On 2/8/21 2:03 PM, Manuel Gujo via FreeIPA-users wrote:
Hi Florence, thanks for the answer

it's a single IPA server, VERSION: 4.6.8, API_VERSION: 2.237

Hi,

The CA is self-signed and still valid, and you are lucky because this ipa version already provides a new tool called ipa-cert-fix that should be able to help renew the certificates.

For more information please refer to the doc [1]. ipa-cert-fix analyzes the existing certificates and lists the ones that need to be renewed, then prompts you for confirmation and proceeds. No need to move the date in the past or do manual steps.

HTH,
flo

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/cert-renewal#renewing-expired-system-certificate-when-idm-is-offline

I kinit as admin without problems, then:

[root@ipa1 ~]# ipa server-role-find
ipa: ERROR: cannot connect to 'https://ipa1.itec.lab/ipa/json': Internal Server Error
[root@ipa1 ~]# rpm -qa *ipa-server
ipa-server-4.6.8-5.el7.centos.x86_64

# getcert list
Number of certificates and requests being tracked: 7.
Request ID '20191231201955':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: SelfSign
        issuer: CN=ipa1.itec.lab,O=ITEC.LAB
        subject: CN=ipa1.itec.lab,O=ITEC.LAB
        expires: 2020-12-31 20:19:55 UTC
        principal name: krbtgt/[email protected]
        certificate template/profile: KDCs_PKINIT_Certs
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
        track: yes
        auto-renew: yes
Request ID '20201102185036':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=ITEC.LAB
        subject: CN=CA Audit,O=ITEC.LAB
        expires: 2020-12-08 09:35:14 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20201102185037':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=ITEC.LAB
        subject: CN=OCSP Subsystem,O=ITEC.LAB
        expires: 2020-12-08 09:38:07 UTC
        eku: id-kp-OCSPSigning
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20201102185038':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=ITEC.LAB
        subject: CN=CA Subsystem,O=ITEC.LAB
        expires: 2020-12-08 09:37:36 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20201102185039':
        status: NEED_CSR_GEN_PIN
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent-selfsigned
        issuer: CN=Certificate Authority,O=ITEC.LAB
        subject: CN=Certificate Authority,O=ITEC.LAB
        expires: 2037-01-25 14:22:25 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20201102185040':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=ITEC.LAB
        subject: CN=IPA RA,O=ITEC.LAB
        expires: 2020-12-08 09:37:47 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20201102185042':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=ITEC.LAB
        subject: CN=ipa1.itec.lab,O=ITEC.LAB
        expires: 2020-12-08 09:35:05 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
        track: yes
        auto-renew: yes

I had to set my date several weeks before the expiry to renew them via certmonger, but it does not auto-renew past 30-12-2020

Thanks for the support,
Manuel
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
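As an added example (not code from the thread, from FreeIPA or from certmonger): the triage a practitioner would want to do on the `getcert list` output above before running ipa-cert-fix. The script parses the text into one record per request, reports which tracked certificates have already expired and which requests are stuck, and checks the precondition Florence names, that the CA signing certificate itself is still valid. Assumptions, labelled in the code: the CA certificate is the request whose NSS nickname is 'caSigningCert cert-pki-ca' (FreeIPA's default Dogtag nickname), timestamps are in getcert's 'YYYY-MM-DD HH:MM:SS UTC' form, the sample input is a constructed, trimmed copy of the output in the thread, and the reference date is the date of the thread rather than the current time.

```python
"""Triage `getcert list` output before running ipa-cert-fix.

Added example, not FreeIPA or certmonger project code: parse the text that
`getcert list` prints, report which tracked certificates have already expired
and which requests are stuck, and check whether the CA signing certificate
is itself still valid (the precondition under which ipa-cert-fix can help).
"""
import re
from datetime import datetime, timezone

# Constructed sample modeled on the getcert output in the thread, trimmed to
# four requests and to the fields this script reads.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 4.
Request ID '20191231201955':
        status: MONITORING
        stuck: no
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: SelfSign
        subject: CN=ipa1.itec.lab,O=ITEC.LAB
        expires: 2020-12-31 20:19:55 UTC
Request ID '20201102185036':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        subject: CN=CA Audit,O=ITEC.LAB
        expires: 2020-12-08 09:35:14 UTC
Request ID '20201102185039':
        status: NEED_CSR_GEN_PIN
        stuck: yes
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent-selfsigned
        subject: CN=Certificate Authority,O=ITEC.LAB
        expires: 2037-01-25 14:22:25 UTC
Request ID '20201102185042':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        subject: CN=ipa1.itec.lab,O=ITEC.LAB
        expires: 2020-12-08 09:35:05 UTC
"""

# Assumption: FreeIPA's default nickname for the Dogtag CA signing certificate.
CA_SIGNING_NICKNAME = "caSigningCert cert-pki-ca"


def parse_utc(value):
    """Turn a getcert timestamp such as '2020-12-08 09:35:14 UTC' into an aware datetime."""
    naive = datetime.strptime(value.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Return one dict per 'Request ID' block, keyed by getcert's field names."""
    certs, last_key = [], None
    for line in text.splitlines():
        header = re.match(r"Request ID '([^']+)':", line)
        if header:
            certs.append({"request_id": header.group(1)})
            last_key = None
            continue
        if not certs:
            continue  # the 'Number of certificates ...' line before the first block
        field = re.match(r"^\s+([^:]+):\s*(.*)$", line)
        if field:
            last_key = field.group(1).strip()
            certs[-1][last_key] = field.group(2).strip()
        elif last_key and line.strip():
            # Mail clients wrap long values onto unindented continuation lines
            # (as in the thread above); glue them back onto the previous field.
            certs[-1][last_key] = (certs[-1][last_key] + " " + line.strip()).strip()
    return certs


def triage(certs, now):
    """Bucket request IDs into 'expired', 'stuck' and 'ok' relative to `now`."""
    report = {"expired": [], "stuck": [], "ok": []}
    for cert in certs:
        rid, stuck = cert["request_id"], cert.get("stuck") == "yes"
        expired = parse_utc(cert["expires"]) <= now
        if stuck:
            report["stuck"].append(rid)
        if expired:
            report["expired"].append(rid)
        elif not stuck:
            report["ok"].append(rid)
    return report


def ca_still_valid(certs, now):
    """True if the tracked CA signing certificate has not expired; False if it has
    expired or is not tracked here (for example with an externally signed CA)."""
    for cert in certs:
        if f"nickname='{CA_SIGNING_NICKNAME}'" in cert.get("certificate", ""):
            return parse_utc(cert["expires"]) > now
    return False


if __name__ == "__main__":
    # Reference date is the date of the thread; use datetime.now(timezone.utc) live.
    now = parse_utc("2021-02-08 00:00:00 UTC")
    certs = parse_getcert_list(SAMPLE_GETCERT_OUTPUT)
    for bucket, ids in triage(certs, now).items():
        print(f"{bucket:8s} {', '.join(ids) or '-'}")
    print("CA signing cert still valid:", ca_still_valid(certs, now))
```

On a live server, feed it `getcert list` directly (for example `getcert list | python3 triage.py` with the sample replaced by `sys.stdin.read()`). A request that is stuck but whose certificate is not yet expired, like the caSigningCert one above, is reported under 'stuck' only; an expired CA signing certificate makes `ca_still_valid` return False, which is the case ipa-cert-fix does not cover on its own.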
