[Freeipa-users] Stuck at CA_UNREACHABLE and NEED_CSR_GEN_PIN
Petr Vobornik
pvoborni at redhat.com
Mon May 16 10:28:42 UTC 2016
On 05/14/2016 12:01 AM, Adam Kaczka wrote:
> Hi all,
>
> I have inherited an IPA system that has an expired cert and the old admins have
> left; I followed (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but
> am running into errors when I try to renew the CA certs even after the time is reset.
> Also tried the troubleshooting under
> (http://www.freeipa.org/page/Troubleshooting#Authentication_Errors);
> specifically using "certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt"
> to add the cert in the database.
>
> From the output of getcert list, I see both CA_UNREACHABLE and
> NEED_CSR_GEN_PIN. I followed the Red Hat article here
> (https://access.redhat.com/solutions/1142913) which verified the key file password
> is correct and I have reset the time. However the NEED_CSR_GEN_PIN status remains.
> My company actually has Red Hat support but when they built this IPA whoever
> built it was using CentOS 6 so I am out of luck here.
>
> Would really appreciate any help since I am stuck at this point. What else can I
> do at this point? E.g., is generating a new CA cert necessary, etc.?
Hi,
you don't need to renew the CA cert, it seems to be valid. But your server
cert is expired. It expired on 2016-03-29.
1. Move the date back before this date, e.g., 2016-03-27.
2. Verify that IPA is running: `ipactl status`. Maybe a restart will be needed.
3. Run `getcert list` to see if certmonger can communicate with the CA.
4. If certmonger doesn't renew the certs automatically, run `getcert resubmit -i $certid` for the expired cert.
>
> Version:
> ipa-pki-ca-theme.noarch 9.0.3-7.el6 @base
> ipa-pki-common-theme.noarch 9.0.3-7.el6 @base
> ipa-pmincho-fonts.noarch 003.02-3.1.el6 @base
> ipa-python.x86_64 3.0.0-47.el6.centos.2 @updates
> ipa-server.x86_64 3.0.0-47.el6.centos.2 @updates
> ipa-server-selinux.x86_64 3.0.0-47.el6.centos.2 @updates
>
> Part of the error logs from /var/log/pki-ca/debug after I reset the clock; I see these
> errors which I think are relevant:
> [27/Dec/2015:14:12:01][main]: SigningUnit init: debug
> org.mozilla.jss.crypto.ObjectNotFoundException
> Certificate object not found
> [27/Dec/2015:14:12:01][main]: CMS:Caught EBaseException
> Certificate object not found
> [27/Dec/2015:14:12:01][main]: CMSEngine.shutdown()
>
> Result seems to show key file password is correct:
> certutil -K -d /etc/dirsrv/slapd-REALM-NET/ -f /etc/dirsrv/slapd-REALM-NET/pwdfile.txt
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> < 0> rsa ############################ NSS Certificate DB:Server-Cert
>
>
> certutil -L -d /var/lib/pki-ca/alias
>
> Certificate Nickname Trust Attributes
> SSL,S/MIME,JAR/XPI
>
> ocspSigningCert cert-pki-ca u,u,u
> subsystemCert cert-pki-ca u,u,u
> Server-Cert cert-pki-ca u,u,u
> auditSigningCert cert-pki-ca u,u,Pu
> caSigningCert cert-pki-ca CTu,Cu,Cu
>
>
> certutil -L -d /etc/httpd/alias
>
> Certificate Nickname Trust Attributes
> SSL,S/MIME,JAR/XPI
>
> Server-Cert u,u,u
> ipaCert u,u,u
> REALM.COM IPA CA CT,C,
>
>
> certutil -L -d /etc/dirsrv/slapd-REALM-COM
>
> Certificate Nickname Trust Attributes
> SSL,S/MIME,JAR/XPI
>
> Server-Cert u,u,u
> REALM.COM IPA CA CT,C,C
>
>
> Output of getcert list:
>
> Number of certificates and requests being tracked: 7.
> Request ID '21135214223243':
> status: CA_UNREACHABLE
> ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
> stuck: no
> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-example-NET//pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=example.NET
> subject: CN=host.example.net,O=example.NET
> expires: 2016-03-29 14:09:46 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '21135214223300':
> status: CA_UNREACHABLE
> ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
> stuck: no
> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=example.NET
> subject: CN=host.example.net,O=example.NET
> expires: 2016-03-29 14:09:45 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20130519130741':
> status: NEED_CSR_GEN_PIN
> ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=auditSigningCert+cert-pki-ca&serial_num=61&renewal=true&xml=true".
> stuck: yes
> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=example.NET
> subject: CN=CA Audit,O=example.NET
> expires: 2017-10-13 14:10:49 UTC
> key usage: digitalSignature,nonRepudiation
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20130519130742':
> status: NEED_CSR_GEN_PIN
> ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
> stuck: yes
> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=example.NET
> subject: CN=OCSP Subsystem,O=example.NET
> expires: 2017-10-13 14:09:49 UTC
> eku: id-kp-OCSPSigning
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20130519130743':
> status: NEED_CSR_GEN_PIN
> ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
> stuck: yes
> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=example.NET
> subject: CN=CA Subsystem,O=example.NET
> expires: 2017-10-13 14:09:49 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20130519130744':
> status: MONITORING
> ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
> stuck: no
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=example.NET
> subject: CN=RA Subsystem,O=example.NET
> expires: 2017-10-13 14:09:49 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> track: yes
> auto-renew: yes
> Request ID '20130519130745':
> status: NEED_CSR_GEN_PIN
> ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
> stuck: yes
> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=example.NET
> subject: CN=host.example.net,O=example.NET
> expires: 2017-10-13 14:09:49 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
>
>
> Regards, Adam
>
>
>
--
Petr Vobornik
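Petr's steps 1, 3 and 4 above as an added example, not code from the thread or from FreeIPA: a small parser for the `getcert list` layout Adam pasted that picks out the expired request IDs to resubmit, the requests certmonger reports as stuck, and a clock date two days before the earliest expiry. The sample output is constructed and abbreviated from the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout `getcert list` prints, abbreviated from the thread:
# one expired IPA-issued server cert and one stuck (but still valid) Dogtag cert.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '21135214223243':
    status: CA_UNREACHABLE
    ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert'
    expires: 2016-03-29 14:09:46 UTC
Request ID '20130519130741':
    status: NEED_CSR_GEN_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca'
    expires: 2017-10-13 14:10:49 UTC
"""

def parse_getcert_list(text):
    """Split `getcert list` output into {request_id: {field: value}}."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            # split on the first colon only; ca-error values contain URLs with colons
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def renewal_plan(text, today):
    """Return (expired_ids, stuck_ids, clock_date): ids to `getcert resubmit -i`,
    ids certmonger marks stuck, and a date two days before the earliest expiry."""
    now = datetime.fromisoformat(today)  # today as an ISO date string, e.g. '2016-05-14'
    expired, stuck, earliest = [], [], None
    for rid, fields in parse_getcert_list(text).items():
        exp = datetime.strptime(fields["expires"], "%Y-%m-%d %H:%M:%S UTC")
        if exp < now:
            expired.append(rid)
            earliest = exp if earliest is None or exp < earliest else earliest
        if fields.get("stuck") == "yes":
            stuck.append(rid)
    clock = (earliest - timedelta(days=2)).date().isoformat() if earliest else None
    return expired, stuck, clock
```

Calling `renewal_plan(SAMPLE, "2016-05-14")` yields the expired server cert's request ID, the stuck audit cert's ID, and the clock date `2016-03-27` that Petr suggests.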