Adding freeipa-users back.

Roberto Cornacchia wrote:
> Just to confirm, this is indeed the expired certificate
>
> $ getcert list -d /etc/httpd/alias -n Server-Cert
> Number of certificates and requests being tracked: 8.
> Request ID '20150316184529':
> status: CA_UNREACHABLE
> ca-error: Error setting up ccache for "host" service on client using
> default keytab: Cannot contact any KDC for requested realm.
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=HQ.SPINQUE.COM <http://HQ.SPINQUE.COM>
> subject: CN=spinque04.hq.spinque.com
> <http://spinque04.hq.spinque.com>,O=HQ.SPINQUE.COM <http://HQ.SPINQUE.COM>
> expires: 2017-03-16 18:45:29 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes

Since you have Apache up and limping along I'd first try:

# getcert resubmit -i 20150316184529

It is very possible that the tool will reject the server cert since it
is expired. If that happens then you'll need to set time back.

I'd encourage you to run: getcert list | grep expires

This will show you what certs need to be renewed and should give some
insight into the window of opportunity for setting the date back.

Assuming it's just the Apache cert that is expired I'd try setting the
date back to March 15, restart IPA, then I'd restart certmonger or try
the about resubmit command again.

Things can get tricky when some certs have renewed and some haven't.

rob

>
>
> On Wed, 7 Jun 2017 at 15:36 Roberto Cornacchia
> <roberto.cornacchia@gmail.com <mailto:roberto.cornacchia@gmail.com>> wrote:
>
>     Thanks Rob,
>
>     I've seen in similar posts that you recommend to go back in time and
>     restart certmonger. Would it work in this case?
>
>
>     On Wed, 7 Jun 2017 at 15:30 Rob Crittenden <rcritten@redhat.com
>     <mailto:rcritten@redhat.com>> wrote:
>
>         Roberto Cornacchia via FreeIPA-users wrote:
>         > OK, I did so and httpd restarts.
>         >
>         > $ openssl s_client -connect 127.0.0.1:443
>         <http://127.0.0.1:443> <http://127.0.0.1:443> -showcerts
>         > CONNECTED(00000003)
>         > depth=1 O = HQ.SPINQUE.COM <http://HQ.SPINQUE.COM>
>         <http://HQ.SPINQUE.COM>, CN = Certificate
>         > Authority
>         > verify return:1
>         > depth=0 O = HQ.SPINQUE.COM <http://HQ.SPINQUE.COM>
>         <http://HQ.SPINQUE.COM>, CN =
>         > spinque04.hq.spinque.com <http://spinque04.hq.spinque.com>
>         <http://spinque04.hq.spinque.com>
>         > verify error:num=10:certificate has expired
>         > notAfter=Mar 16 18:45:29 2017 GMT
>         > verify return:1
>         > depth=0 O = HQ.SPINQUE.COM <http://HQ.SPINQUE.COM>
>         <http://HQ.SPINQUE.COM>, CN =
>         > spinque04.hq.spinque.com <http://spinque04.hq.spinque.com>
>         <http://spinque04.hq.spinque.com>
>         > notAfter=Mar 16 18:45:29 2017 GMT
>         > verify return:1
>         > ---
>         > Certificate chain
>         >  0 s:/O=HQ.SPINQUE.COM/CN=spinque04.hq.spinque.com
>         <http://HQ.SPINQUE.COM/CN=spinque04.hq.spinque.com>
>         > <http://HQ.SPINQUE.COM/CN=spinque04.hq.spinque.com>
>         >    i:/O=HQ.SPINQUE.COM/CN=Certificate
>         <http://HQ.SPINQUE.COM/CN=Certificate>
>         > <http://HQ.SPINQUE.COM/CN=Certificate> Authority
>         > ...
>         >
>         > Fair enough, but why does this say it expires in 2019? Are
>         they two
>         > different certificates?
>         >
>         > $ getcert list -d /etc/httpd/alias -n ipaCert
>         > Number of certificates and requests being tracked: 8.
>         > Request ID '20160501114633':
>         > status: MONITORING
>         > stuck: no
>         > key pair storage:
>         >
>         type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>         > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         > certificate:
>         >
>         type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>         > Certificate DB'
>         > CA: dogtag-ipa-ca-renew-agent
>         > issuer: CN=Certificate Authority,O=HQ.SPINQUE.COM
>         <http://HQ.SPINQUE.COM> <http://HQ.SPINQUE.COM>
>         > subject: CN=IPA RA,O=HQ.SPINQUE.COM <http://HQ.SPINQUE.COM>
>         <http://HQ.SPINQUE.COM>
>         > expires: 2019-01-26 19:41:51 UTC
>         > key usage:
>         digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         > eku: id-kp-serverAuth,id-kp-clientAuth
>         > pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
>         > post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>         > track: yes
>         > auto-renew: yes
>         >
>         > What's the right way to solve this?
>
>         You're looking at the wrong cert.
>
>         # getcert list -d /etc/httpd/alias -n Server-Cert
>
>         And really, you should examine all certificate status, not just
>         a single
>         one.
>
>         I was also strongly urge you to wait until all problems are resolved
>         before attempting to update packages in the future (unless a package
>         claims to fix a specific problem), particularly when it comes to
>         certificates.
>
>         rob
>