Hi,

This is Kay.
I am not sure if the email address is correct, and I would really appreciate
any help with my issue. It has been baffling me for a few days, and the expiry
date is coming soon.. :(

There is an IPA 2.2 environment, and three "Server-Cert" (two 389-ds and the
Apache certs) will expire at 2016-06-05 22:03:17 UTC.
Two years ago, these certs were renewed by other guys according to this
document: http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
and it was successful, so the certificates have been renewed until 20160605.

But recently I wanted to renew them again since the expiry date is coming. I
followed the above guide, however things did not go well.
Below are the 8 certs which certmonger is tracking:
root@ecnshlx3039-test2(SH):~ #getcert list
Number of certificates and requests being tracked: 8.
Request ID '20120704140859':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DRUTT-COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=ipa1.drutt.com,O=DRUTT.COM
        expires: 2016-06-05 22:03:17 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
        track: yes
        auto-renew: yes
Request ID '20120704140922':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=ipa1.drutt.com,O=DRUTT.COM
        expires: 2016-06-05 22:03:17 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20120704141150':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=ipa1.drutt.com,O=DRUTT.COM
        expires: 2016-06-05 22:03:17 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20140605220249':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=IPA RA,O=DRUTT.COM
        expires: 2014-06-24 14:08:50 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160527075219':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=CA Audit,O=DRUTT.COM
        expires: 2014-06-24 14:08:42 UTC
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160527075220':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=OCSP Subsystem,O=DRUTT.COM
        expires: 2014-06-24 14:08:41 UTC
        eku: id-kp-OCSPSigning
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160527075221':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=CA Subsystem,O=DRUTT.COM
        expires: 2014-06-24 14:08:41 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160527075222':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=ipa1.drutt.com,O=DRUTT.COM
        expires: 2014-06-24 14:08:41 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes


Following all the steps in the guide, the result is that just the first three
certificates are renewed to 20160622 if I set the system time to 20140623 (at
which the four CA subsystem certs and CA cert are valid).
But the other five are not renewed at all (the four CA subsystem certs and CA
cert). There is no error information during these steps.


I googled a lot but still found nothing that could resolve it. Then I found
there was a similar thread:
https://www.redhat.com/archives/freeipa-users/2015-October/msg00174.html
But unfortunately the solution is not applicable to my issue either.

Since I am not familiar with FreeIPA, it bothers me so much.
Any help will be really appreciated. Thanks in advance!

Thanks,
BR//Kay
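
Added example, not part of the original message: a small triage of `getcert list` output like the listing above, reporting requests that are stuck or whose certificate has already expired at a chosen reference time. The function names, the abridged sample and the reference date of 2016-05-27 are assumptions made for this illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: two requests abridged from the `getcert list` output above.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20120704140859':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
        stuck: yes
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        expires: 2016-06-05 22:03:17 UTC
Request ID '20160527075221':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        expires: 2014-06-24 14:08:41 UTC
"""

def parse_getcert(text):
    """Split `getcert list` text into one dict of fields per tracked request."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ":" in line:
            key, _, value = line.strip().partition(":")
            requests[-1][key.strip()] = value.strip()
    return requests

def triage(text, now):
    """Return (id, nickname, CA, problems) for each request needing attention at `now`."""
    findings = []
    for req in parse_getcert(text):
        problems = []
        if req.get("stuck") == "yes" or req.get("status") != "MONITORING":
            problems.append(req.get("status", "UNKNOWN"))
        exp = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC")
        if exp.replace(tzinfo=timezone.utc) <= now:
            problems.append("EXPIRED")
        nick = re.search(r"nickname='([^']+)'", req.get("certificate", ""))
        if problems:
            findings.append((req["id"], nick.group(1) if nick else "?", req["CA"], problems))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE, datetime(2016, 5, 27, tzinfo=timezone.utc)):
        print(finding)
```

Passing a reference time of 2014-06-23 instead reports only the stuck Server-Cert request, since the subsystem certificate is still inside its validity period on that date.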