On 11/24/20 10:50 AM, Marc Pearson | i-Neda Ltd wrote:
Thanks Flo,
I'm suprosed I didn't catch that typeo:
certutil -L -d /etc/dirsrv/slapd-INT-I-NEDA-COM
Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI
CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE C,, CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,, CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,, comodoCA C,, INT.I-NEDA.COM IPA CA CT,C,C INT.I-NEDA.COM IPA CA CT,C,C INT.I-NEDA.COM IPA CA CT,C,C CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,, CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,, comodoCA2 C,, INT.I-NEDA.COM IPA CA CT,C,C INT.I-NEDA.COM IPA CA CT,C,C comodoCA C,, CN=*.int.i-neda.com u,u,u INT.I-NEDA.COM IPA CA CT,C,C
Ok, so I think the issue with ipa-cert-fix comes from the fact that the LDAP server cert is not called 'Server-Cert' but rather 'CN=*.int.i-neda.com' - you can check with the following command: # grep nsSSLPersonalitySSL /etc/dirsrv/slapd-INT-I-NEDA-COM/dse.ldif
Can you log an issue at https://pagure.io/freeipa/new_issue ? When the LDAP server cert doesn't have the default name, ipa-cert-fix fails. A possible workaround would be to rename the cert in the NSSDB to 'Server-Cert' with certutil --rename but you will also need to update the dse.ldif file (stop ds, edit, start ds). This will allow you to use ipa-cert-fix and hopefully to move forward.
flo
Marc.
-----Original Message----- From: Florence Blanc-Renaud flo@redhat.com Sent: 24 November 2020 09:01 To: Marc Pearson | i-Neda Ltd mpearson@i-neda.com; FreeIPA users list freeipa-users@lists.fedorahosted.org Subject: Re: [Freeipa-users] subsystemCert appears out of date
On 11/24/20 9:54 AM, Marc Pearson | i-Neda Ltd wrote:
Hi Flo,
I'm getting a database error when running that command:
# certutil -L -d /etc/dirsrc/slapd-INT-I-NEDA-COM certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
Sorry, I made a typo, it should be dirsrv, not dirsrc: # certutil -L -d /etc/dirsrv/slapd-INT-I-NEDA-COM
flo
Not sure if that's of any help?
Marc.
-----Original Message----- From: Florence Blanc-Renaud flo@redhat.com Sent: 21 November 2020 19:06 To: Marc Pearson | i-Neda Ltd mpearson@i-neda.com; FreeIPA users list freeipa-users@lists.fedorahosted.org Subject: Re: [Freeipa-users] subsystemCert appears out of date
On 11/18/20 12:23 PM, Marc Pearson | i-Neda Ltd wrote:
Hi Flo,
Thanks for the information. I've tried to run the cert fix utility just now and I'm hitting an issue, ironically with the SSL certificate:
[root@red-auth01 ~]# ipa-cert-fix Failed to get Server-Cert The ipa-cert-fix command failed.
Hi, I failed to notice the first time but there is no tracking for the LDAP cert that is stored in /etc/dirsrv/slapd-$DOMAIN/. What is the output of # certutil -L -d /etc/dirsrc/slapd-$DOMAIN You should see Server-Cert (=the ldap server certificate), or maybe a different nickname is used?
flo
From the message log: Nov 18 11:18:32 red-auth01 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent Nov 18 11:18:32 red-auth01 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3 Nov 18 11:18:33 red-auth01 certmonger: 2020-11-18 11:18:33 [1164] Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate. Nov 18 11:18:35 red-auth01 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent Nov 18 11:18:35 red-auth01 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3 Nov 18 11:18:35 red-auth01 certmonger: 2020-11-18 11:18:35 [1164] Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
Any advice?
Marc.
-----Original Message----- From: Florence Blanc-Renaud flo@redhat.com Sent: 17 November 2020 10:57 To: Marc Pearson | i-Neda Ltd mpearson@i-neda.com; FreeIPA users list freeipa-users@lists.fedorahosted.org Subject: Re: [Freeipa-users] subsystemCert appears out of date
On 11/17/20 10:19 AM, Marc Pearson | i-Neda Ltd wrote:
Hi Flo,
Thanks for the help. Included is the output of all the commands as you requested. These were all run from a single freeIPA server (red-auth01).
kinit admin; ipa server-role-find --role "CA server" Password for admin@INT.I-NEDA.COM:
8 server roles matched
 Server name: power-auth03.int.i-neda.com  Role name: CA
server  Role status: enabled
 Server name: power-auth04.int.i-neda.com  Role name: CA
server  Role status: absent
 Server name: red-auth01.int.i-neda.com  Role name: CA
server  Role status: enabled
 Server name: red-auth02.int.i-neda.com  Role name: CA
server  Role status: enabled
 Server name: red-auth03.int.i-neda.com  Role name: CA
server  Role status: enabled
 Server name: red-auth04.int.i-neda.com  Role name: CA
server  Role status: enabled
 Server name: white-auth01.int.i-neda.com  Role name: CA
server  Role status: enabled
 Server name: white-auth02.int.i-neda.com  Role name: CA
server  Role status: enabled
Number of entries returned 8
 kinit admin; ipa config-show | grep "renewal"
Password for admin@INT.I-NEDA.COM: Â IPA CA renewal master: red-auth01.int.i-neda.com
rpm -qa | grep ipa-server ipa-server-common-4.6.8-5.el7.centos.noarch ipa-server-4.6.8-5.el7.centos.x86_64 ipa-server-dns-4.6.8-5.el7.centos.noarch
getcert list Number of certificates and requests being tracked: 8. Request ID '20171101175244': status: MONITORING stuck: no key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key' certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' CA: SelfSign issuer: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM subject: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM expires: 2021-08-10 14:04:07 UTC principal name: krbtgt/INT.I-NEDA.COM@INT.I-NEDA.COM certificate template/profile: KDCs_PKINIT_Certs pre-save command: post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert track: yes auto-renew: yes
Request ID '20180722081853': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigni n g Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigni n g Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=INT.I-NEDA.COM subject: CN=CA Audit,O=INT.I-NEDA.COM expires: 2022-09-16 12:36:41 UTC key usage: digitalSignature,nonRepudiation pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes
Request ID '20180722081854': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSignin g C ert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSignin g C ert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=INT.I-NEDA.COM subject: CN=OCSP Subsystem,O=INT.I-NEDA.COM expires: 2022-09-16 12:35:31 UTC eku: id-kp-OCSPSigning pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20180722081855': status: CA_UNREACHABLE ca-error: Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate. stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemC e r t cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemC e r t cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=INT.I-NEDA.COM subject: CN=CA Subsystem,O=INT.I-NEDA.COM expires: 2020-10-24 07:04:35 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" track: yes auto-renew: yes
Request ID '20180722081856': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningC e r t cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningC e r t cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=INT.I-NEDA.COM subject: CN=Certificate Authority,O=INT.I-NEDA.COM expires: 2040-10-10 07:51:04 UTC key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" track: yes auto-renew: yes
Request ID '20180722081857': status: CA_UNREACHABLE ca-error: Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate. stuck: no key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key' certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=INT.I-NEDA.COM subject: CN=IPA RA,O=INT.I-NEDA.COM expires: 2020-10-24 07:03:24 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes
Request ID '20180722081858': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cer t cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cer t cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=INT.I-NEDA.COM subject: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM expires: 2021-02-09 11:59:57 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" track: yes auto-renew: yes
Request ID '20200530130439': status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN stuck: yes key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert' CA: IPA issuer: subject: expires: unknown pre-save command: post-save command: track: yes auto-renew: yes
Hi Marc,
so the current situation is the following:
- red-auth01 is the renewal master, with multiple replicas hosting the CA role.
- on this server, 'subsystemCert cert-pki-ca' is expired (expires:
2020-10-24 07:04:35 UTC) as well as /var/lib/ipa/ra-agent.pem (expires: 2020-10-24 07:03:24 UTC).
- there is also an issue with the tracking of the cert used by HTTP
But one of your comments is puzzling me:
The signing SSL (int.i-neda.com) is a full wildcard block chain that is authorized by a recognised 3rd party. It's worth noting though, that we had some issues with the block chain back in April as the thrid parties block chain expired. So it's possible that this is as a result of that issue, and may require some fettling to resolve. All help is appreciated.
Did you import the new CA chain at that time using ipa-cacert-manage install / ipa-certupdate?
According to getcert output, the IPA CA is now self-signed. It looks a lot like issue https://pagure.io/freeipa/issue/8176 where the externally-signed IPA CA is renewed/replaced with a self-signed CA.
As you have ipa 4.6.8-5, the ipa-cert-fix utility is available on your system. It will be easier to use this tool to fix the server: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linu x /7/html-single/linux_domain_identity_authentication_and_policy_guide/ i ndex#renewing-expired-system-certificate-when-idm-is-offline
Once the systems are up again, you can switch back to an externally-signed ipa CA:
- import the external CA chain using ipa-cacert-manage install + run
ipa-certupdate on all the ipa nodes
- switch to externally-signed CA with ipa-cacert-manage renew
--external-ca command (https://access.redhat.com/documentation/en-us/red_hat_enterprise_lin u x/7/html-single/linux_domain_identity_authentication_and_policy_guide / index#manual-cert-renewal-ext)
HTH, flo
My current tempory work around is to set the local clock of the OS back by over a month so the server belives the expired CA's are still valid.
Kind Regards,
Marc.
-- *From:* Florence Blanc-Renaud flo@redhat.com *Sent:* 16 November 2020 14:35 *To:* FreeIPA users list freeipa-users@lists.fedorahosted.org *Cc:* Marc Pearson | i-Neda Ltd mpearson@i-neda.com *Subject:* Re: [Freeipa-users] subsystemCert appears out of date On 11/16/20 10:03 AM, Marc Pearson | i-Neda Ltd via FreeIPA-users wrote:
Hi All,
My subsystem cert appears to have gone out of date, and Iââ,¬â"¢m unable to get it to update. This has become an issue on my production environment, and my current work around has been to take the system date back by a month. Iââ,¬â"¢ve tried the cert renew tool, but this doesnââ,¬â"¢t seem to have updated this cert.
Is anyone able to point me in the right direction to be able to update this specific certificate as Iââ,¬â"¢ve been unable to find anything online.
[auth01 ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'
Certificate:
 Ã, Ã, Ã, Data:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Version: 3 (0x2)
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Serial Number: 42 (0x2a)
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Issuer: "CN=Certificate Authority,O=INT.I-NEDA.COM"
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Validity:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Not Before: Sun Nov 04 08:04:35 2018
Not After : Sat Oct 24 07:04:35 2020
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Subject: "CN=CA Subsystem,O=INT.I-NEDA.COM"
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Subject Public Key Info:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Public Key Algorithm: PKCS #1 RSA Encryption
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, RSA Public Key:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Modulus:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, c6:7e:e6:40:8f:6e:77:07:8f:2a:ca:ca:63:63:cf:c6:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 5f:1c:09:63:4a:bb:17:68:17:cd:20:9b:f3:b0:5b:c0:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, f7:ff:72:07:1d:a2:29:93:61:62:5c:9f:04:d3:cb:7b:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, bf:53:de:bb:dd:d6:3f:a1:14:95:04:53:64:87:73:24:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, e3:61:66:96:ab:99:1f:2c:da:ec:22:e5:21:b1:5c:d5:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 0a:dd:4e:3f:f8:e2:90:a1:55:31:ad:11:2f:3b:d3:90:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 14:dc:b7:9d:fc:35:1a:ab:48:27:68:0a:9f:cb:95:14:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 00:93:b8:d4:d4:30:de:4e:be:20:a3:01:24:e8:f2:4a:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 1a:d2:b6:e0:09:77:3d:24:e3:5a:cf:51:d6:ca:d2:65:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 53:62:72:64:fe:7d:53:09:0e:97:b8:61:c9:c8:6d:24:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 52:15:f2:bf:40:04:38:24:22:73:fb:80:a0:ff:16:57:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, e1:0b:3c:71:02:d7:e6:2e:94:0a:e7:4e:aa:5e:6f:91:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, a5:68:65:21:cd:68:0c:2d:5d:53:fa:e0:10:75:47:43:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 04:f2:8b:e1:1c:1c:ed:a6:c1:ee:5c:6c:72:51:b5:e6:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, cd:f9:06:45:17:00:2b:d7:34:75:8a:59:f2:21:97:c6:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 63:d3:6f:54:d9:00:42:74:88:9e:94:d0:d4:d2:a1:b7
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Exponent: 65537 (0x10001)
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Signed Extensions:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Name: Certificate Authority Key Identifier
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Key ID:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, f2:bb:9c:4f:e3:d8:c3:f9:58:eb:cc:5f:f7:be:8c:d6:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, d5:08:c0:3a
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Name: Authority Information Access
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Method: PKIX Online Certificate Status Protocol
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Location:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, URI: "http://ipa-ca.int.i-neda.com/ca/ocsp"
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Name: Certificate Key Usage
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Critical: True
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Usages: Digital Signature
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Non-Repudiation
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Key Encipherment
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Data Encipherment
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Name: Extended Key Usage
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, TLS Web Server Authentication Certificate
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, TLS Web Client Authentication Certificate
 Ã, Ã, Ã, Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
 Ã, Ã, Ã, Signature:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 5f:b7:31:25:10:ef:e7:72:44:8e:94:1d:57:4e:bb:4e:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 22:cf:9b:7e:f4:20:a2:fa:96:2a:cf:e9:70:cd:a6:82:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 4a:bd:58:4b:a7:df:4d:77:47:ba:65:d0:68:c5:dc:59:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 77:7e:bf:36:d3:55:c7:86:d3:16:77:51:46:c2:48:de:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, e8:0d:62:05:b9:8c:46:bd:22:7d:8d:d0:ad:5a:64:6b:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 9b:7d:ec:4c:e6:05:e7:02:97:cd:01:f5:19:91:15:7e:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, cc:41:5b:f2:00:2d:c0:0b:91:9e:62:d5:7a:b2:1e:8f:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 32:62:c2:ed:1a:e8:e1:56:32:e0:0e:79:55:a2:49:35:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 0e:df:5d:a3:df:e2:dd:58:60:4a:dd:19:92:f7:4d:60:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 59:0e:16:b1:ae:32:e6:c5:c5:fa:5b:2f:fe:1d:fe:e9:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, ec:67:2b:65:33:f2:57:64:8a:68:f3:91:9b:25:ff:02:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 64:4c:a1:6d:fe:f0:73:95:f2:0f:49:fb:3f:85:21:a0:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 68:37:dc:cd:73:02:73:20:22:a9:1d:c9:7e:88:4f:9b:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 7c:92:f8:c1:50:0f:95:43:48:5b:8b:7f:0f:48:04:a8:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, c7:c0:0e:58:7c:86:2c:3a:b5:72:e3:34:3d:d8:0f:26:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, eb:44:fa:75:c1:c8:fc:b6:7d:f7:31:91:a4:71:a1:51
 Ã, Ã, Ã, Fingerprint (SHA-256):
4F:2A:1B:54:65:B6:09:3E:AD:68:08:92:CB:8D:FE:13:EF:B8:4C:F1:1E:0F:E1: 15:13:92:D3:7A:3D:F8:54:44
 Ã, Ã, Ã, Fingerprint (SHA1):
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 03:34:DC:55:F5:00:AF:8C:EF:AC:AA:0D:E0:44:AD:5C:6F:CF:97:A6
 Ã, Ã, Ã, Mozilla-CA-Policy: false (attribute missing)
 Ã, Ã, Ã, Certificate Trust Flags:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, SSL Flags:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, User
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Email Flags:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, User
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Object Signing Flags:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, User
Thanks for the help,
Marc.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fe d o rahosted.org
Hi Marc,
we need more information in order to help you:
- do you have multiple master/replicas with the CA role:
# kinit admin; ipa server-role-find --role "CA server"
- which server is the renewal master:
# kinit admin ; ipa config-show | grep "renewal"
- which version is installed:
# rpm -qa | grep ipa-server
- Is the subsystemCert cert-pki-ca the only expired certificate:
# getcert list
flo
Hi Flo,
I've raised that issue as requested including this full email chain so far:
https://pagure.io/freeipa/issue/8600
Sorry to seem dense, but ssl certs and keys are definatly not my strong suite, and the whole freeipa setup se have was sort of dumped on me when my colleague who was looking after this left the company. Would you be able to be a bit more specific on what I need to do to try and work around this issue, or point me in the correct direction so that I'm able figure out (and hopefully learn more of the freeipa workings) the steps to attempt this work around.
Thanks for all the help so far, it's been much appreciated.
Kind Regards,
Marc.
-----Original Message----- From: Florence Blanc-Renaud flo@redhat.com Sent: 24 November 2020 10:45 To: Marc Pearson | i-Neda Ltd mpearson@i-neda.com; FreeIPA users list freeipa-users@lists.fedorahosted.org Subject: Re: [Freeipa-users] subsystemCert appears out of date
On 11/24/20 10:50 AM, Marc Pearson | i-Neda Ltd wrote:
Thanks Flo,
I'm suprosed I didn't catch that typeo:
certutil -L -d /etc/dirsrv/slapd-INT-I-NEDA-COM
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE C,, CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,, CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,, comodoCA C,, INT.I-NEDA.COM IPA CA CT,C,C INT.I-NEDA.COM IPA CA CT,C,C INT.I-NEDA.COM IPA CA CT,C,C CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,, CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,, comodoCA2 C,, INT.I-NEDA.COM IPA CA CT,C,C INT.I-NEDA.COM IPA CA CT,C,C comodoCA C,, CN=*.int.i-neda.com u,u,u INT.I-NEDA.COM IPA CA CT,C,C
Ok, so I think the issue with ipa-cert-fix comes from the fact that the LDAP server cert is not called 'Server-Cert' but rather 'CN=*.int.i-neda.com' - you can check with the following command: # grep nsSSLPersonalitySSL /etc/dirsrv/slapd-INT-I-NEDA-COM/dse.ldif
Can you log an issue at https://pagure.io/freeipa/new_issue ? When the LDAP server cert doesn't have the default name, ipa-cert-fix fails. A possible workaround would be to rename the cert in the NSSDB to 'Server-Cert' with certutil --rename but you will also need to update the dse.ldif file (stop ds, edit, start ds). This will allow you to use ipa-cert-fix and hopefully to move forward.
flo
Marc.
-----Original Message----- From: Florence Blanc-Renaud flo@redhat.com Sent: 24 November 2020 09:01 To: Marc Pearson | i-Neda Ltd mpearson@i-neda.com; FreeIPA users list freeipa-users@lists.fedorahosted.org Subject: Re: [Freeipa-users] subsystemCert appears out of date
On 11/24/20 9:54 AM, Marc Pearson | i-Neda Ltd wrote:
Hi Flo,
I'm getting a database error when running that command:
# certutil -L -d /etc/dirsrc/slapd-INT-I-NEDA-COM certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
Sorry, I made a typo, it should be dirsrv, not dirsrc: # certutil -L -d /etc/dirsrv/slapd-INT-I-NEDA-COM
flo
Not sure if that's of any help?
Marc.
-----Original Message----- From: Florence Blanc-Renaud flo@redhat.com Sent: 21 November 2020 19:06 To: Marc Pearson | i-Neda Ltd mpearson@i-neda.com; FreeIPA users list freeipa-users@lists.fedorahosted.org Subject: Re: [Freeipa-users] subsystemCert appears out of date
On 11/18/20 12:23 PM, Marc Pearson | i-Neda Ltd wrote:
Hi Flo,
Thanks for the information. I've tried to run the cert fix utility just now and I'm hitting an issue, ironically with the SSL certificate:
[root@red-auth01 ~]# ipa-cert-fix Failed to get Server-Cert The ipa-cert-fix command failed.
Hi, I failed to notice the first time but there is no tracking for the LDAP cert that is stored in /etc/dirsrv/slapd-$DOMAIN/. What is the output of # certutil -L -d /etc/dirsrc/slapd-$DOMAIN You should see Server-Cert (=the ldap server certificate), or maybe a different nickname is used?
flo
From the message log: Nov 18 11:18:32 red-auth01 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent Nov 18 11:18:32 red-auth01 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3 Nov 18 11:18:33 red-auth01 certmonger: 2020-11-18 11:18:33 [1164] Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate. Nov 18 11:18:35 red-auth01 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent Nov 18 11:18:35 red-auth01 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3 Nov 18 11:18:35 red-auth01 certmonger: 2020-11-18 11:18:35 [1164] Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
Any advice?
Marc.
-----Original Message----- From: Florence Blanc-Renaud flo@redhat.com Sent: 17 November 2020 10:57 To: Marc Pearson | i-Neda Ltd mpearson@i-neda.com; FreeIPA users list freeipa-users@lists.fedorahosted.org Subject: Re: [Freeipa-users] subsystemCert appears out of date
On 11/17/20 10:19 AM, Marc Pearson | i-Neda Ltd wrote:
Hi Flo,
Thanks for the help. Included is the output of all the commands as you requested. These were all run from a single freeIPA server (red-auth01).
kinit admin; ipa server-role-find --role "CA server" Password for admin@INT.I-NEDA.COM:
8 server roles matched
 Server name: power-auth03.int.i-neda.com  Role name: CA
server  Role status: enabled
 Server name: power-auth04.int.i-neda.com  Role name: CA
server  Role status: absent
 Server name: red-auth01.int.i-neda.com  Role name: CA
server  Role status: enabled
 Server name: red-auth02.int.i-neda.com  Role name: CA
server  Role status: enabled
 Server name: red-auth03.int.i-neda.com  Role name: CA
server  Role status: enabled
 Server name: red-auth04.int.i-neda.com  Role name: CA
server  Role status: enabled
 Server name: white-auth01.int.i-neda.com  Role name: CA
server  Role status: enabled
 Server name: white-auth02.int.i-neda.com  Role name: CA
server  Role status: enabled
Number of entries returned 8
 kinit admin; ipa config-show | grep "renewal"
Password for admin@INT.I-NEDA.COM: Â IPA CA renewal master: red-auth01.int.i-neda.com
rpm -qa | grep ipa-server ipa-server-common-4.6.8-5.el7.centos.noarch ipa-server-4.6.8-5.el7.centos.x86_64 ipa-server-dns-4.6.8-5.el7.centos.noarch
getcert list Number of certificates and requests being tracked: 8. Request ID '20171101175244': status: MONITORING stuck: no key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key' certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' CA: SelfSign issuer: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM subject: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM expires: 2021-08-10 14:04:07 UTC principal name: krbtgt/INT.I-NEDA.COM@INT.I-NEDA.COM certificate template/profile: KDCs_PKINIT_Certs pre-save command: post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert track: yes auto-renew: yes
Request ID '20180722081853': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSign i n g Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSign i n g Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=INT.I-NEDA.COM subject: CN=CA Audit,O=INT.I-NEDA.COM expires: 2022-09-16 12:36:41 UTC key usage: digitalSignature,nonRepudiation pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes
Request ID '20180722081854': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigni n g C ert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigni n g C ert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=INT.I-NEDA.COM subject: CN=OCSP Subsystem,O=INT.I-NEDA.COM expires: 2022-09-16 12:35:31 UTC eku: id-kp-OCSPSigning pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20180722081855': status: CA_UNREACHABLE ca-error: Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate. stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystem C e r t cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystem C e r t cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=INT.I-NEDA.COM subject: CN=CA Subsystem,O=INT.I-NEDA.COM expires: 2020-10-24 07:04:35 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" track: yes auto-renew: yes
Request ID '20180722081856': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigning C e r t cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigning C e r t cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=INT.I-NEDA.COM subject: CN=Certificate Authority,O=INT.I-NEDA.COM expires: 2040-10-10 07:51:04 UTC key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" track: yes auto-renew: yes
Request ID '20180722081857': status: CA_UNREACHABLE ca-error: Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate. stuck: no key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key' certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=INT.I-NEDA.COM subject: CN=IPA RA,O=INT.I-NEDA.COM expires: 2020-10-24 07:03:24 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes
Request ID '20180722081858': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Ce r t cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Ce r t cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=INT.I-NEDA.COM subject: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM expires: 2021-02-09 11:59:57 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" track: yes auto-renew: yes
Request ID '20200530130439': status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN stuck: yes key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert' CA: IPA issuer: subject: expires: unknown pre-save command: post-save command: track: yes auto-renew: yes
Hi Marc,
so the current situation is the following:
- red-auth01 is the renewal master, with multiple replicas hosting the CA role.
- on this server, 'subsystemCert cert-pki-ca' is expired (expires:
2020-10-24 07:04:35 UTC) as well as /var/lib/ipa/ra-agent.pem (expires: 2020-10-24 07:03:24 UTC).
- there is also an issue with the tracking of the cert used by HTTP
But one of your comments is puzzling me:
The signing SSL (int.i-neda.com) is a full wildcard block chain that is authorized by a recognised 3rd party. It's worth noting though, that we had some issues with the block chain back in April as the thrid parties block chain expired. So it's possible that this is as a result of that issue, and may require some fettling to resolve. All help is appreciated.
Did you import the new CA chain at that time using ipa-cacert-manage install / ipa-certupdate?
According to getcert output, the IPA CA is now self-signed. It looks a lot like issue https://pagure.io/freeipa/issue/8176 where the externally-signed IPA CA is renewed/replaced with a self-signed CA.
As you have ipa 4.6.8-5, the ipa-cert-fix utility is available on your system. It will be easier to use this tool to fix the server: https://access.redhat.com/documentation/en-us/red_hat_enterprise_lin u x /7/html-single/linux_domain_identity_authentication_and_policy_guide / i ndex#renewing-expired-system-certificate-when-idm-is-offline
Once the systems are up again, you can switch back to an externally-signed ipa CA:
- import the external CA chain using ipa-cacert-manage install + run
ipa-certupdate on all the ipa nodes
- switch to externally-signed CA with ipa-cacert-manage renew
--external-ca command (https://access.redhat.com/documentation/en-us/red_hat_enterprise_li n u x/7/html-single/linux_domain_identity_authentication_and_policy_guid e / index#manual-cert-renewal-ext)
HTH, flo
My current tempory work around is to set the local clock of the OS back by over a month so the server belives the expired CA's are still valid.
Kind Regards,
Marc.
-- *From:* Florence Blanc-Renaud flo@redhat.com *Sent:* 16 November 2020 14:35 *To:* FreeIPA users list freeipa-users@lists.fedorahosted.org *Cc:* Marc Pearson | i-Neda Ltd mpearson@i-neda.com *Subject:* Re: [Freeipa-users] subsystemCert appears out of date On 11/16/20 10:03 AM, Marc Pearson | i-Neda Ltd via FreeIPA-users wrote:
Hi All,
My subsystem cert appears to have gone out of date, and Iââ,¬â"¢m unable to get it to update. This has become an issue on my production environment, and my current work around has been to take the system date back by a month. Iââ,¬â"¢ve tried the cert renew tool, but this doesnââ,¬â"¢t seem to have updated this cert.
Is anyone able to point me in the right direction to be able to update this specific certificate as Iââ,¬â"¢ve been unable to find anything online.
[auth01 ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'
Certificate:
 Ã, Ã, Ã, Data:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Version: 3 (0x2)
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Serial Number: 42 (0x2a)
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Issuer: "CN=Certificate Authority,O=INT.I-NEDA.COM"
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Validity:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Not Before: Sun Nov 04 08:04:35 2018
Not After : Sat Oct 24 07:04:35 2020
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Subject: "CN=CA Subsystem,O=INT.I-NEDA.COM"
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Subject Public Key Info:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Public Key Algorithm: PKCS #1 RSA Encryption
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, RSA Public Key:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Modulus:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, c6:7e:e6:40:8f:6e:77:07:8f:2a:ca:ca:63:63:cf:c6:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 5f:1c:09:63:4a:bb:17:68:17:cd:20:9b:f3:b0:5b:c0:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, f7:ff:72:07:1d:a2:29:93:61:62:5c:9f:04:d3:cb:7b:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, bf:53:de:bb:dd:d6:3f:a1:14:95:04:53:64:87:73:24:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, e3:61:66:96:ab:99:1f:2c:da:ec:22:e5:21:b1:5c:d5:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 0a:dd:4e:3f:f8:e2:90:a1:55:31:ad:11:2f:3b:d3:90:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 14:dc:b7:9d:fc:35:1a:ab:48:27:68:0a:9f:cb:95:14:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 00:93:b8:d4:d4:30:de:4e:be:20:a3:01:24:e8:f2:4a:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 1a:d2:b6:e0:09:77:3d:24:e3:5a:cf:51:d6:ca:d2:65:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 53:62:72:64:fe:7d:53:09:0e:97:b8:61:c9:c8:6d:24:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 52:15:f2:bf:40:04:38:24:22:73:fb:80:a0:ff:16:57:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, e1:0b:3c:71:02:d7:e6:2e:94:0a:e7:4e:aa:5e:6f:91:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, a5:68:65:21:cd:68:0c:2d:5d:53:fa:e0:10:75:47:43:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 04:f2:8b:e1:1c:1c:ed:a6:c1:ee:5c:6c:72:51:b5:e6:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, cd:f9:06:45:17:00:2b:d7:34:75:8a:59:f2:21:97:c6:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 63:d3:6f:54:d9:00:42:74:88:9e:94:d0:d4:d2:a1:b7
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Exponent: 65537 (0x10001)
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Signed Extensions:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Name: Certificate Authority Key Identifier
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Key ID:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, f2:bb:9c:4f:e3:d8:c3:f9:58:eb:cc:5f:f7:be:8c:d6:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, d5:08:c0:3a
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Name: Authority Information Access
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Method: PKIX Online Certificate Status Protocol
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Location:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, URI: "http://ipa-ca.int.i-neda.com/ca/ocsp"
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Name: Certificate Key Usage
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Critical: True
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Usages: Digital Signature
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Non-Repudiation
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Key Encipherment
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Data Encipherment
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Name: Extended Key Usage
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, TLS Web Server Authentication Certificate
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, TLS Web Client Authentication Certificate
 Ã, Ã, Ã, Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
 Ã, Ã, Ã, Signature:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 5f:b7:31:25:10:ef:e7:72:44:8e:94:1d:57:4e:bb:4e:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 22:cf:9b:7e:f4:20:a2:fa:96:2a:cf:e9:70:cd:a6:82:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 4a:bd:58:4b:a7:df:4d:77:47:ba:65:d0:68:c5:dc:59:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 77:7e:bf:36:d3:55:c7:86:d3:16:77:51:46:c2:48:de:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, e8:0d:62:05:b9:8c:46:bd:22:7d:8d:d0:ad:5a:64:6b:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 9b:7d:ec:4c:e6:05:e7:02:97:cd:01:f5:19:91:15:7e:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, cc:41:5b:f2:00:2d:c0:0b:91:9e:62:d5:7a:b2:1e:8f:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 32:62:c2:ed:1a:e8:e1:56:32:e0:0e:79:55:a2:49:35:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 0e:df:5d:a3:df:e2:dd:58:60:4a:dd:19:92:f7:4d:60:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 59:0e:16:b1:ae:32:e6:c5:c5:fa:5b:2f:fe:1d:fe:e9:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, ec:67:2b:65:33:f2:57:64:8a:68:f3:91:9b:25:ff:02:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 64:4c:a1:6d:fe:f0:73:95:f2:0f:49:fb:3f:85:21:a0:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 68:37:dc:cd:73:02:73:20:22:a9:1d:c9:7e:88:4f:9b:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 7c:92:f8:c1:50:0f:95:43:48:5b:8b:7f:0f:48:04:a8:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, c7:c0:0e:58:7c:86:2c:3a:b5:72:e3:34:3d:d8:0f:26:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, eb:44:fa:75:c1:c8:fc:b6:7d:f7:31:91:a4:71:a1:51
 Ã, Ã, Ã, Fingerprint (SHA-256):
4F:2A:1B:54:65:B6:09:3E:AD:68:08:92:CB:8D:FE:13:EF:B8:4C:F1:1E:0F:E1: 15:13:92:D3:7A:3D:F8:54:44
 Ã, Ã, Ã, Fingerprint (SHA1):
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 03:34:DC:55:F5:00:AF:8C:EF:AC:AA:0D:E0:44:AD:5C:6F:CF:97:A6
 Ã, Ã, Ã, Mozilla-CA-Policy: false (attribute missing)
 Ã, Ã, Ã, Certificate Trust Flags:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, SSL Flags:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, User
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Email Flags:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, User
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Object Signing Flags:
 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, User
Thanks for the help,
Marc.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.f e d o rahosted.org
Hi Marc,
we need more information in order to help you:
- do you have multiple master/replicas with the CA role:
# kinit admin; ipa server-role-find --role "CA server"
- which server is the renewal master:
# kinit admin ; ipa config-show | grep "renewal"
- which version is installed:
# rpm -qa | grep ipa-server
- Is the subsystemCert cert-pki-ca the only expired certificate:
# getcert list
flo
freeipa-users@lists.fedorahosted.org