Gronde, Christopher (Contractor) wrote:
> Currently running ipa-server-3.0.0-47.el6.x86_64
> 
> I have stopped ntpd and reset the date to Sept 21st.  Yes I agree this has 
> been baffling me for days.

You should be tracking 8 certificates. The output of `getcert list`
should look something like:

Number of certificates and requests being tracked: 8.
Request ID '20150102143352':
        status: MONITORING
        stuck: no
        key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=CA Audit,O=EXAMPLE.COM
        expires: 2016-12-22 14:33:08 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20150102143353':
        status: MONITORING
        stuck: no
        key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=OCSP Subsystem,O=EXAMPLE.COM
        expires: 2016-12-22 14:33:07 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        eku: id-kp-OCSPSigning
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20150102143354':
        status: MONITORING
        stuck: no
        key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=CA Subsystem,O=EXAMPLE.COM
        expires: 2016-12-22 14:33:07 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20150102143355':
        status: MONITORING
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=IPA RA,O=EXAMPLE.COM
        expires: 2016-12-22 14:33:51 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20150102143356':
        status: MONITORING
        stuck: no
        key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ipa.example.com,O=EXAMPLE.COM
        expires: 2016-12-22 14:33:07 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20150102143410':
        status: MONITORING
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
        certificate:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ipa.example.com,O=EXAMPLE.COM
        expires: 2017-01-02 14:34:09 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
EXAMPLE-COM
        track: yes
        auto-renew: yes
Request ID '20150102143452':
        status: MONITORING
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ipa.example.com,O=EXAMPLE.COM
        expires: 2017-01-02 14:34:51 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
        track: yes
        auto-renew: yes
Request ID '20150102143632':
        status: MONITORING
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ipa.example.com,O=EXAMPLE.COM
        expires: 2017-01-02 14:36:32 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes

What is missing are the certs for 389-ds and for the CA itself. I'm
guessing those are also expired/expiring.

rob

> 
> 
> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com] 
> Sent: Thursday, October 08, 2015 9:49 AM
> To: Gronde, Christopher (Contractor) <christopher.gro...@fincen.gov>; 
> Alexander Bokovoy <aboko...@redhat.com>
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Certmonger and dogtag not working....issues 
> manually renewing Server-Cert
> 
> Gronde, Christopher (Contractor) wrote:
>> Now I am getting CA_UNREACHABLE
>>
>> # ipa-getcert resubmit -i 20151007150853 -p 
>> /etc/httpd/alias/pwdfile.txt -K HTTP/comipa02.<example>.gov -C 
>> /usr/lib64/ipa/certmonger/restart_httpd
>> Resubmitting "20151007150853" to "IPA".
>>
>> # ipa-getcert list
>> Number of certificates and requests being tracked: 2.
>> Request ID '20151007150853':
>>         status: CA_UNREACHABLE
>>         ca-error: Error setting up ccache for "host" service on client using 
>> default keytab: Cannot contact any KDC for realm '<example>.GOV'.
>>         stuck: no
>>         key pair storage: 
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>         certificate: 
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
>> Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=<example>.GOV
>>         subject: CN=comipa02.itmodev.gov,O=<example>.GOV
>>         expires: 2015-09-23 17:46:26 UTC
>>         key usage: 
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>         track: yes
>>         auto-renew: yes
> 
> What really baffles me is what happened to the original tracking for these 
> certificates. Based on the original e-mail only 2 of the 8 are being tracked 
> at all.
> 
> What version of IPA is this? rpm -q ipa-server
> 
> I'm guessing that the IPA services aren't running due to the expired 
> certificates. You'll need to roll back the time to before Sept 22, at last, 
> to get things up and running.
> 
> rob
> 
>>
>>
>> -----Original Message-----
>> From: Alexander Bokovoy [mailto:aboko...@redhat.com]
>> Sent: Thursday, October 08, 2015 9:00 AM
>> To: Gronde, Christopher (Contractor) <christopher.gro...@fincen.gov>
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Certmonger and dogtag not 
>> working....issues manually renewing Server-Cert
>>
>> Hi,
>>
>> On Thu, 08 Oct 2015, Gronde, Christopher (Contractor) wrote:
>>> Thank you for your response!
>> Do not respond directly, send your emails to the mailing list, please.
>>
>>> Yes "getent passwd admin" does work
>>>
>>> # getent passwd admin
>>> admin:*:1278200000:1278200000:Administrator:/home/admin:/bin/bash
>>>
>>> The second not returned:
>>>
>>> # ipa-getcert resubmit -i 20151007150853 -p 
>>> /etc/httpd/alias/pwdfile.txt Resubmitting "20151007150853" to "IPA".
>>>
>>> ]# ipa-getcert resubmit -i 20151007150853 -p 
>>> /etc/httpd/alias/pwdfile.txt Resubmitting "20151007150853" to "IPA".
>>> [root@comipa02 conf.d]# ipa-getcert list Number of certificates and 
>>> requests being tracked: 2.
>>> Request ID '20151007150853':
>>>        status: MONITORING
>>>        ca-error: Unable to determine principal name for signing request.
>> So it doesn't know whom to map the cert to.
>>
>> When re-submitting the request with ipa-getcert, add
>>   -K HTTP/comipa02.itmodev.gov
>>
>> While at it, I've looked at my test setup and I can see that your 
>> configuration below lacks restart of httpd after certificate was
>> rotated:
>>   -C /usr/lib64/ipa/certmonger/restart_httpd
>>
>>
>>>        stuck: no
>>>        key pair storage: 
>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>        certificate: 
>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
>>> Certificate DB'
>>>        CA: IPA
>>>        issuer: CN=Certificate Authority,O=<example>.GOV
>>>        subject: CN=comipa02.itmodev.gov,O=<example>.GOV
>>>        expires: 2015-09-23 17:46:26 UTC
>>>        key usage: 
>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>        eku: id-kp-serverAuth,id-kp-clientAuth
>>>        pre-save command:
>>>        post-save command:
>>>        track: yes
>>>        auto-renew: yes
>>>
>>> This Cert however still shows expired.  What do I need to do to go about 
>>> renewing it?
>>>
>>> # certutil -V -u V -n Server-Cert -d /etc/httpd/alias
>>> certutil: certificate is invalid: Peer's Certificate has expired.
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: Alexander Bokovoy [mailto:aboko...@redhat.com]
>>> Sent: Thursday, October 08, 2015 2:22 AM
>>> To: Gronde, Christopher (Contractor) <christopher.gro...@fincen.gov>
>>> Cc: freeipa-users@redhat.com
>>> Subject: Re: [Freeipa-users] Certmonger and dogtag not 
>>> working....issues manually renewing Server-Cert
>>>
>>> On Wed, 07 Oct 2015, Gronde, Christopher (Contractor) wrote:
>>>> I am new to FreeIPA and have inherited two IPA servers not sure if 
>>>> one is a master/slave or how they are different.  I will try to give 
>>>> some pertinent outputs below of some of the things I am seeing.  I 
>>>> know the Server-Cert is expired but can't figure out how to renew 
>>>> it.  There also appears to be Kerberos authentication issues going 
>>>> on as I'm trying to fix it.
>>>>
>>>> #getcert list -d /etc/httpd/alias -n ipaCert Number of certificates 
>>>> and requests being tracked: 2.
>>>> Request ID '20150922143354':
>>>>        status: NEED_TO_SUBMIT
>>>>        stuck: no
>>>>        key pair storage: 
>>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
>>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>        certificate: 
>>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
>>>> Certificate DB'
>>>>        CA: dogtag-ipa-retrieve-agent-submit
>>>>        issuer: CN=Certificate Authority,O=<example>.GOV
>>>>        subject: CN=IPA RA,O=<example>.GOV
>>>>        expires: 2013-10-09 11:45:01 UTC
>>>>        key usage: 
>>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>        eku: id-kp-serverAuth,id-kp-clientAuth
>>>>        pre-save command:
>>>>        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>>        track: yes
>>>>        auto-renew: yes
>>>>
>>>> #certutil -V -u V -n Server-Cert -d /etc/httpd/alias
>>>> certutil: certificate is invalid: Peer's Certificate has expired.
>>>>
>>>>
>>>> #certutil -L -d /etc/httpd/alias -n Server-Cert
>>>> Certificate:
>>>>    Data:
>>>>        Version: 3 (0x2)
>>>>        Serial Number: 166 (0xa6)
>>>>        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>>>>        Issuer: "CN=Certificate Authority,O=<example>.GOV"
>>>>        Validity:
>>>>            Not Before: Sun Sep 22 17:46:26 2013
>>>>            Not After : Wed Sep 23 17:46:26 2015
>>>>        Subject: "CN=comipa02.<example>.gov,O=<example>.GOV"
>>>>        Subject Public Key Info:
>>>>            Public Key Algorithm: PKCS #1 RSA Encryption
>>>>            RSA Public Key:
>>>>                Modulus:
>>>>                    c6:8e:37:ee:72:82:58:78:4e:16:b8:18:f3:28:05:d9:
>>>>                    e5:3c:ee:01:ec:3e:28:d5:87:be:e4:74:ec:e5:27:40:
>>>>                    ca:9c:eb:61:a2:ad:44:c0:d9:2e:6d:93:fd:67:4c:f8:
>>>>                    6d:f6:f2:63:6f:e6:00:4a:2a:c4:44:f5:e7:32:50:40:
>>>>                    51:5b:0e:15:69:25:ef:c9:4f:47:ad:ba:90:fb:36:6d:
>>>>                    14:3f:04:c4:7b:c3:e6:b1:30:7b:56:2d:d3:0f:d9:2f:
>>>>                    c9:57:89:c7:21:8a:a6:d4:2a:63:27:6c:54:53:7b:44:
>>>>                    9a:0b:da:8f:b9:88:ec:b4:95:d3:5c:6c:cf:7b:dc:30:
>>>>                    ef:25:db:fd:89:26:7f:25:34:9d:6e:7b:b0:94:62:81:
>>>>                    0e:b8:d6:3e:95:0e:71:e2:3f:6b:e2:3d:f2:71:8d:4c:
>>>>                    ec:41:e2:fa:c7:8b:50:80:90:68:a8:88:5c:07:c6:cc:
>>>>                    5a:48:fc:7f:37:28:78:b3:2e:79:05:73:a5:9d:75:ae:
>>>>                    15:bc:55:6c:85:ab:cd:2e:44:6b:10:c2:25:d8:bb:03:
>>>>                    11:3f:69:44:3e:1c:ba:a3:c9:fa:36:ae:a6:6e:f4:51:
>>>>                    a0:74:ff:e9:31:40:51:69:d2:49:47:a8:38:7a:9b:b8:
>>>>                    32:04:4c:ad:6d:52:91:53:61:a3:fa:37:82:f4:38:cb
>>>>                Exponent: 65537 (0x10001)
>>>>        Signed Extensions:
>>>>            Name: Certificate Authority Key Identifier
>>>>            Key ID:
>>>>                ab:01:f6:f0:b1:f6:58:15:f9:0d:e6:35:83:44:ab:50:
>>>>                c3:13:4b:16
>>>>
>>>>            Name: Authority Information Access
>>>>            Method: PKIX Online Certificate Status Protocol
>>>>            Location:
>>>>                URI: "http://comipa01.<example>.gov:80/ca/ocsp"
>>>>
>>>>            Name: Certificate Key Usage
>>>>            Critical: True
>>>>            Usages: Digital Signature
>>>>                    Non-Repudiation
>>>>                    Key Encipherment
>>>>                    Data Encipherment
>>>>
>>>>            Name: Extended Key Usage
>>>>                TLS Web Server Authentication Certificate
>>>>                TLS Web Client Authentication Certificate
>>>>
>>>>    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>>>>    Signature:
>>>>        2d:e0:48:99:ca:e8:e3:33:40:de:9b:a9:bf:a0:37:98:
>>>>        d3:22:f7:d5:ff:a6:2b:fd:b3:fc:c8:c3:f0:16:ee:a5:
>>>>        44:5a:8d:d8:eb:eb:56:08:95:3e:48:2d:a1:be:a0:c2:
>>>>        64:a3:55:62:ab:42:3b:e6:ff:90:3e:0f:a2:59:2a:7a:
>>>>        c0:f3:81:bb:6d:27:6a:1d:12:41:89:cb:fc:cf:5d:fa:
>>>>        b5:f6:6d:b9:1a:b8:fb:cc:84:3c:5d:98:da:79:64:07:
>>>>        6f:c0:d1:9d:8a:e1:03:70:71:87:39:f6:fc:a0:4a:a2:
>>>>        43:57:0a:dc:33:6b:f4:4e:be:0a:5b:26:83:eb:e3:57:
>>>>        ad:aa:5c:d4:f7:1f:0d:38:f2:71:85:b0:27:9c:8e:57:
>>>>        01:51:b5:e8:e7:a4:9f:a0:0b:bd:96:45:ac:30:86:d5:
>>>>        b8:78:56:5e:29:3e:70:9d:80:b0:25:50:fc:c6:e1:a7:
>>>>        0a:1c:e9:da:1d:00:1f:53:9b:fd:9b:a9:74:1b:45:8f:
>>>>        7d:f0:c4:cc:ff:ae:1f:0f:3e:2d:8f:81:80:ee:27:38:
>>>>        f6:5b:39:b4:54:7c:56:c5:b4:0e:93:b8:24:18:42:70:
>>>>        5d:d3:7b:c9:db:be:14:22:1c:29:16:84:ab:4d:05:b0:
>>>>        7b:1b:7d:e4:94:0d:39:42:71:33:94:57:16:7b:90:6f
>>>>    Fingerprint (SHA-256):
>>>>        
>>>> DD:B0:8E:6B:5F:61:D1:7C:29:ED:CB:8C:8D:7E:9F:94:BE:40:E7:8B:AD:55:ED:14:E9:32:C4:7A:F0:0A:F3:2C
>>>>    Fingerprint (SHA1):
>>>>        88:51:F1:8F:3A:BD:7E:24:0D:4D:4A:CE:94:FB:A9:75:14:82:58:FA
>>>>
>>>>    Certificate Trust Flags:
>>>>        SSL Flags:
>>>>            User
>>>>        Email Flags:
>>>>            User
>>>>        Object Signing Flags:
>>>>            User
>>>>
>>>> #ipa-getkeytab -s compia02.itmodev.gov -p host/comipa02.itmodev.gov 
>>>> -k /etc/krb5.keytab Kerberos User Principal not found. Do you have a valid 
>>>> Credential Cache?
>>> So, let's start here.
>>>
>>> First above you have a typo: compia02.itmodev.gov versus 
>>> comipa02.itmodev.gov. However, as this is your IPA master, I'm not sure why 
>>> you need to re-retrieve its host keytab. Does user name resolution (getent 
>>> passwd admin) work on the master? If it does, you *don't* need to change 
>>> existing keytab.
>>>
>>> Second, in the output below we can see that certmonger needs a PIN for the 
>>> request to proceed:
>>>> #ipa-getcert list
>>>> Number of certificates and requests being tracked: 2.
>>>> Request ID '20151007150853':
>>>>        status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>> 'Newly added request needs a PIN to read the key material'
>>>
>>>>        stuck: yes
>>>>        key pair storage: 
>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
>>>>        certificate: 
>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
>>>>        CA: IPA
>>>>        issuer:
>>>>        subject:
>>>>        expires: unknown
>>>>        pre-save command:
>>>>        post-save command:
>>>>        track: yes
>>>>        auto-renew: yes
>>>
>>> The PIN is in /etc/httpd/alias/pwdfile.txt, to supply it to certmonger, you 
>>> need to re-submit the request and specify the pin:
>>>
>>> ipa-getcert resubmit -i 20151007150853 -p 
>>> /etc/httpd/alias/pwdfile.txt
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>
>> --
>> / Alexander Bokovoy
>>
>>
> 
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to