> 7 certificates are tracked, so I guess they are:

You’re correct, here is the list of certs tracked with the names:

# getcert list | egrep "Request ID|status:|CA:|expires:|certificate:"
Request ID '20210201172746':
        status: SUBMITTING
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2025-05-31 15:41:32 UTC
Request ID '20210201172819':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2025-05-31 15:41:32 UTC
Request ID '20210201172820':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2025-05-31 15:41:32 UTC
Request ID '20210201172821':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2025-05-31 15:41:32 UTC
Request ID '20210201172822':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2027-06-09 13:26:26 UTC
Request ID '20210201172823':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2025-05-31 15:41:32 UTC
Request ID '20210201172924':
        status: CA_UNREACHABLE
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: IPA
        expires: 2025-05-31 15:41:32 UTC
> And the following ones are not tracked: the HTTPd server cert (stored in
> /etc/httpd/alias) and the LDAP server cert (stored in /etc/dirsrv/slapd-XXX).
> You need to:
>
> * check if they are still valid
> * find their nickname using certutil -L -d /etc/dirsrv/slapd-IPA-TEST/ and
>   certutil -L -d /etc/httpd/alias (usually it's Server-Cert but it may differ)
>
> # certutil -L -d /etc/dirsrv/slapd-IPA-TEST/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> IPA.TEST IPA CA                                              CT,C,C
> Server-Cert                                                  u,u,u
>
> * check if they are still valid:
>   certutil -L -d /etc/dirsrv/slapd-IPA-TEST/ -n Server-Cert | grep -C2 "Validity:"
>
> # certutil -L -d /etc/dirsrv/slapd-IPA-TEST/ -n Server-Cert | grep -C2 "Validity:"
>         Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>         Issuer: "CN=Certificate Authority,O=IPA.TEST"
>         Validity:
>             Not Before: Tue Apr 08 09:27:53 2025
>             Not After : Fri Apr 09 09:27:53 2027
>
> * check if their issuer is known by IPA (it should be present in
>   /etc/ipa/ca.crt and in the various NSS databases). If not, you need to add
>   the whole chain with intermediate certs if any.
> * when you are sure that the HTTPd and LDAP certs are good, restart IPA
>   services with ipactl start --ignore-service-failures
> * then we'll re-assess the situation and fix the other certs.

As you can see they’re still valid for a few more weeks… but also from the list of names of certs in those directories, you’ll also see that we have duplicate entries for all of the CAs… both the IPA CA and the CAs that were used to sign the certs… I am wondering if this is the problem.
# certutil -L -d /etc/dirsrv/slapd-[CENSORED]/ -n "CN=[CENSORED]" | grep -C2 "Validity:"
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=PC-SubCA-B,DC=[DOMAIN]"
        Validity:
            Not Before: Wed Jul 05 13:54:09 2023
            Not After : Fri Jul 04 13:54:09 2025

# certutil -L -d /etc/httpd/alias/ | sed -e 's/CT,C,C//' -e 's/u,u,u//' | tail -n +4
[DOMAIN] IPA CA
CN=us01-linadm01.peacecorps.gov,OU=OCIO,O=PEACECORPS.GOV,L=Washington,ST=District of Columbia,C=US
CN=PC-RootCA
CN=PC-SubCA-A,DC=[DOMAIN]
CN=PC-SubCA-B,DC=[DOMAIN]
[DOMAIN] IPA CA
[DOMAIN] IPA CA
CN=PC-SubCA-A,DC=[DOMAIN]
CN=PC-SubCA-B,DC=[DOMAIN]

# certutil -L -d /etc/httpd/alias/ -n "CN=[CENSORED]" | grep -C2 "Validity:"
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=PC-SubCA-B,DC=[DOMAIN]"
        Validity:
            Not Before: Wed Jul 05 13:54:09 2023
            Not After : Fri Jul 04 13:54:09 2025
--
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org