[Freeipa-users] Re: Expired certificate problem

Mon, 08 Jan 2018 08:57:52 -0800 


Il 08/01/2018 17:26, Rob Crittenden ha scritto:

Giulio Casella via FreeIPA-users wrote:

You need to stop ntpd, use date to go back when the web server cert is
still valid, then restart certmonger. That generally will do it.


Hi Rob,

I already tried with date few hours before expiration, with no luck: 
certmonger cannot perform cert update.



Queued requests remain in "SUBMITTING" status, I tried to launch 
certmonger in foreground (-d 10), here's a snippet of the output:



2018-01-08 01:17:08 [6000] Request9('20171205091409') ends in state 
'HAVE_CSR'

2018-01-08 01:17:08 [6000] Stopped Request9('20171205091409').

2018-01-08 01:17:09 [6235] Read value "0" from 
"/proc/sys/crypto/fips_enabled".

2018-01-08 01:17:09 [6235] Not attempting to set NSS FIPS mode.

2018-01-08 01:17:09 [6235] Skipping NSS internal slot (NSS Generic 
Crypto Services).

2018-01-08 01:17:09 [6235] Found token 'NSS Certificate DB'.

2018-01-08 01:17:09 [6235] Located a certificate with the key's nickname 
("Server-Cert").

2018-01-08 01:17:09 [6235] Located its private key.
2018-01-08 01:17:09 [6235] Recovered public key from private key.
2018-01-08 01:17:09 [6235] Key is an RSA key.
2018-01-08 01:17:09 [6235] Key size is 2048.

2018-01-08 01:17:10 [6251] Read value "0" from 
"/proc/sys/crypto/fips_enabled".

2018-01-08 01:17:10 [6251] Not attempting to set NSS FIPS mode.
2018-01-08 01:17:10 [6251] Found token 'NSS Generic Crypto Services'.

2018-01-08 01:17:10 [6251] Token is named "NSS Generic Crypto Services", 
not "NSS Certificate DB", skipping.

2018-01-08 01:17:10 [6251] Found token 'NSS Certificate DB'.
2018-01-08 01:17:10 [6251] Located the certificate "Server-Cert".

2018-01-08 01:17:10 [6251] Read value "0" from 
"/proc/sys/crypto/fips_enabled".

2018-01-08 01:17:10 [6251] Not attempting to set NSS FIPS mode.

2018-01-08 01:17:10 [6000] Request9('20171205091409') starts in state 
'HAVE_KEYINFO'
2018-01-08 01:17:10 [6000] Request9('20171205091409') moved to state 
'NEED_CSR'

2018-01-08 01:17:10 [6000] Will revisit Request9('20171205091409') now.
2018-01-08 01:17:10 [6000] Started Request9('20171205091409').

2018-01-08 01:17:10 [6000] Queuing FD 7 for Read for 
0x561b59c82750:0x561b59c98940.
2018-01-08 01:17:10 [6000] Request9('20171205091409') moved to state 
'GENERATING_CSR'
2018-01-08 01:17:10 [6000] Will revisit Request9('20171205091409') on 
traffic from 27.
2018-01-08 01:17:11 [6263] Read value "0" from 
"/proc/sys/crypto/fips_enabled".

2018-01-08 01:17:11 [6263] Not attempting to set NSS FIPS mode.

2018-01-08 01:17:11 [6263] Skipping NSS internal slot (NSS Generic 
Crypto Services).

2018-01-08 01:17:11 [6263] Found token 'NSS Certificate DB'.

2018-01-08 01:17:11 [6263] Located a certificate with the key's nickname 
("Server-Cert").

2018-01-08 01:17:11 [6263] Located its private key.
2018-01-08 01:17:11 [6263] Recovered public key from private key.

2018-01-08 01:17:11 [6000] Request9('20171205091409') moved to state 
'HAVE_CSR'

2018-01-08 01:17:11 [6000] Will revisit Request9('20171205091409') now.

2018-01-08 01:17:11 [6000] Request9('20171205091409') moved to state 
'NEED_TO_SUBMIT'

2018-01-08 01:17:11 [6000] Will revisit Request9('20171205091409') now.

2018-01-08 01:17:11 [6000] Request9('20171205091409') moved to state 
'SUBMITTING'
2018-01-08 01:17:11 [6000] Will revisit Request9('20171205091409') on 
traffic from 31.

^C2018-01-08 01:17:14 [6000] Got signal 2.
2018-01-08 01:17:14 [6000] Shutting down.

I'm stuck...

Thank you for your time.



rob



Is there a way to force update?

Here's my output of "getcert list":


Number of certificates and requests being tracked: 9.
Request ID '20170915095009':
         status: MONITORING
         stuck: no
         key pair storage:
type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
         certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
         CA: SelfSign
         issuer:
CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL
         subject:
CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL
         expires: 2018-09-15 09:50:10 UTC
         principal name:
krbtgt/LINUX.UNICLOUDIDATTICA.LOCAL@LINUX.UNICLOUDIDATTICA.LOCAL
         certificate template/profile: KDCs_PKINIT_Certs
         pre-save command:
         post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
         track: yes
         auto-renew: yes
Request ID '20171205091347':
         status: MONITORING
         stuck: no
         key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
         certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
         CA: dogtag-ipa-ca-renew-agent
         issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
         subject: CN=CA Audit,O=LINUX.UNICLOUDIDATTICA.LOCAL
         expires: 2019-11-21 07:19:44 UTC
         key usage: digitalSignature,nonRepudiation
         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
         track: yes
         auto-renew: yes
Request ID '20171205091349':
         status: MONITORING
         stuck: no
         key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
cert-pki-ca',token='NSS
Certificate DB',pin set
         certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
cert-pki-ca',token='NSS
Certificate DB'
         CA: dogtag-ipa-ca-renew-agent
         issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
         subject: CN=OCSP Subsystem,O=LINUX.UNICLOUDIDATTICA.LOCAL
         expires: 2019-11-21 07:18:07 UTC
         eku: id-kp-OCSPSigning
         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
         track: yes
         auto-renew: yes
Request ID '20171205091350':
         status: MONITORING
         stuck: no
         key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
         certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
         CA: dogtag-ipa-ca-renew-agent
         issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
         subject: CN=CA Subsystem,O=LINUX.UNICLOUDIDATTICA.LOCAL
         expires: 2019-11-21 07:19:43 UTC
         key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
         eku: id-kp-serverAuth,id-kp-clientAuth
         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
         track: yes
         auto-renew: yes
Request ID '20171205091351':
         status: MONITORING
         stuck: no
         key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
         certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
         CA: dogtag-ipa-ca-renew-agent
         issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
         subject: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
         expires: 2038-01-08 00:16:58 UTC
         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"caSigningCert cert-pki-ca"
         track: yes
         auto-renew: yes
Request ID '20171205091352':
         status: MONITORING
         stuck: no
         key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
         certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
         CA: dogtag-ipa-ca-renew-agent
         issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
         subject: CN=IPA RA,O=LINUX.UNICLOUDIDATTICA.LOCAL
         expires: 2019-11-21 07:18:14 UTC
         key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
         eku: id-kp-serverAuth,id-kp-clientAuth
         pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
         post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
         track: yes
         auto-renew: yes
Request ID '20171205091353':
         status: MONITORING
         stuck: no
         key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
         certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
         CA: dogtag-ipa-ca-renew-agent
         issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
         subject:
CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL
         expires: 2019-11-20 10:02:31 UTC
         key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
         eku: id-kp-serverAuth,id-kp-clientAuth
         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"Server-Cert cert-pki-ca"
         track: yes
         auto-renew: yes
Request ID '20171205091357':
         status: CA_UNREACHABLE
         ca-error: Server at
https://idc01.linux.unicloudidattica.local/ipa/xml failed request, will
retry: -504 (libcurl failed to execute the HTTP POST transaction,
explaining:  Peer's Certificate has expired.).
         stuck: no
         key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-LINUX-UNICLOUDIDATTICA-LOCAL',nickname='Server-Cert',token='NSS
Certificate
DB',pinfile='/etc/dirsrv/slapd-LINUX-UNICLOUDIDATTICA-LOCAL/pwdfile.txt'
         certificate:
type=NSSDB,location='/etc/dirsrv/slapd-LINUX-UNICLOUDIDATTICA-LOCAL',nickname='Server-Cert',token='NSS
Certificate DB'
         CA: IPA
         issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
         subject:
CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL
         expires: 2018-01-08 08:24:22 UTC
         key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
         eku: id-kp-serverAuth,id-kp-clientAuth
         pre-save command:
         post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv
LINUX-UNICLOUDIDATTICA-LOCAL
         track: yes
         auto-renew: yes
Request ID '20171205091409':
         status: CA_UNREACHABLE
         ca-error: Server at
https://idc01.linux.unicloudidattica.local/ipa/xml failed request, will
retry: -504 (libcurl failed to execute the HTTP POST transaction,
explaining:  Peer's Certificate has expired.).
         stuck: no
         key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
         certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
         CA: IPA
         issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
         subject:
CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL
         expires: 2018-01-08 08:33:05 UTC
         key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
         eku: id-kp-serverAuth,id-kp-clientAuth
         pre-save command:
         post-save command: /usr/libexec/ipa/certmonger/restart_httpd
         track: yes
         auto-renew: yes


Thanks in advance,
Giulio
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org




--
Giulio Casella                                    giulio at di.unimi.it
System and network architect
Computer Science Dept. - University of Milano
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org






















					Reply via email to