--
Bertrand Rétif
Phosphore Services Informatiques - http://www.phosphore.eu
Tel: 04 66 51 87 73 / Mob: 06 61 87 03 30 / Fax: 09 72 12 61 44
----- Original Message -----
> From: "Florence Blanc-Renaud" <f...@redhat.com>
> To: "Bertrand Rétif" <bre...@phosphore.eu>, freeipa-users@redhat.com
> Sent: Friday 25 November 2016 11:03:53
> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
>
> On 11/23/2016 02:25 PM, Bertrand Rétif wrote:
> >
> > ------------------------------------------------------------------------
> >
> > From: "Florence Blanc-Renaud" <f...@redhat.com>
> > To: "Bertrand Rétif" <bre...@phosphore.eu>, freeipa-users@redhat.com
> > Sent: Wednesday 23 November 2016 08:49:28
> > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> >
> > On 11/22/2016 06:06 PM, Bertrand Rétif wrote:
> > > Hi Florence,
> > >
> > > Thanks for the clarification.
> > > Your explanation was very clear and I understand better now.
> > >
> > > Now my issue is that I need to start tracking "auditSigningCert
> > > cert-pki-ca", "ocspSigningCert cert-pki-ca" and "subsystemCert
> > > cert-pki-ca" on a server.
> > >
> > > I took a look on another server where they are properly tracked. However
> > > getcert list returns me "pin set" and not a "pinfile" as described in
> > > your mail.
> > > In "/etc/pki/pki-tomcat/alias" I do not see any pwdfile.txt file, so my
> > > question is where do I get the PIN?
> > >
> > Hi Bertrand,
> >
> > With IPA 4.2.0 I believe that the pin is stored in
> > /var/lib/pki/pki-tomcat/conf/password.conf, in the 'internal' field:
> > $ grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf
> > internal=0123456789101
> >
> > HTH,
> > Flo
> >
> > > Once again, thanks for your support, I tried to fix this issue for
> > > days!
> > >
> > > Regards
> > > Bertrand
> > >
> > > --
> > > Bertrand Rétif
> > > Phosphore Services Informatiques - http://www.phosphore.eu
> > > Tel: 04 66 51 87 73 / Mob: 06 61 87 03 30 / Fax: 09 72 12 61 44
> > >
> > > ------------------------------------------------------------------------
> > >
> > > From: "Florence Blanc-Renaud" <f...@redhat.com>
> > > To: "Bertrand Rétif" <bre...@phosphore.eu>, freeipa-users@redhat.com
> > > Sent: Tuesday 22 November 2016 13:17:34
> > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > >
> > > On 11/22/2016 11:50 AM, Bertrand Rétif wrote:
> > > >
> > > > From: "Florence Blanc-Renaud" <f...@redhat.com>
> > > > To: "Bertrand Rétif" <bre...@phosphore.eu>, freeipa-users@redhat.com
> > > > Sent: Tuesday 22 November 2016 11:33:45
> > > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > >
> > > > On 11/22/2016 10:07 AM, Bertrand Rétif wrote:
> > > > >
> > > > > ------------------------------------------------------------------------
> > > > >
> > > > > From: "Bertrand Rétif" <bre...@phosphore.eu>
> > > > > To: freeipa-users@redhat.com
> > > > > Sent: Tuesday 25 October 2016 17:51:09
> > > > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > > >
> > > > > ------------------------------------------------------------------------
> > > > >
> > > > > From: "Florence Blanc-Renaud" <f...@redhat.com>
> > > > > To: "Bertrand Rétif" <bre...@phosphore.eu>, freeipa-users@redhat.com
> > > > > Sent: Thursday 20 October 2016 18:45:21
> > > > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > > >
> > > > > On 10/19/2016 08:18 PM, Bertrand Rétif wrote:
> > > > > > From: "Bertrand Rétif" <bre...@phosphore.eu>
> > > > > > To: freeipa-users@redhat.com
> > > > > > Sent: Wednesday 19 October 2016 15:42:07
> > > > > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > > > >
> > > > > > ------------------------------------------------------------------------
> > > > > >
> > > > > > From: "Rob Crittenden" <rcrit...@redhat.com>
> > > > > > To: "Bertrand Rétif" <bre...@phosphore.eu>, freeipa-users@redhat.com
> > > > > > Sent: Wednesday 19 October 2016 15:30:14
> > > > > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > > > >
> > > > > > Bertrand Rétif wrote:
> > > > > > >> From: "Martin Babinsky" <mbabi...@redhat.com>
> > > > > > >> To: freeipa-users@redhat.com
> > > > > > >> Sent: Wednesday 19 October 2016 08:45:49
> > > > > > >> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > > > > >>
> > > > > > >> On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
> > > > > > >>> Hello,
> > > > > > >>>
> > > > > > >>> I had an issue with pki-tomcat.
> > > > > > >>> I had several certificates that were expired and pki-tomcat did not start
> > > > > > >>> anymore.
> > > > > > >>>
> > > > > > >>> I set the date on the server before certificate expiration and then
> > > > > > >>> pki-tomcat starts properly.
> > > > > > >>> Then I try to resubmit the certificate, but I get the below error:
> > > > > > >>> "Profile caServerCert Not Found"
> > > > > > >>>
> > > > > > >>> Do you have any idea how I could fix this issue?
> > > > > > >>>
> > > > > > >>> Please find below the output of the commands:
> > > > > > >>>
> > > > > > >>> # getcert resubmit -i 20160108170324
> > > > > > >>>
> > > > > > >>> # getcert list -i 20160108170324
> > > > > > >>> Number of certificates and requests being tracked: 7.
> > > > > > >>> Request ID '20160108170324':
> > > > > > >>>     status: MONITORING
> > > > > > >>>     ca-error: Server at "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied: Profile caServerCert Not Found
> > > > > > >>>     stuck: no
> > > > > > >>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > > > > >>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> > > > > > >>>     CA: dogtag-ipa-ca-renew-agent
> > > > > > >>>     issuer: CN=Certificate Authority,O=A.SKINFRA.EU
> > > > > > >>>     subject: CN=IPA RA,O=A.SKINFRA.EU
> > > > > > >>>     expires: 2016-06-28 15:25:11 UTC
> > > > > > >>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > > > > >>>     eku: id-kp-serverAuth,id-kp-clientAuth
> > > > > > >>>     pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
> > > > > > >>>     post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> > > > > > >>>     track: yes
> > > > > > >>>     auto-renew: yes
> > > > > > >>>
> > > > > > >>> Thanks in advance for your help.
> > > > > > >>> Bertrand
> > > > > > >>>
> > > > > > >> Hi Bertrand,
> > > > > > >>
> > > > > > >> what version of FreeIPA and Dogtag are you running?
> > > > > > >>
> > > > > > >> Also perform the following search on the IPA master and post the result:
> > > > > > >>
> > > > > > >> """
> > > > > > >> ldapsearch -D "cn=Directory Manager" -W -b
> > > > > > >> 'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)'
> > > > > > >> """
> > > > > > >
> > > > > > > Hi Martin,
> > > > > > >
> > > > > > > Thanks for your reply.
> > > > > > >
> > > > > > > Here is the version:
> > > > > > > - FreeIPA 4.2.0
> > > > > > > - Centos 7.2
> > > > > > >
> > > > > > > I have been able to fix the issue with "Profile caServerCert Not Found"
> > > > > > > by editing /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
> > > > > > > I replaced the below entry
> > > > > > > "subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem"
> > > > > > > by
> > > > > > > "subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem"
> > > > > > >
> > > > > > > and then launched the "ipa-server-upgrade" command.
> > > > > > > I found this solution in this post:
> > > > > > > http://osdir.com/ml/freeipa-users/2016-03/msg00280.html
> > > > > > >
> > > > > > > Then I was able to renew my certificate.
> > > > > > >
> > > > > > > However I rebooted my server too and pki-tomcat does not start and
> > > > > > > gives a new error in /var/log/pki/pki-tomcat/ca/debug
> > > > > > >
> > > > > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca
> > > > > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification
> > > > > > >
> > > > > > > java.lang.Exception: SystemCertsVerification: system certs verification failure
> > > > > > >     at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198)
> > > > > > >     at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861)
> > > > > > >     at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797)
> > > > > > >     at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1701)
> > > > > > >     at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1148)
> > > > > > >     at com.netscape.certsrv.apps.CMS.startup(CMS.java:200)
> > > > > > >     at com.netscape.certsrv.apps.CMS.start(CMS.java:1602)
> > > > > > >     at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
> > > > > > >     at javax.servlet.GenericServlet.init(GenericServlet.java:158)
> > > > > > >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > > > > >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> > > > > > >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > > > > >     at java.lang.reflect.Method.invoke(Method.java:606)
> > > > > > >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
> > > > > > >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
> > > > > > >     at java.security.AccessController.doPrivileged(Native Method)
> > > > > > >     at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
> > > > > > >     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
> > > > > > >     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
> > > > > > >     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
> > > > > > >     at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
> > > > > > >     at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
> > > > > > >     at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
> > > > > > >     at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
> > > > > > >     at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
> > > > > > >     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> > > > > > >     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
> > > > > > >     at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
> > > > > > >     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
> > > > > > >     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
> > > > > > >     at java.security.AccessController.doPrivileged(Native Method)
> > > > > > >     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
> > > > > > >     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
> > > > > > >     at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
> > > > > > >     at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
> > > > > > >     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
> > > > > > >     at java.util.concurrent.FutureTask.run(FutureTask.java:262)
> > > > > > >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> > > > > > >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> > > > > > >     at java.lang.Thread.run(Thread.java:745)
> > > > > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)
> > > > > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: CMSEngine.shutdown()
> > > > > > >
> > > > > > > I am currently stuck here.
> > > > > > > Thanks a lot for your help.
> > > > > >
> > > > > > I'm guessing at least one of the CA subsystem certificates is still
> > > > > > expired. Look at the "getcert list" output to see if there are any
> > > > > > expired certificates.
> > > > > >
> > > > > > rob
> > > > > >
> > > > > > > Bertrand
> > > > > >
> > > > > > Hello Rob,
> > > > > >
> > > > > > I checked on my 2 servers and no certificate is expired:
> > > > > >
> > > > > > [root@sdkipa03 ~]# getcert list |grep expire
> > > > > >     expires: 2018-06-22 22:02:26 UTC
> > > > > >     expires: 2018-06-22 22:02:47 UTC
> > > > > >     expires: 2034-07-09 15:24:34 UTC
> > > > > >     expires: 2016-10-30 13:35:29 UTC
> > > > > >
> > > > > > [root@sdkipa01 conf]# getcert list |grep expire
> > > > > >     expires: 2018-06-12 23:38:01 UTC
> > > > > >     expires: 2018-06-12 23:37:41 UTC
> > > > > >     expires: 2018-06-11 22:53:57 UTC
> > > > > >     expires: 2018-06-11 22:55:50 UTC
> > > > > >     expires: 2018-06-11 22:57:47 UTC
> > > > > >     expires: 2034-07-09 15:24:34 UTC
> > > > > >     expires: 2018-06-11 22:59:55 UTC
> > > > > >
> > > > > > I see that one certificate is in status: CA_UNREACHABLE, maybe I
> > > > > > rebooted my server too soon...
> > > > > >
> > > > > > I continue to investigate.
> > > > > >
> > > > > > Thanks for your help.
> > > > > > Bertrand
> > > > > >
> > > > > > I fixed my previous issue.
> > > > > > Now I have an issue with a server.
> > > > > > This server can not start pki-tomcatd, I get this error in the debug file:
> > > > > > "Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)"
> > > > > >
> > > > > > After investigation I see that I do not have the "ipaCert" certificate in
> > > > > > "/etc/httpd/alias"
> > > > > > cf. the below command:
> > > > > >
> > > > > > [root@sdkipa03 ~]# getcert list -d /etc/httpd/alias
> > > > > > Number of certificates and requests being tracked: 4.
> > > > > > Request ID '20141110133632':
> > > > > >     status: MONITORING
> > > > > >     stuck: no
> > > > > >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > > > >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> > > > > >     CA: IPA
> > > > > >     issuer: CN=Certificate Authority,O=A.SKINFRA.EU
> > > > > >     subject: CN=sdkipa03.skinfra.eu,O=A.SKINFRA.EU
> > > > > >     expires: 2018-06-22 22:02:47 UTC
> > > > > >     principal name: HTTP/sdkipa03.skinfra...@a.skinfra.eu
> > > > > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > > > >     eku: id-kp-serverAuth,id-kp-clientAuth
> > > > > >     pre-save command:
> > > > > >     post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> > > > > >     track: yes
> > > > > >     auto-renew: yes
> > > > > >
> > > > > > How can I add the certificate to /etc/httpd/alias?
> > > > > >
> > > > > Hi,
> > > > >
> > > > > for the record, the command getcert list that you supplied shows the
> > > > > certificates in /etc/httpd/alias that are tracked by certmonger. If you
> > > > > want to display all the certificates contained in /etc/httpd/alias
> > > > > (whether tracked or not), then you may want to use certutil -L -d
> > > > > /etc/httpd/alias instead.
> > > > >
> > > > > If ipaCert is missing, you can export the ipaCert certificate from another
> > > > > master, then import it to your server.
> > > > >
> > > > > On a master containing the cert:
> > > > > # certutil -d /etc/httpd/alias -L -n 'ipaCert' -a > /tmp/newRAcert.crt
> > > > >
> > > > > Then copy the file /tmp/newRAcert.crt to your server and import the cert:
> > > > > # certutil -d /etc/httpd/alias -A -n 'ipaCert' -a -i /tmp/newRAcert.crt -t u,u,u
> > > > >
> > > > > And finally you need to tell certmonger to monitor the cert using
> > > > > getcert start-tracking.
> > > > >
> > > > > Hope this helps,
> > > > > Flo.
> > > > >
> > > > > > Thanks for your support.
> > > > > > Regards
> > > > > > Bertrand
> > > > >
> > > > > Hi,
> > > > >
> > > > > Florence, thanks for your help.
> > > > > I was able to import ipaCert correctly with your commands.
> > > > > Now it seems that I also have an issue on one server with
> > > > > "subsystemCert cert-pki-ca" in /etc/pki/pki-tomcat/alias as I get
> > > > > the below error when pki-tomcat tries to start:
> > > > >
> > > > > LdapJssSSLSocket set client auth cert nickname subsystemCert cert-pki-ca
> > > > > Could not connect to LDAP server host sdkipa03.XX.YY port 636 Error
> > > > > netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
> > > > >
> > > > > Is there a way to restore a correct "subsystemCert cert-pki-ca"?
> > > > >
> > > > > Regards
> > > > > Bertrand
> > > > >
> > > > > Hello,
> > > > >
> > > > > I am still stuck with my IPA server.
> > > > > I have issues on both servers.
> > > > > On server1, the below certificate is not renewed properly:
> > > > > certutil -L -d /etc/httpd/alias/ -n "ipaCert"
> > > > >
> > > > > and on server 2 it is this certificate:
> > > > > certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "Server-Cert cert-pki-ca"
> > > > >
> > > > > Could you provide me with the correct syntax for the start-tracking command?
> > > > > I tried to launch this command but my certificate remains in the
> > > > > "NEWLY_ADDED_NEED_KEYINFO_READ_PIN" state.
> > > > > Here is the command I use:
> > > > > getcert start-tracking -c dogtag-ipa-retrieve-agent-submit -d
> > > > > /var/lib/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca' -B
> > > > > /usr/lib64/ipa/certmonger/stop_pkicad -C
> > > > > '/usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"' -T
> > > > > "Server-Cert cert-pki-ca" -P '20160614000000'
> > > > >
> > > > Hi Bertrand,
> > > >
> > > > to get the right command, you can check on a system where the
> > > > certificate is properly monitored, this will show you the right
> > > > parameters:
> > > > $ sudo getcert list -n ipaCert
> > > > Number of certificates and requests being tracked: 8.
> > > > Request ID '20161122095344':
> > > > [..]
> > > >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > > [...]
> > > >     CA: dogtag-ipa-ca-renew-agent
> > > > [...]
> > > >     pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
> > > >     post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> > > > [...]
> > > >
> > > > The relevant fields are NSSDB location, pinfile, nickname, CA, pre and
> > > > post-save commands. So in order to monitor ipaCert, you will need to use
> > > > $ sudo getcert start-tracking -d /etc/httpd/alias -n ipaCert \
> > > >     -p /etc/httpd/alias/pwdfile.txt \
> > > >     -c dogtag-ipa-ca-renew-agent \
> > > >     -B /usr/lib64/ipa/certmonger/renew_ra_cert_pre \
> > > >     -C /usr/lib64/ipa/certmonger/renew_ra_cert
> > > >
> > > > HTH,
> > > > Flo.
> > > >
> > > > > Thanks in advance for your help.
> > > > >
> > > > > Regards
> > > > > Bertrand
> > > >
> > > > Hello Florence,
> > > >
> > > > Thanks for your reply.
> > > > Before making any mistakes, I just need some explanations as I think I do
> > > > not understand well how it should work.
> > > >
> > > > Do all the certificates need to be tracked by certmonger on all servers, or
> > > > should they only be tracked on one server and FreeIPA will update them
> > > > on the other servers?
> > > >
> > > > In my case I have the below certificates outdated and not tracked on "server 1":
> > > > - certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "auditSigningCert cert-pki-ca"
> > > > - certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "ocspSigningCert cert-pki-ca"
> > > > - certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "subsystemCert cert-pki-ca"
> > > >
> > > > They are tracked by certmonger and have been correctly renewed on "server 2".
> > > > Do I need to have them tracked by certmonger on "server 1"?
> > > > If not, does it mean FreeIPA failed to update them? Should I delete and
> > > > import them manually on server 2?
> > > >
> > > > If you need more details, do not hesitate to ask.
> > > >
> > > Hi Bertrand,
> > >
> > > The certificate tracking depends on the type of certificate and on the
> > > server you're considering. For instance, if IPA includes a Certificate
> > > Authority, then ipaCert will be present on all the IPA servers
> > > (master/replicas) and tracked on all of them. The same ipaCert
> > > certificate is used on all the replicas. On the renewal master, the
> > > renewal operation actually renews the certificate and uploads the cert
> > > on LDAP, but on the other replicas the operation consists in downloading
> > > the new certificate from LDAP.
> > >
> > > The HTTP and LDAP server certificates are present and tracked on all the
> > > IPA servers, but they are different on each server (you can see that the
> > > Subject of the certificate contains the hostname). They can be renewed
> > > independently on each IPA server.
> > >
> > > The certificates used by Dogtag (the component providing the Certificate
> > > System) are present and tracked only on the IPA servers where the CA was
> > > setup (for instance if you installed a replica with --setup-ca or if you
> > > ran ipa-ca-install later on). The same certificates are used on all
> > > replicas containing a CA instance.
> > > They are: 'ocspSigningCert cert-pki-ca', 'subsystemCert cert-pki-ca',
> > > 'caSigningCert cert-pki-ca' and 'Server-Cert cert-pki-ca'.
> > > The renewal operation renews them on the renewal master and uploads them
> > > in LDAP, but just downloads them from LDAP on the other servers.
> > >
> > > In your example, if server1 also contains a CA instance then it should
> > > also track the above certs.
> > >
> > > You can find the renewal master with the following ldapsearch command:
> > > $ ldapsearch -h localhost -p 389 -D 'cn=Directory Manager' -w password \
> > >     -b "cn=masters,cn=ipa,cn=etc,$BASEDN" -LLL \
> > >     '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn
> > > dn: cn=CA,cn=ipaserver.fqdn,cn=masters,cn=ipa,cn=etc,$BASEDN
> > >
> > > In this case the renewal master is ipaserver.fqdn
> > >
> > > Hope this clarifies,
> > > Flo.
> > >
> > > > Regards
> > > > Bertrand
> > >
> > Hi Florence,
> >
> > Thanks.
> > All my certificates are now renewed and tracked. I set back the current time
> > on my servers and everything is now running properly.
> >
> > However now I get an issue with ldap replication.
> > Here are the details of my 3 servers S1, S2, S3.
> >
> > All below commands are launched on the S1 server:
> >
> > # ipa-replica-manage list
> > S1: master
> > S2: master
> > S3: master
> >
> > # ipa-replica-manage -v list S1
> > S2: replica
> >   last init status: 0 Total update succeeded
> >   last init ended: 2016-11-23 12:56:27+00:00
> >   last update status: 0 Replica acquired successfully: Incremental update succeeded
> >   last update ended: 2016-11-23 13:12:00+00:00
> > S3: replica
> >   last init status: 0 Total update succeeded
> >   last init ended: 2016-11-23 12:54:51+00:00
> >   last update status: 0 Replica acquired successfully: Incremental update succeeded
> >   last update ended: 2016-11-23 13:12:00+00:00
> >
> > # ipa-replica-manage -v S2
> > S1: replica
> >   last init status: None
> >   last init ended: 1970-01-01 00:00:00+00:00
> >   last update status: -1 Incremental update has failed and requires administrator actionLDAP error: Can't contact LDAP server
> >   last update ended: 1970-01-01 00:00:00+00:00
> >
> > # ipa-replica-manage -v S3
> > S3: replica
> >   last init status: None
> >   last init ended: 1970-01-01 00:00:00+00:00
> >   last update status: -1 Incremental update has failed and requires administrator actionLDAP error: Can't contact LDAP server
> >   last update ended: 1970-01-01 00:00:00+00:00
> >
> > I tried to reinitialize the S2 server, however I still get the issue.
> > The command below is run on S2:
> >
> > S2# ipa-replica-manage re-initialize --from S1
> > ipa: INFO: Setting agreement cn=meToS2.skinfra.eu,cn=replica,cn=dc\=a\,dc\=skinfra\,dc\=eu,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
> > ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meToS2,cn=replica,cn=dc\=a\,dc\=skinfra\,dc\=eu,cn=mapping tree,cn=config
> > Update in progress, 2 seconds elapsed
> > Update succeeded
> >
> > On the S2 server in the /var/log/dirsrv/slapd-REALM/errors log I get:
> >
> > [23/Nov/2016:13:54:51 +0100] agmt="cn=meToS1" (S1:389) - Can't locate CSN 583669ee000a000f0000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
> > [23/Nov/2016:13:54:51 +0100] NSMMReplicationPlugin - changelog program - agmt="cn=meToS1" (S1:389): CSN 583669ee000a000f0000 not found, we aren't as up to date, or we purged
> > [23/Nov/2016:13:54:51 +0100] NSMMReplicationPlugin - agmt="cn=meToS1" (S1:389): Data required to update replica has been purged. The replica must be reinitialized.
> > [23/Nov/2016:13:54:51 +0100] NSMMReplicationPlugin - agmt="cn=meToS1" (S1:389): Incremental update failed and requires administrator action
> > ..............
> > [23/Nov/2016:14:18:10 +0100] slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-S2,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
> >
> > I searched on Google but I did not find any solution to fix the issue and I do
> > not want to break everything.
> >
> Hi Bertrand,
>
> Replication applies to 2 different suffixes: the domain suffix (that
> contains users and groups) and o=ipaca that contains the data for the
> Certificate System (see "Explaining Replication Agreements" [1]).
> The entry that is missing (cn=Replication Manager
> cloneAgreement1-S2,ou=csusers,cn=config) corresponds to the replication
> manager entry used for authenticating the replication of the CS
> component (for more information you can read "Replication Identity" [2]
> in the Red Hat Directory Server Administration Guide).
>
> I don't know how the entry disappeared, but I would try the following to
> re-create it:
> - remove the CA replication agreement on S2 to S1 using
>   ipa-csreplica-manage disconnect
> - re-create the CA replication agreement on S2 to S1 using
>   ipa-csreplica-manage connect
> You need to be sure that S1 is the most up-to-date source of data though.
>
> Flo.
>
> [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-topology-old.html#replication-agreements
> [2] https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication.html#Replication_Overview-Replication_Identity
>
> > Regards
> > Bertrand

Florence,

I managed to get replication working between my 3 servers. You're right, I had an issue with that entry missing, and I did what you said in your post. Afterwards I also had issues with RUV entries that I had to delete. This post https://www.redhat.com/archives/freeipa-users/2016-January/msg00257.html helped to fix all my replication issues.
Now everything seems to have been working fine for 24 hours!
My FreeIPA infra was really in a terrible shape and without your help I would certainly not be able to fix all the issues by myself.
So once again thanks a lot.
Hope this thread will help other people.

Brgds
Bertrand
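Most of the diagnosis in this thread was done by reading `getcert list` by eye: which certificates had already expired, which request was stuck in CA_UNREACHABLE or NEWLY_ADDED_NEED_KEYINFO_READ_PIN, which one carried a `ca-error`, and which tracking entry had neither a pinfile nor a stored PIN. The script below is an added example, not code from the thread or from FreeIPA/certmonger: it parses the plain-text format `getcert list` prints (the field names quoted above) and reports those conditions in one pass. The sample output embedded in it is constructed from the thread's values; the fourth request, its ID and the `/etc/dirsrv/...` database path are made up to exercise the "expiring soon" and "pin set" cases.

```python
"""Audit `getcert list` output for the certmonger failure modes seen above.

Added example (not FreeIPA or certmonger code). On a server, run:
    getcert list | python3 audit_getcert.py
With no piped input it audits the constructed sample below.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the thread's getcert output. The last block
# (request 20141110133700, the dirsrv NSS DB) is invented for illustration.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 4.
Request ID '20160108170324':
    status: MONITORING
    ca-error: Server at "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied: Profile caServerCert Not Found
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=IPA RA,O=A.SKINFRA.EU
    expires: 2016-06-28 15:25:11 UTC
Request ID '20141110133632':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    CA: IPA
    subject: CN=sdkipa03.skinfra.eu,O=A.SKINFRA.EU
    expires: 2018-06-22 22:02:47 UTC
Request ID '20161122095344':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/var/lib/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-retrieve-agent-submit
Request ID '20141110133700':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-A-SKINFRA-EU',nickname='Server-Cert',token='NSS Certificate DB',pin set
    CA: IPA
    expires: 2016-10-30 13:35:29 UTC
"""

EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_getcert_list(text):
    """Return one dict per "Request ID" block, mapping field name -> value."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue  # header line ("Number of certificates ...") or noise
        key, _, value = line.strip().partition(":")
        current[key] = value.strip()
    return requests


def nickname_of(req):
    m = re.search(r"nickname='([^']+)'", req.get("key pair storage", ""))
    return m.group(1) if m else "<unknown>"


def audit_requests(requests, now, soon=timedelta(days=30)):
    """Return (request_id, nickname, kind, detail) for every problem found."""
    findings = []
    for req in requests:
        rid, nick = req["request_id"], nickname_of(req)
        storage, status = req.get("key pair storage", ""), req.get("status", "")
        if status != "MONITORING":          # CA_UNREACHABLE, NEWLY_ADDED_*, ...
            findings.append((rid, nick, "status", status))
        if "ca-error" in req:               # last renewal attempt was rejected
            findings.append((rid, nick, "ca-error", req["ca-error"]))
        if "expires" in req:
            expires = datetime.strptime(req["expires"], EXPIRES_FMT)
            if expires <= now:
                findings.append((rid, nick, "expired", req["expires"]))
            elif expires - now <= soon:
                findings.append((rid, nick, "expiring-soon", req["expires"]))
        # certmonger needs a pinfile or a stored pin to open the NSS DB; without
        # one the request never leaves NEWLY_ADDED_NEED_KEYINFO_READ_PIN.
        if storage.startswith("type=NSSDB") and "pinfile=" not in storage \
                and "pin set" not in storage:
            findings.append((rid, nick, "no-pin", storage))
    return findings


def audit_getcert(text, now=None):
    """Parse and audit; `now` is 'YYYY-MM-DD HH:MM:SS' in UTC, or None for the current time."""
    if now is None:
        now_dt = datetime.now(timezone.utc).replace(tzinfo=None)
    else:
        now_dt = datetime.strptime(now, "%Y-%m-%d %H:%M:%S")
    return audit_requests(parse_getcert_list(text), now_dt)


if __name__ == "__main__":
    text = SAMPLE_GETCERT_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for rid, nick, kind, detail in audit_getcert(text):
        print(f"{rid}  {nick:28} {kind:14} {detail}")
```

Run it on each server (the thread's point is that the Dogtag certificates must be tracked on every CA replica, not just the renewal master), and treat a `no-pin` finding on `/var/lib/pki/pki-tomcat/alias` as the cue to look up the `internal=` line of `/var/lib/pki/pki-tomcat/conf/password.conf` before re-running `getcert start-tracking`.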
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project