Hi Rob:
First I wanted to thank you for all of your valuable input/tips. As you well
know, everything about certs, certmonger, dogtag and FreeIPA can get very
complicated - there’s no easy answer, so many things can go wrong :)
But, your answers to my questions got me thinking, gave me some clues, pointed
me in the right direction.
I wanted to take the time to specifically thank you because these concepts have
mystified me for quite a while, our FreeIPA system has been running for more
than a year with everything regarding certs kinda wacky and with me just
praying that that fact didn’t crash everything and make the most important
function for us (ssh, sssd, authentication, sso) stop working.
With your help I have certainly not become an expert but have gone from pretty
much clueless to having somewhat of a clue :) That’s progress !!
My issue with the CA certs themselves is solved thanks to you pointing out the
issue with creating replicas in 3.0 which has been fixed in 3.3 - the issue
that can be solved by manually exporting a new cacert.p12 file and boom, new
replicas created with expired certs issue solved.
And then there was the issue of “sec error legacy database” which would
manifest itself in various forms and can be caused by many things - it is
temporarily solved by restarting httpd but then just comes right back.
Based on your input I started looking at the certs/certmonger/getcert list - on
all my nodes/hosts and noticed that many of them had bogus certs with principal
names pointed at hosts that no longer existed. No other way to describe them
other than WTF !!.
My theory now is that all the nodes calling in to the CA with all those bogus
certs were just overloading the CA and so after restarting httpd, it would
temporarily clear up until all the nodes starting calling in to the CA again -
or something like that.
Anyways, Ansible to the rescue….
I exported a list of hosts from my IPA system, that became my Ansible inventory
file.
Now, throw together a quick playbook to look at every host, identify the bogus
cert or certs and tell certmonger to stop tracking them.
The simple Ansible playbook follows here.
Run that against all hosts and bingo !!! - my httpd logs on the CA are no
longer getting spammed with bogus cert requests, “sec error legacy database”
errors are not happening, etc , etc.
In short, my FreeIPA CA situation is now, I hope and pray, fairly stable.
So HUGE shout out to you Rob !!!
---
- hosts: ipa-hosts
gather_facts: False
tasks:
- name: get request id
shell: ipa-getcert list -r | gawk -F\' '/Request/ {print $2}'
register: my_id
#- debug: var=my_id
- name: kill bad certs
shell: ipa-getcert stop-tracking -i {{ item }}
with_items: "{{ my_id.stdout_lines }}"
Jim Richard
SYSTEM ADMINISTRATOR III
(646) 338-8905
> On Sep 30, 2016, at 4:53 AM, Rob Crittenden wrote:
>
> Jim Richard wrote:
>> Can I and how…
>>
>> delete all certs for all hosts
>>
>> I mean, we only use FreeIPA for user login/sssd
>>
>> That said, do we even need those certs?
>
> There is no simple answer, really.
>
> Yes, you can deleted all certs for all hosts (not recommended as some of
> those are for IPA services). I doubt it would do anything positive and if the
> certificate is tracked by certmonger on the client it would eventually renew.
>
> Do you need the certs? Only you would know that, but chances are the vas
