Hello,
I have a freeipa server (ipa-server-4.5.0-22.el7.centos.x86_64).
Сertificates expired in April 2022 and why certmonger did not renew them is not
clear.
getcert list
Request ID '20180510155654':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=IPA RA,O=EXAMPLE.COM
expires: 2024-03-07 17:47:25 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20180510155804':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Audit,O=EXAMPLE.COM
expires: 2024-03-05 17:47:13 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180510155805':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=OCSP Subsystem,O=EXAMPLE.COM
expires: 2024-03-07 17:47:15 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180510155806':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Subsystem,O=EXAMPLE.COM
expires: 2024-03-05 17:47:23 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180510155807':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=Certificate Authority,O=EXAMPLE.COM
expires: 2038-05-10 15:56:32 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180510155808':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to
https://freeipa.example.com:8443/ca/agent/ca/profileReview: Peer certificate
cannot be authenticated with given CA certificates.
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=freeipa.example.com,O=EXAMPLE.COM
expires: 2022-04-15 04:47:25 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180510155834':
status: CA_UNREACHABLE
ca-error: Server at https://freeipa.example.com/ipa/xml failed request,
will retry: -504 (libcurl failed to execute the HTTP POST transaction,
explaining: Failed connect to freeipa.example.com:443; Connection refused).
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=freeipa.example.com,O=EXAMPLE.COM
expires: 2022-04-25 20:55:59 UTC
dns: freeipa.example.com
principal name: ldap/[email protected]
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv
EXAMPLE-COM
track: yes
auto-renew: yes
Request ID '20180510155907':
status: CA_UNREACHABLE
ca-error: Server at https://freeipa.example.com/ipa/xml failed request,
will retry: -504 (libcurl failed to execute the HTTP POST transaction,
explaining: Failed connect to freeipa.example.com:443; Connection refused).
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=freeipa.example.com,O=EXAMPLE.COM
expires: 2022-04-26 06:11:51 UTC
dns: freeipa.example.com
principal name: ldap/[email protected]
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Request ID '20180510155922':
status: CA_UNREACHABLE
ca-error: Server at https://freeipa.example.com/ipa/xml failed request,
will retry: -504 (libcurl failed to execute the HTTP POST transaction,
explaining: Failed connect to freeipa.example.com:443; Connection refused).
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=freeipa.example.com,O=EXAMPLE.COM
expires: 2022-04-25 20:56:54 UTC
principal name: krbtgt/[email protected]
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
Request ID '20180720144614':
status: CA_REJECTED
ca-error: Server at https://freeipa.example.com/ipa/xml denied our
request, giving up: 2100 (RPC failed at server. Insufficient access:
Insufficient 'add' privilege to add the entry
'krbprincipalname=HTTP/[email protected],cn=services,cn=accounts,dc=example,dc=cb,dc=com'.).
stuck: yes
key pair storage:
type=FILE,location='/etc/pki/tls/private/pb-freeipa.key'
certificate: type=FILE,location='/etc/pki/tls/certs/pb-freeipa.crt'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20180720151813':
status: NEED_KEY_GEN_PIN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/ipa/certdb',nickname='Server-Cert',pin set
certificate:
type=NSSDB,location='/etc/ipa/certdb',nickname='Server-Cert'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20180720152853':
status: CA_UNREACHABLE
ca-error: Server at https://freeipa.example.com/ipa/xml failed request,
will retry: -504 (libcurl failed to execute the HTTP POST transaction,
explaining: Failed connect to freeipa.example.com:443; Connection refused).
stuck: no
key pair storage:
type=FILE,location='/etc/pki/tls/private/freeipa.example.com.key'
certificate:
type=FILE,location='/etc/pki/tls/certs/freeipa.example.com.crt'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=freeipa.example.com,O=EXAMPLE.COM
expires: 2022-04-25 20:57:24 UTC
dns: freeipa.example.com
principal name: HTTP/[email protected]
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20180723075009':
status: NEED_CSR
stuck: no
key pair storage: type=FILE,location='/root/OVPN_CLIENT_1.key'
certificate: type=FILE,location='/root/OVPN_CLIENT_1.pem'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=freeipa.example.com,O=EXAMPLE.COM
expires: 2020-07-23 07:50:10 UTC
dns: freeipa.example.com
principal name: host/[email protected]
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20180723075356':
status: CA_REJECTED
ca-error: Server at https://freeipa.example.com/ipa/xml denied our
request, giving up: 3009 (RPC failed at server. invalid 'csr': hostname in
subject of request 'OVPN_CLIENT_1' does not match name or aliases of principal
'HTTP/[email protected]').
stuck: yes
key pair storage: type=FILE,location='/root/OVPN_CLIENT_2.key'
certificate: type=FILE,location='/root/OVPN_CLIENT_2.pem'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20180723075553':
status: CA_UNREACHABLE
ca-error: Server at https://freeipa.example.com/ipa/xml failed request,
will retry: -504 (libcurl failed to execute the HTTP POST transaction,
explaining: Peer's Certificate has expired.).
stuck: no
key pair storage: type=FILE,location='/root/OVPN_CLIENT_3.key'
certificate: type=FILE,location='/root/OVPN_CLIENT_3.pem'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20200514145151':
status: CA_UNREACHABLE
ca-error: Server at https://freeipa.example.com/ipa/xml failed request,
will retry: -504 (libcurl failed to execute the HTTP POST transaction,
explaining: Peer's Certificate has expired.).
stuck: no
key pair storage: type=FILE,location='/home/user/vpn-user.key'
certificate: type=FILE,location='/home/user/vpn-user.crt'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=freeipa.example.com,O=EXAMPLE.COM
expires: 2022-05-15 14:51:52 UTC
dns: freeipa.example.com
principal name: host/[email protected]
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20200514150206':
status: CA_UNREACHABLE
ca-error: Server at https://freeipa.example.com/ipa/xml failed request,
will retry: -504 (libcurl failed to execute the HTTP POST transaction,
explaining: Peer's Certificate has expired.).
stuck: no
key pair storage:
type=FILE,location='/home/user/freeipa.example.com.key'
certificate: type=FILE,location='/home/user/freeipa.example.com.crt'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=freeipa.example.com,O=EXAMPLE.COM
expires: 2022-05-15 15:02:07 UTC
dns: freeipa.example.com
principal name: host/[email protected]
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
I tried to update the certificates using the information from the following
links:
https://floblanc.wordpress.com/2016/12/06/using-certmonger-to-track-certificates/
https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issues-with-freeipa/
https://listman.redhat.com/archives/freeipa-users/2017-January/msg00216.html
but it was not possible to update expired certificates.
Please would you tell how to solve the problem.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
