Roderick Johnstone via FreeIPA-users wrote:
> Hi
>
> Our freeipa certificates need to be renewed due to passing their expiry
> dates.
>
> While some certificates have renewed ok, the ipaCert and
> auditSigningCert are renewing but the new certificates have the wrong
> Subject.
>
> Environment is:
> serverA (CRL, first, master) RHEL 7.3, ipa 4.4
> serverB (replica) RHEL 7.3, ipa 4.4
> serverC (replica) RHEL 7.4, ipa 4.5
>
> Once there are renewed certificates with the wrong Subject present,
> there are various problems with renewing the remaining certificates,
> which I think might be related to the bad Subject:
>
> 1) When just ipaCert has the wrong subject no further renewals happen
>
> 2) When auditSigningCert has the wrong subject the ipa pki-tomcatd
> service will not start and no further renewals happen.
>
> I've been round the following loop many times on ServerA, our first master:
>
> 1) Restore good certificates from backup
> 2) Put the clock back to a time when certificates are all valid
> 3) Resubmit certificates for renewal
>
> Each time the ipaCert renews it has the same wrong Subject. The wrong
> Subject includes the host name of one of our ipa client systems.
>
> Each time the auditSigningCert renews it has the same wrong Subject, but
> a different subject to the ipaCert. The wrong Subject in this case
> includes the host name of a system which has never been an ipa client,
> but might have been added and removed with ipa host-add and ipa host-del
> for testing something a while ago.
>
> As far as I can see, the "cert_subject" is set correctly in the file
> /var/lib/certmonger/<request id> until the point at which the
> certificate is actually renewed.
>
> I'd be very grateful for some pointers as to which configuration options
> and logs to check through to resolve this problem on our production system.
>
> If it's of any relevance, we did change which server is the first master
> some time ago.
I'd pull the CSR out of dogtag (CS.cfg) and/or certmonger to see what the subject is.

rob
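Here is how I'd do that comparison, as an added example rather than anything from this thread or from FreeIPA itself. It assumes a POSIX shell with openssl on the path; the demo key, CSRs and subjects are constructed inline. Point csr_subject at the csr= value saved out of a certmonger request file (under /var/lib/certmonger/requests/) or at the bare-base64 certreq value copied out of CS.cfg (the ca.audit_signing.certreq entry, for the audit signing cert), then compare it with the cert_subject line certmonger is configured with. Subjects are printed in RFC 2253 form so the string comparison behaves the same on OpenSSL 1.0, 1.1 and 3.

```shell
#!/bin/sh
# Added example, not part of the thread or of FreeIPA. Extract the Subject
# from a CSR (PEM, or the bare base64 DER that dogtag keeps in CS.cfg) and
# compare it with the Subject certmonger was told to request.
set -eu

# Normalise a CSR to PEM: CS.cfg certreq values are base64 with no
# BEGIN/END lines, certmonger request files carry full PEM.
csr_to_pem() {
    if grep -q -- '-----BEGIN' "$1"; then
        cat "$1"
    else
        printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----'
        tr -d ' \t\r\n' < "$1" | fold -w 64
        printf '\n%s\n' '-----END CERTIFICATE REQUEST-----'
    fi
}

# Subject of a CSR in RFC 2253 form; sed strips the "subject=" prefix,
# with or without the trailing space older OpenSSL prints.
csr_subject() {
    csr_to_pem "$1" | openssl req -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//'
}

# Subject of an issued PEM certificate, same form, for checking what
# actually came back from the CA.
cert_subject() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed 's/^subject= *//'
}

# Exit 0 if the CSR's subject equals the expected one, 1 otherwise.
check_csr_subject() {
    expected="$1"
    got="$(csr_subject "$2")"
    printf 'expected: %s\nin CSR:   %s\n' "$expected" "$got"
    [ "$got" = "$expected" ]
}

# Constructed demo data: a throwaway key and CSR with the given subject,
# plus the same request as dogtag would store it (base64 body only).
make_demo_csr() {
    dir="$1"
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$dir/demo.key" -out "$dir/demo.csr" 2>/dev/null
    grep -v 'CERTIFICATE REQUEST' "$dir/demo.csr" | tr -d '\n' > "$dir/demo.b64"
}

# Stand-alone demo. EXAMPLE.TEST, "IPA RA" and the client hostname are
# made-up values standing in for the realm and the subjects in the thread.
demo="$(mktemp -d)"
make_demo_csr "$demo" '/O=EXAMPLE.TEST/CN=IPA RA'
check_csr_subject 'CN=IPA RA,O=EXAMPLE.TEST' "$demo/demo.csr"
check_csr_subject 'CN=IPA RA,O=EXAMPLE.TEST' "$demo/demo.b64"

# A request carrying a client hostname instead of the RA subject, i.e. the
# symptom described above, fails the check.
bad="$(mktemp -d)"
make_demo_csr "$bad" '/O=EXAMPLE.TEST/CN=client.example.test'
if ! check_csr_subject 'CN=IPA RA,O=EXAMPLE.TEST' "$bad/demo.csr"; then
    echo "subject mismatch: the CSR itself is wrong, not the issued cert"
fi
```

The result tells you which side to look at: if the CSR already carries the client hostname, whatever generated the request is at fault and dogtag is just honouring it; if the CSR is right but cert_subject on the issued certificate is wrong, the CA profile on the dogtag side is rewriting the subject.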