Hi Rob,
The status for ipaCert is MONITORING both before and after resubmitting this
request ID, as below:
Request ID '20140605220249':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=DRUTT.COM
subject: CN=IPA RA,O=DRUTT.COM
expires: 2014-06-24 14:08:50 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
I restarted the ipa service before renewal, since there is no pki-cad service
in our env.
I have tried this process so many times, and I even wanted to recreate the
ipaCert, but that failed.
The references I used are below, but neither of them helped with my issue :(
http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
http://www.freeipa.org/page/PKI
And is it feasible for us to modify the expiration date for these certs manually,
or to recreate them directly?
Thanks,
BR//Kay
-----Original Message-----
From: Rob Crittenden [mailto:[email protected]]
Sent: Tuesday, May 31, 2016 11:10 PM
To: Kay Zhou Y; [email protected]
Cc: Doris Hongmei; Xionglin Gu
Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue
Kay Zhou Y wrote:
> Hi Rob,
>
> Thanks for your reply.
>
> And about your suggestion, actually I have done it, but it just renewed the two
> 389-ds certs and the Apache cert.
> Since the ipaCert and subsystem certs expired on 20140624, I must roll
> back time to before then and only then begin to renew, but after I did this:
>
> "Let's force renewal on all of the certificates:
> # for line in `getcert list | grep Request | cut -d "'" -f2`; do
> getcert resubmit -i $line; done ..."
>
> According to the wiki
> (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal), the CA subsystem
> certificates will be renewed. But they were not.
Ok, what state are the certificates in? When you go back in time are you
restarting the pki-cad service before attempting to do the renewal?
> Finally, after I finished all the actions mentioned in the wiki page, I still
> can't renew ipaCert and the other four CA subsystem certificates.
> And the two 389-ds and Apache certs will still expire after the date
> 20160623 (expiry date of ipaCert 20140624 + two years).
>
> Is there any other guide or doc about the ipaCert and CA subsystem
> certificates?
Not really for IPA 2.x
rob
> Thanks a lot for your support!
>
> Thanks,
> BR//Kay
>
> -----Original Message-----
> From: Rob Crittenden [mailto:[email protected]]
> Sent: Friday, May 27, 2016 11:41 PM
> To: Kay Zhou Y; [email protected]
> Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue
>
> Kay Zhou Y wrote:
>> Hi,
>>
>> This is Kay.
>>
>> I am not sure if the email address is correct, and I would really
>> appreciate any help with my issue. It has been baffling me for a few
>> days, and the expiry date is coming soon.
>>
>> There is an IPA 2.2 environment, and three "Server-Cert" certificates (two
>> 389-ds and the Apache cert) will expire at 2016-06-05 22:03:17 UTC.
>>
>> Two years ago, these certs were renewed by other people according to
>> this document: http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>>
>> It was successful, and the certificates were renewed until 20160605.
>>
>> But recently I wanted to renew them again since the expiry date is coming.
>> I followed the above guide; however, things did not go well.
>
> The problem looks to be because the IPA RA cert (ipaCert) isn't
> matching what dogtag expects. See the wiki page starting at
>
> "For ipaCert, stored in /etc/httpd/alias you have another job to do..."
>
> You'll want to be sure that description correctly matches the certificate in
> the Apache database and confirm that the usercertificate value in LDAP
> matches the cert being presented.
>
> rob
>
>>
>> Below are the 8 certs which certmonger is tracking:
>>
>> root@ecnshlx3039-test2(SH):~ #getcert list
>>
>> Number of certificates and requests being tracked: 8.
>>
>> Request ID '20120704140859':
>> status: CA_UNREACHABLE
>> ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
>> stuck: yes
>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DRUTT-COM/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=DRUTT.COM
>> subject: CN=ipa1.drutt.com,O=DRUTT.COM
>> expires: 2016-06-05 22:03:17 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
>> track: yes
>> auto-renew: yes
>>
>> Request ID '20120704140922':
>> status: CA_UNREACHABLE
>> ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
>> stuck: yes
>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=DRUTT.COM
>> subject: CN=ipa1.drutt.com,O=DRUTT.COM
>> expires: 2016-06-05 22:03:17 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>>
>> Request ID '20120704141150':
>> status: CA_UNREACHABLE
>> ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
>> stuck: yes
>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=DRUTT.COM
>> subject: CN=ipa1.drutt.com,O=DRUTT.COM
>> expires: 2016-06-05 22:03:17 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>> track: yes
>> auto-renew: yes
>>
>> Request ID '20140605220249':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=DRUTT.COM
>> subject: CN=IPA RA,O=DRUTT.COM
>> expires: 2014-06-24 14:08:50 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>>
>> Request ID '20160527075219':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=DRUTT.COM
>> subject: CN=CA Audit,O=DRUTT.COM
>> expires: 2014-06-24 14:08:42 UTC
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>>
>> Request ID '20160527075220':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=DRUTT.COM
>> subject: CN=OCSP Subsystem,O=DRUTT.COM
>> expires: 2014-06-24 14:08:41 UTC
>> eku: id-kp-OCSPSigning
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>>
>> Request ID '20160527075221':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=DRUTT.COM
>> subject: CN=CA Subsystem,O=DRUTT.COM
>> expires: 2014-06-24 14:08:41 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>>
>> Request ID '20160527075222':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=DRUTT.COM
>> subject: CN=ipa1.drutt.com,O=DRUTT.COM
>> expires: 2014-06-24 14:08:41 UTC
>> eku: id-kp-serverAuth
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>>
>> Following all the steps in the guide, the result is that just the first three
>> certificates are renewed to 20160622 if I set the system time to
>> 20140623 (when the four CA subsystem certs and the CA cert are valid).
>>
>> But the other five are not renewed at all (the four CA subsystem certs
>> and the CA cert). There is no error information during these steps.
>>
>> I googled a lot but still found nothing that could resolve it, and then I
>> found a similar thread:
>> https://www.redhat.com/archives/freeipa-users/2015-October/msg00174.html
>>
>> But unfortunately that solution does not apply to my issue either.
>>
>> Since I am not familiar with FreeIPA, this bothers me a lot.
>>
>> Any help will be really appreciated. Thanks in advance!
>>
>> Thanks,
>>
>> BR//Kay
>>
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
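Rob's check in the quoted reply (confirm the ipaCert in the Apache NSS database is the same certificate the RA agent's LDAP entry carries in usercertificate) can be done by comparing the two DER blobs. The script below is an added example, not from the thread or the FreeIPA project; the `certutil`/`ldapsearch` commands in the comments are not run, the RA agent entry DN and CA directory port are assumptions, and the sample inputs are constructed bytes, not a real certificate.

```python
import base64
import hashlib
import re

# On an IPA 2.x server the two inputs come from (not run here; the RA agent
# entry DN and CA directory port are assumptions, adjust for your deployment):
#   certutil -L -d /etc/httpd/alias -n ipaCert -a                 > ipacert.pem
#   ldapsearch -x -LLL -h localhost -p 7389 \
#       -b 'uid=ipara,ou=People,o=ipaca' usercertificate        > ipara.ldif

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour that certutil -a prints and decode the body to DER."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))

def ldif_usercertificate_to_der(ldif: str) -> bytes:
    """Extract the base64 usercertificate value from ldapsearch LDIF output.
    LDIF folds long values at 76 columns; continuation lines start with one space."""
    unfolded = re.sub(r"\n ", "", ldif)
    m = re.search(r"^usercertificate(?:;binary)?::\s*(\S+)", unfolded, re.I | re.M)
    if not m:
        raise ValueError("no base64 usercertificate attribute found in LDIF")
    return base64.b64decode(m.group(1))

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def ra_cert_matches(pem: str, ldif: str) -> dict:
    """Report whether the NSS DB copy and the LDAP copy are the same DER blob."""
    nss_der, ldap_der = pem_to_der(pem), ldif_usercertificate_to_der(ldif)
    return {"match": nss_der == ldap_der,
            "nssdb_sha256": fingerprint(nss_der),
            "ldap_sha256": fingerprint(ldap_der)}

def make_sample_inputs(der: bytes) -> tuple:
    """Constructed PEM and folded-LDIF renderings of DER bytes (test data only)."""
    b64 = base64.b64encode(der).decode()
    pem = ("-----BEGIN CERTIFICATE-----\n"
           + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
           + "\n-----END CERTIFICATE-----\n")
    line = "usercertificate;binary:: " + b64
    ldif = ("dn: uid=ipara,ou=People,o=ipaca\n"
            + "\n ".join(line[i:i + 76] for i in range(0, len(line), 76)) + "\n")
    return pem, ldif

if __name__ == "__main__":
    # Constructed bytes, not a real certificate; swap in the two files above.
    pem, ldif = make_sample_inputs(b"constructed sample, not a real certificate " * 4)
    print(ra_cert_matches(pem, ldif))
```

If the two fingerprints differ, the RA cert certmonger presents to Dogtag is not the one the CA's agent entry trusts, which is the mismatch Rob describes.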