Hi,

some certificates on our FreeIPA cluster (3 servers) have not been renewed till now, 2 hours before expiring. Can this be a problem?

Some of the certificates, the ones expiring, show "ca-error: Invalid cookie: ''" in the "getcert list" output, which makes me nervous.

We also have the problem that certmonger cannot reach the CA (CA_UNREACHABLE) after restarting a FreeIPA server. But when we restart certmonger.service after everything is up again, everything looks good.

Maybe you can give me some advice on what to check and which other logs you would need.


Thanks

Christof Schulze
--
Christof Schulze

Institute of Materials Simulation (WW8)
Department of Materials Science
Friedrich-Alexander-University Erlangen-Nürnberg
Dr.-Mack-Str. 77,
90762 Fürth, Germany

Tel: 0911/65078-65069
Email: christof.schu...@ww.uni-erlangen.de
Number of certificates and requests being tracked: 9.
Request ID '20170927064701':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: SelfSign
        issuer: CN=idm1.XXXkd.fau.de,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - 
FAU,C=DE,L=FUERTH
        subject: CN=idm1.XXXkd.fau.de,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - 
FAU,C=DE,L=FUERTH
        expires: 2018-09-27 06:47:01 UTC
        principal name: krbtgt/xxxkd.fau...@xxxkd.fau.de
        certificate template/profile: KDCs_PKINIT_Certs
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
        track: yes
        auto-renew: yes
Request ID '20171206120336':
        status: MONITORING
        ca-error: Invalid cookie: ''
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) 
- FAU,C=DE,E=g...@example.com,L=FUERTH
        subject: CN=CA Audit,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - 
FAU,C=DE,E=g...@example.com,L=FUERTH
        expires: 2018-01-29 12:00:45 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20171206120337':
        status: MONITORING
        ca-error: Invalid cookie: ''
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) 
- FAU,C=DE,E=g...@example.com,L=FUERTH
        subject: CN=OCSP Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - 
FAU,C=DE,E=g...@example.com,L=FUERTH
        expires: 2018-01-29 12:00:44 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        eku: id-kp-OCSPSigning
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20171206120338':
        status: MONITORING
        ca-error: Invalid cookie: ''
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) 
- FAU,C=DE,E=g...@example.com,L=FUERTH
        subject: CN=CA Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - 
FAU,C=DE,E=g...@example.com,L=FUERTH
        expires: 2018-01-29 12:00:44 UTC
        key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20171206120339':
        status: MONITORING
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) 
- FAU,C=DE,E=g...@example.com,L=FUERTH
        subject: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute 
(XXX) - FAU,C=DE,E=g...@example.com,L=FUERTH
        expires: 2036-02-09 12:00:40 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"caSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20171206120340':
        status: MONITORING
        ca-error: Invalid cookie: ''
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) 
- FAU,C=DE,E=g...@example.com,L=FUERTH
        subject: CN=IPA RA,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - 
FAU,C=DE,E=g...@example.com,L=FUERTH
        expires: 2018-01-29 12:01:11 UTC
        key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20171206120341':
        status: MONITORING
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert 
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert 
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) 
- FAU,C=DE,E=g...@example.com,L=FUERTH
        subject: CN=idm1.XXXkd.fau.de,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - 
FAU,C=DE,E=g...@example.com,L=FUERTH
        expires: 2018-07-29 13:05:20 UTC
        key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"Server-Cert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20171206120345':
        status: MONITORING
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/dirsrv/slapd-XXXKD-FAU-DE',nickname='Server-Cert',token='NSS
 Certificate DB',pinfile='/etc/dirsrv/slapd-XXXKD-FAU-DE/pwdfile.txt'
        certificate: 
type=NSSDB,location='/etc/dirsrv/slapd-XXXKD-FAU-DE',nickname='Server-Cert',token='NSS
 Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) 
- FAU,C=DE,E=g...@example.com,L=FUERTH
        subject: CN=idm1.XXXkd.fau.de,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - 
FAU,C=DE,E=g...@example.com,L=FUERTH
        expires: 2018-08-09 13:01:15 UTC
        key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv 
XXXKD-FAU-DE
        track: yes
        auto-renew: yes
Request ID '20171206120351':
        status: MONITORING
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some Institute (XXX) 
- FAU,C=DE,E=g...@example.com,L=FUERTH
        subject: CN=idm1.XXXkd.fau.de,O=XXXKD.FAU.DE,OU=Some Institute (XXX) - 
FAU,C=DE,E=g...@example.com,L=FUERTH
        expires: 2018-08-09 13:01:17 UTC
        key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
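As an added illustration (not code from the original post, nor from FreeIPA or certmonger), here is a small Python check that parses `getcert list` output like the listing above and reports the two conditions the post worries about: a ca-error on a tracking request, and expiry within a given window. The sample input is constructed from fields in the listing.

```python
"""Flag `getcert list` entries with a ca-error or imminent expiry.
Added example, not code from the original post or from FreeIPA."""
from datetime import datetime, timedelta, timezone
import re

# Constructed sample, cut down to the fields the check needs.
SAMPLE = """Number of certificates and requests being tracked: 3.
Request ID '20170927064701':
        status: MONITORING
        CA: SelfSign
        expires: 2018-09-27 06:47:01 UTC
Request ID '20171206120336':
        status: MONITORING
        ca-error: Invalid cookie: ''
        CA: dogtag-ipa-ca-renew-agent
        expires: 2018-01-29 12:00:45 UTC
Request ID '20171206120340':
        status: MONITORING
        ca-error: Invalid cookie: ''
        CA: dogtag-ipa-ca-renew-agent
        expires: 2018-01-29 12:01:11 UTC
"""

REQ_RE = re.compile(r"^Request ID '([^']+)':")

def parse_getcert(text):
    """Return {request_id: {field: value}}; a value keeps any later colons."""
    requests, current = {}, None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and line.startswith(" ") and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return requests

def problems(text, now, warn_within=timedelta(hours=24)):
    """List (request_id, reason) pairs that deserve a look before expiry."""
    found = []
    for rid, f in parse_getcert(text).items():
        if f.get("ca-error"):
            found.append((rid, "ca-error: " + f["ca-error"]))
        if "expires" in f:
            exp = datetime.strptime(f["expires"], "%Y-%m-%d %H:%M:%S UTC")
            left = exp.replace(tzinfo=timezone.utc) - now
            if left <= warn_within:
                hours = left.total_seconds() / 3600
                found.append((rid, f"expires in {hours:.1f} h"))
    return found
```

To run it against a live server, pass the real `getcert list` output to `problems()` together with `datetime.now(timezone.utc)`; a negative hour count means the certificate has already expired.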