Default Trust View --> not able to resolve AD user on clients
by Pieter Baele
Hi,
We only used the default trust view. Recently a colleague added another ID
View.
After that, when adding a lot of new users from AD with overrides in the
Default Trust View, we were not able to resolve the new users (id: 'xxxxxx':
no such user) on IPA clients. No problem on the IPA servers (at first sight).
After searching a lot on different parameters (pam_id_timeout etc.) and
clearing caches, we found that the problem disappeared
when adding users to a new ID View and removing them from the Default Trust
View.
Running latest on RHEL 7.x (VERSION: 4.6.8, API_VERSION: 2.237)
Any similar reports?
Sincerely Pieter
FreeIPA - Windows 10 Dynamic Dns Updates
by Ben Lewis
Hi All,
I have installed a FreeIPA server and configured a Windows 10 client to authenticate against it. I am able to log in to the Windows machine against the IPA realm; the issue I am seeing relates to the Windows client updating its DNS records. I could see ZONENAME/IN denied errors in /var/log/messages, and I also noticed in /var/log/krb5kdc.log that at around the same time the DNS update errors occur I see a Kerberos error. It seems that the Windows host is attempting to obtain a ticket using the format COMPUTERNAME$(a)EXAMPLE.COM instead of the FQDN.
I am using Free IPA Server 4.8.4-7 on a Centos 8.2 server.
I have a host and principal in freeipa for the Windows host.
replica install DNS failure on master CNAME
by Stijn De Weirdt
hello,
we are trying to migrate our ipa setup to el8, and are adding an el8 host
as a replica.
however, this master is somewhat special as it involves classless
delegation. it is part of a /27 subnet, so we added it as a ptr record
to 0/27.the.24.prefix, and put a cname on the ip in the.24.prefix (not
sure i'm using the correct terminology here, but it's done as described
in https://www.freeipa.org/page/Howto/DNS_classless_IN-ADDR.ARPA_delegation)
the master is a functional ipa client before the replica-install is started.
running the ipa-replica-install --setup-dns, we get an error:
the installer seems to try to always add the master ip as a ptr record,
and treats duplicates and something called an EmptyModlist as ok.
however, in our case, there's a cname in place, and our install fails
with a
> 2020-11-26T07:52:36Z DEBUG The ipa-replica-install command failed, exception: ValidationError: invalid 'cnamerecord': CNAME record is not allowed to coexist with any other record (RFC 1034, section 3.6.2)
my question is the following: is there any hard requirement for a fully
functional master to have a ptr record instead of a cname (and/or is it
allowed to use the classless setup for a master).
if not, is it ok to comment out the part of the install code that tries
to add this record, and retry the install?
there is a similar/identical issue reported 2 years ago
https://pagure.io/freeipa/issue/7693 (and the bugzilla referenced
there), but there is a comment "from IPA team" that says "I don't know
if using this also for IPA server is a good or desired thing."; so some
feedback/guidance is welcome.
many thanks,
stijn
error log
> 2020-11-26T07:52:36Z DEBUG step duration: named __generate_rndc_key 0.03 sec
> 2020-11-26T07:52:36Z DEBUG [2/8]: setting up our own record
> 2020-11-26T07:52:36Z DEBUG raw: dnszone_show('our.domain', version='2.235')
> 2020-11-26T07:52:36Z DEBUG dnszone_show(<DNS name our.domain.>, rights=False, all=False, raw=False, version='2.235')
> 2020-11-26T07:52:36Z DEBUG raw: dnsrecord_add('our.domain', 'hostname', arecord='1.2.3.4', version='2.235')
> 2020-11-26T07:52:36Z DEBUG dnsrecord_add(<DNS name our.domain.>, <DNS name hostname>, arecord=('1.2.3.4',), a_extra_create_reverse=False, aaaa_extra_create_reverse=False, force=False, structured=False, all=False, raw=False, version='2.235')
> 2020-11-26T07:52:36Z DEBUG raw: dnszone_show('4.3.2.1.in-addr.arpa.', version='2.235')
> 2020-11-26T07:52:36Z DEBUG dnszone_show(<DNS name 4.3.2.1.in-addr.arpa.>, rights=False, all=False, raw=False, version='2.235')
> 2020-11-26T07:52:36Z DEBUG raw: dnszone_show('3.2.1.in-addr.arpa.', version='2.235')
> 2020-11-26T07:52:36Z DEBUG dnszone_show(<DNS name 3.2.1.in-addr.arpa.>, rights=False, all=False, raw=False, version='2.235')
> 2020-11-26T07:52:36Z DEBUG raw: dnsrecord_add('3.2.1.in-addr.arpa.', '5', ptrrecord='hostname.our.domain.', version='2.235')
> 2020-11-26T07:52:36Z DEBUG dnsrecord_add(<DNS name 3.2.1.in-addr.arpa.>, <DNS name 5>, a_extra_create_reverse=False, aaaa_extra_create_reverse=False, ptrrecord=('hostname.our.domain.',), force=False, structured=False, all=False, raw=False, version='2.235')
> 2020-11-26T07:52:36Z DEBUG Traceback (most recent call last):
> File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 603, in start_creation
> run_step(full_msg, method)
> File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 589, in run_step
> method()
> File "/usr/lib/python3.6/site-packages/ipaserver/install/bindinstance.py", line 921, in __add_self
> self.__add_master_records(self.fqdn, self.ip_addresses)
> File "/usr/lib/python3.6/site-packages/ipaserver/install/bindinstance.py", line 918, in __add_master_records
> add_ptr_rr(reverse_zone, addr, fqdn, None, api=self.api)
> File "/usr/lib/python3.6/site-packages/ipaserver/install/bindinstance.py", line 414, in add_ptr_rr
> add_rr(zone, name, "PTR", normalize_zone(fqdn), dns_backup, api)
> File "/usr/lib/python3.6/site-packages/ipaserver/install/bindinstance.py", line 397, in add_rr
> api.Command.dnsrecord_add(unicode(zone), unicode(name), **addkw)
> File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 450, in __call__
> return self.__do_call(*args, **options)
> File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 478, in __do_call
> ret = self.run(*args, **options)
> File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 800, in run
> return self.execute(*args, **options)
> File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dns.py", line 3655, in execute
> result = super(dnsrecord_add, self).execute(*keys, **options)
> File "/usr/lib/python3.6/site-packages/ipaserver/plugins/baseldap.py", line 1199, in execute
> *keys, **options)
> File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dns.py", line 3647, in pre_callback
> self.obj.check_record_type_collisions(keys, rrattrs)
> File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dns.py", line 3261, in check_record_type_collisions
> error=_('CNAME record is not allowed to coexist '
> ipalib.errors.ValidationError: invalid 'cnamerecord': CNAME record is not allowed to coexist with any other record (RFC 1034, section 3.6.2)
>
> 2020-11-26T07:52:36Z DEBUG [error] ValidationError: invalid 'cnamerecord': CNAME record is not allowed to coexist with any other record (RFC 1034, section 3.6.2)
> 2020-11-26T07:52:36Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute
> return_value = self.run()
> File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 340, in run
> return cfgr.run()
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
> return self.execute()
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
> for rval in self._executor():
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
> exc_handler(exc_info)
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
> self._handle_exception(exc_info)
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
> six.reraise(*exc_info)
> File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
> raise value
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
> step()
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
> step = lambda: next(self.__gen)
> File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
> six.reraise(*exc_info)
> File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
> raise value
> File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
> value = gen.send(prev_value)
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure
> next(executor)
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
> exc_handler(exc_info)
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
> self._handle_exception(exc_info)
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
> self.__parent._handle_exception(exc_info)
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
> six.reraise(*exc_info)
> File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
> raise value
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
> super(ComponentBase, self)._handle_exception(exc_info)
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
> six.reraise(*exc_info)
> File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
> raise value
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
> step()
> File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
> step = lambda: next(self.__gen)
> File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
> six.reraise(*exc_info)
> File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
> raise value
> File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
> value = gen.send(prev_value)
> File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
> for unused in self._installer(self.parent):
> File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 597, in main
> replica_install(self)
> File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 402, in decorated
> func(installer)
> File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 1339, in install
> dns.install(False, True, options, api)
> File "/usr/lib/python3.6/site-packages/ipaserver/install/dns.py", line 342, in install
> bind.create_instance()
> File "/usr/lib/python3.6/site-packages/ipaserver/install/bindinstance.py", line 774, in create_instance
> self.start_creation()
> File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 603, in start_creation
> run_step(full_msg, method)
> File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 589, in run_step
> method()
> File "/usr/lib/python3.6/site-packages/ipaserver/install/bindinstance.py", line 921, in __add_self
> self.__add_master_records(self.fqdn, self.ip_addresses)
> File "/usr/lib/python3.6/site-packages/ipaserver/install/bindinstance.py", line 918, in __add_master_records
> add_ptr_rr(reverse_zone, addr, fqdn, None, api=self.api)
> File "/usr/lib/python3.6/site-packages/ipaserver/install/bindinstance.py", line 414, in add_ptr_rr
> add_rr(zone, name, "PTR", normalize_zone(fqdn), dns_backup, api)
> File "/usr/lib/python3.6/site-packages/ipaserver/install/bindinstance.py", line 397, in add_rr
> api.Command.dnsrecord_add(unicode(zone), unicode(name), **addkw)
> File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 450, in __call__
> return self.__do_call(*args, **options)
> File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 478, in __do_call
> ret = self.run(*args, **options)
> File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 800, in run
> return self.execute(*args, **options)
> File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dns.py", line 3655, in execute
> result = super(dnsrecord_add, self).execute(*keys, **options)
> File "/usr/lib/python3.6/site-packages/ipaserver/plugins/baseldap.py", line 1199, in execute
> *keys, **options)
> File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dns.py", line 3647, in pre_callback
> self.obj.check_record_type_collisions(keys, rrattrs)
> File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dns.py", line 3261, in check_record_type_collisions
> error=_('CNAME record is not allowed to coexist '
>
> 2020-11-26T07:52:36Z DEBUG The ipa-replica-install command failed, exception: ValidationError: invalid 'cnamerecord': CNAME record is not allowed to coexist with any other record (RFC 1034, section 3.6.2)
> 2020-11-26T07:52:36Z ERROR invalid 'cnamerecord': CNAME record is not allowed to coexist with any other record (RFC 1034, section 3.6.2)
> 2020-11-26T07:52:36Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
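The collision the install log reports, modelled in an added example (not FreeIPA's own installer code): a simplified version of the installer's reverse-zone lookup and of the RFC 1034 section 3.6.2 rule that dnsrecord_add enforces, run against a classless delegation set up as in the howto. Addresses (192.0.2.0/24 with a /27 delegation), zone and host names are constructed; resolve_ptr shows that a PTR placed in the delegated zone is still reachable through the CNAME.

```python
"""PTR-vs-CNAME collision behind the failed replica install (added example,
not FreeIPA code; addresses and names are constructed)."""
from __future__ import annotations

import ipaddress

# zone -> owner name (zone-relative) -> rrtype -> list of rdata
Zones = dict[str, dict[str, dict[str, list[str]]]]


class RecordCollision(Exception):
    """Stands in for FreeIPA's ValidationError on 'cnamerecord'."""


def ptr_name(ip: str) -> str:
    """Fully qualified in-addr.arpa name for an IPv4 address."""
    return ipaddress.IPv4Address(ip).reverse_pointer + "."


def classless_owner(ip: str, prefixlen: int) -> tuple[str, str]:
    """(delegated zone, owner) for a PTR under an RFC 2317 delegation, e.g.
    192.0.2.37 in a /27 -> ('32/27.2.0.192.in-addr.arpa.', '37')."""
    net = ipaddress.IPv4Network(f"{ip}/{prefixlen}", strict=False)
    last_octet, parent = ptr_name(ip).split(".", 1)
    return f"{net.network_address.packed[3]}/{prefixlen}.{parent}", last_octet


def find_reverse_zone(ip: str, zones: Zones) -> tuple[str, str] | None:
    """The installer's search: drop leading labels from the PTR name until a
    zone of that name exists. A classless '32/27.' zone is never a suffix of
    the PTR name, so this can only land in the parent /24."""
    labels = ptr_name(ip).split(".")
    for i in range(1, len(labels) - 2):
        zone = ".".join(labels[i:])
        if zone in zones:
            return zone, ".".join(labels[:i])
    return None


def check_record_type_collisions(owner_rrs: dict[str, list[str]], rrtype: str) -> None:
    """RFC 1034 section 3.6.2: a CNAME owner name may carry no other data."""
    others = [t for t in owner_rrs if t != rrtype]
    if "CNAME" in others or (rrtype == "CNAME" and others):
        raise RecordCollision(
            "invalid 'cnamerecord': CNAME record is not allowed to coexist "
            "with any other record (RFC 1034, section 3.6.2)")


def add_rr(zones: Zones, zone: str, owner: str, rrtype: str, rdata: str) -> bool:
    """Add one record; an identical record already present is not an error
    (the 'duplicates are ok' behaviour the post mentions) and returns False."""
    check_record_type_collisions(zones[zone].get(owner, {}), rrtype)
    rrset = zones[zone].setdefault(owner, {}).setdefault(rrtype, [])
    if rdata in rrset:
        return False
    rrset.append(rdata)
    return True


def add_master_ptr(zones: Zones, ip: str, fqdn: str) -> str:
    """What the installer's __add_master_records step does for one address."""
    found = find_reverse_zone(ip, zones)
    if found is None:
        return "no reverse zone found, PTR skipped"
    zone, owner = found
    add_rr(zones, zone, owner, "PTR", fqdn)  # raises RecordCollision on a CNAME owner
    return f"PTR added at {owner}.{zone}"


def resolve_ptr(zones: Zones, ip: str, max_hops: int = 4) -> list[str]:
    """Resolver view: longest-suffix zone match, then follow CNAMEs (which here
    cross from the parent zone into the delegated one)."""
    qname = ptr_name(ip)
    for _ in range(max_hops):
        zone = max((z for z in zones if qname.endswith("." + z)), key=len, default=None)
        if zone is None:
            return []
        owner_rrs = zones[zone].get(qname[: -len(zone) - 1], {})
        if "PTR" in owner_rrs:
            return owner_rrs["PTR"]
        if "CNAME" not in owner_rrs:
            return []
        qname = owner_rrs["CNAME"][0]
    return []


def build_zones() -> Zones:
    """Constructed howto-style setup: the parent /24 delegates 192.0.2.32/27
    and CNAMEs the host's reverse name into the delegated zone."""
    delegated, owner = classless_owner("192.0.2.37", 27)
    parent = "2.0.192.in-addr.arpa."
    zones: Zones = {parent: {}, delegated: {}}
    add_rr(zones, parent, delegated[: -len(parent) - 1], "NS", "ns1.example.test.")
    add_rr(zones, parent, owner, "CNAME", f"{owner}.{delegated}")
    return zones


def demo() -> tuple[str, list[str]]:
    """(what the installer step reports, what a resolver sees once the PTR is
    placed in the delegated zone instead)."""
    zones = build_zones()
    try:
        outcome = add_master_ptr(zones, "192.0.2.37", "replica.example.test.")
    except RecordCollision as exc:
        outcome = str(exc)  # the same message as in the install log
    zone, owner = classless_owner("192.0.2.37", 27)
    add_rr(zones, zone, owner, "PTR", "replica.example.test.")
    return outcome, resolve_ptr(zones, "192.0.2.37")
```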
Replication Error
by Ronald Wimmer
By coincidence I found something in /var/log/messages that does not look
too good:
Oct 2 09:41:30 pipa02.linux.mydomain.at ns-slapd[1905]: [02/Oct/2020:09:41:30.887447735 +0200] - ERR - NSMMReplicationPlugin - send_updates - agmt="cn=pipa02.linux.oebb.at-to-pipa06.linux.mydomain.at" (pipa06:389): Data required to update replica has been purged from the changelog. If the error persists the replica must be reinitialized.
The error seems to persist. What has to be done? Do I have to uninstall
the IPA replica and do an ipa-replica-install again?
Cheers,
Ronald
recover - Entry "cn=schema" single-valued attribute "nsSchemaCSN" has multiple values - how?
by lejeczek
Hi guys.
One of IPA masters somehow got itself into trouble:
[25/Nov/2020:10:42:51.918481532 +0000] - ERR - slapi_entry_schema_check_ext - Entry "cn=schema" single-valued attribute "nsSchemaCSN" has multiple values
[25/Nov/2020:10:42:51.924870263 +0000] - ERR - setup_internal_backends - Please edit the file to correct the reported problems and then restart the server.
It would be nice to know how such a case can occur, but the most
important question is: how to fix it?
Any suggestions I'll greatly appreciate.
many thanks, L.
how to create system user account, hide ipa data from users, have a default group list
by Jelle de Jong
Hello everybody,
1. How can I make a system user like the admin account, only without
admin rights, but still available with the id and getent tools? I need a
machine account that holds a Kerberos ticket. A normal user shows up
everywhere through LDAP; the admin user does not, but is still available
in sssd and other integrations.
2. How can I hide the telephone number, address data etc. from the public
active user list, so not all users can access this data? Is it possible
to hide all the active users from each other?
3. How can I configure multiple default groups for newly created users, so
a list like ipausers, groupone, grouptwo?
4. Thank you!
Kind regards,
Jelle de Jong
Unable to remove incomplete replication entry - topology plugin?
by Robert.Mattson@L3Harris.com
Dear FreeIPA Community,
We're having a problem joining a host to an IPA realm.
We created a host account in the realm and added that host to the IPA replicas group.
We installed the ipa-client and ipa-server RPMs on the incoming replica (host2). After running ipa-client-install we used ipa-replica-install to upgrade it to a replica; the data replication phase inside the replica-install process failed because the time on the replica was many hours ahead of the existing master/replica in the realm.
In other failed installs where this occurs (typically VM development environments where snapshotting is frequent), we've had success forcing removal of the failed replica using ipa host-del <hostname> --force, or if necessary an 'ipa-replica-manage clean-dangling-ruv' or 'ipa-replica-manage clean-ruv <n>' to help remove left-over data. Should that fail, manually removing the LDAP entry corresponding to the incoming host is necessary; the stale entry is:
cn=meTohost2.system,cn=replica,cn=dc\3Dsystem,cn=mapping tree,cn=config
When we attempt to delete that entry in the LDAP tree, 389-ds rejects the operation and logs the message: "RESULT err=53 tag=107 nentries=0 etime=0.0002043881 - Entry is managed by topology plugin.Deletion not allowed".
How can we remove data from the replica to attempt to re-join the failed host?
Both the incoming replica and the existing realm master/replica are running CentOS 7.6:
ipa-client-4.6.4-10.el7.centos.3.x86_64
ipa-client-common-4.6.4-10.el7.centos.3.noarch
ipa-common-4.6.4-10.el7.centos.3.noarch
ipa-server-4.6.4-10.el7.centos.3.x86_64
ipa-server-common-4.6.4-10.el7.centos.3.noarch
Thanks in advance,
Rob
Re: subsystemCert appears out of date
by Florence Blanc-Renaud
On 11/24/20 9:54 AM, Marc Pearson | i-Neda Ltd wrote:
> Hi Flo,
>
> I'm getting a database error when running that command:
>
> # certutil -L -d /etc/dirsrc/slapd-INT-I-NEDA-COM
> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
>
Sorry, I made a typo, it should be dirsrv, not dirsrc:
# certutil -L -d /etc/dirsrv/slapd-INT-I-NEDA-COM
flo
>
> Not sure if that's of any help?
>
> Marc.
>
> -----Original Message-----
> From: Florence Blanc-Renaud <flo(a)redhat.com>
> Sent: 21 November 2020 19:06
> To: Marc Pearson | i-Neda Ltd <mpearson(a)i-neda.com>; FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> Subject: Re: [Freeipa-users] subsystemCert appears out of date
>
> On 11/18/20 12:23 PM, Marc Pearson | i-Neda Ltd wrote:
>> Hi Flo,
>>
>> Thanks for the information. I've tried to run the cert fix utility just now and I'm hitting an issue, ironically with the SSL certificate:
>>
>> [root@red-auth01 ~]# ipa-cert-fix
>> Failed to get Server-Cert
>> The ipa-cert-fix command failed.
>>
> Hi,
> I failed to notice the first time but there is no tracking for the LDAP cert that is stored in /etc/dirsrv/slapd-$DOMAIN/. What is the output of
> # certutil -L -d /etc/dirsrc/slapd-$DOMAIN
> You should see Server-Cert (=the ldap server certificate), or maybe a different nickname is used?
>
> flo
>
>> From the message log:
>> Nov 18 11:18:32 red-auth01 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
>> Nov 18 11:18:32 red-auth01 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
>> Nov 18 11:18:33 red-auth01 certmonger: 2020-11-18 11:18:33 [1164] Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
>> Nov 18 11:18:35 red-auth01 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
>> Nov 18 11:18:35 red-auth01 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
>> Nov 18 11:18:35 red-auth01 certmonger: 2020-11-18 11:18:35 [1164] Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
>>
>> Any advice?
>>
>> Marc.
>>
>> -----Original Message-----
>> From: Florence Blanc-Renaud <flo(a)redhat.com>
>> Sent: 17 November 2020 10:57
>> To: Marc Pearson | i-Neda Ltd <mpearson(a)i-neda.com>; FreeIPA users
>> list <freeipa-users(a)lists.fedorahosted.org>
>> Subject: Re: [Freeipa-users] subsystemCert appears out of date
>>
>> On 11/17/20 10:19 AM, Marc Pearson | i-Neda Ltd wrote:
>>> Hi Flo,
>>>
>>> Thanks for the help. Included is the output of all the commands as
>>> you requested. These were all run from a single freeIPA server (red-auth01).
>>>
>>> kinit admin; ipa server-role-find --role "CA server"
>>> Password for admin(a)INT.I-NEDA.COM:
>>> ----------------------
>>> 8 server roles matched
>>> ----------------------
>>>   Server name: power-auth03.int.i-neda.com
>>>   Role name: CA server
>>>   Role status: enabled
>>>
>>>   Server name: power-auth04.int.i-neda.com
>>>   Role name: CA server
>>>   Role status: absent
>>>
>>>   Server name: red-auth01.int.i-neda.com
>>>   Role name: CA server
>>>   Role status: enabled
>>>
>>>   Server name: red-auth02.int.i-neda.com
>>>   Role name: CA server
>>>   Role status: enabled
>>>
>>>   Server name: red-auth03.int.i-neda.com
>>>   Role name: CA server
>>>   Role status: enabled
>>>
>>>   Server name: red-auth04.int.i-neda.com
>>>   Role name: CA server
>>>   Role status: enabled
>>>
>>>   Server name: white-auth01.int.i-neda.com
>>>   Role name: CA server
>>>   Role status: enabled
>>>
>>>   Server name: white-auth02.int.i-neda.com
>>>   Role name: CA server
>>>   Role status: enabled
>>> ----------------------------
>>> Number of entries returned 8
>>> ----------------------------
>>>
>>>
>>> kinit admin; ipa config-show | grep "renewal"
>>> Password for admin(a)INT.I-NEDA.COM:
>>>   IPA CA renewal master: red-auth01.int.i-neda.com
>>>
>>>
>>> rpm -qa | grep ipa-server
>>> ipa-server-common-4.6.8-5.el7.centos.noarch
>>> ipa-server-4.6.8-5.el7.centos.x86_64
>>> ipa-server-dns-4.6.8-5.el7.centos.noarch
>>>
>>>
>>> getcert list
>>> Number of certificates and requests being tracked: 8.
>>> Request ID '20171101175244':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
>>> certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
>>> CA: SelfSign
>>> issuer: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM
>>> subject: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM
>>> expires: 2021-08-10 14:04:07 UTC
>>> principal name: krbtgt/INT.I-NEDA.COM(a)INT.I-NEDA.COM
>>> certificate template/profile: KDCs_PKINIT_Certs
>>> pre-save command:
>>> post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
>>> track: yes
>>> auto-renew: yes
>>>
>>> Request ID '20180722081853':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>>> subject: CN=CA Audit,O=INT.I-NEDA.COM
>>> expires: 2022-09-16 12:36:41 UTC
>>> key usage: digitalSignature,nonRepudiation
>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>>
>>> Request ID '20180722081854':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>>> subject: CN=OCSP Subsystem,O=INT.I-NEDA.COM
>>> expires: 2022-09-16 12:35:31 UTC
>>> eku: id-kp-OCSPSigning
>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20180722081855':
>>> status: CA_UNREACHABLE
>>> ca-error: Error 58 connecting to
>>> https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview:
>>> Problem with the local SSL certificate.
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>>> subject: CN=CA Subsystem,O=INT.I-NEDA.COM
>>> expires: 2020-10-24 07:04:35 UTC
>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>>
>>> Request ID '20180722081856':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>>> subject: CN=Certificate Authority,O=INT.I-NEDA.COM
>>> expires: 2040-10-10 07:51:04 UTC
>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>>
>>> Request ID '20180722081857':
>>> status: CA_UNREACHABLE
>>> ca-error: Error 58 connecting to
>>> https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview:
>>> Problem with the local SSL certificate.
>>> stuck: no
>>> key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>>> certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>>> subject: CN=IPA RA,O=INT.I-NEDA.COM
>>> expires: 2020-10-24 07:03:24 UTC
>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>> track: yes
>>> auto-renew: yes
>>>
>>> Request ID '20180722081858':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>>> subject: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM
>>> expires: 2021-02-09 11:59:57 UTC
>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>>
>>> Request ID '20200530130439':
>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>> stuck: yes
>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
>>> CA: IPA
>>> issuer:
>>> subject:
>>> expires: unknown
>>> pre-save command:
>>> post-save command:
>>> track: yes
>>> auto-renew: yes
>>>
>> Hi Marc,
>>
>> so the current situation is the following:
>> - red-auth01 is the renewal master, with multiple replicas hosting the CA role.
>> - on this server, 'subsystemCert cert-pki-ca' is expired (expires:
>> 2020-10-24 07:04:35 UTC) as well as /var/lib/ipa/ra-agent.pem (expires:
>> 2020-10-24 07:03:24 UTC).
>> - there is also an issue with the tracking of the cert used by HTTP
>>
>> But one of your comments is puzzling me:
>>
>>> The signing SSL (int.i-neda.com) is a full wildcard block chain that
>>> is authorized by a recognised 3rd party. It's worth noting though,
>>> that we had some issues with the block chain back in April as the
>>> third party's block chain expired. So it's possible that this is as a
>>> result of that issue, and may require some fettling to resolve. All help is appreciated.
>> Did you import the new CA chain at that time using ipa-cacert-manage install / ipa-certupdate?
>>
>> According to getcert output, the IPA CA is now self-signed. It looks a lot like issue https://pagure.io/freeipa/issue/8176 where the externally-signed IPA CA is renewed/replaced with a self-signed CA.
>>
>> As you have ipa 4.6.8-5, the ipa-cert-fix utility is available on your system. It will be easier to use this tool to fix the server:
>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#renewing-expired-system-certificate-when-idm-is-offline
>>
>> Once the systems are up again, you can switch back to an externally-signed ipa CA:
>> - import the external CA chain using ipa-cacert-manage install + run ipa-certupdate on all the ipa nodes
>> - switch to externally-signed CA with ipa-cacert-manage renew --external-ca command
>> (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#manual-cert-renewal-ext)
>>
>> HTH,
>> flo
>>>
>>> My current temporary workaround is to set the local clock of the OS
>>> back by over a month so the server believes the expired CAs are still valid.
>>>
>>> Kind Regards,
>>>
>>> Marc.
>>> ------------------------------------------------------------------------
>>> *From:* Florence Blanc-Renaud <flo(a)redhat.com>
>>> *Sent:* 16 November 2020 14:35
>>> *To:* FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
>>> *Cc:* Marc Pearson | i-Neda Ltd <mpearson(a)i-neda.com>
>>> *Subject:* Re: [Freeipa-users] subsystemCert appears out of date
>>> On 11/16/20 10:03 AM, Marc Pearson | i-Neda Ltd via FreeIPA-users wrote:
>>>> Hi All,
>>>>
>>>> My subsystem cert appears to have gone out of date, and I'm
>>>> unable to get it to update. This has become an issue on my
>>>> production environment, and my current workaround has been to take
>>>> the system date back by a month. I've tried the cert renew
>>>> tool, but this doesn't seem to have updated this cert.
>>>>
>>>> Is anyone able to point me in the right direction to be able to
>>>> update this specific certificate as I've been unable to find anything online.
>>>>
>>>> [auth01 ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'
>>>>
>>>> Certificate:
>>>>     Data:
>>>>         Version: 3 (0x2)
>>>>         Serial Number: 42 (0x2a)
>>>>         Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>>>>         Issuer: "CN=Certificate Authority,O=INT.I-NEDA.COM"
>>>>         Validity:
>>>>             Not Before: Sun Nov 04 08:04:35 2018
>>>>             Not After : Sat Oct 24 07:04:35 2020
>>>>         Subject: "CN=CA Subsystem,O=INT.I-NEDA.COM"
>>>>         Subject Public Key Info:
>>>>             Public Key Algorithm: PKCS #1 RSA Encryption
>>>>             RSA Public Key:
>>>>                 Modulus:
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, c6:7e:e6:40:8f:6e:77:07:8f:2a:ca:ca:63:63:cf:c6:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 5f:1c:09:63:4a:bb:17:68:17:cd:20:9b:f3:b0:5b:c0:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, f7:ff:72:07:1d:a2:29:93:61:62:5c:9f:04:d3:cb:7b:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, bf:53:de:bb:dd:d6:3f:a1:14:95:04:53:64:87:73:24:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, e3:61:66:96:ab:99:1f:2c:da:ec:22:e5:21:b1:5c:d5:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 0a:dd:4e:3f:f8:e2:90:a1:55:31:ad:11:2f:3b:d3:90:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 14:dc:b7:9d:fc:35:1a:ab:48:27:68:0a:9f:cb:95:14:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 00:93:b8:d4:d4:30:de:4e:be:20:a3:01:24:e8:f2:4a:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 1a:d2:b6:e0:09:77:3d:24:e3:5a:cf:51:d6:ca:d2:65:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 53:62:72:64:fe:7d:53:09:0e:97:b8:61:c9:c8:6d:24:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 52:15:f2:bf:40:04:38:24:22:73:fb:80:a0:ff:16:57:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, e1:0b:3c:71:02:d7:e6:2e:94:0a:e7:4e:aa:5e:6f:91:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, a5:68:65:21:cd:68:0c:2d:5d:53:fa:e0:10:75:47:43:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 04:f2:8b:e1:1c:1c:ed:a6:c1:ee:5c:6c:72:51:b5:e6:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, cd:f9:06:45:17:00:2b:d7:34:75:8a:59:f2:21:97:c6:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã,Â
>>>> Ã, Ã, Ã, 63:d3:6f:54:d9:00:42:74:88:9e:94:d0:d4:d2:a1:b7
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã,Â
>>>> Exponent: 65537 (0x10001)
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Signed Extensions:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Name: Certificate
>>>> Authority Key Identifier
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Key ID:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, f2:bb:9c:4f:e3:d8:c3:f9:58:eb:cc:5f:f7:be:8c:d6:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã,Â
>>>> d5:08:c0:3a
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Name: Authority
>>>> Information Access
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Method: PKIX Online
>>>> Certificate Status Protocol
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Location:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, URI: "http://ipa-ca.int.i-neda.com/ca/ocsp"
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Name: Certificate
>>>> Key Usage
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Critical: True
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Usages: Digital
>>>> Signature
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã,Â
>>>> Ã, Ã, Ã, Non-Repudiation
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã,Â
>>>> Ã, Ã, Ã, Key Encipherment
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã,Â
>>>> Ã, Ã, Ã, Data Encipherment
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Name: Extended Key
>>>> Usage
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, TLS
>>>> Web Server Authentication Certificate
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, TLS
>>>> Web Client Authentication Certificate
>>>>
>>>>  Ã, Ã, Ã, Signature Algorithm: PKCS #1 SHA-256 With RSA
>>>> Encryption
>>>>
>>>>  Ã, Ã, Ã, Signature:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, 5f:b7:31:25:10:ef:e7:72:44:8e:94:1d:57:4e:bb:4e:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, 22:cf:9b:7e:f4:20:a2:fa:96:2a:cf:e9:70:cd:a6:82:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, 4a:bd:58:4b:a7:df:4d:77:47:ba:65:d0:68:c5:dc:59:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, 77:7e:bf:36:d3:55:c7:86:d3:16:77:51:46:c2:48:de:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, e8:0d:62:05:b9:8c:46:bd:22:7d:8d:d0:ad:5a:64:6b:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, 9b:7d:ec:4c:e6:05:e7:02:97:cd:01:f5:19:91:15:7e:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, cc:41:5b:f2:00:2d:c0:0b:91:9e:62:d5:7a:b2:1e:8f:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, 32:62:c2:ed:1a:e8:e1:56:32:e0:0e:79:55:a2:49:35:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, 0e:df:5d:a3:df:e2:dd:58:60:4a:dd:19:92:f7:4d:60:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, 59:0e:16:b1:ae:32:e6:c5:c5:fa:5b:2f:fe:1d:fe:e9:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, ec:67:2b:65:33:f2:57:64:8a:68:f3:91:9b:25:ff:02:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, 64:4c:a1:6d:fe:f0:73:95:f2:0f:49:fb:3f:85:21:a0:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, 68:37:dc:cd:73:02:73:20:22:a9:1d:c9:7e:88:4f:9b:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, 7c:92:f8:c1:50:0f:95:43:48:5b:8b:7f:0f:48:04:a8:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, c7:c0:0e:58:7c:86:2c:3a:b5:72:e3:34:3d:d8:0f:26:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã,Â
>>>> eb:44:fa:75:c1:c8:fc:b6:7d:f7:31:91:a4:71:a1:51
>>>>
>>>>  Ã, Ã, Ã, Fingerprint (SHA-256):
>>>>
>>>>
>>>> 4F:2A:1B:54:65:B6:09:3E:AD:68:08:92:CB:8D:FE:13:EF:B8:4C:F1:1E:0F:E1:
>>>> 15:13:92:D3:7A:3D:F8:54:44
>>>>
>>>>  Ã, Ã, Ã, Fingerprint (SHA1):
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã,Â
>>>> 03:34:DC:55:F5:00:AF:8C:EF:AC:AA:0D:E0:44:AD:5C:6F:CF:97:A6
>>>>
>>>>  Ã, Ã, Ã, Mozilla-CA-Policy: false (attribute missing)
>>>>
>>>>  Ã, Ã, Ã, Certificate Trust Flags:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, SSL Flags:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, User
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Email Flags:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, User
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Object Signing Flags:
>>>>
>>>>  Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, User
>>>>
>>>> Thanks for the help,
>>>>
>>>> Marc.
>>>>
>>>>
>>>> _______________________________________________
>>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>>>>
>>> Hi Marc,
>>>
>>> we need more information in order to help you:
>>> - do you have multiple master/replicas with the CA role:
>>> # kinit admin; ipa server-role-find --role "CA server"
>>>
>>> - which server is the renewal master:
>>> # kinit admin ; ipa config-show | grep "renewal"
>>>
>>> - which version is installed:
>>> # rpm -qa | grep ipa-server
>>>
>>> - Is the subsystemCert cert-pki-ca the only expired certificate:
>>> # getcert list
>>>
>>> flo
>>>
>>
>
3 years, 4 months
List of supported client operating systems
by Ronald Wimmer
Is there a list of officially supported client operating systems and
versions? Or is it just a matter of having a recent version of sssd (>=
1.9)?
Cheers,
Ronald
3 years, 4 months
Re: subsystemCert appears out of date
by Rob Crittenden
Marc Pearson | i-Neda Ltd via FreeIPA-users wrote:
> Hi Flo,
>
> Thanks for the information. I've tried to run the cert fix utility just now and I'm hitting an issue, ironically with the SSL certificate:
>
> [root@red-auth01 ~]# ipa-cert-fix
> Failed to get Server-Cert
> The ipa-cert-fix command failed.
>
> From the message log:
> Nov 18 11:18:32 red-auth01 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
> Nov 18 11:18:32 red-auth01 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
> Nov 18 11:18:33 red-auth01 certmonger: 2020-11-18 11:18:33 [1164] Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
> Nov 18 11:18:35 red-auth01 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
> Nov 18 11:18:35 red-auth01 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
> Nov 18 11:18:35 red-auth01 certmonger: 2020-11-18 11:18:35 [1164] Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
Does /var/lib/ipa/ra-agent.[pem|key] exist? They should be mode 0440
owned by root:ipaapi.
rob
>
> Any advice?
>
> Marc.
>
> -----Original Message-----
> From: Florence Blanc-Renaud <flo(a)redhat.com>
> Sent: 17 November 2020 10:57
> To: Marc Pearson | i-Neda Ltd <mpearson(a)i-neda.com>; FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> Subject: Re: [Freeipa-users] subsystemCert appears out of date
>
> On 11/17/20 10:19 AM, Marc Pearson | i-Neda Ltd wrote:
>> Hi Flo,
>>
>> Thanks for the help. Included is the output of all the commands as you
>> requested. These were all run from a single freeIPA server (red-auth01).
>>
>> kinit admin; ipa server-role-find --role "CA server"
>> Password for admin(a)INT.I-NEDA.COM:
>> ----------------------
>> 8 server roles matched
>> ----------------------
>>   Server name: power-auth03.int.i-neda.com
>>   Role name: CA server
>>   Role status: enabled
>>
>>   Server name: power-auth04.int.i-neda.com
>>   Role name: CA server
>>   Role status: absent
>>
>>   Server name: red-auth01.int.i-neda.com
>>   Role name: CA server
>>   Role status: enabled
>>
>>   Server name: red-auth02.int.i-neda.com
>>   Role name: CA server
>>   Role status: enabled
>>
>>   Server name: red-auth03.int.i-neda.com
>>   Role name: CA server
>>   Role status: enabled
>>
>>   Server name: red-auth04.int.i-neda.com
>>   Role name: CA server
>>   Role status: enabled
>>
>>   Server name: white-auth01.int.i-neda.com
>>   Role name: CA server
>>   Role status: enabled
>>
>>   Server name: white-auth02.int.i-neda.com
>>   Role name: CA server
>>   Role status: enabled
>> ----------------------------
>> Number of entries returned 8
>> ----------------------------
>>
>>
>> kinit admin; ipa config-show | grep "renewal"
>> Password for admin(a)INT.I-NEDA.COM:
>>   IPA CA renewal master: red-auth01.int.i-neda.com
>>
>>
>> rpm -qa | grep ipa-server
>> ipa-server-common-4.6.8-5.el7.centos.noarch
>> ipa-server-4.6.8-5.el7.centos.x86_64
>> ipa-server-dns-4.6.8-5.el7.centos.noarch
>>
>>
>> getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20171101175244':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
>>     certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
>>     CA: SelfSign
>>     issuer: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM
>>     subject: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM
>>     expires: 2021-08-10 14:04:07 UTC
>>     principal name: krbtgt/INT.I-NEDA.COM(a)INT.I-NEDA.COM
>>     certificate template/profile: KDCs_PKINIT_Certs
>>     pre-save command:
>>     post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
>>     track: yes
>>     auto-renew: yes
>>
>> Request ID '20180722081853':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-ca-renew-agent
>>     issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>>     subject: CN=CA Audit,O=INT.I-NEDA.COM
>>     expires: 2022-09-16 12:36:41 UTC
>>     key usage: digitalSignature,nonRepudiation
>>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>     track: yes
>>     auto-renew: yes
>>
>> Request ID '20180722081854':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-ca-renew-agent
>>     issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>>     subject: CN=OCSP Subsystem,O=INT.I-NEDA.COM
>>     expires: 2022-09-16 12:35:31 UTC
>>     eku: id-kp-OCSPSigning
>>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>     track: yes
>>     auto-renew: yes
>>
>> Request ID '20180722081855':
>>     status: CA_UNREACHABLE
>>     ca-error: Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-ca-renew-agent
>>     issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>>     subject: CN=CA Subsystem,O=INT.I-NEDA.COM
>>     expires: 2020-10-24 07:04:35 UTC
>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>     track: yes
>>     auto-renew: yes
>>
>> Request ID '20180722081856':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-ca-renew-agent
>>     issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>>     subject: CN=Certificate Authority,O=INT.I-NEDA.COM
>>     expires: 2040-10-10 07:51:04 UTC
>>     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>>     track: yes
>>     auto-renew: yes
>>
>> Request ID '20180722081857':
>>     status: CA_UNREACHABLE
>>     ca-error: Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
>>     stuck: no
>>     key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>>     certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>>     CA: dogtag-ipa-ca-renew-agent
>>     issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>>     subject: CN=IPA RA,O=INT.I-NEDA.COM
>>     expires: 2020-10-24 07:03:24 UTC
>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>     post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>     track: yes
>>     auto-renew: yes
>>
>> Request ID '20180722081858':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-ca-renew-agent
>>     issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>>     subject: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM
>>     expires: 2021-02-09 11:59:57 UTC
>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>     eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>>     track: yes
>>     auto-renew: yes
>>
>> Request ID '20200530130439':
>>     status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>     stuck: yes
>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
>>     CA: IPA
>>     issuer:
>>     subject:
>>     expires: unknown
>>     pre-save command:
>>     post-save command:
>>     track: yes
>>     auto-renew: yes
>>
> Hi Marc,
>
> so the current situation is the following:
> - red-auth01 is the renewal master, with multiple replicas hosting the CA role.
> - on this server, 'subsystemCert cert-pki-ca' is expired (expires:
> 2020-10-24 07:04:35 UTC) as well as /var/lib/ipa/ra-agent.pem (expires:
> 2020-10-24 07:03:24 UTC).
> - there is also an issue with the tracking of the cert used by HTTP
>
> But one of your comments is puzzling me:
>
>> The signing SSL (int.i-neda.com) is a full wildcard block chain that
>> is authorized by a recognised 3rd party. It's worth noting though,
>> that we had some issues with the block chain back in April as the
>> third party's block chain expired. So it's possible that this is as a
>> result of that issue, and may require some fettling to resolve. All help is appreciated.
> Did you import the new CA chain at that time using ipa-cacert-manage install / ipa-certupdate?
>
> According to getcert output, the IPA CA is now self-signed. It looks a lot like issue https://pagure.io/freeipa/issue/8176 where the externally-signed IPA CA is renewed/replaced with a self-signed CA.
>
> As you have ipa 4.6.8-5, the ipa-cert-fix utility is available on your system. It will be easier to use this tool to fix the server:
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
>
> Once the systems are up again, you can switch back to an externally-signed ipa CA:
> - import the external CA chain using ipa-cacert-manage install + run ipa-certupdate on all the ipa nodes
> - switch to externally-signed CA with ipa-cacert-manage renew --external-ca command
> (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...)
>
> HTH,
> flo
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>
3 years, 4 months
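The triage Florence walks Marc through in this thread (which certmonger requests have expired, which are failing or stuck, and whether the RA agent files Rob asks about exist with the right mode and ownership) can be scripted so it is repeatable across the eight CA servers listed above. The block below is an added example written for this page, not FreeIPA's own code: it parses `getcert list` output in the format quoted above, flags expired, failing and stuck requests, and checks the RA agent files. The sample output is constructed from four of the records quoted in the thread; the file paths and the 0440 root:ipaapi expectation come from Rob's reply; all function names are this example's own. The RA agent certificate is what certmonger's dogtag-ipa-ca-renew-agent helper presents when it authenticates to the CA's agent interface, which is why, once /var/lib/ipa/ra-agent.pem has expired, every request using that CA reports the same "Problem with the local SSL certificate" error (curl error 58), and why it is the first thing worth checking.

```python
import grp, os, pwd, re, tempfile
from datetime import datetime, timezone

# Constructed sample: four of the records from the `getcert list` output quoted above.
SAMPLE_GETCERT = """\
Request ID '20180722081855':
    status: CA_UNREACHABLE
    ca-error: Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    expires: 2020-10-24 07:04:35 UTC
Request ID '20180722081856':
    status: MONITORING
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    expires: 2040-10-10 07:51:04 UTC
Request ID '20180722081857':
    status: CA_UNREACHABLE
    ca-error: Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    expires: 2020-10-24 07:03:24 UTC
Request ID '20200530130439':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
    expires: unknown
"""

# RA agent credential that certmonger presents to the CA; mode/owner expectation is from Rob's reply.
RA_AGENT_FILES = ("/var/lib/ipa/ra-agent.pem", "/var/lib/ipa/ra-agent.key")

def parse_getcert(text):
    """Split `getcert list` output into one dict per 'Request ID' block."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"Request ID '([^']+)':", line)
        if header:
            current = {"id": header.group(1)}
            records.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")   # split on the first colon only; values may contain URLs
            current[key.strip()] = value.strip()
    return records

def _parse_ts(text):
    naive = datetime.strptime(text.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)

def _name(rec):
    """Nickname (NSS DB storage) or file path (FILE storage) of a tracked request."""
    storage = rec.get("key pair storage", "")
    m = re.search(r"nickname='([^']+)'", storage) or re.search(r"location='([^']+)'", storage)
    return m.group(1) if m else rec["id"]

def find_problems(records, now=None):
    """(request id, name, reason) for each request needing attention; `now` is a certmonger-style timestamp or None."""
    now = datetime.now(timezone.utc) if now is None else _parse_ts(now)
    problems = []
    for rec in records:
        name, expires = _name(rec), rec.get("expires", "unknown")
        if expires == "unknown":
            problems.append((rec["id"], name, "no certificate on file"))
        elif _parse_ts(expires) <= now:
            problems.append((rec["id"], name, "expired " + expires))
        if "ca-error" in rec:
            problems.append((rec["id"], name, "renewal failing: " + rec["ca-error"]))
        if rec.get("stuck") == "yes":
            problems.append((rec["id"], name, "tracking stuck in " + rec.get("status", "?")))
    return problems

def owner_group_of(path):
    """User and group names owning `path` (numeric ids if they have no name)."""
    st = os.stat(path)
    try:
        return pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        return str(st.st_uid), str(st.st_gid)

def check_ra_agent_files(paths=RA_AGENT_FILES, mode=0o440, owner="root", group="ipaapi"):
    """Findings for files that are missing or not the expected mode and owner:group."""
    findings = []
    for path in paths:
        if not os.path.exists(path):
            findings.append("%s: missing" % path)
            continue
        actual_mode = os.stat(path).st_mode & 0o7777
        if actual_mode != mode:
            findings.append("%s: mode %04o, expected %04o" % (path, actual_mode, mode))
        actual = owner_group_of(path)
        if actual != (owner, group):
            findings.append("%s: owner %s:%s, expected %s:%s" % ((path,) + actual + (owner, group)))
    return findings

def make_scratch_file(mode):
    """Throwaway file with the given mode, so the permission check can be tried offline."""
    fd, path = tempfile.mkstemp(prefix="ra-agent-demo-")
    os.close(fd)
    os.chmod(path, mode)
    return path
```

On a real server, feed `find_problems` the output of `getcert list` (for example via `subprocess.run(["getcert", "list"], capture_output=True, text=True).stdout`) and call `check_ra_agent_files()` with its defaults; run it on every CA server, not only the renewal master, since the trace above shows the same error on each request that uses the CA. Passing an explicit `now` is useful when reviewing output captured earlier, as in this thread, where the relevant date is the 18 November attempt rather than today.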