Randy Morgan wrote:
On 9/9/2019 11:31 AM, Rob Crittenden wrote:
Randy Morgan via FreeIPA-users wrote:
We have been working to solve an expired certificate issue in IPA. There is an open ticket in Red Hat support, case 02438518. We have tried many things but so far have had no luck getting the certs to update. Currently the system is running RHEL 8.0 and IPA 4.7.1.
pki-server cert-fix -n 'subsystemCert cert-pki-ca' -d /var/lib/pki/pki-tomcat/alias/ -C /root/passwd -vvv
INFO: Loading instance: pki-tomcat
INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Loading subsystem: ca
INFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
INFO: Getting signing cert info for ca from CS.cfg
INFO: Getting signing cert info for ca from NSS database
INFO: Getting ocsp_signing cert info for ca from CS.cfg
INFO: Getting ocsp_signing cert info for ca from NSS database
INFO: Getting sslserver cert info for ca from CS.cfg
INFO: Getting sslserver cert info for ca from NSS database
INFO: Getting subsystem cert info for ca from CS.cfg
INFO: Getting subsystem cert info for ca from NSS database
INFO: Getting audit_signing cert info for ca from CS.cfg
INFO: Getting audit_signing cert info for ca from NSS database
INFO: Fixing the following certs: ['ca_ocsp_signing', 'sslserver', 'subsystem', 'ca_audit_signing']
INFO: Stopping the instance to proceed with system cert renewal
INFO: Selftests disabled for subsystems: ca
INFO: Getting sslserver cert info for ca from CS.cfg
INFO: Getting sslserver cert info for ca from NSS database
INFO: Trying to create a new temp cert for sslserver.
INFO: Generate temp SSL certificate
INFO: Getting sslserver cert info for ca from CS.cfg
INFO: Getting sslserver cert info for ca from NSS database
INFO: CSR for sslserver has been written to /tmp/tmpg_738l5a/sslserver.csr
INFO: Getting signing cert info for ca from CS.cfg
INFO: Getting signing cert info for ca from NSS database
INFO: CA cert written to /tmp/tmpg_738l5a/ca_certificate.crt
INFO: AKI: 0x1D0F356A3E7A6968A231723231EB22DA5A01F542
INFO: Temp cert for sslserver is available at /etc/pki/pki-tomcat/certs/sslserver.crt.
INFO: Getting sslserver cert info for ca from CS.cfg
INFO: Getting sslserver cert info for ca from NSS database
INFO: Getting sslserver cert info for ca from CS.cfg
INFO: Getting sslserver cert info for ca from NSS database
INFO: Updating CS.cfg with the new certificate
INFO: Getting ocsp_signing cert info for ca from CS.cfg
INFO: Getting ocsp_signing cert info for ca from NSS database
INFO: Trying to setup a secure connection to CA subsystem.
INFO: Secure connection with CA is established.
INFO: Placing cert creation request for serial: 49
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 600, in urlopen
    chunked=chunked)
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 343, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 849, in _validate_conn
    conn.connect()
  File "/usr/lib/python3.6/site-packages/urllib3/connection.py", line 356, in connect
    ssl_context=context)
  File "/usr/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 350, in ssl_wrap_socket
    context.load_cert_chain(certfile, keyfile)
ssl.SSLError: [X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:3550)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 638, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/lib/python3.6/site-packages/urllib3/util/retry.py", line 398, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='ipa2.chem.byu.edu', port=8443): Max retries exceeded with url: /ca/rest/certrequests/profiles/caManualRenewal (Caused by SSLError(SSLError(185073780, '[X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:3550)'),))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/pki/server/pkiserver.py", line 119, in <module>
    cli.execute(sys.argv)
  File "/usr/lib/python3.6/site-packages/pki/server/pkiserver.py", line 111, in execute
    super(PKIServerCLI, self).execute(args)
  File "/usr/lib/python3.6/site-packages/pki/cli/__init__.py", line 204, in execute
    module.execute(module_args)
  File "/usr/lib/python3.6/site-packages/pki/cli/__init__.py", line 204, in execute
    module.execute(module_args)
  File "/usr/lib/python3.6/site-packages/pki/server/cli/cert.py", line 1154, in execute
    renew=True)
  File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 1709, in cert_create
    PKIServer.renew_certificate(connection, new_cert_file, serial)
  File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 202, in renew_certificate
    ret = cert_client.enroll_cert(inputs=inputs, profile_id='caManualRenewal')
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 442, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 1011, in enroll_cert
    enroll_request = self.create_enrollment_request(profile_id, inputs)
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 442, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 962, in create_enrollment_request
    enrollment_template = self.get_enrollment_template(profile_id)
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 442, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 942, in get_enrollment_template
    r = self.connection.get(url, self.headers)
  File "/usr/lib/python3.6/site-packages/pki/client.py", line 46, in wrapper
    return func(self, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/client.py", line 160, in get
    timeout=timeout,
  File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 537, in get
    return self.request('GET', url, **kwargs)
  File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 524, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 637, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='ipa2.chem.byu.edu', port=8443): Max retries exceeded with url: /ca/rest/certrequests/profiles/caManualRenewal (Caused by SSLError(SSLError(185073780, '[X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:3550)'),))
ERROR: HTTPSConnectionPool(host='ipa2.chem.byu.edu', port=8443): Max retries exceeded with url: /ca/rest/certrequests/profiles/caManualRenewal (Caused by SSLError(SSLError(185073780, '[X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:3550)'),))
[root@ipa2 ~]# echo "--Certificate:" && openssl x509 -noout -modulus -in /var/lib/ipa/ra-agent.pem && echo "--Key:" && openssl rsa -noout -modulus -in /var/lib/ipa/ra-agent.key
--Certificate:
Modulus
--Key:
Modulus

[root@ipa2 ~]# openssl rsa -noout -modulus -in /var/lib/ipa/ra-agent.key | openssl md5
(stdin)= 0915781edbe620c5791cda50f310c538
[root@ipa2 ~]# openssl x509 -noout -modulus -in /var/lib/ipa/ra-agent.pem | openssl md5
(stdin)= 0915781edbe620c5791cda50f310c538
Looking at the cert and the key, they are a match and the modulus also matches. What I can't figure out is why I am seeing this error if the key and cert match. Is it possible to have a timestamp issue, or is there some other reason that I can't find? Any help would be greatly appreciated.
I'm not familiar with this command, but based on the options you are passing, you compared the wrong cert. You compared the RA agent cert and you asked to renew the subsystem cert.
You might want to see what cert owns serial number 49.
rob
The reason these are the two compared is that there are no other keys on the server. Looking through the documentation seems to indicate that all certs are generated from this key pair. Is that not correct? If it is not, where are the keys located for the other certs? I have been unable to locate them anywhere on the server.
The certs and keys are stored in the NSS database in /etc/pki/pki-tomcat/alias/
rob
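The two checks Rob's replies call for, written up here as added example code (not from the thread, FreeIPA or pki-server): which nickname in the NSS database owns a given serial, and whether a given cert and key really pair up, compared by public key so it is not RSA-only. It assumes openssl and certutil are on PATH, that `certutil -L -d DIR` prints three header lines before the nickname list, and that a single cert listing prints `Serial Number: 49 (0x31)`; the file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Follows from Rob's two points: the -n
# nickname (subsystemCert cert-pki-ca) lives in /etc/pki/pki-tomcat/alias/,
# while /var/lib/ipa/ra-agent.pem and ra-agent.key are a different pair, so a
# matching modulus on the RA agent files says nothing about the subsystem cert.

# key_matches_cert CERT.pem KEY.pem -> returns 0 when the key's public half is
# identical to the public key embedded in the certificate, 1 otherwise.
# Compares the public key PEM, so it works for RSA and EC keys alike (the
# "openssl rsa -modulus" check from the thread is RSA-only).
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# nick_for_serial NSSDIR SERIAL -> prints the nickname whose certificate has
# the given decimal serial number; prints nothing when no certificate matches.
# Layout assumptions: 'certutil -L -d DIR' has three header lines, each row is
# "<nickname>  <trust flags>", and 'certutil -L -d DIR -n NICK' prints a line
# "Serial Number: <decimal> (0x<hex>)".
nick_for_serial() {
    dir=$1
    want=$2
    certutil -L -d "$dir" | tail -n +4 |
        sed 's/[[:space:]]\{2,\}[^[:space:]]*$//' |
        while IFS= read -r nick; do
            [ -n "$nick" ] || continue
            serial=$(certutil -L -d "$dir" -n "$nick" |
                sed -n 's/^[[:space:]]*Serial Number: \([0-9][0-9]*\).*/\1/p')
            if [ "$serial" = "$want" ]; then
                printf '%s\n' "$nick"
                break
            fi
        done
}

# Usage (placeholder file names): find the owner of serial 49 from the log,
# then check the exported cert/key pair that load_cert_chain() was handed.
#   nick_for_serial /etc/pki/pki-tomcat/alias 49
#   key_matches_cert exported.crt exported.key && echo match || echo MISMATCH
```

A mismatch from key_matches_cert on the exported pair reproduces the KEY_VALUES_MISMATCH condition in the traceback; a match on the RA agent files, as in the thread, does not rule it out.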
freeipa-users@lists.fedorahosted.org