Hi Rob,

The status for ipaCert is MONITORING no matter whether before or after I resubmit this request ID, as below:

Request ID '20140605220249':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=IPA RA,O=DRUTT.COM
        expires: 2014-06-24 14:08:50 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

I have restarted the ipa service before renewal since there is no pki-cad service in our env. I have tried this process so many times, and I even wanted to recreate the ipaCert, but it failed. The references I used are below, but neither of them is applicable to my issue :(

http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
http://www.freeipa.org/page/PKI

And if it's feasible, could we modify the expiration date for these certs manually or recreate them directly?

Thanks,
BR//Kay

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, May 31, 2016 11:10 PM
To: Kay Zhou Y; freeipa-users@redhat.com
Cc: Doris Hongmei; Xionglin Gu
Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue

Kay Zhou Y wrote:
> Hi Rob,
>
> Thanks for your reply.
>
> And about your suggestion, actually I have done it, but it just renews the two
> 389-ds certs and the Apache cert.
> Since the ipaCert and subsystem certs expired at 20140624, I must roll
> back time to before it, then begin to renew, but after I did this:
>
> "Let's force renewal on all of the certificates:
> # for line in `getcert list | grep Request | cut -d "'" -f2`; do
> getcert resubmit -i $line; done ..."
>
> According to the wiki
> (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal), the CA subsystem
> certificates will be renewed. But they did not.

Ok, what state are the certificates in?

When you go back in time are you restarting the pki-cad service before attempting to do the renewal?

> Finally, after I finished all the actions mentioned in the wiki page, I still can't
> renew ipaCert and the other four CA subsystem certificates.
> And the two 389-ds and Apache certs will still expire after the date
> 20160623 (expiry date of ipaCert 20140624 + two years).
>
> Is there any other guide or doc about the ipaCert and CA subsystem
> certificates?

Not really for IPA 2.x

rob

> Thanks a lot for your support!
>
> Thanks,
> BR//Kay
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Friday, May 27, 2016 11:41 PM
> To: Kay Zhou Y; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue
>
> Kay Zhou Y wrote:
>> Hi,
>>
>> This is Kay.
>>
>> I am not sure if the email address is correct, and I would really
>> appreciate any help with my issue. It has been baffling me for a few
>> days, and the expiry date is coming soon..
>>
>> There is an IPA 2.2 environment, and three "Server-Cert"s (two 389-ds
>> and the Apache certs) will expire at 2016-06-05 22:03:17 UTC.
>>
>> Two years ago, these certs were renewed by other guys according to
>> this document: http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>>
>> and it was successful; the certificates were renewed until 20160605.
>>
>> But recently I want to renew them again since the expiry date is coming.
>> So I followed the above guide, however things did not go well.
>
> The problem looks to be because the IPA RA cert (ipaCert) isn't
> matching what dogtag expects. See the wiki page starting at
>
> "For ipaCert, stored in /etc/httpd/alias you have another job to do..."
>
> You'll want to be sure that description correctly matches the certificate in
> the Apache database and confirm that the usercertificate value in LDAP
> matches the cert being presented.
>
> rob
>
>> As below, these are the 8 certs which certmonger is tracking:
>>
>> root@ecnshlx3039-test2(SH):~ #getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20120704140859':
>>         status: CA_UNREACHABLE
>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
>>         stuck: yes
>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DRUTT-COM/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>         expires: 2016-06-05 22:03:17 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
>>         track: yes
>>         auto-renew: yes
>> Request ID '20120704140922':
>>         status: CA_UNREACHABLE
>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
>>         stuck: yes
>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>         expires: 2016-06-05 22:03:17 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20120704141150':
>>         status: CA_UNREACHABLE
>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
>>         stuck: yes
>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>         expires: 2016-06-05 22:03:17 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>         track: yes
>>         auto-renew: yes
>> Request ID '20140605220249':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>         subject: CN=IPA RA,O=DRUTT.COM
>>         expires: 2014-06-24 14:08:50 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20160527075219':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>         subject: CN=CA Audit,O=DRUTT.COM
>>         expires: 2014-06-24 14:08:42 UTC
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20160527075220':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>         subject: CN=OCSP Subsystem,O=DRUTT.COM
>>         expires: 2014-06-24 14:08:41 UTC
>>         eku: id-kp-OCSPSigning
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20160527075221':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>         subject: CN=CA Subsystem,O=DRUTT.COM
>>         expires: 2014-06-24 14:08:41 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20160527075222':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>         expires: 2014-06-24 14:08:41 UTC
>>         eku: id-kp-serverAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>>
>> Following all the steps in the guide, the result is that just the first three
>> certificates are renewed to 20160622 if I set the system time to
>> 20140623 (when the four CA subsystem certs and CA cert are valid).
>>
>> But the other five are not renewed at all (the four CA subsystem certs
>> and CA cert). There is no error information during these steps.
>>
>> I googled a lot but still found nothing that could resolve it, and then I
>> found there was a similar thread:
>> https://www.redhat.com/archives/freeipa-users/2015-October/msg00174.html
>>
>> But unfortunately the solution is not applicable to my issue either.
>>
>> Since I am not familiar with FreeIPA, it bothers me so much.
>>
>> Any help will be really appreciated. Thanks in advance!
>>
>> Thanks,
>>
>> BR//Kay
>>
>>
>>
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
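The getcert output quoted in this thread shows the failure mode being discussed: ipaCert and the CA subsystem certs are nearly two years past their expiry, yet certmonger still reports them as MONITORING with stuck: no, so nothing in the tracking state itself raises an alarm. As an added example, not code from the thread or from the FreeIPA project, the following Python script parses `getcert list` output and reports requests that are stuck, already expired, or close to expiry; the function names are mine, and the sample output is constructed from the request IDs, states and dates quoted above.

```python
import re
from datetime import datetime, timezone
# Constructed sample of `getcert list` output, cut down to the fields this check
# reads; the request IDs, states and dates mirror the ones quoted in the thread.
SAMPLE = """\
Request ID '20120704140859':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
        stuck: yes
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB'
        expires: 2016-06-05 22:03:17 UTC
Request ID '20140605220249':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        expires: 2014-06-24 14:08:50 UTC
"""

def parse_ts(s):
    # certmonger prints 'YYYY-MM-DD HH:MM:SS UTC'; return an aware datetime
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)

def parse_getcert_list(text):
    # One dict of "field: value" pairs per "Request ID '...'" block
    records, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            records.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return records

def audit(records, now, warn_days=28):
    # (request id, nickname, reason) for each request that needs attention. An expired
    # cert still in MONITORING is the silent case in the thread: certmonger flags nothing.
    findings = []
    for r in records:
        m = re.search(r"nickname='([^']*)'", r.get("certificate", ""))
        nick = m.group(1) if m else "?"
        exp = parse_ts(r["expires"])
        if r.get("stuck") == "yes":
            findings.append((r["id"], nick, "stuck: " + r.get("ca-error", r.get("status", ""))))
        elif exp <= now:
            findings.append((r["id"], nick, f"expired {exp:%Y-%m-%d} while {r.get('status')}"))
        elif (exp - now).days < warn_days:
            findings.append((r["id"], nick, f"expires in {(exp - now).days} days"))
    return findings
```

On a live host, feed it the real output (`getcert list` run as root) in place of SAMPLE and pass `datetime.now(timezone.utc)` as `now`; a non-empty result is what a renewal health check should alert on.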