On 05/14/2016 12:01 AM, Adam Kaczka wrote:
> Hi all,
>
> I have inherited an IPA system that has an expired cert and the old admins have
> left; I followed (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but
> am running into errors when I try to renew the CA certs even after the time is
> reset. Also tried the troubleshooting under
> (http://www.freeipa.org/page/Troubleshooting#Authentication_Errors);
> specifically using "certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt"
> to add the cert in the database.
>
> From the output of getcert list, I see both CA_UNREACHABLE and
> NEED_CSR_GEN_PIN. I followed the Red Hat article here
> (https://access.redhat.com/solutions/1142913), which verified the key file
> password is correct, and I have reset the time. However the NEED_CSR_GEN_PIN
> status remains.
> My company actually has Red Hat support, but when they built this IPA whoever
> built it was using CentOS 6, so I am out of luck here.
>
> Would really appreciate any help since I am stuck at this point. What else
> can I do at this point? e.g. Is generating a new CA cert necessary, etc.?
Hi,

you don't need to renew the CA cert, it seems to be valid. But your server cert
is expired. It expired on 2016-03-29.

1. Move the date back before this date, e.g., 2016-03-27.
2. Verify that IPA is running: `ipactl status`. Maybe a restart will be needed.
3. Run `getcert list` to see if certmonger can communicate with the CA.
4. If certmonger doesn't renew the certs automatically, run
   `getcert resubmit -i $certid` for the expired cert.

>
> Version:
> ipa-pki-ca-theme.noarch        9.0.3-7.el6              @base
> ipa-pki-common-theme.noarch    9.0.3-7.el6              @base
> ipa-pmincho-fonts.noarch       003.02-3.1.el6           @base
> ipa-python.x86_64              3.0.0-47.el6.centos.2    @updates
> ipa-server.x86_64              3.0.0-47.el6.centos.2    @updates
> ipa-server-selinux.x86_64      3.0.0-47.el6.centos.2    @updates
>
> Part of the error logs from /var/log/pki-ca/debug after I reset the clock; I
> see these errors which I think are relevant?:
> [27/Dec/2015:14:12:01][main]: SigningUnit init: debug
> org.mozilla.jss.crypto.ObjectNotFoundException
> Certificate object not found
> [27/Dec/2015:14:12:01][main]: CMS:Caught EBaseException
> Certificate object not found
> [27/Dec/2015:14:12:01][main]: CMSEngine.shutdown()
>
> Result seems to show the key file password is correct:
> certutil -K -d /etc/dirsrv/slapd-REALM-NET/ -f /etc/dirsrv/slapd-REALM-NET/pwdfile.txt
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and
> Certificate Services"
> < 0> rsa ############################ NSS Certificate DB:Server-Cert
>
>
> certutil -L -d /var/lib/pki-ca/alias
>
> Certificate Nickname                          Trust Attributes
>                                               SSL,S/MIME,JAR/XPI
>
> ocspSigningCert cert-pki-ca                   u,u,u
> subsystemCert cert-pki-ca                     u,u,u
> Server-Cert cert-pki-ca                       u,u,u
> auditSigningCert cert-pki-ca                  u,u,Pu
> caSigningCert cert-pki-ca                     CTu,Cu,Cu
>
>
> certutil -L -d /etc/httpd/alias
>
> Certificate Nickname                          Trust Attributes
>                                               SSL,S/MIME,JAR/XPI
>
> Server-Cert                                   u,u,u
> ipaCert                                       u,u,u
> REALM.COM IPA CA                              CT,C,
>
>
> certutil -L -d /etc/dirsrv/slapd-REALM-COM
>
> Certificate Nickname                          Trust Attributes
>                                               SSL,S/MIME,JAR/XPI
>
> Server-Cert                                   u,u,u
> REALM.COM IPA CA                              CT,C,C
>
>
> Output of getcert list:
>
> Number of certificates and requests being tracked: 7.
> Request ID '21135214223243':
>     status: CA_UNREACHABLE
>     ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-example-NET//pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=example.NET
>     subject: CN=host.example.net,O=example.NET
>     expires: 2016-03-29 14:09:46 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth
>     pre-save command:
>     post-save command:
>     track: yes
>     auto-renew: yes
> Request ID '21135214223300':
>     status: CA_UNREACHABLE
>     ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=example.NET
>     subject: CN=host.example.net,O=example.NET
>     expires: 2016-03-29 14:09:45 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth
>     pre-save command:
>     post-save command:
>     track: yes
>     auto-renew: yes
> Request ID '20130519130741':
>     status: NEED_CSR_GEN_PIN
>     ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=auditSigningCert+cert-pki-ca&serial_num=61&renewal=true&xml=true".
>     stuck: yes
>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent
>     issuer: CN=Certificate Authority,O=example.NET
>     subject: CN=CA Audit,O=example.NET
>     expires: 2017-10-13 14:10:49 UTC
>     key usage: digitalSignature,nonRepudiation
>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20130519130742':
>     status: NEED_CSR_GEN_PIN
>     ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>     stuck: yes
>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent
>     issuer: CN=Certificate Authority,O=example.NET
>     subject: CN=OCSP Subsystem,O=example.NET
>     expires: 2017-10-13 14:09:49 UTC
>     eku: id-kp-OCSPSigning
>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20130519130743':
>     status: NEED_CSR_GEN_PIN
>     ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>     stuck: yes
>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent
>     issuer: CN=Certificate Authority,O=example.NET
>     subject: CN=CA Subsystem,O=example.NET
>     expires: 2017-10-13 14:09:49 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20130519130744':
>     status: MONITORING
>     ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent
>     issuer: CN=Certificate Authority,O=example.NET
>     subject: CN=RA Subsystem,O=example.NET
>     expires: 2017-10-13 14:09:49 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>     track: yes
>     auto-renew: yes
> Request ID '20130519130745':
>     status: NEED_CSR_GEN_PIN
>     ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>     stuck: yes
>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent
>     issuer: CN=Certificate Authority,O=example.NET
>     subject: CN=host.example.net,O=example.NET
>     expires: 2017-10-13 14:09:49 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command:
>     track: yes
>     auto-renew: yes
>
>
> Regards, Adam
>
>

-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
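The triage Petr's steps imply (compare each tracked certificate's expiry with the clock you intend to set, then resubmit only the expired ones) can be rehearsed offline before touching the server. The script below is an added example, not code from the thread, certmonger or FreeIPA: it parses the text layout `getcert list` prints, as shown in Adam's output, using a constructed and abridged sample (three of the seven requests, long lines shortened), and it assumes a date-only comparison is enough, i.e. the clock is being moved by days rather than hours.

```shell
#!/bin/sh
# Added example, not from the thread or from certmonger/FreeIPA.
# Offline triage of `getcert list` output: classify each tracked request
# against a reference date (the clock you intend to set) and list the
# expired ones that need `getcert resubmit`.

# Constructed, abridged sample in the layout `getcert list` prints
# (three of the seven requests from the thread, long lines shortened).
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '21135214223243':
        status: CA_UNREACHABLE
        ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert'
        CA: IPA
        subject: CN=host.example.net,O=example.NET
        expires: 2016-03-29 14:09:46 UTC
        track: yes
        auto-renew: yes
Request ID '20130519130741':
        status: NEED_CSR_GEN_PIN
        ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=auditSigningCert+cert-pki-ca&serial_num=61&renewal=true&xml=true".
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',pin set
        CA: dogtag-ipa-renew-agent
        subject: CN=CA Audit,O=example.NET
        expires: 2017-10-13 14:10:49 UTC
        track: yes
        auto-renew: yes
Request ID '20130519130744':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert'
        CA: dogtag-ipa-renew-agent
        subject: CN=RA Subsystem,O=example.NET
        expires: 2017-10-13 14:09:49 UTC
        track: yes
        auto-renew: yes
EOF
}

# triage_getcert REF_DATE   (reads `getcert list` output on stdin)
# Prints one line per request:
#   <request-id> <status> <stuck> <expiry-date> <EXPIRED|VALID|UNKNOWN>
# Dates are ISO (YYYY-MM-DD), so a plain string comparison orders them
# correctly without depending on the platform's `date` implementation.
triage_getcert() {
    awk -v ref="$1" '
        function emit() {
            if (id == "") return
            if (expires == "?")      verdict = "UNKNOWN"
            else if (expires < ref)  verdict = "EXPIRED"
            else                     verdict = "VALID"
            print id, status, stuck, expires, verdict
        }
        /^Request ID/ {
            emit()
            id = $3; gsub(/[^0-9A-Za-z_-]/, "", id)   # strip quotes and colon
            status = "?"; stuck = "?"; expires = "?"
        }
        $1 == "status:"  { status = $2 }
        $1 == "stuck:"   { stuck = $2 }
        $1 == "expires:" { expires = $2 }            # date part only
        END { emit() }
    '
}

# Requests whose certificate is already expired relative to REF_DATE,
# printed as the certmonger command step 4 of the reply calls for.
expired_resubmit_commands() {
    triage_getcert "$1" | awk '$5 == "EXPIRED" { print "getcert resubmit -i " $1 }'
}

# Requests certmonger has given up on (stuck: yes). With NEED_CSR_GEN_PIN
# this points at the NSS DB pin, which the thread verifies with
# `certutil -K -d <dir> -f <pwdfile>`; this script only reports, it changes nothing.
stuck_requests() {
    triage_getcert "$1" | awk '$3 == "yes" { print $1, $2 }'
}

# Demo on the constructed sample; on a real server feed live output instead:
#   getcert list | triage_getcert 2016-03-27
sample_getcert_list | triage_getcert 2016-05-14
```

Run with the date you plan to set the clock to: with the real date of the thread (2016-05-14) the two directory-server certificates come out EXPIRED and get a resubmit command, while with 2016-03-27 (the date Petr suggests) nothing is expired, which is exactly why the clock is moved back before resubmitting. The NEED_CSR_GEN_PIN requests are reported as stuck regardless of the date, since that state is about the key-database pin, not expiry.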
