[Freeipa-users] FreeIPA webserver cert expired.

Rob Crittenden rcritten at redhat.com
Wed Jul 18 21:16:30 UTC 2012


Paul Tader wrote:
> On 6/29/12 5:14 PM, Rob Crittenden wrote:
>> Paul Tader wrote:
>>> On 6/11/12 9:16 AM, Paul Tader wrote:
>>>> On 6/5/12 2:33 PM, Rob Crittenden wrote:
>>>>> JR Aquino wrote:
>>>>>> On Jun 5, 2012, at 11:18 AM, Paul Tader wrote:
>>>>>>
>>>>>>> A couple days ago my (apache) certificates expired. Users are
>>>>>>> able to
>>>>>>> kinit but tools such as sudo fail because of the expired
>>>>>>> certificates. Lots of reading/Google'ing later I found this script
>>>>>>> (steps) to renew these certs:
>>>>>>
>>>>>> I'm just curious, but, isn't certmonger supposed to automatically
>>>>>> renew these? Is certmonger failing in this case?
>>>>>
>>>>> Yes, the first thing to do is figure out why certmonger didn't
>>>>> automatically renew the certificates. Then it should be as simple as
>>>>> setting the date back, letting certmonger do its thing, then
>>>>> setting it
>>>>> forward again.
>>>>>
>>>>> That is very strange certmonger output. You might try setting the date
>>>>> back a couple of days and trying something like:
>>>>>
>>>>> ipa-getcert resubmit -i 20110706215145
>>>>>
>>>>> And see what the status goes to.
>>>>>
>>>>> rob
>>>>
>>>> (Sorry for the delayed reply)
>>>>
>>>> No luck with setting the date back and resubmitting the certificate.
>>>>
>>>> # /etc/init.d/ntpd stop
>>>> Stopping ntpd (via systemctl):                             [  OK  ]
>>>>
>>>> # date 060112002012
>>>> Fri Jun  1 12:00:00 CDT 2012
>>>>
>>>> # /etc/init.d/httpd stop
>>>> Stopping httpd (via systemctl):                            [  OK  ]
>>>> # /etc/init.d/httpd start
>>>> Starting httpd (via systemctl):                            [  OK  ]
>>>>
>>>> # ipa-getcert resubmit -i 20110706215145
>>>> Resubmitting "20110706215145" to "IPA".
>>>>
>>>> # ipa-getcert list
>>>> Number of certificates and requests being tracked: 3.
>>>> Request ID '20110706215109':
>>>>      status: CA_UNREACHABLE
>>>>      ca-error: Server failed request, will retry: -504 (libcurl failed
>>>> to execute the HTTP POST transaction, explaining:  SSL connect error).
>>>>      stuck: yes
>>>>      key pair storage:
>>>> type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-CTIDATA-NET//pwdfile.txt'
>>>>      certificate:
>>>> type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS Certificate DB'
>>>>      CA: IPA
>>>>      issuer: CN=Certificate Authority,O=RELAM.NET
>>>>      subject: CN=srv01.company.net,O=REALM.NET
>>>>      expires: 2012-06-03 20:19:49 UTC
>>>>      eku: id-kp-serverAuth
>>>>      track: yes
>>>>      auto-renew: yes
>>>> Request ID '20110706215129':
>>>>      status: CA_UNREACHABLE
>>>>      ca-error: Server failed request, will retry: -504 (libcurl failed
>>>> to execute the HTTP POST transaction, explaining:  SSL connect error).
>>>>      stuck: yes
>>>>      key pair storage:
>>>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>>>>      certificate:
>>>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>>>      CA: IPA
>>>>      issuer: CN=Certificate Authority,O=REALM.NET
>>>>      subject: CN=srv01.company.net,O=REALM.NET
>>>>      expires: 2012-06-03 20:19:49 UTC
>>>>      eku: id-kp-serverAuth
>>>>      track: yes
>>>>      auto-renew: yes
>>>> Request ID '20110706215145':
>>>>      status: GENERATING_CSR
>>>>      ca-error: Server failed request, will retry: 4301 (RPC failed at
>>>> server.  Certificate operation cannot be completed: Unable to
>>>> communicate with CMS (Unauthorized)).
>>>>      stuck: no
>>>>      key pair storage:
>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>      certificate:
>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>>      CA: IPA
>>>>      issuer: CN=Certificate Authority,O=REALM.NET
>>>>      subject: CN=srv01.company.net,O=REALM.NET
>>>>      expires: 2012-06-03 20:19:49 UTC
>>>>      eku: id-kp-serverAuth
>>>>      track: yes
>>>>      auto-renew: yes
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>>> Still working on this problem.  I've imported new self signed certs
>>> because I don't think I can renew expired certs and now all of the
>>> entries list like this:
>>>
>>> Request ID '20110706215145':
>>>      status: NEED_CSR_GEN_TOKEN
>>>      ca-error: Error setting up ccache for local "host" service using
>>> default keytab.
>>>      stuck: yes
>>>      key pair storage:
>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>      certificate:
>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>      CA: IPA
>>>      issuer: CN=Certificate Authority,O=REALM.NET
>>>      subject: CN=ipa01.domain.net,O=REALM.NET
>>>      expires: 2012-06-03 20:19:49 UTC
>>>      eku: id-kp-serverAuth
>>>      track: yes
>>>      auto-renew: yes
>>>
>>>
>>> Any tips or suggestions? I've saved off the old files so I think I can
>>> go back to the expired certs.
>>
>> This means that the keytab isn't working for certmonger. This could be a
>> couple of things. I'd try this first:
>>
>> # kinit host/$(hostname) -kt /etc/krb5.keytab
>>
>> And
>>
>> # kvno host/$(hostname)
>>
>> rob
>
> Output below:
>
> # kinit host/$(hostname) -kt /etc/krb5.keytab
> kinit: Password incorrect while getting initial credentials
>
> # kvno host/$(hostname)
> kvno: Credentials cache file '/tmp/krb5cc_0' not found while getting
> client principal name
>

Not sure how or why but it would appear that the host principal on your 
server is out-of-whack. I'd get a new one with:

# ipa-getkeytab -s $(hostname) -k /etc/krb5.keytab -p host/$(hostname)

That should make the kinit and kvno work, and certmonger as well.

rob
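The thread's root cause only surfaced after the certificates had already expired. As an added example (not from the thread or from FreeIPA itself), the script below parses `ipa-getcert list` output in the format quoted above and flags the two failure modes seen here, a CA_UNREACHABLE request and a ca-error pointing at an unusable host keytab, so a periodic check can raise them while there is still time to renew. The field names come from the quoted output; the sample text, the triage rules and the severity labels are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the `ipa-getcert list` output quoted above (trimmed fields).
SAMPLE = """Request ID '20110706215109':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: -504 (libcurl failed
to execute the HTTP POST transaction, explaining:  SSL connect error).
\tstuck: yes
\tsubject: CN=srv01.company.net,O=REALM.NET
\texpires: 2012-06-03 20:19:49 UTC
Request ID '20110706215145':
\tstatus: NEED_CSR_GEN_TOKEN
\tca-error: Error setting up ccache for local "host" service using
default keytab.
\tstuck: yes
\tsubject: CN=ipa01.domain.net,O=REALM.NET
\texpires: 2012-06-03 20:19:49 UTC
"""

FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z -]*):\s*(.*)$")  # indented "key: value" line

def parse_getcert_list(text):
    """One dict per tracked request; unindented lines continue the previous field."""
    requests, current, last = [], None, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current, last = {"id": m.group(1)}, None
            requests.append(current)
        elif current is not None and (m := FIELD.match(line)):
            last = m.group(1)
            current[last] = m.group(2)
        elif current is not None and last:
            current[last] = (current[last] + " " + line.strip()).strip()
    return requests

def parse_time(s):  # certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)

def triage(req, now):
    """(severity, reason) for one request, based on the failure modes seen in the thread."""
    expired, err = parse_time(req["expires"]) <= now, req.get("ca-error", "")
    problems = ["already expired"] if expired else []
    if "keytab" in err or "ccache" in err:
        problems.append("host keytab unusable, check kinit -kt /etc/krb5.keytab")
    if req.get("status") == "CA_UNREACHABLE":
        problems.append("CA unreachable, renewal blocked")
    severity = "critical" if expired or req.get("stuck") == "yes" else "warning"
    return (severity, "; ".join(problems)) if problems else ("ok", "renewal on track")
```

Run it against the live output (`ipa-getcert list`) with `now` set to the current UTC time; a "warning" on a not-yet-expired request is the point at which the keytab or CA problem can still be fixed before the certificates lapse.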