Hi there,
I've been using IPA 4.4.0 and pki-server 10.3.3 and have posting on freeipa mailing list, but unfortunately haven't resolved the problem so I am looking for support on this mailing list.
[1] since certmonger failed to renew certs, I believe resolution is going back in time when all certs are valid and restart certmonger service
[2] I went back into time, and verified that pki-server is running, with command:
SSL_DIR=/etc/httpd/alias/ curl -v -o /dev/null --cacert /etc/ipa/ca.crt
https://`hostname`:8443/ca/agent/ca/profileReview
[3] restart certmonger and getcert list shoes four certs in submitting status
# getcert list | egrep "certificate|expire|status"
status: SUBMITTING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:38 UTC
status: SUBMITTING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:35 UTC
status: SUBMITTING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:36 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2036-08-24 20:49:35 UTC
status: SUBMITTING
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' expires: 2018-08-14 20:50:00 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
expires: 2020-07-07 01:47:45 UTC
[4] Here is where problem starts, the CA stop running, and /var/lib/pki/pki-tomcat/logs/ca/selftests.log report
0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] CAPresence: CA is present 0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SystemCertsVerification: system certs verification
failure: Certificate auditSigningCert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired. 0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification
running at startup FAILED!
[5] I see that 'auditSigningCert' and ocspSigningCert have been renewed, so obviously at this very moment their validity time is not same as for other certs. Hence selftests.logs reports auditSigningCert
is invalid, and CA stops running and I am left with tow certs not renewed. New cert list now is:
# getcert list | egrep "certificate|expires"
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2020-10-29 06:35:38 UTC
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2020-10-11 20:15:53 UTC
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:36 UTC
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2036-08-24 20:49:35 UTC
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' expires: 2018-08-14 20:50:00 UTC
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
expires: 2020-07-07 01:47:45 UTC
The question now is how to work around this problem? Instead of restarting certmonger service, is there way to manually renew cert.
thanks, Zarko