Hi,
there is only one certificate that failed to renew, and the repair should (hopefully) be straightforward.
First of all, please confirm that the server is the CA renewal master: # ipa config-show | grep "CA renewal"
The output should display your hostname. If that's not the case, we need more information (which host is CA renewal master, are all the certs valid on this host?)
Let's assume that the host is CA renewal master. In this case, you need to change the date on the host and go back to a date when the cert was still valid (and the renewed certs are *already* valid). Any date in August should do the trick: # ipactl start --ignore-service-failures (note which services failed to start, I would expect httpd as its cert is expired) # systemctl stop ntpd (or systemctl stop chronyd, depending on the time sync daemon the system is using) # date -s <date in the past>
Now start the services which were previously failing, for instance # systemctl start httpd (warning: don't use "ipactl start" as it would restart the ntp server and move the date back to the present!)
Manually trigger renewal of the cert: # getcert resubmit -i <ID of the cert>
Wait a few minutes, check if the cert was renewed: # getcert list -i <ID of the cert>
When the status is MONITORING, you can restart ntpd/chronyd, force the date to the current date and that's it!
HTH, flo
On 9/8/20 5:06 PM, Stuart McRobert via FreeIPA-users wrote:
Hi,
Although I thought these certificates would all happily auto-renew, and auto-renew: yes is shown, one of them clearly hasn't with an obvious impact on services. I recognise this is now a fairly old version of freeipa.
As I don't wish to break anything further, what is the correct way to safely and successfully renew this one certificate?
Thanks
Best wishes
Stuart
ipa --version VERSION: 4.4.4, API_VERSION: 2.215
getcert list | grep -i expi expires: 2022-06-13 17:57:38 BST expires: 2022-06-13 17:57:48 BST expires: 2022-06-13 17:57:28 BST expires: 2036-09-08 17:57:09 BST expires: 2022-06-13 17:57:50 BST expires: 2022-06-13 17:57:22 BST expires: 2022-07-16 17:58:18 BST expires: 2020-09-04 17:46:56 BST <<<<<<<<<<<<<<<<<<<<
I've changed strings to be OUR_DOMAIN and our_server below.
getcert list Number of certificates and requests being tracked: 8. Request ID '20170405152505': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=OUR_DOMAIN subject: CN=CA Audit,O=OUR_DOMAIN expires: 2022-06-13 17:57:38 BST key usage: digitalSignature,nonRepudiation pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20170405152506': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=OUR_DOMAIN subject: CN=OCSP Subsystem,O=OUR_DOMAIN expires: 2022-06-13 17:57:48 BST eku: id-kp-OCSPSigning pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20170405152507': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=OUR_DOMAIN subject: CN=CA Subsystem,O=OUR_DOMAIN expires: 2022-06-13 17:57:28 BST key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" track: yes auto-renew: yes Request ID '20170405152508': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=OUR_DOMAIN subject: CN=Certificate Authority,O=OUR_DOMAIN expires: 2036-09-08 17:57:09 BST key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20170405152509': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=OUR_DOMAIN subject: CN=IPA RA,O=OUR_DOMAIN expires: 2022-06-13 17:57:50 BST key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes Request ID '20170405152510': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=OUR_DOMAIN subject: CN=our_server,O=OUR_DOMAIN expires: 2022-06-13 17:57:22 BST key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" track: yes auto-renew: yes Request ID '20170405152511': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-OUR_DOMAIN',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-OUR-DOMAIN/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-OUR_DOMAIN',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=OUR_DOMAIN subject: CN=our_server,O=OUR_DOMAIN expires: 2022-07-16 17:58:18 BST principal name: ldap/our_server@OUR_DOMAIN key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv OUR_DOMAIN track: yes auto-renew: yes Request ID '20170405152512': status: CA_UNREACHABLE ca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for requested realm. stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=OUR_DOMAIN subject: CN=our_server,O=OUR_DOMAIN expires: 2020-09-04 17:46:56 BST <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< principal name: HTTP/our_server@OUR_DOMAIN key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_httpd track: yes auto-renew: yes _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...