> On 1/9/20 6:44 AM, Ferdinand Babas via FreeIPA-users wrote:
> Hi,
> 
> you need to carefully pick the date in the past. At that given date, all 
> your certs must be valid (ie notbefore < date < notafter). It's likely 
> that you choose a date before the notbefore date of some of the certs.
> 
> flo

Hi flo,

Still working on this and I'm unsure exactly what to do next.  Here are the Not 
Before and Not After dates of all the certs:

/etc/dirsrv/slapd-CFHT-HAWAII-EDU,nickname='Server-Cert'
            Not Before: Sat May 18 19:15:24 2019
            Not After : Tue May 18 19:15:24 2021

/etc/httpd/alias,nickname='Server-Cert'
            Not Before: Sat May 18 19:15:34 2019
            Not After : Tue May 18 19:15:34 2021

/etc/httpd/alias,nickname='ipaCert'
            Not Before: Wed Jun 14 06:06:40 2017
            Not After : Tue Jun 04 06:06:40 2019

/etc/pki/pki-tomcat/alias,nickname='auditSigningCert cert-pki-ca'
            Not Before: Wed Jun 14 20:45:05 2017
            Not After : Tue Jun 04 20:45:05 2019

/etc/pki/pki-tomcat/alias,nickname='ocspSigningCert cert-pki-ca'
            Not Before: Sat Jun 01 10:29:31 2019
            Not After : Fri May 21 10:29:31 2021

/etc/pki/pki-tomcat/alias,nickname='subsystemCert cert-pki-ca'
            Not Before: Thu Jun 29 04:28:11 2017
            Not After : Wed Jun 19 04:28:11 2019

/etc/pki/pki-tomcat/alias,nickname='caSigningCert cert-pki-ca'
            Not Before: Wed Jul 22 14:25:13 2015
            Not After : Sun Jul 22 14:25:13 2035

/etc/pki/pki-tomcat/alias,nickname='Server-Cert cert-pki-ca'
            Not Before: Tue May 07 19:15:22 2019
            Not After : Mon Apr 26 19:15:22 2021

From what I can tell, setting the date to 2019-06-02 should be fine, so I did 
that and restarted pki-tomcatd (which starts up fine when back-dated).

When I restart certmonger I'm getting log messages of:

Jun  3 00:00:24 francolin ns-slapd: [03/Jun/2019:00:00:24.572219961 -1000] 
csngen_new_csn - Warning: too much time skew (-19483202 secs). Current seqnum=1
Jun  3 00:00:24 francolin ns-slapd: GSSAPI Error: Unspecified GSS failure.  
Minor code may provide more information (Ticket not yet valid)
Jun  3 00:00:24 francolin ns-slapd: [03/Jun/2019:00:00:24.612098416 -1000] 
csngen_new_csn - Warning: too much time skew (-19483203 secs). Current seqnum=1
Jun  3 00:00:24 francolin ns-slapd: [03/Jun/2019:00:00:24.628118429 -1000] 
csngen_new_csn - Warning: too much time skew (-19483204 secs). Current seqnum=1

And getcert list displays the following:

...
Request ID '20170614061938':
        status: NEED_CSR_GEN_TOKEN
        stuck: yes
        key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=LOCAL
        subject: CN=IPA RA,O=LOCAL
        expires: 2019-06-04 06:06:40 UTC
        key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20170614062601':
        status: MONITORING
        ca-error: Server at 
"https://francolin.local:8443/ca/agent/ca/profileProcess"; replied: 1: You did 
not provide a valid certificate for this operation
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=LOCAL
        subject: CN=CA Audit,O=LOCAL
        expires: 2019-06-04 20:45:05 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
...
Request ID '20170614062603':
        status: MONITORING
        ca-error: Server at 
"https://francolin.local:8443/ca/agent/ca/profileProcess"; replied: 1: You did 
not provide a valid certificate for this operation
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=LOCAL
        subject: CN=CA Subsystem,O=LOCAL
        expires: 2019-06-19 04:28:11 UTC
        key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
...

Thanks for all of your help.

Ferdinand
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org