Re: [Freeipa-users] Problems with expired certificates

Tómas Edwardsson wrote:
> I'm having issues with expired certificates in /var/lib/pki-ca/alias which
> I'm quite unsure on how to fix. The ones that have expired are:
>
>   subsystemCert cert-pki-ca
>   Server-Cert cert-pki-ca
>
> According to getcert list the following 2 requests are stuck

The error code translates to:

  CURLE_SSL_CACERT (60) Peer certificate cannot be authenticated with known CA certificates.

Which is odd considering that other certificates in the same database were
renewed ok.

I suppose I'd rewind time to the day before expiration and run:

  getcert resubmit -i id

for each of these and see if it goes through.

rob

> Request ID '20130415234030':
>         status: CA_UNREACHABLE
>         ca-error: Error 60 connecting to https://auth.d.lan:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
>         stuck: yes
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='502532376322'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=D.LAN
>         subject: CN=CA Subsystem,O=D.LAN
>         expires: 2013-07-10 14:24:34 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert subsystemCert cert-pki-ca
>         track: yes
>         auto-renew: yes
> Request ID '20130415234032':
>         status: CA_UNREACHABLE
>         ca-error: Error 60 connecting to https://auth.d.lan:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
>         stuck: yes
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='502532376322'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=D.LAN
>         subject: CN=auth.d.lan,O=D.LAN
>         expires: 2013-07-10 14:24:33 UTC
>         eku: id-kp-serverAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
>
> Here is what I could find from some browsing with certutil:
>
> [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> subsystemCert cert-pki-ca                                    u,u,u
> ocspSigningCert cert-pki-ca                                  u,u,u
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> Server-Cert cert-pki-ca                                      u,u,u
> auditSigningCert cert-pki-ca                                 u,u,Pu
>
> [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "subsystemCert cert-pki-ca" | grep "Not After"
>             Not After : Wed Jul 10 14:24:34 2013
> [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "ocspSigningCert cert-pki-ca" | grep "Not After"
>             Not After : Mon Jun 29 00:00:55 2015
> [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "caSigningCert cert-pki-ca" | grep "Not After"
>             Not After : Sun Jul 21 14:24:32 2019
> [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "Server-Cert cert-pki-ca" | grep "Not After"
>             Not After : Wed Jul 10 14:24:33 2013
> [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "auditSigningCert cert-pki-ca" | grep "Not After"
>             Not After : Mon Jun 29 00:01:55 2015
>
> How can I renew the affected certificates?
>
> ---
> Tomas Edwardsson

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Problems with expired certificates

On 10/16/2013 07:56 PM, Tómas Edwardsson wrote:
> I'm having issues with expired certificates in /var/lib/pki-ca/alias which
> I'm quite unsure on how to fix. The ones that have expired are:
>
>   subsystemCert cert-pki-ca
>   Server-Cert cert-pki-ca

Please search this list for some recommendations. There have been some
recently. They will give you some hints. The general path is to set the time
into the past and then force the certificate rotation. The specific steps
depend on the version of IPA you have.

> According to getcert list the following 2 requests are stuck
>
> Request ID '20130415234030':
>         status: CA_UNREACHABLE
>         ca-error: Error 60 connecting to https://auth.d.lan:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
>         stuck: yes
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='502532376322'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=D.LAN
>         subject: CN=CA Subsystem,O=D.LAN
>         expires: 2013-07-10 14:24:34 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert subsystemCert cert-pki-ca
>         track: yes
>         auto-renew: yes
> Request ID '20130415234032':
>         status: CA_UNREACHABLE
>         ca-error: Error 60 connecting to https://auth.d.lan:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
>         stuck: yes
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='502532376322'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=D.LAN
>         subject: CN=auth.d.lan,O=D.LAN
>         expires: 2013-07-10 14:24:33 UTC
>         eku: id-kp-serverAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
>
> Here is what I could find from some browsing with certutil:
>
> [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> subsystemCert cert-pki-ca                                    u,u,u
> ocspSigningCert cert-pki-ca                                  u,u,u
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> Server-Cert cert-pki-ca                                      u,u,u
> auditSigningCert cert-pki-ca                                 u,u,Pu
>
> [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "subsystemCert cert-pki-ca" | grep "Not After"
>             Not After : Wed Jul 10 14:24:34 2013
> [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "ocspSigningCert cert-pki-ca" | grep "Not After"
>             Not After : Mon Jun 29 00:00:55 2015
> [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "caSigningCert cert-pki-ca" | grep "Not After"
>             Not After : Sun Jul 21 14:24:32 2019
> [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "Server-Cert cert-pki-ca" | grep "Not After"
>             Not After : Wed Jul 10 14:24:33 2013
> [root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "auditSigningCert cert-pki-ca" | grep "Not After"
>             Not After : Mon Jun 29 00:01:55 2015
>
> How can I renew the affected certificates?
>
> ---
> Tomas Edwardsson

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
[Freeipa-users] Problems with expired certificates

I'm having issues with expired certificates in /var/lib/pki-ca/alias which
I'm quite unsure on how to fix. The ones that have expired are:

  subsystemCert cert-pki-ca
  Server-Cert cert-pki-ca

According to getcert list the following 2 requests are stuck

Request ID '20130415234030':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://auth.d.lan:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='502532376322'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=D.LAN
        subject: CN=CA Subsystem,O=D.LAN
        expires: 2013-07-10 14:24:34 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert subsystemCert cert-pki-ca
        track: yes
        auto-renew: yes
Request ID '20130415234032':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://auth.d.lan:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='502532376322'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=D.LAN
        subject: CN=auth.d.lan,O=D.LAN
        expires: 2013-07-10 14:24:33 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

Here is what I could find from some browsing with certutil:

[root@auth ~]# certutil -d /var/lib/pki-ca/alias -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

subsystemCert cert-pki-ca                                    u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu

[root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "subsystemCert cert-pki-ca" | grep "Not After"
            Not After : Wed Jul 10 14:24:34 2013
[root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "ocspSigningCert cert-pki-ca" | grep "Not After"
            Not After : Mon Jun 29 00:00:55 2015
[root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "caSigningCert cert-pki-ca" | grep "Not After"
            Not After : Sun Jul 21 14:24:32 2019
[root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "Server-Cert cert-pki-ca" | grep "Not After"
            Not After : Wed Jul 10 14:24:33 2013
[root@auth ~]# certutil -d /var/lib/pki-ca/alias -L -n "auditSigningCert cert-pki-ca" | grep "Not After"
            Not After : Mon Jun 29 00:01:55 2015

How can I renew the affected certificates?

---
Tomas Edwardsson
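The `getcert list` output quoted in this thread is easy to triage mechanically, so that expired or stuck tracking requests are caught before the CA's own agent certificate lapses and renewals start failing. The following Python is an added example written for this page, not code from the thread, FreeIPA or certmonger; it parses the `Request ID` / indented `key: value` layout shown above and runs over a constructed sample modelled on that output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the `getcert list` output quoted in the
# thread: one expired, stuck request plus one healthy one. Not real output.
SAMPLE = """\
Request ID '20130415234030':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://auth.d.lan:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
        stuck: yes
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2013-07-10 14:24:34 UTC
Request ID '20130415234033':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2015-06-29 00:00:55 UTC
"""

def parse_getcert_list(text):
    """Turn `getcert list` output into one dict per tracking request."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ":" in line:
            # Split on the first colon only; values such as URLs contain more.
            key, _, value = line.strip().partition(":")
            requests[-1][key.strip()] = value.strip()
    return requests

def triage(requests, now, warn_days=30):
    """Flag requests that are expired, close to expiry, or stuck at the CA."""
    findings = []
    for r in requests:
        m = re.search(r"nickname='([^']+)'", r.get("certificate", ""))
        nickname = m.group(1) if m else "?"
        expires = datetime.strptime(r["expires"].replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
        reasons = []
        if expires <= now:
            reasons.append("expired")
        elif expires - now <= timedelta(days=warn_days):
            reasons.append("expires soon")
        if r.get("stuck") == "yes":
            reasons.append("stuck (%s)" % r.get("status", "?"))
        if reasons:
            findings.append((r["id"], nickname, reasons))
    return findings

def triage_text(text, now_str):
    """Parse and triage in one step; now_str is 'YYYY-MM-DD HH:MM:SS' in UTC."""
    return triage(parse_getcert_list(text), datetime.strptime(now_str, "%Y-%m-%d %H:%M:%S"))

if __name__ == "__main__":
    for req_id, nick, why in triage_text(SAMPLE, "2013-10-16 19:56:00"):
        print(req_id, nick, ", ".join(why))
```

On a live server the same functions can be fed the output of `getcert list` captured from the host; the 30-day warning window is a hypothetical default.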