Hi there,
I need some suggestions for a certificate-related problem. The setup has 2 servers, let's call them ldap1 and ldap2, with ldap1 being the primary system with the CA. The certificates were to expire on June 15. I checked on June 1st: on ldap1 certmonger had renewed all certificates, on ldap2 certmonger was not running. So, I restarted the certmonger service and it began its work. `getcert list` shows three certificates (it's IPA 4.4, so that's probably correct).
Quite soon, the first certificate was renewed (HTTP/ldap2, ...); I assume that's the one for the web UI. A second one (ldap/ldap2...) is still valid until December. I assume that's why all the LDAP-related stuff and replication is still working.
But the cn=IPA RA expired one week ago (May 24th).
I have no ipa-certs-fix, would setting back the system clock still work? The HTTP/ldap2 certificate was not yet valid when the IPA RA certificate expired.
Or, put the other way round: what happens if I don't renew this certificate? That's not quite clear to me. Currently, the system is working fine, replication works, and in 2022 the hardware will be replaced, so we will set up new replicas anyway. But that's after the expiration date of the ldap/ldap2 certificate.
I hope this is understandable and thanks in advance for any hint.
Only one server (CA replication master) does the renewal of the CA certificates, including the RA certificate. It puts the results into LDAP where the other servers can retrieve the updated certificates.
So the RA certificate seems to have been renewed already, if the server with the CA is working (`ipa cert-show 1` as a test).
The impact of not having an updated RA certificate on ldap2 is that it won't be able to communicate with the CA.
Can we see the tracking of this request on ldap2?
```
getcert list -d /etc/httpd/alias -n ipaCert
```
rob
Hi, thanks for your answer,
That seems in line with not being able to communicate with the CA:
```
[root@ldap2 requests]# ipa cert-show 1
ipa: ERROR: cannot connect to 'https://ldap1:443/ca/agent/ca/displayBySerial': (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.
```
Unfortunately, I will have no access to the system before next Monday to obtain the `getcert list`. The status of the request is 'CA_WORKING' - that much I can tell.
I could not see any other response in the logs (journalctl or /var/log/messages), and the CSR does not seem to arrive at ldap1. But I understand that I could manually bring the CSR to ldap1, sign it there, bring it back... There are, however, a lot of points I'm unsure about.
Jan Bundesmann via FreeIPA-users wrote:
> Hi, thanks for your answer,
> That seems in line with not being able to communicate with the CA:
> [root@ldap2 requests]# ipa cert-show 1
> ipa: ERROR: cannot connect to 'https://ldap1:443/ca/agent/ca/displayBySerial': (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.
You want to do this on ldap1 to ensure that the CA works. This does confirm that the RA cert is expired.
> Unfortunately, I will have no access to the system before next Monday to obtain the `getcert list`. The status of the request is 'CA_WORKING' - that much I can tell.
> I could not see any other response in the logs (journalctl or /var/log/messages), and the CSR does not seem to arrive at ldap1. But I understand that I could manually bring the CSR to ldap1, sign it there, bring it back... There are, however, a lot of points I'm unsure about.
The tracking state is what I was looking for. CA_WORKING means that it is waiting for an updated certificate to become available. Is replication working between the two systems?
Look on both LDAP servers in cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=test. There should be an entry for the RA agent there (along with the other renewed CA certificates).
If the entry exists on ldap2 then `getcert resubmit -d /etc/httpd/alias -n ipaCert` should force it to try to pick it up.
rob
(Last mail wasn't sent to mailing list - bad settings of my mail client, sorry for that).
So, replication is working and there is indeed a new certificate for IPA RA. Can this be from the renewal cycle on ldap1?
But isn't this some kind of chicken-and-egg problem now? Apparently ldap2 cannot talk to the CA, and as a consequence I cannot query certificate contents on ldap2. `getcert resubmit` puts me back in the status of CA_WORKING.
Would adding it manually to the database in /etc/httpd/alias work? Or can I put in some other place to make the "dogtag-ipa-ca-renew-agent" aware of the new certificate?
Jan Bundesmann via FreeIPA-users wrote:
> (Last mail wasn't sent to mailing list - bad settings of my mail client, sorry for that).
> So, replication is working and there is indeed a new certificate for IPA RA. Can this be from the renewal cycle on ldap1?
Yes. Only one server does the renewal through the CA, the so-called CA Renewal Master. The result of the renewal is put into LDAP to be shared with the other IPA servers. It sounds like this happened as expected.
> But isn't this some kind of chicken-and-egg problem now? Apparently ldap2 cannot talk to the CA, and as a consequence I cannot query certificate contents on ldap2. `getcert resubmit` puts me back in the status of CA_WORKING.
It's not, because communication with the CA is not necessary in order to retrieve the updated certificate, as it is stored within the IPA LDAP tree.
> Would adding it manually to the database in /etc/httpd/alias work? Or can I put it in some other place to make the "dogtag-ipa-ca-renew-agent" aware of the new certificate?
It's possible, sure.
I'd also suggest checking the journal for certmonger messages to perhaps get a better idea of what is going on. The 389-ds access log will show you whether certmonger is searching for the updated cert.
rob
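The checks from Rob's two replies above (the certmonger tracking state, the cn=ca_renewal entry in LDAP, the resubmit, and whether certmonger is searching the local 389-ds at all) strung together into one script for the stuck replica. This is an added example, not code from the thread or from the FreeIPA project. It assumes the FreeIPA 4.4 layout (NSS database /etc/httpd/alias, nickname ipaCert), GNU date, an OpenLDAP ldapsearch run with a Kerberos ticket, and a base suffix of dc=example,dc=test unless SUFFIX is set; the example timestamps in the comments are constructed.

```shell
#!/bin/sh
# Added example, not FreeIPA project code: diagnose a replica (ldap2) whose
# IPA RA certificate (ipaCert) renewal sits in CA_WORKING.
# Assumptions: FreeIPA 4.4 layout, GNU date, OpenLDAP ldapsearch, a Kerberos
# ticket for the LDAP read; SUFFIX defaults to a made-up base DN.
NSSDB=/etc/httpd/alias
NICK=ipaCert
SUFFIX="${SUFFIX:-dc=example,dc=test}"

# DN under which the CA renewal master publishes each renewed certificate.
renewal_entry_dn() {
    printf 'cn=%s,cn=ca_renewal,cn=ipa,cn=etc,%s\n' "$1" "$2"
}

# Summarise one request from "getcert list" output ($1 = file) as
# "<status> <stuck> <expires>", e.g. "CA_WORKING no 2021-05-24 10:15:32 UTC".
getcert_summary() {
    awk '
        /^[[:space:]]*status:/  { st = $2 }
        /^[[:space:]]*stuck:/   { stuck = $2 }
        /^[[:space:]]*expires:/ { sub(/^[[:space:]]*expires:[[:space:]]*/, ""); ex = $0 }
        END { print st, stuck, ex }
    ' "$1"
}

# True (0) when the notAfter in $1 lies before the reference time $2 (default: now).
cert_expired() {
    local exp_epoch ref_epoch
    exp_epoch=$(date -u -d "$1" +%s) || return 2
    ref_epoch=$(date -u -d "${2:-now}" +%s) || return 2
    [ "$exp_epoch" -lt "$ref_epoch" ]
}

# notAfter of the RA cert currently in the local NSS database.
nssdb_notafter() {
    certutil -L -d "$NSSDB" -n "$NICK" -a | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# notAfter of the copy the renewal master stored in LDAP; empty if there is no entry.
ldap_notafter() {
    ldapsearch -LLL -o ldif-wrap=no -Y GSSAPI -H "ldap://$(hostname -f)" \
        -b "$(renewal_entry_dn "$NICK" "$SUFFIX")" -s base 'usercertificate;binary' 2>/dev/null |
      sed -n 's/^usercertificate;binary:: //p' | head -n 1 | base64 -d 2>/dev/null |
      openssl x509 -inform DER -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# Decide the next step from the three facts the thread turns on:
# $1 tracking status, $2 notAfter of the local cert, $3 notAfter of the LDAP copy ("" = no entry).
# Returns 0 when a local action (resubmit) is the answer, 1 when the problem is elsewhere.
next_step() {
    local status="$1" local_exp="$2" ldap_exp="$3"
    if [ -z "$ldap_exp" ]; then
        echo "no cn=$NICK entry under cn=ca_renewal: renewal master has not renewed, or replication is broken"
        return 1
    fi
    if [ "$(date -u -d "$ldap_exp" +%s)" -le "$(date -u -d "$local_exp" +%s)" ]; then
        echo "LDAP copy is not newer than the local $NICK: the renewal master has not renewed it yet"
        return 1
    fi
    case $status in
        CA_WORKING|MONITORING)
            echo "newer $NICK in LDAP: run 'getcert resubmit -d $NSSDB -n $NICK', then watch journalctl -u certmonger"
            ;;
        *)
            echo "tracking status is $status: read 'getcert list -d $NSSDB -n $NICK' and journalctl -u certmonger first"
            ;;
    esac
    return 0
}

# Run the real checks on the replica (needs root and a Kerberos ticket).
diagnose() {
    local tmp status stuck expires local_exp ldap_exp
    tmp=$(mktemp)
    getcert list -d "$NSSDB" -n "$NICK" > "$tmp"
    set -- $(getcert_summary "$tmp")
    rm -f "$tmp"
    status=$1; stuck=$2; shift 2; expires=$*
    echo "tracking: status=$status stuck=$stuck expires=$expires"
    local_exp=$(nssdb_notafter)
    ldap_exp=$(ldap_notafter || true)
    echo "local notAfter: $local_exp"
    echo "LDAP notAfter: ${ldap_exp:-<no entry>}"
    # Rob's last check: is certmonger even asking the local 389-ds for the entry?
    grep -c 'cn=ca_renewal' /var/log/dirsrv/slapd-*/access 2>/dev/null |
      sed 's/^/ca_renewal searches in access log: /'
    next_step "$status" "$local_exp" "$ldap_exp"
}

if [ "${1-}" = "run" ]; then
    diagnose
fi
```

Invoke it as `./ra_check.sh run` on ldap2 after `kinit admin`; the decision in `next_step` is what separates "certmonger needs a nudge" (a newer ipaCert is in LDAP, so resubmit) from "look at the renewal master or replication" (no entry, or an entry no newer than the expired local one), which the thread otherwise left to guesswork.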
Hi,
to conclude this issue: I eventually reinstalled the server. So no real solution, but this was better to calculate in terms of how much time we needed.
Thanks for the help here!
freeipa-users@lists.fedorahosted.org