[Freeipa-users] Dogtag certs did not auto-renew, very stuck!
Rob Crittenden
rcritten at redhat.com
Wed Feb 22 18:26:29 UTC 2017
Peter Fern wrote:
> Okay, with much debugging and hoop-jumping, I can say that certmonger on
> Debian/Ubuntu is currently in a rather broken state, at least in a
> server role.
>
> It links against libcurl3-nss, however on Debian/-derivs there is no
> build of nss-pem, so anything built against libcurl3-nss cannot parse
> PEM formatted certs. This results in a failure to process the IPA CA
> from the filesystem, causing the certmonger agent to fail verification
> of the server cert, producing the curl 'Error 77 connecting to<url>: Problem
> with the SSL CA cert (path? access rights?)' return, which makes it
> impossible to renew certificates, and resulted in wedging my deployment
> as described.
>
> Does the FreeIPA issue tracker accept distro-specific reports, or is
> there somewhere more appropriate I should be sending this? As it
> stands, operating a CA on Debian/Ubuntu will break in painful and
> unexpected fashion, and should be avoided.
Very nice job in tracking this down.
You can certainly open a ticket against freeipa or certmonger but I
think this is more a packaging issue in Debian, et al (although granted
a very non-obvious one).
It's been many moons since I worked on nss-pem but from what I can tell
it should be buildable outside of NSS so can ship as a separate package.
You might try building it locally to see if it resolves the issues for
you. It resides at https://github.com/kdudka/nss-pem
I don't know who does the certmonger packaging; is that you, Timo?
rob
>
> On 21/02/17 23:36, Peter Fern wrote:
>> I don't know why the certs did not auto-renew originally, but now I am
>> very stuck trying to get my CA functional again. I've tried setting the
>> clock back to a week or two before the certs were due to expire, but I'm
>> still having no luck getting the CA functional.
>>
>> This is a Ubuntu server, so some paths are different to what may be
>> found on RPM-based distros. Any urgent help would be greatly
>> appreciated - I've been bashing against this for a couple of hours now
>> with no luck, and the hour is getting late.
>>
>> Below is my current (anonymized) `getcert list` of the problem certs,
>> where you will see my current ca-error:
>>
>> Request ID '20160616123036':
>> status: CA_UNREACHABLE
>> ca-error: Error 77 connecting to
>> https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem
>> with the SSL CA cert (path? access rights?).
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS
>> Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS
>> Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>> subject: CN=IPA RA,O=EXAMPLE.COM
>> expires: 2017-02-11 05:52:26 UTC
>> key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
>> post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
>> track: yes
>> auto-renew: yes
>> Request ID '20160616123427':
>> status: CA_UNREACHABLE
>> ca-error: Error 77 connecting to
>> https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem
>> with the SSL CA cert (path? access rights?).
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>> subject: CN=CA Audit,O=EXAMPLE.COM
>> expires: 2017-02-11 05:52:03 UTC
>> key usage: digitalSignature,nonRepudiation
>> pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
>> post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
>> "auditSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20160616123428':
>> status: CA_UNREACHABLE
>> ca-error: Error 77 connecting to
>> https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem
>> with the SSL CA cert (path? access rights?).
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>> subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>> expires: 2017-02-11 05:52:01 UTC
>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>> eku: id-kp-OCSPSigning
>> pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
>> post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
>> "ocspSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20160616123429':
>> status: CA_UNREACHABLE
>> ca-error: Error 77 connecting to
>> https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem
>> with the SSL CA cert (path? access rights?).
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>> subject: CN=CA Subsystem,O=EXAMPLE.COM
>> expires: 2017-02-11 05:52:01 UTC
>> key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
>> post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
>> "subsystemCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>>
>> All I get in the logs (with debug enabled) is:
>>
>> Jan 20 06:52:52 ipaserver.example.com
>> dogtag-ipa-ca-renew-agent-submit[2121]: Forwarding request to
>> dogtag-ipa-renew-agent
>> Jan 20 06:52:52 ipaserver.example.com
>> dogtag-ipa-renew-agent-submit[2307]: GET
>> https://ipaserver.example.com:8443/ca/agent/ca/profileReview?requestId=69960009&xml=true
>> Jan 20 06:52:52 ipaserver.example.com
>> dogtag-ipa-renew-agent-submit[2307]: (null)
>> Jan 20 06:52:52 ipaserver.example.com
>> dogtag-ipa-ca-renew-agent-submit[2121]: dogtag-ipa-renew-agent returned 3
>> Jan 20 06:52:52 ipaserver.example.com certmonger[2016]: 2017-01-20
>> 06:52:52 [2016] Error 77 connecting to
>> https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem
>> with the SSL CA cert (path? access rights?).
>>
>
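A shell check for the condition Peter diagnosed, added here as an example and not taken from the thread, certmonger or FreeIPA: it tells an NSS-backed libcurl from an OpenSSL one, tests whether the CA file is PEM and whether libnsspem.so (nss-pem) is installed, and maps curl's exit code back to the ca-error quoted above. The sample `curl -V` banner, the library directories searched and the CA file path are assumptions.

```shell
# Added diagnostic for the failure Peter describes above: certmonger's libcurl
# is NSS-backed and nss-pem is absent, so PEM CA files cannot be loaded and
# curl fails with exit code 77. Not code from the thread, certmonger or FreeIPA.

# Constructed example of the first line of `curl -V` on an NSS-backed build.
SAMPLE_NSS_BANNER='curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 NSS/3.21 zlib/1.2.8'

# 1. Is the TLS backend NSS?  $1 = text of `curl -V` (passed in for offline use)
curl_backend_is_nss() {
  printf '%s\n' "$1" | head -n 1 | grep -q ' NSS/'
}
# 2. Is the CA file PEM-encoded (the format NSS cannot read without nss-pem)?
is_pem_cert() {
  [ -f "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}
# 3. Is the nss-pem PKCS#11 module present in any of the given library dirs?
nsspem_available() {
  for d in "$@"; do
    [ -f "$d/libnsspem.so" ] && return 0
  done
  return 1
}

# Combine 1-3: print "ok" or the reason the CA file would be unusable.
# $1 = `curl -V` text, $2 = CA file, remaining args = library dirs to search
predict_ca_load() {
  banner=$1; ca=$2; shift 2
  if ! curl_backend_is_nss "$banner"; then echo ok; return 0; fi
  if ! is_pem_cert "$ca"; then echo ok; return 0; fi   # DER file or NSS db: unaffected
  if nsspem_available "$@"; then echo ok; return 0; fi
  echo "nss-without-nss-pem: PEM CA '$ca' cannot be loaded (expect curl exit 77)"
  return 1
}

# Translate the exit code of a live curl run into the symptom seen in the thread.
diagnose_curl_exit() {
  case "$1" in
    0)  echo ok ;;
    77) echo "problem with the SSL CA cert (error 77)" ;;
    60) echo "server certificate not trusted by the CA file (error 60)" ;;
    *)  echo "curl exit $1" ;;
  esac
}

# Live check when run with arguments: <profileReview URL> <CA file>
# (library directories below are assumed locations for libnsspem.so)
if [ $# -eq 2 ]; then
  predict_ca_load "$(curl -V 2>/dev/null)" "$2" /usr/lib64 /usr/lib/x86_64-linux-gnu
  curl -sS -o /dev/null --cacert "$2" "$1"; diagnose_curl_exit $?
fi
```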