Re: [Freeipa-users] another certmonger question

2016-10-04 Thread Rob Crittenden

Natxo Asenjo wrote:

hi,

On Mon, Oct 3, 2016 at 5:32 PM, Rob Crittenden wrote:


usercertificate is a multi-valued LDAP attribute but IPA 3.0 only
really operates on the "first" value returned (I didn't look at more
recent versions). In this case it is the 267976717 cert. The other
certs shown without details are for the other serial numbers that
cert-find is reporting

I can't see a way that this first usercertificate value isn't
revoked and removed upon renewal so I can't quite figure out how you
got into this state (and so easily as I understand it). I wasn't
able to reproduce it myself. Do you have any idea how wide-spread
this is in your infrastructure?

I can see that once in this state that any "extra" certs would just
be stuck there, never to be revoked.


This is happening all over the place.

I guess I will have to script this: retrieve the usercertificate
attribute of the host computers, get their 'not before/not after' and
serial number values, and revoke the oldest valid ones in case there is
more than one valid one. This should not be very hard.


I need to monitor the certmonger status as well, a nagios plugin should
do the trick.



You may want to open a bug against RHEL 6 on this as well.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] another certmonger question

2016-10-04 Thread Natxo Asenjo
hi,

On Mon, Oct 3, 2016 at 5:32 PM, Rob Crittenden wrote:

>
> usercertificate is a multi-valued LDAP attribute but IPA 3.0 only really
> operates on the "first" value returned (I didn't look at more recent
> versions). In this case it is the 267976717 cert. The other certs shown
> without details are for the other serial numbers that cert-find is reporting



> I can't see a way that this first usercertificate value isn't revoked and
> removed upon renewal so I can't quite figure out how you got into this
> state (and so easily as I understand it). I wasn't able to reproduce it
> myself. Do you have any idea how wide-spread this is in your infrastructure?
>
> I can see that once in this state that any "extra" certs would just be
> stuck there, never to be revoked.
>

This is happening all over the place.

I guess I will have to script this: retrieve the usercertificate attribute
of the host computers, get their 'not before/not after' and serial number
values, and revoke the oldest valid ones in case there is more than one
valid one. This should not be very hard.


I need to monitor the certmonger status as well, a nagios plugin should do
the trick.

--
Groeten,
natxo
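Added worked example for the two things planned in the message above (the revocation
script and the certmonger check). This is editor's code, not code from this thread and
not from FreeIPA or certmonger. It assumes: the `ipa cert-find` and `getcert list` text
formats are the ones quoted in this thread; `ipa cert-revoke SERIAL --revocation-reason=4`
(4 = superseded) is the revocation command; Dogtag serial numbers increase with issuance,
so the highest VALID serial for a subject is the newest one; and certmonger prints a
`ca-error:` line in `getcert list` when a request fails (that line is not shown anywhere in
this thread). The sample texts are constructed and nothing here contacts a server.

```python
# Added example (not from this thread or from FreeIPA); formats as shown in the thread.
import re
from datetime import datetime, timezone

def parse_cert_find(text):
    """One dict per blank-line-separated record of `ipa cert-find` output."""
    certs, cur = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last record
        line = line.strip()
        if not line:
            if "serial" in cur:
                certs.append(cur)
            cur = {}
            continue
        key, _, val = line.partition(":")
        if key == "Serial number":  # decimal serial; the "(hex)" line is ignored
            cur["serial"] = int(val)
        elif key in ("Status", "Subject"):
            cur[key.lower()] = val.strip()
    return certs

def plan_revocations(certs, keep=None):
    """Per subject with more than one VALID cert, keep one (default: the highest
    serial, i.e. the newest, since Dogtag serials increase with issuance; `keep`
    maps subject -> serial to override) and return the rest as (subject, serial)."""
    valid = {}
    for c in certs:
        if c["status"] == "VALID":
            valid.setdefault(c["subject"], []).append(c["serial"])
    plan = []
    for subject, serials in sorted(valid.items()):
        if len(serials) < 2:
            continue
        keeper = (keep or {}).get(subject, max(serials))
        if keeper not in serials:  # refuse to revoke every valid cert by mistake
            raise ValueError("%d is not a VALID certificate for %s" % (keeper, subject))
        plan += [(subject, s) for s in sorted(serials) if s != keeper]
    return plan

def revoke_commands(plan, reason=4):
    """`ipa cert-revoke` lines for a plan; reason 4 = superseded (RFC 5280)."""
    return ["ipa cert-revoke %d --revocation-reason=%d" % (s, reason) for _, s in plan]

def parse_getcert_list(text):
    """One dict per "Request ID" block of `getcert list` output."""
    reqs, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1)}
            reqs.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.strip().partition(":")
            cur[key] = val.strip()
    return reqs

def check_certmonger(text, now, warn_days=30, crit_days=7):
    """Nagios plugin logic -> (exit code, status line): 0 OK, 1 WARNING, 2 CRITICAL,
    3 UNKNOWN. A stuck request or a ca-error line is CRITICAL; with auto-renew on,
    a certificate nearing expiry means renewal is quietly failing, so flag it too."""
    reqs = parse_getcert_list(text)
    if not reqs:
        return 3, "UNKNOWN: no tracked certificates in getcert output"
    problems = []  # (level, message)
    for r in reqs:
        if r.get("stuck") == "yes" or "ca-error" in r:
            problems.append((2, "%s stuck: %s" % (r["id"], r.get("ca-error", "yes"))))
        elif r.get("status") != "MONITORING":
            problems.append((1, "%s in state %s" % (r["id"], r.get("status"))))
        if r.get("expires"):
            exp = datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S UTC")
            days = (exp.replace(tzinfo=timezone.utc) - now).days
            level = 2 if days <= crit_days else 1 if days <= warn_days else 0
            if level:
                problems.append((level, "%s expires in %d days" % (r["id"], days)))
    worst = max((lvl for lvl, _ in problems), default=0)
    head = "%s: %d tracked" % (("OK", "WARNING", "CRITICAL")[worst], len(reqs))
    return worst, "; ".join([head] + [m for _, m in problems])

# Constructed samples in the formats shown in this thread.
SAMPLE_CERT_FIND = """\
--
  Serial number (hex): 0x3FFE0002
  Serial number: 1073610754
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number: 1073610755
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

Number of entries returned 2
"""
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 1.
Request ID '20160929100945':
        status: MONITORING
        stuck: no
        subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
        expires: 2018-09-30 20:41:28 UTC
        auto-renew: yes
"""
```

To use it against a real deployment, feed `parse_cert_find` the concatenated output of
`ipa cert-find --subject=<fqdn>` for each host, review the plan, and only then run the
printed `ipa cert-revoke` lines; for the Nagios side, pass the output of `getcert list` and
`datetime.now(timezone.utc)` to `check_certmonger`, print the status line and exit with the
code. Two caveats: before revoking, confirm the keeper is the certificate the host actually
serves (its certmonger-tracked one), since in IPA 3.0 `ipa host-show` reports only the first
usercertificate value, which in this thread is the stale one, and pass `keep=` if the
newest serial is not the one in use; and `ipa cert-revoke` only marks the certificate revoked
at the CA, so stale usercertificate values on the host entry still need to be cleaned up
separately.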

Re: [Freeipa-users] another certmonger question

2016-09-30 Thread Natxo Asenjo
On Fri, Sep 30, 2016 at 10:45 AM, Rob Crittenden wrote:

> Natxo Asenjo wrote:
>
>>
>>
>> On Thu, Sep 29, 2016 at 1:16 PM, Rob Crittenden wrote:
>>
>> Natxo Asenjo wrote:
>>
>>
>>
>> On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden wrote:
>>
>>
>>  It's hard to say, it may in fact not be a problem.
>>
>>  It is really a matter of what service the certificate(s)
>> are related
>>  to. I'd look at the serial numbers and then correlate those
>> to the
>>  issued certificates.
>>
>>  I'd also do a service-find on the hostname to see if any
>> services
>>  have certificates issued and with what serial numbers.
>>
>>
>> I agree, it could be that. But just for testing I have created a
>> vm,
>> joined it to the domain and resubmitted the certificate.
>>
>> Now there are two valid host certificates with the same subject:
>>
>>
>> $ ipa cert-find --subject=throwaway.unix.iriszorg.nl
>> --
>> 2 certificates matched
>> --
>> Serial number (hex): 0x3FFE0002
>> Serial number: 1073610754
>> Status: VALID
>> Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>>
>>
>> Serial number (hex): 0x3FFE0003
>> Serial number: 1073610755
>> Status: VALID
>> Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>>
>> Number of entries returned 2
>>
>>
>>
>> So certmonger on this CentOS 6.8 32-bit host is renewing but not
>> having the old certificate revoked.
>>
>>
>> I'd check the Apache log to find the cert_request call to see if you
>> can see if there are any issues raised. It should be doing a
>> cert_revoke at the same time.
>>
>> Can you show how this certificate is being tracked?
>>
>>
>> sure:
>>
>> $ sudo getcert list
>> Number of certificates and requests being tracked: 1.
>> Request ID '20160929100945':
>>  status: MONITORING
>>  stuck: no
>>  key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
>>  certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
>>  CA: IPA
>>  issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
>>  subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>>  expires: 2018-09-30 10:13:17 UTC
>>  principal name: host/throwaway.unix.iriszorg...@unix.iriszorg.nl
>>  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>  eku: id-kp-serverAuth,id-kp-clientAuth
>>  pre-save command:
>>  post-save command:
>>  track: yes
>>  auto-renew: yes
>> now, let's resubmit:
>>
>> $ sudo ipa-getcert resubmit -i 20160929100945
>> Resubmitting "20160929100945" to "IPA".
>> [jose.admin@throwaway ~]$ sudo getcert list
>> Number of certificates and requests being tracked: 1.
>> Request ID '20160929100945':
>>  status: MONITORING
>>  stuck: no
>>  key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
>>  certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
>>  CA: IPA
>>  issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
>>  subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>>  expires: 2018-09-30 20:41:28 UTC
>>  principal name:

Re: [Freeipa-users] another certmonger question

2016-09-30 Thread Rob Crittenden

Natxo Asenjo wrote:



On Thu, Sep 29, 2016 at 1:16 PM, Rob Crittenden wrote:

Natxo Asenjo wrote:



On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden wrote:


 It's hard to say, it may in fact not be a problem.

 It is really a matter of what service the certificate(s)
are related
 to. I'd look at the serial numbers and then correlate those
to the
 issued certificates.

 I'd also do a service-find on the hostname to see if any
services
 have certificates issued and with what serial numbers.


I agree, it could be that. But just for testing I have created a vm,
joined it to the domain and resubmitted the certificate.

Now there are two valid host certificates with the same subject:


$ ipa cert-find --subject=throwaway.unix.iriszorg.nl
--
2 certificates matched
--
Serial number (hex): 0x3FFE0002
Serial number: 1073610754
Status: VALID
Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

Serial number (hex): 0x3FFE0003
Serial number: 1073610755
Status: VALID
Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

Number of entries returned 2



So certmonger on this CentOS 6.8 32-bit host is renewing but not
having the old certificate revoked.


I'd check the Apache log to find the cert_request call to see if you
can see if there are any issues raised. It should be doing a
cert_revoke at the same time.

Can you show how this certificate is being tracked?


sure:

$ sudo getcert list
Number of certificates and requests being tracked: 1.
Request ID '20160929100945':
 status: MONITORING
 stuck: no
 key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
 certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
 subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
 expires: 2018-09-30 10:13:17 UTC
 principal name: host/throwaway.unix.iriszorg...@unix.iriszorg.nl
 key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
 eku: id-kp-serverAuth,id-kp-clientAuth
 pre-save command:
 post-save command:
 track: yes
 auto-renew: yes

now, let's resubmit:

$ sudo ipa-getcert resubmit -i 20160929100945
Resubmitting "20160929100945" to "IPA".
[jose.admin@throwaway ~]$ sudo getcert list
Number of certificates and requests being tracked: 1.
Request ID '20160929100945':
 status: MONITORING
 stuck: no
 key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
 certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
 subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
 expires: 2018-09-30 20:41:28 UTC
 principal name: host/throwaway.unix.iriszorg...@unix.iriszorg.nl
 key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
 eku: id-kp-serverAuth,id-kp-clientAuth
 pre-save command:
 post-save command:
 track: yes
 auto-renew: yes

so it has been successfully renewed.

In the access_log of the kdc I see this:

172.20.4.228 - - [29/Sep/2016:22:41:27 +0200] "POST

Re: [Freeipa-users] another certmonger question

2016-09-29 Thread Natxo Asenjo
On Thu, Sep 29, 2016 at 1:16 PM, Rob Crittenden wrote:

> Natxo Asenjo wrote:
>
>>
>>
>> On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden wrote:
>>
>>
>> It's hard to say, it may in fact not be a problem.
>>
>> It is really a matter of what service the certificate(s) are related
>> to. I'd look at the serial numbers and then correlate those to the
>> issued certificates.
>>
>> I'd also do a service-find on the hostname to see if any services
>> have certificates issued and with what serial numbers.
>>
>>
>> I agree, it could be that. But just for testing I have created a vm,
>> joined it to the domain and resubmitted the certificate.
>>
>> Now there are two valid host certificates with the same subject:
>>
>>
>> $ ipa cert-find --subject=throwaway.unix.iriszorg.nl
>> --
>> 2 certificates matched
>> --
>>   Serial number (hex): 0x3FFE0002
>>   Serial number: 1073610754
>>   Status: VALID
>>   Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>>
>>   Serial number (hex): 0x3FFE0003
>>   Serial number: 1073610755
>>   Status: VALID
>>   Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>>
>> Number of entries returned 2
>>
>>
>>
>> So certmonger on this CentOS 6.8 32-bit host is renewing but not
>> having the old certificate revoked.
>>
>
> I'd check the Apache log to find the cert_request call to see if you can
> see if there are any issues raised. It should be doing a cert_revoke at the
> same time.
>
> Can you show how this certificate is being tracked?
>

sure:

$ sudo getcert list
Number of certificates and requests being tracked: 1.
Request ID '20160929100945':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA
Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine
Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
expires: 2018-09-30 10:13:17 UTC
principal name: host/throwaway.unix.iriszorg...@unix.iriszorg.nl
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes

now, let's resubmit:

$ sudo ipa-getcert resubmit -i 20160929100945
Resubmitting "20160929100945" to "IPA".
[jose.admin@throwaway ~]$ sudo getcert list
Number of certificates and requests being tracked: 1.
Request ID '20160929100945':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA
Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine
Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
expires: 2018-09-30 20:41:28 UTC
principal name: host/throwaway.unix.iriszorg...@unix.iriszorg.nl
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes

so it has been successfully renewed.

In the access_log of the kdc I see this:

172.20.4.228 - - [29/Sep/2016:22:41:27 +0200] "POST
https://kdc03.unix.iriszorg.nl:443/ca/eeca/ca/profileSubmitSSLClient
HTTP/1.1" 200 1913
172.20.6.81 - host/throwaway.unix.iriszorg...@unix.iriszorg.nl
[29/Sep/2016:22:41:27 +0200] "POST /ipa/xml HTTP/1.1" 200 2929

and in the error_log:
[Thu Sep 29 22:41:28.626669 2016] [:error] [pid 4617] ipa: INFO:
[xmlserver] host/throwaway.unix.iriszorg...@unix.iriszorg.nl:

Re: [Freeipa-users] another certmonger question

2016-09-29 Thread Rob Crittenden

Natxo Asenjo wrote:



On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden wrote:


It's hard to say, it may in fact not be a problem.

It is really a matter of what service the certificate(s) are related
to. I'd look at the serial numbers and then correlate those to the
issued certificates.

I'd also do a service-find on the hostname to see if any services
have certificates issued and with what serial numbers.


I agree, it could be that. But just for testing I have created a vm,
joined it to the domain and resubmitted the certificate.

Now there are two valid host certificates with the same subject:


$ ipa cert-find --subject=throwaway.unix.iriszorg.nl
--
2 certificates matched
--
   Serial number (hex): 0x3FFE0002
   Serial number: 1073610754
   Status: VALID
   Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

   Serial number (hex): 0x3FFE0003
   Serial number: 1073610755
   Status: VALID
   Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

Number of entries returned 2



So certmonger on this CentOS 6.8 32-bit host is renewing but not
having the old certificate revoked.


I'd check the Apache log to find the cert_request call to see if you can 
see if there are any issues raised. It should be doing a cert_revoke at 
the same time.


Can you show how this certificate is being tracked?

rob



Re: [Freeipa-users] another certmonger question

2016-09-29 Thread Natxo Asenjo
On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden wrote:

>
> It's hard to say, it may in fact not be a problem.
>
> It is really a matter of what service the certificate(s) are related to.
> I'd look at the serial numbers and then correlate those to the issued
> certificates.
>
> I'd also do a service-find on the hostname to see if any services have
> certificates issued and with what serial numbers.
>

I agree, it could be that. But just for testing I have created a vm, joined
it to the domain and resubmitted the certificate.

Now there are two valid host certificates with the same subject:


 $ ipa cert-find --subject=throwaway.unix.iriszorg.nl
--
2 certificates matched
--
  Serial number (hex): 0x3FFE0002
  Serial number: 1073610754
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0003
  Serial number: 1073610755
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

Number of entries returned 2



So certmonger on this CentOS 6.8 32-bit host is renewing but not having
the old certificate revoked.

--
Groeten,
natxo

Re: [Freeipa-users] another certmonger question

2016-09-27 Thread Rob Crittenden

Natxo Asenjo wrote:

hi,

after our upgrade from centos 6.8 to 7.2, when I renew a certificate
using ipa-getcert resubmit -i xx the certificate is properly
renewed, but the info on ipa host-show still shows the old certificate
info. Is this normal?

$ sudo getcert list | grep expires
 expires: 2018-09-27 19:46:03 UTC

so that certificate has successfully been renewed, but this is the
host's info:

$ ipa host-show hostname | grep -i after
  Not After: Wed Jun 07 14:30:47 2017 UTC

and I see there as well more than one certificate for that host:

$ ipa cert-find --subject=hostname
--
5 certificates matched
--
   Serial number (hex): 0xFF90008
   Serial number: 267976712
   Status: VALID
   Subject: CN=hostname.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

   Serial number (hex): 0xFF90009
   Serial number: 267976713
   Status: VALID
   Subject: CN=hostname.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

   Serial number (hex): 0xFF9000A
   Serial number: 267976714
   Status: VALID
   Subject: CN=hostname.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

   Serial number (hex): 0xFFF001D
   Serial number: 268369949
   Status: REVOKED_EXPIRED
   Subject: CN=hostname.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

   Serial number (hex): 0xFFF0093
   Serial number: 268370067
   Status: REVOKED
   Subject: CN=hostname.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

Number of entries returned 5


And three of them are still valid. As a comparison, another host which
was installed about the same time also has 5 certificates, but 4 are
revoked and the expires info of getcert list and of the valid
certificate are the same.

So how do I correct this?


It's hard to say, it may in fact not be a problem.

It is really a matter of what service the certificate(s) are related to. 
I'd look at the serial numbers and then correlate those to the issued 
certificates.


I'd also do a service-find on the hostname to see if any services have 
certificates issued and with what serial numbers.


rob
