[Freeipa-users] Re: Certificates renewing with the wrong Subject
I know this is an old thread but I'm just posting this for someone who comes across the same issue as me...

In order to fix my problem I had to do the following to fix, for example, the 'ocspSigningCert cert-pki-ca' certificate renewing with wrong subjects:

Find the serial number for that certificate:

    # certutil -L -d /etc/pki/pki-tomcat/alias -n "ocspSigningCert cert-pki-ca" | grep Serial

Get the requestID:

    # ldapsearch -D "cn=Directory Manager" -W -s sub -b cn={SERIALNUMBER},ou=certificateRepository,ou=ca,o=ipaca "metaInfo"

Get the request data:

    # ldapsearch -D "cn=Directory Manager" -W -s sub -b cn={REQUESTID},ou=ca,ou=requests,o=ipaca

If the request data does not match the current certificate, we need to find one which should be used instead.

    # certutil -L -d /etc/pki/pki-tomcat/alias -n "ocspSigningCert cert-pki-ca" | grep Subject
    # ldapsearch -D "cn=Directory Manager" -W -s sub -b ou=ca,ou=requests,o=ipaca "extdata-req--005fsubject--005fname--002ecn={SUBJECT}"

If we have multiple results, check the one which has the right attributes set, comparing to a different system.

Once you know which request to use, change the requestId in the certificateRepository to the one selected. I used ldapadmin to connect and change it, but ldapmodify should also work.

Hope this helps someone in the future...

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/QYTZMNXASGLFCFX54FA4KOPPIMPV376H/
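The procedure in the post above, as an added shell example that is not from the post and not FreeIPA's or Dogtag's own code. It assumes the paths and DNs the post names (/etc/pki/pki-tomcat/alias, o=ipaca, the 'ocspSigningCert cert-pki-ca' nickname). The attribute-name encoding rule (an underscore written as --005f, a dot as --002e) is read off the extdata-req--005fsubject--005fname--002ecn attribute the post searches on; the certutil output format parsed here ("Serial Number: 12 (0xc)", the Subject in double quotes) is standard NSS output; the serial and request ids in the offline demo are constructed. Only the --live path talks to the CA.

```shell
#!/bin/sh
# Added example (not from the list posting): the lookup-and-repoint procedure
# above as shell functions. Assumes the layout named in the post: the pki-tomcat
# NSS database in /etc/pki/pki-tomcat/alias and the Dogtag CA suffix o=ipaca.
# Only the --live path touches the CA; everything else is pure text handling.

DB=/etc/pki/pki-tomcat/alias
NICK="ocspSigningCert cert-pki-ca"
BINDDN="cn=Directory Manager"

# Dogtag stores each CSR's metadata in attributes named extdata-<key>. '_' and '.'
# are not legal in LDAP attribute names, so it writes them as "--" plus the
# 4-hex-digit code point: req_subject_name.cn becomes
# extdata-req--005fsubject--005fname--002ecn, the attribute the post searches on.
# Only those two characters are handled here.
extdata_attr() {
    printf 'extdata-%s\n' "$1" | sed -e 's/_/--005f/g' -e 's/\./--002e/g'
}

# stdin: `certutil -L -d DB -n NICK` output. certutil prints
# "Serial Number: 12 (0xc)"; the cn in ou=certificateRepository is the decimal value.
serial_from_certutil() {
    sed -n 's/^[[:space:]]*Serial Number: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# stdin: the same certutil output; prints the value inside the quotes of the
# 'Subject: "..."' line.
subject_from_certutil() {
    sed -n 's/^[[:space:]]*Subject: "\(.*\)".*/\1/p' | head -n 1
}

# First RDN value of a subject that starts with CN= (true for the IPA system
# certificates discussed here, e.g. CN=OCSP Subsystem,O=REALM).
cn_of_subject() {
    cn=${1#CN=}
    printf '%s\n' "${cn%%,*}"
}

# LDIF for the last step of the post: point the certificate record at the
# chosen request. metaInfo is multi-valued, so delete the one wrong value and
# add the right one instead of replacing the whole attribute.
#   $1 = decimal serial, $2 = requestId currently recorded, $3 = requestId to use
requestid_ldif() {
    printf 'dn: cn=%s,ou=certificateRepository,ou=ca,o=ipaca\n' "$1"
    printf 'changetype: modify\n'
    printf 'delete: metaInfo\nmetaInfo: requestId:%s\n-\n' "$2"
    printf 'add: metaInfo\nmetaInfo: requestId:%s\n-\n' "$3"
}

# Live lookup, run as root on the CA; each ldapsearch -W prompts for the
# Directory Manager password. Prints the current record and the candidate
# requests; pick the right request by hand as the post says, then apply
# requestid_ldif with ldapmodify.
find_requests_for_nickname() {
    info=$(certutil -L -d "$DB" -n "$NICK")
    serial=$(printf '%s\n' "$info" | serial_from_certutil)
    subject=$(printf '%s\n' "$info" | subject_from_certutil)
    echo "serial=$serial subject=$subject"

    echo "--- request currently behind the certificate record"
    ldapsearch -LLL -D "$BINDDN" -W -s base \
        -b "cn=$serial,ou=certificateRepository,ou=ca,o=ipaca" metaInfo

    echo "--- requests whose CSR subject CN matches the certificate"
    ldapsearch -LLL -D "$BINDDN" -W -s sub -b "ou=ca,ou=requests,o=ipaca" \
        "($(extdata_attr req_subject_name.cn)=$(cn_of_subject "$subject"))" \
        "$(extdata_attr req_subject_name.cn)" requestType dateOfCreate
}

case "${1-}" in
    --live) find_requests_for_nickname ;;
    *)      # Offline demo with constructed values: serial 12, request 7 -> 9
            requestid_ldif 12 7 9 ;;
esac
```

Apply the generated LDIF with ldapmodify (-D "cn=Directory Manager" -W -f file) only after the candidate request's attributes have been compared with a healthy replica, as the post recommends. The delete/add pair is deliberate: if the recorded requestId is not the one you passed, the delete fails with noSuchAttribute and the modify is rejected as a whole, which is a cheap guard against repointing the wrong certificate record.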
[Freeipa-users] Re: Certificates renewing with the wrong Subject
I'm getting the same problem. Did you find a solution? I cannot get my certificates to renew with the right subject. It is always adding the hostname of a deleted replica into 'cert_subject_der'.

Thanks,
Jakob

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/GSADUV3ZAAN6ACSUGZ3Z5MGNARNFFWH3/
[Freeipa-users] Re: Certificates renewing with the wrong Subject
On 05/02/2018 19:44, Rob Crittenden via FreeIPA-users wrote:
Roderick Johnstone wrote:
On 31/01/2018 20:36, Rob Crittenden via FreeIPA-users wrote:
Roderick Johnstone via FreeIPA-users wrote:
On 25/01/2018 16:56, Roderick Johnstone via FreeIPA-users wrote:
On 25/01/2018 13:43, Rob Crittenden via FreeIPA-users wrote:
Roderick Johnstone via FreeIPA-users wrote:
On 24/01/2018 21:09, Rob Crittenden via FreeIPA-users wrote:
Roderick Johnstone via FreeIPA-users wrote:
On 24/01/2018 15:22, Rob Crittenden via FreeIPA-users wrote:
Roderick Johnstone via FreeIPA-users wrote:
On 23/01/2018 14:34, Rob Crittenden via FreeIPA-users wrote:
Roderick Johnstone via FreeIPA-users wrote:
On 15/01/2018 20:07, Rob Crittenden via FreeIPA-users wrote:
Roderick Johnstone via FreeIPA-users wrote:
On 15/01/2018 16:06, Rob Crittenden via FreeIPA-users wrote:
Roderick Johnstone via FreeIPA-users wrote:

> Hi
>
> Our freeipa certificates need to be renewed due to passing their expiry dates.
>
> While some certificates have renewed ok, the ipaCert and auditSigningCert are renewing but the new certificates have the wrong Subject.
>
> Environment is:
> serverA (CRL, first, master) RHEL 7.3, ipa 4.4
> serverB (replica) RHEL 7.3, ipa 4.4
> serverC (replica) RHEL 7.4, ipa 4.5
>
> Once there are renewed certificates with the wrong Subject present, there are various problems with renewing the remaining certificates, which I think might be related to the bad Subject:
>
> 1) When just ipaCert has the wrong subject no further renewals happen
>
> 2) When auditSigningCert has the wrong subject the ipa pki-tomcatd service will not start and no further renewals happen.
>
> I've been round the following loop many times on ServerA, our first master:
>
> 1) Restore good certificates from backup
> 2) Put the clock back to a time when certificates are all valid
> 3) Resubmit certificates for renewal
>
> Each time the ipaCert renews it has the same wrong Subject. The wrong Subject includes the host name of one of our ipa client systems.
>
> Each time the auditSigningCert renews it has the same wrong Subject but a different subject to the ipaCert. The wrong Subject in this case includes the host name of a system which has never been an ipa client, but might have been added and removed with ipa host-add and ipa host-del for testing something, a while ago.
>
> As far as I can see, the "cert_subject" is set correctly in the file /var/lib/certmonger/ until the point at which the certificate is actually renewed.
>
> I'd be very grateful for some pointers as to which configuration options and logs to check through to resolve this problem on our production system.
>
> If it's of any relevance we did change which server is the first master some time ago.

Rob Crittenden wrote:

> I'd pull the CSR out of dogtag (CS.cfg) and/or certmonger to see what the subject is.

Roderick Johnstone wrote:

> I'm not seeing any obvious CSR fields in the /etc/pki/pki-tomcat/ca/CS.cfg file.

Rob Crittenden wrote:

> foo.bar.certreq=

Roderick Johnstone wrote:

> The CSR in the certmonger requests file for the auditSigningCert seems to be showing with the correct Subject. This is different from the bad subject showing in the requests file field:
> cert_subject=

Rob Crittenden wrote:

> The value of cert_subject comes from the issued certificate.

Roderick Johnstone wrote:

> and the Subject which is showing in the 'getcert list' output (which is the same as that in the cert_subject= field). I'm not quite sure what this all means.

Rob Crittenden wrote:

> It is displayed from the data within the tracked certmonger request.
>
> certmonger logs to syslog so you can check there or you can stop the process and run it manually with:
>
>     certmonger -n -d 9 2>&1 | tee certmonger.log
>
> That will provide a lot of debugging output that may show what is going on.

Roderick Johnstone wrote:

> I've restored certificate databases from backup and put the clock back to a time when certificates are valid and renewed the ocspSigning certificate with:
>
>     getcert resubmit -N "CN=OCSP Subsystem,O=" -i 20161124081302
>
> (I've previously tried without the -N with similar results)
>
> What I am seeing in the certmonger logs is:
>
> 2017-10-23 00:05:28 [438] Located the key 'ocspSigningCert cert-pki-ca'.
> 2017-10-23 00:05:28 [438] Converted private key 'ocspSigningCert cert-pki-ca' to public key.
> 2017-10-23 00:05:28 [439] Located the certificate "ocspSigningCert cert-pki-ca".
> 2017-10-23 00:05:28 [440] 0x1d Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20171025122401.
> 2017-10-23 00:05:28 [442] Located the key 'ocspSigningCert cert-pki-ca'.
> 2017-10-23 00:05:28 [442] Converted private key 'ocspSigningCert cert-pki-ca' to public key.
> 2017-10-23 00:05:28 [443] Located the certificate "ocspSigningCert cert-pki-ca".
> 2017-10-23 00:05:28 [444] Located the key 'ocspSigningCert cert-pki-ca'.
> 2017-10-23 00:05:28 [444] Converted private key 'ocspSigningCert cert-pki-ca' to public key.
> 2017-10-23 00:05:39 [581] Found a certificate with the same nickname but different subject, removing certificate "ocspSigningCert cert-pki-ca" with subject "CN=OCSP Subsystem,O=".
> 2017-10-23 00:05:39 [581] Imported certificate "ocspSigningCert cert-pki-ca", got nickname "ocspSigningCert cert-pki-ca".
> 2017-10-23 00:05:39 [583] Located the certificate "ocspSigningCert cert-pki-ca".
> 2017-10-23 00:05:39 [48576] Adding hook "/usr/libexec/ipa/certmonger/renew_ca_ce
[Freeipa-users] Re: Certificates renewing with the wrong Subject
Roderick Johnstone wrote: > On 31/01/2018 20:36, Rob Crittenden via FreeIPA-users wrote: >> Roderick Johnstone via FreeIPA-users wrote: >>> On 25/01/2018 16:56, Roderick Johnstone via FreeIPA-users wrote: On 25/01/2018 13:43, Rob Crittenden via FreeIPA-users wrote: > Roderick Johnstone via FreeIPA-users wrote: >> On 24/01/2018 21:09, Rob Crittenden via FreeIPA-users wrote: >>> Roderick Johnstone via FreeIPA-users wrote: On 24/01/2018 15:22, Rob Crittenden via FreeIPA-users wrote: > Roderick Johnstone via FreeIPA-users wrote: >> On 23/01/2018 14:34, Rob Crittenden via FreeIPA-users wrote: >>> Roderick Johnstone via FreeIPA-users wrote: On 15/01/2018 20:07, Rob Crittenden via FreeIPA-users wrote: > Roderick Johnstone via FreeIPA-users wrote: >> On 15/01/2018 16:06, Rob Crittenden via FreeIPA-users wrote: >>> Roderick Johnstone via FreeIPA-users wrote: Hi Our freeipa certificates need to be renewed due to passing their expiry dates. While some certificates have renewed ok, the ipaCert and auditSigningCert are renewing but the new certificates have the wrong Subject. Environment is: serverA (CRL, first, master) RHEL 7.3, ipa 4.4 serverB (replica) RHEL 7.3, ipa 4.4 serverC (replica) RHEL 7.4, ipa 4.5 Once there are renewed certificates with the wrong Subject present, there are various problems with renewing the remaining certificates, which I think might be related to the bad Subject: 1) When just ipaCert has the wrong subject no further renewals happen 2) When auditSigningCert has the wrong subject the ipa pki-tomcatd service will not start and no further renewals happen. I've been round the following loop many times on ServerA, our first master: 1) Restore good certificates from backup 2) Put the clock back to a time when certificates are all valid 3) Resubmit certificates for renewal Each time the ipaCert renews it has the same wrong Subject. The wrong Subject includes the host name of one of our ipa client systems. 
Each time the auditSigningCert renews it has the same wrong Subject but a different subject to the ipaCert. The wrong Subject in this case includes the host name of a system which has never been an ipa client, but might have been added and removed with ipa host-add and ipa host-del for testing something, a while ago. As far as I can see, the "cert_subject" is set correctly in the file /var/lib/certmonger/ until the point at which the certificate is actually renewed. I'd be very grateful for some pointers as to which configuration options and logs to check through to resolve this problem on our production system. If its of any relevance we did change which server is the first master some time ago. >>> >>> I'd pull the CSR out of dogtag (CS.cfg) and/or certmonger >>> to see >>> what >>> the subject is. >> >> I'm not seeing any obvious CSR fields in the >> /etc/pki/pki-tomcat/ca/CS.cfg file. > > foo.bar.certreq= > >> The CSR in the certmonger requests file for the >> auditSigningCert >> seems >> to be showing with the correct Subject. This is different >> from >> the bad >> subject showing in the requests file field: >> cert_subject= > > The value of cert_subject comes from the issued certificate. > >> and the Subject which is showing in the 'getcert list' output >> (which is >>
[Freeipa-users] Re: Certificates renewing with the wrong Subject
On 31/01/2018 20:36, Rob Crittenden via FreeIPA-users wrote: Roderick Johnstone via FreeIPA-users wrote: On 25/01/2018 16:56, Roderick Johnstone via FreeIPA-users wrote: On 25/01/2018 13:43, Rob Crittenden via FreeIPA-users wrote: Roderick Johnstone via FreeIPA-users wrote: On 24/01/2018 21:09, Rob Crittenden via FreeIPA-users wrote: Roderick Johnstone via FreeIPA-users wrote: On 24/01/2018 15:22, Rob Crittenden via FreeIPA-users wrote: Roderick Johnstone via FreeIPA-users wrote: On 23/01/2018 14:34, Rob Crittenden via FreeIPA-users wrote: Roderick Johnstone via FreeIPA-users wrote: On 15/01/2018 20:07, Rob Crittenden via FreeIPA-users wrote: Roderick Johnstone via FreeIPA-users wrote: On 15/01/2018 16:06, Rob Crittenden via FreeIPA-users wrote: Roderick Johnstone via FreeIPA-users wrote: Hi Our freeipa certificates need to be renewed due to passing their expiry dates. While some certificates have renewed ok, the ipaCert and auditSigningCert are renewing but the new certificates have the wrong Subject. Environment is: serverA (CRL, first, master) RHEL 7.3, ipa 4.4 serverB (replica) RHEL 7.3, ipa 4.4 serverC (replica) RHEL 7.4, ipa 4.5 Once there are renewed certificates with the wrong Subject present, there are various problems with renewing the remaining certificates, which I think might be related to the bad Subject: 1) When just ipaCert has the wrong subject no further renewals happen 2) When auditSigningCert has the wrong subject the ipa pki-tomcatd service will not start and no further renewals happen. I've been round the following loop many times on ServerA, our first master: 1) Restore good certificates from backup 2) Put the clock back to a time when certificates are all valid 3) Resubmit certificates for renewal Each time the ipaCert renews it has the same wrong Subject. The wrong Subject includes the host name of one of our ipa client systems. Each time the auditSigningCert renews it has the same wrong Subject but a different subject to the ipaCert. 
The wrong Subject in this case includes the host name of a system which has never been an ipa client, but might have been added and removed with ipa host-add and ipa host-del for testing something, a while ago. As far as I can see, the "cert_subject" is set correctly in the file /var/lib/certmonger/ until the point at which the certificate is actually renewed. I'd be very grateful for some pointers as to which configuration options and logs to check through to resolve this problem on our production system. If its of any relevance we did change which server is the first master some time ago. I'd pull the CSR out of dogtag (CS.cfg) and/or certmonger to see what the subject is. I'm not seeing any obvious CSR fields in the /etc/pki/pki-tomcat/ca/CS.cfg file. foo.bar.certreq= The CSR in the certmonger requests file for the auditSigningCert seems to be showing with the correct Subject. This is different from the bad subject showing in the requests file field: cert_subject= The value of cert_subject comes from the issued certificate. and the Subject which is showing in the 'getcert list' output (which is the same as that in the cert_subject= field.> I'm not quite sure what this all means. It is displayed from the data within the tracked certmonger request. certmonger logs to syslog so you can check there or you can stop the process and run it manually with: certmonger -n -d 9 2>&1 | tee certmonger.log That will provide a lot of debugging output that may show what is going on. I've restored certificate databases from backup and put the clock back to a time when certificates are valid and renewed the ocspSigining certificate with: getcert resubmit -N "CN=OCSP Subsystem,O=" -i 20161124081302 (I've previously tried without the -N with similar results) What I am seeing in the certmonger logs is: 2017-10-23 00:05:28 [438] Located the key 'ocspSigningCert cert-pki-ca'. 2017-10-23 00:05:28 [438] Converted private key 'ocspSigningCert cert-pki-ca' to public key. 
2017-10-23 00:05:28 [439] Located the certificate "ocspSigningCert cert-pki-ca". 2017-10-23 00:05:28 [440] 0x1d Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20171025122401. 2017-10-23 00:05:28 [442] Located the key 'ocspSigningCert cert-pki-ca'. 2017-10-23 00:05:28 [442] Converted private key 'ocspSigningCert cert-pki-ca' to public key. 2017-10-23 00:05:28 [443] Located the certificate "ocspSigningCert cert-pki-ca". 2017-10-23 00:05:28 [444] Located the key 'ocspSigningCert cert-pki-ca'. 2017-10-23 00:05:28 [444] Converted private key 'ocspSigningCert cert-pki-ca' to public key. 2017-10-23 00:05:39 [581] Found a certificate with the same nickname but different subject, removing certificate "ocspSigningCert cert-pki-ca" with subject "CN=OCSP Subsystem,O=". 2017-10-23 00:05:39 [581] Imported certificate "ocspSigningCert cert-pki-ca", got nickname "ocspSigningCert ce
[Freeipa-users] Re: Certificates renewing with the wrong Subject
Roderick Johnstone via FreeIPA-users wrote: > On 25/01/2018 16:56, Roderick Johnstone via FreeIPA-users wrote: >> On 25/01/2018 13:43, Rob Crittenden via FreeIPA-users wrote: >>> Roderick Johnstone via FreeIPA-users wrote: On 24/01/2018 21:09, Rob Crittenden via FreeIPA-users wrote: > Roderick Johnstone via FreeIPA-users wrote: >> On 24/01/2018 15:22, Rob Crittenden via FreeIPA-users wrote: >>> Roderick Johnstone via FreeIPA-users wrote: On 23/01/2018 14:34, Rob Crittenden via FreeIPA-users wrote: > Roderick Johnstone via FreeIPA-users wrote: >> On 15/01/2018 20:07, Rob Crittenden via FreeIPA-users wrote: >>> Roderick Johnstone via FreeIPA-users wrote: On 15/01/2018 16:06, Rob Crittenden via FreeIPA-users wrote: > Roderick Johnstone via FreeIPA-users wrote: >> Hi >> >> Our freeipa certificates need to be renewed due to passing >> their >> expiry >> dates. >> >> While some certificates have renewed ok, the ipaCert and >> auditSigningCert are renewing but the new certificates >> have the >> wrong >> Subject. >> >> Environment is: >> serverA (CRL, first, master) RHEL 7.3, ipa 4.4 >> serverB (replica) RHEL 7.3, ipa 4.4 >> serverC (replica) RHEL 7.4, ipa 4.5 >> >> Once there are renewed certificates with the wrong Subject >> present, >> there are various problems with renewing the remaining >> certificates, >> which I think might be related to the bad Subject: >> >> 1) When just ipaCert has the wrong subject no further >> renewals >> happen >> >> 2) When auditSigningCert has the wrong subject the ipa >> pki-tomcatd >> service will not start and no further renewals happen. >> >> I've been round the following loop many times on ServerA, our >> first >> master: >> >> 1) Restore good certificates from backup >> 2) Put the clock back to a time when certificates are all >> valid >> 3) Resubmit certificates for renewal >> >> Each time the ipaCert renews it has the same wrong >> Subject. The >> wrong >> Subject includes the host name of one of our ipa client >> systems. 
>> >> Each time the auditSigningCert renews it has the same wrong >> Subject >> but >> a different subject to the ipaCert. The wrong Subject in this >> case >> includes the host name of a system which has never been an >> ipa >> client, >> but might have been added and removed with ipa host-add >> and ipa >> host-del >> for testing something, a while ago. >> >> As far as I can see, the "cert_subject" is set correctly >> in the >> file >> /var/lib/certmonger/ until the point at which the >> certificate is actually renewed. >> >> I'd be very grateful for some pointers as to which >> configuration >> options >> and logs to check through to resolve this problem on our >> production >> system. >> >> If its of any relevance we did change which server is the >> first >> master >> some time ago. > > I'd pull the CSR out of dogtag (CS.cfg) and/or certmonger > to see > what > the subject is. I'm not seeing any obvious CSR fields in the /etc/pki/pki-tomcat/ca/CS.cfg file. >>> >>> foo.bar.certreq= >>> The CSR in the certmonger requests file for the auditSigningCert seems to be showing with the correct Subject. This is different from the bad subject showing in the requests file field: cert_subject= >>> >>> The value of cert_subject comes from the issued certificate. >>> and the Subject which is showing in the 'getcert list' output (which is the same as that in the cert_subject= field.> I'm not quite sure what this all means. >>> >>> It is displayed from the data within the tracked certmonger >>> request. >>> >>> certmonger logs to syslog so you can check there or you can stop >>> the >>> process and run it manually with: certmonger -n -d 9 2>&1 |
[Freeipa-users] Re: Certificates renewing with the wrong Subject
On 25/01/2018 16:56, Roderick Johnstone via FreeIPA-users wrote: On 25/01/2018 13:43, Rob Crittenden via FreeIPA-users wrote: Roderick Johnstone via FreeIPA-users wrote: On 24/01/2018 21:09, Rob Crittenden via FreeIPA-users wrote: Roderick Johnstone via FreeIPA-users wrote: On 24/01/2018 15:22, Rob Crittenden via FreeIPA-users wrote: Roderick Johnstone via FreeIPA-users wrote: On 23/01/2018 14:34, Rob Crittenden via FreeIPA-users wrote: Roderick Johnstone via FreeIPA-users wrote: On 15/01/2018 20:07, Rob Crittenden via FreeIPA-users wrote: Roderick Johnstone via FreeIPA-users wrote: On 15/01/2018 16:06, Rob Crittenden via FreeIPA-users wrote: Roderick Johnstone via FreeIPA-users wrote: Hi Our freeipa certificates need to be renewed due to passing their expiry dates. While some certificates have renewed ok, the ipaCert and auditSigningCert are renewing but the new certificates have the wrong Subject. Environment is: serverA (CRL, first, master) RHEL 7.3, ipa 4.4 serverB (replica) RHEL 7.3, ipa 4.4 serverC (replica) RHEL 7.4, ipa 4.5 Once there are renewed certificates with the wrong Subject present, there are various problems with renewing the remaining certificates, which I think might be related to the bad Subject: 1) When just ipaCert has the wrong subject no further renewals happen 2) When auditSigningCert has the wrong subject the ipa pki-tomcatd service will not start and no further renewals happen. I've been round the following loop many times on ServerA, our first master: 1) Restore good certificates from backup 2) Put the clock back to a time when certificates are all valid 3) Resubmit certificates for renewal Each time the ipaCert renews it has the same wrong Subject. The wrong Subject includes the host name of one of our ipa client systems. Each time the auditSigningCert renews it has the same wrong Subject but a different subject to the ipaCert. 
The wrong Subject in this case includes the host name of a system which has never been an ipa client, but might have been added and removed with ipa host-add and ipa host-del for testing something, a while ago. As far as I can see, the "cert_subject" is set correctly in the file /var/lib/certmonger/ until the point at which the certificate is actually renewed. I'd be very grateful for some pointers as to which configuration options and logs to check through to resolve this problem on our production system. If its of any relevance we did change which server is the first master some time ago. I'd pull the CSR out of dogtag (CS.cfg) and/or certmonger to see what the subject is. I'm not seeing any obvious CSR fields in the /etc/pki/pki-tomcat/ca/CS.cfg file. foo.bar.certreq= The CSR in the certmonger requests file for the auditSigningCert seems to be showing with the correct Subject. This is different from the bad subject showing in the requests file field: cert_subject= The value of cert_subject comes from the issued certificate. and the Subject which is showing in the 'getcert list' output (which is the same as that in the cert_subject= field.> I'm not quite sure what this all means. It is displayed from the data within the tracked certmonger request. certmonger logs to syslog so you can check there or you can stop the process and run it manually with: certmonger -n -d 9 2>&1 | tee certmonger.log That will provide a lot of debugging output that may show what is going on. I've restored certificate databases from backup and put the clock back to a time when certificates are valid and renewed the ocspSigining certificate with: getcert resubmit -N "CN=OCSP Subsystem,O=" -i 20161124081302 (I've previously tried without the -N with similar results) What I am seeing in the certmonger logs is: 2017-10-23 00:05:28 [438] Located the key 'ocspSigningCert cert-pki-ca'. 2017-10-23 00:05:28 [438] Converted private key 'ocspSigningCert cert-pki-ca' to public key. 
2017-10-23 00:05:28 [439] Located the certificate "ocspSigningCert cert-pki-ca". 2017-10-23 00:05:28 [440] 0x1d Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20171025122401. 2017-10-23 00:05:28 [442] Located the key 'ocspSigningCert cert-pki-ca'. 2017-10-23 00:05:28 [442] Converted private key 'ocspSigningCert cert-pki-ca' to public key. 2017-10-23 00:05:28 [443] Located the certificate "ocspSigningCert cert-pki-ca". 2017-10-23 00:05:28 [444] Located the key 'ocspSigningCert cert-pki-ca'. 2017-10-23 00:05:28 [444] Converted private key 'ocspSigningCert cert-pki-ca' to public key. 2017-10-23 00:05:39 [581] Found a certificate with the same nickname but different subject, removing certificate "ocspSigningCert cert-pki-ca" with subject "CN=OCSP Subsystem,O=". 2017-10-23 00:05:39 [581] Imported certificate "ocspSigningCert cert-pki-ca", got nickname "ocspSigningCert cert-pki-ca". 2017-10-23 00:05:39 [583] Located the certificate "ocspSigningCert cert
[Freeipa-users] Re: Certificates renewing with the wrong Subject
On 25/01/2018 13:43, Rob Crittenden via FreeIPA-users wrote: Roderick Johnstone via FreeIPA-users wrote: On 24/01/2018 21:09, Rob Crittenden via FreeIPA-users wrote: Roderick Johnstone via FreeIPA-users wrote: On 24/01/2018 15:22, Rob Crittenden via FreeIPA-users wrote: Roderick Johnstone via FreeIPA-users wrote: On 23/01/2018 14:34, Rob Crittenden via FreeIPA-users wrote: Roderick Johnstone via FreeIPA-users wrote: On 15/01/2018 20:07, Rob Crittenden via FreeIPA-users wrote: Roderick Johnstone via FreeIPA-users wrote: On 15/01/2018 16:06, Rob Crittenden via FreeIPA-users wrote: Roderick Johnstone via FreeIPA-users wrote: Hi Our freeipa certificates need to be renewed due to passing their expiry dates. While some certificates have renewed ok, the ipaCert and auditSigningCert are renewing but the new certificates have the wrong Subject. Environment is: serverA (CRL, first, master) RHEL 7.3, ipa 4.4 serverB (replica) RHEL 7.3, ipa 4.4 serverC (replica) RHEL 7.4, ipa 4.5 Once there are renewed certificates with the wrong Subject present, there are various problems with renewing the remaining certificates, which I think might be related to the bad Subject: 1) When just ipaCert has the wrong subject no further renewals happen 2) When auditSigningCert has the wrong subject the ipa pki-tomcatd service will not start and no further renewals happen. I've been round the following loop many times on ServerA, our first master: 1) Restore good certificates from backup 2) Put the clock back to a time when certificates are all valid 3) Resubmit certificates for renewal Each time the ipaCert renews it has the same wrong Subject. The wrong Subject includes the host name of one of our ipa client systems. Each time the auditSigningCert renews it has the same wrong Subject but a different subject to the ipaCert. 
The wrong Subject in this case includes the host name of a system which has never been an ipa client, but might have been added and removed with ipa host-add and ipa host-del for testing something, a while ago. As far as I can see, the "cert_subject" is set correctly in the file /var/lib/certmonger/ until the point at which the certificate is actually renewed. I'd be very grateful for some pointers as to which configuration options and logs to check through to resolve this problem on our production system. If its of any relevance we did change which server is the first master some time ago. I'd pull the CSR out of dogtag (CS.cfg) and/or certmonger to see what the subject is. I'm not seeing any obvious CSR fields in the /etc/pki/pki-tomcat/ca/CS.cfg file. foo.bar.certreq= The CSR in the certmonger requests file for the auditSigningCert seems to be showing with the correct Subject. This is different from the bad subject showing in the requests file field: cert_subject= The value of cert_subject comes from the issued certificate. and the Subject which is showing in the 'getcert list' output (which is the same as that in the cert_subject= field.> I'm not quite sure what this all means. It is displayed from the data within the tracked certmonger request. certmonger logs to syslog so you can check there or you can stop the process and run it manually with: certmonger -n -d 9 2>&1 | tee certmonger.log That will provide a lot of debugging output that may show what is going on. I've restored certificate databases from backup and put the clock back to a time when certificates are valid and renewed the ocspSigining certificate with: getcert resubmit -N "CN=OCSP Subsystem,O=" -i 20161124081302 (I've previously tried without the -N with similar results) What I am seeing in the certmonger logs is: 2017-10-23 00:05:28 [438] Located the key 'ocspSigningCert cert-pki-ca'. 2017-10-23 00:05:28 [438] Converted private key 'ocspSigningCert cert-pki-ca' to public key. 
2017-10-23 00:05:28 [439] Located the certificate "ocspSigningCert cert-pki-ca". 2017-10-23 00:05:28 [440] 0x1d Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20171025122401. 2017-10-23 00:05:28 [442] Located the key 'ocspSigningCert cert-pki-ca'. 2017-10-23 00:05:28 [442] Converted private key 'ocspSigningCert cert-pki-ca' to public key. 2017-10-23 00:05:28 [443] Located the certificate "ocspSigningCert cert-pki-ca". 2017-10-23 00:05:28 [444] Located the key 'ocspSigningCert cert-pki-ca'. 2017-10-23 00:05:28 [444] Converted private key 'ocspSigningCert cert-pki-ca' to public key. 2017-10-23 00:05:39 [581] Found a certificate with the same nickname but different subject, removing certificate "ocspSigningCert cert-pki-ca" with subject "CN=OCSP Subsystem,O=". 2017-10-23 00:05:39 [581] Imported certificate "ocspSigningCert cert-pki-ca", got nickname "ocspSigningCert cert-pki-ca". 2017-10-23 00:05:39 [583] Located the certificate "ocspSigningCert cert-pki-ca". 2017-10-23 00:05:39 [48576] Adding hook "/usr/libexec/ipa/certmonger/renew_ca_ce
[Freeipa-users] Re: Certificates renewing with the wrong Subject
Roderick Johnstone via FreeIPA-users wrote:
> On 24/01/2018 21:09, Rob Crittenden via FreeIPA-users wrote:
>> Roderick Johnstone via FreeIPA-users wrote:
>>> On 24/01/2018 15:22, Rob Crittenden via FreeIPA-users wrote:
>>>> Roderick Johnstone via FreeIPA-users wrote:
>>>>> On 23/01/2018 14:34, Rob Crittenden via FreeIPA-users wrote:
>>>>>> Roderick Johnstone via FreeIPA-users wrote:
>>>>>>> On 15/01/2018 20:07, Rob Crittenden via FreeIPA-users wrote:
>>>>>>>> Roderick Johnstone via FreeIPA-users wrote:
>>>>>>>>> On 15/01/2018 16:06, Rob Crittenden via FreeIPA-users wrote:
>>>>>>>>>> Roderick Johnstone via FreeIPA-users wrote:
>>>>>>>>>>> Hi
>>>>>>>>>>>
>>>>>>>>>>> Our freeipa certificates need to be renewed due to passing their expiry dates.
>>>>>>>>>>>
>>>>>>>>>>> While some certificates have renewed ok, the ipaCert and auditSigningCert are renewing but the new certificates have the wrong Subject.
>>>>>>>>>>>
>>>>>>>>>>> Environment is:
>>>>>>>>>>> serverA (CRL, first, master) RHEL 7.3, ipa 4.4
>>>>>>>>>>> serverB (replica) RHEL 7.3, ipa 4.4
>>>>>>>>>>> serverC (replica) RHEL 7.4, ipa 4.5
>>>>>>>>>>>
>>>>>>>>>>> Once there are renewed certificates with the wrong Subject present, there are various problems with renewing the remaining certificates, which I think might be related to the bad Subject:
>>>>>>>>>>>
>>>>>>>>>>> 1) When just ipaCert has the wrong subject no further renewals happen
>>>>>>>>>>>
>>>>>>>>>>> 2) When auditSigningCert has the wrong subject the ipa pki-tomcatd service will not start and no further renewals happen.
>>>>>>>>>>>
>>>>>>>>>>> I've been round the following loop many times on ServerA, our first master:
>>>>>>>>>>>
>>>>>>>>>>> 1) Restore good certificates from backup
>>>>>>>>>>> 2) Put the clock back to a time when certificates are all valid
>>>>>>>>>>> 3) Resubmit certificates for renewal
>>>>>>>>>>>
>>>>>>>>>>> Each time the ipaCert renews it has the same wrong Subject. The wrong Subject includes the host name of one of our ipa client systems.
>>>>>>>>>>>
>>>>>>>>>>> Each time the auditSigningCert renews it has the same wrong Subject but a different subject to the ipaCert. The wrong Subject in this case includes the host name of a system which has never been an ipa client, but might have been added and removed with ipa host-add and ipa host-del for testing something, a while ago.
>>>>>>>>>>>
>>>>>>>>>>> As far as I can see, the "cert_subject" is set correctly in the file /var/lib/certmonger/ until the point at which the certificate is actually renewed.
>>>>>>>>>>>
>>>>>>>>>>> I'd be very grateful for some pointers as to which configuration options and logs to check through to resolve this problem on our production system.
>>>>>>>>>>>
>>>>>>>>>>> If it's of any relevance we did change which server is the first master some time ago.
>>>>>>>>>>
>>>>>>>>>> I'd pull the CSR out of dogtag (CS.cfg) and/or certmonger to see what the subject is.
>>>>>>>>>
>>>>>>>>> I'm not seeing any obvious CSR fields in the /etc/pki/pki-tomcat/ca/CS.cfg file.
>>>>>>>>
>>>>>>>> foo.bar.certreq=
>>>>>>>>
>>>>>>>>> The CSR in the certmonger requests file for the auditSigningCert seems to be showing with the correct Subject. This is different from the bad subject showing in the requests file field:
>>>>>>>>> cert_subject=
>>>>>>>>
>>>>>>>> The value of cert_subject comes from the issued certificate.
>>>>>>>>
>>>>>>>>> and the Subject which is showing in the 'getcert list' output (which is the same as that in the cert_subject= field.)
>>>>>>>>> I'm not quite sure what this all means.
>>>>>>>>
>>>>>>>> It is displayed from the data within the tracked certmonger request.
>>>>>>>>
>>>>>>>> certmonger logs to syslog so you can check there or you can stop the process and run it manually with: certmonger -n -d 9 2>&1 | tee certmonger.log
>>>>>>>>
>>>>>>>> That will provide a lot of debugging output that may show what is going on.
>>>>>>>
>>>>>>> I've restored certificate databases from backup and put the clock back to a time when certificates are valid and renewed the ocspSigning certificate with:
>>>>>>> getcert resubmit -N "CN=OCSP Subsystem,O=" -i 20161124081302
>>>>>>>
>>>>>>> (I've previously tried without the -N with similar results)
>>>>>>>
>>>>>>> What I am seeing in the certmonger logs is:
>>>>>>>
>>>>>>> 2017-10-23 00:05:28 [438] Located the key 'ocspSigningCert cert-pki-ca'.
>>>>>>> 2017-10-23 00:05:28 [438] Converted private
[Freeipa-users] Re: Certificates renewing with the wrong Subject
On 15/01/2018 20:07, Rob Crittenden via FreeIPA-users wrote:
> Roderick Johnstone via FreeIPA-users wrote:
>> On 15/01/2018 16:06, Rob Crittenden via FreeIPA-users wrote:
>>> Roderick Johnstone via FreeIPA-users wrote:
>>>> Hi
>>>>
>>>> Our freeipa certificates need to be renewed due to passing their expiry dates.
>>>>
>>>> While some certificates have renewed ok, the ipaCert and auditSigningCert are renewing but the new certificates have the wrong Subject.
>>>>
>>>> Environment is:
>>>> serverA (CRL, first, master) RHEL 7.3, ipa 4.4
>>>> serverB (replica) RHEL 7.3, ipa 4.4
>>>> serverC (replica) RHEL 7.4, ipa 4.5
>>>>
>>>> Once there are renewed certificates with the wrong Subject present, there are various problems with renewing the remaining certificates, which I think might be related to the bad Subject:
>>>>
>>>> 1) When just ipaCert has the wrong subject no further renewals happen
>>>>
>>>> 2) When auditSigningCert has the wrong subject the ipa pki-tomcatd service will not start and no further renewals happen.
>>>>
>>>> I've been round the following loop many times on ServerA, our first master:
>>>>
>>>> 1) Restore good certificates from backup
>>>> 2) Put the clock back to a time when certificates are all valid
>>>> 3) Resubmit certificates for renewal
>>>>
>>>> Each time the ipaCert renews it has the same wrong Subject. The wrong Subject includes the host name of one of our ipa client systems.
>>>>
>>>> Each time the auditSigningCert renews it has the same wrong Subject but a different subject to the ipaCert. The wrong Subject in this case includes the host name of a system which has never been an ipa client, but might have been added and removed with ipa host-add and ipa host-del for testing something, a while ago.
>>>>
>>>> As far as I can see, the "cert_subject" is set correctly in the file /var/lib/certmonger/ until the point at which the certificate is actually renewed.
>>>>
>>>> I'd be very grateful for some pointers as to which configuration options and logs to check through to resolve this problem on our production system.
>>>>
>>>> If it's of any relevance we did change which server is the first master some time ago.
>>>
>>> I'd pull the CSR out of dogtag (CS.cfg) and/or certmonger to see what the subject is.
>>
>> I'm not seeing any obvious CSR fields in the /etc/pki/pki-tomcat/ca/CS.cfg file.
>
> foo.bar.certreq=
>
>> The CSR in the certmonger requests file for the auditSigningCert seems to be showing with the correct Subject. This is different from the bad subject showing in the requests file field:
>> cert_subject=
>
> The value of cert_subject comes from the issued certificate.
>
>> and the Subject which is showing in the 'getcert list' output (which is the same as that in the cert_subject= field.)
>> I'm not quite sure what this all means.
>
> It is displayed from the data within the tracked certmonger request.
>
> certmonger logs to syslog so you can check there or you can stop the process and run it manually with: certmonger -n -d 9 2>&1 | tee certmonger.log
>
> That will provide a lot of debugging output that may show what is going on.

I've restored certificate databases from backup and put the clock back to a time when certificates are valid and renewed the ocspSigning certificate with:
getcert resubmit -N "CN=OCSP Subsystem,O=" -i 20161124081302

(I've previously tried without the -N with similar results)

What I am seeing in the certmonger logs is:

2017-10-23 00:05:28 [438] Located the key 'ocspSigningCert cert-pki-ca'.
2017-10-23 00:05:28 [438] Converted private key 'ocspSigningCert cert-pki-ca' to public key.
2017-10-23 00:05:28 [439] Located the certificate "ocspSigningCert cert-pki-ca".
2017-10-23 00:05:28 [440] 0x1d Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20171025122401.
2017-10-23 00:05:28 [442] Located the key 'ocspSigningCert cert-pki-ca'.
2017-10-23 00:05:28 [442] Converted private key 'ocspSigningCert cert-pki-ca' to public key.
2017-10-23 00:05:28 [443] Located the certificate "ocspSigningCert cert-pki-ca".
2017-10-23 00:05:28 [444] Located the key 'ocspSigningCert cert-pki-ca'.
2017-10-23 00:05:28 [444] Converted private key 'ocspSigningCert cert-pki-ca' to public key.
2017-10-23 00:05:39 [581] Found a certificate with the same nickname but different subject, removing certificate "ocspSigningCert cert-pki-ca" with subject "CN=OCSP Subsystem,O=".
2017-10-23 00:05:39 [581] Imported certificate "ocspSigningCert cert-pki-ca", got nickname "ocspSigningCert cert-pki-ca".
2017-10-23 00:05:39 [583] Located the certificate "ocspSigningCert cert-pki-ca".
2017-10-23 00:05:39 [48576] Adding hook "/usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"" (0).
2017-10-23 00:10:43 [942] 0x1d Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.

I now have a date-valid ocspSigningCertificate, but with the wrong subject, and a broken certificate system which will no longer start.

ipactl status
...
pki-tomcatd Service: STOPPED

I can't
[Freeipa-users] Re: Certificates renewing with the wrong Subject
Roderick Johnstone via FreeIPA-users wrote:
> On 16/01/2018 12:14, Roderick Johnstone via FreeIPA-users wrote:
> Hi Rob
>
> This is all on my first master server.
>
> I put the clock back to when the certificates that I restore from backup are all valid.
>
> I restored the databases in /etc/httpd/alias and /etc/pki/pki-tomcat/alias from the last good backup I had.
>
> I also restored the CS.cfg file from backup.
>
> I updated the trusts in /etc/pki/pki-tomcat/alias for
> caSigningCert cert-pki-ca
> to match what is in section 5 of:
> https://access.redhat.com/solutions/643753
>
> This was previously:
> caSigningCert cert-pki-ca CTu,u,u
> for some reason.
>
> I stopped the certmonger service and ran the certmonger command you gave to start verbose logging.
>
> I was able to start all the ipa services after running:
> pki-server subsystem-enable ca
> (this seems to become disabled when the tomcatd service cannot start.)
>
> I ran getcert resubmit -i for the expiring certificates.
>
> The first one I tried (ocspSigningCert) renewed but gets an odd Subject. It includes the hostname of one of my replica servers.
>
> The other certificates have not renewed.
>
> As you said, there is a large amount of info in the verbose certmonger debug logs, but it is not immediately obvious to me what has gone wrong, except that there are some instances of:
> Internal error
>
> Would you be prepared to have a look at the log file off-list (3.3MB file, uncompressed) to see if it means more to you.

Sure, feel free to send it to me directly.

rob
[Freeipa-users] Re: Certificates renewing with the wrong Subject
On 16/01/2018 12:14, Roderick Johnstone via FreeIPA-users wrote:
On 15/01/2018 20:07, Rob Crittenden via FreeIPA-users wrote:
Roderick Johnstone via FreeIPA-users wrote:
On 15/01/2018 16:06, Rob Crittenden via FreeIPA-users wrote:
Roderick Johnstone via FreeIPA-users wrote:
Hi

Our freeipa certificates need to be renewed due to passing their expiry dates.

While some certificates have renewed ok, the ipaCert and auditSigningCert are renewing but the new certificates have the wrong Subject.

Environment is:
serverA (CRL, first, master) RHEL 7.3, ipa 4.4
serverB (replica) RHEL 7.3, ipa 4.4
serverC (replica) RHEL 7.4, ipa 4.5

Once there are renewed certificates with the wrong Subject present, there are various problems with renewing the remaining certificates, which I think might be related to the bad Subject:

1) When just ipaCert has the wrong subject no further renewals happen

2) When auditSigningCert has the wrong subject the ipa pki-tomcatd service will not start and no further renewals happen.

I've been round the following loop many times on ServerA, our first master:

1) Restore good certificates from backup
2) Put the clock back to a time when certificates are all valid
3) Resubmit certificates for renewal

Each time the ipaCert renews it has the same wrong Subject. The wrong Subject includes the host name of one of our ipa client systems.

Each time the auditSigningCert renews it has the same wrong Subject but a different subject to the ipaCert. The wrong Subject in this case includes the host name of a system which has never been an ipa client, but might have been added and removed with ipa host-add and ipa host-del for testing something, a while ago.

As far as I can see, the "cert_subject" is set correctly in the file /var/lib/certmonger/ until the point at which the certificate is actually renewed.

I'd be very grateful for some pointers as to which configuration options and logs to check through to resolve this problem on our production system.

If it's of any relevance we did change which server is the first master some time ago.

I'd pull the CSR out of dogtag (CS.cfg) and/or certmonger to see what the subject is.

I'm not seeing any obvious CSR fields in the /etc/pki/pki-tomcat/ca/CS.cfg file.

foo.bar.certreq=

Thanks for the hint (and for your input in general).

I'm seeing only the following four certreq entries in CS.cfg, nothing obvious for ca.audit_signing:

$ pwd
/etc/pki/pki-tomcat/ca
$ ls -l CS.cfg
-rw-rw 1 pkiuser pkiuser 82417 Oct 24 12:00 CS.cfg
$ grep certreq CS.cfg | awk -F= '{print $1}'
ca.ocsp_signing.certreq
ca.signing.certreq
ca.sslserver.certreq
ca.subsystem.certreq

Interestingly the CS.cfg file was written at just the time I have been putting the clock back to for certificate renewal purposes.

If I look at a backup of the CS.cfg file that I have I see all certreq as expected:

$ pwd
/var/tmp/rmj/etc/pki/pki-tomcat/ca
$ ls -l CS.cfg
-rw-rw 1 pkiuser pkiuser 83015 Aug 18 22:43 CS.cfg
$ grep certreq CS.cfg | awk -F= '{print $1}'
ca.audit_signing.certreq
ca.ocsp_signing.certreq
ca.signing.certreq
ca.sslserver.certreq
ca.subsystem.certreq

Here are the results of checking the CSRs in both the certmonger requests and CS.cfg locations in the live system:

The CSRs in the CS.cfg file show:

ca.ocsp_signing.certreq Subject: O=, CN=OCSP Subsystem
ca.signing.certreq Subject: O=, CN=Certificate Authority
ca.sslserver.certreq Subject: O=, CN=
ca.subsystem.certreq Subject: O=, CN=CA Subsystem

The CSRs in certmonger requests show:

auditSigningCert_certmongerrequest_csr.lis Subject: O=, CN=CA Audit
ipaCert_certmongerrequest_csr.lis Subject: O=, CN=IPA RA
ocspSigningCert_certmongerrequest_csr.lis Subject: O=, CN=OCSP Subsystem
Server-Cert_certmongerrequest_csr.lis Subject: O=, CN=
subsystemCert_certmongerrequest_csr.lis Subject: O=, CN=CA Subsystem

So those look ok, except that there is no entry for ca.audit_signing.certreq in the live CS.cfg file.

The auditSigningCert in the backup of the CS.cfg looks to be correct:
Subject: O=, CN=CA Audit

The getcert list output that shows the bad subject for current auditSigningCert:

$ getcert list | egrep "certificate:|subject|expires"
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
subject: CN=,O=<domain in caps>
expires: 2019-10-25 11:19:50 UTC
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
subject: CN=OCSP Subsystem,O=
expires: 2017-10-25 12:24:01 UTC
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
subject: CN=CA Subsystem,O=
expires: 2017-10-25 12:24:02 UTC
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
[Freeipa-users] Re: Certificates renewing with the wrong Subject
On 15/01/2018 20:07, Rob Crittenden via FreeIPA-users wrote:
Roderick Johnstone via FreeIPA-users wrote:
On 15/01/2018 16:06, Rob Crittenden via FreeIPA-users wrote:
Roderick Johnstone via FreeIPA-users wrote:
Hi

Our freeipa certificates need to be renewed due to passing their expiry dates.

While some certificates have renewed ok, the ipaCert and auditSigningCert are renewing but the new certificates have the wrong Subject.

Environment is:
serverA (CRL, first, master) RHEL 7.3, ipa 4.4
serverB (replica) RHEL 7.3, ipa 4.4
serverC (replica) RHEL 7.4, ipa 4.5

Once there are renewed certificates with the wrong Subject present, there are various problems with renewing the remaining certificates, which I think might be related to the bad Subject:

1) When just ipaCert has the wrong subject no further renewals happen

2) When auditSigningCert has the wrong subject the ipa pki-tomcatd service will not start and no further renewals happen.

I've been round the following loop many times on ServerA, our first master:

1) Restore good certificates from backup
2) Put the clock back to a time when certificates are all valid
3) Resubmit certificates for renewal

Each time the ipaCert renews it has the same wrong Subject. The wrong Subject includes the host name of one of our ipa client systems.

Each time the auditSigningCert renews it has the same wrong Subject but a different subject to the ipaCert. The wrong Subject in this case includes the host name of a system which has never been an ipa client, but might have been added and removed with ipa host-add and ipa host-del for testing something, a while ago.

As far as I can see, the "cert_subject" is set correctly in the file /var/lib/certmonger/ until the point at which the certificate is actually renewed.

I'd be very grateful for some pointers as to which configuration options and logs to check through to resolve this problem on our production system.

If it's of any relevance we did change which server is the first master some time ago.

I'd pull the CSR out of dogtag (CS.cfg) and/or certmonger to see what the subject is.

I'm not seeing any obvious CSR fields in the /etc/pki/pki-tomcat/ca/CS.cfg file.

foo.bar.certreq=

Thanks for the hint (and for your input in general).

I'm seeing only the following four certreq entries in CS.cfg, nothing obvious for ca.audit_signing:

$ pwd
/etc/pki/pki-tomcat/ca
$ ls -l CS.cfg
-rw-rw 1 pkiuser pkiuser 82417 Oct 24 12:00 CS.cfg
$ grep certreq CS.cfg | awk -F= '{print $1}'
ca.ocsp_signing.certreq
ca.signing.certreq
ca.sslserver.certreq
ca.subsystem.certreq

Interestingly the CS.cfg file was written at just the time I have been putting the clock back to for certificate renewal purposes.

If I look at a backup of the CS.cfg file that I have I see all certreq as expected:

$ pwd
/var/tmp/rmj/etc/pki/pki-tomcat/ca
$ ls -l CS.cfg
-rw-rw 1 pkiuser pkiuser 83015 Aug 18 22:43 CS.cfg
$ grep certreq CS.cfg | awk -F= '{print $1}'
ca.audit_signing.certreq
ca.ocsp_signing.certreq
ca.signing.certreq
ca.sslserver.certreq
ca.subsystem.certreq

Here are the results of checking the CSRs in both the certmonger requests and CS.cfg locations in the live system:

The CSRs in the CS.cfg file show:

ca.ocsp_signing.certreq Subject: O=, CN=OCSP Subsystem
ca.signing.certreq Subject: O=, CN=Certificate Authority
ca.sslserver.certreq Subject: O=, CN=
ca.subsystem.certreq Subject: O=, CN=CA Subsystem

The CSRs in certmonger requests show:

auditSigningCert_certmongerrequest_csr.lis Subject: O=, CN=CA Audit
ipaCert_certmongerrequest_csr.lis Subject: O=, CN=IPA RA
ocspSigningCert_certmongerrequest_csr.lis Subject: O=, CN=OCSP Subsystem
Server-Cert_certmongerrequest_csr.lis Subject: O=, CN=
subsystemCert_certmongerrequest_csr.lis Subject: O=, CN=CA Subsystem

So those look ok, except that there is no entry for ca.audit_signing.certreq in the live CS.cfg file.

The auditSigningCert in the backup of the CS.cfg looks to be correct:
Subject: O=, CN=CA Audit

The getcert list output that shows the bad subject for current auditSigningCert:

$ getcert list | egrep "certificate:|subject|expires"
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
subject: CN=,O=<caps>
expires: 2019-10-25 11:19:50 UTC
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
subject: CN=OCSP Subsystem,O=
expires: 2017-10-25 12:24:01 UTC
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
subject: CN=CA Subsystem,O=
expires: 2017-10-25 12:24:02 UTC
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
subject: CN=Certificate Authority,
[Freeipa-users] Re: Certificates renewing with the wrong Subject
Roderick Johnstone via FreeIPA-users wrote:
> On 15/01/2018 16:06, Rob Crittenden via FreeIPA-users wrote:
>> Roderick Johnstone via FreeIPA-users wrote:
>>> Hi
>>>
>>> Our freeipa certificates need to be renewed due to passing their expiry dates.
>>>
>>> While some certificates have renewed ok, the ipaCert and auditSigningCert are renewing but the new certificates have the wrong Subject.
>>>
>>> Environment is:
>>> serverA (CRL, first, master) RHEL 7.3, ipa 4.4
>>> serverB (replica) RHEL 7.3, ipa 4.4
>>> serverC (replica) RHEL 7.4, ipa 4.5
>>>
>>> Once there are renewed certificates with the wrong Subject present, there are various problems with renewing the remaining certificates, which I think might be related to the bad Subject:
>>>
>>> 1) When just ipaCert has the wrong subject no further renewals happen
>>>
>>> 2) When auditSigningCert has the wrong subject the ipa pki-tomcatd service will not start and no further renewals happen.
>>>
>>> I've been round the following loop many times on ServerA, our first master:
>>>
>>> 1) Restore good certificates from backup
>>> 2) Put the clock back to a time when certificates are all valid
>>> 3) Resubmit certificates for renewal
>>>
>>> Each time the ipaCert renews it has the same wrong Subject. The wrong Subject includes the host name of one of our ipa client systems.
>>>
>>> Each time the auditSigningCert renews it has the same wrong Subject but a different subject to the ipaCert. The wrong Subject in this case includes the host name of a system which has never been an ipa client, but might have been added and removed with ipa host-add and ipa host-del for testing something, a while ago.
>>>
>>> As far as I can see, the "cert_subject" is set correctly in the file /var/lib/certmonger/ until the point at which the certificate is actually renewed.
>>>
>>> I'd be very grateful for some pointers as to which configuration options and logs to check through to resolve this problem on our production system.
>>>
>>> If it's of any relevance we did change which server is the first master some time ago.
>>
>> I'd pull the CSR out of dogtag (CS.cfg) and/or certmonger to see what the subject is.
>
> I'm not seeing any obvious CSR fields in the /etc/pki/pki-tomcat/ca/CS.cfg file.

foo.bar.certreq=

> The CSR in the certmonger requests file for the auditSigningCert seems to be showing with the correct Subject. This is different from the bad subject showing in the requests file field:
> cert_subject=

The value of cert_subject comes from the issued certificate.

> and the Subject which is showing in the 'getcert list' output (which is the same as that in the cert_subject= field.)
>
> I'm not quite sure what this all means.

It is displayed from the data within the tracked certmonger request.

certmonger logs to syslog so you can check there or you can stop the process and run it manually with:

certmonger -n -d 9 2>&1 | tee certmonger.log

That will provide a lot of debugging output that may show what is going on.

rob
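The cross-check Rob suggests above (pull the CSR out of CS.cfg or certmonger and compare its Subject with the Subject of the certificate that was actually issued, which is what cert_subject and 'getcert list' report) is done by hand elsewhere in this thread. The script below is an added example and is not part of the thread or of FreeIPA; it needs only the openssl CLI. It assumes the CS.cfg key names the thread lists (ca.audit_signing.certreq and friends), takes the issued certificate as a PEM file (for example exported with certutil -L -d /etc/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca' -a > /tmp/audit.pem), and the function names are mine. A missing key, the "no ca.audit_signing.certreq entry in the live CS.cfg" case, is reported as a failure rather than silently treated as a match.

```shell
#!/bin/sh
# Added example (not from the thread): compare the Subject in a dogtag CSR
# stored in CS.cfg with the Subject of the certificate actually issued for it.
# Assumptions: CS.cfg stores each CSR as single-line base64 DER under a key
# such as ca.audit_signing.certreq; the issued certificate is a PEM file.

# Print the RFC 2253 Subject of the CSR stored under key $2 in CS.cfg file $1.
# Prints nothing and returns 1 when the key is absent or the value does not
# decode as a DER CSR (the "no ca.audit_signing.certreq entry" case).
csr_subject_for_key() {
    cfg=$1 key=$2
    # Exact key match on the part before the first '='; the value may contain '='.
    b64=$(awk -F= -v k="$key" '$1 == k { print substr($0, length(k) + 2); exit }' "$cfg")
    [ -n "$b64" ] || return 1
    # Re-wrap to 64-column lines so the base64 decoder accepts it, then read the DER.
    subj=$(printf '%s\n' "$b64" | fold -w 64 | openssl base64 -d 2>/dev/null \
        | openssl req -inform DER -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed 's/^subject= *//')
    [ -n "$subj" ] || return 1
    printf '%s\n' "$subj"
}

# Print the RFC 2253 Subject of the PEM certificate $1 (same form as getcert list).
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed 's/^subject= *//'
}

# Return 0 when the CSR under key $2 in $1 and the issued certificate $3 agree
# on the Subject; return 1 (and say why on stderr) otherwise.
compare_subject() {
    cfg=$1 key=$2 cert=$3
    want=$(csr_subject_for_key "$cfg" "$key") || {
        echo "$key: no decodable CSR in $cfg" >&2
        return 1
    }
    got=$(cert_subject "$cert")
    if [ "$want" = "$got" ]; then
        echo "$key: OK ($got)"
        return 0
    fi
    echo "$key: MISMATCH csr='$want' cert='$got'" >&2
    return 1
}

# Run directly as:
#   sh check_csr_subject.sh /etc/pki/pki-tomcat/ca/CS.cfg ca.audit_signing.certreq /tmp/audit.pem
if [ "$#" -eq 3 ]; then
    compare_subject "$1" "$2" "$3"
fi
```

Because the certificate Subject is printed in RFC 2253 order (CN first, as getcert list shows it), a mismatch line makes the foreign host name visible immediately; running the check for every certreq key before and after a resubmit tells you whether the wrong Subject is already in the stored CSR or only appears in what the CA issues.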
[Freeipa-users] Re: Certificates renewing with the wrong Subject
On 15/01/2018 16:06, Rob Crittenden via FreeIPA-users wrote:
Roderick Johnstone via FreeIPA-users wrote:
Hi

Our freeipa certificates need to be renewed due to passing their expiry dates.

While some certificates have renewed ok, the ipaCert and auditSigningCert are renewing but the new certificates have the wrong Subject.

Environment is:
serverA (CRL, first, master) RHEL 7.3, ipa 4.4
serverB (replica) RHEL 7.3, ipa 4.4
serverC (replica) RHEL 7.4, ipa 4.5

Once there are renewed certificates with the wrong Subject present, there are various problems with renewing the remaining certificates, which I think might be related to the bad Subject:

1) When just ipaCert has the wrong subject no further renewals happen

2) When auditSigningCert has the wrong subject the ipa pki-tomcatd service will not start and no further renewals happen.

I've been round the following loop many times on ServerA, our first master:

1) Restore good certificates from backup
2) Put the clock back to a time when certificates are all valid
3) Resubmit certificates for renewal

Each time the ipaCert renews it has the same wrong Subject. The wrong Subject includes the host name of one of our ipa client systems.

Each time the auditSigningCert renews it has the same wrong Subject but a different subject to the ipaCert. The wrong Subject in this case includes the host name of a system which has never been an ipa client, but might have been added and removed with ipa host-add and ipa host-del for testing something, a while ago.

As far as I can see, the "cert_subject" is set correctly in the file /var/lib/certmonger/ until the point at which the certificate is actually renewed.

I'd be very grateful for some pointers as to which configuration options and logs to check through to resolve this problem on our production system.

If it's of any relevance we did change which server is the first master some time ago.

I'd pull the CSR out of dogtag (CS.cfg) and/or certmonger to see what the subject is.

I'm not seeing any obvious CSR fields in the /etc/pki/pki-tomcat/ca/CS.cfg file.

The CSR in the certmonger requests file for the auditSigningCert seems to be showing with the correct Subject. This is different from the bad subject showing in the requests file field:
cert_subject=

and the Subject which is showing in the 'getcert list' output (which is the same as that in the cert_subject= field.)

I'm not quite sure what this all means.

Roderick

rob
[Freeipa-users] Re: Certificates renewing with the wrong Subject
Roderick Johnstone via FreeIPA-users wrote:
> Hi
>
> Our freeipa certificates need to be renewed due to passing their expiry dates.
>
> While some certificates have renewed ok, the ipaCert and auditSigningCert are renewing but the new certificates have the wrong Subject.
>
> Environment is:
> serverA (CRL, first, master) RHEL 7.3, ipa 4.4
> serverB (replica) RHEL 7.3, ipa 4.4
> serverC (replica) RHEL 7.4, ipa 4.5
>
> Once there are renewed certificates with the wrong Subject present, there are various problems with renewing the remaining certificates, which I think might be related to the bad Subject:
>
> 1) When just ipaCert has the wrong subject no further renewals happen
>
> 2) When auditSigningCert has the wrong subject the ipa pki-tomcatd service will not start and no further renewals happen.
>
> I've been round the following loop many times on ServerA, our first master:
>
> 1) Restore good certificates from backup
> 2) Put the clock back to a time when certificates are all valid
> 3) Resubmit certificates for renewal
>
> Each time the ipaCert renews it has the same wrong Subject. The wrong Subject includes the host name of one of our ipa client systems.
>
> Each time the auditSigningCert renews it has the same wrong Subject but a different subject to the ipaCert. The wrong Subject in this case includes the host name of a system which has never been an ipa client, but might have been added and removed with ipa host-add and ipa host-del for testing something, a while ago.
>
> As far as I can see, the "cert_subject" is set correctly in the file /var/lib/certmonger/ until the point at which the certificate is actually renewed.
>
> I'd be very grateful for some pointers as to which configuration options and logs to check through to resolve this problem on our production system.
>
> If it's of any relevance we did change which server is the first master some time ago.

I'd pull the CSR out of dogtag (CS.cfg) and/or certmonger to see what the subject is.

rob