From that I know you could trigger a refresh by restarting certmonger.
> On 9 Jul 2018, at 07:38, Thomas Letherby via FreeIPA-users > <freeipa-users@lists.fedorahosted.org> wrote: > > Hello Fraser, > > As I've been playing around with this before I dig in further I pulled the > expiry for the certificates across all the places I know to look, if I have a > cert listed, it's expired: > > certutil -d /etc/pki/pki-tomcat/alias -L Up to date > > certutil -d /etc/dirsrv/slapd-I-DOMAIN-NET -L > I.DOMAIN.NET <http://i.domain.net/> IPA CA > > certutil -d /etc/httpd/alias -L > Signing-Cert > I.DOMAIN.NET <http://i.domain.net/> IPA CA > > getcert-list all up to date. > > ipa-getcert list all up to date > > ldapsearch -Y GSSAPI -h `hostname` -p 389 -b "cn=I.DOMAIN.NET > <http://i.domain.net/> IPA > CA,cn=certificates,cn=ipa,cn=etc,dc=i,dc=DOMAIN,dc=net" > Expired > > ldapsearch -Y GSSAPI -h `hostname` -p 389 -b uid=pkidbuser,ou=people,o=ipaca > "(objectclass=*)" usercertificate > 1 - Expired > 2 - Expired > 3 - In date > > I've managed to narrow down the expiries to a crossover of one day, and > setting the date to that day allows Tomcat-PKI to start, but the above > results show that the certs haven't updated yet, but they may do in the next > few hours? > > Thomas > > > > On Sun, Jul 8, 2018 at 11:23 AM Fraser Tweedale <ftwee...@redhat.com > <mailto:ftwee...@redhat.com>> wrote: > On Fri, Jul 06, 2018 at 09:21:44PM -0700, Thomas Letherby wrote: > > Hello Fraser, > > > > The serial numbers appear to match, but if I run ipa-certupdate I get the > > following: > > > > ipa-certupdate > > trying https://server1.i.domain.net/ipa/json > > <https://server1.i.domain.net/ipa/json> > > Connection to https://server1.i.domain.net/ipa/json > > <https://server1.i.domain.net/ipa/json> failed with [SSL: > > CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579) > > > > Tomcat is the only service that appears to be failing with the following > > error: > > > > Internal Database Error encountered: Could not connect to LDAP server host > > xipa1.i.xrs444.net <http://xipa1.i.xrs444.net/> port 636 Error > > netscape.ldap.LDAPException: Unable to > > create socket: org.mozilla.jss.ssl.SSLSocketException: > > org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8181) > > Peer's Certificate has expired. (-1) > > > > But it should now be valid as I set the date back. If I set the date to > > today I get this error: > > > > Internal Database Error encountered: Could not connect to LDAP server host > > xipa1.i.xrs444.net <http://xipa1.i.xrs444.net/> port 636 Error > > netscape.ldap.LDAPException: Unable to > > create socket: org.mozilla.jss.ssl.SSLSocketException: > > org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-12195) > > Peer does not recognize and trust the CA that issued your certificate. (-1) > > > > Looks like it can't load because the certificate it uses isn't valid, if I > > roll the clock back so the CA cert is, the certificate Tomcat is using > > isn't valid and if I roll forward the CA cert isn't. > > > > How can I break this catch 22? > > > Which is the not-yet-valid certificate at the time to which you > rolled back? The subsystemCert or the 389DS server certificate? > > In either case, you can look in the Dogtag certificate repository > (ou=certificateRepository,ou=ca,o=ipaca) for a version of the > certificate that is valid at the relevant time. Copy the cert data > (you can base64-decode the value to get the binary DER certificate > data). Then you can delete the not-yet-valid-at-that-time > certificate from the NSSDB and add the appropriate certificate using > > certutil -d <nssdb-path> -A -i <cert-path> > > If the certificate in question is the Dogtag subsystemCert, you will > furthermore need to fix up the data in the uid=pkidbuser entry to > match the "current" certificate. > > HTH, > Fraser > > > > Thanks, > > > > Thomas > > > > > > > > > > On Fri, Jun 29, 2018 at 12:10 AM Fraser Tweedale <ftwee...@redhat.com > > <mailto:ftwee...@redhat.com>> > > wrote: > > > > > On Thu, Jun 28, 2018 at 06:01:18PM -0700, Thomas Letherby wrote: > > > > Hello all, > > > > > > > > Here's the info: > > > > > > > > certutil -d /etc/dirsrv/slapd-I-domain-NET -L > > > > > > > > Certificate Nickname Trust > > > > Attributes > > > > > > > > SSL,S/MIME,JAR/XPI > > > > > > > > Server-Cert u,u,u > > > > O=domain,ST=Arizona,C=US CT,C,C > > > > I.domain.NET <http://i.domain.net/> IPA CA > > > > CT,C,C > > > > > > > > I.domain.NET <http://i.domain.net/> IPA CA is out of date for those. > > > > > > > Try running ipa-certupdate. It will update the IPA CA certificate > > > in the various trust stores including the DS NSSDB. > > > > > > It reads the certificates from > > > > > > cn=YOUR.DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,{basedn} > > > > > > so you should probably check that the certificate in that entry is > > > up to date also. > > > > > > Cheers, > > > Fraser > > > > > > > certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' > > > -a > > > > Not After : Fri Jun 05 01:32:01 2020 > > > > Matches > > > > ldapsearch -Y GSSAPI -h `hostname` -p 389 -b > > > > uid=pkidbuser,ou=people,o=ipaca "(objectclass=*)" usercertificate > > > > > > > > Thomas > > > > > > > > > > > > > > > > > > > > On Thu, Jun 28, 2018 at 5:56 AM Rob Crittenden <rcrit...@redhat.com > > > > <mailto:rcrit...@redhat.com>> > > > wrote: > > > > > > > > > Thomas Letherby via FreeIPA-users wrote: > > > > > > Hello Florence, > > > > > > > > > > > > It was the Signing-Cert and the I.domain.NET <http://i.domain.net/> > > > > > > <http://I.domain.NET <http://i.domain.net/>> > > > IPA > > > > > > CA cert. By setting the clock back I managed to get those to renew, > > > now > > > > > > it seems I just need to get tomcat-pki to start. > > > > > > > > > > > > The error is: > > > > > > > > > > > > Internal Database Error encountered: Could not connect to LDAP > > > > > > server > > > > > > host xipa1.i.xrs444.net <http://xipa1.i.xrs444.net/> > > > > > > <http://xipa1.i.xrs444.net <http://xipa1.i.xrs444.net/>> port 636 > > > > > > Error > > > > > > netscape.ldap.LDAPException: Unable to create socket: > > > > > > org.mozilla.jss.ssl.SSLSocketException: > > > > > > org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: > > > > > > (-12195) Peer does not recognize and trust the CA that issued your > > > > > > certificate. (-1) > > > > > > > > > > > > certutil -d /etc/pki/pki-tomcat/alias -L > > > > > > > > > > > > Certificate Nickname Trust > > > > > > Attributes > > > > > > > > > > > > SSL,S/MIME,JAR/XPI > > > > > > > > > > > > Server-Cert cert-pki-ca u,u,u > > > > > > ocspSigningCert cert-pki-ca u,u,u > > > > > > O=domain,ST=Arizona,C=US CT,C,C > > > > > > auditSigningCert cert-pki-ca u,u,Pu > > > > > > subsystemCert cert-pki-ca u,u,u > > > > > > caSigningCert cert-pki-ca > > > CTu,Cu,Cu > > > > > > > > > > > > These are all set to expire in 2020 or beyond. > > > > > > > > > > > > certutil -d /etc/httpd/alias -L Server-Cert > > > > > > > > > > > > Certificate Nickname Trust > > > > > > Attributes > > > > > > > > > > > > SSL,S/MIME,JAR/XPI > > > > > > > > > > > > Signing-Cert u,u,u > > > > > > O=xrs444,ST=Arizona,C=US CT,C,C > > > > > > I.XRS444.NET <http://i.xrs444.net/> <http://I.XRS444.NET > > > > > > <http://i.xrs444.net/>> IPA CA > > > > > > CT,C,C > > > > > > Server-Cert u,u,u > > > > > > > > > > > > I.XRS444.NET <http://i.xrs444.net/> <http://I.XRS444.NET > > > > > > <http://i.xrs444.net/>> IPA CA and Signing-Cert are the > > > > > > expired certs here. > > > > > > > > > > Don't worry about Signing-Cert. It is the cert used to sign the jar > > > file > > > > > used to autoconfigure Firefox. You should never need to re-sign one > > > > > again (and this method isn't allowed in modern Firefox anyway). > > > > > > > > > > rob > > > > > > > > > > > > > > > > > Thomas > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > On Wed, Jun 27, 2018 at 12:20 AM Florence Blanc-Renaud < > > > f...@redhat.com <mailto:f...@redhat.com> > > > > > > <mailto:f...@redhat.com <mailto:f...@redhat.com>>> wrote: > > > > > > > > > > > > On 06/27/2018 07:02 AM, Thomas Letherby via FreeIPA-users wrote: > > > > > > > After some fiddling with dates some more I seem to have the > > > HTTPD > > > > > > cert > > > > > > > in sync, however it appears the cert signing cert is expired. > > > > > > > > > > > > > > named also says it's starting, but doesn't seem to want to > > > respond. > > > > > > > > > > > > > > I don't have time to dig into it more tonight, but let me know > > > what > > > > > > > other information or tests I can run and I'll get them posted > > > > > > tomorrow. > > > > > > > > > > > > > > Thanks all. > > > > > > > > > > > > > > Thomas > > > > > > > > > > > > > > On Mon, Jun 25, 2018 at 5:11 PM Thomas Letherby < > > > xrs...@xrs444.net <mailto:xrs...@xrs444.net> > > > > > > <mailto:xrs...@xrs444.net <mailto:xrs...@xrs444.net>> > > > > > > > <mailto:xrs...@xrs444.net <mailto:xrs...@xrs444.net> > > > > > > <mailto:xrs...@xrs444.net <mailto:xrs...@xrs444.net>>>> wrote: > > > > > > > > > > > > > > Hello, > > > > > > > > > > > > > > I think this is everything (domain name changed to protect > > > the > > > > > > > guilty!): > > > > > > > > > > > > > > https://pastebin.com/bF1KR7VJ > > > > > > <https://pastebin.com/bF1KR7VJ> > > > > > > > > > > > > > Hi Thomas, > > > > > > > > > > > > in the provided pastebin, the error 'certutil: function failed: > > > > > > SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an > > > old, > > > > > > unsupported format' can be easily explained: there is a typo in > > > the > > > > > > directory path. > > > > > > You can try with certutil -d /etc/pki/pki-tomcat/alias -L -n > > > > > <nickname> > > > > > > (note the pki-tomcat instead of pki-tomcat*d*). > > > > > > > > > > > > You mention that the cert signing cert is expired, can you > > > clarify > > > > > > which > > > > > > certificate this is? Please provide the subject name, > > > > > > certificate > > > > > > nickname and location. > > > > > > > > > > > > Flo > > > > > > > I pulled the same on the replica, which appears to be > > > playing > > > > > > up too > > > > > > > in a similar fashion. > > > > > > > > > > > > > > I did just notice the date on the replica is out, I never > > > set > > > > > it > > > > > > > back when I was trying to get the cert to renew. > > > > > > > > > > > > > > Let me know if you need anything else. > > > > > > > > > > > > > > Thanks, > > > > > > > > > > > > > > Thomas > > > > > > > > > > > > > > On Sun, Jun 24, 2018 at 8:43 PM Fraser Tweedale > > > > > > <ftwee...@redhat.com <mailto:ftwee...@redhat.com> > > > > > > <mailto:ftwee...@redhat.com <mailto:ftwee...@redhat.com>> > > > > > > > <mailto:ftwee...@redhat.com <mailto:ftwee...@redhat.com> > > > > > > <mailto:ftwee...@redhat.com <mailto:ftwee...@redhat.com>>>> > > > > > wrote: > > > > > > > > > > > > > > On Fri, Jun 22, 2018 at 11:16:21PM -0700, Thomas > > > Letherby > > > > > via > > > > > > > FreeIPA-users wrote: > > > > > > > > Hello all, > > > > > > > > I had an issue a short while ago with a replica > > > which > > > > > > turned > > > > > > > out to be an > > > > > > > > expired certificate which I renewed and all seemed > > > good. > > > > > > > > > > > > > > > > Seemed... > > > > > > > > > > > > > > > > It now appears that although the certificate > > > renewed as > > > > > > seen > > > > > > > by getcert > > > > > > > > -list, it didn't update /etc/httpd/alias and so the > > > > > > httpd and > > > > > > > tomcat-pki > > > > > > > > services won't start unless I set the date to > > > before the > > > > > > > certificate > > > > > > > > expired, and even then sometimes the httpd > > > > > > error_log > > > > > shows: > > > > > > > > Unable to verify certificate 'Server-Cert'. Add > > > > > > > "NSSEnforceValidCerts off" > > > > > > > > to nss.conf so the server can start until the > > > problem > > > > > > can be > > > > > > > resolved. > > > > > > > > and the service fails to start. > > > > > > > > > > > > > > > Hi Thomas, > > > > > > > > > > > > > > Can you please show `getcert list` output on the > > > server in > > > > > > question, > > > > > > > as well as the output of > > > > > > > > > > > > > > certutil -d /etc/httpd/alias -L Server-Cert > > > > > > > > > > > > > > and > > > > > > > > > > > > > > certutil -d /etc/pki/pki-tomcatd/alias -L > > > <nickname> > > > > > > > > > > > > > > for each nickname in the /etc/pki/pki-tomcatd/alias > > > NSSDB. > > > > > > > > > > > > > > And Certmonger journal output. And pki debug log > > > > > > > /var/log/pki/pki-tomcat/ca/debug. > > > > > > > > > > > > > > It is strange that `getcert list' shows an up to date > > > > > > certificate > > > > > > > while the actual certificate that is being tracked is > > > > > > expired... > > > > > > > > > > > > > > Thanks, > > > > > > > Fraser > > > > > > > > > > > > > > > I've tried resubmitting the certificate, and it > > > doesn't > > > > > > seem > > > > > > > to throw an > > > > > > > > error, but it doesn't update /alias either. > > > > > > > > Trying to access the server via the web page shows > > > the > > > > > old > > > > > > > certificate > > > > > > > > still in use. > > > > > > > > I see the same certificate error with the replica > > > > > server, > > > > > > > which was freshly > > > > > > > > rebuilt and added last week. > > > > > > > > I've doubtless dug further into the hole trying to > > > > > > > troubleshoot this, so I > > > > > > > > probably need to start from the beginning again, > > > and a > > > > > > > pointer in the right > > > > > > > > direction would be a great help! > > > > > > > > > > > > > > > > A getcert list shows all the certificates expiry > > > dates > > > > > well > > > > > > > into the future. > > > > > > > > > > > > > > > > How can I get the certs back in sync? I've found a > > > few > > > > > > guides > > > > > > > and most seem > > > > > > > > to be for earlier versions, and I'm not sure if > > > they're > > > > > > still > > > > > > > current. > > > > > > > > > > > > > > > > I can post whatever logs you think will help, I'm > > > > > > afraid I'm > > > > > > > not familiar > > > > > > > > enough with them all to tell which are the most > > > > > > relevant. Is > > > > > > > there a guide > > > > > > > > for the logs? > > > > > > > > > > > > > > > > Thanks for any help you can give, > > > > > > > > > > > > > > > > Thomas > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > > FreeIPA-users mailing list -- > > > > > > > freeipa-users@lists.fedorahosted.org > > > > > > <mailto:freeipa-users@lists.fedorahosted.org> > > > > > > <mailto:freeipa-users@lists.fedorahosted.org > > > > > > <mailto:freeipa-users@lists.fedorahosted.org>> > > > > > > > <mailto:freeipa-users@lists.fedorahosted.org > > > > > > <mailto:freeipa-users@lists.fedorahosted.org> > > > > > > <mailto:freeipa-users@lists.fedorahosted.org > > > > > > <mailto:freeipa-users@lists.fedorahosted.org>>> > > > > > > > > To unsubscribe send an email to > > > > > > > freeipa-users-le...@lists.fedorahosted.org > > > > > > <mailto:freeipa-users-le...@lists.fedorahosted.org> > > > > > > <mailto:freeipa-users-le...@lists.fedorahosted.org > > > > > > <mailto:freeipa-users-le...@lists.fedorahosted.org>> > > > > > > > <mailto:freeipa-users-le...@lists.fedorahosted.org > > > > > > <mailto:freeipa-users-le...@lists.fedorahosted.org> > > > > > > <mailto:freeipa-users-le...@lists.fedorahosted.org > > > > > > <mailto:freeipa-users-le...@lists.fedorahosted.org>>> > > > > > > > > Fedora Code of Conduct: > > > > > > > https://getfedora.org/code-of-conduct.html > > > > > > <https://getfedora.org/code-of-conduct.html> > > > > > > > > List Guidelines: > > > > > > > > > > > > > https://fedoraproject.org/wiki/Mailing_list_guidelines > > > > > > <https://fedoraproject.org/wiki/Mailing_list_guidelines> > > > > > > > > List Archives: > > > > > > > > > > > > > > > > > > > > > https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/CAXKCVP42DLWJQV2TAJFFCR2NG2CBO27/ > > > > > > <https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/CAXKCVP42DLWJQV2TAJFFCR2NG2CBO27/> > > > > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > FreeIPA-users mailing list -- > > > freeipa-users@lists.fedorahosted.org > > > <mailto:freeipa-users@lists.fedorahosted.org> > > > > > > <mailto:freeipa-users@lists.fedorahosted.org > > > > > > <mailto:freeipa-users@lists.fedorahosted.org>> > > > > > > > To unsubscribe send an email to > > > > > > freeipa-users-le...@lists.fedorahosted.org > > > > > > <mailto:freeipa-users-le...@lists.fedorahosted.org> > > > > > > <mailto:freeipa-users-le...@lists.fedorahosted.org > > > > > > <mailto:freeipa-users-le...@lists.fedorahosted.org>> > > > > > > > Fedora Code of Conduct: > > > https://getfedora.org/code-of-conduct.html > > > <https://getfedora.org/code-of-conduct.html> > > > > > > > List Guidelines: > > > > > > https://fedoraproject.org/wiki/Mailing_list_guidelines > > > > > > <https://fedoraproject.org/wiki/Mailing_list_guidelines> > > > > > > > List Archives: > > > > > > > > > > > > > > https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/RAEH5S7INPORXEK7ZKGQTLXEHH3CH4S4/ > > > > > > <https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/RAEH5S7INPORXEK7ZKGQTLXEHH3CH4S4/> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > > > > > > <mailto:freeipa-users@lists.fedorahosted.org> > > > > > > To unsubscribe send an email to > > > > > freeipa-users-le...@lists.fedorahosted.org > > > > > <mailto:freeipa-users-le...@lists.fedorahosted.org> > > > > > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > > > > > > <https://getfedora.org/code-of-conduct.html> > > > > > > List Guidelines: > > > https://fedoraproject.org/wiki/Mailing_list_guidelines > > > <https://fedoraproject.org/wiki/Mailing_list_guidelines> > > > > > > List Archives: > > > > > > > > https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/GTA5E2BV7VO24KL25TST5DTDXRAYOKDG/ > > > > > > <https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/GTA5E2BV7VO24KL25TST5DTDXRAYOKDG/> > > > > > > > > > > > > > > > > > > > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/Z2CWAOM4HBHXWBCQRFJXFCHMOEBRFPPO/ > > <https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/Z2CWAOM4HBHXWBCQRFJXFCHMOEBRFPPO/>
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/LQOLUUVXTHR2WBB4A6SRGM6HAL5TMC2O/