I'm trying to fix a FreeIPA 4.6 cluster running on CentOS 7 that has expired directory and HTTP certificates. I turned back the clock so that the certs would be valid and am trying to run ipa-cert-fix, but it's failing with:
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Fixing the following system certs: ['sslserver']
INFO: Renewing the following additional certs: ['21']
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Stopping the instance to proceed with system cert renewal
INFO: Configuring LDAP password authentication
INFO: Setting pkidbuser password via ldappasswd
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Selftests disabled for subsystems: ca
INFO: Resetting password for uid=ipara,ou=people,o=ipaca
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Creating a temporary sslserver cert
INFO: Getting sslserver cert info for ca
INFO: Trying to create a new temp cert for sslserver.
INFO: Generate temp SSL certificate
INFO: Getting sslserver cert info for ca
INFO: Selftests enabled for subsystems: ca
INFO: Restoring previous LDAP configuration
ERROR: Unable to find CSR for sslserver cert
After doing some searching I found https://access.redhat.com/solutions/4852721 but the instructions aren't applying to me because there's no CSR in the request:
Request ID '20210601131820':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=RHELENT.LAN
subject: CN=CA Subsystem,O=RHELENT.LAN
expires: 2023-05-01 18:04:11 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Then look for a CSR:
[root@freeipa ~]# grep -A 19 csr /var/lib/certmonger/requests/20210601131820
[root@freeipa ~]#
Is there something I can do to get the CA subsystem cert re-issued?
It didn't fail on the subsystem certificate, it failed on the TLS
certificate for the CA itself (it seems). You can check that with:
getcert list -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca"
If it expires in 2023 then you're ok with the CA anyhow.
rob
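Rob's suggestion is to read the expiry out of `getcert list`. As an added example that is not part of this thread or of FreeIPA's own tooling, here is a small Python script that parses that output format (a constructed sample in the shape quoted in the question, plus an assumed second request for the "Server-Cert cert-pki-ca" nickname the reply mentions) and flags tracked certs that are stuck, expired, or expiring within a window:

```python
"""Parse `getcert list` output and flag tracked certs needing attention.
Added example for this thread; not FreeIPA or certmonger code."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the thread's output. The second block
# (Server-Cert, stuck, already expired) is assumed, not from the thread.
SAMPLE = """\
Request ID '20210601131820':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\texpires: 2023-05-01 18:04:11 UTC
Request ID '20210601131821':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2021-06-01 13:18:00 UTC
"""

def parse_utc(s):
    """Parse the 'YYYY-MM-DD HH:MM:SS' form getcert prints (UTC)."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_getcert_list(text):
    """Return one dict per 'Request ID' block: id, nickname, status, stuck, expires."""
    certs = []
    for block in re.split(r"^(?=Request ID ')", text, flags=re.M):
        head = re.match(r"Request ID '([^']+)':", block)
        if not head:
            continue
        entry = {"id": head.group(1)}
        nick = re.search(r"^\s*certificate: .*nickname='([^']+)'", block, re.M)
        status = re.search(r"^\s*status: (\S+)", block, re.M)
        stuck = re.search(r"^\s*stuck: (\S+)", block, re.M)
        exp = re.search(r"^\s*expires: (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC", block, re.M)
        entry["nickname"] = nick.group(1) if nick else None
        entry["status"] = status.group(1) if status else None
        entry["stuck"] = bool(stuck and stuck.group(1) == "yes")
        entry["expires"] = parse_utc(exp.group(1)) if exp else None
        certs.append(entry)
    return certs

def needs_attention(certs, now, warn_days=28):
    """Sorted nicknames that are stuck, expired, or expire within warn_days of now."""
    horizon = now + timedelta(days=warn_days)
    return sorted(c["nickname"] for c in certs
                  if c["stuck"] or (c["expires"] is not None and c["expires"] <= horizon))

if __name__ == "__main__":
    for nick in needs_attention(parse_getcert_list(SAMPLE), parse_utc("2021-06-15 00:00:00")):
        print("needs attention:", nick)
```

On a live host, replace SAMPLE with the output of `getcert list` (or `getcert list -d /etc/pki/pki-tomcat/alias` for just the CA's NSS database) and pass the real current time.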