Re: [Freeipa-users] Replica Cert failed to renew ...

2014-08-06 Thread Martin Kosek
Right, the processing route may not seem obvious. certmonger uses the server
from /etc/ipa/default.conf. This server does not necessarily need to also run
the CA; we account for that option.

When certmonger wants to renew or request a certificate, it calls the cert-request
API on that server. The API call goes to the Dogtag backend, which checks whether the
server is a CA-powered IPA. If it is not, it picks any other master where the CA
*is* installed and connects to that one for the certificate operation. Check
_select_any_master in ipaserver/plugins/dogtag.py if you are interested in
the code.

Does that help?

Martin

On 08/06/2014 12:16 AM, Matt Bryant wrote:
 Hmmm so question here .. our domain was originally installed as a 2.x and
 upgraded to 3.x  .. I installed the replicas using the ipa-replica-prepare etc
 but the CA dirsrv instance was never copied over or started on the replicas (ie
 no slapd-PKI-* around) .. yet /etc/ipa/default.conf points to the replica
 itself for certmonger - so not sure how that will work given there is no CA
 copy running on the replica ..
 
 In the end the process followed was to change the xmlrpc_uri to the original
 master and delete and resubmit the cert request for Server-Cert for slapd &
 httpd/alias; we get an up to date cert ... not sure if anything else broken by
 doing that though ...
 
 I assume maybe the replica install/mgmt under 2.x was slightly or perhaps
 majorly different ...
 
 rgds
 
 Matt
 
 On 31/07/2014 6:21 pm, Martin Kosek wrote:
 (Adding back the users list as this may be interesting for everyone)

 Ok, the steps suggested below should help. If the DS does not want to start at
 all because of the expired certificate, you can also open
 /etc/dirsrv/slapd-YOUR-REALM/dse.ldif and edit it manually (only when the dirsrv
 service is stopped).

 Martin

 On 07/31/2014 09:53 AM, Matt Bryant wrote:
 Martin,

 Correct in that the replica does not have a CA and the version being run is

 $ rpm -qa ipa-server
 ipa-server-3.0.0-25.el6.x86_64

 restarted the services and get

 Starting dirsrv:
  SERVER-IPA...[31/Jul/2014:18:00:15 +1000] - SSL alert:
 CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of
 family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 -
 Peer's Certificate has expired.)

 so I think it is just dealing with an expired cert ... so will try the other
 steps suggested  ..

 rgds

 Matt Bryant

 On 31/07/14 17:33, Martin Kosek wrote:
 On 07/31/2014 07:49 AM, Matt Bryant wrote:
 All,

 Got an issue with an IPA replica in that the certs in /etc/httpd/alias &
 /etc/dirsrv/slapd-IPA-REALM have expired.
 I assume that this replica does not have a CA and we are only dealing with
 service HTTPD and DIRSRV service certificates.

 Have tried setting date back before expiry on the replica and doing an
 'ipa-getcert resubmit -i id' but that hasn't worked; it looks like the CA
 master is actually rejecting it since I haven't set the date back on that
 server.

 Error I am getting on replica is ...

 Request ID '20120719044839':
   status: CA_UNREACHABLE
   ca-error: Server failed request, will retry: -504 (libcurl failed to
 execute the HTTP POST transaction.  Peer certificate cannot be authenticated
 with known CA certificates).
 Isn't this rather a problem that the replica does not trust the master server
 HTTPD certificate because its certificates are not valid from the replica's POV?

 is there any way of forcing a renewal or manual process for updating these
 certs .. ???
 If this is just a replica without PKI, I would suggest synchronizing the time
 back with the master CA server and restarting all the services.

 If the HTTPD service does not want to start, follow chapter 25.2.2. Starting
 IdM with Expired Certificates in
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/cas.html

 and then try to resubmit the certificates so that they can be renewed on the
 master. Do not forget to revert the above configuration changes when you are
 done.

 Also, what version of FreeIPA are you running?

 HTH,
 Martin
 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
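Martin's explanation above covers the renewal path, and Matt's posts show the symptom on the replica: a tracking request stuck in CA_UNREACHABLE with an already expired Server-Cert. The script below is added here as an example; it is not code from the thread, from FreeIPA or from certmonger. It parses the text that `getcert list` / `ipa-getcert list` prints and flags every request that is not healthy (status other than MONITORING, a ca-error, an expired or soon-expiring certificate). The field names are taken from that output as an assumption, the older bare `YYYYMMDDHHMMSS` expiry format is assumed, and the sample output is constructed from the error Matt posted.

```python
"""Triage certmonger tracking requests from `getcert list` output.

Added example for this thread (not FreeIPA or certmonger code). It parses the
text that `getcert list` / `ipa-getcert list` prints and flags every request
that is not healthy: a status other than MONITORING, a non-empty ca-error, or
a certificate that has expired or expires within a warning window. The field
names (status, ca-error, expires, ...) are assumed from that output.

Usage against a live host:  getcert list | python3 getcert_triage.py -
Without "-" it runs on the constructed SAMPLE below.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the error quoted in the thread: one request
# stuck with the expired dirsrv Server-Cert, one healthy httpd Server-Cert.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20120719044839':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-REALM',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-REALM',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\texpires: 2014-07-19 04:48:39 UTC
Request ID '20120719044840':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\texpires: 2016-07-19 04:48:39 UTC
"""

# Fixed "now" (the date of the thread) so the sample run is reproducible.
THREAD_NOW = datetime(2014, 7, 31, 8, 0, tzinfo=timezone.utc)

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\s+([^:]+):\s*(.*)$")


def parse_getcert_list(text):
    """Return one dict per 'Request ID' block, keyed by field name, plus 'id'."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return requests


def parse_expiry(value):
    """Parse the 'expires' field into an aware UTC datetime, or None.

    Current certmonger prints 'YYYY-MM-DD HH:MM:SS UTC'; older builds printed a
    bare 'YYYYMMDDHHMMSS' (assumed here), so both forms are accepted."""
    for fmt in ("%Y-%m-%d %H:%M:%S UTC", "%Y%m%d%H%M%S"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def triage(requests, now, warn_days=30):
    """Return (request_id, problem) pairs for every request needing attention."""
    problems = []
    for req in requests:
        rid, status = req["id"], req.get("status", "")
        if status != "MONITORING":
            problems.append((rid, "status " + status))
        if req.get("ca-error"):
            problems.append((rid, "ca-error: " + req["ca-error"]))
        exp = parse_expiry(req.get("expires", ""))
        if exp is None:
            problems.append((rid, "no parseable expiry"))
        elif exp <= now:
            problems.append((rid, "expired %d days ago" % (now - exp).days))
        elif exp - now <= timedelta(days=warn_days):
            problems.append((rid, "expires in %d days" % (exp - now).days))
    return problems


def triage_text(text, now=THREAD_NOW, warn_days=30):
    """Convenience wrapper: parse and triage in one call."""
    return triage(parse_getcert_list(text), now, warn_days)


if __name__ == "__main__":
    if "-" in sys.argv[1:]:
        text, now = sys.stdin.read(), datetime.now(timezone.utc)
    else:
        text, now = SAMPLE, THREAD_NOW
    for rid, problem in triage_text(text, now):
        print("%s: %s" % (rid, problem))
```

Run on the constructed sample it reports the dirsrv request three times (non-MONITORING status, the ca-error, and an expiry 12 days in the past) and says nothing about the httpd request. The ca-error text is reported verbatim because, as this thread shows, the libcurl message ("Peer certificate cannot be authenticated") is what tells you the failure is a trust or clock problem on the replica side rather than a CA outage.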

Re: [Freeipa-users] Replica Cert failed to renew ...

2014-08-05 Thread Matt Bryant
Hmmm so question here .. our domain was originally installed as a 2.x 
and upgraded to 3.x  .. I installed the replicas using the 
ipa-replica-prepare etc but the CA dirsrv instance was never copied over 
or started on the replicas (ie no slapd-PKI-* around) .. yet 
/etc/ipa/default.conf points to the replica itself for certmonger - so 
not sure how that will work given there is no CA copy running on the 
replica ..


In the end the process followed was to change the xmlrpc_uri to the 
original master and delete and resubmit the cert request for Server-Cert 
for slapd & httpd/alias; we get an up to date cert ... not sure if 
anything else broken by doing that though ...


I assume maybe the replica install/mgmt under 2.x was slightly or 
perhaps majorly different ...


rgds

Matt

On 31/07/2014 6:21 pm, Martin Kosek wrote:

(Adding back the users list as this may be interesting for everyone)

Ok, the steps suggested below should help. If the DS does not want to start at
all because of the expired certificate, you can also open
/etc/dirsrv/slapd-YOUR-REALM/dse.ldif and edit it manually (only when the dirsrv
service is stopped).

Martin

On 07/31/2014 09:53 AM, Matt Bryant wrote:

Martin,

Correct in that the replica does not have a CA and the version being run is

$ rpm -qa ipa-server
ipa-server-3.0.0-25.el6.x86_64

restarted the services and get

Starting dirsrv:
 SERVER-IPA...[31/Jul/2014:18:00:15 +1000] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of
family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 -
Peer's Certificate has expired.)

so I think it is just dealing with an expired cert ... so will try the other
steps suggested  ..

rgds

Matt Bryant

On 31/07/14 17:33, Martin Kosek wrote:

On 07/31/2014 07:49 AM, Matt Bryant wrote:

All,

Got an issue with an IPA replica in that the certs in /etc/httpd/alias &
/etc/dirsrv/slapd-IPA-REALM have expired.

I assume that this replica does not have a CA and we are only dealing with
service HTTPD and DIRSRV service certificates.


Have tried setting date back before expiry on the replica and doing an
'ipa-getcert resubmit -i id' but that hasn't worked; it looks like the CA
master is actually rejecting it since I haven't set the date back on that
server.

Error I am getting on replica is ...

Request ID '20120719044839':
  status: CA_UNREACHABLE
  ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction.  Peer certificate cannot be authenticated
with known CA certificates).

Isn't this rather a problem that the replica does not trust the master server
HTTPD certificate because its certificates are not valid from the replica's POV?


is there any way of forcing a renewal or manual process for updating these
certs .. ???

If this is just a replica without PKI, I would suggest synchronizing the time
back with the master CA server and restarting all the services.

If the HTTPD service does not want to start, follow chapter 25.2.2. Starting
IdM with Expired Certificates in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/cas.html

and then try to resubmit the certificates so that they can be renewed on the
master. Do not forget to revert the above configuration changes when you are
done.

Also, what version of FreeIPA are you running?

HTH,
Martin


--
Matt Bryant
Manager - SMB Services | Melbourne IT | Brisbane | Tel +617 3230 7422 | Mob 
+61431 496663



Re: [Freeipa-users] Replica Cert failed to renew ...

2014-07-31 Thread Martin Kosek
On 07/31/2014 07:49 AM, Matt Bryant wrote:
 All,
 
 Got an issue with an IPA replica in that the certs in /etc/httpd/alias &
 /etc/dirsrv/slapd-IPA-REALM have expired.

I assume that this replica does not have a CA and we are only dealing with
service HTTPD and DIRSRV service certificates.

 Have tried setting date back before expiry on the replica and doing an
 'ipa-getcert resubmit -i id' but that hasn't worked; it looks like the CA
 master is actually rejecting it since I haven't set the date back on that
 server.
 
 Error I am getting on replica is ...
 
 Request ID '20120719044839':
 status: CA_UNREACHABLE
 ca-error: Server failed request, will retry: -504 (libcurl failed to
 execute the HTTP POST transaction.  Peer certificate cannot be authenticated
 with known CA certificates).

Isn't this rather a problem that the replica does not trust the master server
HTTPD certificate because its certificates are not valid from the replica's POV?

 is there any way of forcing a renewal or manual process for updating these
 certs .. ???

If this is just a replica without PKI, I would suggest synchronizing the time
back with the master CA server and restarting all the services.

If the HTTPD service does not want to start, follow chapter 25.2.2. Starting
IdM with Expired Certificates in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/cas.html
and then try to resubmit the certificates so that they can be renewed on the
master. Do not forget to revert the above configuration changes when you are 
done.

Also, what version of FreeIPA are you running?

HTH,
Martin


Re: [Freeipa-users] Replica Cert failed to renew ...

2014-07-31 Thread Martin Kosek
(Adding back the users list as this may be interesting for everyone)

Ok, the steps suggested below should help. If the DS does not want to start at
all because of the expired certificate, you can also open
/etc/dirsrv/slapd-YOUR-REALM/dse.ldif and edit it manually (only when the dirsrv
service is stopped).

Martin

On 07/31/2014 09:53 AM, Matt Bryant wrote:
 Martin,
 
 Correct in that the replica does not have a CA and the version being run is
 
 $ rpm -qa ipa-server
 ipa-server-3.0.0-25.el6.x86_64
 
 restarted the services and get
 
 Starting dirsrv:
 SERVER-IPA...[31/Jul/2014:18:00:15 +1000] - SSL alert:
 CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of
 family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 -
 Peer's Certificate has expired.)
 
 so I think it is just dealing with an expired cert ... so will try the other
 steps suggested  ..
 
 rgds
 
 Matt Bryant
 
 On 31/07/14 17:33, Martin Kosek wrote:
 On 07/31/2014 07:49 AM, Matt Bryant wrote:
 All,

 Got an issue with an IPA replica in that the certs in /etc/httpd/alias &
 /etc/dirsrv/slapd-IPA-REALM have expired.
 I assume that this replica does not have a CA and we are only dealing with
 service HTTPD and DIRSRV service certificates.

 Have tried setting date back before expiry on the replica and doing an
 'ipa-getcert resubmit -i id' but that hasn't worked; it looks like the CA
 master is actually rejecting it since I haven't set the date back on that
 server.

 Error I am getting on replica is ...

 Request ID '20120719044839':
   status: CA_UNREACHABLE
   ca-error: Server failed request, will retry: -504 (libcurl failed to
 execute the HTTP POST transaction.  Peer certificate cannot be authenticated
 with known CA certificates).
 Isn't this rather a problem that the replica does not trust the master server
 HTTPD certificate because its certificates are not valid from the replica's POV?

 is there any way of forcing a renewal or manual process for updating these
 certs .. ???
 If this is just a replica without PKI, I would suggest synchronizing the time
 back with the master CA server and restarting all the services.

 If the HTTPD service does not want to start, follow chapter 25.2.2. Starting
 IdM with Expired Certificates in
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/cas.html

 and then try to resubmit the certificates so that they can be renewed on the
 master. Do not forget to revert the above configuration changes when you are
 done.

 Also, what version of FreeIPA are you running?

 HTH,
 Martin
 


[Freeipa-users] Replica Cert failed to renew ...

2014-07-30 Thread Matt Bryant

All,

Got an issue with an IPA replica in that the certs in /etc/httpd/alias &
/etc/dirsrv/slapd-IPA-REALM have expired.


Have tried setting date back before expiry on the replica and doing an 
'ipa-getcert resubmit -i id' but that hasn't worked; it looks like the 
CA master is actually rejecting it since I haven't set the date back on 
that server.


Error I am getting on replica is ...

Request ID '20120719044839':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed 
to execute the HTTP POST transaction.  Peer certificate cannot be 
authenticated with known CA certificates).


is there any way of forcing a renewal or manual process for updating 
these certs .. ???


thx & rgds

Matt Bryant
