Giulio Casella via FreeIPA-users wrote:
> Hi,
> I've got a problem with certificate expiration. My setup is a CA-ful IPA
> installation, ipa-server-4.5.0-22 on a CentOS 7 host.
> 
> I've been able to run ipa-cacert-manage renew, setting the date in the past,
> but the server certs (dirsrv and httpd) are not updated.

ipa-cacert-manage is NOT how you renew server certificates. It is how
you renew the _CA_ certificate which is generally good for 20 years.

You need to stop ntpd, use date to go back to when the web server cert is
still valid, then restart certmonger. That generally will do it.

rob

> 
> Is there a way to force update?
> 
> Here's my output of "getcert list":
> 
> 
> Number of certificates and requests being tracked: 9.
> Request ID '20170915095009':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
>         certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
>         CA: SelfSign
>         issuer:
> CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL
>         subject:
> CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL
>         expires: 2018-09-15 09:50:10 UTC
>         principal name:
> krbtgt/LINUX.UNICLOUDIDATTICA.LOCAL@LINUX.UNICLOUDIDATTICA.LOCAL
>         certificate template/profile: KDCs_PKINIT_Certs
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
>         track: yes
>         auto-renew: yes
> Request ID '20171205091347':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
>         subject: CN=CA Audit,O=LINUX.UNICLOUDIDATTICA.LOCAL
>         expires: 2019-11-21 07:19:44 UTC
>         key usage: digitalSignature,nonRepudiation
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20171205091349':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
> cert-pki-ca',token='NSS
> Certificate DB',pin set
>         certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
> cert-pki-ca',token='NSS
> Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
>         subject: CN=OCSP Subsystem,O=LINUX.UNICLOUDIDATTICA.LOCAL
>         expires: 2019-11-21 07:18:07 UTC
>         eku: id-kp-OCSPSigning
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20171205091350':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
>         subject: CN=CA Subsystem,O=LINUX.UNICLOUDIDATTICA.LOCAL
>         expires: 2019-11-21 07:19:43 UTC
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "subsystemCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20171205091351':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
>         subject: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
>         expires: 2038-01-08 00:16:58 UTC
>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "caSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20171205091352':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>         certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
>         subject: CN=IPA RA,O=LINUX.UNICLOUDIDATTICA.LOCAL
>         expires: 2019-11-21 07:18:14 UTC
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>         post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>         track: yes
>         auto-renew: yes
> Request ID '20171205091353':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
>         subject:
> CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL
>         expires: 2019-11-20 10:02:31 UTC
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "Server-Cert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20171205091357':
>         status: CA_UNREACHABLE
>         ca-error: Server at
> https://idc01.linux.unicloudidattica.local/ipa/xml failed request, will
> retry: -504 (libcurl failed to execute the HTTP POST transaction,
> explaining:  Peer's Certificate has expired.).
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-LINUX-UNICLOUDIDATTICA-LOCAL',nickname='Server-Cert',token='NSS
> Certificate
> DB',pinfile='/etc/dirsrv/slapd-LINUX-UNICLOUDIDATTICA-LOCAL/pwdfile.txt'
>         certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-LINUX-UNICLOUDIDATTICA-LOCAL',nickname='Server-Cert',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
>         subject:
> CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL
>         expires: 2018-01-08 08:24:22 UTC
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv
> LINUX-UNICLOUDIDATTICA-LOCAL
>         track: yes
>         auto-renew: yes
> Request ID '20171205091409':
>         status: CA_UNREACHABLE
>         ca-error: Server at
> https://idc01.linux.unicloudidattica.local/ipa/xml failed request, will
> retry: -504 (libcurl failed to execute the HTTP POST transaction,
> explaining:  Peer's Certificate has expired.).
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
>         subject:
> CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL
>         expires: 2018-01-08 08:33:05 UTC
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>         track: yes
>         auto-renew: yes
> 
> 
> Thanks in advance,
> Giulio
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org