Hi there,
I've been using IPA 4.4.0 and pki-server 10.3.3 and have been posting on the freeipa mailing
list, but unfortunately haven't resolved the problem, so I am looking for support on
this mailing list.
[1] Since certmonger failed to renew the certs, I believe the resolution is going back in time
to when all certs are valid and restarting the certmonger service.
[2] I went back in time and verified that pki-server is running, with the command:
SSL_DIR=/etc/httpd/alias/ curl -v -o /dev/null --cacert /etc/ipa/ca.crt https://`hostname`:8443/ca/agent/ca/profileReview
[3] I restart certmonger, and getcert list shows four certs in SUBMITTING status:
# getcert list | egrep "certificate|expire|status"
status: SUBMITTING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:38 UTC
status: SUBMITTING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:35 UTC
status: SUBMITTING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:36 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2036-08-24 20:49:35 UTC
status: SUBMITTING
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
expires: 2018-08-14 20:50:00 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
expires: 2020-07-07 01:47:45 UTC
[4] Here is where the problem starts: the CA stops running, and
/var/lib/pki/pki-tomcat/logs/ca/selftests.log reports:
0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] CAPresence: CA is present
0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SystemCertsVerification: system certs verification failure: Certificate auditSigningCert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired.
0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
[5] I see that 'auditSigningCert' and 'ocspSigningCert' have been renewed, so
obviously at this very moment their validity time is not the same as for the other certs. Hence
selftests.log reports that auditSigningCert is invalid, the CA stops running, and I am left
with two certs not renewed. The new cert list is now:
# getcert list | egrep "certificate|expires"
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2020-10-29 06:35:38 UTC
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2020-10-11 20:15:53 UTC
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:36 UTC
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2036-08-24 20:49:35 UTC
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
expires: 2018-08-14 20:50:00 UTC
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
expires: 2020-07-07 01:47:45 UTC
The question now is how to work around this problem. Instead of restarting the certmonger
service, is there a way to manually renew a cert?
Thanks, Zarko
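Before relying on a clock roll-back, it helps to see at a glance which tracked certificates are already expired, inside the renewal window, or stuck outside MONITORING. The following is an added example, not code from the post, FreeIPA or certmonger: it parses `getcert list` output (full output or the grepped subset shown above); the sample input is constructed from the post's listings, and the 28-day renewal window is an assumption.

```python
"""Parse `getcert list` output and flag expired / due / non-MONITORING certs (added example)."""
import re
from datetime import datetime, timedelta, timezone
# Constructed sample, mirroring the post's `getcert list | egrep "certificate|expire|status"`.
SAMPLE = """\
status: SUBMITTING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:38 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2036-08-24 20:49:35 UTC
status: SUBMITTING
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
expires: 2018-08-14 20:50:00 UTC
"""
NICK_RE = re.compile(r"nickname='([^']*)'")
FIELDS = ("status", "certificate", "expires")

def parse_getcert(text):
    """One dict per tracked cert; a record starts at 'Request ID' or when a field repeats."""
    entries, cur = [], {}
    for line in (l.strip() for l in text.splitlines()):
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if cur and (key.startswith("Request ID") or key in cur):
            entries.append(cur)  # boundary between two tracking requests
            cur = {}
        if not sep or key not in FIELDS:
            continue
        if key == "expires":  # getcert prints UTC; turn it into an aware datetime
            value = datetime.strptime(value, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
        elif key == "certificate":
            m = NICK_RE.search(value)
            cur["nickname"] = m.group(1) if m else value
        cur[key] = value
    if cur:
        entries.append(cur)
    return entries

def check(entries, now, window=timedelta(days=28)):
    """nickname -> flags vs `now` (aware UTC); 28 days is assumed as certmonger's default lead."""
    flags = {}
    for e in entries:
        exp = e["expires"]
        f = ["EXPIRED"] if exp <= now else (["RENEW_SOON"] if exp - now <= window else [])
        if e.get("status", "MONITORING") != "MONITORING":
            f.append("STATUS=" + e["status"])
        flags[e.get("nickname", "?")] = f
    return flags
```

Running `check(parse_getcert(SAMPLE), now)` with `now` set to the time in the post's selftests.log flags auditSigningCert and ipaCert as RENEW_SOON and SUBMITTING while caSigningCert is clean, which is the picture to confirm before touching the clock.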