ok, so all certs are renewed (dogldap and http).

On Tue, Sep 20, 2016 at 11:49 AM, Natxo Asenjo <[email protected]> wrote:
> On Mon, Sep 19, 2016 at 5:27 PM, Rob Crittenden <[email protected]> wrote:
>
>> Natxo Asenjo wrote:
>>
>>> hi,
>>>
>>> On Fri, Sep 16, 2016 at 4:22 PM, Rob Crittenden <[email protected]
>>
>> Ok, how about we work around the problem.
>
> Gladly ;-)
>
>> Since it is failing on the revocation what you might try is removing the
>> userCertificate value from the ldap/kdc01.unix.iriszorg.nl service entry.
>>
>> I think this will work:
>>
>> $ ipa service-show ldap/kdc01.unix.iriszorg.nl |grep Serial
>> <note this down for later>
>>
>> $ ipa service-mod --certificate= ldap/kdc01.unix.iriszorg.nl
>>
>> If this doesn't work you can use ldapmodify to delete the usercertificate
>> value.
>>
>> This will remove the certificate value so there is nothing to revoke and
>> a new cert will be saved (hopefully).
>>
>> Now try to resubmit the request via certmonger.
>>
>> If it works then you can run ipa cert-revoke <old serial #>
>>
>> It isn't a great answer long-term because it is really just working
>> around the problem but it should get the certs renewed.
>
> ok, so I restarted the httpd service then I could use ipa service-show:
>
> $ ipa service-show ldap/kdc01.unix.iriszorg.nl |grep Serial
>   Serial Number: 175
>   Serial Number (hex): 0xAF
> bash-4.1$ ipa service-mod --certificate= ldap/kdc01.unix.iriszorg.nl
> ---------------------------------------------------------------
> Modified service "ldap/[email protected]"
> ---------------------------------------------------------------
>   Principal: ldap/[email protected]
>   Managed by: kdc01.unix.iriszorg.nl
>
> bash-4.1$ sudo ipa-getcert resubmit -i 20121107212513
> Resubmitting "20121107212513" to "IPA".
> bash-4.1$ sudo getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20121107212513':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: 4301 (RPC failed at
> server.  Certificate operation cannot be completed: Failure decoding
> Certificate Signing Request).
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-UNIX-IRISZORG-NL/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
>         subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>         expires: 2016-10-12 10:49:24 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib/ipa/certmonger/restart_dirsrv UNIX-IRISZORG-NL
>         track: yes
>         auto-renew: yes
>
> the certificate is gone:
> $ ipa service-show ldap/kdc01.unix.iriszorg.nl
> ipa: ERROR: Could not create log_dir u'/home/jose.admin/.ipa/log'
>   Principal: ldap/[email protected]
>   Keytab: True
>   Managed by: kdc01.unix.iriszorg.nl
>
> But then I thought, what the hell, let's try again, restarted httpd,
> resubmitted it, and now it did work ;-)
>
> $ ipa service-show ldap/kdc01.unix.iriszorg.nl
>   Principal: ldap/[email protected]
>   Certificate: [base64 certificate omitted]
>   Keytab: True
>   Managed by: kdc01.unix.iriszorg.nl
>   Subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>   Serial Number: 245
>   Serial Number (hex): 0xF5
>   Issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
>   Not Before: Tue Sep 20 08:06:58 2016 UTC
>   Not After: Fri Sep 21 08:06:58 2018 UTC
>   Fingerprint (MD5): f8:d3:cb:6f:4c:ca:e4:f3:47:65:51:d3:2c:69:84:df
>   Fingerprint (SHA1): e3:0a:66:19:d7:36:fe:c4:ff:58:bf:90:35:3e:0b:31:cb:a0:58:37
>
> So I could revoke the old one:
>
> $ ipa cert-revoke 175
> Revoked: True
>
> and now getcert list shows the certificate is ok:
>
> Number of certificates and requests being tracked: 8.
> Request ID '20121107212513':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-UNIX-IRISZORG-NL/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
>         subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>         expires: 2018-09-21 08:06:58 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib/ipa/certmonger/restart_dirsrv UNIX-IRISZORG-NL
>         track: yes
>         auto-renew: yes
>
> So one down, two to go, it seems.
>
> --
> Regards,
> natxo

--
Regards,
natxo
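A scripted form of the workaround Rob describes above, added here as an example and not code from the thread or from FreeIPA/certmonger: record the old serial, clear the stored certificate, resubmit the certmonger request, wait for the request to reach MONITORING, and revoke the old serial only once a different certificate is actually stored on the service. It assumes `ipa`, `ipa-getcert` and `getcert` are on PATH with an admin ticket held; the sample outputs at the bottom are constructed to mirror the fields shown in the thread.

```shell
#!/bin/sh
# Print the value of FIELD for request REQ_ID from `getcert list` output on stdin.
getcert_field() {
    awk -v id="$1" -v field="$2" '
        /^Request ID / { inreq = (index($0, id) > 0); next }
        inreq {
            line = $0; sub(/^[ \t]+/, "", line)
            if (index(line, field ":") == 1) {
                val = substr(line, length(field) + 2); sub(/^[ \t]+/, "", val)
                print val; exit
            }
        }'
}

# Print the decimal serial from `ipa service-show` output on stdin (empty if no cert).
service_serial() {
    awk '/^ *Serial Number:/ { sub(/^ *Serial Number: */, ""); print; exit }'
}

# Clear the cert, resubmit, poll certmonger, and revoke the old serial only
# after a different certificate is stored (so a stuck request never leaves
# the service with its only certificate revoked).
renew_via_workaround() {
    svc="$1"; req="$2"; attempts=0
    old=$(ipa service-show "$svc" | service_serial)
    [ -n "$old" ] || { echo "no certificate on $svc; nothing to clear" >&2; return 1; }
    ipa service-mod --certificate= "$svc" >/dev/null
    ipa-getcert resubmit -i "$req"
    while [ "$attempts" -lt 24 ]; do            # up to ~2 minutes of retries
        status=$(getcert list | getcert_field "$req" status)
        [ "$status" = MONITORING ] && break
        attempts=$((attempts + 1)); sleep 5
    done
    [ "$status" = MONITORING ] || { echo "request $req is in state '$status'" >&2; return 1; }
    new=$(ipa service-show "$svc" | service_serial)
    if [ -z "$new" ] || [ "$new" = "$old" ]; then
        echo "no new certificate stored for $svc; not revoking $old" >&2; return 1
    fi
    ipa cert-revoke "$old"
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_GETCERT="Number of certificates and requests being tracked: 8.
Request ID '20121107212513':
        status: MONITORING
        stuck: no
        expires: 2018-09-21 08:06:58 UTC"
SAMPLE_SHOW="  Serial Number: 175
  Serial Number (hex): 0xAF"
```

Run as `renew_via_workaround ldap/kdc01.unix.iriszorg.nl 20121107212513` on the IPA server; the parsers can be checked offline against the two samples.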
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
