[Freeipa-users] IPA certificates expired, please help!

Linov Suresh linov.suresh at gmail.com
Mon Jul 18 16:37:08 UTC 2016


Update: my webserver and LDAP certificates expired at 2016-07-18
15:54:36 UTC and the certificates are in CA_UNREACHABLE state.


Could you please help us?

[root at caer tmp]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20111214223243':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed
to execute the HTTP POST transaction.  Peer certificate cannot be
authenticated with known CA certificates).
        stuck: yes
        key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
        certificate:
type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2016-07-18 15:54:36 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20111214223300':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed
to execute the HTTP POST transaction.  Peer certificate cannot be
authenticated with known CA certificates).
        stuck: yes
        key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
        certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2016-07-18 15:54:52 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20111214223316':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed
to execute the HTTP POST transaction.  Peer certificate cannot be
authenticated with known CA certificates).
        stuck: yes
        key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2016-07-18 15:55:04 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130519130741':
        status: MONITORING
        ca-error: Internal error: no response to "
http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true
".
        stuck: no
        key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=CA Audit,O=TELOIP.NET
        expires: 2017-10-13 14:10:49 UTC
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130742':
        status: MONITORING
        ca-error: Internal error: no response to "
http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true
".
        stuck: no
        key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=OCSP Subsystem,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-OCSPSigning
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130743':
        status: MONITORING
        ca-error: Internal error: no response to "
http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true
".
        stuck: no
        key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=CA Subsystem,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130744':
        status: MONITORING
        ca-error: Internal error: no response to "
http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true
".
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=RA Subsystem,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20130519130745':
        status: MONITORING
        ca-error: Internal error: no response to "
http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true
".
        stuck: no
        key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
        track: yes
        auto-renew: yes

On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh <linov.suresh at gmail.com>
wrote:

> Yes, PKI is running and I don't see any errors in selftests. I have
> followed https://access.redhat.com/solutions/643753 and restarted the PKI
> in step 10.
>
> The only change which I made was clean up userCertificate;binary before
> adding new userCertificate in LDAP, which is step 12.
>
> [root at caer ~]# /etc/init.d/pki-cad status
> pki-ca (pid 8634) is running...                            [  OK  ]
>     Unsecure Port       = http://caer.teloip.net:9180/ca/ee/ca
>     Secure Agent Port   = https://caer.teloip.net:9443/ca/agent/ca
>     Secure EE Port      = https://caer.teloip.net:9444/ca/ee/ca
>     Secure Admin Port   = https://caer.teloip.net:9445/ca/services
>     EE Client Auth Port = https://caer.teloip.net:9446/ca/eeca/ca
>     PKI Console Port    = pkiconsole https://caer.teloip.net:9445/ca
>     Tomcat Port         = 9701 (for shutdown)
>
>     PKI Instance Name:   pki-ca
>
>     PKI Subsystem Type:  Root CA (Security Domain)
>
>     Registered PKI Security Domain Information:
>
> ==========================================================================
>     Name:  IPA
>     URL:   https://caer.teloip.net:9445
>
> ==========================================================================
> [root at caer ~]#
> [root at caer ~]# tail -f /var/log/pki-ca/selftests.log
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:
>  loading all self test plugin logger parameters
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:
>  loading all self test plugin instances
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:
>  loading all self test plugin instance parameters
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:
>  loading self test plugins in on-demand order
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:
>  loading self test plugins in startup order
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: Self
> test plugins have been successfully loaded!
> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: Running
> self test plugins specified to be executed at startup:
> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence:  CA is present
> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification:
> system certs verification success
> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All
> CRITICAL self test plugins ran SUCCESSFULLY at startup!
>
> Your help is highly appreciated!
>
>
>    Linov Suresh
>
>    70 Forest Manor Rd.
>    Toronto
>    ON M2J 0A9
>    Mobile: +1 647 406 9438
>    Linkedin: ca.linkedin.com/in/linov/
>    Website: http://mylinuxthoughts.blogspot.com
>
>
> On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik <pvoborni at redhat.com>
> wrote:
>
>> On 07/18/2016 05:45 AM, Linov Suresh wrote:
>> > Thanks for the update, Rob. I went back to Jan 20, 2016, restarted CA and
>> > certmonger. Looks like certificates were renewed. But I'm getting a
>> > different error now,
>> >
>> > ca-error: Internal error: no response to
>> > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>>
>> Is PKI running? When you change the time, does restart of IPA help?
>>
>> >
>> > [root at caer ~]# getcert list
>> > Number of certificates and requests being tracked: 8.
>> > Request ID '20111214223243':
>> >          status: MONITORING
>> >          stuck: no
>> >          key pair storage:
>> >
>> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
>> > Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>> >          certificate:
>> >
>> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
>> > Certificate DB'
>> >          CA: IPA
>> >          issuer: CN=Certificate Authority,O=TELOIP.NET
>> >          subject: CN=caer.teloip.net,O=TELOIP.NET
>> >          expires: 2016-07-18 15:54:36 UTC
>> >          eku: id-kp-serverAuth
>> >          pre-save command:
>> >          post-save command:
>> >          track: yes
>> >          auto-renew: yes
>> > Request ID '20111214223300':
>> >          status: MONITORING
>> >          stuck: no
>> >          key pair storage:
>> >
>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>> Certificate
>> > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>> >          certificate:
>> >
>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>> Certificate
>> > DB'
>> >          CA: IPA
>> >          issuer: CN=Certificate Authority,O=TELOIP.NET
>> >          subject: CN=caer.teloip.net,O=TELOIP.NET
>> >          expires: 2016-07-18 15:54:52 UTC
>> >          eku: id-kp-serverAuth
>> >          pre-save command:
>> >          post-save command:
>> >          track: yes
>> >          auto-renew: yes
>> > Request ID '20111214223316':
>> >          status: MONITORING
>> >          stuck: no
>> >          key pair storage:
>> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> >          certificate:
>> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> > Certificate DB'
>> >          CA: IPA
>> >          issuer: CN=Certificate Authority,O=TELOIP.NET
>> >          subject: CN=caer.teloip.net,O=TELOIP.NET
>> >          expires: 2016-07-18 15:55:04 UTC
>> >          eku: id-kp-serverAuth
>> >          pre-save command:
>> >          post-save command:
>> >          track: yes
>> >          auto-renew: yes
>> > Request ID '20130519130741':
>> >          status: MONITORING
>> >          ca-error: Internal error: no response to
>> > "
>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true
>> ".
>> >          stuck: no
>> >          key pair storage:
>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>> >          certificate:
>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>> > cert-pki-ca',token='NSS Certificate DB'
>> >          CA: dogtag-ipa-renew-agent
>> >          issuer: CN=Certificate Authority,O=TELOIP.NET
>> >          subject: CN=CA Audit,O=TELOIP.NET
>> >          expires: 2017-10-13 14:10:49 UTC
>> >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> > "auditSigningCert cert-pki-ca"
>> >          track: yes
>> >          auto-renew: yes
>> > Request ID '20130519130742':
>> >          status: MONITORING
>> >          ca-error: Internal error: no response to
>> > "
>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true
>> ".
>> >          stuck: no
>> >          key pair storage:
>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>> >          certificate:
>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>> > cert-pki-ca',token='NSS Certificate DB'
>> >          CA: dogtag-ipa-renew-agent
>> >          issuer: CN=Certificate Authority,O=TELOIP.NET
>> >          subject: CN=OCSP Subsystem,O=TELOIP.NET
>> >          expires: 2017-10-13 14:09:49 UTC
>> >          eku: id-kp-OCSPSigning
>> >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> > "ocspSigningCert cert-pki-ca"
>> >          track: yes
>> >          auto-renew: yes
>> > Request ID '20130519130743':
>> >          status: MONITORING
>> >          ca-error: Internal error: no response to
>> > "
>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true
>> ".
>> >          stuck: no
>> >          key pair storage:
>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>> >          certificate:
>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>> > cert-pki-ca',token='NSS Certificate DB'
>> >          CA: dogtag-ipa-renew-agent
>> >          issuer: CN=Certificate Authority,O=TELOIP.NET
>> >          subject: CN=CA Subsystem,O=TELOIP.NET
>> >          expires: 2017-10-13 14:09:49 UTC
>> >          eku: id-kp-serverAuth,id-kp-clientAuth
>> >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> > "subsystemCert cert-pki-ca"
>> >          track: yes
>> >          auto-renew: yes
>> > Request ID '20130519130744':
>> >          status: MONITORING
>> >          ca-error: Internal error: no response to
>> > "
>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true
>> ".
>> >          stuck: no
>> >          key pair storage:
>> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>> Certificate
>> > DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> >          certificate:
>> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>> Certificate DB'
>> >          CA: dogtag-ipa-renew-agent
>> >          issuer: CN=Certificate Authority,O=TELOIP.NET
>> >          subject: CN=RA Subsystem,O=TELOIP.NET
>> >          expires: 2017-10-13 14:09:49 UTC
>> >          eku: id-kp-serverAuth,id-kp-clientAuth
>> >          pre-save command:
>> >          post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>> >          track: yes
>> >          auto-renew: yes
>> > Request ID '20130519130745':
>> >          status: MONITORING
>> >          ca-error: Internal error: no response to
>> > "
>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true
>> ".
>> >          stuck: no
>> >          key pair storage:
>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>> >          certificate:
>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>> > cert-pki-ca',token='NSS Certificate DB'
>> >          CA: dogtag-ipa-renew-agent
>> >          issuer: CN=Certificate Authority,O=TELOIP.NET
>> >          subject: CN=caer.teloip.net,O=TELOIP.NET
>> >          expires: 2017-10-13 14:09:49 UTC
>> >          eku: id-kp-serverAuth,id-kp-clientAuth
>> >          pre-save command:
>> >          post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
>> >          track: yes
>> >          auto-renew: yes
>> > [root at caer ~]#
>> >
>> > Your help is highly appreciated!
>> >
>> >
>> >
>> > On Fri, Jul 15, 2016 at 5:08 PM, Rob Crittenden <rcritten at redhat.com
>> > <mailto:rcritten at redhat.com>> wrote:
>> >
>> >     Linov Suresh wrote:
>> >
>> >         I logged into my IPA master and found that the cert had
>> >         expired again; we renewed these certificates about 18 months ago.
>> >
>> >         Our environment is CentOS 6.4 and IPA 3.0.0-26.
>> >
>> >
>> >            I followed the Red Hat documentation, "How do I manually renew
>> >            Identity Management (IPA) certificates after they have expired?
>> >            (Master IPA Server)", https://access.redhat.com/solutions/643753,
>> >            but no luck.
>> >
>> >
>> >         I have also changed the directive "NSSEnforceValidCerts off" in
>> >         /etc/httpd/conf.d/nss.conf and the value of nsslapd-validate-cert is warn.
>> >
>> >         ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w *******
>> >         -b cn=config | grep nsslapd-validate-cert
>> >
>> >         nsslapd-validate-cert: warn
>> >
>> >         Here is my getcert list,
>> >
>> >         [root at caer ~]# getcert list
>> >
>> >
>> >     It looks like your CA subsystem certificates all renewed
>> >     successfully; it is just the webserver and LDAP certificates that
>> >     need renewing, so that's good.
>> >
>> >     What I'd do is go back in time again to say Jan 20, 2016 and restart
>> >     certmonger. That should make it retry the renewals.
>> >
>> >     rob
>> >
>> >
>> >
>> >
>>
>>
>>
>> --
>> Petr Vobornik
>>
>
>
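Added example for this thread (not code from the list posters or from the FreeIPA project): a small Python triage script for the situation above. It parses a `getcert list` dump, re-joining lines that a mail client wrapped, then reports which tracked requests are past their `expires` date, which are `stuck`, which carry a `ca-error`, which use the `IPA` helper (those are the ones posted over HTTPS to the IPA web server, the path the -504 libcurl peer-certificate error points at), and the latest point in time before which every tracked certificate is still unexpired, which is the upper bound for the "go back in time" date Rob suggests. The `SAMPLE` text is a constructed, trimmed copy of three of the eight requests shown above, with the wrapping left in on purpose; the field list and date format are those of `getcert list`, and the helper names are this example's own.

```python
"""Triage a `getcert list` dump: expired / stuck / failing requests and the
clock bound for a renewal retry.  Added example, not FreeIPA's own code."""
import re
from datetime import datetime, timezone

# Constructed sample: three of the thread's eight requests, with the mail
# client's line wrapping left in so the parser has to cope with it.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20111214223243':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed
to execute the HTTP POST transaction.  Peer certificate cannot be
authenticated with known CA certificates).
        stuck: yes
        key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
        CA: IPA
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2016-07-18 15:54:36 UTC
Request ID '20111214223316':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        CA: IPA
        expires: 2016-07-18 15:55:04 UTC
Request ID '20130519130744':
        status: MONITORING
        ca-error: Internal error: no response to "
http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true
".
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        CA: dogtag-ipa-renew-agent
        expires: 2017-10-13 14:09:49 UTC
"""

# Field names as printed by `getcert list`; anything else is a wrapped line.
FIELDS = {"status", "ca-error", "stuck", "key pair storage", "certificate",
          "CA", "issuer", "subject", "expires", "dns", "principal name",
          "key usage", "eku", "pre-save command", "post-save command",
          "track", "auto-renew"}
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?): ?(.*)$")
REQ_RE = re.compile(r"^Request ID '([^']+)':")

def utc(y, mo, d, h=0, mi=0, s=0):
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)

def parse_getcert_list(text):
    """Return one dict per 'Request ID' block; wrapped lines are re-joined."""
    reqs, cur, last = [], None, None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            cur, last = {"id": m.group(1)}, None
            reqs.append(cur)
            continue
        if cur is None:
            continue                      # "Number of certificates..." header
        m = FIELD_RE.match(line)
        if m and m.group(1) in FIELDS:
            last = m.group(1)
            cur[last] = m.group(2).strip()
        elif last is not None:            # continuation of a wrapped value
            cur[last] = (cur[last] + " " + line.strip()).strip()
    for r in reqs:
        r["stuck"] = r.get("stuck") == "yes"
        if "expires" in r:                # getcert prints notAfter only
            r["expires"] = datetime.strptime(
                r["expires"], "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
    return reqs

def expired(reqs, now):
    return [r for r in reqs if "expires" in r and r["expires"] <= now]

def all_valid_at(reqs, when):
    """True if no tracked cert is past notAfter at `when`.  notBefore is not
    in getcert output, so confirm with certutil before trusting a date."""
    return not expired(reqs, when)

def retry_plan(reqs, now):
    exp = [r["expires"] for r in reqs if "expires" in r]
    return {
        "expired": [r["id"] for r in expired(reqs, now)],
        "stuck": [r["id"] for r in reqs if r["stuck"]],
        "ca_error": [r["id"] for r in reqs if r.get("ca-error")],
        # 'CA: IPA' requests are POSTed over HTTPS to the IPA web server, which
        # is consistent with the libcurl -504 peer-certificate error above.
        "via_ipa_https": [r["id"] for r in reqs if r.get("CA") == "IPA"],
        # any clock earlier than this leaves every tracked cert unexpired
        "needs_clock_before": min(exp).isoformat() if exp else None,
    }
```

Run it against a real dump with `getcert list > dump.txt` and `parse_getcert_list(open("dump.txt").read())`. The `needs_clock_before` value only bounds the date from above; the certificates' notBefore is not in `getcert` output, so check it with `certutil -L -d /etc/httpd/alias -n Server-Cert` (the Validity block) before picking the date to set the clock to.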