Natxo Asenjo wrote:
hi,

After our upgrade from CentOS 6.8 to 7.2, when I renew a certificate
using ipa-getcert resubmit -i xxxxxx, the certificate is properly
renewed, but the info in ipa host-show still shows the old certificate
info. Is this normal?

$ sudo getcert list | grep expires
     expires: 2018-09-27 19:46:03 UTC

so that certificate has successfully been renewed, but this is the
host's info:

$ ipa host-show hostname | grep -i after
      Not After: Wed Jun 07 14:30:47 2017 UTC

and I see there as well more than one certificate for that host:

$ ipa cert-find --subject=hostname
----------------------
5 certificates matched
----------------------
   Serial number (hex): 0xFF90008
   Serial number: 267976712
   Status: VALID
   Subject: CN=hostname.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

   Serial number (hex): 0xFF90009
   Serial number: 267976713
   Status: VALID
   Subject: CN=hostname.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

   Serial number (hex): 0xFF9000A
   Serial number: 267976714
   Status: VALID
   Subject: CN=hostname.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

   Serial number (hex): 0xFFF001D
   Serial number: 268369949
   Status: REVOKED_EXPIRED
   Subject: CN=hostname.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

   Serial number (hex): 0xFFF0093
   Serial number: 268370067
   Status: REVOKED
   Subject: CN=hostname.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
----------------------------
Number of entries returned 5
----------------------------

And three of them are still valid. As a comparison, another host which
was installed at about the same time also has 5 certificates, but 4 are
revoked, and the expiry info from getcert list and from the valid
certificate is the same.

So how do I correct this?

It's hard to say; it may in fact not be a problem.

It is really a matter of what service the certificate(s) are related to. I'd look at the serial numbers and then correlate those to the issued certificates.

I'd also do a service-find on the hostname to see if any services have certificates issued and with what serial numbers.

rob
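Rob's suggested check, correlating serial numbers and looking at which certificates are still VALID, as an added Python example that is not part of this thread: it parses a constructed sample in the shape of the `ipa cert-find` output above, compares it against an assumed tracked serial (the real one comes from the certificate file certmonger tracks), and compares the Not After from `ipa host-show` with the expiry from `getcert list` to tell whether the host entry still carries the pre-renewal certificate.

```python
# Added example: correlate what certmonger tracks with what the IPA CA lists.
import re
from datetime import datetime

# Constructed sample in the shape of `ipa cert-find --subject=hostname`.
CERT_FIND_OUTPUT = """\
  Serial number (hex): 0xFF90008
  Serial number: 267976712
  Status: VALID
  Subject: CN=hostname.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
  Serial number (hex): 0xFF90009
  Serial number: 267976713
  Status: VALID
  Subject: CN=hostname.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
  Serial number (hex): 0xFFF001D
  Serial number: 268369949
  Status: REVOKED_EXPIRED
  Subject: CN=hostname.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
"""
# Assumed value: serial of the certificate certmonger currently tracks
# (read it from the tracked cert file, e.g. `openssl x509 -noout -serial`).
TRACKED_SERIAL_HEX = "0xFF90009"

RECORD_RE = re.compile(
    r"Serial number \(hex\): (?P<hex>0x[0-9A-Fa-f]+)\s+"
    r"Serial number: (?P<dec>\d+)\s+Status: (?P<status>\S+)\s+"
    r"Subject: (?P<subject>[^\n]+)")

def parse_cert_find(text):
    """One dict per certificate block; the hex and decimal serials must agree."""
    certs = []
    for m in RECORD_RE.finditer(text):
        if int(m["hex"], 16) != int(m["dec"]):
            raise ValueError("serial mismatch in block " + m["hex"])
        certs.append(m.groupdict())
    return certs

def stale_valid_serials(certs, tracked_hex):
    """VALID certificates other than the tracked one: those are the ones to
    correlate with `ipa service-find` or revoke once nothing uses them."""
    tracked = int(tracked_hex, 16)
    return sorted(c["hex"] for c in certs
                  if c["status"] == "VALID" and int(c["hex"], 16) != tracked)

def host_entry_is_stale(host_not_after, getcert_expires):
    """True when `ipa host-show` reports an earlier Not After than getcert,
    i.e. the host entry still carries the pre-renewal certificate."""
    ipa = datetime.strptime(host_not_after, "%a %b %d %H:%M:%S %Y %Z")
    cm = datetime.strptime(getcert_expires, "%Y-%m-%d %H:%M:%S %Z")
    return ipa < cm
```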

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
