[Freeipa-users] Dogtag certs did not auto-renew, very stuck!

Peter Fern freeipa at 0xc0dedbad.com
Tue Feb 21 12:36:40 UTC 2017


I don't know why the certs did not auto-renew originally, but now I am
very stuck trying to get my CA functional again.  I've tried setting the
clock back to a week or two before the certs were due to expire, but I'm
still having no luck getting the CA functional.

This is a Ubuntu server, so some paths are different to what may be
found on RPM-based distros.  Any urgent help would be greatly
appreciated - I've been bashing against this for a couple of hours now
with no luck, and the hour is getting late.

Below is my current (anonymized) `getcert list` of the problem certs,
where you will see my current ca-error:

Request ID '20160616123036':
        status: CA_UNREACHABLE
        ca-error: Error 77 connecting to
https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem
with the SSL CA cert (path? access rights?).
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
        certificate:
type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS
Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=IPA RA,O=EXAMPLE.COM
        expires: 2017-02-11 05:52:26 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20160616123427':
        status: CA_UNREACHABLE
        ca-error: Error 77 connecting to
https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem
with the SSL CA cert (path? access rights?).
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=CA Audit,O=EXAMPLE.COM
        expires: 2017-02-11 05:52:03 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20160616123428':
        status: CA_UNREACHABLE
        ca-error: Error 77 connecting to
https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem
with the SSL CA cert (path? access rights?).
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=OCSP Subsystem,O=EXAMPLE.COM
        expires: 2017-02-11 05:52:01 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        eku: id-kp-OCSPSigning
        pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20160616123429':
        status: CA_UNREACHABLE
        ca-error: Error 77 connecting to
https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem
with the SSL CA cert (path? access rights?).
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=CA Subsystem,O=EXAMPLE.COM
        expires: 2017-02-11 05:52:01 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
All I get in the logs (with debug enabled) is:

Jan 20 06:52:52 ipaserver.example.com
dogtag-ipa-ca-renew-agent-submit[2121]: Forwarding request to
dogtag-ipa-renew-agent
Jan 20 06:52:52 ipaserver.example.com
dogtag-ipa-renew-agent-submit[2307]: GET
https://ipaserver.example.com:8443/ca/agent/ca/profileReview?requestId=69960009&xml=true
Jan 20 06:52:52 ipaserver.example.com
dogtag-ipa-renew-agent-submit[2307]: (null)
Jan 20 06:52:52 ipaserver.example.com
dogtag-ipa-ca-renew-agent-submit[2121]: dogtag-ipa-renew-agent returned 3
Jan 20 06:52:52 ipaserver.example.com certmonger[2016]: 2017-01-20
06:52:52 [2016] Error 77 connecting to
https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem
with the SSL CA cert (path? access rights?).
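To triage output like the `getcert list` above without reading it by hand, here is an added example (not from the post or from FreeIPA/certmonger) that parses the records, flags which tracked certs were already expired on a given date, and maps the curl exit code in `ca-error` to its meaning; the sample text is constructed from two of the records above, and the error-code table is an assumption covering only code 77 (curl's CURLE_SSL_CACERT_BADFILE, the "Problem with the SSL CA cert" message shown):

```python
import re
from datetime import datetime, timezone

# Constructed sample in the `getcert list` layout from the post, with long values
# wrapped onto unindented continuation lines the way the mail client did it.
SAMPLE = """\
Request ID '20160616123036':
        status: CA_UNREACHABLE
        ca-error: Error 77 connecting to
https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem
with the SSL CA cert (path? access rights?).
        subject: CN=IPA RA,O=EXAMPLE.COM
        expires: 2017-02-11 05:52:26 UTC
        auto-renew: yes
Request ID '20160616123427':
        status: MONITORING
        subject: CN=CA Audit,O=EXAMPLE.COM
        expires: 2018-02-11 05:52:03 UTC
        auto-renew: yes
"""

# Assumed mapping of curl exit codes seen in ca-error; 77 is CURLE_SSL_CACERT_BADFILE.
CURL_ERRORS = {77: "CURLE_SSL_CACERT_BADFILE: certmonger could not read the CA "
                   "bundle it verifies the Dogtag HTTPS endpoint with"}

def parse_getcert_list(text):
    """One dict per 'Request ID' record; unindented lines continue the previous value."""
    records, current, last_key = [], None, None
    for line in text.splitlines():
        m = re.match(r"Request ID '(\d+)':", line)
        if m:
            current, last_key = {"request_id": m.group(1)}, None
            records.append(current)
        elif current is not None and line[:1].isspace() and ":" in line:
            key, _, value = line.strip().partition(":")
            last_key = re.sub(r"[\s-]", "_", key.strip())   # 'ca-error' -> 'ca_error'
            current[last_key] = value.strip()
        elif current is not None and last_key is not None:
            current[last_key] = (current[last_key] + " " + line.strip()).strip()
    return records

def diagnose(record, now):
    """Expiry state relative to an aware UTC `now`, plus the curl error meaning."""
    expires = datetime.strptime(re.sub(r"\s+UTC$", "", record["expires"]),
                                "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    m = re.search(r"Error (\d+) connecting", record.get("ca_error", ""))
    return {"request_id": record["request_id"], "subject": record["subject"],
            "status": record["status"], "expired": expires <= now,
            "days_left": (expires - now).days,   # negative once the cert has lapsed
            "hint": CURL_ERRORS.get(int(m.group(1)), "unmapped curl error") if m else None}
```

Run it against real output with `getcert list | python3 -c '...'` or by reading the file into `parse_getcert_list`; a record that is both past `expires` and stuck in CA_UNREACHABLE is the one that needs the CA bundle path and permissions checked before any renewal retry can succeed.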