[Freeipa-users] CA: IPA certificates not renewing

Rob Crittenden rcritten at redhat.com
Thu Jun 16 14:22:29 UTC 2016


Marc Wiatrowski wrote:
> Thanks Rob,
>
> Any suggestions on how make the CA aware of the current serial number?

Serial numbers are doled out like uid numbers, by the 389-ds DNA 
Plugin. So each CA that has ever issued a certificate has its own range, 
hence the quite different serial number values.

Given that some issued certificates are unknown it stands to reason that 
replication is broken between one or more masters. Fixing that should 
resolve (most of) the other issues.

> Also started seeing the following error from two of the servers,
> spider01b and spider01o, but not spider01a, when I navigate in the web
> gui.  Though it doesn't appear to stop me from doing anything.
>
> IPA Error 4301
> Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)

Dogtag does some of its access control by comparing the incoming client 
certificate with an expected value in its LDAP database, in this case 
uid=ipara,ou=People,o=ipaca. There you'll find a copy of the client 
certificate and a description field that contains the expected serial #, 
subject and issuer.

These are out-of-whack if you're getting Invalid Credentials. It could 
be a number of things so I'd proceed cautiously. Given you have a 
working master I'd use that as a starting point.

Look at the RA cert in /etc/httpd/alias:

# certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial

See if it is the same on all masters, it should be.

If it is, look at the uid=ipara entry on all the masters. Again, should 
be the same.

Note that fixing this won't address any replication issues.

rob
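A scripted form of the check described above (compare the ipaCert serial in /etc/httpd/alias with the serial recorded on uid=ipara), added here as an example and not code from the thread or from FreeIPA. It assumes the IPA 3.0 layout with the CA's separate slapd-PKI-IPA directory on port 7389, Dogtag's `2;<serial>;<issuer DN>;<subject DN>` description layout, and an example environment variable PKI_DM_PW for the Directory Manager password; the sample values in demo_offline are constructed, not taken from the thread.

```bash
#!/bin/bash
# Added example (not from the thread): compare the RA agent cert serial in
# /etc/httpd/alias with what Dogtag expects in uid=ipara,ou=People,o=ipaca.
# Assumes the IPA 3.0 layout (CA's own slapd-PKI-IPA instance on port 7389)
# and Dogtag's description layout "2;<serial>;<issuer DN>;<subject DN>".
set -u

# Decimal serial from `certutil -L -d <db> -n ipaCert` output, e.g. "Serial Number: 8 (0x8)".
serial_from_certutil() {
  sed -n 's/^[[:space:]]*Serial Number:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Expected serial from the ipara entry's description attribute (LDIF on stdin).
serial_from_ipara_ldif() {
  sed -n 's/^description: 2;\([0-9][0-9]*\);.*/\1/p' | head -n 1
}

# Returns 0 on match, 1 on mismatch, 2 if either serial could not be read.
compare_serials() {
  local cert_serial="$1" expected_serial="$2"
  if [ -z "$cert_serial" ] || [ -z "$expected_serial" ]; then
    echo "UNKNOWN: could not read one of the serials" >&2; return 2
  fi
  if [ "$cert_serial" != "$expected_serial" ]; then
    echo "MISMATCH: ipaCert serial $cert_serial, uid=ipara expects $expected_serial" >&2; return 1
  fi
  echo "OK: ipaCert serial $cert_serial matches uid=ipara"
}

# Live check for one master (run as root on each master with a CA). Directory
# Manager password for the PKI-IPA instance is read from $PKI_DM_PW (example name).
check_master() {
  local nssdb="${1:-/etc/httpd/alias}" cert_serial expected_serial
  cert_serial=$(certutil -L -d "$nssdb" -n ipaCert | serial_from_certutil)
  expected_serial=$(ldapsearch -x -LLL -h localhost -p 7389 \
      -D 'cn=Directory Manager' -w "${PKI_DM_PW:?set PKI_DM_PW}" \
      -b 'uid=ipara,ou=People,o=ipaca' -s base description | serial_from_ipara_ldif)
  compare_serials "$cert_serial" "$expected_serial"
}

# Offline self-check on constructed sample output (no hosts contacted).
demo_offline() {
  local cert expected
  cert=$(printf '        Serial Number: 8 (0x8)\n' | serial_from_certutil)
  expected=$(printf 'description: 2;8;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE.TEST\n' | serial_from_ipara_ldif)
  compare_serials "$cert" "$expected"
}

if [ "${1:-}" = "--live" ]; then check_master "${2:-/etc/httpd/alias}"; else demo_offline; fi
```

Run it with `--live` on every master that has a CA; the serials should agree on all of them, and a MISMATCH on one host points at the entry Rob describes.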

>
> Marc
>
> On Tue, Jun 14, 2016 at 2:07 PM, Marc Wiatrowski <wia at iglass.net> wrote:
>
>     On Tue, Jun 14, 2016 at 11:22 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>         Marc Wiatrowski wrote:
>
>             Hello, I'm having issues with the 3 ipa certificates of type
>             CA: IPA
>             renewing on 2 of 3 replicas.  Particularly on the 2 that are
>             not the CA
>             master.  The other 5 certificates from getcert list do renew
>             and all
>             certificates on the CA master do look to renew.
>
>             Both servers running
>             ipa-server-3.0.0-50.el6.centos.1.x86_64  I've done
>             full updates and rebooted.
>
>
>         Can you check on the replication status for each CA?
>
>         $ ipa-csreplica-manage list -v ipa.example.com
>
>         The hostname is important because including that will show the
>         agreements that host has. Do this for each master with a CA.
>
>         The CA being asked to do the renewal is unaware of the current
>         serial number so it is refusing to proceed.
>
>         rob
>
>
>
>     [root at spider01o]$ ipa-csreplica-manage list -v spider01a.iglass.net
>     Directory Manager password:
>
>     spider01b.iglass.net
>        last init status: None
>        last init ended: None
>        last update status: 0 Replica acquired successfully: Incremental update succeeded
>        last update ended: 2016-06-14 17:49:16+00:00
>     spider01o.iglass.net
>        last init status: None
>        last init ended: None
>        last update status: 0 Replica acquired successfully: Incremental update started
>        last update ended: 2016-06-14 17:55:20+00:00
>
>     [root at spider01o]$ ipa-csreplica-manage list -v spider01o.iglass.net
>     Directory Manager password:
>
>     spider01a.iglass.net
>        last init status: None
>        last init ended: None
>        last update status: 0 Replica acquired successfully: Incremental update started
>        last update ended: 2016-06-14 17:57:44+00:00
>     spider01b.iglass.net
>        last init status: None
>        last init ended: None
>        last update status: 0 Replica acquired successfully: Incremental update started
>        last update ended: 2016-06-14 17:57:41+00:00
>
>     [root at spider01o]$ ipa-csreplica-manage list -v spider01b.iglass.net
>     Directory Manager password:
>
>     spider01a.iglass.net
>        last init status: 0 Total update succeeded
>        last init ended: 2016-06-03 19:43:12+00:00
>        last update status: 0 Replica acquired successfully: Incremental update succeeded
>        last update ended: 2016-06-14 17:44:17+00:00
>     spider01o.iglass.net
>        last init status: 0 Total update succeeded
>        last init ended: 2016-06-03 19:44:38+00:00
>        last update status: 0 Replica acquired successfully: Incremental update started
>        last update ended: 2016-06-14 17:57:53+00:00
>     spider01a.iglass.net
>        last init status: None
>        last init ended: None
>        last update status: 0 Replica acquired successfully: Incremental update succeeded
>        last update ended: 2016-06-14 17:44:13+00:00
>     spider01o.iglass.net
>        last init status: None
>        last init ended: None
>        last update status: 0 Replica acquired successfully: Incremental update started
>        last update ended: 2016-06-14 17:57:54+00:00
>
>
>     Not sure what this is telling... Is this an issue with the last being
>     doubled?  Thanks
>
>
>
>     The failed renews look like:
>
>     [root at spider01a]$ getcert list -i 20141202144354
>     Number of certificates and requests being tracked: 8.
>     Request ID '20141202144354':
>     status: CA_UNREACHABLE
>     ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request,
>     will retry: 4301 (RPC failed at server.  Certificate operation cannot be
>     completed: EXCEPTION (Certificate serial number 0x3ffe0010 not found)).
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=IGLASS.NET
>     subject: CN=spider01a.iglass.net,O=IGLASS.NET
>     expires: 2016-12-02 14:38:45 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
>     track: yes
>     auto-renew: yes
>
>     [root at spider01a]$ getcert list -i 20141202144616
>     Number of certificates and requests being tracked: 8.
>     Request ID '20141202144616':
>     status: CA_UNREACHABLE
>     ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request,
>     will retry: 4301 (RPC failed at server.  Certificate operation cannot be
>     completed: EXCEPTION (Certificate serial number 0x3ffe000f not found)).
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=IGLASS.NET
>     subject: CN=spider01a.iglass.net,O=IGLASS.NET
>     expires: 2016-12-02 14:38:43 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv IGLASS-NET
>     track: yes
>     auto-renew: yes
>
>     [root at spider01a]$ getcert list -i 20141202144733
>     Number of certificates and requests being tracked: 8.
>     Request ID '20141202144733':
>     status: CA_UNREACHABLE
>     ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request,
>     will retry: 4301 (RPC failed at server.  Certificate operation cannot be
>     completed: EXCEPTION (Certificate serial number 0x3ffe0011 not found)).
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=IGLASS.NET
>     subject: CN=spider01a.iglass.net,O=IGLASS.NET
>     expires: 2016-12-02 14:38:46 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>     track: yes
>     auto-renew: yes
>
>
>     From
>     [root at spider01a]$ getcert resubmit -i 20141202144354
>
>     On the replica issuing the resubmit
>
>     ==> /var/log/httpd/access_log <==
>     192.168.176.2 - - [13/Jun/2016:15:49:32 -0400] "POST /ipa/xml HTTP/1.1" 401 1370
>
>     ==> /var/log/httpd/error_log <==
>     [Mon Jun 13 15:49:33 2016] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): EXCEPTION (Certificate serial number 0x3ffe0010 not found)
>     [Mon Jun 13 15:49:33 2016] [error] ipa: INFO: host/spider01a.iglass.net at IGLASS.NET: cert_request(u'MIIDsTCCApkCAQAwNDETMBEGA1UEChMKSUdMQVNTLk5FVDEdMBsGA1UEAxMUc3BpZGVyMDFhLml...UVrN8lbKn17V5COjnj6k0mdbz3KptL0UI/l0BPlFBWGN5MFYaDx2F+y6LWv/aXeu2V4E6LA==', principal=u'dogtagldap/spider01a.iglass.net at IGLASS.NET', add=True): CertificateOperationError
>
>     ==> /var/log/httpd/access_log <==
>     192.168.176.2 - - [13/Jun/2016:15:49:33 -0400] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 200 262
>     192.168.176.2 - host/spider01a.iglass.net at IGLASS.NET [13/Jun/2016:15:49:32 -0400] "POST /ipa/xml HTTP/1.1" 200 376
>
>     ==> /var/log/pki-ca/system <==
>     2508.TP-Processor6 - [13/Jun/2016:15:49:33 EDT] [3] [3] Servlet caDisplayBySerial: Error encountered in DisplayBySerial. Error Record not found.
>
>
>     On the CA master spider01o:
>
>     ==> /var/log/httpd/access_log <==
>     192.168.176.2 - - [13/Jun/2016:15:49:33 -0400] "POST /ipa/xml HTTP/1.1" 401 1370
>
>     ==> krb5kdc.log <==
>     Jun 13 15:49:34 spider01o.iglass.net krb5kdc[1963](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.177.2: ISSUE: authtime 1465847372, etypes {rep=18 tkt=18 ses=18}, host/spider01a.iglass.net at IGLASS.NET for ldap/spider01o.iglass.net at IGLASS.NET
>
>     ==> /var/log/httpd/error_log <==
>     [Mon Jun 13 15:49:34 2016] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): EXCEPTION (Invalid Credential.)
>     [Mon Jun 13 15:49:34 2016] [error] ipa: INFO: host/spider01a.iglass.net at IGLASS.NET: cert_request(u'MIIDsTCCApkCAQAwNDETMBEGA1UEChMKSUdMQVNTLk5FVDEdMBsGA1UEAxMUc3BpZGVyMDFhLml...UVrN8lbKn17V5COjnj6k0mdbz3KptL0UI/l0BPlFBWGN5MFYaDx2F+y6LWv/aXeu2V4E6LA==', principal=u'dogtagldap/spider01a.iglass.net at IGLASS.NET', add=True): CertificateOperationError
>
>     ==> /var/log/httpd/access_log <==
>     192.168.177.2 - - [13/Jun/2016:15:49:34 -0400] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 200 235
>     192.168.176.2 - host/spider01a.iglass.net at IGLASS.NET [13/Jun/2016:15:49:33 -0400] "POST /ipa/xml HTTP/1.1" 200 349
>
>     ==> /var/log/pki-ca/system <==
>     2231.TP-Processor3 - [13/Jun/2016:15:49:34 EDT] [6] [3] Cannot authenticate agent with certificate Serial 0x5ffc0008 Subject DN CN=IPA RA,O=IGLASS.NET. Error: User not found
>
>
>     I realize they expire at the end of the year, but I've had my
>     certificates expire before and would rather not go through that again.
>     Any idea on what's wrong or suggestions on where to look would be
>     appreciated.
>
>     Thanks,
>     Marc