        subject: CN=IPA RA,O=ipa_domain
        expires: 2017-04-18 07:11:38 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20150513074100':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to
https://ipa_server:9443/ca/agent/ca/profileReview: Peer certificate
cannot be authenticated with known CA certificates.
        stuck: no
        key pair storage:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='640188994674'
        certificate:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=ipa_domain
        subject: CN=ipa_server,O=ipa_domain
        expires: 2015-04-09 04:58:33 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20150107225544':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to
https://ipa_server:9443/ca/agent/ca/profileReview: Peer certificate
cannot be authenticated with known CA certificates.
        stuck: no
        key pair storage:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='640188994674'
        certificate:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=ipa_domain
        subject: CN=OCSP Subsystem,O=ipa_domain
        expires: 2015-04-09 04:58:33 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        eku: id-kp-OCSPSigning
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes


I set the date to before the expiration date of the certificate, and do
ipa getcert resubmit -i 20150513074100:

$ sudo getcert list -c dogtag-ipa-renew-agent
Number of certificates and requests being tracked: 9.
Request ID '20150511123414':
        status: MONITORING
        stuck: no
        key pair storage:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='640188994674'
        certificate:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=ipa_domain
        subject: CN=CA Audit,O=ipa_domain
        expires: 2017-04-10 05:34:30 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20150511123614':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to
https://ipa_server:9443/ca/agent/ca/profileReview: Peer certificate
cannot be authenticated with known CA certificates.
        stuck: no
        key pair storage:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='640188994674'
        certificate:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=ipa_domain
        subject: CN=CA Subsystem,O=ipa_domain
        expires: 2015-04-09 04:58:34 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20150511123705':
        status: MONITORING
        stuck: no
        key pair storage:
type=NSSDB,='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate
DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate:
type=NSSDB,='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=ipa_domain
        subject: CN=IPA RA,O=ipa_domain
        expires: 2017-04-18 07:11:38 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20150513074100':
        status: NEED_TO_SUBMIT
        ca-error: Error 35 connecting to
https://ipa_server:9443/ca/agent/ca/profileReview: SSL connect error.
        stuck: no
        key pair storage:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='640188994674'
        certificate:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=ipa_domain
        subject: CN=ipa_server,O=ipa_domain
        expires: 2015-04-09 04:58:33 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20150107225544':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to
https://ipa_server:9443/ca/agent/ca/profileReview: Peer certificate
cannot be authenticated with known CA certificates.
        stuck: no
        key pair storage:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='640188994674'
        certificate:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=ipa_domain
        subject: CN=OCSP Subsystem,O=ipa_domain
        expires: 2015-04-09 04:58:33 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        eku: id-kp-OCSPSigning
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

Nothing inside /var/log/pki-ca/debug regarding this resubmit request.

Cheers,

-- 
Thibaut Pouzet
Lyra Network
Systems and Network Engineer
(+33) 5 31 22 40 08
www.lyra-network.com
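The `getcert list` transcripts above carry the whole diagnosis: the Dogtag `Server-Cert cert-pki-ca` (the certificate presented on port 9443) expired on 2015-04-09, and every renewal that must talk to `https://ipa_server:9443/ca/agent/ca/profileReview` now fails with curl error 60 ("Peer certificate cannot be authenticated"), so the agent refuses the very certificate it is supposed to renew. The following is an added example, not code from the thread or from certmonger/FreeIPA: it parses `getcert list` output (including the wrapped continuation lines certmonger prints for NSS storage specs and `ca-error` messages), computes which tracked certificates are expired relative to a given clock, and flags the chicken-and-egg condition the poster describes. The embedded sample is constructed from the thread's request IDs, nicknames and dates; the PIN value is a placeholder.

```python
"""Triage `getcert list` output: which tracked certificates have expired and
which renewals are stuck because certmonger cannot verify the renewal endpoint."""
import re
from datetime import datetime, timezone

# Constructed sample in the layout `getcert list` prints: field lines are
# indented, long values wrap onto unindented continuation lines. Ids,
# nicknames and dates follow the thread above; the pin is a placeholder.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20150511123414':
        status: MONITORING
        certificate:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        expires: 2017-04-10 05:34:30 UTC
Request ID '20150511123614':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to
https://ipa_server:9443/ca/agent/ca/profileReview: Peer certificate
cannot be authenticated with known CA certificates.
        certificate:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
        expires: 2015-04-09 04:58:34 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
Request ID '20150513074100':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to
https://ipa_server:9443/ca/agent/ca/profileReview: Peer certificate
cannot be authenticated with known CA certificates.
        key pair storage:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='PLACEHOLDER_PIN'
        certificate:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
        expires: 2015-04-09 04:58:33 UTC
        eku: id-kp-serverAuth
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?):\s?(.*)$")


def parse_getcert_list(text):
    """One dict per tracked request, keyed by getcert's own field names.
    Unindented non-header lines are continuations of the last field and are
    re-joined with a space, restoring e.g. 'Server-Cert cert-pki-ca'."""
    requests, current, last_field = [], None, None
    for line in text.splitlines():
        header = REQUEST_RE.match(line)
        field = FIELD_RE.match(line)
        if header:
            current = {"request_id": header.group(1)}
            requests.append(current)
            last_field = None
        elif current is None or not line.strip():
            continue  # preamble line ("Number of certificates ...") or blank
        elif field:
            last_field = field.group(1)
            current[last_field] = field.group(2).strip()
        elif last_field is not None:
            current[last_field] = f"{current[last_field]} {line.strip()}".strip()
    return requests


def nickname(req):
    """NSS nickname from the 'certificate' storage spec, or None."""
    m = re.search(r"nickname='([^']*)'", req.get("certificate", ""))
    return m.group(1) if m else None


def parse_expiry(value):
    """getcert prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    value = value[:-4] if value.endswith(" UTC") else value
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def diagnose(text, now=None):
    """Report expired certificates and renewals blocked on peer verification.
    chicken_and_egg: the CA's own TLS certificate (Server-Cert) has expired
    while renewals fail to verify the peer, so the renewal agent rejects the
    very certificate it is meant to renew."""
    now = now or datetime.now(timezone.utc)
    reqs = parse_getcert_list(text)
    expired = [r for r in reqs if parse_expiry(r["expires"]) <= now]
    blocked = [r for r in reqs if r.get("status") == "CA_UNREACHABLE"
               and "cannot be authenticated" in r.get("ca-error", "")]
    server_cert_expired = any((nickname(r) or "").startswith("Server-Cert")
                              for r in expired)
    return {
        "expired_ids": [r["request_id"] for r in expired],
        "blocked_ids": [r["request_id"] for r in blocked],
        "chicken_and_egg": server_cert_expired and bool(blocked),
    }


if __name__ == "__main__":
    # Clock set to the date of the message above (constructed).
    for key, value in diagnose(SAMPLE, parse_expiry("2015-06-09 09:32:19 UTC")).items():
        print(f"{key}: {value}")
```

Run against live output (`getcert list -c dogtag-ipa-renew-agent | python3 triage.py` after replacing `SAMPLE` with `sys.stdin.read()`), the report separates two things that look alike in certmonger's status column: certificates that are simply expired, and renewals that cannot even start because the endpoint's own certificate fails verification. The second category is the one a monitoring check should alarm on well before the CA's `Server-Cert` expires, since afterwards no tracked certificate can be renewed through the normal path.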