Natxo Asenjo wrote:
On Thu, Sep 29, 2016 at 1:16 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
Natxo Asenjo wrote:
On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
It's hard to say, it may in fact not be a problem.
It is really a matter of what service the certificate(s) are related to. I'd look at the serial numbers and then correlate those to the issued certificates.
I'd also do a service-find on the hostname to see if any services have certificates issued and with what serial numbers.
I agree, it could be that. But just for testing I have created a vm,
joined it to the domain and resubmitted the certificate.
Now there are two valid host certificates with the same subject:
$ ipa cert-find --subject=throwaway.unix.iriszorg.nl
----------------------
2 certificates matched
----------------------
Serial number (hex): 0x3FFE0002
Serial number: 1073610754
Status: VALID
Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
Serial number (hex): 0x3FFE0003
Serial number: 1073610755
Status: VALID
Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
----------------------------
Number of entries returned 2
----------------------------
So certmonger on this CentOS 6.8 32-bit host is renewing but not having the old certificate revoked.
I'd check the Apache log to find the cert_request call to see if you can see if there are any issues raised. It should be doing a cert_revoke at the same time.
Can you show how this certificate is being tracked?
sure:
$ sudo getcert list
Number of certificates and requests being tracked: 1.
Request ID '20160929100945':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
expires: 2018-09-30 10:13:17 UTC
principal name: host/throwaway.unix.iriszorg...@unix.iriszorg.nl
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
now, let's resubmit:
$ sudo ipa-getcert resubmit -i 20160929100945
Resubmitting "20160929100945" to "IPA".
[jose.admin@throwaway ~]$ sudo getcert list
Number of certificates and requests being tracked: 1.
Request ID '20160929100945':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
expires: 2018-09-30 20:41:28 UTC
principal name: host/throwaway.unix.iriszorg...@unix.iriszorg.nl
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
so it has been successfully renewed.
In the access_log of the kdc I see this:
172.20.4.228 - - [29/Sep/2016:22:41:27 +0200] "POST https://kdc03.unix.iriszorg.nl:443/ca/eeca/ca/profileSubmitSSLClient HTTP/1.1" 200 1913
172.20.6.81 - host/throwaway.unix.iriszorg...@unix.iriszorg.nl [29/Sep/2016:22:41:27 +0200] "POST /ipa/xml HTTP/1.1" 200 2929
and in the error_log:
[Thu Sep 29 22:41:28.626669 2016] [:error] [pid 4617] ipa: INFO: [xmlserver] host/throwaway.unix.iriszorg...@unix.iriszorg.nl: cert_request(u'<base64 CSR omitted>', principal=u'host/throwaway.unix.iriszorg...@unix.iriszorg.nl', add=True, version=u'2.51'): SUCCESS
and now I have 3 valid certificates:
$ ipa cert-find --subject=throwaway.unix.iriszorg.nl
----------------------
3 certificates matched
----------------------
Serial number (hex): 0xFF9000D
Serial number: 267976717
Status: VALID
Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
Serial number (hex): 0x3FFE0002
Serial number: 1073610754
Status: VALID
Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
Serial number (hex): 0x3FFE0003
Serial number: 1073610755
Status: VALID
Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
----------------------------
Number of entries returned 3
----------------------------
Ok, let me start by saying that this is not a bug in either certmonger
or dogtag. IPA is supposed to do the revocation in the cert_request command.
The steps IPA _should_ be taking are:
1. Figure out if we are doing a certificate for a host or a service.
2. See if the requester is allowed to manage this entry
3. Look at the entry to see if it has a usercertificate attribute. If so revoke that serial number, then clear the usercertificate value in the host or service entry (via service_mod or host_mod)
4. Request a new certificate
5. Update IPA with the new value
Does a certificate appear in ipa host-show throwaway.unix.iriszorg.nl,
and which certificate serial number?
rob
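As an added check (not code from this thread, from certmonger or from FreeIPA), the script below parses `ipa cert-find` output and lists, per subject, the VALID serials beyond the one the host entry carries, which is what the host-show question above is getting at; the sample output is constructed from the serials quoted in the thread.

```python
from collections import defaultdict

# Constructed sample mirroring the thread's `ipa cert-find` output (same serials
# and subject), with 0x3FFE0003 changed to REVOKED so the filter has a case to skip.
CERT_FIND_OUTPUT = """\
  Serial number (hex): 0xFF9000D
  Serial number: 267976717
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0002
  Serial number: 1073610754
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0003
  Serial number: 1073610755
  Status: REVOKED
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
"""

def parse_cert_find(text):
    """One dict per certificate record; a record starts at 'Serial number (hex)'."""
    certs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Serial number (hex):"):
            cur = {"hex": line.split(":", 1)[1].strip()}
            certs.append(cur)
        elif cur is not None and ":" in line:
            key, val = (s.strip() for s in line.split(":", 1))
            if key == "Serial number":
                cur["serial"] = int(val)
            elif key in ("Status", "Subject"):
                cur[key.lower()] = val
    return certs

def stale_valid_serials(certs, entry_serial_by_subject):
    """subject -> VALID serials other than the one on the host/service entry
    (entry_serial_by_subject: subject -> serial taken from `ipa host-show`).
    Empty if the old serial was revoked at renewal; a subject with no entry
    serial has every VALID certificate reported."""
    valid = defaultdict(list)
    for c in certs:
        if c.get("status") == "VALID":
            valid[c["subject"]].append(c["serial"])
    stale = {}
    for subj, serials in valid.items():
        extra = sorted(s for s in serials if s != entry_serial_by_subject.get(subj))
        if extra:
            stale[subj] = extra
    return stale
```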
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project