[Freeipa-users] IPA certificates expired, please help!

Linov Suresh linov.suresh at gmail.com
Mon Jul 18 03:45:04 UTC 2016


Thanks for the update, Rob. I went back to Jan 20, 2016, and restarted the CA and
certmonger. Looks like the certificates were renewed. But I'm getting a
different error now:

ca-error: Internal error: no response to
"http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".

[root@caer ~]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20111214223243':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2016-07-18 15:54:36 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20111214223300':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2016-07-18 15:54:52 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20111214223316':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2016-07-18 15:55:04 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130519130741':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=CA Audit,O=TELOIP.NET
        expires: 2017-10-13 14:10:49 UTC
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130742':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=OCSP Subsystem,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-OCSPSigning
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130743':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=CA Subsystem,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130744':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=RA Subsystem,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20130519130745':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
        track: yes
        auto-renew: yes
[root@caer ~]#

Your help is highly appreciated!

On Fri, Jul 15, 2016 at 5:08 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Linov Suresh wrote:
>
>> I logged into my IPA master, and found that the cert had expired again,
>> we renewed these certificates about 18 months ago.
>>
>> Our environment is CentOS 6.4 and IPA 3.0.0-26.
>>
>>
>>   I followed the Red Hat documentation "How do I manually renew Identity
>>   Management (IPA) certificates after they have expired? (Master IPA
>>   Server)", https://access.redhat.com/solutions/643753, but no luck.
>>
>>
>> I have also changed the directive "NSSEnforceValidCerts off" in
>> /etc/httpd/conf.d/nss.conf and the value of nsslapd-validate-cert is warn.
>>
>> ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w *******
>> -b  cn=config | grep  nsslapd-validate-cert
>>
>> nsslapd-validate-cert: warn
>>
>> Here is my getcert list,
>>
>> [root@caer ~]# getcert list
>>
>
> It looks like your CA subsystem certificates all renewed successfully; it
> is just the webserver and LDAP certificates that need renewing, so that's
> good.
>
> What I'd do is go back in time again to say Jan 20, 2016 and restart
> certmonger. That should make it retry the renewals.
>
> rob
>
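As an added example (not part of this thread, and not IPA or certmonger code), a small triage script for the `getcert list` format shown above: it collects each tracked request's fields and reports entries that carry a ca-error or whose expiry falls inside a grace window relative to a chosen "now". Run over the output above at the time of the post, it would report the five dogtag-ipa-renew-agent entries for their ca-error and the three Server-Cert entries whose expiry (2016-07-18 15:54 UTC) is later the same day. The sample text and all function names are constructed for this example.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample in the `getcert list` format shown in the post (two
# entries, abbreviated); not copied from any real system.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20111214223243':
        status: MONITORING
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2016-07-18 15:54:36 UTC
Request ID '20130519130741':
        status: MONITORING
        ca-error: Internal error: no response to "http://ca.example:9180/ca/ee/ca/profileSubmit".
        subject: CN=CA Audit,O=TELOIP.NET
        expires: 2017-10-13 14:10:49 UTC
"""
# Only indented "key: value" lines are fields; unindented continuation lines
# (mail-client wrapping, as in the post) are skipped rather than mis-parsed.
FIELD = re.compile(r"^\s+([a-z][\w\- ]*?):\s*(.*)$")

def parse_utc(stamp):
    """'2016-07-18 15:54:36 UTC' -> timezone-aware datetime."""
    naive = datetime.strptime(stamp.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)

def parse_getcert(text):
    """Return one dict of fields per 'Request ID' block."""
    records, current = [], None
    for line in text.splitlines():
        head = re.match(r"Request ID '(\d+)':", line)
        if head:
            current = {"id": head.group(1)}
            records.append(current)
            continue
        field = FIELD.match(line)
        if current is not None and field:
            current[field.group(1)] = field.group(2).strip()
    return records

def check_renewals(text, now, grace=timedelta(days=7)):
    """(request id, reason) pairs for entries with a ca-error or expiring within grace."""
    findings = []
    for rec in parse_getcert(text):
        if rec.get("ca-error"):
            findings.append((rec["id"], "ca-error: " + rec["ca-error"]))
        if rec.get("expires"):
            when = parse_utc(rec["expires"])
            if when <= now:
                findings.append((rec["id"], "expired at " + rec["expires"]))
            elif when - now <= grace:
                findings.append((rec["id"], "expires within grace: " + rec["expires"]))
    return findings
```

Feed it real `getcert list` output (for example `check_renewals(open("getcert.txt").read(), parse_utc("2016-07-18 03:45:04 UTC"))`) to see both kinds of finding at once; an entry that shows no ca-error but still expires within the window is the one to look at first.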