[Freeipa-users] Stuck at CA_UNREACHABLE and NEED_CSR_GEN_PIN
Adam Kaczka
akaczka86 at gmail.com
Fri May 13 22:01:02 UTC 2016
Hi all,
I have inherited an IPA system that has an expired cert and the old admins
have left; I followed
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal but am running into
errors when I try to renew the CA certs even after the time is reset. I also
tried the troubleshooting under
http://www.freeipa.org/page/Troubleshooting#Authentication_Errors,
specifically using "certutil -L -d /etc/httpd/alias -n ipaCert -a >
/tmp/ra.crt" to add the cert to the database.
From the output of getcert list, I see both CA_UNREACHABLE and
NEED_CSR_GEN_PIN. I followed the Red Hat article here
(https://access.redhat.com/solutions/1142913), which verified that the key file
password is correct, and I have reset the time. However, the NEED_CSR_GEN_PIN
status remains. My company actually has Red Hat support, but whoever built
this IPA was using CentOS 6, so I am out of luck there.
I would really appreciate any help since I am stuck at this point. What else
can I do at this point? e.g. Is generating a new CA cert necessary, etc.?
Version:
ipa-pki-ca-theme.noarch        9.0.3-7.el6               @base
ipa-pki-common-theme.noarch    9.0.3-7.el6               @base
ipa-pmincho-fonts.noarch       003.02-3.1.el6            @base
ipa-python.x86_64              3.0.0-47.el6.centos.2     @updates
ipa-server.x86_64              3.0.0-47.el6.centos.2     @updates
ipa-server-selinux.x86_64      3.0.0-47.el6.centos.2     @updates
Part of the error logs from /var/log/pki-ca/debug after I reset the clock; I see
these errors, which I think are relevant:
[27/Dec/2015:14:12:01][main]: SigningUnit init: debug
org.mozilla.jss.crypto.ObjectNotFoundException
Certificate object not found
[27/Dec/2015:14:12:01][main]: CMS:Caught EBaseException
Certificate object not found
[27/Dec/2015:14:12:01][main]: CMSEngine.shutdown()
The result seems to show the key file password is correct:
certutil -K -d /etc/dirsrv/slapd-REALM-NET/ -f /etc/dirsrv/slapd-REALM-NET/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa ############################ NSS Certificate DB:Server-Cert
certutil -L -d /var/lib/pki-ca/alias
Certificate Nickname                  Trust Attributes
                                      SSL,S/MIME,JAR/XPI
ocspSigningCert cert-pki-ca           u,u,u
subsystemCert cert-pki-ca             u,u,u
Server-Cert cert-pki-ca               u,u,u
auditSigningCert cert-pki-ca          u,u,Pu
caSigningCert cert-pki-ca             CTu,Cu,Cu

certutil -L -d /etc/httpd/alias
Certificate Nickname                  Trust Attributes
                                      SSL,S/MIME,JAR/XPI
Server-Cert                           u,u,u
ipaCert                               u,u,u
REALM.COM IPA CA                      CT,C,

certutil -L -d /etc/dirsrv/slapd-REALM-COM
Certificate Nickname                  Trust Attributes
                                      SSL,S/MIME,JAR/XPI
Server-Cert                           u,u,u
REALM.COM IPA CA                      CT,C,C
Output of getcert list:
Number of certificates and requests being tracked: 7.
Request ID '21135214223243':
        status: CA_UNREACHABLE
        ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-example-NET//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=example.NET
        subject: CN=host.example.net,O=example.NET
        expires: 2016-03-29 14:09:46 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '21135214223300':
        status: CA_UNREACHABLE
        ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=example.NET
        subject: CN=host.example.net,O=example.NET
        expires: 2016-03-29 14:09:45 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130519130741':
        status: NEED_CSR_GEN_PIN
        ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=auditSigningCert+cert-pki-ca&serial_num=61&renewal=true&xml=true".
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=example.NET
        subject: CN=CA Audit,O=example.NET
        expires: 2017-10-13 14:10:49 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130742':
        status: NEED_CSR_GEN_PIN
        ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=example.NET
        subject: CN=OCSP Subsystem,O=example.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-OCSPSigning
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130743':
        status: NEED_CSR_GEN_PIN
        ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=example.NET
        subject: CN=CA Subsystem,O=example.NET
        expires: 2017-10-13 14:09:49 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130744':
        status: MONITORING
        ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=example.NET
        subject: CN=RA Subsystem,O=example.NET
        expires: 2017-10-13 14:09:49 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20130519130745':
        status: NEED_CSR_GEN_PIN
        ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=example.NET
        subject: CN=host.example.net,O=example.NET
        expires: 2017-10-13 14:09:49 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Regards, Adam
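As an added example (not from Adam's post, nor FreeIPA or certmonger code), a small Python triage script over the `getcert list` format shown above: it parses each "Request ID" block and reports which requests are stuck, which certificates have already expired relative to a reference time, and whether the key PIN comes from a pinfile or was set on the tracking request. The SAMPLE text is a constructed two-request excerpt modelled on the post; the function names are my own.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout certmonger's `getcert list` prints
# (two of the post's seven requests, with fields trimmed).
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '21135214223243':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server).
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-example-NET//pwdfile.txt'
\tsubject: CN=host.example.net,O=example.NET
\texpires: 2016-03-29 14:09:46 UTC
Request ID '20130519130741':
\tstatus: NEED_CSR_GEN_PIN
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tsubject: CN=CA Audit,O=example.NET
\texpires: 2017-10-13 14:10:49 UTC
"""

def parse_ts(s):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' timestamps as aware datetimes."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)

def parse_getcert(text):
    """Split `getcert list` output into one dict of 'key: value' fields per request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def triage(text, now_str):
    """Flag what an admin should look at first: stuck requests and already-expired certs."""
    now, report = parse_ts(now_str), []
    for r in parse_getcert(text):
        storage = r.get("key pair storage", "")
        nick = re.search(r"nickname='([^']+)'", storage)
        report.append({
            "id": r["id"],
            "status": r.get("status"),
            "stuck": r.get("stuck") == "yes",
            "expired": parse_ts(r["expires"]) < now,
            # NEED_CSR_GEN_PIN means certmonger could not use the key; how the PIN is supplied matters
            "pin_source": "file" if "pinfile=" in storage else ("set" if "pin set" in storage else "none"),
            "nickname": nick.group(1) if nick else None,
        })
    return report
```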