[Freeipa-users] Expired certs not auto renewed by Certmonger

Toasted Penguin toastedpenguininfo at gmail.com
Thu May 2 17:45:34 UTC 2013


Here is the output from the submit:

 /usr/libexec/certmonger/ipa-submit -P bogus/`hostname` ~/req.csr
Submitting request to "https://ipa01.ctidata.net/ipa/xml".
Fault -504: (libcurl failed to execute the HTTP POST transaction, explaining:  Peer certificate cannot be authenticated with known CA certificates).
Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining:  Peer certificate cannot be authenticated with known CA certificates).

Regarding /etc/ipa/ca.crt, it isn't expired; it shows it's valid until July
6, 2019.


On Thu, May 2, 2013 at 12:30 PM, Nalin Dahyabhai <nalin at redhat.com> wrote:

> On Thu, May 02, 2013 at 11:45:51AM -0500, Toasted Penguin wrote:
> > Nalin,
> >
> > Thanks for your response.  Running `hostname` does result in
> > ipa01.ctidata.net and kinit -k host/ipa01.ctidata.net does also succeed.
> >
> > I ran ` ipa-getcert resubmit -i 20120925200227  -K HTTP/
> > ipa01.ctidata.net at CTIDATA.NET`
> >
> > and it resulted in this:
> >
> > Request ID '20120615190133':
> > status: CA_UNCONFIGURED
> > ca-error: Error setting up ccache for local "host" service using default keytab.
> > stuck: yes
> > key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
> > certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
> > CA: IPA
> > issuer:
> > subject:
> > expires: unknown
> > track: yes
> > auto-renew: yes
>
> Can you retrieve the contents of the request and save it to a temporary
> file, like so:
>   reqfile=`grep -l '^id=20120615190133' /var/lib/certmonger/requests/*`
>   awk '/BEGIN .*REQ/,/END .*REQ/ {sub("^( |csr=)","");print}' $reqfile >\
>       ~/req.csr
>
> And then try to manually submit it to the server for signing, in the way
> that certmonger would, like so:
>   /usr/libexec/certmonger/ipa-submit -P bogus/`hostname` ~/req.csr
>
> Hopefully the error output there will give us more information about
> what's going on when the submission helper's failing to set up a ccache.
>
> If it manages to get past that point, I expect it to fail because you
> hopefully don't have a principal named "bogus" defined on the local
> host.  But at that point we'll have gotten past errors creating the
> ccache, and we'll have to find another way to figure out why it failed
> here.
>
> As an aside, we provide better information for this error in the
> "ca-error" note with later versions than you appear to have, so tracking
> down this information won't always be this complicated.
>
> > Request ID '20120925200227':
> > status: CA_UNREACHABLE
> > ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining:  Peer certificate cannot be authenticated with known CA certificates).
> > stuck: yes
> > key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=CTIDATA.NET
> > subject: CN=ipa01.ctidata.net,O=CTIDATA.NET
> > expires: 2013-03-24 19:56:36 UTC
> > eku: id-kp-serverAuth
> > track: yes
> > auto-renew: yes
>
> There's an error verifying the server's certificate using the local copy
> of the CA certificate in /etc/ipa/ca.crt.  Is it also expired?
>
> Nalin
>
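The two `ipa-getcert` records quoted in this thread are the kind of state a host admin wants to catch before a certificate actually lapses: a request that is stuck, one whose expiry is unknown, or one that has already expired while the submission helper fails TLS verification against the IPA server. The following is an added example, not code from the thread or from certmonger: a small parser for the `ipa-getcert list`-style output shown above, plus a check that reports each request that will not renew cleanly. The sample text is constructed from the two records in the thread (field names are the ones certmonger prints; the 28-day warning window is this example's own choice, not certmonger's configured renewal window).

```python
"""Flag certmonger requests that will not renew on their own.

Added example (not part of the mailing-list thread or of certmonger).
Parses `ipa-getcert list` / `ipa-getcert resubmit` style output and reports
requests that are stuck, untracked, expired, or about to expire.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the two records quoted in the thread, re-indented the way
# ipa-getcert prints them (one "Request ID" header, then indented key: value lines).
SAMPLE_OUTPUT = """\
Request ID '20120615190133':
    status: CA_UNCONFIGURED
    ca-error: Error setting up ccache for local "host" service using default keytab.
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
    CA: IPA
    issuer:
    subject:
    expires: unknown
    track: yes
    auto-renew: yes
Request ID '20120925200227':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining:  Peer certificate cannot be authenticated with known CA certificates).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=CTIDATA.NET
    subject: CN=ipa01.ctidata.net,O=CTIDATA.NET
    expires: 2013-03-24 19:56:36 UTC
    eku: id-kp-serverAuth
    track: yes
    auto-renew: yes
"""

# Date of the thread, used as "now" so the report is reproducible.
THREAD_DATE = datetime(2013, 5, 2, 17, 45, 34, tzinfo=timezone.utc)

# Warning window used by this example (assumption, not certmonger's setting).
WARN_WINDOW = timedelta(days=28)

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")


def parse_getcert_list(text):
    """Return one dict per 'Request ID' record; field names are the printed keys."""
    records = []
    current = None
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if match:
            current = {"id": match.group(1)}
            records.append(current)
            continue
        if current is None or not line.strip():
            continue
        # Split on the first colon only: values such as the ca-error text contain colons.
        key, sep, value = line.strip().partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return records


def parse_expiry(value):
    """Turn the 'expires:' field into an aware datetime, or None if unknown/empty."""
    if value in ("", "unknown"):
        return None
    if value.endswith(" UTC"):
        value = value[: -len(" UTC")]
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def find_problems(records, now):
    """Return {request_id: [reasons]} for requests that need operator attention."""
    problems = {}
    for rec in records:
        reasons = []
        if rec.get("stuck") == "yes":
            reasons.append("stuck: " + rec.get("status", "?"))
        if rec.get("track") != "yes" or rec.get("auto-renew") != "yes":
            reasons.append("not tracked for auto-renewal")
        expires = parse_expiry(rec.get("expires", ""))
        if expires is None:
            reasons.append("expiry unknown (no certificate found in the key store)")
        elif expires <= now:
            reasons.append("certificate expired " + expires.isoformat())
        elif expires - now < WARN_WINDOW:
            reasons.append("certificate expires within %d days" % WARN_WINDOW.days)
        if "Peer certificate cannot be authenticated" in rec.get("ca-error", ""):
            reasons.append("TLS verification of the IPA server failed; "
                           "check the server certificate and the local CA copy")
        if reasons:
            problems[rec["id"]] = reasons
    return problems


if __name__ == "__main__":
    for req_id, reasons in find_problems(parse_getcert_list(SAMPLE_OUTPUT), THREAD_DATE).items():
        print("Request %s:" % req_id)
        for reason in reasons:
            print("  - " + reason)
```

Run against the real host by feeding `ipa-getcert list` output to `parse_getcert_list` and `datetime.now(timezone.utc)` to `find_problems`; on the records above it reports both requests, the second one as already expired on 2013-03-24 with the TLS verification failure that the thread is chasing.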