[Freeipa-users] certificates expired - won't renew

Rob Crittenden rcritten at redhat.com
Fri Jul 29 21:10:52 UTC 2016 

sipazzo wrote:
> I have seen many threads on this so sorry to bring it up again but I
> have a freeipa domain, with 4 ipa servers running on redhat 6 version
> 3.0.0-50. The certificates are expired/expiring and will not renew and
> it is causing many issues for us. I have tried the many suggestions I
> have see in the archives such as changing the time to prior to
> expiration and attempting renew by resubmitting the requests but they
> never renew. An example of getcert list from the first server that expired:
>
> Number of certificates and requests being tracked: 8.

[snip]

> localhost log in /var/log/pki-ca have errors like:
> tail localhost.2016-07-29.log
> Jul 29, 2016 8:55:51 AM org.apache.catalina.core.StandardWrapperValve invoke
> SEVERE: Servlet.service() for servlet caProfileSubmit threw exception
> java.io.IOException: CS server is not ready to serve.
>      at
> com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:441)
>      at javax.servlet.http.HttpServlet.service(HttpServlet.java:723)
>      at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>      at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>      at
> com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>      at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>      at org.
>
> Debug log in /var/log/pki-cacd
>   tail debug
> [29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password
> store initialized before.
> [29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password
> store initialized.
> [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable getLDAPConn:
> netscape.ldap.LDAPException: error result (49)
> [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable: unable to
> query sessionIds: java.io.IOException: Failed to connect to the internal
> database.
> [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable:
> getSessionIds: Error in disconnecting from database:
> java.lang.NullPointerException
> [29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password
> store initialized before.
> [29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password
> store initialized.
> [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable getLDAPConn:
> netscape.ldap.LDAPException: error result (49)
> [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable: unable to
> query sessionIds: java.io.IOException: Failed to connect to the internal
> database.
> [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable:
> getSessionIds: Error in disconnecting from database:
> java.lang.NullPointerException
>
>
> Performing most IPA commands results in errors such as ipa: ERROR: cert
> validation failed for "CN=ipa1.example.com,O=EXAMPLE.COM"
> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
>
> Not sure if it is related but we lost our first IPA server some time ago
> and had to promote another to the CA master. Also, due to someone
> leaving the company at the beginning of the year we had to change the
> directory manager password. I followed all the directions to do so but
> it does not seem like it was a completely smooth transaction.

It is related. Your CA can't connect to its database. You must have 
missed a step when updating the DM password.

As a goof I just tried it on my RHEL 6 install and it seems to work, 
this is what I did:

# service dirsrv stop
# /usr/bin/pwdhash password

edit both /etc/dirsrv/slapd-REALM/dse.ldif and 
/etc/dirsrv/slapd-PKI-IPA/dse.ldif to set nsslapd-rootpw

# service dirsrv start

Check both of the new passwords:

# ldapsearch -x -D "cn=directory manager" -W -s base -b "" 
"objectclass=*"
# ldapsearch -h localhost -po 7389 -x -D "cn=directory manager" -W -s 
base -b "" "objectclass=*"

Update internaldb value in /etc/pki-ca/password.conf with the new password.

Update and test the admin user password:

# ldappasswd -h localhost -ZZ -p 7389 -x -D "cn=Directory Manager" -W -S 
uid=admin,ou=people,o=ipaca
# ldapsearch -h localhost -ZZ -p 7389 -x -D 
"uid=admin,ou=people,o=ipaca" -W -b "" -s base

Restart the CA

# service pki-cad restart

Note that things _still_ aren't going to work so hot with all the 
expired certs but if you go back in time you will at least have a chance 
of renewing things.

rob

More information about the Freeipa-users mailing list