[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-18 Thread Eric Boisvert via FreeIPA-users
Hi,

> Are they visible from the command-line, ipa cert-find ?

I see 202 entries, the same as in the web UI. None are valid. I see some REVOKED, 
some EXPIRED and others without a status.

> All Firefox or just one instance?

What do you mean by all Firefox? It's only when I connect to the FreeIPA web UI 
(freeipa.qc.lrtech.ca/ipa/ui/); my clients are working fine on Firefox.


I might have questions about SAMBA with LDAP and OpenVPN. Should I start a new 
thread for those?
They are all related to certificates and how to renew them for those services.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-18 Thread Rob Crittenden via FreeIPA-users
Eric Boisvert via FreeIPA-users wrote:
> Good morning,
> 
> That did the trick!
> 
> The root certificate and the IPA certificate were missing from 
> /etc/httpd/nssdb.
> 
> 
> Here are a few questions that I still have:
> 
> From what I can understand /etc/httpd/nssdb isn't a default database. Would 
> /etc/httpd/alias have been updated with ipa-certupdate?

/etc/httpd/alias is only updated by ipa-certupdate on an IPA server.

> 
> I can't see any valid certificates from the web interface of FreeIPA 
> (freeipa.qc.lrtech.ca/ipa/ui/#/e/cert/search) even though they are valid 
> according to certmonger (getcert list). Before, I was able to see them.

Are they visible from the command-line, ipa cert-find ?

> The documentation of ipa-certupdate says "Update local IPA certificate 
> databases with certificates from the server". From where on the server? Is it 
> in the LDAP server?

In LDAP under cn=certificates,cn=ipa,cn=etc,dc=example,dc=test

> Firefox is still showing me SEC_ERROR_REUSED_ISSUER_AND_SERIAL. Any idea other 
> than looking at the certificate serial? This is simply annoying, but not the 
> end of the world since Chrome is working just fine.

All Firefox or just one instance?

rob

> 
> Thanks again for your time.
> Eric
> 
> 
> 
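Rob's question about Firefox concerns SEC_ERROR_REUSED_ISSUER_AND_SERIAL, which NSS raises when a certificate it has cached shares issuer DN and serial number with a newly presented one but differs in content. As an added example (not code from the thread or from FreeIPA), the Python below reads issuer and serial straight out of DER-encoded certificates and reports such collisions; the helper names are mine, and the sample certificates are constructed stand-ins whose issuer CN mirrors the "CN=Certificate Authority" issuer in Eric's getcert output.

```python
"""Detect certificates that reuse an (issuer, serial) pair with different contents.

Firefox's SEC_ERROR_REUSED_ISSUER_AND_SERIAL means a certificate it already holds
shares issuer DN and serial number with the one just presented but is not
byte-identical, which happens when a CA is recreated with the same subject name
and its serial counter starts over. This walks each certificate's DER just far
enough to read those two fields and groups on them.
"""
import hashlib


def der_tlv(buf, pos=0):
    """Decode one DER element at buf[pos]; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(body):
    """Yield (tag, value) for each element inside a SEQUENCE/SET body."""
    pos = 0
    while pos < len(body):
        tag, value, pos = der_tlv(body, pos)
        yield tag, value


def issuer_and_serial(cert_der):
    """Return (issuer_name_der, serial_int) from a DER-encoded certificate.

    tbsCertificate = SEQUENCE { [0] version OPTIONAL, serialNumber INTEGER,
    signature AlgorithmIdentifier, issuer Name, ... }; later fields are ignored.
    """
    _, cert_body, _ = der_tlv(cert_der)
    _, tbs, _ = der_tlv(cert_body)
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                # EXPLICIT [0] version present (v2/v3)
        fields = fields[1:]
    (serial_tag, serial), _, (issuer_tag, issuer) = fields[:3]
    if serial_tag != 0x02 or issuer_tag != 0x30:
        raise ValueError("unexpected tbsCertificate layout")
    return issuer, int.from_bytes(serial, "big", signed=True)


def find_reused_issuer_serial(certs):
    """Map (issuer_der, serial) -> sorted SHA-256 fingerprints for every pair
    that occurs with more than one distinct certificate body."""
    groups = {}
    for cert in certs:
        groups.setdefault(issuer_and_serial(cert), set()).add(
            hashlib.sha256(cert).hexdigest())
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


# --- constructed sample input (not real certificates) -------------------------
def der(tag, content):
    """Encode one DER element; used only to build the sample certificates."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here one commonName."""
    atv = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, atv))


def fake_cert(serial, issuer_cn, subject_cn, not_before):
    """Stand-in with a real certificate's leading tbsCertificate layout.

    The signature algorithm/value are placeholders: it parses like a certificate
    but is not a verifiable one.
    """
    sha256_with_rsa = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    validity = der(0x30, der(0x17, not_before) + der(0x17, b"240316131747Z"))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, serial.to_bytes(2, "big"))
           + sha256_with_rsa + name(issuer_cn) + validity + name(subject_cn))
    return der(0x30, der(0x30, tbs) + sha256_with_rsa + der(0x03, b"\x00"))


SAMPLE_CERTS = [
    # Issued by the original CA and still cached by the browser.
    fake_cert(7, "Certificate Authority", "client.qc.lrtech.ca", b"211130131728Z"),
    # Same issuer name and serial, issued by the recreated CA: the collision.
    fake_cert(7, "Certificate Authority", "client.qc.lrtech.ca", b"220316131747Z"),
    # Different serial under the same issuer: no conflict.
    fake_cert(8, "Certificate Authority", "freeipa.qc.lrtech.ca", b"220316131747Z"),
]


if __name__ == "__main__":
    for (issuer, serial), fps in find_reused_issuer_serial(SAMPLE_CERTS).items():
        print("serial %d reused under issuer %s:" % (serial, issuer.hex()), fps)
```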


[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-18 Thread Eric Boisvert via FreeIPA-users
Good morning,

That did the trick!

The root certificate and the IPA certificate were missing from /etc/httpd/nssdb.


Here are a few questions that I still have:

From what I can understand /etc/httpd/nssdb isn't a default database. Would 
/etc/httpd/alias have been updated with ipa-certupdate?

I can't see any valid certificates from the web interface of FreeIPA 
(freeipa.qc.lrtech.ca/ipa/ui/#/e/cert/search) even though they are valid 
according to certmonger (getcert list). Before, I was able to see them.

The documentation of ipa-certupdate says "Update local IPA certificate databases 
with certificates from the server". From where on the server? Is it in the LDAP 
server?

Firefox is still showing me SEC_ERROR_REUSED_ISSUER_AND_SERIAL. Any idea other 
than looking at the certificate serial? This is simply annoying, but not the 
end of the world since Chrome is working just fine.

Thanks again for your time.
Eric





[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-17 Thread Rob Crittenden via FreeIPA-users
Eric Boisvert via FreeIPA-users wrote:
> Good afternoon,
> 
> The configuration seems to have been put in /etc/httpd/client.conf; see below:
> 
>> 
>>  
>>  ServerName client
>>
>>  NSSEnforceValidCerts off
>>
>>  NSSEngine on
>>
>>  NSSCipherSuite 
>> +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sh$
>>  NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>>
>>  NSSNickname Server-Cert
>>
>>  NSSCertificateDatabase /etc/httpd/nssdb
>>
>>  Redirect permanent / https://client.qc.lrtech.ca/
>>  
>>
>>  
>>  ServerName client.qc.lrtech.ca
>>
>>  NSSEnforceValidCerts off
>>
>>  NSSEngine on
>>
>>  NSSCipherSuite 
>> +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha$
>>  NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>>
>>  NSSNickname Server-Cert
>>
>>  NSSCertificateDatabase /etc/httpd/nssdb
>>  ProxyRequests Off
>>
>>  ProxyPreserveHost On
>>  
>>  Order deny,allow
>>  #Deny from all
>>  Allow from all
>>  
>>  ProxyPass   / http://127.0.0.1:8169/ retry=0
>>  ProxyPassReverse/ http://127.0.0.1:8169/ retry=0
>>  
>> 
> 
> I tried to restart httpd, certmonger, and my browser but without success.
> 
> 
> When I do ipa-getcert resubmit -i  am I supposed to see something change at 
> freeipa.qc.lrtech.ca/ipa/ui/#/e/cert/search? All I can see is Expired, 
> Revoked and greyed out certificates.

ipa-certupdate doesn't update /etc/httpd/nssdb which is why it is
missing parts of the chain. I'd suggest adding those certificates
manually which IIRC you've already done elsewhere. With NSS of the EL7
era, each database is independent.

getcert list -i  will tell you the current status and issue date of
the certificate so you can tell whether one was re-issued. If it isn't
in MONITORING then something went wrong.

Alternatively you can add -w -v to the end of the resubmit request to
watch it in real-time.

rob
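Rob's point that each EL7-era NSS database is independent means each one a service reads has to be checked on its own. As an added example (not code from the thread or from FreeIPA), the Python below parses `certutil -L -d <dir>` listings and reports missing CAs, a missing or key-less server cert, and nicknames that appear twice; the sample listings are constructed from the outputs Eric posted (wrapped lines rejoined, e-mail components of the DN nicknames left out), and the required nicknames are assumed to be the ones the host actually uses.

```python
"""Audit `certutil -L -d <dir>` listings for a complete, correctly trusted chain.

Each EL7-era NSS database is independent, so the database a service actually
reads (NSSCertificateDatabase in its mod_nss config) must itself hold the trusted
root and IPA CA next to the Server-Cert; ipa-certupdate will not fill it in.
"""
import re
from collections import Counter

# Trust letters certutil prints per slot (SSL, S/MIME, JAR/XPI): C = trusted CA
# for SSL servers, T = trusted CA for client auth, c = valid CA, u = user cert
# (private key present), p/P = valid/trusted peer, w = warn.
TRUST_RE = re.compile(r"^[CTcuPpw]*,[CTcuPpw]*,[CTcuPpw]*$")


def parse_certutil_listing(text):
    """Return [(nickname, (ssl, smime, jar)), ...] from certutil -L output.

    Nicknames may contain spaces and commas (DN-style nicknames as seen in
    /etc/ipa/nssdb), so the trust column is the LAST whitespace-delimited
    token; lines whose last token is not a trust triple are headers.
    """
    entries = []
    for line in text.splitlines():
        parts = line.strip().rsplit(None, 1)
        if len(parts) != 2 or not TRUST_RE.match(parts[1]):
            continue
        ssl, smime, jar = parts[1].split(",")
        entries.append((parts[0].rstrip(), (ssl, smime, jar)))
    return entries


def audit_db(listing, server_nick, required_cas):
    """Return human-readable findings for one database; [] means it looks right."""
    entries = parse_certutil_listing(listing)
    flags = dict(entries)
    findings = []

    # The same nickname twice usually means an old and a new CA cert coexist (as in
    # the thread's /etc/ipa/nssdb); nicknames alone cannot tell which is current.
    for nick, count in Counter(nick for nick, _ in entries).items():
        if count > 1:
            findings.append("nickname %r appears %d times" % (nick, count))

    if server_nick:
        if server_nick not in flags:
            findings.append("server cert %r missing" % server_nick)
        elif "u" not in flags[server_nick][0]:
            findings.append("server cert %r has no private key ('u' flag)" % server_nick)

    for ca in required_cas:
        if ca not in flags:
            findings.append("CA %r missing, chain incomplete" % ca)
        elif "C" not in flags[ca][0]:
            findings.append("CA %r not trusted for SSL (flags %s)"
                            % (ca, ",".join(flags[ca])))
    return findings


# Constructed listings modelled on the thread's certutil -L output.
HTTPD_NSSDB = """
Certificate Nickname                                 Trust Attributes
                                                     SSL,S/MIME,JAR/XPI

LR Tech ROOT CA                                      CT,C,C
QC.LRTECH.CA IPA CA                                  CT,C,C
Server-Cert                                          u,u,u
"""

HTTPD_ALIAS = """
Certificate Nickname                                 Trust Attributes
                                                     SSL,S/MIME,JAR/XPI

cacert                                               CTu,Cu,Cu
beta                                                 u,pu,u
Server-Cert                                          u,u,u
"""

IPA_NSSDB = """
Certificate Nickname                                 Trust Attributes
                                                     SSL,S/MIME,JAR/XPI

CN=LR Tech inc. ROOT CA,OU=Intranet,O=LR Tech inc.,L=Levis,ST=QC,C=CA CT,C,C
QC.LRTECH.CA IPA CA                                  CT,C,C
QC.LRTECH.CA IPA CA                                  CT,C,C
CN=LR Tech inc. ROOT CA 2022,OU=Intranet,O=LR Tech inc.,L=Levis,ST=QC,C=CA CT,C,C
"""

REQUIRED_CAS = ["LR Tech ROOT CA", "QC.LRTECH.CA IPA CA"]


def audit_all():
    """Audit the three databases the thread inspected; returns {db: findings}."""
    return {
        "/etc/httpd/nssdb": audit_db(HTTPD_NSSDB, "Server-Cert", REQUIRED_CAS),
        "/etc/httpd/alias": audit_db(HTTPD_ALIAS, "Server-Cert", REQUIRED_CAS),
        "/etc/ipa/nssdb": audit_db(IPA_NSSDB, None, ["QC.LRTECH.CA IPA CA"]),
    }


if __name__ == "__main__":
    for db, findings in audit_all().items():
        print(db, "->", findings or "OK")
```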


[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-17 Thread Eric Boisvert via FreeIPA-users
Good afternoon,

The configuration seems to have been put in /etc/httpd/client.conf; see below:

> 
>   
>   ServerName client
> 
>   NSSEnforceValidCerts off
> 
>   NSSEngine on
> 
>   NSSCipherSuite 
> +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sh$
>   NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
> 
>   NSSNickname Server-Cert
> 
>   NSSCertificateDatabase /etc/httpd/nssdb
> 
>   Redirect permanent / https://client.qc.lrtech.ca/
>   
> 
>   
>   ServerName client.qc.lrtech.ca
> 
>   NSSEnforceValidCerts off
> 
>   NSSEngine on
> 
>   NSSCipherSuite 
> +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha$
>   NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
> 
>   NSSNickname Server-Cert
> 
>   NSSCertificateDatabase /etc/httpd/nssdb
>   ProxyRequests Off
> 
>   ProxyPreserveHost On
>   
>   Order deny,allow
>   #Deny from all
>   Allow from all
>   
>   ProxyPass   / http://127.0.0.1:8169/ retry=0
>   ProxyPassReverse/ http://127.0.0.1:8169/ retry=0
>   
> 

I tried to restart httpd, certmonger, and my browser but without success.


When I do ipa-getcert resubmit -i  am I supposed to see something change at 
freeipa.qc.lrtech.ca/ipa/ui/#/e/cert/search? All I can see is Expired, Revoked 
and greyed out certificates.

Eric


[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-17 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

I hope I got everything right: on client.qc.lrtech.ca you have configured apache, and it
should be using a certificate delivered by IPA and monitored by certmonger.

Certmonger is monitoring the cert 'Server-Cert' that is stored in the NSS
database */etc/httpd/nssdb*. From your description, it looks like the DB
contains the cert that you expect (recently renewed).

When clients connect to your apache server, they see that it's using an old
cert. You mention the */etc/httpd/alias/* NSS database. So how is apache
configured? If apache is using mod_nss, the configuration is usually stored
in

/etc/httpd/conf.d/nss.conf

and contains
NSSNickname='Server-Cert'
NSSCertificateDatabase ...

You need to ensure that NSSCertificateDatabase contains the right path,
*/etc/httpd/nssdb*.

flo

On Thu, Mar 17, 2022 at 2:40 PM Eric Boisvert via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> Good morning,
>
> > if you run "ipa-cacert-manage install -t CT,C,C /path/to/newrootca.pem",
> > the new root CA will be loaded in the LDAP server with the right trust
> > flags. Then "ipa-certupdate" will download it from the LDAP server and
> put
> > it into all the relevant NSS databases / files with the right trust
> flags.
>
> I tried to run ipa-cacert-manage install -t CT,C,C /path/to/newrootca.pem
> but I got:
> Not a valid CA certificate: (SEC_ERROR_UNTRUSTED_ISSUER) Peer's
> certificate issuer has been marked as not trusted by the user.
>
> I don't have any pem file. I use the crt; is that ok?
>
>
> > There is no real need to remove the old CA certs, even if they expired.
> But
> > if you really want to clean up things, you need to remove them from the
> > LDAP server. They are located in cn=certificates,cn=ipa,cn=etc,$BASEDN
> and
> > you will need to find the right LDAP entry/entries and delete them with
> > ldapdelete.
>
> The certificates that I'm trying to remove are not old ones but new ones
> that I didn't create correctly.
>
> One was from March 4th and does not overlap the old one.
> One was from March 1st but had the wrong extensions.
>
> I tried to use ldapsearch but I need more time to fully understand how it
> works since it's the first time I'm using it.
>
>
> > Which "old certificate" are you referring to? Are you accessing IPA at
> > https:///ipa/ui or accessing a service deployed on your client
> > and protected by the client certificate?
>
> I'm accessing a service on my client. I was able to renew its certificates
> but it's still showing me the old certificate chain in Firefox and Chrome.
> At least the LDAP is working since we can now connect users to the service.
>
> See getcert list output on my client below:
>
> > # getcert list
> > Number of certificates and requests being tracked: 1.
> > Request ID '20211130131728':
> > status: MONITORING
> > stuck: no
> > key pair storage:
> type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/nssdb/pwdfile.txt'
> > certificate:
> type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert',token='NSS
> Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=QC.LRTECH.CA
> > subject: CN=client.qc.lrtech.ca,O=QC.LRTECH.CA
> > expires: 2024-03-16 13:17:47 UTC
> > dns: client.qc.lrtech.ca
> > principal name: HTTP/client.qc.lrtech...@qc.lrtech.ca
> > key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
>
> See # certutil -L -d /etc/httpd/nssdb/ output below (Bad root and ipa
> certificates, but good server-cert):
> Should I add my new root and ipa certificate manually?
>
> > Certificate Nickname   Trust Attributes
> >
>  SSL,S/MIME,JAR/XPI
> >
> > LR Tech ROOT CA  CT,C,C
> > QC.LRTECH.CA IPA CA   CT,C,C
> > Server-Cert  u,u,u
>
> See # certutil -L -d /etc/httpd/alias/ output below (Old server-cert from
> 2021 and example certificates):
>
> > Certificate NicknameTrust Attributes
> >
> SSL,S/MIME,JAR/XPI
> >
> > cacertCTu,Cu,Cu
> > beta   u,pu,u
> > alpha u,pu,u
> > Server-Certu,u,u
>
> See # certutil -L -d /etc/ipa/nssdb/ output below (2 New and 2 old
> certificates everything is ok but done manually):
>
> > Certificate Nickname   Trust Attributes
> >
>  SSL,S/MIME,JAR/XPI
> >
> > E=ad...@lrtech.ca,CN=LR Tech inc. ROOT CA,OU=Intranet,O=LR Tech
> inc.,L=Levis,ST=QC,C=CA CT,C,C
> > QC.LRTECH.CA IPA CA   CT,C,C
> > 

[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-17 Thread Eric Boisvert via FreeIPA-users
Good morning,

> if you run "ipa-cacert-manage install -t CT,C,C /path/to/newrootca.pem",
> the new root CA will be loaded in the LDAP server with the right trust
> flags. Then "ipa-certupdate" will download it from the LDAP server and put
> it into all the relevant NSS databases / files with the right trust flags.

I tried to run ipa-cacert-manage install -t CT,C,C /path/to/newrootca.pem but I 
got:
Not a valid CA certificate: (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate 
issuer has been marked as not trusted by the user.

I don't have any pem file. I use the crt; is that ok?


> There is no real need to remove the old CA certs, even if they expired. But
> if you really want to clean up things, you need to remove them from the
> LDAP server. They are located in cn=certificates,cn=ipa,cn=etc,$BASEDN and
> you will need to find the right LDAP entry/entries and delete them with
> ldapdelete.

The certificates that I'm trying to remove are not old ones but new ones that I 
didn't create correctly.

One was from March 4th and does not overlap the old one.
One was from March 1st but had the wrong extensions.

I tried to use ldapsearch but I need more time to fully understand how it works 
since it's the first time I'm using it.


> Which "old certificate" are you referring to? Are you accessing IPA at
> https:///ipa/ui or accessing a service deployed on your client
> and protected by the client certificate?

I'm accessing a service on my client. I was able to renew its certificates but 
it's still showing me the old certificate chain in Firefox and Chrome. At 
least the LDAP is working since we can now connect users to the service.

See getcert list output on my client below:

> # getcert list
> Number of certificates and requests being tracked: 1.
> Request ID '20211130131728':
> status: MONITORING
> stuck: no
> key pair storage: 
> type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert',token='NSS 
> Certificate DB',pinfile='/etc/httpd/nssdb/pwdfile.txt'
> certificate: 
> type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert',token='NSS 
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=QC.LRTECH.CA
> subject: CN=client.qc.lrtech.ca,O=QC.LRTECH.CA
> expires: 2024-03-16 13:17:47 UTC
> dns: client.qc.lrtech.ca
> principal name: HTTP/client.qc.lrtech...@qc.lrtech.ca
> key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes

See # certutil -L -d /etc/httpd/nssdb/ output below (Bad root and ipa 
certificates, but good server-cert):
Should I add my new root and ipa certificate manually?

> Certificate Nickname   Trust Attributes
> 
> SSL,S/MIME,JAR/XPI
> 
> LR Tech ROOT CA  CT,C,C
> QC.LRTECH.CA IPA CA   CT,C,C
> Server-Cert  u,u,u

See # certutil -L -d /etc/httpd/alias/ output below (Old server-cert from 2021 
and example certificates):

> Certificate NicknameTrust Attributes
>  
> SSL,S/MIME,JAR/XPI
>
> cacertCTu,Cu,Cu
> beta   u,pu,u
> alpha u,pu,u
> Server-Certu,u,u

See # certutil -L -d /etc/ipa/nssdb/ output below (2 New and 2 old certificates 
everything is ok but done manually):

> Certificate Nickname   Trust Attributes
> SSL,S/MIME,JAR/XPI
>
> E=ad...@lrtech.ca,CN=LR Tech inc. ROOT CA,OU=Intranet,O=LR Tech 
> inc.,L=Levis,ST=QC,C=CA CT,C,C
> QC.LRTECH.CA IPA CA   CT,C,C
> QC.LRTECH.CA IPA CA   CT,C,C
> E=ad...@lrtech.ca,CN=LR Tech inc. ROOT CA 2022,OU=Intranet,O=LR Tech 
> inc.,L=Levis,ST=QC,C=CA CT,C,C

/etc/pki/nssdb is empty
No /etc/dirsrv/SLAPD-XX/


Eric


[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-16 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

On Wed, Mar 16, 2022 at 3:14 PM Eric Boisvert via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> Sorry for the third reply in a row,
>
> A coworker was able to fix the
>
> GSSError: Major (851968): Unspecified GSS failure.  Minor code may provide
> more information, Minor (2529639122): Generic preauthentication failure
>
> by doing
>
> # kinit admin
> # mv /etc/krb5.keytab /etc/krb5.keytab-BACKUP
> # ipa-getkeytab -s freeipa.qc.lrtech.ca -p host/
> client.qc.lrtech...@qc.lrtech.ca -k /etc/krb5.keytab
>
> and I was able to fix
>
> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as
> not trusted
> by the user.)
>
> by manually adding my root CA to /etc/ipa/nssdb with the command
>
> # certutil -A -i  -t CT,C,C -d /etc/ipa/nssdb -n "E=ad...@lrtech.ca,CN=LR
> Tech inc. ROOT CA 2022,OU=Intranet,O=LR Tech inc.,L=Levis,ST=QC,C=CA"
>
> After that the ipa-certupdate command was successful, but those old
> certificates that I talked about earlier came back and I had to manually
> delete them. Again I had to modify my root CA in /etc/ipa/nssdb
> because it lost its trusted attributes CT,C,C
>

if you run "ipa-cacert-manage install -t CT,C,C /path/to/newrootca.pem",
the new root CA will be loaded in the LDAP server with the right trust
flags. Then "ipa-certupdate" will download it from the LDAP server and put
it into all the relevant NSS databases / files with the right trust flags.

There is no real need to remove the old CA certs, even if they expired. But
if you really want to clean up things, you need to remove them from the
LDAP server. They are located in cn=certificates,cn=ipa,cn=etc,$BASEDN and
you will need to find the right LDAP entry/entries and delete them with
ldapdelete.


> Then I was able to resubmit my client certificate to FreeIPA. Hooray!!!
>
>
> Am I supposed to do all that manual work?
> Is there an IPA command to remove those annoying certificates and
> save my root CA's trusted state?
>
> My client can now communicate with my FreeIPA, but it's still giving me my
> old certificate when I access its URL in Firefox or Chrome.
> Should I manually add my root CA to another database?
>
Which "old certificate" are you referring to? Are you accessing IPA at
https:///ipa/ui or accessing a service deployed on your client
and protected by the client certificate?

flo

>
> /etc/ipa/nssdb - root CA is present
> /etc/httpd/alias - Not here
> /etc/httpd/nssdb - Not here
>
> Eric


[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-16 Thread Eric Boisvert via FreeIPA-users
Sorry for the third reply in a row,

A coworker was able to fix the

GSSError: Major (851968): Unspecified GSS failure.  Minor code may provide more 
information, Minor (2529639122): Generic preauthentication failure

by doing

# kinit admin
# mv /etc/krb5.keytab /etc/krb5.keytab-BACKUP
# ipa-getkeytab -s freeipa.qc.lrtech.ca -p 
host/client.qc.lrtech...@qc.lrtech.ca -k /etc/krb5.keytab

and I was able to fix

((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not 
trusted
by the user.)

by manually adding my root CA to /etc/ipa/nssdb with the command

# certutil -A -i  -t CT,C,C -d /etc/ipa/nssdb -n "E=ad...@lrtech.ca,CN=LR Tech 
inc. ROOT CA 2022,OU=Intranet,O=LR Tech inc.,L=Levis,ST=QC,C=CA"

After that the ipa-certupdate command was successful, but those old 
certificates that I talked about earlier came back and I had to manually delete 
them. Again I had to modify my root CA in /etc/ipa/nssdb because it lost 
its trusted attributes CT,C,C

Then I was able to resubmit my client certificate to FreeIPA. Hooray!!!


Am I supposed to do all that manual work?
Is there an IPA command to remove those annoying certificates and save my 
root CA's trusted state?

My client can now communicate with my FreeIPA, but it's still giving me my old 
certificate when I access its URL in Firefox or Chrome.
Should I manually add my root CA to another database?

/etc/ipa/nssdb - root CA is present
/etc/httpd/alias - Not here
/etc/httpd/nssdb - Not here

Eric


[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-16 Thread Eric Boisvert via FreeIPA-users
Good morning,

Little update.

My client's time wasn't synchronized with NTP. After fixing that I got a new error 
message.

((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not 
trusted by the user.)

See ipa-certupdate -v output below:

> # ipa-certupdate -v
> ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: Not logging to a file
> ipa: DEBUG: Loading Index file from 
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:ad...@qc.lrtech.ca
> ipa: DEBUG: Process finished, return code=1
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=keyctl_search: Required key not available
> 
> ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: failed to find 
> session_cookie in persistent storage for principal 'ad...@qc.lrtech.ca'
> ipa.ipaclient.plugins.rpcclient.rpcclient: INFO: trying 
> https://freeipa.qc.lrtech.ca/ipa/json
> ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: Created connection 
> context.rpcclient_52339344
> ipa.ipaclient.plugins.rpcclient.rpcclient: INFO: Forwarding 'schema' to json 
> server 'https://freeipa.qc.lrtech.ca/ipa/json'
> ipa: DEBUG: NSSConnection init freeipa.qc.lrtech.ca
> ipa: DEBUG: Connecting: X.X.X.X:0
> ipa: ERROR: cert validation failed for 
> "CN=freeipa.qc.lrtech.ca,O=QC.LRTECH.CA" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's 
> certificate issuer has been marked as not trusted by the user.)
> ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: Destroyed connection 
> context.rpcclient_52339344
> ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG:   File 
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in 
> execute
> return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipaclient/ipa_certupdate.py", line 
> 54, in run
> api.finalize()
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 707, in 
> finalize
> self.__do_if_not_done('load_plugins')
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 422, in 
> __do_if_not_done
> getattr(self, name)()
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 585, in 
> load_plugins
> for package in self.packages:
>   File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 919, in 
> packages
> ipaclient.remote_plugins.get_package(self),
>   File 
> "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 
> 118, in get_package
> plugins = schema.get_package(server_info, client)
>   File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", 
> line 543, in get_package
> schema = Schema(client)
>   File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", 
> line 387, in __init__
> fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
>   File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", 
> line 426, in _fetch
> schema = client.forward(u'schema', **kwargs)['result']
>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1000, in forward
> raise NetworkError(uri=server, error=str(e))
> 
> ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: The ipa-certupdate command 
> failed, exception: NetworkError: cannot connect to 
> 'https://freeipa.qc.lrtech.ca/ipa/json': (SEC_ERROR_UNTRUSTED_ISSUER) Peer's 
> certificate issuer has been marked as not trusted by the user.
> ipa.ipaclient.ipa_certupdate.CertUpdate: ERROR: cannot connect to 
> 'https://freeipa.qc.lrtech.ca/ipa/json': (SEC_ERROR_UNTRUSTED_ISSUER) Peer's 
> certificate issuer has been marked as not trusted by the user.
> ipa.ipaclient.ipa_certupdate.CertUpdate: ERROR: The ipa-certupdate command 
> failed.

My client is able to ping my FreeIPA server. I tried to manually add my root 
certificate to /etc/pki/ca-trust/source/anchors and did an update-ca-trust 
extract.

Should I restart some service to apply change?

Eric


[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-15 Thread Eric Boisvert via FreeIPA-users
Good afternoon,

> Firefox stores the trusted CAs and you can manually remove the conflicting
> one: Edit > Settings > Privacy & Security > Certificates > View
> Certificates...
> In the Authorities tab, you can look for your original root CA (for which
> the key was lost) / the one that you created with the same subject name,
> and remove it.

None of my certificates were in the Firefox trusted store, so I added the new root 
CA. I tried to restart Firefox but still got the error.

See ipa-certupdate -v output below:

> # ipa-certupdate -v
> ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: Not logging to a file
> ipa: DEBUG: Loading Index file from 
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:ad...@qc.lrtech.ca
> ipa: DEBUG: Process finished, return code=1
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=keyctl_search: Required key not available
> 
> ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: failed to find 
> session_cookie in persistent storage for principal 'ad...@qc.lrtech.ca'
> ipa.ipaclient.plugins.rpcclient.rpcclient: INFO: trying 
> https://freeipa.qc.lrtech.ca/ipa/json
> ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: Created connection 
> context.rpcclient_45621904
> ipa.ipaclient.plugins.rpcclient.rpcclient: INFO: Forwarding 'schema' to json 
> server 'https://freeipa.qc.lrtech.ca/ipa/json'
> ipa: DEBUG: NSSConnection init freeipa.qc.lrtech.ca
> ipa: DEBUG: Connecting: 192.168.254.203:0
> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
> ipa: DEBUG: cert valid True for "CN=freeipa.qc.lrtech.ca,O=QC.LRTECH.CA"
> ipa: DEBUG: handshake complete, peer = 192.168.254.203:443
> ipa: DEBUG: Protocol: TLS1.2
> ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> ipa: DEBUG: received Set-Cookie 
> 'ipa_session=bd05b8f4e89ed6380efa3d2dbcf7176f; Domain=freeipa.qc.lrtech.ca; 
> Path=/ipa; Expires=Tue, 15 Mar 2022 16:37:05 GMT; Secure; HttpOnly'
> ipa: DEBUG: storing cookie 'ipa_session=bd05b8f4e89ed6380efa3d2dbcf7176f; 
> Domain=freeipa.qc.lrtech.ca; Path=/ipa; Expires=Tue, 15 Mar 2022 16:37:05 
> GMT; Secure; HttpOnly' for principal ad...@qc.lrtech.ca
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:ad...@qc.lrtech.ca
> ipa: DEBUG: Process finished, return code=1
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=keyctl_search: Required key not available
> 
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:ad...@qc.lrtech.ca
> ipa: DEBUG: Process finished, return code=1
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=keyctl_search: Required key not available
> 
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=keyctl padd user ipa_session_cookie:ad...@qc.lrtech.ca @s
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=253871631
> 
> ipa: DEBUG: stderr=
> ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: Destroyed connection 
> context.rpcclient_45621904
> ipa: DEBUG: importing all plugin modules in 
> ipaclient.remote_plugins.schema$ed0ad850...
> ipa: DEBUG: importing plugin module 
> ipaclient.remote_plugins.schema$ed0ad850.plugins
> ipa: DEBUG: importing all plugin modules in ipaclient.plugins...
> ipa: DEBUG: importing plugin module ipaclient.plugins.automember
> ipa: DEBUG: importing plugin module ipaclient.plugins.automount
> ipa: DEBUG: importing plugin module ipaclient.plugins.cert
> ipa: DEBUG: importing plugin module ipaclient.plugins.certprofile
> ipa: DEBUG: importing plugin module ipaclient.plugins.dns
> ipa: DEBUG: importing plugin module ipaclient.plugins.hbacrule
> ipa: DEBUG: importing plugin module ipaclient.plugins.hbactest
> ipa: DEBUG: importing plugin module ipaclient.plugins.host
> ipa: DEBUG: importing plugin module ipaclient.plugins.idrange
> ipa: DEBUG: importing plugin module ipaclient.plugins.internal
> ipa: DEBUG: importing plugin module ipaclient.plugins.location
> ipa: DEBUG: importing plugin module ipaclient.plugins.migration
> ipa: DEBUG: importing plugin module ipaclient.plugins.misc
> ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken
> ipa: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
> ipa: DEBUG: importing plugin module ipaclient.plugins.passwd
> ipa: DEBUG: importing plugin module ipaclient.plugins.permission
> ipa: DEBUG: importing plugin module ipaclient.plugins.rpcclient
> ipa: DEBUG: importing plugin module ipaclient.plugins.server
> ipa: DEBUG: importing plugin module ipaclient.plugins.service
> ipa: DEBUG: importing plugin module ipaclient.plugins.sudorule
> ipa: DEBUG: importing plugin module ipaclient.plugins.topology
> ipa: DEBUG: importing plugin module ipaclient.plugins.trust
> ipa: DEBUG: importing plugin module ipaclient.plugins.user
> ipa: DEBUG: importing plugin module ipaclient.plugins.vault
> ipa: DEBUG: Initializing principal host/client.qc.lrtech...@qc.lrtech.ca 
> using keytab 

[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-15 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

On Tue, Mar 15, 2022 at 2:19 PM Eric Boisvert via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Good morning,
>
> I don't know what happened, but this morning the ipa cert-show 1 command
> is working and it's showing an old certificate.
>
That's normal as the cert with serial = 1 is the one created when IPA
server was installed and the IPA CA got created.


> Also the CMS error is gone on the FreeIPA server.
>
> Firefox is still showing the error message.
>
Firefox stores the trusted CAs and you can manually remove the conflicting
one: Edit > Settings > Privacy & Security > Certificates > View
Certificates...
In the Authorities tab, you can look for your original root CA (for which
the key was lost) / the one that you created with the same subject name,
and remove it.


> After copying the /etc/pki/ca-trust/source/ipa.p11-kit from the server to
> a client
> Doing the kinit
> Running update-ca-trust
> Running ipa-certupdate
>
> I still got Major (851968): Unspecified GSS failure. Minor code may
> provide more information, Minor (2529639122): Generic preauthentication
> failure
>
With this version of IPA, you need to run kinit admin before
ipa-certupdate. If this doesn't solve the issue, please paste the output of
ipa-certupdate -v, it will help troubleshoot.

flo


> Should I go back in time on the client server or is it possible to be at
> the current time when doing the manipulation?
>
> I guess there is something wrong with how my clients are set up and that
> I'm really close to fixing almost everything.
>
> Eric


[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-15 Thread Eric Boisvert via FreeIPA-users
Good morning,

I don't know what happened, but this morning the ipa cert-show 1 command is 
working and it's showing an old certificate.

Also the CMS error is gone on the FreeIPA server.

Firefox is still showing the error message.

After copying the /etc/pki/ca-trust/source/ipa.p11-kit from the server to a 
client
Doing the kinit
Running update-ca-trust
Running ipa-certupdate

I still got Major (851968): Unspecified GSS failure. Minor code may provide 
more information, Minor (2529639122): Generic preauthentication failure

Should I go back in time on the client server or is it possible to be at the 
current time when doing the manipulation?

I guess there is something wrong with how my clients are set up and that I'm 
really close to fixing almost everything.

Eric


[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-14 Thread Eric Boisvert via FreeIPA-users
> What is the serial number for the two "QC.LRTECH.CA IPA CA"
> certificates? Are they different? If not that would explain the Firefox
> error.

They are different:
Serial Number: 4098 (0x1002)
 Serial Number: 00:8a:58:8a:64:a9:7d:dc:a0

> On the IPA server with the CA up, does ipa cert-show 1 work?
>
> If not we need to work on that first. It means the CA isn't quite
> functioning despite the renewed certificates.

No, ipa: ERROR: Certificate operation cannot be completed: Unable to communicate 
with CMS (500)

> With the renewed certificates you shouldn't have to fiddle with time
> anymore. Do basic operations work on the server with current time?

What are basic operations?

I can do ipactl restart, status without problem.
I can do getcert list.
kinit is working.
certutil is working too

> I'm not sure if this is a typo or not, # certutil -L -d /etc/httpd/nssdb
> 
> Did you mean /etc/pki/nssdb?

It wasn't a typo and I looked in /etc/pki/nssdb and it was empty.

I'm not the one who set up FreeIPA, so if something isn't in the right place I 
can't really explain why.

Eric


[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-14 Thread Rob Crittenden via FreeIPA-users
I suppose we tackle these one at a time.

The older CA certificate can be deleted eventually which will prevent it
from being re-added by ipa-certupdate. I think for now we defer on that.

What is the serial number for the two "QC.LRTECH.CA IPA CA"
certificates? Are they different? If not that would explain the Firefox
error.

On the IPA server with the CA up, does ipa cert-show 1 work?

If not we need to work on that first. It means the CA isn't quite
functioning despite the renewed certificates.

With the renewed certificates you shouldn't have to fiddle with time
anymore. Do basic operations work on the server with current time?

I'm not sure if this is a typo or not, # certutil -L -d /etc/httpd/nssdb

Did you mean /etc/pki/nssdb?

rob


[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-14 Thread Eric Boisvert via FreeIPA-users
Good afternoon,

I was able to find a date where it's possible to start IPA services 
successfully (2022-03-02).


Is it possible to clear IPA from bad certificates?

I see four "QC.LRTECH.CA IPA CA" certificates in:

certutil -L -d /etc/ipa/nssdb
certutil -L -d /etc/httpd/alias
certutil -L -d /etc/dirsrv/slapd-QC-LRTECH-CA/

I can manually delete them with certutil -D -d  -n  and 
keep the one I want, but each time I execute ipa-certupdate they come back and 
the root CA isn't trusted anymore.

# certutil -L -d /etc/ipa/nssdb

> Certificate Nickname                                                                                Trust Attributes
>                                                                                                     SSL,S/MIME,JAR/XPI
>
> E=ad...@lrtech.ca,CN=LR Tech inc. ROOT CA,OU=Intranet,O=LR Tech inc.,L=Levis,ST=QC,C=CA            CT,C,C
> QC.LRTECH.CA IPA CA                                                                                 CT,C,C
> QC.LRTECH.CA IPA CA                                                                                 CT,C,C
> E=ad...@lrtech.ca,CN=LR Tech inc. Root CA 2022,OU=Intranet,O=LR Tech inc.,L=Levis,ST=Quebec,C=CA   CT,C,C

# certutil -L -d /etc/httpd/alias

> Certificate Nickname                                                                                Trust Attributes
>                                                                                                     SSL,S/MIME,JAR/XPI
>
> E=ad...@lrtech.ca,CN=LR Tech inc. ROOT CA,OU=Intranet,O=LR Tech inc.,L=Levis,ST=QC,C=CA            CT,C,C
> QC.LRTECH.CA IPA CA                                                                                 CT,C,C
> Signing-Cert                                                                                        u,u,u
> QC.LRTECH.CA IPA CA                                                                                 CT,C,C
> E=ad...@lrtech.ca,CN=LR Tech inc. Root CA 2022,OU=Intranet,O=LR Tech inc.,L=Levis,ST=Quebec,C=CA   CT,C,C
> Server-Cert                                                                                         u,u,u
> ipaCert                                                                                             u,u,u

# certutil -L -d /etc/pki/pki-tomcat/alias/

> Certificate Nickname                                                                                Trust Attributes
>                                                                                                     SSL,S/MIME,JAR/XPI
>
> E=ad...@lrtech.ca,CN=LR Tech inc. ROOT CA,OU=Intranet,O=LR Tech inc.,L=Levis,ST=QC,C=CA            CT,C,C
> caSigningCert cert-pki-ca                                                                           CTu,Cu,Cu
> subsystemCert cert-pki-ca                                                                           u,u,u
> auditSigningCert cert-pki-ca                                                                        u,u,Pu
> caSigningCert cert-pki-ca                                                                           CTu,Cu,Cu
> E=ad...@lrtech.ca,CN=LR Tech inc. Root CA 2022,OU=Intranet,O=LR Tech inc.,L=Levis,ST=Quebec,C=CA   C,,
> Server-Cert cert-pki-ca                                                                             u,u,u
> ocspSigningCert cert-pki-ca                                                                         u,u,u

# certutil -L -d /etc/dirsrv/slapd-QC-LRTECH-CA/

> Certificate Nickname                                                                                Trust Attributes
>                                                                                                     SSL,S/MIME,JAR/XPI
>
> E=ad...@lrtech.ca,CN=LR Tech inc. ROOT CA,OU=Intranet,O=LR Tech inc.,L=Levis,ST=QC,C=CA            CT,C,C
> QC.LRTECH.CA IPA CA                                                                                 CT,C,C
> Server-Cert                                                                                         u,u,u
> QC.LRTECH.CA IPA CA                                                                                 CT,C,C
> E=ad...@lrtech.ca,CN=LR Tech inc. Root CA 2022,OU=Intranet,O=LR Tech inc.,L=Levis,ST=Quebec,C=CA   CT,C,C


After the cleaning I was able to renew all certificates and they are all 
MONITORING with a valid date.

See getcert list output below.

> Number of certificates and requests being tracked: 8.
> Request ID '20170113205242':
> status: MONITORING
> stuck: no
> key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=QC.LRTECH.CA
> subject: CN=CA Audit,O=QC.LRTECH.CA
> expires: 2024-02-23 05:00:03 UTC
> key usage: digitalSignature,nonRepudiation
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
> "auditSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20170113205243':
> status: MONITORING
> stuck: no
> key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=QC.LRTECH.CA
> subject: CN=OCSP Subsystem,O=QC.LRTECH.CA
> expires: 2024-02-23 05:00:13 UTC
> eku: id-kp-OCSPSigning
> 

[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-14 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

in your previous email, the output of certutil shows that the new root CA
isn't trusted in some databases (flag is ,, instead of CT,C,C). You can
change the trust flags with certutil -M -t CT,C,C -d  -n
.

The 2nd thing to take into account: if you change the date in the past in
order to renew a certificate, you need to pick a date where all
certificates are still valid and also *already* valid. For instance if the
LDAP cert was renewed March 1, 2022 and is already in use, you cannot pick
a date before this "valid from" date.
Are you able to find such a date in the past and successfully start all IPA
services without the --ignore-service-failure option? If yes, then you
should be able to launch "getcert resubmit -i 20170113205244" in order to
renew ipaCert.

flo


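The two checks Florence describes above (trust flags that differ between NSS databases, and the need to pick a date at which every tracked certificate is valid before turning the clock back) and the per-database certificate inventory she asked for on 2022-03-11, as an added Python example that is not FreeIPA's own code. It parses certutil -L and getcert list output in the format pasted in this thread; the sample listings are constructed with shortened names, and the paths and request IDs are those used in the thread.

```python
"""Added example (not FreeIPA code): checks over the two outputs this thread works
with, certutil -L listings of several NSS databases and a getcert list dump."""
import re
from datetime import datetime, timezone

# Constructed certutil -L listings (names shortened): Root CA 2022 carries C,, in
# the pki-tomcat database and the IPA CA is listed twice in /etc/ipa/nssdb.
CERTUTIL_OUTPUTS = {
    "/etc/ipa/nssdb": """\
Certificate Nickname                                 Trust Attributes
                                                     SSL,S/MIME,JAR/XPI
E=admin@example.test,CN=Root CA 2022,O=Example Inc.  CT,C,C
QC.LRTECH.CA IPA CA                                  CT,C,C
QC.LRTECH.CA IPA CA                                  CT,C,C
""",
    "/etc/pki/pki-tomcat/alias": """\
Certificate Nickname                                 Trust Attributes
                                                     SSL,S/MIME,JAR/XPI
E=admin@example.test,CN=Root CA 2022,O=Example Inc.  C,,
caSigningCert cert-pki-ca                            CTu,Cu,Cu
""",
}
# Nickname, whitespace, then the three comma-separated NSS trust strings.
TRUST_RE = re.compile(r"^(?P<nick>\S.*?)\s+(?P<flags>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")


def parse_certutil(text):
    """Return [(nickname, trust_flags), ...] from one certutil -L listing."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or "Trust Attributes" in line or "SSL,S/MIME" in line:
            continue
        m = TRUST_RE.match(line)
        if m:
            entries.append((m.group("nick"), m.group("flags")))
    return entries


def audit_nssdbs(listings):
    """Nicknames listed twice in one database, and nicknames whose trust flags
    differ between databases (the C,, versus CT,C,C case from the thread)."""
    duplicates, flags_by_nick = {}, {}
    for db, text in listings.items():
        seen = {}
        for nick, flags in parse_certutil(text):
            seen[nick] = seen.get(nick, 0) + 1
            flags_by_nick.setdefault(nick, {})[db] = flags
        if any(c > 1 for c in seen.values()):
            duplicates[db] = sorted(n for n, c in seen.items() if c > 1)
    mismatched = {n: dbs for n, dbs in flags_by_nick.items()
                  if len(set(dbs.values())) > 1}
    return duplicates, mismatched


# Constructed getcert list excerpt (two tracked requests, fields trimmed).
GETCERT_SAMPLE = """\
Request ID '20170113205244':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://ca.example.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2022-03-03 20:49:21 UTC
Request ID '20170113205245':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2027-03-04 14:26:48 UTC
"""


def parse_ts(value):
    """Parse getcert's 'YYYY-MM-DD HH:MM:SS UTC' timestamps into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def parse_getcert(text):
    """One dict per 'Request ID' block: id, status, nickname, expires, ca-error..."""
    requests, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1)}
            requests.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.strip().partition(":")  # values may contain ':'
            key, val = key.strip(), val.strip()
            if key == "certificate":  # keep only the NSS nickname
                key, val = "nickname", re.search(r"nickname='([^']*)'", val).group(1)
            elif key == "expires":
                val = parse_ts(val)
            cur[key] = val
    return requests


def renewal_report(requests, now):
    """Return (ids needing attention, latest instant at which every tracked cert
    was still unexpired).  That instant is the upper bound for a set-the-clock-back
    renewal; the lower bound (every cert already valid) needs notBefore, which
    getcert does not print, so read it with certutil -L -n <nick> first."""
    attention = sorted(r["id"] for r in requests if r.get("status") != "MONITORING"
                       or ("expires" in r and r["expires"] <= now))
    return attention, min(r["expires"] for r in requests if "expires" in r)
```

Run audit_nssdbs over listings taken from each of the four databases Florence lists and renewal_report over the full getcert list output to get both answers for a real server.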
[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-14 Thread Eric Boisvert via FreeIPA-users
Good morning Everyone,

I made little progress this weekend. I'm currently in a state where all my 
services in the ipactl status command are running, but if I restart, the 
pki-tomcatd service shows netscape.ldap.LDAPException: Authentication failed 
(48) in the debug output when executing ipactl -r restart 
--ignore-service-failure.

The new output of getcert list looks like the following:

> # getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20170113205242':
> status: MONITORING
> stuck: no
> key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=QC.LRTECH.CA
> subject: CN=CA Audit,O=QC.LRTECH.CA
> expires: 2024-03-01 19:02:05 UTC
> key usage: digitalSignature,nonRepudiation
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
> "auditSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20170113205243':
> status: MONITORING
> stuck: no
> key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=QC.LRTECH.CA
> subject: CN=OCSP Subsystem,O=QC.LRTECH.CA
> expires: 2024-03-01 19:01:55 UTC
> eku: id-kp-OCSPSigning
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
> "ocspSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20170113205244':
> status: CA_UNREACHABLE
> ca-error: Error 60 connecting to 
> https://dc01.qc.lrtech.ca:8443/ca/agent/ca/profileReview: Peer certificate 
> cannot be authenticated with given CA certificates.
> stuck: no
> key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=QC.LRTECH.CA
> subject: CN=CA Subsystem,O=QC.LRTECH.CA
> expires: 2022-03-03 20:49:21 UTC
> key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
> "subsystemCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20170113205245':
> status: MONITORING
> stuck: no
> key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: E=ad...@lrtech.ca,CN=LR Tech inc. Root CA 
> 2022,OU=Intranet,O=LR Tech inc.,L=Levis,ST=Quebec,C=CA
> subject: CN=Certificate Authority,O=QC.LRTECH.CA
> expires: 2027-03-04 14:26:48 UTC
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
> "caSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20170113205246':
> status: MONITORING
> stuck: no
> key pair storage: 
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: 
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
> Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=QC.LRTECH.CA
> subject: CN=IPA RA,O=QC.LRTECH.CA
> expires: 2024-03-01 19:02:15 UTC
> key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
> track: yes
> auto-renew: yes
> Request ID '20170113205247':
> status: 

[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-11 Thread Eric Boisvert via FreeIPA-users

> - how many IPA servers do you have with a CA role? ipa server-role-find 
> --role "CA server"

We only have one IPA server; executing the above command returns:
ipa: ERROR: cannot connect to 'https://freeipa.qc.lrtech.ca/ipa/json': 
Could not connect to freeipa.qc.lrtech.ca using any address: 
(PR_ADDRESS_NOT_SUPPORTED_ERROR) Network address type not supported.

> - among those, which one is the renewal master? ipa config-show | grep

Since we have only 1 server it should be freeipa.qc.lrtech.ca, but the command 
returns the same error as above.

> - can you provide the full output of "getcert list" executed on the IPA 
> renewal master

# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20170113205242':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=QC.LRTECH.CA
subject: CN=CA Audit,O=QC.LRTECH.CA
expires: 2022-03-03 20:49:21 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170113205243':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=QC.LRTECH.CA
subject: CN=OCSP Subsystem,O=QC.LRTECH.CA
expires: 2022-03-03 20:49:21 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170113205244':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB',pin set
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=QC.LRTECH.CA
subject: CN=CA Subsystem,O=QC.LRTECH.CA
expires: 2022-03-03 20:49:21 UTC
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170113205245':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: E=ad...@lrtech.ca,CN=LR Tech inc. Root CA 2022,OU=Intranet,O=LR 
Tech inc.,L=Levis,ST=Quebec,C=CA
subject: CN=Certificate Authority,O=QC.LRTECH.CA
expires: 2027-03-04 14:26:48 UTC
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170113205246':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=QC.LRTECH.CA
subject: CN=IPA RA,O=QC.LRTECH.CA
expires: 2022-03-03 20:49:21 UTC
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID 

[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-11 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,
let's get an accurate status first:
- how many IPA servers do you have with a CA role? ipa server-role-find
--role "CA server"
- among those, which one is the renewal master? ipa config-show | grep
renewal
- can you provide the full output of "getcert list" executed on the IPA
renewal master
- is the new root CA present in /etc/ipa/ca.crt (this file should contain
IPA CA cert + the new and old root ca)
- is the new root CA present in /etc/ipa/nssdb, /etc/httpd/alias,
/etc/dirsrv/slapd-xx, /etc/pki/pki-tomcat/alias ? Use certutil -L -d
 to check the list of certs
- is the new IPA CA present in the same nss databases?

flo

On Fri, Mar 11, 2022 at 4:05 PM Eric Boisvert via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Good morning everyone,
>
> Unfortunately before being able to renew my clients CA I need to fix an
> issue that prevent FreeIPA from starting. With the help of a coworker we
> found that pki-tomcatd failed to start.
>
> We then found this documentation about the problem:
> https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
> . If I'm not wrong it was written by Florence.
>
> When I'm trying to read the /var/log/pki/pki-tomcat/ca/debug file it's
> empty. From there I'm a bit lost and don't know where I can find useful log
> to help me.
>
>
>
> Should I start a new thread with this problem?
>
>
> Also is it possible to do remote debugging, google meet, zoom, etc. with
> someone to further help us with our problem?
>
>
> Thanks again for your help and time.
>
> Eric
> ___
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
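As an added example (not code from this thread or from the FreeIPA project), the script below automates the check Florence lists: it runs certutil -L -d against each of the four NSS databases and reports, per database, whether the expected root CA and IPA CA nicknames are present and carry the C (trusted CA) flag. The nicknames, the slapd-xx placeholder and the sample listing are constructed assumptions; substitute the nicknames your CA certificates were imported under.

```python
"""Audit FreeIPA NSS databases for the new root CA and IPA CA.

Added example, not from the thread or from FreeIPA. It wraps
`certutil -L -d <dir>` and parses the nickname/trust table certutil
prints, so the four databases named in the thread can be compared in
one pass instead of by eye.
"""
import re
import shutil
import subprocess

# NSS databases the thread says must all carry the new root CA and IPA CA.
# The 389-ds directory is per instance; "slapd-xx" is the thread's placeholder.
NSS_DBS = [
    "/etc/ipa/nssdb",
    "/etc/httpd/alias",
    "/etc/dirsrv/slapd-xx",
    "/etc/pki/pki-tomcat/alias",
]

# Assumed nicknames (replace with the ones used when the certs were imported).
REQUIRED_CAS = ["New Root CA 2022", "QC.LRTECH.CA IPA CA"]

# Two header lines certutil prints before the nickname/trust table.
_HEADER_RE = re.compile(r"^(Certificate Nickname|\s+SSL,S/MIME,JAR/XPI)")


def parse_certutil_listing(text):
    """Turn `certutil -L` output into {nickname: trust_attributes}.

    certutil pads the trust column with a run of spaces, so split on two or
    more spaces rather than on every space: nicknames may contain single
    spaces ("QC.LRTECH.CA IPA CA").
    """
    certs = {}
    for line in text.splitlines():
        if not line.strip() or _HEADER_RE.match(line):
            continue
        parts = re.split(r"\s{2,}", line.rstrip())
        if len(parts) < 2:
            continue  # no trust column on this line; ignore it
        certs[parts[0].strip()] = parts[-1].strip()
    return certs


def audit_listing(listing_text, required_cas):
    """Classify each required CA nickname in one database listing.

    Returns {nickname: "ok" | "missing" | "untrusted"}. A CA is "ok" only
    when the SSL slot (first comma-separated field) carries the C flag;
    ",," means the cert was imported but nothing will trust it as a CA.
    Presence of a nickname does not prove it is the renewed cert; compare
    validity dates with `certutil -L -d <dir> -n <nickname>` when in doubt.
    """
    certs = parse_certutil_listing(listing_text)
    report = {}
    for nick in required_cas:
        if nick not in certs:
            report[nick] = "missing"
        elif "C" not in certs[nick].split(",")[0]:
            report[nick] = "untrusted"
        else:
            report[nick] = "ok"
    return report


def list_nssdb(dbdir):
    """Run certutil -L against one NSS database; None if certutil is absent
    or the database cannot be listed (wrong path, unreadable, no rights)."""
    if shutil.which("certutil") is None:
        return None
    proc = subprocess.run(["certutil", "-L", "-d", dbdir],
                          capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else None


def audit_all(required_cas=REQUIRED_CAS, dbs=NSS_DBS):
    """Audit every database; a value of "unreadable" means certutil could
    not list it, which is itself worth investigating."""
    results = {}
    for db in dbs:
        text = list_nssdb(db)
        results[db] = "unreadable" if text is None else audit_listing(text, required_cas)
    return results


# Constructed sample listing: old CAs trusted, new root imported without trust.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Old Root CA                                                  CT,C,C
QC.LRTECH.CA IPA CA                                          CT,C,C
Server-Cert                                                  u,u,u
New Root CA 2022                                             ,,
"""

if __name__ == "__main__":
    print(audit_listing(SAMPLE_LISTING, REQUIRED_CAS))  # offline demo
    for db, verdict in audit_all().items():             # live check on a host
        print(f"{db}: {verdict}")
```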


[Freeipa-users] Re: Help request on FreeIPA and Linux Certicate of Authority renewal.

2022-03-11 Thread Eric Boisvert via FreeIPA-users
Good morning everyone,

Unfortunately, before being able to renew my clients' CA I need to fix an issue 
that prevents FreeIPA from starting. With the help of a coworker we found that 
pki-tomcatd failed to start.

We then found this documentation about the problem: 
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
If I'm not wrong it was written by Florence.

When I try to read the /var/log/pki/pki-tomcat/ca/debug file it's empty. 
From there I'm a bit lost and don't know where I can find useful logs to help me.



Should I start a new thread with this problem?


Also, is it possible to do remote debugging (Google Meet, Zoom, etc.) with 
someone to further help us with our problem?


Thanks again for your help and time.

Eric


[Freeipa-users] Re: Help request on FreeIPA and Linux Certicate of Authority renewal.

2022-03-10 Thread Rob Crittenden via FreeIPA-users
Eric Boisvert via FreeIPA-users wrote:
> I did a kinit with my admin user and entered the password.
> 
> Now ipa-certupdate -v returns:
> 
> # ipa-certupdate -v
> ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: Not logging to a file
> ipa: DEBUG: Loading Index file from 
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:ad...@qc.lrtech.ca
> ipa: DEBUG: Process finished, return code=1
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=keyctl_search: Required key not available
> 
> ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: failed to find 
> session_cookie in persistent storage for principal 'ad...@qc.lrtech.ca'
> ipa.ipaclient.plugins.rpcclient.rpcclient: INFO: trying 
> https://freeipa.qc.lrtech.ca/ipa/json
> ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: Created connection 
> context.rpcclient_26500816
> ipa.ipaclient.plugins.rpcclient.rpcclient: INFO: Forwarding 'schema' to json 
> server 'https://freeipa.qc.lrtech.ca/ipa/json'
> ipa: DEBUG: NSSConnection init freeipa.qc.lrtech.ca
> ipa: DEBUG: Connecting: IP_ADDRESS:0
> ipa: ERROR: cert validation failed for 
> "CN=freeipa.qc.lrtech.ca,O=QC.LRTECH.CA" ((SEC_ERROR_EXPIRED_CERTIFICATE) 
> Peer's Certificate has expired.)
> ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: Destroyed connection 
> context.rpcclient_26500816
> ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG:   File 
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in 
> execute
> return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipaclient/ipa_certupdate.py", line 
> 54, in run
> api.finalize()
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 707, in 
> finalize
> self.__do_if_not_done('load_plugins')
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 422, in 
> __do_if_not_done
> getattr(self, name)()
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 585, in 
> load_plugins
> for package in self.packages:
>   File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 919, in 
> packages
> ipaclient.remote_plugins.get_package(self),
>   File 
> "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 
> 118, in get_package
> plugins = schema.get_package(server_info, client)
>   File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", 
> line 543, in get_package
> schema = Schema(client)
>   File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", 
> line 387, in __init__
> fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
>   File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", 
> line 426, in _fetch
> schema = client.forward(u'schema', **kwargs)['result']
>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1000, in forward
> raise NetworkError(uri=server, error=str(e))
> 
> ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: The ipa-certupdate command 
> failed, exception: NetworkError: cannot connect to 
> 'https://freeipa.qc.lrtech.ca/ipa/json': (SEC_ERROR_EXPIRED_CERTIFICATE) 
> Peer's Certificate has expired.
> ipa.ipaclient.ipa_certupdate.CertUpdate: ERROR: cannot connect to 
> 'https://freeipa.qc.lrtech.ca/ipa/json': (SEC_ERROR_EXPIRED_CERTIFICATE) 
> Peer's Certificate has expired.
> ipa.ipaclient.ipa_certupdate.CertUpdate: ERROR: The ipa-certupdate command 
> failed.
> 
> Sorry for asking trivial questions, I'm new to FreeIPA.

Now you have a classic chicken and egg problem. The clients were all
configured with the old CA and now you have a brand new one.

I'd give this a try:

Copy /etc/pki/ca-trust/source/ipa.p11-kit from the server to a client
Run update-ca-trust

Then try a command like ipa user-show admin, or ipa-certupdate.

If that works on one client (and I think it will), repeat it on the
others and you're back in business.

rob


[Freeipa-users] Re: Help request on FreeIPA and Linux Certicate of Authority renewal.

2022-03-10 Thread Eric Boisvert via FreeIPA-users
I did a kinit with my admin user and entered the password.

Now ipa-certupdate -v returns:

# ipa-certupdate -v
ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: Not logging to a file
ipa: DEBUG: Loading Index file from 
'/var/lib/ipa-client/sysrestore/sysrestore.index'
ipa: DEBUG: Starting external process
ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:ad...@qc.lrtech.ca
ipa: DEBUG: Process finished, return code=1
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=keyctl_search: Required key not available

ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: failed to find session_cookie 
in persistent storage for principal 'ad...@qc.lrtech.ca'
ipa.ipaclient.plugins.rpcclient.rpcclient: INFO: trying 
https://freeipa.qc.lrtech.ca/ipa/json
ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: Created connection 
context.rpcclient_26500816
ipa.ipaclient.plugins.rpcclient.rpcclient: INFO: Forwarding 'schema' to json 
server 'https://freeipa.qc.lrtech.ca/ipa/json'
ipa: DEBUG: NSSConnection init freeipa.qc.lrtech.ca
ipa: DEBUG: Connecting: IP_ADDRESS:0
ipa: ERROR: cert validation failed for "CN=freeipa.qc.lrtech.ca,O=QC.LRTECH.CA" 
((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: Destroyed connection 
context.rpcclient_26500816
ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG:   File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaclient/ipa_certupdate.py", line 54, 
in run
api.finalize()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 707, in 
finalize
self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 422, in 
__do_if_not_done
getattr(self, name)()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 585, in 
load_plugins
for package in self.packages:
  File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 919, in 
packages
ipaclient.remote_plugins.get_package(self),
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", 
line 118, in get_package
plugins = schema.get_package(server_info, client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", 
line 543, in get_package
schema = Schema(client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", 
line 387, in __init__
fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", 
line 426, in _fetch
schema = client.forward(u'schema', **kwargs)['result']
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1000, in forward
raise NetworkError(uri=server, error=str(e))

ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: The ipa-certupdate command 
failed, exception: NetworkError: cannot connect to 
'https://freeipa.qc.lrtech.ca/ipa/json': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's 
Certificate has expired.
ipa.ipaclient.ipa_certupdate.CertUpdate: ERROR: cannot connect to 
'https://freeipa.qc.lrtech.ca/ipa/json': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's 
Certificate has expired.
ipa.ipaclient.ipa_certupdate.CertUpdate: ERROR: The ipa-certupdate command 
failed.

Sorry for asking trivial questions, I'm new to FreeIPA.

Eric


[Freeipa-users] Re: Help request on FreeIPA and Linux Certicate of Authority renewal.

2022-03-10 Thread Rob Crittenden via FreeIPA-users
You need to do a kinit first.

rob

Eric Boisvert via FreeIPA-users wrote:
> Thank you for your quick answer,
> 
> I just tried to call ipa-certupdate but I get the following error from 
> Kerberos.
> 
> # ipa-certupdate -v
> ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: Not logging to a file
> ipa: DEBUG: Loading Index file from 
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> ipa.ipaclient.plugins.rpcclient.rpcclient: INFO: trying 
> https://freeipa.qc.lrtech.ca/ipa/json
> ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: Created connection 
> context.rpcclient_45956816
> ipa.ipaclient.plugins.rpcclient.rpcclient: INFO: Forwarding 'schema' to json 
> server 'https://freeipa.qc.lrtech.ca/ipa/json'
> ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: Destroyed connection 
> context.rpcclient_45956816
> ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG:   File 
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in 
> execute
> return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipaclient/ipa_certupdate.py", line 
> 54, in run
> api.finalize()
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 707, in 
> finalize
> self.__do_if_not_done('load_plugins')
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 422, in 
> __do_if_not_done
> getattr(self, name)()
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 585, in 
> load_plugins
> for package in self.packages:
>   File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 919, in 
> packages
> ipaclient.remote_plugins.get_package(self),
>   File 
> "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 
> 118, in get_package
> plugins = schema.get_package(server_info, client)
>   File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", 
> line 543, in get_package
> schema = Schema(client)
>   File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", 
> line 387, in __init__
> fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
>   File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", 
> line 426, in _fetch
> schema = client.forward(u'schema', **kwargs)['result']
>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 986, in forward
> return self._call_command(command, params)
>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 967, in 
> _call_command
> return command(*params)
>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1117, in _call
> return self.__request(name, args)
>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1084, in 
> __request
> verbose=self.__verbose >= 3,
>   File "/usr/lib64/python2.7/xmlrpclib.py", line 1273, in request
> return self.single_request(host, handler, request_body, verbose)
>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 617, in 
> single_request
> h = SSLTransport.make_connection(self, host)
>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 492, in 
> make_connection
> host, self._extra_headers, x509 = self.get_host_info(host)
>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 574, in 
> get_host_info
> self._handle_exception(e, service=service)
>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 547, in 
> _handle_exception
> raise errors.CCacheError()
> 
> ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: The ipa-certupdate command 
> failed, exception: CCacheError: did not receive Kerberos credentials
> ipa.ipaclient.ipa_certupdate.CertUpdate: ERROR: did not receive Kerberos 
> credentials
> ipa.ipaclient.ipa_certupdate.CertUpdate: ERROR: The ipa-certupdate command 
> failed.
> 
> 
> Eric


[Freeipa-users] Re: Help request on FreeIPA and Linux Certicate of Authority renewal.

2022-03-10 Thread Eric Boisvert via FreeIPA-users
Thank you for your quick answer,

I just tried to call ipa-certupdate but I get the following error from Kerberos.

# ipa-certupdate -v
ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: Not logging to a file
ipa: DEBUG: Loading Index file from 
'/var/lib/ipa-client/sysrestore/sysrestore.index'
ipa.ipaclient.plugins.rpcclient.rpcclient: INFO: trying 
https://freeipa.qc.lrtech.ca/ipa/json
ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: Created connection 
context.rpcclient_45956816
ipa.ipaclient.plugins.rpcclient.rpcclient: INFO: Forwarding 'schema' to json 
server 'https://freeipa.qc.lrtech.ca/ipa/json'
ipa.ipaclient.plugins.rpcclient.rpcclient: DEBUG: Destroyed connection 
context.rpcclient_45956816
ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG:   File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaclient/ipa_certupdate.py", line 54, 
in run
api.finalize()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 707, in 
finalize
self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 422, in 
__do_if_not_done
getattr(self, name)()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 585, in 
load_plugins
for package in self.packages:
  File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 919, in 
packages
ipaclient.remote_plugins.get_package(self),
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", 
line 118, in get_package
plugins = schema.get_package(server_info, client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", 
line 543, in get_package
schema = Schema(client)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", 
line 387, in __init__
fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", 
line 426, in _fetch
schema = client.forward(u'schema', **kwargs)['result']
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 986, in forward
return self._call_command(command, params)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 967, in 
_call_command
return command(*params)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1117, in _call
return self.__request(name, args)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1084, in __request
verbose=self.__verbose >= 3,
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1273, in request
return self.single_request(host, handler, request_body, verbose)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 617, in 
single_request
h = SSLTransport.make_connection(self, host)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 492, in 
make_connection
host, self._extra_headers, x509 = self.get_host_info(host)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 574, in 
get_host_info
self._handle_exception(e, service=service)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 547, in 
_handle_exception
raise errors.CCacheError()

ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: The ipa-certupdate command 
failed, exception: CCacheError: did not receive Kerberos credentials
ipa.ipaclient.ipa_certupdate.CertUpdate: ERROR: did not receive Kerberos 
credentials
ipa.ipaclient.ipa_certupdate.CertUpdate: ERROR: The ipa-certupdate command 
failed.


Eric


[Freeipa-users] Re: Help request on FreeIPA and Linux Certicate of Authority renewal.

2022-03-10 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,
You need to call ipa-certupdate on all the IPA hosts (servers/clients), in
order to import the new root CA to all the NSS databases used by the
various IPA services, as well as /etc/ipa/ca.crt and a few other files.

flo

On Thu, Mar 10, 2022 at 3:49 PM Eric Boisvert via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Good morning Florence,
>
> You guessed right!
>
> By changing some details in the root CA subject, the command
> ipa-cacert-manage renew worked.
> We now have a root CA valid until 2042 and a FreeIPA CA valid until 2027.
>
>
>
> I'm now trying to manually renew my VM certificate with the command
> ipa-getcert resubmit -i REQUEST_ID found here:
> https://www.freeipa.org/page/Certmonger
>
> I did add my root CA to the trusted certificates by moving it to
> /etc/pki/ca-trust/source/anchors/ and by executing update-ca-trust.
>
> Note that getcert list gives me CA_UNREACHABLE status and ca-error: Peer
> certificate cannot be authenticated with given CA certificates, and those
> certificates are on the same VM where FreeIPA is installed.
>
> Request ID '20170525181552':
> status: CA_UNREACHABLE
> ca-error: Server at https://freeipa.qc.lrtech.ca/ipa/xml failed
> request, will retry: -504 (libcurl failed to execute the HTTP POST
> transaction, explaining:  Peer's Certificate has expired.).
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=QC.LRTECH.CA
> subject: CN=freeipa.qc.lrtech.ca,O=QC.LRTECH.CA
> expires: 2022-03-03 20:49:21 UTC
> dns: freeipa.qc.lrtech.ca
> principal name: HTTP/freeipa.qc.lrtech...@qc.lrtech.ca
> key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
>
> Any advice would be appreciated. After that I guess I just have to add my
> root CA to the trusted certificates of my other VMs and manually renew the
> certificates.
>
> Eric


[Freeipa-users] Re: Help request on FreeIPA and Linux Certicate of Authority renewal.

2022-03-10 Thread Eric Boisvert via FreeIPA-users
Good morning Florence,

You guessed right!

By changing some details in the root CA subject, the command ipa-cacert-manage 
renew worked.
We now have a root CA valid until 2042 and a FreeIPA CA valid until 2027.



I'm now trying to manually renew my VM certificate with the command ipa-getcert 
resubmit -i REQUEST_ID found here:
https://www.freeipa.org/page/Certmonger

I did add my root CA to the trusted certificates by moving it to 
/etc/pki/ca-trust/source/anchors/ and by executing update-ca-trust.

Note that getcert list gives me CA_UNREACHABLE status and ca-error: Peer 
certificate cannot be authenticated with given CA certificates, and those 
certificates are on the same VM where FreeIPA is installed.

Request ID '20170525181552':
status: CA_UNREACHABLE
ca-error: Server at https://freeipa.qc.lrtech.ca/ipa/xml failed 
request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, 
explaining:  Peer's Certificate has expired.).
stuck: no
key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=QC.LRTECH.CA
subject: CN=freeipa.qc.lrtech.ca,O=QC.LRTECH.CA
expires: 2022-03-03 20:49:21 UTC
dns: freeipa.qc.lrtech.ca
principal name: HTTP/freeipa.qc.lrtech...@qc.lrtech.ca
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes

Any advice would be appreciated. After that I guess I just have to add my root 
CA to the trusted certificates of my other VMs and manually renew the 
certificates.

Eric


[Freeipa-users] Re: Help request on FreeIPA and Linux Certicate of Authority renewal.

2022-03-10 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,


On Wed, Mar 9, 2022 at 10:12 PM Eric Boisvert via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Good afternoon Rob,
>
> TL;DR We can't renew the FreeIPA certificate because we lost our root
> certificate private key and replacing it doesn't work.
>
> We are currently using:
> - CentOS Linux release 7.3.1611 (Core)
> - FreeIPA 4.4.0-14.el7.centos.1.1
>
> Our certificate structure looks like this:
> Self-signed root certificate (valid but lost private key) > FreeIPA CA
> certificate (expired) > client VM certificate (expired).
>
> Everything is on a local network and none of our servers seem to use NTP
> for clock synchronization (might be useful if we want to make our
> certificates valid by going back in time???).
>
>
> Recently our FreeIPA CA certificate expired and we are unable to renew it
> because we lost the private key of our root certificate.
>
> We tried to create a new root certificate with openssl and the help of the
> following documentation:
>
> https://docs.microsoft.com/en-us/azure/application-gateway/self-signed-certificates
> https://www.poftut.com/create-self-signed-root-certificate-openssl/
>
> We then tried to renew the FreeIPA CA certificate with the
> ipa-cacert-manage renew command, which generates a CSR that we signed with our
> newly created root certificate. The command was found here:
> https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>
> Unfortunately FreeIPA gives an error that we have a public key info
> mismatch (I can add the verbose command output if needed).
>

I guess that you re-used the same root CA name, and that's why FreeIPA
complains. If you create a new root CA with a different subject name, add
this new CA cert and then do ipa-cacert-manage renew I believe it should
work.

flo

>
> After some research we concluded that FreeIPA doesn't want to have its root
> certificate changed, so we found this article that looks similar to our
> problem.
>
> https://frasertweedale.github.io/blog-redhat/posts/2018-05-31-replacing-lost-ca.html
>
> Since every command seems to use HTTPS to get Kerberos credentials and
> our certificate is invalid, we can't execute commands like ipa
> server-find, ipa ca-find, etc.
>
> This is where we are now.
>
> We are currently trying to set up a new FreeIPA VM with a client VM so we
> can run tests on it before doing so on our production environment.
>
> Thank you for your time and your help!


[Freeipa-users] Re: Help request on FreeIPA and Linux Certicate of Authority renewal.

2022-03-09 Thread Eric Boisvert via FreeIPA-users
Good afternoon Rob,

TL;DR We can't renew the FreeIPA certificate because we lost our root certificate 
private key and replacing it doesn't work.

We are currently using: 
- CentOS Linux release 7.3.1611 (Core)
- FreeIPA 4.4.0-14.el7.centos.1.1

Our certificate structure looks like this:
Self-signed root certificate (valid but lost private key) > FreeIPA CA 
certificate (expired) > client VM certificate (expired).

Everything is on a local network and none of our servers seem to use NTP for 
clock synchronization (might be useful if we want to make our certificates 
valid by going back in time???).


Recently our FreeIPA CA certificate expired and we are unable to renew it 
because we lost the private key of our root certificate.

We tried to create a new root certificate with openssl and the help of the 
following documentation:

https://docs.microsoft.com/en-us/azure/application-gateway/self-signed-certificates
https://www.poftut.com/create-self-signed-root-certificate-openssl/

We then tried to renew the FreeIPA CA certificate with the ipa-cacert-manage 
renew command, which generates a CSR that we signed with our newly created root 
certificate. The command was found here:
https://www.freeipa.org/page/Howto/CA_Certificate_Renewal

Unfortunately FreeIPA gives an error that we have a public key info mismatch (I 
can add the verbose command output if needed).

After some research we concluded that FreeIPA doesn't want to have its root 
certificate changed, so we found this article that looks similar to our problem.

https://frasertweedale.github.io/blog-redhat/posts/2018-05-31-replacing-lost-ca.html

Since every command seems to use HTTPS to get Kerberos credentials and our 
certificate is invalid, we can't execute commands like ipa server-find, ipa 
ca-find, etc.

This is where we are now.

We are currently trying to set up a new FreeIPA VM with a client VM so we can 
run tests on it before doing so on our production environment.

Thank you for your time and your help!


[Freeipa-users] Re: Help request on FreeIPA and Linux Certicate of Authority renewal.

2022-03-09 Thread Rob Crittenden via FreeIPA-users
Eric Boisvert via FreeIPA-users wrote:
> Hi,
> 
> We are looking for help on CA certificate renewal with FreeIPA under a
> Linux environment. We went through most of the FreeIPA documentation
> available and we couldn't fix our issue yet.
> 
> Is there an expert on this topic that could help us with this issue?

We can try. Can you explain what is going on, on what distribution and
version of IPA?

rob