Hi devs,
This is at least the second time recently that people needing to renew service certificates used ``ipa-cacert-manage renew`` (the wrong command) and either didn't solve the problem or got into a deeper mess.
Clearly we have a usability problem here.
The ipa-cacert-manage(1) man page is clear, but perhaps could use a prominent statement that it doesn't renew service certs and if that's all the user needs to do, to use `getcert resubmit` instead.
But I think better would be to enhance `ipa-cacert-manage renew` to inspect the current CA certificate and if it has, say, more than 75% of its validity period still to go, to PROMPT the user to confirm that renewing the *CA* certificate is really what they wanted to do.
What do others think of this idea?
Cheers, Fraser
On Tue, Aug 01, 2017 at 05:22:53PM +0200, Florence Blanc-Renaud via FreeIPA-users wrote:
On 08/01/2017 03:50 PM, Jason B. Nance via FreeIPA-users wrote:
Hello everyone,
I'm running FreeIPA 4.4 (as shipped with current CentOS 7). I had a series of unfortunate events which resulted in the entire cluster being offline for a matter of a couple weeks during which the certificate in /etc/httpd/alias expired. I rolled back the clocks on all of the servers in the cluster and started them successfully, however, the certificates in /etc/httpd/alias did not get renewed. Is there a process that automatically handles this or was I supposed to be maintaining that?
Additionally, based on:
https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
...I ran "ipa-cacert-manage renew" on my CA in a hope that that would trigger renewals across the boards, but now it appears that only the CA was updated as none of the server certificates were re-issued and are now all untrusted (I can't do "kinit admin" any longer as my realm is now down). Is there any chance of rolling that back or issuing new certs to get things going again?
Hi,
ipa-cacert-manage will only renew IPA CA certificate, not the LDAP or HTTP server certificates. When IPA is using an embedded CA, the LDAP and HTTP server certificates should be automatically renewed thanks to certmonger. If the automatic renewal did not happen, you can check:
- if the certificates are indeed tracked by certmonger sudo getcert list -n Server-Cert The tool should output one cert for HTTP (in /etc/httpd/alias) and one for
LDAP (in /etc/dirsrv/slapd-DOM...). If the certs are not tracked, you need to use getcert start-tracking to track them.
- if they are tracked but not renewed, check the journal for certmonger
messages. Certmonger should log a message when a certificate is nearing its expiration, and another message when the renewal succeeded.
When the certificates are expired, the method is to stop ntpd, go back in time to a date where the certs were still valid, then manually trigger the renewal using getcert resubmit -i <ID>. In case of errors, examine the journal logs and try to fix the issue, then relaunch getcert resubmit. Once the renewal succeeds, getcert list shows the cert status as MONITORING and you can restart ntpd.
This blog [1] provides a few examples of issues and their resolution
HTH, Flo
[1] https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issues-...
If I have to start over, that is certainly an option. I'm just trying to get a better understanding of what I should have been doing to avoid this situation in the first place.
Thanks,
j _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
On Wed, Aug 2, 2017 at 3:30 AM, Fraser Tweedale ftweedal@redhat.com wrote:
Hi devs,
This is at least the second time recently that people needing to renew service certificates used ``ipa-cacert-manage renew`` (the wrong command) and either didn't solve the problem or got into a deeper mess.
Clearly we have a usability problem here.
The ipa-cacert-manage(1) man page is clear, but perhaps could use a prominent statement that it doesn't renew service certs and if that's all the user needs to do, to use `getcert resubmit` instead.
Right, I think that a lot of people don't understand certificates well and so they don't distinguish CA cert and other cert. So when they see a howto for "CA certificate renewal" they understand "certificate renewal".
From that perspective another possible culprit is also page: https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
But I think better would be to enhance `ipa-cacert-manage renew` to inspect the current CA certificate and if it has, say, more than 75% of its validity period still to go, to PROMPT the user to confirm that renewing the *CA* certificate is really what they wanted to do.
What do others think of this idea?
I like the idea.
Cheers, Fraser
On Tue, Aug 01, 2017 at 05:22:53PM +0200, Florence Blanc-Renaud via FreeIPA-users wrote:
On 08/01/2017 03:50 PM, Jason B. Nance via FreeIPA-users wrote:
Hello everyone,
I'm running FreeIPA 4.4 (as shipped with current CentOS 7). I had a series of unfortunate events which resulted in the entire cluster being offline for a matter of a couple weeks during which the certificate in /etc/httpd/alias expired. I rolled back the clocks on all of the servers in the cluster and started them successfully, however, the certificates in /etc/httpd/alias did not get renewed. Is there a process that automatically handles this or was I supposed to be maintaining that?
Additionally, based on:
https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
...I ran "ipa-cacert-manage renew" on my CA in a hope that that would trigger renewals across the boards, but now it appears that only the CA was updated as none of the server certificates were re-issued and are now all untrusted (I can't do "kinit admin" any longer as my realm is now down). Is there any chance of rolling that back or issuing new certs to get things going again?
Hi,
ipa-cacert-manage will only renew IPA CA certificate, not the LDAP or HTTP server certificates. When IPA is using an embedded CA, the LDAP and HTTP server certificates should be automatically renewed thanks to certmonger. If the automatic renewal did not happen, you can check:
- if the certificates are indeed tracked by certmonger sudo getcert list -n Server-Cert The tool should output one cert for HTTP (in /etc/httpd/alias) and one for
LDAP (in /etc/dirsrv/slapd-DOM...). If the certs are not tracked, you need to use getcert start-tracking to track them.
- if they are tracked but not renewed, check the journal for certmonger
messages. Certmonger should log a message when a certificate is nearing its expiration, and another message when the renewal succeeded.
When the certificates are expired, the method is to stop ntpd, go back in time to a date where the certs were still valid, then manually trigger the renewal using getcert resubmit -i <ID>. In case of errors, examine the journal logs and try to fix the issue, then relaunch getcert resubmit. Once the renewal succeeds, getcert list shows the cert status as MONITORING and you can restart ntpd.
This blog [1] provides a few examples of issues and their resolution
HTH, Flo
[1] https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issues-...
If I have to start over, that is certainly an option. I'm just trying to get a better understanding of what I should have been doing to avoid this situation in the first place.
Thanks,
j _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Petr Vobornik via FreeIPA-devel wrote:
On Wed, Aug 2, 2017 at 3:30 AM, Fraser Tweedale ftweedal@redhat.com wrote:
Hi devs,
This is at least the second time recently that people needing to renew service certificates used ``ipa-cacert-manage renew`` (the wrong command) and either didn't solve the problem or got into a deeper mess.
Clearly we have a usability problem here.
The ipa-cacert-manage(1) man page is clear, but perhaps could use a prominent statement that it doesn't renew service certs and if that's all the user needs to do, to use `getcert resubmit` instead.
Right, I think that a lot of people don't understand certificates well and so they don't distinguish CA cert and other cert. So when they see a howto for "CA certificate renewal" they understand "certificate renewal".
From that perspective another possible culprit is also page: https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
But I think better would be to enhance `ipa-cacert-manage renew` to inspect the current CA certificate and if it has, say, more than 75% of its validity period still to go, to PROMPT the user to confirm that renewing the *CA* certificate is really what they wanted to do.
What do others think of this idea?
I like the idea.
Honestly, I'd be even harsher. IMHO this is one of those times that requires:
Are you sure? (yes/NO)
Are you really sure? (yes/NO)
Really, you want to renew the CA certificate and not some other certificate? This is not something to be done lightly? (yes/NO)
<insert another 72 questions here>
rob
Cheers, Fraser
On Tue, Aug 01, 2017 at 05:22:53PM +0200, Florence Blanc-Renaud via FreeIPA-users wrote:
On 08/01/2017 03:50 PM, Jason B. Nance via FreeIPA-users wrote:
Hello everyone,
I'm running FreeIPA 4.4 (as shipped with current CentOS 7). I had a series of unfortunate events which resulted in the entire cluster being offline for a matter of a couple weeks during which the certificate in /etc/httpd/alias expired. I rolled back the clocks on all of the servers in the cluster and started them successfully, however, the certificates in /etc/httpd/alias did not get renewed. Is there a process that automatically handles this or was I supposed to be maintaining that?
Additionally, based on:
https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
...I ran "ipa-cacert-manage renew" on my CA in a hope that that would trigger renewals across the boards, but now it appears that only the CA was updated as none of the server certificates were re-issued and are now all untrusted (I can't do "kinit admin" any longer as my realm is now down). Is there any chance of rolling that back or issuing new certs to get things going again?
Hi,
ipa-cacert-manage will only renew IPA CA certificate, not the LDAP or HTTP server certificates. When IPA is using an embedded CA, the LDAP and HTTP server certificates should be automatically renewed thanks to certmonger. If the automatic renewal did not happen, you can check:
- if the certificates are indeed tracked by certmonger sudo getcert list -n Server-Cert The tool should output one cert for HTTP (in /etc/httpd/alias) and one for
LDAP (in /etc/dirsrv/slapd-DOM...). If the certs are not tracked, you need to use getcert start-tracking to track them.
- if they are tracked but not renewed, check the journal for certmonger
messages. Certmonger should log a message when a certificate is nearing its expiration, and another message when the renewal succeeded.
When the certificates are expired, the method is to stop ntpd, go back in time to a date where the certs were still valid, then manually trigger the renewal using getcert resubmit -i <ID>. In case of errors, examine the journal logs and try to fix the issue, then relaunch getcert resubmit. Once the renewal succeeds, getcert list shows the cert status as MONITORING and you can restart ntpd.
This blog [1] provides a few examples of issues and their resolution
HTH, Flo
[1] https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issues-...
If I have to start over, that is certainly an option. I'm just trying to get a better understanding of what I should have been doing to avoid this situation in the first place.
Thanks,
j _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
On Wed, Aug 02, 2017 at 09:59:35AM -0400, Rob Crittenden wrote:
Petr Vobornik via FreeIPA-devel wrote:
On Wed, Aug 2, 2017 at 3:30 AM, Fraser Tweedale ftweedal@redhat.com wrote:
Hi devs,
This is at least the second time recently that people needing to renew service certificates used ``ipa-cacert-manage renew`` (the wrong command) and either didn't solve the problem or got into a deeper mess.
Clearly we have a usability problem here.
The ipa-cacert-manage(1) man page is clear, but perhaps could use a prominent statement that it doesn't renew service certs and if that's all the user needs to do, to use `getcert resubmit` instead.
Right, I think that a lot of people don't understand certificates well and so they don't distinguish CA cert and other cert. So when they see a howto for "CA certificate renewal" they understand "certificate renewal".
From that perspective another possible culprit is also page: https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
But I think better would be to enhance `ipa-cacert-manage renew` to inspect the current CA certificate and if it has, say, more than 75% of its validity period still to go, to PROMPT the user to confirm that renewing the *CA* certificate is really what they wanted to do.
What do others think of this idea?
I like the idea.
Honestly, I'd be even harsher. IMHO this is one of those times that requires:
Are you sure? (yes/NO)
Are you really sure? (yes/NO)
Really, you want to renew the CA certificate and not some other certificate? This is not something to be done lightly? (yes/NO)
<insert another 72 questions here>
rob
OK, I've filed tickets:
- https://pagure.io/freeipa/issue/7084 (update command with prompts) - https://pagure.io/freeipa/issue/7085 (manpage)
Thanks, Fraser
On Wed, Aug 2, 2017 at 10:04 PM, Fraser Tweedale ftweedal@redhat.com wrote:
On Wed, Aug 02, 2017 at 09:59:35AM -0400, Rob Crittenden wrote:
Petr Vobornik via FreeIPA-devel wrote:
On Wed, Aug 2, 2017 at 3:30 AM, Fraser Tweedale ftweedal@redhat.com wrote:
Hi devs,
This is at least the second time recently that people needing to renew service certificates used ``ipa-cacert-manage renew`` (the wrong command) and either didn't solve the problem or got into a deeper mess.
Clearly we have a usability problem here.
The ipa-cacert-manage(1) man page is clear, but perhaps could use a prominent statement that it doesn't renew service certs and if that's all the user needs to do, to use `getcert resubmit` instead.
Right, I think that a lot of people don't understand certificates well and so they don't distinguish CA cert and other cert. So when they see a howto for "CA certificate renewal" they understand "certificate renewal".
From that perspective another possible culprit is also page: https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
But I think better would be to enhance `ipa-cacert-manage renew` to inspect the current CA certificate and if it has, say, more than 75% of its validity period still to go, to PROMPT the user to confirm that renewing the *CA* certificate is really what they wanted to do.
What do others think of this idea?
I like the idea.
Honestly, I'd be even harsher. IMHO this is one of those times that requires:
Are you sure? (yes/NO)
Are you really sure? (yes/NO)
Really, you want to renew the CA certificate and not some other certificate? This is not something to be done lightly? (yes/NO)
<insert another 72 questions here>
rob
OK, I've filed tickets:
- https://pagure.io/freeipa/issue/7084 (update command with prompts)
- https://pagure.io/freeipa/issue/7085 (manpage)
Thanks, Fraser
I've updated: - https://www.freeipa.org/page/Troubleshooting#IPA_won.27t_start.2C_expired_ce... - https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
Especially the first one was quite misleading it pointed people to CA Cert renewal page in case of any problem with certificates.
freeipa-devel@lists.fedorahosted.org