On 1/14/20 11:41 PM, Ferdinand Babas via FreeIPA-users wrote:
On 1/9/20 6:44 AM, Ferdinand Babas via FreeIPA-users wrote:
Hi,
you need to carefully pick the date in the past. At that given date, all
your certs must be valid (i.e. notbefore < date < notafter). It's likely
that you chose a date before the notbefore date of some of the certs.
flo
Hi flo,
Still working on this and I'm unsure exactly what to do next. Here are the Not
Before and Not After dates of all the certs:
/etc/dirsrv/slapd-CFHT-HAWAII-EDU,nickname='Server-Cert'
Not Before: Sat May 18 19:15:24 2019
Not After : Tue May 18 19:15:24 2021
/etc/httpd/alias,nickname='Server-Cert'
Not Before: Sat May 18 19:15:34 2019
Not After : Tue May 18 19:15:34 2021
/etc/httpd/alias,nickname='ipaCert'
Not Before: Wed Jun 14 06:06:40 2017
Not After : Tue Jun 04 06:06:40 2019
/etc/pki/pki-tomcat/alias,nickname='auditSigningCert cert-pki-ca'
Not Before: Wed Jun 14 20:45:05 2017
Not After : Tue Jun 04 20:45:05 2019
/etc/pki/pki-tomcat/alias,nickname='ocspSigningCert cert-pki-ca'
Not Before: Sat Jun 01 10:29:31 2019
Not After : Fri May 21 10:29:31 2021
/etc/pki/pki-tomcat/alias,nickname='subsystemCert cert-pki-ca'
Not Before: Thu Jun 29 04:28:11 2017
Not After : Wed Jun 19 04:28:11 2019
/etc/pki/pki-tomcat/alias,nickname='caSigningCert cert-pki-ca'
Not Before: Wed Jul 22 14:25:13 2015
Not After : Sun Jul 22 14:25:13 2035
/etc/pki/pki-tomcat/alias,nickname='Server-Cert cert-pki-ca'
Not Before: Tue May 07 19:15:22 2019
Not After : Mon Apr 26 19:15:22 2021
From what I can tell setting the date to 2019-06-02 should be fine so I did
that and restarted pki-tomcatd (which starts up fine when back dated).
Agreed, any date between June 1 and June 4 should be ok.
When I restart certmonger I'm getting log messages of:
Jun 3 00:00:24 francolin ns-slapd: [03/Jun/2019:00:00:24.572219961 -1000] csngen_new_csn - Warning: too much time skew (-19483202 secs). Current seqnum=1
Jun 3 00:00:24 francolin ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)
Jun 3 00:00:24 francolin ns-slapd: [03/Jun/2019:00:00:24.612098416 -1000] csngen_new_csn - Warning: too much time skew (-19483203 secs). Current seqnum=1
Jun 3 00:00:24 francolin ns-slapd: [03/Jun/2019:00:00:24.628118429 -1000] csngen_new_csn - Warning: too much time skew (-19483204 secs). Current seqnum=1
And getcert list displays the following:
...
Request ID '20170614061938':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=LOCAL
subject: CN=IPA RA,O=LOCAL
expires: 2019-06-04 06:06:40 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
ipaCert is the most important cert to renew and should be handled first.
The man page for getcert-list explains this error as:
NEED_CSR_GEN_TOKEN
The service was unable to find the token in which the key pair is supposed to be stored.
So I would check if /etc/httpd/alias has the right permissions, if
/etc/httpd/alias/pwdfile.txt contains the password for /etc/httpd/alias
and has the right permissions.
On a RHEL 7.2 system I can see:
[root ~]# ls -ld /etc/httpd/alias/
drwxr-xr-x. 2 root root 4096 Jan 15 10:48 /etc/httpd/alias/
[root ~]# ls -l /etc/httpd/alias/
total 188
-r--r--r--. 1 root root 1427 Jan 15 10:48 cacert.asc
-r--r--r--. 1 root root 1427 Jan 13 14:19 cacert.asc.orig
-rw-rw----. 1 root apache 65536 Jan 15 10:49 cert8.db
-rw-rw----. 1 root apache 65536 Jan 13 14:27 cert8.db.orig
-rw-------. 1 root root 5872 Nov 16 2018 install.log
-rw-rw----. 1 root apache 16384 Jan 15 10:49 key3.db
-rw-rw----. 1 root apache 16384 Jan 13 14:27 key3.db.orig
-r--r-----. 1 root apache 3481 Jan 15 10:47 kra-agent.pem
lrwxrwxrwx. 1 root root 33 Nov 16 2018 libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
-rw-rw----. 1 root apache 20 Jan 15 10:47 pwdfile.txt
-rw-rw----. 1 root apache 20 Jan 13 14:18 pwdfile.txt.orig
-rw-rw----. 1 root apache 16384 Jan 15 10:47 secmod.db
-rw-rw----. 1 root apache 16384 Jan 13 14:18 secmod.db.orig
And to check the password:
[root@ ~]# certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa 1b212c867ebde61fdc295ecd63ef690cd93fc783 NSS Certificate DB:ipaCert
< 1> rsa da7a2b61ed951d1cfff1309534a3232258da9487 NSS Certificate DB:Signing-Cert
< 2> rsa e5fdd7ec9d8daa97566695ac562fb1697a811401 NSS Certificate DB:Server-Cert
(if the password file is wrong, you will see: Incorrect password/PIN entered)
flo
Request ID '20170614062601':
status: MONITORING
ca-error: Server at "https://francolin.local:8443/ca/agent/ca/profileProcess" replied: 1: You did not provide a valid certificate for this operation
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=LOCAL
subject: CN=CA Audit,O=LOCAL
expires: 2019-06-04 20:45:05 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
...
Request ID '20170614062603':
status: MONITORING
ca-error: Server at "https://francolin.local:8443/ca/agent/ca/profileProcess" replied: 1: You did not provide a valid certificate for this operation
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=LOCAL
subject: CN=CA Subsystem,O=LOCAL
expires: 2019-06-19 04:28:11 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
...
Thanks for all of your help.
Ferdinand
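Editor's added example (not part of the thread, and not FreeIPA or certmonger code): flo's rule is that the back-date must satisfy notBefore < date < notAfter for every certificate involved, which Ferdinand worked out by hand from the listing above. The script below does that computation from the "Not Before" / "Not After" lines exactly as `certutil -L -d <dbdir> -n <nickname>` prints them, intersects the periods, and suggests a date a safe margin inside the window. It also wraps the `certutil -K -d <dbdir> -f <pwdfile>` check from flo's reply and recognises the "Incorrect password/PIN entered" failure string. SAMPLE_LISTINGS is constructed from the eight dates posted in the thread; the two subprocess helpers assume `certutil` is installed and are only run if you call them yourself.

```python
"""Pick a safe back-date for FreeIPA certificate renewal and check the NSS PIN file.

Added example; not code from the FreeIPA-users thread, FreeIPA or certmonger.
"""
from __future__ import annotations

import re
import subprocess
from datetime import datetime, timedelta
from typing import Iterable, Optional, Tuple

_FMT = "%a %b %d %H:%M:%S %Y"          # certutil's validity date format
_NOT_BEFORE = re.compile(r"Not Before\s*:\s*(.+)")
_NOT_AFTER = re.compile(r"Not After\s*:\s*(.+)")

Period = Tuple[datetime, datetime]


def parse_validity(certutil_output: str) -> Period:
    """(notBefore, notAfter) from one certificate's `certutil -L` output."""
    nb = _NOT_BEFORE.search(certutil_output)
    na = _NOT_AFTER.search(certutil_output)
    if not (nb and na):
        raise ValueError("validity lines not found in certutil output")
    return (datetime.strptime(nb.group(1).strip(), _FMT),
            datetime.strptime(na.group(1).strip(), _FMT))


def valid_window(periods: Iterable[Period]) -> Optional[Period]:
    """Intersection of all validity periods, or None if it is empty."""
    periods = list(periods)
    start = max(nb for nb, _ in periods)   # latest notBefore
    end = min(na for _, na in periods)     # earliest notAfter
    return (start, end) if start < end else None


def in_window(periods: Iterable[Period], iso_date: str) -> bool:
    """True if an ISO-8601 date/time lies strictly inside the common window."""
    window = valid_window(periods)
    if window is None:
        return False
    when = datetime.fromisoformat(iso_date)
    return window[0] < when < window[1]


def suggest_date(periods: Iterable[Period],
                 margin: timedelta = timedelta(hours=12)) -> Optional[datetime]:
    """A date `margin` past the latest notBefore (or the midpoint if the window
    is narrower than 2*margin); None if no single instant satisfies all certs.
    The margin keeps timezone conversion (the host above runs at UTC-10) and
    residual clock skew from landing on a boundary."""
    window = valid_window(periods)
    if window is None:
        return None
    start, end = window
    if end - start <= 2 * margin:
        return start + (end - start) / 2
    return start + margin


def certutil_validity(dbdir: str, nickname: str) -> Period:
    """Read one cert's validity from a real NSS database (assumes certutil is installed)."""
    out = subprocess.run(["certutil", "-L", "-d", dbdir, "-n", nickname],
                         check=True, capture_output=True, text=True).stdout
    return parse_validity(out)


def check_pin_file(dbdir: str, pwdfile: str) -> bool:
    """Run `certutil -K -d dbdir -f pwdfile`; False if the PIN file is rejected."""
    res = subprocess.run(["certutil", "-K", "-d", dbdir, "-f", pwdfile],
                         capture_output=True, text=True)
    if "Incorrect password/PIN entered" in res.stdout + res.stderr:
        return False
    return res.returncode == 0


# Constructed sample: the eight certificates from the listing in the thread,
# in the text shape certutil -L prints for the validity block.
SAMPLE_LISTINGS = {
    "/etc/dirsrv/slapd-CFHT-HAWAII-EDU Server-Cert":
        "Not Before: Sat May 18 19:15:24 2019\nNot After : Tue May 18 19:15:24 2021",
    "/etc/httpd/alias Server-Cert":
        "Not Before: Sat May 18 19:15:34 2019\nNot After : Tue May 18 19:15:34 2021",
    "/etc/httpd/alias ipaCert":
        "Not Before: Wed Jun 14 06:06:40 2017\nNot After : Tue Jun 04 06:06:40 2019",
    "auditSigningCert cert-pki-ca":
        "Not Before: Wed Jun 14 20:45:05 2017\nNot After : Tue Jun 04 20:45:05 2019",
    "ocspSigningCert cert-pki-ca":
        "Not Before: Sat Jun 01 10:29:31 2019\nNot After : Fri May 21 10:29:31 2021",
    "subsystemCert cert-pki-ca":
        "Not Before: Thu Jun 29 04:28:11 2017\nNot After : Wed Jun 19 04:28:11 2019",
    "caSigningCert cert-pki-ca":
        "Not Before: Wed Jul 22 14:25:13 2015\nNot After : Sun Jul 22 14:25:13 2035",
    "Server-Cert cert-pki-ca":
        "Not Before: Tue May 07 19:15:22 2019\nNot After : Mon Apr 26 19:15:22 2021",
}
SAMPLE_PERIODS = [parse_validity(text) for text in SAMPLE_LISTINGS.values()]

if __name__ == "__main__":
    window = valid_window(SAMPLE_PERIODS)
    print("common validity window:", window)
    print("suggested back-date:", suggest_date(SAMPLE_PERIODS))
    print("2019-06-02 inside window:", in_window(SAMPLE_PERIODS, "2019-06-02"))
```

On the thread's data the window is 2019-06-01 10:29:31 to 2019-06-04 06:06:40, bounded by the ocspSigningCert notBefore and the ipaCert notAfter, so Ferdinand's choice of 2019-06-02 is inside it and flo's "between June 1 and June 4" matches. If the intersection is empty the functions return None, which tells you no single back-date can satisfy every certificate and the renewals will have to be staged.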
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org