[Freeipa-users] FreeIPA webserver cert expired.
Paul Tader
ptader at linuxscope.com
Wed Jul 18 20:58:19 UTC 2012
On 6/29/12 5:14 PM, Rob Crittenden wrote:
> Paul Tader wrote:
>> On 6/11/12 9:16 AM, Paul Tader wrote:
>>> On 6/5/12 2:33 PM, Rob Crittenden wrote:
>>>> JR Aquino wrote:
>>>>> On Jun 5, 2012, at 11:18 AM, Paul Tader wrote:
>>>>>
>>>>>> A couple days ago my (apache) certificates expired. Users are able to
>>>>>> kinit but tools such as sudo fail because of the expired
>>>>>> certificates. Lots of reading/Google'ing later I found this script
>>>>>> (steps) to renew these certs:
>>>>>
>>>>> I'm just curious, but, isn't certmonger supposed to automatically
>>>>> renew these? Is certmonger failing in this case?
>>>>
>>>> Yes, the first thing to do is figure out why certmonger didn't
>>>> automatically renew the certificates. Then it should be as simple as
>>>> setting the date back, letting certmonger do its thing, then setting it
>>>> forward again.
>>>>
>>>> That is very strange certmonger output. You might try setting the date
>>>> back a couple of days and trying something like:
>>>>
>>>> ipa-getcert resubmit -i 20110706215145
>>>>
>>>> And see what the status goes to.
>>>>
>>>> rob
>>>
>>> (Sorry for the delayed reply)
>>>
>>> No luck with setting the date back and resubmitting the certificate.
>>>
>>>
>>>
>>> # /etc/init.d/ntpd stop
>>> Stopping ntpd (via systemctl): [ OK ]
>>>
>>> # date 060112002012
>>> Fri Jun 1 12:00:00 CDT 2012
>>>
>>> # /etc/init.d/httpd stop
>>> Stopping httpd (via systemctl): [ OK ]
>>> # /etc/init.d/httpd start
>>> Starting httpd (via systemctl): [ OK ]
>>>
>>> # ipa-getcert resubmit -i 20110706215145
>>> Resubmitting "20110706215145" to "IPA".
>>>
>>> # ipa-getcert list
>>> Number of certificates and requests being tracked: 3.
>>> Request ID '20110706215109':
>>> status: CA_UNREACHABLE
>>> ca-error: Server failed request, will retry: -504 (libcurl failed
>>> to execute the HTTP POST transaction, explaining: SSL connect error).
>>> stuck: yes
>>> key pair storage:
>>> type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-CTIDATA-NET//pwdfile.txt'
>>> certificate:
>>> type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS Certificate DB'
>>> CA: IPA
>>> issuer: CN=Certificate Authority,O=REALM.NET
>>> subject: CN=srv01.company.net,O=REALM.NET
>>> expires: 2012-06-03 20:19:49 UTC
>>> eku: id-kp-serverAuth
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20110706215129':
>>> status: CA_UNREACHABLE
>>> ca-error: Server failed request, will retry: -504 (libcurl failed
>>> to execute the HTTP POST transaction, explaining: SSL connect error).
>>> stuck: yes
>>> key pair storage:
>>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>>> certificate:
>>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>> CA: IPA
>>> issuer: CN=Certificate Authority,O=REALM.NET
>>> subject: CN=srv01.company.net,O=REALM.NET
>>> expires: 2012-06-03 20:19:49 UTC
>>> eku: id-kp-serverAuth
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20110706215145':
>>> status: GENERATING_CSR
>>> ca-error: Server failed request, will retry: 4301 (RPC failed at
>>> server. Certificate operation cannot be completed: Unable to
>>> communicate with CMS (Unauthorized)).
>>> stuck: no
>>> key pair storage:
>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> certificate:
>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>> CA: IPA
>>> issuer: CN=Certificate Authority,O=REALM.NET
>>> subject: CN=srv01.company.net,O=REALM.NET
>>> expires: 2012-06-03 20:19:49 UTC
>>> eku: id-kp-serverAuth
>>> track: yes
>>> auto-renew: yes
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>> Still working on this problem. I've imported new self signed certs
>> because I don't think I can renew expired certs and now all of the
>> entries list like this:
>>
>> Request ID '20110706215145':
>> status: NEED_CSR_GEN_TOKEN
>> ca-error: Error setting up ccache for local "host" service using
>> default keytab.
>> stuck: yes
>> key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=REALM.NET
>> subject: CN=ipa01.domain.net,O=REALM.NET
>> expires: 2012-06-03 20:19:49 UTC
>> eku: id-kp-serverAuth
>> track: yes
>> auto-renew: yes
>>
>>
>> Any tips or suggestions? I've saved off the old files so I think I can
>> go back to the expired certs.
>
> This means that the keytab isn't working for certmonger. This could be a
> couple of things. I'd try this first:
>
> # kinit host/$(hostname) -kt /etc/krb5.keytab
>
> And
>
> # kvno host/$(hostname)
>
> rob
Output below:
# kinit host/$(hostname) -kt /etc/krb5.keytab
kinit: Password incorrect while getting initial credentials
# kvno host/$(hostname)
kvno: Credentials cache file '/tmp/krb5cc_0' not found while getting client principal name
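The thread's diagnosis turns on reading `ipa-getcert list` output: which requests are stuck, which certificates are already past their expiry, and what the ca-error says about why certmonger could not renew (an HTTPS failure reaching the CA, an Unauthorized reply from CMS, or, in the last message, a host keytab that does not yield a ticket). The following is an added example, not code from the thread, from FreeIPA or from certmonger: it parses that output, flags expired, soon-to-expire and stuck requests, and attaches the check Rob suggested for the keytab case. The sample text is constructed from the format shown above (hostname, realm and the third "healthy" request are placeholders), and the 28-day renewal window is an assumption for this example, not a value read from certmonger.

```python
"""Triage `ipa-getcert list` output for requests certmonger cannot renew.

Added example for this thread: it is not code from the thread, from FreeIPA
or from certmonger. SAMPLE_GETCERT_LIST is constructed from the output
format the thread shows; the hostname, realm and request IDs are placeholders.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20110706215109':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: SSL connect error).
    stuck: yes
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.NET
    subject: CN=ipa01.example.net,O=EXAMPLE.NET
    expires: 2012-06-03 20:19:49 UTC
Request ID '20110706215145':
    status: NEED_CSR_GEN_TOKEN
    ca-error: Error setting up ccache for local "host" service using default keytab.
    stuck: yes
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.NET
    subject: CN=ipa01.example.net,O=EXAMPLE.NET
    expires: 2012-06-03 20:19:49 UTC
Request ID '20990101000000':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Healthy-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.NET
    subject: CN=ipa01.example.net,O=EXAMPLE.NET
    expires: 2013-06-03 20:19:49 UTC
"""

REQUEST_HEADER = re.compile(r"^Request ID '([^']+)':$")


def parse_getcert_list(text):
    """One dict per tracked request. Lines are split on the first colon only,
    so ca-error messages and timestamps that contain colons stay intact."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = REQUEST_HEADER.match(line)
        if header:
            current = {"request_id": header.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """certmonger prints 'YYYY-MM-DD HH:MM:SS UTC'; return an aware datetime."""
    stamp = value[:-4] if value.endswith(" UTC") else value
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def explain(req):
    """Map the ca-error/status seen in the thread to the check to run next."""
    err = req.get("ca-error", "")
    if "ccache" in err or "keytab" in err:
        return ("certmonger cannot get a ticket for host/$(hostname) from "
                "/etc/krb5.keytab; test: kinit -kt /etc/krb5.keytab host/$(hostname) "
                "&& kvno host/$(hostname)")
    if req.get("status") == "CA_UNREACHABLE":
        return "HTTPS request to the IPA CA failed (%s); repair the CA-side service before resubmitting" % err
    if "Unauthorized" in err:
        return "IPA server's request to the CA (CMS) was rejected as Unauthorized; check how the IPA server authenticates to the CA"
    return err or "no ca-error recorded"


def triage(requests, now=None, renew_window=timedelta(days=28)):
    """Return a finding for every request that is stuck, errored, expired or
    inside `renew_window` of expiry. The 28-day window is an assumed lead time
    for this example, not read from certmonger's configuration."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for req in requests:
        expires = parse_expiry(req["expires"]) if "expires" in req else None
        expired = expires is not None and expires <= now
        due_soon = expires is not None and not expired and expires - now <= renew_window
        stuck = req.get("stuck") == "yes"
        if not (expired or due_soon or stuck or "ca-error" in req):
            continue  # healthy: MONITORING, not stuck, expiry far enough away
        findings.append({
            "request_id": req["request_id"],
            "status": req.get("status", "?"),
            "certificate": req.get("certificate", "?"),
            "expired": expired,
            "due_soon": due_soon,
            "stuck": stuck,
            "hint": explain(req),
        })
    return findings


if __name__ == "__main__":
    # Pipe real output in (`ipa-getcert list | python3 getcert_triage.py`)
    # or run with no input to triage the constructed sample.
    text = SAMPLE_GETCERT_LIST if sys.stdin.isatty() else sys.stdin.read()
    for f in triage(parse_getcert_list(text)):
        flags = ",".join(k for k in ("expired", "due_soon", "stuck") if f[k]) or "-"
        print("%s %s [%s] %s" % (f["request_id"], f["status"], flags, f["hint"]))
```

Run against the sample, the two requests from the thread come out as expired and stuck, the dirsrv one with the HTTPS-to-CA hint and the httpd one with the keytab check from Rob's reply; the placeholder third request is silent until the clock is within the assumed renewal window of its expiry.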