Roderick Johnstone via FreeIPA-users wrote:
> On 15/01/2018 20:07, Rob Crittenden via FreeIPA-users wrote:
>> Roderick Johnstone via FreeIPA-users wrote:
>>> On 15/01/2018 16:06, Rob Crittenden via FreeIPA-users wrote:
>>>> Roderick Johnstone via FreeIPA-users wrote:
>>>>> Hi
>>>>>
>>>>> Our freeipa certificates need to be renewed due to passing their
>>>>> expiry
>>>>> dates.
>>>>>
>>>>> While some certificates have renewed ok, the ipaCert and
>>>>> auditSigningCert are renewing but the new certificates have the wrong
>>>>> Subject.
>>>>>
>>>>> Environment is:
>>>>> serverA (CRL, first, master) RHEL 7.3, ipa 4.4
>>>>> serverB (replica) RHEL 7.3, ipa 4.4
>>>>> serverC (replica) RHEL 7.4, ipa 4.5
>>>>>
>>>>> Once there are renewed certificates with the wrong Subject present,
>>>>> there are various problems with renewing the remaining certificates,
>>>>> which I think might be related to the bad Subject:
>>>>>
>>>>> 1) When just ipaCert has the wrong subject no further renewals happen
>>>>>
>>>>> 2) When auditSigningCert has the wrong subject the ipa pki-tomcatd
>>>>> service will not start and no further renewals happen.
>>>>>
>>>>> I've been round the following loop many times on ServerA, our first
>>>>> master:
>>>>>
>>>>> 1) Restore good certificates from backup
>>>>> 2) Put the clock back to a time when certificates are all valid
>>>>> 3) Resubmit certificates for renewal
>>>>>
>>>>> Each time the ipaCert renews it has the same wrong Subject. The wrong
>>>>> Subject includes the host name of one of our ipa client systems.
>>>>>
>>>>> Each time the auditSigningCert renews it has the same wrong Subject
>>>>> but
>>>>> a different subject to the ipaCert. The wrong Subject in this case
>>>>> includes the host name of a system which has never been an ipa client,
>>>>> but might have been added and removed with ipa host-add and ipa
>>>>> host-del
>>>>> for testing something, a while ago.
>>>>>
>>>>> As far as I can see, the "cert_subject" is set correctly in the file
>>>>> /var/lib/certmonger/<request id> until the point at which the
>>>>> certificate is actually renewed.
>>>>>
>>>>> I'd be very grateful for some pointers as to which configuration
>>>>> options
>>>>> and logs to check through to resolve this problem on our production
>>>>> system.
>>>>>
>>>>> If it's of any relevance we did change which server is the first master
>>>>> some time ago.
>>>>
>>>> I'd pull the CSR out of dogtag (CS.cfg) and/or certmonger to see what
>>>> the subject is.
>>>
>>> I'm not seeing any obvious CSR fields in the
>>> /etc/pki/pki-tomcat/ca/CS.cfg file.
>>
>> foo.bar.certreq=
>>
>>> The CSR in the certmonger requests file for the auditSigningCert seems
>>> to be showing with the correct Subject. This is different from the bad
>>> subject showing in the requests file field:
>>> cert_subject=
>>
>> The value of cert_subject comes from the issued certificate.
>>
>>> and the Subject which is showing in the 'getcert list' output (which is
>>> the same as that in the cert_subject= field).
>>> I'm not quite sure what this all means.
>>
>> It is displayed from the data within the tracked certmonger request.
>>
>> certmonger logs to syslog so you can check there or you can stop the
>> process and run it manually with: certmonger -n -d 9 2>&1 | tee
>> certmonger.log
>>
>> That will provide a lot of debugging output that may show what is
>> going on.
> 
> I've restored certificate databases from backup and put the clock back
> to a time when certificates are valid and renewed the ocspSigning
> certificate with:
> getcert resubmit -N "CN=OCSP Subsystem,O=<REALM>" -i 20161124081302
> 
> (I've previously tried without the -N with similar results)
> 
> What I am seeing in the certmonger logs is:
> 
> 
> 2017-10-23 00:05:28 [438] Located the key 'ocspSigningCert cert-pki-ca'.
> 2017-10-23 00:05:28 [438] Converted private key 'ocspSigningCert
> cert-pki-ca' to public key.
> 2017-10-23 00:05:28 [439] Located the certificate "ocspSigningCert
> cert-pki-ca".
> 2017-10-23 00:05:28 [440] 0x1d Certificate named "ocspSigningCert
> cert-pki-ca" in token "NSS Certificate DB" in database
> "/etc/pki/pki-tomcat/alias" will not be valid after 20171025122401.
> 2017-10-23 00:05:28 [442] Located the key 'ocspSigningCert cert-pki-ca'.
> 2017-10-23 00:05:28 [442] Converted private key 'ocspSigningCert
> cert-pki-ca' to public key.
> 2017-10-23 00:05:28 [443] Located the certificate "ocspSigningCert
> cert-pki-ca".
> 2017-10-23 00:05:28 [444] Located the key 'ocspSigningCert cert-pki-ca'.
> 2017-10-23 00:05:28 [444] Converted private key 'ocspSigningCert
> cert-pki-ca' to public key.
> 2017-10-23 00:05:39 [581] Found a certificate with the same nickname but
> different subject, removing certificate "ocspSigningCert cert-pki-ca"
> with subject "CN=OCSP Subsystem,O=<REALM>".
> 2017-10-23 00:05:39 [581] Imported certificate "ocspSigningCert
> cert-pki-ca", got nickname "ocspSigningCert cert-pki-ca".
> 2017-10-23 00:05:39 [583] Located the certificate "ocspSigningCert
> cert-pki-ca".
> 2017-10-23 00:05:39 [48576] Adding hook
> "/usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert
> cert-pki-ca"" (0).
> 2017-10-23 00:10:43 [942] 0x1d Certificate named "ocspSigningCert
> cert-pki-ca" in token "NSS Certificate DB" in database
> "/etc/pki/pki-tomcat/alias" issued by CA and saved.
> 
> I now have a date-valid ocspSigningCertificate, but with the wrong
> subject, and a broken certificate system which will no longer start.
> 
> ipactl status
> ...
> pki-tomcatd Service: STOPPED
> 
> I can't renew other expired certificates.
> 
> I also note that there is now no key for ocspSigningCertificate as shown
> by:
> certutil -K -d /etc/pki/pki-tomcat/alias
> 
> I wonder if this is because the certificate subject changed? There was a
> key before the certificate renewed.
> 
> The ca debug logs are showing:
> 
> [23/Oct/2017:00:55:47][localhost-startStop-1]: Found cert by nickname:
> 'ocspSigningCert cert-pki-ca' with serial number: 268370108
> [23/Oct/2017:00:55:47][localhost-startStop-1]: converted to x509CertImpl
> [23/Oct/2017:00:55:47][localhost-startStop-1]: SigningUnit: Certificate
> object not found
> Certificate object not found
>     at com.netscape.ca.SigningUnit.init(SigningUnit.java:184)
> 
> Any help in repairing my broken ipa system will be much appreciated.

Sorry for the delay. I think my previous reading of the certmonger
csrgen code was wrong.

IIRC in your certmonger entry the cert_subject has the hostname value
right? Do you also have cert_subject_der?

You can decode that by:

1. Running a hex-to-bin, something hacky like this in python:

import binascii

# Paste the cert_subject_der value from the certmonger request file here.
hex_string = "<hex value>"

# Convert the hex text back into the raw DER bytes.
binary_string = binascii.unhexlify(hex_string)

# Write the DER to a file that openssl can read (closed automatically).
with open("out", "wb") as fd:
    fd.write(binary_string)

2. Run: openssl asn1parse -in out -inform der

I'm going to assume this also has the hostname encoded in it.

Can you try this:

1. Make a backup of the request file (just in case)
2. Remove cert_subject_der
3. Modify cert_subject to be CN=OCSP Subsystem,O=<YOUR_REALM>
4. Try the renewal again

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org