Re: [Freeipa-users] Certificate expired/renew problems
Ok, I found my issue. I didn't realize the server I initially tried to set up as the new master CA was 32 bit. What clued me in was the renew_ca_cert and stop_pkicad commands including a 64-bit path in setting the certificates to be tracked in certmonger. But that path didn't exist on this server... The other two servers are 64 bit. Once I switched the master CA over to one of these and then set the time back before the certificates expired, all the certificates renewed and then populated out to the other servers. So all the certificates look good now.

The only issue I see now is if I log into the web management console on the 32 bit server I get the error:

ipa error 4301 Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)

But the two 64 bit interfaces look good. But I'm not too worried about this as now the plan is to replace the 32 bit server with 64.

thanks,
Marc

On Mon, Jun 8, 2015 at 10:24 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> [...]
Re: [Freeipa-users] Certificate expired/renew problems
John Desantis wrote:
> Marc,
>
> Unfortunately, I've never had to promote a replica to become the CA master in our environment.
>
> Is the host that's reporting the error the URL of the old master or the replica?
>
> Did you check the CS.cfg to see if the replica certificate is present vs. the old master?
>
> John DeSantis

I think he just needs to go back in time again, restart the CA, restart certmonger and that should do it.

It looks like this machine is configured to do the subsystem renewal: it uses dogtag-ipa-renew-agent as the certmonger CA.

rob

> On Jun 5, 2015 3:49 PM, Marc Wiatrowski <w...@iglass.net> wrote:
>> Thank you John. I had tried that but you did give me some things to look at.
>>
>> I was able to get 2 of the certificates to renew by setting the date back in time, a services restart, and issuing 'ipa-getcert resubmit -i <request id>'. This renewed the following: 'Server-Cert' and 'ipaCert', but did not renew 'auditSigningCert cert-pki-ca', 'ocspSigningCert cert-pki-ca' or 'subsystemCert cert-pki-ca'.
>>
>> The admin web interface now gives 'ipa error 4301: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)'. Listing the certs shows an error along the lines of:
>>
>> Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true".
>>
>> If any of these are useful:
>>
>> messages:
>> Jun 5 15:38:05 spider01o certmonger: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true".
>>
>> httpd/error:
>> [Fri Jun 05 14:32:26 2015] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with CMS (Not Found)
>>
>> selftests.log:
>> 8371.main - [05/Jun/2015:15:19:17 EDT] [20] [1] SystemCertsVerification: system certs verification failure
>> 8371.main - [05/Jun/2015:15:19:17 EDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
>>
>> $ ipactl status
>> Directory Service: RUNNING
>> KDC Service: RUNNING
>> KPASSWD Service: RUNNING
>> DNS Service: RUNNING
>> MEMCACHE Service: RUNNING
>> HTTP Service: RUNNING
>> CA Service: RUNNING
>>
>> $ certutil -L -d /var/lib/pki-ca/alias
>>
>> Certificate Nickname                          Trust Attributes
>>                                               SSL,S/MIME,JAR/XPI
>>
>> ocspSigningCert cert-pki-ca                   u,u,u
>> subsystemCert cert-pki-ca                     u,u,u
>> Server-Cert cert-pki-ca                       u,u,u
>> caSigningCert cert-pki-ca                     CTu,u,u
>> auditSigningCert cert-pki-ca                  u,u,Pu
>>
>> $ getcert list
>> Number of certificates and requests being tracked: 9.
>> Request ID '20131204194012':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
>>         certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=IGLASS.NET
>>         subject: CN=spider01o,O=IGLASS.NET
>>         expires: 2017-05-28 18:03:59 UTC
>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20141114162346':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=IGLASS.NET
>>         subject: CN=spider01o.iglass.net,O=IGLASS.NET
>>         expires: 2016-11-14 16:22:37 UTC
>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20141114162434':
>>         status: MONITORING
>>         ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true".
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='x'
>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>         CA:
Re: [Freeipa-users] Certificate expired/renew problems
Marc,

I experienced a similar issue earlier this year. Try restarting certmonger after temporarily changing the date back on the master. In our case that service had failed miserably and it didn't allow FreeIPA to renew the certificates properly.

Our replicas however were hit with a bug [1] during this process. We applied the patched code and followed the same process and all was well.

John DeSantis

[1] https://fedorahosted.org/freeipa/ticket/4064

2015-06-05 11:12 GMT-04:00 Marc Wiatrowski <w...@iglass.net>:
> [...]
[Freeipa-users] Certificate expired/renew problems
hello,

I've got a problem with expired certificates in my ipa/IdM setup. I believe the root issue to be from the fact that when everything was first set up about a year ago, everything was replicated from a first ipa server which no longer exists. There are currently 3 ipa servers but none of them are the original.

A couple of days ago I started getting errors similar to '(SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired' through the web management interface. After investigating with 'getcert list' I found that several certificates expired at 2015-05-31 18:48:55 UTC.

I found http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master and followed the procedure for ipa 4.0 and everything seemed to go as expected. However this did not fix my issue. With more searching it looked like once the certificates are expired the auto renew will not work. Finding https://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Procedure_in_IPA_.3C_4.0 to try to manually renew, I am stuck at the beginning with 'Give the CSR to your external CA.' I don't believe we had our certificates externally signed. They are whatever the original install put in place. Setting the date back in time wreaks havoc on our environment so I'm reluctant to leave it for too long. I can get what I believe is the original CSR from /etc/pki-ca/CS.cfg but am unsure what to do next or if this is even the road I should be going down.

Things seem to be working for the most part except trying to make updates. Any help on what to do next, somewhere else to look, or if I'm going in the right direction would be greatly appreciated.

thanks,
Marc

Info: CentOS 6.5 with some current updates including
ipa-server-3.0.0-42.el6.centos.i686
certmonger-0.75.13-1.el6.i686

$ getcert list-cas
CA 'SelfSign':
        is-default: no
        ca-type: INTERNAL:SELF
        next-serial-number: 01
CA 'IPA':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/ipa-submit
CA 'certmaster':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/certmaster-submit
CA 'dogtag-ipa-renew-agent':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
CA 'local':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/local-submit
CA 'dogtag-ipa-retrieve-agent-submit':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit

$ getcert list
Number of certificates and requests being tracked: 9.
Request ID '20131204194012':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=IGLASS.NET
        subject: CN=spider01o,O=IGLASS.NET
        expires: 2015-12-05 19:40:13 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20141114162346':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=IGLASS.NET
        subject: CN=spider01o.iglass.net,O=IGLASS.NET
        expires: 2016-11-14 16:22:37 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20141114162434':
        status: MONITORING
        ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='x'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=IGLASS.NET
        subject: CN=spider01o.iglass.net,O=IGLASS.NET
        expires: 2016-11-03 16:24:27 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20141114162522':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=IGLASS.NET
        subject: CN=spider01o.iglass.net,O=IGLASS.NET
        expires: 2016-11-14
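A small checker for the `getcert list` output posted in this thread, added here as an example (it is not code from the thread or from the FreeIPA project): it parses the Request ID stanzas and reports certificates that are already expired, expire within a warning window, or carry a ca-error, a stuck flag or a state other than MONITORING, which is how the auto-renew failures above would have shown up before the expiry date. SAMPLE is cut down from Marc's output; its third stanza, request id and CA_UNREACHABLE state are constructed, and the function names are my own.

```python
"""Flag certmonger-tracked certificates that are expired, expiring soon, or
failing renewal, from `getcert list` output. Added example, not from the
thread: SAMPLE is cut down from the output Marc posted (the third stanza
and its request id are invented); the function names are my own."""
import re
from datetime import datetime, timedelta

SAMPLE = """Request ID '20131204194012':
        status: MONITORING
        stuck: no
        CA: IPA
        expires: 2015-12-05 19:40:13 UTC
Request ID '20141114162434':
        status: MONITORING
        ca-error: Internal error: no response to http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true.
        stuck: no
        CA: dogtag-ipa-renew-agent
        expires: 2016-11-03 16:24:27 UTC
Request ID '20150101000000':
        status: CA_UNREACHABLE
        stuck: yes
        CA: dogtag-ipa-renew-agent
        expires: 2015-05-31 18:48:55 UTC
"""

def parse_getcert(text):
    """Return one dict per "Request ID" stanza, keyed by getcert's field names."""
    certs, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '(\w+)':", line)
        if m:
            cur = {"id": m.group(1)}
            certs.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.strip().partition(":")  # split on first colon only
            cur[key] = val.strip()
    return certs

def parse_ts(s):
    return datetime.strptime(s[:19], "%Y-%m-%d %H:%M:%S")  # drop trailing ' UTC'

def check_certs(certs, now, warn_days=30):
    """List (request id, reason) pairs that need an operator's attention."""
    findings, now = [], parse_ts(now)
    for c in certs:
        exp = parse_ts(c["expires"])
        if exp <= now:
            findings.append((c["id"], "expired"))
        elif exp - now <= timedelta(days=warn_days):
            findings.append((c["id"], "expiring soon"))
        # A ca-error, a stuck request, or any state other than MONITORING means
        # auto-renew is not working and this request id needs a manual resubmit.
        if "ca-error" in c or c["stuck"] == "yes" or c["status"] != "MONITORING":
            findings.append((c["id"], "renewal problem: " + c.get("ca-error", c["status"])))
    return findings
```

Run it against real output with `check_certs(parse_getcert(open("getcert.txt").read()), "2015-06-05 11:12:00")`; the request ids it returns are the ones to pass to `getcert resubmit -i`.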