On 05/11/2015 05:14 PM, Thibaut Pouzet wrote: > Hi ! > > I am running into a weird problem with my IPA Server, and the > certificates management. My setup is : > CentOS 6.6 > pki-ca-9.0.3-38.el6_6.noarch > ipa-server-3.0.0-42.el6.centos.x86_64 > Linux ipa_server 2.6.32-504.16.2.el6.x86_64 #1 SMP Wed Apr 22 06:48:29 > UTC 2015 x86_64 x86_64 x86_64 GNU/Linux > > The server has been installed two years ago, and all the certificates on > the master server expired this month. (2 year validity). Apparently, > they were not properly tracked by certmonger, so they were not renewed. > > By doing some getcert stop-tracking, then getcert start-tracking xxxx, I > was able to track 8 of the 9 certificates that I can display with > getcert list on this server. > > There is one that remains expired, despite all the efforts I put into > renewing it. This is the one used for the pki-ca administration pages > reachable on ports 9443, 9444 and 9445. Here is its status after trying > to resubmit it : > getcert resubmit -i 20150511145941 -K HTTP/ipa_server > getcert list -i 20150511145941 > > Number of certificates and requests being tracked: 9. > Request ID '20150511145941': > status: CA_UNREACHABLE > ca-error: Server at https://ipa_server/ipa/xml failed request, > will retry: 4301 (RPC failed at server. Certificate operation cannot be > completed: FAILURE (Invalid Request)). > stuck: no > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB',pin='1234' > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=ipa_domain > subject: CN=ipa_server,O=ipa_domain > expires: 2015-04-09 04:58:33 UTC > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > > > I tried to stop tracking it, and then tracking it again, with no luck : > getcert start-tracking -d "/var/lib/pki-ca/alias" -n "subsystemCert > cert-pki-ca" -t "NSS Certificate DB" -P 1234 -r -c IPA > > I changed the trust settings as well, still not working : > sh-4.1# certutil -M -n "Server-Cert cert-pki-ca" -d > /var/lib/pki-ca/alias -t u,u,Pu > > sh-4.1# certutil -L -d /var/lib/pki-ca/alias > Certificate Nickname Trust > Attributes > SSL,S/MIME,JAR/XPI > ocspSigningCert cert-pki-ca u,u,u > subsystemCert cert-pki-ca u,u,u > auditSigningCert cert-pki-ca u,u,Pu > caSigningCert cert-pki-ca CTu,Cu,Cu > Server-Cert cert-pki-ca u,u,Pu > > However, I find this error in different places : > ca-error: Server at "http://ipa_server:9180/ca/ee/ca/profileSubmit"; > replied: Invalid Request > > sh-4.1# ipa user-show admin > ipa: ERROR: Missing or invalid HTTP Referer, https://ipa_server/ipa/xml > > Sometimes, I also get it with "ipa cert-show 1", sometimes I don't. > > Sometimes its status changes even though I don't think I've done anything : > ca-error: Server at https://ipa_server/ipa/xml failed request, will > retry: 911 (RPC failed at server. Missing or invalid HTTP Referer, > https://ipa_server/ipa/xml). > > And I can find inside /var/log/pki-ca/debug these lines : > [11/May/2015:20:38:49][http-9180-1]: EnrollProfile: parsePKCS10: > signature verification enabled > [11/May/2015:20:38:49][http-9180-1]: EnrollProfile: parsePKCS10 > org.mozilla.jss.NoSuchTokenException > [11/May/2015:20:38:49][http-9180-1]: EnrollProfile: parsePKCS10 > restoring thread token > Invalid Request > at > com.netscape.cms.profile.common.EnrollProfile.parsePKCS10(EnrollProfile.java:953) > at > com.netscape.cms.profile.common.EnrollProfile.createRequests(EnrollProfile.java:102) > at > com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:1001) > at > com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:501) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) > at > com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176) > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) > at > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) > at > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) > at > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) > at > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) > at > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) > at > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) > at > org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857) > at > org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588) > at > org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) > at java.lang.Thread.run(Thread.java:701) > > > There is the BLOB inside the logs, containing the CSR, and I can read it > with openssl so it is correctly formatted : > > Certificate Request: > Data: > Version: 0 (0x0) > Subject: O=ipa_domain, CN=ipa_server > Subject Public Key Info: > Public Key Algorithm: rsaEncryption > Public-Key: (2048 bit) > Modulus: > 00:b8:d6:d3:51:c0:4c:ce:2a:c1:1b:b7:60:a3:6a: > 04:ec:6d:75:94:c4:b9:b5:4a:40:3a:be:d5:12:d8: > 77:af:a2:8e:a4:5a:47:cf:3b:4d:7a:8a:13:2b:1a: > 93:c0:f3:a5:ae:25:44:86:56:72:d9:73:9e:e3:22: > 0e:7c:66:64:87:f7:b1:06:2f:c5:ca:7d:b6:3f:9e: > 67:9e:b3:5b:72:56:bd:12:e6:65:65:8b:b3:5a:5d: > 53:94:a2:d7:be:53:97:59:9d:c4:2e:1a:79:b5:c2: > d1:ac:85:90:04:0b:1b:c6:27:fb:82:46:88:c1:31: > 38:83:1d:a8:83:bc:a3:a9:fa:3e:de:91:e0:84:d6: > 00:cb:e1:80:38:61:55:4c:60:6b:d7:55:7c:5d:88: > f6:c2:bf:42:57:3b:82:30:2b:29:b9:84:93:90:60: > c6:1a:f4:3a:45:fa:04:69:60:c0:86:33:02:4d:69: > 04:07:e0:37:36:b2:2f:ae:6d:28:5a:86:90:65:30: > b3:9b:5f:e4:8d:f2:d1:dd:1b:6a:02:23:fb:07:7e: > 0d:e0:f0:64:1a:34:8c:2d:f5:db:63:22:82:6f:e4: > 53:72:c1:dc:9a:e9:37:4c:f0:3b:39:d4:31:d6:b9: > 62:c4:93:2d:30:47:f4:4a:2f:76:fc:08:f4:82:28: > 1b:fb > Exponent: 65537 (0x10001) > Attributes: > friendlyName :unable to print attribute > Requested Extensions: > X509v3 Key Usage: > Digital Signature, Non Repudiation, Key Encipherment, > Data Encipherment > X509v3 Subject Alternative Name: > othername:<unsupported>, othername:<unsupported> > X509v3 Extended Key Usage: > TLS Web Server Authentication > X509v3 Basic Constraints: critical > CA:FALSE > X509v3 Subject Key Identifier: > 2E:41:D7:91:F0:F4:AA:F6:3D:C0:0C:6B:89:DB:23:6C:90:DA:0E:C7 > Signature Algorithm: sha256WithRSAEncryption > 53:36:9a:b6:e8:90:a1:3f:99:cf:85:64:9d:1c:ff:40:ad:f4: > 31:53:03:81:0c:37:5e:3d:d2:a2:c1:fb:1c:6c:68:f9:c8:cd: > b9:45:38:be:b1:17:ac:63:7b:a7:46:ca:64:1a:d3:4a:c2:63: > ca:64:ca:39:01:e4:5f:3b:6c:86:de:23:0e:12:04:be:2b:f7: > 22:1c:ac:0f:91:56:87:b2:95:20:a6:2d:10:f9:98:e5:51:46: > c8:b0:71:20:85:98:a3:35:c4:ef:fd:55:20:5e:a9:01:ed:3b: > 99:5f:43:8a:85:b1:c7:3d:94:1d:d6:4b:87:3b:1a:72:c4:7b: > 35:5c:65:11:e2:7f:ba:72:d8:63:ab:f6:a1:6f:b0:73:0b:c5: > c7:ca:2a:da:eb:b3:d0:64:75:7d:c3:9a:f5:b3:e7:d1:7b:e2: > b0:ab:68:87:a2:fd:71:19:92:49:b5:e0:72:32:d8:cd:b7:f3: > c9:a2:92:0d:20:65:c7:4a:5a:e7:d4:2a:e5:50:f1:63:44:97: > 2c:c5:27:c4:2e:38:be:4f:02:33:91:f5:7d:2d:ab:75:7b:09: > f7:86:0d:ac:3b:b7:c9:5e:00:96:49:e4:b1:f5:19:d2:1b:e6: > 68:d6:e9:51:5b:9b:ec:d4:b3:e6:fd:e3:ee:7f:84:c3:e6:9b: > cb:11:d8:48 > > And here I am, with this expired certificate still being served on my > server... > > If anyone has any clue on what's going on, I would be really grateful ! > > Cheers, >
Thanks for the report. This is out of my expertise unfortunately, I am CCing developers from Dogtag, hoping they can help. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
