Every one of the nicknames has expired except for this one:

certutil -L -n "caSigningCert cert-pki-ca" -d /var/lib/pki-ca/alias | grep Not
            Not Before: Thu Oct 20 11:44:18 2011
            Not After : Sun Oct 20 11:44:18 2019

Regards
Roger

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Wednesday, October 30, 2013 4:29 PM
To: Vaede, Roger (Contractor); 'freeipa-devel@redhat.com'
Subject: Re: [Freeipa-devel] certificate renewal

Vaede, Roger (Contractor) wrote:
> The certificate that I tried to install was a self signed certificate.
> Here is the contents of the file:  /var/log/ipaserver-install.log
>
> 2013-10-21 11:42:44,031 DEBUG Loading StateFile from 
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2013-10-21 11:42:44,032 DEBUG Loading Index file from 
> '/var/lib/ipa/sysrestore/sysrestore.index'
> 2013-10-21 11:42:44,032 DEBUG httpd is configured
> 2013-10-21 11:42:44,032 DEBUG ipa_kpasswd is configured
> 2013-10-21 11:42:44,032 DEBUG dirsrv is configured
> 2013-10-21 11:42:44,033 DEBUG pki-cad is configured
> 2013-10-21 11:42:44,033 DEBUG pkids is configured
> 2013-10-21 11:42:44,033 DEBUG install is configured
> 2013-10-21 11:42:44,033 DEBUG krb5kdc is configured
> 2013-10-21 11:42:44,033 DEBUG ntpd is not configured
> 2013-10-21 11:42:44,033 DEBUG named is not configured
> 2013-10-21 11:42:44,033 DEBUG filestore has files

Ok, you have a dogtag CA. We didn't add support for automated renewal until IPA 
3.0. We need to see the state of the CA itself, its subsystem certificates.

To get the list of nicknames:

# certutil -L -d /var/lib/pki-ca/alias

Then for each one do:

# certutil -L -n <nickname> -d /var/lib/pki-ca/alias | grep Not

You don't need to post this necessarily, just look to see if they are already 
expired.

Like I said, we didn't tackle renewal until IPA 3.0. This required some work in 
certmonger as well as some changes within IPA. I don't know if the same 
procedures will work against an IPA 2 server. The bulk of the work is done by 
certmonger.

But first, see what the state of the CA and its subsystem certificates are, 
then we can see what we need to renew.

rob
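The list-then-check loop Rob describes above, automated as an added example (not code from the thread or from FreeIPA): it parses the `certutil -L -d <db>` nickname listing, pretty-prints each certificate, and flags any whose "Not After" date has passed. It assumes `certutil` is on PATH when run against a real database; the `run` parameter is injectable so the parsers can be exercised on captured output without it.

```python
"""Audit every certificate in an NSS database (added example, not from the thread).
Automates Rob's loop: `certutil -L -d <db>` for the nickname list, then
`certutil -L -n <nick> -d <db>` per nickname, flagging expired "Not After" dates.
certutil is assumed to be on PATH when run for real (it is on an IPA server)."""
import subprocess, sys
from datetime import datetime

def parse_nicknames(listing):
    """Nicknames from `certutil -L -d <db>`: skip the two header lines, drop only
    the trailing trust-flag field (nicknames like "caSigningCert cert-pki-ca"
    contain spaces)."""
    nicks = []
    for line in listing.splitlines()[2:]:
        parts = line.split()
        if len(parts) >= 2:
            nicks.append(" ".join(parts[:-1]))
    return nicks

def parse_validity(cert_text):
    """(not_before, not_after) from certutil's pretty-print, which shows
    'Not Before: Thu Oct 20 11:44:18 2011' / 'Not After : Sun Oct 20 ...'."""
    stamps = {}
    for line in cert_text.splitlines():
        line = line.strip()
        for key in ("Not Before", "Not After"):
            if line.startswith(key):
                stamps[key] = datetime.strptime(line.split(":", 1)[1].strip(),
                                                "%a %b %d %H:%M:%S %Y")
    return stamps["Not Before"], stamps["Not After"]

def classify(not_before, not_after, now):
    if now < not_before:
        return "not yet valid"
    return "expired" if now > not_after else "valid"

def audit_nssdb(dbdir="/var/lib/pki-ca/alias", now=None, run=None):
    """{nickname: (status, not_after)} for every cert in dbdir; `run` is
    injectable so the parsers can be exercised without certutil installed."""
    now = now or datetime.now()
    run = run or (lambda args: subprocess.run(["certutil", *args], check=True,
                                              capture_output=True, text=True).stdout)
    report = {}
    for nick in parse_nicknames(run(["-L", "-d", dbdir])):
        nb, na = parse_validity(run(["-L", "-n", nick, "-d", dbdir]))
        report[nick] = (classify(nb, na, now), na)
    return report

if __name__ == "__main__":  # e.g. python3 audit_nssdb.py /var/lib/pki-ca/alias
    for nick, (status, na) in sorted(audit_nssdb(*sys.argv[1:2]).items()):
        print(f"{status:14} {na:%Y-%m-%d}  {nick}")
```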

>
>
> On the (good) backup server, here are the contents of the certificate:
>
> [root@xxxxx ~]# ipa-getcert list
> Number of certificates and requests being tracked: 2.
> Request ID '20111020180721':
>          status: MONITORING
>          stuck: no
>          key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-xxx 
> ',nickname='Server-Cert',token='NSS Certificate 
> DB',pinfile='/etc/dirsrv/slapd-xxxxx-xxx//pwdfile.txt'
>          certificate: 
> type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-xx',nickname='Server-Cert',token='NSS
>  Certificate DB'
>          CA: IPA
>          issuer: CN=Certificate Authority,O=xxxxxx.xxx
>          subject: CN=xxxxxxx.xxxxxx.xxx,O=xxxxxxx.xx
>          expires: 2015-09-23 17:46:26 UTC
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          command:
>          track: yes
>          auto-renew: yes
> Request ID '20111020180816':
>          status: MONITORING
>          stuck: no
>          key pair storage: 
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>          certificate: 
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
> Certificate DB'
>          CA: IPA
>          issuer: CN=Certificate Authority,O=xxxxxx.xxx
>          subject: CN=xxxxxx.xxxx.xxx,O=xxxxxxx.xxx
>          expires: 2015-09-23 17:46:26 UTC
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          command:
>          track: yes
>          auto-renew: yes
>
> regards
> Roger
>
>
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Wednesday, October 30, 2013 3:29 PM
> To: Vaede, Roger (Contractor); 'freeipa-devel@redhat.com'
> Subject: Re: [Freeipa-devel] certificate renewal
>
> Vaede, Roger (Contractor) wrote:
>> I did try to replace the certificate with a self signed one at one point but 
>> then I was getting an error saying the certificate wasn't valid.
>
> Ok, I need to get a better handle on how this was originally installed in 
> order to guide you. Can you look to see if /var/log/ipaserver-install.log 
> still exists? It should have the original arguments passed.
>
> What I need to know is if this was installed using a dogtag CA or if it was 
> installed as a selfsign server.
>
> rob
>
>>
>> Regards
>> Roger
>>
>> -----Original Message-----
>> From: Vaede, Roger (Contractor)
>> Sent: Wednesday, October 30, 2013 2:37 PM
>> To: 'Rob Crittenden'; 'freeipa-devel@redhat.com'
>> Subject: RE: [Freeipa-devel] certificate renewal
>>
>> I never installed freeipa; the person who installed it left the company.
>> I removed the request ID at one point by using the stop-tracking command 
>> then I used this command to reinstate them:
>> ipa-getcert start-tracking -d /var/lib/pki-ca/alias -n ServerCert -r
>>
>> Initially they expired around October 25th.
>>
>> Regards
>> Roger
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcrit...@redhat.com]
>> Sent: Wednesday, October 30, 2013 2:30 PM
>> To: Vaede, Roger (Contractor); 'freeipa-devel@redhat.com'
>> Subject: Re: [Freeipa-devel] certificate renewal
>>
>> Vaede, Roger (Contractor) wrote:
>>> I have two IPA servers, one primary and one is backup.  (Redhat 5)
>>
>> What version of ipa-server is this?
>>
>>> The primary server's certificate has expired.
>>>
>>> I am not able to renew it.
>>>
>>> I turned off the ssl on the clients and now the users can login.
>>>
>>> I did a lot of research on certificate renewal and I am lost at this point.
>>>
>>> I am able to make changes using the backup IPA server.
>>
>> This getcert output is quite strange. Did you start these tracking yourself?
>>
>> Did you replace the IPA CA certificate at some point?
>>
>> rob
>>
>>
>
>



_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel