ok, so all certs are renewed (dogldap and http).

On Tue, Sep 20, 2016 at 11:49 AM, Natxo Asenjo <natxo.ase...@gmail.com>
wrote:

>
>
> On Mon, Sep 19, 2016 at 5:27 PM, Rob Crittenden <rcrit...@redhat.com>
> wrote:
>
>> Natxo Asenjo wrote:
>>
>>> hi,
>>>
>>>
>>> On Fri, Sep 16, 2016 at 4:22 PM, Rob Crittenden <rcrit...@redhat.com
>>>
>> Ok, how about we work around the problem.
>>
>
> Gladly ;-)
>
>
>> Since it is failing on the revocation what you might try is removing the
>> userCertificate value from the ldap/kdc01.unix.iriszorg.nl service entry.
>>
>> I think this will work:
>>
>> $ ipa service-show ldap/kdc01.unix.iriszorg.nl |grep Serial
>> <note this down for later>
>>
>> $ ipa service-mod --certificate= ldap/kdc01.unix.iriszorg.nl
>>
>> If this doesn't work you can use ldapmodify to delete the usercertificate
>> value.
>>
>> This will remove the certificate value so there is nothing to revoke and
>> a new cert will be saved (hopefully).
>>
>> Now try to resubmit the request via certmonger.
>>
>> It if works then you can run ipa cert-revooke <old serial #>
>>
>> It isn't a great answer long-term because it is really just working
>> around the problem but it should get the certs renewed.
>>
>>
> ok, so I restarted the httpd service then I could use ipa service-show:
>
> $ ipa service-show ldap/kdc01.unix.iriszorg.nl |grep Serial
>   Serial Number: 175
>   Serial Number (hex): 0xAF
> bash-4.1$ ipa service-mod --certificate= ldap/kdc01.unix.iriszorg.nl
> ---------------------------------------------------------------
> Modified service "ldap/kdc01.unix.iriszorg...@unix.iriszorg.nl"
> ---------------------------------------------------------------
>   Principal: ldap/kdc01.unix.iriszorg...@unix.iriszorg.nl
>   Managed by: kdc01.unix.iriszorg.nl
>
>
> bash-4.1$ sudo ipa-getcert resubmit -i 20121107212513
> Resubmitting "20121107212513" to "IPA".
> bash-4.1$ sudo getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20121107212513':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: 4301 (RPC failed at
> server.  Certificate operation cannot be completed: Failure decoding
> Certificate Signing Request).
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/
> dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-UNIX-IRISZORG-NL/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/
> dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
>         subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>         expires: 2016-10-12 10:49:24 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib/ipa/certmonger/restart_dirsrv
> UNIX-IRISZORG-NL
>         track: yes
>         auto-renew: yes
>
>
>
> the certificate is gone:
> $ ipa service-show ldap/kdc01.unix.iriszorg.nl
> ipa: ERROR: Could not create log_dir u'/home/jose.admin/.ipa/log'
>   Principal: ldap/kdc01.unix.iriszorg...@unix.iriszorg.nl
>   Keytab: True
>   Managed by: kdc01.unix.iriszorg.nl
>
>
> But then I thought, what the hell, let's try again, restarted httpd,
> resubmitted it, and now it did work ;-)
>
> $ ipa service-show ldap/kdc01.unix.iriszorg.nl
>   Principal: ldap/kdc01.unix.iriszorg...@unix.iriszorg.nl
>   Certificate: MIIDrDCCApSgAwIBAgICAPUwDQYJKo
> ZIhvcNAQELBQAwOzEZMBcGA1UEChMQVU5JWC5JUklTWk9SRy5OTDEeMBwGA1
> UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE2MDkyMDA4MDY1OFoXDT
> E4MDkyMTA4MDY1OFowPDEZMBcGA1UEChMQVU5JWC5JUklTWk9SRy5OTDEfMB
> 0GA1UEAxMWa2RjMDEudW5peC5pcmlzem9yZy5ubDCCASIwDQYJKoZIhvcNAQ
> EBBQADggEPADCCAQoCggEBAO2QVqrFRb/Q5dhkAi7BK29BJhqTvbaH3bNDLvhe1
> snyChdlr/AIwrJj/53Ti2eJ7u1BtV7u3gSwQ3/xJ0HwUZmOEQHCNDrjcGy+
> iw7lqkC5NaZ8AGt8bSTGWwnJvEGWrb3uEJzVZf+xB5eZa8vFXr+
> Jlcfoq8DbVZhX274pmpVfQOnRckD+AmncuEItHpcJCCHneF0QzA5DQqlTPUFerFm3F/iI/
> k6g9XbHQaNejcUYdhXpy9q0mEuBIIsEzTeNWTTEsUYX5TPVEsN3x2feA0icx
> R6bUTeg2BqSu7ZOuM55iBp3l0d9UAQ7W7yh76FI/Bqz8vIMdS6VsurPS4asLa8CAwEAAaO
> BuDCBtTAfBgNVHSMEGDAWgBSjl+SKLrjPPuoz8ryT1iPeqYQ2aDBEBggr
> BgEFBQcBAQQ4MDYwNAYIKwYBBQUHMAGGKGh0dHA6Ly9rZGMwMS51bml4Lmly
> aXN6b3JnLm5sOjgwL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQ
> UFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUBIRsG98GBkIyB/
> BgQKloUlLEJeEwDQYJKoZIhvcNAQELBQADggEBAHN+ggklVf2uzaePwEI9rMObe0WZeOyCLZ
> xEtigDaJIHkq3GzkugxcG8ivD/LnuF0D8m07npfpIMC3QRUJQjFjz6E3rKtqau0QY0BO+
> Dwg1TzItQqXxgHtCqcQ7bmahj2AMPRNUXeZck0p/eueG4wj2kbLwTLU6cOfwnT4IOfszAS
> 9GCql6oQIXlOfG6i6DAodBpgWziDfIrRJsJi4ZE+FvJL/ImJDdW+
> En50UyGp0n31oMSDIxWf1bdWUctSEYhcy9JftzkitNm1FD+a1HzeYyuHthzlHHcSIXN/
> kXRSGktpe8VHE5XLtKnH92vmkMnyxZvE///2+ExHXIAOkwq3ck=
>   Keytab: True
>   Managed by: kdc01.unix.iriszorg.nl
>   Subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>   Serial Number: 245
>   Serial Number (hex): 0xF5
>   Issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
>   Not Before: Tue Sep 20 08:06:58 2016 UTC
>   Not After: Fri Sep 21 08:06:58 2018 UTC
>   Fingerprint (MD5): f8:d3:cb:6f:4c:ca:e4:f3:47:65:51:d3:2c:69:84:df
>   Fingerprint (SHA1): e3:0a:66:19:d7:36:fe:c4:ff:58:
> bf:90:35:3e:0b:31:cb:a0:58:37
>
> So I could revoke the old one:
>
> $ ipa cert-revoke 175
>   Revoked: True
>
>
> and now getcert list shows the certificate is ok:
>
> Number of certificates and requests being tracked: 8.
> Request ID '20121107212513':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/
> dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-UNIX-IRISZORG-NL/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/
> dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
>         subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>         expires: 2018-09-21 08:06:58 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib/ipa/certmonger/restart_dirsrv
> UNIX-IRISZORG-NL
>         track: yes
>         auto-renew: yes
>
>
> So one down, two to go, it seems.
>
>
>
>
> --
> Groeten,
> natxo
>



-- 
--
Groeten,
natxo
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to