[Freeipa-users] IPA 2.2 Certificate Renewal issue

Rob Crittenden rcritten at redhat.com
Fri May 27 15:41:18 UTC 2016


Kay Zhou Y wrote:
> Hi,
>
> This is Kay.
>
> I am not sure if this email address is correct, and I would really
> appreciate any help with my issue. It has been baffling me for a few
> days, and the expiry date is coming soon.
>
> There is an IPA 2.2 environment, and three "Server-Cert" certificates (the
> two 389-ds certs and the Apache cert) will expire at 2016-06-05 22:03:17 UTC.
>
> Two years ago, these certs were renewed by other people according to this
> document: http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>
> It was successful then, and the certificates were renewed until 20160605.
>
> But recently I wanted to renew them again since the expiry date is approaching.
> I followed the above guide, but things did not go well.

The problem looks to be because the IPA RA cert (ipaCert) isn't matching 
what dogtag expects. See the wiki page starting at

"For ipaCert, stored in /etc/httpd/alias you have another job to do..."

You'll want to be sure that description correctly matches the 
certificate in the Apache database and confirm that the usercertificate 
value in LDAP matches the cert being presented.

rob

>
> Below are the 8 certs which certmonger is tracking:
>
> root at ecnshlx3039-test2(SH):~ #getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20120704140859':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DRUTT-COM/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=DRUTT.COM
>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>         expires: 2016-06-05 22:03:17 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
>         track: yes
>         auto-renew: yes
> Request ID '20120704140922':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=DRUTT.COM
>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>         expires: 2016-06-05 22:03:17 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20120704141150':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=DRUTT.COM
>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>         expires: 2016-06-05 22:03:17 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>         track: yes
>         auto-renew: yes
> Request ID '20140605220249':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=DRUTT.COM
>         subject: CN=IPA RA,O=DRUTT.COM
>         expires: 2014-06-24 14:08:50 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20160527075219':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=DRUTT.COM
>         subject: CN=CA Audit,O=DRUTT.COM
>         expires: 2014-06-24 14:08:42 UTC
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20160527075220':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=DRUTT.COM
>         subject: CN=OCSP Subsystem,O=DRUTT.COM
>         expires: 2014-06-24 14:08:41 UTC
>         eku: id-kp-OCSPSigning
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20160527075221':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=DRUTT.COM
>         subject: CN=CA Subsystem,O=DRUTT.COM
>         expires: 2014-06-24 14:08:41 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20160527075222':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=DRUTT.COM
>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>         expires: 2014-06-24 14:08:41 UTC
>         eku: id-kp-serverAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
>
> Following all the steps in the guide, the result is that only the first three
> certificates are renewed to 20160622, and only if I set the system time to
> 20140623 (when the four CA subsystem certs and the CA cert are valid).
>
> But the other five are not renewed at all (the four CA subsystem certs and
> the CA cert). There is no error information during these steps.
>
> I googled a lot but still found nothing that could resolve it. Then I
> found a similar thread:
> https://www.redhat.com/archives/freeipa-users/2015-October/msg00174.html
>
> But unfortunately that solution is not applicable to my issue either.
>
> Since I am not familiar with FreeIPA, this bothers me a lot.
>
> Any help will be really appreciated. Thanks in advance!
>
> Thanks,
>
> BR//Kay
>
>
>
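The check Rob suggests above (make sure the RA agent entry's description matches the ipaCert in the Apache NSS database, and that its usercertificate is the same certificate) can be scripted. The script below is an added example, not code from this thread or from FreeIPA. It assumes the Dogtag convention that the agent entry (uid=ipara,ou=People,o=ipaca in the PKI-IPA directory instance) carries description "2;<decimal serial>;<issuer DN>;<subject DN>" with DNs in RFC 2253 form and usercertificate holding the same DER certificate; the uid, the attribute format and the port used in the usage note are assumptions to verify against your own deployment.

```shell
#!/bin/bash
# Added example (not from the thread or from FreeIPA): check that the Dogtag
# RA agent entry describes the ipaCert that Apache actually presents.
#
# Assumptions (verify against your own deployment):
#   * The agent entry's "description" is "2;<decimal serial>;<issuer>;<subject>"
#     with DNs in RFC 2253 form, e.g. CN=IPA RA,O=EXAMPLE.COM.
#   * Its "usercertificate" holds the DER of that same certificate, which
#     ldapsearch prints base64-encoded after "usercertificate;binary::".
set -u

# Print the description value Dogtag should hold for the PEM certificate in $1.
expected_description() {
    local pem=$1 serial_hex issuer subject
    serial_hex=$(openssl x509 -in "$pem" -noout -serial | cut -d= -f2)
    issuer=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    # Dogtag stores the serial in decimal; openssl prints it in hex. Shell
    # arithmetic is fine for the small serials an IPA CA issues, but would
    # overflow for serials above 2^63-1.
    printf '2;%s;%s;%s\n' "$((0x$serial_hex))" "$issuer" "$subject"
}

# SHA-256 fingerprint of a PEM certificate, used as the comparison key.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of a base64-encoded DER certificate (as ldapsearch prints it).
b64der_fingerprint() {
    printf '%s' "$1" | base64 -d | openssl x509 -inform DER -noout -fingerprint -sha256 | cut -d= -f2
}

# Compare the cert exported from the NSS database ($1, PEM) with the LDAP
# entry's description ($2) and base64 usercertificate ($3).
# Returns 0 when both match, 1 when either differs.
check_ra_entry() {
    local pem=$1 ldap_desc=$2 ldap_cert_b64=$3 rc=0 want
    want=$(expected_description "$pem")
    if [ "$want" != "$ldap_desc" ]; then
        echo "description mismatch:"
        echo "  LDAP has:  $ldap_desc"
        echo "  cert says: $want"
        rc=1
    fi
    if [ "$(pem_fingerprint "$pem")" != "$(b64der_fingerprint "$ldap_cert_b64")" ]; then
        echo "usercertificate in LDAP is not the certificate in the NSS database"
        rc=1
    fi
    return $rc
}
```

To feed it real data, export the cert with `certutil -L -d /etc/httpd/alias -n ipaCert -a > ipaCert.pem`, read the entry with `ldapsearch -x -o ldif-wrap=no -D 'cn=Directory Manager' -W -b uid=ipara,ou=People,o=ipaca description usercertificate` against the PKI-IPA directory instance (on an IPA 2.x server that instance listens on port 7389, an assumption to confirm locally; `ldif-wrap=no` keeps the base64 value on one line), then call `check_ra_entry ipaCert.pem "<description>" "<base64 blob>"`. A non-zero exit with "description mismatch" is exactly the state where Dogtag rejects the agent, since it looks the agent up by the serial, issuer and subject in that attribute.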



