[Freeipa-users] another certmonger question

Natxo Asenjo natxo.asenjo at gmail.com
Thu Sep 29 20:46:56 UTC 2016


On Thu, Sep 29, 2016 at 1:16 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Natxo Asenjo wrote:
>
>>
>>
>> On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>>
>>     It's hard to say, it may in fact not be a problem.
>>
>>     It is really a matter of what service the certificate(s) are related
>>     to. I'd look at the serial numbers and then correlate those to the
>>     issued certificates.
>>
>>     I'd also do a service-find on the hostname to see if any services
>>     have certificates issued and with what serial numbers.
>>
>>
>> I agree, it could be that. But just for testing I have created a vm,
>> joined it to the domain and resubmitted the certificate.
>>
>> Now there are two valid host certificates with the same subject:
>>
>>
>>   $ ipa cert-find --subject=throwaway.unix.iriszorg.nl
>> ----------------------
>> 2 certificates matched
>> ----------------------
>>    Serial number (hex): 0x3FFE0002
>>    Serial number: 1073610754
>>    Status: VALID
>>    Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>>
>>    Serial number (hex): 0x3FFE0003
>>    Serial number: 1073610755
>>    Status: VALID
>>    Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>> ----------------------------
>> Number of entries returned 2
>> ----------------------------
>>
>>
>> So certmonger on this CentOS 6.8 32-bit host is renewing but not
>> having the old certificate revoked.
>>
>
> I'd check the Apache log to find the cert_request call to see if you can
> see if there are any issues raised. It should be doing a cert_revoke at the
> same time.
>
> Can you show how this certificate is being tracked?
>

sure:

$ sudo getcert list
Number of certificates and requests being tracked: 1.
Request ID '20160929100945':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
    subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
    expires: 2018-09-30 10:13:17 UTC
    principal name: host/throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

now, let's resubmit:

$ sudo ipa-getcert resubmit -i 20160929100945
Resubmitting "20160929100945" to "IPA".
[jose.admin at throwaway ~]$ sudo getcert list
Number of certificates and requests being tracked: 1.
Request ID '20160929100945':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
    subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
    expires: 2018-09-30 20:41:28 UTC
    principal name: host/throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

so it has been successfully renewed.

In the access_log of the kdc I see this:

172.20.4.228 - - [29/Sep/2016:22:41:27 +0200] "POST https://kdc03.unix.iriszorg.nl:443/ca/eeca/ca/profileSubmitSSLClient HTTP/1.1" 200 1913
172.20.6.81 - host/throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL [29/Sep/2016:22:41:27 +0200] "POST /ipa/xml HTTP/1.1" 200 2929

and in the error_log:

[Thu Sep 29 22:41:28.626669 2016] [:error] [pid 4617] ipa: INFO: [xmlserver] host/throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL: cert_request(u'<CSR elided>', principal=u'host/throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL', add=True, version=u'2.51'): SUCCESS

and now I have 3 valid certificates:

$ ipa cert-find --subject=throwaway.unix.iriszorg.nl
----------------------
3 certificates matched
----------------------
  Serial number (hex): 0xFF9000D
  Serial number: 267976717
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0002
  Serial number: 1073610754
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0003
  Serial number: 1073610755
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
----------------------------
Number of entries returned 3
----------------------------


--
Groeten,
natxo
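Rob's advice earlier in the thread was to correlate serial numbers with the issued certificates. As an added example (not from the thread and not FreeIPA's own code), this Python script parses `ipa cert-find` output like the one pasted above and flags every subject that still holds more than one VALID certificate, which is exactly the leftover a renewal should have revoked. The embedded sample is the thread's three-entry output, stored as a constant.

```python
import re
from collections import defaultdict

# Constructed sample: the `ipa cert-find --subject=...` output pasted in the thread.
SAMPLE_OUTPUT = """\
----------------------
3 certificates matched
----------------------
  Serial number (hex): 0xFF9000D
  Serial number: 267976717
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0002
  Serial number: 1073610754
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0003
  Serial number: 1073610755
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
----------------------------
Number of entries returned 3
----------------------------
"""

# One "Field: value" line of a cert-find entry; the hex alternative must come first.
FIELD_RE = re.compile(r"^\s*(Serial number \(hex\)|Serial number|Status|Subject):\s*(.*)$")


def parse_cert_find(text):
    """Split cert-find output into one dict per certificate entry."""
    entries, current = [], {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if match:
            current[match.group(1)] = match.group(2).strip()
        elif current:  # any other line (blank or separator) closes the open entry
            entries.append(current)
            current = {}
    return entries + ([current] if current else [])


def duplicate_valid_certs(entries):
    """Map subject -> hex serials, only for subjects with more than one VALID cert."""
    by_subject = defaultdict(list)
    for entry in entries:
        if entry.get("Status") == "VALID":
            by_subject[entry["Subject"]].append(entry["Serial number (hex)"])
    return {s: serials for s, serials in by_subject.items() if len(serials) > 1}
```

Feed it the output of `ipa cert-find --subject=<host>` (or of a plain `ipa cert-find` for the whole CA) and every subject it returns has superseded certificates that are still VALID and deserve a `cert_revoke` review.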