I set time back on the master CA and was able to renew its certs except for one that has yet to expire but should have renewed. I tried to resubmit it but it still does not renew, and the status says NEED_CSR_GEN_TOKEN. We do have a Go Daddy cert we use as well, but it is still valid. Is it because of the nickname mismatches? I am not sure how to fix that.
ipa1.example.com

Request ID '20140729215756':
        status: NEED_CSR_GEN_TOKEN
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ipa1.example.com,O=EXAMPLE.COM
        expires: 2016-07-29 20:39:21 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
        track: yes
        auto-renew: yes

# certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM/

Certificate Nickname                                                     Trust Attributes
                                                                         SSL,S/MIME,JAR/XPI

NWF_GD                                                                   u,u,u
CN=Certificate Authority,O=EXAMPLE.COM                                   CT,,C
OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US   CT,,C
GD_CA                                                                    CT,,C
CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US   CT,,C

# certutil -L -d /etc/dirsrv/slapd-PKI-IPA/

Certificate Nickname                                                     Trust Attributes
                                                                         SSL,S/MIME,JAR/XPI

O=EXAMPLE.COM
EXAMPLE.COM IPA CA                                                       CT,C,
Server-Cert                                                              u,u,u

# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                                     Trust Attributes
                                                                         SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                                       CT,C,
ipaCert                                                                  u,u,u
Server-Cert                                                              u,u,u

My other servers had varying degrees of success with their expired certificates. I have one server that would not renew 6 of its certs, one that would not renew 2 of its certs and one that would not renew 1 of its certs. These are examples of the last two; I will save the one that won't renew 6, as I am hoping I can apply the same steps to those failures.
ipa2.example.com - 2 won't renew: one CA_UNREACHABLE even after a successful restart of services, and one NEED_CSR_GEN_TOKEN

Request ID '20140729215756':
        status: NEED_CSR_GEN_TOKEN
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ipa2.example.com,O=EXAMPLE.COM
        expires: 2016-07-29 20:39:21 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
        track: yes
        auto-renew: yes
Request ID '20140729215712':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://ipa2.example.com:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ipa2.example.com,O=EXAMPLE.COM
        expires: 2016-07-18 21:57:06 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

ipa3 - 1 won't renew: NEED_CSR_GEN_TOKEN

Request ID '20140729215511':
        status: NEED_CSR_GEN_TOKEN
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ipa3.example.com,O=EXAMPLE.COM
        expires: 2016-07-29 20:38:41 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
        track: yes
        auto-renew: yes

From: sipazzo <sipa...@yahoo.com>
To: Rob Crittenden <rcrit...@redhat.com>; "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Sent: Friday, July 29, 2016 4:06 PM
Subject: Re: [Freeipa-users] certificates expired - won't renew

Rob, you are awesome and I don't know what I would do without you. So I have two things going on, obviously. Following your instructions, it looks like the DM password has correctly been set. I cannot change the admin password as a test because I get the cert errors. I am going to retry setting dates back and requesting new certs again, following some of the threads I have seen. Could you please just clarify two points?
On my 4 servers, all running as CAs, do I only need to set the date back to prior to the expired certs shown by ipa-getcert list, or to the earliest expired date shown by getcert list? The getcert list shows certs that have been expired since June, but ipa-getcert shows more recent ones. Also, does it matter which servers I do first? Meaning, should I set time back on my "master" CA first? This is the expiration output info from my master:

[root@ipa2 ~]# ipa-getcert list | grep expires
        expires: 2016-08-26 16:41:24 UTC
        expires: 2016-08-26 16:41:23 UTC
        expires: 2016-08-26 16:41:24 UTC
[root@ipa2 ~]# getcert list | grep expires
        expires: 2016-08-26 16:41:24 UTC
        expires: 2016-08-15 16:47:26 UTC
        expires: 2016-08-26 16:41:23 UTC
        expires: 2016-08-26 16:41:24 UTC
        expires: 2016-06-06 23:36:29 UTC
        expires: 2016-06-06 23:36:28 UTC
        expires: 2016-06-06 23:36:28 UTC
        expires: 2016-06-06 23:37:09 UTC

Again thank you, as always.

From: Rob Crittenden <rcrit...@redhat.com>
To: sipazzo <sipa...@yahoo.com>; "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Sent: Friday, July 29, 2016 2:10 PM
Subject: Re: [Freeipa-users] certificates expired - won't renew

sipazzo wrote:
> I have seen many threads on this so sorry to bring it up again but I
> have a freeipa domain, with 4 ipa servers running on redhat 6 version
> 3.0.0-50. The certificates are expired/expiring and will not renew and
> it is causing many issues for us. I have tried the many suggestions I
> have seen in the archives such as changing the time to prior to
> expiration and attempting renew by resubmitting the requests but they
> never renew. An example of getcert list from the first server that expired:
>
> Number of certificates and requests being tracked: 8.
[snip]

> The localhost log in /var/log/pki-ca has errors like:
>
> tail localhost.2016-07-29.log
> Jul 29, 2016 8:55:51 AM org.apache.catalina.core.StandardWrapperValve invoke
> SEVERE: Servlet.service() for servlet caProfileSubmit threw exception
> java.io.IOException: CS server is not ready to serve.
>         at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:441)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:723)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>         at com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>         at org.
>
> Debug log in /var/log/pki-cacd
> tail debug
> [29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
> [29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
> [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable getLDAPConn: netscape.ldap.LDAPException: error result (49)
> [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable: unable to query sessionIds: java.io.IOException: Failed to connect to the internal database.
> [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable: getSessionIds: Error in disconnecting from database: java.lang.NullPointerException
> [29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
> [29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
> [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable getLDAPConn: netscape.ldap.LDAPException: error result (49)
> [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable: unable to query sessionIds: java.io.IOException: Failed to connect to the internal database.
> [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable: getSessionIds: Error in disconnecting from database: java.lang.NullPointerException
>
> Performing most IPA commands results in errors such as:
>
> ipa: ERROR: cert validation failed for "CN=ipa1.example.com,O=EXAMPLE.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
>
> Not sure if it is related, but we lost our first IPA server some time ago
> and had to promote another to the CA master. Also, due to someone
> leaving the company at the beginning of the year, we had to change the
> directory manager password. I followed all the directions to do so, but
> it does not seem like it was a completely smooth transaction.

It is related. Your CA can't connect to its database. You must have missed a step when updating the DM password.

As a goof I just tried it on my RHEL 6 install and it seems to work; this is what I did:

# service dirsrv stop
# /usr/bin/pwdhash password

Edit both /etc/dirsrv/slapd-REALM/dse.ldif and /etc/dirsrv/slapd-PKI-IPA/dse.ldif to set nsslapd-rootpw.

# service dirsrv start

Check both of the new passwords:

# ldapsearch -x -D "cn=directory manager" -W -s base -b "" "objectclass=*"
# ldapsearch -h localhost -p 7389 -x -D "cn=directory manager" -W -s base -b "" "objectclass=*"

Update the internaldb value in /etc/pki-ca/password.conf with the new password.
Update and test the admin user password:

# ldappasswd -h localhost -ZZ -p 7389 -x -D "cn=Directory Manager" -W -S uid=admin,ou=people,o=ipaca
# ldapsearch -h localhost -ZZ -p 7389 -x -D "uid=admin,ou=people,o=ipaca" -W -b "" -s base

Restart the CA:

# service pki-cad restart

Note that things _still_ aren't going to work so hot with all the expired certs, but if you go back in time you will at least have a chance of renewing things.

rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
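An added example, not from the thread or the FreeIPA project: a small Python triage script that parses `getcert list` output of the shape quoted above, flags every tracked request that is expired, stuck or in a non-MONITORING state, and reports the earliest expiry, which is the date the clock has to be set before for all tracked certificates to be renewable. The sample output it parses is constructed, modelled on the ipa2 listing in the thread.

```python
import re
from datetime import datetime

# Constructed sample modelled on the `getcert list` output quoted in the thread (not a real capture).
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20140729215756':
\tstatus: NEED_CSR_GEN_TOKEN
\tstuck: yes
\texpires: 2016-07-29 20:39:21 UTC
Request ID '20140729215712':
\tstatus: CA_UNREACHABLE
\tca-error: Error 60 connecting to https://ipa2.example.com:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
\tstuck: no
\texpires: 2016-07-18 21:57:06 UTC
"""

def parse_getcert(text):
    """One dict per 'Request ID' block; the 'expires' line is also parsed to a datetime."""
    requests, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1)}
            requests.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.strip().partition(":")  # first colon only: ca-error holds URLs
            cur[key.strip()] = val.strip()
            if key.strip() == "expires":  # e.g. '2016-07-29 20:39:21 UTC'
                cur["expires_at"] = datetime.strptime(val.strip()[:19], "%Y-%m-%d %H:%M:%S")
    return requests

def triage(text, now):
    """Map request id -> problems: expired, stuck, non-MONITORING status, CA error."""
    report = {}
    for r in parse_getcert(text):
        age = (now - r["expires_at"]).days if "expires_at" in r else -1
        problems = [msg for hit, msg in (
            (age >= 0, "expired %d days ago" % age),
            (r.get("status") != "MONITORING", "status " + r.get("status", "?")),
            (r.get("stuck") == "yes", "stuck"),
            ("ca-error" in r, "ca-error: " + r.get("ca-error", ""))) if hit]
        if problems:
            report[r["id"]] = problems
    return report

def earliest_expiry(text):
    """Earliest expiry among the tracked requests: the clock must be set to before this."""
    return min(r["expires_at"] for r in parse_getcert(text) if "expires_at" in r)
```

Run it against the real listing with `triage(open("getcert.txt").read(), datetime.utcnow())` after saving `getcert list` output to a file; requests that are current and MONITORING do not appear in the report.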