It seems that 2 different repair procedures were mixed: go back in time
and use ipa-cert-fix. With ipa-cert-fix you don't need to change the
current time. In order to fix the issue, we need to have the full picture:
- what is the full output of getcert list (please include the "current"
date on the system for us to know which certs are considered still valid)
- which node is the renewal master (ipa config-show | grep "IPA CA renewal
master")
Yes, I had to turn back the clock because the directory server wouldn't
start, causing ipa-cert-fix to not work. Here's the full output:
[root@freeipa ~]# getcert list
Number of certificates and requests being tracked: 9.
Request ID '20180504194716':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: SelfSign
issuer: CN=freeipa.rhelent.lan,O=RHELENT.LAN
subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
expires: 2022-02-11 18:03:36 UTC
principal name: krbtgt/RHELENT.LAN@RHELENT.LAN
certificate template/profile: KDCs_PKINIT_Certs
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
Request ID '20210601131816':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=RHELENT.LAN
subject: CN=CA Audit,O=RHELENT.LAN
expires: 2023-05-01 18:06:01 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20210601131818':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=RHELENT.LAN
subject: CN=OCSP Subsystem,O=RHELENT.LAN
expires: 2023-05-01 18:04:04 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20210601131820':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=RHELENT.LAN
subject: CN=CA Subsystem,O=RHELENT.LAN
expires: 2023-05-01 18:04:11 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20210601131821':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=RHELENT.LAN
subject: CN=Certificate Authority,O=RHELENT.LAN
expires: 2035-09-03 19:24:04 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20210601131823':
status: NEED_TO_SUBMIT
ca-error: Error 7 connecting to
http://freeipa.rhelent.lan:8080/ca/ee/ca/profileSubmit: Couldn't connect to
server.
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=RHELENT.LAN
subject: CN=IPA RA,O=RHELENT.LAN
expires: 2021-06-08 16:52:45 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20210601131824':
status: NEED_TO_SUBMIT
ca-error: Error 7 connecting to
http://freeipa.rhelent.lan:8080/ca/ee/ca/profileSubmit: Couldn't connect to
server.
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=RHELENT.LAN
subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
expires: 2021-06-08 16:53:15 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20210601131827':
status: NEED_TO_SUBMIT
ca-error: Server at
https://freeipa.rhelent.lan/ipa/xml failed request,
will retry: -504 (libcurl failed to execute the HTTP POST transaction,
explaining: Peer's Certificate has expired.).
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-RHELENT-LAN',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-RHELENT-LAN/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-RHELENT-LAN',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=RHELENT.LAN
subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
expires: 2021-07-11 16:52:10 UTC
principal name: ldap/freeipa.rhelent.lan@RHELENT.LAN
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv RHELENT-LAN
track: yes
auto-renew: yes
Request ID '20210601131835':
status: NEED_TO_SUBMIT
ca-error: Server at
https://freeipa.rhelent.lan/ipa/xml failed request,
will retry: -504 (libcurl failed to execute the HTTP POST transaction,
explaining: Peer's Certificate has expired.).
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=RHELENT.LAN
subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
expires: 2021-07-12 16:52:09 UTC
principal name: HTTP/freeipa.rhelent.lan@RHELENT.LAN
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
There's only one node.
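The first reply asks for the getcert list output together with the current system date so that the still-valid certificates can be told apart from the expired ones. The following script is an added example, written for this thread and not taken from it or from the FreeIPA project: it parses getcert list output (including the lines folded by the mail client), reports each tracked certificate's status and expiry relative to a chosen reference time, and gives the earliest expiry, i.e. the last instant at which every tracked certificate was still valid. The sample input is constructed from the output posted above, shortened to three requests; the field names in FIELDS are the ones certmonger prints in that output.

```python
"""Parse `getcert list` output and report certificate expiry relative to a
reference time.  Added example for this thread, not FreeIPA project code."""
import re
from datetime import datetime, timezone

# Field names that `getcert list` prints one per line (taken from the output
# in the thread).  Any other line is treated as a wrapped continuation of the
# previous field's value, which is how mail clients fold long lines.
FIELDS = {
    "status", "stuck", "ca-error", "key pair storage", "certificate", "CA",
    "issuer", "subject", "expires", "principal name", "key usage", "eku",
    "pre-save command", "post-save command", "track", "auto-renew",
    "certificate template/profile",
}

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S %Z"

# Constructed sample: three requests excerpted from the thread's getcert list.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20210601131821':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
CA: dogtag-ipa-ca-renew-agent
subject: CN=Certificate Authority,O=RHELENT.LAN
expires: 2035-09-03 19:24:04 UTC
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert
cert-pki-ca"
track: yes
Request ID '20210601131824':
status: NEED_TO_SUBMIT
ca-error: Error 7 connecting to
http://freeipa.rhelent.lan:8080/ca/ee/ca/profileSubmit: Couldn't connect to
server.
stuck: no
CA: dogtag-ipa-ca-renew-agent
subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
expires: 2021-06-08 16:53:15 UTC
track: yes
Request ID '20210601131835':
status: NEED_TO_SUBMIT
ca-error: Server at
https://freeipa.rhelent.lan/ipa/xml failed request,
will retry: -504 (libcurl failed to execute the HTTP POST transaction,
explaining: Peer's Certificate has expired.).
stuck: no
CA: IPA
subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
expires: 2021-07-12 16:52:09 UTC
principal name: HTTP/freeipa.rhelent.lan@RHELENT.LAN
track: yes
"""


def parse_getcert_list(text):
    """Return one dict per 'Request ID' block, keyed by certmonger field name."""
    requests, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            last_key = None
            continue
        if current is None:
            continue  # header such as "Number of certificates ... tracked"
        key, sep, value = line.partition(": ")
        if not sep and line.endswith(":"):  # field with an empty value
            key, sep, value = line[:-1], ":", ""
        if sep and key in FIELDS:
            current[key] = value
            last_key = key
        elif last_key is not None:
            # wrapped continuation line: glue it to the previous field
            current[last_key] = (current[last_key] + " " + line).strip()
    return requests


def parse_expires(value):
    """'2021-06-08 16:53:15 UTC' -> aware datetime in UTC."""
    return datetime.strptime(value, EXPIRES_FMT).replace(tzinfo=timezone.utc)


def expiry_report(requests, now):
    """Per request: subject, certmonger status, expiry, whether it is expired
    at `now`, whole days left (negative when expired) and any ca-error."""
    report = []
    for r in requests:
        exp = parse_expires(r["expires"])
        report.append({
            "id": r["id"],
            "subject": r.get("subject", ""),
            "status": r.get("status", ""),
            "expires": exp,
            "expired": exp <= now,
            "days_left": (exp - now).days,
            "ca_error": r.get("ca-error", ""),
        })
    return report


def latest_time_all_valid(requests):
    """Earliest expiry among tracked certs: past this instant at least one
    tracked certificate is expired."""
    return min(parse_expires(r["expires"]) for r in requests)


if __name__ == "__main__":
    reqs = parse_getcert_list(SAMPLE)
    now = datetime.now(timezone.utc)
    for row in expiry_report(reqs, now):
        flag = "EXPIRED" if row["expired"] else "valid"
        print(f"{row['id']} {row['status']:<15} {flag:<8} "
              f"{row['days_left']:>6}d  {row['subject']}")
        if row["ca_error"]:
            print("    ca-error:", row["ca_error"])
    print("all tracked certs valid until:", latest_time_all_valid(reqs))
```

To run it against a live system, pipe `getcert list` into the script in place of SAMPLE; the reference time is whatever the system clock says, which is exactly why the first reply asks for the current date alongside the output.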
The request ID for "Server-Cert cert-pki-ca" (as displayed by getcert
list) is 20210601131824, meaning that the corresponding request file can be
found with
# grep -l "id=20210601131824" /var/lib/certmonger/requests/*
Ah, found it. It was in a different file than I expected. Thank you. I
moved that CSR into /etc/pki/pki-tomcat/ca/CS.cfg but still no luck (with
the current date):
# ipa-cert-fix
WARNING
ipa-cert-fix is intended for recovery when expired certificates
prevent the normal operation of IPA. It should ONLY be used
in such scenarios, and backup of the system, especially certificates
and keys, is STRONGLY RECOMMENDED.
The following certificates will be renewed:
Dogtag sslserver certificate:
Subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
Serial: 23
Expires: 2021-06-08 16:53:15
IPA IPA RA certificate:
Subject: CN=IPA RA,O=RHELENT.LAN
Serial: 21
Expires: 2021-06-08 16:52:45
IPA Apache HTTPS certificate:
Subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
Serial: 26
Expires: 2021-07-12 16:52:09
IPA LDAP certificate:
Subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
Serial: 25
Expires: 2021-07-11 16:52:10
Enter "yes" to proceed: yes
Proceeding.
[Errno 2] No such file or directory:
'/etc/pki/pki-tomcat/certs/sslserver.crt'
The ipa-cert-fix command failed.
Thanks
Marc