[Freeipa-users] FreeIPA webserver cert expired.

Rob Crittenden rcritten at redhat.com
Fri Jun 29 22:14:10 UTC 2012


Paul Tader wrote:
> On 6/11/12 9:16 AM, Paul Tader wrote:
>> On 6/5/12 2:33 PM, Rob Crittenden wrote:
>>> JR Aquino wrote:
>>>> On Jun 5, 2012, at 11:18 AM, Paul Tader wrote:
>>>>
>>>>> A couple days ago my (apache) certificates expired. Users are able to
>>>>> kinit but tools such as sudo fail because of the expired
>>>>> certificates. Lots of reading/Google'ing later I found this script
>>>>> (steps) to renew these certs:
>>>>
>>>> I'm just curious, but, isn't certmonger supposed to automatically
>>>> renew these? Is certmonger failing in this case?
>>>
>>> Yes, the first thing to do is figure out why certmonger didn't
>>> automatically renew the certificates. Then it should be as simple as
>>> setting the date back, letting certmonger do its thing, then setting it
>>> forward again.
>>>
>>> That is very strange certmonger output. You might try setting the date
>>> back a couple of days and trying something like:
>>>
>>> ipa-getcert resubmit -i 20110706215145
>>>
>>> And see what the status goes to.
>>>
>>> rob
>>
>> (Sorry for the delayed reply)
>>
>> No luck with setting the date back and resubmitting the certificate.
>>
>>
>>
>> # /etc/init.d/ntpd stop
>> Stopping ntpd (via systemctl):                             [  OK  ]
>>
>> # date 060112002012
>> Fri Jun  1 12:00:00 CDT 2012
>>
>> # /etc/init.d/httpd stop
>> Stopping httpd (via systemctl):                            [  OK  ]
>> # /etc/init.d/httpd start
>> Starting httpd (via systemctl):                            [  OK  ]
>>
>> # ipa-getcert resubmit -i 20110706215145
>> Resubmitting "20110706215145" to "IPA".
>>
>> # ipa-getcert list
>> Number of certificates and requests being tracked: 3.
>> Request ID '20110706215109':
>>      status: CA_UNREACHABLE
>>      ca-error: Server failed request, will retry: -504 (libcurl failed
>> to execute the HTTP POST transaction, explaining:  SSL connect error).
>>      stuck: yes
>>      key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/dirsrv/slapd-CTIDATA-NET//pwdfile.txt'
>>      certificate:
>> type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS
>> Certificate DB'
>>      CA: IPA
>>      issuer: CN=Certificate Authority,O=REALM.NET
>>      subject: CN=srv01.company.net,O=REALM.NET
>>      expires: 2012-06-03 20:19:49 UTC
>>      eku: id-kp-serverAuth
>>      track: yes
>>      auto-renew: yes
>> Request ID '20110706215129':
>>      status: CA_UNREACHABLE
>>      ca-error: Server failed request, will retry: -504 (libcurl failed
>> to execute the HTTP POST transaction, explaining:  SSL connect error).
>>      stuck: yes
>>      key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>>      certificate:
>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>> Certificate DB'
>>      CA: IPA
>>      issuer: CN=Certificate Authority,O=REALM.NET
>>      subject: CN=srv01.company.net,O=REALM.NET
>>      expires: 2012-06-03 20:19:49 UTC
>>      eku: id-kp-serverAuth
>>      track: yes
>>      auto-renew: yes
>> Request ID '20110706215145':
>>      status: GENERATING_CSR
>>      ca-error: Server failed request, will retry: 4301 (RPC failed at
>> server.  Certificate operation cannot be completed: Unable to
>> communicate with CMS (Unauthorized)).
>>      stuck: no
>>      key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>      certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB'
>>      CA: IPA
>>      issuer: CN=Certificate Authority,O=REALM.NET
>>      subject: CN=srv01.company.net,O=REALM.NET
>>      expires: 2012-06-03 20:19:49 UTC
>>      eku: id-kp-serverAuth
>>      track: yes
>>      auto-renew: yes
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> Still working on this problem.  I've imported new self signed certs
> because I don't think I can renew expired certs and now all of the
> entries list like this:
>
> Request ID '20110706215145':
>      status: NEED_CSR_GEN_TOKEN
>      ca-error: Error setting up ccache for local "host" service using
> default keytab.
>      stuck: yes
>      key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>      certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
>      CA: IPA
>      issuer: CN=Certificate Authority,O=REALM.NET
>      subject: CN=ipa01.domain.net,O=REALM.NET
>      expires: 2012-06-03 20:19:49 UTC
>      eku: id-kp-serverAuth
>      track: yes
>      auto-renew: yes
>
>
> Any tips or suggestions? I've saved off the old files so I think I can
> go back to the expired certs.

This means that the keytab isn't working for certmonger. This could be a 
couple of things. I'd try this first:

# kinit host/$(hostname) -kt /etc/krb5.keytab

And

# kvno host/$(hostname)

rob
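As an added example (not from the thread or from FreeIPA), a small Python triage of `ipa-getcert list` output that flags the conditions discussed above: certificates already past `expires`, requests certmonger marks `stuck`, the "SSL connect error" that points at the CA side, and the ccache/keytab error that the `kinit -kt` check is meant to exercise. The sample dump, the tag names and the function names are constructed for illustration.

```python
import re
from datetime import datetime

SAMPLE = """Request ID '20110706215109':
     status: CA_UNREACHABLE
     ca-error: Server failed request, will retry: -504 (libcurl failed
to execute the HTTP POST transaction, explaining:  SSL connect error).
     stuck: yes
     expires: 2012-06-03 20:19:49 UTC
Request ID '20110706215145':
     status: NEED_CSR_GEN_TOKEN
     ca-error: Error setting up ccache for local "host" service using
default keytab.
     stuck: yes
     expires: 2012-06-03 20:19:49 UTC
"""  # constructed sample, abridged from the redacted output quoted above

REQ = re.compile(r"^Request ID '(\d+)':$")
FIELD = re.compile(r"^\s+([\w -]+?): (.*)$")   # indented "name: value" lines
TS = "%Y-%m-%d %H:%M:%S UTC"                   # certmonger's 'expires' format

def parse_getcert_list(text):
    """{request_id: {field: value}}; unindented non-header lines continue the previous field."""
    records, cur, last = {}, None, None
    for line in text.splitlines():
        m = REQ.match(line)
        if m:
            cur, last = records.setdefault(m.group(1), {}), None
            continue
        m = FIELD.match(line)
        if cur is not None and m:
            last = m.group(1)
            cur[last] = m.group(2)
        elif cur is not None and last and line.strip():
            cur[last] += " " + line.strip()   # certmonger wraps long ca-error text
    return records

def findings(rec, now):
    """Tags for one request; `now` is given in the same form as 'expires'."""
    err, now_dt = rec.get("ca-error", ""), datetime.strptime(now, TS)
    checks = [
        ("expires" in rec and datetime.strptime(rec["expires"], TS) < now_dt, "expired"),
        (rec.get("stuck") == "yes", "stuck"),
        ("SSL connect error" in err, "ca-unreachable-tls"),      # TLS to the CA fails: check the CA side
        ("ccache" in err and "keytab" in err, "keytab-problem"),  # host keytab unusable: try kinit -kt
    ]
    return [tag for hit, tag in checks if hit]

def triage(text, now):  # request id -> findings for a whole dump
    return {rid: findings(rec, now) for rid, rec in parse_getcert_list(text).items()}
```

Run it against a live dump with `triage(open("getcert.txt").read(), datetime.utcnow().strftime(TS))`; a request tagged `keytab-problem` is the one to follow up with the keytab checks above.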
