Re: [Freeipa-users] Subsystem certs not renewed

2013-10-15 Thread Federico Nebiolo
On 14/10/2013 17:01, Rob Crittenden wrote:
> Federico Nebiolo wrote:
>> Dear IPA users,
>>
>> My IPA 3.0 installation on CentOS 6.4 (coming from a 2.2 upgrade)
>> suddenly stopped working for the CA part.
>> I'm not sure this is the root of all the issues, but subsystem
>> certificates were expired and not renewed: getcert list gives a similar
>> output for all of them, and I don't know how to proceed.
>>
>> []# getcert list -c dogtag-ipa-renew-agent
>>
>> Request ID '20130902075915':
>>  status: MONITORING
>>  ca-error: No end-entity URL (-E) given, and no default known.
>>  stuck: no
>>  key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>  certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>  CA: dogtag-ipa-renew-agent
>>  issuer: CN=Certificate Authority,O=
>>  subject: CN=RA Subsystem,O=
>>  expires: 2013-10-11 07:44:12 UTC
>>  eku: id-kp-serverAuth,id-kp-clientAuth
>>  pre-save command:
>>  post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>  track: yes
>>  auto-renew: yes
>>
>> Do you have any hints on how to solve?
>
> Try adding a host=fqdn to the [global] section in
> /etc/ipa/default.conf where host is the fqdn of your IPA master.
>
> I think you'll need to temporarily go back in time to the 11th for the
> renewal to succeed.
>
> You can force certmonger to try the renewal again with:
>
> # getcert resubmit -i 20130902075915
>
> You'll want to do this for all certs affected by this.
>
> If this works please let us know and we'll make sure that host exists in
> default.conf when upgrades happen.
>
> rob

Rob,
adding host=fqdn and moving the clock backward partially worked.

Now both CN=RA Subsystem and CN=fqdn certificates are renewed, but
certmonger is unable to renew CN=CA Subsystem, CN=CA Audit and
CN=OCSP Subsystem.

Certmonger error is an Error 35 connecting to
https://fqdn:9443/ca/agent/ca/profileReview: SSL connect error: it
seems to me that selfsigned CA certificate in chain is not accepted by
certmonger, thus certificates are not renewed. Is there another
parameter I can specify to make dogtag-ipa-renew-agent accept its CA?

Many thanks again
federico

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Subsystem certs not renewed

2013-10-15 Thread Rob Crittenden

Federico Nebiolo wrote:
> On 14/10/2013 17:01, Rob Crittenden wrote:
>> Federico Nebiolo wrote:
>>> Dear IPA users,
>>>
>>> My IPA 3.0 installation on CentOS 6.4 (coming from a 2.2 upgrade)
>>> suddenly stopped working for the CA part.
>>> I'm not sure this is the root of all the issues, but subsystem
>>> certificates were expired and not renewed: getcert list gives a similar
>>> output for all of them, and I don't know how to proceed.
>>>
>>> []# getcert list -c dogtag-ipa-renew-agent
>>>
>>> Request ID '20130902075915':
>>>  status: MONITORING
>>>  ca-error: No end-entity URL (-E) given, and no default known.
>>>  stuck: no
>>>  key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>  certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>  CA: dogtag-ipa-renew-agent
>>>  issuer: CN=Certificate Authority,O=
>>>  subject: CN=RA Subsystem,O=
>>>  expires: 2013-10-11 07:44:12 UTC
>>>  eku: id-kp-serverAuth,id-kp-clientAuth
>>>  pre-save command:
>>>  post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>>  track: yes
>>>  auto-renew: yes
>>>
>>> Do you have any hints on how to solve?
>>
>> Try adding a host=fqdn to the [global] section in
>> /etc/ipa/default.conf where host is the fqdn of your IPA master.
>>
>> I think you'll need to temporarily go back in time to the 11th for the
>> renewal to succeed.
>>
>> You can force certmonger to try the renewal again with:
>>
>> # getcert resubmit -i 20130902075915
>>
>> You'll want to do this for all certs affected by this.
>>
>> If this works please let us know and we'll make sure that host exists in
>> default.conf when upgrades happen.
>>
>> rob
>
> Rob,
> adding host=fqdn and moving the clock backward partially worked.
>
> Now both CN=RA Subsystem and CN=fqdn certificates are renewed, but
> certmonger is unable to renew CN=CA Subsystem, CN=CA Audit and
> CN=OCSP Subsystem.
>
> Certmonger error is an Error 35 connecting to
> https://fqdn:9443/ca/agent/ca/profileReview: SSL connect error: it
> seems to me that selfsigned CA certificate in chain is not accepted by
> certmonger, thus certificates are not renewed. Is there another
> parameter I can specify to make dogtag-ipa-renew-agent accept its CA?
>

I'm not sure why it wouldn't accept the connection. Could it be that you 
didn't set time back far enough?


I think you can simulate things with something like:

# echo "" > /tmp/pw
# sslget -v -d /etc/pki/nssdb/ -w /tmp/pw -r /ca/ee/ca/getCertChain ipa.example.com:9443

You might try a similar command with curl, you just need to create the
sqlite equivalent first:


# certutil -A -d sql:/etc/pki/nssdb -n 'IPA CA' -t CT,CT, -a -i 
/etc/ipa/ca.crt

# curl -v https://ipa.example.com:9443/ca/ee/ca/getCertChain

Hopefully you'll get a more specific error message out of one of those.

rob



[Freeipa-users] Subsystem certs not renewed

2013-10-14 Thread Federico Nebiolo
Dear IPA users,

My IPA 3.0 installation on CentOS 6.4 (coming from a 2.2 upgrade)
suddenly stopped working for the CA part.
I'm not sure this is the root of all the issues, but subsystem
certificates were expired and not renewed: getcert list gives a similar
output for all of them, and I don't know how to proceed.

[]# getcert list -c dogtag-ipa-renew-agent

Request ID '20130902075915':
status: MONITORING
ca-error: No end-entity URL (-E) given, and no default known.
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=
subject: CN=RA Subsystem,O=
expires: 2013-10-11 07:44:12 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes

Do you have any hints on how to solve?

Many thanks in advance
federico

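As an added example (not code from the thread or from FreeIPA), a small Python check that parses the `getcert list` text format shown above and flags tracking requests with a ca-error, a stuck state or an already-expired certificate, so a silently failed renewal like the one in this post is noticed before the CA stops working. The sample output and its O= values are constructed.

```python
# Added example: flag certmonger requests whose renewal needs attention,
# by parsing the `getcert list` text format shown in the thread.
import re
from datetime import datetime, timezone

# Constructed sample (O= values invented) in the shape of getcert's output.
SAMPLE = """\
Request ID '20130902075915':
\tca-error: No end-entity URL (-E) given, and no default known.
\tstuck: no
\tsubject: CN=RA Subsystem,O=EXAMPLE.COM
\texpires: 2013-10-11 07:44:12 UTC
Request ID '20130902075916':
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 2014-10-11 07:44:12 UTC
"""

def parse_utc(stamp):
    """Parse getcert's 'YYYY-MM-DD HH:MM:SS UTC' into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)

def parse_getcert(text):
    """Split `getcert list` output into one dict of fields per Request ID."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return requests

def problems(req, now):
    """Reasons a tracking request needs a look; an empty list means healthy."""
    reasons = []
    if req.get("ca-error"):  # the CA rejected the request or was unreachable
        reasons.append("ca-error: " + req["ca-error"])
    if req.get("stuck") == "yes":  # certmonger has stopped retrying
        reasons.append("stuck")
    if "expires" in req and parse_utc(req["expires"]) <= now:
        reasons.append("expired " + req["expires"])
    return reasons

def report(text, now_stamp):
    """Map Request ID -> reasons, keeping only requests that have any."""
    now = parse_utc(now_stamp)
    found = {r["id"]: problems(r, now) for r in parse_getcert(text)}
    return {rid: why for rid, why in found.items() if why}
```

Feed it the real output with `report(open("/path/to/getcert.txt").read(), "<current UTC time>")`; the request above would be reported for both its ca-error and its expiry.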


Re: [Freeipa-users] Subsystem certs not renewed

2013-10-14 Thread Rob Crittenden

Federico Nebiolo wrote:
> Dear IPA users,
>
> My IPA 3.0 installation on CentOS 6.4 (coming from a 2.2 upgrade)
> suddenly stopped working for the CA part.
> I'm not sure this is the root of all the issues, but subsystem
> certificates were expired and not renewed: getcert list gives a similar
> output for all of them, and I don't know how to proceed.
>
> []# getcert list -c dogtag-ipa-renew-agent
>
> Request ID '20130902075915':
>  status: MONITORING
>  ca-error: No end-entity URL (-E) given, and no default known.
>  stuck: no
>  key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>  certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>  CA: dogtag-ipa-renew-agent
>  issuer: CN=Certificate Authority,O=
>  subject: CN=RA Subsystem,O=
>  expires: 2013-10-11 07:44:12 UTC
>  eku: id-kp-serverAuth,id-kp-clientAuth
>  pre-save command:
>  post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>  track: yes
>  auto-renew: yes
>
> Do you have any hints on how to solve?


Try adding a host=fqdn to the [global] section in 
/etc/ipa/default.conf where host is the fqdn of your IPA master.


I think you'll need to temporarily go back in time to the 11th for the 
renewal to succeed.


You can force certmonger to try the renewal again with:

# getcert resubmit -i 20130902075915

You'll want to do this for all certs affected by this.

If this works please let us know and we'll make sure that host exists in 
default.conf when upgrades happen.


rob
