[Freeipa-users] Dogtag certs did not auto-renew, very stuck!

Rob Crittenden rcritten at redhat.com
Wed Feb 22 18:26:29 UTC 2017


Peter Fern wrote:
> Okay, with much debugging and hoop-jumping, I can say that certmonger on
> Debian/Ubuntu is currently in a rather broken state, at least in a
> server role.
> 
> It links against libcurl3-nss, however on Debian/-derivs there is no
> build of nss-pem, so anything built against libcurl3-nss cannot parse
> PEM formatted certs.  This results in a failure to process the IPA CA
> from the filesystem, causing the certmonger agent to fail verification
> of the server cert, producing the curl 'Error 77 connecting to<url>: Problem
> with the SSL CA cert (path? access rights?)' return, which makes it
> impossible to renew certificates, and resulted in wedging my deployment
> as described.
> 
> Does the FreeIPA issue tracker accept distro-specific reports, or is
> there somewhere more appropriate I should be sending this?  As it
> stands, operating a CA on Debian/Ubuntu will break in painful and
> unexpected fashion, and should be avoided.

Very nice job in tracking this down.

You can certainly open a ticket against freeipa or certmonger but I
think this is more a packaging issue in Debian, et al (although granted
a very non-obvious one).

It's been many moons since I worked on nss-pem but from what I can tell
it should be buildable outside of NSS so can ship as a separate package.
You might try building it locally to see if it resolves the issues for
you. It resides at https://github.com/kdudka/nss-pem

I don't know who does the certmonger packaging, is that you Timo?

rob

> 
> On 21/02/17 23:36, Peter Fern wrote:
>> I don't know why the certs did not auto-renew originally, but now I am
>> very stuck trying to get my CA functional again.  I've tried setting the
>> clock back to a week or two before the certs were due to expire, but I'm
>> still having no luck getting the CA functional.
>>
>> This is a Ubuntu server, so some paths are different to what may be
>> found on RPM-based distros.  Any urgent help would be greatly
>> appreciated - I've been bashing against this for a couple of hours now
>> with no luck, and the hour is getting late.
>>
>> Below is my current (anonymized) `getcert list` of the problem certs,
>> where you will see my current ca-error:
>>
>> Request ID '20160616123036':
>>         status: CA_UNREACHABLE
>>         ca-error: Error 77 connecting to
>> https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem
>> with the SSL CA cert (path? access rights?).
>>         stuck: no
>>         key pair storage:
>> type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS
>> Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
>>         certificate:
>> type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS
>> Certificate DB'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>         subject: CN=IPA RA,O=EXAMPLE.COM
>>         expires: 2017-02-11 05:52:26 UTC
>>         key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
>>         post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
>>         track: yes
>>         auto-renew: yes
>> Request ID '20160616123427':
>>         status: CA_UNREACHABLE
>>         ca-error: Error 77 connecting to
>> https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem
>> with the SSL CA cert (path? access rights?).
>>         stuck: no
>>         key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>>         certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>         subject: CN=CA Audit,O=EXAMPLE.COM
>>         expires: 2017-02-11 05:52:03 UTC
>>         key usage: digitalSignature,nonRepudiation
>>         pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
>> "auditSigningCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20160616123428':
>>         status: CA_UNREACHABLE
>>         ca-error: Error 77 connecting to
>> https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem
>> with the SSL CA cert (path? access rights?).
>>         stuck: no
>>         key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>>         certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>         subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>>         expires: 2017-02-11 05:52:01 UTC
>>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>         eku: id-kp-OCSPSigning
>>         pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
>> "ocspSigningCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20160616123429':
>>         status: CA_UNREACHABLE
>>         ca-error: Error 77 connecting to
>> https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem
>> with the SSL CA cert (path? access rights?).
>>         stuck: no
>>         key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>>         certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>> cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>         subject: CN=CA Subsystem,O=EXAMPLE.COM
>>         expires: 2017-02-11 05:52:01 UTC
>>         key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
>> "subsystemCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>>
>>
>>
>> All I get in the logs (with debug enabled) is:
>>
>> Jan 20 06:52:52 ipaserver.example.com
>> dogtag-ipa-ca-renew-agent-submit[2121]: Forwarding request to
>> dogtag-ipa-renew-agent
>> Jan 20 06:52:52 ipaserver.example.com
>> dogtag-ipa-renew-agent-submit[2307]: GET
>> https://ipaserver.example.com:8443/ca/agent/ca/profileReview?requestId=69960009&xml=true
>> Jan 20 06:52:52 ipaserver.example.com
>> dogtag-ipa-renew-agent-submit[2307]: (null)
>> Jan 20 06:52:52 ipaserver.example.com
>> dogtag-ipa-ca-renew-agent-submit[2121]: dogtag-ipa-renew-agent returned 3
>> Jan 20 06:52:52 ipaserver.example.com certmonger[2016]: 2017-01-20
>> 06:52:52 [2016] Error 77 connecting to
>> https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem
>> with the SSL CA cert (path? access rights?).
>>
> 
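The thread's diagnosis above (certmonger's dogtag renew agent failing with curl error 77 because the IPA CA PEM cannot be loaded) shows the value of noticing stuck tracking requests before the certificates actually expire: `status: CA_UNREACHABLE` with `stuck: no` means certmonger will keep retrying, but a local CA-verification failure never clears on its own. The following is an added example, not code from the thread, from certmonger or from FreeIPA: it parses `getcert list` output (a constructed sample modelled on the anonymized output quoted above, with the e-mail line wrapping undone) and flags requests that are not in `MONITORING`, carry a `ca-error`, or are expired or close to expiry. Field names are those printed by `getcert list`; the warning window and the `audit()` helper are this example's own choices.

```python
"""Flag certmonger tracking requests that need operator attention.

Added example (not from the thread, certmonger or FreeIPA). Reads the
text printed by `getcert list` and reports each request whose status is
not MONITORING, that carries a ca-error, or whose certificate is expired
or expiring soon.
"""
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample, modelled on the anonymized output quoted in the thread
# (real getcert output keeps each field on one line; the e-mail wrapped them).
SAMPLE_GETCERT_LIST = """\
Request ID '20160616123036':
        status: CA_UNREACHABLE
        ca-error: Error 77 connecting to https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=IPA RA,O=EXAMPLE.COM
        expires: 2017-02-11 05:52:26 UTC
        track: yes
        auto-renew: yes
Request ID '20170101000000':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ipaserver.example.com,O=EXAMPLE.COM
        expires: 2019-01-01 00:00:00 UTC
        track: yes
        auto-renew: yes
"""


def parse_getcert_list(text):
    """Return one dict per 'Request ID' block, keyed by the printed field names."""
    requests = []
    current = None
    for line in text.splitlines():
        header = re.match(r"Request ID '([^']+)':", line)
        if header:
            current = {"request_id": header.group(1)}
            requests.append(current)
            continue
        stripped = line.strip()
        if current is None or ":" not in stripped:
            continue
        # Split on the first colon only: the ca-error value itself contains a URL.
        key, _, value = stripped.partition(":")
        current[key.strip()] = value.strip()
    return requests


def nickname_of(request):
    """Extract the NSS nickname from the 'certificate' field, if present."""
    found = re.search(r"nickname='([^']+)'", request.get("certificate", ""))
    return found.group(1) if found else None


def check_requests(requests, now, warn_days=30):
    """Map request_id -> list of reasons for every request that needs attention."""
    findings = {}
    for req in requests:
        reasons = []
        status = req.get("status", "")
        if status != "MONITORING":
            reasons.append("status=" + status)
        if req.get("ca-error"):
            reasons.append("ca-error")
        expires = req.get("expires")
        if expires:
            exp = datetime.strptime(expires.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
            days_left = (exp.replace(tzinfo=timezone.utc) - now).days
            if days_left < 0:
                reasons.append("expired")
            elif days_left <= warn_days:
                reasons.append("expires-in-%dd" % days_left)
        if reasons:
            findings[req["request_id"]] = reasons
    return findings


def audit(text, now_date=None):
    """Convenience wrapper: now_date is 'YYYY-MM-DD' (UTC) or None for the current time."""
    if now_date is None:
        now = datetime.now(timezone.utc)
    else:
        now = datetime.strptime(now_date, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return check_requests(parse_getcert_list(text), now)


if __name__ == "__main__":
    # On a real IPA server read live data; here the constructed sample is used.
    try:
        output = subprocess.run(["getcert", "list"], capture_output=True,
                                text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_GETCERT_LIST
    requests = parse_getcert_list(output)
    by_id = {r["request_id"]: r for r in requests}
    for request_id, reasons in audit(output).items():
        print(request_id, nickname_of(by_id[request_id]), ", ".join(reasons))
```

Run as a cron job or a monitoring check, anything other than an empty result is worth an alert: a `ca-error` that repeats across runs means the retry loop is not going to recover, which is exactly the situation the thread describes.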