[Freeipa-users] Expired certs not auto renewed by Cermonger

Nalin Dahyabhai nalin at redhat.com
Thu May 2 19:35:43 UTC 2013


On Thu, May 02, 2013 at 01:23:04PM -0500, Toasted Penguin wrote:
> /etc/ipa/ca.crt was issued by O=CTIDATA.NET, CN=Certificate Authority
> 
> All the certs monitored by Certmonger show the same issuer.

Ok, good.  (If that hadn't been the case, I wouldn't have had an
explanation to offer.)

> Wasn't getting anything back when running the ipahost script you provided,
> ran ipahost=`grep ^host= /etc/ipa/default.conf | cut -f2- -d=` and echo
> $ipahost shows nothing so I just ran the openssl section manually:

Hmm.  Curious.  That might be a leftover from having different releases
installed at various times on my test box.  Thanks for continuing on.

> openssl s_client -CAfile /etc/ipa/ca.crt -connect ipa01.ctidata.net:https
> -showcerts < /dev/null
> 
> Results:
> CONNECTED(00000003)
> depth=1 O = CTIDATA.NET, CN = Certificate Authority
> verify return:1
> depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
> verify error:num=10:certificate has expired
> notAfter=Mar 24 19:56:36 2013 GMT
> verify return:1
> depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
> notAfter=Mar 24 19:56:36 2013 GMT
> verify return:1
> ---
> Certificate chain
>  0 s:/O=CTIDATA.NET/CN=ipa01.ctidata.net
>    i:/O=CTIDATA.NET/CN=Certificate Authority
> -----BEGIN CERTIFICATE-----
> #####
> -----END CERTIFICATE-----
>  1 s:/O=CTIDATA.NET/CN=Certificate Authority
>    i:/O=CTIDATA.NET/CN=Certificate Authority
> -----BEGIN CERTIFICATE-----
> ####
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=/O=CTIDATA.NET/CN=ipa01.ctidata.net
> issuer=/O=CTIDATA.NET/CN=Certificate Authority
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1959 bytes and written 463 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES256-SHA
>     Session-ID: #####
>     Session-ID-ctx:
>     Master-Key: ####
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1367518514
>     Timeout   : 300 (sec)
>     Verify return code: 10 (certificate has expired)
> ---
> DONE

Yup, that's the problem: the IPA server's certificate wasn't able to be
replaced while it was still valid, and now it can no longer ask itself
for a new one.

With 2.1.4, I think the simplest way to sort this is to stop the
services (ipactl stop; service certmonger stop), roll the system date
back, start the services up again, possibly use 'ipa-getcert resubmit'
to force updating (it should happen automatically, but forcing it to
happen a second time won't hurt).  Then shut things down, set the
correct time on the clock, and bring everything back up again.

Hopefully there's a smarter way to do it, but I'm blanking on it if
there is one.

HTH,

Nalin
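A pre-expiry check, as an added example that is not from this thread or from certmonger's own code: it parses `getcert list` output (the field layout is assumed from what certmonger prints; the sample transcript is constructed) and flags tracked certificates that are already expired, expire within a window, or are not in MONITORING state, so the situation above can be caught while the server certificate is still valid and certmonger can still renew it.

```python
"""Flag certmonger-tracked certs that are near or past expiry (added example).
SAMPLE is a constructed `getcert list` transcript; its field names are assumed
from certmonger's output and its dates echo the expired IPA cert in the thread."""
import re
from datetime import datetime, timedelta, timezone

SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20120324195636':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
\tsubject: CN=ipa01.ctidata.net,O=CTIDATA.NET
\texpires: 2013-03-24 19:56:36 UTC
Request ID '20120612101500':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert'
\tsubject: CN=ipa01.ctidata.net,O=CTIDATA.NET
\texpires: 2014-06-12 10:15:00 UTC
"""

def parse_getcert_list(text):
    """Split `getcert list` output into one dict of fields per request."""
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return entries

def check(text, now, warn_days=30):
    """Return [(request id, message)] for every tracked cert needing attention."""
    problems = []
    for e in parse_getcert_list(text):
        expires = datetime.strptime(e["expires"], "%Y-%m-%d %H:%M:%S %Z")
        left = expires.replace(tzinfo=timezone.utc) - now
        if left <= timedelta(0):
            # Past notAfter: the server can no longer authenticate to its own CA,
            # so renewal needs the manual clock-rollback recovery from the thread.
            problems.append((e["id"], f"EXPIRED {(-left).days}d ago"))
        elif left <= timedelta(days=warn_days):
            problems.append((e["id"], f"expires in {left.days}d; confirm renewal works now"))
        elif e.get("status") != "MONITORING" or e.get("stuck") == "yes":
            problems.append((e["id"], f"status {e.get('status')}, stuck: {e.get('stuck')}"))
    return problems
```

To run it against a live host, pass the real output and the current time, e.g. `check(sys.stdin.read(), datetime.now(timezone.utc))` with `getcert list` piped in.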
