On 1/8/20 3:30 AM, Ferdinand Babas via FreeIPA-users wrote:
Do you have the file /var/lib/pki/pki-tomcat/conf/password.conf ? Its
content is usually:
internal=<password>
replicationdb=<number>
If it's empty/missing, you can also check if there is a
/etc/pki/pki-tomcat/alias/pwdfile.txt which should contain the password.
You really need this password if you want to manage the private keys
inside the NSS DB.
Export key + cert with pk12util from another node, then import. But you
will need the NSSDB password.
The password is the NSS DB's password, stored in
/var/lib/pki/pki-tomcat/conf/password.conf or
/etc/pki/pki-tomcat/alias/pwdfile.txt.
flo
Thanks for pointing me in the right direction. I was able to get the NSS DB password and
was able to export and import the key and cert like you described.
I had to export and import both the 'auditSigningCert cert-pki-ca' and
'subsystemCert cert-pki-ca' and now on the CA Renewal Master I get the following:
# certutil -L -d /etc/pki/pki-tomcat/alias
Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI
Server-Cert cert-pki-ca                      u,u,u
auditSigningCert cert-pki-ca                 u,u,Pu
caSigningCert cert-pki-ca                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                  u,u,u
subsystemCert cert-pki-ca                    u,u,u
# certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa cc9d67...53abe6 (orphan)
< 1> rsa 7b55ea...d259f7 auditSigningCert cert-pki-ca
< 2> rsa f06e29...d0fb44 NSS Certificate DB:Server-Cert cert-pki-ca
< 3> rsa bcc164...94ef97 NSS Certificate DB:ocspSigningCert cert-pki-ca
< 4> rsa e49b1d...a6a30f NSS Certificate DB:caSigningCert cert-pki-ca
< 5> rsa 48f4a4...2c126e subsystemCert cert-pki-ca
Now the certs that were imported are expired:
# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'auditSigningCert cert-pki-ca'
Validity:
Not Before: Wed Jun 14 20:45:05 2017
Not After : Tue Jun 04 20:45:05 2019
# certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'
Validity:
Not Before: Thu Jun 29 04:28:11 2017
Not After : Wed Jun 19 04:28:11 2019
So I changed the date to a point prior to Jun 04 2019:
# timedatectl set-time 2019-06-01
Restarted the pki-tomcatd service and the certmonger service and now I get the following:
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: STOPPED
pki-tomcatd Service: RUNNING <- Running... Yay!!
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
From /var/log/messages:
Jun 1 03:21:49 francolin systemd: Stopping Certificate monitoring and PKI enrollment...
Jun 1 03:21:49 francolin certmonger: 2019-06-01 00:17:28 [24501] Server at
"https://francolin.local:8443/ca/agent/ca/profileProcess" replied: 1: You did
not provide a valid certificate for this operation2019-06-01 00:38:13 [24501] Server at
"https://francolin.local:8443/ca/agent/ca/profileProcess" replied: 1: You did
not provide a valid certificate for this operation
Jun 1 03:21:49 francolin systemd: Starting Certificate monitoring and PKI enrollment...
Jun 1 03:21:50 francolin systemd: Started Certificate monitoring and PKI enrollment.
Jun 1 03:21:51 francolin ns-slapd: [01/Jun/2019:03:21:51.309397072 -1000] csngen_new_csn
- Warning: too much time skew (-19140576 secs). Current seqnum=a
Jun 1 03:21:51 francolin ns-slapd: [01/Jun/2019:03:21:51.372397615 -1000] csngen_new_csn
- Warning: too much time skew (-19140576 secs). Current seqnum=b
Jun 1 03:23:50 francolin ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may
provide more information (Ticket not yet valid)
Jun 1 03:23:50 francolin ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may
provide more information (Ticket not yet valid)
Jun 1 03:23:50 francolin ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may
provide more information (Ticket not yet valid)
# getcert list
...
Request ID '20170614062601':
status: MONITORING
ca-error: Server at "https://francolin.local:8443/ca/agent/ca/profileProcess"
replied: 1: You did not provide a valid certificate for this operation
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=LOCAL
subject: CN=CA Audit,O=LOCAL
expires: 2019-06-04 20:45:05 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert
cert-pki-ca"
track: yes
auto-renew: yes
...
Request ID '20170614062603':
status: MONITORING
ca-error: Server at "https://francolin.local:8443/ca/agent/ca/profileProcess"
replied: 1: You did not provide a valid certificate for this operation
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=LOCAL
subject: CN=CA Subsystem,O=LOCAL
expires: 2019-06-19 04:28:11 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert
cert-pki-ca"
track: yes
auto-renew: yes
This is the furthest I've gotten and I appreciate all the help you've provided.
Hopefully a few more tips will get me going.
Thanks so much!!
Ferdinand
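Added example (not code from the thread or from the FreeIPA project): a small Python helper that parses the `certutil -L -n <nickname>` validity blocks quoted above and computes the window in which all of the imported certs are valid at the same time, which is the clock setting Ferdinand picked by hand. The sample certutil output is constructed to match the dates in the thread; the 3-day safety margin is an assumption.

```python
"""Find a clock setting at which every listed PKI cert is still valid.

Added example: parses 'certutil -L -n <nick>' validity output (sample below is
constructed from the dates quoted in the thread) and intersects the periods.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the two validity blocks shown in the thread.
CERTUTIL_OUTPUT = {
    "auditSigningCert cert-pki-ca": """\
Validity:
    Not Before: Wed Jun 14 20:45:05 2017
    Not After : Tue Jun 04 20:45:05 2019
""",
    "subsystemCert cert-pki-ca": """\
Validity:
    Not Before: Thu Jun 29 04:28:11 2017
    Not After : Wed Jun 19 04:28:11 2019
""",
}

# certutil prints 'Not After : Tue Jun 04 20:45:05 2019'; the weekday is dropped.
_DATE_RE = re.compile(
    r"Not (Before|After)\s*:\s*\w{3} (\w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})")

def parse_validity(text):
    """Return (not_before, not_after) as UTC datetimes from certutil -L output."""
    found = {}
    for kind, stamp in _DATE_RE.findall(text):
        found[kind] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(
            tzinfo=timezone.utc)
    return found["Before"], found["After"]

def invalid_at(certs, when):
    """Nicknames that are expired or not yet valid at `when` (sorted)."""
    return sorted(n for n, (nb, na) in certs.items() if not nb <= when <= na)

def common_validity_window(certs):
    """Intersection of all validity periods, or None if they never overlap."""
    start = max(nb for nb, _ in certs.values())
    end = min(na for _, na in certs.values())
    return (start, end) if start <= end else None

def suggested_clock(certs, margin=timedelta(days=3)):
    """Latest clock value that leaves every cert valid with `margin` to spare."""
    window = common_validity_window(certs)
    if window is None:
        return None
    candidate = window[1] - margin
    return candidate if candidate >= window[0] else None
```

The closer the chosen time stays to the earliest expiry, the smaller the skew that ns-slapd and Kerberos see (the log above shows a skew of about 221 days from the rollback to 2019-06-01).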