Thank you John. I had tried that but you did give me some things to look at.
I was able to get 2 of the certificates to renew by setting the date back in
time, a services restart, and issuing 'ipa-getcert resubmit -i <request id>'.
This renewed the following: 'Server-Cert' and 'ipaCert', but did not renew
'auditSigningCert cert-pki-ca', 'ocspSigningCert cert-pki-ca' or
'subsystemCert cert-pki-ca'.

The admin web interface now gives 'ipa error 4301: Certificate operation
cannot be completed: Unable to communicate with CMS (Not Found)'. Listing the
certs shows an error along the lines of Internal error: no response to
"http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true".

If any of these are useful:

messages:
Jun 5 15:38:05 spider01o certmonger: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true".

httpd/error:
[Fri Jun 05 14:32:26 2015] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with CMS (Not Found)

selftests.log:
8371.main - [05/Jun/2015:15:19:17 EDT] [20] [1] SystemCertsVerification: system certs verification failure
8371.main - [05/Jun/2015:15:19:17 EDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!

$ ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

$ certutil -L -d /var/lib/pki-ca/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u
caSigningCert cert-pki-ca                                    CTu,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu

$ getcert list
Number of certificates and requests being tracked: 9.
Request ID '20131204194012':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=IGLASS.NET
        subject: CN=spider01o,O=IGLASS.NET
        expires: 2017-05-28 18:03:59 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20141114162346':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=IGLASS.NET
        subject: CN=spider01o.iglass.net,O=IGLASS.NET
        expires: 2016-11-14 16:22:37 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20141114162434':
        status: MONITORING
        ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='x'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=IGLASS.NET
        subject: CN=spider01o.iglass.net,O=IGLASS.NET
        expires: 2016-11-03 16:24:27 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20141114162522':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=IGLASS.NET
        subject: CN=spider01o.iglass.net,O=IGLASS.NET
        expires: 2016-11-14 16:22:36 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20141114162610':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=IGLASS.NET
        subject: CN=spider01o.iglass.net,O=IGLASS.NET
        expires: 2016-11-14 16:22:42 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20150604181945':
        status: MONITORING
        ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='x'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=IGLASS.NET
        subject: CN=CA Audit,O=IGLASS.NET
        expires: 2015-05-31 18:48:55 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20150604181956':
        status: MONITORING
        ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=2&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='x'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=IGLASS.NET
        subject: CN=OCSP Subsystem,O=IGLASS.NET
        expires: 2015-05-31 18:48:54 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        eku: id-kp-OCSPSigning
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20150604182006':
        status: MONITORING
        ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=4&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='x'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=IGLASS.NET
        subject: CN=CA Subsystem,O=IGLASS.NET
        expires: 2015-05-31 18:48:54 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20150604182012':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=IGLASS.NET
        subject: CN=IPA RA,O=IGLASS.NET
        expires: 2017-05-25 13:58:36 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

thanks again.
-Marc

On Fri, Jun 5, 2015 at 1:03 PM, John Desantis <[email protected]> wrote:
> Marc,
>
> I experienced a similar issue earlier this year.
>
> Try restarting certmonger after temporarily changing the date back on
> the master. In our case that service had failed miserably and it
> didn't allow FreeIPA to renew the certificates properly.
>
> Our replicas however were hit with a bug [1] during this process. We
> applied the patched code and followed the same process and all was
> well.
>
> John DeSantis
>
> [1] https://fedorahosted.org/freeipa/ticket/4064
>
>
> 2015-06-05 11:12 GMT-04:00 Marc Wiatrowski <[email protected]>:
> > hello,
> >
> > I've got a problem with expired certificates in my ipa/IdM setup.
> > I believe the root issue to be from the fact that when everything was first
> > setup about a year ago and everything was replicated from a first ipa server
> > which no longer exists. There are currently 3 ipa servers but none of them
> > are the original.
> >
> > Couple days ago I started getting errors similar to
> > '(SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as
> > expired' through the web management interface. After investigating with
> > 'getcert list' I found that several certificates expired at
> > 2015-05-31 18:48:55 UTC.
> >
> > I found http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
> > and followed the procedure for ipa <4.0 and everything seemed to go as
> > expected. However this did not fix my issue.
> >
> > With more searching it looked like once the certificates are expired the
> > auto renew will not work. Finding
> > https://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Procedure_in_IPA_.3C_4.0
> > to try to manually renew I am stuck at the beginning with 'Give the CSR
> > to your external CA.' I don't believe we had our certificates externally
> > signed. They are whatever the original install put in place. Setting the
> > date back in time wreaks havoc on our environment so I'm reluctant to leave
> > it for too long. I can get what I believe is the original CSR from
> > /etc/pki-ca/CS.cfg but unsure what to do next or if this is even the road I
> > should be going down.
> >
> > Things seem to be working for the most part except trying to make updates.
> > Any help on what to do next, somewhere else to look, or if I'm going in the
> > right direction would be greatly appreciated.
> >
> > thanks,
> > Marc
> >
> > Info:
> > CentOS 6.5 with some current updates including
> > ipa-server-3.0.0-42.el6.centos.i686
> > certmonger-0.75.13-1.el6.i686
> >
> > $ getcert list-cas
> > CA 'SelfSign':
> >         is-default: no
> >         ca-type: INTERNAL:SELF
> >         next-serial-number: 01
> > CA 'IPA':
> >         is-default: no
> >         ca-type: EXTERNAL
> >         helper-location: /usr/libexec/certmonger/ipa-submit
> > CA 'certmaster':
> >         is-default: no
> >         ca-type: EXTERNAL
> >         helper-location: /usr/libexec/certmonger/certmaster-submit
> > CA 'dogtag-ipa-renew-agent':
> >         is-default: no
> >         ca-type: EXTERNAL
> >         helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
> > CA 'local':
> >         is-default: no
> >         ca-type: EXTERNAL
> >         helper-location: /usr/libexec/certmonger/local-submit
> > CA 'dogtag-ipa-retrieve-agent-submit':
> >         is-default: no
> >         ca-type: EXTERNAL
> >         helper-location: /usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit
> >
> > $ getcert list
> > Number of certificates and requests being tracked: 9.
> > Request ID '20131204194012':
> >         status: MONITORING
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
> >         certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=IGLASS.NET
> >         subject: CN=spider01o,O=IGLASS.NET
> >         expires: 2015-12-05 19:40:13 UTC
> >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> > Request ID '20141114162346':
> >         status: MONITORING
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=IGLASS.NET
> >         subject: CN=spider01o.iglass.net,O=IGLASS.NET
> >         expires: 2016-11-14 16:22:37 UTC
> >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> > Request ID '20141114162434':
> >         status: MONITORING
> >         ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true".
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='x'
> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=IGLASS.NET
> >         subject: CN=spider01o.iglass.net,O=IGLASS.NET
> >         expires: 2016-11-03 16:24:27 UTC
> >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >         eku: id-kp-serverAuth
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> > Request ID '20141114162522':
> >         status: MONITORING
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt'
> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=IGLASS.NET
> >         subject: CN=spider01o.iglass.net,O=IGLASS.NET
> >         expires: 2016-11-14 16:22:36 UTC
> >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> > Request ID '20141114162610':
> >         status: MONITORING
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=IGLASS.NET
> >         subject: CN=spider01o.iglass.net,O=IGLASS.NET
> >         expires: 2016-11-14 16:22:42 UTC
> >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> > Request ID '20150604181945':
> >         status: CA_UNREACHABLE
> >         ca-error: Error 35 connecting to https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect error.
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='x'
> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=IGLASS.NET
> >         subject: CN=CA Audit,O=IGLASS.NET
> >         expires: 2015-05-31 18:48:55 UTC
> >         key usage: digitalSignature,nonRepudiation
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> > Request ID '20150604181956':
> >         status: CA_UNREACHABLE
> >         ca-error: Error 35 connecting to https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect error.
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='x'
> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=IGLASS.NET
> >         subject: CN=OCSP Subsystem,O=IGLASS.NET
> >         expires: 2015-05-31 18:48:54 UTC
> >         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
> >         eku: id-kp-OCSPSigning
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> > Request ID '20150604182006':
> >         status: CA_UNREACHABLE
> >         ca-error: Error 35 connecting to https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect error.
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='x'
> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=IGLASS.NET
> >         subject: CN=CA Subsystem,O=IGLASS.NET
> >         expires: 2015-05-31 18:48:54 UTC
> >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> > Request ID '20150604182012':
> >         status: CA_UNREACHABLE
> >         ca-error: Error 35 connecting to https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect error.
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=IGLASS.NET
> >         subject: CN=IPA RA,O=IGLASS.NET
> >         expires: 2015-05-31 18:49:37 UTC
> >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> >
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
