I think if you stop IPA (ipactl stop), set the system clock back to a date
inside this server cert's validity period (it is the TLS cert for the CA
server itself; per the curl output below it was valid Jan 18 2017 - Jan 08
2019), manually start dirsrv, dogtag (pki-tomcatd) and krb5kdc, and then run
`getcert resubmit -i 20170214143200`, the renewal should go through. The reason
for the time travel: that tracking request uses the dogtag-ipa-renew-agent CA,
which submits the request to the local CA over HTTPS on port 8443 - the very
endpoint whose TLS cert has expired - so certmonger will keep reporting
CA_UNREACHABLE until the CA is reachable with a cert it can validate.
Make sure ntpd (or chronyd) is not running, or it will step the clock back to
the real time underneath you. Once the new certificate is in place, restore
the correct time before bringing the rest of the stack back up normally.
rob
[root@sl1mmgplidm0002 ~]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20170214143155':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
subject: CN=CA Audit,O=IPA.GEN.ZONE
expires: 2020-12-01 18:52:55 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170214143156':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
subject: CN=OCSP Subsystem,O=IPA.GEN.ZONE
expires: 2020-12-01 18:52:54 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170214143157':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
subject: CN=CA Subsystem,O=IPA.GEN.ZONE
expires: 2020-12-01 18:53:15 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170214143158':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
subject: CN=Certificate Authority,O=IPA.GEN.ZONE
expires: 2037-01-18 20:02:36 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170214143159':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
subject: CN=IPA RA,O=IPA.GEN.ZONE
expires: 2020-12-01 18:52:44 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20170214143200':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to
https://sl1mmgplidm0002.ipa.gen.zone:8443/ca/agent/ca/profileReview: Peer certificate
cannot be authenticated with given CA certificates.
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE
expires: 2019-01-08 20:16:52 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170214143201':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-IPA-GEN-ZONE',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-GEN-ZONE/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-IPA-GEN-ZONE',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE
expires: 2020-12-23 03:40:21 UTC
principal name: ldap/sl1mmgplidm0002.ipa.gen.zone(a)IPA.GEN.ZONE
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-GEN-ZONE
track: yes
auto-renew: yes
Request ID '20170214143202':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE
expires: 2020-12-23 03:40:31 UTC
principal name: HTTP/sl1mmgplidm0002.ipa.gen.zone(a)IPA.GEN.ZONE
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Already tried this solution with no luck:
https://rcritten.wordpress.c... (URL truncated in the archive)
[root@sl1mmgplidm0002 ~]# certutil -d /etc/httpd/alias -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Server-Cert u,u,u
ipaCert u,u,u
IPA.GEN.ZONE IPA CA CT,C,C
[root@sl1mmgplidm0002 ~]# certutil -d /etc/httpd/alias -M -n 'IPA.GEN.ZONE IPA
CA' -t ',,'
[root@sl1mmgplidm0002 ~]# certutil -d /etc/httpd/alias -M -n 'IPA.GEN.ZONE IPA
CA' -t 'CT,C,C'
The curl check still fails - and note the error below is NSS -8181
SEC_ERROR_EXPIRED_CERTIFICATE, not a trust-chain error, so toggling the CA
trust flags above could never have fixed it: the Server-Cert presented on
8443 expired on 2019-01-08. Disabling verification (-k) would only mask the
error for curl; certmonger's renewal agent still has to validate that
certificate, so the fix is to renew it, not to relax validation.
[root@sl1mmgplidm0002 ~]# SSL_DIR=/etc/httpd/alias/ curl -v -o /dev/null --cacert
/etc/ipa/ca.crt https://`hostname`:8443/ca/agent/ca/profileReview
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* About to
connect() to sl1mmgplidm0002.ipa.gen.zone port 8443 (#0)
* Trying 172.20.0.36...
* Connected to sl1mmgplidm0002.ipa.gen.zone (172.20.0.36) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/httpd/alias/
* CAfile: /etc/ipa/ca.crt
CApath: none
* Server certificate:
* subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE
* start date: Jan 18 20:16:52 2017 GMT
* expire date: Jan 08 20:16:52 2019 GMT
* common name: sl1mmgplidm0002.ipa.gen.zone
* issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
* NSS error -8181 (SEC_ERROR_EXPIRED_CERTIFICATE)
* Peer's Certificate has expired.
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Closing connection 0
curl: (60) Peer's Certificate has expired.
More details here:
http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
-----Original Message-----
From: Rob Crittenden <rcritten(a)redhat.com>
Sent: Thursday, June 13, 2019 4:08 PM
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Sayfiddin, Farhad <fsayfiddin(a)tkcholdings.com>
Subject: Re: [Freeipa-users] Cert expired for pki-tomcat and process would not start
Sayfiddin, Farhad via FreeIPA-users wrote:
> We have two replica servers sl1mmgplidm0001/2.
>
>
>
> sl1mmgplidm0001 is functioning as CRL master and has no issues.
>
>
>
> [root@sl1mmgplidm0001 ~]# ipa config-show | grep 'CA renewal master'
>
> IPA CA renewal master: sl1mmgplidm0001
>
> [root@sl1mmgplidm0001 ~]#
>
>
>
> [root@sl1mmgplidm0001 ~]# ipactl status
>
> Directory Service: RUNNING
>
> krb5kdc Service: RUNNING
>
> kadmin Service: RUNNING
>
> named Service: RUNNING
>
> ipa_memcached Service: RUNNING
>
> httpd Service: RUNNING
>
> ipa-custodia Service: RUNNING
>
> pki-tomcatd Service: RUNNING
>
> smb Service: RUNNING
>
> winbind Service: RUNNING
>
> ipa-otpd Service: RUNNING
>
> ipa-dnskeysyncd Service: RUNNING
>
> ipa: INFO: The ipactl command was successful
>
> [root@sl1mmgplidm0001 ~]#
>
>
>
> sl1mmgplidm0002 has an issue where the pki-tomcat process will not start
> because of an expired certificate; certmonger reports CA_UNREACHABLE for it:
>
>
>
> [root@sl1mmgplidm0002 ~]# ipactl status
>
> Directory Service: RUNNING
>
> krb5kdc Service: RUNNING
>
> kadmin Service: RUNNING
>
> named Service: RUNNING
>
> ipa_memcached Service: RUNNING
>
> httpd Service: RUNNING
>
> ipa-custodia Service: RUNNING
>
> pki-tomcatd Service: STOPPED
>
> smb Service: RUNNING
>
> winbind Service: RUNNING
>
> ipa-otpd Service: RUNNING
>
> ipa-dnskeysyncd Service: RUNNING
>
> ipa: INFO: The ipactl command was successful
>
> [root@sl1mmgplidm0002 ~]#
>
>
>
> [root@sl1mmgplidm0002 ~]# getcert list | grep -A 10 20170214143200
> Request ID '20170214143200':
>
> status: CA_UNREACHABLE
>
> ca-error: Error 60 connecting to
> https://sl1mmgplidm0002:8443/ca/agent/ca/profileReview: Peer certificate
> cannot be authenticated with given CA certificates.
>
> stuck: no
>
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB',pin set
>
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB'
>
> CA: dogtag-ipa-renew-agent
>
> issuer: CN=Certificate Authority,O=IPA
>
> subject: CN=sl1mmgplidm0002,O=IPA
>
> expires: 2019-01-08 20:16:52 UTC
>
> key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>
> [root@sl1mmgplidm0002 ~]#
>
>
>
> Tried running renew_ca_cert command and "getcert resubmit -i" with no
luck.
Don't run `ipa-cacert-manage renew`: it renews only the IPA CA (root) signing
certificate, which is not the certificate that expired here, so it won't help.
We need to see the full output of getcert list to see what status all the certs are in.
You might also try this:
https://rcritten.wordpress.c... (URL truncated in the archive)
rob