Another key difference I noticed is that the problematic certs have
CA:IPA in them, while the working certs have CA:
dogtag-ipa-retrieve-agent-submit.



 getcert list
Number of certificates and requests being tracked: 8.
Request ID '20130524104636':
        status: CA_UNREACHABLE
        ca-error: Server at https://dc.mydom.com/ipa/xml failed
request, will retry: 907 (RPC failed at server.  cannot connect to
'https://dc.mydom.com:443/ca/agent/ca/displayBySerial': [Errno -12269]
(SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as
expired.).
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=MYDOM.COM
        subject: CN=dc.mydom.com,O=MYDOM.COM
        expires: 2015-05-25 10:12:33 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130524104731':
        status: CA_WORKING
        stuck: no
        key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='386562502473'
        certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        issuer: CN=Certificate Authority,O=MYDOM.COM
        subject: CN=CA Audit,O=MYDOM.COM
        expires: 2015-04-29 23:48:46 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130524104732':
        status: CA_WORKING
        stuck: no
        key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='386562502473'
        certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        issuer: CN=Certificate Authority,O=MYDOM.COM
        subject: CN=OCSP Subsystem,O=MYDOM.COM
        expires: 2015-04-29 23:48:45 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        eku: id-kp-OCSPSigning
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130524104733':
        status: CA_WORKING
        stuck: no
        key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='386562502473'
        certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        issuer: CN=Certificate Authority,O=MYDOM.COM
        subject: CN=CA Subsystem,O=MYDOM.COM
        expires: 2015-04-29 23:48:46 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130524104734':
        status: MONITORING
        stuck: no
        key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='386562502473'
        certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=MYDOM.COM
        subject: CN=dc.mydom.com,O=MYDOM.COM
        expires: 2017-04-06 09:41:48 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130524104828':
        status: CA_UNREACHABLE
        ca-error: Server at https://dc.mydom.com/ipa/xml failed
request, will retry: 907 (RPC failed at server.  cannot connect to
'https://dc.mydom.com:443/ca/agent/ca/displayBySerial': [Errno -8053]
(SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-MYDOM-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-MYDOM-COM/pwdfile.txt'
        certificate:
type=NSSDB,location='/etc/dirsrv/slapd-MYDOM-COM',nickname='Server-Cert',token='NSS
Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=MYDOM.COM
        subject: CN=dc.mydom.com,O=MYDOM.COM
        expires: 2015-05-25 10:12:32 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130524104917':
        status: CA_UNREACHABLE
        ca-error: Server at https://dc.mydom.com/ipa/xml failed
request, will retry: 907 (RPC failed at server.  cannot connect to
'https://dc.mydom.com:443/ca/agent/ca/displayBySerial': [Errno -12269]
(SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as
expired.).
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=MYDOM.COM
        subject: CN=dc.mydom.com,O=MYDOM.COM
        expires: 2015-05-25 10:12:33 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130524105011':
        status: CA_WORKING
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        issuer: CN=Certificate Authority,O=MYDOM.COM
        subject: CN=IPA RA,O=MYDOM.COM
        expires: 2015-04-29 23:49:29 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

On Tue, May 19, 2015 at 10:52 PM, Sina Owolabi <notify.s...@gmail.com> wrote:
> Hi Rob
>
>
> Thanks!
> I noticed that the problematic records have their expiration in the
> future! And I also do not have pki-tomcatd, it's pki-cad.
>
> From getcert list, the troublesome IDs are:
>
> Request ID '20130524104828':
>         status: CA_UNREACHABLE
>         ca-error: Server at https://dc.mydom.com/ipa/xml failed
> request, will retry: 907 (RPC failed at server.  cannot connect to
> 'https://dc.mydom.com:443/ca/agent/ca/displayBySerial': [Errno -8053]
> (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-MYDOM-COM',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-MYDOM-COM/pwdfile.txt'
>         certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-MYDOM-COM',nickname='Server-Cert',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=MYDOM.COM
>         subject: CN=dc.mydom.com,O=MYDOM.COM
>         expires: 2015-05-25 10:12:32 UTC
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20130524104917':
>         status: CA_UNREACHABLE
>         ca-error: Server at https://dc.mydom.com/ipa/xml failed
> request, will retry: 907 (RPC failed at server.  cannot connect to
> 'https://dc.mydom.com:443/ca/agent/ca/displayBySerial': [Errno -12269]
> (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as
> expired.).
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=MYDOM.COM
>         subject: CN=dc.mydom.com,O=MYDOM.COM
>         expires: 2015-05-25 10:12:33 UTC
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
>
> On Tue, May 19, 2015 at 4:25 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>> Sina Owolabi wrote:
>>>
>>> Hi Rob
>>>
>>> Ive been to the URL but its a little difficult applying these commands
>>> to RHEL6 systems.
>>> For instance there is no /etc/pki-tomcat directory in RHEL6, and I
>>> cannot find the ipa.crt
>>>
>>> Im sure as a noob I am overlooking some very obvious stuff, but could
>>> you please guide me on what to do?
>>
>>
>> Sorry, I think I pointed you at the wrong page. Check out
>> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>>
>> Your CA subsystem are expired, or nearly expired. They are valid for two
>> years. Based on the request ID in the snippet you posted at least some are
>> valid for another few days.
>>
>> What I'd suggest is to send the machine back in time and restart the
>> services. This should bring things up so that certmonger can do the renewal:
>>
>> # ipactl stop
>> # /sbin/service ntpd stop
>> # date 0501hhm where hhmm are the current hour and minute
>> # ipactl start
>>
>> Hopefully ntpd isn't started by ipactl. If it is then it will undo your
>> going back in time, and you'll need to start the services manually:
>>
>> # service dirsrv@YOURREALM start
>> # service krb5kdc
>> # service httpd start
>> # service pki-tomcatd start
>>
>> Restart certmonger
>>
>> # service certmonger restart
>>
>> Wait a bit
>>
>> # getcert list
>>
>> Watch the status. They should go to MODIFIED
>>
>> Once done:
>>
>> # ipactl stop
>>
>> Return date to present, either by restarting ntpd or date or whatever method
>> you'd like.
>>
>> I'm taking a completely wild guess on the date to go back to. The expiration
>> date is listed in the getcert output. I'd go back a week before the oldest
>> expiration.
>>
>> rob
>>

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to