Good afternoon, I was able to find a date where it's possible to start IPA services successfully (2022-03-02).
Is it possible to clear IPA of bad certificates? I see four "QC.LRTECH.CA IPA CA" certificates in:

certutil -L -d /etc/ipa/nssdb
certutil -L -d /etc/httpd/alias
certutil -L -d /etc/dirsrv/slapd-QC-LRTECH-CA/

I can manually delete them with certutil -D -d <path/to/db> -n <nickname> and keep the one I want, but each time I execute ipa-certupdate they come back and the root CA isn't trusted anymore.

# certutil -L -d /etc/ipa/nssdb
> Certificate Nickname                                                                          Trust Attributes
>                                                                                               SSL,S/MIME,JAR/XPI
>
> E=ad...@lrtech.ca,CN=LR Tech inc. ROOT CA,OU=Intranet,O=LR Tech inc.,L=Levis,ST=QC,C=CA         CT,C,C
> QC.LRTECH.CA IPA CA                                                                           CT,C,C
> QC.LRTECH.CA IPA CA                                                                           CT,C,C
> E=ad...@lrtech.ca,CN=LR Tech inc. Root CA 2022,OU=Intranet,O=LR Tech inc.,L=Levis,ST=Quebec,C=CA   CT,C,C

# certutil -L -d /etc/httpd/alias
> Certificate Nickname                                                                          Trust Attributes
>                                                                                               SSL,S/MIME,JAR/XPI
>
> E=ad...@lrtech.ca,CN=LR Tech inc. ROOT CA,OU=Intranet,O=LR Tech inc.,L=Levis,ST=QC,C=CA         CT,C,C
> QC.LRTECH.CA IPA CA                                                                           CT,C,C
> Signing-Cert                                                                                  u,u,u
> QC.LRTECH.CA IPA CA                                                                           CT,C,C
> E=ad...@lrtech.ca,CN=LR Tech inc. Root CA 2022,OU=Intranet,O=LR Tech inc.,L=Levis,ST=Quebec,C=CA   CT,C,C
> Server-Cert                                                                                   u,u,u
> ipaCert                                                                                       u,u,u

# certutil -L -d /etc/pki/pki-tomcat/alias/
> Certificate Nickname                                                                          Trust Attributes
>                                                                                               SSL,S/MIME,JAR/XPI
>
> E=ad...@lrtech.ca,CN=LR Tech inc. ROOT CA,OU=Intranet,O=LR Tech inc.,L=Levis,ST=QC,C=CA         CT,C,C
> caSigningCert cert-pki-ca                                                                     CTu,Cu,Cu
> subsystemCert cert-pki-ca                                                                     u,u,u
> auditSigningCert cert-pki-ca                                                                  u,u,Pu
> caSigningCert cert-pki-ca                                                                     CTu,Cu,Cu
> E=ad...@lrtech.ca,CN=LR Tech inc. Root CA 2022,OU=Intranet,O=LR Tech inc.,L=Levis,ST=Quebec,C=CA   C,,
> Server-Cert cert-pki-ca                                                                       u,u,u
> ocspSigningCert cert-pki-ca                                                                   u,u,u

# certutil -L -d /etc/dirsrv/slapd-QC-LRTECH-CA/
> Certificate Nickname                                                                          Trust Attributes
>                                                                                               SSL,S/MIME,JAR/XPI
>
> E=ad...@lrtech.ca,CN=LR Tech inc. ROOT CA,OU=Intranet,O=LR Tech inc.,L=Levis,ST=QC,C=CA         CT,C,C
> QC.LRTECH.CA IPA CA                                                                           CT,C,C
> Server-Cert                                                                                   u,u,u
> QC.LRTECH.CA IPA CA                                                                           CT,C,C
> E=ad...@lrtech.ca,CN=LR Tech inc. Root CA 2022,OU=Intranet,O=LR Tech inc.,L=Levis,ST=Quebec,C=CA   CT,C,C

After the cleaning I was able to renew all certificates and they are all MONITORING with a valid date. See the getcert list output below.

> Number of certificates and requests being tracked: 8.
> Request ID '20170113205242':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
>         subject: CN=CA Audit,O=QC.LRTECH.CA
>         expires: 2024-02-23 05:00:03 UTC
>         key usage: digitalSignature,nonRepudiation
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20170113205243':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
>         subject: CN=OCSP Subsystem,O=QC.LRTECH.CA
>         expires: 2024-02-23 05:00:13 UTC
>         eku: id-kp-OCSPSigning
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20170113205244':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
>         subject: CN=CA Subsystem,O=QC.LRTECH.CA
>         expires: 2024-02-20 05:03:27 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20170113205245':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: E=ad...@lrtech.ca,CN=LR Tech inc. Root CA 2022,OU=Intranet,O=LR Tech inc.,L=Levis,ST=Quebec,C=CA
>         subject: CN=Certificate Authority,O=QC.LRTECH.CA
>         expires: 2027-03-04 14:26:48 UTC
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20170113205246':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
>         subject: CN=IPA RA,O=QC.LRTECH.CA
>         expires: 2024-02-20 05:03:35 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>         post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>         track: yes
>         auto-renew: yes
> Request ID '20170113205247':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
>         subject: CN=freeipa.qc.lrtech.ca,O=QC.LRTECH.CA
>         expires: 2024-02-23 05:00:11 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20170113205302':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-QC-LRTECH-CA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-QC-LRTECH-CA/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-QC-LRTECH-CA',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
>         subject: CN=freeipa.qc.lrtech.ca,O=QC.LRTECH.CA
>         expires: 2024-03-02 05:03:02 UTC
>         principal name: ldap/freeipa.qc.lrtech...@qc.lrtech.ca
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv QC-LRTECH-CA
>         track: yes
>         auto-renew: yes
> Request ID '20220304195651':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
>         subject: CN=freeipa.qc.lrtech.ca,O=QC.LRTECH.CA
>         expires: 2024-03-02 05:02:44 UTC
>         dns: freeipa.qc.lrtech.ca
>         principal name: HTTP/freeipa.qc.lrtech...@qc.lrtech.ca
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes

Now I still have some issues with the FreeIPA web UI.

Firefox is unable to load the page and gives the error SEC_ERROR_REUSED_ISSUER_AND_SERIAL.

Chrome allows me to connect, but when I try to reach the Authentication tab I get:

IPA Error 4301: CertificateOperationError
Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)

After that I tried to renew my client certificate by doing what Rob said:

Copy /etc/pki/ca-trust/source/ipa.p11-kit from the server to a client
Set the time to 2022-03-02
kinit
Run update-ca-trust
Run ipa-certupdate

But the ipa-certupdate command returns:

Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639122): Generic preauthentication failure

Also I don't see my new root CA in /etc/httpd/nssdb even though the certificate is in /etc/pki/ca-trust/anchor/

# certutil -L -d /etc/httpd/nssdb
> Certificate Nickname                                                                          Trust Attributes
>                                                                                               SSL,S/MIME,JAR/XPI
>
> LR Tech ROOT CA                                                                               CT,C,C
> Server-Cert                                                                                   u,u,u
> QC.LRTECH.CA IPA CA                                                                           CT,C,C

Eric
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
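Added example (shell), not code from Eric's post or from the FreeIPA project: a check for the condition shown in the certutil listings above, the same nickname ("QC.LRTECH.CA IPA CA", "caSigningCert cert-pki-ca") stored twice in one NSS database. It parses `certutil -L` output and reports every nickname that occurs more than once. The listing layout it assumes (two header lines, then `<nickname>  <trust triple>`) and the database paths are taken from the post; the sample input is constructed from the /etc/httpd/alias listing, and the `--scan` flag and function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post or from FreeIPA.
# Detect nicknames that occur more than once in the output of
# `certutil -L -d <nssdb>` (the duplicate "QC.LRTECH.CA IPA CA" symptom).
#
# Assumed certutil -L listing format:
#   - two header lines ("Certificate Nickname ... Trust Attributes" and
#     "SSL,S/MIME,JAR/XPI") followed by a blank line;
#   - each certificate line is "<nickname><spaces><trust triple>", the triple
#     being three comma-separated flag groups such as CT,C,C, CTu,Cu,Cu,
#     u,u,Pu or C,, ; nicknames may contain spaces and commas (a DN used as
#     nickname), so the triple is only ever matched at the end of the line.

# dup_nicknames: read a certutil -L listing on stdin; print "<count> <nickname>"
# for every nickname stored more than once, sorted. Prints nothing if clean.
dup_nicknames() {
    awk '
        /^Certificate Nickname/ || /SSL,S\/MIME,JAR\/XPI/ || /^[ \t]*$/ { next }
        {
            nick = $0
            # drop the trailing trust-attribute triple and the padding before it
            sub(/[ \t]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/, "", nick)
            seen[nick]++
        }
        END {
            for (n in seen) if (seen[n] > 1) printf "%d %s\n", seen[n], n
        }
    ' | sort
}

# scan_nssdbs: run certutil -L on each NSS database directory given as an
# argument (needs read access, i.e. root on the IPA server) and report
# duplicates. Returns 1 if any database has a duplicated nickname, else 0.
scan_nssdbs() {
    rc=0
    for db in "$@"; do
        [ -d "$db" ] || { echo "skip: $db (not a directory)" >&2; continue; }
        dups=$(certutil -L -d "$db" | dup_nicknames)
        if [ -n "$dups" ]; then
            rc=1
            echo "$db:"
            echo "$dups" | sed 's/^/  /'
        fi
    done
    return $rc
}

# Constructed sample input, modelled on the /etc/httpd/alias listing in the post.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

E=ad...@lrtech.ca,CN=LR Tech inc. ROOT CA,OU=Intranet,O=LR Tech inc.,L=Levis,ST=QC,C=CA CT,C,C
QC.LRTECH.CA IPA CA                                          CT,C,C
Signing-Cert                                                 u,u,u
QC.LRTECH.CA IPA CA                                          CT,C,C
E=ad...@lrtech.ca,CN=LR Tech inc. Root CA 2022,OU=Intranet,O=LR Tech inc.,L=Levis,ST=Quebec,C=CA CT,C,C
Server-Cert                                                  u,u,u
ipaCert                                                      u,u,u'

if [ "${1:-}" = "--scan" ]; then
    # Databases an IPA server keeps (paths from the post); slapd-* is a glob.
    scan_nssdbs /etc/ipa/nssdb /etc/httpd/alias /etc/pki/pki-tomcat/alias /etc/dirsrv/slapd-*
else
    # Offline demonstration on the constructed sample: reports the doubled IPA CA.
    printf '%s\n' "$SAMPLE_LISTING" | dup_nicknames
fi
```

Run it with `--scan` as root on the server to check the live databases. Before removing anything with `certutil -D`, `certutil -L -d <db> -n '<nickname>'` dumps the certificate(s) stored under that nickname, so serial numbers, issuers and validity periods can be compared and the right copy kept; re-running the scan after `ipa-certupdate` shows whether the duplicates have been re-imported.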