[Freeipa-users] IPA 2.2 Certificate Renewal issue
Hi,

This is Kay. I am not sure if the email address is correct, and I would really appreciate any help with my issue. It has been baffling me for a few days, and the expiry date is coming soon.. :(

There is an IPA 2.2 environment, and three "Server-Cert" certificates (the two 389-ds certs and the Apache cert) will expire at 2016-06-05 22:03:17 UTC.

Two years ago, these certs were renewed by other guys according to this document: http://www.freeipa.org/page/IPA_2x_Certificate_Renewal and it was successful; the certificates were renewed until 20160605.

But recently I wanted to renew them again since the expiry date is coming. I followed the above guide, however things did not go well.

Below are the 8 certs which certmonger is tracking:

root@ecnshlx3039-test2(SH):~ #getcert list
Number of certificates and requests being tracked: 8.
Request ID '20120704140859':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DRUTT-COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=ipa1.drutt.com,O=DRUTT.COM
        expires: 2016-06-05 22:03:17 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
        track: yes
        auto-renew: yes
Request ID '20120704140922':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=ipa1.drutt.com,O=DRUTT.COM
        expires: 2016-06-05 22:03:17 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20120704141150':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=ipa1.drutt.com,O=DRUTT.COM
        expires: 2016-06-05 22:03:17 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20140605220249':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=IPA RA,O=DRUTT.COM
        expires: 2014-06-24 14:08:50 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160527075219':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=CA Audit,O=DRUTT.COM
        expires: 2014-06-24 14:08:42 UTC
        pre-save command:
        post-save command:
        track: yes
        auto-renew:
Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue
Hi Rob,

The status for ipaCert is MONITORING both before and after resubmitting this request ID, as below:

Request ID '20140605220249':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=IPA RA,O=DRUTT.COM
        expires: 2014-06-24 14:08:50 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

I restarted the ipa service before renewal since there is no pki-cad service in our env. I have tried this process so many times, and I even wanted to recreate the ipaCert, but it failed.

The references I used are below, but neither of them works for my issue :(
http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
http://www.freeipa.org/page/PKI

And if it is feasible, could we modify the expiration date for these certs manually, or recreate them directly?

Thanks,
BR//Kay

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, May 31, 2016 11:10 PM
To: Kay Zhou Y; freeipa-users@redhat.com
Cc: Doris Hongmei; Xionglin Gu
Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue

Kay Zhou Y wrote:
> Hi Rob,
>
> Thanks for your reply.
>
> And about your suggestion, actually I have done it. But it just renews the two 389-ds certs and the Apache cert.
> Since the ipaCert and subsystem certs expired at 20140624, I must roll back time to before that and then begin to renew, but after I did this:
>
> "Let's force renewal on all of the certificates:
> # for line in `getcert list | grep Request | cut -d "'" -f2`; do getcert resubmit -i $line; done ..."
>
> According to the wiki (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal), the CA subsystem certificates will be renewed. But they were not.

Ok, what state are the certificates in? When you go back in time are you restarting the pki-cad service before attempting to do the renewal?

> Finally, after I finished all the actions mentioned in the wiki page, I still can't renew ipaCert and the other four CA subsystem certificates.
> And the two 389-ds and Apache certs will still expire after the date 20160623 (expiry date of ipaCert 20140624 + two years).
>
> Is there any other guide or doc about the ipaCert and CA subsystem certificates?

Not really for IPA 2.x

rob

> Thanks a lot for your support!
>
> Thanks,
> BR//Kay
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Friday, May 27, 2016 11:41 PM
> To: Kay Zhou Y; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue
>
> Kay Zhou Y wrote:
>> Hi,
>>
>> This is Kay.
>>
>> I am not sure if the email address is correct, and I would really
>> appreciate any help with my issue. It has been baffling me for a few
>> days, and the expiry date is coming soon.. :(
>>
>> There is an IPA 2.2 environment, and three "Server-Cert" certificates (the two 389-ds
>> certs and the Apache cert) will expire at 2016-06-05 22:03:17 UTC.
>>
>> Two years ago, these certs were renewed by other guys according to
>> this document: http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>>
>> and it was successful; the certificates were renewed until 20160605.
>>
>> But recently I wanted to renew them again since the expiry date is coming.
>> I followed the above guide, however things did not go well.
>
> The problem looks to be because the IPA RA cert (ipaCert) isn't
> matching what dogtag expects. See the wiki page starting at
>
> "For ipaCert, stored in /etc/httpd/alias you have another job to do..."
>
> You'll want to be sure that description correctly matches the certificate in
> the Apache database and confirm that the usercertificate value in LDAP
> matches the cert being presented.
>
> rob
>
>> Below are the 8 certs which certmonger is tracking:
>>
>> root@ecnshlx3039-test2(SH):~ #getcert list
>>
>> Number of certificates and requests being tracked: 8.
>>
>> Request ID '20120704140859':
>>
>> status: CA_UNREACHABLE
>>
>> ca-error: Server failed request, will retry: 4301 (RPC
>> failed at server. Certificate operation cannot be comple
Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue
6-06-05 22:03:17 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20120704141150':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=ipa1.drutt.com,O=DRUTT.COM
        expires: 2016-06-05 22:03:17 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20140605220249':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=IPA RA,O=DRUTT.COM
        expires: 2014-06-24 14:08:50 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160601043748':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=CA Audit,O=DRUTT.COM
        expires: 2014-06-24 14:08:42 UTC
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160601043749':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=OCSP Subsystem,O=DRUTT.COM
        expires: 2014-06-24 14:08:41 UTC
        eku: id-kp-OCSPSigning
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160601043750':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=CA Subsystem,O=DRUTT.COM
        expires: 2014-06-24 14:08:41 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160601043751':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=ipa1.drutt.com,O=DRUTT.COM
        expires: 2014-06-24 14:08:41 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

thanks,
BR//Kay

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Wednesday, June 01, 2016 11:56 AM
To: Kay Zhou Y; freeipa-users@redhat.com
Cc: Doris Hongmei; Xionglin Gu
Subject: Re
Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue
Hi Rob,

We are using Fedora 17.

And as you said, when I roll back time to when the CA subsystem and ipaCert are valid and then restart ipactl, "pki-cad@pki-ca.service" is active as normal. But these five certs could not be renewed as before. (Actually I always restart the ipa world after I roll back time, so this "pki-cad@pki-ca.service" should be active, but I just ignored it before...)

Thanks,
BR//Kay

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Wednesday, June 01, 2016 10:37 PM
To: Kay Zhou Y; freeipa-users@redhat.com
Cc: Doris Hongmei; Xionglin Gu
Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue

Kay Zhou Y wrote:
> Hi Rob,
>
> 1. I have made snapshots of this system for testing, so the NSS databases have been backed up.
>
> 2. For the pki-cad service, I can't find it in my system; it shows there is no such service.
> But there is one service failed as below:
>
> root@ecnshlx3039-test2(SH):requests #systemctl status pki-cad@pki-ca.service
> pki-cad@pki-ca.service - PKI Certificate Authority Server pki-ca
>           Loaded: loaded (/lib/systemd/system/pki-cad@.service; enabled)
>           Active: failed (Result: exit-code) since Wed, 01 Jun 2016 06:28:53 +0200; 23min ago
>          Process: 2675 ExecStop=/usr/bin/pkicontrol stop ca %i (code=exited, status=1/FAILURE)
>          Process: 2525 ExecStart=/usr/bin/pkicontrol start ca %i (code=exited, status=0/SUCCESS)
>         Main PID: 2593 (code=exited, status=0/SUCCESS)
>           CGroup: name=systemd:/system/pki-cad@.service/pki-ca
>
> Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]: pam_unix(runuser-l:session): session opened for user pkius...d=0)
> Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]: pam_unix(runuser-l:session): session closed for user pkiuser
> Jun 01 06:28:52 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]: pam_unix(runuser-l:session): session opened for user pkius...d=0)
> Jun 01 06:28:53 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]: pam_unix(runuser-l:session): session closed for user pkiuser
>
> I can't start it normally, and the log just says:
> Jun 1 06:54:39 ecnshlx3039-test2 systemd[1]: pki-cad@pki-ca.service: control process exited, code=exited status=1
> Jun 1 06:54:39 ecnshlx3039-test2 systemd[1]: Unit pki-cad@pki-ca.service entered failed state.
>
> I will google more to try to start it first.

Ok, this is very confusing to me. What distribution are you running? I have the feeling you are running an extremely outdated version of Fedora.

Yes, you need the CA up in order to get the certificates renewed. Look at catalina.out, the log "debug" and the selftests log for clues on why it won't start. You also need the PKI-IPA 389-ds instance running.

And I guess you were just showing me the service name and such, but of course it won't start today with expired certs.

> 3. About the source of the output for getcert list:
>
> root@ecnshlx3039-test2(SH):requests #ll
> total 64
> -rw-------. 1 root root 5698 Jun  1 06:06 20120704140859
> -rw-------. 1 root root 5695 Jun  1 06:06 20120704140922
> -rw-------. 1 root root 5654 Jun  1 06:06 20120704141150
> -rw-------. 1 root root 5107 Jun  1 06:39 20140605220249
> -rw-------. 1 root root 4982 Jun  1 06:39 20160601043748
> -rw-------. 1 root root 5144 Jun  1 06:39 20160601043749
> -rw-------. 1 root root 5186 Jun  1 06:39 20160601043750
> -rw-------. 1 root root 5126 Jun  1 06:39 20160601043751
> root@ecnshlx3039-test2(SH):requests #
> root@ecnshlx3039-test2(SH):requests #grep post_certsave_command *
> 20120704140859:post_certsave_command=/usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
> 20120704141150:post_certsave_command=/usr/lib64/ipa/certmonger/restart_httpd
> root@ecnshlx3039-test2(SH):requests #grep pre_certsave_command *
> root@ecnshlx3039-test2(SH):requests #
>
> There are just two statements.

Ok, that is fine then I think.
rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
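Most of the back-and-forth in this thread comes down to reading `getcert list` output by eye: which requests are stuck at the CA (the three Server-Certs with CA_UNREACHABLE), and which certificates are already expired even though certmonger still reports MONITORING (ipaCert and the CA subsystem certs, whose expiry is in 2014). The following is an added example, not code from this thread and not part of certmonger or FreeIPA, that parses a listing in the same layout and answers both questions. The sample listing is constructed (EXAMPLE.COM, a redacted pin, fewer fields than the real output) and the function names are my own; on a real server you would pipe `getcert list` into the functions instead. It splits on the single quote the same way the wiki's `cut -d "'" -f2` loop does, so request IDs that are not purely numeric still work.

```shell
#!/bin/sh
# Added example (not from the thread, not certmonger/FreeIPA code):
# summarize `getcert list` output, list stuck requests, and list
# certificates already expired relative to a reference time.

# Constructed stand-in for `getcert list`; fields not needed below are
# omitted and the pin is redacted. Real usage: `getcert list | summarize_getcert`.
sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 4.
Request ID '20120704140859':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
        stuck: yes
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=ipa1.example.com,O=EXAMPLE.COM
        expires: 2016-06-05 22:03:17 UTC
Request ID '20120704141150':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
        stuck: yes
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=ipa1.example.com,O=EXAMPLE.COM
        expires: 2016-06-05 22:03:17 UTC
Request ID '20140605220249':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        subject: CN=IPA RA,O=EXAMPLE.COM
        expires: 2014-06-24 14:08:50 UTC
Request ID '20160601043748':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='REDACTED'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        subject: CN=CA Audit,O=EXAMPLE.COM
        expires: 2014-06-24 14:08:42 UTC
EOF
}

# One pipe-separated line per tracked request:
#   id|status|stuck|expires|location|nickname
# The request ID and the NSS location/nickname are recovered by splitting
# the line on single quotes, so non-numeric IDs (getcert -I names) work too.
summarize_getcert() {
    awk -v q="'" '
        function emit() {
            if (id != "") printf "%s|%s|%s|%s|%s|%s\n", id, st, stuck, expires, loc, nick
        }
        /^Request ID /         { emit(); split($0, a, q); id = a[2]
                                 st = ""; stuck = ""; expires = ""; loc = ""; nick = "" }
        /^[ \t]*status: /      { st = $2 }
        /^[ \t]*stuck: /       { stuck = $2 }
        /^[ \t]*certificate: / { split($0, a, q); loc = a[2]; nick = a[4] }
        /^[ \t]*expires: /     { sub(/^[ \t]*expires: /, ""); sub(/ UTC$/, ""); expires = $0 }
        END                    { emit() }
    '
}

# Request IDs certmonger cannot finish on its own: stuck, or not in the
# steady MONITORING state. These are the ones to `getcert resubmit -i`
# once the CA is reachable again.
stuck_requests() {
    summarize_getcert | awk -F'|' '$3 == "yes" || $2 != "MONITORING" { print $1 }'
}

# id|nickname|expires for certificates expiring before the reference time
# ("YYYY-MM-DD HH:MM:SS"); ISO timestamps compare correctly as strings.
# A MONITORING request whose certificate is already expired is the
# thread's ipaCert situation: certmonger is idle, but the CA will reject it.
expired_before() {
    summarize_getcert | awk -F'|' -v ref="$1" '$4 != "" && $4 < ref { print $1 "|" $6 "|" $4 }'
}

# Stand-alone run: summarize the constructed listing, then show what is
# expired as of the current UTC time (on a rolled-back clock, pass the
# real date explicitly instead).
sample_getcert_list | summarize_getcert
sample_getcert_list | expired_before "$(date -u '+%Y-%m-%d %H:%M:%S')"
```

Running `getcert list | expired_before "$(date -u '+%Y-%m-%d %H:%M:%S')"` before rolling the clock back gives the list of certificates that must be renewed while time is rolled back, independently of what certmonger's status column says; `stuck_requests` gives the set to resubmit afterwards.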
Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue
Hi Rob,

Actually the certmonger service failed after I restarted it, but without it being active the two 389-ds and Apache certs could be renewed as well.. it's weird..

root@ecnshlx3039-test2(SH):~ #systemctl status certmonger
certmonger.service - Certificate monitoring and PKI enrollment
          Loaded: loaded (/usr/lib/systemd/system/certmonger.service; disabled)
          Active: failed (Result: exit-code) since Mon, 23 Jun 2014 00:31:11 +0200; 5s ago
         Process: 2198 ExecStart=/usr/sbin/certmonger -S -p /var/run/certmonger.pid -n $OPTS (code=exited, status=1/FAILURE)
          CGroup: name=systemd:/system/certmonger.service

Jun 23 00:31:11 ecnshlx3039-test2.sh.cn.ao.ericsson.se certmonger[2198]: 2014-06-23 00:31:11 [2198] Unable to set well-known bus name "org.fedorahosted.certmonger": (2).
Jun 23 00:31:11 ecnshlx3039-test2.sh.cn.ao.ericsson.se certmonger[2198]: Error connecting to D-Bus.

I have already renewed the two 389-ds and Apache certs to 20160622. However, since there is not enough time for us before expiration, we are trying to find other workarounds, and one solution for us is to disable the expired certificate according to https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/troubleshooting-servers-and-replicas.html#expired-certs

After testing, it could work, but the IPA command could not be used. But it seems we can still get data from LDAP.

Is there any other way we could use to disable such expired certs without impact, from your side?

Thanks for your great support again :)

BR//Kay

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Friday, June 03, 2016 5:34 AM
To: Kay Zhou Y; freeipa-users@redhat.com
Cc: Doris Hongmei; Xionglin Gu
Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue

Kay Zhou Y wrote:
> Hi Rob,
>
> We are using Fedora 17.
> And as you said, when I roll back time to when the CA subsystem and ipaCert
> are valid and then restart ipactl, "pki-cad@pki-ca.service" is active as normal.
> But these five certs could not be renewed as before. (Actually I always
> restart the ipa world after I roll back time, so this
> "pki-cad@pki-ca.service" should be active, but I just ignored it
> before...)

With the time rolled back what I'd do is restart certmonger then run in a loop with a 1 second sleep ipa-getcert list and ensure that the statuses are changing to SUBMITTING, etc., and see what the final state is.

certmonger logs to syslog so that might give some clues what is happening, and you can watch the dogtag logs to ensure the requests are being received, etc.

rob

> Thanks,
> BR//Kay
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Wednesday, June 01, 2016 10:37 PM
> To: Kay Zhou Y; freeipa-users@redhat.com
> Cc: Doris Hongmei; Xionglin Gu
> Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue
>
> Kay Zhou Y wrote:
>> Hi Rob,
>>
>> 1. I have made snapshots of this system for testing, so the NSS databases have
>> been backed up.
>>
>> 2. For the pki-cad service, I can't find it in my system; it shows there is
>> no such service.
>> But there is one service failed as below:
>>
>> root@ecnshlx3039-test2(SH):requests #systemctl status pki-cad@pki-ca.service
>> pki-cad@pki-ca.service - PKI Certificate Authority Server pki-ca
>>           Loaded: loaded (/lib/systemd/system/pki-cad@.service; enabled)
>>           Active: failed (Result: exit-code) since Wed, 01 Jun 2016 06:28:53 +0200; 23min ago
>>          Process: 2675 ExecStop=/usr/bin/pkicontrol stop ca %i (code=exited, status=1/FAILURE)
>>          Process: 2525 ExecStart=/usr/bin/pkicontrol start ca %i (code=exited, status=0/SUCCESS)
>>         Main PID: 2593 (code=exited, status=0/SUCCESS)
>>           CGroup: name=systemd:/system/pki-cad@.service/pki-ca
>>
>> Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]: pam_unix(runuser-l:session): session opened for user pkius...d=0)
>> Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]: pam_unix(runuser-l:session): session closed for user pkiuser
>> Jun 01 06:28:52 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]: pam_unix(runuser-l:session): session opened for user pkius...d=0)
>> Jun 01 06:28:53 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]: pam_unix(runuser-l:session): session closed for user pkiuser
>>
>> I can't start it normally, and the log just says:
>> Jun 1 06:54:39 ecnshlx3039-test2 systemd[1]: pki-cad@pki-ca.service: control process exited, code=exited status=1
>> Jun 1 06:54:39 ecnshlx3039-test2 systemd[1]: Unit pki-cad@pki-ca.service entered failed s