-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 07/28/2014 12:20 PM, Ade Lee wrote: > On Mon, 2014-07-28 at 12:14 -0700, Erinn Looney-Triggs wrote: >> On 07/28/2014 11:07 AM, Ade Lee wrote: >>>> >>>> No exceptions thrown in the journal. >>>> >>>> When investigating the cacert.p12 file that is bundled up >>>> for the replica's I see two caSigningCert's. One is the older >>>> one, before I renewed and one is the new, valid, post renewal >>>> one. Are these the certs that are used or are they requested >>>> from the primary much like the servercert? >>> >>> I think the problem might be that there are two >>> caSigningCerts, with presumably the same nickname. We need to >>> try and generate a p12 file without the old pre-renewal signing >>> cert. >>> >>> Does the master certdb contain both certs with the same >>> nickname? If so, you could try to remove the old signing cert >>> from the master certdb and then regenerate the pkcs12 using >>> PKCS12Export. >>> >>> Here is one way you could try to do this: 1. Export the >>> caSigning cert from the certdb using pk12util. Check that only >>> the latest cert/key has been exported. Make sure to note down >>> the exact cert nickname. If so, then continue .. 2. Shut down >>> the CA. 3. IMPORTANT: Back up the certdb. 4. Delete the >>> caSigning cert from the certdb using certutil. You may have to >>> do this twice to remove both certs. 5. Re-import the saved >>> caSigningCert using pk12util. 6. Restart the CA. >>> >>>> >>>> However, when examining the /etc/pki/pki-tomcat/alias db >>>> there is no casigningcert, hence I suppose the failure. So >>>> somewhere in there it is getting lost, I'll keep looking but >>>> throw me any ideas. >>>> >>> By this, you are implying looking at the clone certdb, right? >>> The cert should certainly still exist on the master. The cert >>> not being in the clone certdb is because it fails to be >>> imported from the PKCS12 file. >>> >>> >>>> -Erinn >>>> >>>> >>>> >> >> Ok to make sure we are on the same page and I am not chasing my >> own tail here, I am going to recap this as I understand the issue >> now. >> >> Essentially, we get a cacert.p12 file on the master IPA server >> that was generated using: PKCS12Export -d $ALIAS_PATH -p >> /root/keydb_pin -w /root/dm_password -o /root/cacert.p12 >> >> This cacert.p12 file contains multiple copies of certificates, >> both expired and valid, for, well, multiple aliases in fact not >> just the caSigningCert. >> >> Nevertheless, because of these multiple copies of the >> caSigningCert we are venturing a guess that this is munging up >> the ca clone on the replica (a fair guess I would say). So there >> is probably a bug in here somewhere, either on the exporting end, >> or on the importing end. >> >> So, I/we are trying to use the userspace tools to basically clean >> up the NSS db to only have the valid copy of this certificate. >> >> However, it appears to me that most of these tools are not >> granular enough in their selection, the export everyhing with an >> alias of 'caSigningCert cert-pki-ca' or delete all instance of >> 'caSigningCert cert-pki-ca'. Kind of a sledgehammer for a penny >> nail type thing. Does this sound about right? >> >> If so, it looks like a more granular approach is warranted. I'll >> be looking into python-nss as python is what I know best to see >> if I can hack up something to whip the DB into proper shape. >> >> Anything I am missing here? Sound like a reasonable approach? >> > That sounds exactly right. > > You could try deleting the cert using certutil -D (make sure to > back up the certdb first) and see if it will delete one or both > certificates. Or you could try renaming the cert nick using > certutil and see if it renames just one. > > Ade >> -Erinn >> >> > >
certutil doesn't appear to have a rename option, there looks to be a RFE open for it that was last updated about 5 years ago: https://bugzilla.mozilla.org/show_bug.cgi?id=448738 But if it is available in certutil it isn't documented. Though it is a good thought, I reckoned as long as it renamed one of the certs then I could get what I wanted to get done. - -Erinn -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJT1sADAAoJEFg7BmJL2iPODRkH/3FzRbUn1QRMY531sr+trFmo Aokjqka02i2wd+/QD3qfAFqA4J6ZPywRcx3edt6EqHSRGu1J2acnuzfr0zs3c1x+ Fgha7GLPCHTYa1Ct43HEzpPKiajXV+lMzCB34mZqIik+Npgs77qb6JecPRHsBdGT lPi/gvRb0uoWsCQwn5oizksLjqN5kB2pdpZ7CKDuuX3RRPkgYjNY9gKkSbIfLOTW RMCYnyCefR3qdABRacijVX27LhsGmDBkYBEABNf80kHcGtCVrrxIfpUKTzOoC1Bi 3Zq8lfAu0SiKcC+H/nCQHUjbJvw1nJn3ig5Zi+snzccUTiv4PyAtbcmYN35o8aQ= =L7sm -----END PGP SIGNATURE----- -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project