[Freeipa-users] IPA 2.2 Certificate Renewal issue
Rob Crittenden
rcritten at redhat.com
Wed Jun 1 03:56:04 UTC 2016
Kay Zhou Y wrote:
> Hi Rob,
>
> The status for ipaCert is MONITORING no matter before or after resubmit this request ID, as below:
>
> Request ID '20140605220249':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=DRUTT.COM
> subject: CN=IPA RA,O=DRUTT.COM
> expires: 2014-06-24 14:08:50 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
>
> I have restarted ipa service before renewal since there is no pki-cad service in our env.
Oh. So unfortunately the version of certmonger you have has a bug where
the pre/post commands weren't displayed (it was only a display issue).
If you look in /var/lib/certmonger/requests/<id> you can find the source
for this output. See what the pre/post save command is for any of the CA
subsystem certs and I guess perhaps ipaCert. I need to see how they are
configured to do the renewal.
Maybe my memory is failing but I'd have sworn the CA process name was
pki-cad. ipactl restart will restart the world. Given that the certs are
expired you need to restart things when you go back in time. I saw that
you are tracking the subsystem certs on this master so the CA must be
installed.
> I have tried so many times for this processes, and I even want to recreate the ipaCert, but it failed.
Before you go poking too manually into things I'd strongly recommend
backing up the NSS databases first. You could easily break something.
> The references I used as below, but both of them are not available for my issue:(
> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
> http://www.freeipa.org/page/PKI
>
> and if it's feasible we modify the expiration date for these certs manually or recreate it directly ?
You can't change any attributes of a certificate without re-issuing it.
You can't issue a new cert without the CA up and I suspect it isn't up.
The cert may be in MONITORING when you go back in time because really,
it's fine as long as it isn't expired, so MONITORING is a-ok.
rob
>
> Thanks,
> BR//Kay
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Tuesday, May 31, 2016 11:10 PM
> To: Kay Zhou Y; freeipa-users at redhat.com
> Cc: Doris Hongmei; Xionglin Gu
> Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue
>
> Kay Zhou Y wrote:
>> Hi Rob,
>>
>> Thanks for your reply.
>>
>> And about your suggestion, actually I have done it. but it just renew the two 389-ds certs and Apache certs.
>> Since the ipaCert and subsystem certs are expired at 20140624, so I must roll back time before it. then begin to renew, but after I done this:
>>
>> "Let's force renewal on all of the certificates:
>> # for line in `getcert list | grep Request | cut -d "'" -f2`; do
>> getcert resubmit -i $line; done ..."
>>
>> According to the wiki, (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal ). The CA subsystem c
ertificates will be renewed. But it did not.
>
> Ok, what state are the certificates in? When you go back in time are you restarting the pki-cad service before attempting to do the renewal?
>
>> Finally after I finish all action mentioned in the wiki page, I still can't renew ipaCert and other four CA subsystem certificates.
>> And the two 389-ds and apache certs will still expired after the date 20160623 ( expire date of ipaCert 20140624 + two years).
>>
>> If there is any other guide or doc about the ipaCert and CA subsystem certificates?
>
> Not really for IPA 2.x
>
> rob
>
>
>> Thanks a lot for your support!
>
>
>>
>> Thanks,
>> BR//Kay
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>> Sent: Friday, May 27, 2016 11:41 PM
>> To: Kay Zhou Y; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue
>>
>> Kay Zhou Y wrote:
>>> Hi,
>>>
>>> This is Kay.
>>>
>>> I am not sure if the email address is correct, and I am really
>>> appreciate if there is any help for my issue. it's baffling for few
>>> days, and the expire date is coming soon.. L
>>>
>>> There is a IPA 2.2 environment, and three "Server-Cert"(two 389-ds
>>> and the Apache certs) will be expired at 2016-06-05 22:03:17 UTC.
>>>
>>> Two years ago, these certs were renewed by other guys according to
>>> this
>>> document: http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>>>
>>> and it was successful then the certificates has been renewed until 20160605.
>>>
>>> But recently I want to renew it again since the expire date is coming.
>>> Then I follow the above guide, however things not go well.
>>
>> The problem looks to be because the IPA RA cert (ipaCert) isn't
>> matching what dogtag expects. See the wiki page starting at
>>
>> "For ipaCert, stored in /etc/httpd/alias you have another job to do..."
>>
>> You'll want to be sure that description correctly matches the certificate in the Apache database and confirm that the usercertificate value in LDAP matches the cert being presented.
>>
>> rob
>>
>>>
>>> As below, it's the 8 certs which certmonger are tracking:
>>>
>>> root at ecnshlx3039-test2(SH):~ #getcert list
>>>
>>> Number of certificates and requests being tracked: 8.
>>>
>>> Request ID '20120704140859':
>>>
>>> status: CA_UNREACHABLE
>>>
>>> ca-error: Server failed request, will retry: 4301 (RPC
>>> failed at server. Certificate operation cannot be completed:
>>> EXCEPTION (Invalid Credential.)).
>>>
>>> stuck: yes
>>>
>>> key pair storage:
>>> type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Ce
>>> r
>>> t',token='NSS
>>> Certificate DB',pinfile='
>>> /etc/dirsrv/slapd-DRUTT-COM/pwdfile.txt'
>>>
>>> certificate:
>>> type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Ce
>>> r
>>> t',token='NSS
>>> Certificate DB'
>>>
>>> CA: IPA
>>>
>>> issuer: CN=Certificate Authority,O=DRUTT.COM
>>>
>>> subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>>
>>> expires: 2016-06-05 22:03:17 UTC
>>>
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>
>>> pre-save command:
>>>
>>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
>>> DRUTT-COM
>>>
>>> track: yes
>>>
>>> auto-renew: yes
>>>
>>> Request ID '20120704140922':
>>>
>>> status: CA_UNREACHABLE
>>>
>>> ca-error: Server failed request, will retry: 4301 (RPC
>>> failed at server. Certificate operation cannot be completed:
>>> EXCEPTION (Invalid Credential.)).
>>>
>>> stuck: yes
>>>
>>> key pair storage:
>>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert'
>>> ,token='NSS
>>> Certificate DB',pinfile='/e
>>> tc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>>
>>> certificate:
>>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert'
>>> ,token='NSS
>>> Certificate DB'
>>>
>>> CA: IPA
>>>
>>> issuer: CN=Certificate Authority,O=DRUTT.COM
>>>
>>> subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>>
>>> expires: 2016-06-05 22:03:17 UTC
>>>
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>
>>> pre-save command:
>>>
>>> post-save command:
>>>
>>> track: yes
>>>
>>> auto-renew: yes
>>>
>>> Request ID '20120704141150':
>>>
>>> status: CA_UNREACHABLE
>>>
>>> ca-error: Server failed request, will retry: 4301 (RPC
>>> failed at server. Certificate operation cannot be completed:
>>> EXCEPTION (Invalid Credential.)).
>>>
>>> stuck: yes
>>>
>>> key pair storage:
>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='
>>> N
>>> SS
>>> Certificate
>>> DB',pinfile='/etc/httpd/
>>> alias/pwdfile.txt'
>>>
>>> certificate:
>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='
>>> N
>>> SS
>>> Certificate DB'
>>>
>>> CA: IPA
>>>
>>> issuer: CN=Certificate Authority,O=DRUTT.COM
>>>
>>> subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>>
>>> expires: 2016-06-05 22:03:17 UTC
>>>
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>
>>> pre-save command:
>>>
>>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>
>>> track: yes
>>>
>>> auto-renew: yes
>>>
>>> Request ID '20140605220249':
>>>
>>> status: MONITORING
>>>
>>> stuck: no
>>>
>>> key pair storage:
>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>>> Certificate
>>> DB',pinfile='/etc/httpd/alia
>>> s/pwdfile.txt'
>>>
>>> certificate:
>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>>> Certificate DB'
>>>
>>> CA: dogtag-ipa-renew-agent
>>>
>>> issuer: CN=Certificate Authority,O=DRUTT.COM
>>>
>>> subject: CN=IPA RA,O=DRUTT.COM
>>>
>>> expires: 2014-06-24 14:08:50 UTC
>>>
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>
>>> pre-save command:
>>>
>>> post-save command:
>>>
>>> track: yes
>>>
>>> auto-renew: yes
>>>
>>> Request ID '20160527075219':
>>>
>>> status: MONITORING
>>>
>>> stuck: no
>>>
>>> key pair storage:
>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCer
>>> t
>>> cert-pki-ca',token='NSS Certificate
>>> DB ',pin='565569846212'
>>>
>>> certificate:
>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCer
>>> t cert-pki-ca',token='NSS Certificate DB'
>>>
>>> CA: dogtag-ipa-renew-agent
>>>
>>> issuer: CN=Certificate Authority,O=DRUTT.COM
>>>
>>> subject: CN=CA Audit,O=DRUTT.COM
>>>
>>> expires: 2014-06-24 14:08:42 UTC
>>>
>>> pre-save command:
>>>
>>> post-save command:
>>>
>>> track: yes
>>>
>>> auto-renew: yes
>>>
>>> Request ID '20160527075220':
>>>
>>> status: MONITORING
>>>
>>> stuck: no
>>>
>>> key pair storage:
>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>>> cert-pki-ca',token='NSS Certificate
>>> DB' ,pin='565569846212'
>>>
>>> certificate:
>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>>> cert-pki-ca',token='NSS Certificate DB'
>>>
>>> CA: dogtag-ipa-renew-agent
>>>
>>> issuer: CN=Certificate Authority,O=DRUTT.COM
>>>
>>> subject: CN=OCSP Subsystem,O=DRUTT.COM
>>>
>>> expires: 2014-06-24 14:08:41 UTC
>>>
>>> eku: id-kp-OCSPSigning
>>>
>>> pre-save command:
>>>
>>> post-save command:
>>>
>>> track: yes
>>>
>>> auto-renew: yes
>>>
>>> Request ID '20160527075221':
>>>
>>> status: MONITORING
>>>
>>> stuck: no
>>>
>>> key pair storage:
>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>>> cert-pki-ca',token='NSS Certificate
>>> DB',p in='565569846212'
>>>
>>> certificate:
>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>>> cert-pki-ca',token='NSS Certificate DB'
>>>
>>> CA: dogtag-ipa-renew-agent
>>>
>>> issuer: CN=Certificate Authority,O=DRUTT.COM
>>>
>>> subject: CN=CA Subsystem,O=DRUTT.COM
>>>
>>> expires: 2014-06-24 14:08:41 UTC
>>>
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>
>>> pre-save command:
>>>
>>> post-save command:
>>>
>>> track: yes
>>>
>>> auto-renew: yes
>>>
>>> Request ID '20160527075222':
>>>
>>> status: MONITORING
>>>
>>> stuck: no
>>>
>>> key pair storage:
>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>>> cert-pki-ca',token='NSS Certificate
>>> DB',pin ='565569846212'
>>>
>>> certificate:
>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>>> cert-pki-ca',token='NSS Certificate DB'
>>>
>>> CA: dogtag-ipa-renew-agent
>>>
>>> issuer: CN=Certificate Authority,O=DRUTT.COM
>>>
>>> subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>>
>>> expires: 2014-06-24 14:08:41 UTC
>>>
>>> eku: id-kp-serverAuth
>>>
>>> pre-save command:
>>>
>>> post-save command:
>>>
>>> track: yes
>>>
>>> auto-renew: yes
>>>
>>> Follow all the steps in the guide, the result is just first three
>>> certificates are renewed to 20160622 if I set system time to
>>> 20140623(which the four CA subsystem certs and CA cert are valid).
>>>
>>> But other five are not renewed at all (the four CA subsystem certs
>>> and CA cert). there is no error information during these steps.
>>>
>>> I google a lot but still found nothing could resolve it. and then I
>>> found there was a similar thread:
>>> https://www.redhat.com/archives/freeipa-users/2015-October/msg00174.h
>>> t
>>> ml
>>>
>>> But unfortunately the solution is not available for my issue either.
>>>
>>> Since I am not familiar with Freeipa, so it bothers me so much.
>>>
>>> Any help will be really appreciate. Thansks in advance!
>>>
>>> Thanks,
>>>
>>> BR//Kay
>>>
>>>
>>>
>>
>
More information about the Freeipa-users
mailing list