[Freeipa-users] Re: "ipa-cacert-manage renew" is failing

Thu, 17 Nov 2022 09:33:27 -0800 

Hi,

On Thu, Nov 17, 2022 at 6:22 PM Sean McLennan via FreeIPA-users <
[email protected]> wrote:

> Mm. Actually, I'm not so sure.  Am I not interpreting the "getcert list"
> results correctly? When it says CA_UNREACHABLE because the cert expired,
> isn't that the CA Cert?
>
> Number of certificates and requests being tracked: 9.
> Request ID '20201114211025':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>         certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=[domain.com]
>         subject: CN=IPA RA,O=[domain.com]
>         expires: 2022-11-04 14:10:27 MDT
>         key usage: digitalSignature,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
>         post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
>         track: yes
>         auto-renew: yes
> Request ID '20201114211106':
>         status: NEED_CSR_GEN_TOKEN
>         stuck: yes
>         key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=[domain.com]
>         subject: CN=localhost
>         expires: 2022-11-11 14:11:49 MST
>         key usage: digitalSignature,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20201114211107':
>         status: NEED_CSR_GEN_TOKEN
>         stuck: yes
>         key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=[domain.com]
>         subject: CN=localhost
>         expires: 2022-11-11 14:11:53 MST
>         key usage: digitalSignature,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
> "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20201114211108':
>         status: NEED_CSR_GEN_TOKEN
>         stuck: yes
>         key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=[domain.com]
>         subject: CN=localhost
>         expires: 2022-11-04 14:11:32 MDT
>         key usage: digitalSignature,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
> "subsystemCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20201114211109':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=[domain.com]
>         subject: CN=localhost
>         expires: 2022-11-11 14:11:50 MST
>
^ This one (caSigningCert cert-pki-ca) is IPA CA and expires 2022-11-11 but
it definitely looks wrong, unless IPA was installed with custom (and
puzzlin) options: subject CN=localhost.

How was IPA installed? The default settings would install a self-signed CA
with subject CN=Certificate Authority,O=IPA.TEST for instance.
What is the content of /etc/ipa/ca.crt? You should see the original IPA CA
in this file.

flo

>         key usage: digitalSignature,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
> "caSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20201114211110':
>         status: NEED_CSR_GEN_TOKEN
>         stuck: yes
>         key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=[domain.com]
>         subject: CN=localhost
>         expires: 2022-11-04 14:11:40 MDT
>         key usage: digitalSignature,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
> "Server-Cert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20201114211316':
>         status: CA_UNREACHABLE
>         ca-error: Server at https://ipa01.[domain.com]/ipa/xml failed
> request, will retry: -504 (libcurl failed to execute the HTTP POST
> transaction, explaining:  SSL certificate problem: certificate has expired).
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-SIMPLYWS-COM',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-SIMPLYWS-COM/pwdfile.txt'
>         certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-SIMPLYWS-COM',nickname='Server-Cert',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=[domain.com]
>         subject: CN=ipa01.[domain.com],O=[domain.com]
>         expires: 2022-11-15 14:13:16 MST
>         dns: ipa01.[domain.com]
>         principal name: ldap/ipa01.[domain.com]@[domain.com]
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib/ipa/certmonger/restart_dirsrv
> SIMPLYWS-COM
>         track: yes
>         auto-renew: yes
> Request ID '20201114211418':
>         status: CA_UNREACHABLE
>         ca-error: Server at https://ipa01.[domain.com]/ipa/xml failed
> request, will retry: -504 (libcurl failed to execute the HTTP POST
> transaction, explaining:  SSL certificate problem: certificate has expired).
>         stuck: no
>         key pair storage:
> type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/ipa01.[
> domain.com]-443-RSA'
>         certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=[domain.com]
>         subject: CN=ipa01.[domain.com],O=[domain.com]
>         expires: 2022-11-15 14:14:22 MST
>         dns: ipa01.[domain.com]
>         principal name: HTTP/ipa01.[domain.com]@[domain.com]
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib/ipa/certmonger/restart_httpd
>         track: yes
>         auto-renew: yes
> Request ID '20201114211427':
>         status: CA_UNREACHABLE
>         ca-error: Server at https://ipa01.[domain.com]/ipa/xml failed
> request, will retry: -504 (libcurl failed to execute the HTTP POST
> transaction, explaining:  SSL certificate problem: certificate has expired).
>         stuck: no
>         key pair storage: type=FILE,location='/var/lib/krb5kdc/kdc.key'
>         certificate: type=FILE,location='/var/lib/krb5kdc/kdc.crt'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=[domain.com]
>         subject: CN=ipa01.[domain.com],O=[domain.com]
>         expires: 2022-11-15 14:14:27 MST
>         principal name: krbtgt/[domain.com]@[domain.com]
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-pkinit-KPKdc
>         pre-save command:
>         post-save command: /usr/lib/ipa/certmonger/renew_kdc_cert
>         track: yes
>         auto-renew: yes
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to