On ma, 19 elo 2019, Thomas Kropeit via FreeIPA-users wrote:
Over the weekend, my original "NSS Certificate DB"
certificate expired. It was automatically renewed, however in a new location:
# ipa-getcert list
Number of certificates and requests being tracked: 10.
Request ID '20180929060059':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-IPA-PHYSEC-DE',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-PHYSEC-DE
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-IPA-PHYSEC-DE',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=IPA.PHYSEC.DE
subject: CN=master.ipa.physec.de,O=IPA.PHYSEC.DE
expires: 2021-07-20 14:25:43 UTC
principal name: ldap/master.ipa.physec.de(a)IPA.PHYSEC.DE
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-PHYSEC-DE
track: yes
auto-renew: yes
Request ID '20180929060107':
status: MONITORING
ca-error: Unable to determine principal name for signing request.
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=IPA.PHYSEC.DE
subject: CN=master.ipa.physec.de,O=IPA.PHYSEC.DE
expires: 2019-08-17 12:45:50 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
I managed to restart the FreeIPA service by adding `NSSEnforceValidCerts off` to
`/etc/httpd/conf.d/nss.conf`. But logging into the webinterface still yields the following
error in httpd:
[Mon Aug 19 10:36:05.722736 2019] [:error] [pid 12798] ipa: INFO: 401 Unauthorized: [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
[Mon Aug 19 10:36:05.723894 2019] [:error] [pid 12802] SSL Library Error: -12269 The
server has rejected your certificate as expired
I have intentionally not copied the new certificate to `/etc/httpd/alias` as I am not
aware of all the involved components and fear that this might break something.
My system is running a fully patched CentOS 7.6, running FreeIPA 4.6.4-10.el7.centos.6.
What should I do to resolve this issue, simply replacing the
certificates, or is there a better method?
These two certificates are different as
they issued to different
Kerberos principals (ldap/... and HTTP/...). In the other case you just
need to add
ipa-getcert resubmit -i 20180929060107 -K HTTP/master.ipa.physec.de
as this is what your ca-error says:
ca-error: Unable to determine principal name for signing
request.
But to submit it you'd need to get back in time when HTTP cert is valid
yet (before 2019-08-17) and not too far to have LDAP certificate invalid
yet (after 2019-07-20).
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland