On Thu, Sep 29, 2016 at 1:16 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Natxo Asenjo wrote:
>>
>> On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>
>>     It's hard to say, it may in fact not be a problem.
>>
>>     It is really a matter of what service the certificate(s) are related
>>     to. I'd look at the serial numbers and then correlate those to the
>>     issued certificates.
>>
>>     I'd also do a service-find on the hostname to see if any services
>>     have certificates issued and with what serial numbers.
>>
>> I agree, it could be that. But just for testing I have created a vm,
>> joined it to the domain and resubmitted the certificate.
>>
>> Now there are two valid host certificates with the same subject:
>>
>> $ ipa cert-find --subject=throwaway.unix.iriszorg.nl
>> ----------------------
>> 2 certificates matched
>> ----------------------
>>   Serial number (hex): 0x3FFE0002
>>   Serial number: 1073610754
>>   Status: VALID
>>   Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>>
>>   Serial number (hex): 0x3FFE0003
>>   Serial number: 1073610755
>>   Status: VALID
>>   Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>> ----------------------------
>> Number of entries returned 2
>> ----------------------------
>>
>> So certmonger on this CentOS 6.8 32-bit host is renewing but not
>> having the old certificate revoked.
>
> I'd check the Apache log to find the cert_request call to see if you can
> see if there are any issues raised. It should be doing a cert_revoke at the
> same time.
>
> Can you show how this certificate is being tracked?

sure:

$ sudo getcert list
Number of certificates and requests being tracked: 1.
Request ID '20160929100945':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
	certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
	subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
	expires: 2018-09-30 10:13:17 UTC
	principal name: host/throwaway.unix.iriszorg...@unix.iriszorg.nl
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes

now, let's resubmit:

$ sudo ipa-getcert resubmit -i 20160929100945
Resubmitting "20160929100945" to "IPA".

[jose.admin@throwaway ~]$ sudo getcert list
Number of certificates and requests being tracked: 1.
Request ID '20160929100945':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
	certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
	subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
	expires: 2018-09-30 20:41:28 UTC
	principal name: host/throwaway.unix.iriszorg...@unix.iriszorg.nl
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes

so it has been successfully renewed.
In the access_log of the kdc I see this:

172.20.4.228 - - [29/Sep/2016:22:41:27 +0200] "POST https://kdc03.unix.iriszorg.nl:443/ca/eeca/ca/profileSubmitSSLClient HTTP/1.1" 200 1913
172.20.6.81 - host/throwaway.unix.iriszorg...@unix.iriszorg.nl [29/Sep/2016:22:41:27 +0200] "POST /ipa/xml HTTP/1.1" 200 2929

and in the error_log:

[Thu Sep 29 22:41:28.626669 2016] [:error] [pid 4617] ipa: INFO: [xmlserver] host/throwaway.unix.iriszorg...@unix.iriszorg.nl: cert_request(u'...', principal=u'host/throwaway.unix.iriszorg...@unix.iriszorg.nl', add=True, version=u'2.51'): SUCCESS

and now I have 3 valid certificates:

$ ipa cert-find --subject=throwaway.unix.iriszorg.nl
----------------------
3 certificates matched
----------------------
  Serial number (hex): 0xFF9000D
  Serial number: 267976717
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0002
  Serial number: 1073610754
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0003
  Serial number: 1073610755
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
----------------------------
Number of entries returned 3
----------------------------

--
Groeten,
natxo
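The thread shows a renewal that leaves the previous host certificates VALID instead of revoked, which only became visible because someone ran `ipa cert-find` by hand. The script below is an added example, not code from the thread or from FreeIPA: it parses the plain-text `ipa cert-find` output format shown above and reports every subject that holds more than one VALID certificate, so an admin can review those serials (for example with `ipa cert-show`) and decide which to revoke. The sample output embedded in it is constructed to match the thread's format; the serials, the REVOKED entry and the second subject are made up for the test.

```python
"""Flag subjects with more than one VALID certificate in `ipa cert-find` output.

Added example, not part of the mailing-list thread or of FreeIPA. It parses
the plain-text record format printed by `ipa cert-find` and groups VALID
certificates by subject. Usage: `python3 find_dup_certs.py cert-find.txt`,
or run without arguments to process the constructed sample below.
"""
import re
import sys
from collections import defaultdict

# Constructed sample in the shape `ipa cert-find` prints (serials and the
# second subject are invented): two VALID certs for one host, one REVOKED
# cert for another host.
SAMPLE_CERT_FIND = """\
----------------------
3 certificates matched
----------------------
  Serial number (hex): 0xFF9000D
  Serial number: 267976717
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0002
  Serial number: 1073610754
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0003
  Serial number: 1073610755
  Status: REVOKED
  Subject: CN=other.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
----------------------------
Number of entries returned 3
----------------------------
"""

# "  Field name (optional qualifier): value" -- summary lines such as
# "3 certificates matched" carry no colon and are skipped.
FIELD_RE = re.compile(r"^\s*([A-Za-z ()]+?):\s*(.*)$")


def parse_cert_find(text):
    """Return one dict per certificate record, keyed by the printed field names."""
    records, current = [], {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("-"):
            # a blank line or a dashed separator closes the record in progress
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Serial number (hex)" and current:
            # a new serial without a blank line in between still starts a new record
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records


def duplicate_valid_serials(records):
    """Map subject -> hex serials, for subjects with more than one VALID certificate."""
    by_subject = defaultdict(list)
    for rec in records:
        if rec.get("Status") == "VALID" and "Subject" in rec:
            by_subject[rec["Subject"]].append(rec.get("Serial number (hex)", "?"))
    return {subj: serials for subj, serials in by_subject.items() if len(serials) > 1}


def report(text):
    """Human-readable lines, one per subject that needs a revocation review."""
    dups = duplicate_valid_serials(parse_cert_find(text))
    return [
        f"{subject}: {len(serials)} VALID certs, serials {', '.join(serials)}"
        for subject, serials in sorted(dups.items())
    ]


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CERT_FIND
    print("\n".join(report(data)) or "no subject has more than one VALID certificate")
```

Run it over `ipa cert-find --subject=<fqdn>` output for a single host, or over an unfiltered `ipa cert-find` dump to sweep the whole realm; the script only reads and reports, so revoking the stale serials remains a deliberate step for the admin.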
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project