Schrier, William (Contractor) via FreeIPA-users wrote:
> > 7 certificates are tracked, so I guess they are:
> >
> You’re correct, here is the list of certs tracked with the names:
>
> # getcert list | egrep "Request ID|status:|CA:|expires:|certificate:"
> Request ID '20210201172746':
>         status: SUBMITTING
>         certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>         CA: dogtag-ipa-ca-renew-agent
>         expires: 2025-05-31 15:41:32 UTC
> Request ID '20210201172819':
>         status: MONITORING
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         expires: 2025-05-31 15:41:32 UTC
> Request ID '20210201172820':
>         status: MONITORING
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         expires: 2025-05-31 15:41:32 UTC
> Request ID '20210201172821':
>         status: MONITORING
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         expires: 2025-05-31 15:41:32 UTC
> Request ID '20210201172822':
>         status: MONITORING
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         expires: 2027-06-09 13:26:26 UTC
> Request ID '20210201172823':
>         status: MONITORING
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         expires: 2025-05-31 15:41:32 UTC
> Request ID '20210201172924':
>         status: CA_UNREACHABLE
>         certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
>         CA: IPA
>         expires: 2025-05-31 15:41:32 UTC
>
> > And the following ones are not tracked: the HTTPd server cert (stored in /etc/httpd/alias) and the LDAP server cert (stored in /etc/dirsrv/slapd-XXX).
> >
> > You need to:
> >
> > * check if they are still valid
> >   o find their nickname using certutil -L -d /etc/dirsrv/slapd-IPA-TEST/ and certutil -L -d /etc/httpd/alias (usually it's Server-Cert but it may differ)
> >
> >     # certutil -L -d /etc/dirsrv/slapd-IPA-TEST/
> >     Certificate Nickname                      Trust Attributes
> >                                               SSL,S/MIME,JAR/XPI
> >     IPA.TEST IPA CA                           CT,C,C
> >     Server-Cert                               u,u,u
> >
> >   o check if they are still valid: certutil -L -d /etc/dirsrv/slapd-IPA-TEST/ -n Server-Cert | grep -C2 "Validity:"
> >
> >     # certutil -L -d /etc/dirsrv/slapd-IPA-TEST/ -n Server-Cert | grep -C2 "Validity:"
> >         Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
> >         Issuer: "CN=Certificate Authority,O=IPA.TEST"
> >         Validity:
> >             Not Before: Tue Apr 08 09:27:53 2025
> >             Not After : Fri Apr 09 09:27:53 2027
> >
> >   o check if their issuer is known by IPA (it should be present in /etc/ipa/ca.crt and in the various NSS databases). If not, you need to add the whole chain with intermediate certs if any.
> >
> > * when you are sure that the HTTPd and LDAP certs are good, restart IPA services with ipactl start --ignore-service-failures
> > * then we'll re-assess the situation and fix the other certs.
>
> As you can see they’re still valid for a few more weeks… but also from the list of names of certs in those directories, you’ll see that we have duplicate entries for all of the CAs… both the IPA CA and the CAs that were used to sign the certs… I am wondering if this is the problem.
>
> # certutil -L -d /etc/dirsrv/slapd-[CENSORED]/ -n "CN=[CENSORED]" | grep -C2 "Validity:"
>         Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>         Issuer: "CN=PC-SubCA-B,DC=[DOMAIN]"
>         Validity:
>             Not Before: Wed Jul 05 13:54:09 2023
>             Not After : Fri Jul 04 13:54:09 2025
>
> # certutil -L -d /etc/httpd/alias/ | sed -e 's/CT,C,C//' -e 's/u,u,u//' | tail -n +4
> [DOMAIN] IPA CA
> CN=us01-linadm01.peacecorps.gov,OU=OCIO,O=PEACECORPS.GOV,L=Washington,ST=District of Columbia,C=US
> CN=PC-RootCA
> CN=PC-SubCA-A,DC=[DOMAIN]
> CN=PC-SubCA-B,DC=[DOMAIN]
> [DOMAIN] IPA CA
> [DOMAIN] IPA CA
> CN=PC-SubCA-A,DC=[DOMAIN]
> CN=PC-SubCA-B,DC=[DOMAIN]
>
> # certutil -L -d /etc/httpd/alias/ -n "CN=[CENSORED]" | grep -C2 "Validity:"
>         Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>         Issuer: "CN=PC-SubCA-B,DC=[DOMAIN]"
>         Validity:
>             Not Before: Wed Jul 05 13:54:09 2023
>             Not After : Fri Jul 04 13:54:09 2025
What directions did you follow from Flo's blog? It looks like only the CA signing cert was updated. Is that all you did?

I think at this point you should try running ipa-cert-fix.

rob
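The first thing the checklist quoted above asks for is a read of what certmonger is tracking: which requests are not in MONITORING and which certificates are close to expiry. The following is an added example, not code from the thread or from FreeIPA, that parses `getcert list` output in the format quoted above and flags those requests; the sample output is constructed from three of the seven requests in the listing, and the reference time passed to `triage` is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample: three of the seven requests from the getcert listing quoted above.
SAMPLE = """\
Request ID '20210201172746':
        status: SUBMITTING
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2025-05-31 15:41:32 UTC
Request ID '20210201172822':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2027-06-09 13:26:26 UTC
Request ID '20210201172924':
        status: CA_UNREACHABLE
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: IPA
        expires: 2025-05-31 15:41:32 UTC
"""

def parse_ts(value):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' timestamps (naive UTC)."""
    return datetime.strptime(value.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")

def parse_getcert(text):
    """Split `getcert list` output into one dict per tracked request."""
    requests = []
    for line in text.splitlines():
        if line.startswith("Request ID"):
            requests.append({"id": line.split("'")[1]})
        elif requests and ": " in line:
            key, value = line.strip().split(": ", 1)
            requests[-1][key] = value
    return requests

def triage(requests, now, warn_days=30):
    """Return (request id, reason) for any status other than MONITORING, or expiry within warn_days or past."""
    problems = []
    now = parse_ts(now)  # reference time passed in by the caller (assumed, not from the thread)
    for r in requests:
        status = r.get("status", "?")
        if status != "MONITORING":
            problems.append((r["id"], "status " + status))
        left = parse_ts(r["expires"]) - now
        if left <= timedelta(0):
            problems.append((r["id"], "expired"))
        elif left <= timedelta(days=warn_days):
            problems.append((r["id"], "expires in %d days" % left.days))
    return problems
```

On a live server, feed the output of `getcert list` to `parse_getcert` and the current time to `triage`; a request that is SUBMITTING or CA_UNREACHABLE with a few weeks left is the case the thread is troubleshooting.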
