Hi Flo,

Thanks for the help. Included is the output of all the commands as you requested. These were all run from a single freeIPA server (red-auth01).
kinit admin; ipa server-role-find --role "CA server"
Password for [email protected]:
----------------------
8 server roles matched
----------------------
  Server name: power-auth03.int.i-neda.com
  Role name: CA server
  Role status: enabled

  Server name: power-auth04.int.i-neda.com
  Role name: CA server
  Role status: absent

  Server name: red-auth01.int.i-neda.com
  Role name: CA server
  Role status: enabled

  Server name: red-auth02.int.i-neda.com
  Role name: CA server
  Role status: enabled

  Server name: red-auth03.int.i-neda.com
  Role name: CA server
  Role status: enabled

  Server name: red-auth04.int.i-neda.com
  Role name: CA server
  Role status: enabled

  Server name: white-auth01.int.i-neda.com
  Role name: CA server
  Role status: enabled

  Server name: white-auth02.int.i-neda.com
  Role name: CA server
  Role status: enabled
----------------------------
Number of entries returned 8
----------------------------

kinit admin; ipa config-show | grep "renewal"
Password for [email protected]:
  IPA CA renewal master: red-auth01.int.i-neda.com

rpm -qa | grep ipa-server
ipa-server-common-4.6.8-5.el7.centos.noarch
ipa-server-4.6.8-5.el7.centos.x86_64
ipa-server-dns-4.6.8-5.el7.centos.noarch

getcert list
Number of certificates and requests being tracked: 8.
Request ID '20171101175244':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: SelfSign
    issuer: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM
    subject: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM
    expires: 2021-08-10 14:04:07 UTC
    principal name: krbtgt/[email protected]
    certificate template/profile: KDCs_PKINIT_Certs
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
    track: yes
    auto-renew: yes
Request ID '20180722081853':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
    subject: CN=CA Audit,O=INT.I-NEDA.COM
    expires: 2022-09-16 12:36:41 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20180722081854':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
    subject: CN=OCSP Subsystem,O=INT.I-NEDA.COM
    expires: 2022-09-16 12:35:31 UTC
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20180722081855':
    status: CA_UNREACHABLE
    ca-error: Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
    subject: CN=CA Subsystem,O=INT.I-NEDA.COM
    expires: 2020-10-24 07:04:35 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20180722081856':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
    subject: CN=Certificate Authority,O=INT.I-NEDA.COM
    expires: 2040-10-10 07:51:04 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20180722081857':
    status: CA_UNREACHABLE
    ca-error: Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
    subject: CN=IPA RA,O=INT.I-NEDA.COM
    expires: 2020-10-24 07:03:24 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20180722081858':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
    subject: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM
    expires: 2021-02-09 11:59:57 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20200530130439':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
    CA: IPA
    issuer:
    subject:
    expires: unknown
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

The signing SSL (int.i-neda.com) is a full wildcard block chain that is authorized by a recognised 3rd party. It's worth noting though, that we had some issues with the block chain back in April as the third party's block chain expired. So it's possible that this is as a result of that issue, and may require some fettling to resolve. All help is appreciated.

My current temporary work around is to set the local clock of the OS back by over a month so the server believes the expired CA's are still valid.

Kind Regards,
Marc.

________________________________
From: Florence Blanc-Renaud <[email protected]>
Sent: 16 November 2020 14:35
To: FreeIPA users list <[email protected]>
Cc: Marc Pearson | i-Neda Ltd <[email protected]>
Subject: Re: [Freeipa-users] subsystemCert appears out of date

On 11/16/20 10:03 AM, Marc Pearson | i-Neda Ltd via FreeIPA-users wrote:
> Hi All,
>
> My subsystem cert appears to have gone out of date, and I’m unable to
> get it to update. This has become an issue on my production environment,
> and my current work around has been to take the system date back by a
> month. I’ve tried the cert renew tool, but this doesn’t seem to have
> updated this cert.
>
> Is anyone able to point me in the right direction to be able to update
> this specific certificate as I’ve been unable to find anything online.
>
> [auth01 ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 42 (0x2a)
>         Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>         Issuer: "CN=Certificate Authority,O=INT.I-NEDA.COM"
>         Validity:
>             Not Before: Sun Nov 04 08:04:35 2018
>             Not After : Sat Oct 24 07:04:35 2020
>         Subject: "CN=CA Subsystem,O=INT.I-NEDA.COM"
>         Subject Public Key Info:
>             Public Key Algorithm: PKCS #1 RSA Encryption
>             RSA Public Key:
>                 Modulus:
>                     c6:7e:e6:40:8f:6e:77:07:8f:2a:ca:ca:63:63:cf:c6:
>                     5f:1c:09:63:4a:bb:17:68:17:cd:20:9b:f3:b0:5b:c0:
>                     f7:ff:72:07:1d:a2:29:93:61:62:5c:9f:04:d3:cb:7b:
>                     bf:53:de:bb:dd:d6:3f:a1:14:95:04:53:64:87:73:24:
>                     e3:61:66:96:ab:99:1f:2c:da:ec:22:e5:21:b1:5c:d5:
>                     0a:dd:4e:3f:f8:e2:90:a1:55:31:ad:11:2f:3b:d3:90:
>                     14:dc:b7:9d:fc:35:1a:ab:48:27:68:0a:9f:cb:95:14:
>                     00:93:b8:d4:d4:30:de:4e:be:20:a3:01:24:e8:f2:4a:
>                     1a:d2:b6:e0:09:77:3d:24:e3:5a:cf:51:d6:ca:d2:65:
>                     53:62:72:64:fe:7d:53:09:0e:97:b8:61:c9:c8:6d:24:
>                     52:15:f2:bf:40:04:38:24:22:73:fb:80:a0:ff:16:57:
>                     e1:0b:3c:71:02:d7:e6:2e:94:0a:e7:4e:aa:5e:6f:91:
>                     a5:68:65:21:cd:68:0c:2d:5d:53:fa:e0:10:75:47:43:
>                     04:f2:8b:e1:1c:1c:ed:a6:c1:ee:5c:6c:72:51:b5:e6:
>                     cd:f9:06:45:17:00:2b:d7:34:75:8a:59:f2:21:97:c6:
>                     63:d3:6f:54:d9:00:42:74:88:9e:94:d0:d4:d2:a1:b7
>                 Exponent: 65537 (0x10001)
>         Signed Extensions:
>             Name: Certificate Authority Key Identifier
>             Key ID:
>                 f2:bb:9c:4f:e3:d8:c3:f9:58:eb:cc:5f:f7:be:8c:d6:
>                 d5:08:c0:3a
>
>             Name: Authority Information Access
>             Method: PKIX Online Certificate Status Protocol
>             Location:
>                 URI: "http://ipa-ca.int.i-neda.com/ca/ocsp"
>
>             Name: Certificate Key Usage
>             Critical: True
>             Usages: Digital Signature
>                     Non-Repudiation
>                     Key Encipherment
>                     Data Encipherment
>
>             Name: Extended Key Usage
>                 TLS Web Server Authentication Certificate
>                 TLS Web Client Authentication Certificate
>
>     Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>     Signature:
>         5f:b7:31:25:10:ef:e7:72:44:8e:94:1d:57:4e:bb:4e:
>         22:cf:9b:7e:f4:20:a2:fa:96:2a:cf:e9:70:cd:a6:82:
>         4a:bd:58:4b:a7:df:4d:77:47:ba:65:d0:68:c5:dc:59:
>         77:7e:bf:36:d3:55:c7:86:d3:16:77:51:46:c2:48:de:
>         e8:0d:62:05:b9:8c:46:bd:22:7d:8d:d0:ad:5a:64:6b:
>         9b:7d:ec:4c:e6:05:e7:02:97:cd:01:f5:19:91:15:7e:
>         cc:41:5b:f2:00:2d:c0:0b:91:9e:62:d5:7a:b2:1e:8f:
>         32:62:c2:ed:1a:e8:e1:56:32:e0:0e:79:55:a2:49:35:
>         0e:df:5d:a3:df:e2:dd:58:60:4a:dd:19:92:f7:4d:60:
>         59:0e:16:b1:ae:32:e6:c5:c5:fa:5b:2f:fe:1d:fe:e9:
>         ec:67:2b:65:33:f2:57:64:8a:68:f3:91:9b:25:ff:02:
>         64:4c:a1:6d:fe:f0:73:95:f2:0f:49:fb:3f:85:21:a0:
>         68:37:dc:cd:73:02:73:20:22:a9:1d:c9:7e:88:4f:9b:
>         7c:92:f8:c1:50:0f:95:43:48:5b:8b:7f:0f:48:04:a8:
>         c7:c0:0e:58:7c:86:2c:3a:b5:72:e3:34:3d:d8:0f:26:
>         eb:44:fa:75:c1:c8:fc:b6:7d:f7:31:91:a4:71:a1:51
>     Fingerprint (SHA-256):
>         4F:2A:1B:54:65:B6:09:3E:AD:68:08:92:CB:8D:FE:13:EF:B8:4C:F1:1E:0F:E1:15:13:92:D3:7A:3D:F8:54:44
>     Fingerprint (SHA1):
>         03:34:DC:55:F5:00:AF:8C:EF:AC:AA:0D:E0:44:AD:5C:6F:CF:97:A6
>     Mozilla-CA-Policy: false (attribute missing)
>     Certificate Trust Flags:
>         SSL Flags:
>             User
>         Email Flags:
>             User
>         Object Signing Flags:
>             User
>
> Thanks for the help,
>
> Marc.
>
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
>
Hi Marc,

we need more information in order to help you:
- do you have multiple master/replicas with the CA role:
# kinit admin; ipa server-role-find --role "CA server"
- which server is the renewal master:
# kinit admin ; ipa config-show | grep "renewal"
- which version is installed:
# rpm -qa | grep ipa-server
- Is the subsystemCert cert-pki-ca the only expired certificate:
# getcert list

flo
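A small checker for the `getcert list` output exchanged above, added here as an example and not part of the thread or of FreeIPA/certmonger itself. It parses the tracked requests and flags any that are stuck, not in MONITORING state, or already expired against a caller-supplied UTC timestamp, so expiry is judged independently of the host clock (which matters when the clock has been rolled back as a workaround). The sample input is constructed from three of the entries in this message, trimmed to the fields the checker reads.

```python
import re

# Constructed sample in `getcert list` layout, trimmed to the fields used below.
SAMPLE = """\
Request ID '20180722081854':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2022-09-16 12:35:31 UTC
Request ID '20180722081855':
        status: CA_UNREACHABLE
        ca-error: Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
        stuck: no
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2020-10-24 07:04:35 UTC
Request ID '20200530130439':
        status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
        stuck: yes
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
        expires: unknown
"""

def parse_getcert(text):
    """Split `getcert list` output into one dict of 'key: value' fields per request."""
    entries, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1)}
            entries.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.strip().partition(":")
            cur[key.strip()] = val.strip()
    return entries

def find_problems(text, now):
    """Return (nickname, reason) for requests stuck, not MONITORING, or expired at `now` ('YYYY-MM-DD HH:MM:SS', UTC)."""
    problems = []
    for e in parse_getcert(text):
        m = re.search(r"nickname='([^']+)'", e.get("certificate", ""))
        name = m.group(1) if m else e["id"]
        if e.get("stuck") == "yes":
            problems.append((name, "stuck"))
        if e.get("status") != "MONITORING":
            problems.append((name, "status " + e.get("status", "?")))
        exp = e.get("expires", "unknown")  # 'unknown' means nothing has been issued yet
        if exp.endswith(" UTC") and exp[:-4] <= now:  # ISO-style stamps compare lexically
            problems.append((name, "expired " + exp))
    return problems
```

Fed the real `getcert list` output together with the true current time, it lists which certificates are actually expired regardless of what a rolled-back system clock reports.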
