On 01/07/2015 06:43 PM, John Desantis wrote:
> Hello all,
>
> Just an update on this issue for anyone else who experiences a similar issue.
>
> It looks like the automatic renewal of the certificates failed on our master due to the certmonger service being "stuck". I stopped the service, stopped IPA services, and then reset the date to a few days prior to the expiration. I then (following a mailing list post) restarted IPA and then certmonger. At this point, I checked the status of the certificates and saw that they were changing. Only the "Server-Cert" in /etc/httpd/alias was complaining this time of not being able to contact the CA. Another certmonger service restart corrected the issue.
>
> I can now re-provision nodes accordingly!

Ok, good to hear!

> The only remaining hiccup is now the replica's certmonger service keeps dying while failing to re-issue the "ipaCert" in /etc/httpd/alias. Log snippets are below:
>
> Jan 7 12:17:02 python: certmonger restarted httpd
> Jan 7 12:17:03 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" issued by CA and saved.
> Jan 7 12:17:08 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" is no longer valid.
> Jan 7 12:17:40 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" issued by CA but not saved.
>
> The IPA services are running and the machine can be accessed (queries issued, web GUI, etc.)
>
> Would anyone have an idea of why a replica would have issues renewing the "ipaCert"?

CCing Jan to advise, he is the most experienced in this area.

> Thank you,
> John DeSantis
>
>
> 2015-01-06 15:50 GMT-05:00 John Desantis <desan...@mail.usf.edu>:
>> Hello all,
>>
>> Looking at the various online documentation regarding certificate renewals:
>>
>> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Procedure_in_IPA_.3C_4.0
>> http://www.freeipa.org/page/Certmonger
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/cas.html
>>
>> I have to admit that I am completely confused on how to proceed given that the links above reference external CAs.
>>
>> The certificate was created in house (no external issuer) from what I can tell (openssl x509 -issuer and via IPA GUI).
>>
>> Thankfully(?), none of the certificates listed via 'getcert list' have a status of "CA_UNREACHABLE", although all of them state "NEED_CSR". I'll paste the contents below, sanitized of course.
>>
>> # getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20130110185936':
>>     status: NEED_CSR
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE.COM/pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.COM',nickname='Server-Cert',token='NSS Certificate DB'
>>     CA: IPA
>>     issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>     subject: CN=ipa.example.com,O=EXAMPLE.COM
>>     expires: 2015-01-11 18:59:35 UTC
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE.COM
>>     track: yes
>>     auto-renew: yes
>> Request ID '20130110190008':
>>     status: NEED_CSR
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>     CA: IPA
>>     issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>     subject: CN=ipa.example.com,O=EXAMPLE.COM
>>     expires: 2015-01-11 19:00:07 UTC
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command:
>>     track: yes
>>     auto-renew: yes
>> Request ID '20130110190034':
>>     status: NEED_CSR
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>     CA: IPA
>>     issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>     subject: CN=ipa.example.com,O=EXAMPLE.COM
>>     expires: 2015-01-11 19:00:34 UTC
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>     track: yes
>>     auto-renew: yes
>> Request ID '20130410022007':
>>     status: NEED_CSR
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='377154649534'
>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>     subject: CN=CA Audit,O=EXAMPLE.COM
>>     expires: 2014-12-31 18:58:42 UTC
>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>     track: yes
>>     auto-renew: yes
>> Request ID '20130410022008':
>>     status: NEED_CSR
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='377154649534'
>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>     subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>>     expires: 2014-12-31 18:58:41 UTC
>>     eku: id-kp-OCSPSigning
>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>     track: yes
>>     auto-renew: yes
>> Request ID '20130410022009':
>>     status: NEED_CSR
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='377154649534'
>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>     subject: CN=CA Subsystem,O=EXAMPLE.COM
>>     expires: 2014-12-31 18:58:41 UTC
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>     track: yes
>>     auto-renew: yes
>> Request ID '20130410022010':
>>     status: NEED_CSR
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>     subject: CN=IPA RA,O=EXAMPLE.COM
>>     expires: 2014-12-31 18:59:24 UTC
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>     track: yes
>>     auto-renew: yes
>> Request ID '20130410022011':
>>     status: NEED_CSR
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='377154649534'
>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>     subject: CN=ipa.example.com,O=EXAMPLE.COM
>>     expires: 2014-12-31 18:58:41 UTC
>>     eku: id-kp-serverAuth
>>     pre-save command:
>>     post-save command:
>>     track: yes
>>     auto-renew: yes
>>
>> This issue was manifest when I attempted to re-provision a client node. I'll paste the errors reported by Apache:
>>
>> [Tue Jan 06 14:14:47 2015] [error] Bad remote server certificate: -8181
>> [Tue Jan 06 14:14:47 2015] [error] SSL Library Error: -8181 Certificate has expired
>> [Tue Jan 06 14:14:47 2015] [error] Re-negotiation handshake failed: Not accepted by client!?
>>
>> FWIW, all IPA services are running for now.
>>
>> Any guidance would certainly be appreciated! If more information is required, let me know and I'll paste it in a reply.
>>
>> Thank you,
>> John DeSantis

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
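The clock-rollback recovery John describes in his Jan 7 message, written out as an added example; this is not code from the thread or from the FreeIPA project. The useful part to script is the question his procedure leaves implicit: which expiry to roll the clock back to. Two helpers parse `getcert list` output (the sample below is a constructed excerpt in the same layout as the listing quoted above, with the same dates), one picking the earliest `expires:` timestamp and the other listing the nicknames already expired at a given time. The recovery function itself assumes root on the IPA master, RHEL 6 style `service` commands, `ipactl`, GNU `date`, and that NTP is stopped while the clock is back; it only runs when the script is invoked with `--apply`. One more caveat from the listing as posted: the `pin='…'` values for the pki-ca NSS database are the token PIN and should be redacted along with the hostnames before pasting to a public list.

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeIPA project.
# Helpers parse `getcert list` output; recover_with_clock_rollback performs the
# steps described in the thread (stop certmonger, stop IPA, set the clock back
# to a few days before the earliest expiry, start IPA, start certmonger).
# Only the parsing demo runs unless the script is invoked with --apply.

# Constructed excerpt in the same layout as the listing in the thread.
sample_getcert() {
cat <<'EOF'
Number of certificates and requests being tracked: 4.
Request ID '20130110185936':
    status: NEED_CSR
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.COM',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2015-01-11 18:59:35 UTC
Request ID '20130410022007':
    status: NEED_CSR
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2014-12-31 18:58:42 UTC
Request ID '20130410022010':
    status: NEED_CSR
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    expires: 2014-12-31 18:59:24 UTC
Request ID '20130410022011':
    status: NEED_CSR
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    expires: 2014-12-31 18:58:41 UTC
EOF
}

# Earliest "expires:" timestamp in getcert output read from stdin.
# getcert prints "YYYY-MM-DD HH:MM:SS UTC", which sorts correctly as text.
earliest_expiry() {
    sed -n 's/^[[:space:]]*expires:[[:space:]]*//p' | sort | head -n 1
}

# Nicknames of tracked certificates already expired at the given timestamp
# (same format), one per line, in listing order. Nicknames may contain
# spaces ("Server-Cert cert-pki-ca"), so take everything between the quotes.
expired_as_of() {
    awk -v now="$1" -v q="'" '
        /nickname=/ {
            if (match($0, "nickname=" q "[^" q "]*" q))
                nick = substr($0, RSTART + 10, RLENGTH - 11)
        }
        /^[ \t]*expires:/ {
            sub(/^[ \t]*expires:[ \t]*/, "")
            if ($0 <= now) print nick
        }'
}

# The recovery described in the thread. Assumes root on the IPA master,
# RHEL 6 style "service" commands, GNU date, and that NTP is not running
# during the rollback (it would immediately undo the date change).
recover_with_clock_rollback() {
    earliest=$(getcert list | earliest_expiry)
    [ -n "$earliest" ] || { echo "no tracked certificates found" >&2; return 1; }
    rollback=$(date -u -d "$earliest -3 days" '+%Y-%m-%d %H:%M:%S')
    echo "earliest expiry $earliest; setting clock to $rollback"
    service certmonger stop
    ipactl stop
    date -u -s "$rollback"
    ipactl start
    service certmonger start
    # Watch the renewals; once every entry is back to MONITORING, restore
    # the real time and start ntpd again.
    getcert list
}

if [ "${1:-}" = "--apply" ]; then
    recover_with_clock_rollback
else
    echo "earliest expiry in sample: $(sample_getcert | earliest_expiry)"
    echo "expired as of 2015-01-06 14:14:47 UTC (time of the Apache -8181 errors):"
    sample_getcert | expired_as_of '2015-01-06 14:14:47 UTC'
fi
```

Run without arguments it only parses the embedded sample; with `--apply` it runs the real procedure against the local `getcert list`. The three-day margin is the "few days prior" from the message, not a FreeIPA requirement, and the comparison is plain string ordering, which is enough because getcert always prints the same fixed-width UTC format.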