Hello IPA-experts,
we are running FreeIPA version 4.4.0 with an external CA (our own one),
everything was working fine until the CA certificate expired, which
happened on January 13th.
Since I was on vacation and the basic functions were still available,
no one created a new certificate, so it's now my task.
As explained in
https://www.freeipa.org/page/Howto/CA_Certificate_Renewal, I've reset
the time to January 10th, created a new certificate which is valid from
2017 to 2023, and installed it with ipa-cacert-manage.
Afterwards, I did an ipa-certupdate, the server certificates were
updated and the cert8.db in /etc/httpd/alias contains the new valid CA.
But the expiration date of the certificate itself is still January
13th, so the certificate is still expired:
root@mat-ipa-master-1:~$ /usr/bin/certutil -d /etc/httpd/alias -L -n "MATERNA-COM.DE IPA CA"
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 36 (0x24)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "E=oc...@materna.de,CN=Materna OC CA,OU=OC RZ,O=Materna GmbH,L=Dortmund,ST=NRW,C=DE"
        Validity:
            Not Before: Mon Jan 23 14:45:00 2017
            Not After : Mon Jan 23 14:45:00 2023
        Subject: "CN=Certificate Authority,O=MATERNA-COM.DE"
        (...)
    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            Trusted Client CA
        Email Flags:
            Valid CA
            Trusted CA
        Object Signing Flags:
            Valid CA
            Trusted CA
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 23 (0x17)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "E=oc...@materna.de,CN=Materna OC CA,OU=OC RZ,O=Materna GmbH,L=Dortmund,ST=NRW,C=DE"
        Validity:
            Not Before: Fri Jan 13 14:45:00 2017
            Not After : Sat Jan 13 14:45:00 2018
        Subject: "CN=Certificate Authority,O=MATERNA-COM.DE"
        (...)
root@mat-ipa-master-1:~$
I have only checked this one, but I'd suppose the others are also not
updated. AFAIK certmonger is responsible for the renewal, so I've restarted
it and hoped it would grab my certificate and renew it, but it seems
there is a problem; journalctl -u certmonger gives
Jan 24 11:22:43 mat-ipa-master-1.materna-com.de systemd[1]: Starting Certificate monitoring and PKI enrollment...
Jan 24 11:22:44 mat-ipa-master-1.materna-com.de systemd[1]: Started Certificate monitoring and PKI enrollment.
Jan 24 11:22:48 mat-ipa-master-1.materna-com.de certmonger[1026]: 2018-01-24 11:22:48 [1026] Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'MATERNA-COM.DE'.
Jan 24 11:22:48 mat-ipa-master-1.materna-com.de certmonger[1026]: 2018-01-24 11:22:48 [1026] Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'MATERNA-COM.DE'.
Jan 24 11:22:58 mat-ipa-master-1.materna-com.de certmonger[1026]: 2018-01-24 11:22:58 [1026] Error 7 connecting to https://mat-ipa-master-1.materna-com.de:8443/ca/agent/ca/profileReview: Couldn't connect to server.
Jan 24 11:23:00 mat-ipa-master-1.materna-com.de dogtag-ipa-ca-renew-agent-submit[2282]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 511, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 490, in main
    ipautil.kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1314, in kinit_keytab
    cred = gssapi.Credentials(name=name, store=store, usage='initiate')
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
    store=store)
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
    usage)
  File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred_store.c:1732)
GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'MA
Jan 24 11:23:00 mat-ipa-master-1.materna-com.de certmonger[1026]: 2018-01-24 11:23:00 [1026] Internal error
Any help is greatly appreciated since I'm stuck here... If it helps, I
have a clean backup of the IPA master which was written yesterday
evening, so I can use this one to "start over" if I've already mixed up
things.
Thanks and kind regards from Germany,
Harald
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
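A check that makes the observation in the post mechanical, added here as an example and not part of Harald's message or of FreeIPA's own tooling: it parses the text that `certutil -L -n NICK` prints (certutil lists every certificate stored under that nickname, which is why two "Certificate:" blocks appear in the output above) and reports which serial numbers are valid at a given instant. `SAMPLE` is constructed from the post's output with the issuer DN shortened; `parse_certutil_list`, `classify` and `report` are names of this example only. It assumes certutil printed the validity dates in the machine's local time, as the comparison instant is also taken as local time.

```python
import re
from datetime import datetime

# Constructed sample, derived from the certutil output in the post above
# (issuer DN shortened). In real use, feed the function the live output of
#   certutil -d /etc/httpd/alias -L -n "MATERNA-COM.DE IPA CA"
SAMPLE = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 36 (0x24)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Materna OC CA,O=Materna GmbH,C=DE"
        Validity:
            Not Before: Mon Jan 23 14:45:00 2017
            Not After : Mon Jan 23 14:45:00 2023
        Subject: "CN=Certificate Authority,O=MATERNA-COM.DE"
    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 23 (0x17)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Materna OC CA,O=Materna GmbH,C=DE"
        Validity:
            Not Before: Fri Jan 13 14:45:00 2017
            Not After : Sat Jan 13 14:45:00 2018
        Subject: "CN=Certificate Authority,O=MATERNA-COM.DE"
"""

TIME_FMT = "%a %b %d %H:%M:%S %Y"   # the format certutil uses for Not Before/After
FIELD_RE = re.compile(
    r"^\s*(Serial Number|Not Before|Not After|Issuer|Subject)\s*:\s*(.*)$")


def parse_certutil_list(text):
    """Split `certutil -L -n NICK` output into one dict per certificate.

    certutil prints every certificate stored under the nickname as its own
    "Certificate:" block, so a renewed CA shows up next to the old copy
    rather than replacing it.
    """
    certs, cur = [], None
    for line in text.splitlines():
        if line.startswith("Certificate:"):      # "Certificate Trust Flags:" does not match
            cur = {}
            certs.append(cur)
            continue
        m = FIELD_RE.match(line) if cur is not None else None
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Serial Number":
            cur["serial"] = int(value.split()[0])   # "36 (0x24)" -> 36
        elif key == "Not Before":
            cur["not_before"] = datetime.strptime(value, TIME_FMT)
        elif key == "Not After":
            cur["not_after"] = datetime.strptime(value, TIME_FMT)
        else:
            cur[key.lower()] = value.strip('"')
    return certs


def classify(cert, now):
    """Validity state of one parsed certificate at the instant `now`."""
    if now < cert["not_before"]:
        return "not-yet-valid"
    if now > cert["not_after"]:
        return "expired"
    return "valid"


def report(text, now_str):
    """Which serials under the nickname are usable at now_str ("YYYY-MM-DD HH:MM:SS").

    Assumption: both certutil's dates and now_str are in the same (local) time zone.
    """
    now = datetime.strptime(now_str, "%Y-%m-%d %H:%M:%S")
    status = {c["serial"]: classify(c, now) for c in parse_certutil_list(text)}
    return {
        "count": len(status),
        "valid": sorted(s for s, st in status.items() if st == "valid"),
        "expired": sorted(s for s, st in status.items() if st == "expired"),
    }


if __name__ == "__main__":
    # Same instant as the first certmonger error in the post.
    print(report(SAMPLE, "2018-01-24 11:22:48"))
```

On the sample, `report(SAMPLE, "2018-01-24 11:22:48")` returns two certificates, serial 36 valid and serial 23 expired: the renewed CA is present and trusted, and the expired copy is merely still stored beside it. Running the same check against the other NSS databases the server uses tells you whether ipa-certupdate reached each of them.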