Hi,

On Tue, Feb 7, 2023 at 1:28 AM Jernej Jakob via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi David. I had the same issue here and found your writeup to be very
helpful.

I used more or less the same ldap actions to delete the certificates
and requests (~3.6k) from LDAP. This did make 'ipa cert-find' display
just the one "used"/"correct" certificate for the host, but the main
issue is not fixed. The webUI still displays all the old certificates
that I have deleted from LDAP. Opening the "Hosts" tab or a host page
takes very long, around 1-2 minutes.

So I want to know what else needs to be done to make the webUI "forget"
about the wrongly issued certificates?

Where does the webUI get its list of certificates?
I did some searching through the code and could only find the JS
code that invokes a RPC call. But I could not find the code that
handles that call.

The webui is making a call equivalent to "ipa cert-find" which is handled by the following code:
https://github.com/freeipa/freeipa/blob/master/ipaserver/plugins/cert.py#L1496

The call looks for certificates in multiple locations:
- in the subtree "ou=certificateRepository,ou=ca,o=ipaca"
- in the suffix "dc=example,dc=com", in the users/hosts/services entries

You cleaned the certificates from the cert repository but there may be many entries (users/hosts/services) containing a userCertificate attribute. To avoid seeing those certs you would have to delete the corresponding userCertificate values.

HTH,
flo

IIRC my issue that caused certmonger to request a certificate over and
over was caused by a bug after upgrading a client from Ubuntu 14.04 to
16.04. The path to ca_external_helper changed but it was not changed in
/var/lib/certmonger/cas/* which caused certmonger to fail running
ca_external_helper. To fix it I did:

sed -i -e 's#x86_64-linux-gnu/##g; s#certmonger/certmonger#certmonger#g' /var/lib/certmonger/cas/*


Below is the exact procedure I used to delete the certificates from
LDAP.

First fix the issue that caused the issuing of too many certificates.
Make sure it successfully issued and saved the cert on the client and
that it's in status "MONITORING", "stuck: no".
Find the serial number of the cert currently present on the client.
'sudo getcert list', look at "certificate:"; in my case it was in
"/etc/ssl/private/hostname-ipa-cert.crt"
openssl x509 -in /etc/ssl/private/hostname-ipa-cert.crt -noout -text
In my case it was 268369940.

Used the following shell script to revoke all the certificates with
serial not matching. I did this before I knew how to get the cert
serials from ldap so it uses ipa cert-find. It's a slow process.
for s in $(ipa cert-find --hosts=badhost --pkey-only --sizelimit=0 | awk '/Serial number/{print $3}'); do
    if [ "$s" = "268369940" ] || [ -z "$s" ]; then continue; fi
    echo "revoking $s"
    ipa cert-revoke "$s"
done

You can view all the revoked cert cn's with this command before
deleting them.
ldapsearch -LLL -x -D "cn=directory manager" -W -b "ou=certificateRepository,ou=ca,o=ipaca" '(&(subjectName~="badhost")(certStatus=REVOKED))' dn certStatus|less

Make a list of all cert cn's not matching the used cert, save output
into a file, ready to be read by ldapdelete later.
ldapsearch -LLL -x -D "cn=directory manager" -W -b "ou=certificateRepository,ou=ca,o=ipaca" '(&(subjectName~="badhost")(!(cn=268369940)))' dn | grep -o 'cn=.*' > cert_to_delete_not_used_badhost

Make a list of all the requestId for all the certs to be deleted.
ldapsearch -LLL -x -D "cn=directory manager" -W -b "ou=certificateRepository,ou=ca,o=ipaca" '(&(subjectName~="badhost")(!(cn=268369940)))' metaInfo|grep -oP 'requestId:\K.*' > cert_request_to_delete_not_used_from_metaInfo_badhost

In my case there were a couple more requests than issued certs, I'm not
sure why. I made a list of all requests for this host excluding the
requestId of the correct cert. First find the correct/used cert
requestId. In my case it was 9990026.
ldapsearch -LLL -x -D "cn=directory manager" -W -b "ou=certificateRepository,ou=ca,o=ipaca" '(&(subjectName~="badhost")(cn=268369940))' metaInfo|grep -oP 'requestId:\K.*'

Then get a list of all requests for that host, excluding that one
requestId.
ldapsearch -LLL -x -D "cn=directory manager" -W -b "ou=ca,ou=requests,o=ipaca" '(&(extdata-req--005fsubject--005fname--002ecn=badhost)(!(cn=9990026)))' dn|grep -o 'cn=.*' > cert_request_to_delete_not_used_badhost

Count the number of certs/requests from the previous operations. The
first two must match, the 3rd shows how many extra requests there are.
wc -l cert_to_delete_not_used_badhost \
    cert_request_to_delete_not_used_from_metaInfo_badhost \
    cert_request_to_delete_not_used_badhost
  3982 cert_to_delete_not_used_badhost
  3982 cert_request_to_delete_not_used_from_metaInfo_badhost
  3990 cert_request_to_delete_not_used_badhost

So there are 8 extra requests without corresponding certs. I chose to
ignore them for now. They're probably fine to delete in the future.

Before deleting the requests, make a file in a format ldapdelete
expects.
while read -r; do printf 'cn=%s,ou=ca,ou=requests,o=ipaca\n' "$REPLY"; done < cert_request_to_delete_not_used_from_metaInfo_badhost > cert_request_to_delete_not_used_from_metaInfo_ldapdelete_badhost

Now the actual deletion steps.
Delete the certs.
ldapdelete -x -D "cn=directory manager" -W -f cert_to_delete_not_used_badhost

Delete the requests.
ldapdelete -x -D "cn=directory manager" -W -f cert_request_to_delete_not_used_from_metaInfo_ldapdelete_badhost

(you can add '-nv' to test ldapdelete)


After this, I decided to trim the changelog and tombstones from ldap.
Roughly followed the info from
https://www.port389.org/docs/389ds/FAQ/changelog-trimming.html
Do the steps on all servers.


cat > changelog_short.ldif <<-'EOF'
dn: cn=changelog5,cn=config
changetype: modify
replace: nsslapd-changelogmaxage
nsslapd-changelogmaxage: 300
-
replace: nsslapd-changelogcompactdb-interval
nsslapd-changelogcompactdb-interval: 300
-
replace: nsslapd-changelogtrim-interval
nsslapd-changelogtrim-interval: 30
-

dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
changetype: modify
replace: nsds5ReplicaPurgeDelay
nsds5ReplicaPurgeDelay: 300
-
replace: nsds5ReplicaTombstonePurgeInterval
nsds5ReplicaTombstonePurgeInterval: 300
-
EOF


cat > changelog_normal.ldif <<-'EOF'
dn: cn=changelog5,cn=config
changetype: modify
replace: nsslapd-changelogmaxage
nsslapd-changelogmaxage: 7d
-
delete: nsslapd-changelogcompactdb-interval
-
delete: nsslapd-changelogtrim-interval
-

dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
changetype: modify
replace: nsds5ReplicaPurgeDelay
nsds5ReplicaPurgeDelay: 604800
-
replace: nsds5ReplicaTombstonePurgeInterval
nsds5ReplicaTombstonePurgeInterval: 86400
-
EOF


ldapmodify -x -D "cn=directory manager" -W -f changelog_short.ldif
systemctl restart dirsrv@EXAMPLE-COM.service

Make a change in the webUI or ipa cli. There must be a write/change operation in LDAP.
Wait >5 minutes. Monitor /var/log/dirsrv/slapd-EXAMPLE-COM/errors on all servers, there should be no errors.

ldapmodify -x -D "cn=directory manager" -W -f changelog_normal.ldif
systemctl restart dirsrv@EXAMPLE-COM.service

Before the purge /var/lib/dirsrv/slapd-EXAMPLE-COM was 360M, after the
purge 295M. This was only on the server I executed the deletions on,
not on any replicas. So not a drastic difference.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
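The list-building part of the procedure above, and the userCertificate cleanup flo points out, as an added example: this is not code from the post or from FreeIPA, and it is written in Python because that is the language of the ipaserver cert plugin linked above. It assumes the ldapsearch output was saved with `-o ldif-wrap=no` (so no value is folded across lines), that metaInfo carries the request id as `requestId:<id>` in the way the post's grep expects, and that requests live under `ou=ca,ou=requests,o=ipaca`. The host DN, serials, request ids and the minimal DER "certificates" are constructed test data; the DER builder only produces the outer structure needed to exercise the serial parser and is not a real certificate.

```python
"""Added example, not from the list post or FreeIPA: turn saved ldapsearch output
(run with -o ldif-wrap=no so no value is folded) into the ldapdelete/ldapmodify
input used in the cleanup above.  All DNs, serials and certs here are constructed."""
import base64
import re

REQ_BASE = "ou=ca,ou=requests,o=ipaca"   # assumed request suffix, as in the post's ldapdelete lines

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; '::' values are base64-decoded to bytes."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            value = base64.b64decode(value[1:]) if value.startswith(":") else value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries

def _values(attrs, wanted):
    """(attribute name, value) pairs for `wanted`, ignoring case and the ';binary' option."""
    return [(k, v) for k, vs in attrs.items() if k.split(";")[0].lower() == wanted for v in vs]

def cert_cleanup_lists(repo_ldif, keep_serial):
    """certificateRepository search -> (cert DNs to delete, DNs of the requests behind them)."""
    cert_dns, req_dns = [], []
    for dn, attrs in parse_ldif(repo_ldif):
        if str(keep_serial) in [v for _, v in _values(attrs, "cn")]:
            continue                                   # the cert still in use on the client
        cert_dns.append(dn)
        req_dns += ["cn=%s,%s" % (v.split(":", 1)[1], REQ_BASE)
                    for _, v in _values(attrs, "metainfo") if v.startswith("requestId:")]
    return cert_dns, req_dns

def orphan_requests(request_ldif, keep_request_id, req_dns):
    """Request DNs for the host that no certificate points at (the 'extra' ones in the post)."""
    referenced = set(req_dns) | {"cn=%s,%s" % (keep_request_id, REQ_BASE)}
    return [dn for dn, _ in parse_ldif(request_ldif) if dn not in referenced]

def _tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_serial(der):
    """serialNumber of a DER certificate: the INTEGER after the optional [0] version."""
    _, pos, _ = _tlv(der, 0)                           # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)                         # tbsCertificate SEQUENCE
    tag, start, end = _tlv(der, pos)
    if tag == 0xA0:                                    # explicit [0] version present, skip it
        tag, start, end = _tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[start:end], "big", signed=True)

def usercert_delete_ldif(host_ldif, keep_serial):
    """(ldapmodify LDIF deleting every userCertificate value not matching keep_serial, their serials)."""
    chunks, stale_serials = [], []
    for dn, attrs in parse_ldif(host_ldif):
        stale = [(k, v) for k, v in _values(attrs, "usercertificate") if der_serial(v) != keep_serial]
        if not stale:
            continue
        stale_serials += [der_serial(v) for _, v in stale]
        lines = ["dn: " + dn, "changetype: modify", "delete: " + stale[0][0]]  # one attr name per entry
        lines += ["%s:: %s" % (k, base64.b64encode(v).decode()) for k, v in stale]
        chunks.append("\n".join(lines + ["-"]))
    return "\n\n".join(chunks), stale_serials

def _der(tag, content):
    return bytes([tag, len(content)]) + content        # short-form length suffices for test data

def fake_cert_der(serial):
    """Constructed test data shaped like Certificate{tbs{[0] v3, serial}}; not a real cert."""
    n = serial.bit_length() // 8 + 1                   # keeps a 0x00 pad byte when the top bit is set
    return _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial.to_bytes(n, "big"))))

# Constructed sample output of the repository and request searches from the post.
REPO_LDIF = "\n\n".join("dn: cn=%d,ou=certificateRepository,ou=ca,o=ipaca\ncn: %d\nmetaInfo: requestId:%d"
                        % (s, s, r) for s, r in ((268369940, 9990026), (268369941, 9990027), (268369942, 9990028)))
REQ_LDIF = "\n\n".join("dn: cn=%d,%s" % (r, REQ_BASE) for r in (9990026, 9990027, 9990028, 9990029))

def host_ldif(serials):
    """Constructed host entry with one userCertificate;binary value per serial."""
    lines = ["dn: fqdn=badhost.example.com,cn=computers,cn=accounts,dc=example,dc=com"]
    return "\n".join(lines + ["userCertificate;binary:: " + base64.b64encode(fake_cert_der(s)).decode()
                              for s in serials])
```

The two lists from `cert_cleanup_lists` are `ldapdelete -f` input (run with `-n` first), `orphan_requests` reproduces the "extra requests" count the post gets from `wc -l`, and the text from `usercert_delete_ldif` is fed to `ldapmodify -x -D "cn=directory manager" -W -f`; it deletes specific values rather than the whole attribute so the certificate in use survives. Real host entries will need the same search saved with `-o ldif-wrap=no`, since the parser does not unfold continuation lines.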