Re: [Freeipa-users] Subsystem certs not renewed
On 14/10/2013 17:01, Rob Crittenden wrote:
> Federico Nebiolo wrote:
>> Dear IPA users,
>>
>> My IPA 3.0 installation on CentOS 6.4 (coming from a 2.2 upgrade)
>> suddenly stopped working for the CA part. I'm not sure this is the
>> root of all the issues, but subsystem certificates were expired and
>> not renewed: getcert list gives a similar output for all of them,
>> and I don't know how to proceed.
>>
>> []# getcert list -c dogtag-ipa-renew-agent
>> Request ID '20130902075915':
>>         status: MONITORING
>>         ca-error: No end-entity URL (-E) given, and no default known.
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=
>>         subject: CN=RA Subsystem,O=
>>         expires: 2013-10-11 07:44:12 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>         track: yes
>>         auto-renew: yes
>>
>> Do you have any hints on how to solve?
>
> Try adding a host=fqdn to the [global] section in /etc/ipa/default.conf
> where host is the fqdn of your IPA master.
>
> I think you'll need to temporarily go back in time to the 11th for the
> renewal to succeed.
>
> You can force certmonger to try the renewal again with:
>
> # getcert resubmit -i 20130902075915
>
> You'll want to do this for all certs affected by this.
>
> If this works please let us know and we'll make sure that host exists
> in default.conf when upgrades happen.
>
> rob

Rob,

adding host=fqdn and moving the clock backward partially worked. Now both
CN=RA Subsystem and CN=fqdn certificates are renewed, but certmonger is
unable to renew CN=CA Subsystem, CN=CA Audit and CN=OCSP Subsystem.

Certmonger error is an Error 35 connecting to
https://fqdn:9443/ca/agent/ca/profileReview: SSL connect error: it seems
to me that the self-signed CA certificate in the chain is not accepted by
certmonger, thus certificates are not renewed.

Is there another parameter I can specify to make dogtag-ipa-renew-agent
accept its CA?

Many thanks again

federico

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Subsystem certs not renewed
Federico Nebiolo wrote:
> On 14/10/2013 17:01, Rob Crittenden wrote:
>> Federico Nebiolo wrote:
>>> Dear IPA users,
>>>
>>> My IPA 3.0 installation on CentOS 6.4 (coming from a 2.2 upgrade)
>>> suddenly stopped working for the CA part. I'm not sure this is the
>>> root of all the issues, but subsystem certificates were expired and
>>> not renewed: getcert list gives a similar output for all of them,
>>> and I don't know how to proceed.
>>>
>>> []# getcert list -c dogtag-ipa-renew-agent
>>> Request ID '20130902075915':
>>>         status: MONITORING
>>>         ca-error: No end-entity URL (-E) given, and no default known.
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-renew-agent
>>>         issuer: CN=Certificate Authority,O=
>>>         subject: CN=RA Subsystem,O=
>>>         expires: 2013-10-11 07:44:12 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>>         track: yes
>>>         auto-renew: yes
>>>
>>> Do you have any hints on how to solve?
>>
>> Try adding a host=fqdn to the [global] section in /etc/ipa/default.conf
>> where host is the fqdn of your IPA master.
>>
>> I think you'll need to temporarily go back in time to the 11th for the
>> renewal to succeed.
>>
>> You can force certmonger to try the renewal again with:
>>
>> # getcert resubmit -i 20130902075915
>>
>> You'll want to do this for all certs affected by this.
>>
>> If this works please let us know and we'll make sure that host exists
>> in default.conf when upgrades happen.
>>
>> rob
>
> Rob,
>
> adding host=fqdn and moving the clock backward partially worked. Now both
> CN=RA Subsystem and CN=fqdn certificates are renewed, but certmonger is
> unable to renew CN=CA Subsystem, CN=CA Audit and CN=OCSP Subsystem.
>
> Certmonger error is an Error 35 connecting to
> https://fqdn:9443/ca/agent/ca/profileReview: SSL connect error: it seems
> to me that the self-signed CA certificate in the chain is not accepted by
> certmonger, thus certificates are not renewed.
>
> Is there another parameter I can specify to make dogtag-ipa-renew-agent
> accept its CA?

I'm not sure why it wouldn't accept the connection. Could it be that you
didn't set time back far enough?

I think you can simulate things with something like:

# echo /tmp/pw
# sslget -v -d /etc/pki/nssdb/ -w /tmp/pw -r /ca/ee/ca/getCertChain ipa.example.com:9443

You might try a similar command with curl, you just need to create the
sqlite equivalent first:

# certutil -A -d sql:/etc/pki/nssdb -n 'IPA CA' -t CT,CT, -a -i /etc/ipa/ca.crt
# curl -v https://ipa.example.com:9443/ca/ee/ca/getCertChain

Hopefully you'll get a more specific error message out of one of those.

rob
[Freeipa-users] Subsystem certs not renewed
Dear IPA users,

My IPA 3.0 installation on CentOS 6.4 (coming from a 2.2 upgrade)
suddenly stopped working for the CA part. I'm not sure this is the root
of all the issues, but subsystem certificates were expired and not
renewed: getcert list gives a similar output for all of them, and I
don't know how to proceed.

[]# getcert list -c dogtag-ipa-renew-agent
Request ID '20130902075915':
        status: MONITORING
        ca-error: No end-entity URL (-E) given, and no default known.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=
        subject: CN=RA Subsystem,O=
        expires: 2013-10-11 07:44:12 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes

Do you have any hints on how to solve?

Many thanks in advance

federico
Re: [Freeipa-users] Subsystem certs not renewed
Federico Nebiolo wrote:
> Dear IPA users,
>
> My IPA 3.0 installation on CentOS 6.4 (coming from a 2.2 upgrade)
> suddenly stopped working for the CA part. I'm not sure this is the root
> of all the issues, but subsystem certificates were expired and not
> renewed: getcert list gives a similar output for all of them, and I
> don't know how to proceed.
>
> []# getcert list -c dogtag-ipa-renew-agent
> Request ID '20130902075915':
>         status: MONITORING
>         ca-error: No end-entity URL (-E) given, and no default known.
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=
>         subject: CN=RA Subsystem,O=
>         expires: 2013-10-11 07:44:12 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>         track: yes
>         auto-renew: yes
>
> Do you have any hints on how to solve?

Try adding a host=fqdn to the [global] section in /etc/ipa/default.conf
where host is the fqdn of your IPA master.

I think you'll need to temporarily go back in time to the 11th for the
renewal to succeed.

You can force certmonger to try the renewal again with:

# getcert resubmit -i 20130902075915

You'll want to do this for all certs affected by this.

If this works please let us know and we'll make sure that host exists in
default.conf when upgrades happen.

rob
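The triage that Federico's original post and Rob's reply do by hand (read getcert list, spot the expired request with a ca-error, resubmit every affected request, make sure [global] in default.conf has host=) can be scripted. The following is an added example written for this thread, not FreeIPA or certmonger code: it parses the per-request fields of getcert list output, labels each request as expired, expiring, error or ok relative to a reference date, prints the getcert resubmit -i lines for the affected ones, and checks a default.conf for the host entry. The getcert output and default.conf contents are constructed samples modelled on the thread, with EXAMPLE.COM standing in for the organisation the post redacted; THREAD_DATE, the 28-day warning window and the second request are choices made for the example, not certmonger defaults.

```python
"""Triage 'getcert list' output and check default.conf for host=.
Added example for this thread, not FreeIPA or certmonger code; the sample
output and config are constructed, with EXAMPLE.COM for the redacted O=."""
import configparser
import re
from datetime import datetime, timezone

# Constructed: two tracked requests in the layout 'getcert list' prints
# (tab-indented fields under each "Request ID" line).
SAMPLE_GETCERT_OUTPUT = """\
Request ID '20130902075915':
\tstatus: MONITORING
\tca-error: No end-entity URL (-E) given, and no default known.
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=RA Subsystem,O=EXAMPLE.COM
\texpires: 2013-10-11 07:44:12 UTC
\tpre-save command:
\tpost-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
\ttrack: yes
\tauto-renew: yes
Request ID '20130902075920':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 2015-09-02 07:59:20 UTC
\ttrack: yes
\tauto-renew: yes
"""

# Constructed /etc/ipa/default.conf that lacks the host= entry Rob suggests.
SAMPLE_DEFAULT_CONF = """\
[global]
realm = EXAMPLE.COM
domain = example.com
enable_ra = True
"""

# Date of the thread, used as "now" so the sample reproduces its state.
THREAD_DATE = datetime(2013, 10, 14, 17, 1, tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Split 'getcert list' output into one dict per request, keyed by field name."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Request ID '"):
            current = {"request_id": line[len("Request ID '"):].rstrip("':")}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """'2013-10-11 07:44:12 UTC' -> aware datetime (getcert prints expiry in UTC)."""
    if value.endswith(" UTC"):
        value = value[:-4]
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def triage(requests, now=THREAD_DATE, warn_days=28):
    """Label each request expired/expiring/error/ok with the fields an admin needs."""
    report = []
    for req in requests:
        expires = parse_expiry(req["expires"])
        days_left = (expires - now).days  # negative once expired
        nick = re.search(r"nickname='([^']*)'", req.get("certificate", ""))
        if expires <= now:
            state = "expired"
        elif days_left < warn_days:
            state = "expiring"
        elif "ca-error" in req:
            state = "error"  # not yet due, but the CA already refused a renewal
        else:
            state = "ok"
        report.append({"request_id": req["request_id"], "state": state,
                       "nickname": nick.group(1) if nick else "?",
                       "subject": req.get("subject", ""), "days_left": days_left,
                       "ca_error": req.get("ca-error", "")})
    return report


def resubmit_commands(report):
    """The 'getcert resubmit -i' lines Rob asks for, one per affected request."""
    return ["getcert resubmit -i " + r["request_id"]
            for r in report if r["state"] != "ok" or r["ca_error"]]


def missing_host(conf_text):
    """True when [global] in default.conf has no host= entry."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    return not parser.has_option("global", "host")


if __name__ == "__main__":
    rows = triage(parse_getcert_list(SAMPLE_GETCERT_OUTPUT))
    for r in rows:
        print(f"{r['request_id']} {r['nickname']:<12} {r['state']:<8} "
              f"{r['days_left']:>5}d {r['subject']} {r['ca_error']}")
    print("\n".join(resubmit_commands(rows)))
    if missing_host(SAMPLE_DEFAULT_CONF):
        print("default.conf: [global] has no host= entry")
```

On a real master you would feed the script the live output (getcert list piped in, and /etc/ipa/default.conf read from disk) and use the current time rather than THREAD_DATE; the point of the ca-error check is that a request can already be failing long before its expiry date, so monitoring only the expiry date misses the window in which a renewal would still have succeeded without touching the clock.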