Scott Stevson via FreeIPA-users wrote:
> Thanks, Rob.
> 
> Unfortunately my test in staging resulted in an expired dogtag cert.  The 
> staging environment didn't have any certificates that were due to expire soon 
> so I updated the xmlrpc_server variable on one of the four IPA hosts we have 
> to another one in the same AWS region and restarted certmonger.  I then 
> resubmitted the cert request for one of the ID's I have and suddenly a cert 
> that was due to expire later this year is now expired as of 2016.
> 
> STAGING
> Request ID '20170124164909':
>       status: MONITORING
>       stuck: no
>       key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>       certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>       CA: dogtag-ipa-retrieve-agent-submit
>       issuer: CN=Certificate Authority,O=COMPANY.LOCAL
>       subject: CN=IPA RA,O=COMPANY.LOCAL
>       expires: 2016-12-07 03:35:22 UTC
>       key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>       eku: id-kp-serverAuth,id-kp-clientAuth
>       pre-save command:
>       post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>       track: yes
>       auto-renew: yes

For some things in IPA, like the Highlander, there can be only one.

An example of this is the CA responsible for renewing the CA subsystem
certificates (OCSP, the RA cert, etc).

During the renewal the updated certificates are stored in LDAP which is
replicated. The non-renewing masters monitor that location and fetch
updated certs from there.

So I'm guessing that the old cert is in LDAP and that got pulled down
for some reason, why I have no idea as certmonger should know better.
You can check to see what's in there by:

$ ldapsearch -Y GSSAPI -b 'cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com'

This will show the current ipaCert in more detail:

# certutil -L -d /etc/httpd/alias -n ipaCert

You can compare this to the output of the various other staging masters.

> And for completeness, I'm pasting the output of getcert list on prod so you 
> can see the cert that's due to expire in its entirety.
> PROD
> Request ID '20150827000358':
>       status: MONITORING
>       ca-error: Server at "http://server-ns-1.our.domain.local:9180/ca/ee/ca/profileSubmit" replied: 1: Server Internal Error
>       stuck: no
>       key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>       certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>       CA: dogtag-ipa-renew-agent
>       issuer: CN=Certificate Authority,O=COMPANY.LOCAL
>       subject: CN=IPA RA,O=COMPANY.LOCAL
>       expires: 2017-08-15 20:17:52 UTC
>       key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>       eku: id-kp-serverAuth,id-kp-clientAuth
>       pre-save command:
>       post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>       track: yes
>       auto-renew: yes
> 

I still think updating the xmlrpc_server is the way forward. I can't
explain the mix-up.

ipa config-show should show you the currently configured renewal master.

rob
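A small audit script, added here as an example and not part of the thread, that parses `getcert list` output collected from several masters and flags what this thread turns on: an expired cert, a ca-error, and masters disagreeing about the expiry of the same nickname (what a stale copy pulled from cn=ca_renewal looks like), plus a check that exactly one master tracks the cert with dogtag-ipa-renew-agent. Hostnames, realm and the sample output are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed `getcert list` output modelled on the thread; hostnames and realm are made up.
SAMPLE = {
    "ipa-1.example.test": (
        "Request ID '20150827000358':\n\tstatus: MONITORING\n"
        "\tca-error: Server at \"http://ipa-1.example.test:9180/ca/ee/ca/profileSubmit\" replied: 1: Server Internal Error\n"
        "\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'\n"
        "\tCA: dogtag-ipa-renew-agent\n\tsubject: CN=IPA RA,O=EXAMPLE.TEST\n\texpires: 2017-08-15 20:17:52 UTC\n"),
    "ipa-2.example.test": (
        "Request ID '20170124164909':\n\tstatus: MONITORING\n"
        "\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'\n"
        "\tCA: dogtag-ipa-retrieve-agent-submit\n\tsubject: CN=IPA RA,O=EXAMPLE.TEST\n\texpires: 2016-12-07 03:35:22 UTC\n"),
}

def parse_getcert(text):  # one dict per "Request ID" record, keyed by the printed field names
    records, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"request_id": m.group(1)}
            records.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.strip().partition(":")
            cur[key.strip()] = val.strip()
    for r in records:  # pull out the NSS nickname and a comparable expiry timestamp
        m = re.search(r"nickname='([^']+)'", r.get("certificate", ""))
        r["nickname"] = m.group(1) if m else ""
        r["expires_at"] = datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
    return records

def audit(outputs, now=None):
    """Flag the failure modes from the thread across {host: getcert output}."""
    now = now or datetime.now(timezone.utc)
    findings, by_nick = [], {}
    for host, text in outputs.items():
        for r in parse_getcert(text):
            if r["expires_at"] <= now:
                findings.append((host, r["nickname"], "expired"))
            if "ca-error" in r:  # renewal attempt failed; the cert may still be valid for now
                findings.append((host, r["nickname"], "ca-error"))
            by_nick.setdefault(r["nickname"], []).append((host, r))
    for nick, entries in by_nick.items():
        if len({r["expires"] for _, r in entries}) > 1:  # one master holds a different (stale?) copy
            findings.append(("*", nick, "expiry differs between masters"))
        renewers = [h for h, r in entries if r.get("CA") == "dogtag-ipa-renew-agent"]
        if len(renewers) != 1:  # "there can be only one" renewal master per subsystem cert
            findings.append(("*", nick, f"{len(renewers)} renewal masters, expected 1"))
    return sorted(findings)
```

Feed it the real `getcert list` output from each master (e.g. collected over ssh) in place of SAMPLE; a host whose ipaCert expiry differs from the others is the one to compare against the cn=ca_renewal entry and `certutil -L` output above.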
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org