[Freeipa-users] IPA certificates expired, please help!

Linov Suresh lsuresh at teloip.com
Fri Jul 15 20:42:36 UTC 2016


I logged into my IPA master and found that the cert had expired again; we renewed these certificates about 18 months ago.



Our environment is CentOS 6.4 and IPA 3.0.0-26.



I followed the Red Hat documentation, "How do I manually renew Identity Management (IPA) certificates after they have expired? (Master IPA Server)", https://access.redhat.com/solutions/643753, but had no luck.

I have also changed "NSSEnforceValidCerts off" in /etc/httpd/conf.d/nss.conf, and the nsslapd-validate-cert value is warn.
ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w ******* -b  cn=config | grep  nsslapd-validate-cert
nsslapd-validate-cert: warn

Here is my getcert list:

[root at caer ~]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20111214223243':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2016-01-29 14:09:46 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20111214223300':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2016-01-29 14:09:45 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20111214223316':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2016-01-29 14:09:45 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130519130741':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=CA Audit,O=TELOIP.NET
        expires: 2017-10-13 14:10:49 UTC
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130742':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=OCSP Subsystem,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-OCSPSigning
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130743':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=CA Subsystem,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130744':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=RA Subsystem,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20130519130745':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

Note:
I'm seeing two blobs in ipaCert; not sure whether this is because we already renewed the certificate about 18 months back.
[root at caer ~]# certutil -L -d /etc/httpd/alias -n ipaCert -a

Your help is highly appreciated.

Regards,
Linov Suresh.
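A monitoring check for the situation described in this post, added here as an example and not part of the thread: it parses `getcert list` output in the format shown above and flags tracked certificates that are expired, about to expire, or stuck, so an expiry is caught before the directory server and web server stop working. The sample output is constructed from two of the entries above with the domain and paths changed; `parse_ts`, `parse_getcert` and `check_certs` are names chosen for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the post's getcert output (2 of 8 entries, names changed).
SAMPLE = """\
Request ID '20111214223243':
        status: CA_UNREACHABLE
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE',nickname='Server-Cert',token='NSS Certificate DB'
        expires: 2016-01-29 14:09:46 UTC
Request ID '20130519130745':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        expires: 2016-08-01 00:00:00 UTC
"""

def parse_getcert(text):
    """Split `getcert list` output into one dict of fields per tracked request."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"Request ID '(\d+)':", line.strip())
        if m:
            entries.append({"id": m.group(1)})
        elif entries and ":" in line:
            key, _, val = line.strip().partition(":")
            entries[-1][key.strip()] = val.strip()
    return entries

def parse_ts(s):
    """certmonger prints 'YYYY-MM-DD HH:MM:SS UTC'; return an aware datetime."""
    return datetime.strptime(s.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def check_certs(text, now=None, warn_days=30):
    """Return (request id, nickname, reason) for expired, soon-to-expire or stuck certs."""
    now = parse_ts(now) if now else datetime.now(timezone.utc)
    findings = []
    for e in parse_getcert(text):
        m = re.search(r"nickname='([^']*)'", e.get("key pair storage", ""))
        nick = m.group(1) if m else "?"
        left = (parse_ts(e["expires"]) - now).days
        if left < 0:
            findings.append((e["id"], nick, "expired"))
        elif left <= warn_days:
            findings.append((e["id"], nick, "expires in %d days" % left))
        if e.get("stuck") == "yes":  # stuck: certmonger needs manual intervention to proceed
            findings.append((e["id"], nick, "stuck: " + e.get("status", "?")))
    return findings
```

Run it from cron with the live output of `getcert list` and alert on any non-empty result; a stuck CA_UNREACHABLE entry is the signal that renewal has already failed and needs attention.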