Over the weekend, my original "NSS Certificate DB" certificate expired. It was 
automatically renewed, however in a new location:

# ipa-getcert list
Number of certificates and requests being tracked: 10.
Request ID '20180929060059':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-PHYSEC-DE',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-PHYSEC-DE
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-PHYSEC-DE',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=IPA.PHYSEC.DE
        subject: CN=master.ipa.physec.de,O=IPA.PHYSEC.DE
        expires: 2021-07-20 14:25:43 UTC
        principal name: ldap/master.ipa.physec...@ipa.physec.de
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-PHYSEC-DE
        track: yes
        auto-renew: yes
Request ID '20180929060107':
        status: MONITORING
        ca-error: Unable to determine principal name for signing request.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=IPA.PHYSEC.DE
        subject: CN=master.ipa.physec.de,O=IPA.PHYSEC.DE
        expires: 2019-08-17 12:45:50 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes

I managed to restart the FreeIPA service by adding `NSSEnforceValidCerts off` 
to `/etc/httpd/conf.d/nss.conf`. But logging into the web interface still yields 
the following error in httpd:

[Mon Aug 19 10:36:05.722736 2019] [:error] [pid 12798] ipa: INFO: 401 Unauthorized: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
[Mon Aug 19 10:36:05.723894 2019] [:error] [pid 12802] SSL Library Error: -12269 The server has rejected your certificate as expired

I have intentionally not copied the new certificate to `/etc/httpd/alias` as I 
am not aware of all the involved components and fear that this might break 
something.

My system is running a fully patched CentOS 7.6, running FreeIPA 
4.6.4-10.el7.centos.6.

What should I do to resolve this issue: simply replace the certificates, or 
is there a better method?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
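A small monitoring check for the situation described in the post, added here as an example and not part of the thread or of FreeIPA: it parses `ipa-getcert list` output and flags any tracked request that carries a `ca-error`, is `stuck`, or is expired or near expiry, so a failed renewal like the httpd one is caught before the certificate lapses. The sample output and the reference time `AS_OF` are constructed from the post.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the format of the post's `ipa-getcert list` output
SAMPLE = """\
Request ID '20180929060059':
        stuck: no
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-PHYSEC-DE',nickname='Server-Cert'
        expires: 2021-07-20 14:25:43 UTC
Request ID '20180929060107':
        ca-error: Unable to determine principal name for signing request.
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
        expires: 2019-08-17 12:45:50 UTC
"""
# Reference "now": the timestamp of the httpd log lines in the post (assumed)
AS_OF = datetime(2019, 8, 19, 10, 36, tzinfo=timezone.utc)
REQUEST_RE = re.compile(r"^Request ID '([^']+)':")

def parse_getcert(text):
    """Return {request_id: {field: value}} from `ipa-getcert list` output."""
    requests, current = {}, None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and line[:1].isspace() and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return requests

def find_problems(text, now=AS_OF, warn_days=30):
    """Return {request_id: [reasons]} for trackings that need attention."""
    problems = {}
    for rid, f in parse_getcert(text).items():
        reasons = []
        if f.get("ca-error"):  # renewal was refused by the CA, as for httpd in the post
            reasons.append("ca-error: " + f["ca-error"])
        if f.get("stuck", "no") != "no":
            reasons.append("stuck")
        if "expires" in f:
            exp = datetime.strptime(f["expires"], "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
            if exp <= now:
                reasons.append("expired " + f["expires"])
            elif exp - now <= timedelta(days=warn_days):
                reasons.append("expires within %d days" % warn_days)
        if reasons:
            problems[rid] = reasons
    return problems
```

Run it against `ipa-getcert list` output from cron and alert on a non-empty result; the dirsrv request in the sample passes, the httpd request is reported for both its ca-error and its expiry.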
