[Freeipa-users] IPA 2.2 Certificate Renewal issue

Kay Zhou Y kay.y.zhou at ericsson.com
Wed Jun 1 04:56:02 UTC 2016


Hi Rob,

1.  I have made snapshots of this system for testing, so the NSS databases have been backed up.

2.  For the pki-cad service, I can't find it in my system; it says there is no such service.
But there is one failed service, as below:

root@ecnshlx3039-test2(SH):requests #systemctl status pki-cad@pki-ca.service
pki-cad@pki-ca.service - PKI Certificate Authority Server pki-ca
          Loaded: loaded (/lib/systemd/system/pki-cad@.service; enabled)
          Active: failed (Result: exit-code) since Wed, 01 Jun 2016 06:28:53 +0200; 23min ago
         Process: 2675 ExecStop=/usr/bin/pkicontrol stop ca %i (code=exited, status=1/FAILURE)
         Process: 2525 ExecStart=/usr/bin/pkicontrol start ca %i (code=exited, status=0/SUCCESS)
        Main PID: 2593 (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/pki-cad@.service/pki-ca

Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]: pam_unix(runuser-l:session): session opened for user pkius...d=0)
Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]: pam_unix(runuser-l:session): session closed for user pkiuser
Jun 01 06:28:52 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]: pam_unix(runuser-l:session): session opened for user pkius...d=0)
Jun 01 06:28:53 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]: pam_unix(runuser-l:session): session closed for user pkiuser

I can't start it normally; the log only says:
Jun  1 06:54:39 ecnshlx3039-test2 systemd[1]: pki-cad@pki-ca.service: control process exited, code=exited status=1
Jun  1 06:54:39 ecnshlx3039-test2 systemd[1]: Unit pki-cad@pki-ca.service entered failed state.

I will google more to try to start it first.


3.  About the source of the output for getcert list:

root@ecnshlx3039-test2(SH):requests #ll
total 64
-rw-------. 1 root root 5698 Jun  1 06:06 20120704140859
-rw-------. 1 root root 5695 Jun  1 06:06 20120704140922
-rw-------. 1 root root 5654 Jun  1 06:06 20120704141150
-rw-------. 1 root root 5107 Jun  1 06:39 20140605220249
-rw-------. 1 root root 4982 Jun  1 06:39 20160601043748
-rw-------. 1 root root 5144 Jun  1 06:39 20160601043749
-rw-------. 1 root root 5186 Jun  1 06:39 20160601043750
-rw-------. 1 root root 5126 Jun  1 06:39 20160601043751
root@ecnshlx3039-test2(SH):requests #
root@ecnshlx3039-test2(SH):requests #grep post_certsave_command *
20120704140859:post_certsave_command=/usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
20120704141150:post_certsave_command=/usr/lib64/ipa/certmonger/restart_httpd
root@ecnshlx3039-test2(SH):requests #grep pre_certsave_command *
root@ecnshlx3039-test2(SH):requests #

There are just two statements.

And this is the detailed info for ipaCert:
root@ecnshlx3039-test2(SH):requests #cat 20140605220249
id=20140605220249
key_type=RSA
key_gen_type=RSA
key_size=2048
key_gen_size=2048
key_storage_type=NSSDB
key_storage_location=/etc/httpd/alias
key_token=NSS Certificate DB
key_nickname=ipaCert
key_pin_file=/etc/httpd/alias/pwdfile.txt
cert_storage_type=NSSDB
cert_storage_location=/etc/httpd/alias
cert_token=NSS Certificate DB
cert_nickname=ipaCert
cert_issuer=CN=Certificate Authority,O=DRUTT.COM
cert_serial=07
cert_subject=CN=IPA RA,O=DRUTT.COM
cert_spki=30820122300d06092a864886f70d01010105000382010f003082010a02820101009b12fed4488180e1141ccf9264b5718e8b6fe8f6b5b5001819d49f722342500142d1169b601cd427fb68b08ae8272c4fc50b1730b665a2db1af3d1a31c09b8dfbccc183ad0e87aed4a0b66b5806a3fa6c0807c747c1ba0a2d6b5756f5fb55bc96fd3bfad8ec61c48c987b1f6cc42418a1500df309097c1b6ba73c116c2bfca005a0ef879bc16773a9ad66b9a0edd802aff32023927c4b071b17fd5f9ea8d760b2fc1cbcde2336a141f8d1ea861b182815b8690d6956aa7bc2f342d928c8768eca9cf43482595494e138295d5c6ec0e13b70bd533091d2c5aaf09563e37c0f0907443ba3291b7f0a0e1abb0443fe0de319ebd86d4fb47f89e941c55d84026bb0d0203010001
cert_not_before=20120704140850
cert_not_after=20140624140850
cert_ku=1111
cert_eku=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
last_need_notify_check=20160601044851
last_need_enroll_check=20160601044851
template_subject=CN=IPA RA,O=DRUTT.COM
template_ku=1111
template_eku=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
state=MONITORING
autorenew=1
monitor=1
ca_name=dogtag-ipa-renew-agent
submitted=20160601044851

==========================================================================================================

4.  "getcert list" result:

root@ecnshlx3039-test2(SH):requests #getcert list
Number of certificates and requests being tracked: 8.
Request ID '20120704140859':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DRUTT-COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=ipa1.drutt.com,O=DRUTT.COM
        expires: 2016-06-05 22:03:17 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
        track: yes
        auto-renew: yes
Request ID '20120704140922':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://ipa1.drutt.com:443/ca/agent/ca/displayBySerial': [Errno -8053] (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=ipa1.drutt.com,O=DRUTT.COM
        expires: 2016-06-05 22:03:17 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20120704141150':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=ipa1.drutt.com,O=DRUTT.COM
        expires: 2016-06-05 22:03:17 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20140605220249':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=IPA RA,O=DRUTT.COM
        expires: 2014-06-24 14:08:50 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160601043748':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=CA Audit,O=DRUTT.COM
        expires: 2014-06-24 14:08:42 UTC
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160601043749':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=OCSP Subsystem,O=DRUTT.COM
        expires: 2014-06-24 14:08:41 UTC
        eku: id-kp-OCSPSigning
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160601043750':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=CA Subsystem,O=DRUTT.COM
        expires: 2014-06-24 14:08:41 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160601043751':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=ipa1.drutt.com,O=DRUTT.COM
        expires: 2014-06-24 14:08:41 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes


thanks,
BR//Kay

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com] 
Sent: Wednesday, June 01, 2016 11:56 AM
To: Kay Zhou Y; freeipa-users at redhat.com
Cc: Doris Hongmei; Xionglin Gu
Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue

Kay Zhou Y wrote:
> Hi Rob,
>
> The status for ipaCert is MONITORING both before and after resubmitting this request ID, as below:
>
> Request ID '20140605220249':
>          status: MONITORING
>          stuck: no
>          key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>          certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>          CA: dogtag-ipa-renew-agent
>          issuer: CN=Certificate Authority,O=DRUTT.COM
>          subject: CN=IPA RA,O=DRUTT.COM
>          expires: 2014-06-24 14:08:50 UTC
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          pre-save command:
>          post-save command:
>          track: yes
>          auto-renew: yes
>
> I have restarted the ipa service before renewal since there is no pki-cad service in our env.

Oh. So unfortunately the version of certmonger you have has a bug where the pre/post commands weren't displayed (it was only a display issue). 
If you look in /var/lib/certmonger/requests/<id> you can find the source for this output. See what the pre/post save command is for any of the CA subsystem certs and I guess perhaps ipaCert. I need to see how they are configured to do the renewal.

Maybe my memory is failing but I'd have sworn the CA process name was pki-cad. ipactl restart will restart the world. Given that the certs are expired you need to restart things when you go back in time. I saw that you are tracking the subsystem certs on this master so the CA must be installed.

> I have tried so many times for this process, and I even wanted to recreate the ipaCert, but it failed.

Before you go poking too manually into things I'd strongly recommend backing up the NSS databases first. You could easily break something.

> The references I used are as below, but neither of them works for
> my issue :( http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
> http://www.freeipa.org/page/PKI
>
> And is it feasible to modify the expiration date for these certs manually or recreate them directly?

You can't change any attributes of a certificate without re-issuing it. 
You can't issue a new cert without the CA up and I suspect it isn't up.

The cert may be in MONITORING when you go back in time because really, it's fine as long as it isn't expired, so MONITORING is a-ok.

rob

>
> Thanks,
> BR//Kay
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Tuesday, May 31, 2016 11:10 PM
> To: Kay Zhou Y; freeipa-users at redhat.com
> Cc: Doris Hongmei; Xionglin Gu
> Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue
>
> Kay Zhou Y wrote:
>> Hi Rob,
>>
>> Thanks for your reply.
>>
>> About your suggestion, actually I have done it, but it just renewed the two 389-ds certs and the Apache certs.
>> Since the ipaCert and subsystem certs expired on 20140624, I must roll back the time to before that and then begin to renew, but after I did this:
>>
>> "Let's force renewal on all of the certificates:
>> # for line in `getcert list | grep Request | cut -d "'" -f2`; do 
>> getcert resubmit -i $line; done ..."
>>
>> According to the wiki
>> (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal ), the CA
>> subsystem certificates will be renewed. But they were not.
>
> Ok, what state are the certificates in? When you go back in time are you restarting the pki-cad service before attempting to do the renewal?
>
>> Finally, after I finished all the actions mentioned in the wiki page, I still can't renew ipaCert and the other four CA subsystem certificates.
>> And the two 389-ds and Apache certs will still expire after the date 20160623 (expiry date of ipaCert 20140624 + two years).
>>
>> Is there any other guide or doc about the ipaCert and CA subsystem certificates?
>
> Not really for IPA 2.x
>
> rob
>
>
>> Thanks a lot for your support!
>
>
>>
>> Thanks,
>> BR//Kay
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>> Sent: Friday, May 27, 2016 11:41 PM
>> To: Kay Zhou Y; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue
>>
>> Kay Zhou Y wrote:
>>> Hi,
>>>
>>> This is Kay.
>>>
>>> I am not sure if the email address is correct, and I would really
>>> appreciate any help with my issue. It has been baffling me for a few
>>> days, and the expiry date is coming soon.. :(
>>>
>>> There is an IPA 2.2 environment, and three "Server-Cert"s (two 389-ds
>>> and the Apache certs) will expire at 2016-06-05 22:03:17 UTC.
>>>
>>> Two years ago, these certs were renewed by other guys according to
>>> this document: http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>>>
>>> It was successful, and the certificates were renewed until 20160605.
>>>
>>> But recently I wanted to renew them again since the expiry date is coming.
>>> I followed the above guide; however, things did not go well.
>>
>> The problem looks to be because the IPA RA cert (ipaCert) isn't 
>> matching what dogtag expects. See the wiki page starting at
>>
>> "For ipaCert, stored in /etc/httpd/alias you have another job to do..."
>>
>> You'll want to be sure that description correctly matches the certificate in the Apache database and confirm that the usercertificate value in LDAP matches the cert being presented.
>>
>> rob
>>
>>>
>>> As below, these are the 8 certs which certmonger is tracking:
>>>
>>> root@ecnshlx3039-test2(SH):~ #getcert list
>>> Number of certificates and requests being tracked: 8.
>>> Request ID '20120704140859':
>>>         status: CA_UNREACHABLE
>>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
>>>         stuck: yes
>>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DRUTT-COM/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB'
>>>         CA: IPA
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>>         expires: 2016-06-05 22:03:17 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20120704140922':
>>>         status: CA_UNREACHABLE
>>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
>>>         stuck: yes
>>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>>         CA: IPA
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>>         expires: 2016-06-05 22:03:17 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20120704141150':
>>>         status: CA_UNREACHABLE
>>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
>>>         stuck: yes
>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>         CA: IPA
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>>         expires: 2016-06-05 22:03:17 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20140605220249':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-renew-agent
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=IPA RA,O=DRUTT.COM
>>>         expires: 2014-06-24 14:08:50 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20160527075219':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-renew-agent
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=CA Audit,O=DRUTT.COM
>>>         expires: 2014-06-24 14:08:42 UTC
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20160527075220':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-renew-agent
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=OCSP Subsystem,O=DRUTT.COM
>>>         expires: 2014-06-24 14:08:41 UTC
>>>         eku: id-kp-OCSPSigning
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20160527075221':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-renew-agent
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=CA Subsystem,O=DRUTT.COM
>>>         expires: 2014-06-24 14:08:41 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20160527075222':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-renew-agent
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>>         expires: 2014-06-24 14:08:41 UTC
>>>         eku: id-kp-serverAuth
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>>
>>> Following all the steps in the guide, the result is that just the first three
>>> certificates are renewed to 20160622 if I set the system time to
>>> 20140623 (when the four CA subsystem certs and the CA cert are valid).
>>>
>>> But the other five are not renewed at all (the four CA subsystem certs
>>> and the CA cert). There is no error information during these steps.
>>>
>>> I googled a lot but still found nothing that could resolve it, and then I
>>> found there was a similar thread:
>>> https://www.redhat.com/archives/freeipa-users/2015-October/msg00174.html
>>>
>>> But unfortunately that solution does not work for my issue either.
>>>
>>> Since I am not familiar with FreeIPA, it bothers me a lot.
>>>
>>> Any help will be really appreciated. Thanks in advance!
>>>
>>> Thanks,
>>>
>>> BR//Kay
>>>
>>>
>>>
>>
>
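Rob's pointer to /var/lib/certmonger/requests/<id> as the real source behind the (partly hidden) "getcert list" output, turned into a small checker as an added example. This is not code from the thread, certmonger or FreeIPA; the request-file layout it assumes is the one quoted above, and the embedded sample file is constructed from the thread's httpd Server-Cert values with a placeholder in place of the CSR body.

```python
"""Report what the affected certmonger's 'getcert list' did not display (the
pre/post save commands) by reading /var/lib/certmonger/requests/<id> directly,
next to each cert's expiry relative to a chosen clock.

Added example for this thread, not code from certmonger or FreeIPA. Assumes
the key=value layout quoted in the thread: PEM blobs continue on
space-indented lines and timestamps are YYYYMMDDHHMMSS in UTC."""
from datetime import datetime, timezone
from pathlib import Path

REQUESTS_DIR = Path("/var/lib/certmonger/requests")  # path named in the thread

def parse_request(text):
    """Return key -> value for one request file.

    A line starting with whitespace continues the previous key; that is how
    the csr= and cert= PEM blocks are stored, so they are re-joined here."""
    fields, last_key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and last_key is not None:
            fields[last_key] += "\n" + line.strip()
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if not sep:
            continue  # not a key=value line; skip rather than guess
        fields[key] = value
        last_key = key
    return fields

def certmonger_time(stamp):
    """certmonger writes cert_not_after and friends as YYYYMMDDHHMMSS (UTC)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def summarize(fields, now):
    """Pick out the fields an operator compares against 'getcert list'."""
    stamp = fields.get("cert_not_after")  # absent while no cert is issued yet
    not_after = certmonger_time(stamp) if stamp else None
    return {
        "id": fields.get("id"),
        "nickname": fields.get("cert_nickname"),
        "state": fields.get("state"),
        "ca": fields.get("ca_name"),
        "expires": not_after,
        "expired": not_after is not None and not_after <= now,
        "days_left": (not_after - now).days if not_after else None,
        "pre_save": fields.get("pre_certsave_command", ""),
        "post_save": fields.get("post_certsave_command", ""),
    }

def scan(directory, now):
    """Summarize every request file in a certmonger requests directory."""
    return [summarize(parse_request(p.read_text()), now)
            for p in sorted(directory.iterdir()) if p.is_file()]

# Constructed sample in the layout quoted in the thread, using values from the
# thread's httpd Server-Cert entry; the PEM body is a placeholder, not a CSR.
SAMPLE_REQUEST = """\
id=20120704141150
key_storage_location=/etc/httpd/alias
key_nickname=Server-Cert
cert_storage_location=/etc/httpd/alias
cert_nickname=Server-Cert
cert_issuer=CN=Certificate Authority,O=DRUTT.COM
cert_subject=CN=ipa1.drutt.com,O=DRUTT.COM
cert_not_after=20160605220317
csr=-----BEGIN NEW CERTIFICATE REQUEST-----
 PLACEHOLDERBASE64LINE
 -----END NEW CERTIFICATE REQUEST-----
state=CA_UNREACHABLE
ca_name=IPA
post_certsave_command=/usr/lib64/ipa/certmonger/restart_httpd
"""

if __name__ == "__main__":
    now = certmonger_time("20160601045602")  # clock of the thread's last mail
    entries = scan(REQUESTS_DIR, now) if REQUESTS_DIR.is_dir() else [
        summarize(parse_request(SAMPLE_REQUEST), now)]
    for e in entries:
        left = "EXPIRED" if e["expired"] else f"{e['days_left']} days left"
        print(f"{e['id']} {e['nickname']!s:<24} {e['state']!s:<16} {left}")
        print(f"    post-save: {e['post_save'] or '(none)'}")
```

Run it as root on the master with a rolled-back clock to see which entries certmonger considers expired at that date; with no requests directory present it reports the constructed sample instead.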




