I've inherited an IPA infrastructure for a group in my organization, so I now have a RHEL instance running an IPA 3.0.0 server whose certificates have expired.
[root@ipa ~]# rpm -qa | grep ipa-server
ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
ipa-server-3.0.0-26.el6_4.2.x86_64
[root@ipa ~]#
[root@ipa ~]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20130404232110':
status: CA_UNREACHABLE
ca-error: Error 7 connecting to
http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to
server.
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='<redacted>'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=IDEF
subject: CN=CA Audit,O=IDEF
expires: 2017-02-15 19:26:38 UTC
key usage: digitalSignature,nonRepudiation
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20130404232111':
status: CA_UNREACHABLE
ca-error: Error 7 connecting to
http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to
server.
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='<redacted>'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=IDEF
subject: CN=OCSP Subsystem,O=IDEF
expires: 2017-02-15 19:25:38 UTC
eku: id-kp-OCSPSigning
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20130404232112':
status: CA_UNREACHABLE
ca-error: Error 7 connecting to
http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to
server.
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='<redacted>'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=IDEF
subject: CN=CA Subsystem,O=IDEF
expires: 2017-02-15 19:25:38 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20130404232113':
status: CA_UNREACHABLE
ca-error: Error 7 connecting to
http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to
server.
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=IDEF
subject: CN=IPA RA,O=IDEF
expires: 2017-02-15 19:25:38 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20130404232114':
status: CA_UNREACHABLE
ca-error: Error 7 connecting to
http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to
server.
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='<redacted>'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=IDEF
subject: CN=ipa.infra.idef,O=IDEF
expires: 2017-02-15 19:25:38 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20130404232127':
status: CA_UNREACHABLE
ca-error: Error setting up ccache for "host" service on client using
default keytab: Cannot contact any KDC for realm 'IDEF'.
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-IDEF',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-IDEF/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-IDEF',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=IDEF
subject: CN=ipa.infra.idef,O=IDEF
expires: 2015-04-05 23:21:26 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20130404232155':
status: CA_UNREACHABLE
ca-error: Error setting up ccache for "host" service on client using
default keytab: Cannot contact any KDC for realm 'IDEF'.
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=IDEF
subject: CN=ipa.infra.idef,O=IDEF
expires: 2015-04-05 23:21:54 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20130404232517':
status: CA_UNREACHABLE
ca-error: Error setting up ccache for "host" service on client using
default keytab: Cannot contact any KDC for realm 'IDEF'.
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=IDEF
subject: CN=ipa.infra.idef,O=IDEF
expires: 2015-04-05 23:25:17 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Now, I've tried following the instructions for fixing expired certs at
https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
However, I ran into many issues. The first is that I don't know what the <pin>
referenced very early in the instruction set is. (Judging by the getcert output
above, it is most likely the `pin=` value that `getcert list` prints for the
/var/lib/pki-ca/alias entries, i.e. the password of the CA's NSS database. Note
that this value is the credential protecting the CA signing key, so it should not
be posted in the clear on a public list.)
I Googled a bit and saw some advice about rolling the clock back to a time when the
certificates were still valid, then restarting certmonger to renew the certs. Two
caveats with that approach: the time chosen has to fall inside the validity window
of every certificate involved — here before the earliest expiry (2015-04-05 for
the three `CA: IPA` certs) but not before the pki-ca subsystem certs that expire
2017-02-15 were issued (their notBefore is not shown by `getcert list`, but
`certutil -L -d /var/lib/pki-ca/alias -n 'Server-Cert cert-pki-ca'` prints it), so
April 2014 may be too early — and the services certmonger talks to (dirsrv, pki-ca,
httpd and the KDC) have to be up under the rolled-back time as well, with ntpd
stopped so the clock is not immediately corrected. Here is the output of that
process.
[root@ipa ~]# date
Thu Apr 10 00:13:51 EDT 2014
[root@ipa ~]# /etc/init.d/certmonger restart
Stopping certmonger: [ OK ]
Starting certmonger: [ OK ]
[root@ipa ~]#
That did not work: as the syslog entries below show, certmonger still cannot reach the CA on port 9180 or any KDC for the realm, so restarting certmonger on its own renews nothing while pki-ca and the KDC are down.
Here are some errors from syslog (the realm and hostname appear to have been replaced with placeholders here; they are the same 'IDEF' realm and ipa.infra.idef host shown in the getcert output above):
Apr 10 00:13:57 ipa certmonger: Error setting up ccache for "host"
service on client using default keytab: Cannot contact any KDC for
realm 'MyORG'.
Apr 10 00:13:57 ipa certmonger: Error 7 connecting to
http://myhost.mydomain.com:9180/ca/ee/ca/profileSubmit: Couldn't
connect to server.
Apr 10 00:13:57 ipa certmonger: Error setting up ccache for "host"
service on client using default keytab: Cannot contact any KDC for
realm 'MyORG'.
Apr 10 00:13:57 ipa certmonger: Error setting up ccache for "host"
service on client using default keytab: Cannot contact any KDC for
realm 'MyORG'.
Any ideas would greatly be appreciated.
Thanks.