Hi,
Although I thought these certificates would all happily auto-renew, and auto-renew: yes is shown, one of them clearly hasn't, with an obvious impact on services. I recognise this is now a fairly old version of FreeIPA.
As I don't wish to break anything further, what is the correct way to safely and successfully renew this one certificate?
Thanks
Best wishes
Stuart
-------------------------------------------------------
ipa --version
VERSION: 4.4.4, API_VERSION: 2.215

getcert list | grep -i expi
    expires: 2022-06-13 17:57:38 BST
    expires: 2022-06-13 17:57:48 BST
    expires: 2022-06-13 17:57:28 BST
    expires: 2036-09-08 17:57:09 BST
    expires: 2022-06-13 17:57:50 BST
    expires: 2022-06-13 17:57:22 BST
    expires: 2022-07-16 17:58:18 BST
    expires: 2020-09-04 17:46:56 BST <<<<<<<<<<<<<<<<<<<<

I've changed strings to be OUR_DOMAIN and our_server below.

getcert list
Number of certificates and requests being tracked: 8.
Request ID '20170405152505':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=OUR_DOMAIN
    subject: CN=CA Audit,O=OUR_DOMAIN
    expires: 2022-06-13 17:57:38 BST
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20170405152506':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=OUR_DOMAIN
    subject: CN=OCSP Subsystem,O=OUR_DOMAIN
    expires: 2022-06-13 17:57:48 BST
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20170405152507':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=OUR_DOMAIN
    subject: CN=CA Subsystem,O=OUR_DOMAIN
    expires: 2022-06-13 17:57:28 BST
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20170405152508':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=OUR_DOMAIN
    subject: CN=Certificate Authority,O=OUR_DOMAIN
    expires: 2036-09-08 17:57:09 BST
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20170405152509':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=OUR_DOMAIN
    subject: CN=IPA RA,O=OUR_DOMAIN
    expires: 2022-06-13 17:57:50 BST
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20170405152510':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=OUR_DOMAIN
    subject: CN=our_server,O=OUR_DOMAIN
    expires: 2022-06-13 17:57:22 BST
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20170405152511':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-OUR_DOMAIN',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-OUR-DOMAIN/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-OUR_DOMAIN',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=OUR_DOMAIN
    subject: CN=our_server,O=OUR_DOMAIN
    expires: 2022-07-16 17:58:18 BST
    principal name: ldap/our_server@OUR_DOMAIN
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv OUR_DOMAIN
    track: yes
    auto-renew: yes
Request ID '20170405152512':
    status: CA_UNREACHABLE
    ca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for requested realm.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=OUR_DOMAIN
    subject: CN=our_server,O=OUR_DOMAIN
    expires: 2020-09-04 17:46:56 BST <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
    principal name: HTTP/our_server@OUR_DOMAIN
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
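
A check over the listing above, added here as an example and not part of the original post: it parses `getcert list` output and flags any request whose status is not MONITORING, or whose certificate has expired or is close to expiry, because `auto-renew: yes` on its own did not reveal the lapse shown. The function names, the 28-day warning window and the shortened sample text are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample in the layout `getcert list` prints, shortened from the
# two IPA-issued requests in the listing above (not a complete record).
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20170405152511':
    status: MONITORING
    expires: 2022-07-16 17:58:18 BST
    auto-renew: yes
Request ID '20170405152512':
    status: CA_UNREACHABLE
    ca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for requested realm.
    expires: 2020-09-04 17:46:56 BST
    auto-renew: yes
"""

def parse_requests(text):
    """Split getcert list output into one dict of fields per Request ID."""
    requests, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line.strip())
        if m:
            cur = {"id": m.group(1)}
            requests.append(cur)
        elif cur is not None and ":" in line:
            key, _, value = line.strip().partition(":")  # split at first colon only
            cur[key.strip()] = value.strip()
    return requests

def findings(text, now, warn_days=28):
    """Return (request id, reason) for every request that needs attention."""
    out = []
    for r in parse_requests(text):
        if r.get("status") != "MONITORING":
            out.append((r["id"], "status " + r.get("status", "missing")))
        if "expires" in r:
            # Zone abbreviation (e.g. BST) is dropped; compared as naive local time.
            exp = datetime.strptime(r["expires"][:19], "%Y-%m-%d %H:%M:%S")
            if exp < now:
                out.append((r["id"], "expired %d days ago" % (now - exp).days))
            elif (exp - now).days < warn_days:
                out.append((r["id"], "expires in %d days" % (exp - now).days))
    return out

if __name__ == "__main__":
    for req_id, reason in findings(SAMPLE, datetime.now()):
        print(req_id, reason)
```

Run from cron against the real `getcert list` output, a non-empty result is the signal to alert on before a service certificate lapses.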