On Fri, Sep 30, 2016 at 10:45 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Natxo Asenjo wrote:
>>
>> On Thu, Sep 29, 2016 at 1:16 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>
>>> Natxo Asenjo wrote:
>>>>
>>>> On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>>>
>>>>> It's hard to say, it may in fact not be a problem.
>>>>>
>>>>> It is really a matter of what service the certificate(s) are related
>>>>> to. I'd look at the serial numbers and then correlate those to the
>>>>> issued certificates.
>>>>>
>>>>> I'd also do a service-find on the hostname to see if any services
>>>>> have certificates issued and with what serial numbers.
>>>>
>>>> I agree, it could be that. But just for testing I have created a vm,
>>>> joined it to the domain and resubmitted the certificate.
>>>>
>>>> Now there are two valid host certificates with the same subject:
>>>>
>>>> $ ipa cert-find --subject=throwaway.unix.iriszorg.nl
>>>> ----------------------
>>>> 2 certificates matched
>>>> ----------------------
>>>>   Serial number (hex): 0x3FFE0002
>>>>   Serial number: 1073610754
>>>>   Status: VALID
>>>>   Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>>>>
>>>>   Serial number (hex): 0x3FFE0003
>>>>   Serial number: 1073610755
>>>>   Status: VALID
>>>>   Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>>>> ----------------------------
>>>> Number of entries returned 2
>>>> ----------------------------
>>>>
>>>> So certmonger in this centos 6.8 32bit host is renewing but not
>>>> having the old certificate revoked.
>>>
>>> I'd check the Apache log to find the cert_request call to see if you
>>> can see if there are any issues raised. It should be doing a
>>> cert_revoke at the same time.
>>>
>>> Can you show how this certificate is being tracked?
>>
>> sure:
>>
>> $ sudo getcert list
>> Number of certificates and requests being tracked: 1.
>> Request ID '20160929100945':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
>>         certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
>>         subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>>         expires: 2018-09-30 10:13:17 UTC
>>         principal name: host/throwaway.unix.iriszorg...@unix.iriszorg.nl
>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>>
>> now, let's resubmit:
>>
>> $ sudo ipa-getcert resubmit -i 20160929100945
>> Resubmitting "20160929100945" to "IPA".
>> [jose.admin@throwaway ~]$ sudo getcert list
>> Number of certificates and requests being tracked: 1.
>> Request ID '20160929100945':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
>>         certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
>>         subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>>         expires: 2018-09-30 20:41:28 UTC
>>         principal name: host/throwaway.unix.iriszorg...@unix.iriszorg.nl
>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>>
>> so it has been successfully renewed.
>>
>> In the access_log of the kdc I see this:
>>
>> 172.20.4.228 - - [29/Sep/2016:22:41:27 +0200] "POST https://kdc03.unix.iriszorg.nl:443/ca/eeca/ca/profileSubmitSSLClient HTTP/1.1" 200 1913
>> 172.20.6.81 - host/throwaway.unix.iriszorg...@unix.iriszorg.nl [29/Sep/2016:22:41:27 +0200] "POST /ipa/xml HTTP/1.1" 200 2929
>>
>> and in the error_log:
>>
>> [Thu Sep 29 22:41:28.626669 2016] [:error] [pid 4617] ipa: INFO: [xmlserver] host/throwaway.unix.iriszorg...@unix.iriszorg.nl: cert_request(u'MIID6DCCAtACAQAwQDEZMBcGA1UEChMQVU5JWC5JUklTW
>> k9SRy5OTDEjMCEGA1UEAxMadGhyb3dhd2F5LnVuaXguaXJpc3pvcmcubmwwg
>> gEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4jBk7V2D5pX12kYrr+
>> +lwsWq1UWHy6PM9O+B/GvxaI0JoARBrhR6MKI1Ev+DV2r5ukNNWHj5+/kKbt
>> W9XI2XMZ9pIBSwG3SG4m9s3gQV3dGQjlRCcU+MgXiDxRtRy2Vdzd1fZ9xdB1
>> txH3ZnZfceTosNw4Jp3bm/VtPChWJeN6K671FLRCzJkI1KrC+LHfGbvyTtOi
>> pB5O9t8RkN4Qh01r/rphPvt9Gh+/mTlHnmGP9+sseqHHsgv2fPvRQowpJD
>> EytTX5w/8pLrUCATqJUYfxK5RDuwD1304p3WXDFLoU6p2xaR63h34muj1a5N
>> V1CvQFqJapHB5B/w6uUbLzjg3AgMBAAGgggFhMHcGCSqGSIb3DQEJFDFqHmg
>> ASQBQAEEAIABNAGEAYwBoAGkAbgBlACAAQwBlAHIAdABpAGYAaQBjAGEAdAB
>> lACAALQAgAHQAaAByAG8AdwBhAHcAYQB5AC4AdQBuAGkAeAAuAGkAcgBpAHM
>> AegBvAHIAZwAuAG4AbDCB5QYJKoZIhvcNAQkOMYHXMIHUMIGhBgNVHREBAQA
>> EgZYwgZOgQAYKKwYBBAGCNxQCA6AyDDBob3N0L3Rocm93YXdheS51bml4Lml
>> yaXN6b3JnLm5sQFVOSVguSVJJU1pPUkcuTkygTwYGKwYBBQICoEUwQ6ASGxB
>> VTklYLklSSVNaT1JHLk5MoS0wK6ADAgEBoSQwIhsEaG9zdBsadGhyb3dhd2F
>> 5LnVuaXguaXJpc3pvcmcubmwwDAYDVR0TAQH/BAIwADAgBgNVHQ4BAQAEFgQ
>> UgXWL3vdW/I31tQxv5YjyMZy4x8kw!
>> DQYJKoZIhv
>> cNAQELBQADggEBAD674/oGYlQTQDSvwf0muYoxBsj1dc6gnArw0JJpGVCNMv
>> /J3FdgOLcOhxzZcOfZiQr4NdYoV+/6mISOhknMa4ErJhqSAWbUA+w3+lL3CH
>> fdDtNueUjZRbPZezcC0rhAlnXBT7iakjuhE56WkZz7AihEU8RAvnZfSRi1mh
>> ehf3wFRYKWuzK9AW1DTY/uGMmHXiFtvINpfAJ3yL66xPwTj4087nz9w4YUqN
>> yCX+hYL+7idCJeoMjDyCqYQpjFkdfZhRuNd+rrKWTgYvKN3w/5+ItefDCYy8
>> py91V2kXS7BrsYjd+2YHtQ2AbjgIW2xpTr/+PetToZyL50oWCpduT5t+M=',
>> principal=u'host/throwaway.unix.iriszorg...@unix.iriszorg.nl', add=True, version=u'2.51'): SUCCESS
>>
>> and now I have 3 valid certificates:
>>
>> $ ipa cert-find --subject=throwaway.unix.iriszorg.nl
>> ----------------------
>> 3 certificates matched
>> ----------------------
>>   Serial number (hex): 0xFF9000D
>>   Serial number: 267976717
>>   Status: VALID
>>   Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>>
>>   Serial number (hex): 0x3FFE0002
>>   Serial number: 1073610754
>>   Status: VALID
>>   Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>>
>>   Serial number (hex): 0x3FFE0003
>>   Serial number: 1073610755
>>   Status: VALID
>>   Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>> ----------------------------
>> Number of entries returned 3
>> ----------------------------
>
> Ok, let me start by saying that this is not a bug in either certmonger or
> dogtag. IPA is supposed to do the revocation in the cert_request command.
>
> The steps IPA _should_ be taking are:
>
> 1. Figure out if we are doing a certificate for a host or a service.
> 2. See if the requester is allowed to manage this entry
> 3. Look at the entry to see if it has a usercertificate attribute. If so
>    revoke that serial number, then clear the usercertificate value in the host
>    or service entry (via service_mod or host_mod)
> 4. Request a new certificate
> 5. Update IPA with the new value
>
> Does a certificate appear in ipa host-show throwaway.unix.iriszorg.nl,
> and which certificate serial number?

$ ipa host-show throwaway
  Host name: throwaway.unix.iriszorg.nl
  Certificate: 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, 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, 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
  Principal name: host/throwaway.unix.iriszorg...@unix.iriszorg.nl
  Password: False
  Keytab: True
  Managed by: throwaway.unix.iriszorg.nl
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
  Serial Number: 267976717
  Serial Number (hex): 0xFF9000D
  Issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
  Not Before: Thu Sep 29 20:41:28 2016 UTC
  Not After: Sun Sep 30 20:41:28 2018 UTC
  Fingerprint (MD5): 52:a1:06:a1:39:27:bc:ed:dd:45:f5:36:32:11:99:c1
  Fingerprint (SHA1): 81:d4:01:5a:26:83:9c:c4:fb:76:fb:c3:29:cd:32:c1:8a:4c:eb:45
  SSH public key fingerprint: 61:66:4D:D7:E6:83:B3:31:BB:50:C3:28:11:79:FD:42 (ssh-rsa), 71:80:40:26:50:64:CD:FE:9A:FB:8D:DA:55:56:18:95 (ssh-dss)

so it shows the three certificates but the serial is 267976717

--
Groeten,
natxo
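The situation the thread describes, a host entry whose current serial is one of several still-VALID certificates for the same subject, is easy to miss when it happens across many hosts rather than one throwaway VM. The script below is an added example and is not code from this thread or from FreeIPA itself. It parses the `ipa cert-find` and `ipa host-show` output formats quoted above (the sample text is constructed here from the values posted in the thread), groups VALID certificates by subject, and reports the serials that are valid for the host's subject but are not the serial the host entry carries, which are exactly the leftovers that the cert_request revocation step was supposed to remove. The function names and the report layout are this example's own.

```python
"""Audit a FreeIPA host for stale VALID certificates left behind by renewal.

Added example, not FreeIPA code. Input is the plain-text output of
`ipa cert-find --subject=<host>` and `ipa host-show <host>`.
"""
from collections import defaultdict

# Constructed sample: same layout and values as the cert-find output in the thread.
CERT_FIND_OUTPUT = """\
----------------------
3 certificates matched
----------------------
  Serial number (hex): 0xFF9000D
  Serial number: 267976717
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0002
  Serial number: 1073610754
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0003
  Serial number: 1073610755
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
----------------------------
Number of entries returned 3
----------------------------
"""

# Constructed sample: the certificate-related lines of the host-show output in the thread.
HOST_SHOW_OUTPUT = """\
  Host name: throwaway.unix.iriszorg.nl
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
  Serial Number: 267976717
  Serial Number (hex): 0xFF9000D
  Issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
"""


def parse_kv(lines):
    """Turn 'Key: value' lines into a dict with lower-cased keys.

    Splitting on the first colon keeps DN values such as 'CN=...,O=...' intact.
    """
    result = {}
    for line in lines:
        key, sep, value = line.strip().partition(":")
        if sep:
            result[key.strip().lower()] = value.strip()
    return result


def parse_cert_find(text):
    """Split cert-find output into one dict per certificate record.

    Records are separated by blank lines or dashed rules; the header and
    footer blocks contain no 'key: value' lines and are dropped.
    """
    records, block = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("-"):
            if block:
                records.append(parse_kv(block))
                block = []
            continue
        block.append(stripped)
    if block:
        records.append(parse_kv(block))
    return [r for r in records if "serial number" in r]


def valid_by_subject(records):
    """Map each subject DN to the decimal serials of its VALID certificates."""
    groups = defaultdict(list)
    for rec in records:
        if rec.get("status") == "VALID":
            groups[rec["subject"]].append(int(rec["serial number"]))
    return dict(groups)


def audit_host(cert_find_text, host_show_text):
    """Compare the serial in the host entry with all VALID certs for its subject.

    'stale_valid_serials' lists certificates that are still valid but are no
    longer the one the host entry points at; 'current_is_valid' is False when
    the host entry references a serial the CA does not report as VALID.
    """
    host = parse_kv(host_show_text.splitlines())
    current = int(host["serial number"])
    subject = host["subject"]
    valid = valid_by_subject(parse_cert_find(cert_find_text)).get(subject, [])
    return {
        "subject": subject,
        "current_serial": current,
        "current_is_valid": current in valid,
        "stale_valid_serials": sorted(s for s in valid if s != current),
    }


if __name__ == "__main__":
    report = audit_host(CERT_FIND_OUTPUT, HOST_SHOW_OUTPUT)
    print(f"{report['subject']}: host entry serial {report['current_serial']} "
          f"(valid: {report['current_is_valid']})")
    for serial in report["stale_valid_serials"]:
        print(f"  stale VALID certificate: serial {serial} ({hex(serial)})")
```

On a live system, feed the functions the captured output of the two commands for each host; the stale serials are the candidates to review and revoke, and a host entry whose serial is not VALID is a separate finding worth investigating before any renewal is retried.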
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project