sipazzo wrote:
I set time back on master ca and was able to renew its certs except for
one that has yet to expire but should have renewed. I tried to resubmit
it but it still does not renew and status says NEED_CSR_GEN_TOKEN. We do
have a go daddy cert we use as well but it is valid still. Is it because
of the nickname mismatches? I am not sure how to fix that.


There is no cert to renew. You replaced the IPA-issued certificates with GoDaddy certs. The NSS_CSR_GEN_TOKEN is there because there is no private key for a certificate named Server-Cert so certmonger doesn't know what to do. To make this go away you can tell certmonger to stop tracking this non-existent certificate with something like:

# ipa-getcert stop-tracking -i <request_id>

certmonger cannot auto-renew your GoDaddy certficate.

and see below.


ipa1-example.com

Request ID '20140729215756':
     status: NEED_CSR_GEN_TOKEN
     stuck: yes
     key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
     certificate:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
Certificate DB'
     CA: IPA
     issuer: CN=Certificate Authority,O=EXAMPLE.COM
     subject: CN=ipa1.example.com,O=EXAMPLE.COM
     expires: 2016-07-29 20:39:21 UTC
     key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
     eku: id-kp-serverAuth,id-kp-clientAuth
     pre-save command:
     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
     track: yes
     auto-renew: yes

certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM/

Certificate Nickname                                         Trust
Attributes

SSL,S/MIME,JAR/XPI

NWF_GD                                                       u,u,u
CN=Certificate Authority,O=EXAMPLE.COM                      CT,,C
OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\,
Inc.,C=US CT,,C
GD_CA                                                        CT,,C
CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\,
Inc.,L=Scottsdale,ST=Arizona,C=US CT,,C


certutil -L -d /etc/dirsrv/slapd-PKI-IPA/

Certificate Nickname
O=EXAMPLE.COM     Trust Attributes

SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                          CT,C,
Server-Cert                                                  u,u,u


certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust
Attributes

SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u

My other servers had varying degrees of success with their expired
certificates, I have one server that would not renew 6 of its certs, 1
that would not renew 2 of its certs and 1 that would not renew 1 of its
certs. These are examples of the last two - I will save the one that
won't renew 6 as I am hoping I can apply same steps to those failures.

*ipa2.example.com - 2 won't renew - one CA_unreachable even after
successful restart of services and one NEED_CSR_GEN_TOKEN*

Request ID '20140729215756':
     status: NEED_CSR_GEN_TOKEN
     stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
     certificate:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
Certificate DB'
     CA: IPA
     issuer: CN=Certificate Authority,O=EXAMPLE.COM
     subject: CN=ipa2.example.com,O=EXAMPLE.COM
     expires: 2016-07-29 20:39:21 UTC
     key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
     eku: id-kp-serverAuth,id-kp-clientAuth
     pre-save command:
     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
     track: yes
     auto-renew: yes

I'm guessing same GoDaddy issue.

Request ID '20140729215712':
     status: CA_UNREACHABLE
ca-error: Error 60 connecting to
https://ipa2.example.com:9443/ca/agent/ca/profileReview: Peer
certificate cannot be authenticated with known CA certificates.
     stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
     certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
     CA: dogtag-ipa-renew-agent
     issuer: CN=Certificate Authority,O=EXAMPLE.COM
     subject: CN=ipa2.example.com,O=EXAMPLE.COM
     expires: 2016-07-18 21:57:06 UTC
     key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
     eku: id-kp-serverAuth
     pre-save command:
     post-save command:
     track: yes
     auto-renew: yes

You should update certmonger. The version you have doesn't include the pre/save commands in its output.

But going back in time should get this one renewed.

*ipa3 - 1 won't renew NEED_CSR_GEN_TOKEN*

Request ID '20140729215511':
     status: NEED_CSR_GEN_TOKEN
     stuck: yes
     key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
     certificate:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
Certificate DB'
     CA: IPA
     issuer: CN=Certificate Authority,O=EXAMPLE.COM
     subject: CN=ipa3.example.com,O=EXAMPLE.COM
     expires: 2016-07-29 20:38:41 UTC
     key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
     eku: id-kp-serverAuth,id-kp-clientAuth
     pre-save command:
     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
     track: yes
     auto-renew: yes

More GoDaddy I assume.

rob






------------------------------------------------------------------------
*From:* sipazzo <sipa...@yahoo.com>
*To:* Rob Crittenden <rcrit...@redhat.com>; "freeipa-users@redhat.com"
<freeipa-users@redhat.com>
*Sent:* Friday, July 29, 2016 4:06 PM
*Subject:* Re: [Freeipa-users] certificates expired - won't renew

Rob you are awesome and I don't know what I would do without you. So I
have two things going on obviously. Following your instructions it looks
like the DM password has correctly been set. I cannot change the admin
password as a test because I get the cert errors. I am going to retry
setting dates back and requesting new certs again following some of the
threads I have seen. Could you please just clarify two points? On my 4
servers all running as CAs do I only need to set the date back to prior
to expired certs running ipa-getcert list or the earliest expired date
when running getcert list? The getcert list shows certs that have been
expired since June but the ipa-getcert shows more recent. Also, does it
matter which servers I do first? Meaning should I set time back on my
"master" CA first.

This is the expiration output info from my master:

[root@ipa2 ~]# ipa-getcert list | grep expires
     expires: 2016-08-26 16:41:24 UTC
     expires: 2016-08-26 16:41:23 UTC
     expires: 2016-08-26 16:41:24 UTC
[root@ipa2 ~]# getcert list | grep expires
     expires: 2016-08-26 16:41:24 UTC
     expires: 2016-08-15 16:47:26 UTC
     expires: 2016-08-26 16:41:23 UTC
     expires: 2016-08-26 16:41:24 UTC
     expires: 2016-06-06 23:36:29 UTC
     expires: 2016-06-06 23:36:28 UTC
     expires: 2016-06-06 23:36:28 UTC
     expires: 2016-06-06 23:37:09 UTC


Again thank you, as always.


------------------------------------------------------------------------
*From:* Rob Crittenden <rcrit...@redhat.com>
*To:* sipazzo <sipa...@yahoo.com>; "freeipa-users@redhat.com"
<freeipa-users@redhat.com>
*Sent:* Friday, July 29, 2016 2:10 PM
*Subject:* Re: [Freeipa-users] certificates expired - won't renew

sipazzo wrote:
 > I have seen many threads on this so sorry to bring it up again but I
 > have a freeipa domain, with 4 ipa servers running on redhat 6 version
 > 3.0.0-50. The certificates are expired/expiring and will not renew and
 > it is causing many issues for us. I have tried the many suggestions I
 > have see in the archives such as changing the time to prior to
 > expiration and attempting renew by resubmitting the requests but they
 > never renew. An example of getcert list from the first server that
expired:
 >
 > Number of certificates and requests being tracked: 8.

[snip]


 > localhost log in /var/log/pki-ca have errors like:
 > tail localhost.2016-07-29.log
 > Jul 29, 2016 8:55:51 AM org.apache.catalina.core.StandardWrapperValve
invoke
 > SEVERE: Servlet.service() for servlet caProfileSubmit threw exception
 > java.io.IOException: CS server is not ready to serve.
 >      at
 > com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:441)
 >      at javax.servlet.http.HttpServlet.service(HttpServlet.java:723)
 >      at
 >
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
 >      at
 >
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
 >      at
 >
com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
 >      at
 >
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
 >      at org.
 >
 > Debug log in /var/log/pki-cacd
 >  tail debug
 > [29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password
 > store initialized before.
 > [29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password
 > store initialized.
 > [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable getLDAPConn:
 > netscape.ldap.LDAPException: error result (49)
 > [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable: unable to
 > query sessionIds: java.io.IOException: Failed to connect to the internal
 > database.
 > [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable:
 > getSessionIds: Error in disconnecting from database:
 > java.lang.NullPointerException
 > [29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password
 > store initialized before.
 > [29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password
 > store initialized.
 > [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable getLDAPConn:
 > netscape.ldap.LDAPException: error result (49)
 > [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable: unable to
 > query sessionIds: java.io.IOException: Failed to connect to the internal
 > database.
 > [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable:
 > getSessionIds: Error in disconnecting from database:
 > java.lang.NullPointerException
 >
 >
 > Performing most IPA commands results in errors such as ipa: ERROR: cert
 > validation failed for "CN=ipa1.example.com,O=EXAMPLE.COM"
 > ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
 >
 > Not sure if it is related but we lost our first IPA server some time ago
 > and had to promote another to the CA master. Also, due to someone
 > leaving the company at the beginning of the year we had to change the
 > directory manager password. I followed all the directions to do so but
 > it does not seem like it was a completely smooth transaction.


It is related. Your CA can't connect to its database. You must have
missed a step when updating the DM password.

As a goof I just tried it on my RHEL 6 install and it seems to work,
this is what I did:

# service dirsrv stop
# /usr/bin/pwdhash password

edit both /etc/dirsrv/slapd-REALM/dse.ldif and
/etc/dirsrv/slapd-PKI-IPA/dse.ldif to set nsslapd-rootpw

# service dirsrv start

Check both of the new passwords:

# ldapsearch -x -D "cn=directory manager" -W -s base -b ""
"objectclass=*"
# ldapsearch -h localhost -po 7389 -x -D "cn=directory manager" -W -s
base -b "" "objectclass=*"

Update internaldb value in /etc/pki-ca/password.conf with the new password.

Update and test the admin user password:

# ldappasswd -h localhost -ZZ -p 7389 -x -D "cn=Directory Manager" -W -S
uid=admin,ou=people,o=ipaca
# ldapsearch -h localhost -ZZ -p 7389 -x -D
"uid=admin,ou=people,o=ipaca" -W -b "" -s base

Restart the CA

# service pki-cad restart

Note that things _still_ aren't going to work so hot with all the
expired certs but if you go back in time you will at least have a chance
of renewing things.

rob






--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to