Travis West via FreeIPA-users wrote:
The person who set this up is no longer available. We have 6 IPA servers in a cluster, all set as MASTER. All servers are running IPA v. 4.6.4. On 8 March the CA Subsystem certificate expired. When looking at the certificate I noticed it had an incorrect Common Name, which may be why it didn't renew. I checked the pki-tomcat CS.cfg and the two lines:
ca.subsystem.cert - Has cert with incorrect hostname listed
ca.subsystem.certreq - Has cert request for correct ca subsystem cert (Common Name CA Subsystem)
I tried removing the errant ca subsystem cert from the NSS DB in pki-tomcat/alias and was successful. I then tried to request a new SubSystem Cert using this command:
getcert request -I CASubsystem -c dogtag-ipa-renew-agent -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -N 'cn=CA Subsystem,o=IPA.*****.NET' -P 'PIN_FROM_FILE' -t 'NSS Certificate DB'
And that seems to at least have issued the request because 'getcert list' shows the request, but with a CA_REJECTED message.
If I do an ldapsearch for the certificate, it shows the correct cert with CN=CA Subsystem, but the one that expired on 8 March.
How can I get a valid CA Subsystem cert again so I can start the CA on all IPA servers?
You are running a quite old version, on RHEL/CentOS 7.6 I presume? Later versions provide a tool to address this, ipa-cert-fix, which isn't available in 4.6.4.
You need to do a couple of things:
1. Identify which server is your renewal master. ipa config-show will tell you. Otherwise you can resort to:
ldapsearch -LLL -Q -Y GSSAPI -b cn=masters,cn=ipa,cn=etc,dc=example,dc=test "(ipaConfigString=caRenewalMaster)"
2. On the renewal master, make sure it is tracking at least 8 certificates: getcert list will tell you. If it is, then run:
getcert list | grep expires
This will tell you how many certs have or will expire soon. All the CA subsystem-related certificates expire at the same time, so it's likely that multiple have expired.
Removing the cert wasn't a good idea. I don't think it will be catastrophic to renewal but manually tweaking the cert database is not generally recommended.
So assuming you have multiple certificates that all expired on the 8th, then what typically works is to disable chronyd/ntpd and use the date command to go back in time. Restart all IPA services and then certmonger, and then watch it to see if the certificates are renewed.
rob
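As an added illustration of the triage in the steps above (this is not code from the thread or from FreeIPA), a small POSIX shell helper that parses getcert list output to show which tracked certificates had already expired at a given instant and the earliest expiry the clock has to be set back before. The sample getcert list text, its request IDs and its dates are constructed.

```shell
#!/bin/sh
# Triage helper for the procedure above: which certmonger-tracked certificates
# have already expired, and the instant the clock must be set back before.
# Parses `getcert list` text on stdin; ISO timestamps compare correctly as
# plain strings, so no GNU date arithmetic is needed.

# Constructed sample of `getcert list` output (nicknames as on an IPA CA,
# request IDs and dates made up; tab or space indentation is accepted).
sample_getcert_list() {
  cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20190101000001':
  status: CA_UNREACHABLE
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
  expires: 2019-03-08 10:15:22 UTC
Request ID '20190101000002':
  status: MONITORING
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
  expires: 2019-03-08 10:15:22 UTC
Request ID '20190101000003':
  status: MONITORING
  certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
  expires: 2021-01-01 00:00:00 UTC
EOF
}

# expired_before CUTOFF: print "request-id<TAB>nickname<TAB>expiry" for every
# tracked certificate whose expiry is earlier than CUTOFF ("YYYY-MM-DD HH:MM:SS").
expired_before() {
  awk -v cutoff="$1" -v q="'" -F': ' '
    /^Request ID /     { split($0, a, q); id = a[2] }
    /nickname=/        { split(substr($0, index($0, "nickname=") + 10), b, q); nick = b[1] }
    /^[ \t]*expires: / { ts = substr($2, 1, 19); if (ts < cutoff) print id "\t" nick "\t" ts }'
}

# earliest_expiry: the earliest expiry among all tracked certificates; the
# system clock must be set before this instant for certmonger to renew them all.
earliest_expiry() {
  awk -F': ' '/^[ \t]*expires: / { ts = substr($2, 1, 19); if (first == "" || ts < first) first = ts }
              END { print first }'
}

# Demonstration on the constructed sample, as if run on 2019-03-20.
# On a real server: getcert list | expired_before "$(date -u '+%Y-%m-%d %H:%M:%S')"
sample_getcert_list | expired_before '2019-03-20 00:00:00'
printf 'set the clock back to before: %s\n' "$(sample_getcert_list | earliest_expiry)"
```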