[Freeipa-users] Expired certs not auto renewed by Certmonger

Toasted Penguin toastedpenguininfo at gmail.com
Thu May 2 15:59:11 UTC 2013


Running FreeIPA 2.1.4 and ran into an issue where a Server-Cert did not
auto-renew.

ipa-getcert list
Number of certificates and requests being tracked: 4.
Request ID '20110706215109':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-CTIDATA-NET/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=CTIDATA.NET
	subject: CN=ipa01.ctidata.net,O=CTIDATA.NET
	expires: 2013-08-23 20:20:10 UTC
	eku: id-kp-serverAuth
	track: yes
	auto-renew: yes
Request ID '20110706215129':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=CTIDATA.NET
	subject: CN=ipa01.ctidata.net,O=CTIDATA.NET
	expires: 2013-08-23 20:30:21 UTC
	eku: id-kp-serverAuth
	track: yes
	auto-renew: yes
Request ID '20120615190133':
	status: CA_UNCONFIGURED
	ca-error: Error setting up ccache for local "host" service using default keytab.
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
	certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
	CA: IPA
	issuer:
	subject:
	expires: unknown
	track: yes
	auto-renew: yes
Request ID '20120925200227':
	status: GENERATING_CSR
	ca-error: Unable to determine principal name for signing request.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=CTIDATA.NET
	subject: CN=ipa01.ctidata.net,O=CTIDATA.NET
	expires: 2013-03-24 19:56:36 UTC
	eku: id-kp-serverAuth
	track: yes
	auto-renew: yes

I verified that the IPA keytab is populated:

klist -kt /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 07/06/11 21:51:43 host/ipa01.ctidata.net@CTIDATA.NET
   2 07/06/11 21:51:43 host/ipa01.ctidata.net@CTIDATA.NET
   2 07/06/11 21:51:43 host/ipa01.ctidata.net@CTIDATA.NET
   2 07/06/11 21:51:43 host/ipa01.ctidata.net@CTIDATA.NET
   2 07/06/11 21:51:43 host/ipa01.ctidata.net@CTIDATA.NET
   2 07/06/11 21:51:43 host/ipa01.ctidata.net@CTIDATA.NET
   4 07/18/12 21:20:41 host/ipa01.ctidata.net@CTIDATA.NET
   4 07/18/12 21:20:41 host/ipa01.ctidata.net@CTIDATA.NET
   4 07/18/12 21:20:41 host/ipa01.ctidata.net@CTIDATA.NET
   4 07/18/12 21:20:41 host/ipa01.ctidata.net@CTIDATA.NET
   5 07/18/12 21:21:00 host/ipa01.ctidata.net@CTIDATA.NET
   5 07/18/12 21:21:00 host/ipa01.ctidata.net@CTIDATA.NET
   5 07/18/12 21:21:00 host/ipa01.ctidata.net@CTIDATA.NET
   5 07/18/12 21:21:00 host/ipa01.ctidata.net@CTIDATA.NET
   6 05/02/13 15:02:10 host/ipa01.ctidata.net@CTIDATA.NET
   6 05/02/13 15:02:10 host/ipa01.ctidata.net@CTIDATA.NET
   6 05/02/13 15:02:10 host/ipa01.ctidata.net@CTIDATA.NET
   6 05/02/13 15:02:10 host/ipa01.ctidata.net@CTIDATA.NET

and ran kvno host/ipa01.ctidata.net to see what the KDC shows for this
principal:
host/ipa01.ctidata.net@CTIDATA.NET: kvno = 6

Not sure what caused the ca_errors but I need to at least manually renew
the certs and then figure out what went wrong.

Any advice on what the ca_errors mean and how I can fix the issue?

Thanks,
David
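As an added example (not code from the original post, nor from FreeIPA or certmonger), the script below parses the three kinds of output quoted above, `ipa-getcert list`, `klist -kt` and `kvno`, and reports what a practitioner would want to see at a glance before renewing anything: tracked requests that are marked stuck, carry a ca-error, are in a state other than MONITORING, or whose expiry is unknown or already passed, plus whether the keytab actually holds the KVNO the KDC reports for the host principal. The embedded samples are constructed in those tools' output format under a placeholder realm EXAMPLE.TEST and host ipa01.example.test, and the 28-day warning window is the script's own threshold, not a certmonger setting.

```python
"""Offline check over `ipa-getcert list`, `klist -kt` and `kvno` output.
Added example, not code from the post or from FreeIPA/certmonger; the samples
are constructed in those tools' output format, with placeholder realm EXAMPLE.TEST.
"""
import re
from datetime import datetime, timedelta, timezone

POST_TIME = datetime(2013, 5, 2, 15, 59, 11, tzinfo=timezone.utc)  # date of the post
# Constructed sample in the shape of `ipa-getcert list` (fields are tab-indented).
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 3.
Request ID '20110706215109':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert'
\texpires: 2013-08-23 20:20:10 UTC
Request ID '20120615190133':
\tstatus: CA_UNCONFIGURED
\tca-error: Error setting up ccache for local "host" service using default keytab.
\tstuck: yes
\tissuer:
\texpires: unknown
Request ID '20120925200227':
\tstatus: GENERATING_CSR
\tca-error: Unable to determine principal name for signing request.
\texpires: 2013-03-24 19:56:36 UTC
"""
# Constructed samples in the shape of `klist -kt /etc/krb5.keytab` and `kvno`.
SAMPLE_KLIST = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------
   2 07/06/11 21:51:43 host/ipa01.example.test@EXAMPLE.TEST
   6 05/02/13 15:02:10 host/ipa01.example.test@EXAMPLE.TEST
"""
SAMPLE_KVNO = "host/ipa01.example.test@EXAMPLE.TEST: kvno = 6\n"

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
KLIST_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s*$")  # kvno date time principal
KVNO_RE = re.compile(r"^(\S+): kvno = (\d+)\s*$")


def parse_getcert(text):
    """Return {request_id: {field: value}} from `getcert list` output."""
    requests, current = {}, None
    for raw in text.splitlines():
        m = REQUEST_RE.match(raw)
        if m:
            current = requests.setdefault(m.group(1), {})
            continue
        line = raw.strip()
        if current is None or not line:
            continue  # summary line before the first request, or blank
        key, sep, value = line.partition(": ")  # split on the first ": " only
        if not sep:  # a bare "issuer:" with no value
            key, value = line.rstrip(":"), ""
        current[key] = value
    return requests


def parse_expiry(value):
    """certmonger prints 'YYYY-MM-DD HH:MM:SS UTC', or 'unknown'."""
    try:
        return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None


def check_getcert(text, now=POST_TIME, warn_days=28):
    """{request_id: [problems]}; warn_days is this script's threshold, not certmonger's."""
    report = {}
    for rid, f in parse_getcert(text).items():
        problems = []
        if f.get("stuck") == "yes":
            problems.append("stuck")
        if f.get("ca-error"):
            problems.append("ca-error: " + f["ca-error"])
        if f.get("status") != "MONITORING":
            problems.append("status " + f.get("status", "?"))
        expiry = parse_expiry(f.get("expires"))
        if expiry is None:
            problems.append("expiry unknown")
        elif expiry <= now:
            problems.append("expired " + f["expires"])
        elif expiry - now <= timedelta(days=warn_days):
            problems.append("expires within %d days" % warn_days)
        report[rid] = problems
    return report


def keytab_kvnos(klist_text):
    """{principal: set of KVNOs in the keytab} from `klist -kt` output."""
    found = {}
    for m in filter(None, map(KLIST_RE.match, klist_text.splitlines())):
        found.setdefault(m.group(2), set()).add(int(m.group(1)))
    return found


def keytab_matches_kdc(klist_text, kvno_text):
    """Per principal: does the keytab hold the KVNO that `kvno` says the KDC has?"""
    held = keytab_kvnos(klist_text)
    return {m.group(1): int(m.group(2)) in held.get(m.group(1), set())
            for m in filter(None, map(KVNO_RE.match, kvno_text.splitlines()))}


if __name__ == "__main__":
    for rid, problems in check_getcert(SAMPLE_GETCERT).items():
        print(rid, "OK" if not problems else "; ".join(problems))
    print(keytab_matches_kdc(SAMPLE_KLIST, SAMPLE_KVNO))
```

To use it on a real server, replace the three sample strings with the captured output of the same commands (or read them from files) and pass `datetime.now(timezone.utc)` as `now`; on the output quoted in the post it would flag the /etc/pki/nssdb request as stuck with an unknown expiry and the /etc/httpd/alias request as already expired at the time of posting, while reporting that the keytab does contain KVNO 6, the version the KDC returns.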