Randy Morgan wrote:
> On 9/9/2019 11:31 AM, Rob Crittenden wrote:
>> Randy Morgan via FreeIPA-users wrote:
>>> We have been working to solve an expired certificate issue in IPA.
>>> There is an open ticket in Red Hat support, case 02438518. We have tried
>>> many things but so far have had no luck getting the certs to update.
>>> Currently the system is running RHEL 8.0 and IPA 4.7.1.
>>>
>>> pki-server cert-fix -n 'subsystemCert cert-pki-ca' -d /var/lib/pki/pki-tomcat/alias/ -C /root/passwd -vvv
>>> INFO: Loading instance: pki-tomcat
>>> INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
>>> INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
>>> INFO: Loading subsystem: ca
>>> INFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
>>> INFO: Getting signing cert info for ca from CS.cfg
>>> INFO: Getting signing cert info for ca from NSS database
>>> INFO: Getting ocsp_signing cert info for ca from CS.cfg
>>> INFO: Getting ocsp_signing cert info for ca from NSS database
>>> INFO: Getting sslserver cert info for ca from CS.cfg
>>> INFO: Getting sslserver cert info for ca from NSS database
>>> INFO: Getting subsystem cert info for ca from CS.cfg
>>> INFO: Getting subsystem cert info for ca from NSS database
>>> INFO: Getting audit_signing cert info for ca from CS.cfg
>>> INFO: Getting audit_signing cert info for ca from NSS database
>>> INFO: Fixing the following certs: ['ca_ocsp_signing', 'sslserver', 'subsystem', 'ca_audit_signing']
>>> INFO: Stopping the instance to proceed with system cert renewal
>>> INFO: Selftests disabled for subsystems: ca
>>> INFO: Getting sslserver cert info for ca from CS.cfg
>>> INFO: Getting sslserver cert info for ca from NSS database
>>> INFO: Trying to create a new temp cert for sslserver.
>>> INFO: Generate temp SSL certificate
>>> INFO: Getting sslserver cert info for ca from CS.cfg
>>> INFO: Getting sslserver cert info for ca from NSS database
>>> INFO: CSR for sslserver has been written to /tmp/tmpg_738l5a/sslserver.csr
>>> INFO: Getting signing cert info for ca from CS.cfg
>>> INFO: Getting signing cert info for ca from NSS database
>>> INFO: CA cert written to /tmp/tmpg_738l5a/ca_certificate.crt
>>> INFO: AKI: 0x1D0F356A3E7A6968A231723231EB22DA5A01F542
>>> INFO: Temp cert for sslserver is available at /etc/pki/pki-tomcat/certs/sslserver.crt.
>>> INFO: Getting sslserver cert info for ca from CS.cfg
>>> INFO: Getting sslserver cert info for ca from NSS database
>>> INFO: Getting sslserver cert info for ca from CS.cfg
>>> INFO: Getting sslserver cert info for ca from NSS database
>>> INFO: Updating CS.cfg with the new certificate
>>> INFO: Getting ocsp_signing cert info for ca from CS.cfg
>>> INFO: Getting ocsp_signing cert info for ca from NSS database
>>> INFO: Trying to setup a secure connection to CA subsystem.
>>> INFO: Secure connection with CA is established.
>>> INFO: Placing cert creation request for serial: 49
>>> Traceback (most recent call last):
>>>   File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 600, in urlopen
>>>     chunked=chunked)
>>>   File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 343, in _make_request
>>>     self._validate_conn(conn)
>>>   File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 849, in _validate_conn
>>>     conn.connect()
>>>   File "/usr/lib/python3.6/site-packages/urllib3/connection.py", line 356, in connect
>>>     ssl_context=context)
>>>   File "/usr/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 350, in ssl_wrap_socket
>>>     context.load_cert_chain(certfile, keyfile)
>>> ssl.SSLError: [X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:3550)
>>>
>>> During handling of the above exception, another exception occurred:
>>>
>>> Traceback (most recent call last):
>>>   File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 449, in send
>>>     timeout=timeout
>>>   File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 638, in urlopen
>>>     _stacktrace=sys.exc_info()[2])
>>>   File "/usr/lib/python3.6/site-packages/urllib3/util/retry.py", line 398, in increment
>>>     raise MaxRetryError(_pool, url, error or ResponseError(cause))
>>> urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='ipa2.chem.byu.edu', port=8443): Max retries exceeded with url: /ca/rest/certrequests/profiles/caManualRenewal (Caused by SSLError(SSLError(185073780, '[X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:3550)'),))
>>>
>>> During handling of the above exception, another exception occurred:
>>>
>>> Traceback (most recent call last):
>>>   File "/usr/lib/python3.6/site-packages/pki/server/pkiserver.py", line 119, in <module>
>>>     cli.execute(sys.argv)
>>>   File "/usr/lib/python3.6/site-packages/pki/server/pkiserver.py", line 111, in execute
>>>     super(PKIServerCLI, self).execute(args)
>>>   File "/usr/lib/python3.6/site-packages/pki/cli/__init__.py", line 204, in execute
>>>     module.execute(module_args)
>>>   File "/usr/lib/python3.6/site-packages/pki/cli/__init__.py", line 204, in execute
>>>     module.execute(module_args)
>>>   File "/usr/lib/python3.6/site-packages/pki/server/cli/cert.py", line 1154, in execute
>>>     renew=True)
>>>   File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 1709, in cert_create
>>>     PKIServer.renew_certificate(connection, new_cert_file, serial)
>>>   File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 202, in renew_certificate
>>>     ret = cert_client.enroll_cert(inputs=inputs, profile_id='caManualRenewal')
>>>   File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 442, in handler
>>>     return fn_call(inst, *args, **kwargs)
>>>   File "/usr/lib/python3.6/site-packages/pki/cert.py", line 1011, in enroll_cert
>>>     enroll_request = self.create_enrollment_request(profile_id, inputs)
>>>   File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 442, in handler
>>>     return fn_call(inst, *args, **kwargs)
>>>   File "/usr/lib/python3.6/site-packages/pki/cert.py", line 962, in create_enrollment_request
>>>     enrollment_template = self.get_enrollment_template(profile_id)
>>>   File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 442, in handler
>>>     return fn_call(inst, *args, **kwargs)
>>>   File "/usr/lib/python3.6/site-packages/pki/cert.py", line 942, in get_enrollment_template
>>>     r = self.connection.get(url, self.headers)
>>>   File "/usr/lib/python3.6/site-packages/pki/client.py", line 46, in wrapper
>>>     return func(self, *args, **kwargs)
>>>   File "/usr/lib/python3.6/site-packages/pki/client.py", line 160, in get
>>>     timeout=timeout,
>>>   File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 537, in get
>>>     return self.request('GET', url, **kwargs)
>>>   File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 524, in request
>>>     resp = self.send(prep, **send_kwargs)
>>>   File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 637, in send
>>>     r = adapter.send(request, **kwargs)
>>>   File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 514, in send
>>>     raise SSLError(e, request=request)
>>> requests.exceptions.SSLError: HTTPSConnectionPool(host='ipa2.chem.byu.edu', port=8443): Max retries exceeded with url: /ca/rest/certrequests/profiles/caManualRenewal (Caused by SSLError(SSLError(185073780, '[X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:3550)'),))
>>> ERROR: HTTPSConnectionPool(host='ipa2.chem.byu.edu', port=8443): Max retries exceeded with url: /ca/rest/certrequests/profiles/caManualRenewal (Caused by SSLError(SSLError(185073780, '[X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:3550)'),))
>>>
>>> [root@ipa2 ~]# echo "--Certificate:" && openssl x509 -noout -modulus -in /var/lib/ipa/ra-agent.pem && echo "--Key:" && openssl rsa -noout -modulus -in /var/lib/ipa/ra-agent.key
>>> --Certificate:
>>> Modulus=[modulus elided]
>>>
>>> --Key:
>>> Modulus=[modulus elided]
>>>
>>> [root@ipa2 ~]# openssl rsa -noout -modulus -in /var/lib/ipa/ra-agent.key | openssl md5
>>> (stdin)= 0915781edbe620c5791cda50f310c538
>>> [root@ipa2 ~]# openssl x509 -noout -modulus -in /var/lib/ipa/ra-agent.pem | openssl md5
>>> (stdin)= 0915781edbe620c5791cda50f310c538
>>>
>>> Looking at the cert and the key, they are a match and the modulus also
>>> matches. What I can't figure out is why I am seeing this error if the
>>> key and cert match. Is it possible to have a timestamp issue, or is
>>> there some other reason that I can't find? Any help would be greatly
>>> appreciated.
>>
>> I'm not familiar with this command, but based on the options you are
>> passing you compared the wrong cert. You compared the RA agent cert and
>> you asked to renew the subsystem cert.
>>
>> You might want to see what cert owns serial number 49.
>>
>> rob
>
> The reason these are the two compared is that there are no other keys on
> the server. Looking through the documentation seems to indicate that
> all certs are generated from this key pair. Is that not correct? And if
> it is not correct, then where are the keys located for the other certs?
> I have been unable to locate them anywhere on the server.
The certs and keys are stored in the NSS database in /etc/pki/pki-tomcat/alias/

rob
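The check this thread is circling, written up as an added example (not from the thread, and not part of the pki or ipa tooling): find which PEM cert actually carries a given serial (Rob's "serial number 49") and confirm a private key belongs to that cert by comparing SubjectPublicKeyInfo digests, which also covers EC keys where `-modulus` does not. It needs openssl; the NSS helper needs certutil, and the database path in `NSSDB` and all file names are assumptions.

```shell
#!/bin/sh
# Added example: cert/key consistency helpers for a Dogtag/IPA renewal
# problem. Requires openssl; nss_cert_pem additionally requires certutil.

# SHA-256 of the DER SubjectPublicKeyInfo inside a PEM cert.
cert_pubkey_digest() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# The same digest derived from a PEM private key (RSA or EC).
key_pubkey_digest() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Print "match" or "mismatch" for a cert/key pair. A mismatch here is
# exactly what Python's load_cert_chain reports as KEY_VALUES_MISMATCH.
cert_key_match() {
    c=$(cert_pubkey_digest "$1") || return 1
    k=$(key_pubkey_digest "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ] && echo match || echo mismatch
}

# Given a decimal serial and a list of PEM certs, print the first file
# whose serial matches (openssl prints serials as uppercase hex, e.g.
# 49 -> serial=31). Dogtag system cert serials are small integers; for
# very large serials compare the hex string directly instead.
find_cert_by_serial() {
    want=$(printf '%X' "$1"); shift
    for f in "$@"; do
        have=$(openssl x509 -in "$f" -noout -serial | sed 's/^serial=0*//')
        [ "$have" = "$want" ] && { echo "$f"; return 0; }
    done
    return 1
}

# Export one cert from the Dogtag NSS database (the directory Rob names)
# by nickname as PEM, so it can be fed to the functions above, e.g.:
#   nss_cert_pem 'subsystemCert cert-pki-ca' > /tmp/subsystem.pem
# NSSDB is an assumed variable; the default is the path from the thread.
nss_cert_pem() {
    certutil -L -d "${NSSDB:-/etc/pki/pki-tomcat/alias}" -n "$1" -a
}
```

Private keys in the NSS database are not PEM files on disk: `certutil -L -d /etc/pki/pki-tomcat/alias` shows a `u` in the trust flags for certs whose private key is present in that database, which is the quick way to confirm the key for a nickname exists at all.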