[Freeipa-users] Re: Expired Certificates, rolling back time didn't help

Tue, 17 Mar 2020 01:18:28 -0700 

On 3/16/20 11:44 PM, Bhavin Vaidya via FreeIPA-users wrote:

Hello,

We had similar issue 2 yrs back, and resurface as it didn't auto-renew.
Went back in time to 2016-06-11 as well as 2020-02-20, restarted "certmonger", didn't update. 


Hi,

you need to check first which server is your renewal master:

$ kinit admin

$ ipa config-show | grep renewal
The output should display the name of the renewal master. This host is the first server that needs to be fixed. 


In the getcert list output that you provided, we can see that:
- the PKI certificates shared between the servers expired on 2020-02-25 (auditSigningCert cert-pki-ca, ocspSigningCert cert-pki-ca, subsystemCert cert-ki-ca) 

- the CA cert is still valid

- the RA cert expired on 2018-06-15

- the HTTP and LDAP server certs expired on 2020-03-07
You need to carefully pick the date you go back in time: at that given date, all the certs must be valid (not expired yet but *already valid*).
From your output, the date needs to be before 2018-06-15 but after 
2018-03-08 (=the validFrom date for the PKI certs).


HTH,

flo
FreeIPA Master:*CentOS 7.4.1708, FreeIPA Version: **4.5.0, API_VERSION: 2.228*
whileipactl start, it will not start pki-tomcat with message,pki-tomcatd Service: STOPPED.
Referring toRob's blog <https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-authenticated-with-given-ca-certificates/>
[root@srv01 ~]# curl --cacert /etc/ipa/ca.crt -v[https://%60hostname%60:8443/ca/ww/ca/getCertChain]https://`hostname`:8443/ca/ww/ca/getCertChain 

* About to connect() to srv01.example.com port 8443 (#0)

*Trying 192.168.10.146...

* Connected to srv01.example.com (192.168.10.146) port 8443 (#0)

* Initializing NSS with certpath: sql:/etc/pki/nssdb

*CAfile: /etc/ipa/ca.crt

CApath: none

* Server certificate:

*subject: CN=srv01.example.com,O=EXAMPLE.COM

*start date: Dec 26 21:02:44 2016 GMT

*expire date: Dec 16 21:02:44 2018 GMT

*common name: srv01.example.com

*issuer: CN=Certificate Authority,O=EXAMPLE.COM

* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)

* Peer's certificate issuer has been marked as not trusted by the user.

* Closing connection 0
curl: (60) Peer's certificate issuer has been marked as not trusted by the user. 

More details here:http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the defaultbundle file isn't adequate, you can specify an alternate fileusing the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented inthe bundle, the certificate verification probably failed due to aproblem with the certificate (it might be expired, or the name mightnot match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, usethe -k (or --insecure) option.
While, CA cert check asper <https://www.freeipa.org/page/V4/CA_certificate_renewal>,
[root@srv01 ~]# getcert list -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' 

Number of certificates and requests being tracked: 8.

Request ID '20180315021502':

status: MONITORING

stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' 

CA: dogtag-ipa-ca-renew-agent

issuer: CN=Certificate Authority,O=EXAMPLE.COM

subject: CN=Certificate Authority,O=EXAMPLE.COM

expires: 2038-03-07 03:47:46 UTC

key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign

pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" 

track: yes

auto-renew: yes

We also have few others certificates, which are not renewed.


[root@srv01 ~]# getcert list

Number of certificates and requests being tracked: 8.

Request ID '20180228053337':

status: MONITORING

stuck: no

key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'

certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'

CA: SelfSign

issuer: CN=srv01.example.com,O=EXAMPLE.COM

subject: CN=srv01.example.com,O=EXAMPLE.COM

expires: 2021-01-11 21:56:57 UTC
principal name:krbtgt/example....@example.com <mailto:krbtgt/example....@example.com> 

certificate template/profile: KDCs_PKINIT_Certs

pre-save command:

post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert

track: yes

auto-renew: yes

Request ID '20180315021457':

status: MONITORING

stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' 

CA: dogtag-ipa-ca-renew-agent

issuer: CN=Certificate Authority,O=EXAMPLE.COM

subject: CN=CA Audit,O=EXAMPLE.COM

expires: 2020-02-25 04:27:49 UTC

key usage: digitalSignature,nonRepudiation

pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" 

track: yes

auto-renew: yes

Request ID '20180315021500':

status: MONITORING

stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' 

CA: dogtag-ipa-ca-renew-agent

issuer: CN=Certificate Authority,O=EXAMPLE.COM

subject: CN=OCSP Subsystem,O=EXAMPLE.COM

expires: 2020-02-25 04:28:38 UTC

eku: id-kp-OCSPSigning

pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" 

track: yes

auto-renew: yes

Request ID '20180315021501':

status: MONITORING

stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' 

CA: dogtag-ipa-ca-renew-agent

issuer: CN=Certificate Authority,O=EXAMPLE.COM

subject: CN=CA Subsystem,O=EXAMPLE.COM

expires: 2020-02-25 04:31:47 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment 

eku: id-kp-serverAuth,id-kp-clientAuth

pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" 

track: yes

auto-renew: yes

Request ID '20180315021502':

status: MONITORING

stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' 

CA: dogtag-ipa-ca-renew-agent

issuer: CN=Certificate Authority,O=EXAMPLE.COM

subject: CN=Certificate Authority,O=EXAMPLE.COM

expires: 2038-03-07 03:47:46 UTC

key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign

pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" 

track: yes

auto-renew: yes

Request ID '20180315021503':

status: CA_UNREACHABLE
ca-error: Error 60 connecting tohttps://srv01.example.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates. 

stuck: no

key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'

certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'

CA: dogtag-ipa-ca-renew-agent

issuer: CN=Certificate Authority,O=EXAMPLE.COM

subject: CN=IPA RA,O=EXAMPLE.COM

expires: 2018-06-15 23:15:23 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment 

eku: id-kp-serverAuth,id-kp-clientAuth

pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre

post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert

track: yes

auto-renew: yes

Request ID '20180315021505':

status: CA_UNREACHABLE
ca-error: Server athttps://srv01.example.com/ipa/xmlfailed request, will retry: 4016 (RPC failed at server.Failed to authenticate to CA REST API). 

stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwd 

file.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB' 

CA: IPA

issuer: CN=Certificate Authority,O=EXAMPLE.COM

subject: CN=srv01.example.com,O=EXAMPLE.COM

expires: 2020-03-07 08:49:36 UTC
principal name:ldap/srv01.example....@example.com <mailto:ldap/srv01.example....@example.com>
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment 

eku: id-kp-serverAuth,id-kp-clientAuth

pre-save command:

post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM

track: yes

auto-renew: yes

Request ID '20180315021510':

status: CA_UNREACHABLE
ca-error: Server athttps://srv01.example.com/ipa/xmlfailed request, will retry: 4016 (RPC failed at server.Failed to authenticate to CA REST API). 

stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' 

CA: IPA

issuer: CN=Certificate Authority,O=EXAMPLE.COM

subject: CN=srv01.example.com,O=EXAMPLE.COM

expires: 2020-03-07 08:49:51 UTC
principal name:HTTP/srv01.example....@example.com <mailto:HTTP/srv01.example....@example.com>
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment 

eku: id-kp-serverAuth,id-kp-clientAuth

pre-save command:

post-save command: /usr/libexec/ipa/certmonger/restart_httpd

track: yes

auto-renew: yes


thank you for your help.
Bhavin



_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org




_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

Reply via email to