I'm trying to fix a FreeIPA 4.6 cluster running on CentOS 7 that has expired directory and HTTP certificates. I turned back the clock so that the certs would be valid and am trying to run ipa-cert-fix, but it's failing with:
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Fixing the following system certs: ['sslserver']
INFO: Renewing the following additional certs: ['21']
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Stopping the instance to proceed with system cert renewal
INFO: Configuring LDAP password authentication
INFO: Setting pkidbuser password via ldappasswd
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Selftests disabled for subsystems: ca
INFO: Resetting password for uid=ipara,ou=people,o=ipaca
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Creating a temporary sslserver cert
INFO: Getting sslserver cert info for ca
INFO: Trying to create a new temp cert for sslserver.
INFO: Generate temp SSL certificate
INFO: Getting sslserver cert info for ca
INFO: Selftests enabled for subsystems: ca
INFO: Restoring previous LDAP configuration
ERROR: Unable to find CSR for sslserver cert
After doing some searching I found https://access.redhat.com/solutions/4852721, but the instructions don't apply to me because there's no CSR in the request:
Request ID '20210601131820':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=RHELENT.LAN
  subject: CN=CA Subsystem,O=RHELENT.LAN
  expires: 2023-05-01 18:04:11 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
  track: yes
  auto-renew: yes
Then look for a CSR:
[root@freeipa ~]# grep -A 19 csr /var/lib/certmonger/requests/20210601131820
[root@freeipa ~]#
Is there something I can do to get the CA subsystem cert re-issued?
Thanks
Marc Boorshtein
It didn't fail on the subsystem certificate, it failed on the TLS certificate for the CA itself (it seems). You can check that with:
getcert list -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca"
If it expires in 2023 then you're ok with the CA anyhow.
rob
It didn't fail on the subsystem certificate, it failed on the TLS certificate for the CA itself (it seems). You can check that with:
getcert list -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca"
Here's the output:
[root@freeipa ca]# getcert list -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca"
Number of certificates and requests being tracked: 9.
Request ID '20210601131824':
  status: CA_UNREACHABLE
  ca-error: Error 7 connecting to http://freeipa.rhelent.lan:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=RHELENT.LAN
  subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
  expires: 2021-06-08 16:53:15 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
  track: yes
  auto-renew: yes
If it expires in 2023 then you're ok with the CA anyhow.
Listed as expiring in 2021. Can I force this to be re-issued?
Thanks
Marc
Looks like you're running into https://bugzilla.redhat.com/show_bug.cgi?id=1780782
The fix wasn't backported to the ipa-4.6 branch.
Try retrieving the CSR from certmonger as suggested in the BZ.
rob
Looks like you're running into https://bugzilla.redhat.com/show_bug.cgi?id=1780782
The fix wasn't backported to the ipa-4.6 branch.
Try retrieving the CSR from certmonger as suggested in the BZ.
I tried that, but no change:
# grep -A 19 csr /var/lib/certmonger/requests/20210601131824
csr=-----BEGIN NEW CERTIFICATE REQUEST-----
...
-----END NEW CERTIFICATE REQUEST-----
Then, added
ca.cert.sslserver.certreq=...
to /etc/pki/pki-tomcat/ca/CS.cfg, then ran:
# ipa-cert-fix
WARNING
ipa-cert-fix is intended for recovery when expired certificates prevent the normal operation of IPA. It should ONLY be used in such scenarios, and backup of the system, especially certificates and keys, is STRONGLY RECOMMENDED.
The following certificates will be renewed:
Dogtag sslserver certificate: Subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN Serial: 23 Expires: 2021-06-08 16:53:15
IPA IPA RA certificate: Subject: CN=IPA RA,O=RHELENT.LAN Serial: 21 Expires: 2021-06-08 16:52:45
Enter "yes" to proceed: yes
Proceeding.
Command 'pki-server cert-fix --ldapi-socket /var/run/slapd-RHELENT-LAN.socket --agent-uid ipara --cert sslserver --extra-cert 21' returned non-zero exit status 1
The ipa-cert-fix command failed.
[root@freeipa ca]# pki-server cert-fix --ldapi-socket /var/run/slapd-RHELENT-LAN.socket --agent-uid ipara --cert sslserver --extra-cert 21
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Fixing the following system certs: ['sslserver']
INFO: Renewing the following additional certs: ['21']
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Stopping the instance to proceed with system cert renewal
INFO: Configuring LDAP password authentication
INFO: Setting pkidbuser password via ldappasswd
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Selftests disabled for subsystems: ca
INFO: Resetting password for uid=ipara,ou=people,o=ipaca
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Creating a temporary sslserver cert
INFO: Getting sslserver cert info for ca
INFO: Trying to create a new temp cert for sslserver.
INFO: Generate temp SSL certificate
INFO: Getting sslserver cert info for ca
INFO: Selftests enabled for subsystems: ca
INFO: Restoring previous LDAP configuration
ERROR: Unable to find CSR for sslserver cert
Thanks
Marc
Hi,
the CSR that you used is the one for the RA cert, not for "Server-Cert cert-pki-ca" (*openssl req -noout -text* shows *Subject: O = RHELENT.LAN, CN = IPA RA*).
It seems that 2 different repair procedures were mixed: go back in time and use ipa-cert-fix. With ipa-cert-fix you don't need to change the current time. In order to fix the issue, we need to have the full picture:
- what is the full output of getcert list (please include the "current" date on the system for us to know which certs are considered still valid)
- which node is the renewal master (ipa config-show | grep "IPA CA renewal master")
The request ID for "Server-Cert cert-pki-ca" (as displayed by getcert list) is 20210601131824, meaning that the corresponding request file can be found with
# grep -l "id=20210601131824" /var/lib/certmonger/requests/*
If the request file doesn't already contain a CSR, it can be added using getcert resubmit -i <ID>.
flo
On Tue, Sep 14, 2021 at 10:12 PM Marc Boorshtein via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
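Flo's two checks above (find the request file by its id= line rather than by file name, then confirm that the CSR's subject is the one of the certificate being renewed, as openssl req -noout -text showed for the RA CSR) can be done in one pass. The script below is an added example, not code from this thread or from FreeIPA/certmonger; it assumes certmonger's request-file layout is one key=value per line with a PEM value continuing until its END marker, and it builds its own CSR-shaped sample data in a temporary directory so it runs offline.

```python
import base64
import tempfile
from pathlib import Path

# Subject attribute OIDs seen in this thread as raw DER content: 2.5.4.3 (CN), 2.5.4.10 (O).
_OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O"}

def _tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos:]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield the TLVs contained in a constructed value (SEQUENCE or SET)."""
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend

def csr_subject(pem):
    """Subject of a PEM CSR in the 'CN=...,O=...' order getcert prints (CSR -> CRI -> subject)."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    _, csr_start, _ = _tlv(der, 0)                    # CertificationRequest SEQUENCE
    _, cri_start, _ = _tlv(der, csr_start)            # certificationRequestInfo SEQUENCE
    _, _, version_end = _tlv(der, cri_start)          # version INTEGER, skipped
    _, subj_start, subj_end = _tlv(der, version_end)  # subject Name: SEQUENCE OF RDN
    parts = []
    for _, rdn_start, rdn_end in _children(der, subj_start, subj_end):  # each RDN is a SET
        for _, atv_start, _ in _children(der, rdn_start, rdn_end):      # AttributeTypeAndValue
            _, oid_start, oid_end = _tlv(der, atv_start)
            _, val_start, val_end = _tlv(der, oid_end)
            parts.append(f"{_OID_NAMES.get(der[oid_start:oid_end], '?')}={der[val_start:val_end].decode()}")
    return ",".join(reversed(parts))  # DER stores O before CN; getcert shows CN first

def parse_request(text):
    """Parse a certmonger request file into a dict. Assumed layout (not taken from certmonger's
    source): one key=value per line, a PEM value running on until its END line."""
    fields, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        key, sep, value = lines[i].partition("=")
        if sep and value.startswith("-----BEGIN"):
            block = [value]
            while not block[-1].startswith("-----END") and i + 1 < len(lines):
                i += 1
                block.append(lines[i].strip())
            value = "\n".join(block)
        if sep:
            fields[key] = value
        i += 1
    return fields

def find_request(reqdir, request_id):
    """Find the file whose id= matches (like grep -l "id=<ID>"); the file name need not equal the id."""
    for path in sorted(Path(reqdir).iterdir()):
        fields = parse_request(path.read_text())
        if fields.get("id") == request_id:
            return path, fields
    raise LookupError(f"no request file with id={request_id}")

def check_csr(reqdir, request_id, expected_subject):
    """Does the request hold a CSR, and is its subject the renewed cert's? A mismatch is the RA-CSR mix-up."""
    path, fields = find_request(reqdir, request_id)
    csr = fields.get("csr")
    subject = csr_subject(csr) if csr else None
    return {"file": path.name, "has_csr": bool(csr), "subject": subject,
            "matches": subject == expected_subject}

def _der(tag, content):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def sample_csr(subject):
    """Constructed CSR-shaped PEM with the given subject ([(oid_bytes, value)] in DER order); no key or signature."""
    rdns = b"".join(_der(0x31, _der(0x30, _der(0x06, oid) + _der(0x13, val.encode())))
                    for oid, val in subject)
    cri = _der(0x30, _der(0x02, b"\x00") + _der(0x30, rdns))  # version 0 + subject
    b64 = base64.b64encode(_der(0x30, cri)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN NEW CERTIFICATE REQUEST-----\n%s\n-----END NEW CERTIFICATE REQUEST-----" % "\n".join(lines)

def demo():
    """Constructed request directory mirroring the thread: the RA request (id ...823) holds the
    'CN=IPA RA' CSR, the Server-Cert request (id ...824) sits in a file whose name (constructed)
    differs from its id, and the subsystem request (id ...820) has no CSR at all."""
    o, cn = b"\x55\x04\x0a", b"\x55\x04\x03"
    ra_csr = sample_csr([(o, "RHELENT.LAN"), (cn, "IPA RA")])
    srv_csr = sample_csr([(o, "RHELENT.LAN"), (cn, "freeipa.rhelent.lan")])
    server_cert = "CN=freeipa.rhelent.lan,O=RHELENT.LAN"  # subject shown by getcert list
    with tempfile.TemporaryDirectory() as d:
        Path(d, "20210601131823").write_text(f"id=20210601131823\ncsr={ra_csr}\nspkac=\n")
        Path(d, "20210601131899").write_text(f"id=20210601131824\ncsr={srv_csr}\nspkac=\n")
        Path(d, "20210601131820").write_text("id=20210601131820\nspkac=\n")
        wrong = check_csr(d, "20210601131823", server_cert)  # RA CSR: subject mismatch
        right = check_csr(d, "20210601131824", server_cert)  # found by id, subject matches
        none = check_csr(d, "20210601131820", "CN=CA Subsystem,O=RHELENT.LAN")
    return wrong, right, none
```

Against a real server, point find_request at /var/lib/certmonger/requests and pass the subject line from getcert list; only a result with has_csr and matches both true is a CSR worth copying into CS.cfg.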
It seems that 2 different repair procedures were mixed: go back in time and use ipa-cert-fix. With ipa-cert-fix you don't need to change the current time. In order to fix the issue, we need to have the full picture:
- what is the full output of getcert list (please include the "current" date on the system for us to know which certs are considered still valid)
- which node is the renewal master (ipa config-show | grep "IPA CA renewal master")
Yes, I had to turn back the clock because the directory server wouldn't start, causing ipa-cert-fix not to work. Here's the full output:
[root@freeipa ~]# getcert list
Number of certificates and requests being tracked: 9.
Request ID '20180504194716':
  status: MONITORING
  stuck: no
  key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
  certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
  CA: SelfSign
  issuer: CN=freeipa.rhelent.lan,O=RHELENT.LAN
  subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
  expires: 2022-02-11 18:03:36 UTC
  principal name: krbtgt/RHELENT.LAN@RHELENT.LAN
  certificate template/profile: KDCs_PKINIT_Certs
  pre-save command:
  post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
  track: yes
  auto-renew: yes
Request ID '20210601131816':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=RHELENT.LAN
  subject: CN=CA Audit,O=RHELENT.LAN
  expires: 2023-05-01 18:06:01 UTC
  key usage: digitalSignature,nonRepudiation
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20210601131818':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=RHELENT.LAN
  subject: CN=OCSP Subsystem,O=RHELENT.LAN
  expires: 2023-05-01 18:04:04 UTC
  eku: id-kp-OCSPSigning
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20210601131820':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=RHELENT.LAN
  subject: CN=CA Subsystem,O=RHELENT.LAN
  expires: 2023-05-01 18:04:11 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20210601131821':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=RHELENT.LAN
  subject: CN=Certificate Authority,O=RHELENT.LAN
  expires: 2035-09-03 19:24:04 UTC
  key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20210601131823':
  status: NEED_TO_SUBMIT
  ca-error: Error 7 connecting to http://freeipa.rhelent.lan:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
  stuck: no
  key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
  certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=RHELENT.LAN
  subject: CN=IPA RA,O=RHELENT.LAN
  expires: 2021-06-08 16:52:45 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
  post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
  track: yes
  auto-renew: yes
Request ID '20210601131824':
  status: NEED_TO_SUBMIT
  ca-error: Error 7 connecting to http://freeipa.rhelent.lan:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=RHELENT.LAN
  subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
  expires: 2021-06-08 16:53:15 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20210601131827':
  status: NEED_TO_SUBMIT
  ca-error: Server at https://freeipa.rhelent.lan/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
  stuck: no
  key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-RHELENT-LAN',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-RHELENT-LAN/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/dirsrv/slapd-RHELENT-LAN',nickname='Server-Cert',token='NSS Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=RHELENT.LAN
  subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
  expires: 2021-07-11 16:52:10 UTC
  principal name: ldap/freeipa.rhelent.lan@RHELENT.LAN
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command:
  post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv RHELENT-LAN
  track: yes
  auto-renew: yes
Request ID '20210601131835':
  status: NEED_TO_SUBMIT
  ca-error: Server at https://freeipa.rhelent.lan/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
  stuck: no
  key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=RHELENT.LAN
  subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
  expires: 2021-07-12 16:52:09 UTC
  principal name: HTTP/freeipa.rhelent.lan@RHELENT.LAN
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command:
  post-save command: /usr/libexec/ipa/certmonger/restart_httpd
  track: yes
  auto-renew: yes
There's only one node.
The request ID for "Server-Cert cert-pki-ca" (as displayed by getcert list) is 20210601131824, meaning that the corresponding request file can be found with
# grep -l "id=20210601131824" /var/lib/certmonger/requests/*
Ah, found it. It was in a different file than I expected. Thank you. I moved that CSR into /etc/pki/pki-tomcat/ca/CS.cfg but still no luck (with the current date):
# ipa-cert-fix
WARNING
ipa-cert-fix is intended for recovery when expired certificates prevent the normal operation of IPA. It should ONLY be used in such scenarios, and backup of the system, especially certificates and keys, is STRONGLY RECOMMENDED.
The following certificates will be renewed:
Dogtag sslserver certificate: Subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN Serial: 23 Expires: 2021-06-08 16:53:15
IPA IPA RA certificate: Subject: CN=IPA RA,O=RHELENT.LAN Serial: 21 Expires: 2021-06-08 16:52:45
IPA Apache HTTPS certificate: Subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN Serial: 26 Expires: 2021-07-12 16:52:09
IPA LDAP certificate: Subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN Serial: 25 Expires: 2021-07-11 16:52:10
Enter "yes" to proceed: yes
Proceeding.
[Errno 2] No such file or directory: '/etc/pki/pki-tomcat/certs/sslserver.crt'
The ipa-cert-fix command failed.
Thanks
Marc
Hi,
what is the full output of *ipa-cert-fix -v* (verbose)? The command internally calls "*pki-server cert-fix*", and you will be able to find the exact arguments list provided in the logs. Retry the same "pki-server cert-fix" command with -v option and we will get more information about what is going wrong.
flo
On Wed, Sep 15, 2021 at 2:29 PM Marc Boorshtein <marc.boorshtein@tremolosecurity.com> wrote: