On 7/5/20 2:23 AM, Ilya Kogan via FreeIPA-users wrote:
Hi,

I seem to be facing a similar issue with one of my KRAs. My KRA certificates were, for some reason, not automatically renewed when they expired last month. Using `ipa-cert-fix` correctly fixed them on _one_ host. On the other, they seem to be stuck in the renewal state and `ipa-cert-fix` claims there's nothing to do:

```
Request ID '20191031183458':
        status: MONITORING
        ca-error: Server at "http://ipa-one.mydomain.org:8080/ca/ee/ca/profileSubmit"; replied: Missing credential: sessionID
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-kra',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-kra',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=MYDOMAIN.ORG
        subject: CN=KRA Audit,O=MYDOMAIN.ORG
        expires: 2020-06-27 01:54:34 EDT
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-kra"
        track: yes
        auto-renew: yes
Request ID '20191031183459':
        status: MONITORING
        ca-error: Server at "http://ipa-one.mydomain.org:8080/ca/ee/ca/profileSubmit"; replied: Missing credential: sessionID
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='transportCert cert-pki-kra',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='transportCert cert-pki-kra',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=MYDOMAIN.ORG
        subject: CN=KRA Transport Certificate,O=MYDOMAIN.ORG
        expires: 2020-06-27 01:54:30 EDT
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "transportCert cert-pki-kra"
        track: yes
        auto-renew: yes
Request ID '20191031183500':
        status: MONITORING
        ca-error: Server at "http://ipa-one.mydomain.org:8080/ca/ee/ca/profileSubmit"; replied: Missing credential: sessionID
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='storageCert cert-pki-kra',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='storageCert cert-pki-kra',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=MYDOMAIN.ORG
        subject: CN=KRA Storage Certificate,O=MYDOMAIN.ORG
        expires: 2020-06-27 01:54:32 EDT
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "storageCert cert-pki-kra"
        track: yes
        auto-renew: yes
```

Here is the sequence of events that seems to have led to this:

1. Install FreeIPA Master many years ago and continue to upgrade it from time to time.
2. Install FreeIPA Replica a few years after and continue to upgrade it from time to time.
3. Allow the certificates to expire on both nodes.
4. Attempt to patch the replica via `yum upgrade` on the second node.
5. Notice after reboot that `pki-tomcatd` is having trouble and discover certificate issues.
5. Issue `ipa-cert-fix`, reboot again, and notice that things are working. Try and create a key in the vault.
6. Attempt to patch the master via `yum upgrade` on the first node.
7. Notice after reboot that everything seems to be ok. Try and create a key in the vault.
8. Notice a few days later that renewal seems to be broken on the first node.

At this point `ipa-cert-fix` just shows that everything is fine. If I run it with -v, and then check the "storageCert cert-pki-kra" certificate with `openssl x509 -text -in`, I'm shown:

```
        Validity
            Not Before: Jun 29 00:52:33 2020 GMT
            Not After : Jun 19 00:52:33 2022 GMT
```

Hi,
just double-checking, but did you run ipa-cert-fix on the replica that was repaired in step 5? If that's the case, it's normal that ipa-cert-fix does not see any issue as it's running only locally and does not attempt to repair remote nodes.

You will need to login to the node with expired certs and run ipa-cert-fix there.

HTH,
flo


On the second node, `getcert list` shows correct expirations for those certificates:

```
Request ID '20191206005909':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='storageCert cert-pki-kra',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='storageCert cert-pki-kra',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=MYDOMAIN.ORG
        subject: CN=KRA Storage Certificate,O=MYDOMAIN.ORG
        expires: 2022-06-18 20:52:33 EDT
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "storageCert cert-pki-kra"
        track: yes
        auto-renew: yes
```

It seems like _something_, perhaps `ipa-cert-fix` somehow renewed these certificates but...outside of certmonger? Is this some other version of https://bugzilla.redhat.com/show_bug.cgi?id=1788907? The certificates are not in CA_WORKING though, they're in MONITORING.

What can I do to get myself out of this state as it seems like I'm in a "this could explode at any moment" situation?

This is on Fedora 30 with IPA version:

```
Last metadata expiration check: 0:23:05 ago on Sat 04 Jul 2020 07:59:16 PM EDT.
Installed Packages
Name         : certmonger
Version      : 0.79.9
Release      : 1.fc30
Architecture : x86_64
Size         : 3.4 M
Source       : certmonger-0.79.9-1.fc30.src.rpm
Repository   : @System
From repo    : updates

.. snip ..

Name         : freeipa-server
Version      : 4.8.3
Release      : 1.fc30
Architecture : x86_64
Size         : 1.3 M
Source       : freeipa-4.8.3-1.fc30.src.rpm
Repository   : @System
From repo    : updates

.. snip ..
```

Thanks!

Ilya Kogan
w: github.com/ikogan
e: iko...@mythicnet.org
twitter.com/ilkogan | linkedin.com/in/ilyakogan/
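A check in the spirit of the diagnosis above, added here as an example and not code from the thread or from FreeIPA: it parses constructed `getcert list` text modelled on the output quoted above and compares each tracked expiry with the certificate's real Not After as `openssl x509` prints it, flagging entries that carry a ca-error or whose on-disk certificate no longer matches what certmonger expects (the "renewed outside certmonger" state). The zone offsets and the sample records are assumptions.

```python
"""Cross-check certmonger's view of tracked certificates against the
certificates actually on disk. Sample data is constructed from the thread."""
import re
from datetime import datetime, timedelta, timezone

# Assumed UTC offsets for the zone abbreviations seen in the outputs above.
TZ_OFFSETS = {"GMT": 0, "UTC": 0, "EDT": -4, "EST": -5}

def parse_getcert_list(text):
    """Turn `getcert list` output into one dict of 'key: value' fields per Request ID."""
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '(\d+)':", line)
        if m:
            current = {"id": m.group(1)}
            entries.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.strip().partition(":")   # first colon only
        current[key.strip()] = value.strip()
    return entries

def to_utc(stamp, fmt):
    """Parse a timestamp ending in a zone abbreviation into an aware UTC datetime."""
    *parts, zone = stamp.split()
    naive = datetime.strptime(" ".join(parts), fmt)
    return naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS[zone]))).astimezone(timezone.utc)

def audit(getcert_text, on_disk_not_after):
    """on_disk_not_after maps NSS nickname -> openssl 'Not After' string.
    Returns (request id, nickname, finding) tuples; empty means consistent."""
    findings = []
    for e in parse_getcert_list(getcert_text):
        nick = re.search(r"nickname='([^']+)'", e.get("certificate", "")).group(1)
        if e.get("ca-error"):
            findings.append((e["id"], nick, "ca-error: " + e["ca-error"]))
        tracked = to_utc(e["expires"], "%Y-%m-%d %H:%M:%S")
        actual = to_utc(on_disk_not_after[nick], "%b %d %H:%M:%S %Y")
        if abs(actual - tracked) > timedelta(minutes=1):
            findings.append((e["id"], nick, f"certmonger expects expiry {tracked:%Y-%m-%d} but the "
                             f"certificate on disk expires {actual:%Y-%m-%d}: renewed outside certmonger"))
    return findings

# Constructed samples: node one (stale tracking entry) and node two (consistent).
NODE_ONE_GETCERT = """Request ID '20191031183500':
        status: MONITORING
        ca-error: Server at "http://ipa-one.mydomain.org:8080/ca/ee/ca/profileSubmit" replied: Missing credential: sessionID
        stuck: no
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='storageCert cert-pki-kra',token='NSS Certificate DB'
        expires: 2020-06-27 01:54:32 EDT
"""
NODE_TWO_GETCERT = NODE_ONE_GETCERT.replace("20191031183500", "20191206005909").replace(
    "2020-06-27 01:54:32 EDT", "2022-06-18 20:52:33 EDT")
NODE_TWO_GETCERT = "\n".join(l for l in NODE_TWO_GETCERT.splitlines() if "ca-error" not in l)
ON_DISK = {"storageCert cert-pki-kra": "Jun 19 00:52:33 2022 GMT"}
```

`audit(NODE_ONE_GETCERT, ON_DISK)` reports both the ca-error and the two-year gap between the tracked and real expiry, while `audit(NODE_TWO_GETCERT, ON_DISK)` returns nothing.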


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
