sipazzo wrote:
I set time back on master ca and was able to renew its certs except for
one that has yet to expire but should have renewed. I tried to resubmit
it but it still does not renew and status says NEED_CSR_GEN_TOKEN. We do
have a go daddy cert we use as well but it is valid still. Is it because
of the nickname mismatches? I am not sure how to fix that.
There is no cert to renew. You replaced the IPA-issued certificates with
GoDaddy certs. The NSS_CSR_GEN_TOKEN is there because there is no
private key for a certificate named Server-Cert so certmonger doesn't
know what to do. To make this go away you can tell certmonger to stop
tracking this non-existent certificate with something like:
# ipa-getcert stop-tracking -i <request_id>
certmonger cannot auto-renew your GoDaddy certficate.
and see below.
ipa1-example.com
Request ID '20140729215756':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ipa1.example.com,O=EXAMPLE.COM
expires: 2016-07-29 20:39:21 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
track: yes
auto-renew: yes
certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM/
Certificate Nickname Trust
Attributes
SSL,S/MIME,JAR/XPI
NWF_GD u,u,u
CN=Certificate Authority,O=EXAMPLE.COM CT,,C
OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\,
Inc.,C=US CT,,C
GD_CA CT,,C
CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\,
Inc.,L=Scottsdale,ST=Arizona,C=US CT,,C
certutil -L -d /etc/dirsrv/slapd-PKI-IPA/
Certificate Nickname
O=EXAMPLE.COM Trust Attributes
SSL,S/MIME,JAR/XPI
EXAMPLE.COM IPA CA CT,C,
Server-Cert u,u,u
certutil -L -d /etc/httpd/alias/
Certificate Nickname Trust
Attributes
SSL,S/MIME,JAR/XPI
EXAMPLE.COM IPA CA CT,C,
ipaCert u,u,u
Server-Cert u,u,u
My other servers had varying degrees of success with their expired
certificates, I have one server that would not renew 6 of its certs, 1
that would not renew 2 of its certs and 1 that would not renew 1 of its
certs. These are examples of the last two - I will save the one that
won't renew 6 as I am hoping I can apply same steps to those failures.
*ipa2.example.com - 2 won't renew - one CA_unreachable even after
successful restart of services and one NEED_CSR_GEN_TOKEN*
Request ID '20140729215756':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ipa2.example.com,O=EXAMPLE.COM
expires: 2016-07-29 20:39:21 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
track: yes
auto-renew: yes
I'm guessing same GoDaddy issue.
Request ID '20140729215712':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to
https://ipa2.example.com:9443/ca/agent/ca/profileReview: Peer
certificate cannot be authenticated with known CA certificates.
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ipa2.example.com,O=EXAMPLE.COM
expires: 2016-07-18 21:57:06 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
You should update certmonger. The version you have doesn't include the
pre/save commands in its output.
But going back in time should get this one renewed.
*ipa3 - 1 won't renew NEED_CSR_GEN_TOKEN*
Request ID '20140729215511':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ipa3.example.com,O=EXAMPLE.COM
expires: 2016-07-29 20:38:41 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
track: yes
auto-renew: yes
More GoDaddy I assume.
rob
------------------------------------------------------------------------
*From:* sipazzo <[email protected]>
*To:* Rob Crittenden <[email protected]>; "[email protected]"
<[email protected]>
*Sent:* Friday, July 29, 2016 4:06 PM
*Subject:* Re: [Freeipa-users] certificates expired - won't renew
Rob you are awesome and I don't know what I would do without you. So I
have two things going on obviously. Following your instructions it looks
like the DM password has correctly been set. I cannot change the admin
password as a test because I get the cert errors. I am going to retry
setting dates back and requesting new certs again following some of the
threads I have seen. Could you please just clarify two points? On my 4
servers all running as CAs do I only need to set the date back to prior
to expired certs running ipa-getcert list or the earliest expired date
when running getcert list? The getcert list shows certs that have been
expired since June but the ipa-getcert shows more recent. Also, does it
matter which servers I do first? Meaning should I set time back on my
"master" CA first.
This is the expiration output info from my master:
[root@ipa2 ~]# ipa-getcert list | grep expires
expires: 2016-08-26 16:41:24 UTC
expires: 2016-08-26 16:41:23 UTC
expires: 2016-08-26 16:41:24 UTC
[root@ipa2 ~]# getcert list | grep expires
expires: 2016-08-26 16:41:24 UTC
expires: 2016-08-15 16:47:26 UTC
expires: 2016-08-26 16:41:23 UTC
expires: 2016-08-26 16:41:24 UTC
expires: 2016-06-06 23:36:29 UTC
expires: 2016-06-06 23:36:28 UTC
expires: 2016-06-06 23:36:28 UTC
expires: 2016-06-06 23:37:09 UTC
Again thank you, as always.
------------------------------------------------------------------------
*From:* Rob Crittenden <[email protected]>
*To:* sipazzo <[email protected]>; "[email protected]"
<[email protected]>
*Sent:* Friday, July 29, 2016 2:10 PM
*Subject:* Re: [Freeipa-users] certificates expired - won't renew
sipazzo wrote:
> I have seen many threads on this so sorry to bring it up again but I
> have a freeipa domain, with 4 ipa servers running on redhat 6 version
> 3.0.0-50. The certificates are expired/expiring and will not renew and
> it is causing many issues for us. I have tried the many suggestions I
> have see in the archives such as changing the time to prior to
> expiration and attempting renew by resubmitting the requests but they
> never renew. An example of getcert list from the first server that
expired:
>
> Number of certificates and requests being tracked: 8.
[snip]
> localhost log in /var/log/pki-ca have errors like:
> tail localhost.2016-07-29.log
> Jul 29, 2016 8:55:51 AM org.apache.catalina.core.StandardWrapperValve
invoke
> SEVERE: Servlet.service() for servlet caProfileSubmit threw exception
> java.io.IOException: CS server is not ready to serve.
> at
> com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:441)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:723)
> at
>
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> at
>
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at
>
com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
> at
>
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> at org.
>
> Debug log in /var/log/pki-cacd
> tail debug
> [29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password
> store initialized before.
> [29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password
> store initialized.
> [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable getLDAPConn:
> netscape.ldap.LDAPException: error result (49)
> [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable: unable to
> query sessionIds: java.io.IOException: Failed to connect to the internal
> database.
> [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable:
> getSessionIds: Error in disconnecting from database:
> java.lang.NullPointerException
> [29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password
> store initialized before.
> [29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password
> store initialized.
> [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable getLDAPConn:
> netscape.ldap.LDAPException: error result (49)
> [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable: unable to
> query sessionIds: java.io.IOException: Failed to connect to the internal
> database.
> [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable:
> getSessionIds: Error in disconnecting from database:
> java.lang.NullPointerException
>
>
> Performing most IPA commands results in errors such as ipa: ERROR: cert
> validation failed for "CN=ipa1.example.com,O=EXAMPLE.COM"
> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
>
> Not sure if it is related but we lost our first IPA server some time ago
> and had to promote another to the CA master. Also, due to someone
> leaving the company at the beginning of the year we had to change the
> directory manager password. I followed all the directions to do so but
> it does not seem like it was a completely smooth transaction.
It is related. Your CA can't connect to its database. You must have
missed a step when updating the DM password.
As a goof I just tried it on my RHEL 6 install and it seems to work,
this is what I did:
# service dirsrv stop
# /usr/bin/pwdhash password
edit both /etc/dirsrv/slapd-REALM/dse.ldif and
/etc/dirsrv/slapd-PKI-IPA/dse.ldif to set nsslapd-rootpw
# service dirsrv start
Check both of the new passwords:
# ldapsearch -x -D "cn=directory manager" -W -s base -b ""
"objectclass=*"
# ldapsearch -h localhost -po 7389 -x -D "cn=directory manager" -W -s
base -b "" "objectclass=*"
Update internaldb value in /etc/pki-ca/password.conf with the new password.
Update and test the admin user password:
# ldappasswd -h localhost -ZZ -p 7389 -x -D "cn=Directory Manager" -W -S
uid=admin,ou=people,o=ipaca
# ldapsearch -h localhost -ZZ -p 7389 -x -D
"uid=admin,ou=people,o=ipaca" -W -b "" -s base
Restart the CA
# service pki-cad restart
Note that things _still_ aren't going to work so hot with all the
expired certs but if you go back in time you will at least have a chance
of renewing things.
rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
