#8600 ipa-cert-fix unable to fix certs no named 'Server-cert'
Closed: fixed 3 years ago by frenaud. Opened 3 years ago by mpearsonineda.

Request for enhancement

As freeipa user , I want ipa-cert-fix to work with all certificates so that I can manage certificates regardless as to how they're stored.

Issue

the ipa-cert-fix tool is unable to automaticallly fix our certificate setup as the cert that's in use is not name 'Server-cert' but instead 'CN=*.int.i-neda.com'

Steps to Reproduce

  1. Have a none standard server-cert name assigned to the server cert
  2. Attempt to use the ipa-fix-cert tool
    3.

Actual behavior

ipa-cert-fix

Failed to get Server-Cert
The ipa-cert-fix command failed.

Expected behavior

The tool to run as expected

Version/Release/Distribution

rpm -qa | grep ipa-server
ipa-server-common-4.6.8-5.el7.centos.noarch
ipa-server-4.6.8-5.el7.centos.x86_64
ipa-server-dns-4.6.8-5.el7.centos.noarch

Additional info:

Full email chain on the freeipa-users mail group:

On 11/24/20 10:50 AM, Marc Pearson | i-Neda Ltd wrote:

Thanks Flo,

I'm suprosed I didn't catch that typeo:

certutil -L -d /etc/dirsrv/slapd-INT-I-NEDA-COM

Certificate Nickname Trust Attributes

SSL,S/MIME,JAR/XPI

CN=AddTrust External CA Root,OU=AddTrust External TTP
Network,O=AddTrust AB,C=SE C,, CN=COMODO High-Assurance Secure Server
CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,, CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,,
comodoCA C,,
INT.I-NEDA.COM IPA CA CT,C,C
INT.I-NEDA.COM IPA CA CT,C,C
INT.I-NEDA.COM IPA CA CT,C,C
CN=COMODO RSA Certification Authority,O=COMODO CA
Limited,L=Salford,ST=Greater Manchester,C=GB C,, CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,,
comodoCA2 C,,
INT.I-NEDA.COM IPA CA CT,C,C
INT.I-NEDA.COM IPA CA CT,C,C
comodoCA C,,
CN=*.int.i-neda.com u,u,u
INT.I-NEDA.COM IPA CA CT,C,C

Ok, so I think the issue with ipa-cert-fix comes from the fact that the LDAP server cert is not called 'Server-Cert' but rather 'CN=*.int.i-neda.com' - you can check with the following command:

grep nsSSLPersonalitySSL /etc/dirsrv/slapd-INT-I-NEDA-COM/dse.ldif

Can you log an issue at https://pagure.io/freeipa/new_issue ?
When the LDAP server cert doesn't have the default name, ipa-cert-fix fails.
A possible workaround would be to rename the cert in the NSSDB to 'Server-Cert' with certutil --rename but you will also need to update the dse.ldif file (stop ds, edit, start ds). This will allow you to use ipa-cert-fix and hopefully to move forward.

flo

Marc.

-----Original Message-----
From: Florence Blanc-Renaud flo@redhat.com
Sent: 24 November 2020 09:01
To: Marc Pearson | i-Neda Ltd mpearson@i-neda.com; FreeIPA users
list freeipa-users@lists.fedorahosted.org
Subject: Re: [Freeipa-users] subsystemCert appears out of date

On 11/24/20 9:54 AM, Marc Pearson | i-Neda Ltd wrote:

Hi Flo,

I'm getting a database error when running that command:

certutil -L -d /etc/dirsrc/slapd-INT-I-NEDA-COM

certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

Sorry, I made a typo, it should be dirsrv, not dirsrc:

certutil -L -d /etc/dirsrv/slapd-INT-I-NEDA-COM

flo

Not sure if that's of any help?

Marc.

-----Original Message-----
From: Florence Blanc-Renaud flo@redhat.com
Sent: 21 November 2020 19:06
To: Marc Pearson | i-Neda Ltd mpearson@i-neda.com; FreeIPA users
list freeipa-users@lists.fedorahosted.org
Subject: Re: [Freeipa-users] subsystemCert appears out of date

On 11/18/20 12:23 PM, Marc Pearson | i-Neda Ltd wrote:

Hi Flo,

Thanks for the information. I've tried to run the cert fix utility just now and I'm hitting an issue, ironically with the SSL certificate:

[root@red-auth01 ~]# ipa-cert-fix
Failed to get Server-Cert
The ipa-cert-fix command failed.

Hi,
I failed to notice the first time but there is no tracking for the LDAP cert that is stored in /etc/dirsrv/slapd-$DOMAIN/. What is the output of # certutil -L -d /etc/dirsrc/slapd-$DOMAIN You should see Server-Cert (=the ldap server certificate), or maybe a different nickname is used?

flo

From the message log:
Nov 18 11:18:32 red-auth01 dogtag-ipa-ca-renew-agent-submit:
Forwarding request to dogtag-ipa-renew-agent Nov 18 11:18:32
red-auth01 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3 Nov 18 11:18:33 red-auth01 certmonger: 2020-11-18 11:18:33 [1164] Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
Nov 18 11:18:35 red-auth01 dogtag-ipa-ca-renew-agent-submit:
Forwarding request to dogtag-ipa-renew-agent Nov 18 11:18:35
red-auth01 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3 Nov 18 11:18:35 red-auth01 certmonger: 2020-11-18 11:18:35 [1164] Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.

Any advice?

Marc.

-----Original Message-----
From: Florence Blanc-Renaud flo@redhat.com
Sent: 17 November 2020 10:57
To: Marc Pearson | i-Neda Ltd mpearson@i-neda.com; FreeIPA users
list freeipa-users@lists.fedorahosted.org
Subject: Re: [Freeipa-users] subsystemCert appears out of date

On 11/17/20 10:19 AM, Marc Pearson | i-Neda Ltd wrote:

Hi Flo,

Thanks for the help. Included is the output of all the commands as
you requested. These were all run from a single freeIPA server (red-auth01).

kinit admin; ipa server-role-find --role "CA server"
Password for admin@INT.I-NEDA.COM:


8 server roles matched

  Server name: power-auth03.int.i-neda.com    Role name: CA

server  Role status: enabled

  Server name: power-auth04.int.i-neda.com    Role name: CA

server  Role status: absent

  Server name: red-auth01.int.i-neda.com    Role name: CA

server  Role status: enabled

  Server name: red-auth02.int.i-neda.com    Role name: CA

server  Role status: enabled

  Server name: red-auth03.int.i-neda.com    Role name: CA

server  Role status: enabled

  Server name: red-auth04.int.i-neda.com    Role name: CA

server  Role status: enabled

  Server name: white-auth01.int.i-neda.com    Role name: CA

server  Role status: enabled

  Server name: white-auth02.int.i-neda.com    Role name: CA

server  Role status: enabled

Number of entries returned 8

 kinit admin; ipa config-show | grep "renewal"

Password for admin@INT.I-NEDA.COM:
 IPA CA renewal master: red-auth01.int.i-neda.com

rpm -qa | grep ipa-server
ipa-server-common-4.6.8-5.el7.centos.noarch
ipa-server-4.6.8-5.el7.centos.x86_64
ipa-server-dns-4.6.8-5.el7.centos.noarch

getcert list
Number of certificates and requests being tracked: 8.
Request ID '20171101175244':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: SelfSign
issuer: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM
subject: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM
expires: 2021-08-10 14:04:07 UTC
principal name: krbtgt/INT.I-NEDA.COM@INT.I-NEDA.COM
certificate template/profile: KDCs_PKINIT_Certs pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes

Request ID '20180722081853':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSign
i n g Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSign
i n g Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
subject: CN=CA Audit,O=INT.I-NEDA.COM
expires: 2022-09-16 12:36:41 UTC
key usage: digitalSignature,nonRepudiation pre-save command:
/usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes

Request ID '20180722081854':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigni
n g C ert cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigni
n g C ert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
subject: CN=OCSP Subsystem,O=INT.I-NEDA.COM
expires: 2022-09-16 12:35:31 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20180722081855':
status: CA_UNREACHABLE
ca-error: Error 58 connecting to
https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview:
Problem with the local SSL certificate.
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystem
C e r t cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystem
C e r t cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
subject: CN=CA Subsystem,O=INT.I-NEDA.COM
expires: 2020-10-24 07:04:35 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth pre-save command:
/usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes

Request ID '20180722081856':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigning
C e r t cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigning
C e r t cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
subject: CN=Certificate Authority,O=INT.I-NEDA.COM
expires: 2040-10-10 07:51:04 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"caSigningCert cert-pki-ca"
track: yes
auto-renew: yes

Request ID '20180722081857':
status: CA_UNREACHABLE
ca-error: Error 58 connecting to
https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview:
Problem with the local SSL certificate.
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
subject: CN=IPA RA,O=INT.I-NEDA.COM
expires: 2020-10-24 07:03:24 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth pre-save command:
/usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes

Request ID '20180722081858':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Ce
r t cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Ce
r t cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
subject: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM
expires: 2021-02-09 11:59:57 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"Server-Cert cert-pki-ca"
track: yes
auto-renew: yes

Request ID '20200530130439':
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes

Hi Marc,

so the current situation is the following:
- red-auth01 is the renewal master, with multiple replicas hosting the CA role.
- on this server, 'subsystemCert cert-pki-ca' is expired (expires:
2020-10-24 07:04:35 UTC) as well as /var/lib/ipa/ra-agent.pem (expires:
2020-10-24 07:03:24 UTC).
- there is also an issue with the tracking of the cert used by HTTP

But one of your comments is puzzling me:

The signing SSL (int.i-neda.com) is a full wildcard block chain
that is authorized by a recognised 3rd party. It's worth noting
though, that we had some issues with the block chain back in April
as the thrid parties block chain expired. So it's possible that
this is as a result of that issue, and may require some fettling to resolve. All help is appreciated.
Did you import the new CA chain at that time using ipa-cacert-manage install / ipa-certupdate?

According to getcert output, the IPA CA is now self-signed. It looks a lot like issue https://pagure.io/freeipa/issue/8176 where the externally-signed IPA CA is renewed/replaced with a self-signed CA.

As you have ipa 4.6.8-5, the ipa-cert-fix utility is available on your system. It will be easier to use this tool to fix the server:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_lin
u
x
/7/html-single/linux_domain_identity_authentication_and_policy_guide
/ i ndex#renewing-expired-system-certificate-when-idm-is-offline

Once the systems are up again, you can switch back to an externally-signed ipa CA:
- import the external CA chain using ipa-cacert-manage install + run
ipa-certupdate on all the ipa nodes
- switch to externally-signed CA with ipa-cacert-manage renew
--external-ca command
(https://access.redhat.com/documentation/en-us/red_hat_enterprise_li
n
u
x/7/html-single/linux_domain_identity_authentication_and_policy_guid
e
/
index#manual-cert-renewal-ext)

HTH,
flo

My current tempory work around is to set the local clock of the OS
back by over a month so the server belives the expired CA's are still valid.

Kind Regards,

Marc.

-

-

From: Florence Blanc-Renaud flo@redhat.com
Sent: 16 November 2020 14:35
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: Marc Pearson | i-Neda Ltd mpearson@i-neda.com
Subject: Re: [Freeipa-users] subsystemCert appears out of date On
11/16/20 10:03 AM, Marc Pearson | i-Neda Ltd via FreeIPA-users wrote:

Hi All,

My subsystem cert appears to have gone out of date, and Iââ,¬â"¢m
unable to get it to update. This has become an issue on my
production environment, and my current work around has been to
take the system date back by a month. Iââ,¬â"¢ve tried the cert
renew tool, but this doesnââ,¬â"¢t seem to have updated this cert.

Is anyone able to point me in the right direction to be able to
update this specific certificate as Iââ,¬â"¢ve been unable to find anything online.

[auth01 ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n
'subsystemCert cert-pki-ca'

Certificate:

 Ã, Ã, Ã, Data:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Version: 3 (0x2)

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Serial Number: 42 (0x2a)

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Signature Algorithm: PKCS #1
SHA-256 With RSA Encryption

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Issuer: "CN=Certificate Authority,O=INT.I-NEDA.COM"

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Validity:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Not Before: Sun
Nov
04
08:04:35 2018

Not After : Sat Oct 24 07:04:35 2020

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Subject: "CN=CA Subsystem,O=INT.I-NEDA.COM"

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Subject Public Key Info:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Public Key Algorithm:
PKCS #1 RSA Encryption

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, RSA Public Key:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Modulus:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, c6:7e:e6:40:8f:6e:77:07:8f:2a:ca:ca:63:63:cf:c6:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 5f:1c:09:63:4a:bb:17:68:17:cd:20:9b:f3:b0:5b:c0:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, f7:ff:72:07:1d:a2:29:93:61:62:5c:9f:04:d3:cb:7b:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, bf:53:de:bb:dd:d6:3f:a1:14:95:04:53:64:87:73:24:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, e3:61:66:96:ab:99:1f:2c:da:ec:22:e5:21:b1:5c:d5:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 0a:dd:4e:3f:f8:e2:90:a1:55:31:ad:11:2f:3b:d3:90:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 14:dc:b7:9d:fc:35:1a:ab:48:27:68:0a:9f:cb:95:14:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 00:93:b8:d4:d4:30:de:4e:be:20:a3:01:24:e8:f2:4a:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 1a:d2:b6:e0:09:77:3d:24:e3:5a:cf:51:d6:ca:d2:65:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 53:62:72:64:fe:7d:53:09:0e:97:b8:61:c9:c8:6d:24:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 52:15:f2:bf:40:04:38:24:22:73:fb:80:a0:ff:16:57:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, e1:0b:3c:71:02:d7:e6:2e:94:0a:e7:4e:aa:5e:6f:91:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, a5:68:65:21:cd:68:0c:2d:5d:53:fa:e0:10:75:47:43:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, 04:f2:8b:e1:1c:1c:ed:a6:c1:ee:5c:6c:72:51:b5:e6:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, cd:f9:06:45:17:00:2b:d7:34:75:8a:59:f2:21:97:c6:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã,Â
Ã, Ã, Ã, 63:d3:6f:54:d9:00:42:74:88:9e:94:d0:d4:d2:a1:b7

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã,Â
Exponent: 65537 (0x10001)

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Signed Extensions:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Name: Certificate
Authority Key Identifier

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Key ID:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, f2:bb:9c:4f:e3:d8:c3:f9:58:eb:cc:5f:f7:be:8c:d6:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã,Â
d5:08:c0:3a

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Name: Authority
Information Access

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Method: PKIX
Online Certificate Status Protocol

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Location:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, URI: "http://ipa-ca.int.i-neda.com/ca/ocsp"

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Name: Certificate
Key Usage

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Critical: True

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Usages: Digital
Signature

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã,Â
Ã, Ã, Ã, Non-Repudiation

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã,Â
Ã, Ã, Ã, Key Encipherment

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã,Â
Ã, Ã, Ã, Data Encipherment

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Name: Extended Key
Usage

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã,Â
TLS Web Server Authentication Certificate

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã,Â
TLS Web Client Authentication Certificate

 Ã, Ã, Ã, Signature Algorithm: PKCS #1 SHA-256 With RSA
Encryption

 Ã, Ã, Ã, Signature:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 5f:b7:31:25:10:ef:e7:72:44:8e:94:1d:57:4e:bb:4e:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 22:cf:9b:7e:f4:20:a2:fa:96:2a:cf:e9:70:cd:a6:82:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 4a:bd:58:4b:a7:df:4d:77:47:ba:65:d0:68:c5:dc:59:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 77:7e:bf:36:d3:55:c7:86:d3:16:77:51:46:c2:48:de:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, e8:0d:62:05:b9:8c:46:bd:22:7d:8d:d0:ad:5a:64:6b:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 9b:7d:ec:4c:e6:05:e7:02:97:cd:01:f5:19:91:15:7e:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, cc:41:5b:f2:00:2d:c0:0b:91:9e:62:d5:7a:b2:1e:8f:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 32:62:c2:ed:1a:e8:e1:56:32:e0:0e:79:55:a2:49:35:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 0e:df:5d:a3:df:e2:dd:58:60:4a:dd:19:92:f7:4d:60:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 59:0e:16:b1:ae:32:e6:c5:c5:fa:5b:2f:fe:1d:fe:e9:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, ec:67:2b:65:33:f2:57:64:8a:68:f3:91:9b:25:ff:02:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 64:4c:a1:6d:fe:f0:73:95:f2:0f:49:fb:3f:85:21:a0:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 68:37:dc:cd:73:02:73:20:22:a9:1d:c9:7e:88:4f:9b:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, 7c:92:f8:c1:50:0f:95:43:48:5b:8b:7f:0f:48:04:a8:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, c7:c0:0e:58:7c:86:2c:3a:b5:72:e3:34:3d:d8:0f:26:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã,Â
eb:44:fa:75:c1:c8:fc:b6:7d:f7:31:91:a4:71:a1:51

 Ã, Ã, Ã, Fingerprint (SHA-256):

4F:2A:1B:54:65:B6:09:3E:AD:68:08:92:CB:8D:FE:13:EF:B8:4C:F1:1E:0F:E1:
15:13:92:D3:7A:3D:F8:54:44

 Ã, Ã, Ã, Fingerprint (SHA1):

 Ã, Ã, Ã, Ã, Ã, Ã, Ã,Â
03:34:DC:55:F5:00:AF:8C:EF:AC:AA:0D:E0:44:AD:5C:6F:CF:97:A6

 Ã, Ã, Ã, Mozilla-CA-Policy: false (attribute missing)

 Ã, Ã, Ã, Certificate Trust Flags:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, SSL Flags:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, User

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Email Flags:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, User

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Object Signing Flags:

 Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, User

Thanks for the help,

Marc.


FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.f
e
d
o
rahosted.org

Hi Marc,

we need more information in order to help you:
- do you have multiple master/replicas with the CA role:

kinit admin; ipa server-role-find --role "CA server"

  • which server is the renewal master:

kinit admin ; ipa config-show | grep "renewal"

  • which version is installed:

rpm -qa | grep ipa-server

  • Is the subsystemCert cert-pki-ca the only expired certificate:

getcert list

flo


ipa-cert-fix is harcoding the LDAP server cert nickname, see https://pagure.io/freeipa/blob/master/f/ipaserver/install/ipa_cert_fix.py#_197:

    # LDAPS
    ds_dbdir = dsinstance.config_dirname(realm_to_serverid(api.env.realm))
    db = NSSDatabase(nssdir=ds_dbdir)
    cert = db.get_cert('Server-Cert')
    if cert.not_valid_after <= now:
        certs.append((IPACertType.LDAPS, cert))

When the LDAP server is configured with a different cert nickname, ipa-cert-fix fails.

The nickname can be found in /etc/dirsrv/slapd-XXX/dse.ldif in the nsSSLPersonalitySSL directive, and ipa-cert-fix should support when a different nickname is used.

Metadata Update from @rcritten:
- Issue assigned to rcritten

3 years ago

master:

  • 7cfd44d ipa-cert-fix: Don't hardcode the NSS certificate nickname
  • be4195c ipatests: test third-party 389-ds cert with ipa-cert-fix
  • 146db28 Set pki-core dependency to 10.3.3 for pki-server cert-fix bug
  • dea2b8a Don't renew non-IPA issued certs in ipa-cert-fix

ipa-4-9:

  • a0626e0 ipa-cert-fix: Don't hardcode the NSS certificate nickname
  • 660507f ipatests: test third-party 389-ds cert with ipa-cert-fix
  • 4cb6f0b Set pki-core dependency to 10.3.3 for pki-server cert-fix bug
  • f346372 Don't renew non-IPA issued certs in ipa-cert-fix

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago

Login to comment on this ticket.

Metadata