[Freeipa-users] another certmonger question
Rob Crittenden
rcritten at redhat.com
Fri Sep 30 08:45:23 UTC 2016
Natxo Asenjo wrote:
>
>
> On Thu, Sep 29, 2016 at 1:16 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Natxo Asenjo wrote:
>
>
>
> On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>
> It's hard to say, it may in fact not be a problem.
>
> It is really a matter of what service the certificate(s) are related to.
> I'd look at the serial numbers and then correlate those to the issued
> certificates.
>
> I'd also do a service-find on the hostname to see if any services have
> certificates issued and with what serial numbers.
>
>
> I agree, it could be that. But just for testing I have created a vm,
> joined it to the domain and resubmitted the certificate.
>
> Now there are two valid host certificates with the same subject:
>
>
> $ ipa cert-find --subject=throwaway.unix.iriszorg.nl
> ----------------------
> 2 certificates matched
> ----------------------
> Serial number (hex): 0x3FFE0002
> Serial number: 1073610754
> Status: VALID
> Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>
> Serial number (hex): 0x3FFE0003
> Serial number: 1073610755
> Status: VALID
> Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
> ----------------------------
> Number of entries returned 2
> ----------------------------
>
>
> So certmonger on this CentOS 6.8 32-bit host is renewing but not
> having the old certificate revoked.
>
>
> I'd check the Apache log to find the cert_request call to see if you
> can see if there are any issues raised. It should be doing a
> cert_revoke at the same time.
>
> Can you show how this certificate is being tracked?
>
>
> sure:
>
> $ sudo getcert list
> Number of certificates and requests being tracked: 1.
> Request ID '20160929100945':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
> certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
> subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
> expires: 2018-09-30 10:13:17 UTC
> principal name: host/throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
>
> now, let's resubmit:
>
> $ sudo ipa-getcert resubmit -i 20160929100945
> Resubmitting "20160929100945" to "IPA".
> [jose.admin at throwaway ~]$ sudo getcert list
> Number of certificates and requests being tracked: 1.
> Request ID '20160929100945':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
> certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
> subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
> expires: 2018-09-30 20:41:28 UTC
> principal name: host/throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
>
> so it has been successfully renewed.
>
> In the access_log of the kdc I see this:
>
> 172.20.4.228 - - [29/Sep/2016:22:41:27 +0200] "POST https://kdc03.unix.iriszorg.nl:443/ca/eeca/ca/profileSubmitSSLClient HTTP/1.1" 200 1913
> 172.20.6.81 - host/throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL [29/Sep/2016:22:41:27 +0200] "POST /ipa/xml HTTP/1.1" 200 2929
>
> and in the error_log:
> [Thu Sep 29 22:41:28.626669 2016] [:error] [pid 4617] ipa: INFO: [xmlserver] host/throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL: cert_request(u'[...]DQYJKoZIhvcNAQELBQADggEBAD674/oGYlQTQDSvwf0muYoxBsj1dc6gnArw0JJpGVCNMv/J3FdgOLcOhxzZcOfZiQr4NdYoV+/6mISOhknMa4ErJhqSAWbUA+w3+lL3CHfdDtNueUjZRbPZezcC0rhAlnXBT7iakjuhE56WkZz7AihEU8RAvnZfSRi1mhehf3wFRYKWuzK9AW1DTY/uGMmHXiFtvINpfAJ3yL66xPwTj4087nz9w4YUqNyCX+hYL+7idCJeoMjDyCqYQpjFkdfZhRuNd+rrKWTgYvKN3w/5+ItefDCYy8py91V2kXS7BrsYjd+2YHtQ2AbjgIW2xpTr/+PetToZyL50oWCpduT5t+M=', principal=u'host/throwaway.unix.iriszorg.nl at UNIX.IRISZORG.NL', add=True, version=u'2.51'): SUCCESS
>
> and now I have 3 valid certificates:
>
> $ ipa cert-find --subject=throwaway.unix.iriszorg.nl
> ----------------------
> 3 certificates matched
> ----------------------
> Serial number (hex): 0xFF9000D
> Serial number: 267976717
> Status: VALID
> Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>
> Serial number (hex): 0x3FFE0002
> Serial number: 1073610754
> Status: VALID
> Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>
> Serial number (hex): 0x3FFE0003
> Serial number: 1073610755
> Status: VALID
> Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
> ----------------------------
> Number of entries returned 3
> ----------------------------
Ok, let me start by saying that this is not a bug in either certmonger
or dogtag. IPA is supposed to do the revocation in the cert_request command.
The steps IPA _should_ be taking are:
1. Figure out if we are doing a certificate for a host or a service.
2. See if the requester is allowed to manage this entry
3. Look at the entry to see if it has a usercertificate attribute. If so,
revoke that serial number, then clear the usercertificate value in the
host or service entry (via service_mod or host_mod).
4. Request a new certificate
5. Update IPA with the new value
Does a certificate appear in ipa host-show throwaway.unix.iriszorg.nl,
and which certificate serial number?
rob
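The five steps above describe what cert_request is meant to do. The check a practitioner wants after seeing several VALID certificates for one subject is to compare the serials that `ipa cert-find` returns against the serial of the certificate actually stored on the host entry (the `Certificate:` value that `ipa host-show --all` prints) and to treat every other VALID serial as a leftover that should have been revoked. The script below is an added example written for this page; it is not code from the thread, from FreeIPA or from certmonger. It assumes `ipa cert-find` output shaped like the listings earlier in the thread (the embedded sample is constructed to mirror them, with a REVOKED entry made up to exercise the status filter), and it stands in for the host entry's certificate with a constructed DER prefix that carries only the fields up to serialNumber, so that value is not a real X.509 certificate; on a real system you would paste the base64 `Certificate:` value from host-show instead.

```python
"""Added example (not FreeIPA or certmonger code): find VALID certificates for
a host subject that are not the one stored on its IPA host entry."""
import base64
import re

# Constructed sample shaped like the `ipa cert-find` output in the thread;
# the REVOKED entry is made up to exercise the status filter.
SAMPLE_CERT_FIND = """\
----------------------
3 certificates matched
----------------------
Serial number (hex): 0xFF9000D
Serial number: 267976717
Status: VALID
Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

Serial number (hex): 0x3FFE0002
Serial number: 1073610754
Status: VALID
Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

Serial number (hex): 0x3FFE0001
Serial number: 1073610753
Status: REVOKED
Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
----------------------------
Number of entries returned 3
----------------------------
"""


def parse_cert_find(text):
    """Return [{'serial': int, 'status': str, 'subject': str}, ...] from the
    text output of `ipa cert-find`; a record starts at 'Serial number (hex):'
    and the decimal 'Serial number:' line is cross-checked against it."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Serial number \(hex\): 0x([0-9A-Fa-f]+)$", line):
            entries.append({"serial": int(m.group(1), 16)})
        elif entries and (m := re.match(r"Serial number: (\d+)$", line)):
            if int(m.group(1)) != entries[-1]["serial"]:
                raise ValueError("hex and decimal serial disagree: " + line)
        elif entries and (m := re.match(r"(Status|Subject): (.+)$", line)):
            entries[-1][m.group(1).lower()] = m.group(2)
    return entries


def der_read_tlv(buf, pos):
    """(tag, value_start, value_end) of the DER TLV at pos; definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, pos, pos + length


def serial_from_der(der):
    """Certificate -> tbsCertificate -> optional EXPLICIT [0] version -> serialNumber."""
    tag, pos, _ = der_read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, pos, _ = der_read_tlv(der, pos)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, start, end = der_read_tlv(der, pos)
    if tag == 0xA0:  # version is absent on v1 certificates
        tag, start, end = der_read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return int.from_bytes(der[start:end], "big", signed=True)


def serial_from_b64(b64):
    """Serial of the base64 DER that `ipa host-show --all` prints as 'Certificate:'."""
    return serial_from_der(base64.b64decode(b64))


def stale_valid_serials(cert_find_text, host_cert_b64):
    """VALID serials other than the one on the host entry, sorted: the ones
    cert_request should have revoked. Review them before `ipa cert-revoke`."""
    live = serial_from_b64(host_cert_b64)
    return sorted(e["serial"] for e in parse_cert_find(cert_find_text)
                  if e["status"] == "VALID" and e["serial"] != live)


def constructed_host_certificate(serial):
    """Stand-in for host-show's 'Certificate:' value. NOT a real X.509 cert:
    only the DER prefix up to serialNumber is built, which is all that
    serial_from_der() walks. On a real host paste the host-show value instead."""
    def tlv(tag, value):  # short-form length only, enough for this prefix
        return bytes([tag, len(value)]) + value
    def integer(n):
        return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))
    tbs = tlv(0x30, tlv(0xA0, integer(2)) + integer(serial))
    return base64.b64encode(tlv(0x30, tbs)).decode()
```

With the host entry holding 0xFF9000D (the newest serial in the thread), `stale_valid_serials(SAMPLE_CERT_FIND, constructed_host_certificate(0xFF9000D))` returns `[1073610754]`, i.e. 0x3FFE0002; the REVOKED 0x3FFE0001 is ignored. Each serial it reports is a candidate for `ipa cert-revoke <serial> --revocation-reason=4` (reason 4 is "superseded"), but confirm first that the serial is not still in use by a service entry (Rob's service-find suggestion earlier in the thread), since the script only knows about the host entry.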