Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue

Tue, 31 May 2016 21:01:02 -0700 

Kay Zhou Y wrote:

Hi Rob,

The status for ipaCert is MONITORING no matter before or after resubmit this 
request ID, as below:

Request ID '20140605220249':
         status: MONITORING
         stuck: no
         key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
         certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
Certificate DB'
         CA: dogtag-ipa-renew-agent
         issuer: CN=Certificate Authority,O=DRUTT.COM
         subject: CN=IPA RA,O=DRUTT.COM
         expires: 2014-06-24 14:08:50 UTC
         eku: id-kp-serverAuth,id-kp-clientAuth
         pre-save command:
         post-save command:
         track: yes
         auto-renew: yes

I have restarted ipa service before renewal since there is no pki-cad service 
in our env.
Oh. So unfortunately the version of certmonger you have has a bug where the pre/post commands weren't displayed (it was only a display issue). If you look in /var/lib/certmonger/requests/<id> you can find the source for this output. See what the pre/post save command is for any of the CA subsystem certs and I guess perhaps ipaCert. I need to see how they are configured to do the renewal.
Maybe my memory is failing but I'd have sworn the CA process name was pki-cad. ipactl restart will restart the world. Given that the certs are expired you need to restart things when you go back in time. I saw that you are tracking the subsystem certs on this master so the CA must be installed. 


I have tried so many times for this processes, and I even want to recreate the 
ipaCert, but it failed.
Before you go poking too manually into things I'd strongly recommend backing up the NSS databases first. You could easily break something. 


The references I used as below, but both of them are not available for my 
issue:(
http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
http://www.freeipa.org/page/PKI

and if it's feasible we modify the expiration date for these certs manually or 
recreate it directly ?
You can't change any attributes of a certificate without re-issuing it. You can't issue a new cert without the CA up and I suspect it isn't up.
The cert may be in MONITORING when you go back in time because really, it's fine as long as it isn't expired, so MONITORING is a-ok. 

rob



Thanks,
BR//Kay
-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, May 31, 2016 11:10 PM
To: Kay Zhou Y; freeipa-users@redhat.com
Cc: Doris Hongmei; Xionglin Gu
Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue

Kay Zhou Y wrote:

Hi Rob,

Thanks  for your reply.

And about your suggestion, actually I have done it. but it just renew the two 
389-ds certs and Apache certs.
Since the ipaCert and subsystem certs are expired at 20140624, so I must roll 
back time before it. then begin to renew, but after I done this:

"Let's force renewal on all of the certificates:
# for line in `getcert list | grep Request | cut -d "'" -f2`; do
getcert resubmit -i $line; done ..."

According to the wiki, (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal 
). The CA subsystem c



ertificates will be renewed. But it did not.


Ok, what state are the certificates in? When you go back in time are you 
restarting the pki-cad service before attempting to do the renewal?


Finally after I finish all action mentioned in the wiki page, I still can't 
renew ipaCert and other four CA subsystem certificates.
And the two 389-ds and apache certs will still expired after the date 20160623 
( expire date of ipaCert 20140624 + two years).

If there is any other guide or doc about the ipaCert and CA subsystem 
certificates?


Not really for IPA 2.x

rob



Thanks a lot for your support!





Thanks,
BR//Kay

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Friday, May 27, 2016 11:41 PM
To: Kay Zhou Y; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue

Kay Zhou Y wrote:

Hi,

This is Kay.

I am not sure if the email address is correct, and I am really
appreciate if there is any help for my issue. it's baffling for few
days, and the expire date is coming soon.. L

There is a IPA 2.2 environment, and three "Server-Cert"(two 389-ds
and the Apache certs) will be expired at 2016-06-05 22:03:17 UTC.

Two years ago, these certs were renewed by other guys according to
this
document: http://www.freeipa.org/page/IPA_2x_Certificate_Renewal

and it was successful then the certificates has been renewed until 20160605.

But recently I want to renew it again since the expire date is coming.
Then I follow the above guide, however things not go well.


The problem looks to be because the IPA RA cert (ipaCert) isn't
matching what dogtag expects. See the wiki page starting at

"For ipaCert, stored in /etc/httpd/alias you have another job to do..."

You'll want to be sure that description correctly matches the certificate in 
the Apache database and confirm that the usercertificate value in LDAP matches 
the cert being presented.

rob



As below, it's the 8 certs which certmonger are tracking:

root@ecnshlx3039-test2(SH):~ #getcert list

Number of certificates and requests being tracked: 8.

Request ID '20120704140859':

           status: CA_UNREACHABLE

           ca-error: Server failed request, will retry: 4301 (RPC
failed at server.  Certificate operation cannot be completed:
EXCEPTION                                        (Invalid Credential.)).

           stuck: yes

           key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Ce
r
t',token='NSS
Certificate DB',pinfile='
/etc/dirsrv/slapd-DRUTT-COM/pwdfile.txt'

           certificate:
type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Ce
r
t',token='NSS
Certificate DB'

           CA: IPA

           issuer: CN=Certificate Authority,O=DRUTT.COM

           subject: CN=ipa1.drutt.com,O=DRUTT.COM

           expires: 2016-06-05 22:03:17 UTC

           eku: id-kp-serverAuth,id-kp-clientAuth

           pre-save command:

           post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
DRUTT-COM

           track: yes

           auto-renew: yes

Request ID '20120704140922':

           status: CA_UNREACHABLE

           ca-error: Server failed request, will retry: 4301 (RPC
failed at server.  Certificate operation cannot be completed:
EXCEPTION                                        (Invalid Credential.)).

           stuck: yes

           key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert'
,token='NSS
Certificate DB',pinfile='/e
tc/dirsrv/slapd-PKI-IPA/pwdfile.txt'

           certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert'
,token='NSS
Certificate DB'

           CA: IPA

           issuer: CN=Certificate Authority,O=DRUTT.COM

           subject: CN=ipa1.drutt.com,O=DRUTT.COM

           expires: 2016-06-05 22:03:17 UTC

           eku: id-kp-serverAuth,id-kp-clientAuth

           pre-save command:

           post-save command:

           track: yes

           auto-renew: yes

Request ID '20120704141150':

           status: CA_UNREACHABLE

           ca-error: Server failed request, will retry: 4301 (RPC
failed at server.  Certificate operation cannot be completed:
EXCEPTION                                        (Invalid Credential.)).

           stuck: yes

           key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='
N
SS
Certificate
DB',pinfile='/etc/httpd/
alias/pwdfile.txt'

           certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='
N
SS
Certificate DB'

           CA: IPA

           issuer: CN=Certificate Authority,O=DRUTT.COM

           subject: CN=ipa1.drutt.com,O=DRUTT.COM

           expires: 2016-06-05 22:03:17 UTC

           eku: id-kp-serverAuth,id-kp-clientAuth

           pre-save command:

           post-save command: /usr/lib64/ipa/certmonger/restart_httpd

           track: yes

           auto-renew: yes

Request ID '20140605220249':

           status: MONITORING

           stuck: no

           key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate
DB',pinfile='/etc/httpd/alia
s/pwdfile.txt'

           certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'

           CA: dogtag-ipa-renew-agent

           issuer: CN=Certificate Authority,O=DRUTT.COM

           subject: CN=IPA RA,O=DRUTT.COM

           expires: 2014-06-24 14:08:50 UTC

           eku: id-kp-serverAuth,id-kp-clientAuth

           pre-save command:

           post-save command:

           track: yes

           auto-renew: yes

Request ID '20160527075219':

           status: MONITORING

           stuck: no

           key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCer
t
cert-pki-ca',token='NSS Certificate
DB                                       ',pin='565569846212'

           certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCer
t cert-pki-ca',token='NSS Certificate DB'

           CA: dogtag-ipa-renew-agent

           issuer: CN=Certificate Authority,O=DRUTT.COM

           subject: CN=CA Audit,O=DRUTT.COM

           expires: 2014-06-24 14:08:42 UTC

           pre-save command:

           post-save command:

           track: yes

           auto-renew: yes

Request ID '20160527075220':

           status: MONITORING

           stuck: no

           key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate
DB'                                       ,pin='565569846212'

           certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'

           CA: dogtag-ipa-renew-agent

           issuer: CN=Certificate Authority,O=DRUTT.COM

           subject: CN=OCSP Subsystem,O=DRUTT.COM

           expires: 2014-06-24 14:08:41 UTC

           eku: id-kp-OCSPSigning

           pre-save command:

           post-save command:

           track: yes

           auto-renew: yes

Request ID '20160527075221':

           status: MONITORING

           stuck: no

           key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate
DB',p                                       in='565569846212'

           certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'

           CA: dogtag-ipa-renew-agent

           issuer: CN=Certificate Authority,O=DRUTT.COM

           subject: CN=CA Subsystem,O=DRUTT.COM

           expires: 2014-06-24 14:08:41 UTC

           eku: id-kp-serverAuth,id-kp-clientAuth

           pre-save command:

           post-save command:

           track: yes

           auto-renew: yes

Request ID '20160527075222':

           status: MONITORING

           stuck: no

           key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate
DB',pin                                       ='565569846212'

           certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'

           CA: dogtag-ipa-renew-agent

           issuer: CN=Certificate Authority,O=DRUTT.COM

           subject: CN=ipa1.drutt.com,O=DRUTT.COM

           expires: 2014-06-24 14:08:41 UTC

           eku: id-kp-serverAuth

           pre-save command:

           post-save command:

           track: yes

           auto-renew: yes

Follow all the steps in the guide, the result is just first three
certificates are renewed to 20160622 if I set system time to
20140623(which the four CA subsystem certs and CA cert are valid).

But other five are not renewed at all (the four CA subsystem certs
and CA cert). there is no error information during these steps.

I google a lot but still found nothing could resolve it. and then I
found there was a similar thread:
https://www.redhat.com/archives/freeipa-users/2015-October/msg00174.h
t
ml

But unfortunately the solution is not available for my issue either.

Since I am not familiar with Freeipa, so it bothers me so much.

Any help will be really appreciate. Thansks in advance!

Thanks,

BR//Kay









--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to