Hello!
I've been running FreeIPA 4.3.1 on Ubuntu 16.04 for almost two years and most certificates should expire within three weeks. As this deadline approaches, I noticed certmonger has been unable to renew certificates due to the error below.
After googling for two days, I found this issue has been observed by many people before, mostly after expiration of the certificates, as in https://tinyurl.com/vajmocw
Still, I couldn't find a solution to this problem. If it is impossible to fix this issue while using FreeIPA 4.3.1, I would like to:
1) Find a way to renew all certificates even if certmonger can't be fixed. This would allow me to postpone the solution to after the next OS and/or FreeIPA upgrade
2) Find out what version of FreeIPA I should upgrade to while the operating system remains Ubuntu 16.04
Any help would be appreciated! Thanks!
Robson
======> Command: systemctl status certmonger
Nov 17 20:53:08 ipa.cefapnet.icb.usp.br certmonger[3873125]: 2019-11-17 20:53:08 [3873125] Error 77 connecting to https://ipa.cefapnet.icb.usp.br:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
Nov 17 21:10:13 ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875188]: Forwarding request to dogtag-ipa-renew-agent
Nov 17 21:10:13 ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875188]: dogtag-ipa-renew-agent returned 3
Nov 17 21:10:13 ipa.cefapnet.icb.usp.br certmonger[3873125]: 2019-11-17 21:10:13 [3873125] Error 77 connecting to https://ipa.cefapnet.icb.usp.br:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
Nov 17 21:25:20 ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875738]: Forwarding request to dogtag-ipa-renew-agent
Nov 17 21:25:20 ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875738]: dogtag-ipa-renew-agent returned 3
Nov 17 21:25:21 ipa.cefapnet.icb.usp.br certmonger[3873125]: 2019-11-17 21:25:21 [3873125] Error 77 connecting to https://ipa.cefapnet.icb.usp.br:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
Nov 17 21:25:31 ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875766]: Forwarding request to dogtag-ipa-renew-agent
Nov 17 21:25:31 ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875766]: dogtag-ipa-renew-agent returned 3
Nov 17 21:25:31 ipa.cefapnet.icb.usp.br certmonger[3873125]: 2019-11-17 21:25:31 [3873125] Error 77 connecting to https://ipa.cefapnet.icb.usp.br:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
Ah yes, certificates and renewal, I have spent so much time with that!
A very good starting point for debugging is this excellent guide. https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issues-...
Regards Bjarne Blichfeldt.
From: Robson Francisco de Souza [mailto:rfsouza@usp.br] Sent: 18. november 2019 03:03 To: freeipa-users@lists.fedorahosted.org Subject: [Freeipa-users] certmonger error on ubuntu
---- Robson Francisco de Souza, PhD Protein Structure and Evolution Laboratory (LEEP/PSEL) Microbiology Departament Biomedical Sciences Institute University of Sao Paulo Av. Prof. Lineu Prestes, 1374 - Biomédicas II - Sala 250 Phone: 55-11-3091-0891 Cidade Universitária - ZIP 05508-900 - São Paulo - SP - Brazil
On 18.11.2019 4.03, Robson Francisco de Souza via FreeIPA-users wrote:
Hi,
This probably needs libnsspem; you can find it in 18.04. Not 100% sure, but I think it should at least install fine.
Hi Bjarne,
Thanks for the link! It helped me learn a lot about certmonger and certutil. No solution yet but I'll keep searching...
Best, Robson
On Mon, 18 Nov 2019 at 07:13, Bjarne Blichfeldt via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi Timo,
Thanks for your reply.
I have searched the web a lot and attempted several solutions, but all fail because certmonger cannot talk to the FreeIPA web interface. A few words on my setup:
- I have two FreeIPA servers (4.3.1-0ubuntu1), one is the original master and the other is a replica, but both are ca and renew masters
- Everything was installed using apt-get on Ubuntu 16.04 and I've always updated regularly
- FreeIPA was installed with DNS for our intranet and configured to talk to intranet IPs only, thus ignoring the WAN interface
- None of my certificates is expired and all NSS databases and PEM files match the corresponding LDAP entries
My objective, as I said, is to make sure certificates are renewed before expiring. My problem is that certmonger shows:
ca-error: Error 60 connecting to https://<snip>:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
What I have tried to do:
- I did install libnsspem (1.0.3-0ubuntu2) but this only changed https Error 77 to 60
- I attempted to bypass the IPA web server and certmonger to renew the certificates by using

/usr/lib/certmonger/dogtag-ipa-renew-agent-submit -i /etc/ipa/ca.crt -d /etc/apache2/nssdb -n ipaCert -p /etc/apache2/nssdb/pwdfile.txt -D 5 -v

The command above seemed to succeed but only generated a bunch of cookie errors in certmonger's output. I would later remove some of these cookie errors using getcert resubmit on the original master, but that would only bring back the https error. No progress here.
- After a lot of web research, I found a reference to a problem with the Trust Attributes in the NSS database:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
It seemed analogous to my problem and I decided to give it a try:
certutil -d /etc/ipa/nssdb/ -M -n 'CEFAPNET.ICB.USP.BR IPA CA' -t ',,'
certutil -d /etc/ipa/nssdb/ -M -n 'CEFAPNET.ICB.USP.BR IPA CA' -t 'C,C,C'
but, even after this, certmonger continues to be unable to communicate with the ipa web server/proxy. I don't know if the problem is authentication against apache or tomcat but this curl command:
SSL_DIR=/etc/apache2/nssdb/ curl -s -v -o /dev/null --cacert /etc/ipa/ca.crt https://<snip>:8443/ca/agent/ca/profileReview
returns a gnutls_handshake failure:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Trying 10.1.1.1...
* Connected to <snip> (10.1.1.1) port 8443 (#0)
* found 1 certificates in /etc/ipa/ca.crt
* found 600 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / RSA_AES_128_CBC_SHA1
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: ipa.cefapnet.icb.usp.br (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: O=REALM,CN=server
* start date: Wed, 20 Dec 2017 17:36:53 GMT
* expire date: Tue, 10 Dec 2019 17:36:53 GMT
* issuer: O=REALM,CN=Certificate Authority
* compression: NULL
* ALPN, server did not agree to a protocol
GET /ca/agent/ca/profileReview HTTP/1.1
Host: <snip>:8443
User-Agent: curl/7.47.0
Accept: */*

* gnutls_handshake() failed: Illegal parameter
* Closing connection 0
curl: (35) gnutls_handshake() failed: Illegal parameter
Questions:
1) Is this a compatibility issue between Dogtag or the IPA server NSS or TLS libraries and those of certmonger or its helpers?
2) Can I disable the need for a certificate to connect to the server while asking IPA to renew my certificates?
This is a production system and I really would like to make sure it doesn't become unavailable next month.
I'm pasting some more information below.
Thanks again! Robson
========> certutil -L

/etc/dirsrv/slapd-CEFAPNET-ICB-USP-BR/:
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
Server-Cert                                                  u,u,u
CEFAPNET.ICB.USP.BR IPA CA                                   CT,C,C

/etc/pki/pki-tomcat/alias/:
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu

/etc/ipa/nssdb/:
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
CEFAPNET.ICB.USP.BR IPA CA                                   C,C,C

/etc/apache2/nssdb/:
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
CEFAPNET.ICB.USP.BR IPA CA                                   C,C,C
========> getcert list
Number of certificates and requests being tracked: 8.
Request ID '20171220173724':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://server.local:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=REALM.LOCAL
        subject: CN=CA Audit,O=REALM.LOCAL
        expires: 2019-12-10 17:36:54 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20171220173725':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://server.local:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=REALM.LOCAL
        subject: CN=OCSP Subsystem,O=REALM.LOCAL
        expires: 2019-12-10 17:36:53 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        eku: id-kp-OCSPSigning
        pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20171220173726':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://server.local:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=REALM.LOCAL
        subject: CN=CA Subsystem,O=REALM.LOCAL
        expires: 2019-12-10 17:36:53 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20171220173727':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://server.local:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=REALM.LOCAL
        subject: CN=Certificate Authority,O=REALM.LOCAL
        expires: 2037-12-20 17:36:53 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20171220173728':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://server.local:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=REALM.LOCAL
        subject: CN=IPA RA,O=REALM.LOCAL
        expires: 2019-12-10 17:37:21 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20171220173729':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://server.local:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=REALM.LOCAL
        subject: CN=server.local,O=REALM.LOCAL
        expires: 2019-12-10 17:36:53 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth
        pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20171220173759':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-REALM.LOCAL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-CEFAPNET-ICB-USP-BR/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-REALM.LOCAL',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=REALM.LOCAL
        subject: CN=server.local,O=REALM.LOCAL
        expires: 2019-12-21 17:37:59 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib/ipa/certmonger/restart_dirsrv REALM.LOCAL
        track: yes
        auto-renew: yes
Request ID '20171220173822':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=REALM.LOCAL
        subject: CN=server.local,O=REALM.LOCAL
        expires: 2019-12-21 17:38:22 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
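Added example, not code from the thread, FreeIPA or certmonger: a small audit over the text format of getcert list shown above that flags every tracked request whose renewal is stalled (any status other than MONITORING, reported together with its ca-error) or whose certificate expires within a chosen window, so the CA_UNREACHABLE / Error 60 situation is caught before the December expiry rather than after. The embedded listing is constructed from the shape of the redacted output above; server.local, REALM.LOCAL and the dates are placeholders, and the check generalizes to any status certmonger reports.

```python
"""Audit certmonger's tracked certificates before they expire: an added example,
not code from the thread or from FreeIPA/certmonger. It parses the text that
`getcert list` prints (as pasted above) and flags every request that is not in
MONITORING state or expires within a window, so a stalled renewal such as the
CA_UNREACHABLE / Error 60 case is caught before the server goes down."""
import re
import subprocess
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed sample in `getcert list` format; names and dates follow the
# thread's redacted listing and are placeholders, not a real deployment.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20171220173728':
\tstatus: CA_UNREACHABLE
\tca-error: Error 60 connecting to https://server.local:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
\tcertificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\texpires: 2019-12-10 17:37:21 UTC
Request ID '20171220173822':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\texpires: 2019-12-21 17:38:22 UTC
"""
SAMPLE_NOW = datetime(2019, 11, 18, tzinfo=timezone.utc)  # date of the first mail

_REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
_NICK_RE = re.compile(r"nickname='([^']*)'")

@dataclass
class TrackedCert:
    request_id: str
    status: str = ""
    ca_error: str = ""
    nickname: str = ""
    expires: Optional[datetime] = None

def parse_getcert_list(text: str) -> List[TrackedCert]:
    """One TrackedCert per 'Request ID' block; keys not needed here are ignored."""
    certs: List[TrackedCert] = []
    cur: Optional[TrackedCert] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _REQUEST_RE.match(line)
        if m:
            cur = TrackedCert(request_id=m.group(1))
            certs.append(cur)
            continue
        if cur is None or ":" not in line:
            continue  # the "Number of certificates ..." header, or a blank line
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "status":
            cur.status = value
        elif key == "ca-error":
            cur.ca_error = value
        elif key == "certificate":
            nick = _NICK_RE.search(value)
            cur.nickname = nick.group(1) if nick else ""
        elif key == "expires":  # printed as "2019-12-10 17:37:21 UTC"; store aware UTC
            naive = datetime.strptime(value.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
            cur.expires = naive.replace(tzinfo=timezone.utc)
    return certs

def audit(certs: List[TrackedCert], now: datetime, warn_days: int = 30) -> List[Tuple[str, str, str]]:
    """Return (request_id, nickname, reason) for each entry that needs attention."""
    findings = []
    horizon = now + timedelta(days=warn_days)
    for c in certs:
        if c.status != "MONITORING":  # CA_UNREACHABLE, NEED_GUIDANCE, ...
            findings.append((c.request_id, c.nickname, f"renewal stalled: status={c.status} {c.ca_error}".rstrip()))
        if c.expires is not None and c.expires <= now:
            findings.append((c.request_id, c.nickname, f"EXPIRED {c.expires:%Y-%m-%d}"))
        elif c.expires is not None and c.expires <= horizon:
            days = (c.expires - now).days
            findings.append((c.request_id, c.nickname, f"expires in {days} days ({c.expires:%Y-%m-%d})"))
    return findings

def audit_sample(warn_days: int = 30) -> List[Tuple[str, str, str]]:
    """Audit the constructed sample as of SAMPLE_NOW (offline self-check)."""
    return audit(parse_getcert_list(SAMPLE_GETCERT_OUTPUT), SAMPLE_NOW, warn_days)

def audit_live(warn_days: int = 30) -> List[Tuple[str, str, str]]:
    """Audit this host's real tracking list; needs certmonger's getcert on PATH."""
    out = subprocess.run(["getcert", "list"], capture_output=True, text=True, check=True).stdout
    return audit(parse_getcert_list(out), datetime.now(timezone.utc), warn_days)
```

Run audit_live() from cron on each IPA server and alert on a non-empty result; on the listing above it would have reported six stalled requests and their expiry dates weeks ahead of 10 December.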
On Mon, 18 Nov 2019 at 09:09, Timo Aaltonen tjaalton@ubuntu.com wrote:
Robson Francisco de Souza via FreeIPA-users wrote:
Talking to dogtag requires a client certificate. This client certificate is loaded via libnsspem.
Changing to error 60 is probably a good sign.
I don't know what NSS database is used by certmonger in Ubuntu so I can't recommend where to check for missing CA certificate/trust.
In upstream IPA this is in /etc/ipa/nssdb.
Another suggestion would be to look in /etc/pki/nssdb.
rob
Hi,
I know this is an old thread but I'm facing the same issue. I have tried all possible solutions mentioned here. Anyone know how to fix "ca-error: Error 60 connecting to https://<xxxx>:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates."
thanks, look
Look data via FreeIPA-users wrote:
Need more context. What version of Ubuntu? Is this a server running on it or a client?
If it's a server then it's likely the same libnsspem problem Timo mentions in the thread. I'm not sure if that was ever resolved.
rob
Hi Rob,
It's Ubuntu 16.04 and a server running on it. IPA VERSION: 4.3.1, API_VERSION: 2.164.
I installed libnsspem from Ubuntu 18.04. Following that, the error message changed from Error 77 to Error 60 as mentioned here.
I'm not sure what else I need to change.
look
Look data via FreeIPA-users wrote:
I don't know. The server on Ubuntu is built and linked differently than Fedora or RHEL releases and is using very old code by Internet standards.
The submission by /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit should include the path to /etc/ipa/ca.crt which is passed into libcurl by certmonger. It's possible that this either isn't being passed into or isn't being used by nss-pem. It well could be an issue in curl.
Note that curl upstream has dropped this integration.
rob
Morning,
You do realize you are on end-of-life versions of Ubuntu, both 16.04 and 18.04.
Regards, Jonathan Aquilina
-----Original Message----- From: Rob Crittenden via FreeIPA-users freeipa-users@lists.fedorahosted.org Sent: 07 February 2024 20:40 To: FreeIPA users list freeipa-users@lists.fedorahosted.org Cc: Look data thelookdata@gmail.com; Rob Crittenden rcritten@redhat.com Subject: [Freeipa-users] Re: certmonger error on ubuntu