On 11/22/2016 11:50 AM, Bertrand Rétif wrote:



    *From: *"Florence Blanc-Renaud" <f...@redhat.com>
    *To: *"Bertrand Rétif" <bre...@phosphore.eu>, freeipa-users@redhat.com
    *Sent: *Tuesday 22 November 2016 11:33:45
    *Subject: *Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

    On 11/22/2016 10:07 AM, Bertrand Rétif wrote:
    >
    > ------------------------------------------------------------------------
    >
    >     *From: *"Bertrand Rétif" <bre...@phosphore.eu>
    >     *To: *freeipa-users@redhat.com
    >     *Sent: *Tuesday 25 October 2016 17:51:09
    >     *Subject: *Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
    >
    >
    >     ------------------------------------------------------------------------
    >
    >         *From: *"Florence Blanc-Renaud" <f...@redhat.com>
    >         *To: *"Bertrand Rétif" <bre...@phosphore.eu>, freeipa-users@redhat.com
    >         *Sent: *Thursday 20 October 2016 18:45:21
    >         *Subject: *Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
    >
    >         On 10/19/2016 08:18 PM, Bertrand Rétif wrote:
    >         >
    >         >     *From: *"Bertrand Rétif" <bre...@phosphore.eu>
    >         >     *To: *freeipa-users@redhat.com
    >         >     *Sent: *Wednesday 19 October 2016 15:42:07
    >         >     *Subject: *Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
    >         >
    >         >
    >         >     ------------------------------------------------------------------------
    >         >
    >         >         *From: *"Rob Crittenden" <rcrit...@redhat.com>
    >         >         *To: *"Bertrand Rétif" <bre...@phosphore.eu>, freeipa-users@redhat.com
    >         >         *Sent: *Wednesday 19 October 2016 15:30:14
    >         >         *Subject: *Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
    >         >
    >         >         Bertrand Rétif wrote:
    >         >         >> From: "Martin Babinsky" <mbabi...@redhat.com>
    >         >         >> To: freeipa-users@redhat.com
    >         >         >> Sent: Wednesday 19 October 2016 08:45:49
    >         >         >> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
    >         >         >
    >         >         >> On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
    >         >         >>> Hello,
    >         >         >>>
    >         >         >>> I had an issue with pki-tomcat.
    >         >         >>> I had several certificates that were expired and pki-tomcat did not start anymore.
    >         >         >>>
    >         >         >>> I set the date on the server before certificate expiration and then pki-tomcat starts properly.
    >         >         >>> Then I try to resubmit the certificate, but I get the below error:
    >         >         >>> "Profile caServerCert Not Found"
    >         >         >>>
    >         >         >>> Do you have any idea how I could fix this issue?
    >         >         >>>
    >         >         >>> Please find below the output of the commands:
    >         >         >>>
    >         >         >>> # getcert resubmit -i 20160108170324
    >         >         >>>
    >         >         >>> # getcert list -i 20160108170324
    >         >         >>> Number of certificates and requests being tracked: 7.
    >         >         >>> Request ID '20160108170324':
    >         >         >>>     status: MONITORING
    >         >         >>>     ca-error: Server at "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied: Profile caServerCert Not Found
    >         >         >>>     stuck: no
    >         >         >>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    >         >         >>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    >         >         >>>     CA: dogtag-ipa-ca-renew-agent
    >         >         >>>     issuer: CN=Certificate Authority,O=A.SKINFRA.EU
    >         >         >>>     subject: CN=IPA RA,O=A.SKINFRA.EU
    >         >         >>>     expires: 2016-06-28 15:25:11 UTC
    >         >         >>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    >         >         >>>     eku: id-kp-serverAuth,id-kp-clientAuth
    >         >         >>>     pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
    >         >         >>>     post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
    >         >         >>>     track: yes
    >         >         >>>     auto-renew: yes
    >         >         >>>
    >         >         >>>
    >         >         >>> Thanks in advance for your help.
    >         >         >>> Bertrand
    >         >         >>>
    >         >         >
    >         >         >> Hi Bertrand,
    >         >         >
    >         >         >> what version of FreeIPA and Dogtag are you running?
    >         >         >
    >         >         >> Also perform the following search on the IPA master and post the result:
    >         >         >
    >         >         >> """
    >         >         >> ldapsearch -D "cn=Directory Manager" -W -b 'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)'
    >         >         >> """
    >         >         >
    >         >         > Hi Martin,
    >         >         >
    >         >         > Thanks for your reply.
    >         >         >
    >         >         > Here is the version:
    >         >         > - FreeIPA 4.2.0
    >         >         > - CentOS 7.2
    >         >         >
    >         >         > I have been able to fix the issue with "Profile caServerCert Not Found" by editing /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
    >         >         > I replaced the below entry
    >         >         > "subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem"
    >         >         > by
    >         >         > "subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem"
    >         >         >
    >         >         > and then launched the "ipa-server-upgrade" command.
    >         >         > I found this solution in this post:
    >         >         > http://osdir.com/ml/freeipa-users/2016-03/msg00280.html
    >         >         >
    >         >         > Then I was able to renew my certificate.
    >         >         >
    >         >         > However I rebooted my server too and pki-tomcat does not start and gives a new error in /var/log/pki/pki-tomcat/ca/debug
    >         >         >
    >         >         > [19/Oct/2016:11:11:52][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca
    >         >         > [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification
    >         >         >
    >         >         > java.lang.Exception: SystemCertsVerification: system certs verification failure
    >         >         > at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198)
    >         >         > at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861)
    >         >         > at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797)
    >         >         > at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1701)
    >         >         > at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1148)
    >         >         > at com.netscape.certsrv.apps.CMS.startup(CMS.java:200)
    >         >         > at com.netscape.certsrv.apps.CMS.start(CMS.java:1602)
    >         >         > at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
    >         >         > at javax.servlet.GenericServlet.init(GenericServlet.java:158)
    >         >         > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    >         >         > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    >         >         > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    >         >         > at java.lang.reflect.Method.invoke(Method.java:606)
    >         >         > at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
    >         >         > at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
    >         >         > at java.security.AccessController.doPrivileged(Native Method)
    >         >         > at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
    >         >         > at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
    >         >         > at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
    >         >         > at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
    >         >         > at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
    >         >         > at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
    >         >         > at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
    >         >         > at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
    >         >         > at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
    >         >         > at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    >         >         > at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
    >         >         > at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
    >         >         > at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
    >         >         > at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
    >         >         > at java.security.AccessController.doPrivileged(Native Method)
    >         >         > at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
    >         >         > at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
    >         >         > at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
    >         >         > at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
    >         >         > at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
    >         >         > at java.util.concurrent.FutureTask.run(FutureTask.java:262)
    >         >         > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    >         >         > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    >         >         > at java.lang.Thread.run(Thread.java:745)
    >         >         > [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)
    >         >         > [19/Oct/2016:11:11:52][localhost-startStop-1]: CMSEngine.shutdown()
    >         >         >
    >         >         >
    >         >         > I am currently stuck here.
    >         >         > Thanks a lot for your help.
    >         >
    >         >         I'm guessing at least one of the CA subsystem certificates is still expired. Look at the "getcert list" output to see if there are any expired certificates.
    >         >
    >         >         rob
    >         >
    >         >         >
    >         >         > Bertrand
    >         >         >
    >         >         >
    >         >
    >         >     Hello Rob,
    >         >
    >         >     I checked on my 2 servers and no certificate is expired
    >         >
    >         >     [root@sdkipa03 ~]# getcert list |grep expire
    >         >         expires: 2018-06-22 22:02:26 UTC
    >         >         expires: 2018-06-22 22:02:47 UTC
    >         >         expires: 2034-07-09 15:24:34 UTC
    >         >         expires: 2016-10-30 13:35:29 UTC
    >         >
    >         >     [root@sdkipa01 conf]# getcert list |grep expire
    >         >         expires: 2018-06-12 23:38:01 UTC
    >         >         expires: 2018-06-12 23:37:41 UTC
    >         >         expires: 2018-06-11 22:53:57 UTC
    >         >         expires: 2018-06-11 22:55:50 UTC
    >         >         expires: 2018-06-11 22:57:47 UTC
    >         >         expires: 2034-07-09 15:24:34 UTC
    >         >         expires: 2018-06-11 22:59:55 UTC
    >         >
    >         >     I see that one certificate is in status: CA_UNREACHABLE, maybe I rebooted my server too soon...
    >         >
    >         >     I continue to investigate
    >         >
    >         >     Thanks for your help.
    >         >     Bertrand
    >         >
    >         > I fixed my previous issue.
    >         > Now I have an issue with a server.
    >         > This server cannot start pki-tomcatd, I get this error in the debug file:
    >         > "Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)"
    >         >
    >         > After investigation I see that I do not have the "ipaCert" certificate in "/etc/httpd/alias"
    >         > cf. the below command:
    >         >
    >         > [root@sdkipa03 ~]# getcert list -d /etc/httpd/alias
    >         > Number of certificates and requests being tracked: 4.
    >         > Request ID '20141110133632':
    >         >     status: MONITORING
    >         >     stuck: no
    >         >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    >         >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    >         >     CA: IPA
    >         >     issuer: CN=Certificate Authority,O=A.SKINFRA.EU
    >         >     subject: CN=sdkipa03.skinfra.eu,O=A.SKINFRA.EU
    >         >     expires: 2018-06-22 22:02:47 UTC
    >         >     principal name: HTTP/sdkipa03.skinfra...@a.skinfra.eu
    >         >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    >         >     eku: id-kp-serverAuth,id-kp-clientAuth
    >         >     pre-save command:
    >         >     post-save command: /usr/lib64/ipa/certmonger/restart_httpd
    >         >     track: yes
    >         >     auto-renew: yes
    >         >
    >         >
    >         > How can I add the certificate to /etc/httpd/alias?
    >         >
    >         Hi,
    >
    >         for the record, the command getcert list that you supplied shows the certificates in /etc/httpd/alias that are tracked by certmonger. If you want to display all the certificates contained in /etc/httpd/alias (whether tracked or not), then you may want to use certutil -L -d /etc/httpd/alias instead.
    >
    >         If ipaCert is missing, you can export the ipaCert certificate from another master, then import it to your server.
    >
    >         On a master containing the cert:
    >         # certutil -d /etc/httpd/alias -L -n 'ipaCert' -a > /tmp/newRAcert.crt
    >
    >         Then copy the file /tmp/newRAcert.crt to your server and import the cert:
    >         # certutil -d /etc/httpd/alias -A -n 'ipaCert' -a -i /tmp/newRAcert.crt -t u,u,u
    >
    >         And finally you need to tell certmonger to monitor the cert using getcert start-tracking.
    >
    >         Hope this helps,
    >         Flo.
    >
    >         > Thanks for your support.
    >         > Regards
    >         > Bertrand
    >         >
    >         >
    >         >
    >
    >     Hi,
    >
    >     Florence, thanks for your help.
    >     I was able to import ipaCert correctly with your commands.
    >     Now it seems that I also have an issue on one server with "subsystemCert cert-pki-ca" in /etc/pki/pki-tomcat/alias as I get the below error when pki-tomcat tries to start
    >
    >
    >     LdapJssSSLSocket set client auth cert nickname subsystemCert cert-pki-ca
    >     Could not connect to LDAP server host sdkipa03.XX.YY port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
    >
    >
    >     Is there a way to restore a correct "subsystemCert cert-pki-ca"?
    >
    >     Regards
    >     Bertrand
    >
    > Hello,
    >
    > I am still stuck with my IPA server.
    > I have issues on both servers.
    > On server1, the below certificate is not renewed properly
    >    certutil -L -d /etc/httpd/alias/ -n "ipaCert"
    >
    > and on server 2 it is this certificate:
    >   certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "Server-Cert cert-pki-ca"
    >
    > Could you provide me with the correct syntax for the start-tracking command?
    > I tried to launch this command but my certificate remains in the "NEWLY_ADDED_NEED_KEYINFO_READ_PIN" state.
    > Here is the command I use:
    > getcert start-tracking -c dogtag-ipa-retrieve-agent-submit -d /var/lib/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca' -B /usr/lib64/ipa/certmonger/stop_pkicad -C '/usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"' -T "Server-Cert cert-pki-ca" -P '20160614000000'
    >
    Hi Bertrand,

    to get the right command, you can check on a system where the certificate is properly monitored; this will show you the right parameters:
    $ sudo getcert list -n ipaCert
    Number of certificates and requests being tracked: 8.
    Request ID '20161122095344':
    [...]
            key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    [...]
            CA: dogtag-ipa-ca-renew-agent
    [...]
            pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
            post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
    [...]

    The relevant fields are NSSDB location, pinfile, nickname, CA, pre and post-save commands. So in order to monitor ipaCert, you will need to use
    $ sudo getcert start-tracking -d /etc/httpd/alias -n ipaCert \
         -p /etc/httpd/alias/pwdfile.txt \
         -c dogtag-ipa-ca-renew-agent \
         -B /usr/lib64/ipa/certmonger/renew_ra_cert_pre \
         -C /usr/lib64/ipa/certmonger/renew_ra_cert

    HTH,
    Flo.

    > Thanks in advance for your help.
    >
    > Regards
    > Bertrand

Hello Florence,

Thanks for your reply.
Before making any mistakes, I just need some explanations, as I think I do not understand well how it should work.

Do all the certificates need to be tracked by certmonger on all servers, or should they only be tracked on one server and FreeIPA will update them on the other servers?

In my case I have the below certificates outdated and not tracked on "server 1":
   - certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "auditSigningCert cert-pki-ca"
   - certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "ocspSigningCert cert-pki-ca"
   - certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "subsystemCert cert-pki-ca"

They are tracked by certmonger and have been correctly renewed on "server 2".
Do I need to have them tracked by certmonger on "server 1" as well?
If not, does it mean FreeIPA failed to update them? Should I delete and import them manually on server 2?

If you need more details, do not hesitate to ask.

Hi Bertrand,

The certificate tracking depends on the type of certificate and on the server you're considering. For instance, if IPA includes a Certificate Authority, then ipaCert will be present on all the IPA servers (master/replicas) and tracked on all of them. The same ipaCert certificate is used on all the replicas. On the renewal master, the renewal operation actually renews the certificate and uploads the cert to LDAP, but on the other replicas the operation consists of downloading the new certificate from LDAP.

The HTTP and LDAP server certificates are present and tracked on all the IPA servers, but they are different on each server (you can see that the Subject of the certificate contains the hostname). They can be renewed independently on each IPA server.

The certificates used by Dogtag (the component providing the Certificate System) are present and tracked only on the IPA servers where the CA was set up (for instance if you installed a replica with --setup-ca or if you ran ipa-ca-install later on). The same certificates are used on all replicas containing a CA instance. They are: 'ocspSigningCert cert-pki-ca', 'subsystemCert cert-pki-ca', 'caSigningCert cert-pki-ca' and 'Server-Cert cert-pki-ca'. The renewal operation renews them on the renewal master and uploads them to LDAP, but just downloads them from LDAP on the other servers.

In your example, if server1 also contains a CA instance then it should also track the above certs.

You can find the renewal master with the following ldapsearch command:
$ ldapsearch -h localhost -p 389 -D 'cn=Directory Manager' -w password -b "cn=masters,cn=ipa,cn=etc,$BASEDN" -LLL '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn
dn: cn=CA,cn=ipaserver.fqdn,cn=masters,cn=ipa,cn=etc,$BASEDN

In this case the renewal master is ipaserver.fqdn

Hope this clarifies,
Flo.

Regards
Bertrand
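A check that follows from Florence's point above (certutil -L shows every certificate in an NSS database, getcert list only the ones certmonger tracks), written as an added example that is not part of the thread or of FreeIPA/certmonger: it parses constructed samples of both outputs and reports certificates certmonger is not tracking, plus tracked certificates already past their expiry. On a real server the two sample strings would be replaced by the live output of `certutil -L -d <dir>` and `getcert list -d <dir>`.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): compare the NSS database
# contents with certmonger's tracking requests for the same database.
export LC_ALL=C   # deterministic sort order

# Constructed sample of `certutil -L -d /var/lib/pki/pki-tomcat/alias` output.
CERTUTIL_SAMPLE='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u'

# Constructed sample of `getcert list -d /var/lib/pki/pki-tomcat/alias` output:
# only two of the five certificates are tracked, one of them already expired.
GETCERT_SAMPLE="Number of certificates and requests being tracked: 2.
Request ID '20161122095344':
        status: MONITORING
        key pair storage: type=NSSDB,location='/var/lib/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pinfile='/var/lib/pki/pki-tomcat/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/var/lib/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2018-06-11 22:59:55 UTC
Request ID '20141110133700':
        status: CA_UNREACHABLE
        key pair storage: type=NSSDB,location='/var/lib/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pinfile='/var/lib/pki/pki-tomcat/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/var/lib/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2016-10-30 13:35:29 UTC"

# Every nickname in the NSS database, sorted. An entry line ends with a trust
# column of SSL,S/MIME,JAR/XPI flags (e.g. "u,u,u" or "CTu,Cu,Cu"); the header
# lines do not, so matching on that column skips them.
nssdb_nicknames() {
    printf '%s\n' "$CERTUTIL_SAMPLE" |
    awk 'NF > 1 && $NF ~ /^[CTPcpu]*,[CTPcpu]*,[CTPcpu]*$/ {
             $NF = ""; sub(/[ \t]+$/, ""); print }' | sort
}

# Nicknames that have a certmonger tracking request in that database.
tracked_nicknames() {
    printf '%s\n' "$GETCERT_SAMPLE" |
    sed -n "s/.*key pair storage:.*nickname='\([^']*\)'.*/\1/p" | sort -u
}

# Set difference: present in the NSS database but unknown to certmonger.
untracked_nicknames() {
    { tracked_nicknames | sed 's/^/T /'; nssdb_nicknames | sed 's/^/D /'; } |
    awk '$1 == "T" { seen[substr($0, 3)] = 1; next }
         !(substr($0, 3) in seen) { print substr($0, 3) }'
}

# Tracked certificates whose "expires:" lies before $1 ("YYYY-MM-DD HH:MM:SS" UTC).
# getcert prints ISO-ordered timestamps, so a plain string compare is enough.
# Output per line: request id, nickname, status, expiry (tab-separated).
expired_tracked() {
    printf '%s\n' "$GETCERT_SAMPLE" |
    awk -v now="$1" -v q="'" '
        /^Request ID/       { id = $0; gsub(/[^0-9]/, "", id) }
        /^[ \t]*status:/    { st = $2 }
        /key pair storage:/ { match($0, "nickname=" q "[^" q "]*" q)
                              nick = substr($0, RSTART + 10, RLENGTH - 11) }
        /^[ \t]*expires:/   { ex = $2 " " $3
                              if (ex < now) print id "\t" nick "\t" st "\t" ex }'
}

NOW=$(date -u '+%Y-%m-%d %H:%M:%S')
echo "== In NSS DB but not tracked by certmonger =="; untracked_nicknames
echo "== Tracked but expired as of $NOW UTC =="; expired_tracked "$NOW"
```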


