Hi,

Here may be the problem, all are masters, the idm1 I am working on is the CA renewal master (checked ldap and config-show).

IPA masters: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
IPA CA servers: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
IPA NTP servers: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
IPA CA renewal master: idm1.ww8kd.fau.de

But when checking the different points on the side linked by you. I can see:
All off them have
        ca.crl.MasterCRL.enableCRLUpdates=false
        ca.crl.MasterCRL.enableCRLCache=false

And all of them have the RewriteRule in the /etc/httpd/conf.d/ipa-pki-proxy.conf.

I remember years ago the original idm1 got roasted by some electrical surge. And I think it got cloned by one of the others (documentation would be king).

So all of them are clones and we don't have a CRL generation master.

The renewed "auditSigningCert cert-pki-ca" on the master didn't get replicated to the others.

Can I just promote idm1 to become CRL generation master by setting
        ca.crl.MasterCRL.enableCRLUpdates=true
        ca.crl.MasterCRL.enableCRLCache=true

And how to get new certificates?


And Thanks for your patience.


On 30.01.2018 14:26, Florence Blanc-Renaud wrote:
On 01/30/2018 02:02 PM, Christof Schulze via FreeIPA-users wrote:
Hi,

Now the roof is on fire, all certificates are synced on all masters since a long time ago.

The not renewing certificates in /etc/pki/pki-tomcat/alias have now expired
      "subsystemCert cert-pki-ca" , "ocspSigningCert cert-pki-ca" ,
      "/var/lib/ipa/ra-agent.pem"

The "auditSigningCert cert-pki-ca" certificate is the only one which has been renewed. (Old Serial Number: 5 (0x5), New Serial Number: 536739845 (0x1ffe0005) valid till 2020)

The userCertificate in (uid=ipara,ou=people,o=ipaca) and the IPA RA certificate in /var/lib/ipa/ra-agent.pem are matching and expired.


pki-tomcat can no longer access the ldap.

     slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)


Is there some way this situation can be solved?
Hi,

you need first to identify who is your renewal master and start repairing this machine. You can use ipa config-show or a direct ldapsearch as described here (https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Identifying_current_first_master) to find the renewal master.

On the renewal master, check if the certificates have been properly renewed. If it is not the case, you will need to chase the failure by checking SE linux AVCs or errors in the journal produced by certmonger. The renewal master really needs to be repaired first, as it is the source containing some certs that will later be downloaded by the other masters.

Flo


Thanks

Christof Schulze



Request ID '20171206120336':
     status: MONITORING
     stuck: no
     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set      certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
     CA: dogtag-ipa-ca-renew-agent
     issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=g...@example.com,L=FUERTH      subject: CN=CA Audit,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=g...@example.com,L=FUERTH
     expires: 2020-01-19 13:22:53 UTC
     key usage: digitalSignature,nonRepudiation
     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
     track: yes
     auto-renew: yes
Request ID '20171206120337':
     status: MONITORING
     stuck: no
     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set      certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
     CA: dogtag-ipa-ca-renew-agent
     issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=g...@example.com,L=FUERTH      subject: CN=OCSP Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=g...@example.com,L=FUERTH
     expires: 2018-01-29 12:00:44 UTC
     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
     eku: id-kp-OCSPSigning
     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
     track: yes
     auto-renew: yes
Request ID '20171206120338':
     status: MONITORING
     stuck: no
     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set      certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
     CA: dogtag-ipa-ca-renew-agent
     issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=g...@example.com,L=FUERTH      subject: CN=CA Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=g...@example.com,L=FUERTH
     expires: 2018-01-29 12:00:44 UTC
     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
     eku: id-kp-serverAuth,id-kp-clientAuth
     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
     track: yes
     auto-renew: yes
Request ID '20171206120340':
     status: MONITORING
     stuck: no
     key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
     certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
     CA: dogtag-ipa-ca-renew-agent
     issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=g...@example.com,L=FUERTH      subject: CN=IPA RA,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - FAU,C=DE,E=g...@example.com,L=FUERTH
     expires: 2018-01-29 12:01:11 UTC
     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
     eku: id-kp-serverAuth,id-kp-clientAuth
     pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
     post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
     track: yes
     auto-renew: yes


On 30.01.2018 00:40, Fraser Tweedale via FreeIPA-users wrote:
On Mon, Jan 29, 2018 at 03:55:07PM +0100, Christof Schulze via FreeIPA-users wrote:
Hi,

some certificates on our freeipa-cluster (3 servers) are have been not
renewed till now, 2 hours before expiring. Can this be a problem?

Some of the certificates, the ones expiring  show "ca-error: Invalid cookie:
'' in the "getcert list" output, what makes me nervous.

We also have the problem when certmonger can not reach the CA CA_UNREACHABLE after restarting a freeipa-server. But when we restart the certmonger.server
after everything being up again everything looks good.

Maybe you can give me some advice what to check and which logs you else
would need.


Thanks

Christof Schulze

Hi Christof,

Yes, it is a problem.  They should have been renewed before now.
The errors in `getcert list' output show that there has been a
problem.

First, check that all certificates are valid, all certificates have
been synced across all masters using `ipa-certupdate` on each
master.  You should also check that the userCertificate attribute in
entry:

   uid=ipara,ou=people,o=ipaca

matches the actual IPA RA certificate in /var/lib/ipa/ra-agent.pem

Also check that your topology has correct renewal master
configuration.  ldapsearch cn=masters,cn=ipa,cn=etc,dc=ipa,dc=local
with filter (&(cn=CA)(ipaConfigString=caRenewalMaster)).  It should
return exactly one entry and it must be a valid, active master.

HTH,
Fraser




--
Christof Schulze

Institute of Materials Simulation (WW8)
Department of Materials Science
Friedrich-Alexander-University Erlangen-Nürnberg
Dr.-Mack-Str. 77,
90762 Fürth, Germany

Tel: 0911/65078-65069
Email: christof.schu...@ww.uni-erlangen.de
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to