Tómas Edwardsson wrote:
I'm having issues with expired certificates in /var/lib/pki-ca/alias which I'm 
quite unsure on how to fix. The ones that have expired are:

   subsystemCert cert-pki-ca
   Server-Cert cert-pki-ca

According to "getcert list" the following 2 requests are stuck

The error code translates to:

CURLE_SSL_CACERT (60) Peer certificate cannot be authenticated with known CA certificates.

Which is odd considering that other certificates in the same database were renewed ok.

I suppose I'd rewind time to the day before expiration and run:

getcert resubmit -i <id> for each of these and see if it goes through.

rob



   Request ID '20130415234030':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://auth.d.lan:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='502532376322'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=D.LAN
        subject: CN=CA Subsystem,O=D.LAN
        expires: 2013-07-10 14:24:34 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes

   Request ID '20130415234032':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://auth.d.lan:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='502532376322'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=D.LAN
        subject: CN=auth.d.lan,O=D.LAN
        expires: 2013-07-10 14:24:33 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes


Here is what I could find from some browsing with certutil:

   [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L
   Certificate Nickname                                         Trust Attributes
                                                              SSL,S/MIME,JAR/XPI

   subsystemCert cert-pki-ca                                    u,u,u
   ocspSigningCert cert-pki-ca                                  u,u,u
   caSigningCert cert-pki-ca                                    CTu,Cu,Cu
   Server-Cert cert-pki-ca                                      u,u,u
   auditSigningCert cert-pki-ca                                 u,u,Pu



   [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "subsystemCert cert-pki-ca"|grep "Not After"
             Not After : Wed Jul 10 14:24:34 2013
   [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "ocspSigningCert cert-pki-ca"|grep "Not After"
             Not After : Mon Jun 29 00:00:55 2015
   [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "caSigningCert cert-pki-ca"|grep "Not After"
             Not After : Sun Jul 21 14:24:32 2019
   [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "Server-Cert cert-pki-ca"|grep "Not After"
             Not After : Wed Jul 10 14:24:33 2013
   [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "auditSigningCert cert-pki-ca"|grep "Not After"
             Not After : Mon Jun 29 00:01:55 2015



How can I renew the affected certificates?

---
Tomas Edwardsson

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
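As an added example for the thread above (it is not code from FreeIPA or certmonger), the script below turns the `getcert list` text into a triage table: which tracked requests are stuck, which certificates are already past their "expires" date relative to a date you pass in, and which are merely close to it. It then prints the manual renewal plan the reply suggests, the date to rewind the clock to (the day before the earliest expiry among the stuck requests) and one `getcert resubmit -i <id>` per stuck request. The embedded sample is the output from the post with the NSS DB pin replaced by the placeholder REDACTED, since `getcert list` prints that pin in clear; the `warn_days` threshold of 30 days is an assumption, not something the thread states.

```python
"""Triage certmonger's `getcert list` output (added example, not project code)."""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample: the two stuck requests from the post, unwrapped, with the
# NSS DB pin redacted. Request IDs, nicknames and dates are as in the thread.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20130415234030':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://auth.d.lan:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='REDACTED'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=D.LAN
        subject: CN=CA Subsystem,O=D.LAN
        expires: 2013-07-10 14:24:34 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130415234032':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://auth.d.lan:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='REDACTED'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=D.LAN
        subject: CN=auth.d.lan,O=D.LAN
        expires: 2013-07-10 14:24:33 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
"""


def utc(year, month, day):
    """Helper for building the reference date (midnight UTC)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Split `getcert list` output into one dict of 'field: value' pairs per request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue  # summary header or blank line
        key, _, value = line.strip().partition(":")  # first colon only; values may contain URLs
        current[key.strip()] = value.strip()
    return requests


def expiry(req):
    """'expires' is printed in UTC; return an aware datetime."""
    naive = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC")
    return naive.replace(tzinfo=timezone.utc)


def nickname(req):
    """NSS nickname from the 'certificate:' storage spec."""
    m = re.search(r"nickname='([^']*)'", req.get("certificate", ""))
    return m.group(1) if m else None


def triage(requests, now, warn_days=30):
    """Classify each request against `now`: expired, expiring (within warn_days) or ok."""
    rows = []
    for req in requests:
        days_left = (expiry(req) - now).total_seconds() / 86400
        state = "expired" if days_left < 0 else ("expiring" if days_left <= warn_days else "ok")
        rows.append({"id": req["id"], "nickname": nickname(req), "status": req.get("status"),
                     "stuck": req.get("stuck") == "yes", "state": state, "days_left": days_left})
    return rows


def renewal_plan(requests, now):
    """Rewind target and resubmit commands for stuck requests whose cert is past expiry."""
    expired = [r for r in requests if r.get("stuck") == "yes" and expiry(r) < now]
    if not expired:
        return None
    rewind_to = min(expiry(r) for r in expired) - timedelta(days=1)
    return {"rewind_to": rewind_to.date().isoformat(),
            "commands": ["getcert resubmit -i %s" % r["id"] for r in expired]}


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    now = datetime.now(timezone.utc)
    reqs = parse_getcert_list(text)
    for r in triage(reqs, now):
        print("%s  %-28s stuck=%-5s %-14s %-8s (%.0f days)" % (
            r["id"], r["nickname"], r["stuck"], r["status"], r["state"], r["days_left"]))
    plan = renewal_plan(reqs, now)
    if plan:
        print("rewind clock to %s, then run:" % plan["rewind_to"])
        for cmd in plan["commands"]:
            print("  " + cmd)
```

Run it as `getcert list | python3 triage.py` on the affected host; with no input on stdin it runs against the embedded sample. The rewind date is computed from the earliest expiry so a single clock change covers every stuck request, and the "expiring" state gives the 30-day warning that would have caught these two before they lapsed.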
