[Freeipa-users] FreeIPA webserver cert expired.

Paul Tader ptader at linuxscope.com
Wed Jul 18 20:58:19 UTC 2012


On 6/29/12 5:14 PM, Rob Crittenden wrote:
> Paul Tader wrote:
>> On 6/11/12 9:16 AM, Paul Tader wrote:
>>> On 6/5/12 2:33 PM, Rob Crittenden wrote:
>>>> JR Aquino wrote:
>>>>> On Jun 5, 2012, at 11:18 AM, Paul Tader wrote:
>>>>>
>>>>>> A couple days ago my (apache) certificates expired. Users are able to
>>>>>> kinit but tools such as sudo fail because of the expired
>>>>>> certificates. Lots of reading/Google'ing later I found this script
>>>>>> (steps) to renew these certs:
>>>>>
>>>>> I'm just curious, but, isn't certmonger supposed to automatically
>>>>> renew these? Is certmonger failing in this case?
>>>>
>>>> Yes, the first thing to do is figure out why certmonger didn't
>>>> automatically renew the certificates. Then it should be as simple as
>>>> setting the date back, letting certmonger do its thing, then setting it
>>>> forward again.
>>>>
>>>> That is very strange certmonger output. You might try setting the date
>>>> back a couple of days and trying something like:
>>>>
>>>> ipa-getcert resubmit -i 20110706215145
>>>>
>>>> And see what the status goes to.
>>>>
>>>> rob
>>>
>>> (Sorry for the delayed reply)
>>>
>>> No luck with setting the date back and resubmitting the certificate.
>>>
>>>
>>>
>>> # /etc/init.d/ntpd stop
>>> Stopping ntpd (via systemctl):                             [  OK  ]
>>>
>>> # date 060112002012
>>> Fri Jun  1 12:00:00 CDT 2012
>>>
>>> # /etc/init.d/httpd stop
>>> Stopping httpd (via systemctl):                            [  OK  ]
>>> # /etc/init.d/httpd start
>>> Starting httpd (via systemctl):                            [  OK  ]
>>>
>>> # ipa-getcert resubmit -i 20110706215145
>>> Resubmitting "20110706215145" to "IPA".
>>>
>>> # ipa-getcert list
>>> Number of certificates and requests being tracked: 3.
>>> Request ID '20110706215109':
>>>      status: CA_UNREACHABLE
>>>      ca-error: Server failed request, will retry: -504 (libcurl failed
>>> to execute the HTTP POST transaction, explaining:  SSL connect error).
>>>      stuck: yes
>>>      key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-CTIDATA-NET//pwdfile.txt'
>>>      certificate: type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS Certificate DB'
>>>      CA: IPA
>>>      issuer: CN=Certificate Authority,O=REALM.NET
>>>      subject: CN=srv01.company.net,O=REALM.NET
>>>      expires: 2012-06-03 20:19:49 UTC
>>>      eku: id-kp-serverAuth
>>>      track: yes
>>>      auto-renew: yes
>>> Request ID '20110706215129':
>>>      status: CA_UNREACHABLE
>>>      ca-error: Server failed request, will retry: -504 (libcurl failed
>>> to execute the HTTP POST transaction, explaining:  SSL connect error).
>>>      stuck: yes
>>>      key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>>>      certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>>      CA: IPA
>>>      issuer: CN=Certificate Authority,O=REALM.NET
>>>      subject: CN=srv01.company.net,O=REALM.NET
>>>      expires: 2012-06-03 20:19:49 UTC
>>>      eku: id-kp-serverAuth
>>>      track: yes
>>>      auto-renew: yes
>>> Request ID '20110706215145':
>>>      status: GENERATING_CSR
>>>      ca-error: Server failed request, will retry: 4301 (RPC failed at
>>> server.  Certificate operation cannot be completed: Unable to
>>> communicate with CMS (Unauthorized)).
>>>      stuck: no
>>>      key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>      certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>      CA: IPA
>>>      issuer: CN=Certificate Authority,O=REALM.NET
>>>      subject: CN=srv01.company.net,O=REALM.NET
>>>      expires: 2012-06-03 20:19:49 UTC
>>>      eku: id-kp-serverAuth
>>>      track: yes
>>>      auto-renew: yes
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>> Still working on this problem.  I've imported new self signed certs
>> because I don't think I can renew expired certs and now all of the
>> entries list like this:
>>
>> Request ID '20110706215145':
>>      status: NEED_CSR_GEN_TOKEN
>>      ca-error: Error setting up ccache for local "host" service using
>> default keytab.
>>      stuck: yes
>>      key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>      certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>      CA: IPA
>>      issuer: CN=Certificate Authority,O=REALM.NET
>>      subject: CN=ipa01.domain.net,O=REALM.NET
>>      expires: 2012-06-03 20:19:49 UTC
>>      eku: id-kp-serverAuth
>>      track: yes
>>      auto-renew: yes
>>
>>
>> Any tips or suggestions? I've saved off the old files so I think I can
>> go back to the expired certs.
>
> This means that the keytab isn't working for certmonger. This could be a
> couple of things. I'd try this first:
>
> # kinit host/$(hostname) -kt /etc/krb5.keytab
>
> And
>
> # kvno host/$(hostname)
>
> rob

Output below:

# kinit host/$(hostname) -kt /etc/krb5.keytab
kinit: Password incorrect while getting initial credentials

# kvno host/$(hostname)
kvno: Credentials cache file '/tmp/krb5cc_0' not found while getting client principal name
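The troubleshooting in this thread comes down to reading `ipa-getcert list` output by eye: which tracked requests are stuck, and whether the certificates would still be valid at the clock time you intend to roll back to before resubmitting. The following is an added example, not code from the thread or from FreeIPA/certmonger. It is a small POSIX sh/awk parser for that output format; the `sample_getcert_list` text is constructed, modeled on the listing quoted above, and the field layout (one `key pair storage:` line with a `location='...'` attribute, `expires:` in UTC) is assumed to match what `ipa-getcert list` prints on a real server.

```shell
#!/bin/sh
# Triage helper for certmonger tracking output (added example, not from the
# thread or from the FreeIPA project). On a real server run:
#   ipa-getcert list | getcert_triage
# Here it is fed a constructed sample modeled on the listing in the thread.

sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20110706215109':
     status: CA_UNREACHABLE
     stuck: yes
     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-CTIDATA-NET//pwdfile.txt'
     certificate: type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS Certificate DB'
     CA: IPA
     expires: 2012-06-03 20:19:49 UTC
Request ID '20110706215129':
     status: CA_UNREACHABLE
     stuck: yes
     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
     certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
     CA: IPA
     expires: 2012-06-03 20:19:49 UTC
Request ID '20110706215145':
     status: GENERATING_CSR
     stuck: no
     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
     CA: IPA
     expires: 2012-06-03 20:19:49 UTC
EOF
}

# Reads `ipa-getcert list` text on stdin and prints one line per request:
#   ID|status|stuck|expires|NSS-database-location
getcert_triage() {
    awk -v q="'" '
        function flush() {
            if (id != "") printf "%s|%s|%s|%s|%s\n", id, status, stuck, expires, loc
        }
        /^Request ID/ {                 # new record: emit the previous one
            flush()
            id = $3; gsub(/[^0-9]/, "", id)
            status = "?"; stuck = "?"; expires = "?"; loc = "?"
        }
        /^[ \t]*status:/  { status = $2 }
        /^[ \t]*stuck:/   { stuck = $2 }
        /^[ \t]*expires:/ { expires = $2 " " $3 }   # "YYYY-MM-DD HH:MM:SS" (UTC)
        /location=/ && loc == "?" {                 # first location= is the key store
            s = $0; sub(/.*location=/, "", s); sub(/,.*/, "", s); gsub(q, "", s); loc = s
        }
        END { flush() }
    '
}

# IDs of the requests certmonger reports as stuck.
getcert_stuck() {
    getcert_triage | awk -F"|" '$3 == "yes" { print $1 }'
}

# IDs whose certificate is already expired at the given UTC time
# ("YYYY-MM-DD HH:MM:SS"). Before rolling the clock back as in the thread,
# pick a time for which this prints nothing; fixed-width timestamps compare
# correctly as strings.
getcert_expired_at() {
    getcert_triage | awk -F"|" -v now="$1" '$4 != "?" && $4 < now { print $1 }'
}

# Stand-alone demonstration on the constructed sample.
sample_getcert_list | getcert_triage
echo "stuck: $(sample_getcert_list | getcert_stuck | tr '\n' ' ')"
echo "expired at 2012-06-04 00:00:00: $(sample_getcert_list | getcert_expired_at '2012-06-04 00:00:00' | tr '\n' ' ')"
echo "expired at 2012-06-01 12:00:00: $(sample_getcert_list | getcert_expired_at '2012-06-01 12:00:00' | tr '\n' ' ')"
```

On the sample, the first two requests are stuck and all three are expired at 2012-06-04, while none is expired at 2012-06-01 12:00, which is the clock value set in the thread; the `getcert_triage` output can be fed straight into a monitoring check so an expiry is caught before the HTTP and LDAP server certificates lapse.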



