[Freeipa-devel] certificate renewal

Vaede, Roger (Contractor) Roger.Vaede at fincen.gov
Wed Oct 30 20:43:02 UTC 2013


There are two locations of the alias:
In the backup:  /etc/httpd/alias/
In the one that has expired:  /var/lib/pki-ca/alias

Regards
Roger


-----Original Message-----
From: Vaede, Roger (Contractor) 
Sent: Wednesday, October 30, 2013 4:38 PM
To: 'Rob Crittenden'; 'freeipa-devel at redhat.com'
Subject: RE: [Freeipa-devel] certificate renewal

Every one of the nicknames has expired except for this one:

certutil -L -n "caSigningCert cert-pki-ca"      -d /var/lib/pki-ca/alias | grep Not
            Not Before: Thu Oct 20 11:44:18 2011
            Not After : Sun Oct 20 11:44:18 2019

Regards
Roger

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Wednesday, October 30, 2013 4:29 PM
To: Vaede, Roger (Contractor); 'freeipa-devel at redhat.com'
Subject: Re: [Freeipa-devel] certificate renewal

Vaede, Roger (Contractor) wrote:
> The certificate that I tried to install was a self signed certificate.
> Here is the contents of the file:  /var/log/ipaserver-install.log
>
> 2013-10-21 11:42:44,031 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
> 2013-10-21 11:42:44,032 DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> 2013-10-21 11:42:44,032 DEBUG httpd is configured
> 2013-10-21 11:42:44,032 DEBUG ipa_kpasswd is configured
> 2013-10-21 11:42:44,032 DEBUG dirsrv is configured
> 2013-10-21 11:42:44,033 DEBUG pki-cad is configured
> 2013-10-21 11:42:44,033 DEBUG pkids is configured
> 2013-10-21 11:42:44,033 DEBUG install is configured
> 2013-10-21 11:42:44,033 DEBUG krb5kdc is configured
> 2013-10-21 11:42:44,033 DEBUG ntpd is not configured
> 2013-10-21 11:42:44,033 DEBUG named is not configured
> 2013-10-21 11:42:44,033 DEBUG filestore has files

Ok, you have a dogtag CA. We didn't add support for automated renewal until IPA 3.0. We need to see the state of the CA itself, its subsystem certificates.

To get the list of nicknames:

# certutil -L -d /var/lib/pki-ca/alias

Then for each one do:

# certutil -L -n <nickname> -d /var/lib/pki-ca/alias | grep Not

You don't need to post this necessarily, just look to see if they are already expired.

Like I said, we didn't tackle renewal until IPA 3.0. This required some work in certmonger as well as some changes within IPA. I don't know if the same procedures will work against an IPA 2 server. The bulk of the work is done by certmonger.

But first, see what the state of the CA and its subsystem certificates are, then we can see what we need to renew.

rob

>
>
> The (good) backup server here is the contents of the certificate:
>
> [root at xxxxx ~]# ipa-getcert list
> Number of certificates and requests being tracked: 2.
> Request ID '20111020180721':
>          status: MONITORING
>          stuck: no
>          key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-xxx ',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-xxxxx-xxx//pwdfile.txt'
>          certificate: type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-xx',nickname='Server-Cert',token='NSS Certificate DB'
>          CA: IPA
>          issuer: CN=Certificate Authority,O=xxxxxx.xxx
>          subject: CN=xxxxxxx.xxxxxx.xxx,O=xxxxxxx.xx
>          expires: 2015-09-23 17:46:26 UTC
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          command:
>          track: yes
>          auto-renew: yes
> Request ID '20111020180816':
>          status: MONITORING
>          stuck: no
>          key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>          certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>          CA: IPA
>          issuer: CN=Certificate Authority,O=xxxxxx.xxx
>          subject: CN=xxxxxx.xxxx.xxx,O=xxxxxxx.xxx
>          expires: 2015-09-23 17:46:26 UTC
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          command:
>          track: yes
>          auto-renew: yes
>
> regards
> Roger
>
>
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Wednesday, October 30, 2013 3:29 PM
> To: Vaede, Roger (Contractor); 'freeipa-devel at redhat.com'
> Subject: Re: [Freeipa-devel] certificate renewal
>
> Vaede, Roger (Contractor) wrote:
>> I did try to replace the certificate with a self signed one at one point but then I was getting an error saying the certificate wasn't valid.
>
> Ok, I need to get a better handle on how this was originally installed in order to guide you. Can you look to see if /var/log/ipaserver-install.log still exists? It should have the original arguments passed.
>
> What I need to know is if this was installed using a dogtag CA or if it was installed as a selfsign server.
>
> rob
>
>>
>> Regards
>> Roger
>>
>> -----Original Message-----
>> From: Vaede, Roger (Contractor)
>> Sent: Wednesday, October 30, 2013 2:37 PM
>> To: 'Rob Crittenden'; 'freeipa-devel at redhat.com'
>> Subject: RE: [Freeipa-devel] certificate renewal
>>
>> I never installed freeipa; the person who installed it left the company.
>> I removed the request ID at one point by using the stop-tracking command then I used this command to reinstate them:
>> ipa-getcert start-tracking -d /var/lib/pki-ca/alias -n ServerCert -r
>>
>> Initially they expired around October 25th.
>>
>> Regards
>> Roger
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>> Sent: Wednesday, October 30, 2013 2:30 PM
>> To: Vaede, Roger (Contractor); 'freeipa-devel at redhat.com'
>> Subject: Re: [Freeipa-devel] certificate renewal
>>
>> Vaede, Roger (Contractor) wrote:
>>> I have two IPA servers, one primary and one is backup.  (Redhat 5)
>>
>> What version of ipa-server is this?
>>
>>> The primary server's certificate has expired.
>>>
>>> I am not able to renew it.
>>>
>>> I turned off the ssl on the clients and now the users can login.
>>>
>>> I did a lot of research on certificate renewal and I am lost at this point.
>>>
>>> I am able to make changes using the backup IPA server.
>>
>> This getcert output is quite strange. Did you start these tracking yourself?
>>
>> Did you replace the IPA CA certificate at some point?
>>
>> rob
>>
>>
>
>
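
The nickname-and-expiry check Rob describes, automated as an added example (not code from the thread or from FreeIPA): it parses the output of the two certutil commands above and reports which certificates in the NSS database are expired. The sample certutil output is constructed here in certutil's format; the CA certificate dates are the ones quoted in the thread, and the Server-Cert dates are invented.

```python
import re
import subprocess
from datetime import datetime

# "certutil -L -n <nick> -d <db>" prints "Not After : Sun Oct 20 11:44:18 2019" (format as quoted in the thread)
VALIDITY_RE = re.compile(r"Not (Before|After)\s*:\s*(.+?)\s*$", re.M)
TIME_FMT = "%a %b %d %H:%M:%S %Y"
# "certutil -L -d <db>" lists "<nickname>   <SSL,S/MIME,JAR trust flags>"; nicknames may contain spaces
NICK_RE = re.compile(r"^\s*(\S.*?)\s+([CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)\s*$")

def parse_nicknames(listing):
    # header lines carry no trust-flag triple, so they are skipped
    return [m.group(1) for m in map(NICK_RE.match, listing.splitlines()) if m]

def parse_validity(cert_text):
    found = {k: datetime.strptime(v, TIME_FMT) for k, v in VALIDITY_RE.findall(cert_text)}
    return found["Before"], found["After"]

def classify(not_before, not_after, now):
    return "expired" if now > not_after else "not yet valid" if now < not_before else "valid"

def check_db(db_dir, now=None, run=None):
    """Run the two certutil commands for every nickname in db_dir; `run` is injectable for offline use."""
    now = now or datetime.now()
    run = run or (lambda *extra: subprocess.run(["certutil", "-L", "-d", db_dir, *extra],
                                                capture_output=True, text=True, check=True).stdout)
    result = {}
    for nick in parse_nicknames(run()):
        not_before, not_after = parse_validity(run("-n", nick))
        result[nick] = (classify(not_before, not_after, now), not_after)
    return result

# Constructed sample in certutil's format: CA cert dates are those quoted in the thread, Server-Cert dates invented
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
"""
SAMPLE_CERTS = {
    "caSigningCert cert-pki-ca": "  Not Before: Thu Oct 20 11:44:18 2011\n  Not After : Sun Oct 20 11:44:18 2019\n",
    "Server-Cert cert-pki-ca": "  Not Before: Thu Oct 20 11:44:18 2011\n  Not After : Fri Oct 25 11:44:18 2013\n",
}

def demo():
    """Evaluate the constructed sample as of the thread's date (30 Oct 2013) instead of calling certutil."""
    fake_run = lambda *extra: SAMPLE_LISTING if not extra else SAMPLE_CERTS[extra[1]]
    return check_db("/var/lib/pki-ca/alias", now=datetime(2013, 10, 30, 20, 43), run=fake_run)
```

On a real server, `check_db("/var/lib/pki-ca/alias")` runs the actual certutil commands and returns a nickname-to-(state, Not After) mapping; certutil prints local time, so the comparison uses the local clock.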
