Good afternoon,

I was able to find a date where it's possible to start IPA services 
successfully (2022-03-02).


Is it possible to clear IPA from bad certificates?

I see four "QC.LRTECH.CA IPA CA" certificates in:

certutil -L -d /etc/ipa/nssdb
certutil -L -d /etc/httpd/alias
certutil -L -d /etc/dirsrv/slapd-QC-LRTECH-CA/

I can manually delete them with certutil -D -d <path/todb> -n <nickname> and 
keep the one I want, but each time I execute ipa-certupdate they come back and 
the root CA isn't trusted anymore.

# certutil -L -d /etc/ipa/nssdb

> Certificate Nickname                                         Trust Attributes
>                                                                           
> SSL,S/MIME,JAR/XPI
>
> E=ad...@lrtech.ca,CN=LR Tech inc. ROOT CA,OU=Intranet,O=LR Tech 
> inc.,L=Levis,ST=QC,C=CA CT,C,C
> QC.LRTECH.CA IPA CA                                          CT,C,C
> QC.LRTECH.CA IPA CA                                          CT,C,C
> E=ad...@lrtech.ca,CN=LR Tech inc. Root CA 2022,OU=Intranet,O=LR Tech 
> inc.,L=Levis,ST=Quebec,C=CA CT,C,C

# certutil -L -d /etc/httpd/alias

> Certificate Nickname                                         Trust Attributes
>                                                                          
> SSL,S/MIME,JAR/XPI
>
> E=ad...@lrtech.ca,CN=LR Tech inc. ROOT CA,OU=Intranet,O=LR Tech 
> inc.,L=Levis,ST=QC,C=CA CT,C,C
> QC.LRTECH.CA IPA CA                                     CT,C,C
> Signing-Cert                                                       u,u,u
> QC.LRTECH.CA IPA CA                                     CT,C,C
> E=ad...@lrtech.ca,CN=LR Tech inc. Root CA 2022,OU=Intranet,O=LR Tech 
> inc.,L=Levis,ST=Quebec,C=CA CT,C,C
> Server-Cert                                                         u,u,u
> ipaCert                                                                u,u,u

# certutil -L -d /etc/pki/pki-tomcat/alias/

> Certificate Nickname                                         Trust Attributes
>                                                                          
> SSL,S/MIME,JAR/XPI
>
> E=ad...@lrtech.ca,CN=LR Tech inc. ROOT CA,OU=Intranet,O=LR Tech 
> inc.,L=Levis,ST=QC,C=CA CT,C,C
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> subsystemCert cert-pki-ca                                   u,u,u
> auditSigningCert cert-pki-ca                                u,u,Pu
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> E=ad...@lrtech.ca,CN=LR Tech inc. Root CA 2022,OU=Intranet,O=LR Tech 
> inc.,L=Levis,ST=Quebec,C=CA C,,
> Server-Cert cert-pki-ca                                        u,u,u
> ocspSigningCert cert-pki-ca                                 u,u,u

# certutil -L -d /etc/dirsrv/slapd-QC-LRTECH-CA/

> Certificate Nickname                                         Trust Attributes
>                                                                           
> SSL,S/MIME,JAR/XPI
>
> E=ad...@lrtech.ca,CN=LR Tech inc. ROOT CA,OU=Intranet,O=LR Tech 
> inc.,L=Levis,ST=QC,C=CA CT,C,C
> QC.LRTECH.CA IPA CA                                     CT,C,C
> Server-Cert                                                        u,u,u
> QC.LRTECH.CA IPA CA                                     CT,C,C
> E=ad...@lrtech.ca,CN=LR Tech inc. Root CA 2022,OU=Intranet,O=LR Tech 
> inc.,L=Levis,ST=Quebec,C=CA CT,C,C


After the cleaning I was able to renew all certificates and they are all 
MONITORING with a valid date.

See getcert list output below.

> Number of certificates and requests being tracked: 8.
> Request ID '20170113205242':
>         status: MONITORING
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
>         subject: CN=CA Audit,O=QC.LRTECH.CA
>         expires: 2024-02-23 05:00:03 UTC
>         key usage: digitalSignature,nonRepudiation
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
> "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20170113205243':
>         status: MONITORING
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
>         subject: CN=OCSP Subsystem,O=QC.LRTECH.CA
>         expires: 2024-02-23 05:00:13 UTC
>         eku: id-kp-OCSPSigning
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
> "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20170113205244':
>         status: MONITORING
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
>         subject: CN=CA Subsystem,O=QC.LRTECH.CA
>         expires: 2024-02-20 05:03:27 UTC
>         key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
> "subsystemCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20170113205245':
>         status: MONITORING
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: E=ad...@lrtech.ca,CN=LR Tech inc. Root CA 
> 2022,OU=Intranet,O=LR Tech inc.,L=Levis,ST=Quebec,C=CA
>         subject: CN=Certificate Authority,O=QC.LRTECH.CA
>         expires: 2027-03-04 14:26:48 UTC
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
> "caSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20170113205246':
>         status: MONITORING
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: 
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
> Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
>         subject: CN=IPA RA,O=QC.LRTECH.CA
>         expires: 2024-02-20 05:03:35 UTC
>         key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>         post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>         track: yes
>         auto-renew: yes
> Request ID '20170113205247':
>         status: MONITORING
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert 
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
>         subject: CN=freeipa.qc.lrtech.ca,O=QC.LRTECH.CA
>         expires: 2024-02-23 05:00:11 UTC
>         key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
> "Server-Cert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20170113205302':
>         status: MONITORING
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/dirsrv/slapd-QC-LRTECH-CA',nickname='Server-Cert',token='NSS
>  Certificate DB',pinfile='/etc/dirsrv/slapd-QC-LRTECH-CA/pwdfile.txt'
>         certificate: 
> type=NSSDB,location='/etc/dirsrv/slapd-QC-LRTECH-CA',nickname='Server-Cert',token='NSS
>  Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
>         subject: CN=freeipa.qc.lrtech.ca,O=QC.LRTECH.CA
>         expires: 2024-03-02 05:03:02 UTC
>         principal name: ldap/freeipa.qc.lrtech...@qc.lrtech.ca
>         key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv 
> QC-LRTECH-CA
>         track: yes
>         auto-renew: yes
> Request ID '20220304195651':
>         status: MONITORING
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: 
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
>         subject: CN=freeipa.qc.lrtech.ca,O=QC.LRTECH.CA
>         expires: 2024-03-02 05:02:44 UTC
>         dns: freeipa.qc.lrtech.ca
>         principal name: HTTP/freeipa.qc.lrtech...@qc.lrtech.ca
>         key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes

Now I still have some issues with the FreeIPA web UI.

Firefox is unable to load the page and gives the error 
SEC_ERROR_REUSED_ISSUER_AND_SERIAL

Chrome allows me to connect, but when I try to reach the Authentication tab I 
get IPA Error 4301: CertificateOperationError Certificate operation cannot be 
completed: Unable to communicate with CMS (Internal Server Error)

After that I tried to renew my client certificate by doing what Rob said:
Copy /etc/pki/ca-trust/source/ipa.p11-kit from the server to a client
I set the time to 2022-03-02
kinit
Run update-ca-trust
Run ipa-certupdate

But the ipa-certupdate command returns:
Major (851968): Unspecified GSS failure.  Minor code may provide more 
information, Minor (2529639122): Generic preauthentication failure

Also, I don't see my new root CA in /etc/httpd/nssdb even though the 
certificate is in /etc/pki/ca-trust/anchor/

# certutil -L -d /etc/httpd/nssdb

> Certificate Nickname                                         Trust Attributes
>                                                                          
> SSL,S/MIME,JAR/XPI
>
> LR Tech ROOT CA                                              CT,C,C
> Server-Cert                                                          u,u,u
> QC.LRTECH.CA IPA CA                                       CT,C,C


Eric
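As an added example that is not part of the original post (and not FreeIPA's or NSS's own code): a small Python parser for the text format that `certutil -L -d <dbdir>` prints, used to flag nicknames that occur more than once in an NSS database (the "QC.LRTECH.CA IPA CA" twice and "caSigningCert cert-pki-ca" twice situation shown above) and to list which entries carry CA trust. The sample listings are constructed from the post's own output with the mail client's line wrapping undone; certutil itself is not invoked. The only format assumption is the one certutil uses: one certificate per line, nickname first, with the SSL,S/MIME,JAR/XPI trust triple as the final token.

```python
"""Added example, not code from the original post or from FreeIPA/NSS:
parse ``certutil -L`` listings and report duplicate nicknames and CA-trusted
entries.  Sample input is constructed from the listings quoted in the post.
"""
import re
from collections import defaultdict

# A certutil -L data line is "<nickname> <trust>", where <trust> is the
# SSL,S/MIME,JAR/XPI triple built from the NSS trust letters p,P,c,C,T,u,w.
# The nickname may contain spaces and commas (e.g. a full DN), so the trust
# triple is recognised as the last whitespace-separated token of the line.
_LINE_RE = re.compile(
    r"^(?P<nick>.+?)\s+(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)$"
)

# Constructed sample listings modelled on the post (wrapping undone).
SAMPLE_LISTINGS = {
    "/etc/ipa/nssdb": """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

E=ad...@lrtech.ca,CN=LR Tech inc. ROOT CA,OU=Intranet,O=LR Tech inc.,L=Levis,ST=QC,C=CA CT,C,C
QC.LRTECH.CA IPA CA                                          CT,C,C
QC.LRTECH.CA IPA CA                                          CT,C,C
E=ad...@lrtech.ca,CN=LR Tech inc. Root CA 2022,OU=Intranet,O=LR Tech inc.,L=Levis,ST=Quebec,C=CA CT,C,C
""",
    "/etc/pki/pki-tomcat/alias": """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

E=ad...@lrtech.ca,CN=LR Tech inc. ROOT CA,OU=Intranet,O=LR Tech inc.,L=Levis,ST=QC,C=CA CT,C,C
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
E=ad...@lrtech.ca,CN=LR Tech inc. Root CA 2022,OU=Intranet,O=LR Tech inc.,L=Levis,ST=Quebec,C=CA C,,
Server-Cert cert-pki-ca                                      u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
""",
}


def parse_certutil_list(text):
    """Return [(nickname, trust), ...] from certutil -L output.

    The two header lines and blank lines carry no trust triple and are
    skipped; everything else must match the nickname/trust shape.
    """
    entries = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("nick"), m.group("trust")))
    return entries


def is_trusted_ca(trust):
    """True when the SSL slot carries C or T: NSS will accept the entry as
    a CA for server authentication (C) or for client auth (T)."""
    ssl_flags = trust.split(",")[0]
    return "C" in ssl_flags or "T" in ssl_flags


def find_duplicates(entries):
    """Map each nickname that occurs more than once to its trust strings."""
    seen = defaultdict(list)
    for nick, trust in entries:
        seen[nick].append(trust)
    return {nick: trusts for nick, trusts in seen.items() if len(trusts) > 1}


def audit_databases(listings):
    """listings: {dbdir: certutil -L output}.  Returns, per database, the
    duplicated nicknames and the sorted set of CA-trusted nicknames."""
    report = {}
    for dbdir, text in listings.items():
        entries = parse_certutil_list(text)
        report[dbdir] = {
            "duplicates": find_duplicates(entries),
            "trusted_cas": sorted({n for n, t in entries if is_trusted_ca(t)}),
        }
    return report


if __name__ == "__main__":
    for dbdir, result in audit_databases(SAMPLE_LISTINGS).items():
        print(dbdir)
        for nick, trusts in result["duplicates"].items():
            print(f"  DUPLICATE {nick!r} x{len(trusts)} trust={trusts}")
        for nick in result["trusted_cas"]:
            print(f"  CA-trusted: {nick}")
```

To use it on a live server, feed it the text of `certutil -L -d <dbdir>` for each database instead of the constructed samples. Note that this listing shows nicknames and trust flags only, not serial numbers: the Firefox SEC_ERROR_REUSED_ISSUER_AND_SERIAL condition (two different certificates sharing one issuer and serial) can only be confirmed by exporting the individual certificates, for example with `certutil -L -d <dbdir> -n <nickname> -a`, and comparing their issuer and serial fields.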
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
