Natxo Asenjo wrote:

On Thu, Sep 29, 2016 at 1:16 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

    Natxo Asenjo wrote:

        On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

             It's hard to say, it may in fact not be a problem.

             It is really a matter of what service the certificate(s) are related
             to. I'd look at the serial numbers and then correlate those to the
             issued certificates.

             I'd also do a service-find on the hostname to see if any services
             have certificates issued and with what serial numbers.

        I agree, it could be that. But just for testing I have created a vm,
        joined it to the domain and resubmitted the certificate.

        Now there are two valid host certificates with the same subject:

           $ ipa cert-find --subject=throwaway.unix.iriszorg.nl
        ----------------------
        2 certificates matched
        ----------------------
            Serial number (hex): 0x3FFE0002
            Serial number: 1073610754
            Status: VALID
            Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

            Serial number (hex): 0x3FFE0003
            Serial number: 1073610755
            Status: VALID
            Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
        ----------------------------
        Number of entries returned 2
        ----------------------------


        So certmonger in this CentOS 6.8 32-bit host is renewing but not having
        the old certificate revoked.


    I'd check the Apache log to find the cert_request call to see if you
    can see if there are any issues raised. It should be doing a
    cert_revoke at the same time.

    Can you show how this certificate is being tracked?


sure:

$ sudo getcert list
Number of certificates and requests being tracked: 1.
Request ID '20160929100945':
     status: MONITORING
     stuck: no
     key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
     certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
     CA: IPA
     issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
     subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
     expires: 2018-09-30 10:13:17 UTC
     principal name: host/throwaway.unix.iriszorg...@unix.iriszorg.nl
     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
     eku: id-kp-serverAuth,id-kp-clientAuth
     pre-save command:
     post-save command:
     track: yes
     auto-renew: yes

now, let's resubmit:

$ sudo ipa-getcert resubmit -i 20160929100945
Resubmitting "20160929100945" to "IPA".
[jose.admin@throwaway ~]$ sudo getcert list
Number of certificates and requests being tracked: 1.
Request ID '20160929100945':
     status: MONITORING
     stuck: no
     key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
     certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
     CA: IPA
     issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
     subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
     expires: 2018-09-30 20:41:28 UTC
     principal name: host/throwaway.unix.iriszorg...@unix.iriszorg.nl
     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
     eku: id-kp-serverAuth,id-kp-clientAuth
     pre-save command:
     post-save command:
     track: yes
     auto-renew: yes

so it has been successfully renewed.

In the access_log of the kdc I see this:

172.20.4.228 - - [29/Sep/2016:22:41:27 +0200] "POST https://kdc03.unix.iriszorg.nl:443/ca/eeca/ca/profileSubmitSSLClient HTTP/1.1" 200 1913
172.20.6.81 - host/throwaway.unix.iriszorg...@unix.iriszorg.nl [29/Sep/2016:22:41:27 +0200] "POST /ipa/xml HTTP/1.1" 200 2929

and in the error_log:

[Thu Sep 29 22:41:28.626669 2016] [:error] [pid 4617] ipa: INFO: [xmlserver] host/throwaway.unix.iriszorg...@unix.iriszorg.nl:
cert_request(u'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!
DQYJKoZIhv
cNAQELBQADggEBAD674/oGYlQTQDSvwf0muYoxBsj1dc6gnArw0JJpGVCNMv/J3FdgOLcOhxzZcOfZiQr4NdYoV+/6mISOhknMa4ErJhqSAWbUA+w3+lL3CHfdDtNueUjZRbPZezcC0rhAlnXBT7iakjuhE56WkZz7AihEU8RAvnZfSRi1mhehf3wFRYKWuzK9AW1DTY/uGMmHXiFtvINpfAJ3yL66xPwTj4087nz9w4YUqNyCX+hYL+7idCJeoMjDyCqYQpjFkdfZhRuNd+rrKWTgYvKN3w/5+ItefDCYy8py91V2kXS7BrsYjd+2YHtQ2AbjgIW2xpTr/+PetToZyL50oWCpduT5t+M=',
principal=u'host/throwaway.unix.iriszorg...@unix.iriszorg.nl', add=True, version=u'2.51'): SUCCESS

and now I have 3 valid certificates:

$ ipa cert-find --subject=throwaway.unix.iriszorg.nl
----------------------
3 certificates matched
----------------------
   Serial number (hex): 0xFF9000D
   Serial number: 267976717
   Status: VALID
   Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

   Serial number (hex): 0x3FFE0002
   Serial number: 1073610754
   Status: VALID
   Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

   Serial number (hex): 0x3FFE0003
   Serial number: 1073610755
   Status: VALID
   Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
----------------------------
Number of entries returned 3
----------------------------

Ok, let me start by saying that this is not a bug in either certmonger or dogtag. IPA is supposed to do the revocation in the cert_request command.

The steps IPA _should_ be taking are:

1. Figure out if we are doing a certificate for a host or a service.
2. See if the requester is allowed to manage this entry
3. Look at the entry to see if it has a usercertificate attribute. If so revoke that serial number, then clear the usercertificate value in the host or service entry (via service_mod or host_mod)
4. Request a new certificate
5. Update IPA with the new value

Does a certificate appear in ipa host-show throwaway.unix.iriszorg.nl, and which certificate serial number?

rob
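
An editor's worked example for the reconciliation Rob describes in steps 3 to 5 above: it is not code from the thread or from FreeIPA. It parses the text that `ipa cert-find --subject=<fqdn>` prints, keeps the certificate whose serial the host (or service) entry currently holds, and lists every other certificate for the same subject that is still VALID, which is exactly the set that `cert_request` should have revoked. It only builds the `ipa cert-revoke` commands for an operator to review. Everything not in the thread is an assumption: KEEP_SERIAL stands in for the serial you read off `ipa host-show <fqdn> --all`, and the sample listing is the thread's three-certificate output with the last status flipped to REVOKED so the filter has something to skip.

```python
"""Reconcile `ipa cert-find` output with the certificate the host entry holds.

Added example, not code from the thread or from FreeIPA itself.
Assumptions (not from the thread): KEEP_SERIAL is the serial of the
certificate shown by `ipa host-show <fqdn> --all`, and SAMPLE_CERT_FIND is a
constructed copy of the thread's listing with one status set to REVOKED.
"""
import re
from dataclasses import dataclass

SUBJECT = "CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL"
KEEP_SERIAL = 267976717   # assumed: the serial stored on the host entry (0xFF9000D)
REASON_SUPERSEDED = 4     # CRLReason "superseded", RFC 5280 section 5.3.1

# Constructed sample input: the thread's listing with link residue removed and
# the third entry's status changed to REVOKED for the example.
SAMPLE_CERT_FIND = """\
----------------------
3 certificates matched
----------------------
   Serial number (hex): 0xFF9000D
   Serial number: 267976717
   Status: VALID
   Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

   Serial number (hex): 0x3FFE0002
   Serial number: 1073610754
   Status: VALID
   Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

   Serial number (hex): 0x3FFE0003
   Serial number: 1073610755
   Status: REVOKED
   Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
----------------------------
Number of entries returned 3
----------------------------
"""


@dataclass(frozen=True)
class CertEntry:
    serial: int
    status: str
    subject: str


# Match the decimal "Serial number:" line, not "Serial number (hex):".
_SERIAL = re.compile(r"^\s*Serial number:\s*(\d+)\s*$")
_STATUS = re.compile(r"^\s*Status:\s*(\S+)\s*$")
_SUBJECT = re.compile(r"^\s*Subject:\s*(.+?)\s*$")
_WANTED = {"serial", "status", "subject"}


def parse_cert_find(text: str) -> list[CertEntry]:
    """Turn cert-find's key/value listing into CertEntry records.

    A record is emitted once its serial, status and subject have all been
    seen, so the order of the status and subject lines does not matter; a
    "Serial number:" line always starts a fresh record.
    """
    entries: list[CertEntry] = []
    cur: dict = {}
    for line in text.splitlines():
        if m := _SERIAL.match(line):
            cur = {"serial": int(m.group(1))}
        elif m := _STATUS.match(line):
            cur["status"] = m.group(1)
        elif m := _SUBJECT.match(line):
            cur["subject"] = m.group(1)
        else:
            continue
        if cur.keys() >= _WANTED:
            entries.append(CertEntry(cur["serial"], cur["status"], cur["subject"]))
            cur = {}
    return entries


def stale_valid_serials(entries, subject, keep_serial):
    """Serials still VALID for `subject` other than the one the entry holds.

    Refuses to continue when keep_serial is not itself a VALID certificate for
    that subject: revoking the rest would leave the host with nothing usable,
    and it usually means the entry's usercertificate value is out of date.
    """
    valid = {e.serial for e in entries if e.subject == subject and e.status == "VALID"}
    if keep_serial not in valid:
        raise ValueError(f"serial {keep_serial} is not a VALID certificate for {subject}")
    return sorted(valid - {keep_serial})


def revoke_commands(entries, subject, keep_serial, reason=REASON_SUPERSEDED):
    """One `ipa cert-revoke` invocation per stale serial, for the operator to review."""
    return [f"ipa cert-revoke {s} --revocation-reason={reason}"
            for s in stale_valid_serials(entries, subject, keep_serial)]


if __name__ == "__main__":
    found = parse_cert_find(SAMPLE_CERT_FIND)
    print(f"{len(found)} certificates parsed for {SUBJECT}")
    for cmd in revoke_commands(found, SUBJECT, KEEP_SERIAL):
        print(cmd)
```

To use it against a live server, replace SAMPLE_CERT_FIND with the real `ipa cert-find --subject=<fqdn>` output and set KEEP_SERIAL to the serial of the certificate in `ipa host-show <fqdn> --all`; if that entry holds no certificate, or one that cert-find no longer reports as VALID, the script stops rather than guessing, which is the right moment to look at the Apache error_log for the missing cert_revoke call Rob mentions.
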

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
