[Freeipa-users] another certmonger question

Rob Crittenden rcritten at redhat.com
Mon Oct 3 15:32:27 UTC 2016


Natxo Asenjo wrote:
>
>
> On Fri, Sep 30, 2016 at 10:45 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>     Natxo Asenjo wrote:
>
>
>
>         On Thu, Sep 29, 2016 at 1:16 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>              Natxo Asenjo wrote:
>
>
>
>                  On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>
>                       It's hard to say, it may in fact not be a problem.
>
>                       It is really a matter of what service the certificate(s)
>                       are related to. I'd look at the serial numbers and then
>                       correlate those to the issued certificates.
>
>                       I'd also do a service-find on the hostname to see if any
>                       services have certificates issued and with what serial
>                       numbers.
>
>
>                  I agree, it could be that. But just for testing I have
>                  created a vm, joined it to the domain and resubmitted the
>                  certificate.
>
>                  Now there are two valid host certificates with the same
>                  subject:
>
>
>                     $ ipa cert-find --subject=throwaway.unix.iriszorg.nl
>                  ----------------------
>                  2 certificates matched
>                  ----------------------
>                      Serial number (hex): 0x3FFE0002
>                      Serial number: 1073610754
>                      Status: VALID
>                      Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>
>                      Serial number (hex): 0x3FFE0003
>                      Serial number: 1073610755
>                      Status: VALID
>                      Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>                  ----------------------------
>                  Number of entries returned 2
>                  ----------------------------
>
>
>                  So certmonger in this centos 6.8 32bit host is renewing but
>                  not having the old certificate revoked.
>
>
>              I'd check the Apache log to find the cert_request call to see if
>              you can see if there are any issues raised. It should be doing a
>              cert_revoke at the same time.
>
>              Can you show how this certificate is being tracked?
>
>
>         sure:
>
>         $ sudo getcert list
>         Number of certificates and requests being tracked: 1.
>         Request ID '20160929100945':
>               status: MONITORING
>               stuck: no
>               key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
>               certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
>               CA: IPA
>               issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
>               subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>               expires: 2018-09-30 10:13:17 UTC
>               principal name: host/throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL
>               key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>               eku: id-kp-serverAuth,id-kp-clientAuth
>               pre-save command:
>               post-save command:
>               track: yes
>               auto-renew: yes
>
>         now, let's resubmit:
>
>         $ sudo ipa-getcert resubmit -i 20160929100945
>         Resubmitting "20160929100945" to "IPA".
>         [jose.admin at throwaway ~]$ sudo getcert list
>         Number of certificates and requests being tracked: 1.
>         Request ID '20160929100945':
>               status: MONITORING
>               stuck: no
>               key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
>               certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
>               CA: IPA
>               issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
>               subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>               expires: 2018-09-30 20:41:28 UTC
>               principal name: host/throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL
>               key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>               eku: id-kp-serverAuth,id-kp-clientAuth
>               pre-save command:
>               post-save command:
>               track: yes
>               auto-renew: yes
>
>         so it has been successfully renewed.
>
>         In the access_log of the kdc I see this:
>
>         172.20.4.228 - - [29/Sep/2016:22:41:27 +0200] "POST https://kdc03.unix.iriszorg.nl:443/ca/eeca/ca/profileSubmitSSLClient HTTP/1.1" 200 1913
>         172.20.6.81 - host/throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL [29/Sep/2016:22:41:27 +0200] "POST /ipa/xml HTTP/1.1" 200 2929
>
>         and in the error_log:
>         [Thu Sep 29 22:41:28.626669 2016] [:error] [pid 4617] ipa: INFO: [xmlserver] host/throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL: cert_request(u'[base64 CSR elided]', principal=u'host/throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL', add=True, version=u'2.51'): SUCCESS
>
>         and now I have 3 valid certificates:
>
>         $ ipa cert-find --subject=throwaway.unix.iriszorg.nl
>         ----------------------
>         3 certificates matched
>         ----------------------
>             Serial number (hex): 0xFF9000D
>             Serial number: 267976717
>             Status: VALID
>             Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>
>             Serial number (hex): 0x3FFE0002
>             Serial number: 1073610754
>             Status: VALID
>             Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>
>             Serial number (hex): 0x3FFE0003
>             Serial number: 1073610755
>             Status: VALID
>             Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>         ----------------------------
>         Number of entries returned 3
>         ----------------------------
>
>
>     Ok, let me start by saying that this is not a bug in either
>     certmonger or dogtag. IPA is supposed to do the revocation in the
>     cert_request command.
>
>     The steps IPA _should_ be taking are:
>
>     1. Figure out if we are doing a certificate for a host or a service.
>     2. See if the requester is allowed to manage this entry
>     3. Look at the entry to see if it has a usercertificate attribute.
>     If so revoke that serial number, then clear the usercertificate
>     value in the host or service entry (via service_mod or host_mod)
>     4. Request a new certificate
>     5. Update IPA with the new value
>
>     Does a certificate appear in ipa host-show throwaway.unix.iriszorg.nl, and
>     which certificate serial number?
>
>
> $ ipa host-show throwaway
>    Host name: throwaway.unix.iriszorg.nl
>    Certificate: [three base64 certificate values elided]
>    Principal name: host/throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL
>    Password: False
>    Keytab: True
>    Managed by: throwaway.unix.iriszorg.nl
>    Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>    Serial Number: 267976717
>    Serial Number (hex): 0xFF9000D
>    Issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
>    Not Before: Thu Sep 29 20:41:28 2016 UTC
>    Not After: Sun Sep 30 20:41:28 2018 UTC
>    Fingerprint (MD5): 52:a1:06:a1:39:27:bc:ed:dd:45:f5:36:32:11:99:c1
>    Fingerprint (SHA1): 81:d4:01:5a:26:83:9c:c4:fb:76:fb:c3:29:cd:32:c1:8a:4c:eb:45
>    SSH public key fingerprint: 61:66:4D:D7:E6:83:B3:31:BB:50:C3:28:11:79:FD:42 (ssh-rsa), 71:80:40:26:50:64:CD:FE:9A:FB:8D:DA:55:56:18:95 (ssh-dss)
>
>
> so it shows the three certificates but the serial is 267976717

Sadly I don't have much useful information for you. This is what I found.

usercertificate is a multi-valued LDAP attribute but IPA 3.0 only really 
operates on the "first" value returned (I didn't look at more recent 
versions). In this case it is the 267976717 cert. The other certs shown 
without details are for the other serial numbers that cert-find is 
reporting.

I can't see a way that this first usercertificate value isn't revoked 
and removed upon renewal so I can't quite figure out how you got into 
this state (and so easily as I understand it). I wasn't able to 
reproduce it myself. Do you have any idea how wide-spread this is in 
your infrastructure?

I can see that once in this state, any "extra" certs would just be 
stuck there, never to be revoked.

rob
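As an added illustration of the stuck state discussed in this thread (example code written for this page, not from the thread or from the FreeIPA project): a small audit that parses the text output of `ipa cert-find --subject=...` and `ipa host-show` for one host and reports every certificate the CA still lists as VALID for that subject but that the host entry no longer references. Those are exactly the "extra" certificates that a renewal will never revoke, since cert_request only looks at the usercertificate value the entry carries. The two sample outputs are constructed: the serials and subject are copied from the thread, and a fourth, REVOKED entry is made up to show that already-revoked certificates are skipped. The script only prints suggested `ipa cert-revoke` lines (the standard IPA client command; reason 4 is "superseded") and runs nothing against a server.

```python
"""Audit for stuck host certificates in FreeIPA.

Reads captured `ipa cert-find --subject=<host>` and `ipa host-show <host>`
output and lists VALID serials that the host entry does not reference.
Only the standard library is used, so it runs offline on saved output.
"""
import re
from typing import Dict, List, Set

# Constructed sample of `ipa cert-find` output (serials from the thread; the
# REVOKED entry is invented to show that it is ignored by the audit).
CERT_FIND_OUTPUT = """\
----------------------
4 certificates matched
----------------------
  Serial number (hex): 0xFF9000D
  Serial number: 267976717
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0002
  Serial number: 1073610754
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0003
  Serial number: 1073610755
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0001
  Serial number: 1073610753
  Status: REVOKED
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
----------------------------
Number of entries returned 4
----------------------------
"""

# Constructed sample of `ipa host-show` output, trimmed to the fields used.
# As in IPA 3.0, only the first usercertificate value is shown with details.
HOST_SHOW_OUTPUT = """\
  Host name: throwaway.unix.iriszorg.nl
  Certificate: [base64 DER elided in this sample]
  Principal name: host/throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
  Serial Number: 267976717
  Serial Number (hex): 0xFF9000D
  Issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
"""

# One cert-find record: hex serial, decimal serial, status and subject lines.
_CERT_FIND_BLOCK = re.compile(
    r"Serial number \(hex\): (?P<hex>0x[0-9A-Fa-f]+)\s+"
    r"Serial number: (?P<serial>\d+)\s+"
    r"Status: (?P<status>\S+)\s+"
    r"Subject: (?P<subject>[^\n]+)"
)


def parse_cert_find(text: str) -> List[Dict[str, str]]:
    """Return one dict (hex, serial, status, subject) per certificate block."""
    return [m.groupdict() for m in _CERT_FIND_BLOCK.finditer(text)]


def parse_host_show_serials(text: str) -> Set[int]:
    """Decimal serials the host entry references ('Serial Number:' lines only;
    the '(hex)' variant is deliberately not matched)."""
    return {int(m.group(1)) for m in re.finditer(r"Serial Number: (\d+)", text)}


def find_stuck_certs(cert_find_text: str, host_show_text: str) -> List[int]:
    """Serials the CA still reports as VALID for the subject but that the host
    entry does not reference: renewal will never revoke these."""
    referenced = parse_host_show_serials(host_show_text)
    stuck = [
        int(rec["serial"])
        for rec in parse_cert_find(cert_find_text)
        if rec["status"] == "VALID" and int(rec["serial"]) not in referenced
    ]
    return sorted(stuck)


def remediation_commands(stuck: List[int]) -> List[str]:
    """Suggested `ipa cert-revoke` lines; revocation reason 4 = superseded."""
    return [f"ipa cert-revoke {serial} --revocation-reason=4" for serial in stuck]


if __name__ == "__main__":
    stuck_serials = find_stuck_certs(CERT_FIND_OUTPUT, HOST_SHOW_OUTPUT)
    print("stuck VALID certificates:", stuck_serials)
    for cmd in remediation_commands(stuck_serials):
        print("  suggested:", cmd)
```

Run it over real output by saving `ipa cert-find --subject=<host>` and `ipa host-show <host>` to files and feeding their contents to `find_stuck_certs`; looping it over `ipa host-find` output is the quickest way to answer the "how widespread is this" question before deciding whether to revoke anything.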
