<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 08/07/2014 01:25 PM, Rob Crittenden
wrote:<br>
</div>
<blockquote cite="mid:53E3B680.2080901@redhat.com" type="cite">
<pre wrap="">Lucas Yamanishi wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hello, I'm in a bit of a pickle with the PKI system. I have three
replicas, but only one contains the CA. I realize how poor a decision
it was to do that. I plan to create more complete replicas, but right
now I can't even create a replica file, much less a full replica.
The problem started when the CA subsystem certificates expired. I read
several threads explaining how to roll back time and renew them, but I
then discovered that the host and HTTP certificates for the server were
missing. I checked for backups, but we erroneously did not cover those
files. Because they are missing, I was unable to renew any certificates.
Is there a way to manually create host and service certificates? When I
search for this, the "manual" procedure listed in the documentation
requires `ipa cert-request` which does not work. I did try installing a
self-signed cert for HTTP with `ipa-server-certinstall`. That changed
the errors, but the commands still fail. The pki-ca service is running
OK, as far as I can tell.
I also tried adding a CA instance to one of the other replicas with
`ipa-ca-install`, but it failed during the configuration phase.
</pre>
</blockquote>
<pre wrap="">The subsystem certificate renewal should be independent of the web (and
host) certificates. I'd focus on getting the CA back up, then we can see
about getting a new web server certificate.
Can you share the output of: getcert list
You'll probably want to obfuscate the output as it contains the PIN to
the private key database of the CA.
rob
</pre>
</blockquote>
<font face="Inconsolata">Here you go. I've also included `certutil
-L` outputs.<br>
<br>
The *auditSigningCert* I tried resubmitting with the time rolled
back. The post-save command was also updated, because it wasn't
done a year or two back when it replaced our old CRL-signer.<br>
<br>
`getcert list`:<br>
<br>
```</font><br>
<font face="Inconsolata">Number of certificates and requests being
tracked: 7.</font><br>
<font face="Inconsolata">Request ID '20130321103859':</font><br>
<font face="Inconsolata"> status: CA_UNREACHABLE</font><br>
<font face="Inconsolata"> ca-error: Error 35 connecting to
<a class="moz-txt-link-freetext" href="https://badca.example.com:9443/ca/agent/ca/profileReview">https://badca.example.com:9443/ca/agent/ca/profileReview</a>: SSL
connect error.</font><br>
<font face="Inconsolata"> stuck: yes</font><br>
<font face="Inconsolata"> key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='XXXXXXXXXXXX'</font><br>
<font face="Inconsolata"> certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'</font><br>
<font face="Inconsolata"> CA: dogtag-ipa-renew-agent</font><br>
<font face="Inconsolata"> issuer: CN=Certificate
Authority,O=EXAMPLE.COM</font><br>
<font face="Inconsolata"> subject: CN=CA Audit,O=EXAMPLE.COM</font><br>
<font face="Inconsolata"> expires: 2014-07-31 21:29:35 UTC</font><br>
<font face="Inconsolata"> pre-save command:
/usr/lib64/ipa/certmonger/stop_pkicad</font><br>
<font face="Inconsolata"> post-save command:
/usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert
cert-pki-ca"</font><br>
<font face="Inconsolata"> track: yes</font><br>
<font face="Inconsolata"> auto-renew: yes</font><br>
<font face="Inconsolata">Request ID '20130321103900':</font><br>
<font face="Inconsolata"> status: NEED_GUIDANCE</font><br>
<font face="Inconsolata"> stuck: yes</font><br>
<font face="Inconsolata"> key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='XXXXXXXXXXXX'</font><br>
<font face="Inconsolata"> certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'</font><br>
<font face="Inconsolata"> CA:
dogtag-ipa-retrieve-agent-submit</font><br>
<font face="Inconsolata"> issuer: CN=Certificate
Authority,O=EXAMPLE.COM</font><br>
<font face="Inconsolata"> subject: CN=OCSP
Subsystem,O=EXAMPLE.COM</font><br>
<font face="Inconsolata"> expires: 2014-07-31 21:29:33 UTC</font><br>
<font face="Inconsolata"> eku: id-kp-OCSPSigning</font><br>
<font face="Inconsolata"> pre-save command:
/usr/lib64/ipa/certmonger/stop_pkicad</font><br>
<font face="Inconsolata"> post-save command:
/usr/lib64/ipa/certmonger/restart_pkicad "ocspSigningCert
cert-pki-ca"</font><br>
<font face="Inconsolata"> track: yes</font><br>
<font face="Inconsolata"> auto-renew: yes</font><br>
<font face="Inconsolata">Request ID '20130321103901':</font><br>
<font face="Inconsolata"> status: NEED_GUIDANCE</font><br>
<font face="Inconsolata"> stuck: yes</font><br>
<font face="Inconsolata"> key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='XXXXXXXXXXXX'</font><br>
<font face="Inconsolata"> certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'</font><br>
<font face="Inconsolata"> CA:
dogtag-ipa-retrieve-agent-submit</font><br>
<font face="Inconsolata"> issuer: CN=Certificate
Authority,O=EXAMPLE.COM</font><br>
<font face="Inconsolata"> subject: CN=CA
Subsystem,O=EXAMPLE.COM</font><br>
<font face="Inconsolata"> expires: 2014-07-31 21:29:34 UTC</font><br>
<font face="Inconsolata"> eku:
id-kp-serverAuth,id-kp-clientAuth</font><br>
<font face="Inconsolata"> pre-save command:
/usr/lib64/ipa/certmonger/stop_pkicad</font><br>
<font face="Inconsolata"> post-save command:
/usr/lib64/ipa/certmonger/restart_pkicad "subsystemCert
cert-pki-ca"</font><br>
<font face="Inconsolata"> track: yes</font><br>
<font face="Inconsolata"> auto-renew: yes</font><br>
<font face="Inconsolata">Request ID '20130321103902':</font><br>
<font face="Inconsolata"> status: NEED_GUIDANCE</font><br>
<font face="Inconsolata"> stuck: yes</font><br>
<font face="Inconsolata"> key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'</font><br>
<font face="Inconsolata"> certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'</font><br>
<font face="Inconsolata"> CA:
dogtag-ipa-retrieve-agent-submit</font><br>
<font face="Inconsolata"> issuer: CN=Certificate
Authority,O=EXAMPLE.COM</font><br>
<font face="Inconsolata"> subject: CN=IPA RA,O=EXAMPLE.COM</font><br>
<font face="Inconsolata"> expires: 2014-07-31 21:30:34 UTC</font><br>
<font face="Inconsolata"> eku:
id-kp-serverAuth,id-kp-clientAuth</font><br>
<font face="Inconsolata"> pre-save command: </font><br>
<font face="Inconsolata"> post-save command:
/usr/lib64/ipa/certmonger/restart_httpd</font><br>
<font face="Inconsolata"> track: yes</font><br>
<font face="Inconsolata"> auto-renew: yes</font><br>
<font face="Inconsolata">Request ID '20130321103903':</font><br>
<font face="Inconsolata"> status: MONITORING</font><br>
<font face="Inconsolata"> stuck: no</font><br>
<font face="Inconsolata"> key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='XXXXXXXXXXXX'</font><br>
<font face="Inconsolata"> certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'</font><br>
<font face="Inconsolata"> CA: dogtag-ipa-renew-agent</font><br>
<font face="Inconsolata"> issuer: CN=Certificate
Authority,O=EXAMPLE.COM</font><br>
<font face="Inconsolata"> subject:
CN=badca.example.com,O=EXAMPLE.COM</font><br>
<font face="Inconsolata"> expires: 2016-07-03 23:53:02 UTC</font><br>
<font face="Inconsolata"> eku:
id-kp-serverAuth,id-kp-clientAuth</font><br>
<font face="Inconsolata"> pre-save command: </font><br>
<font face="Inconsolata"> post-save command: </font><br>
<font face="Inconsolata"> track: yes</font><br>
<font face="Inconsolata"> auto-renew: yes</font><br>
<font face="Inconsolata">Request ID '20140724160403':</font><br>
<font face="Inconsolata"> status: MONITORING</font><br>
<font face="Inconsolata"> stuck: no</font><br>
<font face="Inconsolata"> key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
Certificate
DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'</font><br>
<font face="Inconsolata"> certificate:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
Certificate DB'</font><br>
<font face="Inconsolata"> CA: IPA</font><br>
<font face="Inconsolata"> issuer: CN=Certificate
Authority,O=EXAMPLE.COM</font><br>
<font face="Inconsolata"> subject:
CN=badca.example.com,O=EXAMPLE.COM</font><br>
<font face="Inconsolata"> expires: 2016-07-28 18:28:51 UTC</font><br>
<font face="Inconsolata"> eku:
id-kp-serverAuth,id-kp-clientAuth</font><br>
<font face="Inconsolata"> pre-save command: </font><br>
<font face="Inconsolata"> post-save command:
/usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM</font><br>
<font face="Inconsolata"> track: yes</font><br>
<font face="Inconsolata"> auto-renew: yes</font><br>
<font face="Inconsolata">Request ID '20140807180016':</font><br>
<font face="Inconsolata"> status: MONITORING</font><br>
<font face="Inconsolata"> stuck: no</font><br>
<font face="Inconsolata"> key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'</font><br>
<font face="Inconsolata"> certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'</font><br>
<font face="Inconsolata"> CA: IPA</font><br>
<font face="Inconsolata"> issuer: CN=Certificate
Authority,O=EXAMPLE.COM</font><br>
<font face="Inconsolata"> subject:
CN=badca.example.com,O=EXAMPLE.COM</font><br>
<font face="Inconsolata"> expires: 2016-07-25 23:53:04 UTC</font><br>
<font face="Inconsolata"> eku:
id-kp-serverAuth,id-kp-clientAuth</font><br>
<font face="Inconsolata"> pre-save command: </font><br>
<font face="Inconsolata"> post-save command:
/usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA</font><br>
<font face="Inconsolata"> track: yes</font><br>
<font face="Inconsolata"> auto-renew: yes</font><br>
<font face="Inconsolata">```<br>
<br>
`certutil -L -d /var/lib/pki-ca/alias`:<br>
</font>
<pre wrap="">Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
</pre>
<font face="Inconsolata">`certutil -L -d /etc/httpd/alias` (most of these were re-added
after `ipa-server-certinstall` removed them):<br>
</font>
<pre wrap="">Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

badca.example.com - self-signed                              CTu,Cu,u
EXAMPLE.COM IPA CA                                           CT,C,
ipaCert                                                      u,u,u
Server-Cert                                                  ,,
</pre>
<font face="Inconsolata">`certutil -L -d /etc/pki/nssdb`:<br>
</font>
<pre wrap="">Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

badca.example.com - self-signed                              CT,C,C
IPA CA                                                       CT,C,C
</pre>
<pre class="moz-signature" cols="72">--
-----
*question everything*learn something*answer nothing*
------------
Lucas Yamanishi
------------------
Systems Administrator, ADNET Systems, Inc.
NASA Space and Earth Science Data Analysis (606.9)
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xD354B2CB</pre>
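<p>Added example, not part of this mail and not FreeIPA or certmonger code: a small Python script that parses <code>getcert list</code> output in the layout shown above and flags requests that are stuck, not in MONITORING, or close to expiry, redacting the NSS database PIN (the caveat Rob raised) before the report is shared. The sample listing, hostnames, realm and dates embedded in it are constructed for the example.</p>
<pre wrap="">
```python
"""Triage `getcert list` output from certmonger.

Added example, not code from the mail, FreeIPA or certmonger. It parses the
"Request ID" blocks and their indented "field: value" lines as certmonger
prints them, then reports requests that are stuck, not in MONITORING, or
close to expiry. The PIN in "key pair storage" is redacted for reporting.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of the listing in the mail; the request
# ids, hostnames, realm and dates are made up for this example.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20130321103859':
\tstatus: CA_UNREACHABLE
\tca-error: Error 35 connecting to https://ca.example.test:9443/ca/agent/ca/profileReview: SSL connect error.
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='XXXXXXXXXXXX'
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=CA Audit,O=EXAMPLE.TEST
\texpires: 2014-07-31 21:29:35 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20130321103903':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='XXXXXXXXXXXX'
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=ca.example.test,O=EXAMPLE.TEST
\texpires: 2016-07-03 23:53:02 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20140724160403':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-TEST/pwdfile.txt'
\tCA: IPA
\tsubject: CN=ca.example.test,O=EXAMPLE.TEST
\texpires: 2014-08-20 18:28:51 UTC
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_getcert_list(text):
    """Return one dict per 'Request ID' block, keyed by certmonger field name."""
    records = []
    current = None
    for raw in text.splitlines():
        m = REQUEST_RE.match(raw)
        if m:
            current = {"request_id": m.group(1)}
            records.append(current)
            continue
        # Field lines are indented; the leading "Number of ..." line is not.
        if current is None or not raw.startswith(("\t", " ")):
            continue
        field, sep, value = raw.strip().partition(":")
        if sep:
            current[field.strip()] = value.strip()
    return records


def redact_pin(storage_line):
    """Blank the NSS database PIN so a listing can be shared for support."""
    return re.sub(r"pin='[^']*'", "pin='REDACTED'", storage_line)


def nickname(record):
    m = re.search(r"nickname='([^']+)'", record.get("key pair storage", ""))
    return m.group(1) if m else "?"


def triage(records, now, warn_days=30):
    """Return (request_id, nickname, reasons) for requests needing attention."""
    findings = []
    horizon = now + timedelta(days=warn_days)
    for r in records:
        reasons = []
        if r.get("stuck") == "yes":
            reasons.append("stuck")
        if r.get("status") != "MONITORING":
            reasons.append("status=" + r.get("status", "?"))
        exp = r.get("expires")
        if exp:
            when = datetime.strptime(exp, EXPIRES_FMT).replace(tzinfo=timezone.utc)
            if now >= when:
                reasons.append("expired " + exp)
            elif horizon >= when:
                reasons.append("expires within %dd (%s)" % (warn_days, exp))
        if reasons:
            findings.append((r["request_id"], nickname(r), "; ".join(reasons)))
    return findings


def triage_sample(warn_days=30):
    """Run the triage over the embedded sample as of the mail's date (2014-08-07)."""
    now = datetime(2014, 8, 7, 18, 0, tzinfo=timezone.utc)
    return triage(parse_getcert_list(SAMPLE_GETCERT_OUTPUT), now, warn_days)


if __name__ == "__main__":
    for rid, nick, why in triage_sample():
        print(rid, nick, why)
```
</pre>
<p>To run it over a live listing, replace the embedded sample with the text read from standard input and pipe <code>getcert list</code> into it; a request in CA_UNREACHABLE or NEED_GUIDANCE with <code>stuck: yes</code> and a past expiry, like the audit signing certificate above, is exactly what the triage surfaces first.</p>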
</body>
</html>