[Freeipa-users] certificates expired - won't renew

Rob Crittenden rcritten at redhat.com
Mon Aug 1 14:17:00 UTC 2016


sipazzo wrote:
> I set time back on master ca and was able to renew its certs except for
> one that has yet to expire but should have renewed. I tried to resubmit
> it but it still does not renew and status says NEED_CSR_GEN_TOKEN. We do
> have a go daddy cert we use as well but it is valid still. Is it because
> of the nickname mismatches? I am not sure how to fix that.

There is no cert to renew. You replaced the IPA-issued certificates with 
GoDaddy certs. The NEED_CSR_GEN_TOKEN is there because there is no 
private key for a certificate named Server-Cert so certmonger doesn't 
know what to do. To make this go away you can tell certmonger to stop 
tracking this non-existent certificate with something like:

# ipa-getcert stop-tracking -i <request_id>

certmonger cannot auto-renew your GoDaddy certificate.

and see below.

>
> ipa1-example.com
>
> Request ID '20140729215756':
>      status: NEED_CSR_GEN_TOKEN
>      stuck: yes
>      key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
>      certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
> Certificate DB'
>      CA: IPA
>      issuer: CN=Certificate Authority,O=EXAMPLE.COM
>      subject: CN=ipa1.example.com,O=EXAMPLE.COM
>      expires: 2016-07-29 20:39:21 UTC
>      key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>      eku: id-kp-serverAuth,id-kp-clientAuth
>      pre-save command:
>      post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
>      track: yes
>      auto-renew: yes
>
> certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> NWF_GD                                                       u,u,u
> CN=Certificate Authority,O=EXAMPLE.COM                       CT,,C
> OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US   CT,,C
> GD_CA                                                        CT,,C
> CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US   CT,,C
>
>
> certutil -L -d /etc/dirsrv/slapd-PKI-IPA/
>
> Certificate Nickname
> O=EXAMPLE.COM     Trust Attributes
>
> SSL,S/MIME,JAR/XPI
>
> EXAMPLE.COM IPA CA                                          CT,C,
> Server-Cert                                                  u,u,u
>
>
> certutil -L -d /etc/httpd/alias/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> EXAMPLE.COM IPA CA                                           CT,C,
> ipaCert                                                      u,u,u
> Server-Cert                                                  u,u,u
>
> My other servers had varying degrees of success with their expired
> certificates, I have one server that would not renew 6 of its certs, 1
> that would not renew 2 of its certs and 1 that would not renew 1 of its
> certs. These are examples of the last two - I will save the one that
> won't renew 6 as I am hoping I can apply same steps to those failures.
>
> *ipa2.example.com - 2 won't renew - one CA_unreachable even after
> successful restart of services and one NEED_CSR_GEN_TOKEN*
>
> Request ID '20140729215756':
>      status: NEED_CSR_GEN_TOKEN
>      stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
>      certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
> Certificate DB'
>      CA: IPA
>      issuer: CN=Certificate Authority,O=EXAMPLE.COM
>      subject: CN=ipa2.example.com,O=EXAMPLE.COM
>      expires: 2016-07-29 20:39:21 UTC
>      key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>      eku: id-kp-serverAuth,id-kp-clientAuth
>      pre-save command:
>      post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
>      track: yes
>      auto-renew: yes

I'm guessing same GoDaddy issue.

> Request ID '20140729215712':
>      status: CA_UNREACHABLE
> ca-error: Error 60 connecting to
> https://ipa2.example.com:9443/ca/agent/ca/profileReview: Peer
> certificate cannot be authenticated with known CA certificates.
>      stuck: no
> key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB',pin set
>      certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB'
>      CA: dogtag-ipa-renew-agent
>      issuer: CN=Certificate Authority,O=EXAMPLE.COM
>      subject: CN=ipa2.example.com,O=EXAMPLE.COM
>      expires: 2016-07-18 21:57:06 UTC
>      key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>      eku: id-kp-serverAuth
>      pre-save command:
>      post-save command:
>      track: yes
>      auto-renew: yes

You should update certmonger. The version you have doesn't include the 
pre/save commands in its output.

But going back in time should get this one renewed.

> *ipa3 - 1 won't renew NEED_CSR_GEN_TOKEN*
>
> Request ID '20140729215511':
>      status: NEED_CSR_GEN_TOKEN
>      stuck: yes
>      key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
>      certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
> Certificate DB'
>      CA: IPA
>      issuer: CN=Certificate Authority,O=EXAMPLE.COM
>      subject: CN=ipa3.example.com,O=EXAMPLE.COM
>      expires: 2016-07-29 20:38:41 UTC
>      key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>      eku: id-kp-serverAuth,id-kp-clientAuth
>      pre-save command:
>      post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
>      track: yes
>      auto-renew: yes

More GoDaddy I assume.

rob
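Added example, not part of the thread and not FreeIPA or certmonger code: a small parser that reads `getcert list` output together with `certutil -L` listings and reports the requests Rob describes, i.e. ones stuck in NEED_CSR_GEN_TOKEN whose key-pair nickname no longer exists in the NSS database they point at, then prints the matching `getcert stop-tracking -i <request_id>` commands. The sample output below is constructed from the thread's listings (abbreviated, one line per field as the real tools print it); the field regexes and trust-flag heuristic are assumptions about those tools' output formats, not documented APIs.

```python
import re
from typing import Dict, List, Optional, Tuple

# Trust-flag triple that ends a certutil -L data row, e.g. "u,u,u" or "CT,,C".
TRUST_RE = re.compile(r"^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$")
# key=value pairs of a certmonger storage descriptor; values may be single-quoted.
KV_RE = re.compile(r"(\w+)=(?:'([^']*)'|([^,]*))")


def parse_getcert_list(text: str) -> List[Dict[str, Optional[str]]]:
    """One dict per 'Request ID' block, with the key pair storage split out."""
    requests: List[Dict[str, Optional[str]]] = []
    current: Optional[Dict[str, Optional[str]]] = None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if key == "key pair storage":
            storage = {k: (q or u) for k, q, u in KV_RE.findall(value)}
            current["location"] = storage.get("location")
            current["nickname"] = storage.get("nickname")
        else:
            current[key] = value
    return requests


def nss_nicknames(certutil_output: str) -> List[str]:
    """Nicknames from `certutil -L -d <db>`; data rows end in a trust triple."""
    names = []
    for line in certutil_output.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) == 2 and TRUST_RE.match(parts[1]):
            names.append(parts[0].rstrip())
    return names


def orphaned_requests(getcert_output: str, nssdb_listings: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """NEED_CSR_GEN_TOKEN requests whose key-pair nickname is absent from the
    NSS database they point at (the 'no private key for Server-Cert' case).
    nssdb_listings maps a DB location to its `certutil -L -d <location>` output."""
    found = []
    for req in parse_getcert_list(getcert_output):
        if req.get("status") != "NEED_CSR_GEN_TOKEN":
            continue
        loc, nick = req.get("location"), req.get("nickname")
        listing = nssdb_listings.get(loc or "")
        if listing is None:
            continue  # no listing supplied for that DB: do not suggest stop-tracking blindly
        if nick not in nss_nicknames(listing):
            found.append((req["id"], loc, nick))
    return found


def stop_tracking_commands(getcert_output: str, nssdb_listings: Dict[str, str]) -> List[str]:
    """The cleanup commands for every orphaned request."""
    return ["getcert stop-tracking -i %s" % rid for rid, _, _ in orphaned_requests(getcert_output, nssdb_listings)]


# Constructed sample data modelled on the thread's listings (abbreviated).
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 2.
Request ID '20140729215756':
    status: NEED_CSR_GEN_TOKEN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    expires: 2016-07-29 20:39:21 UTC
Request ID '20140729215712':
    status: CA_UNREACHABLE
    ca-error: Error 60 connecting to https://ipa2.example.com:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    CA: dogtag-ipa-renew-agent
"""

SAMPLE_NSSDBS = {
    "/etc/dirsrv/slapd-EXAMPLE-COM": """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

NWF_GD                                                       u,u,u
CN=Certificate Authority,O=EXAMPLE.COM                       CT,,C
GD_CA                                                        CT,,C
""",
    "/var/lib/pki-ca/alias": """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,
Server-Cert cert-pki-ca                                      u,u,u
""",
}

if __name__ == "__main__":
    for rid, loc, nick in orphaned_requests(SAMPLE_GETCERT, SAMPLE_NSSDBS):
        print("request %s tracks nickname %r, which is absent from %s" % (rid, nick, loc))
    for cmd in stop_tracking_commands(SAMPLE_GETCERT, SAMPLE_NSSDBS):
        print(cmd)
```

On a real server you would feed it `getcert list` and one `certutil -L -d <dir>` per database that the stuck requests reference. The CA_UNREACHABLE request is deliberately left alone: its key is present, and as Rob says that one should renew once the clock is set back.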

> ------------------------------------------------------------------------
> *From:* sipazzo <sipazzo at yahoo.com>
> *To:* Rob Crittenden <rcritten at redhat.com>; "freeipa-users at redhat.com"
> <freeipa-users at redhat.com>
> *Sent:* Friday, July 29, 2016 4:06 PM
> *Subject:* Re: [Freeipa-users] certificates expired - won't renew
>
> Rob you are awesome and I don't know what I would do without you. So I
> have two things going on obviously. Following your instructions it looks
> like the DM password has correctly been set. I cannot change the admin
> password as a test because I get the cert errors. I am going to retry
> setting dates back and requesting new certs again following some of the
> threads I have seen. Could you please just clarify two points? On my 4
> servers all running as CAs do I only need to set the date back to prior
> to expired certs running ipa-getcert list or the earliest expired date
> when running getcert list? The getcert list shows certs that have been
> expired since June but the ipa-getcert shows more recent. Also, does it
> matter which servers I do first? Meaning should I set time back on my
> "master" CA first.
>
> This is the expiration output info from my master:
>
> [root at ipa2 ~]# ipa-getcert list | grep expires
>      expires: 2016-08-26 16:41:24 UTC
>      expires: 2016-08-26 16:41:23 UTC
>      expires: 2016-08-26 16:41:24 UTC
> [root at ipa2 ~]# getcert list | grep expires
>      expires: 2016-08-26 16:41:24 UTC
>      expires: 2016-08-15 16:47:26 UTC
>      expires: 2016-08-26 16:41:23 UTC
>      expires: 2016-08-26 16:41:24 UTC
>      expires: 2016-06-06 23:36:29 UTC
>      expires: 2016-06-06 23:36:28 UTC
>      expires: 2016-06-06 23:36:28 UTC
>      expires: 2016-06-06 23:37:09 UTC
>
>
> Again thank you, as always.
>
>
> ------------------------------------------------------------------------
> *From:* Rob Crittenden <rcritten at redhat.com>
> *To:* sipazzo <sipazzo at yahoo.com>; "freeipa-users at redhat.com"
> <freeipa-users at redhat.com>
> *Sent:* Friday, July 29, 2016 2:10 PM
> *Subject:* Re: [Freeipa-users] certificates expired - won't renew
>
> sipazzo wrote:
>  > I have seen many threads on this so sorry to bring it up again but I
>  > have a freeipa domain, with 4 ipa servers running on redhat 6 version
>  > 3.0.0-50. The certificates are expired/expiring and will not renew and
>  > it is causing many issues for us. I have tried the many suggestions I
>  > have see in the archives such as changing the time to prior to
>  > expiration and attempting renew by resubmitting the requests but they
>  > never renew. An example of getcert list from the first server that
> expired:
>  >
>  > Number of certificates and requests being tracked: 8.
>
> [snip]
>
>
>  > localhost log in /var/log/pki-ca have errors like:
>  > tail localhost.2016-07-29.log
>  > Jul 29, 2016 8:55:51 AM org.apache.catalina.core.StandardWrapperValve
> invoke
>  > SEVERE: Servlet.service() for servlet caProfileSubmit threw exception
>  > java.io.IOException: CS server is not ready to serve.
>  >      at
>  > com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:441)
>  >      at javax.servlet.http.HttpServlet.service(HttpServlet.java:723)
>  >      at
>  >
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>  >      at
>  >
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>  >      at
>  >
> com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>  >      at
>  >
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>  >      at org.
>  >
>  > Debug log in /var/log/pki-cacd
>  >  tail debug
>  > [29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password
>  > store initialized before.
>  > [29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password
>  > store initialized.
>  > [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable getLDAPConn:
>  > netscape.ldap.LDAPException: error result (49)
>  > [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable: unable to
>  > query sessionIds: java.io.IOException: Failed to connect to the internal
>  > database.
>  > [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable:
>  > getSessionIds: Error in disconnecting from database:
>  > java.lang.NullPointerException
>  > [29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password
>  > store initialized before.
>  > [29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password
>  > store initialized.
>  > [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable getLDAPConn:
>  > netscape.ldap.LDAPException: error result (49)
>  > [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable: unable to
>  > query sessionIds: java.io.IOException: Failed to connect to the internal
>  > database.
>  > [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable:
>  > getSessionIds: Error in disconnecting from database:
>  > java.lang.NullPointerException
>  >
>  >
>  > Performing most IPA commands results in errors such as ipa: ERROR: cert
>  > validation failed for "CN=ipa1.example.com,O=EXAMPLE.COM"
>  > ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
>  >
>  > Not sure if it is related but we lost our first IPA server some time ago
>  > and had to promote another to the CA master. Also, due to someone
>  > leaving the company at the beginning of the year we had to change the
>  > directory manager password. I followed all the directions to do so but
>  > it does not seem like it was a completely smooth transaction.
>
>
> It is related. Your CA can't connect to its database. You must have
> missed a step when updating the DM password.
>
> As a goof I just tried it on my RHEL 6 install and it seems to work,
> this is what I did:
>
> # service dirsrv stop
> # /usr/bin/pwdhash password
>
> edit both /etc/dirsrv/slapd-REALM/dse.ldif and
> /etc/dirsrv/slapd-PKI-IPA/dse.ldif to set nsslapd-rootpw
>
> # service dirsrv start
>
> Check both of the new passwords:
>
> # ldapsearch -x -D "cn=directory manager" -W -s base -b ""
> "objectclass=*"
> # ldapsearch -h localhost -p 7389 -x -D "cn=directory manager" -W -s
> base -b "" "objectclass=*"
>
> Update internaldb value in /etc/pki-ca/password.conf with the new password.
>
> Update and test the admin user password:
>
> # ldappasswd -h localhost -ZZ -p 7389 -x -D "cn=Directory Manager" -W -S
> uid=admin,ou=people,o=ipaca
> # ldapsearch -h localhost -ZZ -p 7389 -x -D
> "uid=admin,ou=people,o=ipaca" -W -b "" -s base
>
> Restart the CA
>
> # service pki-cad restart
>
> Note that things _still_ aren't going to work so hot with all the
> expired certs but if you go back in time you will at least have a chance
> of renewing things.
>
> rob
>
>
>
>
>
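Added example, not part of the thread and not FreeIPA or 389-ds code, illustrating the Directory Manager password procedure Rob quotes above and the failure it cures (the CA's `error result (49)` bind failure against its internal database). It parses the `nsslapd-rootpw` value out of a `slapd-PKI-IPA/dse.ldif` fragment, the `internaldb=` line out of `/etc/pki-ca/password.conf`, and checks offline whether the two agree, so the mismatch can be found before restarting `pki-cad`. The hash construction mirrors the `{SSHA}` format `pwdhash` emits (base64 of digest followed by salt), which is an assumption about that tool; a hash in any other scheme (for example PBKDF2_SHA256 on newer 389-ds) makes the checker raise rather than guess. All file contents, passwords and the fixed salt are constructed for the example.

```python
import base64
import hashlib
import hmac
import re
from typing import List, Optional

# Salted-hash schemes as stored in nsslapd-rootpw: base64(digest || salt).
SCHEMES = {"SSHA": ("sha1", 20), "SSHA256": ("sha256", 32), "SSHA512": ("sha512", 64)}


def make_salted_hash(password: str, salt: bytes, scheme: str = "SSHA") -> str:
    """Build a {SSHA}-style value in the format pwdhash emits (assumed); used
    here to construct sample data. On a real server keep using /usr/bin/pwdhash."""
    algo, _ = SCHEMES[scheme]
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def check_salted_hash(password: str, stored: str) -> bool:
    """Verify a password against a {SSHA}/{SSHA256}/{SSHA512} value."""
    m = re.match(r"\{([A-Z0-9]+)\}(\S+)$", stored)
    if not m or m.group(1) not in SCHEMES:
        raise ValueError("unsupported password scheme in: %s" % stored[:16])
    algo, dlen = SCHEMES[m.group(1)]
    raw = base64.b64decode(m.group(2))
    digest, salt = raw[:dlen], raw[dlen:]
    calc = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)


def _unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def rootpw_from_dse(dse_text: str) -> Optional[str]:
    """nsslapd-rootpw from dse.ldif; a '::' separator means base64-wrapped."""
    for line in _unfold_ldif(dse_text):
        if line.startswith("nsslapd-rootpw:: "):
            return base64.b64decode(line[len("nsslapd-rootpw:: "):]).decode("ascii")
        if line.startswith("nsslapd-rootpw: "):
            return line[len("nsslapd-rootpw: "):].strip()
    return None


def set_rootpw(dse_text: str, new_hash: str) -> str:
    """The manual dse.ldif edit from the thread: replace the rootpw line
    (only valid while dirsrv is stopped, since the server rewrites dse.ldif)."""
    out = []
    for line in _unfold_ldif(dse_text):
        if line.startswith("nsslapd-rootpw:"):
            line = "nsslapd-rootpw: " + new_hash
        out.append(line)
    return "\n".join(out) + "\n"


def internaldb_password(password_conf: str) -> Optional[str]:
    """internaldb=... from /etc/pki-ca/password.conf (what the CA binds with)."""
    for line in password_conf.splitlines():
        if line.startswith("internaldb="):
            return line[len("internaldb="):]
    return None


def ca_bind_consistent(pki_dse_text: str, password_conf: str) -> bool:
    """True when the CA's stored internaldb password matches the Directory
    Manager hash in slapd-PKI-IPA/dse.ldif; False is the LDAP error 49 case."""
    stored = rootpw_from_dse(pki_dse_text)
    pw = internaldb_password(password_conf)
    if stored is None or pw is None:
        return False
    return check_salted_hash(pw, stored)


# Constructed sample: dse.ldif already carries the new DM hash, while
# password.conf still holds the old password (the missed step).
NEW_DM_PASSWORD = "N3w-DM-Secret"
OLD_DM_PASSWORD = "0ld-DM-Secret"
SAMPLE_SALT = bytes(range(8))  # fixed for reproducibility; pwdhash picks a random salt

SAMPLE_PKI_DSE = """\
dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
nsslapd-port: 7389
nsslapd-rootdn: cn=directory manager
nsslapd-rootpw: %s
""" % make_salted_hash(NEW_DM_PASSWORD, SAMPLE_SALT)

STALE_PASSWORD_CONF = "internal=sample-token-pin\ninternaldb=%s\nreplicationdb=1234567890\n" % OLD_DM_PASSWORD
FIXED_PASSWORD_CONF = STALE_PASSWORD_CONF.replace("internaldb=" + OLD_DM_PASSWORD, "internaldb=" + NEW_DM_PASSWORD)

if __name__ == "__main__":
    print("stale password.conf binds:", ca_bind_consistent(SAMPLE_PKI_DSE, STALE_PASSWORD_CONF))
    print("updated password.conf binds:", ca_bind_consistent(SAMPLE_PKI_DSE, FIXED_PASSWORD_CONF))
```

The check only covers the slapd-PKI-IPA instance because that is the database the CA binds to; the `ldapsearch` tests in the quoted procedure remain the authoritative check, since they exercise the running server rather than the files on disk.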




More information about the Freeipa-users mailing list