Toasted Penguin wrote:
Yes, that helped fix 2012092520027 (thank you!!)

But I am still seeing an error with:

Request ID '20120615190133':
        status: CA_UNCONFIGURED
        ca-error: Error setting up ccache for local "host" service using default keytab.
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        track: yes
        auto-renew: yes

I noticed that the request ID doesn't show up
in /var/lib/certmonger/requests/, does that make a difference?

The request ID usually, but not always, matches the name of the request file.

We don't usually issue a Server-Cert for an IPA server. Could this be a remnant of an older client install?

Is there a Server-Cert in /etc/pki/nssdb? certutil -L -d /etc/pki/nssdb

rob

David


On Thu, May 2, 2013 at 2:35 PM, Nalin Dahyabhai <na...@redhat.com> wrote:

    On Thu, May 02, 2013 at 01:23:04PM -0500, Toasted Penguin wrote:
     > /etc/ipa/ca.crt was issued by O=CTIDATA.NET, CN=Certificate Authority
     >
     > All the certs monitored by Certmonger show the same issuer.

    Ok, good.  (If that hadn't been the case, I wouldn't have had an
    explanation to offer.)

     > Wasn't getting anything back when running the ipahost script you provided,
     > ran  ipahost=`grep ^host= /etc/ipa/default.conf | cut -f2- -d=` and echo
     > $ipahost shows nothing so I just ran the openssl section manually:

    Hmm.  Curious.  That might be a leftover from having different releases
    installed at various times on my test box.  Thanks for continuing on.

     > openssl s_client -CAfile /etc/ipa/ca.crt -connect ipa01.ctidata.net:https -showcerts < /dev/null
     >
     > Results:
     > CONNECTED(00000003)
     > depth=1 O = CTIDATA.NET, CN = Certificate Authority
     > verify return:1
     > depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
     > verify error:num=10:certificate has expired
     > notAfter=Mar 24 19:56:36 2013 GMT
     > verify return:1
     > depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
     > notAfter=Mar 24 19:56:36 2013 GMT
     > verify return:1
     > ---
     > Certificate chain
     >  0 s:/O=CTIDATA.NET/CN=ipa01.ctidata.net
     >    i:/O=CTIDATA.NET/CN=Certificate Authority
     > -----BEGIN CERTIFICATE-----
     > #####
     > -----END CERTIFICATE-----
     >  1 s:/O=CTIDATA.NET/CN=Certificate Authority
     >    i:/O=CTIDATA.NET/CN=Certificate Authority
     > -----BEGIN CERTIFICATE-----
     > ####
     > -----END CERTIFICATE-----
     > ---
     > Server certificate
     > subject=/O=CTIDATA.NET/CN=ipa01.ctidata.net
     > issuer=/O=CTIDATA.NET/CN=Certificate Authority
     > ---
     > No client certificate CA names sent
     > ---
     > SSL handshake has read 1959 bytes and written 463 bytes
     > ---
     > New, TLSv1/SSLv3, Cipher is AES256-SHA
     > Server public key is 2048 bit
     > Secure Renegotiation IS supported
     > Compression: NONE
     > Expansion: NONE
     > SSL-Session:
     >     Protocol  : TLSv1
     >     Cipher    : AES256-SHA
     >     Session-ID: #####
     >     Session-ID-ctx:
     >     Master-Key: ####
     >     Key-Arg   : None
     >     Krb5 Principal: None
     >     PSK identity: None
     >     PSK identity hint: None
     >     Start Time: 1367518514
     >     Timeout   : 300 (sec)
     >     Verify return code: 10 (certificate has expired)
     > ---
     > DONE

    Yup, that's the problem: the IPA server's certificate wasn't able to be
    replaced while it was still valid, and now it can no longer ask itself
    for a new one.

    With 2.1.4, I think the simplest way to sort this is to stop the
    services (ipactl stop; service certmonger stop), roll the system date
    back, start the services up again, possibly use 'ipa-getcert resubmit'
    to force updating (it should happen automatically, but forcing it to
    happen a second time won't hurt).  Then shut things down, set the
    correct time on the clock, and bring everything back up again.

    Hopefully there's a smarter way to do it, but I'm blanking on it if
    there is one.

    HTH,

    Nalin
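
As an added example (not code from this thread, nor from FreeIPA or certmonger), the bash script below automates the two checks made above: which certmonger requests are stuck, and whether the IPA server's HTTPS certificate has expired according to openssl s_client. It then computes the clock-rollback target for the recovery Nalin describes (a point one day before notAfter, so the expired Server-Cert is valid again while certmonger renews it). It assumes bash with awk and sed; the `getcert list` and `openssl s_client` outputs embedded in it are constructed samples modelled on the ones quoted in the thread, the second request ID is invented, and the "now" value is the handshake Start Time quoted above. Nothing here changes the system clock; the real commands are shown in comments only.

```shell
#!/usr/bin/env bash
# Added example for the freeipa-users thread above; not project code.
# Sample data is constructed and modelled on the outputs quoted in the thread.

# Constructed sample of `getcert list`; the second request ID is invented.
SAMPLE_GETCERT="$(cat <<'EOF'
Request ID '20120615190133':
        status: CA_UNCONFIGURED
        ca-error: Error setting up ccache for local "host" service using default keytab.
        stuck: yes
        CA: IPA
        expires: unknown
Request ID '20130502000001':
        status: MONITORING
        stuck: no
        CA: IPA
        expires: 2015-03-24 19:56:36 UTC
EOF
)"

# Constructed sample of the failing openssl s_client run from the thread.
SAMPLE_SCLIENT="$(cat <<'EOF'
CONNECTED(00000003)
depth=1 O = CTIDATA.NET, CN = Certificate Authority
verify return:1
depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
verify error:num=10:certificate has expired
notAfter=Mar 24 19:56:36 2013 GMT
verify return:1
---
    Verify return code: 10 (certificate has expired)
---
DONE
EOF
)"

# Print the IDs of tracked requests that certmonger reports as stuck.
# On a server: stuck_requests "$(getcert list)"
stuck_requests() {
    printf '%s\n' "$1" | awk -v q="'" '
        /^Request ID/            { id = $3; gsub("[" q ":]", "", id) }
        /^[[:space:]]*stuck: yes/ { print id }'
}

# Numeric "Verify return code" from openssl s_client output (10 = expired).
# On a server: verify_code "$(openssl s_client -CAfile /etc/ipa/ca.crt \
#     -connect "$(hostname -f):443" -showcerts </dev/null 2>&1)"
verify_code() {
    printf '%s\n' "$1" | sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# First notAfter= value openssl printed for the failing certificate.
notafter_field() {
    printf '%s\n' "$1" | sed -n 's/^notAfter=//p' | head -n 1
}

# Convert an openssl notAfter string ("Mar 24 19:56:36 2013 GMT") to a UNIX
# epoch with days-from-civil arithmetic, so no GNU-only `date -d` is needed.
notafter_epoch() {
    local mon day time year tz m h mi s y era yoe doy doe days
    read -r mon day time year tz <<< "$1"
    case "$mon" in
        Jan) m=1;; Feb) m=2;; Mar) m=3;;  Apr) m=4;;  May) m=5;;  Jun) m=6;;
        Jul) m=7;; Aug) m=8;; Sep) m=9;;  Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;
    esac
    IFS=: read -r h mi s <<< "$time"
    y=$year
    (( m <= 2 )) && y=$(( y - 1 ))
    era=$(( y / 400 ))
    yoe=$(( y - era * 400 ))
    if (( m > 2 )); then doy=$(( (153 * (m - 3) + 2) / 5 + 10#$day - 1 ))
    else                 doy=$(( (153 * (m + 9) + 2) / 5 + 10#$day - 1 )); fi
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    days=$(( era * 146097 + doe - 719468 ))
    echo $(( days * 86400 + 10#$h * 3600 + 10#$mi * 60 + 10#$s ))
}

# True (exit 0) if the certificate (notAfter epoch $1) had expired at epoch $2.
cert_expired() { (( $2 > $1 )); }

# Clock target for the recovery in the thread: one day before notAfter.
# On a server, after `ipactl stop; service certmonger stop`, you would run
#   date -u -s "@$(rollback_target "$NOTAFTER_EPOCH")"   # GNU date assumed
# then start services, `ipa-getcert resubmit`, stop again and restore the time.
rollback_target() { echo $(( $1 - 86400 )); }

# Demo on the constructed samples; "now" is the handshake Start Time quoted above.
NOW=1367518514
NOTAFTER_EPOCH=$(notafter_epoch "$(notafter_field "$SAMPLE_SCLIENT")")
echo "stuck certmonger requests: $(stuck_requests "$SAMPLE_GETCERT")"
echo "openssl verify return code: $(verify_code "$SAMPLE_SCLIENT")"
if cert_expired "$NOTAFTER_EPOCH" "$NOW"; then
    echo "server cert expired; clock rollback epoch: $(rollback_target "$NOTAFTER_EPOCH")"
fi
```

Run it on the IPA server by replacing the two sample variables with the live `getcert list` and `openssl s_client` outputs as shown in the comments; a verify return code of 10 together with a stuck Server-Cert request is the combination the thread diagnoses.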




_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

