ipa-cacert-manage only renews the CA certificate. It does not fix expired CA subsystem certificates (# getcert list), IIRC.
I think the process was:
- move system time to about 1-2 weeks before the oldest expired certificate expiry time
- restart certmonger
- now certmonger itself should start renewing the certificates. Another alternative is to resubmit them with the "getcert resubmit" command and see the results
- when done, time can be moved back

Honza (CCed), if I missed anything, please let me know.

Martin

On 12/11/2015 08:54 PM, Jani West wrote:
> Hello,
>
> Seems like I indeed have expired certs. The problem is, how I can renew these.
>
> I tried to do:
> ---------------
> root@ipa1 ca]# systemctl restart dirsrv.target
> [root@ipa1 ca]# ipa-cacert-manage renew
> Renewing CA certificate, please wait
> Error resubmitting certmonger request '20150814121620', please check the request manually
> ---------------
>
> I still have old certs:
>
> Request ID '20150814121606':
>   status: CA_WORKING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='654666959930'
>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
>   subject: CN=CA Audit,O=PLANWEE.LOCAL
>   expires: 2015-09-29 20:22:26 UTC
>   key usage: digitalSignature,nonRepudiation
>   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20150814121614':
>   status: CA_WORKING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='654666959930'
>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
>   subject: CN=OCSP Subsystem,O=PLANWEE.LOCAL
>   expires: 2015-09-29 20:22:25 UTC
>   key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>   eku: id-kp-OCSPSigning
>   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20150814121618':
>   status: CA_WORKING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='654666959930'
>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
>   subject: CN=CA Subsystem,O=PLANWEE.LOCAL
>   expires: 2015-09-29 20:22:25 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20150814121621':
>   status: CA_WORKING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
>   subject: CN=IPA RA,O=PLANWEE.LOCAL
>   expires: 2015-09-29 20:23:10 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command:
>   post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>   track: yes
>   auto-renew: yes
>
> On 12/11/2015 10:23 AM, Martin Kosek wrote:
>> On 12/11/2015 08:31 AM, Jani West wrote:
>>> Hello,
>>>
>>> Pki-tomcatd seems to have difficulties when connecting to CA. LDAP server is starting ok when starting it directly with "systemctl start dirsrv.target".
>>>
>>> When starting "systemctl start ipa" everything else will start up except the pki-tomcatd.
>>>
>>> Obviously the same thing happens when starting with ipactl directly:
>>> [root@ipa1 ca]# ipactl start
>>> Existing service file detected!
>>> Assuming stale, cleaning and proceeding
>>> Starting Directory Service
>>> Starting krb5kdc Service
>>> Starting kadmin Service
>>> Starting named Service
>>> Starting ipa_memcached Service
>>> Starting httpd Service
>>> Starting pki-tomcatd Service
>>> Failed to start pki-tomcatd Service
>>> Shutting down
>>> Aborting ipactl
>>>
>>> /var/log/pki/pki-tomcat/localhost.2015-12-11.log
>>> SEVERE: Servlet.service() for servlet [caGetStatus] in context with path [/ca] threw exception java.io.IOException: CS server is not ready to serve.
>>>
>>> /var/log/dirsrv/slapd-PLANWEE-LOCAL/errors
>>> [11/Dec/2015:01:02:19 +0200] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
>>> [11/Dec/2015:01:02:19 +0200] - Listening on All Interfaces port 636 for LDAPS requests
>>> [11/Dec/2015:01:02:19 +0200] - Listening on /var/run/slapd-PLANWEE-LOCAL.socket for LDAPI requests
>>> [11/Dec/2015:01:02:19 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
>>> [11/Dec/2015:01:02:19 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
>>>
>>> /var/log/pki/pki-tomcat/ca/debug
>>> Internal Database Error encountered: Could not connect to LDAP server host ipa1.backend.planwee.local port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>>>
>>> Environment:
>>> CentOS 7
>>> IPA 4.1
>>>
>>> The problem looks the same as this:
>>> https://access.redhat.com/solutions/2022123
>>>
>>> Unfortunately I cannot view the resolution.
>>>
>>> Is this related to expired CA certificates?
>>
>> If you have expired certificates (you can check with "# getcert list | grep expires"), it could cause issues like that also.
>>
>> The article you are referring to is rather around wrong CA certificate trust attributes in /var/lib/pki/pki-tomcat/alias/ or /etc/dirsrv/slapd-EXAMPLE-COM/ NSS databases.
>>
>> You can check that with
>> # certutil -L -d /var/lib/pki/pki-tomcat/alias/
>> # certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM/
>>
>> BTW, if you want to see the whole article or other articles from the large KB, I would suggest getting a subscription :-)

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
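A triage helper for the clock-rewind / resubmit procedure Martin describes above (an added example, not code from the thread or from the FreeIPA project): it parses "getcert list" output, lists the tracked requests whose certificates have already expired, computes the clock value to move the system time back to (a margin before the oldest expiry) and emits the matching "getcert resubmit -i" commands as the alternative. The sample listing is constructed from the fields in Jani's output; the third request ID and the 10-day margin are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `getcert list` output, trimmed to the fields read here;
# the first two entries mirror the thread's listing, the third is invented.
SAMPLE_GETCERT_LIST = """\
Request ID '20150814121606':
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2015-09-29 20:22:26 UTC
Request ID '20150814121621':
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\texpires: 2015-09-29 20:23:10 UTC
Request ID '20150814121699':
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 2017-08-14 12:16:00 UTC
"""
TIME_FMT = "%Y-%m-%d %H:%M:%S UTC"

def parse_time(value):
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)

def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracked request."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Request ID '"):
            current = {"id": line[len("Request ID '"):].rstrip("':")}
            entries.append(current)
        elif current is not None and ": " in line:
            key, _, value = line.partition(": ")
            current[key] = value
    return entries

def triage(text, now_str, margin_days=10):
    """Expired tracked certs, the clock value to rewind to (margin_days, an assumed
    value inside the thread's 1-2 week range, before the oldest expiry) and the
    resubmit commands that are the alternative to rewinding the clock."""
    now = parse_time(now_str)
    expired = [e for e in parse_getcert_list(text) if parse_time(e["expires"]) <= now]
    if not expired:
        return {"expired": [], "rewind_to": None, "commands": []}
    oldest = min(parse_time(e["expires"]) for e in expired)
    nick = lambda e: re.search(r"nickname='([^']*)'", e.get("certificate", ""))
    return {
        "expired": [(e["id"], nick(e).group(1) if nick(e) else "?") for e in expired],
        "rewind_to": (oldest - timedelta(days=margin_days)).strftime(TIME_FMT),
        "commands": ["getcert resubmit -i " + e["id"] for e in expired],
    }

if __name__ == "__main__":
    print(triage(SAMPLE_GETCERT_LIST, "2015-12-11 20:54:00 UTC"))
```

On a real server feed it the output of "getcert list" and the current UTC time; entries whose "expires:" line is still in the future are left alone.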
