Rob Crittenden via FreeIPA-users: > Klaus Vink Slott via FreeIPA-users wrote: >> Today Rob Crittenden wrote: >>> Klaus Vink Slott via FreeIPA-users wrote: >>>> Den 01/05/2019 kl. 21.48 skrev Rob Crittenden via FreeIPA-users: >>>>> Klaus Vink Slott via FreeIPA-users wrote: >>>>>> Have had a small FreeIPA setup running for some time, but today I was >>>>>> unable to login at the web-gui on the master. It was possible to login >>>>>> at the replica but if try to delete a host I get: >>>>>> >>>>>> cannot connect to >>>>>> 'https://ipa.int.vink-slott.dk:443/ca/rest/certs/search?size=2147483647': >>>>>> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877) >>>>>> >>>>>> Indeed if I run a getcert list -c IPA on the master, one certificate is >>>>>> expired. >>>>>> Request ID '20190302094604': >>>>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN >>>>>> stuck: yes >>>>>> key pair storage: >>>>>> type=FILE,location='/var/lib/ipa/private/httpd.key' >>>>>> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' >>>>>> CA: IPA >>>>>> issuer: CN=Certificate Authority,O=INT.VINK-SLOTT.DK >>>>>> subject: CN=ipa.int.vink-slott.dk,O=INT.VINK-SLOTT.DK >>>>>> expires: 2019-04-22 15:33:08 CEST >>>>>> dns: ipa.int.vink-slott.dk >>>>>> key usage: >>>>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >>>>>> eku: id-kp-serverAuth,id-kp-clientAuth >>>>>> pre-save command: >>>>>> post-save command: /usr/libexec/ipa/certmonger/restart_httpd >>>>>> track: yes >>>>>> auto-renew: yes >>>>>> >>>>>> All other certificates is valid and status: MONITORING >>>>>> >>>>>> I tried different measures based on google searches and old entries on >>>>>> this list. But all I have accomplished is to change the state to: >>>>>> Request ID '20190302094604': >>>>>> status: NEED_KEYINFO_READ_PIN >>>>>> stuck: yes >>>>>> key pair storage: >>>>>> type=FILE,location='/var/lib/ipa/private/httpd.key',pin set >>>>>> >>>>>> At this state I am not sure that I added the correct pin. - And why this >>>>>> is suddenly a problem. >>>>> >>>>> It depends very much on what version of IPA you are running, perhaps the >>>>> distro, and what you did to get the tracking into this state. >>>>> >>>> >>>> It is freeipa-server-4.7.2-1.1.fc28.x86_64 on a fully patched Fedora 28 >>>> >>>> What I tried so far (rebuild from memory and bash-history): >>>> >>>> # ipa-getcert resubmit -i 20190302094604 >>>> - result: >>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN -> NEED_KEYINFO_READ_PIN >>>> >>>> Then I followed https://access.redhat.com/solutions/3939431 >>>> - no change >>>> >>>> Then I located pin in /etc/pki/pki-tomcat/password.conf and >>>> /etc/httpd/conf/password.conf and tried to add these like this: >>>> # getcert start-tracking -i 20190302094604 -P \ >>>> # [long-number from internal=] >>>> # ipa-getcert resubmit -i 20190302094604 >>>> - result: key pair storage now have " ,pin set" >>>> >>>> # getcert start-tracking -i 20190302094604 -P \ >>>> # [hexstring from internal:] >>>> - result: key pair storage now have " ,pin set" >>>> >>> >>> Those are the wrong passwords. The Apache password file should be >>> /var/lib/ipa/passwds/ipa.int.vink-slott.dk-443-RSA based on the output >>> you provided. >> I had the suspicion that they were wrong. Thanks for pointing to the >> correct file. >> >>> I'd suggest to stop tracking and start over using: >>> >>> # ipa-getcert stop-tracking -f /var/lib/ipa/certs/httpd.crt >>> # ipa-getcert start-tracking -f /var/lib/ipa/certs/httpd.crt -k >>> /var/lib/ipa/private/httpd.key -p >>> /var/lib/ipa/passwds/ipa.int.vink-slott.dk-443-RSA -C >>> /usr/libexec/ipa/certmonger/restart_httpd >> So I did and now I got: >> >> Request ID '20190502160024': >> status: MONITORING >> ca-error: Unable to determine principal name for signing request. >> stuck: no >> key pair storage: >> type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/ipa.int.vink-slott.dk-443-RSA' >> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' >> CA: IPA >> issuer: CN=Certificate Authority,O=INT.VINK-SLOTT.DK >> subject: CN=ipa.int.vink-slott.dk,O=INT.VINK-SLOTT.DK >> expires: 2019-04-22 15:33:08 CEST >> dns: ipa.int.vink-slott.dk >> key usage: >> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: >> post-save command: /usr/libexec/ipa/certmonger/restart_httpd >> track: yes >> auto-renew: yes >> >>> Then you'll need to go back in time to renew the certificate. >> Moving time back and resubmitting (according to the procedure in >> https://access.redhat.com/solutions/3939431) does not change anything. >> > > My bad, I missed the principal. This should fix it: > > # ipa-getcert start-tracking -K > HTTP/[email protected] -i 20190502160024
That (and a detour back in time) solved my problem. Everything is now back to normal operation. Thanks a lot for for helping me out :-) Although I do wonder how this could happen. I may consider adding a small certificate monitor to my snmp setup. -- Klaus _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
