[Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert

Alexander Bokovoy abokovoy at redhat.com
Thu Oct 8 13:00:24 UTC 2015


Hi,

On Thu, 08 Oct 2015, Gronde, Christopher (Contractor) wrote:
>Thank you for your response!
Do not respond directly, send your emails to the mailing list, please.

>Yes "getent passwd admin" does work
>
># getent passwd admin
>admin:*:1278200000:1278200000:Administrator:/home/admin:/bin/bash
>
>The second not returned:
>
># ipa-getcert resubmit -i 20151007150853 -p /etc/httpd/alias/pwdfile.txt
>Resubmitting "20151007150853" to "IPA".
>
># ipa-getcert resubmit -i 20151007150853 -p /etc/httpd/alias/pwdfile.txt
>Resubmitting "20151007150853" to "IPA".
>[root at comipa02 conf.d]# ipa-getcert list
>Number of certificates and requests being tracked: 2.
>Request ID '20151007150853':
>        status: MONITORING
>        ca-error: Unable to determine principal name for signing request.
So it doesn't know whom to map the cert to.

When re-submitting the request with ipa-getcert, add 
  -K HTTP/comipa02.itmodev.gov

While at it, I've looked at my test setup and I can see that your
configuration below lacks restart of httpd after certificate was
rotated:
  -C /usr/lib64/ipa/certmonger/restart_httpd


>        stuck: no
>        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>        CA: IPA
>        issuer: CN=Certificate Authority,O=<example>.GOV
>        subject: CN=comipa02.itmodev.gov,O=<example>.GOV
>        expires: 2015-09-23 17:46:26 UTC
>        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>        eku: id-kp-serverAuth,id-kp-clientAuth
>        pre-save command:
>        post-save command:
>        track: yes
>        auto-renew: yes
>
>This Cert however still shows expired.  What do I need to do to go about renewing it?
>
># certutil -V -u V -n Server-Cert -d /etc/httpd/alias
>certutil: certificate is invalid: Peer's Certificate has expired.
>
>
>
>-----Original Message-----
>From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
>Sent: Thursday, October 08, 2015 2:22 AM
>To: Gronde, Christopher (Contractor) <Christopher.Gronde at fincen.gov>
>Cc: freeipa-users at redhat.com
>Subject: Re: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert
>
>On Wed, 07 Oct 2015, Gronde, Christopher (Contractor) wrote:
>>I am new to FreeIPA and have inherited two IPA servers not sure if one
>>is a master/slave or how they are different.  I will try to give some
>>pertinent outputs below of some of the things I am seeing.  I know the
>>Server-Cert is expired but can't figure out how to renew it.  There
>>also appears to be Kerberos authentication issues going on as I'm
>>trying to fix it.
>>
>>#getcert list -d /etc/httpd/alias -n ipaCert
>>Number of certificates and requests being tracked: 2.
>>Request ID '20150922143354':
>>        status: NEED_TO_SUBMIT
>>        stuck: no
>>        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>        CA: dogtag-ipa-retrieve-agent-submit
>>        issuer: CN=Certificate Authority,O=<example>.GOV
>>        subject: CN=IPA RA,O=<example>.GOV
>>        expires: 2013-10-09 11:45:01 UTC
>>        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>        eku: id-kp-serverAuth,id-kp-clientAuth
>>        pre-save command:
>>        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>        track: yes
>>        auto-renew: yes
>>
>>#certutil -V -u V -n Server-Cert -d /etc/httpd/alias
>>certutil: certificate is invalid: Peer's Certificate has expired.
>>
>>
>>#certutil -L -d /etc/httpd/alias -n Server-Cert
>>Certificate:
>>    Data:
>>        Version: 3 (0x2)
>>        Serial Number: 166 (0xa6)
>>        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>>        Issuer: "CN=Certificate Authority,O=<example>.GOV"
>>        Validity:
>>            Not Before: Sun Sep 22 17:46:26 2013
>>            Not After : Wed Sep 23 17:46:26 2015
>>        Subject: "CN=comipa02.<example>.gov,O=<example>.GOV"
>>        Subject Public Key Info:
>>            Public Key Algorithm: PKCS #1 RSA Encryption
>>            RSA Public Key:
>>                Modulus:
>>                    c6:8e:37:ee:72:82:58:78:4e:16:b8:18:f3:28:05:d9:
>>                    e5:3c:ee:01:ec:3e:28:d5:87:be:e4:74:ec:e5:27:40:
>>                    ca:9c:eb:61:a2:ad:44:c0:d9:2e:6d:93:fd:67:4c:f8:
>>                    6d:f6:f2:63:6f:e6:00:4a:2a:c4:44:f5:e7:32:50:40:
>>                    51:5b:0e:15:69:25:ef:c9:4f:47:ad:ba:90:fb:36:6d:
>>                    14:3f:04:c4:7b:c3:e6:b1:30:7b:56:2d:d3:0f:d9:2f:
>>                    c9:57:89:c7:21:8a:a6:d4:2a:63:27:6c:54:53:7b:44:
>>                    9a:0b:da:8f:b9:88:ec:b4:95:d3:5c:6c:cf:7b:dc:30:
>>                    ef:25:db:fd:89:26:7f:25:34:9d:6e:7b:b0:94:62:81:
>>                    0e:b8:d6:3e:95:0e:71:e2:3f:6b:e2:3d:f2:71:8d:4c:
>>                    ec:41:e2:fa:c7:8b:50:80:90:68:a8:88:5c:07:c6:cc:
>>                    5a:48:fc:7f:37:28:78:b3:2e:79:05:73:a5:9d:75:ae:
>>                    15:bc:55:6c:85:ab:cd:2e:44:6b:10:c2:25:d8:bb:03:
>>                    11:3f:69:44:3e:1c:ba:a3:c9:fa:36:ae:a6:6e:f4:51:
>>                    a0:74:ff:e9:31:40:51:69:d2:49:47:a8:38:7a:9b:b8:
>>                    32:04:4c:ad:6d:52:91:53:61:a3:fa:37:82:f4:38:cb
>>                Exponent: 65537 (0x10001)
>>        Signed Extensions:
>>            Name: Certificate Authority Key Identifier
>>            Key ID:
>>                ab:01:f6:f0:b1:f6:58:15:f9:0d:e6:35:83:44:ab:50:
>>                c3:13:4b:16
>>
>>            Name: Authority Information Access
>>            Method: PKIX Online Certificate Status Protocol
>>            Location:
>>                URI: "http://comipa01.<example>.gov:80/ca/ocsp"
>>
>>            Name: Certificate Key Usage
>>            Critical: True
>>            Usages: Digital Signature
>>                    Non-Repudiation
>>                    Key Encipherment
>>                    Data Encipherment
>>
>>            Name: Extended Key Usage
>>                TLS Web Server Authentication Certificate
>>                TLS Web Client Authentication Certificate
>>
>>    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>>    Signature:
>>        2d:e0:48:99:ca:e8:e3:33:40:de:9b:a9:bf:a0:37:98:
>>        d3:22:f7:d5:ff:a6:2b:fd:b3:fc:c8:c3:f0:16:ee:a5:
>>        44:5a:8d:d8:eb:eb:56:08:95:3e:48:2d:a1:be:a0:c2:
>>        64:a3:55:62:ab:42:3b:e6:ff:90:3e:0f:a2:59:2a:7a:
>>        c0:f3:81:bb:6d:27:6a:1d:12:41:89:cb:fc:cf:5d:fa:
>>        b5:f6:6d:b9:1a:b8:fb:cc:84:3c:5d:98:da:79:64:07:
>>        6f:c0:d1:9d:8a:e1:03:70:71:87:39:f6:fc:a0:4a:a2:
>>        43:57:0a:dc:33:6b:f4:4e:be:0a:5b:26:83:eb:e3:57:
>>        ad:aa:5c:d4:f7:1f:0d:38:f2:71:85:b0:27:9c:8e:57:
>>        01:51:b5:e8:e7:a4:9f:a0:0b:bd:96:45:ac:30:86:d5:
>>        b8:78:56:5e:29:3e:70:9d:80:b0:25:50:fc:c6:e1:a7:
>>        0a:1c:e9:da:1d:00:1f:53:9b:fd:9b:a9:74:1b:45:8f:
>>        7d:f0:c4:cc:ff:ae:1f:0f:3e:2d:8f:81:80:ee:27:38:
>>        f6:5b:39:b4:54:7c:56:c5:b4:0e:93:b8:24:18:42:70:
>>        5d:d3:7b:c9:db:be:14:22:1c:29:16:84:ab:4d:05:b0:
>>        7b:1b:7d:e4:94:0d:39:42:71:33:94:57:16:7b:90:6f
>>    Fingerprint (SHA-256):
>>        DD:B0:8E:6B:5F:61:D1:7C:29:ED:CB:8C:8D:7E:9F:94:BE:40:E7:8B:AD:55:ED:14:E9:32:C4:7A:F0:0A:F3:2C
>>    Fingerprint (SHA1):
>>        88:51:F1:8F:3A:BD:7E:24:0D:4D:4A:CE:94:FB:A9:75:14:82:58:FA
>>
>>    Certificate Trust Flags:
>>        SSL Flags:
>>            User
>>        Email Flags:
>>            User
>>        Object Signing Flags:
>>            User
>>
>>#ipa-getkeytab -s compia02.itmodev.gov -p host/comipa02.itmodev.gov -k /etc/krb5.keytab
>>Kerberos User Principal not found. Do you have a valid Credential Cache?
>So, let's start here.
>
>First above you have a typo: compia02.itmodev.gov versus comipa02.itmodev.gov. However, as this is your IPA master, I'm not sure why you need to re-retrieve its host keytab. Does user name resolution (getent passwd admin) work on the master? If it does, you *don't* need to change existing keytab.
>
>Second, in the output below we can see that certmonger needs a PIN for the request to proceed:
>>#ipa-getcert list
>>Number of certificates and requests being tracked: 2.
>>Request ID '20151007150853':
>>        status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>'Newly added request needs a PIN to read the key material'
>
>>        stuck: yes
>>        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
>>        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
>>        CA: IPA
>>        issuer:
>>        subject:
>>        expires: unknown
>>        pre-save command:
>>        post-save command:
>>        track: yes
>>        auto-renew: yes
>
>The PIN is in /etc/httpd/alias/pwdfile.txt, to supply it to certmonger, you need to re-submit the request and specify the pin:
>
>ipa-getcert resubmit -i 20151007150853 -p /etc/httpd/alias/pwdfile.txt
>
>--
>/ Alexander Bokovoy
>

-- 
/ Alexander Bokovoy
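The thread's diagnosis rests on reading `ipa-getcert list` output by eye: the ca-error on the request, the already-expired Server-Cert, the request stuck waiting for the NSS DB PIN, and the httpd tracking entry with no post-save restart command. Below is an added example (not code from the thread, from FreeIPA or from certmonger) that parses that text format into one record per request and reports those same conditions, so the check can run on every IPA server rather than only when something has already broken. The sample output, the request ids and the 2099 expiry in it are constructed for the example.

```python
"""Health check over the text output of `ipa-getcert list`.

Added example for this thread; not code from FreeIPA or certmonger.
It parses the list format into one record per request and flags the
conditions the thread runs into: a ca-error, an already-expired
certificate, a request stuck on the NSS DB PIN, and an httpd NSS DB
entry with no post-save command (so httpd never restarts after renewal).
"""
import re
from datetime import datetime, timezone

EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"

# Constructed sample modelled on the output quoted in the thread; the
# third request id and the 2099 expiry are made up for the example.
SAMPLE_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20151007150853':
        status: MONITORING
        ca-error: Unable to determine principal name for signing request.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=comipa02.example.gov,O=EXAMPLE.GOV
        expires: 2015-09-23 17:46:26 UTC
        post-save command:
        track: yes
Request ID '20150922143354':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        subject: CN=IPA RA,O=EXAMPLE.GOV
        expires: 2099-10-09 11:45:01 UTC
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
Request ID '20151001120000':
        status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
        expires: unknown
        post-save command:
        track: yes
"""


def parse_getcert_list(text):
    """Return a list of dicts, one per 'Request ID' block, keyed by field name."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only; values like the NSS DB spec contain '='
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests


def nss_location(req):
    """Extract the NSS DB directory from the 'certificate' field."""
    m = re.search(r"location='([^']+)'", req.get("certificate", ""))
    return m.group(1) if m else None


def check_requests(requests, now):
    """Return (request id, finding) pairs for the conditions discussed in the thread."""
    findings = []
    for req in requests:
        rid = req["id"]
        if req.get("ca-error"):
            findings.append((rid, "ca-error: " + req["ca-error"]))
        if req.get("status") == "NEWLY_ADDED_NEED_KEYINFO_READ_PIN":
            findings.append((rid, "waiting for the NSS DB PIN; resubmit with -p <pinfile>"))
        expires = req.get("expires", "")
        if expires and expires != "unknown":
            when = datetime.strptime(expires, EXPIRES_FMT).replace(tzinfo=timezone.utc)
            if when <= now:
                findings.append((rid, "certificate expired on " + expires))
        # The httpd NSS DB needs a restart hook, or httpd keeps serving the old cert.
        if nss_location(req) == "/etc/httpd/alias" and not req.get("post-save command"):
            findings.append((rid, "no post-save command; add -C /usr/lib64/ipa/certmonger/restart_httpd"))
    return findings


def check_output(text, now_str):
    """Parse and check; `now_str` uses the same format as the 'expires' field."""
    now = datetime.strptime(now_str, EXPIRES_FMT).replace(tzinfo=timezone.utc)
    return check_requests(parse_getcert_list(text), now)


if __name__ == "__main__":
    # On a real server: ipa-getcert list | python3 this_script.py (read sys.stdin instead)
    for rid, finding in check_output(SAMPLE_OUTPUT, "2015-10-08 13:00:24 UTC"):
        print(rid, finding)
```

Run against the constructed sample with the thread's date as "now", the first request yields three findings (the ca-error, the September expiry and the empty post-save command), the ipaCert entry yields none, and the PIN-blocked request yields two; feeding the script the live `ipa-getcert list` output instead of the sample gives the same report for a real server.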