Hello!
I've been running FreeIPA 4.3.1 on Ubuntu 16.04 for almost two years and most certificates should expire within three weeks. As this deadline approaches, I noticed certmonger has been unable to renew certificates due to the error below.
After googling for two days, I found this issue has been observed by many people before, mostly after expiration of the certificates, as in https://tinyurl.com/vajmocw
Still, I couldn't find a solution to this problem. If it is impossible to fix this issue while using FreeIPA 4.3.1, I would like to:
1) Find a way to renew all certificates even if certmonger can't be fixed. This would allow me to postpone the solution to after the next OS and/or FreeIPA upgrade
2) Find out what version of FreeIPA I should upgrade to while the operating system remains Ubuntu 16.04
Any help would be appreciated! Thanks!
Robson
======> Command: systemctl status certmonger
Nov 17 20:53:08 ipa.cefapnet.icb.usp.br certmonger[3873125]: 2019-11-17 20:53:08 [3873125] Error 77 connecting to https://ipa.cefapnet.icb.usp.br:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
Nov 17 21:10:13 ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875188]: Forwarding request to dogtag-ipa-renew-agent
Nov 17 21:10:13 ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875188]: dogtag-ipa-renew-agent returned 3
Nov 17 21:10:13 ipa.cefapnet.icb.usp.br certmonger[3873125]: 2019-11-17 21:10:13 [3873125] Error 77 connecting to https://ipa.cefapnet.icb.usp.br:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
Nov 17 21:25:20 ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875738]: Forwarding request to dogtag-ipa-renew-agent
Nov 17 21:25:20 ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875738]: dogtag-ipa-renew-agent returned 3
Nov 17 21:25:21 ipa.cefapnet.icb.usp.br certmonger[3873125]: 2019-11-17 21:25:21 [3873125] Error 77 connecting to https://ipa.cefapnet.icb.usp.br:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
Nov 17 21:25:31 ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875766]: Forwarding request to dogtag-ipa-renew-agent
Nov 17 21:25:31 ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875766]: dogtag-ipa-renew-agent returned 3
Nov 17 21:25:31 ipa.cefapnet.icb.usp.br certmonger[3873125]: 2019-11-17 21:25:31 [3873125] Error 77 connecting to https://ipa.cefapnet.icb.usp.br:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
Ah yes, certificates and renewal, I have spent so much time with that!
A very good starting point for debugging is this excellent guide. https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issues-...
Regards
Bjarne Blichfeldt.
From: Robson Francisco de Souza [mailto:rfsouza@usp.br]
Sent: 18. november 2019 03:03
To: freeipa-users@lists.fedorahosted.org
Subject: [Freeipa-users] certmonger error on ubuntu
-- Robson Francisco de Souza, PhD, Protein Structure and Evolution Laboratory (LEEP/PSEL), Microbiology Department, Biomedical Sciences Institute, University of Sao Paulo, Av. Prof. Lineu Prestes, 1374 - Biomédicas II - Sala 250, Phone: 55-11-3091-0891, Cidade Universitária - ZIP 05508-900 - São Paulo - SP - Brazil
Hi Bjarne,
Thanks for the link! It helped me learn a lot about certmonger and certutil. No solution yet but I'll keep searching...
Best, Robson
On Mon, 18 Nov 2019 at 07:13, Bjarne Blichfeldt via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
On 18.11.2019 4.03, Robson Francisco de Souza via FreeIPA-users wrote:
Hi,
This probably needs libnsspem; you can find it in 18.04. Not 100% sure, but I think it should at least install fine.
Hi Timo,
Thanks for your reply.
I have searched the web a lot and attempted several solutions, but all fail because certmonger cannot talk to the FreeIPA web interface. A few words on my setup:
- I have two FreeIPA servers (4.3.1-0ubuntu1), one is the original master and the other is a replica, but both are ca and renew masters
- Everything was installed using apt-get on Ubuntu 16.04 and I've always updated regularly
- FreeIPA was installed with DNS for our intranet and configured to talk to intranet IPs only, thus ignoring the WAN interface
- None of my certificates is expired and all NSS databases and PEM files match the corresponding LDAP entries
My objective, as I said, is to make sure certificates are renewed before expiring. My problem is that certmonger shows:
ca-error: Error 60 connecting to https://<snip>:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
What I have tried to do:
- I did install libnsspem (1.0.3-0ubuntu2) but this only changed https Error 77 to 60
- I attempted to bypass the IPA web server and certmonger to renew the by using

/usr/lib/certmonger/dogtag-ipa-renew-agent-submit -i /etc/ipa/ca.crt -d /etc/apache2/nssdb -n ipaCert -p /etc/apache2/nssdb/pwdfile.txt -D 5 -v

The command above seemed to succeed but only generated a bunch of cookie errors in certmonger's output. I would later remove some of these cookie errors using getcert resubmit on the original master, but that would only bring back the https error. No progress here.
- After a lot of web research, I found a reference to a problem with the Trust Attributes in the NSS database:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
It seemed analogous to my problem and I decided to give it a try:
certutil -d /etc/ipa/nssdb/ -M -n 'CEFAPNET.ICB.USP.BR IPA CA' -t ',,'
certutil -d /etc/ipa/nssdb/ -M -n 'CEFAPNET.ICB.USP.BR IPA CA' -t 'C,C,C'
but, even after this, certmonger continues to be unable to communicate with the ipa web server/proxy. I don't know if the problem is authentication against apache or tomcat but this curl command:
SSL_DIR=/etc/apache2/nssdb/ curl -s -v -o /dev/null --cacert /etc/ipa/ca.crt https://<snip>:8443/ca/agent/ca/profileReview
returns a gnutls_handshake failure:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
*   Trying 10.1.1.1...
* Connected to <snip> (10.1.1.1) port 8443 (#0)
* found 1 certificates in /etc/ipa/ca.crt
* found 600 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / RSA_AES_128_CBC_SHA1
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: ipa.cefapnet.icb.usp.br (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: O=REALM,CN=server
* start date: Wed, 20 Dec 2017 17:36:53 GMT
* expire date: Tue, 10 Dec 2019 17:36:53 GMT
* issuer: O=REALM,CN=Certificate Authority
* compression: NULL
* ALPN, server did not agree to a protocol
GET /ca/agent/ca/profileReview HTTP/1.1
Host: <snip>:8443
User-Agent: curl/7.47.0
Accept: */*

* gnutls_handshake() failed: Illegal parameter
* Closing connection 0
curl: (35) gnutls_handshake() failed: Illegal parameter
Questions:
1) Is this a compatibility issue between Dogtag or the IPA server NSS or TLS libraries and those of certmonger or its helpers?
2) Can I disable the need for a certificate to connect to the server while asking IPA to renew my certificates?
This is a production system and I really would like to make sure it doesn't become unavailable next month.
I'm pasting some more information below.
Thanks again! Robson
========> certutil -L

/etc/dirsrv/slapd-CEFAPNET-ICB-USP-BR/:
Certificate Nickname                                   Trust Attributes
                                                       SSL,S/MIME,JAR/XPI

Server-Cert                                            u,u,u
CEFAPNET.ICB.USP.BR IPA CA                             CT,C,C

/etc/pki/pki-tomcat/alias/:
Certificate Nickname                                   Trust Attributes
                                                       SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                            u,u,u
subsystemCert cert-pki-ca                              u,u,u
caSigningCert cert-pki-ca                              CTu,Cu,Cu
Server-Cert cert-pki-ca                                u,u,u
auditSigningCert cert-pki-ca                           u,u,Pu

/etc/ipa/nssdb/:
Certificate Nickname                                   Trust Attributes
                                                       SSL,S/MIME,JAR/XPI

CEFAPNET.ICB.USP.BR IPA CA                             C,C,C

/etc/apache2/nssdb/:
Certificate Nickname                                   Trust Attributes
                                                       SSL,S/MIME,JAR/XPI

Signing-Cert                                           u,u,u
ipaCert                                                u,u,u
Server-Cert                                            u,u,u
CEFAPNET.ICB.USP.BR IPA CA                             C,C,C
========> getcert list
Number of certificates and requests being tracked: 8.
Request ID '20171220173724':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://server.local:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=REALM.LOCAL
        subject: CN=CA Audit,O=REALM.LOCAL
        expires: 2019-12-10 17:36:54 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20171220173725':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://server.local:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=REALM.LOCAL
        subject: CN=OCSP Subsystem,O=REALM.LOCAL
        expires: 2019-12-10 17:36:53 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        eku: id-kp-OCSPSigning
        pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20171220173726':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://server.local:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=REALM.LOCAL
        subject: CN=CA Subsystem,O=REALM.LOCAL
        expires: 2019-12-10 17:36:53 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20171220173727':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://server.local:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=REALM.LOCAL
        subject: CN=Certificate Authority,O=REALM.LOCAL
        expires: 2037-12-20 17:36:53 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20171220173728':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://server.local:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=REALM.LOCAL
        subject: CN=IPA RA,O=REALM.LOCAL
        expires: 2019-12-10 17:37:21 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20171220173729':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://server.local:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=REALM.LOCAL
        subject: CN=server.local,O=REALM.LOCAL
        expires: 2019-12-10 17:36:53 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth
        pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20171220173759':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-REALM.LOCAL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-CEFAPNET-ICB-USP-BR/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-REALM.LOCAL',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=REALM.LOCAL
        subject: CN=server.local,O=REALM.LOCAL
        expires: 2019-12-21 17:37:59 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib/ipa/certmonger/restart_dirsrv REALM.LOCAL
        track: yes
        auto-renew: yes
Request ID '20171220173822':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=REALM.LOCAL
        subject: CN=server.local,O=REALM.LOCAL
        expires: 2019-12-21 17:38:22 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
On Mon, 18 Nov 2019 at 09:09, Timo Aaltonen tjaalton@ubuntu.com wrote:
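As an added example for this thread (not code from the list, certmonger or FreeIPA): a small Python checker that parses `getcert list` output of the shape Robson posted and flags tracked requests that are not in MONITORING state and expire within 30 days, which is exactly the combination that would have taken this production IPA down in December. The sample output and the 2019-11-18 reference date are constructed from the thread; the `warn_days` threshold is an assumption.

```python
import re
from datetime import datetime

# Constructed sample mirroring two entries from the getcert output in this thread:
# the stuck RA agent certificate (ipaCert) and a healthy Apache server certificate.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20171220173728':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://server.local:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
        certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        subject: CN=IPA RA,O=REALM.LOCAL
        expires: 2019-12-10 17:37:21 UTC
        auto-renew: yes
Request ID '20171220173822':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=server.local,O=REALM.LOCAL
        expires: 2019-12-21 17:38:22 UTC
        auto-renew: yes
"""
# Date of the thread, used as "now" for the sample (an assumption of this example).
THREAD_DATE = datetime(2019, 11, 18)


def parse_getcert_list(text):
    """Turn `getcert list` output into one dict of fields per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        # Field lines are indented "key: value"; the value may contain colons
        # (the URL in ca-error), so the key match stops at the first colon.
        m = re.match(r"^\s+([\w -]+?):\s*(.*)$", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return requests


def nickname_of(request):
    """NSS nickname from the certificate: field, e.g. ipaCert."""
    m = re.search(r"nickname='([^']*)'", request.get("certificate", ""))
    return m.group(1) if m else "?"


def at_risk(requests, now, warn_days=30):
    """Findings for requests certmonger cannot be relied on to renew in time.
    Critical = not in MONITORING state (CA_UNREACHABLE in this thread) and the
    certificate expires within warn_days or was never issued; otherwise warning."""
    findings = []
    for r in requests:
        reasons, days_left = [], None
        if "expires" in r:
            days_left = (datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S UTC") - now).days
            if days_left <= warn_days:
                reasons.append("expires in %d days" % days_left)
        else:
            reasons.append("no certificate issued")
        unhealthy = r.get("status") != "MONITORING"
        if unhealthy:
            reasons.append("status %s: %s" % (r.get("status"), r.get("ca-error", "no ca-error")))
        if r.get("auto-renew") != "yes":
            reasons.append("auto-renew is off")
        if reasons:
            critical = unhealthy and (days_left is None or days_left <= warn_days)
            findings.append({"request_id": r["request_id"], "nickname": nickname_of(r),
                             "days_left": days_left, "reasons": reasons,
                             "severity": "critical" if critical else "warning"})
    return findings


if __name__ == "__main__":
    for f in at_risk(parse_getcert_list(SAMPLE_GETCERT_OUTPUT), THREAD_DATE):
        print(f["severity"].upper(), f["nickname"], f["days_left"], "; ".join(f["reasons"]))
```

On an IPA server, feed the text of `getcert list` (run as root) to `parse_getcert_list` in place of the sample; a critical finding means renewal must be fixed or done by hand before the expiry date.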
Robson Francisco de Souza via FreeIPA-users wrote:
Talking to dogtag requires a client certificate. This client certificate is loaded via libnsspem.
Changing to error 60 is probably a good sign.
I don't know what NSS database is used by certmonger in Ubuntu so I can't recommend where to check for missing CA certificate/trust.
In upstream IPA this is in /etc/ipa/nssdb.
Another suggestion would be to look in /etc/pki/nssdb.
rob