[Freeipa-users] IPA 2.2 Certificate Renewal issue
Rob Crittenden
rcritten at redhat.com
Tue May 31 15:10:13 UTC 2016
Kay Zhou Y wrote:
> Hi Rob,
>
> Thanks for your reply.
>
> And about your suggestion, actually I have done it. but it just renew the two 389-ds certs and Apache certs.
> Since the ipaCert and subsystem certs are expired at 20140624, so I must roll back time before it. then begin to renew, but after I done this:
>
> "Let's force renewal on all of the certificates:
> # for line in `getcert list | grep Request | cut -d "'" -f2`; do getcert resubmit -i $line; done
> ..."
>
> According to the wiki, (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal ). The CA subsystem certificates will be renewed. But it did not.
Ok, what state are the certificates in? When you go back in time are you
restarting the pki-cad service before attempting to do the renewal?
> Finally after I finish all action mentioned in the wiki page, I still can't renew ipaCert and other four CA subsystem certificates.
> And the two 389-ds and apache certs will still expired after the date 20160623 ( expire date of ipaCert 20140624 + two years).
>
> If there is any other guide or doc about the ipaCert and CA subsystem certificates?
Not really for IPA 2.x
rob
> Thanks a lot for your support!
>
> Thanks,
> BR//Kay
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Friday, May 27, 2016 11:41 PM
> To: Kay Zhou Y; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue
>
> Kay Zhou Y wrote:
>> Hi,
>>
>> This is Kay.
>>
>> I am not sure if the email address is correct, and I am really
>> appreciate if there is any help for my issue. it's baffling for few
>> days, and the expire date is coming soon.. L
>>
>> There is a IPA 2.2 environment, and three "Server-Cert"(two 389-ds and
>> the Apache certs) will be expired at 2016-06-05 22:03:17 UTC.
>>
>> Two years ago, these certs were renewed by other guys according to
>> this
>> document: http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>>
>> and it was successful then the certificates has been renewed until 20160605.
>>
>> But recently I want to renew it again since the expire date is coming.
>> Then I follow the above guide, however things not go well.
>
> The problem looks to be because the IPA RA cert (ipaCert) isn't matching what dogtag expects. See the wiki page starting at
>
> "For ipaCert, stored in /etc/httpd/alias you have another job to do..."
>
> You'll want to be sure that description correctly matches the certificate in the Apache database and confirm that the usercertificate value in LDAP matches the cert being presented.
>
> rob
>
>>
>> As below, it's the 8 certs which certmonger are tracking:
>>
>> root at ecnshlx3039-test2(SH):~ #getcert list
>>
>> Number of certificates and requests being tracked: 8.
>>
>> Request ID '20120704140859':
>>
>> status: CA_UNREACHABLE
>>
>> ca-error: Server failed request, will retry: 4301 (RPC failed
>> at server. Certificate operation cannot be completed:
>> EXCEPTION (Invalid Credential.)).
>>
>> stuck: yes
>>
>> key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cer
>> t',token='NSS
>> Certificate DB',pinfile='
>> /etc/dirsrv/slapd-DRUTT-COM/pwdfile.txt'
>>
>> certificate:
>> type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cer
>> t',token='NSS
>> Certificate DB'
>>
>> CA: IPA
>>
>> issuer: CN=Certificate Authority,O=DRUTT.COM
>>
>> subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>
>> expires: 2016-06-05 22:03:17 UTC
>>
>> eku: id-kp-serverAuth,id-kp-clientAuth
>>
>> pre-save command:
>>
>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
>> DRUTT-COM
>>
>> track: yes
>>
>> auto-renew: yes
>>
>> Request ID '20120704140922':
>>
>> status: CA_UNREACHABLE
>>
>> ca-error: Server failed request, will retry: 4301 (RPC failed
>> at server. Certificate operation cannot be completed:
>> EXCEPTION (Invalid Credential.)).
>>
>> stuck: yes
>>
>> key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert'
>> ,token='NSS
>> Certificate DB',pinfile='/e
>> tc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>
>> certificate:
>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert'
>> ,token='NSS
>> Certificate DB'
>>
>> CA: IPA
>>
>> issuer: CN=Certificate Authority,O=DRUTT.COM
>>
>> subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>
>> expires: 2016-06-05 22:03:17 UTC
>>
>> eku: id-kp-serverAuth,id-kp-clientAuth
>>
>> pre-save command:
>>
>> post-save command:
>>
>> track: yes
>>
>> auto-renew: yes
>>
>> Request ID '20120704141150':
>>
>> status: CA_UNREACHABLE
>>
>> ca-error: Server failed request, will retry: 4301 (RPC failed
>> at server. Certificate operation cannot be completed:
>> EXCEPTION (Invalid Credential.)).
>>
>> stuck: yes
>>
>> key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='N
>> SS
>> Certificate
>> DB',pinfile='/etc/httpd/
>> alias/pwdfile.txt'
>>
>> certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='N
>> SS
>> Certificate DB'
>>
>> CA: IPA
>>
>> issuer: CN=Certificate Authority,O=DRUTT.COM
>>
>> subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>
>> expires: 2016-06-05 22:03:17 UTC
>>
>> eku: id-kp-serverAuth,id-kp-clientAuth
>>
>> pre-save command:
>>
>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>
>> track: yes
>>
>> auto-renew: yes
>>
>> Request ID '20140605220249':
>>
>> status: MONITORING
>>
>> stuck: no
>>
>> key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>> Certificate
>> DB',pinfile='/etc/httpd/alia
>> s/pwdfile.txt'
>>
>> certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>> Certificate DB'
>>
>> CA: dogtag-ipa-renew-agent
>>
>> issuer: CN=Certificate Authority,O=DRUTT.COM
>>
>> subject: CN=IPA RA,O=DRUTT.COM
>>
>> expires: 2014-06-24 14:08:50 UTC
>>
>> eku: id-kp-serverAuth,id-kp-clientAuth
>>
>> pre-save command:
>>
>> post-save command:
>>
>> track: yes
>>
>> auto-renew: yes
>>
>> Request ID '20160527075219':
>>
>> status: MONITORING
>>
>> stuck: no
>>
>> key pair storage:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate
>> DB ',pin='565569846212'
>>
>> certificate:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>>
>> CA: dogtag-ipa-renew-agent
>>
>> issuer: CN=Certificate Authority,O=DRUTT.COM
>>
>> subject: CN=CA Audit,O=DRUTT.COM
>>
>> expires: 2014-06-24 14:08:42 UTC
>>
>> pre-save command:
>>
>> post-save command:
>>
>> track: yes
>>
>> auto-renew: yes
>>
>> Request ID '20160527075220':
>>
>> status: MONITORING
>>
>> stuck: no
>>
>> key pair storage:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate
>> DB' ,pin='565569846212'
>>
>> certificate:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>>
>> CA: dogtag-ipa-renew-agent
>>
>> issuer: CN=Certificate Authority,O=DRUTT.COM
>>
>> subject: CN=OCSP Subsystem,O=DRUTT.COM
>>
>> expires: 2014-06-24 14:08:41 UTC
>>
>> eku: id-kp-OCSPSigning
>>
>> pre-save command:
>>
>> post-save command:
>>
>> track: yes
>>
>> auto-renew: yes
>>
>> Request ID '20160527075221':
>>
>> status: MONITORING
>>
>> stuck: no
>>
>> key pair storage:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>> cert-pki-ca',token='NSS Certificate
>> DB',p in='565569846212'
>>
>> certificate:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>> cert-pki-ca',token='NSS Certificate DB'
>>
>> CA: dogtag-ipa-renew-agent
>>
>> issuer: CN=Certificate Authority,O=DRUTT.COM
>>
>> subject: CN=CA Subsystem,O=DRUTT.COM
>>
>> expires: 2014-06-24 14:08:41 UTC
>>
>> eku: id-kp-serverAuth,id-kp-clientAuth
>>
>> pre-save command:
>>
>> post-save command:
>>
>> track: yes
>>
>> auto-renew: yes
>>
>> Request ID '20160527075222':
>>
>> status: MONITORING
>>
>> stuck: no
>>
>> key pair storage:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>> cert-pki-ca',token='NSS Certificate
>> DB',pin ='565569846212'
>>
>> certificate:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>> cert-pki-ca',token='NSS Certificate DB'
>>
>> CA: dogtag-ipa-renew-agent
>>
>> issuer: CN=Certificate Authority,O=DRUTT.COM
>>
>> subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>
>> expires: 2014-06-24 14:08:41 UTC
>>
>> eku: id-kp-serverAuth
>>
>> pre-save command:
>>
>> post-save command:
>>
>> track: yes
>>
>> auto-renew: yes
>>
>> Follow all the steps in the guide, the result is just first three
>> certificates are renewed to 20160622 if I set system time to
>> 20140623(which the four CA subsystem certs and CA cert are valid).
>>
>> But other five are not renewed at all (the four CA subsystem certs and
>> CA cert). there is no error information during these steps.
>>
>> I google a lot but still found nothing could resolve it. and then I
>> found there was a similar thread:
>> https://www.redhat.com/archives/freeipa-users/2015-October/msg00174.ht
>> ml
>>
>> But unfortunately the solution is not available for my issue either.
>>
>> Since I am not familiar with Freeipa, so it bothers me so much.
>>
>> Any help will be really appreciate. Thansks in advance!
>>
>> Thanks,
>>
>> BR//Kay
>>
>>
>>
>
More information about the Freeipa-users
mailing list