Hi,

On 14.12.2015 12:09, Martin Kosek wrote:
ipa-cacert-manage only renews CA certificate. It does not fix expired CA
subsystem certificates (#getcert list), IIRC.


Correct.


I think the process was:
- move system time to about 1-2 weeks before the oldest expired certificate
expiry time
- restart certmonger
- now certmonger itself should start renewing the certificates. Another
alternative is to resubmit them with "getcert resubmit" command and see the
results
- when done, time can be moved back

Honza (CCed), if I missed anything, please let me know.

This should work.


Martin

On 12/11/2015 08:54 PM, Jani West wrote:
Hello,

Seems like I indeed have expired certs. The problem is, how I can renew these.

I tried to do:
---------------
[root@ipa1 ca]# systemctl restart dirsrv.target
[root@ipa1 ca]# ipa-cacert-manage renew
Renewing CA certificate, please wait
Error resubmitting certmonger request '20150814121620', please check the
request manually
---------------

I still have old certs:

Request ID '20150814121606':
     status: CA_WORKING
     stuck: no
     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='654666959930'
     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
     CA: dogtag-ipa-ca-renew-agent
     issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
     subject: CN=CA Audit,O=PLANWEE.LOCAL
     expires: 2015-09-29 20:22:26 UTC
     key usage: digitalSignature,nonRepudiation
     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
     track: yes
     auto-renew: yes
Request ID '20150814121614':
     status: CA_WORKING
     stuck: no
     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='654666959930'
     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
     CA: dogtag-ipa-ca-renew-agent
     issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
     subject: CN=OCSP Subsystem,O=PLANWEE.LOCAL
     expires: 2015-09-29 20:22:25 UTC
     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
     eku: id-kp-OCSPSigning
     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
     track: yes
     auto-renew: yes
Request ID '20150814121618':
     status: CA_WORKING
     stuck: no
     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='654666959930'
     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
     CA: dogtag-ipa-ca-renew-agent
     issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
     subject: CN=CA Subsystem,O=PLANWEE.LOCAL
     expires: 2015-09-29 20:22:25 UTC
     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
     eku: id-kp-serverAuth,id-kp-clientAuth
     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
     track: yes
     auto-renew: yes
Request ID '20150814121621':
     status: CA_WORKING
     stuck: no
     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
     CA: dogtag-ipa-ca-renew-agent
     issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
     subject: CN=IPA RA,O=PLANWEE.LOCAL
     expires: 2015-09-29 20:23:10 UTC
     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
     eku: id-kp-serverAuth,id-kp-clientAuth
     pre-save command:
     post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
     track: yes
     auto-renew: yes

On 12/11/2015 10:23 AM, Martin Kosek wrote:
On 12/11/2015 08:31 AM, Jani West wrote:
Hello,

Pki-tomcatd seems to have difficulties when connecting to CA. LDAP server is starting ok when starting it directly with "systemctl start dirsrv.target".

When starting "systemctl start ipa" everything else will start up except the pki-tomcatd.

Obviously same thing happens when starting with ipactl directly:
[root@ipa1 ca]# ipactl start
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service
Failed to start pki-tomcatd Service
Shutting down
Aborting ipactl


/var/log/pki/pki-tomcat/localhost.2015-12-11.log
SEVERE: Servlet.service() for servlet [caGetStatus] in context with path [/ca] threw exception java.io.IOException: CS server is not ready to serve.


/var/log/dirsrv/slapd-PLANWEE-LOCAL/errors
[11/Dec/2015:01:02:19 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[11/Dec/2015:01:02:19 +0200] - Listening on All Interfaces port 636 for LDAPS requests
[11/Dec/2015:01:02:19 +0200] - Listening on /var/run/slapd-PLANWEE-LOCAL.socket for LDAPI requests
[11/Dec/2015:01:02:19 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[11/Dec/2015:01:02:19 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)

/var/log/pki/pki-tomcat/ca/debug
Internal Database Error encountered: Could not connect to LDAP server host ipa1.backend.planwee.local port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)

Environment:
CentOS 7
IPA 4.1

The problem looks the same as this:
https://access.redhat.com/solutions/2022123

Unfortunately I cannot view resolution.

Is this related to expired CA certificates?

If you have expired certificates (you can check with "# getcert list |
grep expires"), it could cause issues like that also.

The article you are referring to is rather around wrong CA certificate
trust attributes in /var/lib/pki/pki-tomcat/alias/ or
/etc/dirsrv/slapd-EXAMPLE-COM/ NSS databases.

You can check that with
# certutil -L -d /var/lib/pki/pki-tomcat/alias/
# certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM/

BTW, if you want to see the whole article or other articles from the
large KB, I would suggest getting a subscription :-)

--
Jan Cholasta
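An added example (not code from this thread or from FreeIPA) for the check discussed above: it parses `getcert list` output, lists the tracked certificates that have already expired, and computes the date two weeks before the oldest expiry, the clock target in the recovery procedure Martin describes. It assumes GNU date (as on CentOS 7); the getcert output is a constructed sample modelled on the one quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: parse `getcert list`
# output, list tracked certificates that have already expired, and compute the
# date two weeks before the oldest expiry (the clock target in the procedure
# above). Assumes GNU date (CentOS 7). Run against the real daemon with:
#   getcert list | expired_certs "$(date -u +'%Y-%m-%d %H:%M:%S')"

# Constructed sample modelled on the getcert output quoted in the thread.
sample_getcert() {
  cat <<'EOF'
Request ID '20150814121606':
     status: CA_WORKING
     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
     expires: 2015-09-29 20:22:26 UTC
Request ID '20150814121618':
     status: CA_WORKING
     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
     expires: 2015-09-29 20:22:25 UTC
Request ID '20150814121621':
     status: MONITORING
     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
     expires: 2017-01-15 10:00:00 UTC
EOF
}

# Reads getcert output on stdin; prints "<expiry>TAB<nickname>" for each
# certificate whose UTC expiry is before $1 ("YYYY-MM-DD HH:MM:SS").
# getcert prints UTC timestamps that sort lexicographically, so a string
# comparison is enough.
expired_certs() {
  awk -v ref="$1" -v q="'" '
    /^ *certificate:/ { n = $0; sub(".*nickname=" q, "", n); sub(q ".*", "", n) }
    /^ *expires:/     { ex = $2 " " $3; if (ex < ref) printf "%s\t%s\n", ex, n }'
}

# Reads expired_certs output on stdin; prints the oldest expiry timestamp.
oldest_expired() {
  sort | head -n 1 | cut -f1
}

# $1 = oldest expiry timestamp; prints the date 14 days earlier (YYYY-MM-DD).
clock_target() {
  date -u -d "$1 UTC 14 days ago" +%Y-%m-%d
}

# Demonstration on the sample, evaluated as of the date of the thread.
sample_getcert | expired_certs "2015-12-11 00:00:00"
clock_target "$(sample_getcert | expired_certs "2015-12-11 00:00:00" | oldest_expired)"
```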

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project