Leo Galambos via FreeIPA-users wrote:
> Hello,
>
> our FreeIPA was running with correct certificates for 2 years (subject
> "CN=ipa.hq.company,O=HQ.COMPANY"). Unfortunately, the new certificates
> (ocspSigningCert, auditSigningCert) were recreated with a simple
> "CN=localhost" (automatically), i.e. the original value
> "CN=ipa.hq.company,O=HQ.COMPANY" was ignored by certmonger.
>
> If you have some knowledge of the FreeIPA internals - can you point me
> in the right direction, so that I could debug and/or fix this rotation
> bug, please?
>
> Thank you,
> LG
>
>
> certmonger-0.79.13-3.el8.x86_64
> ipa-server-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64
>
>
> # getcert list
>
> Request ID '20200324213127':
>         status: MONITORING
>         stuck: no
>         :
>         CA: IPA
>         issuer: CN=Certificate Authority,O=HQ.COMPANY
>         subject: CN=ipa.hq.company,O=HQ.COMPANY
>         expires: 2022-03-25 22:31:28 CET
>         principal name: krbtgt/[email protected]
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-pkinit-KPKdc
>         profile: KDCs_PKINIT_Certs
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
>         track: yes
>         auto-renew: yes
> Request ID '20210120221127':
>         status: MONITORING
>         stuck: no
>         :
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=HQ.COMPANY
>         subject: CN=localhost
>         expires: 2024-02-04 22:29:37 CET
>         key usage: digitalSignature,nonRepudiation
>         profile: caSignedLogCert
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20210120221129':
>         status: MONITORING
>         stuck: no
>         :
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=HQ.COMPANY
>         subject: CN=localhost
>         expires: 2024-02-04 22:28:36 CET
>         eku: id-kp-OCSPSigning
>         profile: caOCSPCert
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
>
> <snip>
Is this the renewal master? (ipa config-show | grep renewal)

You stripped out the key and certificate storage lines, can we see those as well?

The cow may be out of the barn already, but certmonger should have already been aware of the hostname when the cert was re-issued.

You can determine the request file name in /var/lib/certmonger/requests by grepping for the request ID (it may or may not match the filename). Then grep template_ from that file. At this point it may be CN=localhost but it would be interesting to see what is there.

It should be straightforward to get new certificates by using the -N <subject> option with resubmit but it would be nice to try to figure out how it got into this situation.

For example:

# getcert resubmit -i 20210120221129 -N 'CN=OCSP Subsystem,O=HQ.COMPANY' -v -w

rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
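The look-up procedure Rob describes (find the request file by its contents rather than its name, inspect the template_ lines, then decide whether a resubmit with -N is needed) as a script. This is an added example, not code from the thread, from FreeIPA or from certmonger. It assumes the request files are key=value text containing an "id=" line and a "template_subject=" line; those field names should be checked against a real file under /var/lib/certmonger/requests before relying on them. The sample request files it creates are constructed for offline use and deliberately have filenames that differ from the IDs they contain. The getcert resubmit command is only printed, never executed.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA/certmonger.
# Assumption: certmonger request files are key=value text with
# "id=" and "template_subject=" lines (verify against a real file).

REQUESTS_DIR="${REQUESTS_DIR:-/var/lib/certmonger/requests}"

# Print the path of the first file in directory $1 whose id= line equals $2.
# Greps file contents because the filename may not match the request ID.
# Returns 1 if no file matches.
find_request_file() {
    dir=$1
    req_id=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -q "^id=${req_id}\$" "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Print every template_* line of request file $1.
show_template_lines() {
    grep '^template_' "$1"
}

# Print the value of template_subject in request file $1 (empty if absent).
template_subject() {
    sed -n 's/^template_subject=//p' "$1" | head -n 1
}

# Print the getcert resubmit command for request $1 with subject $2.
# Dry run only: the command is shown so it can be reviewed, not executed.
resubmit_command() {
    printf "getcert resubmit -i %s -N '%s' -v -w\n" "$1" "$2"
}

# Constructed sample request files (NOT real certmonger output) for
# offline use. Filenames intentionally differ from the IDs inside them.
make_sample_dir() {
    dir=$(mktemp -d)
    cat > "$dir/cert-0001" <<'EOF'
id=20200324213127
ca_name=IPA
template_subject=CN=ipa.hq.company,O=HQ.COMPANY
cert_subject=CN=ipa.hq.company,O=HQ.COMPANY
EOF
    cat > "$dir/cert-0002" <<'EOF'
id=20210120221129
ca_name=dogtag-ipa-ca-renew-agent
cert_nickname=ocspSigningCert cert-pki-ca
template_subject=CN=localhost
cert_subject=CN=localhost
EOF
    printf '%s\n' "$dir"
}

# Usage (as root, since the request files are root-only):
#   REQUESTS_DIR=/var/lib/certmonger/requests sh check_request.sh <id> [<new subject>]
if [ -n "${1:-}" ]; then
    f=$(find_request_file "$REQUESTS_DIR" "$1" || true)
    if [ -z "$f" ]; then
        echo "no request file with id=$1 under $REQUESTS_DIR" >&2
        exit 1
    fi
    echo "request file: $f"
    show_template_lines "$f"
    if [ -n "${2:-}" ]; then
        resubmit_command "$1" "$2"
    fi
fi
```

Run it against the real directory only after confirming the host is the renewal master, and read the template_subject line before pasting the printed resubmit command: if the template already says CN=localhost, the -N override is what corrects it, and the storage lines Rob asked for will show where the reissued cert landed.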
