[Freeipa-users] Certificate renewal issues for dogtag GUI (9443/9444/9445 ports)

Martin Kosek mkosek at redhat.com
Tue May 12 06:23:04 UTC 2015 

On 05/11/2015 05:14 PM, Thibaut Pouzet wrote:
> Hi !
> 
> I am running into a weird problem with my IPA Server, and the
> certificates management. My setup is :
> CentOS 6.6
> pki-ca-9.0.3-38.el6_6.noarch
> ipa-server-3.0.0-42.el6.centos.x86_64
> Linux ipa_server 2.6.32-504.16.2.el6.x86_64 #1 SMP Wed Apr 22 06:48:29
> UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
> 
> The server has been installed two years ago, and all the certificates on
> the master server expired this month. (2 year validity). Apparently,
> they were not properly tracked by certmonger, so they were not renewed.
> 
> By doing some getcert stop-tracking, then getcert start-tracking xxxx, I
> was able to track 8 of the 9 certificates that I can display with
> getcert list on this server.
> 
> There is one that remains expired, despite all the efforts I put into
> renewing it. This is the one used for the pki-ca administration pages
> reachable on ports 9443, 9444 and 9445. Here is its status after trying
> to resubmit it :
> getcert resubmit -i 20150511145941 -K HTTP/ipa_server
> getcert list -i 20150511145941
> 
> Number of certificates and requests being tracked: 9.
> Request ID '20150511145941':
>         status: CA_UNREACHABLE
>         ca-error: Server at https://ipa_server/ipa/xml failed request,
> will retry: 4301 (RPC failed at server.  Certificate operation cannot be
> completed: FAILURE (Invalid Request)).
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB',pin='1234'
>         certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=ipa_domain
>         subject: CN=ipa_server,O=ipa_domain
>         expires: 2015-04-09 04:58:33 UTC
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> 
> 
> I tried to stop tracking it, and then tracking it again, with no luck :
> getcert start-tracking -d "/var/lib/pki-ca/alias" -n "subsystemCert
> cert-pki-ca" -t "NSS Certificate DB" -P 1234 -r -c IPA
> 
> I changed the trust settings as well, still not working :
> sh-4.1# certutil -M -n "Server-Cert cert-pki-ca" -d
> /var/lib/pki-ca/alias -t u,u,Pu
> 
> sh-4.1# certutil -L -d /var/lib/pki-ca/alias
> Certificate Nickname                                         Trust
> Attributes
> SSL,S/MIME,JAR/XPI
> ocspSigningCert cert-pki-ca                                  u,u,u
> subsystemCert cert-pki-ca                                    u,u,u
> auditSigningCert cert-pki-ca                                 u,u,Pu
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> Server-Cert cert-pki-ca                                      u,u,Pu
> 
> However, I find this error in different places :
> ca-error: Server at "http://ipa_server:9180/ca/ee/ca/profileSubmit"
> replied: Invalid Request
> 
> sh-4.1# ipa user-show admin
> ipa: ERROR: Missing or invalid HTTP Referer, https://ipa_server/ipa/xml
> 
> Sometimes, I also get it with "ipa cert-show 1", sometimes I don't.
> 
> Sometimes its status changes even though I don't think I've done anything :
> ca-error: Server at https://ipa_server/ipa/xml failed request, will
> retry: 911 (RPC failed at server.  Missing or invalid HTTP Referer,
> https://ipa_server/ipa/xml).
> 
> And I can find inside /var/log/pki-ca/debug these lines :
> [11/May/2015:20:38:49][http-9180-1]: EnrollProfile: parsePKCS10:
> signature verification enabled
> [11/May/2015:20:38:49][http-9180-1]: EnrollProfile: parsePKCS10
> org.mozilla.jss.NoSuchTokenException
> [11/May/2015:20:38:49][http-9180-1]: EnrollProfile: parsePKCS10
> restoring thread token
> Invalid Request
>         at
> com.netscape.cms.profile.common.EnrollProfile.parsePKCS10(EnrollProfile.java:953)
>         at
> com.netscape.cms.profile.common.EnrollProfile.createRequests(EnrollProfile.java:102)
>         at
> com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:1001)
>         at
> com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:501)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>         at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>         at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>         at
> com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>         at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>         at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>         at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>         at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>         at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>         at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>         at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>         at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>         at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
>         at
> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>         at
> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>         at java.lang.Thread.run(Thread.java:701)
> 
> 
> There is the BLOB inside the logs, containing the CSR, and I can read it
> with openssl so it is correctly formatted :
> 
> Certificate Request:
>     Data:
>         Version: 0 (0x0)
>         Subject: O=ipa_domain, CN=ipa_server
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                     00:b8:d6:d3:51:c0:4c:ce:2a:c1:1b:b7:60:a3:6a:
>                     04:ec:6d:75:94:c4:b9:b5:4a:40:3a:be:d5:12:d8:
>                     77:af:a2:8e:a4:5a:47:cf:3b:4d:7a:8a:13:2b:1a:
>                     93:c0:f3:a5:ae:25:44:86:56:72:d9:73:9e:e3:22:
>                     0e:7c:66:64:87:f7:b1:06:2f:c5:ca:7d:b6:3f:9e:
>                     67:9e:b3:5b:72:56:bd:12:e6:65:65:8b:b3:5a:5d:
>                     53:94:a2:d7:be:53:97:59:9d:c4:2e:1a:79:b5:c2:
>                     d1:ac:85:90:04:0b:1b:c6:27:fb:82:46:88:c1:31:
>                     38:83:1d:a8:83:bc:a3:a9:fa:3e:de:91:e0:84:d6:
>                     00:cb:e1:80:38:61:55:4c:60:6b:d7:55:7c:5d:88:
>                     f6:c2:bf:42:57:3b:82:30:2b:29:b9:84:93:90:60:
>                     c6:1a:f4:3a:45:fa:04:69:60:c0:86:33:02:4d:69:
>                     04:07:e0:37:36:b2:2f:ae:6d:28:5a:86:90:65:30:
>                     b3:9b:5f:e4:8d:f2:d1:dd:1b:6a:02:23:fb:07:7e:
>                     0d:e0:f0:64:1a:34:8c:2d:f5:db:63:22:82:6f:e4:
>                     53:72:c1:dc:9a:e9:37:4c:f0:3b:39:d4:31:d6:b9:
>                     62:c4:93:2d:30:47:f4:4a:2f:76:fc:08:f4:82:28:
>                     1b:fb
>                 Exponent: 65537 (0x10001)
>         Attributes:
>             friendlyName             :unable to print attribute
>         Requested Extensions:
>             X509v3 Key Usage:
>                 Digital Signature, Non Repudiation, Key Encipherment,
> Data Encipherment
>             X509v3 Subject Alternative Name:
>                 othername:<unsupported>, othername:<unsupported>
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication
>             X509v3 Basic Constraints: critical
>                 CA:FALSE
>             X509v3 Subject Key Identifier:
>                 2E:41:D7:91:F0:F4:AA:F6:3D:C0:0C:6B:89:DB:23:6C:90:DA:0E:C7
>     Signature Algorithm: sha256WithRSAEncryption
>          53:36:9a:b6:e8:90:a1:3f:99:cf:85:64:9d:1c:ff:40:ad:f4:
>          31:53:03:81:0c:37:5e:3d:d2:a2:c1:fb:1c:6c:68:f9:c8:cd:
>          b9:45:38:be:b1:17:ac:63:7b:a7:46:ca:64:1a:d3:4a:c2:63:
>          ca:64:ca:39:01:e4:5f:3b:6c:86:de:23:0e:12:04:be:2b:f7:
>          22:1c:ac:0f:91:56:87:b2:95:20:a6:2d:10:f9:98:e5:51:46:
>          c8:b0:71:20:85:98:a3:35:c4:ef:fd:55:20:5e:a9:01:ed:3b:
>          99:5f:43:8a:85:b1:c7:3d:94:1d:d6:4b:87:3b:1a:72:c4:7b:
>          35:5c:65:11:e2:7f:ba:72:d8:63:ab:f6:a1:6f:b0:73:0b:c5:
>          c7:ca:2a:da:eb:b3:d0:64:75:7d:c3:9a:f5:b3:e7:d1:7b:e2:
>          b0:ab:68:87:a2:fd:71:19:92:49:b5:e0:72:32:d8:cd:b7:f3:
>          c9:a2:92:0d:20:65:c7:4a:5a:e7:d4:2a:e5:50:f1:63:44:97:
>          2c:c5:27:c4:2e:38:be:4f:02:33:91:f5:7d:2d:ab:75:7b:09:
>          f7:86:0d:ac:3b:b7:c9:5e:00:96:49:e4:b1:f5:19:d2:1b:e6:
>          68:d6:e9:51:5b:9b:ec:d4:b3:e6:fd:e3:ee:7f:84:c3:e6:9b:
>          cb:11:d8:48
> 
> And here I am, with this expired certificate still being served on my
> server...
> 
> If anyone has any clue on what's going on, I would be really grateful !
> 
> Cheers,
> 

Thanks for the report. This is out of my expertise unfortunately, I am CCing
developers from Dogtag, hoping they can help.

More information about the Freeipa-users mailing list