[Freeipa-users] another certmonger question

Rob Crittenden rcritten at redhat.com
Tue Sep 27 11:42:15 UTC 2016


Natxo Asenjo wrote:
> hi,
>
> after our upgrade from centos 6.8 to 7.2, when I renew a certificate
> using ipa-getcert resubmit -i xxxxxx the certificate is properly
> renewed, but the info on ipa host-show still shows the old certificate
> info. Is this normal?
>
> $ sudo getcert list | grep expires
>      expires: 2018-09-27 19:46:03 UTC
>
> so that certificate has successfully been renewed, but this is the
> host's info:
>
> $ ipa host-show hostname | grep -i after
>       Not After: Wed Jun 07 14:30:47 2017 UTC
>
> and I see there as well more than one certificate for that host:
>
> $ ipa cert-find --subject=hostname
> ----------------------
> 5 certificates matched
> ----------------------
>    Serial number (hex): 0xFF90008
>    Serial number: 267976712
>    Status: VALID
>    Subject: CN=hostname.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>
>    Serial number (hex): 0xFF90009
>    Serial number: 267976713
>    Status: VALID
>    Subject: CN=hostname.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>
>    Serial number (hex): 0xFF9000A
>    Serial number: 267976714
>    Status: VALID
>    Subject: CN=hostname.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>
>    Serial number (hex): 0xFFF001D
>    Serial number: 268369949
>    Status: REVOKED_EXPIRED
>    Subject: CN=hostname.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>
>    Serial number (hex): 0xFFF0093
>    Serial number: 268370067
>    Status: REVOKED
>    Subject: CN=hostname.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
> ----------------------------
> Number of entries returned 5
> ----------------------------
>
> And three of them are still valid. As a comparison, another host which
> was installed about the same time also has 5 certificates, but 4 are
> revoked and the expires info of getcert list and of the valid
> certificate are the same.
>
> So how do I correct this?

It's hard to say; it may in fact not be a problem.

It is really a matter of what service the certificate(s) are related to. 
I'd look at the serial numbers and then correlate those to the issued 
certificates.

I'd also do a service-find on the hostname to see if any services have 
certificates issued and with what serial numbers.

rob
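One way to do the correlation Rob suggests, as an added example that is not from this thread or from FreeIPA itself: parse the `ipa cert-find` record layout shown above and the `Serial Number:` lines that `ipa host-show` and `ipa service-find` print for an entry that holds a certificate, then report VALID certificates that no entry references (leftovers from a renewal that should be revoked or cleaned up) and entries that point at a certificate which is no longer VALID. Both sample inputs are constructed; which serial the host entry actually held is an assumption, since the post does not say.

```python
import re

# Constructed sample in the layout `ipa cert-find --subject=...` prints
# (three of the five records from the post; the other two look the same).
CERT_FIND_OUTPUT = """\
  Serial number (hex): 0xFF90008
  Serial number: 267976712
  Status: VALID
  Subject: CN=hostname.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0xFF90009
  Serial number: 267976713
  Status: VALID
  Subject: CN=hostname.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0xFFF0093
  Serial number: 268370067
  Status: REVOKED
  Subject: CN=hostname.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
"""

# Constructed sample of the certificate fields `ipa host-show`/`ipa service-find` print;
# which serial the host entry held is an assumption (the post does not say).
ENTRY_OUTPUT = """\
  Host name: hostname.unix.iriszorg.nl
  Serial Number: 267976712
  Not After: Wed Jun 07 14:30:47 2017 UTC
"""

def parse_cert_find(text):
    """Map serial -> status from cert-find's blank-line separated records."""
    certs = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^\s*([^:\n]+):\s*(.+)$", block, re.M))
        if "Serial number" in fields:
            certs[int(fields["Serial number"])] = fields["Status"]
    return certs

def bound_serials(text):
    """Serials that host/service entries reference ("Serial Number:" lines)."""
    return {int(s) for s in re.findall(r"^\s*Serial Number:\s*(\d+)", text, re.M)}

def correlate(cert_find_text, entry_text):
    """Return (VALID certs no entry references, bound serials that are not VALID)."""
    certs = parse_cert_find(cert_find_text)
    valid = {s for s, st in certs.items() if st == "VALID"}
    bound = bound_serials(entry_text)
    return sorted(valid - bound), sorted(bound - valid)
```

Feed it the real output of `ipa cert-find --subject=<host>` and of `ipa host-show <host>` plus `ipa service-find <host>`; a non-empty first list is the set of serials still worth looking at.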
