On 1/3/20 3:03 AM, luckydog xf via FreeIPA-users wrote:
On 12/31/19 1:47 AM, luckydog xf via FreeIPA-users wrote:
Hi,

can you check if the cert is revoked with:
$ certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'Server-Cert cert-pki-ca' | grep -i Serial
(note the Serial number)
$ ipa cert-show <serial found above>

Does the last command display "Revoked: True" with a Revocation reason
or "Revoked: False"?

flo


[root@ipa ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'Server-Cert cert-pki-ca' | grep serial -i
         Serial Number: 268238851 (0xffd0003)
****************************************************************

[root@ipa ~]# ipa cert-show 268238851
   Issuing CA: ipa
   Certificate:   ..... ### chopped ###

   Subject: CN=ipa.ipa.pthl.hk,O=IPA.PTHL.HK
   Issuer: CN=Certificate Authority,O=IPA.PTHL.HK
   Not Before: Tue Nov 21 08:43:11 2017 UTC
   Not After: Mon Nov 11 08:43:11 2019 UTC
   Serial number: 268238851
   Serial number (hex): 0xFFD0003
   Revoked: True
   Revocation reason: 0
---------------------------------------------------

Yes, this serial number was marked 'revoked'.

Hi,

the following is not a supported procedure, but you can try to manually edit the certificate entry and remove the revocation information. The entry is cn=<serial>,ou=certificaterepository,ou=ca,o=ipaca and you will need to remove the attributes revokedOn, revokedBy, revInfo and replace certStatus: REVOKED with certStatus: VALID.

You can use ldapmodify:

$ ldapmodify -D "cn=directory manager" -W -f mod.ldif

With the following mod.ldif:
$ cat mod.ldif
dn: cn=<serial>,ou=certificateRepository,ou=ca,o=ipaca
changetype: modify
delete: revokedOn
-
delete: revokedBy
-
delete: revInfo
-
replace: certStatus
certStatus: VALID

After that, check that the cert is not revoked any more with $ ipa cert-show <serial>, and you should be able to retry the renewal.
HTH,
flo
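The two steps in this thread (read the serial out of certutil, read the status out of ipa cert-show, then build the ldapmodify LDIF for that one serial) are small enough to script, which avoids typing the serial by hand into the LDIF. The script below is an added example, not code from the thread or from FreeIPA; the sample output it parses is constructed to mirror the format shown above, and the LDIF it emits is a copy of flo's manual, unsupported edit for a single serial. It assumes the output formats are exactly those shown in the thread.

```python
"""Parse certutil / `ipa cert-show` output and flag what blocks renewal.

Added example, not part of the thread. Sample inputs are constructed
to mirror the output shown in the mailing-list messages.
"""
import re
from datetime import datetime, timezone

# Constructed sample: shape of `certutil -L ... | grep -i serial` output.
CERTUTIL_SAMPLE = "        Serial Number: 268238851 (0xffd0003)\n"

# Constructed sample: shape of `ipa cert-show <serial>` output without the PEM blob.
CERT_SHOW_SAMPLE = """\
  Issuing CA: ipa
  Subject: CN=ipa.example.test,O=EXAMPLE.TEST
  Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
  Not Before: Tue Nov 21 08:43:11 2017 UTC
  Not After: Mon Nov 11 08:43:11 2019 UTC
  Serial number: 268238851
  Serial number (hex): 0xFFD0003
  Revoked: True
  Revocation reason: 0
"""


def parse_certutil_serial(text):
    """Return the decimal serial from certutil's 'Serial Number:' line."""
    m = re.search(r"Serial Number:\s*(\d+)", text)
    if not m:
        raise ValueError("no serial number found in certutil output")
    return int(m.group(1))


def _parse_ipa_time(value):
    # ipa prints e.g. 'Mon Nov 11 08:43:11 2019 UTC'; parse and pin to UTC.
    naive = datetime.strptime(value.replace(" UTC", ""), "%a %b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def parse_cert_show(text):
    """Turn the key/value lines of `ipa cert-show` into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        # Split on the first colon only: timestamps contain further colons.
        key, _, value = line.strip().partition(":")
        fields[key.strip()] = value.strip()
    reason = fields.get("Revocation reason")
    return {
        "subject": fields.get("Subject"),
        "issuer": fields.get("Issuer"),
        "serial": int(fields["Serial number"]),
        "not_after": _parse_ipa_time(fields["Not After"]),
        "revoked": fields.get("Revoked", "False") == "True",
        "revocation_reason": int(reason) if reason is not None else None,
    }


def assess(cert, now=None):
    """List the conditions on this cert that would stop a renewal attempt."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if cert["revoked"]:
        findings.append("revoked (reason %s)" % cert["revocation_reason"])
    if cert["not_after"] < now:
        findings.append("expired on %s" % cert["not_after"].date().isoformat())
    return findings


def build_unrevoke_ldif(serial):
    """LDIF mirroring flo's manual, unsupported un-revoke edit for one serial."""
    serial = int(serial)  # refuse anything that is not a plain integer serial
    return (
        "dn: cn=%d,ou=certificateRepository,ou=ca,o=ipaca\n" % serial
        + "changetype: modify\n"
        + "delete: revokedOn\n-\n"
        + "delete: revokedBy\n-\n"
        + "delete: revInfo\n-\n"
        + "replace: certStatus\ncertStatus: VALID\n"
    )


if __name__ == "__main__":
    serial = parse_certutil_serial(CERTUTIL_SAMPLE)
    cert = parse_cert_show(CERT_SHOW_SAMPLE)
    assert cert["serial"] == serial, "certutil and cert-show disagree on serial"
    for finding in assess(cert):
        print("finding:", finding)
    if cert["revoked"]:
        print(build_unrevoke_ldif(serial))  # feed this to ldapmodify -f
```

Running it on real output means piping `certutil ... | grep -i serial` and `ipa cert-show <serial>` into the two parsers instead of the constructed samples; the cross-check that both sources name the same serial guards against editing the wrong entry under ou=certificateRepository.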
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
