On Wed, Jul 12, 2017 at 05:37:54PM +0200, Karl Forner via FreeIPA-users wrote:
> Hello,
> 
> I'm getting desperate, I'm still unable to fix my expired certificates on
> my freeIPA master.
> 
> Summary:
> 
>    -  I discovered that my web ui SSL certificate had expired.
>    -   the certificate lives in /etc/httpd/alias, is named Server-Cert
>    -   for some reason, it is not tracked by ipa-getcert  list
>    -   from the web-ui, Authentication --> certificates fail:
>       -  IPA Error 4301: CertificateOperationError
>       -   Certificate operation cannot be completed: Unable to communicate
>       with CMS (Internal Server Error)
>    -   I tried to set the system time back in time -> was unable to get
>    kinit credentials (revoked)
>
This seems odd.  You are performing `kinit` on the affected master,
right?  After changing the time, did you restart IPA and execute
`kdestroy -A` before trying to `kinit`?

>    -   I tried to set certmonger to track the expired certificate:
>       - ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert -p
>       /etc/httpd/alias/pwdfile.txt
>       - status from ipa-getcert  list:
>          -  ca-error: Unable to determine principal name for signing
>          request.
>
You need some additional options to `ipa-getcert start-tracking`:

  -D <dnsname>         # SAN dnsName (for RFC 2818 compliance)
  -K HTTP/<dnsname>    # kerberos principal name

>       - I followed some instructions to manually renew the certificates.
>    - at one point I need ipa cert-request to sign the request.
>       - but the ipa cert commands do not work, e.g.
>       - ipa cert-find
>       ipa: ERROR: cert validation failed for "CN=ipa.quartzbio.com,O=
>       QUARTZBIO.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate
>       has expired.)
>       ipa: ERROR: Certificate operation cannot be completed: Unable to
>       communicate with CMS (Not Found)
> 
> What could/should I do !?!?
> 
> Is it possible to manually renew the certificate using only certutil ?
> 
Yes.  certutil(1) can do it.  The NSSDB with the IPA CA signing cert
is /etc/pki/pki-tomcat/alias.  I don't know the arcane incantation
of certutil(1) required, but hopefully the manpage will be useful.
This should be an absolute last resort.  Be very careful to:

- choose a serial number that has not already been used and is not
  likely to be used in the lifetime of the deployment (IPA uses
  sequential serial numbers so pick something large and random and
  you should be OK).

- make sure Dogtag is NOT RUNNING when you use certutil in a way
  that accesses Dogtag NSSDB.

Good luck!

> 
> Thanks for any help.
> 
> Karl
> 
> P.S
> 
> this runs in a freeipa-server docker container.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
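The two recoveries the reply describes (re-tracking Server-Cert with the missing -D/-K options, and the last-resort certutil(1) signing against the Dogtag NSSDB with a large random serial while Dogtag is stopped), written out as an added example. This is not code from the thread or from the FreeIPA project. The NSSDB paths, nickname and pin file are the ones named in the thread; the CA nickname, the 24-month validity, the temp file names, the systemd unit names, the example host name and the reuse of the existing key via `certutil -R -k <nickname>` are assumptions to verify on the affected host before running anything.

```shell
#!/bin/sh
# Added example, not from the thread or from the FreeIPA project: the two
# recoveries the reply discusses, as commands. Paths and nicknames named
# in the thread are used as-is; the CA nickname, the 24-month validity,
# the temp file names, the systemd unit names and the reuse of the existing
# key with 'certutil -R -k <nickname>' are assumptions to check locally.
# Nothing runs unless DRY_RUN=0: each function prints the command instead
# (printed arguments are not shell-quoted, so review them, do not paste them).

DRY_RUN=${DRY_RUN:-1}
HTTPD_DB=/etc/httpd/alias
HTTPD_NICK=Server-Cert
HTTPD_PIN=/etc/httpd/alias/pwdfile.txt
CA_DB=/etc/pki/pki-tomcat/alias
CA_NICK='caSigningCert cert-pki-ca'     # assumption: default Dogtag CA nickname

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# -D and -K both take the FQDN the HTTP service is known by; a short
# host name would yield a SAN and a principal that nothing matches.
require_fqdn() {
    case "$1" in
        *.*) return 0 ;;
        *) echo "error: '$1' is not a fully qualified host name" >&2; return 1 ;;
    esac
}

# Option 1: put the expired cert back under certmonger with the SAN
# dnsName and Kerberos principal the reply says were missing.
track_httpd_cert() {
    require_fqdn "$1" || return 1
    run ipa-getcert start-tracking -d "$HTTPD_DB" -n "$HTTPD_NICK" \
        -p "$HTTPD_PIN" -D "$1" -K "HTTP/$1"
}

# Option 2, last resort: sign a renewal with certutil(1) against the
# Dogtag NSSDB. IPA issues small sequential serials, so a random 32-bit
# value keeps the hand-picked one out of that range.
random_serial() {
    od -An -N4 -tu4 /dev/urandom | tr -d ' '
}

# usage: renew_httpd_cert_with_certutil FQDN SUBJECT [SERIAL]
renew_httpd_cert_with_certutil() {
    fqdn=$1
    subject=$2
    serial=${3:-$(random_serial)}
    require_fqdn "$fqdn" || return 1
    # Never open the CA database while Dogtag is running (assumed unit name).
    if [ "$DRY_RUN" != 1 ] && systemctl is-active --quiet pki-tomcatd@pki-tomcat; then
        echo "error: stop pki-tomcatd@pki-tomcat before using certutil on $CA_DB" >&2
        return 1
    fi
    # 1. CSR on the existing Server-Cert key so the key pair is kept
    run certutil -R -d "$HTTPD_DB" -f "$HTTPD_PIN" -k "$HTTPD_NICK" \
        -s "$subject" -8 "$fqdn" -a -o /tmp/httpd.csr
    # 2. sign with the IPA CA key (certutil prompts for the CA DB password)
    run certutil -C -d "$CA_DB" -c "$CA_NICK" -i /tmp/httpd.csr \
        -a -o /tmp/httpd.crt -m "$serial" -v 24 -8 "$fqdn"
    # 3. install under the same nickname, then validate for SSL server use
    run certutil -A -d "$HTTPD_DB" -f "$HTTPD_PIN" -n "$HTTPD_NICK" \
        -t u,u,u -a -i /tmp/httpd.crt
    run certutil -V -d "$HTTPD_DB" -n "$HTTPD_NICK" -u V
    run systemctl restart httpd
}
```

Run `track_httpd_cert ipa.example.com` first and check `ipa-getcert list` for the new request; the certutil path only matters if CMS cannot be reached at all, and even then the printed commands should be reviewed before re-running with `DRY_RUN=0`.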