Thanks for your reply.
I have searched the web a lot and attempted several solutions, but all fail because certmonger cannot talk to the FreeIPA web interface. A few words on my setup:
- I have two FreeIPA servers (4.3.1-0ubuntu1), one is the original master and the other is a replica, but both are CA and renewal masters
- Everything was installed using apt-get on Ubuntu 16.04 and I've always updated regularly
- FreeIPA was installed with DNS for our intranet and configured to talk to intranet IPs only, thus ignoring the WAN interface
- None of my certificates is expired and all NSS databases and PEM files match the corresponding LDAP entries
My objective, as I said, is to make sure certificates are renewed before expiring.
ca-error: Error 60 connecting to https://<snip>:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
- I did install libnsspem (1.0.3-0ubuntu2) but this only changed https Error 77 to 60
/usr/lib/certmonger/dogtag-ipa-renew-agent-submit -i /etc/ipa/ca.crt -d /etc/apache2/nssdb -n ipaCert -p /etc/apache2/nssdb/pwdfile.txt -D 5 -v
The command above seemed to succeed but only generated a bunch of cookie errors in certmonger's output.
I would later remove some of these cookie errors using getcert resubmit on the original master, but that would only bring back the https error. No progress here.
- After a lot of web research, I found a reference to a problem with the Trust Attributes in the NSS database:
but, even after this, certmonger continues to be unable to communicate with the ipa web server/proxy.
I don't know if the problem is authentication against Apache or Tomcat, but this curl command:
SSL_DIR=/etc/apache2/nssdb/ curl -s -v -o /dev/null --cacert /etc/ipa/ca.crt https://<snip>:8443/ca/agent/ca/profileReview
returns a gnutls_handshake failure:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Trying 10.1.1.1...
* Connected to <snip> (10.1.1.1) port 8443 (#0)
* found 1 certificates in /etc/ipa/ca.crt
* found 600 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / RSA_AES_128_CBC_SHA1
* server certificate verification OK
* server certificate status verification SKIPPED
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: O=REALM,CN=server
* start date: Wed, 20 Dec 2017 17:36:53 GMT
* expire date: Tue, 10 Dec 2019 17:36:53 GMT
* issuer: O=REALM,CN=Certificate Authority
* compression: NULL
* ALPN, server did not agree to a protocol
> GET /ca/agent/ca/profileReview HTTP/1.1
> Host: <snip>:8443
> User-Agent: curl/7.47.0
> Accept: */*
>
* gnutls_handshake() failed: Illegal parameter
* Closing connection 0
curl: (35) gnutls_handshake() failed: Illegal parameter
1) Is this a compatibility issue between Dogtag or the IPA server NSS or TLS libraries and those of certmonger or its helpers?
2) Can I disable the need for a certificate to connect to the server while asking IPA to renew my certificates?
This is a production system and I really would like to make sure it doesn't become unavailable next month.
I'm pasting some more information below.
Number of certificates and requests being tracked: 8.
Request ID '20171220173724':
status: CA_UNREACHABLE
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=REALM.LOCAL
subject: CN=CA Audit,O=REALM.LOCAL
expires: 2019-12-10 17:36:54 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20171220173725':
status: CA_UNREACHABLE
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=REALM.LOCAL
subject: CN=OCSP Subsystem,O=REALM.LOCAL
expires: 2019-12-10 17:36:53 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
eku: id-kp-OCSPSigning
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20171220173726':
status: CA_UNREACHABLE
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=REALM.LOCAL
subject: CN=CA Subsystem,O=REALM.LOCAL
expires: 2019-12-10 17:36:53 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20171220173727':
status: CA_UNREACHABLE
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=REALM.LOCAL
subject: CN=Certificate Authority,O=REALM.LOCAL
expires: 2037-12-20 17:36:53 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20171220173728':
status: CA_UNREACHABLE
stuck: no
key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=REALM.LOCAL
subject: CN=IPA RA,O=REALM.LOCAL
expires: 2019-12-10 17:37:21 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20171220173729':
status: CA_UNREACHABLE
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=REALM.LOCAL
subject: CN=server.local,O=REALM.LOCAL
expires: 2019-12-10 17:36:53 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20171220173759':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-REALM.LOCAL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-CEFAPNET-ICB-USP-BR/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-REALM.LOCAL',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=REALM.LOCAL
subject: CN=server.local,O=REALM.LOCAL
expires: 2019-12-21 17:37:59 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib/ipa/certmonger/restart_dirsrv REALM.LOCAL
track: yes
auto-renew: yes
Request ID '20171220173822':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=REALM.LOCAL
subject: CN=server.local,O=REALM.LOCAL
expires: 2019-12-21 17:38:22 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
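The objective stated above is to notice, before expiry, that certmonger is no longer able to renew. The script below is an added example, not part of the original message: it parses `getcert list` output (here a constructed sample modelled on the records above, not a real capture) and flags every request whose status is not MONITORING or whose certificate expires on or before a cutoff date, so it can be run from cron against the live output. The `getcert` output format and the `date -d` invocation in the comment are the only external assumptions.

```shell
#!/bin/sh
# Added example: report certmonger requests that need attention.

# Constructed sample of `getcert list` output (two requests, shortened).
sample_getcert_list() {
cat <<'EOF'
Request ID '20171220173728':
  status: CA_UNREACHABLE
  stuck: no
  CA: dogtag-ipa-ca-renew-agent
  subject: CN=IPA RA,O=REALM.LOCAL
  expires: 2019-12-10 17:37:21 UTC
Request ID '20171220173822':
  status: MONITORING
  stuck: no
  CA: IPA
  subject: CN=server.local,O=REALM.LOCAL
  expires: 2019-12-21 17:38:22 UTC
EOF
}

# check_tracking CUTOFF (YYYY-MM-DD): read getcert output on stdin, print one
# line per problem request as "<id> <subject> <reasons>", exit 1 if any found.
check_tracking() {
  awk -v cutoff="$1" '
    function flush() {
      if (id == "") return
      reason = ""
      if (status != "MONITORING") reason = "status=" status
      if (expires != "" && expires <= cutoff)
        reason = reason (reason != "" ? "," : "") "expires=" expires
      if (reason != "") { printf "%s %s %s\n", id, subject, reason; bad++ }
    }
    /^Request ID/ { flush(); id = $3; gsub(/[^0-9]/, "", id)
                    status = ""; expires = ""; subject = "" }
    /^[ \t]*status:/  { status = $2 }
    /^[ \t]*subject:/ { sub(/^[ \t]*subject: */, ""); subject = $0 }
    /^[ \t]*expires:/ { expires = $2 }   # date part only; ISO, so string-comparable
    END { flush(); exit (bad > 0) }
  '
}

# Run the checker over the constructed sample with a fixed cutoff.
# Live use (GNU date): getcert list | check_tracking "$(date -d '+30 days' +%F)"
run_check() { sample_getcert_list | check_tracking "$1"; }

run_check "2019-12-15" || echo "some tracked certificates need attention"
```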