On 14/10/2013 17:01, Rob Crittenden wrote:
> Federico Nebiolo wrote:
>> Dear IPA users,
>>
>> My IPA 3.0 installation on CentOS 6.4 (coming from a 2.2 upgrade)
>> suddenly stopped working for the CA part.
>> I'm not sure this is the root of all the issues, but subsystem
>> certificates were expired and not renewed: getcert list gives a similar
>> output for all of them, and I don't know how to proceed.
>>
>> []# getcert list -c dogtag-ipa-renew-agent
>>
>> Request ID '20130902075915':
>> status: MONITORING
>> ca-error: No end-entity URL (-E) given, and no default known.
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>> Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=XXXX
>> subject: CN=RA Subsystem,O=XXXX
>> expires: 2013-10-11 07:44:12 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>> track: yes
>> auto-renew: yes
>>
>> Do you have any hints on how to solve this?
>
> Try adding a host=<fqdn> to the [global] section in
> /etc/ipa/default.conf where host is the fqdn of your IPA master.
>
> I think you'll need to temporarily go back in time to the 11th for the
> renewal to succeed.
>
> You can force certmonger to try the renewal again with:
>
> # getcert resubmit -i 20130902075915
>
> You'll want to do this for all certs affected by this.
>
> If this works please let us know and we'll make sure that host exists in
> default.conf when upgrades happen.
>
> rob
Rob,

adding host=<fqdn> and moving the clock backward partially worked. Now both the "CN=RA Subsystem" and "CN=<fqdn>" certificates are renewed, but certmonger is unable to renew "CN=CA Subsystem", "CN=CA Audit" and "CN=OCSP Subsystem".

The certmonger error is an "Error 35 connecting to https://<fqdn>:9443/ca/agent/ca/profileReview: SSL connect error": it seems to me that the self-signed CA certificate in the chain is not accepted by certmonger, thus the certificates are not renewed.

Is there another parameter I can specify to make dogtag-ipa-renew-agent accept its CA?

Many thanks again
federico
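A defender-side triage script for the situation in this thread, added here as an example and not part of the mailing-list exchange or of FreeIPA/certmonger itself: it parses `getcert list` output into one record per request, flags tracked requests that carry a ca-error or are expired or close to expiry, and checks whether the [global] section of /etc/ipa/default.conf has the host= entry Rob suggests. The getcert output and default.conf fragment below are constructed samples modelled on the thread, with O=EXAMPLE and EXAMPLE.TEST as placeholder values.

```python
import configparser
import re
from datetime import datetime, timedelta
# Constructed `getcert list` output: one request with the thread's ca-error, one healthy.
SAMPLE_GETCERT_OUTPUT = """\
Request ID '20130902075915':
        ca-error: No end-entity URL (-E) given, and no default known.
        CA: dogtag-ipa-renew-agent
        subject: CN=RA Subsystem,O=EXAMPLE
        expires: 2013-10-11 07:44:12 UTC
Request ID '20130902075920':
        CA: dogtag-ipa-renew-agent
        subject: CN=OCSP Subsystem,O=EXAMPLE
        expires: 2015-10-11 07:44:12 UTC
"""
# Constructed /etc/ipa/default.conf fragment without the host= entry Rob suggests adding.
SAMPLE_DEFAULT_CONF = """\
[global]
realm = EXAMPLE.TEST
"""

def parse_getcert_list(text):
    """Split `getcert list` output into one dict per 'Request ID' block."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def parse_ts(value):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' timestamp into a naive UTC datetime."""
    return datetime.strptime(value.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")

def find_problem_requests(requests, now, warn_days=7):
    """IDs with a recorded ca-error, or expired / within warn_days of expiry at `now`."""
    limit = timedelta(days=warn_days)
    return [r["id"] for r in requests
            if "ca-error" in r or parse_ts(r["expires"]) - parse_ts(now) <= limit]

def global_host(conf_text):
    """Return host= from [global] of default.conf, or None when it is absent."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.get("global", "host", fallback=None)
```

On a real master, feed it the output of `getcert list -c dogtag-ipa-renew-agent` and the contents of /etc/ipa/default.conf; any request it returns is a candidate for `getcert resubmit -i <id>` once the cause of the ca-error is fixed.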
