Hi,

On Sun, Sep 4, 2022 at 6:54 AM Ahmad Sahibzada via FreeIPA-users <[email protected]> wrote:

> Hi,
> This time I can't blame certmonger for not renewing my freeipa certs,
> because they were not added to the tracking list. Now I have manually added
> them by following the KB article "https://access.redhat.com/articles/4062581".
> Once added, I followed the following article to update them manually:
> "https://access.redhat.com/solutions/3357261". Even after performing all the
> steps, where I had to reverse the system time and submit the manual
> renewal request using the "ipa-getcert resubmit -i [Request ID]" command, I
> have no luck renewing the following ones:
> "auditSigningCert cert-pki-ca", "ocspSigningCert cert-pki-ca",
> "subsystemCert cert-pki-ca", "Server-Cert cert-pki-ca". Here is my getcert
> list command output:
>
> Number of certificates and requests being tracked: 8.
> Request ID '20220903192955':
> 	status: MONITORING
> 	ca-error: Unable to determine principal name for signing request.
> 	stuck: no
> 	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> 	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> 	CA: IPA

This is not the right CA to track this cert. The start-tracking command needs to specify -c dogtag-ipa-ca-renew-agent.

> 	issuer: CN=Certificate Authority,O=XYZ.COM
> 	subject: CN=CA Audit,O=XYZ.COM
> 	expires: 2022-07-07 09:02:50 UTC
> 	key usage: digitalSignature,nonRepudiation
> 	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> 	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
> 	track: yes
> 	auto-renew: yes
> Request ID '20220903193147':
> 	status: MONITORING
> 	ca-error: Unable to determine principal name for signing request.
> 	stuck: no
> 	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> 	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> 	CA: IPA

Same comment as above, please use start-tracking with -c dogtag-ipa-ca-renew-agent.

> 	issuer: CN=Certificate Authority,O=XYZ.COM
> 	subject: CN=OCSP Subsystem,O=XYZ.COM
> 	expires: 2022-07-07 09:01:40 UTC
> 	eku: id-kp-OCSPSigning
> 	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> 	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
> 	track: yes
> 	auto-renew: yes
> Request ID '20220903193259':
> 	status: MONITORING
> 	ca-error: Unable to determine principal name for signing request.
> 	stuck: no
> 	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
> 	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> 	CA: IPA

Same comment as above, please use start-tracking with -c dogtag-ipa-ca-renew-agent.

> 	issuer: CN=Certificate Authority,O=XYZ.COM
> 	subject: CN=CA Subsystem,O=XYZ.COM
> 	expires: 2022-07-27 16:09:07 UTC
> 	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> 	eku: id-kp-serverAuth,id-kp-clientAuth
> 	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> 	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> 	track: yes
> 	auto-renew: yes
> Request ID '20220903193355':
> 	status: MONITORING
> 	ca-error: Unable to determine principal name for signing request.
> 	stuck: no
> 	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
> 	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> 	CA: IPA

Same comment as above, please use start-tracking with -c dogtag-ipa-ca-renew-agent.

> 	issuer: CN=Certificate Authority,O=XYZ.COM
> 	subject: CN=hq-idm-lxd-01.xyz.com,O=XYZ.COM
> 	expires: 2022-07-27 16:08:27 UTC
> 	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> 	eku: id-kp-serverAuth,id-kp-clientAuth
> 	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> 	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
> 	track: yes
> 	auto-renew: yes
> Request ID '20220903193457':
> 	status: MONITORING
> 	stuck: no
> 	key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
> 	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
> 	CA: IPA
> 	issuer: CN=Certificate Authority,O=XYZ.COM
> 	subject: CN=hq-idm-lxd-01.xyz.com,O=XYZ.COM
> 	expires: 2024-07-06 13:07:27 UTC

The KDC cert has been renewed 2022-07-06; this means that you must pick a date after 2022-07-06 if you retry changing the date in the past.

> 	principal name: krbtgt/[email protected]
> 	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> 	eku: id-kp-serverAuth,id-pkinit-KPKdc
> 	certificate template/profile: KDCs_PKINIT_Certs
> 	pre-save command:
> 	post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
> 	track: yes
> 	auto-renew: yes
> Request ID '20220903193541':
> 	status: MONITORING
> 	ca-error: Unable to determine principal name for signing request.
> 	stuck: no
> 	key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
> 	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
> 	CA: IPA

Same comment as above, please use start-tracking with -c dogtag-ipa-ca-renew-agent.

HTH,
flo

> 	issuer: CN=Certificate Authority,O=XYZ.COM
> 	subject: CN=IPA RA,O=XYZ.COM
> 	expires: 2022-07-27 16:08:37 UTC
> 	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> 	eku: id-kp-serverAuth,id-kp-clientAuth
> 	pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
> 	post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
> 	track: yes
> 	auto-renew: yes
> Request ID '20220903193608':
> 	status: MONITORING
> 	stuck: no
> 	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> 	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> 	CA: IPA
> 	issuer: CN=Certificate Authority,O=XYZ.COM
> 	subject: CN=hq-idm-lxd-01.xyz.com,O=XYZ.COM
> 	expires: 2024-07-06 13:08:14 UTC
> 	principal name: HTTP/[email protected]
> 	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> 	eku: id-kp-serverAuth,id-kp-clientAuth
> 	pre-save command:
> 	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
> 	track: yes
> 	auto-renew: yes
> Request ID '20220903194017':
> 	status: MONITORING
> 	stuck: no
> 	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-XYZ.COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-XYZ.COM/pwdfile.txt'
> 	certificate: type=NSSDB,location='/etc/dirsrv/slapd-XYZ.COM',nickname='Server-Cert',token='NSS Certificate DB'
> 	CA: IPA
> 	issuer: CN=Certificate Authority,O=XYZ.COM
> 	subject: CN=hq-idm-lxd-01.xyz.com,O=XYZ.COM
> 	expires: 2024-07-06 13:08:32 UTC
> 	principal name: ldap/[email protected]
> 	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> 	eku: id-kp-serverAuth,id-kp-clientAuth
> 	pre-save command:
> 	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv slapd-XYZ.COM
> 	track: yes
> 	auto-renew: yes
>
> Here is the output of the ipactl status command; all services run but
> pki-tomcatd Service: STOPPED
>
> [root@hq-idm-lxd-01 tmp]# ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> ntpd Service: RUNNING
> pki-tomcatd Service: STOPPED
> smb Service: RUNNING
> winbind Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> The output of the log /var/log/pki/pki-tomcat/ca/debug:
>
> Internal Database Error encountered: Could not connect to LDAP server host hq-idm-lxd-01.linuxdev.addev.ssa.gov port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
>
> Finally:
>
> [root@hq-idm-lxd-01 tmp]# ipa --version
> VERSION: 4.6.5, API_VERSION: 2.231
> [root@hq-idm-lxd-01 tmp]# cat /etc/redhat-release
> CentOS Linux release 7.7.1908 (Core)
>
> Due to my limited knowledge of certs and IPA, I would like someone to
> help me mitigate this issue. I have exhausted all my resources but still no
> luck.
>
> VR
> Z Sahibzada
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
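The point of the reply is that the four "cert-pki-ca" certificates and the RA agent certificate are tracked with "CA: IPA", while they need a Dogtag renewal helper. As an added example that is not part of the thread and not FreeIPA's own tooling, the POSIX shell check below reads `getcert list` output and reports every such request still tracked through the plain IPA CA, so the problem can be spotted before retrying the renewal. The sample listing is constructed from the shape of the output above (fields trimmed); the decisions to identify the affected certificates by the `cert-pki-ca` nickname or the `ra-agent` key path, and to treat any `dogtag-ipa-*` helper as acceptable so that only `IPA` is flagged, are my assumptions.

```shell
#!/bin/sh
# Added example for this thread (not the poster's or FreeIPA's own code):
# report Dogtag CA-subsystem ("... cert-pki-ca") and RA-agent certificates
# whose certmonger CA helper is the plain "IPA" CA instead of a dogtag-ipa-*
# renewal agent. Real use: getcert list | find_mistracked_certs

# Constructed sample in the shape of `getcert list` output (fields trimmed).
# The last request is tracked correctly and must not be reported.
sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 4.
Request ID '20220903192955':
	status: MONITORING
	ca-error: Unable to determine principal name for signing request.
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	CA: IPA
	subject: CN=CA Audit,O=XYZ.COM
Request ID '20220903193541':
	status: MONITORING
	ca-error: Unable to determine principal name for signing request.
	key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
	CA: IPA
	subject: CN=IPA RA,O=XYZ.COM
Request ID '20220903193608':
	status: MONITORING
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	CA: IPA
	subject: CN=hq-idm-lxd-01.xyz.com,O=XYZ.COM
Request ID '20190101000000':
	status: MONITORING
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	CA: dogtag-ipa-ca-renew-agent
	subject: CN=OCSP Subsystem,O=XYZ.COM
EOF
}

# Read `getcert list` output on stdin and print "<request id> <CA> <storage>"
# for each request that belongs to the CA subsystem or the RA agent but is
# tracked through the "IPA" CA. Exit status is 1 when anything was reported,
# so the function can gate a renewal retry in a script.
find_mistracked_certs() {
    awk '
        # Emit the request collected so far, then reset the per-request state.
        function flush() {
            if (id != "" && ca == "IPA" && dogtag) {
                print id, ca, storage
                found = 1
            }
            id = ""; ca = ""; storage = ""; dogtag = 0
        }
        /^Request ID / {
            flush()
            # $3 looks like <quote>20220903192955<quote>: ; keep only the id
            id = substr($3, 2, length($3) - 3)
        }
        /^[ \t]*key pair storage:/ {
            storage = $0
            sub(/^[ \t]*key pair storage: /, "", storage)
            # Assumption: a cert-pki-ca nickname or the ra-agent key path
            # marks a certificate that a Dogtag renewal helper must track.
            if (storage ~ /cert-pki-ca|ra-agent/) dogtag = 1
        }
        /^[ \t]*CA:/ { ca = $2 }
        END { flush(); exit found ? 1 : 0 }
    '
}

# Demo on the constructed sample: two requests are reported, exit status 1.
sample_getcert_list | find_mistracked_certs || true
```

For each request ID the check prints, the fix the reply describes is to stop tracking it (`getcert stop-tracking -i <id>`) and re-run `getcert start-tracking` with `-c dogtag-ipa-ca-renew-agent` plus the remaining options from the KB article cited in the question; the script itself only reports and changes nothing.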