Roderick Johnstone via FreeIPA-users wrote:
> On 15/01/2018 16:06, Rob Crittenden via FreeIPA-users wrote:
>> Roderick Johnstone via FreeIPA-users wrote:
>>> Hi
>>> Our freeipa certificates need to be renewed due to passing their expiry
>>> dates.
>>> While some certificates have renewed ok, the ipaCert and
>>> auditSigningCert are renewing but the new certificates have the wrong
>>> Subject.
>>> Environment is:
>>> serverA (CRL, first, master) RHEL 7.3, ipa 4.4
>>> serverB (replica) RHEL 7.3, ipa 4.4
>>> serverC (replica) RHEL 7.4, ipa 4.5
>>> Once there are renewed certificates with the wrong Subject present,
>>> there are various problems with renewing the remaining certificates,
>>> which I think might be related to the bad Subject:
>>> 1) When just ipaCert has the wrong subject no further renewals happen
>>> 2) When auditSigningCert has the wrong subject the ipa pki-tomcatd
>>> service will not start and no further renewals happen.
>>> I've been round the following loop many times on ServerA, our first
>>> master:
>>> 1) Restore good certificates from backup
>>> 2) Put the clock back to a time when certificates are all valid
>>> 3) Resubmit certificates for renewal
>>> Each time the ipaCert renews it has the same wrong Subject. The wrong
>>> Subject includes the host name of one of our ipa client systems.
>>> Each time the auditSigningCert renews it has the same wrong Subject but
>>> a different subject to the ipaCert. The wrong Subject in this case
>>> includes the host name of a system which has never been an ipa client,
>>> but might have been added and removed with ipa host-add and ipa host-del
>>> for testing something, a while ago.
>>> As far as I can see, the "cert_subject" is set correctly in the file
>>> /var/lib/certmonger/<request id> until the point at which the
>>> certificate is actually renewed.
>>> I'd be very grateful for some pointers as to which configuration options
>>> and logs to check through to resolve this problem on our production
>>> system.
>>> If its of any relevance we did change which server is the first master
>>> some time ago.
>> I'd pull the CSR out of dogtag (CS.cfg) and/or certmonger to see what
>> the subject is.
> I'm not seeing any obvious CSR fields in the
> /etc/pki/pki-tomcat/ca/CS.cfg file.

> The CSR in the certmonger requests file for the auditSigningCert seems
> to be showing with the correct Subject. This is different from the bad
> subject showing in the requests file field:
> cert_subject=

The value of cert_subject comes from the issued certificate.

> and the Subject which is showing in the 'getcert list' output (which is
> the same as that in the cert_subject= field.>
> I'm not quite sure what this all means.

It is displayed from the data within the tracked certmonger request.

certmonger logs to syslog so you can check there or you can stop the
process and run it manually with: certmonger -n -d 9 2>&1 | tee

That will provide a lot of debugging output that may show what is going on.

FreeIPA-users mailing list --
To unsubscribe send an email to

Reply via email to