On Thu, Jul 13, 2017 at 10:57:59AM +1000, Fraser Tweedale wrote:
> On Wed, Jul 12, 2017 at 05:37:54PM +0200, Karl Forner via FreeIPA-users wrote:
> > Hello,
> > I'm getting desperate, I'm still unable to fix my expired certificates on
> > my freeIPA master.
> > Summary:
> > - I discovered that my web ui SSL certificate had expired.
> > - the certificate lives in /etc/httpd/alias, is named Server-Cert
> > - for some reason, it is not tracked by ipa-getcert list
> > - from the web-ui, Authentication --> certificates fail:
> > - IPA Error 4301: CertificateOperationError
> > - Certificate operation cannot be completed: Unable to communicate
> > with CMS (Internal Server Error)
> > - I tried to set the system time back in time -> was unable to get
> > kinit credentials (revoked)
> This seems odd. You are performing `kinit` on the affected master,
> right? After changing the time, did you restart IPA and execute
> `kdestroy -A` before trying to `kinit`?
> > - I tried to set certmonger to track the expired certificate:
> > - ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert -p /etc/httpd/alias/pwdfile.txt
> > - status from ipa-getcert list:
> > - ca-error: Unable to determine principal name for signing request.
> You need some additional options to `ipa-getcert start-tracking`:
> -D <dnsname> # SAN dnsName (for RFC 2818 compliance)
> -K HTTP/<dnsname> # kerberos principal name
> > - I followed some instructions to manually renew the certificates.
> > - at one point I need ipa cert-request to sign the request.
> > - but the ipa cert commands do not work, e.g.
> > - ipa cert-find
> > ipa: ERROR: cert validation failed for "CN=ipa.quartzbio.com,O=QUARTZBIO.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
> > ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
> > What could/should I do !?!?
> > Is it possible to manually renew the certificate using only certutil ?
> Yes. certutil(1) can do it. The NSSDB with the IPA CA signing cert
> is /etc/pki/pki-tomcat/alias. I don't know the arcane incantation
> of certutil(1) required, but hopefully the manpage will be useful.
> This should be an absolute last resort. Be very careful to:
> - choose a serial number that has not already been used and is not
> likely to be used in the lifetime of the deployment (IPA uses
> sequential serial numbers so pick something large and random and
> you should be OK).
> - make sure Dogtag is NOT RUNNING when you use certutil in a way
> that accesses Dogtag NSSDB.
> Good luck!
I found additional context to what has happened in your earlier
thread. I replied there but so that it does not get missed I will
summarise here too. If I got any facts wrong please correct me:
- You needed to renew the HTTP certificate on a master, which for
some reason was not being tracked by certmonger
- You used ipa-cacert-renew to try to renew the HTTP certificate.
This was the wrong thing to do (don't feel bad, we all make
mistakes and certificates are a confusing field). This command
apparently succeeded, causing the CA certificate to be renewed.
- The HTTP certificate was still invalid, because while the CA cert
was renewed, the HTTP cert itself was not.
- The HTTP cert being invalid, even when you add the certmonger
tracking request, Certmonger cannot renew it, because certmonger
tries to renew it *through the IPA framework*, and the HTTP cert
- So you roll back the time. Now things are failing all over the
place due to invalid certs. This is most likely because the time
is now earlier than the notBefore time of the (renewed) CA
- To (partially) recover, you should retrieve a copy of the previous
CA certificate (from Dogtag's LDAP database if necessary) and
reinstall that, replacing the newer CA certificate.
- Then you should be able to roll back the time to when the HTTP
cert was valid, and renew whatever certs need renewal via
Certmonger (adding the tracking requests if they are missing,
which seems to be the root cause of this problem).
Hope that helps; if I am mistaken about the above facts or you think
I am way off track please provide whatever additional info you feel
FreeIPA-users mailing list -- firstname.lastname@example.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
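The timeline reconstructed in the reply above (expired HTTP cert, CA cert renewed by mistake, clock rolled back, previous CA cert reinstalled) can be replayed against a real X.509 verifier to see why each step fails or succeeds. The Go program below is an added example, not code from this thread or from FreeIPA; it models the chain with Go's crypto/x509 instead of certutil/NSS, and the hostname ipa.example.test, the organisation EXAMPLE.TEST and all dates are constructed. It also shows the two things the replies ask for: a large random serial of the kind you would give certutil -m, and a SAN dNSName of the kind ipa-getcert -D supplies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// RandomSerial returns a random 127-bit serial. IPA/Dogtag issues small sequential
// serials, so this will not collide with anything issued; it is what certutil -m takes.
func RandomSerial() *big.Int {
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	check(err)
	return n.Add(n, big.NewInt(1)) // serials must be positive, so never zero
}

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	c, err := x509.ParseCertificate(der)
	check(err)
	return c
}

// NewCA self-signs a CA certificate for key. Calling it again with the same key and a
// later notBefore models what ipa-cacert-renew did: same subject and key, new validity.
func NewCA(key *ecdsa.PrivateKey, notBefore time.Time, months int) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          RandomSerial(),
		Subject:               pkix.Name{CommonName: "Certificate Authority", Organization: []string{"EXAMPLE.TEST"}},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(0, months, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	return sign(tmpl, tmpl, &key.PublicKey, key)
}

// IssueServerCert signs a TLS server cert; the SAN dNSName is what ipa-getcert -D supplies.
func IssueServerCert(ca *x509.Certificate, caKey, leafKey *ecdsa.PrivateKey, dnsName string, notBefore time.Time, months int) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: RandomSerial(),
		Subject:      pkix.Name{CommonName: dnsName, Organization: []string{"EXAMPLE.TEST"}},
		DNSNames:     []string{dnsName}, // RFC 2818 clients match on this, not on the CN
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, months, 0),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, ca, &leafKey.PublicKey, caKey)
}

// VerifyAt validates leaf against ca for dnsName as if the clock read "at". Like NSS,
// Go checks the validity window of every certificate in the chain, the CA included.
func VerifyAt(leaf, ca *x509.Certificate, dnsName string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName, CurrentTime: at})
	return err
}

// Scenario replays the thread with constructed dates and a constructed hostname;
// a nil entry means the chain validated at that step.
func Scenario() []error {
	const host = "ipa.example.test"
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	httpKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	issued := time.Date(2015, 7, 1, 0, 0, 0, 0, time.UTC)
	now := time.Date(2017, 7, 12, 0, 0, 0, 0, time.UTC)  // "today" in the thread
	past := time.Date(2017, 6, 15, 0, 0, 0, 0, time.UTC) // the HTTP cert was still valid
	oldCA := NewCA(caKey, issued, 120)
	httpCert := IssueServerCert(oldCA, caKey, httpKey, host, issued, 24) // expired 2017-07-01
	newCA := NewCA(caKey, now, 120)                                      // ipa-cacert-renew
	freshHTTP := IssueServerCert(newCA, caKey, httpKey, host, now, 24)   // the actual fix
	return []error{
		VerifyAt(httpCert, oldCA, host, now),   // 1: expired HTTP cert, every TLS call fails
		VerifyAt(httpCert, newCA, host, now),   // 2: renewing the CA cert changed nothing
		VerifyAt(httpCert, newCA, host, past),  // 3: clock rolled back, but before new CA notBefore
		VerifyAt(httpCert, oldCA, host, past),  // 4: old CA cert restored, rollback validates
		VerifyAt(freshHTTP, newCA, host, now),  // 5: fresh HTTP cert at the real time
	}
}

func main() {
	for i, err := range Scenario() {
		fmt.Printf("step %d: %v\n", i+1, err)
	}
}
```

`go run` prints one line per step: steps 1 to 3 report validation errors (step 3 because the clock is earlier than the renewed CA's notBefore, which is the rollback failure the reply diagnoses), and steps 4 and 5 print <nil>. The Dogtag caveat from the reply still applies when doing this for real: never touch /etc/pki/pki-tomcat/alias with certutil while Dogtag is running.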