[Freeipa-users] certificates expired - won't renew
sipazzo
sipazzo at yahoo.com
Fri Jul 29 23:06:00 UTC 2016
Rob, you are awesome and I don't know what I would do without you. So I have two things going on, obviously. Following your instructions it looks like the DM password has correctly been set. I cannot change the admin password as a test because I get the cert errors. I am going to retry setting dates back and requesting new certs again, following some of the threads I have seen.

Could you please just clarify two points? On my 4 servers, all running as CAs, do I only need to set the date back to prior to the expired certs shown by ipa-getcert list, or to the earliest expired date shown by getcert list? The getcert list shows certs that have been expired since June, but ipa-getcert shows more recent ones. Also, does it matter which servers I do first? Meaning, should I set the time back on my "master" CA first?
This is the expiration output info from my master:
[root at ipa2 ~]# ipa-getcert list | grep expires
expires: 2016-08-26 16:41:24 UTC
expires: 2016-08-26 16:41:23 UTC
expires: 2016-08-26 16:41:24 UTC
[root at ipa2 ~]# getcert list | grep expires
expires: 2016-08-26 16:41:24 UTC
expires: 2016-08-15 16:47:26 UTC
expires: 2016-08-26 16:41:23 UTC
expires: 2016-08-26 16:41:24 UTC
expires: 2016-06-06 23:36:29 UTC
expires: 2016-06-06 23:36:28 UTC
expires: 2016-06-06 23:36:28 UTC
expires: 2016-06-06 23:37:09 UTC
Again thank you, as always.
From: Rob Crittenden <rcritten at redhat.com>
To: sipazzo <sipazzo at yahoo.com>; "freeipa-users at redhat.com" <freeipa-users at redhat.com>
Sent: Friday, July 29, 2016 2:10 PM
Subject: Re: [Freeipa-users] certificates expired - won't renew
sipazzo wrote:
> I have seen many threads on this so sorry to bring it up again but I
> have a freeipa domain, with 4 ipa servers running on redhat 6 version
> 3.0.0-50. The certificates are expired/expiring and will not renew and
> it is causing many issues for us. I have tried the many suggestions I
> have seen in the archives, such as changing the time to prior to
> expiration and attempting to renew by resubmitting the requests, but they
> never renew. An example of getcert list from the first server that expired:
>
> Number of certificates and requests being tracked: 8.
[snip]
> localhost log in /var/log/pki-ca have errors like:
> tail localhost.2016-07-29.log
> Jul 29, 2016 8:55:51 AM org.apache.catalina.core.StandardWrapperValve invoke
> SEVERE: Servlet.service() for servlet caProfileSubmit threw exception
> java.io.IOException: CS server is not ready to serve.
> at
> com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:441)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:723)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at
> com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> at org.
>
> Debug log in /var/log/pki-cacd
> tail debug
> [29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password
> store initialized before.
> [29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password
> store initialized.
> [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable getLDAPConn:
> netscape.ldap.LDAPException: error result (49)
> [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable: unable to
> query sessionIds: java.io.IOException: Failed to connect to the internal
> database.
> [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable:
> getSessionIds: Error in disconnecting from database:
> java.lang.NullPointerException
> [29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password
> store initialized before.
> [29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password
> store initialized.
> [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable getLDAPConn:
> netscape.ldap.LDAPException: error result (49)
> [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable: unable to
> query sessionIds: java.io.IOException: Failed to connect to the internal
> database.
> [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable:
> getSessionIds: Error in disconnecting from database:
> java.lang.NullPointerException
>
>
> Performing most IPA commands results in errors such as ipa: ERROR: cert
> validation failed for "CN=ipa1.example.com,O=EXAMPLE.COM"
> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
>
> Not sure if it is related but we lost our first IPA server some time ago
> and had to promote another to the CA master. Also, due to someone
> leaving the company at the beginning of the year we had to change the
> directory manager password. I followed all the directions to do so but
> it does not seem like it was a completely smooth transaction.
It is related. Your CA can't connect to its database. You must have
missed a step when updating the DM password.
As a goof I just tried it on my RHEL 6 install and it seems to work;
this is what I did:

# service dirsrv stop
# /usr/bin/pwdhash password
edit both /etc/dirsrv/slapd-REALM/dse.ldif and /etc/dirsrv/slapd-PKI-IPA/dse.ldif to set nsslapd-rootpw
# service dirsrv start

Check both of the new passwords:
# ldapsearch -x -D "cn=directory manager" -W -s base -b "" "objectclass=*"
# ldapsearch -h localhost -p 7389 -x -D "cn=directory manager" -W -s base -b "" "objectclass=*"

Update internaldb value in /etc/pki-ca/password.conf with the new password.

Update and test the admin user password:
# ldappasswd -h localhost -ZZ -p 7389 -x -D "cn=Directory Manager" -W -S uid=admin,ou=people,o=ipaca
# ldapsearch -h localhost -ZZ -p 7389 -x -D "uid=admin,ou=people,o=ipaca" -W -b "" -s base

Restart the CA:
# service pki-cad restart
Note that things _still_ aren't going to work so hot with all the
expired certs but if you go back in time you will at least have a chance
of renewing things.
rob
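The question at the top of the thread is which expiry date the clock has to go back before. The following is an added example (not from the thread, and not part of FreeIPA or certmonger): a small parser for the text layout of `getcert list` that reports which tracked certificates are already expired at a given time, the earliest expiry across all of them, and a clock target one day before that. The sample output is constructed from the expiry dates quoted in the thread, the subjects and request IDs are made up, and the one-day margin is an assumed choice.

```python
"""Parse `getcert list` output and report expired certs and the earliest expiry.

Added example, not from the mailing-list thread. It assumes the standard
certmonger `getcert list` text layout (a "Request ID '...':" header followed
by indented "key: value" lines). The sample below is constructed from the
expiry dates quoted in the thread; subjects and request IDs are invented.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample in getcert list layout; the dates mirror the thread.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 4.
Request ID '20160606233629':
\tstatus: MONITORING
\tstuck: no
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=CA Audit,O=EXAMPLE.COM
\texpires: 2016-06-06 23:36:29 UTC
Request ID '20160815164726':
\tstatus: MONITORING
\tstuck: no
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=IPA RA,O=EXAMPLE.COM
\texpires: 2016-08-15 16:47:26 UTC
Request ID '20160826164124':
\tstatus: MONITORING
\tstuck: no
\tCA: IPA
\tsubject: CN=ipa2.example.com,O=EXAMPLE.COM
\texpires: 2016-08-26 16:41:24 UTC
Request ID '20160826164123':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tCA: IPA
\tsubject: CN=ipa2.example.com,O=EXAMPLE.COM
\texpires: 2016-08-26 16:41:23 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_utc(value):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' timestamp (naive, UTC)."""
    return datetime.strptime(value, EXPIRES_FMT)


def parse_getcert_list(text):
    """Return one dict per tracked request with the fields we care about."""
    entries, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
            continue
        if current is None or ":" not in line:
            continue  # the "Number of certificates..." header and blank lines
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "expires":
            current["expires"] = parse_utc(value)
        elif key in ("status", "stuck", "CA", "subject"):
            current[key] = value
    return entries


def expired_entries(entries, now):
    """Certificates whose notAfter is already in the past at `now`."""
    return [e for e in entries if "expires" in e and e["expires"] <= now]


def earliest_expiry(entries):
    """The earliest notAfter among all tracked certs (None if no dates)."""
    dates = [e["expires"] for e in entries if "expires" in e]
    return min(dates) if dates else None


def clock_target(entries, margin=timedelta(days=1)):
    """A point in time at which every tracked cert is still valid.

    The thread's remedy is to move the clock back to before expiry and
    resubmit the renewals; the one-day margin is an assumed choice here.
    """
    earliest = earliest_expiry(entries)
    return None if earliest is None else earliest - margin


def summarize(text, now):
    """Collect the numbers an admin wants before touching the clock."""
    entries = parse_getcert_list(text)
    return {
        "tracked": len(entries),
        "expired": [(e["request_id"], e.get("subject")) for e in expired_entries(entries, now)],
        "stuck": [e["request_id"] for e in entries if e.get("stuck") == "yes"],
        "earliest_expiry": earliest_expiry(entries),
        "clock_target": clock_target(entries),
    }


if __name__ == "__main__":
    # Pipe real `getcert list` output in, or run without input to use the sample.
    text = SAMPLE_GETCERT_LIST if sys.stdin.isatty() else sys.stdin.read()
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    for key, value in summarize(text, now).items():
        print(f"{key}: {value}")
```

Run it as `getcert list | python3 this_script.py` on each CA; the earliest expiry across the hosts is the bound that matters, since the same clock change has to cover all of them.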
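Rob's diagnosis rests on one line of the pki-ca debug log: `error result (49)` is LDAP invalidCredentials (RFC 4511), so the CA's bind to its internal database is being rejected, which is what a stale internaldb entry in /etc/pki-ca/password.conf looks like after the Directory Manager password was changed. The following added example (not from the thread, and not part of Dogtag) is a small triage script that parses that log layout, tallies the LDAP result codes, and turns them into a verdict. The log lines in it are constructed in the same shape as the excerpt quoted above; the result-code table covers only codes whose meaning is fixed by RFC 4511 or the Netscape LDAP SDK.

```python
"""Triage a Dogtag (pki-ca) debug log for internal-database (LDAP) failures.

Added example, not from the thread. The sample log is constructed in the
layout of the excerpt quoted in the thread. Result codes: RFC 4511 for
32/49/50/53; 81 and 91 are client-side codes from the Netscape LDAP SDK.
"""
import re
from collections import Counter
from datetime import datetime

LDAP_RESULT_CODES = {
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}
CLIENT_SIDE_CODES = {81: "serverDown", 91: "connectError"}

# "[29/Jul/2016:08:49:08][Timer-0]: message..."
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
RESULT_RE = re.compile(r"error result \((\d+)\)")
TS_FMT = "%d/%b/%Y:%H:%M:%S"
CONNECT_FAIL = "Failed to connect to the internal database"

# Constructed sample; same shape as the thread's /var/log/pki-ca debug excerpt.
SAMPLE_DEBUG_LOG = """\
[29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable getLDAPConn: netscape.ldap.LDAPException: error result (49)
[29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable: unable to query sessionIds: java.io.IOException: Failed to connect to the internal database.
[29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable getLDAPConn: netscape.ldap.LDAPException: error result (49)
[29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable: unable to query sessionIds: java.io.IOException: Failed to connect to the internal database.
"""


def parse_debug_log(text):
    """Return (timestamp, thread, message) for each well-formed log line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines and stack traces carry no header
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        records.append((ts, m.group("thread"), m.group("msg")))
    return records


def ldap_failures(records):
    """Tally 'error result (N)' codes and remember when each one happened."""
    codes, when = Counter(), []
    for ts, _thread, msg in records:
        m = RESULT_RE.search(msg)
        if m:
            codes[int(m.group(1))] += 1
            when.append(ts)
    return codes, when


def diagnose(text):
    """Summarise the log and say what the result codes point at."""
    records = parse_debug_log(text)
    codes, when = ldap_failures(records)
    connect_failures = sum(1 for _ts, _t, msg in records if CONNECT_FAIL in msg)

    if 49 in codes:
        verdict = ("invalidCredentials: the CA's internaldb bind is being rejected; "
                   "check that /etc/pki-ca/password.conf matches the Directory Manager "
                   "password of the PKI-IPA instance")
    elif any(c in codes for c in CLIENT_SIDE_CODES):
        verdict = "directory server unreachable: check that dirsrv is running and listening"
    elif codes or connect_failures:
        verdict = "internal database errors present; see result codes"
    else:
        verdict = "no internal database errors found"

    return {
        "result_codes": dict(codes),
        "named_codes": {c: LDAP_RESULT_CODES.get(c, CLIENT_SIDE_CODES.get(c, "unknown"))
                        for c in codes},
        "connect_failures": connect_failures,
        "first_failure": when[0].strftime(TS_FMT) if when else None,
        "last_failure": when[-1].strftime(TS_FMT) if when else None,
        "verdict": verdict,
    }


if __name__ == "__main__":
    import sys
    text = SAMPLE_DEBUG_LOG if sys.stdin.isatty() else sys.stdin.read()
    for key, value in diagnose(text).items():
        print(f"{key}: {value}")
```

The first and last failure timestamps are worth keeping: if the failures stop after the password.conf update and CA restart, the bind problem is fixed and whatever remains is the separate expired-certificate problem Rob mentions.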