[Freeipa-users] Replica created with expired certs

Rob Crittenden rcritten at redhat.com
Fri Sep 30 08:53:10 UTC 2016


Jim Richard wrote:
> Can I and how…
>
> delete all certs for all hosts
>
> I mean, we only use FreeIPA for user login/sssd
>
> That said, do we even need those certs?

There is no simple answer, really.

Yes, you can delete all certs for all hosts (not recommended as some of 
those are for IPA services). I doubt it would do anything positive and 
if the certificate is tracked by certmonger on the client it would 
eventually renew.

Do you need the certs? Only you would know that, but chances are the 
vast majority aren't being used.

In 3.0 when a client is registered a host certificate is obtained for 
it. This certificate was never used and in 4.something it isn't 
requested at all unless an option is passed to ipa-client-install.

rob

>
>
>> On Sep 29, 2016, at 8:53 PM, Jim Richard <jrichard at placeiq.com
>> <mailto:jrichard at placeiq.com>> wrote:
>>
>> another interesting thing, my httpd/error_logs are constantly getting
>> spammed with: (I removed the stuff between the single quotes)
>>
>> Notice those names don’t match, should they?
>>
>> Me thinks not since those “principal=“ items are ALMOST all hosts that
>> no longer exist in the FreeIPA system. A rare few do exist.
>>
>> So, that’s weird :)
>>
>> [Thu Sep 29 20:44:59 2016] [error] ipa: INFO:
>> host/aerospike-cl1-203.nym1.placeiq.net at PLACEIQ.NET:
>> cert_request(u'…………………..',
>> principal=u'host/sbtt-nyc1-028.thum01.nym1.placeiq.net at PLACEIQ.NET',
>> add=True): CertificateOperationError
>>
>> [Thu Sep 29 20:45:06 2016] [error] ipa: INFO:
>> host/aerospike-cl2-210.nym1.placeiq.net at PLACEIQ.NET:
>> cert_request(u'…………………..',
>> principal=u'host/017.prod07.nym1.placeiq.net at PLACEIQ.NET',
>> add=True): CertificateOperationError
>>
>> [Thu Sep 29 20:45:09 2016] [error] ipa: INFO:
>> host/adsgateway-14.nym1.placeiq.net at PLACEIQ.NET:
>> cert_request(u'……………………...',
>> principal=u'host/025.prod07.nym1.placeiq.net at PLACEIQ.NET',
>> add=True): CertificateOperationError
>>
>> [Thu Sep 29 20:45:29 2016] [error] ipa: INFO:
>> host/ttsandbox-022.nym1.placeiq.net at PLACEIQ.NET:
>> cert_request(u'……………………….',
>> principal=u'host/sbtt-nyc1-022.thum01.nym1.placeiq.net at PLACEIQ.NET',
>> add=True): CertificateOperationError
>>
>>
>>> On Sep 29, 2016, at 8:11 AM, Rob Crittenden <rcritten at redhat.com
>>> <mailto:rcritten at redhat.com>> wrote:
>>>
>>> Natxo Asenjo wrote:
>>>> hi Jim,
>>>>
>>>> On Thu, Sep 29, 2016 at 7:37 AM, Jim Richard <jrichard at placeiq.com
>>>> <mailto:jrichard at placeiq.com>> wrote:
>>>>
>>>>    Thanks Rob, that worked.
>>>>
>>>>    Still on the subject of certs, any idea how to solve this error:
>>>>
>>>>    Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
>>>>    certificate/key database is in an old, unsupported format.
>>>>
>>>>    I see that in the gui when querying hosts as well as from cli when I
>>>>    ipa-show or ipa-find
>>>>
>>>>
>>>> I have had this too, and we did not find a solution (search my recent
>>>> posts on the archives). As a workaround I have created replicas and
>>>> decommissioned the older replicas.
>>>
>>> On the one hand I'm glad this fixed it for you. On the other it is a
>>> rather unsatisfying answer. Unfortunately NSS doesn't always provide
>>> the most context with its error messages. This error is usually seen
>>> when one tries to open a non-existent database, which in this case is
>>> a very strange thing, especially since it goes from working to
>>> non-working in the same apache process over a few minutes.
>>>
>>> I'm not sure how I'd troubleshoot this if it were easily
>>> reproducible. I suspect we'd need to figure out which database cannot
>>> be found (most likely /etc/httpd/alias) and go from there. An strace
>>> is a brute-force way to see the file open but finding the right
>>> process to attach to is a bit of an art.
>>>
>>> rob
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>
>
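Added example (not from the thread, and not FreeIPA project code): a small Python script that parses httpd error_log lines of the shape Jim quoted and flags cert_request calls where the authenticated host principal differs from the principal named in the request, then checks whether the requested host is still enrolled. In FreeIPA a host can request a certificate for itself or for entries it is listed as managing, so a caller/requested mismatch is the thing to chase, and sorting the mismatches by whether the target still exists separates stale tracking requests from ones that deserve a closer look. The sample lines are constructed from the shapes in the post (the "@" that the archive prints as " at " is restored, the CSR argument is left elided, and the web-01 line is invented to show a request that is not flagged); ENROLLED_HOSTS is an assumed inventory standing in for the FQDNs that `ipa host-find` would return.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the shape of the httpd error_log lines quoted in the
# post. Real logs carry "@" (the list archive prints " at "); the CSR argument
# is left elided as in the original. The third line is invented to show a
# request that does NOT get flagged (caller and requested principal agree).
SAMPLE_LOG = """\
[Thu Sep 29 20:44:59 2016] [error] ipa: INFO: host/aerospike-cl1-203.nym1.placeiq.net@PLACEIQ.NET: cert_request(u'...', principal=u'host/sbtt-nyc1-028.thum01.nym1.placeiq.net@PLACEIQ.NET', add=True): CertificateOperationError
[Thu Sep 29 20:45:06 2016] [error] ipa: INFO: host/aerospike-cl2-210.nym1.placeiq.net@PLACEIQ.NET: cert_request(u'...', principal=u'host/017.prod07.nym1.placeiq.net@PLACEIQ.NET', add=True): CertificateOperationError
[Thu Sep 29 20:45:20 2016] [error] ipa: INFO: host/web-01.nym1.placeiq.net@PLACEIQ.NET: cert_request(u'...', principal=u'host/web-01.nym1.placeiq.net@PLACEIQ.NET', add=True): SUCCESS
[Thu Sep 29 20:45:29 2016] [error] ipa: INFO: host/ttsandbox-022.nym1.placeiq.net@PLACEIQ.NET: cert_request(u'...', principal=u'host/sbtt-nyc1-022.thum01.nym1.placeiq.net@PLACEIQ.NET', add=True): CertificateOperationError
"""

# Assumed inventory of hosts still enrolled in IPA (stand-in for the FQDNs
# returned by `ipa host-find`); 017.prod07 is kept enrolled on purpose so
# one finding lands in the "still enrolled" bucket.
ENROLLED_HOSTS = {
    "aerospike-cl1-203.nym1.placeiq.net",
    "aerospike-cl2-210.nym1.placeiq.net",
    "ttsandbox-022.nym1.placeiq.net",
    "web-01.nym1.placeiq.net",
    "017.prod07.nym1.placeiq.net",
}

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] ipa: INFO: "
    r"(?P<caller>[^:]+): cert_request\((?P<args>.*)\): (?P<result>\S+)$"
)
PRINCIPAL_RE = re.compile(r"principal=u?'(?P<principal>[^']+)'")


def parse_cert_request_log(text):
    """Return one record per cert_request line; all other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = PRINCIPAL_RE.search(m.group("args"))
        if not p:
            continue
        records.append({
            "time": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
            "caller": m.group("caller"),        # authenticated principal
            "requested": p.group("principal"),  # principal named in the call
            "result": m.group("result"),
        })
    return records


def host_of(principal):
    """'host/fqdn@REALM' -> 'fqdn'; a principal without a '/' keeps its name."""
    name = principal.partition("@")[0]
    return name.split("/", 1)[1] if "/" in name else name


def triage(records, enrolled_hosts):
    """Flag calls where the caller asks for a certificate for a different
    principal, and note whether that principal's host is still enrolled."""
    findings = []
    for r in records:
        if r["caller"] == r["requested"]:
            continue
        requested_host = host_of(r["requested"])
        findings.append({
            "time": r["time"],
            "caller": host_of(r["caller"]),
            "requested": requested_host,
            "requested_enrolled": requested_host in enrolled_hosts,
            "result": r["result"],
        })
    return findings


def callers_by_count(findings):
    """Which clients keep doing this; the noisy ones are where to look next."""
    return Counter(f["caller"] for f in findings)


if __name__ == "__main__":
    found = triage(parse_cert_request_log(SAMPLE_LOG), ENROLLED_HOSTS)
    for f in found:
        state = "still enrolled" if f["requested_enrolled"] else "not enrolled"
        print("%s  %s -> %s (%s): %s" % (
            f["time"].isoformat(), f["caller"], f["requested"], state, f["result"]))
    print(callers_by_count(found))
```

On a flagged caller, `getcert list` on that client shows which certmonger tracking request carries the foreign principal and keeps resubmitting it. One cause worth ruling out (not established in the thread) is a machine image that was cloned with another host's certmonger request directory or keytab still in place.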




More information about the Freeipa-users mailing list