On 08/07/2014 01:25 PM, Rob Crittenden wrote:
> Lucas Yamanishi wrote:
>> Hello, I'm in a bit of a pickle with the PKI system. I have three
>> replicas, but only one contains the CA. I realize how poor a decision
>> it was to do that. I plan to create more complete replicas, but right
>> now I can't even create a replica file, much less a full replica.
>>
>> The problem started when the CA subsystem certificates expired. I read
>> several threads explaining how to roll back time and renew them, but I
>> then discovered that the host and HTTP certificates for the server were
>> missing. I checked for backups, but we erroneously did not cover those
>> files. Because they are missing I was unable to renew any certificates.
>>
>> Is there a way to manually create host and service certificates? When I
>> search for this, the "manual" procedure listed in the documentation
>> requires `ipa cert-request`, which does not work. I did try installing a
>> self-signed cert for HTTP with `ipa-server-certinstall`. That changed
>> the errors, but the commands still fail. The pki-ca service is running
>> OK, as far as I can tell.
>>
>> I also tried adding a CA instance to one of the other replicas with
>> `ipa-ca-install`, but it failed during the configuration phase.
>
> The subsystem certificate renewal should be independent of the web (and
> host) certificates. I'd focus on getting the CA back up, then we can see
> about getting a new web server certificate.
>
> Can you share the output of: getcert list
>
> You'll probably want to obfuscate the output as it contains the PIN to
> the private key database of the CA.
>
> rob

Here you go. I've also included `certutil -L` outputs.
The *auditSigningCert* I tried resubmitting with the time rolled back. The post-save command was also updated, because it wasn't done a year or two back when it replaced our old CRL-signer.

`getcert list`:

```
Number of certificates and requests being tracked: 7.
Request ID '20130321103859':
        status: CA_UNREACHABLE
        ca-error: Error 35 connecting to https://badca.example.com:9443/ca/agent/ca/profileReview: SSL connect error.
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='XXXXXXXXXXXX'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=CA Audit,O=EXAMPLE.COM
        expires: 2014-07-31 21:29:35 UTC
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130321103900':
        status: NEED_GUIDANCE
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='XXXXXXXXXXXX'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=OCSP Subsystem,O=EXAMPLE.COM
        expires: 2014-07-31 21:29:33 UTC
        eku: id-kp-OCSPSigning
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130321103901':
        status: NEED_GUIDANCE
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='XXXXXXXXXXXX'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=CA Subsystem,O=EXAMPLE.COM
        expires: 2014-07-31 21:29:34 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130321103902':
        status: NEED_GUIDANCE
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=IPA RA,O=EXAMPLE.COM
        expires: 2014-07-31 21:30:34 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20130321103903':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='XXXXXXXXXXXX'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=badca.example.com,O=EXAMPLE.COM
        expires: 2016-07-03 23:53:02 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20140724160403':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=badca.example.com,O=EXAMPLE.COM
        expires: 2016-07-28 18:28:51 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
        track: yes
        auto-renew: yes
Request ID '20140807180016':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=badca.example.com,O=EXAMPLE.COM
        expires: 2016-07-25 23:53:04 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
        track: yes
        auto-renew: yes
```

`certutil -L -d /var/lib/pki-ca/alias`:

```
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
```

`certutil -L -d /etc/httpd/alias` (most of these were re-added after `ipa-server-certinstall` removed them):

```
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

badca.example.com - self-signed                              CTu,Cu,u
EXAMPLE.COM IPA CA                                           CT,C,
ipaCert                                                      u,u,u
Server-Cert                                                  ,,
```

`certutil -L -d /etc/pki/nssdb`:

```
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

badca.example.com - self-signed                              CT,C,C
IPA CA                                                       CT,C,C
```

-- 
----- *question everything*learn something*answer nothing* ------------
Lucas Yamanishi
------------------
Systems Administrator, ADNET Systems, Inc.
NASA Space and Earth Science Data Analysis (606.9)
7515 Mission Drive, Suite A100
Lanham, MD 20706
* 301-352-4646 * 0xD354B2CB
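A small triage script for a dump like the one above, added here as an example; it is not part of the thread, of FreeIPA or of certmonger. It parses `getcert list` output into one record per request, flags every request that is stuck or not in MONITORING and every certificate that has already expired or expires within a window, and masks the `pin=` values so the dump can be shared the way Rob asked. The sample dump inside the script is constructed to mirror three of the seven requests posted above, with an invented PIN so the redaction is visible, and the reference date is that of the message.

```python
"""Triage a `getcert list` dump: stuck requests, expired or expiring certs,
and PIN redaction before the dump leaves the box.

Example code, not from FreeIPA or certmonger. The sample below is
constructed in the layout of `getcert list`; the pin= value is invented.
"""
import re
from datetime import datetime, timedelta

SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 3.
Request ID '20130321103859':
        status: CA_UNREACHABLE
        ca-error: Error 35 connecting to https://badca.example.com:9443/ca/agent/ca/profileReview: SSL connect error.
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='s3cret'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        subject: CN=CA Audit,O=EXAMPLE.COM
        expires: 2014-07-31 21:29:35 UTC
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
Request ID '20130321103900':
        status: NEED_GUIDANCE
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='s3cret'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        subject: CN=OCSP Subsystem,O=EXAMPLE.COM
        expires: 2014-07-31 21:29:33 UTC
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "ocspSigningCert cert-pki-ca"
Request ID '20130321103903':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='s3cret'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        subject: CN=badca.example.com,O=EXAMPLE.COM
        expires: 2016-07-03 23:53:02 UTC
        pre-save command:
        post-save command:
"""

# Date of the message; used as "now" so the sample triages the same way it did.
AS_OF = datetime(2014, 8, 7)

REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")
# Field lines are indented; the key is everything up to the first colon, so
# values that themselves contain colons (ca-error URLs) survive intact.
FIELD_RE = re.compile(r"^\s+([^:]+):\s?(.*)$")
PIN_RE = re.compile(r"pin='[^']*'")
NICK_RE = re.compile(r"nickname='([^']*)'")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"


def redact_pins(text):
    """Mask pin= values: they are the password to the CA key database."""
    return PIN_RE.sub("pin='REDACTED'", text)


def parse_getcert(text):
    """One dict per tracked request, keyed by the field names getcert prints."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        if current is None:
            continue  # header line before the first request
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    return requests


def triage(requests, now=AS_OF, warn_days=30):
    """(request_id, nickname, problem) for each request certmonger will not
    fix on its own: stuck or non-MONITORING, expired, or expiring soon."""
    findings, horizon = [], now + timedelta(days=warn_days)
    for req in requests:
        m = NICK_RE.search(req.get("certificate", ""))
        nick, rid = (m.group(1) if m else "?"), req["request_id"]
        status, err = req.get("status", "?"), req.get("ca-error", "")
        if req.get("stuck") == "yes":
            findings.append((rid, nick, "stuck in %s%s" % (status, ": " + err if err else "")))
        elif status != "MONITORING":
            findings.append((rid, nick, "state %s" % status))
        if req.get("expires"):
            when = datetime.strptime(req["expires"], EXPIRES_FMT)
            if when <= now:
                findings.append((rid, nick, "expired %s" % req["expires"]))
            elif when <= horizon:
                findings.append((rid, nick, "expires within %d days (%s)" % (warn_days, req["expires"])))
    return findings


if __name__ == "__main__":
    for rid, nick, problem in triage(parse_getcert(SAMPLE_GETCERT)):
        print("%s  %-30s %s" % (rid, nick, problem))
    print(redact_pins(SAMPLE_GETCERT))
```

On a live server the same functions run over `subprocess.check_output(["getcert", "list"])`; pass the redacted text, not the raw dump, to whatever you paste into a ticket or a list message.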
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project