Hello,
we ran into a problem with expired certificates:
getcert list (the sample shows only one expired certificate)
...
Request ID '20170202144747':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=NBG.WEBTREKK.COM
    subject: CN=IPA RA,O=NBG.WEBTREKK.COM
    expires: 2017-07-30 13:37:02 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
...
Request ID '20170202144746':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=NBG.WEBTREKK.COM
    subject: CN=Certificate Authority,O=NBG.WEBTREKK.COM
    expires: 2035-08-10 13:36:23 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
...
We followed the instructions for renewing certificates found on this mailing list:
* set the system time to before the expiry date
* set dogtag to use simple binds instead of TLS to connect to LDAP
* ipactl start --ignore-service-failures
* systemctl restart pki-tomcatd@pki-tomcat
* systemctl restart certmonger
* resubmit one of the expired certificates: ipa-getcert resubmit -i 20170202144747
Jul 29 13:27:05 ipa-prod-01.<domain> dogtag-ipa-ca-renew-agent-submit[10651]: Forwarding request to dogtag-ipa-renew-agent
Jul 29 13:27:05 ipa-prod-01.<domain> dogtag-ipa-renew-agent-submit[10661]: GET http://ipa-prod-01.<domain>:8080/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=7&renewal=true&xml=true
Jul 29 13:27:05 ipa-prod-01.<domain> dogtag-ipa-renew-agent-submit[10661]: <html><head><title>Apache Tomcat/7.0.69 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - /ca/ee/ca/profileSubmit</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>/ca/ee/ca/profileSubmit</u></p><p><b>description</b> <u>The requested resource is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.69</h3></body></html>
Jul 29 13:27:05 ipa-prod-01.<domain> dogtag-ipa-ca-renew-agent-submit[10651]: dogtag-ipa-renew-agent returned 2
In the certmonger logs, we can see that the request is forwarded to
dogtag-ipa-renew-agent, but the agent returned with return code 2, which
seemed to be "request rejected". So at this point I have no clue how to
solve this problem. Any help is desired.
ipa --version
VERSION: 4.4.0, API_VERSION: 2.213
Many thanks
Michael
--
________________________________________________
*Michael Gusek* | System Administrator | Webtrekk GmbH |
*t* +49 30 755 415 302 | *f* +49 30 755 415 100 | *w* www.webtrekk.com <https://www.webtrekk.com/?wt_mc=signature.-.-.-.homepageURL>
Amtsgericht/Local Court Berlin, HRB 93435 B | Geschäftsführer/CEO Christian Sauer
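Added example (not part of the original message or of FreeIPA/certmonger): a small Python script that parses `getcert list` output to flag tracked certificates that have already expired or expire within a warning window, and that reads the kind of certmonger journal lines quoted above to extract the HTTP status the CA answered with and the CA helper's exit code. The getcert output and journal lines below are constructed samples modelled on the post (realm and hostname replaced); the exit-code table follows certmonger's CA-helper convention (0 issued, 1 wait, 2 rejected, 3 CA unreachable, 4 helper unconfigured, 5 wait with delay), which is the meaning of the "returned 2" seen in the post.

```python
"""Flag expired certmonger-tracked certificates and explain a failed resubmit.

Both sample inputs are constructed for this example, modelled on the
getcert/certmonger output in the mailing-list post (realm and host replaced).
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed `getcert list` output (two tracking requests as in the post).
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20170202144747':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=IPA RA,O=EXAMPLE.TEST
\texpires: 2017-07-30 13:37:02 UTC
\tkey usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
\teku: id-kp-serverAuth,id-kp-clientAuth
\tpre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
\tpost-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
\ttrack: yes
\tauto-renew: yes
Request ID '20170202144746':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=Certificate Authority,O=EXAMPLE.TEST
\texpires: 2035-08-10 13:36:23 UTC
\tkey usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
\tpre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
\tpost-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
\ttrack: yes
\tauto-renew: yes
"""

# Constructed journal lines (hostname replaced; HTML error page shortened).
SAMPLE_JOURNAL = [
    "Jul 29 13:27:05 ipa.example.test dogtag-ipa-ca-renew-agent-submit[10651]: Forwarding request to dogtag-ipa-renew-agent",
    "Jul 29 13:27:05 ipa.example.test dogtag-ipa-renew-agent-submit[10661]: GET http://ipa.example.test:8080/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=7&renewal=true&xml=true",
    "Jul 29 13:27:05 ipa.example.test dogtag-ipa-renew-agent-submit[10661]: <html><head><title>Apache Tomcat/7.0.69 - Error report</title></head><body><h1>HTTP Status 404 - /ca/ee/ca/profileSubmit</h1></body></html>",
    "Jul 29 13:27:05 ipa.example.test dogtag-ipa-ca-renew-agent-submit[10651]: dogtag-ipa-renew-agent returned 2",
]

# Exit codes of certmonger CA helpers (certmonger's submit-helper convention).
HELPER_EXIT_CODES = {0: "issued", 1: "wait", 2: "rejected", 3: "CA unreachable",
                     4: "helper unconfigured", 5: "wait with delay"}
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"
# Reference time used by sample_report(): a date after the RA cert's expiry.
REFERENCE_TIME = datetime(2017, 8, 15, tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Return one dict per 'Request ID' block, keyed by the field names getcert prints."""
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
            continue
        if current is None or ":" not in line:
            continue  # header lines before the first request are ignored
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    for e in entries:
        if "expires" in e:
            e["expires"] = datetime.strptime(e["expires"], EXPIRES_FMT).replace(tzinfo=timezone.utc)
        nm = re.search(r"nickname='([^']*)'", e.get("certificate", ""))
        e["nickname"] = nm.group(1) if nm else None
    return entries


def certificates_needing_attention(entries, now, warn_days=30):
    """Split tracked certs into expired / expiring-soon relative to an aware UTC `now`."""
    expired, expiring = [], []
    for e in entries:
        exp = e.get("expires")
        if exp is None:
            continue
        if exp <= now:
            expired.append((e["request_id"], e["nickname"], (now - exp).days))
        elif exp - now <= timedelta(days=warn_days):
            expiring.append((e["request_id"], e["nickname"], (exp - now).days))
    return {"expired": expired, "expiring": expiring}


def explain_renewal_log(lines):
    """Extract the CA's HTTP status/path and the helper exit code from certmonger journal lines."""
    result = {"http_status": None, "path": None, "helper_exit": None, "helper_meaning": None}
    for line in lines:
        m = re.search(r"HTTP Status (\d{3}) - ([^\s<]+)", line)
        if m:
            result["http_status"], result["path"] = int(m.group(1)), m.group(2)
        m = re.search(r"dogtag-ipa-renew-agent returned (\d+)", line)
        if m:
            result["helper_exit"] = int(m.group(1))
            result["helper_meaning"] = HELPER_EXIT_CODES.get(result["helper_exit"], "unknown")
    return result


def sample_report():
    """Run the expiry check on the constructed sample at REFERENCE_TIME."""
    return certificates_needing_attention(parse_getcert_list(SAMPLE_GETCERT_LIST), REFERENCE_TIME)


if __name__ == "__main__":
    print(sample_report())
    print(explain_renewal_log(SAMPLE_JOURNAL))
```

On a real server the first function would be fed `getcert list` output (run as root) and the second the lines from `journalctl -u certmonger`; the 404 on /ca/ee/ca/profileSubmit paired with exit code 2 shows the helper reached Tomcat on port 8080 but the CA web application was not serving that path, which is the condition to investigate before retrying the resubmit.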