Le 05/06/2015 22:19, Endi Sukma Dewata a écrit :
> On 5/19/2015 3:54 AM, Thibaut Pouzet wrote:
>> Hi,
>>
>> It appeared that the NSS DB had fips enabled due to the troubleshooting
>> of an old problem :
>>
>> # modutil -dbdir /var/lib/pki-ca/alias/ -list
>>
>> Listing of PKCS #11 Modules
>> -----------------------------------------------------------
>>    1. NSS Internal FIPS PKCS #11 Module
>>           slots: 1 slot attached
>>          status: loaded
>>
>>           slot: NSS FIPS 140-2 User Private Key Services
>>          token: NSS FIPS 140-2 Certificate DB
>> -----------------------------------------------------------
>>
>> I disabled it : modutil -dbdir /var/lib/pki-ca/alias -fips false
>>
>> And no longer have the stack trace in the debug logs while re-sumbitting
>> the certificate with certmonger.
>>
>> This is a first step in this certificate renewal, as I still cannot
>> renew it, I have a new error :
>>          status: CA_UNREACHABLE
>>          ca-error: Error 60 connecting to
>> https://ipa_server:9443/ca/agent/ca/profileReview: Peer certificate
>> cannot be authenticated with known CA certificates.
>>
>> This looks like a chicken and egg problem, the certificate served on
>> ipa_server:9443 is the one that needs to be renewed. I tried to step
>> back in time when the certificate was still valid with no luck.
>>
>> So if anyone has an idea here...
>>
>> Cheers,
> 
> Hi,
> 
> Is this still a problem? Per discussion with Rob it doesn't seem to be
> an issue with Dogtag itself.
> 
> I suppose you are following this instruction:
> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
> 
> Could you post the full getcert list output? Also after you reset the
> clock back and try the renewal again could you post the error messages
> that you get?
> 
> Hopefully the IPA team will be able to troubleshoot further. Thanks.
> 

Hi Endi,

Indeed, this is still a problem for this server. I did not had any new
idea on how to troubleshoot this issue unfortunately... Here is what you
asked :

With ntp running, date is now :

$ sudo getcert list -c dogtag-ipa-renew-agent
Number of certificates and requests being tracked: 9.
Request ID '20150511123414':
        status: MONITORING
        stuck: no
        key pair storage:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='640188994674'
        certificate:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=ipa_domain
        subject: CN=CA Audit,O=ipa_domain
        expires: 2017-04-10 05:34:30 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20150511123614':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to
https://ipa_server:9443/ca/agent/ca/profileReview: Peer certificate
cannot be authenticated with known CA certificates.
        stuck: no
        key pair storage:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='640188994674'
        certificate:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=ipa_domain
        subject: CN=CA Subsystem,O=ipa_domain
        expires: 2015-04-09 04:58:34 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20150511123705':
        status: MONITORING
        stuck: no
        key pair storage:
type=NSSDB,='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate
DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate:
type=NSSDB,='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=ipa_domain
        subject: CN=IPA RA,O=ipa_domain
        expires: 2017-04-18 07:11:38 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20150513074100':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to
https://ipa_server:9443/ca/agent/ca/profileReview: Peer certificate
cannot be authenticated with known CA certificates.
        stuck: no
        key pair storage:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='640188994674'
        certificate:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=ipa_domain
        subject: CN=ipa_server,O=ipa_domain
        expires: 2015-04-09 04:58:33 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20150107225544':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to
https://ipa_server:9443/ca/agent/ca/profileReview: Peer certificate
cannot be authenticated with known CA certificates.
        stuck: no
        key pair storage:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='640188994674'
        certificate:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=ipa_domain
        subject: CN=OCSP Subsystem,O=ipa_domain
        expires: 2015-04-09 04:58:33 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        eku: id-kp-OCSPSigning
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes


I set the date to before the expiration date of the certificate, and do
ipa getcert resubmit -i 20150513074100 :

$ sudo getcert list -c dogtag-ipa-renew-agent
Number of certificates and requests being tracked: 9.
Request ID '20150511123414':
        status: MONITORING
        stuck: no
        key pair storage:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='640188994674'
        certificate:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=ipa_domain
        subject: CN=CA Audit,O=ipa_domain
        expires: 2017-04-10 05:34:30 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20150511123614':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to
https://ipa_server:9443/ca/agent/ca/profileReview: Peer certificate
cannot be authenticated with known CA certificates.
        stuck: no
        key pair storage:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='640188994674'
        certificate:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=ipa_domain
        subject: CN=CA Subsystem,O=ipa_domain
        expires: 2015-04-09 04:58:34 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20150511123705':
        status: MONITORING
        stuck: no
        key pair storage:
type=NSSDB,='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate
DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate:
type=NSSDB,='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=ipa_domain
        subject: CN=IPA RA,O=ipa_domain
        expires: 2017-04-18 07:11:38 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20150513074100':
        status: NEED_TO_SUBMIT
        ca-error: Error 35 connecting to
https://ipa_server:9443/ca/agent/ca/profileReview: SSL connect error.
        stuck: no
        key pair storage:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='640188994674'
        certificate:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=ipa_domain
        subject: CN=ipa_server,O=ipa_domain
        expires: 2015-04-09 04:58:33 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20150107225544':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to
https://ipa_server:9443/ca/agent/ca/profileReview: Peer certificate
cannot be authenticated with known CA certificates.
        stuck: no
        key pair storage:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='640188994674'
        certificate:
type=NSSDB,='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=ipa_domain
        subject: CN=OCSP Subsystem,O=ipa_domain
        expires: 2015-04-09 04:58:33 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        eku: id-kp-OCSPSigning
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

Nothing inside /var/log/pki-ca/debug regarding this resubmit request

Cheers,

-- 
Thibaut Pouzet
Lyra Network
Ingénieur Systèmes et Réseaux
(+33) 5 31 22 40 08
www.lyra-network.com

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to