Hi there, still working on cert renewal with a little bit of progress, hence asking kindly
for more support until final resolution. As per the subject, certmonger renews two out of
four certificates.
[1] stop ntpd, go back in time (Aug 10 2018), where all certs are valid
[2] restart krb5kdc, 389, httpd, CA
[3] Verify that CA is running.
# SSL_DIR=/etc/httpd/alias/ curl -v -o /dev/null --cacert /etc/ipa/ca.crt https://`hostname`:8443/ca/agent/ca/profileReview
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* About to
connect() to
ca-ldap01.domain.com port 8443 (#0)
* Trying x.x.x.x...
* Connected to
ca-ldap01.domain.com (IP) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/httpd/alias/
* CAfile: /etc/ipa/ca.crt
CApath: none
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject:
CN=ca-ldap01.domain.com,O=domain.com
* start date: Jul 18 01:47:45 2018 GMT
* expire date: Jul 07 01:47:45 2020 GMT
* common name:
ca-ldap01.domain.com
* issuer: CN=Certificate
Authority,O=domain.com
GET /ca/agent/ca/profileReview HTTP/1.1
User-Agent: curl/7.29.0
Host: ca-ldap01.domain.com:8443
Accept: */*
* NSS: client certificate not found (nickname not specified)
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Content-Type: text/html;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Fri, 10 Aug 2018 08:54:11 GMT
<
{ [data not shown]
100 17641 0 17641 0 0 203k 0 --:--:-- --:--:-- --:--:-- 205k
* Connection #0 to host
ca-ldap01.domain.com left intact
[4] ipactl status reads:
# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: STOPPED
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[5] restart certmonger; four certs are in SUBMITTING status
# getcert list | egrep "certificate|expire|status"
Number of certificates and requests being tracked: 6.
status: SUBMITTING
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:38 UTC
status: SUBMITTING
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:35 UTC
status: SUBMITTING
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:36 UTC
status: MONITORING
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
expires: 2036-08-24 20:49:35 UTC
status: SUBMITTING
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
expires: 2018-08-14 20:50:00 UTC
status: MONITORING
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
expires: 2020-07-07 01:47:45 UTC
[6] Here is where the problem starts: the CA stops running, and
/var/lib/pki/pki-tomcat/logs/ca/selftests.log reports
0.localhost-startStop-1 - [10/Aug/2018:01:52:12 PDT] [20] [1] CAPresence: CA is present
0.localhost-startStop-1 - [10/Aug/2018:01:52:12 PDT] [20] [1] SystemCertsVerification:
system certs verification success
0.localhost-startStop-1 - [10/Aug/2018:01:52:12 PDT] [20] [1] SelfTestSubsystem: All
CRITICAL self test plugins ran SUCCESSFULLY at startup!
0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem:
Initializing self test plugins:
0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: loading
all self test plugin logger parameters
0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: loading
all self test plugin instances
0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: loading
all self test plugin instance parameters
0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: loading
self test plugins in on-demand order
0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: loading
self test plugins in startup order
0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: Self test
plugins have been successfully loaded!
0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: Running
self test plugins specified to be executed at startup:
0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] CAPresence: CA is present
0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SystemCertsVerification:
system certs verification failure: Certificate auditSigningCert cert-pki-ca is invalid:
Invalid certificate: (-8181) Peer's Certificate has expired.
0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: The
CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification
running at startup FAILED!
[7] I see that 'auditSigningCert' and ocspSigningCert have been renewed, so
obviously at this very moment their validity time is not the same as for the other certs. Hence
selftests.log reports auditSigningCert is invalid, the CA stops running and I am left
with two certs not renewed. The new cert list now is:
# getcert list | egrep "certificate|expires"
Number of certificates and requests being tracked: 6.
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
expires: 2020-10-29 06:35:38 UTC
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
expires: 2020-10-11 20:15:53 UTC
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:36 UTC
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
expires: 2036-08-24 20:49:35 UTC
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
expires: 2018-08-14 20:50:00 UTC
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
expires: 2020-07-07 01:47:45 UTC
The question now is: how to work around this problem?
Instead of restarting certmonger service, is it better to renew certs with 'getcert
resubmit' in some specific order?
thanks, Zarko
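The `getcert list` output quoted in steps [5] and [7] is what an administrator actually has to read to see which certificates certmonger has brought back to MONITORING and which are still expired or about to expire. The script below is an added example, not code from Zarko's post nor from the FreeIPA, certmonger or Dogtag projects: it parses that filtered output (re-joining the nickname lines the mail client wrapped), classifies each tracked certificate against a chosen reference time (useful when the clock has been rolled back, as in step [1]), and lists the ones a renewal run has not yet fixed. The sample input is constructed to mirror the thread's listing, and the 28-day "expiring" window is an assumption of this example, not certmonger's own renewal threshold.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input (not captured from a live system): the shape of
# `getcert list | egrep "certificate|expire|status"` as quoted in the thread,
# including nickname values that the mail client wrapped across two lines.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 6.
status: SUBMITTING
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:38 UTC
status: MONITORING
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
expires: 2036-08-24 20:49:35 UTC
status: SUBMITTING
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
expires: 2018-08-14 20:50:00 UTC
"""

KEY_PREFIXES = ("Number of", "status:", "certificate:", "expires:")
NICK_RE = re.compile(r"nickname='([^']*)'")
LOC_RE = re.compile(r"location='([^']*)'")


def unwrap(text):
    """Undo mail-client line wrapping: a line that does not start with a known
    getcert key is glued back onto the previous line with a single space."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(KEY_PREFIXES) or not lines:
            lines.append(line)
        else:
            lines[-1] += " " + line
    return lines


def parse_utc(stamp):
    """Parse getcert's 'YYYY-MM-DD HH:MM:SS UTC' (suffix optional) into an
    aware UTC datetime; aware datetimes are passed through unchanged."""
    if isinstance(stamp, datetime):
        return stamp
    stamp = stamp.strip()
    if stamp.endswith(" UTC"):
        stamp = stamp[:-4]
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_getcert(text):
    """Return one dict per tracked request: nickname, location, status, expires.
    status is None when the listing was filtered without the status lines."""
    certs, pending_status, current = [], None, None
    for line in unwrap(text):
        if line.startswith("status:"):
            pending_status = line.split(":", 1)[1].strip()
        elif line.startswith("certificate:"):
            body = line.split(":", 1)[1]          # the glued 'type=NSSDB,...' part
            nick, loc = NICK_RE.search(body), LOC_RE.search(body)
            current = {
                "nickname": nick.group(1) if nick else None,
                "location": loc.group(1) if loc else None,
                "status": pending_status,
                "expires": None,
            }
            certs.append(current)
            pending_status = None
        elif line.startswith("expires:") and current is not None:
            current["expires"] = parse_utc(line.split(":", 1)[1])
    return certs


def classify(certs, now, warn_days=28):
    """Label each cert as expired/expiring/valid/unknown relative to `now`.
    warn_days is an assumed window for this example, not certmonger's setting."""
    now = parse_utc(now)
    rows = []
    for c in certs:
        exp = c["expires"]
        if exp is None:
            state = "unknown"
        elif exp <= now:
            state = "expired"
        elif exp - now <= timedelta(days=warn_days):
            state = "expiring"
        else:
            state = "valid"
        rows.append((c["nickname"], c["status"], state))
    return rows


def unrenewed(certs, now, warn_days=28):
    """Nicknames still expired or expiring and not back in MONITORING: the
    certificates a renewal run has not yet taken care of."""
    return [nick for nick, status, state in classify(certs, now, warn_days)
            if state in ("expired", "expiring") and status != "MONITORING"]


if __name__ == "__main__":
    ref = "2018-08-10 00:00:00 UTC"          # the rolled-back date from step [1]
    tracked = parse_getcert(SAMPLE_GETCERT)
    for nick, status, state in classify(tracked, ref):
        print(f"{nick:<32} {str(status):<12} {state}")
    print("still to renew:", unrenewed(tracked, ref))
```

Feed it real output with `getcert list | egrep "certificate|expire|status" | python3 this_script.py` after replacing `SAMPLE_GETCERT` with `sys.stdin.read()`; re-running it with the true current date instead of the rolled-back one shows immediately which certificates the self-test will reject once the clock is restored.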