Hello,
I have a freeipa server (ipa-server-4.5.0-22.el7.centos.x86_64).
Сertificates expired in April 2022 and why certmonger did not renew them is not clear.
getcert list
Request ID '20180510155654':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate
Authority,O=EXAMPLE.COM
subject: CN=IPA
RA,O=EXAMPLE.COM
expires: 2024-03-07 17:47:25 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20180510155804':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate
Authority,O=EXAMPLE.COM
subject: CN=CA
Audit,O=EXAMPLE.COM
expires: 2024-03-05 17:47:13 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180510155805':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate
Authority,O=EXAMPLE.COM
subject: CN=OCSP
Subsystem,O=EXAMPLE.COM
expires: 2024-03-07 17:47:15 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180510155806':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate
Authority,O=EXAMPLE.COM
subject: CN=CA
Subsystem,O=EXAMPLE.COM
expires: 2024-03-05 17:47:23 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180510155807':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate
Authority,O=EXAMPLE.COM
subject: CN=Certificate
Authority,O=EXAMPLE.COM
expires: 2038-05-10 15:56:32 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180510155808':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to
https://freeipa.example.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be
authenticated with given CA certificates.
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate
Authority,O=EXAMPLE.COM
subject:
CN=freeipa.example.com,O=EXAMPLE.COM
expires: 2022-04-15 04:47:25 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180510155834':
status: CA_UNREACHABLE
ca-error: Server at
https://freeipa.example.com/ipa/xml failed request, will
retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Failed
connect to freeipa.example.com:443; Connection refused).
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate
Authority,O=EXAMPLE.COM
subject:
CN=freeipa.example.com,O=EXAMPLE.COM
expires: 2022-04-25 20:55:59 UTC
dns:
freeipa.example.com
principal name: ldap/freeipa.example.com(a)EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
track: yes
auto-renew: yes
Request ID '20180510155907':
status: CA_UNREACHABLE
ca-error: Server at
https://freeipa.example.com/ipa/xml failed request, will
retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Failed
connect to freeipa.example.com:443; Connection refused).
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate
Authority,O=EXAMPLE.COM
subject:
CN=freeipa.example.com,O=EXAMPLE.COM
expires: 2022-04-26 06:11:51 UTC
dns:
freeipa.example.com
principal name: ldap/freeipa.example.com(a)EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Request ID '20180510155922':
status: CA_UNREACHABLE
ca-error: Server at
https://freeipa.example.com/ipa/xml failed request, will
retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Failed
connect to freeipa.example.com:443; Connection refused).
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: IPA
issuer: CN=Certificate
Authority,O=EXAMPLE.COM
subject:
CN=freeipa.example.com,O=EXAMPLE.COM
expires: 2022-04-25 20:56:54 UTC
principal name: krbtgt/EXAMPLE.COM(a)EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
Request ID '20180720144614':
status: CA_REJECTED
ca-error: Server at
https://freeipa.example.com/ipa/xml denied our request, giving
up: 2100 (RPC failed at server. Insufficient access: Insufficient 'add' privilege
to add the entry
'krbprincipalname=HTTP/pb-freeipa(a)EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=cb,dc=com'.).
stuck: yes
key pair storage:
type=FILE,location='/etc/pki/tls/private/pb-freeipa.key'
certificate: type=FILE,location='/etc/pki/tls/certs/pb-freeipa.crt'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20180720151813':
status: NEED_KEY_GEN_PIN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/ipa/certdb',nickname='Server-Cert',pin set
certificate:
type=NSSDB,location='/etc/ipa/certdb',nickname='Server-Cert'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20180720152853':
status: CA_UNREACHABLE
ca-error: Server at
https://freeipa.example.com/ipa/xml failed request, will
retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Failed
connect to freeipa.example.com:443; Connection refused).
stuck: no
key pair storage:
type=FILE,location='/etc/pki/tls/private/freeipa.example.com.key'
certificate:
type=FILE,location='/etc/pki/tls/certs/freeipa.example.com.crt'
CA: IPA
issuer: CN=Certificate
Authority,O=EXAMPLE.COM
subject:
CN=freeipa.example.com,O=EXAMPLE.COM
expires: 2022-04-25 20:57:24 UTC
dns:
freeipa.example.com
principal name: HTTP/freeipa.example.com(a)EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20180723075009':
status: NEED_CSR
stuck: no
key pair storage: type=FILE,location='/root/OVPN_CLIENT_1.key'
certificate: type=FILE,location='/root/OVPN_CLIENT_1.pem'
CA: IPA
issuer: CN=Certificate
Authority,O=EXAMPLE.COM
subject:
CN=freeipa.example.com,O=EXAMPLE.COM
expires: 2020-07-23 07:50:10 UTC
dns:
freeipa.example.com
principal name: host/freeipa.example.com(a)EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20180723075356':
status: CA_REJECTED
ca-error: Server at
https://freeipa.example.com/ipa/xml denied our request, giving
up: 3009 (RPC failed at server. invalid 'csr': hostname in subject of request
'OVPN_CLIENT_1' does not match name or aliases of principal
'HTTP/freeipa.example.com(a)EXAMPLE.COM').
stuck: yes
key pair storage: type=FILE,location='/root/OVPN_CLIENT_2.key'
certificate: type=FILE,location='/root/OVPN_CLIENT_2.pem'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20180723075553':
status: CA_UNREACHABLE
ca-error: Server at
https://freeipa.example.com/ipa/xml failed request, will
retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's
Certificate has expired.).
stuck: no
key pair storage: type=FILE,location='/root/OVPN_CLIENT_3.key'
certificate: type=FILE,location='/root/OVPN_CLIENT_3.pem'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20200514145151':
status: CA_UNREACHABLE
ca-error: Server at
https://freeipa.example.com/ipa/xml failed request, will
retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's
Certificate has expired.).
stuck: no
key pair storage: type=FILE,location='/home/user/vpn-user.key'
certificate: type=FILE,location='/home/user/vpn-user.crt'
CA: IPA
issuer: CN=Certificate
Authority,O=EXAMPLE.COM
subject:
CN=freeipa.example.com,O=EXAMPLE.COM
expires: 2022-05-15 14:51:52 UTC
dns:
freeipa.example.com
principal name: host/freeipa.example.com(a)EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20200514150206':
status: CA_UNREACHABLE
ca-error: Server at
https://freeipa.example.com/ipa/xml failed request, will
retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's
Certificate has expired.).
stuck: no
key pair storage: type=FILE,location='/home/user/freeipa.example.com.key'
certificate: type=FILE,location='/home/user/freeipa.example.com.crt'
CA: IPA
issuer: CN=Certificate
Authority,O=EXAMPLE.COM
subject:
CN=freeipa.example.com,O=EXAMPLE.COM
expires: 2022-05-15 15:02:07 UTC
dns:
freeipa.example.com
principal name: host/freeipa.example.com(a)EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
I tried to update the certificates using the information from the following links:
https://floblanc.wordpress.com/2016/12/06/using-certmonger-to-track-certi...
https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issu...
https://listman.redhat.com/archives/freeipa-users/2017-January/msg00216.html
but it was not possible to update expired certificates.
Please would you tell how to solve the problem.