[Freeipa-users] Dogtag certs did not auto-renew, very stuck!

Peter Fern freeipa at 0xc0dedbad.com
Wed Feb 22 07:48:20 UTC 2017


Okay, with much debugging and hoop-jumping, I can say that certmonger on
Debian/Ubuntu is currently in a rather broken state, at least in a
server role.

It links against libcurl3-nss, however on Debian/-derivs there is no
build of nss-pem, so anything built against libcurl3-nss cannot parse
PEM formatted certs.  This results in a failure to process the IPA CA
from the filesystem, causing the certmonger agent to fail verification
of the server cert, producing the curl 'Error 77 connecting to <url>: Problem
with the SSL CA cert (path? access rights?)' return, which makes it
impossible to renew certificates, and resulted in wedging my deployment
as described.

Does the FreeIPA issue tracker accept distro-specific reports, or is
there somewhere more appropriate I should be sending this?  As it
stands, operating a CA on Debian/Ubuntu will break in painful and
unexpected fashion, and should be avoided.

On 21/02/17 23:36, Peter Fern wrote:
> I don't know why the certs did not auto-renew originally, but now I am
> very stuck trying to get my CA functional again.  I've tried setting the
> clock back to a week or two before the certs were due to expire, but I'm
> still having no luck getting the CA functional.
>
> This is a Ubuntu server, so some paths are different to what may be
> found on RPM-based distros.  Any urgent help would be greatly
> appreciated - I've been bashing against this for a couple of hours now
> with no luck, and the hour is getting late.
>
> Below is my current (anonymized) `getcert list` of the problem certs,
> where you will see my current ca-error:
>
> Request ID '20160616123036':
>         status: CA_UNREACHABLE
>         ca-error: Error 77 connecting to
> https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem
> with the SSL CA cert (path? access rights?).
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS
> Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
>         certificate:
> type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS
> Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=IPA RA,O=EXAMPLE.COM
>         expires: 2017-02-11 05:52:26 UTC
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
>         post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
>         track: yes
>         auto-renew: yes
> Request ID '20160616123427':
>         status: CA_UNREACHABLE
>         ca-error: Error 77 connecting to
> https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem
> with the SSL CA cert (path? access rights?).
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=CA Audit,O=EXAMPLE.COM
>         expires: 2017-02-11 05:52:03 UTC
>         key usage: digitalSignature,nonRepudiation
>         pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20160616123428':
>         status: CA_UNREACHABLE
>         ca-error: Error 77 connecting to
> https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem
> with the SSL CA cert (path? access rights?).
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>         expires: 2017-02-11 05:52:01 UTC
>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>         eku: id-kp-OCSPSigning
>         pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
> "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20160616123429':
>         status: CA_UNREACHABLE
>         ca-error: Error 77 connecting to
> https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem
> with the SSL CA cert (path? access rights?).
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=CA Subsystem,O=EXAMPLE.COM
>         expires: 2017-02-11 05:52:01 UTC
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
> "subsystemCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
>
>
>
> All I get in the logs (with debug enabled) is:
>
> Jan 20 06:52:52 ipaserver.example.com
> dogtag-ipa-ca-renew-agent-submit[2121]: Forwarding request to
> dogtag-ipa-renew-agent
> Jan 20 06:52:52 ipaserver.example.com
> dogtag-ipa-renew-agent-submit[2307]: GET
> https://ipaserver.example.com:8443/ca/agent/ca/profileReview?requestId=69960009&xml=true
> Jan 20 06:52:52 ipaserver.example.com
> dogtag-ipa-renew-agent-submit[2307]: (null)
> Jan 20 06:52:52 ipaserver.example.com
> dogtag-ipa-ca-renew-agent-submit[2121]: dogtag-ipa-renew-agent returned 3
> Jan 20 06:52:52 ipaserver.example.com certmonger[2016]: 2017-01-20
> 06:52:52 [2016] Error 77 connecting to
> https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem
> with the SSL CA cert (path? access rights?).
>
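As an added example (not from this thread and not certmonger's or FreeIPA's own code), the script below parses `getcert list` output in the format quoted above and flags tracked requests that are in a non-MONITORING state, marked stuck, already expired, or within a warning window of expiry; the condition described above went unnoticed until the certificates had already lapsed and the renewal agent could no longer authenticate. The sample listing embedded in the script is constructed to mimic the quoted one, including the continuation lines a mail client produces when it wraps long values. The file name `check_getcert.py` and the 28-day default threshold are assumptions.

```python
"""Flag certmonger-tracked certificates that are stuck, unreachable or near expiry.

Added example, not certmonger's or FreeIPA's code: parses `getcert list` text
and reports requests that need attention while renewal is still possible.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `getcert list` output, including the
# continuation lines a mail client produces when it wraps long values.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20160616123036':
        status: CA_UNREACHABLE
        ca-error: Error 77 connecting to
https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem
with the SSL CA cert (path? access rights?).
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
        certificate:
type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS
Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        subject: CN=IPA RA,O=EXAMPLE.COM
        expires: 2017-02-11 05:52:26 UTC
        auto-renew: yes
Request ID '20170101000000':
        status: MONITORING
        CA: IPA
        subject: CN=ipaserver.example.com,O=EXAMPLE.COM
        expires: 2018-06-16 12:34:00 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
# Field lines are indented "key: value"; wrapped continuation lines are not.
FIELD_RE = re.compile(r"^\s+([-\w ]+?):(?:\s(.*))?$")
EXPIRES_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC$")


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the getcert field names."""
    requests, current, last_key = [], None, None
    for raw in text.splitlines():
        m = REQUEST_RE.match(raw)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            last_key = None
            continue
        if current is None:
            continue  # summary line(s) before the first request
        m = FIELD_RE.match(raw)
        if m:
            last_key = m.group(1)
            current[last_key] = (m.group(2) or "").strip()
        elif last_key is not None and raw.strip():
            # Glue a wrapped continuation line back onto the previous value.
            current[last_key] = (current[last_key] + " " + raw.strip()).strip()
    return requests


def parse_expiry(value):
    """Parse the 'expires' field (printed in UTC) into an aware datetime, or None."""
    m = EXPIRES_RE.match(value or "")
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def find_problem_requests(requests, now=None, warn_days=28):
    """Return (request_id, subject, [reasons]) for every request needing attention."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for req in requests:
        reasons = []
        status = req.get("status", "")
        if status != "MONITORING":
            detail = f" ({req['ca-error']})" if req.get("ca-error") else ""
            reasons.append(f"status {status}{detail}")
        if req.get("stuck") == "yes":
            reasons.append("certmonger reports the request as stuck")
        expires = parse_expiry(req.get("expires"))
        if expires is not None:
            remaining = expires - now
            if remaining < timedelta(0):
                reasons.append(f"expired {(-remaining).days} days ago")
            elif remaining < timedelta(days=warn_days):
                reasons.append(f"expires in {remaining.days} days")
        if reasons:
            findings.append((req["request_id"], req.get("subject", "?"), reasons))
    return findings


if __name__ == "__main__":
    # Read live output from a pipe (`getcert list | python3 check_getcert.py`);
    # otherwise run against the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCERT_OUTPUT
    for rid, subject, reasons in find_problem_requests(parse_getcert_list(text)):
        print(f"{rid} {subject}: " + "; ".join(reasons))
```

Run it from whatever already monitors the IPA server so that a CA_UNREACHABLE state is noticed while the RA and subsystem certificates are still valid; once they have expired, the renewal agent can no longer authenticate to Dogtag, which is the wedge described above. When the reported ca-error is the curl error 77 quoted in the thread, checking which libcurl the certmonger helper (`dogtag-ipa-renew-agent-submit` in the log above) links against, for example with `ldd`, tells you whether it is the NSS-backed build that the poster found unable to load the PEM CA file on Debian/Ubuntu.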
