Natxo Asenjo wrote:
On Fri, Sep 30, 2016 at 10:45 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
Natxo Asenjo wrote:
On Thu, Sep 29, 2016 at 1:16 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
Natxo Asenjo wrote:
On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
It's hard to say, it may in fact not be a problem. It is really a matter of what service the certificate(s) are related to. I'd look at the serial numbers and then correlate those to the issued certificates.
I'd also do a service-find on the hostname to see if any services have certificates issued and with what serial numbers.
I agree, it could be that. But just for testing I have created a vm, joined it to the domain and resubmitted the certificate. Now there are two valid host certificates with the same subject:
$ ipa cert-find --subject=throwaway.unix.iriszorg.nl
----------------------
2 certificates matched
----------------------
Serial number (hex): 0x3FFE0002
Serial number: 1073610754
Status: VALID
Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
Serial number (hex): 0x3FFE0003
Serial number: 1073610755
Status: VALID
Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
----------------------------
Number of entries returned 2
----------------------------
So certmonger on this CentOS 6.8 32-bit host is renewing but not having the old certificate revoked.
I'd check the Apache log to find the cert_request call to see if you can see if there are any issues raised. It should be doing a cert_revoke at the same time.
Can you show how this certificate is being tracked?
sure:
$ sudo getcert list
Number of certificates and requests being tracked: 1.
Request ID '20160929100945':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
expires: 2018-09-30 10:13:17 UTC
principal name: host/throwaway.unix.iriszorg...@unix.iriszorg.nl
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
now, let's resubmit:
$ sudo ipa-getcert resubmit -i 20160929100945
Resubmitting "20160929100945" to "IPA".
[jose.admin@throwaway ~]$ sudo getcert list
Number of certificates and requests being tracked: 1.
Request ID '20160929100945':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - throwaway.unix.iriszorg.nl',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
expires: 2018-09-30 20:41:28 UTC
principal name: host/throwaway.unix.iriszorg...@unix.iriszorg.nl
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
so it has been successfully renewed.
In the access_log of the kdc I see this:
172.20.4.228 - - [29/Sep/2016:22:41:27 +0200] "POST https://kdc03.unix.iriszorg.nl:443/ca/eeca/ca/profileSubmitSSLClient HTTP/1.1" 200 1913
172.20.6.81 - host/throwaway.unix.iriszorg...@unix.iriszorg.nl [29/Sep/2016:22:41:27 +0200] "POST /ipa/xml HTTP/1.1" 200 2929
and in the error_log:
[Thu Sep 29 22:41:28.626669 2016] [:error] [pid 4617] ipa: INFO: [xmlserver] host/throwaway.unix.iriszorg...@unix.iriszorg.nl: cert_request(u'<base64 CSR elided>', principal=u'host/throwaway.unix.iriszorg...@unix.iriszorg.nl', add=True, version=u'2.51'): SUCCESS
and now I have 3 valid certificates:
$ ipa cert-find --subject=throwaway.unix.iriszorg.nl
----------------------
3 certificates matched
----------------------
Serial number (hex): 0xFF9000D
Serial number: 267976717
Status: VALID
Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
Serial number (hex): 0x3FFE0002
Serial number: 1073610754
Status: VALID
Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
Serial number (hex): 0x3FFE0003
Serial number: 1073610755
Status: VALID
Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
----------------------------
Number of entries returned 3
----------------------------
Ok, let me start by saying that this is not a bug in either
certmonger or dogtag. IPA is supposed to do the revocation in the
cert_request command.
The steps IPA _should_ be taking are:
1. Figure out if we are doing a certificate for a host or a service.
2. See if the requester is allowed to manage this entry
3. Look at the entry to see if it has a usercertificate attribute.
If so revoke that serial number, then clear the usercertificate
value in the host or service entry (via service_mod or host_mod)
4. Request a new certificate
5. Update IPA with the new value
Does a certificate appear in ipa host-show throwaway.unix.iriszorg.nl, and which certificate serial number?
$ ipa host-show throwaway
Host name: throwaway.unix.iriszorg.nl
Certificate: <three base64 certificate values elided>
Principal name: host/throwaway.unix.iriszorg...@unix.iriszorg.nl
Password: False
Keytab: True
Managed by: throwaway.unix.iriszorg.nl
Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
Serial Number: 267976717
Serial Number (hex): 0xFF9000D
Issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
Not Before: Thu Sep 29 20:41:28 2016 UTC
Not After: Sun Sep 30 20:41:28 2018 UTC
Fingerprint (MD5): 52:a1:06:a1:39:27:bc:ed:dd:45:f5:36:32:11:99:c1
Fingerprint (SHA1): 81:d4:01:5a:26:83:9c:c4:fb:76:fb:c3:29:cd:32:c1:8a:4c:eb:45
SSH public key fingerprint: 61:66:4D:D7:E6:83:B3:31:BB:50:C3:28:11:79:FD:42 (ssh-rsa), 71:80:40:26:50:64:CD:FE:9A:FB:8D:DA:55:56:18:95 (ssh-dss)
so it shows the three certificates but the serial is 267976717
Sadly I don't have much useful information for you. This is what I found.
usercertificate is a multi-valued LDAP attribute but IPA 3.0 only really
operates on the "first" value returned (I didn't look at more recent
versions). In this case it is the 267976717 cert. The other certs shown
without details are for the other serial numbers that cert-find is
reporting.
I can't see a way that this first usercertificate value isn't revoked
and removed upon renewal so I can't quite figure out how you got into
this state (and so easily as I understand it). I wasn't able to
reproduce it myself. Do you have any idea how widespread this is in
your infrastructure?
I can see that once in this state that any "extra" certs would just be
stuck there, never to be revoked.
rob
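An added example (not code from the thread or from FreeIPA itself): a small Python check, modelled on the cert-find and host-show output quoted above, that flags VALID certificates for a subject whose serial is not the one the host entry references. The cert-find output it parses is constructed to match the layout in the thread.

```python
from collections import defaultdict

# Constructed sample of `ipa cert-find --subject=...` output in the layout the
# thread shows (not a real capture): two VALID certs plus one already revoked.
SAMPLE_CERT_FIND = """\
3 certificates matched
Serial number (hex): 0xFF9000D
Serial number: 267976717
Status: VALID
Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
Serial number (hex): 0x3FFE0002
Serial number: 1073610754
Status: VALID
Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
Serial number (hex): 0x3FFE0003
Serial number: 1073610755
Status: REVOKED
Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
Number of entries returned 3
"""

def parse_cert_find(text):
    """Parse cert-find's key/value listing into one dict per certificate."""
    certs, cur = [], None
    for line in text.splitlines():
        key, sep, val = line.strip().partition(":")
        if not sep:
            continue  # banner and separator lines carry no colon
        key, val = key.strip(), val.strip()
        if key == "Serial number":  # the decimal serial starts a new record
            cur = {"serial": int(val)}
            certs.append(cur)
        elif cur is not None and key in ("Status", "Subject"):
            cur[key.lower()] = val
    return certs

def valid_by_subject(certs):
    """Map subject DN -> serials the CA still considers VALID (all subjects)."""
    groups = defaultdict(list)
    for c in certs:
        if c.get("status") == "VALID":
            groups[c["subject"]].append(c["serial"])
    return dict(groups)

def leftover_serials(certs, subject, current_serial):
    """VALID serials for `subject` other than the one ipa host-show reports;
    renewal should have revoked these, so any left are the 'stuck' certs."""
    return sorted(s for s in valid_by_subject(certs).get(subject, [])
                  if s != current_serial)
```

Against a live server, feed the stdout of `ipa cert-find --subject=<host>` to parse_cert_find and pass the serial printed by `ipa host-show`; on the thread's data this would report 1073610754 and 1073610755 as leftovers next to the referenced 267976717.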
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project