[Freeipa-users] Replica created with expired certs

Rob Crittenden rcritten at redhat.com
Wed Sep 28 11:44:35 UTC 2016


Jim Richard wrote:
> I have a master with apparently correct, non expired certs but when I
> create a new replica master I end up with expired certs.
> How is this possible, why and of course, how do I fix?

I assume you are running IPA v3.0.0?

The problem is that the root CA stash isn't updated when a replica file 
is prepared in that version (fixed in 3.3 IIRC). You can do this 
manually with something like:

# PKCS12Export -d /var/lib/pki-ca/alias -p /root/dbpass -w /root/dmpass -o /root/cacert.p12

where /root/dmpass is a file that contains the Directory Manager password.

Then rerun ipa-replica-prepare and things should work.

You can look at the certs in /root/cacert.p12 with pk12util to see the 
change.

rob

>
> first set is the original master and the second is the certs I get on
> the new replica
>
> [root at sso-110:(NYM) nssdb]$ getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20140923213643':
>          status: MONITORING
>          stuck: no
>          key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile
> .txt'
>          certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB'
>          CA: IPA
>          issuer: CN=Certificate Authority,O=PLACEIQ.NET <http://placeiq.net>
>          subject: CN=sso-110.nym1.placeiq.net
> <http://sso-110.nym1.placeiq.net>,O=PLACEIQ.NET <http://placeiq.net>
>          expires: 2018-08-28 10:36:04 UTC
>          key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          pre-save command:
>          post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
>          track: yes
>          auto-renew: yes
> Request ID '20140923213732':
>          status: MONITORING
>          stuck: no
>          key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB',pin set
>          certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB'
>          CA: dogtag-ipa-renew-agent
>          issuer: CN=Certificate Authority,O=PLACEIQ.NET <http://placeiq.net>
>          subject: CN=sso-110.nym1.placeiq.net
> <http://sso-110.nym1.placeiq.net>,O=PLACEIQ.NET <http://placeiq.net>
>          expires: 2018-08-06 10:36:02 UTC
>          key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          pre-save command:
>          post-save command:
>          track: yes
>          auto-renew: yes
> Request ID '20140923213814':
>          status: MONITORING
>          stuck: no
>          key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PLACEIQ-NET',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-PLACEIQ-NET
> /pwdfile.txt'
>          certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-PLACEIQ-NET',nickname='Server-Cert',token='NSS
> Certificate DB'
>          CA: IPA
>          issuer: CN=Certificate Authority,O=PLACEIQ.NET <http://placeiq.net>
>          subject: CN=sso-110.nym1.placeiq.net
> <http://sso-110.nym1.placeiq.net>,O=PLACEIQ.NET <http://placeiq.net>
>          expires: 2018-08-28 10:36:04 UTC
>          key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>          pre-save command:
>          post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
> PLACEIQ-NET
>          track: yes
>          auto-renew: yes
> Request ID '20140923213856':
>          status: MONITORING
>          stuck: no
>          key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>          certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
>          CA: IPA
>          issuer: CN=Certificate Authority,O=PLACEIQ.NET <http://placeiq.net>
>          subject: CN=sso-110.nym1.placeiq.net
> <http://sso-110.nym1.placeiq.net>,O=PLACEIQ.NET <http://placeiq.net>
>          expires: 2018-08-28 10:36:04 UTC
>          key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          pre-save command:
>          post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>          track: yes
>          auto-renew: yes
> Request ID '20160119021025':
>          status: MONITORING
>          stuck: no
>          key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>          certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>          CA: dogtag-ipa-renew-agent
>          issuer: CN=Certificate Authority,O=PLACEIQ.NET <http://placeiq.net>
>          subject: CN=CA Audit,O=PLACEIQ.NET <http://placeiq.net>
>          expires: 2017-10-26 04:38:19 UTC
>          key usage: digitalSignature,nonRepudiation
>          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
>          track: yes
>          auto-renew: yes
> Request ID '20160119021038':
>          status: MONITORING
>          stuck: no
>          key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>          certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>          CA: dogtag-ipa-renew-agent
>          issuer: CN=Certificate Authority,O=PLACEIQ.NET <http://placeiq.net>
>          subject: CN=OCSP Subsystem,O=PLACEIQ.NET <http://placeiq.net>
>          expires: 2017-10-26 04:37:19 UTC
>          eku: id-kp-OCSPSigning
>          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "ocspSigningCert cert-pki-ca"
>          track: yes
>          auto-renew: yes
> Request ID '20160119021055':
>          status: MONITORING
>          stuck: no
>          key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>          certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB'
>          CA: dogtag-ipa-renew-agent
>          issuer: CN=Certificate Authority,O=PLACEIQ.NET <http://placeiq.net>
>          subject: CN=CA Subsystem,O=PLACEIQ.NET <http://placeiq.net>
>          expires: 2017-10-26 04:37:19 UTC
>          key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "subsystemCert cert-pki-ca"
>          track: yes
>          auto-renew: yes
> Request ID '20160119021104':
>          status: MONITORING
>          stuck: no
>          key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>          certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB'
>          CA: dogtag-ipa-renew-agent
>          issuer: CN=Certificate Authority,O=PLACEIQ.NET <http://placeiq.net>
>          subject: CN=IPA RA,O=PLACEIQ.NET <http://placeiq.net>
>          expires: 2017-10-26 04:37:19 UTC
>          key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          pre-save command:
>          post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>          track: yes
>          auto-renew: yes
>
>
> The new replica:
>
> [root at sso-108:(NYM) ~]$ getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20160927191253':
>          status: MONITORING
>          stuck: no
>          key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile
> .txt'
>          certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB'
>          CA: IPA
>          issuer: CN=Certificate Authority,O=PLACEIQ.NET <http://placeiq.net>
>          subject: CN=sso-108.nym1.placeiq.net
> <http://sso-108.nym1.placeiq.net>,O=PLACEIQ.NET <http://placeiq.net>
>          expires: 2018-09-28 19:10:33 UTC
>          key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          pre-save command:
>          post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
>          track: yes
>          auto-renew: yes
> Request ID '20160927191452':
>          status: CA_WORKING
>          stuck: no
>          key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>          certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>          CA: dogtag-ipa-retrieve-agent-submit
>          issuer: CN=Certificate Authority,O=PLACEIQ.NET <http://placeiq.net>
>          subject: CN=CA Audit,O=PLACEIQ.NET <http://placeiq.net>
>          expires: 2015-12-03 21:57:56 UTC
>          key usage: digitalSignature,nonRepudiation
>          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>          post-save command: /usr/lib64/ipa/certmonger/restart_pkicad
> "auditSigningCert cert-pki-ca"
>          track: yes
>          auto-renew: yes
> Request ID '20160927191453':
>          status: CA_WORKING
>          stuck: no
>          key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>          certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>          CA: dogtag-ipa-retrieve-agent-submit
>          issuer: CN=Certificate Authority,O=PLACEIQ.NET <http://placeiq.net>
>          subject: CN=OCSP Subsystem,O=PLACEIQ.NET <http://placeiq.net>
>          expires: 2015-12-03 21:57:56 UTC
>          key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>          eku: id-kp-OCSPSigning
>          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>          post-save command: /usr/lib64/ipa/certmonger/restart_pkicad
> "ocspSigningCert cert-pki-ca"
>          track: yes
>          auto-renew: yes
> Request ID '20160927191454':
>          status: CA_WORKING
>          stuck: no
>          key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>          certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB'
>          CA: dogtag-ipa-retrieve-agent-submit
>          issuer: CN=Certificate Authority,O=PLACEIQ.NET <http://placeiq.net>
>          subject: CN=CA Subsystem,O=PLACEIQ.NET <http://placeiq.net>
>          expires: 2015-12-03 21:57:56 UTC
>          key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>          post-save command: /usr/lib64/ipa/certmonger/restart_pkicad
> "subsystemCert cert-pki-ca"
>          track: yes
>          auto-renew: yes
> Request ID '20160927191455':
>          status: MONITORING
>          stuck: no
>          key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB',pin set
>          certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB'
>          CA: dogtag-ipa-renew-agent
>          issuer: CN=Certificate Authority,O=PLACEIQ.NET <http://placeiq.net>
>          subject: CN=sso-108.nym1.placeiq.net
> <http://sso-108.nym1.placeiq.net>,O=PLACEIQ.NET <http://placeiq.net>
>          expires: 2018-09-17 19:14:36 UTC
>          key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>          eku: id-kp-serverAuth
>          pre-save command:
>          post-save command:
>          track: yes
>          auto-renew: yes
> Request ID '20160927191540':
>          status: MONITORING
>          stuck: no
>          key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PLACEIQ-NET',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-PLACEIQ-NET
> /pwdfile.txt'
>          certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-PLACEIQ-NET',nickname='Server-Cert',token='NSS
> Certificate DB'
>          CA: IPA
>          issuer: CN=Certificate Authority,O=PLACEIQ.NET <http://placeiq.net>
>          subject: CN=sso-108.nym1.placeiq.net
> <http://sso-108.nym1.placeiq.net>,O=PLACEIQ.NET <http://placeiq.net>
>          expires: 2018-09-28 19:10:32 UTC
>          key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          pre-save command:
>          post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
> PLACEIQ-NET
>          track: yes
>          auto-renew: yes
> Request ID '20160927192114':
>          status: MONITORING
>          stuck: no
>          key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>          certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
>          CA: IPA
>          issuer: CN=Certificate Authority,O=PLACEIQ.NET <http://placeiq.net>
>          subject: CN=sso-108.nym1.placeiq.net
> <http://sso-108.nym1.placeiq.net>,O=PLACEIQ.NET <http://placeiq.net>
>          expires: 2018-09-28 19:10:34 UTC
>          key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          pre-save command:
>          post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>          track: yes
>          auto-renew: yes
> Request ID '20160927192146':
>          status: MONITORING
>          stuck: no
>          key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>          certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB'
>          CA: dogtag-ipa-retrieve-agent-submit
>          issuer: CN=Certificate Authority,O=PLACEIQ.NET <http://placeiq.net>
>          subject: CN=IPA RA,O=PLACEIQ.NET <http://placeiq.net>
>          expires: 2017-10-26 04:37:19 UTC
>          key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          pre-save command:
>          post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>          track: yes
>          auto-renew: yes
>
> Jim Richard
> SYSTEM ADMINISTRATOR III
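A check for the symptom Rob describes, added here and not part of the thread: after rerunning ipa-replica-prepare and installing the replica, parse `getcert list` on the new host and fail if any tracked cert is not MONITORING or is already expired (the CA_WORKING entries expiring 2015-12-03 in the quoted output would be flagged). The embedded SAMPLE is constructed from the replica output quoted above, trimmed to the fields the check uses.

```python
"""Flag certmonger-tracked certs that are expired or not MONITORING.
Added example, not from the thread; SAMPLE is constructed from the
replica's `getcert list` output quoted above (trimmed to checked fields)."""
import re
import sys
from datetime import datetime, timezone

SAMPLE = """Number of certificates and requests being tracked: 2.
Request ID '20160927191452':
\tstatus: CA_WORKING
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2015-12-03 21:57:56 UTC
Request ID '20160927192114':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 2018-09-28 19:10:34 UTC
"""

def parse_getcert(text):
    """Turn `getcert list` output into one dict of fields per Request ID."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            entries.append(current)
        elif current is not None and ":" in line:
            # "key: value"; the value may itself contain colons, so split once.
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return entries

def find_problems(entries, now):
    """(request id, nickname, reason) for entries not MONITORING or expired."""
    problems = []
    for e in entries:
        m = re.search(r"nickname='([^']*)'", e.get("certificate", ""))
        nick = m.group(1) if m else "?"
        if e.get("status") != "MONITORING":
            problems.append((e["id"], nick, "status " + e.get("status", "?")))
        if "expires" in e:
            exp = datetime.strptime(e["expires"], "%Y-%m-%d %H:%M:%S UTC")
            if exp.replace(tzinfo=timezone.utc) <= now:
                problems.append((e["id"], nick, "expired " + e["expires"]))
    return problems

if __name__ == "__main__":
    # Real output on stdin: `getcert list | python3 check_getcert.py`;
    # with a terminal on stdin the constructed SAMPLE is checked instead.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    found = find_problems(parse_getcert(text), datetime.now(timezone.utc))
    for req, nick, why in found:
        print(f"{req} {nick}: {why}")
    sys.exit(1 if found else 0)
```

A non-zero exit means at least one cert needs attention; on a healthy replica every entry is MONITORING with a future expiry.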