[Freeipa-users] IPA certificates expired, please help!

Linov Suresh linov.suresh at gmail.com
Mon Jul 18 16:00:33 UTC 2016


Yes, PKI is running and I don't see any errors in the self-tests. I have
followed https://access.redhat.com/solutions/643753 and restarted the PKI
in step 10.

The only change I made was to clean up userCertificate;binary before
adding the new userCertificate in LDAP, which is step 12.

[root at caer ~]# /etc/init.d/pki-cad status
pki-ca (pid 8634) is running...                            [  OK  ]
    Unsecure Port       = http://caer.teloip.net:9180/ca/ee/ca
    Secure Agent Port   = https://caer.teloip.net:9443/ca/agent/ca
    Secure EE Port      = https://caer.teloip.net:9444/ca/ee/ca
    Secure Admin Port   = https://caer.teloip.net:9445/ca/services
    EE Client Auth Port = https://caer.teloip.net:9446/ca/eeca/ca
    PKI Console Port    = pkiconsole https://caer.teloip.net:9445/ca
    Tomcat Port         = 9701 (for shutdown)

    PKI Instance Name:   pki-ca

    PKI Subsystem Type:  Root CA (Security Domain)

    Registered PKI Security Domain Information:

==========================================================================
    Name:  IPA
    URL:   https://caer.teloip.net:9445

==========================================================================
[root at caer ~]#
[root at caer ~]# tail -f /var/log/pki-ca/selftests.log
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading all self test plugin logger parameters
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading all self test plugin instances
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading all self test plugin instance parameters
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading self test plugins in on-demand order
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading self test plugins in startup order
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence:  CA is present
8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification: system certs verification success
8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!

Your help is highly appreciated!


   Linov Suresh

   70 Forest Manor Rd.
   Toronto
   ON M2J 0A9
   Mobile: +1 647 406 9438
   Linkedin: ca.linkedin.com/in/linov/
   Website: http://mylinuxthoughts.blogspot.com


On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik <pvoborni at redhat.com> wrote:

> On 07/18/2016 05:45 AM, Linov Suresh wrote:
> > Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and
> > certmonger. Looks like certificates were renewed. But I'm getting a
> > different error now,
> >
> > ca-error: Internal error: no response to
> > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>
> Is PKI running? When you change the time, does restart of IPA help?
>
> >
> > [root at caer ~]# getcert list
> > Number of certificates and requests being tracked: 8.
> > Request ID '20111214223243':
> >          status: MONITORING
> >          stuck: no
> >          key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
> >          certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
> >          CA: IPA
> >          issuer: CN=Certificate Authority,O=TELOIP.NET
> >          subject: CN=caer.teloip.net,O=TELOIP.NET
> >          expires: 2016-07-18 15:54:36 UTC
> >          eku: id-kp-serverAuth
> >          pre-save command:
> >          post-save command:
> >          track: yes
> >          auto-renew: yes
> > Request ID '20111214223300':
> >          status: MONITORING
> >          stuck: no
> >          key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> >          certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> >          CA: IPA
> >          issuer: CN=Certificate Authority,O=TELOIP.NET
> >          subject: CN=caer.teloip.net,O=TELOIP.NET
> >          expires: 2016-07-18 15:54:52 UTC
> >          eku: id-kp-serverAuth
> >          pre-save command:
> >          post-save command:
> >          track: yes
> >          auto-renew: yes
> > Request ID '20111214223316':
> >          status: MONITORING
> >          stuck: no
> >          key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >          certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> >          CA: IPA
> >          issuer: CN=Certificate Authority,O=TELOIP.NET
> >          subject: CN=caer.teloip.net,O=TELOIP.NET
> >          expires: 2016-07-18 15:55:04 UTC
> >          eku: id-kp-serverAuth
> >          pre-save command:
> >          post-save command:
> >          track: yes
> >          auto-renew: yes
> > Request ID '20130519130741':
> >          status: MONITORING
> >          ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
> >          stuck: no
> >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> >          CA: dogtag-ipa-renew-agent
> >          issuer: CN=Certificate Authority,O=TELOIP.NET
> >          subject: CN=CA Audit,O=TELOIP.NET
> >          expires: 2017-10-13 14:10:49 UTC
> >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
> >          track: yes
> >          auto-renew: yes
> > Request ID '20130519130742':
> >          status: MONITORING
> >          ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
> >          stuck: no
> >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> >          CA: dogtag-ipa-renew-agent
> >          issuer: CN=Certificate Authority,O=TELOIP.NET
> >          subject: CN=OCSP Subsystem,O=TELOIP.NET
> >          expires: 2017-10-13 14:09:49 UTC
> >          eku: id-kp-OCSPSigning
> >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
> >          track: yes
> >          auto-renew: yes
> > Request ID '20130519130743':
> >          status: MONITORING
> >          ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
> >          stuck: no
> >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> >          CA: dogtag-ipa-renew-agent
> >          issuer: CN=Certificate Authority,O=TELOIP.NET
> >          subject: CN=CA Subsystem,O=TELOIP.NET
> >          expires: 2017-10-13 14:09:49 UTC
> >          eku: id-kp-serverAuth,id-kp-clientAuth
> >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> >          track: yes
> >          auto-renew: yes
> > Request ID '20130519130744':
> >          status: MONITORING
> >          ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
> >          stuck: no
> >          key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >          certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> >          CA: dogtag-ipa-renew-agent
> >          issuer: CN=Certificate Authority,O=TELOIP.NET
> >          subject: CN=RA Subsystem,O=TELOIP.NET
> >          expires: 2017-10-13 14:09:49 UTC
> >          eku: id-kp-serverAuth,id-kp-clientAuth
> >          pre-save command:
> >          post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> >          track: yes
> >          auto-renew: yes
> > Request ID '20130519130745':
> >          status: MONITORING
> >          ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
> >          stuck: no
> >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> >          CA: dogtag-ipa-renew-agent
> >          issuer: CN=Certificate Authority,O=TELOIP.NET
> >          subject: CN=caer.teloip.net,O=TELOIP.NET
> >          expires: 2017-10-13 14:09:49 UTC
> >          eku: id-kp-serverAuth,id-kp-clientAuth
> >          pre-save command:
> >          post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
> >          track: yes
> >          auto-renew: yes
> > [root at caer ~]#
> >
> > Your help is highly appreciated!
> >
> >
> >
> > On Fri, Jul 15, 2016 at 5:08 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> >
> >     Linov Suresh wrote:
> >
> >         I logged into my IPA master, and found that the cert had expired
> >         again, we renewed these certificates about 18 months ago.
> >
> >         Our environment is CentOS 6.4 and IPA 3.0.0-26.
> >
> >         I followed the Red Hat documentation, "How do I manually renew
> >         Identity Management (IPA) certificates after they have expired?
> >         (Master IPA Server)", https://access.redhat.com/solutions/643753,
> >         but no luck.
> >
> >         I have also changed the directive "NSSEnforceValidCerts off" in
> >         /etc/httpd/conf.d/nss.conf and the value of nsslapd-validate-cert
> >         is warn.
> >
> >         ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w *******
> >         -b cn=config | grep nsslapd-validate-cert
> >
> >         nsslapd-validate-cert: warn
> >
> >         Here is my getcert list,
> >
> >         [root at caer ~]# getcert list
> >
> >
> >     It looks like your CA subsystem certificates all renewed successfully;
> >     it is just the webserver and LDAP certificates that need renewing, so
> >     that's good.
> >
> >     What I'd do is go back in time again to say Jan 20, 2016 and restart
> >     certmonger. That should make it retry the renewals.
> >
> >     rob
> >
> >
> >
> >
>
>
>
> --
> Petr Vobornik
>
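Added example, not code from this thread or from FreeIPA/certmonger: a small parser for the `getcert list` format quoted above that flags tracked requests which are already expired, expire within a warning window, or carry a ca-error (certmonger got no answer from the CA, so auto-renew cannot succeed). The SAMPLE text is constructed to mirror the quoted listing, trimmed to the fields the check reads, and the evaluation time is the thread's own date; both are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample shaped like the `getcert list` output quoted in the thread,
# trimmed to the fields the check reads.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20111214223243':
        status: MONITORING
        CA: IPA
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2016-07-18 15:54:36 UTC
Request ID '20130519130741':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
        CA: dogtag-ipa-renew-agent
        subject: CN=CA Audit,O=TELOIP.NET
        expires: 2017-10-13 14:10:49 UTC
"""

def parse_getcert(text):
    """Split `getcert list` output into one dict per 'Request ID' block."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '(\d+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ":" in line:
            # split on the first colon only: ca-error values contain colons themselves
            key, _, value = line.strip().partition(":")
            requests[-1][key] = value.strip()
    return requests

def check(requests, now, warn_days=30):
    """Return (request id, subject, reason) for every request needing attention."""
    findings = []
    for r in requests:
        expires = datetime.strptime(r["expires"].replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
        if expires <= now:
            findings.append((r["id"], r["subject"], "expired"))
        elif expires - now <= timedelta(days=warn_days):
            findings.append((r["id"], r["subject"], "expires within %d days" % warn_days))
        if "ca-error" in r:  # the CA did not answer the renewal request; auto-renew is stalled
            findings.append((r["id"], r["subject"], "ca-error: " + r["ca-error"]))
    return findings

def run_sample():
    """Evaluate SAMPLE as of the thread's date, Mon Jul 18 16:00:33 UTC 2016 (assumed)."""
    return check(parse_getcert(SAMPLE), datetime(2016, 7, 18, 16, 0, 33))

if __name__ == "__main__":
    for request_id, subject, reason in run_sample():
        print("%s %s: %s" % (request_id, subject, reason))
```

Run against real output with `getcert list | python3 check_getcert.py`-style plumbing by replacing SAMPLE with stdin; the parser ignores the wrapped and link-decorated lines a mail client adds only if they are joined first.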