<div dir="ltr">hello,<div><br></div><div>I've got a problem with expired certificates in my ipa/IdM setup.  I believe the root issue to be from the fact that when everything was first set up about a year ago, everything was replicated from a first ipa server which no longer exists.  There are currently 3 ipa servers but none of them are the original.</div><div><br></div><div>A couple of days ago I started getting errors similar to '(SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired' through the web management interface.  After investigating with 'getcert list' I found that several certificates expired at 2015-05-31 18:48:55 UTC. </div><div><br></div><div>I found <a href="http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master">http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master</a> and followed the procedure for ipa &lt;4.0 and everything seemed to go as expected.  However this did not fix my issue. </div><div><br></div><div>With more searching it looked like once the certificates are expired the auto renew will not work.  Finding <a href="https://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Procedure_in_IPA_.3C_4.0">https://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Procedure_in_IPA_.3C_4.0</a> to try to manually renew, I am stuck at the beginning with 'Give the CSR to your external CA.'  I don't believe we had our certificates externally signed.  They are whatever the original install put in place.  Setting the date back in time wreaks havoc on our environment so I'm reluctant to leave it for too long.  I can get what I believe is the original CSR from /etc/pki-ca/CS.cfg but am unsure what to do next or if this is even the road I should be going down.</div><div><br></div><div>Things seem to be working for the most part except trying to make updates.  Any help on what to do next, somewhere else to look, or if I'm going in the right direction would be greatly appreciated. 
</div><div><br></div><div>thanks,</div><div>Marc</div><div><br></div><div>Info:</div><div>CentOS 6.5 with some current updates including</div><div>ipa-server-3.0.0-42.el6.centos.i686<br></div><div>certmonger-0.75.13-1.el6.i686<br></div><div><br></div><pre>$ getcert list-cas
CA 'SelfSign':
	is-default: no
	ca-type: INTERNAL:SELF
	next-serial-number: 01
CA 'IPA':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/ipa-submit
CA 'certmaster':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/certmaster-submit
CA 'dogtag-ipa-renew-agent':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
CA 'local':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/local-submit
CA 'dogtag-ipa-retrieve-agent-submit':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit
</pre><div><br></div><pre>$ getcert list
Number of certificates and requests being tracked: 9.
Request ID '20131204194012':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
	certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=IGLASS.NET
	subject: CN=spider01o,O=IGLASS.NET
	expires: 2015-12-05 19:40:13 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
Request ID '20141114162346':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=IGLASS.NET
	subject: CN=spider01o.iglass.net,O=IGLASS.NET
	expires: 2016-11-14 16:22:37 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
Request ID '20141114162434':
	status: MONITORING
	ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&amp;serial_num=1073545218&amp;renewal=true&amp;xml=true".
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='x'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=IGLASS.NET
	subject: CN=spider01o.iglass.net,O=IGLASS.NET
	expires: 2016-11-03 16:24:27 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
Request ID '20141114162522':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=IGLASS.NET
	subject: CN=spider01o.iglass.net,O=IGLASS.NET
	expires: 2016-11-14 16:22:36 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
Request ID '20141114162610':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=IGLASS.NET
	subject: CN=spider01o.iglass.net,O=IGLASS.NET
	expires: 2016-11-14 16:22:42 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
Request ID '20150604181945':
	status: CA_UNREACHABLE
	ca-error: Error 35 connecting to https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect error.
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='x'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=IGLASS.NET
	subject: CN=CA Audit,O=IGLASS.NET
	expires: 2015-05-31 18:48:55 UTC
	key usage: digitalSignature,nonRepudiation
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
Request ID '20150604181956':
	status: CA_UNREACHABLE
	ca-error: Error 35 connecting to https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect error.
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='x'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=IGLASS.NET
	subject: CN=OCSP Subsystem,O=IGLASS.NET
	expires: 2015-05-31 18:48:54 UTC
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	eku: id-kp-OCSPSigning
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
Request ID '20150604182006':
	status: CA_UNREACHABLE
	ca-error: Error 35 connecting to https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect error.
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='x'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=IGLASS.NET
	subject: CN=CA Subsystem,O=IGLASS.NET
	expires: 2015-05-31 18:48:54 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
Request ID '20150604182012':
	status: CA_UNREACHABLE
	ca-error: Error 35 connecting to https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect error.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=IGLASS.NET
	subject: CN=IPA RA,O=IGLASS.NET
	expires: 2015-05-31 18:49:37 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
</pre><div><br></div></div>
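<p>Added example for this thread (not code from the post, from FreeIPA or from certmonger): a small triage script that reads a <code>getcert list</code> dump, reports which tracked certificates were already expired at a chosen instant, works out how far back a temporary clock rollback would have to go, and emits <code>getcert resubmit -i</code> commands in a dependency order. The sample input is constructed from six of the nine requests above, trimmed to the fields the script uses. The ordering rule is an assumption of this example rather than something the post establishes: the 'IPA RA' certificate (nickname <code>ipaCert</code>) is the agent credential the <code>dogtag-ipa-renew-agent</code> helper presents to the CA agent port, so it is listed first, the Dogtag CA subsystem certificates next, and service certificates issued through the 'IPA' CA last. The reference time 2015-06-04 18:30:00 UTC is also assumed.</p>

```python
"""Triage helper for a certmonger `getcert list` dump during an expiry incident.

Added example for this thread, not code from the post or from FreeIPA/certmonger.
Assumption behind the resubmit order: the 'IPA RA' cert (nickname ipaCert) is the
agent credential the dogtag-ipa-renew-agent helper uses on the CA agent port,
so it is renewed first, then the CA subsystem certs, then IPA-issued service certs.
"""
import re
from datetime import datetime, timezone

# Constructed sample: six of the post's nine requests, trimmed to the fields used here.
SAMPLE = """Number of certificates and requests being tracked: 6.
Request ID '20131204194012':
\tstatus: MONITORING
\tkey pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
\tCA: IPA
\texpires: 2015-12-05 19:40:13 UTC
Request ID '20141114162434':
\tstatus: MONITORING
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca'
\tCA: dogtag-ipa-renew-agent
\texpires: 2016-11-03 16:24:27 UTC
Request ID '20150604181945':
\tstatus: CA_UNREACHABLE
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca'
\tCA: dogtag-ipa-renew-agent
\texpires: 2015-05-31 18:48:55 UTC
Request ID '20150604181956':
\tstatus: CA_UNREACHABLE
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca'
\tCA: dogtag-ipa-renew-agent
\texpires: 2015-05-31 18:48:54 UTC
Request ID '20150604182006':
\tstatus: CA_UNREACHABLE
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca'
\tCA: dogtag-ipa-renew-agent
\texpires: 2015-05-31 18:48:54 UTC
Request ID '20150604182012':
\tstatus: CA_UNREACHABLE
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert'
\tCA: dogtag-ipa-renew-agent
\texpires: 2015-05-31 18:49:37 UTC
"""

REQ_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\s+([^:]+?):\s*(.*)$")
NICK_RE = re.compile(r"nickname='([^']*)'")


def utc(stamp):
    """'YYYY-MM-DD HH:MM:SS[ UTC]' (certmonger prints UTC) -> aware datetime."""
    return datetime.strptime(stamp[:19], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_getcert(text):
    """One dict per 'Request ID' block; raw fields keyed by their label."""
    entries, cur = [], None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            cur = {"id": m.group(1)}
            entries.append(cur)
            continue
        m = FIELD_RE.match(line)
        if cur is None or not m:
            continue
        key, value = m.groups()
        cur[key] = value
        if key == "key pair storage":
            nick = NICK_RE.search(value)
            cur["nickname"] = nick.group(1) if nick else None
        elif key == "expires":
            cur["expires_at"] = utc(value)
    return entries


def expired_at(entries, when):
    """Requests whose certificate had already expired at `when`."""
    return [e for e in entries if "expires_at" in e and e["expires_at"] <= when]


def clock_rollback_target(entries, when):
    """Earliest expiry among the dead certs: a temporary clock rollback must land before it."""
    dead = expired_at(entries, when)
    return min(e["expires_at"] for e in dead) if dead else None


def renewal_plan(entries, when):
    """`getcert resubmit` commands for the expired requests, agent credential first."""
    def rank(e):
        if e.get("nickname") == "ipaCert":            # assumed prerequisite for the others
            return 0
        return 1 if e.get("CA") == "dogtag-ipa-renew-agent" else 2
    ordered = sorted(expired_at(entries, when), key=lambda e: (rank(e), e["id"]))
    return ["getcert resubmit -i %s" % e["id"] for e in ordered]


if __name__ == "__main__":
    now = utc("2015-06-04 18:30:00")  # assumed reference time, a few days after the expiry
    entries = parse_getcert(SAMPLE)
    for e in entries:
        print(e["id"], e["nickname"], e["status"], "EXPIRED" if e in expired_at(entries, now) else "ok")
    print("rollback target:", clock_rollback_target(entries, now), "\n" + "\n".join(renewal_plan(entries, now)))
```

<p>On a real host, feed it <code>getcert list</code> output instead of the constructed sample. The printed <code>getcert resubmit -i</code> lines are certmonger's standard way to re-trigger a tracked request; they are meant to be run on the renewal master, with the clock temporarily set back before the rollback target only for as long as the resubmits take, and followed by another <code>getcert list</code> to confirm every request has left CA_UNREACHABLE.</p>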