Paul Tader wrote:
On 6/29/12 5:14 PM, Rob Crittenden wrote:
Paul Tader wrote:
On 6/11/12 9:16 AM, Paul Tader wrote:
On 6/5/12 2:33 PM, Rob Crittenden wrote:
JR Aquino wrote:
On Jun 5, 2012, at 11:18 AM, Paul Tader wrote:

A couple of days ago my (apache) certificates expired. Users are able to
kinit but tools such as sudo fail because of the expired certificates.
Lots of reading/Googling later I found this script (steps) to renew
these certs:

I'm just curious, but, isn't certmonger supposed to automatically
renew these? Is certmonger failing in this case?

Yes, the first thing to do is figure out why certmonger didn't
automatically renew the certificates. Then it should be as simple as
setting the date back, letting certmonger do its thing, then setting it
forward again.

That is very strange certmonger output. You might try setting the date
back a couple of days and trying something like:

ipa-getcert resubmit -i 20110706215145

And see what the status goes to.

rob

(Sorry for the delayed reply)

No luck with setting the date back and resubmitting the certificate.

# /etc/init.d/ntpd stop
Stopping ntpd (via systemctl):                             [  OK  ]

# date 060112002012
Fri Jun  1 12:00:00 CDT 2012

# /etc/init.d/httpd stop
Stopping httpd (via systemctl):                            [  OK  ]
# /etc/init.d/httpd start
Starting httpd (via systemctl):                            [  OK  ]

# ipa-getcert resubmit -i 20110706215145
Resubmitting "20110706215145" to "IPA".

# ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20110706215109':
     status: CA_UNREACHABLE
     ca-error: Server failed request, will retry: -504 (libcurl failed
to execute the HTTP POST transaction, explaining:  SSL connect error).
     stuck: yes
     key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-CTIDATA-NET//pwdfile.txt'
     certificate:
type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS
Certificate DB'
     CA: IPA
     issuer: CN=Certificate Authority,O=RELAM.NET
     subject: CN=srv01.company.net,O=REALM.NET
     expires: 2012-06-03 20:19:49 UTC
     eku: id-kp-serverAuth
     track: yes
     auto-renew: yes
Request ID '20110706215129':
     status: CA_UNREACHABLE
     ca-error: Server failed request, will retry: -504 (libcurl failed
to execute the HTTP POST transaction, explaining:  SSL connect error).
     stuck: yes
     key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
     certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
     CA: IPA
     issuer: CN=Certificate Authority,O=REALM.NET
     subject: CN=srv01.company.net,O=REALM.NET
     expires: 2012-06-03 20:19:49 UTC
     eku: id-kp-serverAuth
     track: yes
     auto-renew: yes
Request ID '20110706215145':
     status: GENERATING_CSR
     ca-error: Server failed request, will retry: 4301 (RPC failed at
server.  Certificate operation cannot be completed: Unable to
communicate with CMS (Unauthorized)).
     stuck: no
     key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
     certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
     CA: IPA
     issuer: CN=Certificate Authority,O=REALM.NET
     subject: CN=srv01.company.net,O=REALM.NET
     expires: 2012-06-03 20:19:49 UTC
     eku: id-kp-serverAuth
     track: yes
     auto-renew: yes

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Still working on this problem.  I've imported new self-signed certs
because I don't think I can renew expired certs, and now all of the
entries list like this:

Request ID '20110706215145':
     status: NEED_CSR_GEN_TOKEN
     ca-error: Error setting up ccache for local "host" service using
default keytab.
     stuck: yes
     key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
     certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
     CA: IPA
     issuer: CN=Certificate Authority,O=REALM.NET
     subject: CN=ipa01.domain.net,O=REALM.NET
     expires: 2012-06-03 20:19:49 UTC
     eku: id-kp-serverAuth
     track: yes
     auto-renew: yes


Any tips or suggestions? I've saved off the old files so I think I can
go back to the expired certs.

This means that the keytab isn't working for certmonger. This could be a
couple of things. I'd try this first:

# kinit host/$(hostname) -kt /etc/krb5.keytab

And

# kvno host/$(hostname)

rob

Output below:

# kinit host/$(hostname) -kt /etc/krb5.keytab
kinit: Password incorrect while getting initial credentials

# kvno host/$(hostname)
kvno: Credentials cache file '/tmp/krb5cc_0' not found while getting
client principal name


Not sure how or why but it would appear that the host principal on your server is out-of-whack. I'd get a new one with:

# ipa-getkeytab -s $(hostname) -k /etc/krb5.keytab -p host/$(hostname)

That should make the kinit and kvno work, and certmonger as well.

rob
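As an added example that is not part of this thread: a small POSIX shell script that parses `ipa-getcert list` output (a constructed sample modelled on the listing above) and reports requests that are stuck or that expire before a cutoff date, so an expiry like the one in this thread is noticed before it breaks sudo; it also wraps Rob's keytab check. The function names, the sample data and the 30-day cutoff are my own choices, not certmonger's or FreeIPA's.

```shell
#!/bin/sh
# Added example (not from the thread): flag certmonger requests that are stuck
# or that expire before a cutoff date, by parsing `ipa-getcert list` output.
# Expiry dates compare as strings because certmonger prints "YYYY-MM-DD HH:MM:SS UTC".

# Constructed sample of `ipa-getcert list` output, modelled on the thread.
sample_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20110706215145':
     status: CA_UNREACHABLE
     ca-error: Server failed request, will retry: -504 (libcurl failed
to execute the HTTP POST transaction, explaining:  SSL connect error).
     stuck: yes
     expires: 2012-06-03 20:19:49 UTC
Request ID '20110706215200':
     status: MONITORING
     stuck: no
     expires: 2014-01-15 08:00:00 UTC
EOF
}

# Reads `ipa-getcert list` output on stdin; $1 is the cutoff date (YYYY-MM-DD).
# Prints "<request id> <reason> <expiry date>" for each request worth a look.
flag_requests() {
    awk -v cutoff="$1" '
        /^Request ID/     { flush(); id = $3; gsub(/[^0-9A-Za-z_-]/, "", id) }
        /^[ \t]*status:/  { status = $2 }
        /^[ \t]*stuck:/   { stuck = $2 }
        /^[ \t]*expires:/ { expires = $2 }
        END               { flush() }
        function flush() {
            if (id == "") return
            if (stuck == "yes") print id, "STUCK(" status ")", expires
            else if (expires != "" && expires < cutoff) print id, "EXPIRES-BEFORE-CUTOFF", expires
            id = ""; status = ""; stuck = ""; expires = ""
        }'
}

# Rob's keytab check from the thread; returns 2 if the Kerberos client tools are missing.
check_host_keytab() {
    command -v kinit >/dev/null 2>&1 || return 2
    kinit -kt /etc/krb5.keytab "host/$(hostname)" && kvno "host/$(hostname)"
}

# Warn about anything stuck or expiring within 30 days (GNU date, BSD fallback).
CUTOFF=$(date -u -d '+30 days' +%F 2>/dev/null || date -u -v+30d +%F)
sample_output | flag_requests "$CUTOFF"   # on a real server: ipa-getcert list | flag_requests "$CUTOFF"
```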
