11:50 a.m.
I'm trying to fix a freeipa 4.6 cluster running on centos 7 that has
expired directory and http certificates. I turned back the clock so that
the certs would be valid and am trying to run ipa-cert-fix but its failing
with:
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Fixing the following system certs: ['sslserver']
INFO: Renewing the following additional certs: ['21']
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Stopping the instance to proceed with system cert renewal
INFO: Configuring LDAP password authentication
INFO: Setting pkidbuser password via ldappasswd
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Selftests disabled for subsystems: ca
INFO: Resetting password for uid=ipara,ou=people,o=ipaca
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Creating a temporary sslserver cert
INFO: Getting sslserver cert info for ca
INFO: Trying to create a new temp cert for sslserver.
INFO: Generate temp SSL certificate
INFO: Getting sslserver cert info for ca
INFO: Selftests enabled for subsystems: ca
INFO: Restoring previous LDAP configuration
ERROR: Unable to find CSR for sslserver cert
AFter doing some searching I found
https://access.redhat.com/solutions/4852721 but the instructions aren't
applying to me because there's no CSR in the request:
Request ID '20210601131820':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=RHELENT.LAN
subject: CN=CA Subsystem,O=RHELENT.LAN
expires: 2023-05-01 18:04:11 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
then look for a csr:
[root@freeipa ~]# grep -A 19 csr
/var/lib/certmonger/requests/20210601131820
[root@freeipa ~]#
Is there something i can do to get the ca subsystem cert re-issued?
Thanks
Marc Boorshtein
2:02 p.m.
Marc Boorshtein via FreeIPA-users wrote:
I'm trying to fix a freeipa 4.6 cluster running on centos 7 that
has
expired directory and http certificates. I turned back the clock so
that the certs would be valid and am trying to run ipa-cert-fix but its
failing with:
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Fixing the following system certs: ['sslserver']
INFO: Renewing the following additional certs: ['21']
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Stopping the instance to proceed with system cert renewal
INFO: Configuring LDAP password authentication
INFO: Setting pkidbuser password via ldappasswd
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Selftests disabled for subsystems: ca
INFO: Resetting password for uid=ipara,ou=people,o=ipaca
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Creating a temporary sslserver cert
INFO: Getting sslserver cert info for ca
INFO: Trying to create a new temp cert for sslserver.
INFO: Generate temp SSL certificate
INFO: Getting sslserver cert info for ca
INFO: Selftests enabled for subsystems: ca
INFO: Restoring previous LDAP configuration
ERROR: Unable to find CSR for sslserver cert
AFter doing some searching I
found https://access.redhat.com/solutions/4852721 but the instructions
aren't applying to me because there's no CSR in the request:
Request ID '20210601131820':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=RHELENT.LAN
subject: CN=CA Subsystem,O=RHELENT.LAN
expires: 2023-05-01 18:04:11 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
then look for a csr:
[root@freeipa ~]# grep -A 19 csr
/var/lib/certmonger/requests/20210601131820
[root@freeipa ~]#
Is there something i can do to get the ca subsystem cert re-issued?
It didn't fail on the subsystem certificate, it failed on the TLS
certificate for the CA itself (it seems). You can check that with:
getcert list -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca"
If it expires in 2023 then you're ok with the CA anyhow.
rob
2:09 p.m.
It didn't fail on the subsystem certificate, it failed on the TLS
certificate for the CA itself (it seems). You can check that with:
getcert list -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca"
Here's the output:
[root@freeipa ca]# getcert list -d /etc/pki/pki-tomcat/alias -n
"Server-Cert cert-pki-ca"
Number of certificates and requests being tracked: 9.
Request ID '20210601131824':
status: CA_UNREACHABLE
ca-error: Error 7 connecting to
http://freeipa.rhelent.lan:8080/ca/ee/ca/profileSubmit: Couldn't connect to
server.
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=RHELENT.LAN
subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
expires: 2021-06-08 16:53:15 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert
cert-pki-ca"
track: yes
auto-renew: yes
If it expires in 2023 then you're ok with the CA anyhow.
Listed as expiring in 2021. Can I force this to be re-issued?
Thanks
Marc
2:50 p.m.
Marc Boorshtein wrote:
It didn't fail on the subsystem certificate, it failed on the TLS
certificate for the CA itself (it seems). You can check that with:
getcert list -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca"
Here's the output:
[root@freeipa ca]# getcert list -d /etc/pki/pki-tomcat/alias -n
"Server-Cert cert-pki-ca"
Number of certificates and requests being tracked: 9.
Request ID '20210601131824':
status: CA_UNREACHABLE
ca-error: Error 7 connecting to
http://freeipa.rhelent.lan:8080/ca/ee/ca/profileSubmit: Couldn't connect
to server.
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=RHELENT.LAN
subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
expires: 2021-06-08 16:53:15 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
If it expires in 2023 then you're ok with the CA anyhow.
Listed as expiring in 2021. Can I force this to be re-issued?
Looks like you're running into
https://bugzilla.redhat.com/show_bug.cgi?id=1780782
The fix wasn't backported to the ipa-4.6 branch.
Try retrieving the CSR from certmonger as suggested in the BZ.
rob
3:10 p.m.
Looks like you're running into
https://bugzilla.redhat.com/show_bug.cgi?id=1780782
The fix wasn't backported to the ipa-4.6 branch.
Try retrieving the CSR from certmonger as suggested in the BZ.
I tried that, bot no change:
# grep -A 19 csr /var/lib/certmonger/requests/20210601131824
csr=-----BEGIN NEW CERTIFICATE REQUEST-----
MIIDDTCCAfUCAQAwJzEUMBIGA1UECgwLUkhFTEVOVC5MQU4xDzANBgNVBAMMBklQ
QSBSQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJwhWQd1/97oB3yd
DSQqOz3ZlBM0DygBWflWgbnMVsqf/HHpw+kDZeq5mRJ62/62/ene25/E6QuYOOvN
YfwcJdaqGRRhXLlURYsKgeXymK8Y58+/97+yP4YRe1/QEw0MogMwY/+ov2BOIy+i
6OmsZhuIv6ZgPEXqMqXgm9VP082uuwH0eLu60+H4stVr9BsFvC6wOb3N6nIIpd0N
RgjMTFUPLyBWqw1R7q+dyaNcGDUiHycYLO3q/8F9YQyOGVC/Y1psgXH33RvuEkWI
pb8GHjmqSPpMWBp8EhZsXc6g4jvD4sD7wlClLKJvz/+Xq3jVxkE+kPMO14LRU+eo
Dh7c63MCAwEAAaCBoDArBgkqhkiG9w0BCRQxHh4cADIAMAAyADEAMAA2ADAAMQAx
ADMAMQA4ADIAMzBxBgkqhkiG9w0BCQ4xZDBiMA4GA1UdDwEBAAQEAwIE8DAgBgNV
HSUBAQAEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAgBgNV
HQ4BAQAEFgQU+KhKXfD/PdXMbPumFzZncl96xmswDQYJKoZIhvcNAQELBQADggEB
AH0LQGM63xHZP0GQsV28kcqIVr5qcnJugRwXPpJ90Hbp+MGjHrhS4vAWRRULRnAh
0t5XziT95j3UuixFCt8pe5yoy/YPiczR7Hkk/s+JVV8iNuqO6vvFe32yIKTpaULC
BG6S38F7WVoj4+Gv9rq2nY9U02NFzGlujip7gtrnTMaGQ7KOu+J/vksICOwe9/yM
zHjw5t+p1Ltbk4691fcmV9iZp0FR5bSAUweFJnO+er3ovPqtDtGf+LfTaaAWB3EE
Tl1aoswI4YtpFWtuN3A9RU0z42Q1VDau6ITj05zLJRE3MhZsZY5OjuRTMlpoSqxv
0DU4gR7eTcjzO7TcKELQnBs=
-----END NEW CERTIFICATE REQUEST-----
spkac=MIICQDCCASgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcIVkHdf/e6Ad8nQ0kKjs92ZQTNA8oAVn5VoG5zFbKn/xx6cPpA2XquZkSetv+tv3p3tufxOkLmDjrzWH8HCXWqhkUYVy5VEWLCoHl8pivGOfPv/e/sj+GEXtf0BMNDKIDMGP/qL9gTiMvoujprGYbiL+mYDxF6jKl4JvVT9PNrrsB9Hi7utPh+LLVa/QbBbwusDm9zepyCKXdDUYIzExVDy8gVqsNUe6vncmjXBg1Ih8nGCzt6v/BfWEMjhlQv2NabIFx990b7hJFiKW/Bh45qkj6TFgafBIWbF3OoOI7w+LA+8JQpSyib8//l6t41cZBPpDzDteC0VPnqA4e3OtzAgMBAAEWADANBgkqhkiG9w0BAQsFAAOCAQEANLPk6UZoMcMh1HC+0aUOPqpxfNbenr4Vy32ieKuUZYdESXlKdutuIZStCAGobduEEABpQg9hj54R3l8ruFTGdNy+Yd4vXglDFfYUtHid0VV0PTy9DF7pa2brWR6OMysR9EquR4eAWvTIwF6oFFz+b/5FBY6mQa67DPiK7gVd4a39JolPGpMmvxXrCgIF3008jtlhsZwkNosFkHYwMryqLoNwi2I9mPqOv/ZeGq6ymHMi+P7IZnsKqt16sZQJXLpAbnKpc9RiJSxYrDGUB6O0wbqkyjaTrFMLHbM+xSJxN66OoUAkd80mYvS2xEYeqm5IqtoG2uTjo3z5RbKiaOHfrw==
Then, added
ca.cert.sslserver.certreq=MIIDDTCCAfUCAQAwJzEUMBIGA1UECgwLUkhFTEVOVC5MQU4xDzANBgNVBAMMBklQQSBSQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJwhWQd1/97oB3ydDSQqOz3ZlBM0DygBWflWgbnMVsqf/HHpw+kDZeq5mRJ62/62/ene25/E6QuYOOvNYfwcJdaqGRRhXLlURYsKgeXymK8Y58+/97+yP4YRe1/QEw0MogMwY/+ov2BOIy+i6OmsZhuIv6ZgPEXqMqXgm9VP082uuwH0eLu60+H4stVr9BsFvC6wOb3N6nIIpd0NRgjMTFUPLyBWqw1R7q+dyaNcGDUiHycYLO3q/8F9YQyOGVC/Y1psgXH33RvuEkWIpb8GHjmqSPpMWBp8EhZsXc6g4jvD4sD7wlClLKJvz/+Xq3jVxkE+kPMO14LRU+eoDh7c63MCAwEAAaCBoDArBgkqhkiG9w0BCRQxHh4cADIAMAAyADEAMAA2ADAAMQAxADMAMQA4ADIAMzBxBgkqhkiG9w0BCQ4xZDBiMA4GA1UdDwEBAAQEAwIE8DAgBgNVHSUBAQAEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAgBgNVHQ4BAQAEFgQU+KhKXfD/PdXMbPumFzZncl96xmswDQYJKoZIhvcNAQELBQADggEBAH0LQGM63xHZP0GQsV28kcqIVr5qcnJugRwXPpJ90Hbp+MGjHrhS4vAWRRULRnAh0t5XziT95j3UuixFCt8pe5yoy/YPiczR7Hkk/s+JVV8iNuqO6vvFe32yIKTpaULCBG6S38F7WVoj4+Gv9rq2nY9U02NFzGlujip7gtrnTMaGQ7KOu+J/vksICOwe9/yMzHjw5t+p1Ltbk4691fcmV9iZp0FR5bSAUweFJnO+er3ovPqtDtGf+LfTaaAWB3EETl1aoswI4YtpFWtuN3A9RU0z42Q1VDau6ITj05zLJRE3MhZsZY5OjuRTMlpoSqxv0DU4gR7eTcjzO7TcKELQnBs=
to /etc/pki/pki-tomcat/ca/CS.cfg, then run:
# ipa-cert-fix
WARNING
ipa-cert-fix is intended for recovery when expired certificates
prevent the normal operation of IPA. It should ONLY be used
in such scenarios, and backup of the system, especially certificates
and keys, is STRONGLY RECOMMENDED.
The following certificates will be renewed:
Dogtag sslserver certificate:
Subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
Serial: 23
Expires: 2021-06-08 16:53:15
IPA IPA RA certificate:
Subject: CN=IPA RA,O=RHELENT.LAN
Serial: 21
Expires: 2021-06-08 16:52:45
Enter "yes" to proceed: yes
Proceeding.
Command 'pki-server cert-fix --ldapi-socket
/var/run/slapd-RHELENT-LAN.socket --agent-uid ipara --cert sslserver
--extra-cert 21' returned non-zero exit status 1
The ipa-cert-fix command failed.
[root@freeipa ca]# pki-server cert-fix --ldapi-socket
/var/run/slapd-RHELENT-LAN.socket --agent-uid ipara --cert sslserver
--extra-cert 21
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Fixing the following system certs: ['sslserver']
INFO: Renewing the following additional certs: ['21']
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Stopping the instance to proceed with system cert renewal
INFO: Configuring LDAP password authentication
INFO: Setting pkidbuser password via ldappasswd
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Selftests disabled for subsystems: ca
INFO: Resetting password for uid=ipara,ou=people,o=ipaca
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Creating a temporary sslserver cert
INFO: Getting sslserver cert info for ca
INFO: Trying to create a new temp cert for sslserver.
INFO: Generate temp SSL certificate
INFO: Getting sslserver cert info for ca
INFO: Selftests enabled for subsystems: ca
INFO: Restoring previous LDAP configuration
ERROR: Unable to find CSR for sslserver cert
thanks
Marc
4:17 a.m.
Hi,
the CSR that you used is the one for the RA cert, not for "Server-Cert
cert-pki-ca" (*openssl req -noout -text* shows *Subject: O = RHELENT.LAN,
CN = IPA RA*).
It seems that 2 different repair procedures were mixed: go back in time and
use ipa-cert-fix. With ipa-cert-fix you don't need to change the current
time. In order to fix the issue, we need to have the full picture:
- what is the full output of getcert list (please include the "current"
date on the system for us to know which certs are considered still valid)
- which node is the renewal master (ipa config-show | grep "IPA CA renewal
master")
The request ID for "Server-Cert cert-pki-ca" (as displayed by getcert list)
is 20210601131824, meaning that the corresponding request file can be found
with
# grep -l "id=20210601131824" /var/lib/certmonger/requests/*
If the request file doesn't already contain a CSR, it can be added using
getcert resubmit -i <ID>.
flo
On Tue, Sep 14, 2021 at 10:12 PM Marc Boorshtein via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
> Looks like you're running into
> https://bugzilla.redhat.com/show_bug.cgi?id=1780782
>
> The fix wasn't backported to the ipa-4.6 branch.
>
> Try retrieving the CSR from certmonger as suggested in the BZ.
>
>
I tried that, bot no change:
# grep -A 19 csr /var/lib/certmonger/requests/20210601131824
csr=-----BEGIN NEW CERTIFICATE REQUEST-----
MIIDDTCCAfUCAQAwJzEUMBIGA1UECgwLUkhFTEVOVC5MQU4xDzANBgNVBAMMBklQ
QSBSQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJwhWQd1/97oB3yd
DSQqOz3ZlBM0DygBWflWgbnMVsqf/HHpw+kDZeq5mRJ62/62/ene25/E6QuYOOvN
YfwcJdaqGRRhXLlURYsKgeXymK8Y58+/97+yP4YRe1/QEw0MogMwY/+ov2BOIy+i
6OmsZhuIv6ZgPEXqMqXgm9VP082uuwH0eLu60+H4stVr9BsFvC6wOb3N6nIIpd0N
RgjMTFUPLyBWqw1R7q+dyaNcGDUiHycYLO3q/8F9YQyOGVC/Y1psgXH33RvuEkWI
pb8GHjmqSPpMWBp8EhZsXc6g4jvD4sD7wlClLKJvz/+Xq3jVxkE+kPMO14LRU+eo
Dh7c63MCAwEAAaCBoDArBgkqhkiG9w0BCRQxHh4cADIAMAAyADEAMAA2ADAAMQAx
ADMAMQA4ADIAMzBxBgkqhkiG9w0BCQ4xZDBiMA4GA1UdDwEBAAQEAwIE8DAgBgNV
HSUBAQAEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAgBgNV
HQ4BAQAEFgQU+KhKXfD/PdXMbPumFzZncl96xmswDQYJKoZIhvcNAQELBQADggEB
AH0LQGM63xHZP0GQsV28kcqIVr5qcnJugRwXPpJ90Hbp+MGjHrhS4vAWRRULRnAh
0t5XziT95j3UuixFCt8pe5yoy/YPiczR7Hkk/s+JVV8iNuqO6vvFe32yIKTpaULC
BG6S38F7WVoj4+Gv9rq2nY9U02NFzGlujip7gtrnTMaGQ7KOu+J/vksICOwe9/yM
zHjw5t+p1Ltbk4691fcmV9iZp0FR5bSAUweFJnO+er3ovPqtDtGf+LfTaaAWB3EE
Tl1aoswI4YtpFWtuN3A9RU0z42Q1VDau6ITj05zLJRE3MhZsZY5OjuRTMlpoSqxv
0DU4gR7eTcjzO7TcKELQnBs=
-----END NEW CERTIFICATE REQUEST-----
spkac=MIICQDCCASgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcIVkHdf/e6Ad8nQ0kKjs92ZQTNA8oAVn5VoG5zFbKn/xx6cPpA2XquZkSetv+tv3p3tufxOkLmDjrzWH8HCXWqhkUYVy5VEWLCoHl8pivGOfPv/e/sj+GEXtf0BMNDKIDMGP/qL9gTiMvoujprGYbiL+mYDxF6jKl4JvVT9PNrrsB9Hi7utPh+LLVa/QbBbwusDm9zepyCKXdDUYIzExVDy8gVqsNUe6vncmjXBg1Ih8nGCzt6v/BfWEMjhlQv2NabIFx990b7hJFiKW/Bh45qkj6TFgafBIWbF3OoOI7w+LA+8JQpSyib8//l6t41cZBPpDzDteC0VPnqA4e3OtzAgMBAAEWADANBgkqhkiG9w0BAQsFAAOCAQEANLPk6UZoMcMh1HC+0aUOPqpxfNbenr4Vy32ieKuUZYdESXlKdutuIZStCAGobduEEABpQg9hj54R3l8ruFTGdNy+Yd4vXglDFfYUtHid0VV0PTy9DF7pa2brWR6OMysR9EquR4eAWvTIwF6oFFz+b/5FBY6mQa67DPiK7gVd4a39JolPGpMmvxXrCgIF3008jtlhsZwkNosFkHYwMryqLoNwi2I9mPqOv/ZeGq6ymHMi+P7IZnsKqt16sZQJXLpAbnKpc9RiJSxYrDGUB6O0wbqkyjaTrFMLHbM+xSJxN66OoUAkd80mYvS2xEYeqm5IqtoG2uTjo3z5RbKiaOHfrw==
Then, added
ca.cert.sslserver.certreq=MIIDDTCCAfUCAQAwJzEUMBIGA1UECgwLUkhFTEVOVC5MQU4xDzANBgNVBAMMBklQQSBSQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJwhWQd1/97oB3ydDSQqOz3ZlBM0DygBWflWgbnMVsqf/HHpw+kDZeq5mRJ62/62/ene25/E6QuYOOvNYfwcJdaqGRRhXLlURYsKgeXymK8Y58+/97+yP4YRe1/QEw0MogMwY/+ov2BOIy+i6OmsZhuIv6ZgPEXqMqXgm9VP082uuwH0eLu60+H4stVr9BsFvC6wOb3N6nIIpd0NRgjMTFUPLyBWqw1R7q+dyaNcGDUiHycYLO3q/8F9YQyOGVC/Y1psgXH33RvuEkWIpb8GHjmqSPpMWBp8EhZsXc6g4jvD4sD7wlClLKJvz/+Xq3jVxkE+kPMO14LRU+eoDh7c63MCAwEAAaCBoDArBgkqhkiG9w0BCRQxHh4cADIAMAAyADEAMAA2ADAAMQAxADMAMQA4ADIAMzBxBgkqhkiG9w0BCQ4xZDBiMA4GA1UdDwEBAAQEAwIE8DAgBgNVHSUBAQAEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAgBgNVHQ4BAQAEFgQU+KhKXfD/PdXMbPumFzZncl96xmswDQYJKoZIhvcNAQELBQADggEBAH0LQGM63xHZP0GQsV28kcqIVr5qcnJugRwXPpJ90Hbp+MGjHrhS4vAWRRULRnAh0t5XziT95j3UuixFCt8pe5yoy/YPiczR7Hkk/s+JVV8iNuqO6vvFe32yIKTpaULCBG6S38F7WVoj4+Gv9rq2nY9U02NFzGlujip7gtrnTMaGQ7KOu+J/vksICOwe9/yMzHjw5t+p1Ltbk4691fcmV9iZp0FR5bSAUweFJnO+er3ovPqtDtGf+LfTaaAWB3EETl1aoswI4YtpFWtuN3A9RU0z42Q1VDau6ITj05zLJRE3MhZsZY5OjuRTMlpoSqxv0DU4gR7eTcjzO7TcKELQnBs=
to /etc/pki/pki-tomcat/ca/CS.cfg, then run:
# ipa-cert-fix
WARNING
ipa-cert-fix is intended for recovery when expired certificates
prevent the normal operation of IPA. It should ONLY be used
in such scenarios, and backup of the system, especially certificates
and keys, is STRONGLY RECOMMENDED.
The following certificates will be renewed:
Dogtag sslserver certificate:
Subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
Serial: 23
Expires: 2021-06-08 16:53:15
IPA IPA RA certificate:
Subject: CN=IPA RA,O=RHELENT.LAN
Serial: 21
Expires: 2021-06-08 16:52:45
Enter "yes" to proceed: yes
Proceeding.
Command 'pki-server cert-fix --ldapi-socket
/var/run/slapd-RHELENT-LAN.socket --agent-uid ipara --cert sslserver
--extra-cert 21' returned non-zero exit status 1
The ipa-cert-fix command failed.
[root@freeipa ca]# pki-server cert-fix --ldapi-socket
/var/run/slapd-RHELENT-LAN.socket --agent-uid ipara --cert sslserver
--extra-cert 21
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Fixing the following system certs: ['sslserver']
INFO: Renewing the following additional certs: ['21']
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Stopping the instance to proceed with system cert renewal
INFO: Configuring LDAP password authentication
INFO: Setting pkidbuser password via ldappasswd
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Selftests disabled for subsystems: ca
INFO: Resetting password for uid=ipara,ou=people,o=ipaca
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Creating a temporary sslserver cert
INFO: Getting sslserver cert info for ca
INFO: Trying to create a new temp cert for sslserver.
INFO: Generate temp SSL certificate
INFO: Getting sslserver cert info for ca
INFO: Selftests enabled for subsystems: ca
INFO: Restoring previous LDAP configuration
ERROR: Unable to find CSR for sslserver cert
thanks
Marc
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
7:28 a.m.
It seems that 2 different repair procedures were mixed: go back in time
and use ipa-cert-fix. With ipa-cert-fix you don't need to change the
current time. In order to fix the issue, we need to have the full picture:
- what is the full output of getcert list (please include the "current"
date on the system for us to know which certs are considered still valid)
- which node is the renewal master (ipa config-show | grep "IPA CA renewal
master")
Yes, I had to turn back the clock because the directory server wouldn't
start causing ipa-cert-fix to not work. Here's the fulloutput:
[root@freeipa ~]# getcert list
Number of certificates and requests being tracked: 9.
Request ID '20180504194716':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: SelfSign
issuer: CN=freeipa.rhelent.lan,O=RHELENT.LAN
subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
expires: 2022-02-11 18:03:36 UTC
principal name: krbtgt/RHELENT.LAN(a)RHELENT.LAN
certificate template/profile: KDCs_PKINIT_Certs
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
Request ID '20210601131816':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=RHELENT.LAN
subject: CN=CA Audit,O=RHELENT.LAN
expires: 2023-05-01 18:06:01 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20210601131818':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=RHELENT.LAN
subject: CN=OCSP Subsystem,O=RHELENT.LAN
expires: 2023-05-01 18:04:04 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20210601131820':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=RHELENT.LAN
subject: CN=CA Subsystem,O=RHELENT.LAN
expires: 2023-05-01 18:04:11 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20210601131821':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=RHELENT.LAN
subject: CN=Certificate Authority,O=RHELENT.LAN
expires: 2035-09-03 19:24:04 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20210601131823':
status: NEED_TO_SUBMIT
ca-error: Error 7 connecting to
http://freeipa.rhelent.lan:8080/ca/ee/ca/profileSubmit: Couldn't connect to
server.
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=RHELENT.LAN
subject: CN=IPA RA,O=RHELENT.LAN
expires: 2021-06-08 16:52:45 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20210601131824':
status: NEED_TO_SUBMIT
ca-error: Error 7 connecting to
http://freeipa.rhelent.lan:8080/ca/ee/ca/profileSubmit: Couldn't connect to
server.
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=RHELENT.LAN
subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
expires: 2021-06-08 16:53:15 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20210601131827':
status: NEED_TO_SUBMIT
ca-error: Server at https://freeipa.rhelent.lan/ipa/xml failed request,
will retry: -504 (libcurl failed to execute the HTTP POST transaction,
explaining: Peer's Certificate has expired.).
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-RHELENT-LAN',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-RHELENT-LAN/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-RHELENT-LAN',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=RHELENT.LAN
subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
expires: 2021-07-11 16:52:10 UTC
principal name: ldap/freeipa.rhelent.lan(a)RHELENT.LAN
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv RHELENT-LAN
track: yes
auto-renew: yes
Request ID '20210601131835':
status: NEED_TO_SUBMIT
ca-error: Server at https://freeipa.rhelent.lan/ipa/xml failed request,
will retry: -504 (libcurl failed to execute the HTTP POST transaction,
explaining: Peer's Certificate has expired.).
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=RHELENT.LAN
subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
expires: 2021-07-12 16:52:09 UTC
principal name: HTTP/freeipa.rhelent.lan(a)RHELENT.LAN
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
There's only one node
The request ID for "Server-Cert cert-pki-ca" (as displayed by getcert
list) is 20210601131824, meaning that the corresponding request file can be
found with
# grep -l "id=20210601131824" /var/lib/certmonger/requests/*
Ah, found it. It was in a different file then I expected. Thank you. I
moved that CSR into /etc/pki/pki-tomcat/ca/CS.cfg but still no luck (with
the current date):
# ipa-cert-fix
WARNING
ipa-cert-fix is intended for recovery when expired certificates
prevent the normal operation of IPA. It should ONLY be used
in such scenarios, and backup of the system, especially certificates
and keys, is STRONGLY RECOMMENDED.
The following certificates will be renewed:
Dogtag sslserver certificate:
Subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
Serial: 23
Expires: 2021-06-08 16:53:15
IPA IPA RA certificate:
Subject: CN=IPA RA,O=RHELENT.LAN
Serial: 21
Expires: 2021-06-08 16:52:45
IPA Apache HTTPS certificate:
Subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
Serial: 26
Expires: 2021-07-12 16:52:09
IPA LDAP certificate:
Subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
Serial: 25
Expires: 2021-07-11 16:52:10
Enter "yes" to proceed: yes
Proceeding.
[Errno 2] No such file or directory:
'/etc/pki/pki-tomcat/certs/sslserver.crt'
The ipa-cert-fix command failed.
Thanks
Marc
1:57 a.m.
Hi,
what is the full output of *ipa-cert-fix -v* (verbose)? The command
internally calls "*pki-server cert-fix*", and you will be able to find the
exact arguments list provided in the logs. Retry the same "pki-server
cert-fix" command with -v option and we will get more information about
what is going wrong.
flo
On Wed, Sep 15, 2021 at 2:29 PM Marc Boorshtein <
marc.boorshtein(a)tremolosecurity.com> wrote:
>
> It seems that 2 different repair procedures were mixed: go back in time
> and use ipa-cert-fix. With ipa-cert-fix you don't need to change the
> current time. In order to fix the issue, we need to have the full picture:
> - what is the full output of getcert list (please include the "current"
> date on the system for us to know which certs are considered still valid)
> - which node is the renewal master (ipa config-show | grep "IPA CA
> renewal master")
>
Yes, I had to turn back the clock because the directory server wouldn't
start causing ipa-cert-fix to not work. Here's the fulloutput:
[root@freeipa ~]# getcert list
Number of certificates and requests being tracked: 9.
Request ID '20180504194716':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: SelfSign
issuer: CN=freeipa.rhelent.lan,O=RHELENT.LAN
subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
expires: 2022-02-11 18:03:36 UTC
principal name: krbtgt/RHELENT.LAN(a)RHELENT.LAN
certificate template/profile: KDCs_PKINIT_Certs
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
Request ID '20210601131816':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=RHELENT.LAN
subject: CN=CA Audit,O=RHELENT.LAN
expires: 2023-05-01 18:06:01 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20210601131818':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=RHELENT.LAN
subject: CN=OCSP Subsystem,O=RHELENT.LAN
expires: 2023-05-01 18:04:04 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20210601131820':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=RHELENT.LAN
subject: CN=CA Subsystem,O=RHELENT.LAN
expires: 2023-05-01 18:04:11 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20210601131821':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=RHELENT.LAN
subject: CN=Certificate Authority,O=RHELENT.LAN
expires: 2035-09-03 19:24:04 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20210601131823':
status: NEED_TO_SUBMIT
ca-error: Error 7 connecting to
http://freeipa.rhelent.lan:8080/ca/ee/ca/profileSubmit: Couldn't connect
to server.
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=RHELENT.LAN
subject: CN=IPA RA,O=RHELENT.LAN
expires: 2021-06-08 16:52:45 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20210601131824':
status: NEED_TO_SUBMIT
ca-error: Error 7 connecting to
http://freeipa.rhelent.lan:8080/ca/ee/ca/profileSubmit: Couldn't connect
to server.
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=RHELENT.LAN
subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
expires: 2021-06-08 16:53:15 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20210601131827':
status: NEED_TO_SUBMIT
ca-error: Server at https://freeipa.rhelent.lan/ipa/xml failed request,
will retry: -504 (libcurl failed to execute the HTTP POST transaction,
explaining: Peer's Certificate has expired.).
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-RHELENT-LAN',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-RHELENT-LAN/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-RHELENT-LAN',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=RHELENT.LAN
subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
expires: 2021-07-11 16:52:10 UTC
principal name: ldap/freeipa.rhelent.lan(a)RHELENT.LAN
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv RHELENT-LAN
track: yes
auto-renew: yes
Request ID '20210601131835':
status: NEED_TO_SUBMIT
ca-error: Server at https://freeipa.rhelent.lan/ipa/xml failed request,
will retry: -504 (libcurl failed to execute the HTTP POST transaction,
explaining: Peer's Certificate has expired.).
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=RHELENT.LAN
subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
expires: 2021-07-12 16:52:09 UTC
principal name: HTTP/freeipa.rhelent.lan(a)RHELENT.LAN
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
There's only one node
>
> The request ID for "Server-Cert cert-pki-ca" (as displayed by getcert
> list) is 20210601131824, meaning that the corresponding request file can be
> found with
> # grep -l "id=20210601131824" /var/lib/certmonger/requests/*
>
Ah, found it. It was in a different file then I expected. Thank you. I
moved that CSR into /etc/pki/pki-tomcat/ca/CS.cfg but still no luck (with
the current date):
# ipa-cert-fix
WARNING
ipa-cert-fix is intended for recovery when expired certificates
prevent the normal operation of IPA. It should ONLY be used
in such scenarios, and backup of the system, especially certificates
and keys, is STRONGLY RECOMMENDED.
The following certificates will be renewed:
Dogtag sslserver certificate:
Subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
Serial: 23
Expires: 2021-06-08 16:53:15
IPA IPA RA certificate:
Subject: CN=IPA RA,O=RHELENT.LAN
Serial: 21
Expires: 2021-06-08 16:52:45
IPA Apache HTTPS certificate:
Subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
Serial: 26
Expires: 2021-07-12 16:52:09
IPA LDAP certificate:
Subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
Serial: 25
Expires: 2021-07-11 16:52:10
Enter "yes" to proceed: yes
Proceeding.
[Errno 2] No such file or directory:
'/etc/pki/pki-tomcat/certs/sslserver.crt'
The ipa-cert-fix command failed.
Thanks
Marc
952
days inactive
954
days old
freeipa-users@lists.fedorahosted.org
7 comments
3 participants
participants (3)
-
Florence Renaud -
Marc Boorshtein -
Rob Crittenden