Re: [Freeipa-users] Expired Certs
You are going way to far back in time AFAICT. The certs expired on April 5 of this year so you don't need to go back to 2014. Just go back to April 3 or 4. You'll also need to restart IPA before kicking certmonger ipactl restart rob *** SNIP *** Thanks!! Following your advice, it looks like only one of the eight certificates are now monitoring. Check out the following: [root@ipa ~]# getcert list | grep -A1 status status: CA_UNREACHABLE ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.-- status: CA_UNREACHABLE ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.-- status: CA_UNREACHABLE ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.-- status: CA_UNREACHABLE ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.-- status: CA_UNREACHABLE ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.-- status: CA_UNREACHABLE ca-error: Server at https://ipa.infra.idef/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).-- status: CA_UNREACHABLE ca-error: Server at https://ipa.infra.idef/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).-- status: MONITORING ca-error: Server at https://ipa.infra.idef/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: hostname in subject of request 'ipa.infra.idef' does not match principal hostname 'ipa'). How can I get the remaining certs fixed as well? Thanks in advance. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Expired Certs
John Williams wrote: You are going way to far back in time AFAICT. The certs expired on April 5 of this year so you don't need to go back to 2014. Just go back to April 3 or 4. You'll also need to restart IPA before kicking certmonger ipactl restart rob *** SNIP *** Thanks!! Following your advice, it looks like only one of the eight certificates are now monitoring. Check out the following: It's impossible to see what is going on with this output, other than the fact that your hostname seems to be using the shortname rather than FQDN (or order is bad in /etc/hosts), based on the error for the cert in MONITORING. rob [root@ipa ~]# getcert list | grep -A1 status status: CA_UNREACHABLE ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates. -- status: CA_UNREACHABLE ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates. -- status: CA_UNREACHABLE ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates. -- status: CA_UNREACHABLE ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates. -- status: CA_UNREACHABLE ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates. -- status: CA_UNREACHABLE ca-error: Server at https://ipa.infra.idef/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)). -- status: CA_UNREACHABLE ca-error: Server at https://ipa.infra.idef/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)). -- status: MONITORING ca-error: Server at https://ipa.infra.idef/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: hostname in subject of request 'ipa.infra.idef' does not match principal hostname 'ipa'). How can I get the remaining certs fixed as well? Thanks in advance. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Expired Certs
[ snip ] [root@ipa ~]# date Thu Apr 10 00:13:51 EDT 2014 [root@ipa ~]# /etc/init.d/certmonger restart Stopping certmonger: [ OK ] Starting certmonger: [ OK ] [root@ipa ~]# You are going way to far back in time AFAICT. The certs expired on April 5 of this year so you don't need to go back to 2014. Just go back to April 3 or 4. You'll also need to restart IPA before kicking certmonger ipactl restart rob Thanks Rob, Following your advice, it looks like only one of the eight certificates are now monitoring. Check out the following: [root@ipa ~]# getcert list | grep -A1 status status: CA_UNREACHABLE ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.-- status: CA_UNREACHABLE ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.-- status: CA_UNREACHABLE ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.-- status: CA_UNREACHABLE ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.-- status: CA_UNREACHABLE ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.-- status: CA_UNREACHABLE ca-error: Server at https://ipa.infra.idef/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).-- status: CA_UNREACHABLE ca-error: Server at https://ipa.infra.idef/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).-- status: MONITORING ca-error: Server at https://ipa.infra.idef/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: hostname in subject of request 'ipa.infra.idef' does not match principal hostname 'ipa'). How can I get the remaining certs fixed as well? Thanks in advance. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Expired Certs
On 04/10/2015 03:58 PM, John Williams wrote: I've inhereted an IPA infrastructure for a group in my organization. So I've got a RHEL instance with a IPA 3.0.0 server with expired certs. [root@ipa ~]# rpm -qa | grep ipa-server ipa-server-selinux-3.0.0-26.el6_4.2.x86_64 ipa-server-3.0.0-26.el6_4.2.x86_64 [root@ipa ~]# [root@ipa ~]# getcert list Number of certificates and requests being tracked: 8. Request ID '20130404232110': status: CA_UNREACHABLE ca-error: Error 7 connecting to http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to server. stuck: no key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='242557339296' certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=IDEF subject: CN=CA Audit,O=IDEF expires: 2017-02-15 19:26:38 UTC key usage: digitalSignature,nonRepudiation pre-save command: post-save command: track: yes auto-renew: yes Request ID '20130404232111': status: CA_UNREACHABLE ca-error: Error 7 connecting to http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to server. stuck: no key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='242557339296' certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=IDEF subject: CN=OCSP Subsystem,O=IDEF expires: 2017-02-15 19:25:38 UTC eku: id-kp-OCSPSigning pre-save command: post-save command: track: yes auto-renew: yes Request ID '20130404232112': status: CA_UNREACHABLE ca-error: Error 7 connecting to http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to server. stuck: no key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='242557339296' certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=IDEF subject: CN=CA Subsystem,O=IDEF expires: 2017-02-15 19:25:38 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID '20130404232113': status: CA_UNREACHABLE ca-error: Error 7 connecting to http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to server. stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=IDEF subject: CN=IPA RA,O=IDEF expires: 2017-02-15 19:25:38 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID '20130404232114': status: CA_UNREACHABLE ca-error: Error 7 connecting to http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to server. stuck: no key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='242557339296' certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=IDEF subject: CN=ipa.infra.idef,O=IDEF expires: 2017-02-15 19:25:38 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID '20130404232127': status: CA_UNREACHABLE ca-error: Error setting up ccache for host service on client using default keytab: Cannot contact any KDC for realm 'IDEF'. stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IDEF',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IDEF/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-IDEF',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=IDEF subject: CN=ipa.infra.idef,O=IDEF expires: 2015-04-05 23:21:26 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID '20130404232155': status: CA_UNREACHABLE ca-error: Error setting up ccache for host service on client using default keytab: Cannot contact any KDC for realm 'IDEF'. stuck: no key pair storage:
Re: [Freeipa-users] Expired Certs
John Williams wrote: I've inhereted an IPA infrastructure for a group in my organization. So I've got a RHEL instance with a IPA 3.0.0 server with expired certs. [root@ipa ~]# rpm -qa | grep ipa-server ipa-server-selinux-3.0.0-26.el6_4.2.x86_64 ipa-server-3.0.0-26.el6_4.2.x86_64 [root@ipa ~]# [root@ipa ~]# getcert list [ snip ] [root@ipa ~]# date Thu Apr 10 00:13:51 EDT 2014 [root@ipa ~]# /etc/init.d/certmonger restart Stopping certmonger: [ OK ] Starting certmonger: [ OK ] [root@ipa ~]# You are going way to far back in time AFAICT. The certs expired on April 5 of this year so you don't need to go back to 2014. Just go back to April 3 or 4. You'll also need to restart IPA before kicking certmonger ipactl restart rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Expired Certs on 3.0.0 IPA host
John Williams wrote: I'm looking at the following link for recovering expired certificates on FreeeIPA 3.0.0: https://www.freeipa.org/page/Howto/CA_Certificate_Renewal Problem is when Iook inside my /etc/pki-ca/CS.cfg file for a subsystemCert I do not find one. I see the other three: auditSigningCert cert-pki-ca = updated ocspSigningCert cert-pki-ca = updated Server-Cert cert-pki-ca = no cert here subsystemCert cert-pki-ca = updated Has anyone ever run across this? Any suggestions or hints would be appreciated. If I role the clock back on my system I can login to IPA, but if the time is updated, I cannot login. Please help. Why do you need this value? For the record it is ca.sslserver.cert. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Expired certs not auto renewed by Cermonger
On Thu, May 02, 2013 at 10:59:11AM -0500, Toasted Penguin wrote: Running FreeIPA 2.1.4 and ran into an issue where a Server-Cert did not auto-renew. ipa-getcert list Number of certificates and requests being tracked: 4. [snip] Request ID '20120615190133': status: CA_UNCONFIGURED ca-error: Error setting up ccache for local host service using default keytab. stuck: yes key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB' certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert' CA: IPA issuer: subject: expires: unknown track: yes auto-renew: yes That error's not expected. Assuming there aren't any permissions- related problems (due to SELinux policy or regular filesystem permissions) preventing the submission helper from reading the keytab, can you verify that hostname prints ipa01.ctidata.net, and that kinit -k host/ipa01.ctidata.net succeeds? Request ID '20120925200227': status: GENERATING_CSR ca-error: Unable to determine principal name for signing request. stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=CTIDATA.NET subject: CN=ipa01.ctidata.net,O=CTIDATA.NET expires: 2013-03-24 19:56:36 UTC eku: id-kp-serverAuth track: yes auto-renew: yes I verified that the IPA keytab is populated: klist -kt /etc/krb5.keytab Keytab name: WRFILE:/etc/krb5.keytab KVNO Timestamp Principal - 2 07/06/11 21:51:43 host/ipa01.ctidata@ctidata.net 2 07/06/11 21:51:43 host/ipa01.ctidata@ctidata.net 2 07/06/11 21:51:43 host/ipa01.ctidata@ctidata.net 2 07/06/11 21:51:43 host/ipa01.ctidata@ctidata.net 2 07/06/11 21:51:43 host/ipa01.ctidata@ctidata.net 2 07/06/11 21:51:43 host/ipa01.ctidata@ctidata.net 4 07/18/12 21:20:41 host/ipa01.ctidata@ctidata.net 4 07/18/12 21:20:41 host/ipa01.ctidata@ctidata.net 4 07/18/12 21:20:41 host/ipa01.ctidata@ctidata.net 4 07/18/12 21:20:41 host/ipa01.ctidata@ctidata.net 5 07/18/12 21:21:00 host/ipa01.ctidata@ctidata.net 5 07/18/12 21:21:00 host/ipa01.ctidata@ctidata.net 5 07/18/12 21:21:00 host/ipa01.ctidata@ctidata.net 5 07/18/12 21:21:00 host/ipa01.ctidata@ctidata.net 6 05/02/13 15:02:10 host/ipa01.ctidata@ctidata.net 6 05/02/13 15:02:10 host/ipa01.ctidata@ctidata.net 6 05/02/13 15:02:10 host/ipa01.ctidata@ctidata.net 6 05/02/13 15:02:10 host/ipa01.ctidata@ctidata.net and ran kvno host/ipa01.ctidata.net to see what the KDC shows for this principle: host/ipa01.ctidata@ctidata.net: kvno = 6 Not sure what caused the ca_errors but I need to at least manually renew the certs and then figure out what went wrong. Any advice on what the ca_errors mean and how I can fix the issue? The Unable to determine principal name for signing request. stems from IPA's certificate submission API's requirement that each certificate request include the associated Kerberos principal name, and certmonger not knowing what value to send. I'm guessing that there wasn't one specified with the -K option when certmonger was told to keep an eye on the certificate, and if there was already a certificate there, a principla name couldn't be read from it. Based on where the certificate's being stored, it's probably intended to be used for the HTTP service on the host, so its principal name would be HTTP/ipa01.ctidata@ctidata.net. If you run: ipa-getcert resubmit -i 20120925200227 \ -K HTTP/ipa01.ctidata@ctidata.net that should provide certmonger with the missing information and get things going again. HTH, Nalin ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Expired certs not auto renewed by Cermonger
On Thu, May 02, 2013 at 11:45:51AM -0500, Toasted Penguin wrote:
Nalin,
Thanks for your response. Running `hostname` does result in
ipa01.ctidata.net and kinit -k host/ipa01.ctidata.net does also succeed.
I ran ` ipa-getcert resubmit -i 20120925200227 -K HTTP/
ipa01.ctidata@ctidata.net`
and it resulted in this:
Request ID '20120615190133':
status: CA_UNCONFIGURED
ca-error: Error setting up ccache for local host service using default
keytab.
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS
Certificate DB'
certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
CA: IPA
issuer:
subject:
expires: unknown
track: yes
auto-renew: yes
Can you retrieve the contents of the request and save it to a temporary
file, like so:
reqfile=`grep -l '^id=20120615190133' /var/lib/certmonger/requests/*`
awk '/BEGIN .*REQ/,/END .*REQ/ {sub(^( |csr=),);print}' $reqfile \
~/req.csr
And then try to manually submit it to the server for signing, in the way
that certmonger would, like so:
/usr/libexec/certmonger/ipa-submit -P bogus/`hostname` ~/req.csr
Hopefully the error output there will give us more information about
what's going on when the submission helper's failing to set up a ccache.
If it manages to get past that point, I expect it to fail because you
hopefully don't have a principal named bogus defined on the local
host. But at that point we'll have gotten past errors creating the
ccache, and we'll have to find another way to figure out why it failed
here.
As an aside, we provide better information for this error in the
ca-error note with later versions than you appear to have, so tracking
down this information won't always be this complicated.
Request ID '20120925200227':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction, explaining: Peer certificate cannot be
authenticated with known CA certificates).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=CTIDATA.NET
subject: CN=ipa01.ctidata.net,O=CTIDATA.NET
expires: 2013-03-24 19:56:36 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
There's an error verifying the server's certificate using the local copy
of the CA certificate in /etc/ipa/ca.crt. Is it also expired?
Nalin
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Expired certs not auto renewed by Cermonger
Here is the output from the submit:
/usr/libexec/certmonger/ipa-submit -P bogus/`hostname` ~/req.csr
Submitting request to https://ipa01.ctidata.net/ipa/xml;.
Fault -504: (libcurl failed to execute the HTTP POST transaction,
explaining: Peer certificate cannot be authenticated with known CA
certificates).
Server failed request, will retry: -504 (libcurl failed to execute the HTTP
POST transaction, explaining: Peer certificate cannot be authenticated
with known CA certificates).
Regarding /etc/ipa/ca.crt, it isn't expired it shows its valid until July
6, 2019.
On Thu, May 2, 2013 at 12:30 PM, Nalin Dahyabhai na...@redhat.com wrote:
On Thu, May 02, 2013 at 11:45:51AM -0500, Toasted Penguin wrote:
Nalin,
Thanks for your response. Running `hostname` does result in
ipa01.ctidata.net and kinit -k host/ipa01.ctidata.net does also succeed.
I ran ` ipa-getcert resubmit -i 20120925200227 -K HTTP/
ipa01.ctidata@ctidata.net`
and it resulted in this:
Request ID '20120615190133':
status: CA_UNCONFIGURED
ca-error: Error setting up ccache for local host service using default
keytab.
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS
Certificate DB'
certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
CA: IPA
issuer:
subject:
expires: unknown
track: yes
auto-renew: yes
Can you retrieve the contents of the request and save it to a temporary
file, like so:
reqfile=`grep -l '^id=20120615190133' /var/lib/certmonger/requests/*`
awk '/BEGIN .*REQ/,/END .*REQ/ {sub(^( |csr=),);print}' $reqfile \
~/req.csr
And then try to manually submit it to the server for signing, in the way
that certmonger would, like so:
/usr/libexec/certmonger/ipa-submit -P bogus/`hostname` ~/req.csr
Hopefully the error output there will give us more information about
what's going on when the submission helper's failing to set up a ccache.
If it manages to get past that point, I expect it to fail because you
hopefully don't have a principal named bogus defined on the local
host. But at that point we'll have gotten past errors creating the
ccache, and we'll have to find another way to figure out why it failed
here.
As an aside, we provide better information for this error in the
ca-error note with later versions than you appear to have, so tracking
down this information won't always be this complicated.
Request ID '20120925200227':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction, explaining: Peer certificate cannot
be
authenticated with known CA certificates).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=CTIDATA.NET
subject: CN=ipa01.ctidata.net,O=CTIDATA.NET
expires: 2013-03-24 19:56:36 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
There's an error verifying the server's certificate using the local copy
of the CA certificate in /etc/ipa/ca.crt. Is it also expired?
Nalin
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Expired certs not auto renewed by Cermonger
On Thu, May 02, 2013 at 12:45:34PM -0500, Toasted Penguin wrote: Here is the output from the submit: /usr/libexec/certmonger/ipa-submit -P bogus/`hostname` ~/req.csr Submitting request to https://ipa01.ctidata.net/ipa/xml;. Fault -504: (libcurl failed to execute the HTTP POST transaction, explaining: Peer certificate cannot be authenticated with known CA certificates). Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer certificate cannot be authenticated with known CA certificates). Regarding /etc/ipa/ca.crt, it isn't expired it shows its valid until July 6, 2019. Hmm, so for both cases, you're seeing errors verifying the IPA server's certificate. Can you double-check the certificates and that the server's looks like it was issued by the CA? This should more or less repeat the part of the process that's giving libcurl trouble, and show us the certificates, too: ipahost=`grep ^host= /etc/ipa/default.conf | cut -f2- -d=` openssl s_client -CAfile /etc/ipa/ca.crt \ -connect $ipahost:https -showcerts /dev/null Nalin ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Expired certs not auto renewed by Cermonger
/etc/ipa/ca.crt was issued by O=CTIDATA.NET, CN=Certificate Authority All the certs monitored by Certmonger show the same issuer. Wasn't getting anything back when running the ipahost script you provided, ran ipahost=`grep ^host= /etc/ipa/default.conf | cut -f2- -d=` and echo $ipahost shows nothing so I just ran the openssl section manually: openssl s_client -CAfile /etc/ipa/ca.crt -connect ipa01.ctidata.net:https -showcerts /dev/null Results: CONNECTED(0003) depth=1 O = CTIDATA.NET, CN = Certificate Authority verify return:1 depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net verify error:num=10:certificate has expired notAfter=Mar 24 19:56:36 2013 GMT verify return:1 depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net notAfter=Mar 24 19:56:36 2013 GMT verify return:1 --- Certificate chain 0 s:/O=CTIDATA.NET/CN=ipa01.ctidata.net i:/O=CTIDATA.NET/CN=Certificate Authority -BEGIN CERTIFICATE- # -END CERTIFICATE- 1 s:/O=CTIDATA.NET/CN=Certificate Authority i:/O=CTIDATA.NET/CN=Certificate Authority -BEGIN CERTIFICATE- -END CERTIFICATE- --- Server certificate subject=/O=CTIDATA.NET/CN=ipa01.ctidata.net issuer=/O=CTIDATA.NET/CN=Certificate Authority --- No client certificate CA names sent --- SSL handshake has read 1959 bytes and written 463 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher: AES256-SHA Session-ID: # Session-ID-ctx: Master-Key: Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1367518514 Timeout : 300 (sec) Verify return code: 10 (certificate has expired) --- DONE On Thu, May 2, 2013 at 12:53 PM, Nalin Dahyabhai na...@redhat.com wrote: On Thu, May 02, 2013 at 12:45:34PM -0500, Toasted Penguin wrote: Here is the output from the submit: /usr/libexec/certmonger/ipa-submit -P bogus/`hostname` ~/req.csr Submitting request to https://ipa01.ctidata.net/ipa/xml;. Fault -504: (libcurl failed to execute the HTTP POST transaction, explaining: Peer certificate cannot be authenticated with known CA certificates). Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer certificate cannot be authenticated with known CA certificates). Regarding /etc/ipa/ca.crt, it isn't expired it shows its valid until July 6, 2019. Hmm, so for both cases, you're seeing errors verifying the IPA server's certificate. Can you double-check the certificates and that the server's looks like it was issued by the CA? This should more or less repeat the part of the process that's giving libcurl trouble, and show us the certificates, too: ipahost=`grep ^host= /etc/ipa/default.conf | cut -f2- -d=` openssl s_client -CAfile /etc/ipa/ca.crt \ -connect $ipahost:https -showcerts /dev/null Nalin ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Expired certs not auto renewed by Cermonger
On Thu, May 02, 2013 at 01:23:04PM -0500, Toasted Penguin wrote: /etc/ipa/ca.crt was issued by O=CTIDATA.NET, CN=Certificate Authority All the certs monitored by Certmonger show the same issuer. Ok, good. (If that hadn't been the case, I wouldn't have had an explanation to offer.) Wasn't getting anything back when running the ipahost script you provided, ran ipahost=`grep ^host= /etc/ipa/default.conf | cut -f2- -d=` and echo $ipahost shows nothing so I just ran the openssl section manually: Hmm. Curious. That might be a leftover from having different releases installed at various times on my test box. Thanks for continuing on. openssl s_client -CAfile /etc/ipa/ca.crt -connect ipa01.ctidata.net:https -showcerts /dev/null Results: CONNECTED(0003) depth=1 O = CTIDATA.NET, CN = Certificate Authority verify return:1 depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net verify error:num=10:certificate has expired notAfter=Mar 24 19:56:36 2013 GMT verify return:1 depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net notAfter=Mar 24 19:56:36 2013 GMT verify return:1 --- Certificate chain 0 s:/O=CTIDATA.NET/CN=ipa01.ctidata.net i:/O=CTIDATA.NET/CN=Certificate Authority -BEGIN CERTIFICATE- # -END CERTIFICATE- 1 s:/O=CTIDATA.NET/CN=Certificate Authority i:/O=CTIDATA.NET/CN=Certificate Authority -BEGIN CERTIFICATE- -END CERTIFICATE- --- Server certificate subject=/O=CTIDATA.NET/CN=ipa01.ctidata.net issuer=/O=CTIDATA.NET/CN=Certificate Authority --- No client certificate CA names sent --- SSL handshake has read 1959 bytes and written 463 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher: AES256-SHA Session-ID: # Session-ID-ctx: Master-Key: Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1367518514 Timeout : 300 (sec) Verify return code: 10 (certificate has expired) --- DONE Yup, that's the problem: the IPA server's certificate wasn't able to be replaced while it was still valid, and now it can no longer ask itself for a new one. With 2.1.4, I think the simplest way to sort this is to stop the services (ipactl stop; service certmonger stop), roll the system date back, start the services up again, possibly use 'ipa-getcert resubmit' to force updating (it should happen automatically, but forcing it to happen a second time won't hurt). Then shut things down, set the correct time on the clock, and bring everything back up again. Hopefully there's a smarter way to do it, but I'm blanking on it if there is one. HTH, Nalin ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Expired certs not auto renewed by Cermonger
Yes that helped fix 2012092520027 (thank you!!) But I am still seeing an error with: Request ID '20120615190133': status: CA_UNCONFIGURED ca-error: Error setting up ccache for local host service using default keytab. stuck: yes key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB' certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert' CA: IPA issuer: subject: expires: unknown track: yes auto-renew: yes I noticed that the request ID doesn't show up in /var/lib/certmonger/requests/, does that make a difference? David On Thu, May 2, 2013 at 2:35 PM, Nalin Dahyabhai na...@redhat.com wrote: On Thu, May 02, 2013 at 01:23:04PM -0500, Toasted Penguin wrote: /etc/ipa/ca.crt was issued by O=CTIDATA.NET, CN=Certificate Authority All the certs monitored by Certmonger show the same issuer. Ok, good. (If that hadn't been the case, I wouldn't have had an explanation to offer.) Wasn't getting anything back when running the ipahost script you provided, ran ipahost=`grep ^host= /etc/ipa/default.conf | cut -f2- -d=` and echo $ipahost shows nothing so I just ran the openssl section manually: Hmm. Curious. That might be a leftover from having different releases installed at various times on my test box. Thanks for continuing on. openssl s_client -CAfile /etc/ipa/ca.crt -connect ipa01.ctidata.net: https -showcerts /dev/null Results: CONNECTED(0003) depth=1 O = CTIDATA.NET, CN = Certificate Authority verify return:1 depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net verify error:num=10:certificate has expired notAfter=Mar 24 19:56:36 2013 GMT verify return:1 depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net notAfter=Mar 24 19:56:36 2013 GMT verify return:1 --- Certificate chain 0 s:/O=CTIDATA.NET/CN=ipa01.ctidata.net i:/O=CTIDATA.NET/CN=Certificate Authority -BEGIN CERTIFICATE- # -END CERTIFICATE- 1 s:/O=CTIDATA.NET/CN=Certificate Authority i:/O=CTIDATA.NET/CN=Certificate Authority -BEGIN CERTIFICATE- -END CERTIFICATE- --- Server certificate subject=/O=CTIDATA.NET/CN=ipa01.ctidata.net issuer=/O=CTIDATA.NET/CN=Certificate Authority --- No client certificate CA names sent --- SSL handshake has read 1959 bytes and written 463 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher: AES256-SHA Session-ID: # Session-ID-ctx: Master-Key: Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1367518514 Timeout : 300 (sec) Verify return code: 10 (certificate has expired) --- DONE Yup, that's the problem: the IPA server's certificate wasn't able to be replaced while it was still valid, and now it can no longer ask itself for a new one. With 2.1.4, I think the simplest way to sort this is to stop the services (ipactl stop; service certmonger stop), roll the system date back, start the services up again, possibly use 'ipa-getcert resubmit' to force updating (it should happen automatically, but forcing it to happen a second time won't hurt). Then shut things down, set the correct time on the clock, and bring everything back up again. Hopefully there's a smarter way to do it, but I'm blanking on it if there is one. HTH, Nalin ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Expired certs not auto renewed by Cermonger
Toasted Penguin wrote: Yes that helped fix 2012092520027 (thank you!!) But I am still seeing an error with: Request ID '20120615190133': status: CA_UNCONFIGURED ca-error: Error setting up ccache for local host service using default keytab. stuck: yes key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB' certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert' CA: IPA issuer: subject: expires: unknown track: yes auto-renew: yes I noticed that the request ID doesn't show up in /var/lib/certmonger/requests/, does that make a difference? The request ID usually, but not always matches the name of the request files. We don't usually issue a Server-Cert for an IPA server. Could this be a remnant of an older client install? Is there a Server-Cert in /etc/pki/nssdb? certutil -L -d /etc/pki/nssdb rob David On Thu, May 2, 2013 at 2:35 PM, Nalin Dahyabhai na...@redhat.com mailto:na...@redhat.com wrote: On Thu, May 02, 2013 at 01:23:04PM -0500, Toasted Penguin wrote: /etc/ipa/ca.crt was issued by O=CTIDATA.NET http://CTIDATA.NET, CN=Certificate Authority All the certs monitored by Certmonger show the same issuer. Ok, good. (If that hadn't been the case, I wouldn't have had an explanation to offer.) Wasn't getting anything back when running the ipahost script you provided, ran ipahost=`grep ^host= /etc/ipa/default.conf | cut -f2- -d=` and echo $ipahost shows nothing so I just ran the openssl section manually: Hmm. Curious. That might be a leftover from having different releases installed at various times on my test box. Thanks for continuing on. openssl s_client -CAfile /etc/ipa/ca.crt -connect ipa01.ctidata.net:https -showcerts /dev/null Results: CONNECTED(0003) depth=1 O = CTIDATA.NET http://CTIDATA.NET, CN = Certificate Authority verify return:1 depth=0 O = CTIDATA.NET http://CTIDATA.NET, CN = ipa01.ctidata.net http://ipa01.ctidata.net verify error:num=10:certificate has expired notAfter=Mar 24 19:56:36 2013 GMT verify return:1 depth=0 O = CTIDATA.NET http://CTIDATA.NET, CN = ipa01.ctidata.net http://ipa01.ctidata.net notAfter=Mar 24 19:56:36 2013 GMT verify return:1 --- Certificate chain 0 s:/O=CTIDATA.NET/CN=ipa01.ctidata.net http://CTIDATA.NET/CN=ipa01.ctidata.net i:/O=CTIDATA.NET/CN=Certificate http://CTIDATA.NET/CN=Certificate Authority -BEGIN CERTIFICATE- # -END CERTIFICATE- 1 s:/O=CTIDATA.NET/CN=Certificate http://CTIDATA.NET/CN=Certificate Authority i:/O=CTIDATA.NET/CN=Certificate http://CTIDATA.NET/CN=Certificate Authority -BEGIN CERTIFICATE- -END CERTIFICATE- --- Server certificate subject=/O=CTIDATA.NET/CN=ipa01.ctidata.net http://CTIDATA.NET/CN=ipa01.ctidata.net issuer=/O=CTIDATA.NET/CN=Certificate http://CTIDATA.NET/CN=Certificate Authority --- No client certificate CA names sent --- SSL handshake has read 1959 bytes and written 463 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher: AES256-SHA Session-ID: # Session-ID-ctx: Master-Key: Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1367518514 Timeout : 300 (sec) Verify return code: 10 (certificate has expired) --- DONE Yup, that's the problem: the IPA server's certificate wasn't able to be replaced while it was still valid, and now it can no longer ask itself for a new one. With 2.1.4, I think the simplest way to sort this is to stop the services (ipactl stop; service certmonger stop), roll the system date back, start the services up again, possibly use 'ipa-getcert resubmit' to force updating (it should happen automatically, but forcing it to happen a second time won't hurt). Then shut things down, set the correct time on the clock, and bring everything back up again. Hopefully there's a smarter way to do it, but I'm blanking on it if there is one. HTH, Nalin ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
