[Freeipa-users] renewing cert and migrating free-ipa 3.1

Rob Crittenden rcritten at redhat.com
Tue Apr 18 14:07:20 UTC 2017


Umarzuki Mochlis wrote:
> Now users complaining that passwords that have been reset cannot be
> used to log in.

Passwords are completely unrelated to expired certificates.

Wow, this is really quite an old install.

The error message about communicating with CMS suggests that the CA
isn't really up. The dogtag debug log may contain more details on that.

What is the output when you use ipactl to restart the services? I have
the feeling it is catching an error that your manual restart is not.

I'd also not set the date back so far. It won't hurt but it will be the
starting date for new certificates so you'd be cheating yourself out of
8 or so months.

I'd also look at the RA agent cert to be sure it is currently correct:

$ ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b
uid=ipara,ou=People,o=ipaca description

$ certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial

The description field from the ldapsearch has the format:

2;<serial number>;<issuer subject>;<subject>

The serial numbers should match. Don't do anything if they don't, just
report back the result.

rob
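The RA agent check described above, as an added example that is not part of Rob's message or of FreeIPA itself: a small Python script that unfolds the `ldapsearch` LDIF, parses the `2;<serial>;<issuer>;<subject>` description value, extracts the serial from `certutil -L` output and compares the two. The LDIF and certutil outputs embedded below are constructed samples (the DNs under O=EXAMPLE.TEST are placeholders, not values from the thread); `check_live()` only shows how to wire the real commands in and is not something the thread ran.

```python
"""Added example (not from the original message): compare the RA agent
certificate serial recorded in Dogtag's ipara entry with the serial of the
ipaCert in httpd's NSS database, which is what the two commands above check."""
import re
import subprocess

# Constructed sample of:
#   ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W \
#       -b uid=ipara,ou=People,o=ipaca description
# The DNs under O=EXAMPLE.TEST are placeholders, not values from the thread.
LDAP_SAMPLE = """\
dn: uid=ipara,ou=People,o=ipaca
description: 2;7;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE.TEST
"""

# Constructed sample of the head of: certutil -L -d /etc/httpd/alias -n ipaCert
CERTUTIL_SAMPLE = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=EXAMPLE.TEST"
"""


def parse_ipara_description(ldif):
    """Parse the ipara description attribute: 2;<serial>;<issuer subject>;<subject>."""
    ldif = re.sub(r"\n ", "", ldif)  # unfold LDIF continuation lines (leading space)
    m = re.search(r"^description:\s*(.+)$", ldif, re.M)
    if not m:
        raise ValueError("no description attribute in the ipara entry")
    version, serial, issuer, subject = m.group(1).split(";", 3)
    if version != "2":
        raise ValueError("unexpected description format version %r" % version)
    return {"serial": int(serial), "issuer": issuer, "subject": subject}


def parse_certutil_serial(text):
    """Extract the serial from 'certutil -L' pretty-print output.

    Small serials print on one line as 'Serial Number: 7 (0x7)'; larger ones
    print as a colon-separated hex dump on the following line(s)."""
    m = re.search(r"Serial Number:\s*(\d+)\s*\(0x[0-9a-fA-F]+\)", text)
    if m:
        return int(m.group(1))
    m = re.search(r"Serial Number:\s*\n((?:[ \t]+[0-9a-fA-F:]+\n)+)", text)
    if m:
        return int(re.sub(r"[\s:]", "", m.group(1)), 16)
    raise ValueError("could not find a serial number in certutil output")


def ra_cert_serials_match(ldif, certutil_out):
    """True when the serial Dogtag has on file for the agent equals the one in the NSS db."""
    return parse_ipara_description(ldif)["serial"] == parse_certutil_serial(certutil_out)


def check_live(nssdb="/etc/httpd/alias", nickname="ipaCert"):
    """Run the real commands on the IPA server (ldapsearch -W prompts for the
    Directory Manager password on the terminal). Illustrative wiring only."""
    ldif = subprocess.run(
        ["ldapsearch", "-x", "-h", "localhost", "-p", "7389",
         "-D", "cn=directory manager", "-W",
         "-b", "uid=ipara,ou=People,o=ipaca", "description"],
        check=True, capture_output=True, text=True).stdout
    cert = subprocess.run(["certutil", "-L", "-d", nssdb, "-n", nickname],
                          check=True, capture_output=True, text=True).stdout
    return ra_cert_serials_match(ldif, cert)


if __name__ == "__main__":
    print("sample serials match:", ra_cert_serials_match(LDAP_SAMPLE, CERTUTIL_SAMPLE))
```

A mismatch means Dogtag will reject the agent certificate httpd presents, so renewals through the CA fail even when the CA itself is up; as Rob says, record the result rather than changing anything.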

> I also tried resubmit getcert but 2 resubmit failed
> 
> [root at ipa ~]# getcert list
> Number of certificates and requests being tracked: 7.
> Request ID '20130112120226':
>     status: MONITORING
>     stuck: no
>     key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin='932018712055'
>     certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent
>     issuer: CN=Certificate Authority,O=DOA.GOV.MY
>     subject: CN=CA Audit,O=DOA.GOV.MY
>     expires: 2016-11-24 16:19:25 UTC
>     pre-save command:
>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20130112120227':
>     status: MONITORING
>     stuck: no
>     key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin='932018712055'
>     certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent
>     issuer: CN=Certificate Authority,O=DOA.GOV.MY
>     subject: CN=OCSP Subsystem,O=DOA.GOV.MY
>     expires: 2016-11-24 16:18:25 UTC
>     eku: id-kp-OCSPSigning
>     pre-save command:
>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "ocspSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20130112120228':
>     status: MONITORING
>     stuck: no
>     key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB',pin='932018712055'
>     certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent
>     issuer: CN=Certificate Authority,O=DOA.GOV.MY
>     subject: CN=CA Subsystem,O=DOA.GOV.MY
>     expires: 2016-11-24 16:18:25 UTC
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "subsystemCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20130112120229':
>     status: MONITORING
>     stuck: no
>     key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB'
>     CA: dogtag-ipa-renew-agent
>     issuer: CN=Certificate Authority,O=DOA.GOV.MY
>     subject: CN=IPA RA,O=DOA.GOV.MY
>     expires: 2016-11-24 16:18:25 UTC
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>     track: yes
>     auto-renew: yes
> Request ID '20130112120230':
>     status: MONITORING
>     stuck: no
>     key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB',pin='932018712055'
>     certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent
>     issuer: CN=Certificate Authority,O=DOA.GOV.MY
>     subject: CN=ipa.domain.com.my,O=DOA.GOV.MY
>     expires: 2016-11-24 16:18:25 UTC
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/lib64/ipa/certmonger/restart_pkicad
> "Server-Cert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20130112120232':
>     status: CA_UNREACHABLE
>     ca-error: Server failed request, will retry: 4301 (RPC failed at
> server.  Certificate operation cannot be completed: Unable to
> communicate with CMS (Internal Server Error)).
>     stuck: yes
>     key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-DOMAIN-COM-MY/pwdfile.txt'
>     certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS
> Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=DOA.GOV.MY
>     subject: CN=ipa.domain.com.my,O=DOA.GOV.MY
>     expires: 2016-12-16 16:18:27 UTC
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DOMAIN-COM-MY
>     track: yes
>     auto-renew: yes
> Request ID '20130112120734':
>     status: CA_UNREACHABLE
>     ca-error: Server failed request, will retry: 4301 (RPC failed at
> server.  Certificate operation cannot be completed: Unable to
> communicate with CMS (Internal Server Error)).
>     stuck: yes
>     key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=DOA.GOV.MY
>     subject: CN=ipa.domain.com.my,O=DOA.GOV.MY
>     expires: 2016-12-16 16:18:27 UTC
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>     track: yes
>     auto-renew: yes
> 
> What are my options?
> 
> 
> 2017-03-03 21:20 GMT+08:00 Umarzuki Mochlis <umarzuki at gmail.com>:
>> At first ipa-getcert list shows certificate error
>>
>> ca-error: Server failed request, will retry: -504 (libcurl failed to
>> execute the HTTP POST transaction, explaining:  Peer's Certificate has
>> expired.).
>>
>> but after I changed ipa server's date to before the expiration date, it shows
>>
>> ca-error: Server failed request, will retry: -504 (libcurl failed to
>> execute the HTTP POST transaction, explaining:  couldn't connect to
>> host).
>>
>> when I tried to start ipa with "service ipa start", all services would
>> fail, so I need to start one by one
>>
>> systemctl start dirsrv@DOMAIN-COM-MY.service
>> systemctl status dirsrv@DOMAIN-COM-MY.service
>> systemctl start krb5kdc.service
>> systemctl status krb5kdc.service
>> systemctl start kadmin.service
>> systemctl status kadmin.service
>> systemctl start ipa_memcached.service
>> systemctl status ipa_memcached.service
>> systemctl start pki-tomcatd@pki-tomcat.service
>> systemctl status pki-tomcatd@pki-tomcat.service
>>
>>
>> # tail /var/log/messages
>> Jan  3 17:32:26 ipa systemd[1]: Starting PKI Tomcat Server pki-tomcat...
>> Jan  3 17:32:29 ipa systemd[1]: Started PKI Tomcat Server pki-tomcat.
>> Jan  3 17:33:08 ipa certmonger[476]: 2016-01-03 17:33:08 [476] Server
>> failed request, will retry: -504 (libcurl failed to execute the HTTP
>> POST transaction, explaining:  couldn't connect to host).
>> Jan  3 17:33:12 ipa certmonger[476]: 2016-01-03 17:33:12 [476] Server
>> failed request, will retry: -504 (libcurl failed to execute the HTTP
>> POST transaction, explaining:  couldn't connect to host).
>>
>> 2017-03-03 13:20 GMT+08:00 Umarzuki Mochlis <umarzuki at gmail.com>:
>>> After httpd failed to start even with "NSSEnforceValidCerts off" in
>>> /etc/httpd/conf.d/nss.conf
>>> It used to work for a while since we use this only for zimbra but
>>> today it won't start anymore.
>>>
>>> We are not using commercial certs, so which steps should I follow to
>>> renew certs?
>>>
>>> It seems CA has expired more than 2 weeks ago.
>>>
>>> #  ipa-getcert list
>>> Number of certificates and requests being tracked: 7.
>>> Request ID '20130112120232':
>>>         status: CA_UNREACHABLE
>>>         ca-error: Server failed request, will retry: -504 (libcurl
>>> failed to execute the HTTP POST transaction, explaining:  Peer's
>>> Certificate has expired.).
>>>         stuck: yes
>>>         key pair storage:
>>> type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS
>>> Certificate DB',pinfile='/etc/dirsrv/slapd-DOMAIN-COM-MY/pwdfile.txt'
>>>         certificate:
>>> type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS
>>> Certificate DB'
>>>         CA: IPA
>>>         issuer: CN=Certificate Authority,O=DOMAIN.COM.MY
>>>         subject: CN=ipa.domain.com.my,O=DOMAIN.COM.MY
>>>         expires: 2016-12-16 16:18:27 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
>>> DOMAIN-COM-MY
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20130112120734':
>>>         status: CA_UNREACHABLE
>>>         ca-error: Server failed request, will retry: -504 (libcurl
>>> failed to execute the HTTP POST transaction, explaining:  Peer's
>>> Certificate has expired.).
>>>         stuck: yes
>>>         key pair storage:
>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>         certificate:
>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>> Certificate DB'
>>>         CA: IPA
>>>         issuer: CN=Certificate Authority,O=DOMAIN.COM.MY
>>>         subject: CN=ipa.domain.com.my,O=DOMAIN.COM.MY
>>>         expires: 2016-12-16 16:18:27 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>         track: yes
>>>         auto-renew: yes
>>>
>>> # rpm -qa | grep ipa
>>> freeipa-admintools-3.1.0-2.fc18.x86_64
>>> freeipa-server-3.1.0-2.fc18.x86_64
>>> libipa_hbac-python-1.9.3-1.fc18.x86_64
>>> python-iniparse-0.4-6.fc18.noarch
>>> freeipa-client-3.1.0-2.fc18.x86_64
>>> freeipa-server-selinux-3.1.0-2.fc18.x86_64
>>> freeipa-python-3.1.0-2.fc18.x86_64
>>> libipa_hbac-1.9.3-1.fc18.x86_64
> 
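The `getcert list` output quoted in the thread, reduced to the fields that matter, as an added example that is not part of the original posts or of certmonger: a parser that flags every tracked request that is expired, stuck, or not in MONITORING, and orders the Dogtag subsystem certificates (the ones stored in /etc/pki/pki-tomcat/alias and renewed via dogtag-ipa-renew-agent) first, since until those are valid the CA cannot start and every request with `CA: IPA` keeps failing with the "Unable to communicate with CMS" error seen above. The sample output is constructed (real `getcert list` layout, placeholder subjects, paths and pin), and the reference date `SAMPLE_NOW` is an assumption.

```python
"""Added example (not from the original thread): triage 'getcert list'
output so the certificates blocking everything else are fixed first."""
import re
from datetime import datetime, timezone

# Constructed sample in the layout getcert prints (one field per line).
GETCERT_SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20130112120228':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='placeholder'
    CA: dogtag-ipa-renew-agent
    subject: CN=CA Subsystem,O=EXAMPLE.TEST
    expires: 2016-11-24 16:18:25 UTC
Request ID '20130112120229':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    CA: dogtag-ipa-renew-agent
    subject: CN=IPA RA,O=EXAMPLE.TEST
    expires: 2016-11-24 16:18:25 UTC
Request ID '20130112120734':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    CA: IPA
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2016-12-16 16:18:27 UTC
"""

# Assumed reference date for the sample (the thread's reply is dated April 2017).
SAMPLE_NOW = datetime(2017, 4, 18, tzinfo=timezone.utc)

# Dogtag's own NSS database; certs here must be valid before the CA can start.
CA_SUBSYSTEM_DIR = "/etc/pki/pki-tomcat/alias"


def parse_getcert_list(text):
    """Return one dict per 'Request ID' block, keyed by the indented field names."""
    requests, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1)}
            requests.append(cur)
            continue
        m = re.match(r"\s+([^:]+):\s*(.*)$", line)
        if m and cur is not None:
            cur[m.group(1)] = m.group(2)
    return requests


def _storage_field(storage, key):
    """Pull location='...' or nickname='...' out of the key pair storage line."""
    m = re.search(key + r"='([^']*)'", storage or "")
    return m.group(1) if m else None


def triage(text, now=None):
    """List every request with its problems, CA subsystem certs first."""
    now = now or datetime.now(timezone.utc)
    report = []
    for r in parse_getcert_list(text):
        problems = []
        if r.get("expires"):
            expires = datetime.strptime(r["expires"].replace(" UTC", ""),
                                        "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            if expires < now:
                problems.append("expired")
        if r.get("status") != "MONITORING":
            problems.append("status " + r.get("status", "?"))
        if r.get("stuck") == "yes":
            problems.append("stuck")
        if r.get("ca-error"):
            problems.append("ca-error: " + r["ca-error"])
        storage = r.get("key pair storage")
        report.append({"id": r["id"], "ca": r.get("CA"),
                       "location": _storage_field(storage, "location"),
                       "nickname": _storage_field(storage, "nickname"),
                       "problems": problems})
    # Stable sort: Dogtag's own certs first, everything else in original order.
    report.sort(key=lambda e: e["location"] != CA_SUBSYSTEM_DIR)
    return report


def ca_subsystem_expired(report):
    """True if any cert in Dogtag's NSS db is expired, i.e. the CA cannot come up
    and requests with CA: IPA will fail until those are renewed first."""
    return any(e["location"] == CA_SUBSYSTEM_DIR and "expired" in e["problems"]
               for e in report)


if __name__ == "__main__":
    for entry in triage(GETCERT_SAMPLE, SAMPLE_NOW):
        print(entry["id"], entry["nickname"], entry["problems"] or "ok")
```

On a live server feed it `subprocess.run(["getcert", "list"], capture_output=True, text=True).stdout`; the point of the ordering is that resubmitting the `CA: IPA` requests, as the poster tried, cannot succeed while the subsystem certificates the CA needs to start are themselves expired.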



