On Wed, Jul 12, 2017 at 05:37:54PM +0200, Karl Forner via FreeIPA-users wrote:
> Hello,
> I'm getting desperate, I'm still unable to fix my expired certificates on
> my freeIPA master.
> Summary:
> - I discovered that my web ui SSL certificate had expired.
> - the certificate lives in /etc/httpd/alias, is named Server-Cert
> - for some reason, it is not tracked by ipa-getcert list
> - from the web-ui, Authentication --> certificates fail:
>   - IPA Error 4301: CertificateOperationError
>   - Certificate operation cannot be completed: Unable to communicate
>     with CMS (Internal Server Error)
> - I tried to set the system time back in time -> was unable to get
>   kinit credentials (revoked)
This seems odd. You are performing `kinit` on the affected master,
right? After changing the time, did you restart IPA and execute
`kdestroy -A` before trying to `kinit`?
> - I tried to set certmonger to track the expired certificate:
>   - ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert -p
>     /etc/httpd/alias/pwdfile.txt
>   - status from ipa-getcert list:
>     - ca-error: Unable to determine principal name for signing
>       request.
You need some additional options to `ipa-getcert start-tracking`:
-D <dnsname> # SAN dnsName (for RFC 2818 compliance)
-K HTTP/<dnsname> # kerberos principal name
> - I followed some instructions to manually renew the
>   certificates.
>   - at one point I need ipa cert-request to sign the request.
>   - but the ipa cert commands do not work, e.g.
>     - ipa cert-find
>       ipa: ERROR: cert validation failed for "CN=ipa.quartzbio.com,O=
>       QUARTZBIO.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate
>       has expired.)
>       ipa: ERROR: Certificate operation cannot be completed: Unable to
>       communicate with CMS (Not Found)
> What could/should I do !?!?
> Is it possible to manually renew the certificate using only certutil ?
Yes. certutil(1) can do it. The NSSDB with the IPA CA signing cert
is /etc/pki/pki-tomcat/alias. I don't know the arcane incantation
of certutil(1) required, but hopefully the manpage will be useful.
This should be an absolute last resort. Be very careful to:
- choose a serial number that has not already been used and is not
likely to be used in the lifetime of the deployment (IPA uses
sequential serial numbers so pick something large and random and
you should be OK).
- make sure Dogtag is NOT RUNNING when you use certutil in a way
that accesses Dogtag NSSDB.
Good luck!
> Thanks for any help.
> Karl
> P.S
> this runs in a freeipa-server docker container.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
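The last-resort procedure sketched in the reply (stop Dogtag, sign a renewal for Server-Cert with certutil(1) against the CA key in /etc/pki/pki-tomcat/alias using a large random serial, then put the certificate back under certmonger tracking with -D and -K), assembled into one script. This is an added example, not code from the thread or from the FreeIPA project, and it was not run against a real deployment. Assumptions, beyond the paths and nicknames quoted in the thread: the Dogtag NSSDB password is placed alone in a file named here PKI_PWFILE; Dogtag serials are small and sequential so a random serial in [2^30, 2^31) does not collide (certutil -m takes a decimal integer); `-k <nickname>` on `certutil -R` reuses the existing Server-Cert key (older NSS may want the key ID from `certutil -K` instead); and `ipactl stop` is how Dogtag is stopped in the container. Check each certutil flag against certutil(1) on your NSS version before running with --run.

```shell
#!/bin/sh
# Manual renewal of the FreeIPA httpd Server-Cert with certutil(1).
# Added example for the thread above; not FreeIPA's own tooling.
# Assumptions (verify before use): paths/nicknames from the thread,
# PKI_PWFILE holds only the Dogtag NSSDB password, certutil flags as
# in NSS 3.x, Dogtag serials are small and sequential.
HTTPD_DB=/etc/httpd/alias
HTTPD_PW=/etc/httpd/alias/pwdfile.txt
PKI_DB=/etc/pki/pki-tomcat/alias
PKI_PWFILE=/root/pki-internal.pw          # assumption: password only, no "internal=" prefix
CA_NICK="caSigningCert cert-pki-ca"       # IPA CA signing cert nickname in the Dogtag NSSDB
NICK=Server-Cert

# Random serial in [2^30, 2^31): far above sequential Dogtag serials,
# still inside the signed 32-bit range certutil's -m accepts.
random_serial() {
    r=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
    echo $(( (r % 1073741824) + 1073741824 ))
}

# Never open the Dogtag NSSDB with certutil while pki-tomcat is running.
dogtag_running() {
    pgrep -f 'pki-tomcat' >/dev/null 2>&1
}

# The start-tracking command from the thread, plus the -D (SAN dnsName)
# and -K (Kerberos principal) options the reply says were missing.
tracking_cmd() {
    host=$1
    printf 'ipa-getcert start-tracking -d %s -n %s -p %s -D %s -K HTTP/%s\n' \
        "$HTTPD_DB" "$NICK" "$HTTPD_PW" "$host" "$host"
}

renew_server_cert() {
    host=$1; realm=$2; serial=$(random_serial); work=$(mktemp -d)
    if dogtag_running; then
        echo "stop Dogtag first (ipactl stop); refusing to open $PKI_DB" >&2
        return 1
    fi
    # 1. CSR that reuses the existing Server-Cert key (-k <nickname>), so the
    #    private key in httpd's NSSDB does not change. Binary output (no -a).
    certutil -R -d "$HTTPD_DB" -f "$HTTPD_PW" -k "$NICK" \
        -s "CN=$host,O=$realm" -o "$work/req.der"
    # 2. Sign it with the IPA CA key in the (stopped) Dogtag NSSDB:
    #    explicit serial, 24 months validity, SAN dnsName for RFC 2818.
    certutil -C -d "$PKI_DB" -f "$PKI_PWFILE" -c "$CA_NICK" \
        -i "$work/req.der" -o "$work/cert.der" -m "$serial" -v 24 -8 "$host"
    # 3. Import under the same nickname; NSS pairs it with the existing key.
    certutil -A -d "$HTTPD_DB" -f "$HTTPD_PW" -n "$NICK" -t u,u,u -i "$work/cert.der"
    certutil -L -d "$HTTPD_DB" -n "$NICK" | grep -E 'Not After|Serial Number'
    echo "issued serial $serial; next: ipactl start && $(tracking_cmd "$host")"
}

# Runs only when asked explicitly, e.g.:
#   sh renew.sh --run ipa.quartzbio.com QUARTZBIO.COM
if [ "${1:-}" = "--run" ]; then
    renew_server_cert "$2" "$3"
fi
```

Record the serial you issued somewhere durable: Dogtag never learns about a certificate minted this way, so `ipa cert-show` and the revocation machinery will not know it, and a later sequential Dogtag issuance must not be allowed to reach that number.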