
Re: [Freeipa-users] certificates not renewing CA_UNREACHEABLE

On Mon, Sep 19, 2016 at 5:27 PM, Rob Crittenden <rcritten redhat com> wrote:
Natxo Asenjo wrote:
hi,


On Fri, Sep 16, 2016 at 4:22 PM, Rob Crittenden <rcritten redhat com

Ok, how about we work around the problem.

Gladly ;-)
 
Since it is failing on the revocation what you might try is removing the userCertificate value from the ldap/kdc01.unix.iriszorg.nl service entry.

I think this will work:

$ ipa service-show ldap/kdc01.unix.iriszorg.nl |grep Serial
<note this down for later>

$ ipa service-mod --certificate= ldap/kdc01.unix.iriszorg.nl

If this doesn't work you can use ldapmodify to delete the usercertificate value.

This will remove the certificate value so there is nothing to revoke and a new cert will be saved (hopefully).

Now try to resubmit the request via certmonger.

If it works then you can run ipa cert-revoke <old serial #>

It isn't a great answer long-term because it is really just working around the problem but it should get the certs renewed.


ok, so I restarted the httpd service, then I could use ipa service-show:

$ ipa service-show ldap/kdc01.unix.iriszorg.nl |grep Serial
  Serial Number: 175
  Serial Number (hex): 0xAF
bash-4.1$ ipa service-mod --certificate= ldap/kdc01.unix.iriszorg.nl
---------------------------------------------------------------
Modified service "ldap/kdc01 unix iriszorg nl UNIX IRISZORG NL"
---------------------------------------------------------------
  Principal: ldap/kdc01 unix iriszorg nl UNIX IRISZORG NL
  Managed by: kdc01.unix.iriszorg.nl


bash-4.1$ sudo ipa-getcert resubmit -i 20121107212513
Resubmitting "20121107212513" to "IPA".
bash-4.1$ sudo getcert list
Number of certificates and requests being tracked: 8.
Request ID '20121107212513':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-UNIX-IRISZORG-NL/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
        subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
        expires: 2016-10-12 10:49:24 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib/ipa/certmonger/restart_dirsrv UNIX-IRISZORG-NL
        track: yes
        auto-renew: yes



the certificate is gone:
$ ipa service-show ldap/kdc01.unix.iriszorg.nl
ipa: ERROR: Could not create log_dir u'/home/jose.admin/.ipa/log'
  Principal: ldap/kdc01 unix iriszorg nl UNIX IRISZORG NL
  Keytab: True
  Managed by: kdc01.unix.iriszorg.nl


But then I thought, what the hell, let's try again, restarted httpd, resubmitted it, and now it did work ;-)

$ ipa service-show ldap/kdc01.unix.iriszorg.nl
  Principal: ldap/kdc01 unix iriszorg nl UNIX IRISZORG NL
  Certificate: [base64 certificate value elided]
  Keytab: True
  Managed by: kdc01.unix.iriszorg.nl
  Subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
  Serial Number: 245
  Serial Number (hex): 0xF5
  Issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
  Not Before: Tue Sep 20 08:06:58 2016 UTC
  Not After: Fri Sep 21 08:06:58 2018 UTC
  Fingerprint (MD5): f8:d3:cb:6f:4c:ca:e4:f3:47:65:51:d3:2c:69:84:df
  Fingerprint (SHA1): e3:0a:66:19:d7:36:fe:c4:ff:58:bf:90:35:3e:0b:31:cb:a0:58:37

So I could revoke the old one:

$ ipa cert-revoke 175
  Revoked: True


and now getcert list shows the certificate is ok:

Number of certificates and requests being tracked: 8.
Request ID '20121107212513':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-UNIX-IRISZORG-NL/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
        subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
        expires: 2018-09-21 08:06:58 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib/ipa/certmonger/restart_dirsrv UNIX-IRISZORG-NL
        track: yes
        auto-renew: yes


So one down, two to go, it seems.




--
Groeten,
natxo
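The steps Rob outlined and Natxo walked through above (note the serial, clear the stored certificate, resubmit the certmonger request, then revoke the old serial only once the new certificate is in place) can be scripted so the revocation never runs ahead of a successful renewal. The script below is an added example, not code from the thread or from the FreeIPA project. It assumes the `ipa` and `getcert` commands are on PATH, an admin Kerberos ticket is held, sudo can run `getcert`, and the installed certmonger accepts `getcert list -i <request id>` to filter by request ID. The two parser functions take the command output on stdin, so they can be checked against captured text like the listings in this thread; the principal and request ID values in the comments are constructed placeholders. It does not try to recover from the "Failure decoding Certificate Signing Request" error seen on the first resubmit; it just reports the state it got stuck in and leaves the old certificate unrevoked.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Automates the workaround described above:
# record the old serial, clear userCertificate, resubmit via certmonger, and revoke
# the superseded serial only after the request reaches MONITORING.
# Assumes: ipa and getcert on PATH, an admin Kerberos ticket, sudo rights for getcert,
# and a certmonger whose `getcert list -i` filters by request ID.
set -euo pipefail

# Print the decimal serial number from `ipa service-show` output read on stdin.
# Skips the "Serial Number (hex):" line and prints nothing when no certificate is stored.
extract_serial() {
    awk -F': *' '!found && /^[ \t]*Serial Number:/ { print $2; found = 1 }'
}

# Print the status of one request ID from `getcert list` output read on stdin.
# Usage: request_status REQUEST_ID < getcert_output
request_status() {
    local request_id=$1
    awk -v id="$request_id" -v q="'" '
        /^Request ID/ { inblock = (index($0, "Request ID " q id q) > 0) }
        inblock && !found && /^[ \t]*status:/ {
            sub(/^[ \t]*status:[ \t]*/, ""); print; found = 1
        }
    '
}

# Run the workaround for one service principal (e.g. ldap/host.example.test,
# a constructed placeholder) and its certmonger request ID.
renew_via_workaround() {
    local principal=$1 request_id=$2
    local old_serial status=""

    old_serial=$(ipa service-show "$principal" | extract_serial)
    if [ -z "$old_serial" ]; then
        echo "no certificate stored on $principal; nothing to clear" >&2
        return 1
    fi
    echo "old serial for $principal: $old_serial (kept for the revocation step)"

    # Clear userCertificate so the renewal has nothing to revoke.
    ipa service-mod --certificate= "$principal"

    # Resubmit the tracked request and poll until certmonger leaves its retry states.
    sudo ipa-getcert resubmit -i "$request_id"
    for _ in $(seq 1 24); do
        status=$(sudo getcert list -i "$request_id" | request_status "$request_id")
        case "$status" in
            MONITORING) break ;;
            CA_UNREACHABLE|CA_WORKING|SUBMITTING) sleep 5 ;;
            *) echo "request $request_id in unexpected state '$status'" >&2; return 1 ;;
        esac
    done
    if [ "$status" != MONITORING ]; then
        echo "request $request_id still $status after polling; not revoking $old_serial" >&2
        return 1
    fi

    # The new certificate is saved and tracked, so the old serial can be revoked safely.
    ipa cert-revoke "$old_serial"
}

# Usage: ./renew_workaround.sh <service principal> <certmonger request id>
if [ "$#" -eq 2 ]; then
    renew_via_workaround "$1" "$2"
fi
```

Keeping the revocation behind the MONITORING check matters: in the thread the first resubmit came back CA_UNREACHABLE, and revoking serial 175 at that point would have left the directory server with no valid certificate at all.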
