Kay Zhou Y wrote:
Hi,

This is Kay.

I am not sure if the email address is correct, and I would really
appreciate any help with my issue. It has been baffling me for a few
days, and the expiry date is coming soon.

There is an IPA 2.2 environment, and three “Server-Cert” certificates (two 389-ds and
the Apache certs) will expire at 2016-06-05 22:03:17 UTC.

Two years ago, these certs were renewed by other guys according to this
document: http://www.freeipa.org/page/IPA_2x_Certificate_Renewal

It was successful, and the certificates were renewed until 20160605.

But recently I wanted to renew them again since the expiry date is coming.
I followed the above guide, however things did not go well.

The problem looks to be because the IPA RA cert (ipaCert) isn't matching what dogtag expects. See the wiki page starting at

"For ipaCert, stored in /etc/httpd/alias you have another job to do..."

You'll want to be sure that description correctly matches the certificate in the Apache database and confirm that the usercertificate value in LDAP matches the cert being presented.

rob


Below are the 8 certs which certmonger is tracking:

root@ecnshlx3039-test2(SH):~ #getcert list

Number of certificates and requests being tracked: 8.

Request ID '20120704140859':

         status: CA_UNREACHABLE

         ca-error: Server failed request, will retry: 4301 (RPC failed
at server.  Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).

         stuck: yes

         key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-DRUTT-COM/pwdfile.txt'

         certificate:
type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS
Certificate DB'

         CA: IPA

         issuer: CN=Certificate Authority,O=DRUTT.COM

         subject: CN=ipa1.drutt.com,O=DRUTT.COM

         expires: 2016-06-05 22:03:17 UTC

         eku: id-kp-serverAuth,id-kp-clientAuth

         pre-save command:

         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
DRUTT-COM

         track: yes

         auto-renew: yes

Request ID '20120704140922':

         status: CA_UNREACHABLE

         ca-error: Server failed request, will retry: 4301 (RPC failed
at server.  Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).

         stuck: yes

         key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'

         certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'

         CA: IPA

         issuer: CN=Certificate Authority,O=DRUTT.COM

         subject: CN=ipa1.drutt.com,O=DRUTT.COM

         expires: 2016-06-05 22:03:17 UTC

         eku: id-kp-serverAuth,id-kp-clientAuth

         pre-save command:

         post-save command:

         track: yes

         auto-renew: yes

Request ID '20120704141150':

         status: CA_UNREACHABLE

         ca-error: Server failed request, will retry: 4301 (RPC failed
at server.  Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).

         stuck: yes

         key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'

         certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'

         CA: IPA

         issuer: CN=Certificate Authority,O=DRUTT.COM

         subject: CN=ipa1.drutt.com,O=DRUTT.COM

         expires: 2016-06-05 22:03:17 UTC

         eku: id-kp-serverAuth,id-kp-clientAuth

         pre-save command:

         post-save command: /usr/lib64/ipa/certmonger/restart_httpd

         track: yes

         auto-renew: yes

Request ID '20140605220249':

         status: MONITORING

         stuck: no

         key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'

         certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'

         CA: dogtag-ipa-renew-agent

         issuer: CN=Certificate Authority,O=DRUTT.COM

         subject: CN=IPA RA,O=DRUTT.COM

         expires: 2014-06-24 14:08:50 UTC

         eku: id-kp-serverAuth,id-kp-clientAuth

         pre-save command:

         post-save command:

         track: yes

         auto-renew: yes

Request ID '20160527075219':

         status: MONITORING

         stuck: no

         key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='565569846212'

         certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'

         CA: dogtag-ipa-renew-agent

         issuer: CN=Certificate Authority,O=DRUTT.COM

         subject: CN=CA Audit,O=DRUTT.COM

         expires: 2014-06-24 14:08:42 UTC

         pre-save command:

         post-save command:

         track: yes

         auto-renew: yes

Request ID '20160527075220':

         status: MONITORING

         stuck: no

         key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='565569846212'

         certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'

         CA: dogtag-ipa-renew-agent

         issuer: CN=Certificate Authority,O=DRUTT.COM

         subject: CN=OCSP Subsystem,O=DRUTT.COM

         expires: 2014-06-24 14:08:41 UTC

         eku: id-kp-OCSPSigning

         pre-save command:

         post-save command:

         track: yes

         auto-renew: yes

Request ID '20160527075221':

         status: MONITORING

         stuck: no

         key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='565569846212'

         certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'

         CA: dogtag-ipa-renew-agent

         issuer: CN=Certificate Authority,O=DRUTT.COM

         subject: CN=CA Subsystem,O=DRUTT.COM

         expires: 2014-06-24 14:08:41 UTC

         eku: id-kp-serverAuth,id-kp-clientAuth

         pre-save command:

         post-save command:

         track: yes

         auto-renew: yes

Request ID '20160527075222':

         status: MONITORING

         stuck: no

         key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='565569846212'

         certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'

         CA: dogtag-ipa-renew-agent

         issuer: CN=Certificate Authority,O=DRUTT.COM

         subject: CN=ipa1.drutt.com,O=DRUTT.COM

         expires: 2014-06-24 14:08:41 UTC

         eku: id-kp-serverAuth

         pre-save command:

         post-save command:

         track: yes

         auto-renew: yes

Following all the steps in the guide, the result is that just the first three
certificates are renewed to 20160622 if I set the system time to
20140623 (when the four CA subsystem certs and the CA cert are valid).

But the other five are not renewed at all (the four CA subsystem certs and
the CA cert). There is no error information during these steps.

I googled a lot but still found nothing that could resolve it, and then I
found there was a similar thread:
https://www.redhat.com/archives/freeipa-users/2015-October/msg00174.html

But unfortunately that solution is not applicable to my issue either.

Since I am not familiar with FreeIPA, it bothers me so much.

Any help will be really appreciated. Thanks in advance!

Thanks,

BR//Kay
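The consistency check Rob describes (the uid=ipara description must name the serial of the ipaCert in /etc/httpd/alias, and usercertificate must be that same certificate) can be scripted. The following is an added example, not code from the thread or from FreeIPA; it assumes the description format "2;<serial>;<issuer>;<subject>" used by the IPA_2x_Certificate_Renewal wiki page, takes the raw DER of ipaCert (as certutil -r would output it) and the two LDAP attribute values as inputs, and uses a constructed DER skeleton as sample data since a real certificate is not embedded here.

```python
import hashlib

ISSUER = "CN=Certificate Authority,O=DRUTT.COM"   # from the getcert output above
SUBJECT = "CN=IPA RA,O=DRUTT.COM"

def _tlv(tag, body):
    """Encode one short-form DER TLV (bodies under 128 bytes suffice for the stub)."""
    return bytes([tag, len(body)]) + body

def make_stub_der(serial, with_version=True):
    """Constructed sample: a DER skeleton with only the fields the check reads
    (Certificate -> tbsCertificate -> [0] version, serialNumber). Not a real cert."""
    tbs = _tlv(0xA0, _tlv(0x02, b"\x02")) if with_version else b""
    tbs += _tlv(0x02, serial.to_bytes((serial.bit_length() // 8) + 1, "big"))
    tbs += _tlv(0x04, b"remaining tbsCertificate fields omitted")
    return _tlv(0x30, _tlv(0x30, tbs))

def _read_tlv(buf, pos):
    """Return (tag, value, position after the TLV) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length, as real certs use
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def cert_serial(der):
    """serialNumber of a DER certificate; skips the optional [0] version of v3 certs."""
    _, cert_body, _ = _read_tlv(der, 0)    # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert_body, 0)    # tbsCertificate SEQUENCE
    tag, value, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                        # EXPLICIT [0] version present
        tag, value, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(value, "big", signed=True)

def expected_description(cert_der, issuer=ISSUER, subject=SUBJECT):
    """description dogtag expects on uid=ipara (assumed format): '2;<serial>;<issuer>;<subject>'."""
    return "2;%d;%s;%s" % (cert_serial(cert_der), issuer, subject)

def check_ra_agent_entry(nss_cert_der, ldap_description, ldap_usercertificate):
    """Compare ipaCert from the Apache NSS database with the uid=ipara LDAP entry.
    Returns a list of mismatches; an empty list means the entry is consistent."""
    problems = []
    want = expected_description(nss_cert_der)
    if ldap_description != want:
        problems.append("description is %r, expected %r" % (ldap_description, want))
    if ldap_usercertificate != nss_cert_der:
        problems.append("usercertificate sha256 %s != ipaCert sha256 %s" % (
            hashlib.sha256(ldap_usercertificate).hexdigest()[:16],
            hashlib.sha256(nss_cert_der).hexdigest()[:16]))
    return problems
```

On a real server the inputs would be the DER from `certutil -L -d /etc/httpd/alias -n ipaCert -r` and the description and usercertificate attributes of uid=ipara,ou=People,o=ipaca from ldapsearch; a non-empty result points at the mismatch the wiki page's ipaCert section fixes.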



