[Freeipa-users] Re: subsystemCert appears out of date

[Florence Blanc-Renaud via FreeIPA-users]

On 11/17/20 10:19 AM, Marc Pearson | i-Neda Ltd wrote:
Hi Flo,
Thanks for the help. Included is the output of all the commands as you 
requested. These were all run from a single freeIPA server (red-auth01).

kinit admin; ipa server-role-find --role "CA server"
Password for ad...@int.i-neda.com:
----------------------
8 server roles matched
----------------------
   Server name: power-auth03.int.i-neda.com
   Role name: CA server
   Role status: enabled

   Server name: power-auth04.int.i-neda.com
   Role name: CA server
   Role status: absent

   Server name: red-auth01.int.i-neda.com
   Role name: CA server
   Role status: enabled

   Server name: red-auth02.int.i-neda.com
   Role name: CA server
   Role status: enabled

   Server name: red-auth03.int.i-neda.com
   Role name: CA server
   Role status: enabled

   Server name: red-auth04.int.i-neda.com
   Role name: CA server
   Role status: enabled

   Server name: white-auth01.int.i-neda.com
   Role name: CA server
   Role status: enabled

   Server name: white-auth02.int.i-neda.com
   Role name: CA server
   Role status: enabled
----------------------------
Number of entries returned 8
----------------------------


  kinit admin; ipa config-show | grep "renewal"
Password for ad...@int.i-neda.com:
   IPA CA renewal master: red-auth01.int.i-neda.com


rpm -qa | grep ipa-server
ipa-server-common-4.6.8-5.el7.centos.noarch
ipa-server-4.6.8-5.el7.centos.x86_64
ipa-server-dns-4.6.8-5.el7.centos.noarch


getcert list
Number of certificates and requests being tracked: 8.
Request ID '20171101175244':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: SelfSign
issuer: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM
subject: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM
expires: 2021-08-10 14:04:07 UTC
principal name: krbtgt/int.i-neda....@int.i-neda.com
certificate template/profile: KDCs_PKINIT_Certs
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes

Request ID '20180722081853':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
subject: CN=CA Audit,O=INT.I-NEDA.COM
expires: 2022-09-16 12:36:41 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes

Request ID '20180722081854':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS 
Certificate DB',pin set
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS 
Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
subject: CN=OCSP Subsystem,O=INT.I-NEDA.COM
expires: 2022-09-16 12:35:31 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180722081855':
status: CA_UNREACHABLE
ca-error: Error 58 connecting to 
https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: 
Problem with the local SSL certificate.
stuck: no
key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB',pin set
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
subject: CN=CA Subsystem,O=INT.I-NEDA.COM
expires: 2020-10-24 07:04:35 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes

Request ID '20180722081856':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
subject: CN=Certificate Authority,O=INT.I-NEDA.COM
expires: 2040-10-10 07:51:04 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"caSigningCert cert-pki-ca"
track: yes
auto-renew: yes

Request ID '20180722081857':
status: CA_UNREACHABLE
ca-error: Error 58 connecting to 
https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: 
Problem with the local SSL certificate.
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
subject: CN=IPA RA,O=INT.I-NEDA.COM
expires: 2020-10-24 07:03:24 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes

Request ID '20180722081858':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert 
cert-pki-ca',token='NSS Certificate DB',pin set
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert 
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
subject: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM
expires: 2021-02-09 11:59:57 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"Server-Cert cert-pki-ca"
track: yes
auto-renew: yes

Request ID '20200530130439':
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes
key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes

Hi Marc,

so the current situation is the following:
- red-auth01 is the renewal master, with multiple replicas hosting the 
CA role.
- on this server, 'subsystemCert cert-pki-ca' is expired (expires: 
2020-10-24 07:04:35 UTC) as well as /var/lib/ipa/ra-agent.pem (expires: 
2020-10-24 07:03:24 UTC).
- there is also an issue with the tracking of the cert used by HTTP

But one of your comments is puzzling me:

The signing SSL (int.i-neda.com) is a full wildcard block chain that is 
authorized by a recognised 3rd party. It's worth noting though, that we 
had some issues with the block chain back in April as the thrid parties 
block chain expired. So it's possible that this is as a result of that 
issue, and may require some fettling to resolve. All help is appreciated.
Did you import the new CA chain at that time using ipa-cacert-manage 
install / ipa-certupdate?

According to getcert output, the IPA CA is now self-signed. It looks a 
lot like issue https://pagure.io/freeipa/issue/8176 where the 
externally-signed IPA CA is renewed/replaced with a self-signed CA.

As you have ipa 4.6.8-5, the ipa-cert-fix utility is available on your 
system. It will be easier to use this tool to fix the server:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#renewing-expired-system-certificate-when-idm-is-offline

Once the systems are up again, you can switch back to an 
externally-signed ipa CA:
- import the external CA chain using ipa-cacert-manage install + run 
ipa-certupdate on all the ipa nodes
- switch to externally-signed CA with ipa-cacert-manage renew 
--external-ca command 
(https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#manual-cert-renewal-ext)

HTH,
flo

My current tempory work around is to set the local clock of the OS back 
by over a month so the server belives the expired CA's are still valid.

Kind Regards,

Marc.
------------------------------------------------------------------------
*From:* Florence Blanc-Renaud <f...@redhat.com>
*Sent:* 16 November 2020 14:35
*To:* FreeIPA users list <freeipa-users@lists.fedorahosted.org>
*Cc:* Marc Pearson | i-Neda Ltd <mpear...@i-neda.com>
*Subject:* Re: [Freeipa-users] subsystemCert appears out of date
On 11/16/20 10:03 AM, Marc Pearson | i-Neda Ltd via FreeIPA-users wrote:
Hi All,

My subsystem cert appears to have gone out of date, and I’m unable to 
get it to update. This has become an issue on my production environment, 
and my current work around has been to take the system date back by a 
month. I’ve tried the cert renew tool, but this doesn’t seem to have 
updated this cert.

Is anyone able to point me in the right direction to be able to update 
this specific certificate as I’ve been unable to find anything online.

[auth01 ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert 
cert-pki-ca'

Certificate:

      Data:

          Version: 3 (0x2)

          Serial Number: 42 (0x2a)

          Signature Algorithm: PKCS #1 SHA-256 With RSA 
Encryption

          Issuer: "CN=Certificate 
Authority,O=INT.I-NEDA.COM"

          Validity:

              Not Before: Sun Nov 04 08:04:35 
2018

Not After : Sat Oct 24 07:04:35 2020

          Subject: "CN=CA Subsystem,O=INT.I-NEDA.COM"

          Subject Public Key Info:

              Public Key Algorithm: PKCS #1 
RSA Encryption

              RSA Public Key:

                  Modulus:

                      
c6:7e:e6:40:8f:6e:77:07:8f:2a:ca:ca:63:63:cf:c6:

                      
5f:1c:09:63:4a:bb:17:68:17:cd:20:9b:f3:b0:5b:c0:

                      
f7:ff:72:07:1d:a2:29:93:61:62:5c:9f:04:d3:cb:7b:

                      
bf:53:de:bb:dd:d6:3f:a1:14:95:04:53:64:87:73:24:

                      
e3:61:66:96:ab:99:1f:2c:da:ec:22:e5:21:b1:5c:d5:

                      
0a:dd:4e:3f:f8:e2:90:a1:55:31:ad:11:2f:3b:d3:90:

                      
14:dc:b7:9d:fc:35:1a:ab:48:27:68:0a:9f:cb:95:14:

                      
00:93:b8:d4:d4:30:de:4e:be:20:a3:01:24:e8:f2:4a:

                      
1a:d2:b6:e0:09:77:3d:24:e3:5a:cf:51:d6:ca:d2:65:

                      
53:62:72:64:fe:7d:53:09:0e:97:b8:61:c9:c8:6d:24:

                      
52:15:f2:bf:40:04:38:24:22:73:fb:80:a0:ff:16:57:

                      
e1:0b:3c:71:02:d7:e6:2e:94:0a:e7:4e:aa:5e:6f:91:

                      
a5:68:65:21:cd:68:0c:2d:5d:53:fa:e0:10:75:47:43:

                      
04:f2:8b:e1:1c:1c:ed:a6:c1:ee:5c:6c:72:51:b5:e6:

                      
cd:f9:06:45:17:00:2b:d7:34:75:8a:59:f2:21:97:c6:

                      
63:d3:6f:54:d9:00:42:74:88:9e:94:d0:d4:d2:a1:b7

                  Exponent: 65537 
(0x10001)

          Signed Extensions:

              Name: Certificate Authority Key 
Identifier

              Key ID:

                  
f2:bb:9c:4f:e3:d8:c3:f9:58:eb:cc:5f:f7:be:8c:d6:

                  d5:08:c0:3a

              Name: Authority Information 
Access

              Method: PKIX Online Certificate 
Status Protocol

              Location:

                  URI: 
"http://ipa-ca.int.i-neda.com/ca/ocsp";

              Name: Certificate Key Usage

              Critical: True

              Usages: Digital Signature

                      
Non-Repudiation

                      
Key Encipherment

                      
Data Encipherment

              Name: Extended Key Usage

                  TLS Web Server 
Authentication Certificate

                  TLS Web Client 
Authentication Certificate

      Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption

      Signature:

          5f:b7:31:25:10:ef:e7:72:44:8e:94:1d:57:4e:bb:4e:

          22:cf:9b:7e:f4:20:a2:fa:96:2a:cf:e9:70:cd:a6:82:

          4a:bd:58:4b:a7:df:4d:77:47:ba:65:d0:68:c5:dc:59:

          77:7e:bf:36:d3:55:c7:86:d3:16:77:51:46:c2:48:de:

          e8:0d:62:05:b9:8c:46:bd:22:7d:8d:d0:ad:5a:64:6b:

          9b:7d:ec:4c:e6:05:e7:02:97:cd:01:f5:19:91:15:7e:

          cc:41:5b:f2:00:2d:c0:0b:91:9e:62:d5:7a:b2:1e:8f:

          32:62:c2:ed:1a:e8:e1:56:32:e0:0e:79:55:a2:49:35:

          0e:df:5d:a3:df:e2:dd:58:60:4a:dd:19:92:f7:4d:60:

          59:0e:16:b1:ae:32:e6:c5:c5:fa:5b:2f:fe:1d:fe:e9:

          ec:67:2b:65:33:f2:57:64:8a:68:f3:91:9b:25:ff:02:

          64:4c:a1:6d:fe:f0:73:95:f2:0f:49:fb:3f:85:21:a0:

          68:37:dc:cd:73:02:73:20:22:a9:1d:c9:7e:88:4f:9b:

          7c:92:f8:c1:50:0f:95:43:48:5b:8b:7f:0f:48:04:a8:

          c7:c0:0e:58:7c:86:2c:3a:b5:72:e3:34:3d:d8:0f:26:

          eb:44:fa:75:c1:c8:fc:b6:7d:f7:31:91:a4:71:a1:51

      Fingerprint (SHA-256):

         
4F:2A:1B:54:65:B6:09:3E:AD:68:08:92:CB:8D:FE:13:EF:B8:4C:F1:1E:0F:E1:15:13:92:D3:7A:3D:F8:54:44

      Fingerprint (SHA1):

          
03:34:DC:55:F5:00:AF:8C:EF:AC:AA:0D:E0:44:AD:5C:6F:CF:97:A6

      Mozilla-CA-Policy: false (attribute missing)

      Certificate Trust Flags:

          SSL Flags:

              User

          Email Flags:

              User

          Object Signing Flags:

              User

Thanks for the help,

Marc.


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

Hi Marc,

we need more information in order to help you:
- do you have multiple master/replicas with the CA role:
# kinit admin; ipa server-role-find --role "CA server"

- which server is the renewal master:
# kinit admin ; ipa config-show | grep "renewal"

- which version is installed:
# rpm -qa | grep ipa-server

- Is the subsystemCert cert-pki-ca the only expired certificate:
# getcert list

flo

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org