nasir nasir wrote:
--- On Tue, 1/3/12, Rich Megginson <rmegg...@redhat.com> wrote:
From: Rich Megginson <rmegg...@redhat.com>
Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
To: "nasir nasir" <kollath...@yahoo.com>
Cc: freeipa-users@redhat.com, fasilk...@gmail.com
Date: Tuesday, January 3, 2012, 7:41 AM
On 01/03/2012 12:52 AM, nasir nasir wrote:
Hi,
I am facing a serious issue with my production IPA server. When I
try to access IPA web interface using Firefox, it hangs and
doesn't allow me to get in. It seems to be due to expired SSL
certificate as seen in the apache log file,
[Tue Jan 03 10:34:08 2012] [error] Certificate not verified: 'Server-Cert'
[Tue Jan 03 10:34:08 2012] [error] SSL Library Error: -8181 Certificate has expired
[Tue Jan 03 10:34:08 2012] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
[Tue Jan 03 10:34:08 2012] [error] Certificate not verified: 'Server-Cert'
Also, when I try to use the command line (ipa user-mod or
user-show commands) it too just hangs and doesn't give any output
or allow me for any input. I can see the following in krb5kdc.log,
Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2426](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2426](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: PREAUTH_FAILED: host/xxxxx.xxxxx....@xxxxxx.com for krbtgt/xxxxxx....@xxxxxx.com, Decrypt integrity check failed
Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2429](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH: host/xxxx.xxxxx....@xxxxx.com for krbtgt/xxxxxx....@xxxxxx.com, Additional pre-authentication required
The output of "certutil -L -d /etc/httpd/alias -n Server-Cert"
confirms that the certificate is expired, as given below.
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10 (0xa)
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "CN=Certificate Authority,O=XXXXXX.COM"
Validity:
Not Before: Sun Jun 19 11:27:20 2011
Not After : Fri Dec 16 11:27:20 2011
Relevant info
OS: RHEL 6.1
Output of rpm -qa | grep ipa
ipa-client-2.0.0-23.el6.i686
ipa-pki-ca-theme-9.0.3-6.el6.noarch
ipa-pki-common-theme-9.0.3-6.el6.noarch
device-mapper-multipath-libs-0.4.9-41.el6.i686
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.0.0-23.el6.i686
ipa-server-selinux-2.0.0-23.el6.i686
ipa-server-2.0.0-23.el6.i686
device-mapper-multipath-0.4.9-41.el6.i686
ipa-admintools-2.0.0-23.el6.i686
I went through the documentations to check how to renew the
expired certs but it seems to be confusing and different across
versions. Could someone please help me out by suggesting which is
the best way to achieve this? Any help would be greatly
appreciated as I am unable to perform any task on the IPA server
now because of this.
I suggest following the mod_nss suggestion to allow it to start and
use the expired cert while you attempt to figure this out.
Thanks indeed for the suggestion. I will consider this. But can
anyone point me to the steps to renew the certificate from the expired one?
Thanks and regards,
Nidal
Let's start with figuring out why certmonger didn't do this for you:
Can you run as root: ipa-getcert list
You should have something like:
Request ID '20111215203350':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=EXAMPLE.COM Certificate Authority
subject: CN=rawhide.example.com,O=EXAMPLE.COM
expires: 2021-12-15 20:33:50 UTC
track: yes
auto-renew: yes
If you don't have something like this then perhaps the easiest way to
get it renewed is to tell certmonger to track it. First, look at your
current database, it should look something like:
# certutil -L -d /etc/httpd/alias
Server-Cert u,u,u
EXAMPLE.COM IPA CA CTu,u,Cu
Signing-Cert u,u,u
Now track it
# ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert
Use ipa-getcert list to track the status of the renewal. Once it has
been completed you can reset the EnforceValidCerts option and restart
Apache.
If certmonger is already tracking the cert and the renewal has failed
then please provide the ipa-getcert list output.
rob
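The checks rob asks for above (is the cert expired, is certmonger tracking it, has the renewal got stuck) are easy to automate, and doing so before expiry is what prevents the outage Nidal describes. The following script is an added example for this thread, not code from FreeIPA or certmonger: it parses the text formats of `certutil -L -d <db> -n <nick>` and `ipa-getcert list` as shown in the messages above and reports certificates that are expired, close to expiry, stuck, or not tracked for auto-renewal. Both sample outputs are constructed from the thread; the second tracking request (nickname `Signing-Cert`, status `CA_UNREACHABLE`) is invented to show a failing case, and certutil's `Not After` value, which it prints in local time without a zone, is treated as UTC for comparison, which is an assumption.

```python
"""Audit NSS certificate expiry and certmonger tracking state.

Added example for this thread, not FreeIPA or certmonger code. It parses the
text formats of `certutil -L -d <db> -n <nick>` and `ipa-getcert list` shown
in the thread. Assumptions: certutil's 'Not After' (local time, no zone) is
treated as UTC; the sample outputs below are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Reference time for the audit: the apache log timestamp from the report.
NOW = datetime(2012, 1, 3, 10, 34, 8, tzinfo=timezone.utc)

# Constructed sample in the shape of `certutil -L -d /etc/httpd/alias -n Server-Cert`.
CERTUTIL_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
        Issuer: "CN=Certificate Authority,O=XXXXXX.COM"
        Validity:
            Not Before: Sun Jun 19 11:27:20 2011
            Not After : Fri Dec 16 11:27:20 2011
"""

# Constructed sample in the shape of `ipa-getcert list`: one healthy request
# (as in rob's reply) and one invented broken request for a second nickname.
GETCERT_OUTPUT = """\
Request ID '20111215203350':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=EXAMPLE.COM Certificate Authority
    subject: CN=rawhide.example.com,O=EXAMPLE.COM
    expires: 2021-12-15 20:33:50 UTC
    track: yes
    auto-renew: yes
Request ID '20110619112720':
    status: CA_UNREACHABLE
    stuck: yes
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
    CA: IPA
    expires: 2011-12-16 11:27:20 UTC
    track: yes
    auto-renew: no
"""


def parse_certutil_not_after(text):
    """Return the 'Not After' time from certutil output as an aware datetime."""
    m = re.search(r"Not After\s*:\s*(.+)", text)
    if m is None:
        raise ValueError("no 'Not After' line in certutil output")
    naive = datetime.strptime(m.group(1).strip(), "%a %b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)  # assumption: treat as UTC


def parse_getcert_requests(text):
    """Split ipa-getcert list output into one dict of fields per request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests


def days_until_expiry(not_after, now):
    """Whole days until expiry; negative once the certificate has expired."""
    remaining = not_after - now
    return -abs(remaining).days if remaining < timedelta(0) else remaining.days


def check_requests(requests, now, warn_days=30):
    """Return (nickname, problem) pairs for requests that need attention."""
    problems = []
    for req in requests:
        nick = re.search(r"nickname='([^']*)'", req.get("certificate", ""))
        name = nick.group(1) if nick else req["id"]
        if req.get("track") != "yes" or req.get("auto-renew") != "yes":
            problems.append((name, "not tracked for auto-renewal"))
        if req.get("stuck") == "yes":
            problems.append((name, f"request stuck in state {req.get('status')}"))
        if "expires" in req:
            exp = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S %Z")
            left = days_until_expiry(exp.replace(tzinfo=timezone.utc), now)
            if left < 0:
                problems.append((name, f"expired {-left} days ago"))
            elif left < warn_days:
                problems.append((name, f"expires in {left} days"))
    return problems


def audit(certutil_text=CERTUTIL_OUTPUT, getcert_text=GETCERT_OUTPUT, now=NOW):
    """Combine both checks into one report dict."""
    return {
        "server_cert_days_left": days_until_expiry(parse_certutil_not_after(certutil_text), now),
        "problems": check_requests(parse_getcert_requests(getcert_text), now),
    }


if __name__ == "__main__":
    report = audit()
    print(f"Server-Cert: {report['server_cert_days_left']} days until expiry")
    for name, problem in report["problems"]:
        print(f"{name}: {problem}")
```

Run on a live server, the two constants would be replaced by the output of `certutil -L -d /etc/httpd/alias -n Server-Cert` and `ipa-getcert list`, and `NOW` by the current time; a cron job that exits non-zero when `problems` is non-empty gives the early warning that was missing here.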
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users