[Freeipa-users] certificates expired - won't renew
sipazzo
sipazzo at yahoo.com
Sun Jul 31 19:24:18 UTC 2016
I set time back on master ca and was able to renew its certs except for one that has yet to expire but should have renewed. I tried to resubmit it but it still does not renew and status says NEED_CSR_GEN_TOKEN. We do have a go daddy cert we use as well but it is valid still. Is it because of the nickname mismatches? I am not sure how to fix that.
ipa1-example.com
Request ID '20140729215756':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ipa1.example.com,O=EXAMPLE.COM
expires: 2016-07-29 20:39:21 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
track: yes
auto-renew: yes
certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
NWF_GD u,u,u
CN=Certificate Authority,O=EXAMPLE.COM CT,,C
OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US CT,,C
GD_CA CT,,C
CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US CT,,C
certutil -L -d /etc/dirsrv/slapd-PKI-IPA/
Certificate Nickname O=EXAMPLE.COM Trust Attributes
SSL,S/MIME,JAR/XPI
EXAMPLE.COM IPA CA CT,C,
Server-Cert u,u,u
certutil -L -d /etc/httpd/alias/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
EXAMPLE.COM IPA CA CT,C,
ipaCert u,u,u
Server-Cert u,u,u
My other servers had varying degrees of success with their expired certificates, I have one server that would not renew 6 of its certs, 1 that would not renew 2 of its certs and 1 that would not renew 1 of its certs. These are examples of the last two - I will save the one that won't renew 6 as I am hoping I can apply same steps to those failures.
ipa2.example.com - 2 won't renew - one CA_unreachable even after successful restart of services and one NEED_CSR_GEN_TOKEN
Request ID '20140729215756':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ipa2.example.com,O=EXAMPLE.COM
expires: 2016-07-29 20:39:21 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
track: yes
auto-renew: yes
Request ID '20140729215712':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to https://ipa2.example.com:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
stuck: no
key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ipa2.example.com,O=EXAMPLE.COM
expires: 2016-07-18 21:57:06 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
ipa3 - 1 won't renew NEED_CSR_GEN_TOKEN
Request ID '20140729215511':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ipa3.example.com,O=EXAMPLE.COM
expires: 2016-07-29 20:38:41 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
track: yes
auto-renew: yes
From: sipazzo <sipazzo at yahoo.com>
To: Rob Crittenden <rcritten at redhat.com>; "freeipa-users at redhat.com" <freeipa-users at redhat.com>
Sent: Friday, July 29, 2016 4:06 PM
Subject: Re: [Freeipa-users] certificates expired - won't renew
Rob you are awesome and I don't know what I would do without you. So I have two things going on obviously. Following your instructions it looks like the DM password has correctly been set. I cannot change the admin password as a test because I get the cert errors. I am going to retry setting dates back and requesting new certs again following some of the threads I have seen. Could you please just clarify two points? On my 4 servers all running as CAs do I only need to set the date back to prior to expired certs running ipa-getcert list or the earliest expired date when running getcert list? The getcert list shows certs that have been expired since June but the ipa-getcert shows more recent. Also, does it matter which servers I do first? Meaning should I set time back on my "master" CA first.
This is the expiration output info from my master:
[root at ipa2 ~]# ipa-getcert list | grep expires
expires: 2016-08-26 16:41:24 UTC
expires: 2016-08-26 16:41:23 UTC
expires: 2016-08-26 16:41:24 UTC
[root at ipa2 ~]# getcert list | grep expires
expires: 2016-08-26 16:41:24 UTC
expires: 2016-08-15 16:47:26 UTC
expires: 2016-08-26 16:41:23 UTC
expires: 2016-08-26 16:41:24 UTC
expires: 2016-06-06 23:36:29 UTC
expires: 2016-06-06 23:36:28 UTC
expires: 2016-06-06 23:36:28 UTC
expires: 2016-06-06 23:37:09 UTC
Again thank you, as always.
From: Rob Crittenden <rcritten at redhat.com>
To: sipazzo <sipazzo at yahoo.com>; "freeipa-users at redhat.com" <freeipa-users at redhat.com>
Sent: Friday, July 29, 2016 2:10 PM
Subject: Re: [Freeipa-users] certificates expired - won't renew
sipazzo wrote:
> I have seen many threads on this so sorry to bring it up again but I
> have a freeipa domain, with 4 ipa servers running on redhat 6 version
> 3.0.0-50. The certificates are expired/expiring and will not renew and
> it is causing many issues for us. I have tried the many suggestions I
> have see in the archives such as changing the time to prior to
> expiration and attempting renew by resubmitting the requests but they
> never renew. An example of getcert list from the first server that expired:
>
> Number of certificates and requests being tracked: 8.
[snip]
> localhost log in /var/log/pki-ca have errors like:
> tail localhost.2016-07-29.log
> Jul 29, 2016 8:55:51 AM org.apache.catalina.core.StandardWrapperValve invoke
> SEVERE: Servlet.service() for servlet caProfileSubmit threw exception
> java.io.IOException: CS server is not ready to serve.
> at
> com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:441)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:723)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at
> com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> at org.
>
> Debug log in /var/log/pki-cacd
> tail debug
> [29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password
> store initialized before.
> [29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password
> store initialized.
> [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable getLDAPConn:
> netscape.ldap.LDAPException: error result (49)
> [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable: unable to
> query sessionIds: java.io.IOException: Failed to connect to the internal
> database.
> [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable:
> getSessionIds: Error in disconnecting from database:
> java.lang.NullPointerException
> [29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password
> store initialized before.
> [29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password
> store initialized.
> [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable getLDAPConn:
> netscape.ldap.LDAPException: error result (49)
> [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable: unable to
> query sessionIds: java.io.IOException: Failed to connect to the internal
> database.
> [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable:
> getSessionIds: Error in disconnecting from database:
> java.lang.NullPointerException
>
>
> Performing most IPA commands results in errors such as ipa: ERROR: cert
> validation failed for "CN=ipa1.example.com,O=EXAMPLE.COM"
> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
>
> Not sure if it is related but we lost our first IPA server some time ago
> and had to promote another to the CA master. Also, due to someone
> leaving the company at the beginning of the year we had to change the
> directory manager password. I followed all the directions to do so but
> it does not seem like it was a completely smooth transaction.
It is related. Your CA can't connect to its database. You must have
missed a step when updating the DM password.
As a goof I just tried it on my RHEL 6 install and it seems to work,
this is what I did:
# service dirsrv stop
# /usr/bin/pwdhash password
edit both /etc/dirsrv/slapd-REALM/dse.ldif and
/etc/dirsrv/slapd-PKI-IPA/dse.ldif to set nsslapd-rootpw
# service dirsrv start
Check both of the new passwords:
# ldapsearch -x -D "cn=directory manager" -W -s base -b ""
"objectclass=*"
# ldapsearch -h localhost -po 7389 -x -D "cn=directory manager" -W -s
base -b "" "objectclass=*"
Update internaldb value in /etc/pki-ca/password.conf with the new password.
Update and test the admin user password:
# ldappasswd -h localhost -ZZ -p 7389 -x -D "cn=Directory Manager" -W -S
uid=admin,ou=people,o=ipaca
# ldapsearch -h localhost -ZZ -p 7389 -x -D
"uid=admin,ou=people,o=ipaca" -W -b "" -s base
Restart the CA
# service pki-cad restart
Note that things _still_ aren't going to work so hot with all the
expired certs but if you go back in time you will at least have a chance
of renewing things.
rob
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160731/5804be65/attachment.htm>
More information about the Freeipa-users
mailing list