I suppose we tackle these one at a time.

The older CA certificate can be deleted eventually which will prevent it
from being re-added by ipa-certupdate. I think for now we defer on that.

What is the serial number for the two "QC.LRTECH.CA IPA CA"
certificates? Are they different? If not that would explain the Firefox
error.

On the IPA server with the CA up, does ipa cert-show 1 work?

If not we need to work on that first. It means the CA isn't quite
functioning despite the renewed certificates.

With the renewed certificates you shouldn't have to fiddle with time
anymore. Do basic operations work on the server with current time?

I'm not sure if this is a typo or not, # certutil -L -d /etc/httpd/nssdb

Did you mean /etc/pki/nssdb?

rob
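Rob's question about the serial numbers is the crux of the Firefox error: SEC_ERROR_REUSED_ISSUER_AND_SERIAL means NSS found two different certificates with the same issuer DN and serial number, which two "QC.LRTECH.CA IPA CA" entries in one database can easily produce after a CA renewal. The script below is an added example, not code from the FreeIPA project or from anyone in this thread. It exports every certificate stored under a nickname with `certutil -L -d <db> -n <nick> -a`, walks just enough DER (standard library only) to read each certificate's serial and issuer, and reports any (issuer, serial) pair backed by more than one distinct certificate. The `sample_cert()` helper builds constructed, unsigned stand-ins so the script also runs offline; those are not real certificates.

```python
"""Group the certificates in an NSS database by (issuer, serial number).

Added example, not FreeIPA code.  Firefox raises SEC_ERROR_REUSED_ISSUER_AND_SERIAL
when two *different* certificates share issuer DN and serial, so this lists
exactly those collisions.  Requires certutil only for export_nickname().
"""
import base64
import hashlib
import re
import subprocess
from collections import defaultdict

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, off):
    """Decode one DER tag/length header at `off`; return (tag, content_start, content_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long form: low bits give the length's byte count
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length

def issuer_and_serial(der):
    """Return (issuer_name_der, serial_int) from a DER-encoded X.509 certificate."""
    tag, pos, _ = _tlv(der, 0)             # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _tlv(der, pos)           # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, start, end = _tlv(der, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version, skip it
        tag, start, end = _tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    serial = int.from_bytes(der[start:end], "big", signed=True)
    _, _, issuer_hdr = _tlv(der, end)      # signature AlgorithmIdentifier, skipped
    tag, _, issuer_end = _tlv(der, issuer_hdr)
    if tag != 0x30:
        raise ValueError("issuer Name is not a SEQUENCE")
    return der[issuer_hdr:issuer_end], serial   # raw issuer TLV is the comparison key

def pem_to_ders(pem_bytes):
    """Split a PEM blob (certutil -a may emit several certs) into DER blobs."""
    return [base64.b64decode(m.group(1)) for m in PEM_RE.finditer(pem_bytes)]

def to_pem(der):
    """Inverse of pem_to_ders for one certificate."""
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"

def reused_issuer_serial(ders):
    """Map (issuer, serial) -> sorted SHA-256 fingerprints, keeping only keys shared
    by two or more *distinct* certificates (the same cert seen twice is not a reuse)."""
    groups = defaultdict(set)
    for der in ders:
        groups[issuer_and_serial(der)].add(hashlib.sha256(der).hexdigest())
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def export_nickname(dbdir, nickname):
    """Export every certificate stored under `nickname` in NSS db `dbdir` (needs certutil)."""
    out = subprocess.run(["certutil", "-L", "-d", dbdir, "-n", nickname, "-a"],
                         check=True, capture_output=True).stdout
    return pem_to_ders(out)

# --- constructed sample so the script runs offline (not real certificates) ---
def _der(tag, content):
    """Minimal DER encoder (short and long-form lengths) for the sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def sample_cert(serial, issuer_cn, filler=b"\x00" * 0x90):
    """Constructed, unsigned stand-in: version, serial, signature algorithm and
    issuer are well-formed; the rest is filler (long enough to exercise long-form
    lengths).  Only the fields issuer_and_serial() reads are realistic."""
    raw = serial.to_bytes((serial.bit_length() + 8) // 8, "big")   # positive DER INTEGER
    version = _der(0xA0, _der(0x02, b"\x02"))
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    cn_attr = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, issuer_cn.encode()))
    issuer = _der(0x30, _der(0x31, cn_attr))
    tbs = version + _der(0x02, raw) + sha256_rsa + issuer + _der(0x04, filler)
    return _der(0x30, _der(0x30, tbs))

if __name__ == "__main__":
    # Two distinct certs with the same issuer and serial reproduce the Firefox condition.
    a = sample_cert(1, "Certificate Authority")
    b = sample_cert(1, "Certificate Authority", filler=b"\x01" * 0x90)
    c = sample_cert(2, "Certificate Authority")
    for (issuer, serial), fps in reused_issuer_serial([a, b, c]).items():
        print(f"serial {serial} reused under one issuer by {len(fps)} certs: {fps}")
```

On a live server, replace the sample with `reused_issuer_serial(export_nickname("/etc/ipa/nssdb", "QC.LRTECH.CA IPA CA"))` and repeat for each database listed in the thread; an empty result means the two entries are byte-identical copies (harmless), while a populated one names the fingerprints of the certificates that collide and must not both remain trusted.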

Eric Boisvert via FreeIPA-users wrote:
> Good afternoon,
> 
> I was able to find a date where it's possible to start IPA services 
> successfully (2022-03-02).
> 
> 
> Is it possible to clear IPA from bad certificates?
> 
> I see four "QC.LRTECH.CA IPA CA" certificates in:
> 
> certutil -L -d /etc/ipa/nssdb
> certutil -L -d /etc/httpd/alias
> certutil -L -d /etc/dirsrv/slapd-QC-LRTECH-CA/
> 
> I can manually delete them with certutil -D -d <path/todb> -n <nickname> and 
> keep the one I want, but each time I execute ipa-certupdate they come back 
> and the root CA isn't trusted anymore.
> 
> # certutil -L -d /etc/ipa/nssdb
> 
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> E=ad...@lrtech.ca,CN=LR Tech inc. ROOT CA,OU=Intranet,O=LR Tech 
>> inc.,L=Levis,ST=QC,C=CA CT,C,C
>> QC.LRTECH.CA IPA CA                                          CT,C,C
>> QC.LRTECH.CA IPA CA                                          CT,C,C
>> E=ad...@lrtech.ca,CN=LR Tech inc. Root CA 2022,OU=Intranet,O=LR Tech 
>> inc.,L=Levis,ST=Quebec,C=CA CT,C,C
> 
> # certutil -L -d /etc/httpd/alias
> 
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> E=ad...@lrtech.ca,CN=LR Tech inc. ROOT CA,OU=Intranet,O=LR Tech 
>> inc.,L=Levis,ST=QC,C=CA CT,C,C
>> QC.LRTECH.CA IPA CA                                     CT,C,C
>> Signing-Cert                                                       u,u,u
>> QC.LRTECH.CA IPA CA                                     CT,C,C
>> E=ad...@lrtech.ca,CN=LR Tech inc. Root CA 2022,OU=Intranet,O=LR Tech 
>> inc.,L=Levis,ST=Quebec,C=CA CT,C,C
>> Server-Cert                                                         u,u,u
>> ipaCert                                                                u,u,u
> 
> # certutil -L -d /etc/pki/pki-tomcat/alias/
> 
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> E=ad...@lrtech.ca,CN=LR Tech inc. ROOT CA,OU=Intranet,O=LR Tech 
>> inc.,L=Levis,ST=QC,C=CA CT,C,C
>> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
>> subsystemCert cert-pki-ca                                   u,u,u
>> auditSigningCert cert-pki-ca                                u,u,Pu
>> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
>> E=ad...@lrtech.ca,CN=LR Tech inc. Root CA 2022,OU=Intranet,O=LR Tech 
>> inc.,L=Levis,ST=Quebec,C=CA C,,
>> Server-Cert cert-pki-ca                                        u,u,u
>> ocspSigningCert cert-pki-ca                                 u,u,u
> 
> # certutil -L -d /etc/dirsrv/slapd-QC-LRTECH-CA/
> 
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> E=ad...@lrtech.ca,CN=LR Tech inc. ROOT CA,OU=Intranet,O=LR Tech 
>> inc.,L=Levis,ST=QC,C=CA CT,C,C
>> QC.LRTECH.CA IPA CA                                     CT,C,C
>> Server-Cert                                                        u,u,u
>> QC.LRTECH.CA IPA CA                                     CT,C,C
>> E=ad...@lrtech.ca,CN=LR Tech inc. Root CA 2022,OU=Intranet,O=LR Tech 
>> inc.,L=Levis,ST=Quebec,C=CA CT,C,C
> 
> 
> After the cleaning I was able to renew all certificates and they are all 
> MONITORING with a valid date.
> 
> See getcert list output below.
> 
>> Number of certificates and requests being tracked: 8.
>> Request ID '20170113205242':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: 
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
>> cert-pki-ca',token='NSS Certificate DB',pin set
>>         certificate: 
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
>> cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
>>         subject: CN=CA Audit,O=QC.LRTECH.CA
>>         expires: 2024-02-23 05:00:03 UTC
>>         key usage: digitalSignature,nonRepudiation
>>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
>> "auditSigningCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20170113205243':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: 
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
>> cert-pki-ca',token='NSS Certificate DB',pin set
>>         certificate: 
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
>> cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
>>         subject: CN=OCSP Subsystem,O=QC.LRTECH.CA
>>         expires: 2024-02-23 05:00:13 UTC
>>         eku: id-kp-OCSPSigning
>>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
>> "ocspSigningCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20170113205244':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: 
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
>> cert-pki-ca',token='NSS Certificate DB',pin set
>>         certificate: 
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
>> cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
>>         subject: CN=CA Subsystem,O=QC.LRTECH.CA
>>         expires: 2024-02-20 05:03:27 UTC
>>         key usage: 
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
>> "subsystemCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20170113205245':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: 
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
>> cert-pki-ca',token='NSS Certificate DB',pin set
>>         certificate: 
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
>> cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer: E=ad...@lrtech.ca,CN=LR Tech inc. Root CA 
>> 2022,OU=Intranet,O=LR Tech inc.,L=Levis,ST=Quebec,C=CA
>>         subject: CN=Certificate Authority,O=QC.LRTECH.CA
>>         expires: 2027-03-04 14:26:48 UTC
>>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
>> "caSigningCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20170113205246':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: 
>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>         certificate: 
>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
>> Certificate DB'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
>>         subject: CN=IPA RA,O=QC.LRTECH.CA
>>         expires: 2024-02-20 05:03:35 UTC
>>         key usage: 
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>         post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>         track: yes
>>         auto-renew: yes
>> Request ID '20170113205247':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: 
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert 
>> cert-pki-ca',token='NSS Certificate DB',pin set
>>         certificate: 
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert 
>> cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
>>         subject: CN=freeipa.qc.lrtech.ca,O=QC.LRTECH.CA
>>         expires: 2024-02-23 05:00:11 UTC
>>         key usage: 
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
>> "Server-Cert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20170113205302':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: 
>> type=NSSDB,location='/etc/dirsrv/slapd-QC-LRTECH-CA',nickname='Server-Cert',token='NSS
>>  Certificate DB',pinfile='/etc/dirsrv/slapd-QC-LRTECH-CA/pwdfile.txt'
>>         certificate: 
>> type=NSSDB,location='/etc/dirsrv/slapd-QC-LRTECH-CA',nickname='Server-Cert',token='NSS
>>  Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
>>         subject: CN=freeipa.qc.lrtech.ca,O=QC.LRTECH.CA
>>         expires: 2024-03-02 05:03:02 UTC
>>         principal name: ldap/freeipa.qc.lrtech...@qc.lrtech.ca
>>         key usage: 
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv 
>> QC-LRTECH-CA
>>         track: yes
>>         auto-renew: yes
>> Request ID '20220304195651':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: 
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>         certificate: 
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
>> Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
>>         subject: CN=freeipa.qc.lrtech.ca,O=QC.LRTECH.CA
>>         expires: 2024-03-02 05:02:44 UTC
>>         dns: freeipa.qc.lrtech.ca
>>         principal name: HTTP/freeipa.qc.lrtech...@qc.lrtech.ca
>>         key usage: 
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
> 
> Now I still have some issues with the FreeIPA web UI.
> 
> Firefox is unable to load the page and gives error 
> SEC_ERROR_REUSED_ISSUER_AND_SERIAL
> 
> Chrome allows me to connect, but when I try to reach the Authentication tab I get 
> IPA Error 4301: CertificateOperationError Certificate operation cannot be 
> completed: Unable to communicate with CMS (Internal Server Error)
> 
> After that I tried to renew my client certificate by doing what Rob said:
> Copy /etc/pki/ca-trust/source/ipa.p11-kit from the server to a client
> I set time to 2022-03-02
> kinit
> Run update-ca-trust
> Run ipa-certupdate
> 
> But the ipa-certupdate command returns:
> Major (851968): Unspecified GSS failure.  Minor code may provide more 
> information, Minor (2529639122): Generic preauthentication failure
> 
> Also I don't see my new root CA in /etc/httpd/nssdb even though the certificate 
> is in /etc/pki/ca-trust/anchor/
> 
> # certutil -L -d /etc/httpd/nssdb
> 
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> LR Tech ROOT CA                                              CT,C,C
>> Server-Cert                                                          u,u,u
>> QC.LRTECH.CA IPA CA                                       CT,C,C
> 
> 
> Eric
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it: 
> https://pagure.io/fedora-infrastructure
> 