On 12/05/2013 01:35 AM, Martin Kosek wrote:
> On 12/04/2013 06:58 PM, Erinn Looney-Triggs wrote:
>> On 12/04/2013 07:15 AM, Rob Crittenden wrote:
>>> Erinn Looney-Triggs wrote:
>>>> On 11/27/2013 11:11 AM, Rob Crittenden wrote:
>>>>> Erinn Looney-Triggs wrote:
>>>>>> On 11/25/2013 11:09 AM, Rob Crittenden wrote:
>>>>>>> Erinn Looney-Triggs wrote:
>>>>>>>> Folks, just wanted to touch base again before the American holiday season starts. My CA, which is subordinate to AD CS, will be expiring on December 9th. I submitted a bug, y'all drew up docs etc. for a plan (thanks). Now I just wanted to see how it was going and, if need be, what manual steps I will need to take to renew the certificate.
>>>>>>>>
>>>>>>>> Thanks again for the great work,
>>>>>>>
>>>>>>> We're working on a set of tools to make this easier. For now I've appended some manual instructions onto a page still in progress.
>>>>>>>
>>>>>>> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Manual_Procedure_in_IPA_3.0
>>>>>>>
>>>>>>> Some parts may still be a little rough or hard to understand. Let me know if you have any problems or corrections.
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> Rob,
>>>>>>
>>>>>> Thanks for the instructions, a few questions.
>>>>>>
>>>>>> What sort of interruption in service could this create?
>>>>>
>>>>> Services will be restarted during this process, including your LDAP, Apache and CA instances. Downtime should be relatively short, no more than a few minutes combined.
>>>>>
>>>>>> Can you expand on this section a little bit: "Replace the value of ca.signing.cert in /etc/pki-ca/CS.cfg. This is the base64 value of the certificate. You can obtain this by removing the BEGIN/END blocks from ipa.crt and compressing it into a single line."
>>>>>
>>>>> A PEM cert looks like:
>>>>>
>>>>> -----BEGIN CERTIFICATE-----
>>>>> MIIB/zCCAWigAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBB
>>>>> IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDIyMzIyMzMxNVoXDTIw
>>>>> MDIyMzIyMzMxNVowKTEnMCUGA1UEAxMeSVBBIFRlc3QgQ2VydGlmaWNhdGUgQXV0
>>>>> aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+G6ultyLaXqzBlypA
>>>>> DnOsinkMTlZZssTFQh/QUMi1F1fcn8QUlmsl9a+l6w6hfZm7P8z3sVwsjLQcDWA4
>>>>> KxOh+LmIsNL4OKx4wKF1q/pSt1PATRU5Pgu2+3wlwJO0H7cl4QfavoOLwmxAZf/l
>>>>> ZNIy/5czvSWFWj7EJj16ty9BeQIDAQABozYwNDARBglghkgBhvhCAQEEBAMCAAcw
>>>>> DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAsQwDQYJKoZIhvcNAQEFBQAD
>>>>> gYEAl0gIshwNkhyfNe1XMLswPeOgH5YN1BUuKXzbv1fuSIkArjwLODr4cOdXzQvt
>>>>> yaiX6Z+pRC/sK8MgLhPxV2X9QVQdzKfLkVGIdboCt1j3EXxSUCZeIuSKouitkWYe
>>>>> eSH9DQkYDp/oKgANLWnY7CNorPz6xQktp1pB0DGohV1BeTA=
>>>>> -----END CERTIFICATE-----
>>>>>
>>>>> You need to drop the BEGIN/END blocks, then combine all the lines into a single line, so you have a unified base64 blob. It will look like:
>>>>>
>>>>> ca.signing.cert=MII...B0DGohV1BeTA=
>>>>>
>>>>> I was afraid wrapping would destroy my demonstration so I used ellipses instead.
>>>>>
>>>>>> Thanks and happy Thanksgiving,
>>>>>
>>>>> You're welcome. You too.
>>>>>
>>>>> rob
>>>>
>>>> Ok, I have done the steps as outlined. One small suggestion and one question came up.
>>>>
>>>> Suggestion: for the ldapmodify command, indicate that a ctrl-d is necessary to end input. Most folks will know this, but some may not.
>>>>
>>>> For the client section you have me copy the newly signed subordinate CA certificate into /etc/ipa/ca.crt. However, on my hosts that was actually a copy of the AD CS certificate, not the subordinate certificate. In the case of a subordinate installation, do you want the root or the subordinate CA? It would seem that the root would be broader, but I just want to make sure.
>>>
>>> The IPA CA cert should be sufficient.
>>>
>>> rob
>>
>> Thanks, and just for an update: the switch over was made, certmonger is happily updating certs now on all hosts and everything just appears to be working thus far, minus the replication of the agent certificate, which I am still looking into.
>>
>> Thanks for the help,
>>
>> -Erinn
>
> Great, I am glad to hear that. Note that we were investigating renewing certificates and clones and found an issue in Python readline that prevented a renewal of the IPA agent certificate:
>
> https://fedorahosted.org/freeipa/ticket/4064
>
> Could this be the reason for your issues? Did you see a crash of certmonger during the renewal? It was found to be happening due to the aforementioned bug.
>
> Thanks,
> Martin

That seems very likely; however, abrt didn't catch anything, and there doesn't appear to be any tmp file wreckage left anywhere. I can't find anything in the logs indicating failure; all signs point to success for the renewal:

Dec 3 20:47:25 ipa2 certmonger: Certificate named "Server-Cert" in token "NSS Certificate DB" in database "/etc/dirsrv/slapd-ABAQIS-COM" will not be valid after 20131210032326.
Dec 3 20:47:25 ipa2 certmonger: Certificate named "Server-Cert" in token "NSS Certificate DB" in database "/etc/dirsrv/slapd-PKI-IPA" will not be valid after 20131210032326.
Dec 3 20:47:25 ipa2 certmonger: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" will not be valid after 20131210032326.
Dec 3 20:47:25 ipa2 certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" will not be valid after 20131210032326.
Dec 3 20:47:25 ipa2 certmonger: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" will not be valid after 20131210032326.
Dec 3 20:47:25 ipa2 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" will not be valid after 20131210032326.
Dec 3 20:47:26 ipa2 certmonger: Certificate named "Server-Cert" in token "NSS Certificate DB" in database "/etc/dirsrv/slapd-PKI-IPA" issued by CA and saved.
Dec 3 20:47:26 ipa2 certmonger: Certificate named "Server-Cert" in token "NSS Certificate DB" in database "/etc/dirsrv/slapd-ABAQIS-COM" issued by CA and saved.
Dec 3 20:47:26 ipa2 python: Updating certificate for auditSigningCert cert-pki-ca
Dec 3 20:47:26 ipa2 python: Updating certificate for ocspSigningCert cert-pki-ca
Dec 3 20:47:27 ipa2 python: Updating certificate for subsystemCert cert-pki-ca
Dec 3 20:47:27 ipa2 python: Updating certificate for ipaCert
Dec 3 20:47:28 ipa2 python: certmonger stopping pki-cad
Dec 3 20:48:04 ipa2 python: certmonger started pki-cad, nickname 'auditSigningCert cert-pki-ca'
Dec 3 20:48:04 ipa2 certmonger: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" issued by CA and saved.
Dec 3 20:48:08 ipa2 python: certmonger stopping pki-cad
Dec 3 20:48:44 ipa2 python: certmonger started pki-cad, nickname 'ocspSigningCert cert-pki-ca'
Dec 3 20:48:44 ipa2 certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" issued by CA and saved.
Dec 3 20:48:48 ipa2 python: certmonger stopping pki-cad
Dec 3 20:49:24 ipa2 python: certmonger started pki-cad, nickname 'subsystemCert cert-pki-ca'
Dec 3 20:49:24 ipa2 certmonger: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" issued by CA and saved.
Dec 3 20:49:27 ipa2 python: certmonger restarted httpd
Dec 3 20:49:29 ipa2 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" issued by CA and saved.

Sorry for the word wrap there. Certmonger continued to run throughout, it appears. The dates line up correctly: certmonger on the primary renewed on the 3rd and the secondary failed to get the new certificate, which led straight back to the same place.
-Erinn

_______________________________________________
Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users
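The step Rob describes above (strip the BEGIN/END lines from the PEM, join the body into one base64 line, and paste it as the value of ca.signing.cert in /etc/pki-ca/CS.cfg) is easy to get subtly wrong by hand: a dropped line, a still-wrapped value or a stray quote marker copied from a mail all produce a string that looks right but is not a certificate. The script below is an added example written for this thread; it is not FreeIPA or Dogtag code. It uses the "IPA Test Certificate Authority" PEM quoted in the thread as its sample input, checks that the joined value decodes to exactly one complete DER SEQUENCE before anything is written, and then rewrites only the ca.signing.cert= line. `update_cs_cfg()` is a hypothetical helper that knows nothing else about CS.cfg; the chain-file behaviour (first CERTIFICATE block wins) is this example's own choice and assumes Python 3.

```python
"""Build the single-line ca.signing.cert value for /etc/pki-ca/CS.cfg from a
PEM certificate and sanity-check it before it is written.

Added example for this thread; it is not FreeIPA or Dogtag code (Python 3).
SAMPLE_PEM is the "IPA Test Certificate Authority" certificate quoted in
the thread. update_cs_cfg() is a hypothetical helper that rewrites only
the one key=value line; it knows nothing else about CS.cfg.
"""
import base64
import re

SAMPLE_PEM = """\
-----BEGIN CERTIFICATE-----
MIIB/zCCAWigAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBB
IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDIyMzIyMzMxNVoXDTIw
MDIyMzIyMzMxNVowKTEnMCUGA1UEAxMeSVBBIFRlc3QgQ2VydGlmaWNhdGUgQXV0
aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+G6ultyLaXqzBlypA
DnOsinkMTlZZssTFQh/QUMi1F1fcn8QUlmsl9a+l6w6hfZm7P8z3sVwsjLQcDWA4
KxOh+LmIsNL4OKx4wKF1q/pSt1PATRU5Pgu2+3wlwJO0H7cl4QfavoOLwmxAZf/l
ZNIy/5czvSWFWj7EJj16ty9BeQIDAQABozYwNDARBglghkgBhvhCAQEEBAMCAAcw
DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAsQwDQYJKoZIhvcNAQEFBQAD
gYEAl0gIshwNkhyfNe1XMLswPeOgH5YN1BUuKXzbv1fuSIkArjwLODr4cOdXzQvt
yaiX6Z+pRC/sK8MgLhPxV2X9QVQdzKfLkVGIdboCt1j3EXxSUCZeIuSKouitkWYe
eSH9DQkYDp/oKgANLWnY7CNorPz6xQktp1pB0DGohV1BeTA=
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_single_line(pem_text):
    """Drop the BEGIN/END armour and join the body into one base64 line.

    Only the first CERTIFICATE block is used, so a chain file (for example
    the AD CS root followed by the IPA sub-CA) yields exactly the first
    certificate rather than two concatenated ones.
    """
    m = PEM_BLOCK.search(pem_text)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return "".join(m.group(1).split())


def decode_to_der(b64):
    """Strictly decode the single-line value; raises ValueError on junk."""
    return base64.b64decode(b64, validate=True)


def der_outer_length(der):
    """Total bytes the leading DER SEQUENCE header says the element spans."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                        # short-form length
        return 2 + first
    n = first & 0x7F                        # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_single_line(b64):
    """True iff b64 is whitespace-free and decodes to one complete DER SEQUENCE.

    Catches the usual copy/paste failures: a value still wrapped across
    lines, a dropped line, or a stray quote marker pasted in from a mail.
    """
    if not b64 or re.search(r"\s", b64):
        return False
    try:
        der = decode_to_der(b64)
        return der_outer_length(der) == len(der)
    except ValueError:                      # binascii.Error is a ValueError
        return False


def update_cs_cfg(cfg_text, b64):
    """Return cfg_text with its ca.signing.cert= line replaced (hypothetical helper)."""
    if not check_single_line(b64):
        raise ValueError("refusing to write a malformed certificate value")
    key = re.compile(r"^ca\.signing\.cert=.*$", re.M)
    if key.search(cfg_text) is None:
        raise ValueError("ca.signing.cert not present in config")
    return key.sub(lambda _: "ca.signing.cert=" + b64, cfg_text, count=1)


if __name__ == "__main__":
    value = pem_to_single_line(SAMPLE_PEM)
    print("ca.signing.cert=%s...%s" % (value[:3], value[-13:]))
    der = decode_to_der(value)
    print("DER length %d, header says %d" % (len(der), der_outer_length(der)))
```

The DER check is deliberately shallow: it only confirms that the outer SEQUENCE header accounts for every decoded byte, which is enough to reject a truncated or wrapped paste without pulling in an X.509 parser. Run it against the real ipa.crt instead of SAMPLE_PEM, and feed the result to update_cs_cfg() on a copy of CS.cfg before swapping the file into place with the CA stopped, as the procedure in the thread requires.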
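Erinn's closing point is that the primary renewed on the 3rd while the secondary never picked up the new certificate, and that nothing in the log says so outright. Certmonger logs a "will not be valid after" warning per tracked certificate and a separate "issued by CA and saved" line once the renewal lands, so the absence of the second line for a nickname is the signal to look for. The script below is an added example written for this thread, not certmonger or FreeIPA code: it parses those two message shapes, keeps state per (host, NSS database, nickname) in log order, and lists every certificate that was warned about but never saved. SAMPLE_LOG holds the certmonger lines posted in the thread, plus one constructed line for a hypothetical replica "ipa1" (not a host from the thread) whose ipaCert never reaches "issued by CA and saved".

```python
"""Scan a certmonger syslog extract for tracked certificates that got an
expiry warning but were never reported as renewed.

Added example for this thread; it is not certmonger or FreeIPA code. The
ipa2 lines in SAMPLE_LOG are the ones posted in the thread; the single
ipa1 line is constructed for the demo and stands in for a replica whose
renewal never completed.
"""
import re

# Two certmonger message shapes matter here; everything else (the "python:"
# helper lines about stopping/starting pki-cad) is ignored on purpose.
EVENT_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) certmonger: '
    r'Certificate named "(?P<nick>[^"]+)" in token "(?P<token>[^"]+)" '
    r'in database "(?P<db>[^"]+)" '
    r'(?:will not be valid after (?P<expiry>\d{14})'
    r'|(?P<saved>issued by CA and saved))\.?$')

SAMPLE_LOG = """\
Dec 3 20:47:25 ipa2 certmonger: Certificate named "Server-Cert" in token "NSS Certificate DB" in database "/etc/dirsrv/slapd-ABAQIS-COM" will not be valid after 20131210032326.
Dec 3 20:47:25 ipa2 certmonger: Certificate named "Server-Cert" in token "NSS Certificate DB" in database "/etc/dirsrv/slapd-PKI-IPA" will not be valid after 20131210032326.
Dec 3 20:47:25 ipa2 certmonger: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" will not be valid after 20131210032326.
Dec 3 20:47:25 ipa2 certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" will not be valid after 20131210032326.
Dec 3 20:47:25 ipa2 certmonger: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" will not be valid after 20131210032326.
Dec 3 20:47:25 ipa2 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" will not be valid after 20131210032326.
Dec 3 20:47:25 ipa1 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" will not be valid after 20131210032326.
Dec 3 20:47:26 ipa2 certmonger: Certificate named "Server-Cert" in token "NSS Certificate DB" in database "/etc/dirsrv/slapd-PKI-IPA" issued by CA and saved.
Dec 3 20:47:26 ipa2 certmonger: Certificate named "Server-Cert" in token "NSS Certificate DB" in database "/etc/dirsrv/slapd-ABAQIS-COM" issued by CA and saved.
Dec 3 20:47:26 ipa2 python: Updating certificate for auditSigningCert cert-pki-ca
Dec 3 20:47:28 ipa2 python: certmonger stopping pki-cad
Dec 3 20:48:04 ipa2 certmonger: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" issued by CA and saved.
Dec 3 20:48:44 ipa2 certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" issued by CA and saved.
Dec 3 20:49:24 ipa2 certmonger: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" issued by CA and saved.
Dec 3 20:49:27 ipa2 python: certmonger restarted httpd
Dec 3 20:49:29 ipa2 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" issued by CA and saved.
"""


def parse_events(lines):
    """Yield one dict per certmonger certificate event; other lines are skipped."""
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            yield m.groupdict()


def renewal_status(lines):
    """Map (host, database, nickname) -> {"expiry": str, "renewed": bool}.

    Events are applied in log order: an expiry warning that comes after a
    save clears "renewed", so a certificate that was renewed once and is
    expiring again shows up as pending instead of hiding behind the old
    success.
    """
    status = {}
    for ev in parse_events(lines):
        key = (ev["host"], ev["db"], ev["nick"])
        entry = status.setdefault(key, {"expiry": None, "renewed": False})
        if ev["expiry"]:
            entry["expiry"] = ev["expiry"]
            entry["renewed"] = False
        elif ev["saved"]:
            entry["renewed"] = True
    return status


def unrenewed(lines):
    """Sorted keys that got an expiry warning but no later 'issued by CA and saved'."""
    return sorted(k for k, v in renewal_status(lines).items()
                  if v["expiry"] and not v["renewed"])


if __name__ == "__main__":
    for host, db, nick in unrenewed(SAMPLE_LOG.splitlines()):
        print("NOT RENEWED: %s %s %r" % (host, db, nick))
```

Feed it the concatenated /var/log/messages extract from every master and replica (the host field keeps them apart) and the output is the list of certificates to chase; in the situation described in the thread it would name the secondary's agent certificate directly, rather than leaving that to be inferred from dates.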
