Hi,

there is only one certificate that failed to renew, and the repair should (hopefully) be straightforward.

First of all, please confirm that the server is the CA renewal master:
# ipa config-show | grep "CA renewal"

The output should display your hostname. If that's not the case, we need more information (which host is CA renewal master, are all the certs valid on this host?)

Let's assume that the host is CA renewal master. In this case, you need to change the date on the host and go back to a date when the cert was still valid (and the renewed certs are *already* valid). Any date in August should do the trick:
# ipactl start --ignore-service-failures
(note which services failed to start, I would expect httpd as its cert is expired)
# systemctl stop ntpd
(or systemctl stop chronyd, depending on the time sync daemon the system is using)
# date -s <date in the past>

Now start the services which were previously failing, for instance
# systemctl start httpd
(warning: don't use "ipactl start" as it would restart the ntp server and move the date back to the present!)

Manually trigger renewal of the cert:
# getcert resubmit -i <ID of the cert>

Wait a few minutes, check if the cert was renewed:
# getcert list -i <ID of the cert>

When the status is MONITORING, you can restart ntpd/chronyd, force the date to the current date and that's it!

HTH,
flo
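The steps above, scripted as an added example (this is not code from the thread, from flo, or from FreeIPA itself). It assumes the host is the CA renewal master, that time is kept by chronyd or ntpd, and that the request ID passed in is the certmonger ID of the expired cert (20170405152512 for httpd's Server-Cert in the listing below). The helper functions summarize_getcert, failed_requests, expired_requests and is_monitoring are mine; they parse "getcert list" output so the script can pick the failing request and poll for MONITORING, and the sample listing they are checked against is constructed from the post, not live output.

```shell
#!/bin/bash
# Added example, not code from the thread or from FreeIPA. It scripts the
# clock-rollback renewal for one expired certmonger request.
# Assumptions: this host is the CA renewal master, time is kept by chronyd or
# ntpd, and REQ_ID is the certmonger request ID of the expired cert.

# Constructed sample modelled on the `getcert list` output in the thread; used
# only by the offline parsing checks, never by the renewal procedure itself.
SAMPLE_GETCERT="Request ID '20170405152508':
     status: MONITORING
     stuck: no
     expires: 2036-09-08 17:57:09 BST
Request ID '20170405152511':
     status: MONITORING
     stuck: no
     expires: 2022-07-16 17:58:18 BST
Request ID '20170405152512':
     status: CA_UNREACHABLE
     ca-error: Error setting up ccache for \"host\" service on client using default keytab: Cannot contact any KDC for requested realm.
     stuck: no
     expires: 2020-09-04 17:46:56 BST"

# Reduce `getcert list` output on stdin to one line per request:
#   <request-id> <status> <expiry-date> <expiry-time>
summarize_getcert() {
    awk '
        /^Request ID/           { id = $0; gsub(/[^0-9]/, "", id) }
        /^[[:space:]]*status:/  { st = $2 }
        /^[[:space:]]*expires:/ { print id, st, $2, $3 }
    '
}

# Request IDs whose certmonger status is anything but MONITORING.
failed_requests() {
    summarize_getcert | awk '$2 != "MONITORING" { print $1 }'
}

# Request IDs whose expiry lies before NOW ("YYYY-MM-DD HH:MM:SS", default:
# the current clock). ISO-style timestamps compare correctly as strings.
expired_requests() {
    now=${1:-$(date '+%Y-%m-%d %H:%M:%S')}
    summarize_getcert | awk -v now="$now" '($3 " " $4) < now { print $1 }'
}

# Exit 0 when request REQ_ID (stdin: `getcert list -i REQ_ID`) is MONITORING.
is_monitoring() {
    summarize_getcert | awk -v id="$1" '
        $1 == id && $2 == "MONITORING" { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# The procedure itself. Needs root on the IPA server.
renew_with_rollback() {
    req_id=$1
    past_date=$2   # inside the expired cert's validity, after the other certs renewed
    timed=""

    # 1. Refuse to run anywhere but the CA renewal master.
    ipa config-show | grep "CA renewal" | grep -q "$(hostname -f)" \
        || { echo "this host is not the CA renewal master" >&2; return 1; }

    # 2. Bring up what can start; httpd is expected to fail on the expired cert.
    ipactl start --ignore-service-failures || true

    # 3. Stop the time daemon so the clock stays where we put it.
    if systemctl is-active --quiet chronyd; then timed=chronyd
    elif systemctl is-active --quiet ntpd; then timed=ntpd; fi
    [ -n "$timed" ] && systemctl stop "$timed"

    # 4. Step the clock back and start httpd directly. Do NOT use `ipactl start`
    #    here: it restarts the time daemon and snaps the clock back to now.
    date -s "$past_date"
    systemctl start httpd

    # 5. Ask certmonger to renew, then poll until the request is MONITORING.
    getcert resubmit -i "$req_id"
    renewed=1
    for _ in $(seq 1 30); do
        if getcert list -i "$req_id" | is_monitoring "$req_id"; then renewed=0; break; fi
        sleep 10
    done

    # 6. Restore real time whether or not renewal succeeded: restart the daemon
    #    and, for chronyd, force an immediate step (ntpd steps on its own when
    #    started with -g).
    [ -n "$timed" ] && systemctl start "$timed"
    [ "$timed" = chronyd ] && chronyc makestep
    if [ "$renewed" -ne 0 ]; then
        echo "request $req_id is still not MONITORING; check: getcert list -i $req_id" >&2
        return 1
    fi
    echo "renewed $req_id; verify with: getcert list -i $req_id"
}

# Run only when explicitly asked, e.g.:
#   ./renew-with-rollback.sh --run 20170405152512 "2020-08-20 12:00:00"
if [ "${1:-}" = "--run" ]; then
    renew_with_rollback "$2" "$3"
fi
```

Before running it with --run, pipe a real `getcert list` through failed_requests to confirm there is exactly one request to repair; if more than one ID comes back, the single-cert recipe above does not apply and the other certs need looking at first.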

On 9/8/20 5:06 PM, Stuart McRobert via FreeIPA-users wrote:
Hi,

Although I thought these certificates would all happily auto-renew, and auto-renew: yes is shown, one of them clearly hasn't with an obvious impact on services.  I recognise this is now a fairly old version of freeipa.

As I don't wish to break anything further, what is the correct way to safely and successfully renew this one certificate?

Thanks

Best wishes

Stuart

-------------------------------------------------------

ipa --version
VERSION: 4.4.4, API_VERSION: 2.215


getcert list | grep -i expi
     expires: 2022-06-13 17:57:38 BST
     expires: 2022-06-13 17:57:48 BST
     expires: 2022-06-13 17:57:28 BST
     expires: 2036-09-08 17:57:09 BST
     expires: 2022-06-13 17:57:50 BST
     expires: 2022-06-13 17:57:22 BST
     expires: 2022-07-16 17:58:18 BST
     expires: 2020-09-04 17:46:56 BST    <<<<<<<<<<<<<<<<<<<<

I've changed strings to be OUR_DOMAIN and our_server below.

getcert list
Number of certificates and requests being tracked: 8.
Request ID '20170405152505':
     status: MONITORING
     stuck: no
     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
     CA: dogtag-ipa-ca-renew-agent
     issuer: CN=Certificate Authority,O=OUR_DOMAIN
     subject: CN=CA Audit,O=OUR_DOMAIN
     expires: 2022-06-13 17:57:38 BST
     key usage: digitalSignature,nonRepudiation
     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
     track: yes
     auto-renew: yes
Request ID '20170405152506':
     status: MONITORING
     stuck: no
     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
     CA: dogtag-ipa-ca-renew-agent
     issuer: CN=Certificate Authority,O=OUR_DOMAIN
     subject: CN=OCSP Subsystem,O=OUR_DOMAIN
     expires: 2022-06-13 17:57:48 BST
     eku: id-kp-OCSPSigning
     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
     track: yes
     auto-renew: yes
Request ID '20170405152507':
     status: MONITORING
     stuck: no
     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
     CA: dogtag-ipa-ca-renew-agent
     issuer: CN=Certificate Authority,O=OUR_DOMAIN
     subject: CN=CA Subsystem,O=OUR_DOMAIN
     expires: 2022-06-13 17:57:28 BST
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
     eku: id-kp-serverAuth,id-kp-clientAuth
     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
     track: yes
     auto-renew: yes
Request ID '20170405152508':
     status: MONITORING
     stuck: no
     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
     CA: dogtag-ipa-ca-renew-agent
     issuer: CN=Certificate Authority,O=OUR_DOMAIN
     subject: CN=Certificate Authority,O=OUR_DOMAIN
     expires: 2036-09-08 17:57:09 BST
     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
     track: yes
     auto-renew: yes
Request ID '20170405152509':
     status: MONITORING
     stuck: no
     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
     CA: dogtag-ipa-ca-renew-agent
     issuer: CN=Certificate Authority,O=OUR_DOMAIN
     subject: CN=IPA RA,O=OUR_DOMAIN
     expires: 2022-06-13 17:57:50 BST
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
     eku: id-kp-serverAuth,id-kp-clientAuth
     pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
     post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
     track: yes
     auto-renew: yes
Request ID '20170405152510':
     status: MONITORING
     stuck: no
     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
     CA: dogtag-ipa-renew-agent
     issuer: CN=Certificate Authority,O=OUR_DOMAIN
     subject: CN=our_server,O=OUR_DOMAIN
     expires: 2022-06-13 17:57:22 BST
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
     eku: id-kp-serverAuth,id-kp-clientAuth
     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
     track: yes
     auto-renew: yes
Request ID '20170405152511':
     status: MONITORING
     stuck: no
     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-OUR_DOMAIN',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-OUR-DOMAIN/pwdfile.txt'
     certificate: type=NSSDB,location='/etc/dirsrv/slapd-OUR_DOMAIN',nickname='Server-Cert',token='NSS Certificate DB'
     CA: IPA
     issuer: CN=Certificate Authority,O=OUR_DOMAIN
     subject: CN=our_server,O=OUR_DOMAIN
     expires: 2022-07-16 17:58:18 BST
     principal name: ldap/our_server@OUR_DOMAIN
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
     eku: id-kp-serverAuth,id-kp-clientAuth
     pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv OUR_DOMAIN
     track: yes
     auto-renew: yes
Request ID '20170405152512':
     status: CA_UNREACHABLE
    ca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for requested realm.
     stuck: no
     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
     CA: IPA
     issuer: CN=Certificate Authority,O=OUR_DOMAIN
     subject: CN=our_server,O=OUR_DOMAIN
    expires: 2020-09-04 17:46:56 BST <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
     principal name: HTTP/our_server@OUR_DOMAIN
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
     eku: id-kp-serverAuth,id-kp-clientAuth
     pre-save command:
     post-save command: /usr/libexec/ipa/certmonger/restart_httpd
     track: yes
     auto-renew: yes
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]