On 9 Jul 2018, at 07:38, Thomas Letherby via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:Hello Fraser,_______________________________________________As I've been playing around with this before I dig in further I pulled the expiry for the certificates across all the places I know to look, if I have a cert listed, it's expired:certutil -d /etc/pki/pki-tomcat/alias -L Up to datecertutil -d /etc/dirsrv/slapd-I-DOMAIN-NET -LI.DOMAIN.NET IPA CAcertutil -d /etc/httpd/alias -LSigning-CertI.DOMAIN.NET IPA CAgetcert-list all up to date.ipa-getcert list all up to dateldapsearch -Y GSSAPI -h `hostname` -p 389 -b "cn=I.DOMAIN.NET IPA CA,cn=certificates,cn=ipa,cn=etc,dc=i,dc=DOMAIN,dc=net"Expiredldapsearch -Y GSSAPI -h `hostname` -p 389 -b uid=pkidbuser,ou=people,o=ipaca "(objectclass=*)" usercertificate1 - Expired2 - Expired3 - In dateI've managed to narrow down the expiries to a crossover of one day, and setting the date to that day allows Tomcat-PKI to start, but the above results show that the certs haven't updated yet, but they may do in the next few hours?ThomasOn Sun, Jul 8, 2018 at 11:23 AM Fraser Tweedale <ftweedal@redhat.com> wrote:On Fri, Jul 06, 2018 at 09:21:44PM -0700, Thomas Letherby wrote:
> Hello Fraser,
>
> The serial numbers appear to match, but if I run ipa-certupdate I get the
> following:
>
> ipa-certupdate
> trying https://server1.i.domain.net/ipa/json
> Connection to https://server1.i.domain.net/ipa/json failed with [SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
>
> Tomcat is the only service that appears to be failing with the following
> error:
>
> Internal Database Error encountered: Could not connect to LDAP server host
> xipa1.i.xrs444.net port 636 Error netscape.ldap.LDAPException: Unable to
> create socket: org.mozilla.jss.ssl.SSLSocketException:
> org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8181)
> Peer's Certificate has expired. (-1)
>
> But it should now be valid as I set the date back. If I set the date to
> today I get this error:
>
> Internal Database Error encountered: Could not connect to LDAP server host
> xipa1.i.xrs444.net port 636 Error netscape.ldap.LDAPException: Unable to
> create socket: org.mozilla.jss.ssl.SSLSocketException:
> org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-12195)
> Peer does not recognize and trust the CA that issued your certificate. (-1)
>
> Looks like it can't load because the certificate it uses isn't valid, if I
> roll the clock back so the CA cert is, the certificate Tomcat is using
> isn't valid and if I roll forward the CA cert isn't.
>
> How can I break this catch 22?
>
Which is the not-yet-valid certificate at the time to which you
rolled back? The subsystemCert or the 389DS server certificate?
In either case, you can look in the Dogtag certificate repository
(ou=certificateRepository,ou=ca,o=ipaca) for a version of the
certificate that is valid at the relevant time. Copy the cert data
(you can base64-decode the value to get the binary DER certificate
data). Then you can delete the not-yet-valid-at-that-time
certificate from the NSSDB and add the appropriate certificate using
certutil -d <nssdb-path> -A -i <cert-path>
If the certificate in question is the Dogtag subsystemCert, you will
furthermore need to fix up the data in the uid=pkidbuser entry to
match the "current" certificate.
HTH,
Fraser
> Thanks,
>
> Thomas
>
>
>
>
> On Fri, Jun 29, 2018 at 12:10 AM Fraser Tweedale <ftweedal@redhat.com>
> wrote:
>
> > On Thu, Jun 28, 2018 at 06:01:18PM -0700, Thomas Letherby wrote:
> > > Hello all,
> > >
> > > Here's the info:
> > >
> > > certutil -d /etc/dirsrv/slapd-I-domain-NET -L
> > >
> > > Certificate Nickname Trust
> > > Attributes
> > >
> > > SSL,S/MIME,JAR/XPI
> > >
> > > Server-Cert u,u,u
> > > O=domain,ST=Arizona,C=US CT,C,C
> > > I.domain.NET IPA CA CT,C,C
> > >
> > > I.domain.NET IPA CA is out of date for those.
> > >
> > Try running ipa-certupdate. It will update the IPA CA certificate
> > in the various trust stores including the DS NSSDB.
> >
> > It reads the certificates from
> >
> > cn=YOUR.DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,{basedn}
> >
> > so you should probably check that the certificate in that entry is
> > up to date also.
> >
> > Cheers,
> > Fraser
> >
> > > certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'
> > -a
> > > Not After : Fri Jun 05 01:32:01 2020
> > > Matches
> > > ldapsearch -Y GSSAPI -h `hostname` -p 389 -b
> > > uid=pkidbuser,ou=people,o=ipaca "(objectclass=*)" usercertificate
> > >
> > > Thomas
> > >
> > >
> > >
> > >
> > > On Thu, Jun 28, 2018 at 5:56 AM Rob Crittenden <rcritten@redhat.com>
> > wrote:
> > >
> > > > Thomas Letherby via FreeIPA-users wrote:
> > > > > Hello Florence,
> > > > >
> > > > > It was the Signing-Cert and the I.domain.NET <http://I.domain.NET>
> > IPA
> > > > > CA cert. By setting the clock back I managed to get those to renew,
> > now
> > > > > it seems I just need to get tomcat-pki to start.
> > > > >
> > > > > The error is:
> > > > >
> > > > > Internal Database Error encountered: Could not connect to LDAP server
> > > > > host xipa1.i.xrs444.net <http://xipa1.i.xrs444.net> port 636 Error
> > > > > netscape.ldap.LDAPException: Unable to create socket:
> > > > > org.mozilla.jss.ssl.SSLSocketException:
> > > > > org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed:
> > > > > (-12195) Peer does not recognize and trust the CA that issued your
> > > > > certificate. (-1)
> > > > >
> > > > > certutil -d /etc/pki/pki-tomcat/alias -L
> > > > >
> > > > > Certificate Nickname Trust
> > > > > Attributes
> > > > >
> > > > > SSL,S/MIME,JAR/XPI
> > > > >
> > > > > Server-Cert cert-pki-ca u,u,u
> > > > > ocspSigningCert cert-pki-ca u,u,u
> > > > > O=domain,ST=Arizona,C=US CT,C,C
> > > > > auditSigningCert cert-pki-ca u,u,Pu
> > > > > subsystemCert cert-pki-ca u,u,u
> > > > > caSigningCert cert-pki-ca
> > CTu,Cu,Cu
> > > > >
> > > > > These are all set to expire in 2020 or beyond.
> > > > >
> > > > > certutil -d /etc/httpd/alias -L Server-Cert
> > > > >
> > > > > Certificate Nickname Trust
> > > > > Attributes
> > > > >
> > > > > SSL,S/MIME,JAR/XPI
> > > > >
> > > > > Signing-Cert u,u,u
> > > > > O=xrs444,ST=Arizona,C=US CT,C,C
> > > > > I.XRS444.NET <http://I.XRS444.NET> IPA CA
> > > > > CT,C,C
> > > > > Server-Cert u,u,u
> > > > >
> > > > > I.XRS444.NET <http://I.XRS444.NET> IPA CA and Signing-Cert are the
> > > > > expired certs here.
> > > >
> > > > Don't worry about Signing-Cert. It is the cert used to sign the jar
> > file
> > > > used to autoconfigure Firefox. You should never need to re-sign one
> > > > again (and this method isn't allowed in modern Firefox anyway).
> > > >
> > > > rob
> > > >
> > > > >
> > > > > Thomas
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > On Wed, Jun 27, 2018 at 12:20 AM Florence Blanc-Renaud <
> > flo@redhat.com
> > > > > <mailto:flo@redhat.com>> wrote:
> > > > >
> > > > > On 06/27/2018 07:02 AM, Thomas Letherby via FreeIPA-users wrote:
> > > > > > After some fiddling with dates some more I seem to have the
> > HTTPD
> > > > > cert
> > > > > > in sync, however it appears the cert signing cert is expired.
> > > > > >
> > > > > > named also says it's starting, but doesn't seem to want to
> > respond.
> > > > > >
> > > > > > I don't have time to dig into it more tonight, but let me know
> > what
> > > > > > other information or tests I can run and I'll get them posted
> > > > > tomorrow.
> > > > > >
> > > > > > Thanks all.
> > > > > >
> > > > > > Thomas
> > > > > >
> > > > > > On Mon, Jun 25, 2018 at 5:11 PM Thomas Letherby <
> > xrs444@xrs444.net
> > > > > <mailto:xrs444@xrs444.net>
> > > > > > <mailto:xrs444@xrs444.net <mailto:xrs444@xrs444.net>>> wrote:
> > > > > >
> > > > > > Hello,
> > > > > >
> > > > > > I think this is everything (domain name changed to protect
> > the
> > > > > > guilty!):
> > > > > >
> > > > > > https://pastebin.com/bF1KR7VJ
> > > > > >
> > > > > Hi Thomas,
> > > > >
> > > > > in the provided pastebin, the error 'certutil: function failed:
> > > > > SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an
> > old,
> > > > > unsupported format' can be easily explained: there is a typo in
> > the
> > > > > directory path.
> > > > > You can try with certutil -d /etc/pki/pki-tomcat/alias -L -n
> > > > <nickname>
> > > > > (note the pki-tomcat instead of pki-tomcat*d*).
> > > > >
> > > > > You mention that the cert signing cert is expired, can you
> > clarify
> > > > > which
> > > > > certificate this is? Please provide the subject name, certificate
> > > > > nickname and location.
> > > > >
> > > > > Flo
> > > > > > I pulled the same on the replica, which appears to be
> > playing
> > > > > up too
> > > > > > in a similar fashion.
> > > > > >
> > > > > > I did just notice the date on the replica is out, I never
> > set
> > > > it
> > > > > > back when I was trying to get the cert to renew.
> > > > > >
> > > > > > Let me know if you need anything else.
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Thomas
> > > > > >
> > > > > > On Sun, Jun 24, 2018 at 8:43 PM Fraser Tweedale
> > > > > <ftweedal@redhat.com <mailto:ftweedal@redhat.com>
> > > > > > <mailto:ftweedal@redhat.com <mailto:ftweedal@redhat.com>>>
> > > > wrote:
> > > > > >
> > > > > > On Fri, Jun 22, 2018 at 11:16:21PM -0700, Thomas
> > Letherby
> > > > via
> > > > > > FreeIPA-users wrote:
> > > > > > > Hello all,
> > > > > > > I had an issue a short while ago with a replica
> > which
> > > > > turned
> > > > > > out to be an
> > > > > > > expired certificate which I renewed and all seemed
> > good.
> > > > > > >
> > > > > > > Seemed...
> > > > > > >
> > > > > > > It now appears that although the certificate
> > renewed as
> > > > > seen
> > > > > > by getcert
> > > > > > > -list, it didn't update /etc/httpd/alias and so the
> > > > > httpd and
> > > > > > tomcat-pki
> > > > > > > services won't start unless I set the date to
> > before the
> > > > > > certificate
> > > > > > > expired, and even then sometimes the httpd error_log
> > > > shows:
> > > > > > > Unable to verify certificate 'Server-Cert'. Add
> > > > > > "NSSEnforceValidCerts off"
> > > > > > > to nss.conf so the server can start until the
> > problem
> > > > > can be
> > > > > > resolved.
> > > > > > > and the service fails to start.
> > > > > > >
> > > > > > Hi Thomas,
> > > > > >
> > > > > > Can you please show `getcert list` output on the
> > server in
> > > > > question,
> > > > > > as well as the output of
> > > > > >
> > > > > > certutil -d /etc/httpd/alias -L Server-Cert
> > > > > >
> > > > > > and
> > > > > >
> > > > > > certutil -d /etc/pki/pki-tomcatd/alias -L
> > <nickname>
> > > > > >
> > > > > > for each nickname in the /etc/pki/pki-tomcatd/alias
> > NSSDB.
> > > > > >
> > > > > > And Certmonger journal output. And pki debug log
> > > > > > /var/log/pki/pki-tomcat/ca/debug.
> > > > > >
> > > > > > It is strange that `getcert list' shows an up to date
> > > > > certificate
> > > > > > while the actual certificate that is being tracked is
> > > > > expired...
> > > > > >
> > > > > > Thanks,
> > > > > > Fraser
> > > > > >
> > > > > > > I've tried resubmitting the certificate, and it
> > doesn't
> > > > > seem
> > > > > > to throw an
> > > > > > > error, but it doesn't update /alias either.
> > > > > > > Trying to access the server via the web page shows
> > the
> > > > old
> > > > > > certificate
> > > > > > > still in use.
> > > > > > > I see the same certificate error with the replica
> > > > server,
> > > > > > which was freshly
> > > > > > > rebuilt and added last week.
> > > > > > > I've doubtless dug further into the hole trying to
> > > > > > troubleshoot this, so I
> > > > > > > probably need to start from the beginning again,
> > and a
> > > > > > pointer in the right
> > > > > > > direction would be a great help!
> > > > > > >
> > > > > > > A getcert list shows all the certificates expiry
> > dates
> > > > well
> > > > > > into the future.
> > > > > > >
> > > > > > > How can I get the certs back in sync? I've found a
> > few
> > > > > guides
> > > > > > and most seem
> > > > > > > to be for earlier versions, and I'm not sure if
> > they're
> > > > > still
> > > > > > current.
> > > > > > >
> > > > > > > I can post whatever logs you think will help, I'm
> > > > > afraid I'm
> > > > > > not familiar
> > > > > > > enough with them all to tell which are the most
> > > > > relevant. Is
> > > > > > there a guide
> > > > > > > for the logs?
> > > > > > >
> > > > > > > Thanks for any help you can give,
> > > > > > >
> > > > > > > Thomas
> > > > > >
> > > > > > > _______________________________________________
> > > > > > > FreeIPA-users mailing list --
> > > > > > freeipa-users@lists.fedorahosted.org
> > > > > <mailto:freeipa-users@lists.fedorahosted.org>
> > > > > > <mailto:freeipa-users@lists.fedorahosted.org
> > > > > <mailto:freeipa-users@lists.fedorahosted.org>>
> > > > > > > To unsubscribe send an email to
> > > > > > freeipa-users-leave@lists.fedorahosted.org
> > > > > <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > > > > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> > > > > <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > > > > > Fedora Code of Conduct:
> > > > > > https://getfedora.org/code-of-conduct.html
> > > > > > > List Guidelines:
> > > > > > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > > > List Archives:
> > > > > >
> > > > >
> > > >
> > https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/CAXKCVP42DLWJQV2TAJFFCR2NG2CBO27/
> > > > > >
> > > > > >
> > > > > >
> > > > > > _______________________________________________
> > > > > > FreeIPA-users mailing list --
> > freeipa-users@lists.fedorahosted.org
> > > > > <mailto:freeipa-users@lists.fedorahosted.org>
> > > > > > To unsubscribe send an email to
> > > > > freeipa-users-leave@lists.fedorahosted.org
> > > > > <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > > > > > Fedora Code of Conduct:
> > https://getfedora.org/code-of-conduct.html
> > > > > > List Guidelines:
> > > > > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > > List Archives:
> > > > >
> > > >
> > https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/RAEH5S7INPORXEK7ZKGQTLXEHH3CH4S4/
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > > > > To unsubscribe send an email to
> > > > freeipa-users-leave@lists.fedorahosted.org
> > > > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > > > > List Guidelines:
> > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > List Archives:
> > > >
> > https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/GTA5E2BV7VO24KL25TST5DTDXRAYOKDG/
> > > > >
> > > >
> > > >
> >
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/Z2CWAOM4HBHXWBCQRFJXFCHMOEBRFPPO/