[Freeipa-users] Need Help - CA_UNREACHABLE

2023-04-16 Thread Justin Sanderson via FreeIPA-users

THANKS IN ADVANCE FOR ANY HELP INFO YOU CAN PROVIDE!!

Greatly Appreciate!!


Ok. So after doing a LOT of reading and learning about FreeIPA the past 
2 days (yep, I inherited it), I was able to fix my problem of pki-tomcatd 
(Dogtag, I think it's called) so that it would start.


The pki-tomcatd service wouldn't start due to some cert issues. I was 
fortunate enough to figure out how to enable BasicAuth for now to get 
the service to start.. so that's a win.



My SETUP:

I have a single server instance as a VM. There are no replicas.

The FreeIPA configuration is:

1) No DNS BIND server - using external DNS via AD in /etc/resolv.conf

2)  We ARE running all other services

3) Self-signed CA configuration using Dogtag, I think it's called. There 
are no external certs being used.



ipactl start has no issues now after I fixed the pki-tomcatd start 
problem using BasicAuth (workaround)



PROBLEM :

When I run "getcert list" I have 3 that have status CA_UNREACHABLE and 
ALL of them are related to the /etc/pki/pki-tomcat/alias NSSDB.


They are set to expire in a few weeks so I need to figure this out.. 
needing some help.


The getcert list outputs a total of 9 or 10 certs so I don't think I'm 
missing anything.. Based off what I was able to find, it's common to 
have 8-10 certs in the output...?



Below are 2 of 3 certs that are going to expire soon and whose CA is in 
an UNREACHABLE state. They all use the same NSSDB.


**I have no idea where to start looking to fix this problem... which log 
file... how is it supposed to talk to the NSSDB? It's not a socket...?**


I'm worried that the certs will expire and I won't know how to fix it. 
or where to even look. HELP*!*!


I've seen several people posting already about certmonger not 
successfully tracking/renewing some certs, so I'm a bit concerned, 
especially given the CA_UNREACHABLE error.


How do I fix this:

1) manually generate new certs, and where do I put them?

2) why is the CA_UNREACHABLE on an NSSDB..? The files are there and 
intact. I can view the contents no prob.



getcert list output:

Request ID '20190621200128':
    status: CA_UNREACHABLE
    ca-error: Internal error
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=[SANITIZED DNS NAME]
    subject: CN=CA Audit,O=[SANITIZED DNS NAME]
    expires: 2023-05-04 12:52:47 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes

Request ID '20190621200129':
    status: CA_UNREACHABLE
    ca-error: Internal error
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=[SANITIZED DNS NAME]
    subject: CN=OCSP Subsystem,O=[SANITIZED DNS NAME]
    expires: 2023-05-04 12:53:17 UTC
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes



___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


[Freeipa-users] Re: Ansible FreeIPA Server + Replica

2023-04-16 Thread Finn Fysj via FreeIPA-users
Yes, so I managed to successfully install IPA server and replica using the two 
roles.
They're both master?

I know the replica's configuration is based on the master, but one of my problems 
is that:
- I use Idstart 6000 on my IPA server (master) and my replica does not follow 
this configuration, meaning when I try to create a user on both servers they 
start with different IDs. On the IPA server it'll have 6001 and on the replica it'll 
be 50001.


[Freeipa-users] Re: Proper way to update options on existing certificate

2023-04-16 Thread Sam Morris via FreeIPA-users
On Fri, 2023-04-14 at 17:54 +, Shawn Asmussen via FreeIPA-users
wrote:
> Our organization has a large number of existing certificates that we
> want to make modifications to the options for. Specifically, we have
> certificates used by a couple of different services, that we want to
> add in a service restart when the certificate auto-renews, and we
> also have a lot of certificates that were created before we knew
> about the options like -O/-M/etc... where we manually set file
> permissions on the certs after creation. I know how to do these
> things on a new cert request, using the various options, but I'd
> like to update these options on certificates that are already being
> tracked. The only way I've managed to do it so far is by using ipa-
> getcert resubmit, with the options that I want changed. However, this
> method results in the entire certificate being regenerated on the
> spot. If we had a small number of certs that we wanted to update,
> this wouldn't be a huge problem, but we have several different certs
> on a few thousand production systems that we want to update
> this way, and I'd prefer not to send 10,000 cert renewals up to the
> master server, and that would also end up making all of those
> thousands of certs auto renew at roughly the same time every year,
> which we consider to be undesirable. I assume that manual edits of
> the files in /var/lib/certmonger/requests is not the proper way to
> handle this, but what IS the correct way to make such modifications
> after the initial ipa-getcert request that created the certs
> originally?

You can update the properties of an existing tracking request with
'getcert start-tracking'. Use -i to identify the request and then add
any -M, -O, etc. options and the original request will be modified to
add/change those options.

-- 
Sam Morris 
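An added helper script covering both Justin's triage question (which tracked requests are in CA_UNREACHABLE, and when they expire) and Sam's answer about `getcert start-tracking -i`; it is not code from either thread or from FreeIPA/certmonger. It parses `getcert list` output and prints, rather than runs, the `start-tracking` commands that would apply new options to every request in a given status. The sample output is constructed; `-M` (file mode) and `-C` (post-save command) are existing getcert options, but the values passed are examples only.

```shell
# Constructed sample of `getcert list` output (two tracking requests), modelled
# on the fields shown in the thread; it is not a real capture.
sample_list() {
cat <<'EOF'
Request ID '20190621200128':
    status: CA_UNREACHABLE
    ca-error: Internal error
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    expires: 2023-05-04 12:52:47 UTC
    track: yes
    auto-renew: yes
Request ID '20230101120000':
    status: MONITORING
    certificate: type=FILE,location='/etc/pki/tls/certs/web.crt'
    CA: IPA
    expires: 2024-01-01 00:00:00 UTC
    track: yes
    auto-renew: yes
EOF
}

# Read `getcert list` output on stdin and print one "ID<TAB>expires<TAB>location"
# line for every request whose status equals $1 (e.g. CA_UNREACHABLE).
requests_with_status() {
    awk -v want="$1" -v q="'" '
        function flush() { if (id != "" && st == want) print id "\t" ex "\t" loc }
        $1 == "Request" && $2 == "ID" { flush(); id = $3; gsub(/[^0-9]/, "", id); st = ex = loc = "" }
        $1 == "status:"      { st = $2 }
        $1 == "expires:"     { ex = $2 " " $3 " " $4 }
        $1 == "certificate:" { loc = $0; sub(/.*location=./, "", loc)
                               i = index(loc, q); if (i) loc = substr(loc, 1, i - 1) }
        END { flush() }'
}

# Print (do not run) the `getcert start-tracking -i ID ...` command that would
# apply the given options to every tracked request in status $1.  Example:
#   getcert list | start_tracking_commands MONITORING -M 0640 -C 'systemctl restart httpd'
start_tracking_commands() {
    want="$1"; shift
    requests_with_status "$want" | while read -r id _rest; do
        printf 'getcert start-tracking -i %s' "$id"
        for opt; do printf " '%s'" "$opt"; done
        printf '\n'
    done
}
```

Review the printed commands, then pipe them to `sh` only once they look right; `getcert start-tracking -i` modifies the existing request in place and does not trigger a renewal, which is what makes it suitable for a fleet-wide change.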