On Mon, Jan 29, 2018 at 03:55:07PM +0100, Christof Schulze via FreeIPA-users 
wrote:
> Hi,
> 
> some certificates on our freeipa-cluster (3 servers) have not been
> renewed yet, 2 hours before expiring. Can this be a problem?
> 
> Some of the certificates, the ones expiring, show "ca-error: Invalid cookie:
> ''" in the "getcert list" output, which makes me nervous.
> 
> We also have the problem that certmonger cannot reach the CA (CA_UNREACHABLE)
> after restarting a freeipa-server. But when we restart certmonger.service
> after everything is up again, everything looks good.
> 
> Maybe you can give me some advice on what to check and which other logs
> you would need.
> 
> 
> Thanks
> 
> Christof Schulze
> 
Hi Christof,

Yes, it is a problem.  They should have been renewed before now.
The errors in `getcert list` output show that there has been a
problem.

First, check that all certificates are valid and that all certificates
have been synced across all masters, using `ipa-certupdate` on each
master.  You should also check that the userCertificate attribute in
the entry:

  uid=ipara,ou=people,o=ipaca

matches the actual IPA RA certificate in /var/lib/ipa/ra-agent.pem.

Also check that your topology has a correct renewal master
configuration: ldapsearch under cn=masters,cn=ipa,cn=etc,dc=ipa,dc=local
with the filter (&(cn=CA)(ipaConfigString=caRenewalMaster)).  It should
return exactly one entry, and it must be a valid, active master.

HTH,
Fraser

> -- 
> Christof Schulze
> 
> Institute of Materials Simulation (WW8)
> Department of Materials Science
> Friedrich-Alexander-University Erlangen-Nürnberg
> Dr.-Mack-Str. 77,
> 90762 Fürth, Germany
> 
> Tel: 0911/65078-65069
> Email: christof.schu...@ww.uni-erlangen.de

> Number of certificates and requests being tracked: 9.
> Request ID '20170927064701':
>       status: MONITORING
>       stuck: no
>       key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
>       certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
>       CA: SelfSign
>       issuer: CN=idm1.XXXkd.fau.de,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - 
> FAU,C=DE,L=FUERTH
>       subject: CN=idm1.XXXkd.fau.de,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - 
> FAU,C=DE,L=FUERTH
>       expires: 2018-09-27 06:47:01 UTC
>       principal name: krbtgt/xxxkd.fau...@xxxkd.fau.de
>       certificate template/profile: KDCs_PKINIT_Certs
>       pre-save command:
>       post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
>       track: yes
>       auto-renew: yes
> Request ID '20171206120336':
>       status: MONITORING
>       ca-error: Invalid cookie: ''
>       stuck: no
>       key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>       certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
>       CA: dogtag-ipa-ca-renew-agent
>       issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) 
> - FAU,C=DE,E=g...@example.com,L=FUERTH
>       subject: CN=CA Audit,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - 
> FAU,C=DE,E=g...@example.com,L=FUERTH
>       expires: 2018-01-29 12:00:45 UTC
>       key usage: digitalSignature,nonRepudiation
>       pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>       post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
> "auditSigningCert cert-pki-ca"
>       track: yes
>       auto-renew: yes
> Request ID '20171206120337':
>       status: MONITORING
>       ca-error: Invalid cookie: ''
>       stuck: no
>       key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>       certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
>       CA: dogtag-ipa-ca-renew-agent
>       issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) 
> - FAU,C=DE,E=g...@example.com,L=FUERTH
>       subject: CN=OCSP Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - 
> FAU,C=DE,E=g...@example.com,L=FUERTH
>       expires: 2018-01-29 12:00:44 UTC
>       key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>       eku: id-kp-OCSPSigning
>       pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>       post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
> "ocspSigningCert cert-pki-ca"
>       track: yes
>       auto-renew: yes
> Request ID '20171206120338':
>       status: MONITORING
>       ca-error: Invalid cookie: ''
>       stuck: no
>       key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>       certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
> cert-pki-ca',token='NSS Certificate DB'
>       CA: dogtag-ipa-ca-renew-agent
>       issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) 
> - FAU,C=DE,E=g...@example.com,L=FUERTH
>       subject: CN=CA Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - 
> FAU,C=DE,E=g...@example.com,L=FUERTH
>       expires: 2018-01-29 12:00:44 UTC
>       key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>       eku: id-kp-serverAuth,id-kp-clientAuth
>       pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>       post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
> "subsystemCert cert-pki-ca"
>       track: yes
>       auto-renew: yes
> Request ID '20171206120339':
>       status: MONITORING
>       stuck: no
>       key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>       certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
>       CA: dogtag-ipa-ca-renew-agent
>       issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) 
> - FAU,C=DE,E=g...@example.com,L=FUERTH
>       subject: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute 
> (XXX) - FAU,C=DE,E=g...@example.com,L=FUERTH
>       expires: 2036-02-09 12:00:40 UTC
>       key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>       pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>       post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
> "caSigningCert cert-pki-ca"
>       track: yes
>       auto-renew: yes
> Request ID '20171206120340':
>       status: MONITORING
>       ca-error: Invalid cookie: ''
>       stuck: no
>       key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>       certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>       CA: dogtag-ipa-ca-renew-agent
>       issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) 
> - FAU,C=DE,E=g...@example.com,L=FUERTH
>       subject: CN=IPA RA,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - 
> FAU,C=DE,E=g...@example.com,L=FUERTH
>       expires: 2018-01-29 12:01:11 UTC
>       key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>       eku: id-kp-serverAuth,id-kp-clientAuth
>       pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>       post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>       track: yes
>       auto-renew: yes
> Request ID '20171206120341':
>       status: MONITORING
>       stuck: no
>       key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>       certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert 
> cert-pki-ca',token='NSS Certificate DB'
>       CA: dogtag-ipa-ca-renew-agent
>       issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) 
> - FAU,C=DE,E=g...@example.com,L=FUERTH
>       subject: CN=idm1.XXXkd.fau.de,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - 
> FAU,C=DE,E=g...@example.com,L=FUERTH
>       expires: 2018-07-29 13:05:20 UTC
>       key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>       eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>       pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>       post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
> "Server-Cert cert-pki-ca"
>       track: yes
>       auto-renew: yes
> Request ID '20171206120345':
>       status: MONITORING
>       stuck: no
>       key pair storage: 
> type=NSSDB,location='/etc/dirsrv/slapd-XXXKD-FAU-DE',nickname='Server-Cert',token='NSS
>  Certificate DB',pinfile='/etc/dirsrv/slapd-XXXKD-FAU-DE/pwdfile.txt'
>       certificate: 
> type=NSSDB,location='/etc/dirsrv/slapd-XXXKD-FAU-DE',nickname='Server-Cert',token='NSS
>  Certificate DB'
>       CA: IPA
>       issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) 
> - FAU,C=DE,E=g...@example.com,L=FUERTH
>       subject: CN=idm1.XXXkd.fau.de,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - 
> FAU,C=DE,E=g...@example.com,L=FUERTH
>       expires: 2018-08-09 13:01:15 UTC
>       key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>       eku: id-kp-serverAuth,id-kp-clientAuth
>       pre-save command:
>       post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv 
> XXXKD-FAU-DE
>       track: yes
>       auto-renew: yes
> Request ID '20171206120351':
>       status: MONITORING
>       stuck: no
>       key pair storage: 
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>       certificate: 
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
> Certificate DB'
>       CA: IPA
>       issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) 
> - FAU,C=DE,E=g...@example.com,L=FUERTH
>       subject: CN=idm1.XXXkd.fau.de,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - 
> FAU,C=DE,E=g...@example.com,L=FUERTH
>       expires: 2018-08-09 13:01:17 UTC
>       key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>       eku: id-kp-serverAuth,id-kp-clientAuth
>       pre-save command:
>       post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>       track: yes
>       auto-renew: yes
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
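The checks Fraser describes, flagging `getcert list` requests that carry a ca-error or are about to expire and comparing /var/lib/ipa/ra-agent.pem with the userCertificate of uid=ipara,ou=people,o=ipaca, as an added editor's example that is not code from the thread or from FreeIPA; it works on text you capture yourself, and the sample inputs below are constructed (no real certificate):

```python
"""Offline checks for the thread's symptoms: flag getcert requests with a
ca-error or a near expiry, and compare ra-agent.pem with userCertificate in
uid=ipara,ou=people,o=ipaca. Editor's example; sample data is constructed."""
import base64
import re
from datetime import datetime, timedelta

def parse_getcert(text):
    """Turn `getcert list` output into one dict of fields per Request ID."""
    reqs, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '(\w+)':", line)
        if m:
            cur = {"id": m.group(1)}
            reqs.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.strip().partition(":")  # split on first colon
            cur[key.strip()] = val.strip()
    return reqs

def problem_requests(text, now, days=7):
    """IDs that carry a ca-error or expire within `days` of `now` (UTC)."""
    bad = []
    for r in parse_getcert(text):
        exp = datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S UTC")
        if "ca-error" in r or exp - now <= timedelta(days=days):
            bad.append(r["id"])
    return bad

def ra_cert_matches_ldif(pem_text, ldif_text):
    """True if the DER inside ra-agent.pem equals the userCertificate;binary
    value in the LDIF (LDIF folds long values onto lines starting with a space)."""
    der = base64.b64decode("".join(l for l in pem_text.splitlines()
                                   if not l.startswith("-----")))
    m = re.search(r"^userCertificate;binary:: (\S+)$",
                  ldif_text.replace("\n ", ""), re.M)
    return m is not None and base64.b64decode(m.group(1)) == der

# Constructed samples shaped like the thread's output; no real certificate.
GETCERT_SAMPLE = """Request ID '20171206120336':
        ca-error: Invalid cookie: ''
        expires: 2018-01-29 12:00:45 UTC
Request ID '20171206120339':
        expires: 2036-02-09 12:00:40 UTC
"""
SAMPLE_NOW = datetime(2018, 1, 29, 10, 0)
_B64 = base64.b64encode(b"constructed bytes, not a real X.509 cert").decode()
RA_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % _B64
IPARA_LDIF = ("dn: uid=ipara,ou=people,o=ipaca\n"
              "userCertificate;binary:: %s\n %s\n" % (_B64[:24], _B64[24:]))
```

On a real master, feed it the output of `getcert list`, the contents of /var/lib/ipa/ra-agent.pem and an ldapsearch of the uid=ipara entry; a mismatch means the RA certificate in LDAP is stale relative to the file on disk.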