Hi,
Now the roof is on fire, all certificates are synced on all masters
since a long time ago.
The not renewing certificates in /etc/pki/pki-tomcat/alias have now expired
"subsystemCert cert-pki-ca" , "ocspSigningCert cert-pki-ca" ,
"/var/lib/ipa/ra-agent.pem"
The "auditSigningCert cert-pki-ca" certificate is the only one which has
been renewed. (Old Serial Number: 5 (0x5), New Serial Number: 536739845
(0x1ffe0005) valid till 2020)
The userCertificate in (uid=ipara,ou=people,o=ipaca) and the IPA RA
certificate in /var/lib/ipa/ra-agent.pem are matching and expired.
pki-tomcat can no longer access the ldap.
slapi_ldap_bind - Error: could not send startTLS request: error -1
(Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
Is there some way this situation can be solved?
Thanks
Christof Schulze
Request ID '20171206120336':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX)
- FAU,C=DE,E=g...@example.com,L=FUERTH
subject: CN=CA Audit,O=XXXKD.FAU.DE,OU=Some Institute (XXX) -
FAU,C=DE,E=g...@example.com,L=FUERTH
expires: 2020-01-19 13:22:53 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20171206120337':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX)
- FAU,C=DE,E=g...@example.com,L=FUERTH
subject: CN=OCSP Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX) -
FAU,C=DE,E=g...@example.com,L=FUERTH
expires: 2018-01-29 12:00:44 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20171206120338':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX)
- FAU,C=DE,E=g...@example.com,L=FUERTH
subject: CN=CA Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX) -
FAU,C=DE,E=g...@example.com,L=FUERTH
expires: 2018-01-29 12:00:44 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20171206120340':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX)
- FAU,C=DE,E=g...@example.com,L=FUERTH
subject: CN=IPA RA,O=XXXKD.FAU.DE,OU=Some Institute (XXX) -
FAU,C=DE,E=g...@example.com,L=FUERTH
expires: 2018-01-29 12:01:11 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
On 30.01.2018 00:40, Fraser Tweedale via FreeIPA-users wrote:
On Mon, Jan 29, 2018 at 03:55:07PM +0100, Christof Schulze via FreeIPA-users
wrote:
Hi,
some certificates on our freeipa-cluster (3 servers) are have been not
renewed till now, 2 hours before expiring. Can this be a problem?
Some of the certificates, the ones expiring show "ca-error: Invalid cookie:
'' in the "getcert list" output, what makes me nervous.
We also have the problem when certmonger can not reach the CA CA_UNREACHABLE
after restarting a freeipa-server. But when we restart the certmonger.server
after everything being up again everything looks good.
Maybe you can give me some advice what to check and which logs you else
would need.
Thanks
Christof Schulze
Hi Christof,
Yes, it is a problem. They should have been renewed before now.
The errors in `getcert list' output show that there has been a
problem.
First, check that all certificates are valid, all certificates have
been synced across all masters using `ipa-certupdate` on each
master. You should also check that the userCertificate attribute in
entry:
uid=ipara,ou=people,o=ipaca
matches the actual IPA RA certificate in /var/lib/ipa/ra-agent.pem
Also check that your topology has correct renewal master
configuration. ldapsearch cn=masters,cn=ipa,cn=etc,dc=ipa,dc=local
with filter (&(cn=CA)(ipaConfigString=caRenewalMaster)). It should
return exactly one entry and it must be a valid, active master.
HTH,
Fraser
--
Christof Schulze
Institute of Materials Simulation (WW8)
Department of Materials Science
Friedrich-Alexander-University Erlangen-Nürnberg
Dr.-Mack-Str. 77,
90762 Fürth, Germany
Tel: 0911/65078-65069
Email: christof.schu...@ww.uni-erlangen.de
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
