On 01/30/2018 02:02 PM, Christof Schulze via FreeIPA-users wrote:
Hi,

Now the roof is on fire; all certificates have been synced on all masters for a long time.

The certificates in /etc/pki/pki-tomcat/alias that were not renewing have now expired:
      "subsystemCert cert-pki-ca", "ocspSigningCert cert-pki-ca",
      "/var/lib/ipa/ra-agent.pem"

The "auditSigningCert cert-pki-ca" certificate is the only one which has been renewed. (Old Serial Number: 5 (0x5), New Serial Number: 536739845 (0x1ffe0005) valid till 2020)

The userCertificate in (uid=ipara,ou=people,o=ipaca) and the IPA RA certificate in /var/lib/ipa/ra-agent.pem are matching and expired.


pki-tomcat can no longer access LDAP.

    slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)


Is there some way this situation can be solved?
Hi,

You first need to identify which server is your renewal master and start repairing that machine. You can use ipa config-show or a direct ldapsearch as described here (https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Identifying_current_first_master) to find the renewal master.

On the renewal master, check whether the certificates have been properly renewed. If not, you will need to chase the failure by checking SELinux AVCs or errors in the journal produced by certmonger. The renewal master really needs to be repaired first, as it is the source of some certs that will later be downloaded by the other masters.

Flo


Thanks

Christof Schulze



Request ID '20171206120336':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=g...@example.com,L=FUERTH
    subject: CN=CA Audit,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=g...@example.com,L=FUERTH
    expires: 2020-01-19 13:22:53 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171206120337':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=g...@example.com,L=FUERTH
    subject: CN=OCSP Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=g...@example.com,L=FUERTH
    expires: 2018-01-29 12:00:44 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171206120338':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=g...@example.com,L=FUERTH
    subject: CN=CA Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=g...@example.com,L=FUERTH
    expires: 2018-01-29 12:00:44 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171206120340':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=g...@example.com,L=FUERTH
    subject: CN=IPA RA,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=g...@example.com,L=FUERTH
    expires: 2018-01-29 12:01:11 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes


On 30.01.2018 00:40, Fraser Tweedale via FreeIPA-users wrote:
On Mon, Jan 29, 2018 at 03:55:07PM +0100, Christof Schulze via FreeIPA-users wrote:
Hi,

some certificates on our freeipa cluster (3 servers) have not been
renewed till now, 2 hours before expiring. Can this be a problem?

Some of the certificates, the ones expiring, show "ca-error: Invalid cookie:
''" in the "getcert list" output, which makes me nervous.

We also have the problem that certmonger cannot reach the CA (CA_UNREACHABLE) after restarting a freeipa server. But when we restart certmonger.service
after everything is up again, everything looks good.

Maybe you can give me some advice on what to check and which other logs you
would need.


Thanks

Christof Schulze

Hi Christof,

Yes, it is a problem.  They should have been renewed before now.
The errors in `getcert list` output show that there has been a
problem.

First, check that all certificates are valid and that all certificates
have been synced across all masters using `ipa-certupdate` on each
master.  You should also check that the userCertificate attribute in
the entry:

   uid=ipara,ou=people,o=ipaca

matches the actual IPA RA certificate in /var/lib/ipa/ra-agent.pem.

Also check that your topology has correct renewal master
configuration.  ldapsearch cn=masters,cn=ipa,cn=etc,dc=ipa,dc=local
with filter (&(cn=CA)(ipaConfigString=caRenewalMaster)).  It should
return exactly one entry and it must be a valid, active master.

HTH,
Fraser
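As an added example that is not part of the thread, a small Python parser for `getcert list` output that flags the conditions Christof and Fraser discuss above: requests whose certificate is already expired or expiring within a threshold, requests carrying a ca-error, and requests marked stuck. The sample output is constructed from the entries quoted in the thread, with a "ca-error: Invalid cookie: ''" line added to the OCSP entry to show the detection.

```python
# Added example (not from the thread): parse `getcert list` output and flag
# requests that need attention. SAMPLE is constructed from the quoted output.
import re
from datetime import datetime, timedelta

SAMPLE = """\
Request ID '20171206120337':
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    ca-error: Invalid cookie: ''
    expires: 2018-01-29 12:00:44 UTC
    track: yes
Request ID '20171206120336':
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2020-01-19 13:22:53 UTC
    track: yes
"""

def parse_getcert(text):
    """Return {request_id: {field: value}} for each 'Request ID' block."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            # Split on the first colon only; values such as ca-error contain colons.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def check_requests(text, now_utc, warn_days=28):
    """Return {request_id: [issues]}; now_utc is 'YYYY-MM-DD HH:MM:SS' in UTC."""
    now = datetime.strptime(now_utc, "%Y-%m-%d %H:%M:%S")
    report = {}
    for rid, f in parse_getcert(text).items():
        issues = []
        expires = datetime.strptime(f["expires"].replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
        if expires <= now:
            issues.append("expired")
        elif expires - now <= timedelta(days=warn_days):
            issues.append("expiring within %d days" % warn_days)
        if "ca-error" in f:  # certmonger recorded a CA-side failure on last attempt
            issues.append("ca-error: " + f["ca-error"])
        if f.get("stuck") == "yes":
            issues.append("stuck")
        report[rid] = issues
    return report
```

Run it against the real output with `check_requests(open("getcert.txt").read(), "2018-01-30 14:02:00")`; an empty list means the request looked healthy at that time.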

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org