Hi,
some certificates on our FreeIPA cluster (3 servers) have not been
renewed until now, 2 hours before expiring. Can this be a problem?
Some of the certificates, the ones expiring, show "ca-error: Invalid
cookie: ''" in the "getcert list" output, which makes me nervous.
We also have the problem that certmonger cannot reach the CA
(CA_UNREACHABLE) after restarting a FreeIPA server. But when we restart
certmonger.service after everything is up again, everything looks good.
Maybe you can give me some advice on what to check and which other logs
you would need.
Thanks
Christof Schulze
--
Christof Schulze
Institute of Materials Simulation (WW8)
Department of Materials Science
Friedrich-Alexander-University Erlangen-Nürnberg
Dr.-Mack-Str. 77,
90762 Fürth, Germany
Tel: 0911/65078-65069
Email: christof.schu...@ww.uni-erlangen.de
Number of certificates and requests being tracked: 9.
Request ID '20170927064701':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: SelfSign
issuer: CN=idm1.XXXkd.fau.de,O=XXXKD.FAU.DE,OU=Some Institute (XXX) -
FAU,C=DE,L=FUERTH
subject: CN=idm1.XXXkd.fau.de,O=XXXKD.FAU.DE,OU=Some Institute (XXX) -
FAU,C=DE,L=FUERTH
expires: 2018-09-27 06:47:01 UTC
principal name: krbtgt/xxxkd.fau...@xxxkd.fau.de
certificate template/profile: KDCs_PKINIT_Certs
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
Request ID '20171206120336':
status: MONITORING
ca-error: Invalid cookie: ''
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX)
- FAU,C=DE,E=g...@example.com,L=FUERTH
subject: CN=CA Audit,O=XXXKD.FAU.DE,OU=Some Institute (XXX) -
FAU,C=DE,E=g...@example.com,L=FUERTH
expires: 2018-01-29 12:00:45 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20171206120337':
status: MONITORING
ca-error: Invalid cookie: ''
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX)
- FAU,C=DE,E=g...@example.com,L=FUERTH
subject: CN=OCSP Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX) -
FAU,C=DE,E=g...@example.com,L=FUERTH
expires: 2018-01-29 12:00:44 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20171206120338':
status: MONITORING
ca-error: Invalid cookie: ''
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX)
- FAU,C=DE,E=g...@example.com,L=FUERTH
subject: CN=CA Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX) -
FAU,C=DE,E=g...@example.com,L=FUERTH
expires: 2018-01-29 12:00:44 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20171206120339':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX)
- FAU,C=DE,E=g...@example.com,L=FUERTH
subject: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute
(XXX) - FAU,C=DE,E=g...@example.com,L=FUERTH
expires: 2036-02-09 12:00:40 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20171206120340':
status: MONITORING
ca-error: Invalid cookie: ''
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX)
- FAU,C=DE,E=g...@example.com,L=FUERTH
subject: CN=IPA RA,O=XXXKD.FAU.DE,OU=Some Institute (XXX) -
FAU,C=DE,E=g...@example.com,L=FUERTH
expires: 2018-01-29 12:01:11 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20171206120341':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX)
- FAU,C=DE,E=g...@example.com,L=FUERTH
subject: CN=idm1.XXXkd.fau.de,O=XXXKD.FAU.DE,OU=Some Institute (XXX) -
FAU,C=DE,E=g...@example.com,L=FUERTH
expires: 2018-07-29 13:05:20 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20171206120345':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-XXXKD-FAU-DE',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-XXXKD-FAU-DE/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-XXXKD-FAU-DE',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX)
- FAU,C=DE,E=g...@example.com,L=FUERTH
subject: CN=idm1.XXXkd.fau.de,O=XXXKD.FAU.DE,OU=Some Institute (XXX) -
FAU,C=DE,E=g...@example.com,L=FUERTH
expires: 2018-08-09 13:01:15 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv
XXXKD-FAU-DE
track: yes
auto-renew: yes
Request ID '20171206120351':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX)
- FAU,C=DE,E=g...@example.com,L=FUERTH
subject: CN=idm1.XXXkd.fau.de,O=XXXKD.FAU.DE,OU=Some Institute (XXX) -
FAU,C=DE,E=g...@example.com,L=FUERTH
expires: 2018-08-09 13:01:17 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
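As an added example (not part of the original mail or of FreeIPA/certmonger itself), the following script parses `getcert list` output in the format shown above and flags tracked requests that carry a `ca-error`, are marked `stuck`, or expire within a given number of hours; the sample output embedded in it is constructed, with placeholder values.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample in the `getcert list` layout from the mail (placeholder values).
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20171206120336':
\tstatus: MONITORING
\tca-error: Invalid cookie: ''
\tstuck: no
\tCA: dogtag-ipa-ca-renew-agent
\texpires: 2018-01-29 12:00:45 UTC
Request ID '20171206120339':
\tstatus: MONITORING
\tstuck: no
\tCA: dogtag-ipa-ca-renew-agent
\texpires: 2036-02-09 12:00:40 UTC
"""

def parse_getcert_list(text):
    """Split `getcert list` output into one dict per 'Request ID' block."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ":" in line:
            # Fields are 'key: value'; the value itself may contain colons (ca-error does).
            key, _, value = line.strip().partition(":")
            requests[-1][key] = value.strip()
    return requests

def _parse_utc(s):
    """Parse the 'YYYY-MM-DD HH:MM:SS UTC' timestamp format getcert prints."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)

def problem_requests(text, now, window_hours=24):
    """Return (id, reasons) for requests with a ca-error, stuck, or expiring within window_hours."""
    flagged = []
    for r in parse_getcert_list(text):
        reasons = []
        if r.get("ca-error"):
            reasons.append("ca-error: " + r["ca-error"])
        if r.get("stuck") == "yes":
            reasons.append("stuck")
        if "expires" in r and _parse_utc(r["expires"]) - _parse_utc(now) <= timedelta(hours=window_hours):
            reasons.append("expires " + r["expires"])
        if reasons:
            flagged.append((r["id"], reasons))
    return flagged
```

On a real server, feed it `subprocess.run(["getcert", "list"], capture_output=True, text=True).stdout` and the current time in the same `UTC` format; a non-empty result is the condition worth alerting on well before the expiry date.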