[Freeipa-users] Re: FreeIPA - Need help with Expired Certificate

Wed, 15 May 2024 13:26:48 -0700 

azeem via FreeIPA-users wrote:
> Hi Rob,
> 
> Thanks for you reply. FreeIPA, version: 4.2.0 - Centos 7
> And yes are right. Here's the list of all the certifficates :-
> 
> 
> getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20160825909273':
> status: CA_UNREACHABLE
> ca-error: Server at https://test.domain.com/ipa/xml failed request, will 
> retry: 907 (RPC
> failed at server. cannot connect to
> 'https://test.domain.com:443/ca/eeca/ca/profileSubmitSSLClient':
> (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as 
> expired.).
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-TEST-DOMAIN-COM',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-TEST-DOMAINCOM/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-TEST-DOMAIN-COM',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=TEST-DOMAIN-COM
> subject: CN=test.domain.com,O=TEST-DOMAIN-COM
> expires: 2023-12-18 15:52:08 UTC
> principal name: ldap/test.domain.com(a)TEST.DOMAIN.COM
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv TEST.DOMAIN.COM
> track: yes
> auto-renew: yes
> Request ID '20160825202951':
>         status: MONITORING
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=TEST-DOMAIN-COM
>         subject: CN=CA Audit,O=TEST.DOMAIN.COM
>         expires: 2023-06-29 10:17:49 UTC
>         key usage: digitalSignature,nonRepudiation
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert 
> "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20160825202952':
>         status: MONITORING
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=TEST-DOMAIN-COM
>         subject: CN=OCSP Subsystem,O=TEST-DOMAIN-COM
>         expires: 2023-06-29 10:16:09 UTC
>         eku: id-kp-OCSPSigning
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert 
> "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20160825202953':
>         status: MONITORING
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=TEST-DOMAIN-COM
>         subject: CN=CA Subsystem,O=TEST-DOMAIN-COM
>         expires: 2023-06-29 10:16:29 UTC
>         key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert 
> "subsystemCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20160825202954':
>         status: MONITORING
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=TEST-DOMAIN-COM
>         subject: CN=Certificate Authority,O=TEST-DOMAIN-COM
>         expires: 2035-10-30 19:52:54 UTC
>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert 
> "caSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20160825202955':
>         status: MONITORING
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert 
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=TEST-DOMAIN-COM
>         subject: CN=test.domain.com,O=TEST-DOMAIN-COM
>         expires: 2024-04-23 15:52:18 UTC
>         key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert 
> "Server-Cert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20160825203104':
>         status: MONITORING
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: 
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=TEST-DOMAIN-COM
>         subject: CN=test.domain.com,O=TEST-DOMAIN-COM
>         expires: 2024-10-14 20:01:14 UTC
>         principal name: HTTP/[email protected]
>         key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>         track: yes
>         auto-renew: yes
> Request ID '20160825203110':
>         status: MONITORING
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: 
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
> Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=TEST-DOMAIN-COM
>         subject: CN=IPA RA,O=TEST-DOMAIN-COM
>         expires: 2023-06-29 10:16:20 UTC
>         key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
>         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>         track: yes
>         auto-renew: yes

You're running such an old version of RHEL and IPA that you're going to
need to do this the hard way.

Some of the certs expired nearly a year ago.

I'd recommend, if you can, snapshot the system so you can recover if
anything goes awry.

What you're going to need to do is stop ntpd and go back in time to
2023-06-28. Once you do that run ipactl restart. That will hopefully
bring all the services back up and operational.

See if this host is the renweal master: ipa config-show

If it is then proceed. If not you'll need to set it as the renewal
master: ipa config-mod --ca-renewal-master-server=<this FQDN>

Restart certmonger and then watch to see if the renewals happen.

getcert list | grep status

The certs should go into SUBMITTING and eventually hopefully MONITORING.
It may be a bumpy ride as the certs need to renew one at a time and
there will be a lot of service restarts so it may take a while.

Assuming all the certs renew then you can come back to present time,
ipactl restart, and things should work for another year.

rob
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to