[Freeipa-users] certificates not renewing CA_UNREACHEABLE

Natxo Asenjo natxo.asenjo at gmail.com
Tue Sep 20 12:36:17 UTC 2016


ok, so all certs are renewed (dogldap and http).

On Tue, Sep 20, 2016 at 11:49 AM, Natxo Asenjo <natxo.asenjo at gmail.com>
wrote:

>
>
> On Mon, Sep 19, 2016 at 5:27 PM, Rob Crittenden <rcritten at redhat.com>
> wrote:
>
>> Natxo Asenjo wrote:
>>
>>> hi,
>>>
>>>
>>> On Fri, Sep 16, 2016 at 4:22 PM, Rob Crittenden <rcritten at redhat.com
>>>
>> Ok, how about we work around the problem.
>>
>
> Gladly ;-)
>
>
>> Since it is failing on the revocation what you might try is removing the
>> userCertificate value from the ldap/kdc01.unix.iriszorg.nl service entry.
>>
>> I think this will work:
>>
>> $ ipa service-show ldap/kdc01.unix.iriszorg.nl |grep Serial
>> <note this down for later>
>>
>> $ ipa service-mod --certificate= ldap/kdc01.unix.iriszorg.nl
>>
>> If this doesn't work you can use ldapmodify to delete the usercertificate
>> value.
>>
>> This will remove the certificate value so there is nothing to revoke and
>> a new cert will be saved (hopefully).
>>
>> Now try to resubmit the request via certmonger.
>>
>> If it works then you can run ipa cert-revoke <old serial #>
>>
>> It isn't a great answer long-term because it is really just working
>> around the problem but it should get the certs renewed.
>>
>>
> ok, so I restarted the httpd service then I could use ipa service-show:
>
> $ ipa service-show ldap/kdc01.unix.iriszorg.nl |grep Serial
>   Serial Number: 175
>   Serial Number (hex): 0xAF
> bash-4.1$ ipa service-mod --certificate= ldap/kdc01.unix.iriszorg.nl
> ---------------------------------------------------------------
> Modified service "ldap/kdc01.unix.iriszorg.nl at UNIX.IRISZORG.NL"
> ---------------------------------------------------------------
>   Principal: ldap/kdc01.unix.iriszorg.nl at UNIX.IRISZORG.NL
>   Managed by: kdc01.unix.iriszorg.nl
>
>
> bash-4.1$ sudo ipa-getcert resubmit -i 20121107212513
> Resubmitting "20121107212513" to "IPA".
> bash-4.1$ sudo getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20121107212513':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: 4301 (RPC failed at
> server.  Certificate operation cannot be completed: Failure decoding
> Certificate Signing Request).
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/
> dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-UNIX-IRISZORG-NL/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/
> dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
>         subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>         expires: 2016-10-12 10:49:24 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib/ipa/certmonger/restart_dirsrv
> UNIX-IRISZORG-NL
>         track: yes
>         auto-renew: yes
>
>
>
> the certificate is gone:
> $ ipa service-show ldap/kdc01.unix.iriszorg.nl
> ipa: ERROR: Could not create log_dir u'/home/jose.admin/.ipa/log'
>   Principal: ldap/kdc01.unix.iriszorg.nl at UNIX.IRISZORG.NL
>   Keytab: True
>   Managed by: kdc01.unix.iriszorg.nl
>
>
> But then I thought, what the hell, let's try again, restarted httpd,
> resubmitted it, and now it did work ;-)
>
> $ ipa service-show ldap/kdc01.unix.iriszorg.nl
>   Principal: ldap/kdc01.unix.iriszorg.nl at UNIX.IRISZORG.NL
>   Certificate: MIIDrDCCApSgAwIBAgICAPUwDQYJKo
> ZIhvcNAQELBQAwOzEZMBcGA1UEChMQVU5JWC5JUklTWk9SRy5OTDEeMBwGA1
> UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE2MDkyMDA4MDY1OFoXDT
> E4MDkyMTA4MDY1OFowPDEZMBcGA1UEChMQVU5JWC5JUklTWk9SRy5OTDEfMB
> 0GA1UEAxMWa2RjMDEudW5peC5pcmlzem9yZy5ubDCCASIwDQYJKoZIhvcNAQ
> EBBQADggEPADCCAQoCggEBAO2QVqrFRb/Q5dhkAi7BK29BJhqTvbaH3bNDLvhe1
> snyChdlr/AIwrJj/53Ti2eJ7u1BtV7u3gSwQ3/xJ0HwUZmOEQHCNDrjcGy+
> iw7lqkC5NaZ8AGt8bSTGWwnJvEGWrb3uEJzVZf+xB5eZa8vFXr+
> Jlcfoq8DbVZhX274pmpVfQOnRckD+AmncuEItHpcJCCHneF0QzA5DQqlTPUFerFm3F/iI/
> k6g9XbHQaNejcUYdhXpy9q0mEuBIIsEzTeNWTTEsUYX5TPVEsN3x2feA0icx
> R6bUTeg2BqSu7ZOuM55iBp3l0d9UAQ7W7yh76FI/Bqz8vIMdS6VsurPS4asLa8CAwEAAaO
> BuDCBtTAfBgNVHSMEGDAWgBSjl+SKLrjPPuoz8ryT1iPeqYQ2aDBEBggr
> BgEFBQcBAQQ4MDYwNAYIKwYBBQUHMAGGKGh0dHA6Ly9rZGMwMS51bml4Lmly
> aXN6b3JnLm5sOjgwL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQ
> UFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUBIRsG98GBkIyB/
> BgQKloUlLEJeEwDQYJKoZIhvcNAQELBQADggEBAHN+ggklVf2uzaePwEI9rMObe0WZeOyCLZ
> xEtigDaJIHkq3GzkugxcG8ivD/LnuF0D8m07npfpIMC3QRUJQjFjz6E3rKtqau0QY0BO+
> Dwg1TzItQqXxgHtCqcQ7bmahj2AMPRNUXeZck0p/eueG4wj2kbLwTLU6cOfwnT4IOfszAS
> 9GCql6oQIXlOfG6i6DAodBpgWziDfIrRJsJi4ZE+FvJL/ImJDdW+
> En50UyGp0n31oMSDIxWf1bdWUctSEYhcy9JftzkitNm1FD+a1HzeYyuHthzlHHcSIXN/
> kXRSGktpe8VHE5XLtKnH92vmkMnyxZvE///2+ExHXIAOkwq3ck=
>   Keytab: True
>   Managed by: kdc01.unix.iriszorg.nl
>   Subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>   Serial Number: 245
>   Serial Number (hex): 0xF5
>   Issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
>   Not Before: Tue Sep 20 08:06:58 2016 UTC
>   Not After: Fri Sep 21 08:06:58 2018 UTC
>   Fingerprint (MD5): f8:d3:cb:6f:4c:ca:e4:f3:47:65:51:d3:2c:69:84:df
>   Fingerprint (SHA1): e3:0a:66:19:d7:36:fe:c4:ff:58:
> bf:90:35:3e:0b:31:cb:a0:58:37
>
> So I could revoke the old one:
>
> $ ipa cert-revoke 175
>   Revoked: True
>
>
> and now getcert list shows the certificate is ok:
>
> Number of certificates and requests being tracked: 8.
> Request ID '20121107212513':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/
> dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-UNIX-IRISZORG-NL/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/
> dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
>         subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>         expires: 2018-09-21 08:06:58 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib/ipa/certmonger/restart_dirsrv
> UNIX-IRISZORG-NL
>         track: yes
>         auto-renew: yes
>
>
> So one down, two to go, it seems.
>
>
>
>
> --
> Groeten,
> natxo
>



--
Groeten,
natxo
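The workaround from the thread, wrapped as a small set of shell helpers. This is an added example, not code from the thread or from FreeIPA/certmonger. It assumes the commands Rob and Natxo used above (ipa service-show, ipa service-mod --certificate=, ipa-getcert resubmit -i, getcert list -i, ipa cert-revoke); the sample outputs embedded below are constructed, and the service principal and request id are placeholders. The guard in revoke_old_serial exists because, as the thread shows, the first resubmit can fail again and leave the request stuck, so the old serial should only be revoked once certmonger reports MONITORING.

```sh
# Added example, not code from the thread: helpers around the workaround
# (drop the stored userCertificate, resubmit the certmonger request, revoke
# the old serial afterwards). Sample outputs are constructed; the service
# name and request id are placeholders.

# Constructed sample of `getcert list` output: one stuck request, one healthy.
SAMPLE_GETCERT_LIST="Number of certificates and requests being tracked: 2.
Request ID '20121107212513':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
        stuck: yes
        expires: 2016-10-12 10:49:24 UTC
Request ID '20121107212540':
        status: MONITORING
        stuck: no
        expires: 2018-09-21 08:06:58 UTC"

# Constructed sample of `ipa service-show <principal>` output.
SAMPLE_SERVICE_SHOW="  Principal: ldap/kdc01.example.test@EXAMPLE.TEST
  Managed by: kdc01.example.test
  Serial Number: 175
  Serial Number (hex): 0xAF"

# run CMD...: execute CMD, or only print it (to stderr) when IPA_DRY_RUN=1,
# so the sequence can be reviewed on a machine without IPA.
run() {
    if [ "${IPA_DRY_RUN:-0}" = 1 ]; then echo "+ $*" >&2; else "$@"; fi
}

# stuck_requests: read `getcert list` output on stdin and print
# "<request id> <status>" for each request reporting "stuck: yes".
# Exit status is 1 when at least one stuck request was found, so it can
# double as a monitoring check for renewals that silently stopped.
stuck_requests() {
    awk '
        /^Request ID/       { gsub(/[^0-9]/, "", $3); id = $3 }
        /^[ \t]*status:/    { status = $2 }
        /^[ \t]*stuck: yes/ { print id, status; found = 1 }
        END                 { exit (found ? 1 : 0) }
    '
}

# request_status REQUEST_ID: read `getcert list` output on stdin and print
# the status of that one request (prints nothing if it is not listed).
request_status() {
    awk -v want="$1" '
        /^Request ID/                  { gsub(/[^0-9]/, "", $3); id = $3 }
        /^[ \t]*status:/ && id == want { print $2 }
    '
}

# serial_of_service: read `ipa service-show` output on stdin and print the
# decimal serial of the stored certificate (note it down before clearing it).
serial_of_service() {
    awk -F': ' '/^[ \t]*Serial Number:/ { print $2 }'
}

# clear_and_resubmit SERVICE REQUEST_ID: steps 1 and 2 of the workaround.
# Clearing the certificate leaves nothing for the CA to revoke on renewal.
clear_and_resubmit() {
    run ipa service-mod --certificate= "$1" || return 1
    run ipa-getcert resubmit -i "$2"
}

# revoke_old_serial REQUEST_ID OLD_SERIAL: step 3, guarded so the superseded
# certificate is revoked only once certmonger reports the request as
# MONITORING (right after a resubmit it may still be in flight or stuck again).
revoke_old_serial() {
    status=$(run getcert list -i "$1" | request_status "$1")
    if [ "$status" = MONITORING ]; then
        run ipa cert-revoke "$2"
    else
        echo "request $1 is '${status:-unknown}', not MONITORING; keeping serial $2" >&2
        return 1
    fi
}
```

Typical use on the IPA server: `ipa service-show ldap/HOST | serial_of_service` to record the old serial, `clear_and_resubmit ldap/HOST REQUEST_ID`, then, once `getcert list` no longer shows the request as stuck, `revoke_old_serial REQUEST_ID OLD_SERIAL`. `getcert list | stuck_requests` on its own is a cheap cron or monitoring check for renewals that have quietly stopped.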