Grant Janssen via FreeIPA-users wrote:
> When I upgraded the servers to EL8 (I rebuilt from scratch using the old
> hostnames), I had neglected to assign an IPA CA renewal master after the
> old “boss” was retired.
> This crime is of course its own punishment.
>
> I found the documentation for handling this to actually be pretty good.
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_certificates_in_idm/renewing-expired-system-certificates-when-idm-is-offline_working-with-idm-certificates#doc-wrapper
>
> Fraser’s blog was also helpful (in confirming I executed this correctly)
> https://frasertweedale.github.io/blog-redhat/posts/2019-05-24-ipa-cert-fix.html
>
> I progressed through the other three IPA servers, but the last one still
> has a bad expiration on the CA cert.
>
> [root@ef-idm01 ~]# date
> Wed Feb 14 07:08:38 PST 2024
> [root@ef-idm01 ~]# getcert list | egrep '^Request|status:|subject:|expir'
> Request ID '20230530175932':
> 	status: MONITORING
> 	subject: CN=ef-idm01.production.efilm.com,O=PRODUCTION.EFILM.COM
> 	expires: 2025-05-30 10:59:53 PDT
> Request ID '20230530180022':
> 	status: MONITORING
> 	subject: CN=ef-idm01.production.efilm.com,O=PRODUCTION.EFILM.COM
> 	expires: 2025-05-30 11:00:30 PDT
> Request ID '20230530180438':
> 	status: NEED_CA
> 	subject: CN=IPA RA,O=PRODUCTION.EFILM.COM
> 	expires: 2024-01-02 07:58:28 PST
> [root@ef-idm01 ~]# ipa-cert-fix
>
>                           WARNING
>
> ipa-cert-fix is intended for recovery when expired certificates
> prevent the normal operation of IPA.  It should ONLY be used
> in such scenarios, and backup of the system, especially certificates
> and keys, is STRONGLY RECOMMENDED.
>
>
> The following certificates will be renewed:
>
> IPA IPA RA certificate:
>   Subject: CN=IPA RA,O=PRODUCTION.EFILM.COM
>   Serial:  162
>   Expires: 2024-01-02 15:58:28
>
> Enter "yes" to proceed: yes
> Proceeding.
> Renewed IPA IPA RA certificate:
>   Subject: CN=IPA RA,O=PRODUCTION.EFILM.COM
>   Serial:  1341915142
>   Expires: 2026-02-03 20:18:20
>
> Becoming renewal master.
> Restarting IPA
>
> Note: Monitor the certmonger-initiated renewal of
> certificates after ipa-cert-fix and wait for its completion before
> any other administrative task.
>
> The ipa-cert-fix command was successful
> [root@ef-idm01 ~]#
>
>
> I checked the cert expiration several times yesterday, but it never
> updated on this server.
> I waited a full day to let certmonger do its thing, below is my result
> this morning.
>
> [root@ef-idm01 ~]#ipactl restart
> Restarting Directory Service
> Restarting krb5kdc Service
> Restarting kadmin Service
> Restarting httpd Service
> Restarting ipa-custodia Service
> Restarting pki-tomcatd Service
> Restarting ipa-otpd Service
> ipa: INFO: The ipactl command was successful
> [root@ef-idm01 ~]# ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa: INFO: The ipactl command was successful
> [root@ef-idm01 ~]# getcert list | egrep '^Request|status:|subject:|expir'
> Request ID '20230530175932':
> 	status: MONITORING
> 	subject: CN=ef-idm01.production.efilm.com,O=PRODUCTION.EFILM.COM
> 	expires: 2025-05-30 10:59:53 PDT
> Request ID '20230530180022':
> 	status: MONITORING
> 	subject: CN=ef-idm01.production.efilm.com,O=PRODUCTION.EFILM.COM
> 	expires: 2025-05-30 11:00:30 PDT
> Request ID '20230530180438':
> 	status: NEED_CA
> 	subject: CN=IPA RA,O=PRODUCTION.EFILM.COM
> 	expires: 2024-01-02 07:58:28 PST
> [root@ef-idm01 ~]#ipa-cert-fix
> Nothing to do.
> The ipa-cert-fix command was successful
> [root@ef-idm01 ~]# getcert list | egrep '^Request|status:|subject:|expir'
> Request ID '20230530175932':
> 	status: MONITORING
> 	subject: CN=ef-idm01.production.efilm.com,O=PRODUCTION.EFILM.COM
> 	expires: 2025-05-30 10:59:53 PDT
> Request ID '20230530180022':
> 	status: MONITORING
> 	subject: CN=ef-idm01.production.efilm.com,O=PRODUCTION.EFILM.COM
> 	expires: 2025-05-30 11:00:30 PDT
> Request ID '20230530180438':
> 	status: NEED_CA
> 	subject: CN=IPA RA,O=PRODUCTION.EFILM.COM
> 	expires: 2024-01-02 07:58:28 PST
> [root@ef-idm01 ~]#
>
>
> How can I sort out this one remaining issue?
> Do I just assign another server as the renewal master?
You only need to run ipa-cert-fix on the CA renewal master. Once that is done the RA Agent can be renewed on the machine and made available to the replicas. Updated CA/RA certificates are stored in LDAP. Once replication is working then all replicas will pick up the necessary certificates from there. In fact you don't want to renew the CA/RA certificates per-machine. They all must be the same.

I'd need to see the full RA cert tracking to be able to tell what is going on but I'd suggest running ipa-server-upgrade first. That will fix any bad tracking. Then manually resubmit it with getcert if it is still in the NEED_CA state and it should pull the updated cert out of LDAP.

rob
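The recovery Rob describes for a replica, as a small helper script. This is an added example, not Rob's code and not part of the FreeIPA project: it reads `getcert list` output, finds every certmonger tracking request whose status is `NEED_CA`, and prints (or, with `APPLY=1`, runs) the steps from the reply, `ipa-server-upgrade` first and then `getcert resubmit -i <request id>` for each stuck request so certmonger pulls the already-renewed certificate out of LDAP. The embedded sample output is constructed from the `getcert list` listing quoted in the thread; `getcert list`, `getcert resubmit -i` and `ipa-server-upgrade` are the real commands, and the tab-indented `status:` / `subject:` field layout is the one certmonger prints.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): find certmonger tracking
# requests stuck in NEED_CA on an IPA replica and print, or with APPLY=1 run,
# the recovery steps from Rob's reply (ipa-server-upgrade, then resubmit each
# stuck request so certmonger fetches the renewed cert from LDAP).

# Constructed sample shaped like the `getcert list | egrep ...` output in the
# thread; request IDs and subjects are the ones quoted there.
SAMPLE_GETCERT="Request ID '20230530175932':
	status: MONITORING
	subject: CN=ef-idm01.production.efilm.com,O=PRODUCTION.EFILM.COM
	expires: 2025-05-30 10:59:53 PDT
Request ID '20230530180022':
	status: MONITORING
	subject: CN=ef-idm01.production.efilm.com,O=PRODUCTION.EFILM.COM
	expires: 2025-05-30 11:00:30 PDT
Request ID '20230530180438':
	status: NEED_CA
	subject: CN=IPA RA,O=PRODUCTION.EFILM.COM
	expires: 2024-01-02 07:58:28 PST"

# need_ca_requests TEXT
# Print, one per line, the request IDs in TEXT whose status is NEED_CA.
# A "Request ID '...':" header opens a record; the status line that follows
# belongs to that record, so the ID is remembered until the next header.
need_ca_requests() {
    printf '%s\n' "$1" | awk '
        $1 == "Request" && $2 == "ID" { id = $3; gsub(/[^0-9A-Za-z]/, "", id) }
        $1 == "status:" && $2 == "NEED_CA" && id != "" { print id }
    '
}

# remediation_commands TEXT
# Print the recovery commands for the NEED_CA requests found in TEXT.
# ipa-server-upgrade always comes first: it repairs bad tracking entries
# before anything is resubmitted.
remediation_commands() {
    echo "ipa-server-upgrade"
    need_ca_requests "$1" | while read -r id; do
        echo "getcert resubmit -i $id"
    done
}

# apply_remediation
# Run the steps for real on this host. Intended for root on the affected
# replica, after ipa-cert-fix has already succeeded on the CA renewal master.
apply_remediation() {
    ipa-server-upgrade || return 1
    need_ca_requests "$(getcert list)" | while read -r id; do
        getcert resubmit -i "$id"
    done
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_remediation
else
    echo "Dry run against the constructed sample; commands that would be run:"
    remediation_commands "$SAMPLE_GETCERT" | sed 's/^/  /'
fi
```

Before running it with `APPLY=1`, confirm which server currently holds the renewal-master role (the `IPA CA renewal master` line of `ipa config-show`) and that `ipa-cert-fix` was run there, since the whole point of Rob's reply is that the RA certificate is renewed once on that master and every replica then takes the same certificate from LDAP rather than renewing its own. After the resubmit, `getcert list -i <request id>` should move from `NEED_CA` to `MONITORING` with the new expiry.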