Today Rob Crittenden wrote:
> Klaus Vink Slott via FreeIPA-users wrote:
>> On 01/05/2019 at 21.48 Rob Crittenden via FreeIPA-users wrote:
>>> Klaus Vink Slott via FreeIPA-users wrote:
>>>> Have had a small FreeIPA setup running for some time, but today I was
>>>> unable to login at the web-gui on the master. It was possible to login at
>>>> the replica but if I try to delete a host I get:
>>>>
>>>> cannot connect to
>>>> 'https://ipa.int.vink-slott.dk:443/ca/rest/certs/search?size=2147483647':
>>>> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)
>>>>
>>>> Indeed, if I run a getcert list -c IPA on the master, one certificate is
>>>> expired.
>>>> Request ID '20190302094604':
>>>>         status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>>>         stuck: yes
>>>>         key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
>>>>         certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>>>>         CA: IPA
>>>>         issuer: CN=Certificate Authority,O=INT.VINK-SLOTT.DK
>>>>         subject: CN=ipa.int.vink-slott.dk,O=INT.VINK-SLOTT.DK
>>>>         expires: 2019-04-22 15:33:08 CEST
>>>>         dns: ipa.int.vink-slott.dk
>>>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>         pre-save command:
>>>>         post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>>>>         track: yes
>>>>         auto-renew: yes
>>>>
>>>> All other certificates are valid and status: MONITORING
>>>>
>>>> I tried different measures based on google searches and old entries on
>>>> this list. But all I have accomplished is to change the state to:
>>>> Request ID '20190302094604':
>>>>         status: NEED_KEYINFO_READ_PIN
>>>>         stuck: yes
>>>>         key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pin set
>>>>
>>>> At this state I am not sure that I added the correct pin. - And why this
>>>> is suddenly a problem.
>>>
>>> It depends very much on what version of IPA you are running, perhaps the
>>> distro, and what you did to get the tracking into this state.
>>>
>>
>> It is freeipa-server-4.7.2-1.1.fc28.x86_64 on a fully patched Fedora 28
>>
>> What I tried so far (rebuilt from memory and bash history):
>>
>> # ipa-getcert resubmit -i 20190302094604
>> - result:
>>   status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN -> NEED_KEYINFO_READ_PIN
>>
>> Then I followed https://access.redhat.com/solutions/3939431
>> - no change
>>
>> Then I located the pin in /etc/pki/pki-tomcat/password.conf and
>> /etc/httpd/conf/password.conf and tried to add these like this:
>> # getcert start-tracking -i 20190302094604 -P \
>> #   [long-number from internal=]
>> # ipa-getcert resubmit -i 20190302094604
>> - result: key pair storage now has " ,pin set"
>>
>> # getcert start-tracking -i 20190302094604 -P \
>> #   [hexstring from internal:]
>> - result: key pair storage now has " ,pin set"
>>
>
> Those are the wrong passwords. The Apache password file should be
> /var/lib/ipa/passwds/ipa.int.vink-slott.dk-443-RSA based on the output
> you provided.

I had the suspicion that they were wrong. Thanks for pointing to the correct file.
> I'd suggest to stop tracking and start over using:
>
> # ipa-getcert stop-tracking -f /var/lib/ipa/certs/httpd.crt
> # ipa-getcert start-tracking -f /var/lib/ipa/certs/httpd.crt -k
> /var/lib/ipa/private/httpd.key -p
> /var/lib/ipa/passwds/ipa.int.vink-slott.dk-443-RSA -C
> /usr/libexec/ipa/certmonger/restart_httpd

So I did and now I got:

Request ID '20190502160024':
        status: MONITORING
        ca-error: Unable to determine principal name for signing request.
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/ipa.int.vink-slott.dk-443-RSA'
        certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=INT.VINK-SLOTT.DK
        subject: CN=ipa.int.vink-slott.dk,O=INT.VINK-SLOTT.DK
        expires: 2019-04-22 15:33:08 CEST
        dns: ipa.int.vink-slott.dk
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes

> Then you'll need to go back in time to renew the certificate.

Moving time back and resubmitting (according to the procedure in
https://access.redhat.com/solutions/3939431) does not change anything.

-- 
Klaus
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
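As an added example (not part of this thread or of FreeIPA's own tooling), the following Python script parses getcert list output in the layout shown in the thread and flags requests an operator should look at: stuck requests such as the NEED_KEYINFO_READ_PIN one, requests that report ca-error despite showing status MONITORING, and certificates already past their expiry. The sample output is constructed to mirror the thread's records, and the reference date passed as now is an assumption.

```python
"""Triage certmonger 'getcert list' output. Added example, not from the thread;
assumes the "Request ID '<id>':" + indented "field: value" layout shown above."""
import re
from datetime import datetime

# Constructed sample modelled on the thread's records; not a real capture.
SAMPLE = """\
Request ID '20190302094604':
        status: NEED_KEYINFO_READ_PIN
        stuck: yes
        expires: 2019-04-22 15:33:08 CEST
Request ID '20190502160024':
        status: MONITORING
        ca-error: Unable to determine principal name for signing request.
        expires: 2019-04-22 15:33:08 CEST
Request ID '20190302094605':
        status: MONITORING
        expires: 2021-04-22 15:33:08 CEST
"""

def parse_getcert(text):
    """Return {request_id: {field: value}}; values may contain colons (times)."""
    requests, fields = {}, None
    for line in text.splitlines():
        head = re.match(r"^Request ID '([^']+)':", line)
        if head:
            fields = requests.setdefault(head.group(1), {})
            continue
        kv = re.match(r"^\s+([^:]+):\s*(.*)$", line)  # split on the first colon
        if kv and fields is not None:
            fields[kv.group(1)] = kv.group(2)
    return requests

def triage(requests, now="2019-05-02 00:00:00"):
    """Return {request_id: [problems]}; 'now' is assumed, zone names are dropped."""
    now_dt = datetime.strptime(now, "%Y-%m-%d %H:%M:%S")
    findings = {}
    for rid, f in requests.items():
        problems = []
        if f.get("stuck") == "yes":  # e.g. NEED_KEYINFO_READ_PIN: wrong or missing PIN
            problems.append("stuck in state " + f.get("status", "?"))
        if f.get("ca-error"):  # status MONITORING alone does not mean healthy
            problems.append("ca-error: " + f["ca-error"])
        if f.get("expires"):
            exp = datetime.strptime(f["expires"].rsplit(" ", 1)[0], "%Y-%m-%d %H:%M:%S")
            if exp < now_dt:
                problems.append("expired " + f["expires"])
        if problems:
            findings[rid] = problems
    return findings
```

Feed it the real output of getcert list -c IPA to get a per-request list of what blocks renewal, rather than scanning the status lines by eye.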