Christof Schulze via FreeIPA-users wrote:
> Hi,
> 
> Here may be the problem, all are masters, the idm1 I am working on is
> the CA renewal master (checked ldap and config-show).
> 
> IPA masters: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
> IPA CA servers: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
> IPA NTP servers: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
> IPA CA renewal master: idm1.ww8kd.fau.de
> 
> But when checking the different points on the site linked by you, I can
> see:
> All of them have
>         ca.crl.MasterCRL.enableCRLUpdates=false
>         ca.crl.MasterCRL.enableCRLCache=false
> 
> And all of them have the RewriteRule in the
> /etc/httpd/conf.d/ipa-pki-proxy.conf.
> 
> I remember years ago the original idm1 got roasted by some electrical
> surge. And I think it got cloned by one of the others (documentation
> would be king).
> 
> So all of them are clones and we don't have a CRL generation master.
> 
> The renewed "auditSigningCert cert-pki-ca" on the master didn't get
> replicated to the others.
> 
> Can I just promote idm1 to become CRL generation master by setting
>         ca.crl.MasterCRL.enableCRLUpdates=true
>         ca.crl.MasterCRL.enableCRLCache=true

Yes but that won't affect renewal.

> And how to get new certificates?

As Flo suggested, check syslog for certmonger messages. Look for AVCs.

Look at the output of getcert list to see what the status and errors are.

rob

> 
> 
> And Thanks for your patience.
> 
> 
> On 30.01.2018 14:26, Florence Blanc-Renaud wrote:
>> On 01/30/2018 02:02 PM, Christof Schulze via FreeIPA-users wrote:
>>> Hi,
>>>
>>> Now the roof is on fire; all certificates have been synced on all masters
>>> for a long time now.
>>>
>>> The certificates in /etc/pki/pki-tomcat/alias that were not renewing have now
>>> expired:
>>>       "subsystemCert cert-pki-ca" , "ocspSigningCert cert-pki-ca" ,
>>>       "/var/lib/ipa/ra-agent.pem"
>>>
>>> The "auditSigningCert cert-pki-ca" certificate is the only one which
>>> has been renewed. (Old Serial Number: 5 (0x5), New Serial Number:
>>> 536739845 (0x1ffe0005) valid till 2020)
>>>
>>> The userCertificate in (uid=ipara,ou=people,o=ipaca) and the IPA RA
>>> certificate in /var/lib/ipa/ra-agent.pem are matching and expired.
>>>
>>>
>>> pki-tomcat can no longer access the ldap.
>>>
>>>      slapi_ldap_bind - Error: could not send startTLS request: error
>>> -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not
>>> connected)
>>>
>>>
>>> Is there some way this situation can be solved?
>> Hi,
>>
>> you first need to identify which server is your renewal master and start
>> repairing that machine. You can use ipa config-show or a direct
>> ldapsearch as described here
>> (https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Identifying_current_first_master)
>> to find the renewal master.
>>
>> On the renewal master, check if the certificates have been properly
>> renewed. If it is not the case, you will need to chase the failure by
>> checking SE linux AVCs or errors in the journal produced by certmonger.
>> The renewal master really needs to be repaired first, as it is the
>> source containing some certs that will later be downloaded by the
>> other masters.
>>
>> Flo
>>
>>>
>>> Thanks
>>>
>>> Christof Schulze
>>>
>>>
>>>
>>> Request ID '20171206120336':
>>>      status: MONITORING
>>>      stuck: no
>>>      key pair storage:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>>      certificate:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>>> cert-pki-ca',token='NSS Certificate DB'
>>>      CA: dogtag-ipa-ca-renew-agent
>>>      issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some
>>> Institute (XXX) - FAU,C=DE,E=g...@example.com,L=FUERTH
>>>      subject: CN=CA Audit,O=XXXKD.FAU.DE,OU=Some Institute (XXX) -
>>> FAU,C=DE,E=g...@example.com,L=FUERTH
>>>      expires: 2020-01-19 13:22:53 UTC
>>>      key usage: digitalSignature,nonRepudiation
>>>      pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>      post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>> "auditSigningCert cert-pki-ca"
>>>      track: yes
>>>      auto-renew: yes
>>> Request ID '20171206120337':
>>>      status: MONITORING
>>>      stuck: no
>>>      key pair storage:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>>      certificate:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>>> cert-pki-ca',token='NSS Certificate DB'
>>>      CA: dogtag-ipa-ca-renew-agent
>>>      issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some
>>> Institute (XXX) - FAU,C=DE,E=g...@example.com,L=FUERTH
>>>      subject: CN=OCSP Subsystem,O=XXXKD.FAU.DE,OU=Some Institute
>>> (XXX) - FAU,C=DE,E=g...@example.com,L=FUERTH
>>>      expires: 2018-01-29 12:00:44 UTC
>>>      key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>      eku: id-kp-OCSPSigning
>>>      pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>      post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>> "ocspSigningCert cert-pki-ca"
>>>      track: yes
>>>      auto-renew: yes
>>> Request ID '20171206120338':
>>>      status: MONITORING
>>>      stuck: no
>>>      key pair storage:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>>      certificate:
>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>>> cert-pki-ca',token='NSS Certificate DB'
>>>      CA: dogtag-ipa-ca-renew-agent
>>>      issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some
>>> Institute (XXX) - FAU,C=DE,E=g...@example.com,L=FUERTH
>>>      subject: CN=CA Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX)
>>> - FAU,C=DE,E=g...@example.com,L=FUERTH
>>>      expires: 2018-01-29 12:00:44 UTC
>>>      key usage:
>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>      eku: id-kp-serverAuth,id-kp-clientAuth
>>>      pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>      post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>> "subsystemCert cert-pki-ca"
>>>      track: yes
>>>      auto-renew: yes
>>> Request ID '20171206120340':
>>>      status: MONITORING
>>>      stuck: no
>>>      key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>>>      certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>>>      CA: dogtag-ipa-ca-renew-agent
>>>      issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some
>>> Institute (XXX) - FAU,C=DE,E=g...@example.com,L=FUERTH
>>>      subject: CN=IPA RA,O=XXXKD.FAU.DE,OU=Some Institute (XXX) -
>>> FAU,C=DE,E=g...@example.com,L=FUERTH
>>>      expires: 2018-01-29 12:01:11 UTC
>>>      key usage:
>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>      eku: id-kp-serverAuth,id-kp-clientAuth
>>>      pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>>      post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>>      track: yes
>>>      auto-renew: yes
>>>
>>>
>>> On 30.01.2018 00:40, Fraser Tweedale via FreeIPA-users wrote:
>>>> On Mon, Jan 29, 2018 at 03:55:07PM +0100, Christof Schulze via
>>>> FreeIPA-users wrote:
>>>>> Hi,
>>>>>
>>>>> some certificates on our freeipa-cluster (3 servers) have not been
>>>>> renewed until now, 2 hours before expiring. Can this be a problem?
>>>>>
>>>>> Some of the certificates, the ones expiring, show "ca-error:
>>>>> Invalid cookie: ''" in the "getcert list" output, which makes me nervous.
>>>>>
>>>>> We also have the problem that certmonger cannot reach the CA
>>>>> (CA_UNREACHABLE) after restarting a freeipa-server. But when we restart
>>>>> certmonger.service after everything is up again, everything looks good.
>>>>>
>>>>> Maybe you can give me some advice on what to check and which other logs
>>>>> you would need.
>>>>>
>>>>>
>>>>> Thanks
>>>>>
>>>>> Christof Schulze
>>>>>
>>>> Hi Christof,
>>>>
>>>> Yes, it is a problem.  They should have been renewed before now.
>>>> The errors in `getcert list' output show that there has been a
>>>> problem.
>>>>
>>>> First, check that all certificates are valid, all certificates have
>>>> been synced across all masters using `ipa-certupdate` on each
>>>> master.  You should also check that the userCertificate attribute in
>>>> entry:
>>>>
>>>>    uid=ipara,ou=people,o=ipaca
>>>>
>>>> matches the actual IPA RA certificate in /var/lib/ipa/ra-agent.pem
>>>>
>>>> Also check that your topology has correct renewal master
>>>> configuration.  ldapsearch cn=masters,cn=ipa,cn=etc,dc=ipa,dc=local
>>>> with filter (&(cn=CA)(ipaConfigString=caRenewalMaster)).  It should
>>>> return exactly one entry and it must be a valid, active master.
>>>>
>>>> HTH,
>>>> Fraser
>>>
>>
> 
> 
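Rob and Flo both point at `getcert list` as the first thing to read. The script below is an added example (not code from this thread or from FreeIPA/certmonger): it parses `getcert list` output into one record per tracking request and flags the conditions discussed above: a status other than MONITORING, a stuck request, a `ca-error:` line, and a certificate that has expired or is inside the renewal window. The sample output is constructed to mirror the entries Christof posted (same NSS nicknames, file paths and expiry dates); the `ca-error` line, the CA_UNREACHABLE status and the `--sample` flag are assumptions made for the example.

```python
"""Flag certmonger tracking requests that need attention, from `getcert list` text.

Added example, not code from the thread or from FreeIPA. The sample output
below is constructed to mirror the entries posted in the thread; the ca-error
line and the CA_UNREACHABLE status are made up to exercise the checks.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample: three tracking requests as `getcert list` prints them.
SAMPLE_GETCERT_OUTPUT = """\
Request ID '20171206120336':
     status: MONITORING
     stuck: no
     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
     CA: dogtag-ipa-ca-renew-agent
     expires: 2020-01-19 13:22:53 UTC
     track: yes
     auto-renew: yes
Request ID '20171206120337':
     status: MONITORING
     ca-error: Invalid cookie: ''
     stuck: no
     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
     CA: dogtag-ipa-ca-renew-agent
     expires: 2018-01-29 12:00:44 UTC
     track: yes
     auto-renew: yes
Request ID '20171206120340':
     status: CA_UNREACHABLE
     stuck: yes
     key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
     certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
     CA: dogtag-ipa-ca-renew-agent
     expires: 2018-01-29 12:01:11 UTC
     track: yes
     auto-renew: yes
"""


def parse_getcert_list(text):
    """Split `getcert list` output into a list of dicts, one per Request ID.

    Every indented "key: value" line is stored under its key; values that
    themselves contain colons (ca-error, expires) are kept intact because
    only the first colon is treated as the separator.
    """
    requests = []
    current = None
    for line in text.splitlines():
        if line.startswith("Request ID '"):
            current = {"id": line.split("'")[1]}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests


def cert_name(req):
    """Human-readable name: NSS nickname if present, else the PEM path, else the ID."""
    cert = req.get("certificate", "")
    m = re.search(r"nickname='([^']*)'", cert) or re.search(r"location='([^']*)'", cert)
    return m.group(1) if m else req["id"]


def audit(requests, now=None, warn_days=28):
    """Return [(name, [problem, ...]), ...] for requests that need attention.

    `warn_days` approximates certmonger's default renewal window; a cert that
    is still MONITORING inside that window has already missed its renewal.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for req in requests:
        problems = []
        if req.get("status") != "MONITORING":
            problems.append("status " + req.get("status", "?"))
        if req.get("stuck") == "yes":
            problems.append("stuck")
        if "ca-error" in req:
            problems.append("ca-error: " + req["ca-error"])
        expires = req.get("expires")
        if expires:
            # getcert prints "YYYY-MM-DD HH:MM:SS UTC"; parse as an aware UTC datetime.
            exp_dt = datetime.strptime(expires.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
            remaining = exp_dt.replace(tzinfo=timezone.utc) - now
            if remaining <= timedelta(0):
                problems.append("EXPIRED " + expires)
            elif remaining <= timedelta(days=warn_days):
                problems.append("expires in %d days" % remaining.days)
        if problems:
            findings.append((cert_name(req), problems))
    return findings


if __name__ == "__main__":
    # Usage: `getcert list | python3 check_getcert.py`, or `--sample` for the built-in data.
    text = SAMPLE_GETCERT_OUTPUT if "--sample" in sys.argv else sys.stdin.read()
    for name, problems in audit(parse_getcert_list(text)):
        print("%s: %s" % (name, "; ".join(problems)))
```

Run on a real master the output is a short list of nicknames with their problems, which is exactly what to bring to the list (or to compare against `ipa config-show`'s renewal master) before touching CS.cfg: a request that is MONITORING with a `ca-error` and a near-expired certificate has silently failed renewal, while CA_UNREACHABLE plus `stuck: yes` is the restart-ordering symptom described earlier in the thread.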
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org