<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    So in lieu of fixing these certs, is there an acceptable way to dump
    them all and start over <i>without losing the contents of the IPA
      database</i>? Or otherwise really screwing ourselves? <br>
    <br>
    We have a replica that's still up and running and we've switched
    everyone over to talking to it, but we're at risk with just the one.<br>
    <br>
    Thanks!<br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 04/27/2016 06:05 AM, Bret Wortman
      wrote:<br>
    </div>
    <blockquote cite="mid:57208EE1.3000006@damascusgrp.com" type="cite">
      <meta content="text/html; charset=windows-1252"
        http-equiv="Content-Type">
      Was this at all informative?<br>
      <br>
      <div class="moz-cite-prefix">On 04/26/2016 02:06 PM, Bret Wortman
        wrote:<br>
      </div>
      <blockquote cite="mid:571FAE1C.107@damascusgrp.com" type="cite">
        <meta content="text/html; charset=windows-1252"
          http-equiv="Content-Type">
        <br>
        <br>
        <div class="moz-cite-prefix">On 04/26/2016 01:45 PM, Rob
          Crittenden wrote:<br>
        </div>
        <blockquote cite="mid:571FA944.8040003@redhat.com" type="cite">Bret Wortman wrote: <br>
          <blockquote type="cite">I think I've found a deeper problem,
            in that I can't update these <br>
            because IPA simply won't start at all now. <br>
            <br>
            I mistyped one of these -- the 2016-03-11 is actually
            2018-03-11, and <br>
            2016-04-01 is actually 2036-04-01. <br>
            <br>
            As for the unknowns, the first says status: CA_REJECTED and
            the error <br>
            says "hostname in subject of request 'zw198.private.net'
            does not match <br>
            principal hostname 'private.net'", with stuck: yes. <br>
            <br>
            The second is similar, but for a different host. <br>
          </blockquote>
          <br>
          Is it really a different host and why? I think we'd need to
          see the full output to know what's going on. <br>
          <br>
        </blockquote>
        <br>
        Full output:<br>
        <font face="Courier New, Courier, monospace"><br>
          Number of certificates and requests being tracked: 10.<br>
          Request ID '20140428181940':<br>
              status: MONITORING<br>
              stuck: no<br>
              key pair storage:
          type=NSSDB,location='/etc/dirsrv/slapd-PRIVATE-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PRIVATE-NET/pwdfile.txt'<br>
              certificate:
          type=NSSDB,location='/etc/dirsrv/slapd-PRIVATE-NET',nickname='Server-Cert',token='NSS Certificate DB'<br>
              CA: IPA<br>
              issuer: CN=Certificate Authority,O=PRIVATE.NET<br>
              subject: CN=zsipa.private.net,O=PRIVATE.NET<br>
              expires: 2018-04-02 13:04:51 UTC<br>
              principal name: <a moz-do-not-send="true"
            class="moz-txt-link-abbreviated"
            href="mailto:ldap/zsipa.private.net@PRIVATE.NET">ldap/zsipa.private.net@PRIVATE.NET</a><br>
              key usage:
          digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
              eku: id-kp-serverAuth,id-kp-clientAuth<br>
              pre-save command: <br>
              post-save command: <br>
              track: yes<br>
              auto-renew: yes<br>
          Request ID '20140428182016':<br>
              status: MONITORING<br>
              stuck: no<br>
              key pair storage:
          type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
          Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
              certificate:
          type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
          Certificate DB'<br>
              CA: IPA<br>
              issuer: CN=Certificate Authority,O=PRIVATE.NET<br>
              subject: CN=zsipa.private.net,O=PRIVATE.NET<br>
              expires: 2018-04-02 13:04:31 UTC<br>
              principal name: <a moz-do-not-send="true"
            class="moz-txt-link-abbreviated"
            href="mailto:HTTP/zsipa.private.net@PRIVATE.NET">HTTP/zsipa.private.net@PRIVATE.NET</a><br>
              key usage:
          digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
              eku: id-kp-serverAuth,id-kp-clientAuth<br>
              pre-save command: <br>
              post-save command: <br>
              track: yes<br>
              auto-renew: yes<br>
          Request ID '20150211141945':<br>
              status: CA_REJECTED<br>
              ca-error: Server at <a moz-do-not-send="true"
            class="moz-txt-link-freetext"
            href="https://zsipa.private.net/ipa/xml">https://zsipa.private.net/ipa/xml</a>
          denied our request, giving up: 2100 (RPC failed at server. 
          Insufficient access: hostname in subject of request
          'zw198.private.net' does not match principal hostname
          'private.net').<br>
              stuck: yes<br>
              key pair storage:
          type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS
          Certificate DB'<br>
              certificate:
          type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'<br>
              CA: IPA<br>
              issuer: <br>
              subject: <br>
              expires: unknown<br>
              pre-save command: <br>
              post-save command: <br>
              track: yes<br>
              auto-renew: yes<br>
          Request ID '20150816194107':<br>
              status: CA_UNREACHABLE<br>
              ca-error: Internal error<br>
              stuck: no<br>
              key pair storage:
          type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='424151811070'<br>
              certificate:
          type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'<br>
              CA: dogtag-ipa-ca-renew-agent<br>
              issuer: CN=Certificate Authority,O=PRIVATE.NET<br>
              subject: CN=CA Audit,O=PRIVATE.NET<br>
              expires: 2016-04-17 18:19:19 UTC<br>
              key usage: digitalSignature,nonRepudiation<br>
              pre-save command: <br>
              post-save command: <br>
              track: yes<br>
              auto-renew: yes<br>
          Request ID '20150816194108':<br>
              status: CA_UNREACHABLE<br>
              ca-error: Internal error<br>
              stuck: no<br>
              key pair storage:
          type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='424151811070'<br>
              certificate:
          type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'<br>
              CA: dogtag-ipa-ca-renew-agent<br>
              issuer: CN=Certificate Authority,O=PRIVATE.NET<br>
              subject: CN=OCSP Subsystem,O=PRIVATE.NET<br>
              expires: 2016-04-17 18:19:18 UTC<br>
              key usage:
          digitalSignature,nonRepudiation,keyCertSign,cRLSign<br>
              eku: id-kp-OCSPSigning<br>
              pre-save command: <br>
              post-save command: <br>
              track: yes<br>
              auto-renew: yes<br>
          Request ID '20150816194109':<br>
              status: CA_UNREACHABLE<br>
              ca-error: Internal error<br>
              stuck: no<br>
              key pair storage:
          type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
          cert-pki-ca',token='NSS Certificate DB',pin='424151811070'<br>
              certificate:
          type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
          cert-pki-ca',token='NSS Certificate DB'<br>
              CA: dogtag-ipa-ca-renew-agent<br>
              issuer: CN=Certificate Authority,O=PRIVATE.NET<br>
              subject: CN=CA Subsystem,O=PRIVATE.NET<br>
              expires: 2016-04-17 18:19:19 UTC<br>
              key usage:
          digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
              eku: id-kp-serverAuth,id-kp-clientAuth<br>
              pre-save command: <br>
              post-save command: <br>
              track: yes<br>
              auto-renew: yes<br>
          Request ID '20150816194110':<br>
              status: MONITORING<br>
              stuck: no<br>
              key pair storage:
          type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
          cert-pki-ca',token='NSS Certificate DB',pin='424151811070'<br>
              certificate:
          type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
          cert-pki-ca',token='NSS Certificate DB'<br>
              CA: dogtag-ipa-ca-renew-agent<br>
              issuer: CN=Certificate Authority,O=PRIVATE.NET<br>
              subject: CN=Certificate Authority,O=PRIVATE.NET<br>
              expires: 2036-04-01 20:16:39 UTC<br>
              key usage:
          digitalSignature,nonRepudiation,keyCertSign,cRLSign<br>
              pre-save command: <br>
              post-save command: <br>
              track: yes<br>
              auto-renew: yes<br>
          Request ID '20150816194111':<br>
              status: CA_UNREACHABLE<br>
              ca-error: Internal error<br>
              stuck: no<br>
              key pair storage:
          type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
          Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
              certificate:
          type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
          Certificate DB'<br>
              CA: dogtag-ipa-ca-renew-agent<br>
              issuer: CN=Certificate Authority,O=PRIVATE.NET<br>
              subject: CN=IPA RA,O=PRIVATE.NET<br>
              expires: 2016-04-17 18:19:35 UTC<br>
              key usage:
          digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
              eku: id-kp-serverAuth,id-kp-clientAuth<br>
              pre-save command: <br>
              post-save command: <br>
              track: yes<br>
              auto-renew: yes<br>
          Request ID '20150816194112':<br>
              status: MONITORING<br>
              stuck: no<br>
              key pair storage:
          type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
          cert-pki-ca',token='NSS Certificate DB',pin='424151811070'<br>
              certificate:
          type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
          cert-pki-ca',token='NSS Certificate DB'<br>
              CA: dogtag-ipa-renew-agent<br>
              issuer: CN=Certificate Authority,O=PRIVATE.NET<br>
              subject: CN=zsipa.private.net,O=PRIVATE.NET<br>
              expires: 2018-03-11 13:04:29 UTC<br>
              key usage:
          digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
              eku: id-kp-serverAuth,id-kp-clientAuth<br>
              pre-save command: <br>
              post-save command: <br>
              track: yes<br>
              auto-renew: yes<br>
          Request ID '20151214165433':<br>
              status: CA_REJECTED<br>
              ca-error: Server at <a moz-do-not-send="true"
            class="moz-txt-link-freetext"
            href="https://zsipa.private.net/ipa/xml">https://zsipa.private.net/ipa/xml</a>
          denied our request, giving up: 2100 (RPC failed at server. 
          Insufficient access: hostname in subject of request
          'zsipa.private.net' does not match principal hostname '<a
            moz-do-not-send="true" class="moz-txt-link-abbreviated"
            href="http://www.private.net">www.private.net</a>').<br>
              stuck: yes<br>
              key pair storage:
          type=FILE,location='/etc/pki/tls/private/www.private.net.key'<br>
              certificate:
          type=FILE,location='/etc/pki/tls/certs/www.private.net.crt'<br>
              CA: IPA<br>
              issuer: <br>
              subject: <br>
              expires: unknown<br>
              pre-save command: <br>
              post-save command: <br>
              track: yes<br>
              auto-renew: yes</font><br>
        <br>
        <br>
        <blockquote cite="mid:571FA944.8040003@redhat.com" type="cite">A
          given host can only get certificates for itself or those
          delegated to it. Hostnames are used for this enforcement so if
          they don't line up you'll see this type of rejection. <br>
          <br>
          <blockquote type="cite"> <br>
            No idea what's wrong with the rest, or why nothing will
            start. Near as I <br>
            can tell, Kerberos is failing to start, which is causing
            everything else <br>
            to go toes up. <br>
            <br>
            Early in the startup, in /var/log/messages, there's: <br>
            <br>
            ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code
            may provide <br>
            more information (No Kerberos credentials available) <br>
          </blockquote>
          <br>
          Without more context it's hard to say. 389 is rather chatty
          about things and of course when it starts it has no ticket so
          it logs a bunch of stuff, eventually (hopefully) gets one, and
          then shuts up. <br>
          <br>
          <blockquote type="cite"> <br>
            After that, I get a jar file read problem on log4j.jar, then
            a series of <br>
            property setting attempts that don't find matching
            properties. Then some <br>
            cipher errors, then it looks like named starts up okay, and
            everything <br>
            pauses for about 5 minutes before it all comes crashing back
            down. <br>
            <br>
          </blockquote>
          <br>
          I wouldn't get too hung up on particular services just yet.
          Without valid certs things will fail and those problems will
          cascade. I think we just need more details at this point. <br>
          <br>
          rob <br>
          <br>
          <blockquote type="cite"> <br>
            Bret <br>
            <br>
            On 04/26/2016 12:40 PM, Petr Vobornik wrote: <br>
            <blockquote type="cite">On 04/26/2016 06:00 PM, Bret Wortman
              wrote: <br>
              <blockquote type="cite"># getcert list | grep expires <br>
                      expires: 2018-04-02 13:04:51 UTC <br>
                      expires: 2018-04-02 13:04:31 UTC <br>
                      expires: unknown <br>
                      expires: 2016-04-17 18:19:19 UTC <br>
                      expires: 2016-04-17 18:19:18 UTC <br>
                      expires: 2016-04-17 18:19:19 UTC <br>
                      expires: 2016-04-01 20:16:39 UTC <br>
                      expires: 2016-04-17 18:19:35 UTC <br>
                      expires: 2016-03-11 13:04:29 UTC <br>
                      expires: unknown <br>
                # <br>
                <br>
                So some got updated and most didn't. Is there a
                recommended way to update these <br>
                all? The system is still backdated to 3 April (ntpd
                disabled) at this point. <br>
              </blockquote>
              It's usually good to start renewing (when it doesn't happen
              automatically <br>
              for some reason) with the cert which is about to expire
              first, i.e. <br>
              the one with "2016-03-11 13:04:29" <br>
              <br>
              The process is: <br>
              - move the date to before the cert is about to expire <br>
              - leave it up to certmonger or manually force resubmit by
              `getcert <br>
              resubmit -i $REQUEST_ID`, where request ID is in `getcert
              list` output. <br>
              <br>
              I'm a little worried about the fact that CA cert was renewed
              at a date which <br>
              is after expiration of the other certs. <br>
              <br>
              Also the `expires: unknown` doesn't look good. Check
              `getcert list` <br>
              output for errors related to the cert. <br>
              <br>
              <br>
              <blockquote type="cite"> <br>
                Bret <br>
                <br>
                <br>
                On 04/26/2016 11:46 AM, Petr Vobornik wrote: <br>
                <blockquote type="cite">On 04/26/2016 03:26 PM, Bret
                  Wortman wrote: <br>
                  <blockquote type="cite">On our non-CA IPA server, this
                    is happening, in case it's related and illustrative:
                    <br>
                    <br>
                    # ipa host-del zw113.private.net <br>
                    ipa: ERROR: Certificate format error:
                    (SEC_ERROR_LEGACY_DATABASE) The <br>
                    certificate/key database is in an old, unsupported
                    format. <br>
                    # <br>
                  </blockquote>
                  I would start with checking on all IPA servers if and
                  what certificates <br>
                  are expired: <br>
                      # getcert list <br>
                  or short version to check if there are any: <br>
                      # getcert list | grep expires <br>
                  <br>
                  When CA cert is renewed, it is not automatically
                  transferred to clients. <br>
                  There one must run: <br>
                      # ipa-certupdate <br>
                  <br>
                  <blockquote type="cite">On 04/26/2016 09:24 AM, Bret
                    Wortman wrote: <br>
                    <blockquote type="cite">I rolled the date on the IPA
                      server in question back to April 1 and ran <br>
                      "ipa-cacert-manage renew", which said it completed
                      successfully. I rolled the <br>
                      date back to current and tried restarting ipa
                      using ipactl stop && ipactl <br>
                      start, but no joy. No more ca renewal errors, but
                      right after the pause I see <br>
                      this in /var/log/messages: <br>
                      <br>
                      systemd: kadmin.service: main process exited,
                      code=exited, <br>
                      status=2/INVALIDARGUMENT <br>
                      systemd: Unit kadmin.service entered failed state.
                      <br>
                      systemd: kadmin.service failed. <br>
                      <br>
                      I rebooted the server just in case, and it's still
                      getting stuck at the same <br>
                      place. ipa-otpd doesn't get around to starting. <br>
                      <br>
                      <br>
                      Bret <br>
                      <br>
                      After the several-minutes-long pause after ipactl
                      start outputs "Starting <br>
                      pki-tomcatd Service", I get the <br>
                      <br>
                      On 04/26/2016 08:14 AM, Bret Wortman wrote: <br>
                      <blockquote type="cite">I have an IPA server on a
                        private network which has apparently run into <br>
                        certificate issues this morning. It's been
                        running without issue for quite a <br>
                        while, and is on 4.1.4-1 on fedora 21. <br>
                        <br>
                        This morning, the gui started giving: <br>
                        <br>
                        IPA Error 907: NetworkError with description
                        "cannot connect to <br>
                        '<a moz-do-not-send="true"
                          class="moz-txt-link-freetext"
                          href="https://zsipa.private.net:443/ca/agent/ca/displayBySerial">https://zsipa.private.net:443/ca/agent/ca/displayBySerial</a>':
                        <br>
                        (SSL_ERROR_EXPIRED_CERRT_ALERT) SSL peer
                        rejected your certificate as expired." <br>
                        <br>
                        I dug into the logs and after trying to restart
                        ipa using ipactl, there was a <br>
                        lengthy pause, then: <br>
                        <br>
                        dogtag-ipa-ca-renew-agent-submit: Updated
                        certificate not available <br>
                        certmonger: Certificate named "ipaCert" in token
                        "NSS Certificate DB" in <br>
                        database "/etc/httpd/alias" is no longer valid.
                        <br>
                        dogtag-ipa-ca-renew-agent-submit: Updated
                        certificate not available <br>
                        certmonger: Certificate named "ocspSigningCert
                        cert-pki-ca" in token "NSS <br>
                        Certificate DB" in database
                        "/etc/pki/pki-tomcat/alias" is no longer valid.
                        <br>
                        dogtag-ipa-ca-renew-agent-submit: Updated
                        certificate not available. <br>
                        named-pkcs11[3437]: client
                        192.168.208.205#57832: update <br>
                        '208.168.192.in-addr.arpa/IN' denied <br>
                        <br>
                        and then things start shutting down. I can't
                        start ipa at all using ipactl. <br>
                        <br>
                        So at present, our DNS is down. Authentication
                        should work for a while, but <br>
                        I'd like to get this working again as quickly as
                        possible. Any ideas? I deal <br>
                        with certificates so infrequently (like only
                        when something like this <br>
                        happens) that I'm not sure where to start. <br>
                        <br>
                        Thanks! <br>
                        <br>
                        <br>
                        -- <br>
                        *Bret Wortman* <br>
                        /Coming soon to Kickstarter.../ <br>
                        <a moz-do-not-send="true"
                          class="moz-txt-link-rfc2396E"
                          href="http://wrapbuddies.co/"><http://wrapbuddies.co/></a>
                        <br>
                        <a moz-do-not-send="true"
                          class="moz-txt-link-freetext"
                          href="http://wrapbuddies.co/">http://wrapbuddies.co/</a>
                        <br>
                        <br>
                      </blockquote>
                    </blockquote>
                  </blockquote>
                </blockquote>
              </blockquote>
              <br>
            </blockquote>
            <br>
            <br>
            <br>
          </blockquote>
          <br>
        </blockquote>
        <br>
      </blockquote>
      <br>
    </blockquote>
    <br>
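    <p>Pulling the thread's triage advice together (check <code>getcert list</code> for expired or <code>unknown</code> expiries, stuck requests and CA rejections, then renew the cert closest to expiry first), here is an added example that is not part of the thread, of certmonger or of FreeIPA: a small Python parser for <code>getcert list</code> output, run over a constructed sample in the same layout with made-up hostnames and request IDs, that reports which tracked requests need attention and in what order.</p>

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout `getcert list` prints; hosts are made up.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20150816194110':
    status: MONITORING
    stuck: no
    expires: 2036-04-01 20:16:39 UTC
Request ID '20150816194111':
    status: CA_UNREACHABLE
    ca-error: Internal error
    stuck: no
    expires: 2016-04-17 18:19:35 UTC
Request ID '20150211141945':
    status: CA_REJECTED
    ca-error: Server at https://ipa.example.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: hostname in subject of request 'web1.example.test' does not match principal hostname 'example.test').
    stuck: yes
    expires: unknown
"""

REQ_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?): ?(.*)$")
MISMATCH_RE = re.compile(r"hostname in subject of request '([^']+)' does not match principal hostname '([^']+)'")

def parse_getcert_list(text):
    """One dict per tracked request, built from its indented 'field: value' lines."""
    reqs, cur = [], None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            cur = {"id": m.group(1)}
            reqs.append(cur)
            continue
        m = FIELD_RE.match(line)
        if m and cur is not None:
            cur[m.group(1)] = m.group(2).strip()
    return reqs

def expiry(req):
    """Parse 'expires: YYYY-MM-DD HH:MM:SS UTC' as an aware datetime; None for 'unknown'."""
    try:
        ts = datetime.strptime(req.get("expires", ""), "%Y-%m-%d %H:%M:%S UTC")
    except ValueError:
        return None
    return ts.replace(tzinfo=timezone.utc)

def hostname_mismatch(req):
    """(subject_host, principal_host) when the CA rejected the CSR for a hostname the principal may not hold."""
    m = MISMATCH_RE.search(req.get("ca-error", ""))
    return m.groups() if m else None

def triage(text, now, warn_days=30):
    """[(request_id, expiry, issues)] for requests needing attention, closest expiry first, unknowns last."""
    out = []
    for r in parse_getcert_list(text):
        exp, issues = expiry(r), []
        if r.get("stuck") == "yes":
            issues.append("stuck")
        if r.get("status") != "MONITORING":
            issues.append("status=" + r.get("status", "?"))
        if exp is None:
            issues.append("expiry unknown")
        elif exp <= now:
            issues.append("expired")
        elif exp - now <= timedelta(days=warn_days):
            issues.append("expires within %d days" % warn_days)
        mm = hostname_mismatch(r)
        if mm:
            issues.append("subject host %s not allowed for principal host %s" % mm)
        if issues:
            out.append((r["id"], exp, issues))
    return sorted(out, key=lambda t: (t[1] is None, t[1] or now))
```

Healthy MONITORING entries are filtered out, so the list it returns is the renewal worklist in the order Petr describes, with the rejected hostname pair surfaced for the delegation check Rob mentions.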
  </body>
</html>