So over the weekend time on the server changed back to normal so I set the time 
back again and tried to restart the ipa service and I get the following

#service ipa start
Starting Directory Service
Starting dirsrv:
    ITMODEV-GOV...                                         [FAILED]
  *** Error: 1 instance(s) failed to start
Failed to start Directory Service: Command '/sbin/service dirsrv start ' 
returned non-zero exit status 1

-----Original Message-----
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gronde, Christopher 
(Contractor)
Sent: Tuesday, October 13, 2015 10:50 AM
To: Rob Crittenden <rcrit...@redhat.com>
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Certmonger and dogtag not working....issues 
manually renewing Server-Cert

Still having issues...if I can still have assistance with this

getcert list
Number of certificates and requests being tracked: 3.
Request ID '20150922143354':
        status: NEED_TO_SUBMIT
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        issuer: CN=Certificate Authority,O=ITMODEV.GOV
        subject: CN=IPA RA,O=ITMODEV.GOV
        expires: 2013-10-09 11:45:01 UTC
        key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20151007150853':
        status: CA_UNREACHABLE
        ca-error: Error setting up ccache for "host" service on client using 
default keytab: Cannot contact any KDC for realm 'ITMODEV.GOV'.
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=ITMODEV.GOV
        subject: CN=comipa02.itmodev.gov,O=ITMODEV.GOV
        expires: 2015-09-23 17:46:26 UTC
        key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20150921154714':
        status: NEED_CA
        stuck: yes
        key pair storage: 
type=NSSDB,location='/etc/dirsrv/slapd-ITMODEV-GOV',nickname='Server-Cert',token='NSS
 Certificate DB',pinfile='/etc/dirsrv/slapd-ITMODEV-GOV/pwdfile.txt'
        certificate: 
type=NSSDB,location='/etc/dirsrv/slapd-ITMODEV-GOV',nickname='Server-Cert',token='NSS
 Certificate DB'
        issuer: CN=Certificate Authority,O=ITMODEV.GOV
        subject: CN=comipa02.itmodev.gov,O=ITMODEV.GOV
        expires: 2015-09-23 17:46:26 UTC
        key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv ITMODEV-GOV
        track: yes
        auto-renew: yes

-----Original Message-----
From: Gronde, Christopher (Contractor)
Sent: Thursday, October 08, 2015 2:06 PM
To: 'Rob Crittenden' <rcrit...@redhat.com>
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Certmonger and dogtag not working....issues 
manually renewing Server-Cert

# ldapsearch -x -b cn=ca_renewal,cn=ipa,cn=etc,dc=itmodev,dc=gov
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

ipa service was not running...I attempted to start it.

# service ipa start
Starting Directory Service
Starting dirsrv:
    ITMODEV-GOV...[08/Oct/2015:14:03:08 -0400] - SSL alert: 
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of 
family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - 
Peer's Certificate has expired.)
                                                           [  OK  ] Starting 
KDC Service
Starting Kerberos 5 KDC:                                   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:                          [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached:                                    [  OK  ]
Starting HTTP Service
Starting httpd:                                            [FAILED]
Failed to start HTTP Service
Shutting down
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Stopping ipa_memcached:                                    [  OK  ]
Stopping httpd:                                            [FAILED]
Shutting down dirsrv:
    ITMODEV-GOV...                                         [  OK  ]
Aborting ipactl

Ntpd is still stopped but date was back to today so I changed the date back to 
9/21 and started ipa services

# service ipa start
Starting Directory Service
Starting dirsrv:
    ITMODEV-GOV...                                         [  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:                                   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:                          [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached:                                    [  OK  ]
Starting HTTP Service
Starting httpd:                                            [  OK  ]

]# service ipa start
Starting Directory Service
Starting dirsrv:
    ITMODEV-GOV...[08/Oct/2015:14:03:08 -0400] - SSL alert: 
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of 
family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - 
Peer's Certificate has expired.)
                                                           [  OK  ] Starting 
KDC Service
Starting Kerberos 5 KDC:                                   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:                          [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached:                                    [  OK  ]
Starting HTTP Service
Starting httpd:                                            [FAILED]
Failed to start HTTP Service
Shutting down
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Stopping ipa_memcached:                                    [  OK  ]
Stopping httpd:                                            [FAILED]
Shutting down dirsrv:
    ITMODEV-GOV...                                         [  OK  ]
Aborting ipactl



-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Thursday, October 08, 2015 1:51 PM
To: Gronde, Christopher (Contractor) <christopher.gro...@fincen.gov>
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Certmonger and dogtag not working....issues 
manually renewing Server-Cert

Gronde, Christopher (Contractor) wrote:
> First commend came back:
> 
> ]# grep internal= /var/lib/pki-ca/conf/password.conf
> grep: /var/lib/pki-ca/conf/password.conf: No such file or directory
> 
> There is no pki-ca dir on this server

That simplifies things a bit.

The NEED_TO_SUBMIT status is odd on ipaCert because that suggests that it has a 
CSR and it doesn't. This CA will attempt to fetch an update cert from LDAP.

See what is available with:

% ldapsearch -x -b cn=ca_renewal,cn=ipa,cn=etc,dc=itmodev,dc=gov

I'm just assuming your IPA Instance isn't actually running, right?
You'll probably need to go back in time to have any chance of this working. 
Apache would be most vocal about not being able to start with an expired cert 
and offer a means to workaround it (going back in time is a better solution).

This is of course assuming that the other IPA master(s) actually have renewed 
certificates themselves.

rob
> 
> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Thursday, October 08, 2015 11:37 AM
> To: Gronde, Christopher (Contractor) <christopher.gro...@fincen.gov>; 
> Alexander Bokovoy <aboko...@redhat.com>
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Certmonger and dogtag not 
> working....issues manually renewing Server-Cert
> 
> Gronde, Christopher (Contractor) wrote:
>> When I ran "getcert list" rather than "ipa-getcert list" I get the following:
>>
>> # getcert list
>> Number of certificates and requests being tracked: 2.
>> Request ID '20150922143354':
>>         status: NEED_TO_SUBMIT
>>         stuck: no
>>         key pair storage: 
>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>         certificate: 
>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
>> Certificate DB'
>>         CA: dogtag-ipa-retrieve-agent-submit
>>         issuer: CN=Certificate Authority,O=ITMODEV.GOV
>>         subject: CN=IPA RA,O=ITMODEV.GOV
>>         expires: 2013-10-09 11:45:01 UTC
>>         key usage: 
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>         track: yes
>>         auto-renew: yes
>> Request ID '20151007150853':
>>         status: CA_UNREACHABLE
>>         ca-error: Server at https://comipa02.itmodev.gov/ipa/xml failed 
>> request, will retry: -504 (libcurl failed to execute the HTTP POST 
>> transaction.  Peer certificate cannot be authenticated with known CA 
>> certificates).
>>         stuck: no
>>         key pair storage: 
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>         certificate: 
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
>> Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=ITMODEV.GOV
>>         subject: CN=comipa02.itmodev.gov,O=ITMODEV.GOV
>>         expires: 2015-09-23 17:46:26 UTC
>>         key usage: 
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>         track: yes
>>         auto-renew: yes
> 
> I don't know how the certificates became un-tracked but the result is that 
> the expiration date passed and I can only assume that they are all expired 
> now. What is really strange is that someone poked at ipaCert last month, 
> though that cert expired 2 years ago. The Apache cert is equally confusing as 
> it has probably been renewed at least once given the date of ipaCert.
> 
> In any case, the first thing to do is to see what the state of the other 
> certs are. These will enable certmonger tracking of them.
> 
> NOTE: I haven't tested these commands on a live system but I think it is 
> right.
> 
> # grep internal= /var/lib/pki-ca/conf/password.conf
> 
> The series of numbers is the PIN you need next.
> 
> # for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert 
> cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
> do
>     getcert start-tracking -d /var/lib/pki-ca/alias -n "${nickname}" -c 
> dogtag-ipa-renew-agent -P <internal pin> -B 
> /usr/lib64/ipa/certmonger/stop_pkicad -C 
> '/usr/lib64/ipa/certmonger/renew_ca_cert "${nickname}"'
> done
> 
> The tracking is incorrect for ipaCert so you'll need to try to fix it with:
> 
> # getcert start-tracking -i 20150922143354 -C 
> /usr/lib64/ipa/certmonger/renew_ra_cert
> 
> And finally track the 389-ds certs:
> 
> # getcert start-tracking -d /etc/dirsrv/slapd-ITMODEV-GOV -p 
> /etc/dirsrv/slapd-ITMODEV-GOV/pwdfile.txt -n Server-Cert -C 
> '/usr/lib64/ipa/certmonger/restart_dirsrv ITMODEV-GOV'
> # getcert start-tracking -d /etc/dirsrv/slapd-PKI-IPA -p 
> /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -n Server-Cert -C 
> '/usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA'
> 
> So now theoretically getcert list will show all 8 certificates as being 
> tracked.
> 
> Start with the 4 CA certificates and see when they expire. Stop ntpd if 
> running, go back to when those are valid and try restarting the CA. You may 
> have to go back *really* far given the expiration date of ipaCert.
> In fact, to get things working you might have to go back, renew some of the 
> certs, move forward to when those would expire last month and renew again.
> 
> # service pki-cad restart
> 
> Give it a minute to fully start then try the renewal either by restarting 
> certmonger or for each of the CA subsystem certs run getcert resubmit -i <id>.
> 
> Assuming that worked next try to renew ipaCert. If that gets renewed then do 
> the 3 remaining certs: Apache and the two 389-ds instances.
> 
> If that works run ipactl stop, bring time forward, ipactl start.
> 
> rob
> 
> 
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcrit...@redhat.com]
>> Sent: Thursday, October 08, 2015 10:33 AM
>> To: Gronde, Christopher (Contractor) <christopher.gro...@fincen.gov>; 
>> Alexander Bokovoy <aboko...@redhat.com>
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Certmonger and dogtag not 
>> working....issues manually renewing Server-Cert
>>
>> Gronde, Christopher (Contractor) wrote:
>>> Currently running ipa-server-3.0.0-47.el6.x86_64
>>>
>>> I have stopped ntpd and reset the date to Sept 21st.  Yes I agree this has 
>>> been baffling me for days.
>>
>> You should be tracking 8 certificates. The output of `getcert list` should 
>> look something like:
>>
>> Number of certificates and requests being tracked: 8.
>> Request ID '20150102143352':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCer
>> t cert-pki-ca',token='NSS Certificate DB',pin set
>>         certificate:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCer
>> t cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>         subject: CN=CA Audit,O=EXAMPLE.COM
>>         expires: 2016-12-22 14:33:08 UTC
>>         key usage: digitalSignature,nonRepudiation
>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> "auditSigningCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20150102143353':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>>         certificate:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>         subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>>         expires: 2016-12-22 14:33:07 UTC
>>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>         eku: id-kp-OCSPSigning
>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> "ocspSigningCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20150102143354':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>>         certificate:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>> cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>         subject: CN=CA Subsystem,O=EXAMPLE.COM
>>         expires: 2016-12-22 14:33:07 UTC
>>         key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> "subsystemCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20150102143355':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>         certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>> Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>         subject: CN=IPA RA,O=EXAMPLE.COM
>>         expires: 2016-12-22 14:33:51 UTC
>>         key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>         track: yes
>>         auto-renew: yes
>> Request ID '20150102143356':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>>         certificate:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>> cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>         subject: CN=ipa.example.com,O=EXAMPLE.COM
>>         expires: 2016-12-22 14:33:07 UTC
>>         key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20150102143410':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-
>> C
>> ert',token='NSS Certificate
>> DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
>>         certificate:
>> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-
>> C
>> ert',token='NSS
>> Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>         subject: CN=ipa.example.com,O=EXAMPLE.COM
>>         expires: 2017-01-02 14:34:09 UTC
>>         key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
>> EXAMPLE-COM
>>         track: yes
>>         auto-renew: yes
>> Request ID '20150102143452':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert'
>> ,token='NSS Certificate
>> DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>         certificate:
>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert'
>> ,token='NSS
>> Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>         subject: CN=ipa.example.com,O=EXAMPLE.COM
>>         expires: 2017-01-02 14:34:51 UTC
>>         key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
>>         track: yes
>>         auto-renew: yes
>> Request ID '20150102143632':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='
>> N SS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>         certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='
>> N
>> SS
>> Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>         subject: CN=ipa.example.com,O=EXAMPLE.COM
>>         expires: 2017-01-02 14:36:32 UTC
>>         key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>         track: yes
>>         auto-renew: yes
>>
>> What is missing are the certs for 389-ds and for the CA itself. I'm guessing 
>> those are also expired/expiring.
>>
>> rob
>>
>>>
>>>
>>> -----Original Message-----
>>> From: Rob Crittenden [mailto:rcrit...@redhat.com]
>>> Sent: Thursday, October 08, 2015 9:49 AM
>>> To: Gronde, Christopher (Contractor) 
>>> <christopher.gro...@fincen.gov>; Alexander Bokovoy 
>>> <aboko...@redhat.com>
>>> Cc: freeipa-users@redhat.com
>>> Subject: Re: [Freeipa-users] Certmonger and dogtag not 
>>> working....issues manually renewing Server-Cert
>>>
>>> Gronde, Christopher (Contractor) wrote:
>>>> Now I am getting CA_UNREACHABLE
>>>>
>>>> # ipa-getcert resubmit -i 20151007150853 -p 
>>>> /etc/httpd/alias/pwdfile.txt -K HTTP/comipa02.<example>.gov -C 
>>>> /usr/lib64/ipa/certmonger/restart_httpd
>>>> Resubmitting "20151007150853" to "IPA".
>>>>
>>>> # ipa-getcert list
>>>> Number of certificates and requests being tracked: 2.
>>>> Request ID '20151007150853':
>>>>         status: CA_UNREACHABLE
>>>>         ca-error: Error setting up ccache for "host" service on client 
>>>> using default keytab: Cannot contact any KDC for realm '<example>.GOV'.
>>>>         stuck: no
>>>>         key pair storage: 
>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
>>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>         certificate: 
>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
>>>> Certificate DB'
>>>>         CA: IPA
>>>>         issuer: CN=Certificate Authority,O=<example>.GOV
>>>>         subject: CN=comipa02.itmodev.gov,O=<example>.GOV
>>>>         expires: 2015-09-23 17:46:26 UTC
>>>>         key usage: 
>>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>         pre-save command:
>>>>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>>         track: yes
>>>>         auto-renew: yes
>>>
>>> What really baffles me is what happened to the original tracking for these 
>>> certificates. Based on the original e-mail only 2 of the 8 are being 
>>> tracked at all.
>>>
>>> What version of IPA is this? rpm -q ipa-server
>>>
>>> I'm guessing that the IPA services aren't running due to the expired 
>>> certificates. You'll need to roll back the time to before Sept 22, at last, 
>>> to get things up and running.
>>>
>>> rob
>>>
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Alexander Bokovoy [mailto:aboko...@redhat.com]
>>>> Sent: Thursday, October 08, 2015 9:00 AM
>>>> To: Gronde, Christopher (Contractor) 
>>>> <christopher.gro...@fincen.gov>
>>>> Cc: freeipa-users@redhat.com
>>>> Subject: Re: [Freeipa-users] Certmonger and dogtag not 
>>>> working....issues manually renewing Server-Cert
>>>>
>>>> Hi,
>>>>
>>>> On Thu, 08 Oct 2015, Gronde, Christopher (Contractor) wrote:
>>>>> Thank you for your response!
>>>> Do not respond directly, send your emails to the mailing list, please.
>>>>
>>>>> Yes "getent passwd admin" does work
>>>>>
>>>>> # getent passwd admin
>>>>> admin:*:1278200000:1278200000:Administrator:/home/admin:/bin/bash
>>>>>
>>>>> The second not returned:
>>>>>
>>>>> # ipa-getcert resubmit -i 20151007150853 -p 
>>>>> /etc/httpd/alias/pwdfile.txt Resubmitting "20151007150853" to "IPA".
>>>>>
>>>>> ]# ipa-getcert resubmit -i 20151007150853 -p 
>>>>> /etc/httpd/alias/pwdfile.txt Resubmitting "20151007150853" to "IPA".
>>>>> [root@comipa02 conf.d]# ipa-getcert list Number of certificates 
>>>>> and requests being tracked: 2.
>>>>> Request ID '20151007150853':
>>>>>        status: MONITORING
>>>>>        ca-error: Unable to determine principal name for signing request.
>>>> So it doesn't know whom to map the cert to.
>>>>
>>>> When re-submitting the request with ipa-getcert, add
>>>>   -K HTTP/comipa02.itmodev.gov
>>>>
>>>> While at it, I've looked at my test setup and I can see that your 
>>>> configuration below lacks restart of httpd after certificate was
>>>> rotated:
>>>>   -C /usr/lib64/ipa/certmonger/restart_httpd
>>>>
>>>>
>>>>>        stuck: no
>>>>>        key pair storage: 
>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
>>>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>        certificate: 
>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
>>>>> Certificate DB'
>>>>>        CA: IPA
>>>>>        issuer: CN=Certificate Authority,O=<example>.GOV
>>>>>        subject: CN=comipa02.itmodev.gov,O=<example>.GOV
>>>>>        expires: 2015-09-23 17:46:26 UTC
>>>>>        key usage: 
>>>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>        eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>        pre-save command:
>>>>>        post-save command:
>>>>>        track: yes
>>>>>        auto-renew: yes
>>>>>
>>>>> This Cert however still shows expired.  What do I need to do to go about 
>>>>> renewing it?
>>>>>
>>>>> # certutil -V -u V -n Server-Cert -d /etc/httpd/alias
>>>>> certutil: certificate is invalid: Peer's Certificate has expired.
>>>>>
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: Alexander Bokovoy [mailto:aboko...@redhat.com]
>>>>> Sent: Thursday, October 08, 2015 2:22 AM
>>>>> To: Gronde, Christopher (Contractor) 
>>>>> <christopher.gro...@fincen.gov>
>>>>> Cc: freeipa-users@redhat.com
>>>>> Subject: Re: [Freeipa-users] Certmonger and dogtag not 
>>>>> working....issues manually renewing Server-Cert
>>>>>
>>>>> On Wed, 07 Oct 2015, Gronde, Christopher (Contractor) wrote:
>>>>>> I am new to FreeIPA and have inherited two IPA servers not sure 
>>>>>> if one is a master/slave or how they are different.  I will try 
>>>>>> to give some pertinent outputs below of some of the things I am 
>>>>>> seeing.  I know the Server-Cert is expired but can't figure out 
>>>>>> how to renew it.  There also appears to be Kerberos 
>>>>>> authentication issues going on as I'm trying to fix it.
>>>>>>
>>>>>> #getcert list -d /etc/httpd/alias -n ipaCert Number of 
>>>>>> certificates and requests being tracked: 2.
>>>>>> Request ID '20150922143354':
>>>>>>        status: NEED_TO_SUBMIT
>>>>>>        stuck: no
>>>>>>        key pair storage: 
>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
>>>>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>        certificate: 
>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
>>>>>> Certificate DB'
>>>>>>        CA: dogtag-ipa-retrieve-agent-submit
>>>>>>        issuer: CN=Certificate Authority,O=<example>.GOV
>>>>>>        subject: CN=IPA RA,O=<example>.GOV
>>>>>>        expires: 2013-10-09 11:45:01 UTC
>>>>>>        key usage: 
>>>>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>        eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>        pre-save command:
>>>>>>        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>>>>        track: yes
>>>>>>        auto-renew: yes
>>>>>>
>>>>>> #certutil -V -u V -n Server-Cert -d /etc/httpd/alias
>>>>>> certutil: certificate is invalid: Peer's Certificate has expired.
>>>>>>
>>>>>>
>>>>>> #certutil -L -d /etc/httpd/alias -n Server-Cert
>>>>>> Certificate:
>>>>>>    Data:
>>>>>>        Version: 3 (0x2)
>>>>>>        Serial Number: 166 (0xa6)
>>>>>>        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>>>>>>        Issuer: "CN=Certificate Authority,O=<example>.GOV"
>>>>>>        Validity:
>>>>>>            Not Before: Sun Sep 22 17:46:26 2013
>>>>>>            Not After : Wed Sep 23 17:46:26 2015
>>>>>>        Subject: "CN=comipa02.<example>.gov,O=<example>.GOV"
>>>>>>        Subject Public Key Info:
>>>>>>            Public Key Algorithm: PKCS #1 RSA Encryption
>>>>>>            RSA Public Key:
>>>>>>                Modulus:
>>>>>>                    c6:8e:37:ee:72:82:58:78:4e:16:b8:18:f3:28:05:d9:
>>>>>>                    e5:3c:ee:01:ec:3e:28:d5:87:be:e4:74:ec:e5:27:40:
>>>>>>                    ca:9c:eb:61:a2:ad:44:c0:d9:2e:6d:93:fd:67:4c:f8:
>>>>>>                    6d:f6:f2:63:6f:e6:00:4a:2a:c4:44:f5:e7:32:50:40:
>>>>>>                    51:5b:0e:15:69:25:ef:c9:4f:47:ad:ba:90:fb:36:6d:
>>>>>>                    14:3f:04:c4:7b:c3:e6:b1:30:7b:56:2d:d3:0f:d9:2f:
>>>>>>                    c9:57:89:c7:21:8a:a6:d4:2a:63:27:6c:54:53:7b:44:
>>>>>>                    9a:0b:da:8f:b9:88:ec:b4:95:d3:5c:6c:cf:7b:dc:30:
>>>>>>                    ef:25:db:fd:89:26:7f:25:34:9d:6e:7b:b0:94:62:81:
>>>>>>                    0e:b8:d6:3e:95:0e:71:e2:3f:6b:e2:3d:f2:71:8d:4c:
>>>>>>                    ec:41:e2:fa:c7:8b:50:80:90:68:a8:88:5c:07:c6:cc:
>>>>>>                    5a:48:fc:7f:37:28:78:b3:2e:79:05:73:a5:9d:75:ae:
>>>>>>                    15:bc:55:6c:85:ab:cd:2e:44:6b:10:c2:25:d8:bb:03:
>>>>>>                    11:3f:69:44:3e:1c:ba:a3:c9:fa:36:ae:a6:6e:f4:51:
>>>>>>                    a0:74:ff:e9:31:40:51:69:d2:49:47:a8:38:7a:9b:b8:
>>>>>>                    32:04:4c:ad:6d:52:91:53:61:a3:fa:37:82:f4:38:cb
>>>>>>                Exponent: 65537 (0x10001)
>>>>>>        Signed Extensions:
>>>>>>            Name: Certificate Authority Key Identifier
>>>>>>            Key ID:
>>>>>>                ab:01:f6:f0:b1:f6:58:15:f9:0d:e6:35:83:44:ab:50:
>>>>>>                c3:13:4b:16
>>>>>>
>>>>>>            Name: Authority Information Access
>>>>>>            Method: PKIX Online Certificate Status Protocol
>>>>>>            Location:
>>>>>>                URI: "http://comipa01.<example>.gov:80/ca/ocsp"
>>>>>>
>>>>>>            Name: Certificate Key Usage
>>>>>>            Critical: True
>>>>>>            Usages: Digital Signature
>>>>>>                    Non-Repudiation
>>>>>>                    Key Encipherment
>>>>>>                    Data Encipherment
>>>>>>
>>>>>>            Name: Extended Key Usage
>>>>>>                TLS Web Server Authentication Certificate
>>>>>>                TLS Web Client Authentication Certificate
>>>>>>
>>>>>>    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>>>>>>    Signature:
>>>>>>        2d:e0:48:99:ca:e8:e3:33:40:de:9b:a9:bf:a0:37:98:
>>>>>>        d3:22:f7:d5:ff:a6:2b:fd:b3:fc:c8:c3:f0:16:ee:a5:
>>>>>>        44:5a:8d:d8:eb:eb:56:08:95:3e:48:2d:a1:be:a0:c2:
>>>>>>        64:a3:55:62:ab:42:3b:e6:ff:90:3e:0f:a2:59:2a:7a:
>>>>>>        c0:f3:81:bb:6d:27:6a:1d:12:41:89:cb:fc:cf:5d:fa:
>>>>>>        b5:f6:6d:b9:1a:b8:fb:cc:84:3c:5d:98:da:79:64:07:
>>>>>>        6f:c0:d1:9d:8a:e1:03:70:71:87:39:f6:fc:a0:4a:a2:
>>>>>>        43:57:0a:dc:33:6b:f4:4e:be:0a:5b:26:83:eb:e3:57:
>>>>>>        ad:aa:5c:d4:f7:1f:0d:38:f2:71:85:b0:27:9c:8e:57:
>>>>>>        01:51:b5:e8:e7:a4:9f:a0:0b:bd:96:45:ac:30:86:d5:
>>>>>>        b8:78:56:5e:29:3e:70:9d:80:b0:25:50:fc:c6:e1:a7:
>>>>>>        0a:1c:e9:da:1d:00:1f:53:9b:fd:9b:a9:74:1b:45:8f:
>>>>>>        7d:f0:c4:cc:ff:ae:1f:0f:3e:2d:8f:81:80:ee:27:38:
>>>>>>        f6:5b:39:b4:54:7c:56:c5:b4:0e:93:b8:24:18:42:70:
>>>>>>        5d:d3:7b:c9:db:be:14:22:1c:29:16:84:ab:4d:05:b0:
>>>>>>        7b:1b:7d:e4:94:0d:39:42:71:33:94:57:16:7b:90:6f
>>>>>>    Fingerprint (SHA-256):
>>>>>>        
>>>>>> DD:B0:8E:6B:5F:61:D1:7C:29:ED:CB:8C:8D:7E:9F:94:BE:40:E7:8B:AD:55:ED:14:E9:32:C4:7A:F0:0A:F3:2C
>>>>>>    Fingerprint (SHA1):
>>>>>>        
>>>>>> 88:51:F1:8F:3A:BD:7E:24:0D:4D:4A:CE:94:FB:A9:75:14:82:58:FA
>>>>>>
>>>>>>    Certificate Trust Flags:
>>>>>>        SSL Flags:
>>>>>>            User
>>>>>>        Email Flags:
>>>>>>            User
>>>>>>        Object Signing Flags:
>>>>>>            User
>>>>>>
>>>>>> #ipa-getkeytab -s compia02.itmodev.gov -p 
>>>>>> host/comipa02.itmodev.gov -k /etc/krb5.keytab Kerberos User Principal 
>>>>>> not found. Do you have a valid Credential Cache?
>>>>> So, let's start here.
>>>>>
>>>>> First above you have a typo: compia02.itmodev.gov versus 
>>>>> comipa02.itmodev.gov. However, as this is your IPA master, I'm not sure 
>>>>> why you need to re-retrieve its host keytab. Does user name resolution 
>>>>> (getent passwd admin) work on the master? If it does, you *don't* need to 
>>>>> change existing keytab.
>>>>>
>>>>> Second, in the output below we can see that certmonger needs a PIN for 
>>>>> the request to proceed:
>>>>>> #ipa-getcert list
>>>>>> Number of certificates and requests being tracked: 2.
>>>>>> Request ID '20151007150853':
>>>>>>        status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>>>> 'Newly added request needs a PIN to read the key material'
>>>>>
>>>>>>        stuck: yes
>>>>>>        key pair storage: 
>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
>>>>>>        certificate: 
>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
>>>>>>        CA: IPA
>>>>>>        issuer:
>>>>>>        subject:
>>>>>>        expires: unknown
>>>>>>        pre-save command:
>>>>>>        post-save command:
>>>>>>        track: yes
>>>>>>        auto-renew: yes
>>>>>
>>>>> The PIN is in /etc/httpd/alias/pwdfile.txt, to supply it to certmonger, 
>>>>> you need to re-submit the request and specify the pin:
>>>>>
>>>>> ipa-getcert resubmit -i 20151007150853 -p 
>>>>> /etc/httpd/alias/pwdfile.txt
>>>>>
>>>>> --
>>>>> / Alexander Bokovoy
>>>>>
>>>>
>>>> --
>>>> / Alexander Bokovoy
>>>>
>>>>
>>>
>>>
>>
>>
> 
> 



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to