On 05/14/2016 12:01 AM, Adam Kaczka wrote:
> Hi all,
> 
> I have inherited a IPA system that has an expired cert and the old admins 
> have 
> left; I followed (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but 
> running into errors when I try to renew the CA certs even after time is 
> reset.  
> Also tried the troubleshooting under 
> (http://www.freeipa.org/page/Troubleshooting#Authentication_Errors); 
> specifically using "certutil -L -d /etc/httpd/alias -n ipaCert -a > 
> /tmp/ra.crt" 
> to add the cert in the database.
> 
>  From the output of getcert list, I see both CA_UNREACHABLE and 
> NEED_CSR_GEN_PIN.  I followed redhat article here 
> (https://access.redhat.com/solutions/1142913) which verified key file 
> password 
> is correct and I have reset time.  However the NEED_CSR_GEN_PIN status 
> remains.  
> My company actually has redhat support but when they built this IPA whoever 
> built it was using Centos 6 so I am out of luck here.
> 
> Would really appreciate any help since I am stuck at this point?  What else I 
> can do at this point?  e.g. Is generate a new CA cert necessary, etc.?

Hi,

you don't need to renew CA cert, it seems to be valid. But your server
cert is expired. It expired on 2016-03-29.

1. Move date back before this date, e.g., 2016-03-27.
2. Verify that IPA is running `ipactl status`. Maybe restart will be needed.
3. run `getcert list` to see if certmonger can communicate with CA
4. if certmonger doesn't renew the certs automatically, run `getcert
resubmit -i $certid` for the expired cert.

> 
> Version:
> ipa-pki-ca-theme.noarch                    9.0.3-7.el6                        
> @base
> ipa-pki-common-theme.noarch          9.0.3-7.el6                        @base
> ipa-pmincho-fonts.noarch             003.02-3.1.el6                     @base
> ipa-python.x86_64                    3.0.0-47.el6.centos.2              
> @updates
> ipa-server.x86_64                    3.0.0-47.el6.centos.2              
> @updates
> ipa-server-selinux.x86_64            3.0.0-47.el6.centos.2              
> @updates
> 
> Part of error logs from /var/log/pki-ca/debug after I reset clock; I see 
> these 
> errors which I think is relevlant?:
> [27/Dec/2015:14:12:01][main]: SigningUnit init: debug 
> org.mozilla.jss.crypto.ObjectNotFoundException
> Certificate object not found
> [27/Dec/2015:14:12:01][main]: CMS:Caught EBaseException
> Certificate object not found
> [27/Dec/2015:14:12:01][main]: CMSEngine.shutdown()
> 
> Result seems to show key file password is correct:
> certutil -K -d /etc/dirsrv/slapd-REALM-NET/ -f 
> /etc/dirsrv/slapd-REALM-NET/pwdfile.txt
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key 
> and 
> Certificate Services"
> < 0> rsa      ############################   NSS Certificate DB:Server-Cert
> 
> 
> certutil -L -d /var/lib/pki-ca/alias
> 
> Certificate Nickname                                         Trust Attributes
>                                                               
> SSL,S/MIME,JAR/XPI
> 
> ocspSigningCert cert-pki-ca                                  u,u,u
> subsystemCert cert-pki-ca                                    u,u,u
> Server-Cert cert-pki-ca                                         u,u,u
> auditSigningCert cert-pki-ca                                 u,u,Pu
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> 
> 
> certutil -L -d /etc/httpd/alias
> 
> Certificate Nickname                                         Trust Attributes
>                                                               
> SSL,S/MIME,JAR/XPI
> 
> Server-Cert                                                      u,u,u
> ipaCert                                                             u,u,u
> REALM.COM <http://REALM.COM> IPA CA                                      CT,C,
> 
> 
> certutil -L -d /etc/dirsrv/slapd-REALM-COM
> 
> Certificate Nickname                                         Trust Attributes
>                                                               
> SSL,S/MIME,JAR/XPI
> 
> Server-Cert                                                          u,u,u
> REALM.COM <http://REALM.COM> IPA CA                                          
> CT,C,C
> 
> 
> Output of getcert list:
> 
> Number of certificates and requests being tracked: 7.
> Request ID '21135214223243':
>          status: CA_UNREACHABLE
>          ca-error: Server at https://host.example.net/ipa/xml failed request, 
> will retry: 4301 (RPC failed at server.  Certificate oper
> ation cannot be completed: Unable to communicate with CMS (Not Found)).
>          stuck: no
>          key pair storage: 
> type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS
>  
> Certificate DB',pinfil
> e='/etc/dirsrv/slapd-example-NET//pwdfile.txt'
>          certificate: 
> type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS
>  
> Certificate DB'
>          CA: IPA
>          issuer: CN=Certificate Authority,O=example.NET
>          subject: CN=host.example.net <http://host.example.net>,O=example.NET
>          expires: 2016-03-29 14:09:46 UTC
>          key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>          eku: id-kp-serverAuth
>          pre-save command:
>          post-save command:
>          track: yes
>          auto-renew: yes
> Request ID '21135214223300':
>          status: CA_UNREACHABLE
>          ca-error: Server at https://host.example.net/ipa/xml failed request, 
> will retry: 4301 (RPC failed at server.  Certificate oper
> ation cannot be completed: Unable to communicate with CMS (Not Found)).
>          stuck: no
>          key pair storage: 
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>  Certificate 
> DB',pinfile='
> /etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>          certificate: 
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>  Certificate 
> DB'
>          CA: IPA
>          issuer: CN=Certificate Authority,O=example.NET
>          subject: CN=host.example.net <http://host.example.net>,O=example.NET
>          expires: 2016-03-29 14:09:45 UTC
>          key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>          eku: id-kp-serverAuth
>          pre-save command:
>          post-save command:
>          track: yes
>          auto-renew: yes
> Request ID '20130519130741':
>          status: NEED_CSR_GEN_PIN
>          ca-error: Internal error: no response to 
> "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=auditSigningCert+cert-
> pki-ca&serial_num=61&renewal=true&xml=true".
>          stuck: yes
>          key pair storage: 
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert 
> cert-pki-ca',token='NSS Certificate
> DB',pin set
>          certificate: 
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
>          CA: dogtag-ipa-renew-agent
>          issuer: CN=Certificate Authority,O=example.NET
>          subject: CN=CA Audit,O=example.NET
>          expires: 2017-10-13 14:10:49 UTC
>          key usage: digitalSignature,nonRepudiation
>          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert 
> "auditSigningCert cert-pki-ca"
>          track: yes
>          auto-renew: yes
> Request ID '20130519130742':
>          status: NEED_CSR_GEN_PIN
>          ca-error: Internal error: no response to 
> "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu
> m=60&renewal=true&xml=true".
>          stuck: yes
>          key pair storage: 
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert 
> cert-pki-ca',token='NSS Certificate D
> B',pin set
>          certificate: 
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
>          CA: dogtag-ipa-renew-agent
>          issuer: CN=Certificate Authority,O=example.NET
>          subject: CN=OCSP Subsystem,O=example.NET
>          expires: 2017-10-13 14:09:49 UTC
>          eku: id-kp-OCSPSigning
>          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert 
> "ocspSigningCert cert-pki-ca"
>          track: yes
>          auto-renew: yes
> Request ID '20130519130743':
>          status: NEED_CSR_GEN_PIN
>          ca-error: Internal error: no response to 
> "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu
> m=62&renewal=true&xml=true".
>          stuck: yes
>          key pair storage: 
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert 
> cert-pki-ca',token='NSS Certificate DB'
> ,pin set
>          certificate: 
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert 
> cert-pki-ca',token='NSS Certificate DB'
>          CA: dogtag-ipa-renew-agent
>          issuer: CN=Certificate Authority,O=example.NET
>          subject: CN=CA Subsystem,O=example.NET
>          expires: 2017-10-13 14:09:49 UTC
>          key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert 
> "subsystemCert cert-pki-ca"
>          track: yes
>          auto-renew: yes
> Request ID '20130519130744':
>          status: MONITORING
>          ca-error: Internal error: no response to 
> "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu
> m=64&renewal=true&xml=true".
>          stuck: no
>          key pair storage: 
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
> Certificate 
> DB',pinfile='/etc/httpd/al
> ias/pwdfile.txt'
>          certificate: 
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
> Certificate DB'
>          CA: dogtag-ipa-renew-agent
>          issuer: CN=Certificate Authority,O=example.NET
>          subject: CN=RA Subsystem,O=example.NET
>          expires: 2017-10-13 14:09:49 UTC
>          key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          pre-save command:
>          post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>          track: yes
>          auto-renew: yes
> Request ID '20130519130745':
>          status: NEED_CSR_GEN_PIN
>          ca-error: Internal error: no response to 
> "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu
> m=63&renewal=true&xml=true".
>          stuck: yes
>          key pair storage: 
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert 
> cert-pki-ca',token='NSS Certificate DB',p
> in set
>          certificate: 
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert 
> cert-pki-ca',token='NSS Certificate DB'
>          CA: dogtag-ipa-renew-agent
>          issuer: CN=Certificate Authority,O=example.NET
>          subject: CN=host.example.net <http://host.example.net>,O=example.NET
>          expires: 2017-10-13 14:09:49 UTC
>          key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          pre-save command:
>          post-save command:
>          track: yes
>          auto-renew: yes
> 
> 
> Regards, Adam
> 
> 
> 


-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to