Hi Timo,
Thanks for your reply.
I have searched the web a lot and attempted several solutions, but all failed because certmonger cannot talk to the FreeIPA web interface. A few words on my setup:
- I have two FreeIPA servers (4.3.1-0ubuntu1), one is the original master and the other is a replica, but both are CA and renew masters
- Everything was installed using apt-get on Ubuntu 16.04 and I've always updated regularly
- FreeIPA was installed with DNS for our intranet and configured to talk to intranet IPs only, thus ignoring the WAN interface
- None of my certificates is expired and all NSS databases and PEM files match the corresponding LDAP entries
My objective, as I said, is to make sure certificates are renewed before expiring. My problem is that certmonger shows:
ca-error: Error 60 connecting to https://<snip>:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
What I have tried to do:
- I did install libnsspem (1.0.3-0ubuntu2) but this only changed https Error 77 to 60
- I attempted to bypass the IPA web server and certmonger to renew the certificate by using
/usr/lib/certmonger/dogtag-ipa-renew-agent-submit -i /etc/ipa/ca.crt -d /etc/apache2/nssdb -n ipaCert -p /etc/apache2/nssdb/pwdfile.txt -D 5 -v
The command above seemed to succeed but only generated a bunch of cookie errors in certmonger's output. I would later remove some of these cookie errors using getcert resubmit on the original master, but that would only bring back the https error. No progress here.
- After a lot of web research, I found a reference to a problem with the Trust Attributes in the NSS database:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
It seemed analogous to my problem and I decided to give it a try:
certutil -d /etc/ipa/nssdb/ -M -n 'CEFAPNET.ICB.USP.BR IPA CA' -t ',,'
certutil -d /etc/ipa/nssdb/ -M -n 'CEFAPNET.ICB.USP.BR IPA CA' -t 'C,C,C'
but, even after this, certmonger continues to be unable to communicate with the IPA web server/proxy. I don't know if the problem is authentication against Apache or Tomcat, but this curl command:
SSL_DIR=/etc/apache2/nssdb/ curl -s -v -o /dev/null --cacert /etc/ipa/ca.crt https://<snip>:8443/ca/agent/ca/profileReview
returns a gnutls_handshake failure:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
*   Trying 10.1.1.1...
* Connected to <snip> (10.1.1.1) port 8443 (#0)
* found 1 certificates in /etc/ipa/ca.crt
* found 600 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / RSA_AES_128_CBC_SHA1
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: ipa.cefapnet.icb.usp.br (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: O=REALM,CN=server
* start date: Wed, 20 Dec 2017 17:36:53 GMT
* expire date: Tue, 10 Dec 2019 17:36:53 GMT
* issuer: O=REALM,CN=Certificate Authority
* compression: NULL
* ALPN, server did not agree to a protocol
GET /ca/agent/ca/profileReview HTTP/1.1
Host: <snip>:8443
User-Agent: curl/7.47.0
Accept: */*

* gnutls_handshake() failed: Illegal parameter
* Closing connection 0
curl: (35) gnutls_handshake() failed: Illegal parameter
Questions:
1) Is this a compatibility issue between Dogtag or the IPA server NSS or TLS libraries and those of certmonger or its helpers?
2) Can I disable the need for a certificate to connect to the server while asking IPA to renew my certificates?
This is a production system and I really would like to make sure it doesn't become unavailable next month.
I'm pasting some more information below.
Thanks again! Robson
========> certutil -L

/etc/dirsrv/slapd-CEFAPNET-ICB-USP-BR/:

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
CEFAPNET.ICB.USP.BR IPA CA                                   CT,C,C

/etc/pki/pki-tomcat/alias/:

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu

/etc/ipa/nssdb/:

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CEFAPNET.ICB.USP.BR IPA CA                                   C,C,C

/etc/apache2/nssdb/:

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
CEFAPNET.ICB.USP.BR IPA CA                                   C,C,C
========> getcert list

Number of certificates and requests being tracked: 8.
Request ID '20171220173724':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://server.local:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=REALM.LOCAL
	subject: CN=CA Audit,O=REALM.LOCAL
	expires: 2019-12-10 17:36:54 UTC
	key usage: digitalSignature,nonRepudiation
	pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20171220173725':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://server.local:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=REALM.LOCAL
	subject: CN=OCSP Subsystem,O=REALM.LOCAL
	expires: 2019-12-10 17:36:53 UTC
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	eku: id-kp-OCSPSigning
	pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20171220173726':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://server.local:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=REALM.LOCAL
	subject: CN=CA Subsystem,O=REALM.LOCAL
	expires: 2019-12-10 17:36:53 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20171220173727':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://server.local:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=REALM.LOCAL
	subject: CN=Certificate Authority,O=REALM.LOCAL
	expires: 2037-12-20 17:36:53 UTC
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20171220173728':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://server.local:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=REALM.LOCAL
	subject: CN=IPA RA,O=REALM.LOCAL
	expires: 2019-12-10 17:37:21 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
	post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes
Request ID '20171220173729':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://server.local:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=REALM.LOCAL
	subject: CN=server.local,O=REALM.LOCAL
	expires: 2019-12-10 17:36:53 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth
	pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20171220173759':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-REALM.LOCAL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-CEFAPNET-ICB-USP-BR/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-REALM.LOCAL',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=REALM.LOCAL
	subject: CN=server.local,O=REALM.LOCAL
	expires: 2019-12-21 17:37:59 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/lib/ipa/certmonger/restart_dirsrv REALM.LOCAL
	track: yes
	auto-renew: yes
Request ID '20171220173822':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=REALM.LOCAL
	subject: CN=server.local,O=REALM.LOCAL
	expires: 2019-12-21 17:38:22 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/lib/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
On Mon, 18 Nov 2019 at 09:09, Timo Aaltonen tjaalton@ubuntu.com wrote:
On 18.11.2019 4.03, Robson Francisco de Souza via FreeIPA-users wrote:
Hello!
I've been running FreeIPA 4.3.1 on Ubuntu 16.04 for almost two years and most certificates should expire within three weeks. As this deadline approaches, I noticed certmonger has been unable to renew certificates due to the error below.
After googling for two days, I found this issue has been observed by many people before, mostly after expiration of the certificates, as in https://tinyurl.com/vajmocw
Still, I couldn't find a solution to this problem. If it is impossible to fix this issue while using FreeIPA 4.3.1, I would like to:
1) Find a way to renew all certificates even if certmonger can't be fixed. This would allow me to postpone the solution to after the next OS and/or FreeIPA upgrade
2) Find out what version of FreeIPA I should upgrade to while the operating system remains Ubuntu 16.04
Any help would be appreciated! Thanks!
Hi,
This probably needs libnsspem, you can find it in 18.04.. not 100% sure but I think it should at least install fine.
-- t
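The thread above boils down to two checks an operator keeps repeating by hand: which certmonger tracking requests are stuck or about to expire (from `getcert list`), and whether the IPA CA certificate actually carries the `C` trust flag in the SSL slot of a given NSS database (from `certutil -L -d <nssdb>`), which is what the `certutil -M -t 'C,C,C'` step in the thread was meant to restore. The script below is an added example written for this page; it is not code from the original posts, from FreeIPA, or from certmonger. It parses saved output of those two commands offline. The embedded `SAMPLE_GETCERT` and `SAMPLE_CERTUTIL` strings are constructed in the layout the tools print, with the placeholder realm `EXAMPLE.TEST` and host `ipa.example.test`; the request IDs, dates and error text are made up to resemble the thread's output.

```python
"""Audit saved `getcert list` and `certutil -L` output for stuck or expiring
certificates.  Added example for this thread; not code from FreeIPA or
certmonger.  Sample inputs are constructed; EXAMPLE.TEST and ipa.example.test
are placeholders."""
import re
import sys
from datetime import datetime, timezone

# Constructed sample in the layout of `getcert list` (values are made up).
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 2.
Request ID '20171220173728':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://ipa.example.test:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.TEST
	subject: CN=IPA RA,O=EXAMPLE.TEST
	expires: 2019-12-10 17:37:21 UTC
	track: yes
	auto-renew: yes
Request ID '20171220173822':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.TEST
	subject: CN=ipa.example.test,O=EXAMPLE.TEST
	expires: 2019-12-21 17:38:22 UTC
	track: yes
	auto-renew: yes
"""

# Constructed sample in the layout of `certutil -L -d /etc/apache2/nssdb`.
SAMPLE_CERTUTIL = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
EXAMPLE.TEST IPA CA                                          C,C,C
"""

# Nickname, two or more spaces, then three comma-separated trust slots (a slot may be empty, as in ',,').
TRUST_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)\s*$")


def utc(date_str):
    """Parse 'YYYY-MM-DD' or getcert's 'YYYY-MM-DD HH:MM:SS UTC' into an aware UTC datetime."""
    fmt = "%Y-%m-%d %H:%M:%S UTC" if " " in date_str else "%Y-%m-%d"
    return datetime.strptime(date_str, fmt).replace(tzinfo=timezone.utc)


def parse_getcert_list(text):
    """One dict per 'Request ID' block; field names kept as getcert prints them
    ('status', 'ca-error', 'expires', ...), plus nickname/location/expires_at."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        key, sep, value = line.strip().partition(": ")
        if current is not None and sep:
            current[key] = value
    for req in requests:
        cert = req.get("certificate", "")
        nick = re.search(r"nickname='([^']+)'", cert)
        loc = re.search(r"location='([^']+)'", cert)
        req["nickname"] = nick.group(1) if nick else None
        req["location"] = loc.group(1) if loc else None
        req["expires_at"] = utc(req["expires"]) if "expires" in req else None
    return requests


def audit(getcert_text, now, warn_days=30):
    """One finding per request, soonest expiry first.  A request is flagged when it is
    not in MONITORING, carries a ca-error, or expires within warn_days of `now`."""
    findings = []
    for req in sorted(parse_getcert_list(getcert_text), key=lambda r: r["expires_at"] or now):
        days_left = (req["expires_at"] - now).days if req["expires_at"] else None
        problems = []
        if req.get("status") != "MONITORING":
            problems.append("status=%s" % req.get("status"))
        if req.get("ca-error"):
            problems.append("ca-error present")
        if days_left is not None and days_left <= warn_days:
            problems.append("expires in %d days" % days_left)
        findings.append({"request_id": req["request_id"], "nickname": req["nickname"],
                         "location": req["location"], "days_left": days_left,
                         "problems": problems})
    return findings


def parse_certutil_list(text):
    """Map nickname -> trust string ('C,C,C', 'u,u,u', ',,', ...) from certutil -L output."""
    return {m.group("nick"): m.group("trust")
            for m in (TRUST_RE.match(l) for l in text.splitlines()) if m}


def ca_trusted_for_ssl(entries, ca_nickname):
    """True when the CA's SSL slot (first of the three) carries C, i.e. NSS will use
    it to validate server certificates such as Dogtag's on port 8443."""
    trust = entries.get(ca_nickname)
    return trust is not None and "C" in trust.split(",")[0]


def main(argv):
    # Usage: getcert list > /tmp/getcert.txt; python3 audit.py /tmp/getcert.txt
    now = datetime.now(timezone.utc)
    getcert_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_GETCERT
    for f in audit(getcert_text, now):
        mark = "!!" if f["problems"] else "ok"
        print("%s %s %-24s %s days left  %s" % (mark, f["request_id"], f["nickname"],
                                                f["days_left"], "; ".join(f["problems"])))
    entries = parse_certutil_list(SAMPLE_CERTUTIL)
    print("IPA CA trusted for SSL:", ca_trusted_for_ssl(entries, "EXAMPLE.TEST IPA CA"))


if __name__ == "__main__":
    main(sys.argv)
```

Run against real output by redirecting `getcert list` to a file and passing it as the first argument; the `certutil` half reads the constructed sample only, so swap in `certutil -L -d /etc/ipa/nssdb` output (and the real CA nickname) to check a live database. The trust check only looks at the first slot because that is the one NSS consults when validating a TLS server certificate; a CA entry showing `,,` in that slot, as after the `-t ',,'` step in the thread, is reported as untrusted.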