On Jun 5, 2015 3:49 PM, "Marc Wiatrowski" <[email protected]> wrote:
Thank you John. I had tried that, but you did give me some things to look at.

I was able to get 2 of the certificates to renew by setting the date back in time, a services restart, and issuing 'ipa-getcert resubmit -i <request id>'. This renewed the following: 'Server-Cert' and 'ipaCert', but it did not renew 'auditSigningCert cert-pki-ca', 'ocspSigningCert cert-pki-ca' or 'subsystemCert cert-pki-ca'.

The admin web interface now gives 'ipa error 4301: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)'.

Listing the certs shows an error along the lines of:

Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true".

If any of these are useful:
messages:
Jun 5 15:38:05 spider01o certmonger: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true".

httpd/error:
[Fri Jun 05 14:32:26 2015] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with CMS (Not Found)

selftests.log:
8371.main - [05/Jun/2015:15:19:17 EDT] [20] [1] SystemCertsVerification: system certs verification failure
8371.main - [05/Jun/2015:15:19:17 EDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
$ ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
$ certutil -L -d /var/lib/pki-ca/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u
caSigningCert cert-pki-ca                                    CTu,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
$ getcert list
Number of certificates and requests being tracked: 9.
Request ID '20131204194012':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=IGLASS.NET
    subject: CN=spider01o,O=IGLASS.NET
    expires: 2017-05-28 18:03:59 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20141114162346':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=IGLASS.NET
    subject: CN=spider01o.iglass.net,O=IGLASS.NET
    expires: 2016-11-14 16:22:37 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20141114162434':
    status: MONITORING
    ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true".
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='x'
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=IGLASS.NET
    subject: CN=spider01o.iglass.net,O=IGLASS.NET
    expires: 2016-11-03 16:24:27 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20141114162522':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=IGLASS.NET
    subject: CN=spider01o.iglass.net,O=IGLASS.NET
    expires: 2016-11-14 16:22:36 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20141114162610':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=IGLASS.NET
    subject: CN=spider01o.iglass.net,O=IGLASS.NET
    expires: 2016-11-14 16:22:42 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20150604181945':
    status: MONITORING
    ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true".
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='x'
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=IGLASS.NET
    subject: CN=CA Audit,O=IGLASS.NET
    expires: 2015-05-31 18:48:55 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20150604181956':
    status: MONITORING
    ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=2&renewal=true&xml=true".
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='x'
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=IGLASS.NET
    subject: CN=OCSP Subsystem,O=IGLASS.NET
    expires: 2015-05-31 18:48:54 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    eku: id-kp-OCSPSigning
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20150604182006':
    status: MONITORING
    ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=4&renewal=true&xml=true".
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='x'
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=IGLASS.NET
    subject: CN=CA Subsystem,O=IGLASS.NET
    expires: 2015-05-31 18:48:54 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20150604182012':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=IGLASS.NET
    subject: CN=IPA RA,O=IGLASS.NET
    expires: 2017-05-25 13:58:36 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
thanks again. -Marc
On Fri, Jun 5, 2015 at 1:03 PM, John Desantis <[email protected]> wrote:

Marc,

I experienced a similar issue earlier this year.

Try restarting certmonger after temporarily changing the date back on the master. In our case that service had failed miserably and it didn't allow FreeIPA to renew the certificates properly.

Our replicas however were hit with a bug [1] during this process. We applied the patched code and followed the same process and all was well.

John DeSantis

[1] https://fedorahosted.org/freeipa/ticket/4064
2015-06-05 11:12 GMT-04:00 Marc Wiatrowski <[email protected]>:
> hello,
>
> I've got a problem with expired certificates in my ipa/IdM setup. I believe the root issue to be from the fact that when everything was first setup about a year ago everything was replicated from a first ipa server which no longer exists. There are currently 3 ipa servers but none of them are the original.
>
> A couple of days ago I started getting errors similar to '(SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired' through the web management interface. After investigating with 'getcert list' I found that several certificates expired at 2015-05-31 18:48:55 UTC.
>
> I found http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master and followed the procedure for ipa <4.0 and everything seemed to go as expected. However this did not fix my issue.
>
> With more searching it looked like once the certificates are expired the auto renew will not work. Finding https://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Procedure_in_IPA_.3C_4.0 to try to manually renew, I am stuck at the beginning with 'Give the CSR to your external CA.' I don't believe we had our certificates externally signed. They are whatever the original install put in place. Setting the date back in time wreaks havoc on our environment so I'm reluctant to leave it for too long. I can get what I believe is the original CSR from /etc/pki-ca/CS.cfg but am unsure what to do next or if this is even the road I should be going down.
>
> Things seem to be working for the most part except trying to make updates. Any help on what to do next, somewhere else to look, or if I'm going in the right direction would be greatly appreciated.
>
> thanks,
> Marc
>
> Info:
> CentOS 6.5 with some current updates including
> ipa-server-3.0.0-42.el6.centos.i686
> certmonger-0.75.13-1.el6.i686
>
> $ getcert list-cas
> CA 'SelfSign':
>     is-default: no
>     ca-type: INTERNAL:SELF
>     next-serial-number: 01
> CA 'IPA':
>     is-default: no
>     ca-type: EXTERNAL
>     helper-location: /usr/libexec/certmonger/ipa-submit
> CA 'certmaster':
>     is-default: no
>     ca-type: EXTERNAL
>     helper-location: /usr/libexec/certmonger/certmaster-submit
> CA 'dogtag-ipa-renew-agent':
>     is-default: no
>     ca-type: EXTERNAL
>     helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
> CA 'local':
>     is-default: no
>     ca-type: EXTERNAL
>     helper-location: /usr/libexec/certmonger/local-submit
> CA 'dogtag-ipa-retrieve-agent-submit':
>     is-default: no
>     ca-type: EXTERNAL
>     helper-location: /usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit
>
> $ getcert list
> Number of certificates and requests being tracked: 9.
> Request ID '20131204194012':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
>     certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=IGLASS.NET
>     subject: CN=spider01o,O=IGLASS.NET
>     expires: 2015-12-05 19:40:13 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command:
>     track: yes
>     auto-renew: yes
> Request ID '20141114162346':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=IGLASS.NET
>     subject: CN=spider01o.iglass.net,O=IGLASS.NET
>     expires: 2016-11-14 16:22:37 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command:
>     track: yes
>     auto-renew: yes
> Request ID '20141114162434':
>     status: MONITORING
>     ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true".
>     stuck: no
>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='x'
>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent
>     issuer: CN=Certificate Authority,O=IGLASS.NET
>     subject: CN=spider01o.iglass.net,O=IGLASS.NET
>     expires: 2016-11-03 16:24:27 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth
>     pre-save command:
>     post-save command:
>     track: yes
>     auto-renew: yes
> Request ID '20141114162522':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=IGLASS.NET
>     subject: CN=spider01o.iglass.net,O=IGLASS.NET
>     expires: 2016-11-14 16:22:36 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command:
>     track: yes
>     auto-renew: yes
> Request ID '20141114162610':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=IGLASS.NET
>     subject: CN=spider01o.iglass.net,O=IGLASS.NET
>     expires: 2016-11-14 16:22:42 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command:
>     track: yes
>     auto-renew: yes
> Request ID '20150604181945':
>     status: CA_UNREACHABLE
>     ca-error: Error 35 connecting to https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect error.
>     stuck: no
>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='x'
>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent
>     issuer: CN=Certificate Authority,O=IGLASS.NET
>     subject: CN=CA Audit,O=IGLASS.NET
>     expires: 2015-05-31 18:48:55 UTC
>     key usage: digitalSignature,nonRepudiation
>     pre-save command:
>     post-save command:
>     track: yes
>     auto-renew: yes
> Request ID '20150604181956':
>     status: CA_UNREACHABLE
>     ca-error: Error 35 connecting to https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect error.
>     stuck: no
>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='x'
>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent
>     issuer: CN=Certificate Authority,O=IGLASS.NET
>     subject: CN=OCSP Subsystem,O=IGLASS.NET
>     expires: 2015-05-31 18:48:54 UTC
>     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>     eku: id-kp-OCSPSigning
>     pre-save command:
>     post-save command:
>     track: yes
>     auto-renew: yes
> Request ID '20150604182006':
>     status: CA_UNREACHABLE
>     ca-error: Error 35 connecting to https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect error.
>     stuck: no
>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='x'
>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent
>     issuer: CN=Certificate Authority,O=IGLASS.NET
>     subject: CN=CA Subsystem,O=IGLASS.NET
>     expires: 2015-05-31 18:48:54 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command:
>     track: yes
>     auto-renew: yes
> Request ID '20150604182012':
>     status: CA_UNREACHABLE
>     ca-error: Error 35 connecting to https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect error.
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent
>     issuer: CN=Certificate Authority,O=IGLASS.NET
>     subject: CN=IPA RA,O=IGLASS.NET
>     expires: 2015-05-31 18:49:37 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command:
>     track: yes
>     auto-renew: yes
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
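The thread turns on reading `getcert list` by eye to find which tracked certificates have already expired and which are still failing to renew (a `ca-error:` line, or a status other than MONITORING) even when they are not yet expired, as with 'Server-Cert cert-pki-ca' above. The script below is an added example, not code from the thread, FreeIPA or certmonger. It parses the text layout certmonger prints (assumption: one "Request ID '...':" header per request followed by indented "key: value" lines, as in the output quoted in this thread) and triages each request. Without stdin it runs over a constructed sample modelled on four of the thread's nine requests; the 2015-06-20 expiry in that sample is invented to show the "expiring" case, and the warning window of 30 days is an arbitrary choice.

```python
"""Triage `getcert list` output: expired, expiring, or failing-to-renew requests.

Added example for this thread; not FreeIPA or certmonger code. Usage on a
real server:  getcert list | python3 getcert_triage.py
"""
import re
import sys
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Reference time for the constructed sample: the reply in the thread was
# sent 2015-06-05 15:49 EDT, i.e. 19:49 UTC.
NOW = datetime(2015, 6, 5, 19, 49, tzinfo=timezone.utc)

# Constructed sample, trimmed to the fields the triage needs. The
# 2015-06-20 expiry on the first request is invented (not from the thread).
SAMPLE = """\
Number of certificates and requests being tracked: 4.
Request ID '20131204194012':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=spider01o,O=IGLASS.NET
    expires: 2015-06-20 19:40:13 UTC
Request ID '20141114162434':
    status: MONITORING
    ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true".
    stuck: no
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    subject: CN=spider01o.iglass.net,O=IGLASS.NET
    expires: 2016-11-03 16:24:27 UTC
Request ID '20150604181945':
    status: CA_UNREACHABLE
    ca-error: Error 35 connecting to https://spider01o.iglass.net:9443/ca/agent/ca/profileReview: SSL connect error.
    stuck: no
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    subject: CN=CA Audit,O=IGLASS.NET
    expires: 2015-05-31 18:48:55 UTC
Request ID '20150604182012':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    subject: CN=IPA RA,O=IGLASS.NET
    expires: 2017-05-25 13:58:36 UTC
"""

HEADER = re.compile(r"^Request ID '([^']+)':$")


@dataclass
class Finding:
    request_id: str
    nickname: str
    status: str
    expires: datetime
    problems: list  # empty list means the request looks healthy


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by certmonger's field names."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue  # preamble ("Number of certificates...") or blank line
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return requests


def triage(requests, now=NOW, warn_days=30):
    """Flag expired / soon-expiring certs and renewals certmonger could not complete."""
    findings = []
    for r in requests:
        expires = datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S UTC")
        expires = expires.replace(tzinfo=timezone.utc)
        m = re.search(r"nickname='([^']*)'", r.get("certificate", ""))
        nickname = m.group(1) if m else "?"
        problems = []
        if expires <= now:
            problems.append("expired")
        elif expires - now <= timedelta(days=warn_days):
            problems.append("expiring")
        if r.get("status") != "MONITORING":
            problems.append("status=" + r.get("status", "?"))
        if "ca-error" in r:  # last renewal attempt failed, whatever the status
            problems.append("renewal-failed")
        findings.append(Finding(r["request_id"], nickname, r.get("status", "?"),
                                expires, problems))
    return sorted(findings, key=lambda f: f.expires)  # soonest expiry first


def format_report(findings):
    rows = []
    for f in findings:
        flags = ", ".join(f.problems) if f.problems else "ok"
        rows.append(f"{f.request_id}  {f.expires:%Y-%m-%d}  {f.nickname:<30} {flags}")
    return "\n".join(rows)


if __name__ == "__main__":
    piped = not sys.stdin.isatty()
    text = sys.stdin.read() if piped else SAMPLE
    now = datetime.now(timezone.utc) if piped else NOW
    report = triage(parse_getcert_list(text), now)
    print(format_report(report))
    sys.exit(1 if any(f.problems for f in report) else 0)
```

The non-zero exit status makes the script usable as a cron or monitoring check, which is the point: the thread's expiries went unnoticed until the web UI started rejecting an expired certificate, and `auto-renew: yes` alone says nothing about whether the last renewal actually succeeded. Note that a request can carry `ca-error` while `status: MONITORING` and a future expiry (the sample's 'Server-Cert cert-pki-ca'), so the report checks the error line independently of the status.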