Justin Sanderson via FreeIPA-users wrote:
> Flo - That worked!
> 
> I noticed in the output of each "resubmit" that it said it was
> contacting the DogTag so it all kinda makes sense now as to why they
> couldn't renew.
> 
> 
> I can see that the certs actually renewed when I run "getcert list" but
> when I'm in the web interface and go to "Authentication" -->
> "Certificates" and select Cert #93 (for example).
> 
> It still shows an expiry date of 05/04/2023 and the "Subject" for the
> cert is "CN=CA Audit,O=[sanitized domain name]". The issuing CA is "ipa".

You'd need to see the rest of the cert to determine when it was issued.
Start by looking at the certificate on disk itself.

A couple of quick and dirty ways of finding the serial number are:

# certutil -L -d /etc/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca' | grep Serial

If you drop the grep you can see the whole thing, issuing date,
expiration date, etc.

or with grosser output (not all requests have a cert_nickname).

# egrep "cert_serial|cert_nickname" /var/lib/certmonger/requests/*

Then you can look it up in the UI if you want.

> Are these the same certs that I'm seeing in "getcert list" output ?? Do
> I need to bounce a service to re-read or for the gui to see the changes?

We don't have enough information to say definitely but no restart is
necessary. The above commands will tell you which serial number to look for.

Certificate expiration dates are limited by the notAfter of the issuing CA.

You can see what the date(s) are with:

# openssl crl2pkcs7 -nocrl -certfile /etc/ipa/ca.crt | openssl pkcs7 -print_certs -text -noout

So it is theoretically possible, though highly unlikely if self-signed,
that your CA expires in May so therefore all the certs it issues will
also expire then.

It's also possible you were looking at an older audit cert though.

rob
> 
> 
> Btw - I'm running ipa-server-4.6.8-5.el7 (on a CentOS 7.9 box)
> 
> 
> v/r,
> 
> justin
> 
> 
> On 4/17/2023 10:46 AM, Florence Blanc-Renaud wrote:
>> Hi,
>>
>> On Mon, Apr 17, 2023 at 3:32 PM Justin Sanderson
>> <[email protected]> wrote:
>>
>>
>>     Hey Flo - thanks for the quick response and input.
>>
>>
>>     I stumbled across the link you referenced this past weekend. For
>>     now, I'm ok with using BasicAuth to keep the system running.
>>
>>     However, that is indicative of an underlying cert issue and may be
>>     related to the other issues mentioned in the post.
>>
>>
>>     My biggest/most-pressing issue is that I have an UNREACHABLE CA
>>     ... Is this problem due to the tomcat-pki not being able to
>>     login?? I would think that after switching over to binddn/password
>>     that the UNREACHABLE would resolve itself if that were the case.
>>
>>     Basically, I think I'm having 2 issues.
>>
>>     1) the dogtag pki --> ldap auth, which I think I have fixed for now.
>>
>>     2) I don't know how to fix the UNREACHABLE for the certs on the
>>     NSSDB (see below)
>>
>> Can you check if the PKI server is responsive using the following
>> commands?
>> # kinit admin
>> # ipa cert-show 1
>>
>>   * If the command properly returns something then it means PKI is
>>     reachable and you can retry the renewal with
>>
>> # getcert resubmit -i <request id>
>> with <request id> corresponding to the ID for auditSigningCert
>> cert-pki-ca / ocspSigningCert cert-pki-ca. Wait for one renewal to
>> complete successfully (getcert list -i <request id> displays
>> MONITORING when the renewal is done) before launching the next one.
>> You can observe the journal for additional logs.
>>
>>   * If the command fails additional debugging will be needed, the
>>     first step would be to create /etc/ipa/server.conf with the
>>     following content:
>>
>> [global]
>> debug=True
>>
>> and restart the stack with "ipactl restart". Then check the content of
>> /var/log/httpd/error_log when you run "ipa cert-show 1", it will
>> contain additional messages.
>>
>> By the way, which IPA version is installed? rpm -qa | grep ipa-server
>>
>> flo
>>
>>
>>     I know I'm missing something but I'm so new to this platform that
>>     I literally don't know where/how to fix.
>>
>>
>>     Thanks again.
>>
>>
>>     On 4/17/2023 4:03 AM, Florence Blanc-Renaud wrote:
>>>     Hi,
>>>
>>>     On Mon, Apr 17, 2023 at 5:42 AM Justin Sanderson via
>>>     FreeIPA-users <[email protected]> wrote:
>>>
>>>         THANKS IN ADVANCE FOR ANY HELP INFO YOU CAN PROVIDE!!
>>>
>>>         Greatly Appreciate!!
>>>
>>>
>>>         Ok. So after doing a LOT of reading and learning about
>>>         FreeIPA the past 2 days (yep, I inherited), I was able to fix
>>>         my problem of pki-tomcatd (DogTAG i think its called) so that
>>>         it would start.
>>>
>>>         The pki-tomcatd service wouldn't start due to some cert
>>>         issues. I was fortunate enough to figure out how to enable
>>>         BasicAuth for now to get the service to start, so that's a win.
>>>
>>>     So it means that PKI was not able to authenticate to the LDAP
>>>     server using the certificate subsystemCert cert-pki-ca and you
>>>     switched from certificate-based authentication to simple bind
>>>     using DN/password.
>>>
>>>     There are some troubleshooting hints here for this specific
>>>     issue:
>>>     https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
>>>
>>>     HTH,
>>>     flo
>>>
>>>
>>>         My SETUP:
>>>
>>>         I have a single server instance as a VM. There are no replicas.
>>>
>>>         The FreeIPA configuration is:
>>>
>>>         1) No DNS BIND server - using external DNS via AD in
>>>         /etc/resolv.conf
>>>
>>>         2)  We ARE running all other services
>>>
>>>         3) Self-signed CA configuration using DogTag, I think it's
>>>         called. There are no external certs being used.
>>>
>>>
>>>         ipactl start has no issues now after I fixed the pki-tomcatd
>>>         start problem using BasicAuth (workaround)
>>>
>>>
>>>         PROBLEM :
>>>
>>>         When i run "getcert list" I have 3 that have status
>>>         CA_UNREACHABLE and ALL of them are related to
>>>         /etc/pki/pki-tomcat/alias NSSDB.
>>>
>>>         They are set to expire in a few weeks so I need to figure
>>>         this out.. needing some help.
>>>
>>>         The getcert list outputs a total of 9 or 10 certs so I don't
>>>         think I'm missing anything.. Based off what I was able to
>>>         find, it's common to have 8-10 certs in the output...?
>>>
>>>
>>>         Below are 2 of 3 certs that are going to expire soon and
>>>         their CA is in an UNREACHABLE state. They all use the same NSSDB
>>>
>>>         **I have no idea where to start looking to fix this
>>>         problem... which log file... how is it supposed to talk to
>>>         the NSSDB. it's not a socket...? **
>>>
>>>         I'm worried that the certs will expire and I won't know how
>>>         to fix it. or where to even look. HELP*!*!
>>>
>>>         I've seen several people posting already about certmonger not
>>>         successfully tracking/renewing some certs so I'm a bit
>>>         concerned, especially since the CA_UNREACHABLE error.
>>>
>>>         How do I fix this:
>>>
>>>         1) manually generate new certs and wth do I put them?
>>>
>>>         2) why is the CA_UNREACHABLE on a NSSDB ..? The files are
>>>         there and intact. I can view the contents no prob.
>>>
>>>
>>>         ============ getcert list output ============================
>>>
>>>         Request ID '20190621200128':
>>>                 status: CA_UNREACHABLE
>>>                 ca-error: Internal error
>>>                 stuck: no
>>>                 key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set
>>>                 certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
>>>                 CA: dogtag-ipa-ca-renew-agent
>>>                 issuer: CN=Certificate Authority,O=[SANITIZED DNS NAME]
>>>                 subject: CN=CA Audit,O=[SANITIZED DNS NAME]
>>>                 expires: 2023-05-04 12:52:47 UTC
>>>                 key usage: digitalSignature,nonRepudiation
>>>                 pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>                 post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>>                 track: yes
>>>                 auto-renew: yes
>>>
>>>         Request ID '20190621200129':
>>>                 status: CA_UNREACHABLE
>>>                 ca-error: Internal error
>>>                 stuck: no
>>>                 key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set
>>>                 certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
>>>                 CA: dogtag-ipa-ca-renew-agent
>>>                 issuer: CN=Certificate Authority,O=[SANITIZED DNS NAME]
>>>                 subject: CN=OCSP Subsystem,O=[SANITIZED DNS NAME]
>>>                 expires: 2023-05-04 12:53:17 UTC
>>>                 eku: id-kp-OCSPSigning
>>>                 pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>                 post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>>                 track: yes
>>>                 auto-renew: yes
>>>
>>>         ============================================================
>>>
>>>
>>>
>>>
>>>         _______________________________________________
>>>         FreeIPA-users mailing list --
>>>         [email protected]
>>>         To unsubscribe send an email to
>>>         [email protected]
>>>         Fedora Code of Conduct:
>>>         https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>         List Guidelines:
>>>         https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>         List Archives:
>>>         
>>> https://lists.fedorahosted.org/archives/list/[email protected]
>>>         Do not reply to spam, report it:
>>>         https://pagure.io/fedora-infrastructure/new_issue
>>>
> 
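The two checks discussed in this thread, Flo's "resubmit the non-MONITORING requests one at a time" and Rob's "an issued cert cannot outlive the CA's notAfter", collected into one POSIX shell script that works on `getcert list` text. This is an added example, not code from the thread, FreeIPA, certmonger or Dogtag. The `getcert list` text it parses is a constructed sample modelled on Justin's output: the audit and OCSP entries are taken from the thread, while the first entry (the CA's own certificate, its request ID and its 2039 expiry) is invented so the CA comparison has something to compare against. The nickname `caSigningCert cert-pki-ca` for the CA's own tracking request is an assumption.

```shell
#!/bin/sh
# Added example for this thread; not code from FreeIPA, certmonger or Dogtag.
# Parses `getcert list` text to (1) list requests whose status is not
# MONITORING and print the resubmit command for each, and (2) flag certs
# whose expiry is not earlier than the CA's own expiry: a CA cannot issue
# past its notAfter, so such certs "renew" to the same end date.

tab=$(printf '\t')

# Assumed: the IPA CA's own certificate is tracked under this nickname.
CA_NICK='caSigningCert cert-pki-ca'

# Constructed sample modelled on the output quoted in the thread. The CA
# entry (ID and 2039 date) is invented; the other two are from the thread.
SAMPLE_GETCERT=$(cat <<'EOF'
Request ID '20190621200127':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set
        expires: 2039-06-21 20:01:27 UTC
Request ID '20190621200128':
        status: CA_UNREACHABLE
        ca-error: Internal error
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set
        expires: 2023-05-04 12:52:47 UTC
Request ID '20190621200129':
        status: CA_UNREACHABLE
        ca-error: Internal error
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set
        expires: 2023-05-04 12:53:17 UTC
EOF
)

# Shared parser: stdin is `getcert list` output, stdout is one line per
# request: id <TAB> status <TAB> nickname <TAB> expires (YYYY-MM-DD HH:MM:SS).
parse_getcert() {
  awk -v q="'" '
    function flush() { if (id != "") printf "%s\t%s\t%s\t%s\n", id, status, nick, notafter }
    /^Request ID / { flush(); id = $3; gsub(q, "", id); sub(":", "", id); status = ""; nick = ""; notafter = "" }
    /^[ \t]*status:/ { status = $2 }
    /^[ \t]*key pair storage:/ {
      # nickname sits between nickname=<quote> and the next <quote>
      if (match($0, "nickname=" q "[^" q "]*" q)) nick = substr($0, RSTART + 10, RLENGTH - 11)
    }
    /^[ \t]*expires:/ { notafter = $2 " " $3 }
    END { flush() }
  '
}

# Requests not in MONITORING: id <TAB> status <TAB> nickname.
stuck_requests() {
  parse_getcert | awk -F "$tab" '$2 != "MONITORING" { print $1 "\t" $2 "\t" $3 }'
}

# One resubmit command per stuck request. Run them one at a time and wait
# for `getcert list -i <id>` to show MONITORING before the next (Flo's advice).
resubmit_plan() {
  stuck_requests | while IFS="$tab" read -r id status nick; do
    printf 'getcert resubmit -i %s   # %s (%s)\n' "$id" "$nick" "$status"
  done
}

# Certs whose expiry is not earlier than the CA's own (same UTC format from
# getcert, so a string comparison is enough). Exits 1 if the CA request is absent.
capped_by_ca() {
  parse_getcert | awk -F "$tab" -v ca_nick="$CA_NICK" '
    { id[NR] = $1; nick[NR] = $3; na[NR] = $4; if ($3 == ca_nick) ca = $4 }
    END {
      if (ca == "") { print "CA request " ca_nick " not found" > "/dev/stderr"; exit 1 }
      for (i = 1; i <= NR; i++)
        if (nick[i] != ca_nick && na[i] >= ca) printf "%s\t%s\t%s\n", id[i], nick[i], na[i]
    }'
}

# Stand-alone run on the constructed sample; on a live server feed it
# `getcert list` instead, e.g.  getcert list | resubmit_plan
printf '%s\n' "$SAMPLE_GETCERT" | resubmit_plan
printf '%s\n' "$SAMPLE_GETCERT" | capped_by_ca
```

On the sample, `resubmit_plan` prints two commands (audit, then OCSP) and `capped_by_ca` prints nothing, because the invented CA expires in 2039. If the CA in your `getcert list` output expired on the same date as the certs it issued, `capped_by_ca` would list them, and that, rather than a failed renewal, would explain a "renewed" certificate keeping its old expiry, which is Rob's point above.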
