On 01/24/2018 12:35 PM, Harald Husemann via FreeIPA-users wrote:
Hello IPA-experts,
we are running FreeIPA version 4.4.0 with an external CA (our own one), everything was working fine until the CA certificate expired which happened at January 13th. Since i was on vacation and the basic functions were still available no-one created a new certificate, so, it's now my task. As explained in https://www.freeipa.org/page/Howto/CA_Certificate_Renewal, I've reset the time to January 10th, created a new certificate which is valid from 2017 to 2023, and installed it with ipa-cacert-manage. Afterwards, I did an ipa-certupdate, the server certificates were updated and the cert8.db in /etc/httpd/alias contains the new valid CA. But, the expiration date of the certificate itself is still January 13th, so, the certificate is still expired:
root@mat-ipa-master-1:~$ /usr/bin/certutil -d /etc/httpd/alias -L -n "MATERNA-COM.DE IPA CA" Certificate: Data: Version: 3 (0x2) Serial Number: 36 (0x24) Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption Issuer: "E=oc-ca@materna.de,CN=Materna OC CA,OU=OC RZ,O=Materna GmbH, L=Dortmund,ST=NRW,C=DE" Validity: Not Before: Mon Jan 23 14:45:00 2017 Not After : Mon Jan 23 14:45:00 2023 Subject: "CN=Certificate Authority,O=MATERNA-COM.DE" (...) Certificate Trust Flags: SSL Flags: Valid CA Trusted CA Trusted Client CA Email Flags: Valid CA Trusted CA Object Signing Flags: Valid CA Trusted CA
Certificate: Data: Version: 3 (0x2) Serial Number: 23 (0x17) Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption Issuer: "E=oc-ca@materna.de,CN=Materna OC CA,OU=OC RZ,O=Materna GmbH, L=Dortmund,ST=NRW,C=DE" Validity: Not Before: Fri Jan 13 14:45:00 2017 Not After : Sat Jan 13 14:45:00 2018 Subject: "CN=Certificate Authority,O=MATERNA-COM.DE" (...)
root@mat-ipa-master-1:~$
Hi,
in the above output we can see 2 different certificates for "CN=Certificate Authority,O=MATERNA-COM.DE", which is an expected behavior: the database still contains the old one (Not After: Sat Jan 13 14:45:00 2018) but also contains the new one (Not After : Mon Jan 23 14:45:00 2023). So from this point of view, IPA CA cert was properly renewed and distributed to the httpd NSS database.
I have only checked this one, but I'd suppose the others are also not updated. AFAIK certmonger is responsible the renewal, so, I've restarted it and hoped it would grab my certificate and renew it - but it seems there is a problem, journalctl -u certmonger gives
Jan 24 11:22:43 mat-ipa-master-1.materna-com.de systemd[1]: Starting Certificate monitoring and PKI enrollment... Jan 24 11:22:44 mat-ipa-master-1.materna-com.de systemd[1]: Started Certificate monitoring and PKI enrollment. Jan 24 11:22:48 mat-ipa-master-1.materna-com.de certmonger[1026]: 2018-01-24 11:22:48 [1026] Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'MATERNA-COM.DE'. Jan 24 11:22:48 mat-ipa-master-1.materna-com.de certmonger[1026]: 2018-01-24 11:22:48 [1026] Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'MATERNA-COM.DE'. Jan 24 11:22:58 mat-ipa-master-1.materna-com.de certmonger[1026]: 2018-01-24 11:22:58 [1026] Error 7 connecting to https://mat-ipa-master-1.materna-com.de:8443/ca/agent/ca/profileReview: Couldn't connect to server. Jan 24 11:23:00 mat-ipa-master-1.materna-com.de dogtag-ipa-ca-renew-agent-submit[2282]: Traceback (most recent call last): File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 511, in <module> sys.exit(main()) File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 490, in main ipautil.kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename) File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1314, in kinit_keytab cred = gssapi.Credentials(name=name, store=store, usage='initiate') File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__ store=store) File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire usage) File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred_store.c:1732) GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'MA Jan 24 11:23:00 mat-ipa-master-1.materna-com.de certmonger[1026]: 2018-01-24 11:23:00 [1026] Internal error
The traceback is generated by the helper launched to renew IPA CA. This helper authenticates using /etc/krb5.keytab but according to the traces, was unable to reach the Kerberos server. Can you manually try to perform $ sudo kinit -kt /etc/krb5.keytab and check its output?
Flo
Any help is greatly appreciated since I'm stuck here... If it helps, I have a clean backup of the IPA master which was written yesterday evening, so, I can use this one to "start over" if I've already mixed up things.
Thanks and kind regards from Germany,
Harald _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org