| 7 certificates are tracked, so I guess they are:
You’re correct, here is the list of certs tracked with the names:
# getcert list | egrep "Request ID|status:|CA:|expires:|certificate:"
Request ID '20210201172746':
        status: SUBMITTING
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2025-05-31 15:41:32 UTC
Request ID '20210201172819':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2025-05-31 15:41:32 UTC
Request ID '20210201172820':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2025-05-31 15:41:32 UTC
Request ID '20210201172821':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2025-05-31 15:41:32 UTC
Request ID '20210201172822':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2027-06-09 13:26:26 UTC
Request ID '20210201172823':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2025-05-31 15:41:32 UTC
Request ID '20210201172924':
        status: CA_UNREACHABLE
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: IPA
        expires: 2025-05-31 15:41:32 UTC
And the following ones are not tracked: the HTTPd server cert (stored in
/etc/httpd/alias) and the LDAP server cert (stored in /etc/dirsrv/slapd-XXX).
You need to:
* check if they are still valid
* find their nickname using certutil -L -d /etc/dirsrv/slapd-IPA-TEST/ and
  certutil -L -d /etc/httpd/alias (usually it's Server-Cert but it may differ)
  # certutil -L -d /etc/dirsrv/slapd-IPA-TEST/
  Certificate Nickname                                         Trust Attributes
                                                               SSL,S/MIME,JAR/XPI

  IPA.TEST IPA CA                                              CT,C,C
  Server-Cert                                                  u,u,u
* check if they are still valid:
  # certutil -L -d /etc/dirsrv/slapd-IPA-TEST/ -n Server-Cert | grep -C2 "Validity:"
          Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
          Issuer: "CN=Certificate Authority,O=IPA.TEST"
          Validity:
              Not Before: Tue Apr 08 09:27:53 2025
              Not After : Fri Apr 09 09:27:53 2027
* check if their issuer is known by IPA (it should be present in
  /etc/ipa/ca.crt and in the various NSS databases). If not, you need to add the
  whole chain with intermediate certs if any.
* when you are sure that the HTTPd and LDAP certs are good, restart IPA
  services with ipactl start --ignore-service-failures
* then we'll re-assess the situation and fix the other certs.
As you can see they're still valid for a few more weeks… but from the list of
names of certs in those directories you'll also see that we have duplicate
entries for all of the CAs… both the IPA CA and the CAs that were used to sign
the certs… I am wondering if this is the problem.
# certutil -L -d /etc/dirsrv/slapd-[CENSORED]/ -n "CN=[CENSORED]" | grep -C2 "Validity:"
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=PC-SubCA-B,DC=[DOMAIN]"
        Validity:
            Not Before: Wed Jul 05 13:54:09 2023
            Not After : Fri Jul 04 13:54:09 2025
# certutil -L -d /etc/httpd/alias/ | sed -e 's/CT,C,C//' -e 's/u,u,u//' | tail -n +4
[DOMAIN] IPA CA
CN=us01-linadm01.peacecorps.gov,OU=OCIO,O=PEACECORPS.GOV,L=Washington,ST=District of Columbia,C=US
CN=PC-RootCA
CN=PC-SubCA-A,DC=[DOMAIN]
CN=PC-SubCA-B,DC=[DOMAIN]
[DOMAIN] IPA CA
[DOMAIN] IPA CA
CN=PC-SubCA-A,DC=[DOMAIN]
CN=PC-SubCA-B,DC=[DOMAIN]
# certutil -L -d /etc/httpd/alias/ -n "CN=[CENSORED]" | grep -C2 "Validity:"
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=PC-SubCA-B,DC=[DOMAIN]"
        Validity:
            Not Before: Wed Jul 05 13:54:09 2023
            Not After : Fri Jul 04 13:54:09 2025
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
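Added example, not FreeIPA project code and not something either participant posted: a small Python helper that applies the checks from the reply above offline. It parses the text that getcert list, certutil -L -d <db> and certutil -L -d <db> -n <nick> print, in the shapes shown in this thread, and runs against constructed sample output embedded in the file (DC=EXAMPLE stands in for the censored domain; the request IDs, paths and dates are copied from the thread). Two things are assumptions of this example rather than facts from the thread: certutil prints validity dates without a zone, so they are treated as UTC, and "issuer known" is judged by whether the issuer DN appears as a nickname in the same NSS database, which only holds when the chain was imported under subject-DN nicknames as in the httpd listing above.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: abridged `getcert list`, same fields and layout as in the thread.
GETCERT_SAMPLE = """\
Request ID '20210201172746':
        status: SUBMITTING
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2025-05-31 15:41:32 UTC
Request ID '20210201172822':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2027-06-09 13:26:26 UTC
"""
# Constructed sample: `certutil -L -d <db>` listing; DC=EXAMPLE stands in for the censored domain.
CERTUTIL_LIST_SAMPLE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE IPA CA                                               CT,C,C
Server-Cert                                                  u,u,u
CN=PC-SubCA-B,DC=EXAMPLE                                     CT,C,C
EXAMPLE IPA CA                                               CT,C,C
"""
# Constructed sample: the `grep -C2 "Validity:"` slice of `certutil -L -d <db> -n <nick>`.
CERTUTIL_CERT_SAMPLE = """\
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=PC-SubCA-B,DC=EXAMPLE"
        Validity:
            Not Before: Wed Jul 05 13:54:09 2023
            Not After : Fri Jul 04 13:54:09 2025
"""
KV_RE = re.compile(r"(\w+)=(?:'([^']*)'|([^,]*))")  # type=NSSDB,location='...',nickname='...'
TRUST_RE = re.compile(r"^(.*\S)\s+([CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)$")  # nickname <spaces> flags


def parse_getcert(text):
    """One dict per tracking request: id, status, CA, expires (aware UTC) and the certificate fields."""
    records, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1)}
            records.append(cur)
        elif cur is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            value = value.strip()
            if key == "certificate":
                for k, quoted, bare in KV_RE.findall(value):
                    cur[k] = quoted or bare
            elif key == "expires":
                cur[key] = datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
            else:
                cur[key] = value
    return records


def triage(records, now, warn_days=60):
    """{request id: [reasons]} for anything not quietly MONITORING or within warn_days of expiry."""
    findings = {}
    for r in records:
        reasons = [] if r.get("status") == "MONITORING" else [f"status {r.get('status')}"]
        if "expires" in r:
            left = (r["expires"] - now).days
            if left < 0:
                reasons.append(f"expired {-left} days ago")
            elif left <= warn_days:
                reasons.append(f"expires in {left} days")
        if reasons:
            findings[r["id"]] = reasons
    return findings


def parse_listing(text):
    """[(nickname, trust flags)] from a `certutil -L -d <db>` listing; header lines carry no flags."""
    return [m.groups() for m in (TRUST_RE.match(l.rstrip()) for l in text.splitlines()) if m]


def duplicate_nicknames(listing):
    """Nicknames under which more than one certificate is stored."""
    return sorted(n for n, c in Counter(nick for nick, _ in listing).items() if c > 1)


def parse_cert_details(text):
    """Issuer DN and validity window; certutil prints no zone, so UTC is assumed here (example's choice)."""
    def stamp(label):
        raw = re.search(label + r"\s*:\s*(.+)", text).group(1).strip()
        return datetime.strptime(raw, "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    issuer = re.search(r'Issuer: "([^"]*)"', text).group(1)
    return {"issuer": issuer, "not_before": stamp("Not Before"), "not_after": stamp("Not After")}


def check_server_cert(details, listing, now):
    """The reply's two checks on an untracked HTTPd/LDAP cert: still valid, and issuer present in the DB.
    Presence is judged by nickname, assuming the chain was imported under subject-DN nicknames
    as in the thread's listing (an assumption of this example, not an NSS rule)."""
    nicks = {nick for nick, _ in listing}
    return {
        "valid_now": details["not_before"] <= now <= details["not_after"],
        "days_left": (details["not_after"] - now).days,
        "issuer_in_db": details["issuer"] in nicks,
    }
```

On a live replica, feed the real command output instead of the samples, e.g. the stdout of subprocess.run(["getcert", "list"], capture_output=True, text=True) into parse_getcert and the output of certutil -L -d /etc/httpd/alias into parse_listing, with now=datetime.now(timezone.utc). triage lists anything in SUBMITTING or CA_UNREACHABLE as well as near-expiry requests, and duplicate_nicknames shows which nicknames hold more than one certificate, which is what the repeated CA entries in the httpd listing above look like from the NSS side.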