On Fri, 20 Oct 2017 20:42:25 +0300
Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org> 
wrote:

> On Fri, 20 Oct 2017, Harald Dunkel via FreeIPA-users wrote:
> >Hi folks,
> >
> >I had to replace the CA chain about 3 months ago, using
> >ipa-cacert-manage. Question:
> >
> >Does this affect freeipa's NIS support? Is there a hidden
> >certificate somewhere I missed to renew?  
> NIS does not utilize SSL as far as I know.
> 
> 

Are you sure? NIS has access to password information.

My problem is that authentication appears to be broken on
all NIS clients (2 AIX 6.1 hosts). The problem came up on
Friday, 2017-10-20 at about 10:00 or 11:00.

Running getcert list on my ipa server I see certificates like

:
Request ID '20171020111318':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=example AG,C=DE
        subject: CN=CA Subsystem,O=example AG,C=DE
        expires: 2019-08-01 08:06:59 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
:

Take a look at the Request ID:

# getcert list | grep 2017
Request ID '20171020111316':
Request ID '20171020111317':
Request ID '20171020111318':
Request ID '20171020111319':
Request ID '20171020111320':
Request ID '20171020111321':
Request ID '20171020111322':
Request ID '20171020111323':
Request ID '20171020111343':

Is this just a coincidence?


Every helpful comment is highly appreciated.

Harri