On Mon, 19 Aug 2019, Thomas Kropeit via FreeIPA-users wrote:
Over the weekend, my original "NSS Certificate DB" certificate expired. It was automatically renewed, however in a new location:
# ipa-getcert list
Number of certificates and requests being tracked: 10.
Request ID '20180929060059':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-PHYSEC-DE',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-PHYSEC-DE
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-PHYSEC-DE',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=IPA.PHYSEC.DE
	subject: CN=master.ipa.physec.de,O=IPA.PHYSEC.DE
	expires: 2021-07-20 14:25:43 UTC
	principal name: ldap/master.ipa.physec.de@IPA.PHYSEC.DE
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-PHYSEC-DE
	track: yes
	auto-renew: yes
Request ID '20180929060107':
	status: MONITORING
	ca-error: Unable to determine principal name for signing request.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=IPA.PHYSEC.DE
	subject: CN=master.ipa.physec.de,O=IPA.PHYSEC.DE
	expires: 2019-08-17 12:45:50 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
I managed to restart the FreeIPA service by adding `NSSEnforceValidCerts off` to `/etc/httpd/conf.d/nss.conf`. But logging into the web interface still yields the following error in httpd:

[Mon Aug 19 10:36:05.722736 2019] [:error] [pid 12798] ipa: INFO: 401 Unauthorized: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
[Mon Aug 19 10:36:05.723894 2019] [:error] [pid 12802] SSL Library Error: -12269 The server has rejected your certificate as expired
I have intentionally not copied the new certificate to `/etc/httpd/alias` as I am not aware of all the involved components and fear that this might break something.
My system is running a fully patched CentOS 7.6, running FreeIPA 4.6.4-10.el7.centos.6.
What should I do to resolve this issue, simply replacing the certificates, or is there a better method?
These two certificates are different, as they are issued to different Kerberos principals (ldap/... and HTTP/...). In the other case you just need to add
ipa-getcert resubmit -i 20180929060107 -K HTTP/master.ipa.physec.de
as this is what your ca-error says:
ca-error: Unable to determine principal name for signing request.
But to submit it you'd need to go back in time to when the HTTP cert is still valid (before 2019-08-17), and not so far back that the LDAP certificate is not yet valid (after 2019-07-20).
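As an added example (not from the thread or from the FreeIPA project), a POSIX shell/awk check that scans `ipa-getcert list` output for tracked requests that carry a ca-error or lack a principal name, and prints the resubmit command the reply above gives. The sample output is constructed from the two requests quoted in the thread; deriving an HTTP/ service principal from a restart_httpd post-save command and the subject CN is an assumption.

```shell
#!/bin/sh
# Constructed sample: the two requests from the thread, trimmed to the
# fields the check needs (Request ID, ca-error, subject, expires,
# principal name, post-save command).
sample_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20180929060059':
  status: MONITORING
  subject: CN=master.ipa.physec.de,O=IPA.PHYSEC.DE
  expires: 2021-07-20 14:25:43 UTC
  principal name: ldap/master.ipa.physec.de@IPA.PHYSEC.DE
  post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-PHYSEC-DE
Request ID '20180929060107':
  status: MONITORING
  ca-error: Unable to determine principal name for signing request.
  subject: CN=master.ipa.physec.de,O=IPA.PHYSEC.DE
  expires: 2019-08-17 12:45:50 UTC
  post-save command: /usr/libexec/ipa/certmonger/restart_httpd
EOF
}

# Read `ipa-getcert list` output on stdin; print one line per request that
# has a ca-error or no principal name, with the resubmit command to run.
# Assumption: a restart_httpd post-save command means the HTTP/<CN> principal.
flag_requests() {
  awk '
    function report() {
      if (id == "" || (err == "" && princ != "")) return
      cmd = (svc != "" && cn != "") ? "ipa-getcert resubmit -i " id " -K " svc "/" cn : "(no suggestion)"
      printf "%s ca-error=\"%s\" principal=%s expires=%s suggest=\"%s\"\n", \
        id, err, (princ == "" ? "<none>" : princ), expiry, cmd
    }
    $1 == "Request" && $2 == "ID" { report(); id = $3; gsub(/[^0-9]/, "", id)
                                    err = princ = expiry = cn = svc = "" }
    $1 == "ca-error:" { err = $0; sub(/^[[:blank:]]*ca-error: /, "", err) }
    $1 == "principal" && $2 == "name:" { princ = $3 }
    $1 == "expires:" { expiry = $2 }
    $1 == "subject:" { if (match($0, /CN=[^,]+/)) cn = substr($0, RSTART + 3, RLENGTH - 3) }
    $1 == "post-save" && /restart_httpd/ { svc = "HTTP" }
    END { report() }
  '
}

# Run against the constructed sample; on a real server pipe `ipa-getcert list` in instead.
sample_list | flag_requests
```

Only the httpd request (20180929060107) is reported, with the same `-K HTTP/master.ipa.physec.de` resubmit the reply recommends; the LDAP request has a principal and no error and is left alone.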