Florence Blanc-Renaud via FreeIPA-users wrote:
> Hi,
>
> On Mon, Dec 12, 2022 at 10:20 AM junhou he via FreeIPA-users
> <[email protected]> wrote:
>
>> Hi ,
>> getcert list
>> Number of certificates and requests being tracked: 7.
>> Request ID '20221116023302':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>>         certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer: CN=Certificate Authority,O=WINGON.HK
>>         subject: CN=IPA RA,O=WINGON.HK
>>         issued: 2022-11-16 10:33:02 HKT
>>         expires: 2024-11-05 10:33:02 HKT
>>         key usage: digitalSignature,keyEncipherment,dataEncipherment
>>         eku: id-kp-clientAuth
>>         profile: caSubsystemCert
>>         pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>         post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>         track: yes
>>         auto-renew: yes
>> Request ID '20221116023307':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer: CN=Certificate Authority,O=WINGON.HK
>>         subject: CN=CA Audit,O=WINGON.HK
>>         issued: 2022-11-16 10:31:47 HKT
>>         expires: 2024-11-05 10:31:47 HKT
>>         key usage: digitalSignature,nonRepudiation
>>         profile: caSignedLogCert
>>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20221116023309':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer: CN=Certificate Authority,O=WINGON.HK
>>         subject: CN=OCSP Subsystem,O=WINGON.HK
>>         issued: 2022-11-16 10:31:46 HKT
>>         expires: 2024-11-05 10:31:46 HKT
>>         eku: id-kp-OCSPSigning
>>         profile: caOCSPCert
>>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20221116023310':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer: CN=Certificate Authority,O=WINGON.HK
>>         subject: CN=CA Subsystem,O=WINGON.HK
>>         issued: 2022-11-16 10:31:46 HKT
>>         expires: 2024-11-05 10:31:46 HKT
>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-clientAuth
>>         profile: caSubsystemCert
>>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20221116023311':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer: CN=Certificate Authority,O=WINGON.HK
>>         subject: CN=Certificate Authority,O=WINGON.HK
>>         issued: 2022-11-16 10:31:44 HKT
>>         expires: 2042-11-16 10:31:44 HKT
>>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>         profile: caCACert
>>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20221116023312':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer: CN=Certificate Authority,O=WINGON.HK
>>         subject: CN=wocfreeipa.wingon.hk,O=WINGON.HK
>>         issued: 2022-11-16 10:31:46 HKT
>>         expires: 2024-11-05 10:31:46 HKT
>>         dns: wocfreeipa.wingon.hk
>>         key usage: digitalSignature,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth
>>         profile: caServerCert
>>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20221116023354':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
>>         certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=WINGON.HK
>>         subject: CN=wocfreeipa.wingon.hk,O=WINGON.HK
>>         issued: 2022-11-16 10:33:55 HKT
>>         expires: 2024-11-16 10:33:55 HKT
>>         dns: wocfreeipa.wingon.hk
>>         principal name: krbtgt/[email protected]
>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-pkinit-KPKdc
>>         profile: KDCs_PKINIT_Certs
>>         pre-save command:
>>         post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
>>         track: yes
>>         auto-renew: yes
>
> So far, looks good. All the tracked certs are still valid.
> One question, though: there is no tracking for httpd and ldap server
> certificates, does it mean that they were replaced with
> externally-signed server certificates using ipa-server-certinstall?
>
>> ldapsearch -x -o ldif-wrap=no -LLL -s base -h `hostname` -p 389 -b uid=ipara,ou=people,o=ipaca description usercertificate*
>> dn: uid=ipara,ou=people,o=ipaca
>> description: 2;7;CN=Certificate Authority,O=WINGON.HK;CN=IPA RA,O=WINGON.HK
>
> Is there a usercertificate attribute in this entry? (maybe a copy-paste
> issue but there is a * in your command, it should not be there).
> The value stored in this usercertificate attribute should be identical
> to the content of /var/lib/ipa/ra-agent.pem.
>
>> openssl x509 -nameopt RFC2253 -noout -subject -serial -issuer -in /var/lib/ipa/ra-agent.pem
>> subject=CN=IPA RA,O=WINGON.HK
>> serial=07
>> issuer=CN=Certificate Authority,O=WINGON.HK
>
> The RA certificate and the info stored in LDAP are consistent, no issue
> seen so far.
>
>> [root@wocfreeipa ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n ipaCert
>> certutil: Could not find cert: ipaCert
>> : PR_FILE_NOT_FOUND_ERROR: File not found
>
> This error can be ignored, with your version the cert is stored in the
> pem file /var/lib/ipa/ra-agent.pem.
>
>> [root@wocfreeipa ~]# certutil -L -d /etc/pki/pki-tomcat/alias/
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
>> ocspSigningCert cert-pki-ca                                  u,u,u
>> subsystemCert cert-pki-ca                                    u,u,u
>> auditSigningCert cert-pki-ca                                 u,u,Pu
>> Server-Cert cert-pki-ca                                      u,u,u
>> OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US   C,,
>> CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US   C,,
>> NSS Certificate DB:NSS Certificate DB:CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US   C,,
>>
>> I executed the above command as you suggested, unfortunately
>> ipaCert* cannot be found
>
> Yes, this error can be ignored, you must have IPA >= 4.5.
>
> What is the content of /var/log/pki/pki-tomcat/ca/debug?
Could this be a mismatch in the proxy secrets? If you look in
/etc/httpd/conf.d/ipa-pki-proxy.conf the secret should match the value in
/etc/pki/pki-tomcat/server.xml for the connector. Tomcat changed the name of
the attribute and in some cases a new secret was generated for the CA and not
for IPA. See https://bugzilla.redhat.com/show_bug.cgi?id=2092015

rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
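Rob's check above, written out as a script. This is an added example, not code from the thread or from FreeIPA; it assumes the stock layout of the two files (a ProxyPassMatch line carrying secret= in ipa-pki-proxy.conf, and an AJP/1.3 Connector in server.xml carrying either the old requiredSecret= attribute or the newer secret=), and the sample files and secret values it runs on are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): check that the AJP secret httpd sends
# (ipa-pki-proxy.conf) equals the one pki-tomcat expects (server.xml).
# Runs offline on constructed samples; point the functions at the real paths.
# httpd side: every IPA ProxyPassMatch line carries "secret=<value>".
proxy_secret() {
    sed -E -n 's/.*ProxyPassMatch.*secret=([^[:space:]]*).*/\1/p' "$1" | head -n 1
}

# Tomcat side: the AJP/1.3 Connector carries requiredSecret= (old Tomcat) or
# secret= (new). XML comments are dropped so a commented-out connector is ignored.
tomcat_secret() {
    tr '\n' ' ' < "$1" | sed -E 's/<!--([^-]|-[^-])*-->//g' | tr '<' '\n' |
        grep '^Connector' | grep 'protocol="AJP/1.3"' | head -n 1 |
        sed -E -n 's/.*[[:space:]](requiredSecret|secret)="([^"]*)".*/\1=\2/p'
}

# Returns 0 when both sides hold the same non-empty secret, 1 otherwise.
check_secret() {
    httpd=$(proxy_secret "$1"); tc=$(tomcat_secret "$2")
    attr=${tc%%=*}; val=${tc#*=}
    if [ -z "$httpd" ] || [ -z "$val" ]; then
        echo "MISSING: httpd='$httpd' tomcat='$tc'"; return 1
    elif [ "$httpd" = "$val" ]; then
        echo "OK: secrets match (tomcat attribute: $attr)"; return 0
    fi
    echo "MISMATCH: httpd sends '$httpd', tomcat $attr expects '$val'"; return 1
}

# Constructed samples (placeholders, not real secrets): the CA side got a fresh
# secret under the new attribute name while httpd still sends the old value.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/ipa-pki-proxy.conf" <<'EOF'
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain">
    ProxyPassMatch ajp://localhost:8009 secret=OLD-SECRET-PLACEHOLDER
</LocationMatch>
EOF
cat > "$tmp/server.xml" <<'EOF'
<Service name="Catalina">
  <!-- <Connector port="8009" protocol="AJP/1.3" secret="COMMENTED-OUT" /> -->
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
             address="localhost" secret="NEW-SECRET-PLACEHOLDER" />
</Service>
EOF
# Same httpd file against a server.xml that still uses the old attribute name.
sed 's/secret="NEW-SECRET-PLACEHOLDER"/requiredSecret="OLD-SECRET-PLACEHOLDER"/' \
    "$tmp/server.xml" > "$tmp/server-old.xml"
check_secret "$tmp/ipa-pki-proxy.conf" "$tmp/server.xml" || echo "-> align the two values"
check_secret "$tmp/ipa-pki-proxy.conf" "$tmp/server-old.xml"
```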
