Hi Timo,

Thanks for your reply.

I have searched the web a lot and attempted several solutions, but all fail because certmonger cannot talk to the FreeIPA web interface. A few words on my setup:

- I have two FreeIPA servers (4.3.1-0ubuntu1), one is the original master and the other is a replica, but both are CA and renewal masters
- Everything was installed using apt-get on Ubuntu 16.04 and I've always updated regularly
- FreeIPA was installed with DNS for our intranet and configured to talk to intranet IPs only, thus ignoring the WAN interface
- None of my certificates has expired and all NSS databases and PEM files match the corresponding LDAP entries

My objective, as I said, is to make sure certificates are renewed before expiring.
My problem is that certmonger shows:

ca-error: Error 60 connecting to https://<snip>:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.

What I have tried to do:

- I did install libnsspem (1.0.3-0ubuntu2) but this only changed https Error 77 to 60
- I attempted to bypass the IPA web server and certmonger to renew the certificate by using

/usr/lib/certmonger/dogtag-ipa-renew-agent-submit -i /etc/ipa/ca.crt -d /etc/apache2/nssdb -n ipaCert -p /etc/apache2/nssdb/pwdfile.txt -D 5 -v

The command above seemed to succeed but only generated a bunch of cookie errors in certmonger's output.
I would later remove some of these cookie errors using getcert resubmit on the original master, but that would only bring back the https error. No progress here.

- After a lot of web research, I found a reference to a problem with the Trust Attributes in the NSS database:


It seemed analogous to my problem and I decided to give it a try:

certutil -d /etc/ipa/nssdb/ -M -n 'CEFAPNET.ICB.USP.BR IPA CA' -t ',,'
certutil -d /etc/ipa/nssdb/ -M -n 'CEFAPNET.ICB.USP.BR IPA CA' -t 'C,C,C'

but, even after this, certmonger continues to be unable to communicate with the ipa web server/proxy.
I don't know if the problem is authentication against Apache or Tomcat, but this curl command:

SSL_DIR=/etc/apache2/nssdb/ curl -s -v -o /dev/null --cacert /etc/ipa/ca.crt https://<snip>:8443/ca/agent/ca/profileReview

returns a gnutls_handshake failure:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 10.1.1.1...
* Connected to <snip> (10.1.1.1) port 8443 (#0)
* found 1 certificates in /etc/ipa/ca.crt
* found 600 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / RSA_AES_128_CBC_SHA1
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: ipa.cefapnet.icb.usp.br (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: O=REALM,CN=server
* start date: Wed, 20 Dec 2017 17:36:53 GMT
* expire date: Tue, 10 Dec 2019 17:36:53 GMT
* issuer: O=REALM,CN=Certificate Authority
* compression: NULL
* ALPN, server did not agree to a protocol
> GET /ca/agent/ca/profileReview HTTP/1.1
> Host: <snip>:8443
> User-Agent: curl/7.47.0
> Accept: */*
>
* gnutls_handshake() failed: Illegal parameter
* Closing connection 0
curl: (35) gnutls_handshake() failed: Illegal parameter

Questions:

1) Is this a compatibility issue between Dogtag or the IPA server NSS or TLS libraries and those of certmonger or its helpers?
2) Can I disable the need for a certificate to connect to the server while asking IPA to renew my certificates?

This is a production system and I really would like to make sure it doesn't become unavailable next month.

I'm pasting some more information below.

Thanks again!
Robson

========> certutil -L
/etc/dirsrv/slapd-CEFAPNET-ICB-USP-BR/:
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
Server-Cert                                                  u,u,u
CEFAPNET.ICB.USP.BR IPA CA                                   CT,C,C

/etc/pki/pki-tomcat/alias/:
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu

/etc/ipa/nssdb/:
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CEFAPNET.ICB.USP.BR IPA CA                                   C,C,C

/etc/apache2/nssdb/:
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
CEFAPNET.ICB.USP.BR IPA CA                                   C,C,C

========> getcert list
Number of certificates and requests being tracked: 8.
Request ID '20171220173724':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to https://server.local:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=REALM.LOCAL
subject: CN=CA Audit,O=REALM.LOCAL
expires: 2019-12-10 17:36:54 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20171220173725':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to https://server.local:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=REALM.LOCAL
subject: CN=OCSP Subsystem,O=REALM.LOCAL
expires: 2019-12-10 17:36:53 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
eku: id-kp-OCSPSigning
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20171220173726':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to https://server.local:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=REALM.LOCAL
subject: CN=CA Subsystem,O=REALM.LOCAL
expires: 2019-12-10 17:36:53 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20171220173727':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to https://server.local:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=REALM.LOCAL
subject: CN=Certificate Authority,O=REALM.LOCAL
expires: 2037-12-20 17:36:53 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20171220173728':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to https://server.local:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
stuck: no
key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=REALM.LOCAL
subject: CN=IPA RA,O=REALM.LOCAL
expires: 2019-12-10 17:37:21 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20171220173729':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to https://server.local:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=REALM.LOCAL
subject: CN=server.local,O=REALM.LOCAL
expires: 2019-12-10 17:36:53 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20171220173759':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-REALM.LOCAL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-CEFAPNET-ICB-USP-BR/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-REALM.LOCAL',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=REALM.LOCAL
subject: CN=server.local,O=REALM.LOCAL
expires: 2019-12-21 17:37:59 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib/ipa/certmonger/restart_dirsrv REALM.LOCAL
track: yes
auto-renew: yes
Request ID '20171220173822':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=REALM.LOCAL
subject: CN=server.local,O=REALM.LOCAL
expires: 2019-12-21 17:38:22 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
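Added example, not code from this thread or from FreeIPA/certmonger: a small Python parser for `getcert list` output that flags tracked requests whose status is not MONITORING or whose certificate expires within a given window. The sample text is constructed in the same format as the `getcert list` output quoted above, and the reference date is an assumption.

```python
# Added example (not from the mailing-list thread): parse `getcert list` output
# and flag tracked certificates whose CA is unreachable or that expire soon.
from datetime import datetime, timedelta, timezone
import re
# Constructed sample in the shape of the `getcert list` output quoted in the post.
SAMPLE = """Number of certificates and requests being tracked: 2.
Request ID '20171220173724':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to https://server.local:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2019-12-10 17:36:54 UTC
Request ID '20171220173822':
status: MONITORING
certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
expires: 2019-12-21 17:38:22 UTC
"""

def parse_utc(s):
    """Parse getcert's 'YYYY-MM-DD HH:MM:SS UTC' timestamp into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)

def parse_getcert(text):
    """Return one dict per 'Request ID' block, keyed by the field names getcert prints."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ": " in line:
            key, _, value = line.partition(": ")
            current[key.strip()] = value.strip()
    return requests

def needs_attention(requests, now, days=30):
    """Flag requests not in MONITORING state or expiring within `days` of `now`."""
    flagged = []
    for r in requests:
        exp, reasons = parse_utc(r["expires"]), []
        if r.get("status") != "MONITORING":
            reasons.append(r.get("status", "UNKNOWN"))
        if exp <= now + timedelta(days=days):
            reasons.append("expires in %d days" % (exp - now).days)
        if reasons:
            flagged.append((r["id"], reasons))
    return flagged

if __name__ == "__main__":  # constructed reference date: the day of the post
    for rid, why in needs_attention(parse_getcert(SAMPLE), parse_utc("2019-11-18 00:00:00 UTC")):
        print(rid, "; ".join(why))
```

On a real server, pipe `getcert list` into `parse_getcert` instead of using the constructed sample; a non-empty result from `needs_attention` is the signal to investigate before the renewal window closes.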

On Mon, 18 Nov 2019 at 09:09, Timo Aaltonen <tjaalton@ubuntu.com> wrote:
On 18.11.2019 4.03, Robson Francisco de Souza via FreeIPA-users wrote:
> Hello!
>
> I've been running FreeIPA 4.3.1 on Ubuntu 16.04 for almost two years and
> most certificates should expire within three weeks. As this deadline
> approaches, I noticed certmonger has been unable to renew certificates
> due to the error below.
>
> After googling for two days, I found this issue has been observed by
> many people before, mostly after expiration of the certificates, as in
> https://tinyurl.com/vajmocw
>
> Still, I couldn't find a solution to this problem.
> If it is impossible to fix this issue while using FreeIPA 4.3.1, I would
> like to:
>
> 1) Find a way to renew all certificates even if certmonger can't be
> fixed. This would allow me to postpone the solution to after the next OS
> and/or FreeIPA upgrade
> 2) Find out what version of FreeIPA I should upgrade to while the
> operating system remains Ubuntu 16.04
>
> Any help would be appreciated!
> Thanks!

Hi,

This probably needs libnsspem, you can find it in 18.04... not 100% sure
but I think it should at least install fine.


--
t


--
Robson Francisco de Souza, PhD
Protein Structure and Evolution Laboratory (LEEP/PSEL)
Department of Microbiology
Institute of Biomedical Sciences
University of São Paulo
Av. Prof. Lineu Prestes, 1374 - Biomédicas II Building - Room 250 - 2nd floor
Tel: 3091-0891
Cidade Universitária - ZIP 05508-900 - São Paulo - SP - Brazil