[Freeipa-users] IPA certificates expired, please help!
Petr Vobornik
pvoborni at redhat.com
Mon Jul 18 14:50:09 UTC 2016
On 07/18/2016 05:45 AM, Linov Suresh wrote:
> Thanks for the update, Rob. I went back to Jan 20, 2016, and restarted CA and
> certmonger. It looks like the certificates were renewed, but I'm getting a
> different error now:
>
> *ca-error: Internal error: no response to
> "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".*
Is PKI running? When you change the time, does restarting IPA help?
>
> [root at caer ~]# getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20111214223243':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=TELOIP.NET
> subject: CN=caer.teloip.net,O=TELOIP.NET
> expires: 2016-07-18 15:54:36 UTC
> eku: id-kp-serverAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20111214223300':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate
> DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate
> DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=TELOIP.NET
> subject: CN=caer.teloip.net,O=TELOIP.NET
> expires: 2016-07-18 15:54:52 UTC
> eku: id-kp-serverAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20111214223316':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=TELOIP.NET
> subject: CN=caer.teloip.net,O=TELOIP.NET
> expires: 2016-07-18 15:55:04 UTC
> eku: id-kp-serverAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20130519130741':
> status: MONITORING
> ca-error: Internal error: no response to
> "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
> stuck: no
> key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=TELOIP.NET
> subject: CN=CA Audit,O=TELOIP.NET
> expires: 2017-10-13 14:10:49 UTC
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20130519130742':
> status: MONITORING
> ca-error: Internal error: no response to
> "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
> stuck: no
> key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=TELOIP.NET
> subject: CN=OCSP Subsystem,O=TELOIP.NET
> expires: 2017-10-13 14:09:49 UTC
> eku: id-kp-OCSPSigning
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "ocspSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20130519130743':
> status: MONITORING
> ca-error: Internal error: no response to
> "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
> stuck: no
> key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=TELOIP.NET
> subject: CN=CA Subsystem,O=TELOIP.NET
> expires: 2017-10-13 14:09:49 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "subsystemCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20130519130744':
> status: MONITORING
> ca-error: Internal error: no response to
> "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate
> DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=TELOIP.NET
> subject: CN=RA Subsystem,O=TELOIP.NET
> expires: 2017-10-13 14:09:49 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
> Request ID '20130519130745':
> status: MONITORING
> ca-error: Internal error: no response to
> "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
> stuck: no
> key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=TELOIP.NET
> subject: CN=caer.teloip.net,O=TELOIP.NET
> expires: 2017-10-13 14:09:49 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
> track: yes
> auto-renew: yes
> [root at caer ~]#
>
> Your help is highly appreciated!
>
>
>
> On Fri, Jul 15, 2016 at 5:08 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Linov Suresh wrote:
>
> I logged into my IPA master and found that the cert had expired again;
> we renewed these certificates about 18 months ago.
>
> Our environment is CentOS 6.4 and IPA 3.0.0-26.
>
>
> I followed the Red Hat documentation, "How do I manually renew Identity
> Management (IPA) certificates after they have expired? (Master IPA
> Server)", https://access.redhat.com/solutions/643753, but no luck.
>
>
> I have also changed the directive "NSSEnforceValidCerts off" in
> /etc/httpd/conf.d/nss.conf and the value of nsslapd-validate-cert is warn.
>
> ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w *******
> -b cn=config | grep nsslapd-validate-cert
>
> nsslapd-validate-cert: warn
>
> Here is my getcert list,
>
> [root at caer ~]# getcert list
>
>
> It looks like your CA subsystem certificates all renewed successfully; it is
> just the webserver and LDAP certificates that need renewing, so that's good.
>
> What I'd do is go back in time again to say Jan 20, 2016 and restart
> certmonger. That should make it retry the renewals.
>
> rob
>
>
>
>
--
Petr Vobornik
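The `getcert list` output quoted in this thread is what an operator has to read through by hand to see which tracked requests carry a `ca-error` and which certificates are already past, or about to reach, their `expires` date. The script below is an added example for this archive page; it is not part of the thread, FreeIPA or certmonger. It parses `getcert list` output (including values that a mail client or a narrow terminal wrapped onto a continuation line, as the `ca-error` URL was in the quoted mail), reports expired, expiring and errored requests, and pulls the `host:port` out of the `no response to "http://..."` error so you know which CA listener to check first. The embedded sample output, the host `ipa.example.test`, its request IDs and serial number are constructed for the example; `THREAD_TIME` is the timestamp of this reply.

```python
#!/usr/bin/env python3
"""Triage `getcert list` output: report tracked requests that carry a
ca-error and certificates that are expired or close to expiry.

Added example for this thread; not part of FreeIPA or certmonger.
Usage: getcert list | python3 getcert_triage.py -   (no '-' runs the sample)
"""
import re
import sys
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

REQ_RE = re.compile(r"^Request ID '([^']+)':$")
# certmonger prints one 'key: value' per line; a ca-error value contains
# colons itself, so only the first colon separates key from value.
KEY_RE = re.compile(r"^([A-Za-z][A-Za-z -]*):(.*)$")
CA_URL_RE = re.compile(r'"(https?://[^"]+)"')
NICK_RE = re.compile(r"nickname='([^']*)'")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"

# Timestamp of the reply in the thread (Mon Jul 18 14:50:09 UTC 2016).
THREAD_TIME = datetime(2016, 7, 18, 14, 50, 9, tzinfo=timezone.utc)

# Constructed sample modelled on the quoted output: hostname, request IDs
# and serial number are made up. The ca-error URL is wrapped onto a second
# line, as it was in the quoted mail.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20111214223243':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2016-07-10 09:00:00 UTC
    auto-renew: yes
Request ID '20111214223316':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2016-07-18 15:55:04 UTC
    auto-renew: yes
Request ID '20130519130744':
    status: MONITORING
    ca-error: Internal error: no response to
"http://ipa.example.test:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    subject: CN=RA Subsystem,O=EXAMPLE.TEST
    expires: 2017-10-13 14:09:49 UTC
    auto-renew: yes
"""


def parse_getcert(text):
    """Return one dict per tracked request, keyed by certmonger's field names."""
    requests, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if m:
            current, last_key = {"request_id": m.group(1)}, None
            requests.append(current)
            continue
        if current is None:
            continue  # header line before the first request
        m = KEY_RE.match(line)
        if m:
            last_key = m.group(1).strip()
            current[last_key] = m.group(2).strip()
        elif last_key is not None:
            # continuation of a value that was wrapped onto the next line
            current[last_key] = (current[last_key] + " " + line).strip()
    return requests


def triage(text, now=None, warn_days=30):
    """Flag ca-error, expired and soon-to-expire requests; findings come back
    in the order getcert printed the requests."""
    now = now or datetime.now(timezone.utc)
    horizon = now + timedelta(days=warn_days)
    findings = []
    for req in parse_getcert(text):
        nick = NICK_RE.search(req.get("certificate", ""))
        base = {"request_id": req["request_id"],
                "nickname": nick.group(1) if nick else None}
        err = req.get("ca-error")
        if err:
            url = CA_URL_RE.search(err)
            # host:port certmonger could not reach: the listener to check
            # when asking whether the CA (PKI) is actually up
            endpoint = urlsplit(url.group(1)).netloc if url else None
            findings.append(dict(base, problem="ca-error", endpoint=endpoint, detail=err))
        exp = req.get("expires")
        if exp:
            expires = datetime.strptime(exp, EXPIRES_FMT).replace(tzinfo=timezone.utc)
            if expires <= now:
                findings.append(dict(base, problem="expired", expires=expires))
            elif expires <= horizon:
                findings.append(dict(base, problem="expiring", expires=expires))
    return findings


if __name__ == "__main__":
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE
    for f in triage(data, THREAD_TIME if data is SAMPLE else None):
        print(f"{f['request_id']} {f['nickname']}: {f['problem']}",
              f.get("endpoint") or f.get("expires") or "")
```

Run against the built-in sample at the thread's timestamp it reports the directory server certificate as expired, the web server certificate as expiring later the same day, and the RA certificate as errored with endpoint `ipa.example.test:9180`; the endpoint is the first thing to confirm is listening before retrying the renewals, which is the question raised in the reply above.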