On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh <linov.sur...@gmail.com> wrote:
We have cloned and created another virtual server from the template.
Surprisingly, this server's certificates also expired at the same
time as the previous ones; they lasted just a day.
Does this issue have something to do with the Kerberos tickets?
I am new to IPA and your help is highly appreciated.
On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh <linov.sur...@gmail.com> wrote:
Update: my webserver and LDAP certificates expired at
2016-07-18 15:54:36 UTC and the certificates are in
CA_UNREACHABLE state.

Could you please help us?
[root@caer tmp]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20111214223243':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
stuck: yes
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=caer.teloip.net,O=TELOIP.NET
expires: 2016-07-18 15:54:36 UTC
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20111214223300':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
stuck: yes
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=caer.teloip.net,O=TELOIP.NET
expires: 2016-07-18 15:54:52 UTC
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20111214223316':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
stuck: yes
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=caer.teloip.net,O=TELOIP.NET
expires: 2016-07-18 15:55:04 UTC
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20130519130741':
status: MONITORING
ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
stuck: no
key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=CA Audit,O=TELOIP.NET
expires: 2017-10-13 14:10:49 UTC
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20130519130742':
status: MONITORING
ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
stuck: no
key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=OCSP Subsystem,O=TELOIP.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20130519130743':
status: MONITORING
ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
stuck: no
key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=CA Subsystem,O=TELOIP.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20130519130744':
status: MONITORING
ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=RA Subsystem,O=TELOIP.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Request ID '20130519130745':
status: MONITORING
ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
stuck: no
key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=caer.teloip.net,O=TELOIP.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
track: yes
auto-renew: yes
On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh <linov.sur...@gmail.com> wrote:
Yes, PKI is running and I don't see any errors in selftests.
I have followed https://access.redhat.com/solutions/643753
and restarted the PKI in step 10.
The only change which I made was to clean
up userCertificate;binary before adding the new
userCertificate in LDAP, which is step 12.
[root@caer ~]# /etc/init.d/pki-cad status
pki-ca (pid 8634) is running... [ OK ]
Unsecure Port = http://caer.teloip.net:9180/ca/ee/ca
Secure Agent Port = https://caer.teloip.net:9443/ca/agent/ca
Secure EE Port = https://caer.teloip.net:9444/ca/ee/ca
Secure Admin Port = https://caer.teloip.net:9445/ca/services
EE Client Auth Port = https://caer.teloip.net:9446/ca/eeca/ca
PKI Console Port = pkiconsole https://caer.teloip.net:9445/ca
Tomcat Port = 9701 (for shutdown)
PKI Instance Name: pki-ca
PKI Subsystem Type: Root CA (Security Domain)
Registered PKI Security Domain Information:
==========================================================================
Name: IPA
URL: https://caer.teloip.net:9445
==========================================================================
[root@caer ~]#
[root@caer ~]# tail -f /var/log/pki-ca/selftests.log
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence: CA is present
8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification: system certs verification success
8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!
Your help is highly appreciated!
Linov Suresh
70 Forest Manor Rd.
Toronto
ON M2J 0A9
Mobile: +1 647 406 9438
Linkedin: ca.linkedin.com/in/linov/
Website: http://mylinuxthoughts.blogspot.com
On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik <pvobo...@redhat.com> wrote:
On 07/18/2016 05:45 AM, Linov Suresh wrote:
> Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and certmonger. Looks like certificates were renewed. But I'm getting a different error now,
>
> ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
Is PKI running? When you change the time, does restarting IPA help?
>
> [root@caer ~]# getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20111214223243':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=TELOIP.NET
> subject: CN=caer.teloip.net,O=TELOIP.NET
> expires: 2016-07-18 15:54:36 UTC
> eku: id-kp-serverAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20111214223300':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=TELOIP.NET
> subject: CN=caer.teloip.net,O=TELOIP.NET
> expires: 2016-07-18 15:54:52 UTC
> eku: id-kp-serverAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20111214223316':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=TELOIP.NET
> subject: CN=caer.teloip.net,O=TELOIP.NET
> expires: 2016-07-18 15:55:04 UTC
> eku: id-kp-serverAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20130519130741':
> status: MONITORING
> ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
> stuck: no
> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=TELOIP.NET
> subject: CN=CA Audit,O=TELOIP.NET
> expires: 2017-10-13 14:10:49 UTC
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20130519130742':
> status: MONITORING
> ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
> stuck: no
> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=TELOIP.NET
> subject: CN=OCSP Subsystem,O=TELOIP.NET
> expires: 2017-10-13 14:09:49 UTC
> eku: id-kp-OCSPSigning
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20130519130743':
> status: MONITORING
> ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
> stuck: no
> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=TELOIP.NET
> subject: CN=CA Subsystem,O=TELOIP.NET
> expires: 2017-10-13 14:09:49 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20130519130744':
> status: MONITORING
> ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
> stuck: no
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=TELOIP.NET
> subject: CN=RA Subsystem,O=TELOIP.NET
> expires: 2017-10-13 14:09:49 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
> Request ID '20130519130745':
> status: MONITORING
> ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
> stuck: no
> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=TELOIP.NET
> subject: CN=caer.teloip.net,O=TELOIP.NET
> expires: 2017-10-13 14:09:49 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
> track: yes
> auto-renew: yes
> [root@caer ~]#
>
> Your help is highly appreciated!
>
>
>
> On Fri, Jul 15, 2016 at 5:08 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>
> Linov Suresh wrote:
>
> I logged into my IPA master, and found that the cert had expired again; we renewed these certificates about 18 months ago.
>
> Our environment is CentOS 6.4 and IPA 3.0.0-26.
>
> I followed the Red Hat documentation, "How do I manually renew Identity Management (IPA) certificates after they have expired? (Master IPA Server)", https://access.redhat.com/solutions/643753 but no luck.
>
> I have also changed the directive "NSSEnforceValidCerts off" in /etc/httpd/conf.d/nss.conf and the value of nsslapd-validate-cert is warn.
>
> ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w ******* -b cn=config | grep nsslapd-validate-cert
>
> nsslapd-validate-cert: warn
>
> Here is my getcert list,
>
> [root@caer ~]# getcert list
>
> It looks like your CA subsystem certificates all renewed successfully; it is just the webserver and LDAP certificates that need renewing, so that's good.
>
> What I'd do is go back in time again to say Jan 20, 2016 and restart certmonger. That should make it retry the renewals.
>
> rob
>
--
Petr Vobornik
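The thread turns on reading `getcert list` by hand: a tracked certificate is only healthy when it is not past `expires`, not `stuck`, and not sitting in `CA_UNREACHABLE` waiting on a CA whose own certificates are valid. The following is an added example, not code from the thread or from FreeIPA, that parses output of the shape shown above and triages each request; the sample input is constructed (realm and hostname are placeholders, the request IDs are the ones seen in the thread), and the 28-day renewal lead time is an assumed value to match to the local certmonger configuration.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample shaped like the thread's `getcert list` output; the realm and
# hostname are placeholders, the request IDs are the ones seen in the thread.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20111214223243':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
\tstuck: yes
\tCA: IPA
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2016-07-18 15:54:36 UTC
Request ID '20130519130741':
\tstatus: MONITORING
\tstuck: no
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=CA Audit,O=EXAMPLE.TEST
\texpires: 2017-10-13 14:09:49 UTC
"""
TS = "%Y-%m-%d %H:%M:%S UTC"  # timestamp format certmonger prints for 'expires'

def parse_getcert(text):
    """Split `getcert list` output into one dict per 'Request ID' block."""
    certs, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '(\d+)':", line)
        if m:
            cur = {"id": m.group(1)}
            certs.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.strip().partition(":")  # split on the first ':' only
            cur[key] = val.strip()
    return certs

def triage(text, now_str, lead_days=28):
    """Map request ID -> expired | stuck | renewal-due | ok | unknown, as of now_str.
    lead_days is an assumed renewal lead time; match it to your certmonger config."""
    now = datetime.strptime(now_str, TS).replace(tzinfo=timezone.utc)
    out = {}
    for c in parse_getcert(text):
        if "expires" not in c:
            out[c["id"]] = "unknown"
            continue
        exp = datetime.strptime(c["expires"], TS).replace(tzinfo=timezone.utc)
        if exp <= now:
            out[c["id"]] = "expired"
        elif c.get("stuck") == "yes" or c.get("status") == "CA_UNREACHABLE":
            out[c["id"]] = "stuck"  # certmonger will not recover this without operator action
        elif exp - now <= timedelta(days=lead_days):
            out[c["id"]] = "renewal-due"
        else:
            out[c["id"]] = "ok"
    return out
```

Run it against the live output of `getcert list` on a schedule and alert on anything other than `ok`; a certificate that shows `stuck` while still inside its lead window is the state the thread's webserver and LDAP certificates were in before they expired.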