A few days ago my Master CA was messed up and getcert list was showing an empty list (no certs to track).
So I ran the following commands to add the certs manually:
getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'ocspSigningCert cert-pki-ca' -P XXXXXXX
getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca' -P XXXXXXX
getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -P XXXXXXX
getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy' -P XXXXXXX
getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy Intermediate' -P XXXXXXX
And after that I am seeing this status (status: NEED_CA). It should be MONITORING, right?
# getcert list
Number of certificates and requests being tracked: 12.
Request ID '20190915042927':
status: NEED_CA
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
issuer: CN=Certificate Authority,O=example.com
subject: CN=Certificate Authority,O=example.com
expires: 2037-01-05 14:47:24 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915043150':
status: NEED_CA
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alaas',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
issuer: CN=Certificate Authority,O=example.com
subject: CN=ldap-example-5-1.foo.example.com,O=example.com
expires: 2020-11-17 18:30:29 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915043212':
status: NEED_CA
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
issuer: CN=Certificate Authority,O=example.com
subject: CN=OCSP Subsystem,O=example.com
expires: 2020-11-17 18:31:26 UTC
eku: id-kp-OCSPSigning
pre-save command:
post-save command:
track: yes
auto-renew: yes
You setup the tracking wrong. Your output only shows 3 certs and yet certmonger thinks it has 12. Where are the other 9?
rob
Rob, sorry, I trimmed my output as I thought it was not necessary, but anyway here is the full list (ignore the CAPS letters in the output):
[root@ldap-ca-master ~]# getcert list
Number of certificates and requests being tracked: 12.
Request ID '20190915042927':
status: NEED_CA
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=Certificate Authority,O=EXAMPLE.COM
expires: 2037-01-05 14:47:24 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915043150':
status: NEED_CA
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
expires: 2020-11-17 18:30:29 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915043212':
status: NEED_CA
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=OCSP Subsystem,O=EXAMPLE.COM
expires: 2020-11-17 18:31:26 UTC
eku: id-kp-OCSPSigning
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915043224':
status: NEED_CA
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Audit,O=EXAMPLE.COM
expires: 2020-11-17 18:32:07 UTC
key usage: digitalSignature,nonRepudiation
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915043237':
status: NEED_CA
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Subsystem,O=EXAMPLE.COM
expires: 2020-11-17 18:31:16 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915043246':
status: NEED_KEY_PAIR
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
expires: 2037-12-31 23:59:59 UTC
key usage: keyCertSign,cRLSign
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915043304':
status: NEED_KEY_PAIR
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
expires: 2031-05-03 07:00:00 UTC
key usage: keyCertSign,cRLSign
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915045112':
status: NEED_KEY_PAIR
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',token='NSS Certificate DB'
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=Certificate Authority,O=EXAMPLE.COM
expires: 2037-01-05 14:47:24 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915045148':
status: NEED_KEY_PAIR
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS Certificate DB'
issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
expires: 2037-12-31 23:59:59 UTC
key usage: keyCertSign,cRLSign
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915045156':
status: NEED_CA
stuck: yes
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=Object Signing Cert,O=EXAMPLE.COM
expires: 2021-01-05 14:49:59 UTC
key usage: digitalSignature,keyCertSign
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915045206':
status: NEED_KEY_PAIR
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
expires: 2031-05-03 07:00:00 UTC
key usage: keyCertSign,cRLSign
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915045216':
status: NEED_CA
stuck: yes
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=IPA RA,O=EXAMPLE.COM
expires: 2020-11-17 18:31:36 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
On Fri, Sep 20, 2019 at 10:58 AM Rob Crittenden rcritten@redhat.com wrote:
You setup the tracking wrong. Your output only shows 3 certs and yet certmonger thinks it has 12. Where are the other 9?
rob
Any thought?
Sent from my iPhone
On Sep 20, 2019, at 11:35 AM, Satish Patel satish.txt@gmail.com wrote:
On 9/21/19 7:41 PM, Satish Patel via FreeIPA-users wrote:
Any thought?
Hi, if you run ipa-server-upgrade on this node, the command will fix the tracking of certs. You should see in the output: [Update certmonger certificate renewal configuration]
HTH, flo
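As an added example (not code from the thread, FreeIPA or certmonger), a small Python audit of `getcert list` output in the layout shown above. It parses each Request ID block and flags every request that is not MONITORING, is stuck, has no `CA:` line (a request with no CA configured stays in NEED_CA) or is in NEED_KEY_PAIR (no private key behind the nickname, as with the GoDaddy root and intermediate entries), and it cross-checks the header count against the number of blocks actually printed, the mismatch Rob pointed out. The sample output is constructed in the thread's format; the healthy MONITORING entry with `CA: IPA` is assumed for contrast and is not taken from the page.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout getcert prints (real output tab-indents the
# fields; the thread's copy lost the indentation, and strip() accepts both).
# The header deliberately claims 4 requests while only 3 blocks follow, to
# reproduce the count mismatch from the thread. The MONITORING entry with
# 'CA: IPA' is assumed for contrast; it does not come from the thread.
SAMPLE = """\
Number of certificates and requests being tracked: 4.
Request ID '20190915043150':
    status: NEED_CA
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
    expires: 2020-11-17 18:30:29 UTC
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20190915043246':
    status: NEED_KEY_PAIR
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
    issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    expires: 2037-12-31 23:59:59 UTC
    track: yes
    auto-renew: yes
Request ID '20190915045300':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    expires: 2021-09-20 10:00:00 UTC
    track: yes
    auto-renew: yes
"""

HEADER_RE = re.compile(r"^Number of certificates and requests being tracked: (\d+)\.$")
REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")


@dataclass
class TrackingRequest:
    request_id: str
    fields: dict = field(default_factory=dict)

    def storage(self, key):
        """Read nickname= or location= out of the 'certificate:' line."""
        m = re.search(rf"{key}='([^']*)'", self.fields.get("certificate", ""))
        return m.group(1) if m else ""


def parse_getcert_list(text):
    """Turn `getcert list` output into (count_from_header, [TrackingRequest])."""
    reported, requests, current = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HEADER_RE.match(line):
            reported = int(m.group(1))
        elif m := REQUEST_RE.match(line):
            current = TrackingRequest(m.group(1))
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")  # split at the first colon only
            current.fields[key.strip()] = value.strip()
    return reported, requests


def audit(text):
    """Map request_id -> list of problems; an empty dict means everything is MONITORING."""
    reported, requests = parse_getcert_list(text)
    problems = {}
    if reported is not None and reported != len(requests):
        problems["_header"] = [f"header says {reported} tracked, output lists {len(requests)}"]
    for r in requests:
        status = r.fields.get("status", "")
        found = []
        if status != "MONITORING":          # steady state of a healthy tracked cert
            found.append(f"status {status}")
        if r.fields.get("stuck") == "yes":  # certmonger stopped; needs manual intervention
            found.append("stuck")
        if "CA" not in r.fields:            # nothing to renew against: NEED_CA never clears
            found.append("no CA")
        if status == "NEED_KEY_PAIR":       # no private key exists for this nickname
            found.append("no private key")
        if found:
            problems[r.request_id] = found
    return problems


if __name__ == "__main__":
    for rid, issues in audit(SAMPLE).items():
        print(rid, "->", "; ".join(issues))
```

Run it against real output with `getcert list | python3 audit.py` after changing `SAMPLE` to `sys.stdin.read()`; every request on the page would be reported, the pki-tomcat ones for NEED_CA with no CA, the GoDaddy ones for NEED_KEY_PAIR.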
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
Thanks Florence,
Is it safe to run "ipa-server-upgrade"?
Do I need to provide any option with the "ipa-server-upgrade" command? I believe a few months back when I tried to run "ipa-server-upgrade" it broke some stuff, but anyway I will take a snapshot of the VM and try, for the worst-case scenario.
On Mon, Sep 23, 2019 at 2:25 AM Florence Blanc-Renaud flo@redhat.com wrote:
On 9/21/19 7:41 PM, Satish Patel via FreeIPA-users wrote:
Any thought?
Hi, if you run ipa-server-upgrade on this node, the command will fix the tracking of certs. You should see in the output: [Update certmonger certificate renewal configuration]
HTH, flo
Sent from my iPhone
On Sep 20, 2019, at 11:35 AM, Satish Patel satish.txt@gmail.com wrote:
Rob sorry, i trim my output thought not necessary but anyway here is the full list (ignore CAPS letter in output)
[root@ldap-ca-master ~]# getcert list
Number of certificates and requests being tracked: 12.
Request ID '20190915042927':
status: NEED_CA
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=Certificate Authority,O=EXAMPLE.COM
expires: 2037-01-05 14:47:24 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915043150':
status: NEED_CA
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
expires: 2020-11-17 18:30:29 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915043212':
status: NEED_CA
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=OCSP Subsystem,O=EXAMPLE.COM
expires: 2020-11-17 18:31:26 UTC
eku: id-kp-OCSPSigning
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915043224':
status: NEED_CA
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Audit,O=EXAMPLE.COM
expires: 2020-11-17 18:32:07 UTC
key usage: digitalSignature,nonRepudiation
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915043237':
status: NEED_CA
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Subsystem,O=EXAMPLE.COM
expires: 2020-11-17 18:31:16 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915043246':
status: NEED_KEY_PAIR
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
expires: 2037-12-31 23:59:59 UTC
key usage: keyCertSign,cRLSign
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915043304':
status: NEED_KEY_PAIR
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
expires: 2031-05-03 07:00:00 UTC
key usage: keyCertSign,cRLSign
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915045112':
status: NEED_KEY_PAIR
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',token='NSS Certificate DB'
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=Certificate Authority,O=EXAMPLE.COM
expires: 2037-01-05 14:47:24 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915045148':
status: NEED_KEY_PAIR
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS Certificate DB'
issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
expires: 2037-12-31 23:59:59 UTC
key usage: keyCertSign,cRLSign
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915045156':
status: NEED_CA
stuck: yes
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=Object Signing Cert,O=EXAMPLE.COM
expires: 2021-01-05 14:49:59 UTC
key usage: digitalSignature,keyCertSign
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915045206':
status: NEED_KEY_PAIR
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
expires: 2031-05-03 07:00:00 UTC
key usage: keyCertSign,cRLSign
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915045216':
status: NEED_CA
stuck: yes
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=IPA RA,O=EXAMPLE.COM
expires: 2020-11-17 18:31:36 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
On Fri, Sep 20, 2019 at 10:58 AM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel via FreeIPA-users wrote:
A few days ago my Master CA was messed up and getcert list was showing an empty list (no cert to track).
So I ran the following commands to add the certs manually:
getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'ocspSigningCert cert-pki-ca' -P XXXXXXX
getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca' -P XXXXXXX
getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -P XXXXXXX
getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy' -P XXXXXXX
getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy Intermediate' -P XXXXXXX
And after that I am seeing this status (status: NEED_CA); it should be MONITORING, right?
# getcert list
Number of certificates and requests being tracked: 12.
You set up the tracking wrong. Your output only shows 3 certs and yet certmonger thinks it has 12. Where are the other 9?
rob
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
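Rob's first check is plain arithmetic: the header says 12 tracked requests, the paste shows 3. The script below, added here as an example (it is not part of this thread and not FreeIPA or certmonger code), parses the plain-text `getcert list` report quoted above, performs that count check, and then flags every request certmonger will not renew on its own: NEED_CA requests, which in this report have no `CA:` line at all (the start-tracking commands quoted above pass no `-c` option, which is consistent with that state), NEED_KEY_PAIR requests such as the GoDaddy CA certificates, for which no private key exists in the NSS DB, requests marked stuck, and certificates close to expiry. The embedded sample report is constructed and abridged from the thread's output; the function and class names are my own.

```python
"""Audit the plain-text report printed by `getcert list`.
Added example for this thread, not FreeIPA or certmonger code; the sample
report is constructed (abridged from the output quoted above)."""
import re
import sys
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample: the header claims 12 requests but only three follow, the
# mismatch Rob pointed out. No request carries a "CA:" line.
SAMPLE_OUTPUT = """\
Number of certificates and requests being tracked: 12.
Request ID '20190915042927':
        status: NEED_CA
        stuck: yes
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2037-01-05 14:47:24 UTC
Request ID '20190915043150':
        status: NEED_CA
        stuck: yes
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        expires: 2020-11-17 18:30:29 UTC
Request ID '20190915043246':
        status: NEED_KEY_PAIR
        stuck: no
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
        expires: 2037-12-31 23:59:59 UTC
"""

@dataclass
class TrackingRequest:
    request_id: str
    status: str = ""
    stuck: bool = False
    nickname: str = ""
    location: str = ""
    ca: str = ""                        # stays empty when there is no "CA:" line
    expires: Optional[datetime] = None

_STORAGE_FIELD = re.compile(r"(nickname|location)='([^']*)'")

def parse_getcert_list(text):
    """Return (declared request count, list of TrackingRequest)."""
    declared, requests, current = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Number of certificates and requests being tracked: (\d+)", line)
        if m:
            declared = int(m.group(1))
            continue
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = TrackingRequest(request_id=m.group(1))
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "status":
            current.status = value
        elif key == "stuck":
            current.stuck = value == "yes"
        elif key == "certificate":            # nickname='...' and location='...'
            for name, val in _STORAGE_FIELD.findall(value):
                setattr(current, name, val)
        elif key == "CA":
            current.ca = value
        elif key == "expires":                # "2020-11-17 18:30:29 UTC"
            stamp = value[:-4] if value.endswith(" UTC") else value
            current.expires = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return declared, requests

def status_tally(text):
    """The same lines `getcert list | grep status` shows, summed per status."""
    return Counter(r.status for r in parse_getcert_list(text)[1])

def audit(text, now=None, warn_days=30):
    """List what certmonger will not renew on its own; an empty list means healthy."""
    now = now or datetime.now(timezone.utc)
    declared, requests = parse_getcert_list(text)
    findings = []
    if declared is not None and declared != len(requests):
        findings.append(f"header declares {declared} requests but {len(requests)} are listed")
    for r in requests:
        label = f"{r.request_id} '{r.nickname}' in {r.location}"
        if r.status == "NEED_KEY_PAIR":
            findings.append(f"{label}: no private key in the NSS DB, certmonger cannot renew it")
        elif r.status == "NEED_CA":
            detail = f"CA '{r.ca}'" if r.ca else "no 'CA:' line, nothing to submit renewals to"
            findings.append(f"{label}: NEED_CA ({detail})")
        elif r.status != "MONITORING":
            findings.append(f"{label}: status {r.status}")
        if r.stuck:
            findings.append(f"{label}: stuck, needs operator intervention")
        if r.expires is not None and r.expires - now <= timedelta(days=warn_days):
            findings.append(f"{label}: expires {r.expires:%Y-%m-%d}")
    return findings

if __name__ == "__main__":
    # Usage: getcert list | python3 audit_getcert.py   (falls back to the sample)
    report = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for finding in audit(report):
        print(finding)
```

Pipe the real report in with `getcert list | python3 audit_getcert.py`; run without input it audits the constructed sample and reports the count mismatch, two NEED_CA requests with no `CA:` line, two stuck requests, one expired certificate and one certificate without a private key. A healthy IPA master produces an empty list: every request MONITORING, none stuck, each with a `CA:` line.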
On 9/23/19 4:10 PM, Satish Patel via FreeIPA-users wrote:
Thanks Florence,
Is it safe to run "ipa-server-upgrade"?
Hi, generally yes :)
We had a few tickets related to upgrade but they are mainly revealing already present issues (for instance because this CLI stops and starts the services, expired certs would prevent successful completion).
Do I need to provide any option with the "ipa-server-upgrade" command? I believe a few months back when I tried to do "ipa-server-upgrade" it broke some stuff, but anyway I will take a snapshot of the VM and try, in the worst case scenario.
With the VM snapshot you are on the safe side.
flo
On Mon, Sep 23, 2019 at 2:25 AM Florence Blanc-Renaud flo@redhat.com wrote:
On 9/21/19 7:41 PM, Satish Patel via FreeIPA-users wrote:
Any thoughts?
Hi, if you run ipa-server-upgrade on this node, the command will fix the tracking of certs. You should see in the output: [Update certmonger certificate renewal configuration]
HTH, flo
Sent from my iPhone
On Sep 20, 2019, at 11:35 AM, Satish Patel satish.txt@gmail.com wrote:
Rob sorry, i trim my output thought not necessary but anyway here is the full list (ignore CAPS letter in output)
[root@ldap-ca-master ~]# getcert list
Number of certificates and requests being tracked: 12.
I did run "ipa-server-upgrade" and it looks like it was successful, but getcert list is still showing CA_NEED :(
[root@ldap-ca-master ~]# ipa-server-upgrade
Upgrading IPA:
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: starting directory server
  [6/10]: updating schema
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
/etc/dirsrv/slapd-EXAMPLE-COM/certmap.conf is now managed by IPA. It will be overwritten. A backup of the original will be made.
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Updating mod_nss cipher suite]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Exporting KRA agent PEM file]
KRA is not enabled
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
DNS is not configured
[Ensuring minimal number of connections]
DNS is not configured
[Enabling serial autoincrement in DNS]
DNS is not configured
[Updating GSSAPI configuration in DNS]
DNS is not configured
[Updating pid-file configuration in DNS]
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration to version 5]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
Default CA ACL already added
[Set up lightweight CA key retrieval]
Creating principal
Retrieving keytab
Creating Custodia keys
Configuring key retriever
The IPA services were upgraded
The ipa-server-upgrade command was successful
[root@ldap-ca-master ~]# getcert list | grep status
status: NEED_CA
status: NEED_CA
status: NEED_CA
status: NEED_CA
status: NEED_CA
status: NEED_KEY_PAIR
status: NEED_KEY_PAIR
status: NEED_KEY_PAIR
status: NEED_KEY_PAIR
status: NEED_CA
status: NEED_KEY_PAIR
status: NEED_CA
On Tue, Sep 24, 2019 at 3:55 AM Florence Blanc-Renaud flo@redhat.com wrote:
On 9/23/19 4:10 PM, Satish Patel via FreeIPA-users wrote:
Thanks Florence,
Is it safe to run "ipa-server-upgrade"?
Hi, generally yes :)
We had a few tickets related to upgrade but they are mainly revealing already present issues (for instance because this CLI stops and starts the services, expired certs would prevent successful completion).
Do I need to provide any option with the "ipa-server-upgrade" command? I believe a few months back when I tried to do "ipa-server-upgrade" it broke some stuff, but anyway I will take a snapshot of the VM and try, in the worst case scenario.
With the VM snapshot you are on the safe side.
flo
Satish Patel via FreeIPA-users wrote:
I did run "ipa-server-upgrade" and it looks like it was successful, but getcert list is still showing CA_NEED :(
Remind me what the package version of IPA is. I'm confused by the version 5 in the output about renewal configuration.
You might also want to try running with --debug as, depending on the release, it will give more information about this.
rob
[root@ldap-ca-master ~]# ipa-server-upgrade
Upgrading IPA:
[1/10]: stopping directory server
[2/10]: saving configuration
[3/10]: disabling listeners
[4/10]: enabling DS global lock
[5/10]: starting directory server
[6/10]: updating schema
[7/10]: upgrading server
[8/10]: stopping directory server
[9/10]: restoring configuration
[10/10]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
/etc/dirsrv/slapd-EXAMPLE-COM/certmap.conf is now managed by IPA. It will be overwritten. A backup of the original will be made.
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Updating mod_nss cipher suite]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Exporting KRA agent PEM file]
KRA is not enabled
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
DNS is not configured
[Ensuring minimal number of connections]
DNS is not configured
[Enabling serial autoincrement in DNS]
DNS is not configured
[Updating GSSAPI configuration in DNS]
DNS is not configured
[Updating pid-file configuration in DNS]
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration to version 5]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
Default CA ACL already added
[Set up lightweight CA key retrieval]
Creating principal
Retrieving keytab
Creating Custodia keys
Configuring key retriever
The IPA services were upgraded
The ipa-server-upgrade command was successful

[root@ldap-ca-master ~]# getcert list | grep status
status: NEED_CA
status: NEED_CA
status: NEED_CA
status: NEED_CA
status: NEED_CA
status: NEED_KEY_PAIR
status: NEED_KEY_PAIR
status: NEED_KEY_PAIR
status: NEED_KEY_PAIR
status: NEED_CA
status: NEED_KEY_PAIR
status: NEED_CA
On Tue, Sep 24, 2019 at 3:55 AM Florence Blanc-Renaud flo@redhat.com wrote:
On 9/23/19 4:10 PM, Satish Patel via FreeIPA-users wrote:
Thanks Florence,
Is it safe to run "ipa-server-upgrade"?
Hi, generally yes :)
We had a few tickets related to upgrade but they are mainly revealing already present issues (for instance because this CLI stops and starts the services, expired certs would prevent successful completion).
Do I need to provide any option with the "ipa-server-upgrade" command? I believe a few months back when I tried to run "ipa-server-upgrade" it broke some stuff, but anyway I will take a snapshot of the VM and try, for the worst-case scenario.
With the VM snapshot you are on the safe side.
flo
On Mon, Sep 23, 2019 at 2:25 AM Florence Blanc-Renaud flo@redhat.com wrote:
On 9/21/19 7:41 PM, Satish Patel via FreeIPA-users wrote:
Any thoughts?
Hi, if you run ipa-server-upgrade on this node, the command will fix the tracking of certs. You should see in the output: [Update certmonger certificate renewal configuration]
HTH, flo
Sent from my iPhone
On Sep 20, 2019, at 11:35 AM, Satish Patel satish.txt@gmail.com wrote:
Rob, sorry, I trimmed my output because I thought it was not necessary, but anyway here is the full list (ignore the CAPS letters in the output)
[root@ldap-ca-master ~]# getcert list
Number of certificates and requests being tracked: 12.
Request ID '20190915042927':
status: NEED_CA
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=Certificate Authority,O=EXAMPLE.COM
expires: 2037-01-05 14:47:24 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915043150':
status: NEED_CA
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
expires: 2020-11-17 18:30:29 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915043212':
status: NEED_CA
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=OCSP Subsystem,O=EXAMPLE.COM
expires: 2020-11-17 18:31:26 UTC
eku: id-kp-OCSPSigning
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915043224':
status: NEED_CA
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Audit,O=EXAMPLE.COM
expires: 2020-11-17 18:32:07 UTC
key usage: digitalSignature,nonRepudiation
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915043237':
status: NEED_CA
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Subsystem,O=EXAMPLE.COM
expires: 2020-11-17 18:31:16 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915043246':
status: NEED_KEY_PAIR
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
expires: 2037-12-31 23:59:59 UTC
key usage: keyCertSign,cRLSign
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915043304':
status: NEED_KEY_PAIR
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
expires: 2031-05-03 07:00:00 UTC
key usage: keyCertSign,cRLSign
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915045112':
status: NEED_KEY_PAIR
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',token='NSS Certificate DB'
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=Certificate Authority,O=EXAMPLE.COM
expires: 2037-01-05 14:47:24 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915045148':
status: NEED_KEY_PAIR
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS Certificate DB'
issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
expires: 2037-12-31 23:59:59 UTC
key usage: keyCertSign,cRLSign
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915045156':
status: NEED_CA
stuck: yes
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=Object Signing Cert,O=EXAMPLE.COM
expires: 2021-01-05 14:49:59 UTC
key usage: digitalSignature,keyCertSign
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915045206':
status: NEED_KEY_PAIR
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
expires: 2031-05-03 07:00:00 UTC
key usage: keyCertSign,cRLSign
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915045216':
status: NEED_CA
stuck: yes
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=IPA RA,O=EXAMPLE.COM
expires: 2020-11-17 18:31:36 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
> On Fri, Sep 20, 2019 at 10:58 AM Rob Crittenden rcritten@redhat.com wrote:
>
> Satish Patel via FreeIPA-users wrote:
>> A few days ago my Master CA was messed up and getcert list was showing
>> an empty list (no cert to track)
>>
>> So I ran the following commands to add certs manually:
>>
>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'ocspSigningCert cert-pki-ca' -P XXXXXXX
>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca' -P XXXXXXX
>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -P XXXXXXX
>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy' -P XXXXXXX
>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy Intermediate' -P XXXXXXX
>>
>> And after that I am seeing this status (status: NEED_CA). It should
>> be MONITORING, right?
>>
>> # getcert list
>> Number of certificates and requests being tracked: 12.
>
> You set up the tracking wrong. Your output only shows 3 certs and yet
> certmonger thinks it has 12. Where are the other 9?
>
> rob
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
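Rob's point above is that certmonger is tracking twelve requests and not one of them is in MONITORING. Two things stand out in the full list: every NEED_CA record has no "CA:" line, which is what you get when a tracking request is added without naming the CA that should renew it, and the NEED_KEY_PAIR records are the GoDaddy root and intermediate CA certificates, for which no private key exists in the NSS database (nor should one, since those are a third party's signing keys), so certmonger has nothing it could renew. The script below is an added example, not code from this thread, FreeIPA or certmonger: it parses `getcert list` output (also when pasted with mail quote markers), groups requests by status, and separates the two failure modes. The first two records in the constructed sample are copied from the list above; the third is a constructed healthy variant with an assumed "CA: IPA" line, the line the records above lack. Function names are my own.

```python
"""Triage `getcert list` output after certmonger tracking was rebuilt by
hand: group requests by status, list what certmonger calls stuck, and
separate NEED_CA (no CA assigned) from NEED_KEY_PAIR (no private key).
Added example; not FreeIPA or certmonger code."""
import re
from collections import Counter

# Constructed sample: two records from the thread (no "CA:" line) plus one
# healthy record with an assumed "CA: IPA" line that the thread's records lack.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20190915042927':
status: NEED_CA
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=Certificate Authority,O=EXAMPLE.COM
expires: 2037-01-05 14:47:24 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20190915043246':
status: NEED_KEY_PAIR
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
expires: 2037-12-31 23:59:59 UTC
key usage: keyCertSign,cRLSign
track: yes
auto-renew: yes
Request ID '20190915045216':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=IPA RA,O=EXAMPLE.COM
expires: 2020-11-17 18:31:36 UTC
track: yes
auto-renew: yes
"""


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracked request.
    Leading '>' quote markers are stripped so mail-quoted pastes parse too."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            records.append(current)
            continue
        if current is None or ":" not in line:
            continue  # header line or blank; not part of a record
        key, value = line.split(":", 1)  # first colon only: "expires:" values contain colons
        current[key.strip()] = value.strip()
    return records


def nickname(record):
    """NSS nickname from the 'certificate:' field, else the request id."""
    m = re.search(r"nickname='([^']*)'", record.get("certificate", ""))
    return m.group(1) if m else record["request_id"]


def triage(records):
    """Group by status and flag requests that cannot progress."""
    report = {
        "counts": Counter(r.get("status", "UNKNOWN") for r in records),
        "stuck": [],           # certmonger itself reports stuck: yes
        "missing_ca": [],      # NEED_CA with no "CA:" line: no renewal CA assigned
        "no_private_key": [],  # NEED_KEY_PAIR: no key in the NSS DB for this nickname
    }
    for r in records:
        name = nickname(r)
        if r.get("stuck") == "yes":
            report["stuck"].append(name)
        if r.get("status") == "NEED_CA" and "CA" not in r:
            report["missing_ca"].append(name)
        if r.get("status") == "NEED_KEY_PAIR":
            report["no_private_key"].append(name)
    return report


if __name__ == "__main__":
    rep = triage(parse_getcert_list(SAMPLE))
    for status, n in sorted(rep["counts"].items()):
        print(f"{status:<14} {n}")
    for kind in ("stuck", "missing_ca", "no_private_key"):
        print(f"{kind}: {rep[kind]}")
```

To run it against a live host, replace SAMPLE with `sys.stdin.read()` and pipe `getcert list` into it; anything in `missing_ca` is a request certmonger will never renew until a CA is assigned to it, and anything in `no_private_key` is a certificate this host cannot renew at all and should not be tracked for renewal.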
I am running "ipa-server-4.4.0-14.el7.centos.4.x86_64"
On Wed, Sep 25, 2019 at 5:13 PM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel via FreeIPA-users wrote:
I did run "ipa-server-upgrade" and it looks like it was successful, but getcert list is still showing CA_NEED :(
Remind me what the package version of IPA is. I'm confused by the version 5 in the output about renewal configuration.
You might also want to try running with --debug as depending on release it will give more information about this.
rob
It doesn't have a --debug option (in ipa-server-4.4.0):
[root@ldap-ca-master ~]# ipa-server-upgrade --debug
Usage: ipa-server-upgrade [options]
ipa-server-upgrade: error: no such option: --debug
On Wed, Sep 25, 2019 at 8:49 PM Satish Patel satish.txt@gmail.com wrote:
I am running "ipa-server-4.4.0-14.el7.centos.4.x86_64"
On Wed, Sep 25, 2019 at 5:13 PM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel via FreeIPA-users wrote:
I did run "ipa-server-upgrade" and look like it was successful but still in getcert list showing CA_NEED :(
Remind me what the package version of IPA is. I'm confused by the version 5 in the output about renewal configuration.
You might also want to try running with --debug as depending on release it will give more information about this.
rob
[root@ldap-ca-master ~]# ipa-server-upgrade Upgrading IPA: [1/10]: stopping directory server [2/10]: saving configuration [3/10]: disabling listeners [4/10]: enabling DS global lock [5/10]: starting directory server [6/10]: updating schema [7/10]: upgrading server [8/10]: stopping directory server [9/10]: restoring configuration [10/10]: starting directory server Done. Update complete Upgrading IPA services Upgrading the configuration of the IPA services [Verifying that root certificate is published] [Migrate CRL publish directory] CRL tree already moved /etc/dirsrv/slapd-EXAMPLE-COM/certmap.conf is now managed by IPA. It will be overwritten. A backup of the original will be made. [Verifying that CA proxy configuration is correct] [Verifying that KDC configuration is using ipa-kdb backend] [Fix DS schema file syntax] Syntax already fixed [Removing RA cert from DS NSS database] RA cert already removed [Enable sidgen and extdom plugins by default] [Updating HTTPD service IPA configuration] [Updating mod_nss protocol versions] Protocol versions already updated [Updating mod_nss cipher suite] [Fixing trust flags in /etc/httpd/alias] Trust flags already processed [Exporting KRA agent PEM file] KRA is not enabled [Removing self-signed CA] [Removing Dogtag 9 CA] [Checking for deprecated KDC configuration files] [Checking for deprecated backups of Samba configuration files] [Setting up Firefox extension] [Add missing CA DNS records] IPA CA DNS records already processed [Removing deprecated DNS configuration options] DNS is not configured [Ensuring minimal number of connections] DNS is not configured [Enabling serial autoincrement in DNS] DNS is not configured [Updating GSSAPI configuration in DNS] DNS is not configured [Updating pid-file configuration in DNS] DNS is not configured DNS is not configured DNS is not configured DNS is not configured DNS is not configured DNS is not configured DNS is not configured DNS is not configured [Upgrading CA schema] CA schema update 
complete (no changes) [Verifying that CA audit signing cert has 2 year validity] [Update certmonger certificate renewal configuration to version 5] [Enable PKIX certificate path discovery and validation] PKIX already enabled [Authorizing RA Agent to modify profiles] [Authorizing RA Agent to manage lightweight CAs] [Ensuring Lightweight CAs container exists in Dogtag database] [Adding default OCSP URI configuration] [Ensuring CA is using LDAPProfileSubsystem] [Migrating certificate profiles to LDAP] [Ensuring presence of included profiles] [Add default CA ACL] Default CA ACL already added [Set up lightweight CA key retrieval] Creating principal Retrieving keytab Creating Custodia keys Configuring key retriever The IPA services were upgraded The ipa-server-upgrade command was successful
[root@ldap-ca-master ~]# getcert list | grep status status: NEED_CA status: NEED_CA status: NEED_CA status: NEED_CA status: NEED_CA status: NEED_KEY_PAIR status: NEED_KEY_PAIR status: NEED_KEY_PAIR status: NEED_KEY_PAIR status: NEED_CA status: NEED_KEY_PAIR status: NEED_CA
On Tue, Sep 24, 2019 at 3:55 AM Florence Blanc-Renaud flo@redhat.com wrote:
On 9/23/19 4:10 PM, Satish Patel via FreeIPA-users wrote:
Thanks Florence,
is it safe to run "ipa-server-upgrade" ?
Hi, generally yes :)
We had a few tickets related to upgrade but they are mainly revealing already present issues (for instance because this CLI stops and starts the services, expired certs would prevent successful completion).
Do i need to provide any option with "ipa-server-upgrade" command? i believe few month back when i tried to do "ipa-server-upgrade" it broke some stuff but anyway i will take snapshot of VM and try in worst case scenario.
With the VM snapshot you are on the safe side.
flo
On Mon, Sep 23, 2019 at 2:25 AM Florence Blanc-Renaud flo@redhat.com wrote:
On 9/21/19 7:41 PM, Satish Patel via FreeIPA-users wrote: > Any thought ? Hi, if you run ipa-server-upgrade on this node, the command will fix the tracking of certs. You should see in the output; [Update certmonger certificate renewal configuration]
HTH, flo
>
> Sent from my iPhone
>
>> On Sep 20, 2019, at 11:35 AM, Satish Patel satish.txt@gmail.com wrote:
>>
>> Rob, sorry, I trimmed my output, thought it was not necessary, but anyway here is the full list (ignore the CAPS letters in the output)
>>
>> [root@ldap-ca-master ~]# getcert list
>>
>> Number of certificates and requests being tracked: 12.
>>
>> Request ID '20190915042927':
>>   status: NEED_CA
>>   stuck: yes
>>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>   issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>   subject: CN=Certificate Authority,O=EXAMPLE.COM
>>   expires: 2037-01-05 14:47:24 UTC
>>   key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>   pre-save command:
>>   post-save command:
>>   track: yes
>>   auto-renew: yes
>>
>> Request ID '20190915043150':
>>   status: NEED_CA
>>   stuck: yes
>>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>   issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>   subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
>>   expires: 2020-11-17 18:30:29 UTC
>>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>   eku: id-kp-serverAuth,id-kp-clientAuth
>>   pre-save command:
>>   post-save command:
>>   track: yes
>>   auto-renew: yes
>>
>> Request ID '20190915043212':
>>   status: NEED_CA
>>   stuck: yes
>>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>   issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>   subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>>   expires: 2020-11-17 18:31:26 UTC
>>   eku: id-kp-OCSPSigning
>>   pre-save command:
>>   post-save command:
>>   track: yes
>>   auto-renew: yes
>>
>> Request ID '20190915043224':
>>   status: NEED_CA
>>   stuck: yes
>>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>   issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>   subject: CN=CA Audit,O=EXAMPLE.COM
>>   expires: 2020-11-17 18:32:07 UTC
>>   key usage: digitalSignature,nonRepudiation
>>   pre-save command:
>>   post-save command:
>>   track: yes
>>   auto-renew: yes
>>
>> Request ID '20190915043237':
>>   status: NEED_CA
>>   stuck: yes
>>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>   issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>   subject: CN=CA Subsystem,O=EXAMPLE.COM
>>   expires: 2020-11-17 18:31:16 UTC
>>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>   eku: id-kp-serverAuth,id-kp-clientAuth
>>   pre-save command:
>>   post-save command:
>>   track: yes
>>   auto-renew: yes
>>
>> Request ID '20190915043246':
>>   status: NEED_KEY_PAIR
>>   stuck: no
>>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
>>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
>>   issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>   subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>   expires: 2037-12-31 23:59:59 UTC
>>   key usage: keyCertSign,cRLSign
>>   pre-save command:
>>   post-save command:
>>   track: yes
>>   auto-renew: yes
>>
>> Request ID '20190915043304':
>>   status: NEED_KEY_PAIR
>>   stuck: no
>>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',pin set
>>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
>>   issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>   subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>   expires: 2031-05-03 07:00:00 UTC
>>   key usage: keyCertSign,cRLSign
>>   pre-save command:
>>   post-save command:
>>   track: yes
>>   auto-renew: yes
>>
>> Request ID '20190915045112':
>>   status: NEED_KEY_PAIR
>>   stuck: no
>>   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',pinfile='/etc/httpd/alias/pwdfile.txt'
>>   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',token='NSS Certificate DB'
>>   issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>   subject: CN=Certificate Authority,O=EXAMPLE.COM
>>   expires: 2037-01-05 14:47:24 UTC
>>   key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>   pre-save command:
>>   post-save command:
>>   track: yes
>>   auto-renew: yes
>>
>> Request ID '20190915045148':
>>   status: NEED_KEY_PAIR
>>   stuck: no
>>   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt'
>>   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS Certificate DB'
>>   issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>   subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>   expires: 2037-12-31 23:59:59 UTC
>>   key usage: keyCertSign,cRLSign
>>   pre-save command:
>>   post-save command:
>>   track: yes
>>   auto-renew: yes
>>
>> Request ID '20190915045156':
>>   status: NEED_CA
>>   stuck: yes
>>   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
>>   issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>   subject: CN=Object Signing Cert,O=EXAMPLE.COM
>>   expires: 2021-01-05 14:49:59 UTC
>>   key usage: digitalSignature,keyCertSign
>>   pre-save command:
>>   post-save command:
>>   track: yes
>>   auto-renew: yes
>>
>> Request ID '20190915045206':
>>   status: NEED_KEY_PAIR
>>   stuck: no
>>   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt'
>>   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
>>   issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>   subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>   expires: 2031-05-03 07:00:00 UTC
>>   key usage: keyCertSign,cRLSign
>>   pre-save command:
>>   post-save command:
>>   track: yes
>>   auto-renew: yes
>>
>> Request ID '20190915045216':
>>   status: NEED_CA
>>   stuck: yes
>>   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>   issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>   subject: CN=IPA RA,O=EXAMPLE.COM
>>   expires: 2020-11-17 18:31:36 UTC
>>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>   eku: id-kp-serverAuth,id-kp-clientAuth
>>   pre-save command:
>>   post-save command:
>>   track: yes
>>   auto-renew: yes
>>
>>> On Fri, Sep 20, 2019 at 10:58 AM Rob Crittenden rcritten@redhat.com wrote:
>>>
>>> Satish Patel via FreeIPA-users wrote:
>>>> A few days ago my Master CA was messed up and getcert list was showing an empty list (no cert to track)
>>>>
>>>> So I ran the following commands to add certs manually:
>>>>
>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'ocspSigningCert cert-pki-ca' -P XXXXXXX
>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca' -P XXXXXXX
>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -P XXXXXXX
>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy' -P XXXXXXX
>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy Intermediate' -P XXXXXXX
>>>>
>>>> And after that I am seeing this status (status: NEED_CA); it should be MONITORING, right?
>>>>
>>>> # getcert list
>>>> Number of certificates and requests being tracked: 12.
>>>
>>> You set up the tracking wrong. Your output only shows 3 certs and yet certmonger thinks it has 12. Where are the other 9?
>>>
>>> rob
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Satish Patel wrote:
I am running "ipa-server-4.4.0-14.el7.centos.4.x86_64"
Ok, that explains what is happening.
Edit /var/lib/ipa/sysupgrade/sysupgrade.state and find the [dogtag] section. Remove the entry for certificate_renewal_update_5.
This being present is preventing the tracking from being repaired.
Then run ipa-server-upgrade again and your tracking should be fixed.
Use the -v flag for additional debugging, not --debug, I was mistaken.
rob
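Rob's two-step fix, dropping the stale [dogtag] marker and then checking whether every tracked request is back in MONITORING, as a script. This is an added example, not code from the thread or from FreeIPA; it assumes sysupgrade.state is an INI-style file that configparser can read and that getcert list prints the field layout shown earlier in the thread, and all sample input is constructed.

```python
"""Drop the stale [dogtag] step marker from sysupgrade.state, then verify
certmonger tracking from `getcert list` output.

Added example, not code from the thread or from the FreeIPA project. It
assumes sysupgrade.state is an INI-style file that configparser can read
and that `getcert list` prints the field layout shown in the thread. All
sample input below is constructed.
"""
import configparser
import io
import re
import shutil
import time
from pathlib import Path

# Path and entry name are the ones given in Rob's reply.
STATE_FILE = Path("/var/lib/ipa/sysupgrade/sysupgrade.state")
STALE_SECTION = "dogtag"
STALE_OPTION = "certificate_renewal_update_5"


def drop_state_entry(text, section, option):
    """Return (new_text, removed). Only the named option in the named section
    is touched; every other section and entry is written back unchanged."""
    cp = configparser.RawConfigParser()
    cp.optionxform = str  # keep option names exactly as they appear in the file
    cp.read_string(text)
    if not (cp.has_section(section) and cp.has_option(section, option)):
        return text, False
    cp.remove_option(section, option)
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue(), True


def repair_state_file(path=STATE_FILE, section=STALE_SECTION, option=STALE_OPTION):
    """Edit the state file in place, keeping a timestamped backup next to it.
    Returns True when the entry was present and removed."""
    original = path.read_text()
    new_text, removed = drop_state_entry(original, section, option)
    if removed:
        backup = path.with_name(path.name + "." + time.strftime("%Y%m%d%H%M%S") + ".bak")
        shutil.copy2(path, backup)
        path.write_text(new_text)
    return removed


_STATUS = re.compile(r"(?m)^\s*status:\s*(\S+)")
_NICK = re.compile(r"(?m)^\s*certificate:.*?nickname='([^']+)'")


def not_monitoring(getcert_output):
    """Parse `getcert list` output and return {request_id: (nickname, status)}
    for every request whose status is anything other than MONITORING.
    An empty dict means the tracking has been repaired."""
    parts = re.split(r"(?m)^Request ID '([^']+)':", getcert_output)
    # re.split with one capture group yields [preamble, id1, body1, id2, body2, ...]
    result = {}
    for req_id, body in zip(parts[1::2], parts[2::2]):
        status = _STATUS.search(body)
        nick = _NICK.search(body)
        state = status.group(1) if status else "UNKNOWN"
        if state != "MONITORING":
            result[req_id] = (nick.group(1) if nick else None, state)
    return result


# Constructed sample state file, shaped like the entry Rob names.
SAMPLE_STATE = """\
[dogtag]
certificate_renewal_update_5 = True
some_other_step = True

[ds]
some_ds_step = True
"""

# Constructed sample `getcert list` output: two of the thread's stuck requests
# plus one healthy request (the third ID is made up).
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 3.
Request ID '20190915042927':
\tstatus: NEED_CA
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\ttrack: yes
\tauto-renew: yes
Request ID '20190915043246':
\tstatus: NEED_KEY_PAIR
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
\ttrack: yes
Request ID '20200101000000':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\ttrack: yes
"""

if __name__ == "__main__":
    cleaned, removed = drop_state_entry(SAMPLE_STATE, STALE_SECTION, STALE_OPTION)
    print("removed stale entry:", removed)
    print(cleaned)
    for req_id, (nick, state) in not_monitoring(SAMPLE_GETCERT).items():
        print(f"{req_id}  {nick!r:40}  {state}")
```

On a real server, call repair_state_file() as root, re-run ipa-server-upgrade, and feed the output of getcert list to not_monitoring(); an empty result is the "fixed" state Rob describes.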
On Wed, Sep 25, 2019 at 5:13 PM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel via FreeIPA-users wrote:
I did run "ipa-server-upgrade" and it looks like it was successful, but getcert list is still showing CA_NEED :(
Remind me what the package version of IPA is. I'm confused by the version 5 in the output about renewal configuration.
You might also want to try running with --debug as depending on release it will give more information about this.
rob
[root@ldap-ca-master ~]# ipa-server-upgrade
Upgrading IPA:
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: starting directory server
  [6/10]: updating schema
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
/etc/dirsrv/slapd-EXAMPLE-COM/certmap.conf is now managed by IPA. It will be overwritten. A backup of the original will be made.
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Updating mod_nss cipher suite]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Exporting KRA agent PEM file]
KRA is not enabled
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
DNS is not configured
[Ensuring minimal number of connections]
DNS is not configured
[Enabling serial autoincrement in DNS]
DNS is not configured
[Updating GSSAPI configuration in DNS]
DNS is not configured
[Updating pid-file configuration in DNS]
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration to version 5]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
Default CA ACL already added
[Set up lightweight CA key retrieval]
Creating principal
Retrieving keytab
Creating Custodia keys
Configuring key retriever
The IPA services were upgraded
The ipa-server-upgrade command was successful

[root@ldap-ca-master ~]# getcert list | grep status
status: NEED_CA
status: NEED_CA
status: NEED_CA
status: NEED_CA
status: NEED_CA
status: NEED_KEY_PAIR
status: NEED_KEY_PAIR
status: NEED_KEY_PAIR
status: NEED_KEY_PAIR
status: NEED_CA
status: NEED_KEY_PAIR
status: NEED_CA
On Tue, Sep 24, 2019 at 3:55 AM Florence Blanc-Renaud flo@redhat.com wrote:
On 9/23/19 4:10 PM, Satish Patel via FreeIPA-users wrote:
Thanks Florence,
Is it safe to run "ipa-server-upgrade"?
Hi, generally yes :)
We had a few tickets related to upgrade but they are mainly revealing already present issues (for instance because this CLI stops and starts the services, expired certs would prevent successful completion).
Do I need to provide any option with the "ipa-server-upgrade" command? I believe a few months back when I tried to run "ipa-server-upgrade" it broke some stuff, but anyway I will take a snapshot of the VM and try; worst case scenario.
With the VM snapshot you are on the safe side.
flo
Rob,
Now I got an error, and here is the output. The output was very long so I cropped it down; here is the error piece.
ipa: INFO: [Upgrading CA schema]
ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket from SchemaCache
ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x85bbf80>
ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file /usr/share/pki/server/conf/schema-certProfile.ldif
ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file /usr/share/pki/server/conf/schema-authority.ldif
ipa.ipaserver.install.schemaupdate: DEBUG: Not updating schema
ipa: INFO: CA schema update complete (no changes)
ipa: INFO: [Verifying that CA audit signing cert has 2 year validity]
ipa.ipaserver.install.cainstance.CAInstance: DEBUG: caSignedLogCert.cfg profile validity range is 720
ipa: INFO: [Update certmonger certificate renewal configuration to version 5]
ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
ipa: DEBUG: Configuring certmonger to stop tracking system certificates for CA
Configuring certmonger to stop tracking system certificates for CA
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start messagebus.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl stop certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl enable certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start messagebus.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM -L -n Server-Cert -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1863, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1769, in upgrade_configuration
    certificate_renewal_update(ca, ds, http),
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1027, in certificate_renewal_update
    ds.start_tracking_certificates(serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 983, in start_tracking_certificates
    'restart_dirsrv %s' % serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 307, in track_server_cert
    nsscert = x509.load_certificate(cert, dbdir=self.secdir)
  File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 125, in load_certificate
    return nss.Certificate(buffer(data))  # pylint: disable=buffer-builtin
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The ipa-server-upgrade command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: Unexpected error - see /var/log/ipaupgrade.log for details:
NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
On Thu, Sep 26, 2019 at 9:39 AM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel wrote:
I am running "ipa-server-4.4.0-14.el7.centos.4.x86_64"
Ok, that explains what is happening.
Edit /var/lib/ipa/sysupgrade/sysupgrade.state and find the [dogtag] section. Remove the entry for certificate_renewal_update_5.
This being present is preventing the tracking to be repaired.
Then run ipa-server-upgrade again and your tracking should be fixed.
Use the -v flag for additional debugging, not --debug, I was mistaken.
rob
On Wed, Sep 25, 2019 at 5:13 PM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel via FreeIPA-users wrote:
I did run "ipa-server-upgrade" and look like it was successful but still in getcert list showing CA_NEED :(
Remind me what the package version of IPA is. I'm confused by the version 5 in the output about renewal configuration.
You might also want to try running with --debug as depending on release it will give more information about this.
rob
[root@ldap-ca-master ~]# ipa-server-upgrade
Upgrading IPA:
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: starting directory server
  [6/10]: updating schema
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
/etc/dirsrv/slapd-EXAMPLE-COM/certmap.conf is now managed by IPA. It will be overwritten. A backup of the original will be made.
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Updating mod_nss cipher suite]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Exporting KRA agent PEM file]
KRA is not enabled
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
DNS is not configured
[Ensuring minimal number of connections]
DNS is not configured
[Enabling serial autoincrement in DNS]
DNS is not configured
[Updating GSSAPI configuration in DNS]
DNS is not configured
[Updating pid-file configuration in DNS]
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration to version 5]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
Default CA ACL already added
[Set up lightweight CA key retrieval]
Creating principal
Retrieving keytab
Creating Custodia keys
Configuring key retriever
The IPA services were upgraded
The ipa-server-upgrade command was successful
[root@ldap-ca-master ~]# getcert list | grep status
        status: NEED_CA
        status: NEED_CA
        status: NEED_CA
        status: NEED_CA
        status: NEED_CA
        status: NEED_KEY_PAIR
        status: NEED_KEY_PAIR
        status: NEED_KEY_PAIR
        status: NEED_KEY_PAIR
        status: NEED_CA
        status: NEED_KEY_PAIR
        status: NEED_CA
On Tue, Sep 24, 2019 at 3:55 AM Florence Blanc-Renaud flo@redhat.com wrote:
On 9/23/19 4:10 PM, Satish Patel via FreeIPA-users wrote:
Thanks Florence,
Is it safe to run "ipa-server-upgrade"?
Hi, generally yes :)
We had a few tickets related to upgrade but they are mainly revealing already present issues (for instance because this CLI stops and starts the services, expired certs would prevent successful completion).
Do I need to provide any option with the "ipa-server-upgrade" command? I believe a few months back when I tried to run "ipa-server-upgrade" it broke some stuff, but anyway I will take a snapshot of the VM and try it, for the worst-case scenario.
With the VM snapshot you are on the safe side.
flo
On Mon, Sep 23, 2019 at 2:25 AM Florence Blanc-Renaud flo@redhat.com wrote:
On 9/21/19 7:41 PM, Satish Patel via FreeIPA-users wrote:
Any thought?
Hi,
if you run ipa-server-upgrade on this node, the command will fix the tracking of certs. You should see in the output:
[Update certmonger certificate renewal configuration]
HTH,
flo

Sent from my iPhone

On Sep 20, 2019, at 11:35 AM, Satish Patel satish.txt@gmail.com wrote:
Rob, sorry, I trimmed my output, thinking it was not necessary, but anyway here is the full list (ignore the CAPS letters in the output).

[root@ldap-ca-master ~]# getcert list
Number of certificates and requests being tracked: 12.
Request ID '20190915042927':
        status: NEED_CA
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=Certificate Authority,O=EXAMPLE.COM
        expires: 2037-01-05 14:47:24 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20190915043150':
        status: NEED_CA
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
        expires: 2020-11-17 18:30:29 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20190915043212':
        status: NEED_CA
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=OCSP Subsystem,O=EXAMPLE.COM
        expires: 2020-11-17 18:31:26 UTC
        eku: id-kp-OCSPSigning
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20190915043224':
        status: NEED_CA
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=CA Audit,O=EXAMPLE.COM
        expires: 2020-11-17 18:32:07 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20190915043237':
        status: NEED_CA
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=CA Subsystem,O=EXAMPLE.COM
        expires: 2020-11-17 18:31:16 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20190915043246':
        status: NEED_KEY_PAIR
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
        issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
        subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
        expires: 2037-12-31 23:59:59 UTC
        key usage: keyCertSign,cRLSign
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20190915043304':
        status: NEED_KEY_PAIR
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
        issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
        subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
        expires: 2031-05-03 07:00:00 UTC
        key usage: keyCertSign,cRLSign
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20190915045112':
        status: NEED_KEY_PAIR
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',token='NSS Certificate DB'
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=Certificate Authority,O=EXAMPLE.COM
        expires: 2037-01-05 14:47:24 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20190915045148':
        status: NEED_KEY_PAIR
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS Certificate DB'
        issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
        subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
        expires: 2037-12-31 23:59:59 UTC
        key usage: keyCertSign,cRLSign
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20190915045156':
        status: NEED_CA
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=Object Signing Cert,O=EXAMPLE.COM
        expires: 2021-01-05 14:49:59 UTC
        key usage: digitalSignature,keyCertSign
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20190915045206':
        status: NEED_KEY_PAIR
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
        issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
        subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
        expires: 2031-05-03 07:00:00 UTC
        key usage: keyCertSign,cRLSign
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20190915045216':
        status: NEED_CA
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=IPA RA,O=EXAMPLE.COM
        expires: 2020-11-17 18:31:36 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

On Fri, Sep 20, 2019 at 10:58 AM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel via FreeIPA-users wrote:
A few days ago my master CA was messed up and getcert list was showing an empty list (no cert to track).

So I ran the following commands to add the certs manually:

getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'ocspSigningCert cert-pki-ca' -P XXXXXXX
getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca' -P XXXXXXX
getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -P XXXXXXX
getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy' -P XXXXXXX
getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy Intermediate' -P XXXXXXX

And after that I am seeing this status (status: NEED_CA). It should be MONITORING, right?

# getcert list
Number of certificates and requests being tracked: 12.

You setup the tracking wrong. Your output only shows 3 certs and yet certmonger thinks it has 12. Where are the other 9?

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
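The getcert output quoted in this message is what a hand-rebuilt tracking set looks like: every entry is NEED_CA or NEED_KEY_PAIR, the NEED_CA ones are stuck, and none of them carries a "CA:" line or pre/post-save commands. The following script is an added example (not code from the thread, from FreeIPA or from certmonger) that parses `getcert list` output and reports every request that will never renew on its own: status other than MONITORING, stuck=yes, or no CA assigned. The SAMPLE text is constructed to mirror two of the entries above plus one healthy entry for contrast; the CA name and helper paths in that healthy entry are illustrative and not taken from the thread.

```python
"""Added example: audit `getcert list` output for tracking requests that
certmonger cannot renew.  Not code from the thread or from FreeIPA/certmonger.

Checks per request: status must be MONITORING, stuck must not be yes, and a
"CA:" line must be present (certmonger prints one once a CA is bound to the
request; entries re-added with a bare `getcert start-tracking -d ... -n ...`
have none, which is what NEED_CA reflects).
"""
import re
import subprocess
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: two entries modelled on the thread's output, one healthy
# entry (CA name and pre/post-save paths illustrative, not from the thread).
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20190915042927':
        status: NEED_CA
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=Certificate Authority,O=EXAMPLE.COM
        expires: 2037-01-05 14:47:24 UTC
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20190915043246':
        status: NEED_KEY_PAIR
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
        track: yes
        auto-renew: yes
Request ID '20190915045216':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=IPA RA,O=EXAMPLE.COM
        expires: 2020-11-17 18:31:36 UTC
        pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
"""


@dataclass
class TrackedRequest:
    request_id: str
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def nickname(self) -> str:
        m = re.search(r"nickname='([^']*)'", self.fields.get("certificate", ""))
        return m.group(1) if m else self.request_id

    def problems(self) -> List[str]:
        """Reasons this entry will not renew by itself (empty list = healthy)."""
        found = []
        status = self.fields.get("status", "")
        if status != "MONITORING":
            found.append(f"status {status or 'unknown'}")
        if self.fields.get("stuck") == "yes":
            found.append("stuck")
        if "CA" not in self.fields:
            found.append("no CA assigned")
        return found


def parse_getcert_list(text: str) -> List[TrackedRequest]:
    """One record per "Request ID" block; indented "key: value" lines become fields."""
    requests: List[TrackedRequest] = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append(TrackedRequest(m.group(1)))
        elif requests and line[:1].isspace() and ":" in line:
            key, _, value = line.strip().partition(":")
            requests[-1].fields[key.strip()] = value.strip()
    return requests


def audit(text: str) -> Dict[str, List[str]]:
    """Map nickname -> problems for every entry that is not healthy."""
    return {r.nickname: r.problems() for r in parse_getcert_list(text) if r.problems()}


def main() -> None:
    try:
        text = subprocess.run(["getcert", "list"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE  # no certmonger on this host: use the constructed sample
    bad = audit(text)
    for nick, why in bad.items():
        print(f"{nick}: {', '.join(why)}")
    print(f"{len(bad)} unhealthy tracking request(s)")


if __name__ == "__main__":
    main()
```

Run it on the master after any repair attempt; the target is an empty report. An entry that shows "no CA assigned" cannot be fixed by waiting or by `getcert resubmit`, which is why the thread moves on to letting ipa-server-upgrade recreate the tracking rather than patching the hand-made entries.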
Addition to last email:
I can't see Server-Cert here, but interestingly I can see Server-Cert on my CA replica node ldap-2 (why is my primary ldap-ca-master not showing that cert?).
[root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Godaddy                                                      C,,
CN=*.foo.example.com,OU=Domain Control Validated             u,u,u
Godaddy Intermediate                                         C,,
On Thu, Sep 26, 2019 at 10:22 AM Satish Patel satish.txt@gmail.com wrote:
Rob,
Now I got an error; here is the output. The output was very long, so I cropped it down and here is the error piece.
ipa: INFO: [Upgrading CA schema]
ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket from SchemaCache
ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x85bbf80>
ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file /usr/share/pki/server/conf/schema-certProfile.ldif
ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file /usr/share/pki/server/conf/schema-authority.ldif
ipa.ipaserver.install.schemaupdate: DEBUG: Not updating schema
ipa: INFO: CA schema update complete (no changes)
ipa: INFO: [Verifying that CA audit signing cert has 2 year validity]
ipa.ipaserver.install.cainstance.CAInstance: DEBUG: caSignedLogCert.cfg profile validity range is 720
ipa: INFO: [Update certmonger certificate renewal configuration to version 5]
ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
ipa: DEBUG: Configuring certmonger to stop tracking system certificates for CA
Configuring certmonger to stop tracking system certificates for CA
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start messagebus.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl stop certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl enable certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start messagebus.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM -L -n Server-Cert -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1863, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1769, in upgrade_configuration
    certificate_renewal_update(ca, ds, http),
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1027, in certificate_renewal_update
    ds.start_tracking_certificates(serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 983, in start_tracking_certificates
    'restart_dirsrv %s' % serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 307, in track_server_cert
    nsscert = x509.load_certificate(cert, dbdir=self.secdir)
  File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 125, in load_certificate
    return nss.Certificate(buffer(data))  # pylint: disable=buffer-builtin

ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The ipa-server-upgrade command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: Unexpected error - see /var/log/ipaupgrade.log for details:
NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
On Thu, Sep 26, 2019 at 9:39 AM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel wrote:
I am running "ipa-server-4.4.0-14.el7.centos.4.x86_64"
Ok, that explains what is happening.
Edit /var/lib/ipa/sysupgrade/sysupgrade.state and find the [dogtag] section. Remove the entry for certificate_renewal_update_5.
This being present is preventing the tracking to be repaired.
Then run ipa-server-upgrade again and your tracking should be fixed.
Use the -v flag for additional debugging, not --debug, I was mistaken.
rob
On Wed, Sep 25, 2019 at 5:13 PM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel via FreeIPA-users wrote:
I did run "ipa-server-upgrade" and it looks like it was successful, but getcert list is still showing NEED_CA :(
Remind me what the package version of IPA is. I'm confused by the version 5 in the output about renewal configuration.
You might also want to try running with --debug as depending on release it will give more information about this.
rob
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Satish Patel wrote:
Addition to last email:
I can't see Server-Cert here, but interestingly I can see Server-Cert on my CA replica node ldap-2 (why is my primary ldap-ca-master not showing that cert?)
[root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Godaddy                                                      C,,
CN=*.foo.example.com,OU=Domain Control Validated             u,u,u
Godaddy Intermediate                                         C,,
At some point someone replaced the IPA-signed LDAP certificate with one signed by GoDaddy (which is fine).
It appears that the version of IPA you're using (at least) doesn't handle this case.
Now, fortunately it's one of the last things done so this may be just fine.
Can you see if your web server cert was also replaced? The database is /etc/httpd/alias.
Also, check your current tracking. The CA subsystem certs should be properly tracked now. It is just the LDAP and web certs that should not be (and if it is still using GoDaddy that is fine).
rob
On Thu, Sep 26, 2019 at 10:22 AM Satish Patel satish.txt@gmail.com wrote:
Rob,
Now I got an error; here is the output. The output was very long, so I cropped it down to the error piece.
ipa: INFO: [Upgrading CA schema]
ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket from SchemaCache
ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x85bbf80>
ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file /usr/share/pki/server/conf/schema-certProfile.ldif
ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file /usr/share/pki/server/conf/schema-authority.ldif
ipa.ipaserver.install.schemaupdate: DEBUG: Not updating schema
ipa: INFO: CA schema update complete (no changes)
ipa: INFO: [Verifying that CA audit signing cert has 2 year validity]
ipa.ipaserver.install.cainstance.CAInstance: DEBUG: caSignedLogCert.cfg profile validity range is 720
ipa: INFO: [Update certmonger certificate renewal configuration to version 5]
ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
ipa: DEBUG: Configuring certmonger to stop tracking system certificates for CA
Configuring certmonger to stop tracking system certificates for CA
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start messagebus.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl stop certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl enable certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start messagebus.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM -L -n Server-Cert -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1863, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1769, in upgrade_configuration
    certificate_renewal_update(ca, ds, http),
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1027, in certificate_renewal_update
    ds.start_tracking_certificates(serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 983, in start_tracking_certificates
    'restart_dirsrv %s' % serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 307, in track_server_cert
    nsscert = x509.load_certificate(cert, dbdir=self.secdir)
  File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 125, in load_certificate
    return nss.Certificate(buffer(data))  # pylint: disable=buffer-builtin
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The ipa-server-upgrade command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: Unexpected error - see /var/log/ipaupgrade.log for details:
NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
On Thu, Sep 26, 2019 at 9:39 AM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel wrote:
I am running "ipa-server-4.4.0-14.el7.centos.4.x86_64"
Ok, that explains what is happening.
Edit /var/lib/ipa/sysupgrade/sysupgrade.state and find the [dogtag] section. Remove the entry for certificate_renewal_update_5.
This being present is preventing the tracking from being repaired.
Then run ipa-server-upgrade again and your tracking should be fixed.
Use the -v flag for additional debugging, not --debug; I was mistaken.
rob
On Wed, Sep 25, 2019 at 5:13 PM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel via FreeIPA-users wrote:
I did run "ipa-server-upgrade" and it looks like it was successful, but getcert list is still showing CA_NEED :(
Remind me what the package version of IPA is. I'm confused by the version 5 in the output about renewal configuration.
You might also want to try running with --debug as, depending on the release, it will give more information about this.
rob
[root@ldap-ca-master ~]# ipa-server-upgrade
Upgrading IPA:
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: starting directory server
  [6/10]: updating schema
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
/etc/dirsrv/slapd-EXAMPLE-COM/certmap.conf is now managed by IPA. It will be overwritten. A backup of the original will be made.
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Updating mod_nss cipher suite]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Exporting KRA agent PEM file]
KRA is not enabled
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
DNS is not configured
[Ensuring minimal number of connections]
DNS is not configured
[Enabling serial autoincrement in DNS]
DNS is not configured
[Updating GSSAPI configuration in DNS]
DNS is not configured
[Updating pid-file configuration in DNS]
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration to version 5]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
Default CA ACL already added
[Set up lightweight CA key retrieval]
Creating principal
Retrieving keytab
Creating Custodia keys
Configuring key retriever
The IPA services were upgraded
The ipa-server-upgrade command was successful
[root@ldap-ca-master ~]# getcert list | grep status
    status: NEED_CA
    status: NEED_CA
    status: NEED_CA
    status: NEED_CA
    status: NEED_CA
    status: NEED_KEY_PAIR
    status: NEED_KEY_PAIR
    status: NEED_KEY_PAIR
    status: NEED_KEY_PAIR
    status: NEED_CA
    status: NEED_KEY_PAIR
    status: NEED_CA
On Tue, Sep 24, 2019 at 3:55 AM Florence Blanc-Renaud flo@redhat.com wrote:
>
> On 9/23/19 4:10 PM, Satish Patel via FreeIPA-users wrote:
>> Thanks Florence,
>>
>> Is it safe to run "ipa-server-upgrade"?
>>
> Hi,
> generally yes :)
>
> We had a few tickets related to upgrade but they are mainly revealing
> already present issues (for instance because this CLI stops and starts
> the services, expired certs would prevent successful completion).
>
>> Do I need to provide any option with the "ipa-server-upgrade" command? I
>> believe a few months back when I tried to do "ipa-server-upgrade" it
>> broke some stuff, but anyway I will take a snapshot of the VM and try;
>> worst case scenario.
> With the VM snapshot you are on the safe side.
>
> flo
>
>>
>> On Mon, Sep 23, 2019 at 2:25 AM Florence Blanc-Renaud flo@redhat.com wrote:
>>>
>>> On 9/21/19 7:41 PM, Satish Patel via FreeIPA-users wrote:
>>>> Any thoughts?
>>> Hi,
>>> if you run ipa-server-upgrade on this node, the command will fix the
>>> tracking of certs. You should see in the output:
>>> [Update certmonger certificate renewal configuration]
>>>
>>> HTH,
>>> flo
>>>
>>>>
>>>> Sent from my iPhone
>>>>
>>>>> On Sep 20, 2019, at 11:35 AM, Satish Patel satish.txt@gmail.com wrote:
>>>>>
>>>>> Rob, sorry, I trimmed my output thinking it was not necessary, but anyway here is
>>>>> the full list (ignore the CAPS letters in the output)
>>>>>
>>>>> [root@ldap-ca-master ~]# getcert list
>>>>>
>>>>> Number of certificates and requests being tracked: 12.
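The tracking check Rob asks for above, written out as an added example (not from this thread or from FreeIPA): it parses the plain-text layout that getcert list prints throughout this thread and reports every request that is not MONITORING, is stuck, or has no CA assigned, which is the signature of the hand-added entries. The sample output is constructed from entries quoted in the thread.

```python
# Added example (not from the thread or from FreeIPA): parse the plain-text
# output of `getcert list` and report tracking requests that are not healthy.
import re
import sys
from collections import Counter

# Constructed sample in the layout getcert prints, built from entries in the
# thread: two requests added by hand (no CA, no renewal helpers) and one that
# ipa-server-upgrade re-created with the IPA renewal agent.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20190915043212':
    status: NEED_CA
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    expires: 2020-11-17 18:31:26 UTC
    pre-save command:
    post-save command:
    auto-renew: yes
Request ID '20190915043246':
    status: NEED_KEY_PAIR
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
    expires: 2037-12-31 23:59:59 UTC
    pre-save command:
    post-save command:
    auto-renew: yes
Request ID '20190926141757':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    CA: dogtag-ipa-ca-renew-agent
    expires: 2020-11-17 18:31:26 UTC
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
# Field lines are indented; the field name runs up to the first colon.
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?):\s?(.*)$")


def parse_getcert_list(text):
    """Return one dict per tracking request; the 'id' key holds the request ID."""
    requests = []
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return requests


def storage_attr(storage, key):
    """Pull nickname= or location= out of a 'key pair storage' value."""
    m = re.search(r"%s='([^']*)'" % key, storage)
    return m.group(1) if m else ""


def status_counts(requests):
    """Histogram of status values, the same view as `getcert list | grep status`."""
    return Counter(r.get("status", "?") for r in requests)


def tracking_problems(requests):
    """Return (request id, nickname, NSS db, reasons) for every unhealthy request.

    Healthy means status MONITORING, not stuck, and a CA assigned. In the thread
    the hand-added requests sat in NEED_CA/stuck with no CA to renew against, and
    the GoDaddy root and intermediate CA certs (no private key in the database)
    showed NEED_KEY_PAIR.
    """
    problems = []
    for req in requests:
        storage = req.get("key pair storage", "")
        reasons = []
        if req.get("status") != "MONITORING":
            reasons.append("status " + req.get("status", "?"))
        if req.get("stuck") == "yes":
            reasons.append("stuck")
        if not req.get("CA"):
            reasons.append("no CA assigned")
        if reasons:
            problems.append((req["id"], storage_attr(storage, "nickname"),
                             storage_attr(storage, "location"), ", ".join(reasons)))
    return problems


if __name__ == "__main__":
    # Pipe `getcert list` into the script on a server; the sample is used otherwise.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    reqs = parse_getcert_list(text)
    print(dict(status_counts(reqs)))
    for rid, nick, db, why in tracking_problems(reqs):
        print(f"{rid}  {nick!r} in {db}: {why}")
```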
Rob,
Here are the web certs:
[root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/httpd/alias -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Godaddy                                                      C,,
CN=*.foo.example.com,OU=Domain Control Validated             u,u,u
Signing-Cert                                                 u,u,u
Godaddy Intermediate                                         C,,
ipaCert                                                      u,u,u
Here is the full output of getcert, and I can see some certs showing MONITORING:
[root@ldap-ca-master ~]# getcert list
Number of certificates and requests being tracked: 13.
Request ID '20190915043246':
    status: NEED_KEY_PAIR
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
    issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    expires: 2037-12-31 23:59:59 UTC
    key usage: keyCertSign,cRLSign
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20190915043304':
    status: NEED_KEY_PAIR
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
    issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    expires: 2031-05-03 07:00:00 UTC
    key usage: keyCertSign,cRLSign
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20190915045112':
    status: NEED_KEY_PAIR
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',token='NSS Certificate DB'
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=Certificate Authority,O=EXAMPLE.COM
    expires: 2037-01-05 14:47:24 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20190915045148':
    status: NEED_KEY_PAIR
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS Certificate DB'
    issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    expires: 2037-12-31 23:59:59 UTC
    key usage: keyCertSign,cRLSign
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20190915045156':
    status: NEED_CA
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=Object Signing Cert,O=EXAMPLE.COM
    expires: 2021-01-05 14:49:59 UTC
    key usage: digitalSignature,keyCertSign
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20190915045206':
    status: NEED_KEY_PAIR
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
    issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    expires: 2031-05-03 07:00:00 UTC
    key usage: keyCertSign,cRLSign
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20190926141756':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=CA Audit,O=EXAMPLE.COM
    expires: 2020-11-17 18:32:07 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190926141757':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=OCSP Subsystem,O=EXAMPLE.COM
    expires: 2020-11-17 18:31:26 UTC
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190926141758':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=CA Subsystem,O=EXAMPLE.COM
    expires: 2020-11-17 18:31:16 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190926141759':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=Certificate Authority,O=EXAMPLE.COM
    expires: 2037-01-05 14:47:24 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190926141800':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=IPA RA,O=EXAMPLE.COM
    expires: 2020-11-17 18:31:36 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20190926141801':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
    expires: 2020-11-17 18:30:29 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
/usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" track: yes auto-renew: yes Request ID '20190926141802': status: CA_UNCONFIGURED ca-error: Unable to determine principal name for signing request. stuck: yes key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert' CA: IPA issuer: subject: expires: unknown pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM track: yes auto-renew: yes
On Thu, Sep 26, 2019 at 10:31 AM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel wrote:
Addition to last email:
I can't see Server-Cert here, but interestingly I can see Server-Cert on my CA replica node ldap-2 (why is my primary ldap-ca-master not showing that cert?)
[root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Godaddy                                                      C,,
CN=*.foo.example.com,OU=Domain Control Validated             u,u,u
Godaddy Intermediate                                         C,,
At some point someone replaced the IPA-signed LDAP certificate with one signed by GoDaddy (which is fine).
It appears that the version of IPA you're using (at least) doesn't handle this case.
Now, fortunately it's one of the last things done so this may be just fine.
Can you see if your web server cert was also replaced? The database is /etc/httpd/alias.
Also, check your current tracking. The CA subsystem certs should be properly tracked now. It is just the LDAP and web certs that should not be (and if it is still using GoDaddy that is fine).
rob
On Thu, Sep 26, 2019 at 10:22 AM Satish Patel satish.txt@gmail.com wrote:
Rob,
Now I got an error and here is the output. The output was very long, so I cropped it down; here is the error piece.
ipa: INFO: [Upgrading CA schema]
ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket from SchemaCache
ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x85bbf80>
ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file /usr/share/pki/server/conf/schema-certProfile.ldif
ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file /usr/share/pki/server/conf/schema-authority.ldif
ipa.ipaserver.install.schemaupdate: DEBUG: Not updating schema
ipa: INFO: CA schema update complete (no changes)
ipa: INFO: [Verifying that CA audit signing cert has 2 year validity]
ipa.ipaserver.install.cainstance.CAInstance: DEBUG: caSignedLogCert.cfg profile validity range is 720
ipa: INFO: [Update certmonger certificate renewal configuration to version 5]
ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
ipa: DEBUG: Configuring certmonger to stop tracking system certificates for CA
Configuring certmonger to stop tracking system certificates for CA
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start messagebus.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl stop certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl enable certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start messagebus.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM -L -n Server-Cert -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1863, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1769, in upgrade_configuration
    certificate_renewal_update(ca, ds, http),
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1027, in certificate_renewal_update
    ds.start_tracking_certificates(serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 983, in start_tracking_certificates
    'restart_dirsrv %s' % serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 307, in track_server_cert
    nsscert = x509.load_certificate(cert, dbdir=self.secdir)
  File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 125, in load_certificate
    return nss.Certificate(buffer(data))  # pylint: disable=buffer-builtin
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The ipa-server-upgrade command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: Unexpected error - see /var/log/ipaupgrade.log for details: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
On Thu, Sep 26, 2019 at 9:39 AM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel wrote:
I am running "ipa-server-4.4.0-14.el7.centos.4.x86_64"
Ok, that explains what is happening.
Edit /var/lib/ipa/sysupgrade/sysupgrade.state and find the [dogtag] section. Remove the entry for certificate_renewal_update_5.
This being present is preventing the tracking from being repaired.
Then run ipa-server-upgrade again and your tracking should be fixed.
Use the -v flag for additional debugging, not --debug, I was mistaken.
rob
On Wed, Sep 25, 2019 at 5:13 PM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel via FreeIPA-users wrote:
> I did run "ipa-server-upgrade" and it looks like it was successful, but
> getcert list is still showing CA_NEED :(
Remind me what the package version of IPA is. I'm confused by the version 5 in the output about renewal configuration.
You might also want to try running with --debug as depending on release it will give more information about this.
rob
>
>
> [root@ldap-ca-master ~]# ipa-server-upgrade
> Upgrading IPA:
> [1/10]: stopping directory server
> [2/10]: saving configuration
> [3/10]: disabling listeners
> [4/10]: enabling DS global lock
> [5/10]: starting directory server
> [6/10]: updating schema
> [7/10]: upgrading server
> [8/10]: stopping directory server
> [9/10]: restoring configuration
> [10/10]: starting directory server
> Done.
> Update complete
> Upgrading IPA services
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> CRL tree already moved
> /etc/dirsrv/slapd-EXAMPLE-COM/certmap.conf is now managed by IPA. It will be overwritten. A backup of the original will be made.
> [Verifying that CA proxy configuration is correct]
> [Verifying that KDC configuration is using ipa-kdb backend]
> [Fix DS schema file syntax]
> Syntax already fixed
> [Removing RA cert from DS NSS database]
> RA cert already removed
> [Enable sidgen and extdom plugins by default]
> [Updating HTTPD service IPA configuration]
> [Updating mod_nss protocol versions]
> Protocol versions already updated
> [Updating mod_nss cipher suite]
> [Fixing trust flags in /etc/httpd/alias]
> Trust flags already processed
> [Exporting KRA agent PEM file]
> KRA is not enabled
> [Removing self-signed CA]
> [Removing Dogtag 9 CA]
> [Checking for deprecated KDC configuration files]
> [Checking for deprecated backups of Samba configuration files]
> [Setting up Firefox extension]
> [Add missing CA DNS records]
> IPA CA DNS records already processed
> [Removing deprecated DNS configuration options]
> DNS is not configured
> [Ensuring minimal number of connections]
> DNS is not configured
> [Enabling serial autoincrement in DNS]
> DNS is not configured
> [Updating GSSAPI configuration in DNS]
> DNS is not configured
> [Updating pid-file configuration in DNS]
> DNS is not configured
> DNS is not configured
> DNS is not configured
> DNS is not configured
> DNS is not configured
> DNS is not configured
> DNS is not configured
> DNS is not configured
> [Upgrading CA schema]
> CA schema update complete (no changes)
> [Verifying that CA audit signing cert has 2 year validity]
> [Update certmonger certificate renewal configuration to version 5]
> [Enable PKIX certificate path discovery and validation]
> PKIX already enabled
> [Authorizing RA Agent to modify profiles]
> [Authorizing RA Agent to manage lightweight CAs]
> [Ensuring Lightweight CAs container exists in Dogtag database]
> [Adding default OCSP URI configuration]
> [Ensuring CA is using LDAPProfileSubsystem]
> [Migrating certificate profiles to LDAP]
> [Ensuring presence of included profiles]
> [Add default CA ACL]
> Default CA ACL already added
> [Set up lightweight CA key retrieval]
> Creating principal
> Retrieving keytab
> Creating Custodia keys
> Configuring key retriever
> The IPA services were upgraded
> The ipa-server-upgrade command was successful
>
>
> [root@ldap-ca-master ~]# getcert list | grep status
> status: NEED_CA
> status: NEED_CA
> status: NEED_CA
> status: NEED_CA
> status: NEED_CA
> status: NEED_KEY_PAIR
> status: NEED_KEY_PAIR
> status: NEED_KEY_PAIR
> status: NEED_KEY_PAIR
> status: NEED_CA
> status: NEED_KEY_PAIR
> status: NEED_CA
>
> On Tue, Sep 24, 2019 at 3:55 AM Florence Blanc-Renaud flo@redhat.com wrote:
>>
>> On 9/23/19 4:10 PM, Satish Patel via FreeIPA-users wrote:
>>> Thanks Florence,
>>>
>>> Is it safe to run "ipa-server-upgrade"?
>>>
>> Hi,
>> generally yes :)
>>
>> We had a few tickets related to upgrade but they are mainly revealing already present issues (for instance because this CLI stops and starts the services, expired certs would prevent successful completion).
>>
>>> Do I need to provide any option with the "ipa-server-upgrade" command? I believe a few months back when I tried to do "ipa-server-upgrade" it broke some stuff, but anyway I will take a snapshot of the VM and try, in the worst case scenario.
>> With the VM snapshot you are on the safe side.
>>
>> flo
>>
>>>
>>> On Mon, Sep 23, 2019 at 2:25 AM Florence Blanc-Renaud flo@redhat.com wrote:
>>>>
>>>> On 9/21/19 7:41 PM, Satish Patel via FreeIPA-users wrote:
>>>>> Any thought?
>>>> Hi,
>>>> if you run ipa-server-upgrade on this node, the command will fix the tracking of certs. You should see in the output:
>>>> [Update certmonger certificate renewal configuration]
>>>>
>>>> HTH,
>>>> flo
>>>>
>>>>>
>>>>> Sent from my iPhone
>>>>>
>>>>>> On Sep 20, 2019, at 11:35 AM, Satish Patel satish.txt@gmail.com wrote:
>>>>>>
>>>>>> Rob, sorry, I trimmed my output as I thought it was not necessary, but anyway here is the full list (ignore the CAPS letters in the output)
>>>>>>
>>>>>> [root@ldap-ca-master ~]# getcert list
>>>>>> Number of certificates and requests being tracked: 12.
>>>>>> Request ID '20190915042927':
>>>>>>     status: NEED_CA
>>>>>>     stuck: yes
>>>>>>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>     issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>     subject: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>     expires: 2037-01-05 14:47:24 UTC
>>>>>>     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>>>>     pre-save command:
>>>>>>     post-save command:
>>>>>>     track: yes
>>>>>>     auto-renew: yes
>>>>>> Request ID '20190915043150':
>>>>>>     status: NEED_CA
>>>>>>     stuck: yes
>>>>>>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>>>>>     issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>     subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
>>>>>>     expires: 2020-11-17 18:30:29 UTC
>>>>>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>     pre-save command:
>>>>>>     post-save command:
>>>>>>     track: yes
>>>>>>     auto-renew: yes
>>>>>> Request ID '20190915043212':
>>>>>>     status: NEED_CA
>>>>>>     stuck: yes
>>>>>>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>     issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>     subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>>>>>>     expires: 2020-11-17 18:31:26 UTC
>>>>>>     eku: id-kp-OCSPSigning
>>>>>>     pre-save command:
>>>>>>     post-save command:
>>>>>>     track: yes
>>>>>>     auto-renew: yes
>>>>>> Request ID '20190915043224':
>>>>>>     status: NEED_CA
>>>>>>     stuck: yes
>>>>>>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>     issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>     subject: CN=CA Audit,O=EXAMPLE.COM
>>>>>>     expires: 2020-11-17 18:32:07 UTC
>>>>>>     key usage: digitalSignature,nonRepudiation
>>>>>>     pre-save command:
>>>>>>     post-save command:
>>>>>>     track: yes
>>>>>>     auto-renew: yes
>>>>>> Request ID '20190915043237':
>>>>>>     status: NEED_CA
>>>>>>     stuck: yes
>>>>>>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>     issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>     subject: CN=CA Subsystem,O=EXAMPLE.COM
>>>>>>     expires: 2020-11-17 18:31:16 UTC
>>>>>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>     pre-save command:
>>>>>>     post-save command:
>>>>>>     track: yes
>>>>>>     auto-renew: yes
>>>>>> Request ID '20190915043246':
>>>>>>     status: NEED_KEY_PAIR
>>>>>>     stuck: no
>>>>>>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
>>>>>>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
>>>>>>     issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>     subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>     expires: 2037-12-31 23:59:59 UTC
>>>>>>     key usage: keyCertSign,cRLSign
>>>>>>     pre-save command:
>>>>>>     post-save command:
>>>>>>     track: yes
>>>>>>     auto-renew: yes
>>>>>> Request ID '20190915043304':
>>>>>>     status: NEED_KEY_PAIR
>>>>>>     stuck: no
>>>>>>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',pin set
>>>>>>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
>>>>>>     issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>     subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>     expires: 2031-05-03 07:00:00 UTC
>>>>>>     key usage: keyCertSign,cRLSign
>>>>>>     pre-save command:
>>>>>>     post-save command:
>>>>>>     track: yes
>>>>>>     auto-renew: yes
>>>>>> Request ID '20190915045112':
>>>>>>     status: NEED_KEY_PAIR
>>>>>>     stuck: no
>>>>>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',token='NSS Certificate DB'
>>>>>>     issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>     subject: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>     expires: 2037-01-05 14:47:24 UTC
>>>>>>     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>>>>     pre-save command:
>>>>>>     post-save command:
>>>>>>     track: yes
>>>>>>     auto-renew: yes
>>>>>> Request ID '20190915045148':
>>>>>>     status: NEED_KEY_PAIR
>>>>>>     stuck: no
>>>>>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS Certificate DB'
>>>>>>     issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>     subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>     expires: 2037-12-31 23:59:59 UTC
>>>>>>     key usage: keyCertSign,cRLSign
>>>>>>     pre-save command:
>>>>>>     post-save command:
>>>>>>     track: yes
>>>>>>     auto-renew: yes
>>>>>> Request ID '20190915045156':
>>>>>>     status: NEED_CA
>>>>>>     stuck: yes
>>>>>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
>>>>>>     issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>     subject: CN=Object Signing Cert,O=EXAMPLE.COM
>>>>>>     expires: 2021-01-05 14:49:59 UTC
>>>>>>     key usage: digitalSignature,keyCertSign
>>>>>>     pre-save command:
>>>>>>     post-save command:
>>>>>>     track: yes
>>>>>>     auto-renew: yes
>>>>>> Request ID '20190915045206':
>>>>>>     status: NEED_KEY_PAIR
>>>>>>     stuck: no
>>>>>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
>>>>>>     issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>     subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>     expires: 2031-05-03 07:00:00 UTC
>>>>>>     key usage: keyCertSign,cRLSign
>>>>>>     pre-save command:
>>>>>>     post-save command:
>>>>>>     track: yes
>>>>>>     auto-renew: yes
>>>>>> Request ID '20190915045216':
>>>>>>     status: NEED_CA
>>>>>>     stuck: yes
>>>>>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>>>>     issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>     subject: CN=IPA RA,O=EXAMPLE.COM
>>>>>>     expires: 2020-11-17 18:31:36 UTC
>>>>>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>     pre-save command:
>>>>>>     post-save command:
>>>>>>     track: yes
>>>>>>     auto-renew: yes
>>>>>>
>>>>>>> On Fri, Sep 20, 2019 at 10:58 AM Rob Crittenden rcritten@redhat.com wrote:
>>>>>>>
>>>>>>> Satish Patel via FreeIPA-users wrote:
>>>>>>>> A few days ago my Master CA was messed up and getcert list was showing an empty list (no cert to track)
>>>>>>>>
>>>>>>>> So I ran the following commands to add certs manually:
>>>>>>>>
>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'ocspSigningCert cert-pki-ca' -P XXXXXXX
>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca' -P XXXXXXX
>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -P XXXXXXX
>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy' -P XXXXXXX
>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy Intermediate' -P XXXXXXX
>>>>>>>>
>>>>>>>> And after that I am seeing this status (status: NEED_CA); it should be MONITORING, right?
>>>>>>>>
>>>>>>>> # getcert list
>>>>>>>> Number of certificates and requests being tracked: 12.
>>>>>>>
>>>>>>> You set up the tracking wrong. Your output only shows 3 certs and yet certmonger thinks it has 12. Where are the other 9?
>>>>>>>
>>>>>>> rob
>>>>> _______________________________________________
>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
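Rob's advice earlier in this thread is to check the current tracking and to separate the entries certmonger can actually renew (the CA subsystem certs, once they have a CA and renewal helpers) from the ones it never could (roots, intermediates, and certs the IPA CA no longer issues). The parser below is an added example, not code from the thread or from certmonger/FreeIPA: it reads `getcert list` output as certmonger prints it, gives a reason for every entry that is not healthy, and emits `getcert stop-tracking -i` commands only for entries that hold no private key at all. The sample output is constructed, modelled on three of the entries posted above.

```python
"""Parse `getcert list` output and flag entries certmonger cannot renew.

Added example. SAMPLE is constructed from three entries posted in the thread
(some fields dropped); the field names are the ones certmonger prints."""
import re

SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20190915043246':
    status: NEED_KEY_PAIR
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
    issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    expires: 2037-12-31 23:59:59 UTC
    post-save command:
Request ID '20190926141757':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=OCSP Subsystem,O=EXAMPLE.COM
    expires: 2020-11-17 18:31:26 UTC
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
Request ID '20190926141802':
    status: CA_UNCONFIGURED
    ca-error: Unable to determine principal name for signing request.
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
    CA: IPA
    issuer:
    expires: unknown
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
"""

ENTRY_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\s+([^:]+):\s*(.*)$")   # indented "<name>: <value>" line
NICK_RE = re.compile(r"nickname='([^']*)'")
LOC_RE = re.compile(r"location='([^']*)'")


def parse_getcert_list(text):
    """Return one dict per tracking request, keyed by certmonger's field names."""
    entries, cur = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            cur = {"request_id": m.group(1)}
            entries.append(cur)
            continue
        m = FIELD_RE.match(line)
        if cur is not None and m:
            cur[m.group(1).strip()] = m.group(2).strip()   # empty value stays ""
    return entries


def where(entry):
    """'<NSS db location>:<nickname>' of the tracked certificate."""
    cert = entry.get("certificate", "")
    loc, nick = LOC_RE.search(cert), NICK_RE.search(cert)
    return "%s:%s" % (loc.group(1) if loc else "?", nick.group(1) if nick else "?")


def diagnose(entry):
    """Why certmonger cannot renew this entry, or None when it is healthy."""
    status = entry.get("status", "")
    if status == "MONITORING" and entry.get("CA"):
        return None                      # has a CA and renewal helpers: fine
    if status == "NEED_KEY_PAIR":
        return "no private key for this nickname (a root/intermediate, nothing to renew)"
    if not entry.get("CA"):
        return "no CA configured, nothing to submit a renewal request to"
    if entry.get("ca-error"):
        return "CA helper error: " + entry["ca-error"]
    return "unexpected status " + status


def report(entries):
    """(request_id, location:nickname, reason) for every unhealthy entry."""
    rows = []
    for e in entries:
        reason = diagnose(e)
        if reason:
            rows.append((e["request_id"], where(e), reason))
    return rows


def stop_tracking_commands(entries):
    """Stop-tracking commands for entries with no private key: certmonger could
    never renew these, so tracking them only produces noise and stuck requests."""
    return ["getcert stop-tracking -i " + e["request_id"]
            for e in entries if e.get("status") == "NEED_KEY_PAIR"]


if __name__ == "__main__":
    for row in report(parse_getcert_list(SAMPLE)):
        print(*row, sep="  ")
    print("\n".join(stop_tracking_commands(parse_getcert_list(SAMPLE))))
```

Entries reported as "no CA configured" (the NEED_CA ones) deliberately get no stop-tracking command: for the CA subsystem certs the right fix, as this thread shows, is to let ipa-server-upgrade re-create the tracking with a CA and renewal helpers, and only the LDAP/web certs that are no longer IPA-issued should be dropped.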
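The state-file edit Rob describes above (remove the certificate_renewal_update_5 entry from the [dogtag] section of /var/lib/ipa/sysupgrade/sysupgrade.state so that ipa-server-upgrade re-runs that step) can be done with a small script instead of by hand. The code below is an added example, not from the thread or the FreeIPA project. It assumes the state file is INI-style as read by Python's configparser (one "<step> = True" line per completed step under a section), keeps a .bak copy before rewriting, and exercises the edit on a constructed copy in a temporary directory rather than on a live server.

```python
"""Remove one completed-step marker from an IPA sysupgrade state file.

Added example. Assumes sysupgrade.state is INI-style (configparser-readable);
demo() works on a constructed copy in a temp dir, never on /var/lib/ipa."""
import configparser
import os
import shutil
import tempfile

# Constructed sample; only certificate_renewal_update_5 is a key from the thread,
# the other step names are placeholders.
CONSTRUCTED_STATE = """\
[dogtag]
certificate_renewal_update_5 = True
some_other_step = True

[ds]
some_ds_step = True
"""


def _load(path):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep key case exactly as written
    with open(path) as fh:
        cp.read_file(fh)
    return cp


def remove_upgrade_marker(path, section, key):
    """Delete `key` from `section`, writing `<path>.bak` first.

    Returns True when the key was present and removed, False when there was
    nothing to do (the file is then left untouched)."""
    cp = _load(path)
    if not cp.has_option(section, key):      # also False when the section is missing
        return False
    shutil.copy2(path, path + ".bak")
    cp.remove_option(section, key)
    with open(path, "w") as fh:
        cp.write(fh)
    return True


def demo(workdir=None):
    """Apply the edit to a constructed state file and report what changed."""
    workdir = workdir or tempfile.mkdtemp(prefix="sysupgrade-demo-")
    path = os.path.join(workdir, "sysupgrade.state")
    with open(path, "w") as fh:
        fh.write(CONSTRUCTED_STATE)
    first = remove_upgrade_marker(path, "dogtag", "certificate_renewal_update_5")
    second = remove_upgrade_marker(path, "dogtag", "certificate_renewal_update_5")
    after = _load(path)
    return {
        "removed_first_time": first,
        "removed_second_time": second,
        "dogtag_keys_left": sorted(after.options("dogtag")),
        "ds_keys_left": sorted(after.options("ds")),
        "backup_written": os.path.exists(path + ".bak"),
    }


if __name__ == "__main__":
    print(demo())
```

On a real server the call would be remove_upgrade_marker("/var/lib/ipa/sysupgrade/sysupgrade.state", "dogtag", "certificate_renewal_update_5"), followed by ipa-server-upgrade as Rob describes; the return value tells you whether there was anything to remove.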
Satish Patel via FreeIPA-users wrote:
Rob,
Here are the web certs
[root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/httpd/alias -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Godaddy                                                      C,,
CN=*.foo.example.com,OU=Domain Control Validated             u,u,u
Signing-Cert                                                 u,u,u
Godaddy Intermediate                                         C,,
ipaCert                                                      u,u,u
Ok, good. Also using a Godaddy cert.
Here is the full output of getcert, and I can see some certs showing MONITORING
Ok. I've annotated each cert you should stop tracking. It looks like the CA subsystem certs are ok.
You will need to watch the Godaddy certs yourself and manually renew when the time comes. certmonger has no way to renew those.
To stop tracking these run: getcert stop-tracking -i <request_id>
[root@ldap-ca-master ~]# getcert list
Number of certificates and requests being tracked: 13.
Request ID '20190915043246':
    status: NEED_KEY_PAIR
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
    issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    expires: 2037-12-31 23:59:59 UTC
    key usage: keyCertSign,cRLSign
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
No need to track this one. You'd have no way of renewing it anyway.
Request ID '20190915043304':
    status: NEED_KEY_PAIR
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
    issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    expires: 2031-05-03 07:00:00 UTC
    key usage: keyCertSign,cRLSign
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
No need to track this one.
Request ID '20190915045112':
        status: NEED_KEY_PAIR
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',token='NSS Certificate DB'
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=Certificate Authority,O=EXAMPLE.COM
        expires: 2037-01-05 14:47:24 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
You don't need to track the CA cert here.
Request ID '20190915045148':
        status: NEED_KEY_PAIR
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS Certificate DB'
        issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
        subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
        expires: 2037-12-31 23:59:59 UTC
        key usage: keyCertSign,cRLSign
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Same, stop the tracking.
Request ID '20190915045156':
        status: NEED_CA
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=Object Signing Cert,O=EXAMPLE.COM
        expires: 2021-01-05 14:49:59 UTC
        key usage: digitalSignature,keyCertSign
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
This one too.
Request ID '20190915045206':
        status: NEED_KEY_PAIR
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
        issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
        subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
        expires: 2031-05-03 07:00:00 UTC
        key usage: keyCertSign,cRLSign
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
And this, stop tracking.
Request ID '20190926141756':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=CA Audit,O=EXAMPLE.COM
        expires: 2020-11-17 18:32:07 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190926141757':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=OCSP Subsystem,O=EXAMPLE.COM
        expires: 2020-11-17 18:31:26 UTC
        eku: id-kp-OCSPSigning
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190926141758':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=CA Subsystem,O=EXAMPLE.COM
        expires: 2020-11-17 18:31:16 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190926141759':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=Certificate Authority,O=EXAMPLE.COM
        expires: 2037-01-05 14:47:24 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190926141800':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=IPA RA,O=EXAMPLE.COM
        expires: 2020-11-17 18:31:36 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20190926141801':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
        expires: 2020-11-17 18:30:29 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190926141802':
        status: CA_UNCONFIGURED
        ca-error: Unable to determine principal name for signing request.
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
        track: yes
        auto-renew: yes
The tracking on this one is wrong and since you don't have Server-Cert anyway, just stop tracking this one.
rob
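Added example (not code from the thread, FreeIPA or certmonger): a Python triage script that parses the `getcert list` text format shown above and applies the rules from this reply: an entry with no `CA:` helper can never be renewed by certmonger, so it should be untracked and its expiry watched by hand; anything not in MONITORING needs its tracking repaired; the rest is healthy. The sample output embedded in it is constructed from entries in this thread, and the thread date stands in for "now" so the day counts are reproducible.

```python
"""Triage `getcert list` output and flag entries certmonger cannot renew.

Added example for this thread, not code from FreeIPA or certmonger; it parses
the plain-text format `getcert list` prints and sorts each request the way
the replies in the thread do.
"""
import re
from datetime import datetime, timezone

_REQ_RE = re.compile(r"^Request ID '(?P<rid>[^']+)':")
_KV_RE = re.compile(r"^\s+(?P<key>[^:]+):\s?(?P<val>.*)$")
_NICK_RE = re.compile(r"nickname='([^']*)'")

# Date of the thread, used as "now" so the constructed sample gives stable
# numbers; a real run would pass datetime.now(timezone.utc) instead.
THREAD_DATE = datetime(2019, 9, 26, tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Return one dict per 'Request ID' block, keyed by getcert's field names."""
    entries, cur = [], None
    for line in text.splitlines():
        m = _REQ_RE.match(line)
        if m:
            cur = {"request_id": m.group("rid")}
            entries.append(cur)
            continue
        m = _KV_RE.match(line)          # indented "key: value" lines only
        if m and cur is not None:
            cur[m.group("key").strip()] = m.group("val").strip()
    return entries


def days_until_expiry(entry, now):
    """Days left on the cert, or None when getcert reports 'unknown'."""
    exp = entry.get("expires", "unknown")
    if exp == "unknown":
        return None
    when = datetime.strptime(exp.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
    return (when.replace(tzinfo=timezone.utc) - now).days


def classify(entry):
    """Map one entry to (category, note) using the rules from the thread."""
    if not entry.get("CA"):
        # certmonger renews only through a CA helper: a tracked cert with no
        # 'CA:' line (GoDaddy root/intermediate, a copy of the IPA CA cert)
        # will never renew, whatever its status says.
        if entry.get("issuer") and entry.get("issuer") == entry.get("subject"):
            return "no-ca", "self-signed CA certificate; nothing to renew, stop tracking"
        return "no-ca", "no CA helper; stop tracking and renew by hand before expiry"
    status = entry.get("status", "")
    if status != "MONITORING":
        note = f"status {status}, stuck={entry.get('stuck', '?')}"
        if entry.get("ca-error"):
            note += "; ca-error: " + entry["ca-error"]
        return "needs-repair", note
    return "ok", "renews via " + entry["CA"]


def triage(text, now=THREAD_DATE):
    """Parse getcert output and return one summary row per tracked request."""
    rows = []
    for e in parse_getcert_list(text):
        cat, note = classify(e)
        m = _NICK_RE.search(e.get("certificate", ""))
        rows.append({"request_id": e["request_id"], "status": e.get("status", ""),
                     "nickname": m.group(1) if m else "?", "category": cat,
                     "days_left": days_until_expiry(e, now), "note": note})
    return rows


# Constructed sample: three entries modelled on the ones shown in the thread.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20190926141756':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=CA Audit,O=EXAMPLE.COM
        expires: 2020-11-17 18:32:07 UTC
Request ID '20190915043246':
        status: NEED_KEY_PAIR
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
        issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
        subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
        expires: 2037-12-31 23:59:59 UTC
Request ID '20190926141802':
        status: CA_UNCONFIGURED
        ca-error: Unable to determine principal name for signing request.
        stuck: yes
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
        CA: IPA
        issuer:
        subject:
        expires: unknown
"""

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f"{r['request_id']}  {r['category']:<12} {r['nickname']:<30} "
              f"days_left={r['days_left']}  {r['note']}")
```

On a live server, feed it `getcert list` output and pass the current time as `now`.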
On Thu, Sep 26, 2019 at 10:31 AM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel wrote:
Addition to last email:
I can't see Server-Cert here, but interestingly I can see Server-Cert on my CA replica node on ldap-2 (why is my primary ldap-ca-master not showing that cert?)
[root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Godaddy                                                      C,,
CN=*.foo.example.com,OU=Domain Control Validated             u,u,u
Godaddy Intermediate                                         C,,
At some point someone replaced the IPA-signed LDAP certificate with one signed by GoDaddy (which is fine).
It appears that the version of IPA you're using (at least) doesn't handle this case.
Now, fortunately it's one of the last things done so this may be just fine.
Can you see if your web server cert was also replaced? The database is /etc/httpd/alias.
Also, check your current tracking. The CA subsystem certs should be properly tracked now. It is just the LDAP and web certs that should not be (and if it is still using GoDaddy that is fine).
rob
On Thu, Sep 26, 2019 at 10:22 AM Satish Patel satish.txt@gmail.com wrote:
Rob,
Now I got an error. Here is the output; it was very long so I cropped it down, and here is the error piece.
ipa: INFO: [Upgrading CA schema]
ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket from SchemaCache
ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x85bbf80>
ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file /usr/share/pki/server/conf/schema-certProfile.ldif
ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file /usr/share/pki/server/conf/schema-authority.ldif
ipa.ipaserver.install.schemaupdate: DEBUG: Not updating schema
ipa: INFO: CA schema update complete (no changes)
ipa: INFO: [Verifying that CA audit signing cert has 2 year validity]
ipa.ipaserver.install.cainstance.CAInstance: DEBUG: caSignedLogCert.cfg profile validity range is 720
ipa: INFO: [Update certmonger certificate renewal configuration to version 5]
ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
ipa: DEBUG: Configuring certmonger to stop tracking system certificates for CA
Configuring certmonger to stop tracking system certificates for CA
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start messagebus.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl stop certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl enable certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start messagebus.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM -L -n Server-Cert -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1863, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1769, in upgrade_configuration
    certificate_renewal_update(ca, ds, http),
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1027, in certificate_renewal_update
    ds.start_tracking_certificates(serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 983, in start_tracking_certificates
    'restart_dirsrv %s' % serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 307, in track_server_cert
    nsscert = x509.load_certificate(cert, dbdir=self.secdir)
  File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 125, in load_certificate
    return nss.Certificate(buffer(data))  # pylint: disable=buffer-builtin
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The ipa-server-upgrade command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: Unexpected error - see /var/log/ipaupgrade.log for details: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
On Thu, Sep 26, 2019 at 9:39 AM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel wrote:
I am running "ipa-server-4.4.0-14.el7.centos.4.x86_64"
Ok, that explains what is happening.
Edit /var/lib/ipa/sysupgrade/sysupgrade.state and find the [dogtag] section. Remove the entry for certificate_renewal_update_5.
This being present is preventing the tracking to be repaired.
Then run ipa-server-upgrade again and your tracking should be fixed.
Use the -v flag for additional debugging, not --debug, I was mistaken.
rob
On Wed, Sep 25, 2019 at 5:13 PM Rob Crittenden rcritten@redhat.com wrote:
>
> Satish Patel via FreeIPA-users wrote:
>> I did run "ipa-server-upgrade" and it looks like it was successful, but
>> getcert list is still showing CA_NEED :(
>
> Remind me what the package version of IPA is. I'm confused by the
> version 5 in the output about renewal configuration.
>
> You might also want to try running with --debug as depending on release
> it will give more information about this.
>
> rob
>
>> [root@ldap-ca-master ~]# ipa-server-upgrade
>> Upgrading IPA:
>>   [1/10]: stopping directory server
>>   [2/10]: saving configuration
>>   [3/10]: disabling listeners
>>   [4/10]: enabling DS global lock
>>   [5/10]: starting directory server
>>   [6/10]: updating schema
>>   [7/10]: upgrading server
>>   [8/10]: stopping directory server
>>   [9/10]: restoring configuration
>>   [10/10]: starting directory server
>> Done.
>> Update complete
>> Upgrading IPA services
>> Upgrading the configuration of the IPA services
>> [Verifying that root certificate is published]
>> [Migrate CRL publish directory]
>> CRL tree already moved
>> /etc/dirsrv/slapd-EXAMPLE-COM/certmap.conf is now managed by IPA. It
>> will be overwritten. A backup of the original will be made.
>> [Verifying that CA proxy configuration is correct]
>> [Verifying that KDC configuration is using ipa-kdb backend]
>> [Fix DS schema file syntax]
>> Syntax already fixed
>> [Removing RA cert from DS NSS database]
>> RA cert already removed
>> [Enable sidgen and extdom plugins by default]
>> [Updating HTTPD service IPA configuration]
>> [Updating mod_nss protocol versions]
>> Protocol versions already updated
>> [Updating mod_nss cipher suite]
>> [Fixing trust flags in /etc/httpd/alias]
>> Trust flags already processed
>> [Exporting KRA agent PEM file]
>> KRA is not enabled
>> [Removing self-signed CA]
>> [Removing Dogtag 9 CA]
>> [Checking for deprecated KDC configuration files]
>> [Checking for deprecated backups of Samba configuration files]
>> [Setting up Firefox extension]
>> [Add missing CA DNS records]
>> IPA CA DNS records already processed
>> [Removing deprecated DNS configuration options]
>> DNS is not configured
>> [Ensuring minimal number of connections]
>> DNS is not configured
>> [Enabling serial autoincrement in DNS]
>> DNS is not configured
>> [Updating GSSAPI configuration in DNS]
>> DNS is not configured
>> [Updating pid-file configuration in DNS]
>> DNS is not configured
>> DNS is not configured
>> DNS is not configured
>> DNS is not configured
>> DNS is not configured
>> DNS is not configured
>> DNS is not configured
>> DNS is not configured
>> DNS is not configured
>> [Upgrading CA schema]
>> CA schema update complete (no changes)
>> [Verifying that CA audit signing cert has 2 year validity]
>> [Update certmonger certificate renewal configuration to version 5]
>> [Enable PKIX certificate path discovery and validation]
>> PKIX already enabled
>> [Authorizing RA Agent to modify profiles]
>> [Authorizing RA Agent to manage lightweight CAs]
>> [Ensuring Lightweight CAs container exists in Dogtag database]
>> [Adding default OCSP URI configuration]
>> [Ensuring CA is using LDAPProfileSubsystem]
>> [Migrating certificate profiles to LDAP]
>> [Ensuring presence of included profiles]
>> [Add default CA ACL]
>> Default CA ACL already added
>> [Set up lightweight CA key retrieval]
>> Creating principal
>> Retrieving keytab
>> Creating Custodia keys
>> Configuring key retriever
>> The IPA services were upgraded
>> The ipa-server-upgrade command was successful
>>
>> [root@ldap-ca-master ~]# getcert list | grep status
>>         status: NEED_CA
>>         status: NEED_CA
>>         status: NEED_CA
>>         status: NEED_CA
>>         status: NEED_CA
>>         status: NEED_KEY_PAIR
>>         status: NEED_KEY_PAIR
>>         status: NEED_KEY_PAIR
>>         status: NEED_KEY_PAIR
>>         status: NEED_CA
>>         status: NEED_KEY_PAIR
>>         status: NEED_CA
>>
>> On Tue, Sep 24, 2019 at 3:55 AM Florence Blanc-Renaud flo@redhat.com wrote:
>>>
>>> On 9/23/19 4:10 PM, Satish Patel via FreeIPA-users wrote:
>>>> Thanks Florence,
>>>>
>>>> Is it safe to run "ipa-server-upgrade"?
>>>>
>>> Hi,
>>> generally yes :)
>>>
>>> We had a few tickets related to upgrade but they are mainly revealing
>>> already present issues (for instance because this CLI stops and starts
>>> the services, expired certs would prevent successful completion).
>>>
>>>> Do I need to provide any option with the "ipa-server-upgrade" command? I
>>>> believe a few months back when I tried to do "ipa-server-upgrade" it
>>>> broke some stuff, but anyway I will take a snapshot of the VM and try;
>>>> worst-case scenario.
>>> With the VM snapshot you are on the safe side.
>>>
>>> flo
>>>
>>>> On Mon, Sep 23, 2019 at 2:25 AM Florence Blanc-Renaud flo@redhat.com wrote:
>>>>>
>>>>> On 9/21/19 7:41 PM, Satish Patel via FreeIPA-users wrote:
>>>>>> Any thoughts?
>>>>> Hi,
>>>>> if you run ipa-server-upgrade on this node, the command will fix the
>>>>> tracking of certs. You should see in the output;
>>>>> [Update certmonger certificate renewal configuration]
>>>>>
>>>>> HTH,
>>>>> flo
>>>>>
>>>>>> Sent from my iPhone
>>>>>>
>>>>>>> On Sep 20, 2019, at 11:35 AM, Satish Patel satish.txt@gmail.com wrote:
>>>>>>>
>>>>>>> Rob, sorry, I trimmed my output thinking it was not necessary, but anyway here is
>>>>>>> the full list (ignore the CAPS letters in the output)
>>>>>>>
>>>>>>> [root@ldap-ca-master ~]# getcert list
>>>>>>> Number of certificates and requests being tracked: 12.
>>>>>>> Request ID '20190915042927':
>>>>>>>         status: NEED_CA
>>>>>>>         stuck: yes
>>>>>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>         subject: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>         expires: 2037-01-05 14:47:24 UTC
>>>>>>>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>>>>>         pre-save command:
>>>>>>>         post-save command:
>>>>>>>         track: yes
>>>>>>>         auto-renew: yes
>>>>>>> Request ID '20190915043150':
>>>>>>>         status: NEED_CA
>>>>>>>         stuck: yes
>>>>>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>         subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
>>>>>>>         expires: 2020-11-17 18:30:29 UTC
>>>>>>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>         pre-save command:
>>>>>>>         post-save command:
>>>>>>>         track: yes
>>>>>>>         auto-renew: yes
>>>>>>> Request ID '20190915043212':
>>>>>>>         status: NEED_CA
>>>>>>>         stuck: yes
>>>>>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>         subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>>>>>>>         expires: 2020-11-17 18:31:26 UTC
>>>>>>>         eku: id-kp-OCSPSigning
>>>>>>>         pre-save command:
>>>>>>>         post-save command:
>>>>>>>         track: yes
>>>>>>>         auto-renew: yes
>>>>>>> Request ID '20190915043224':
>>>>>>>         status: NEED_CA
>>>>>>>         stuck: yes
>>>>>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>         subject: CN=CA Audit,O=EXAMPLE.COM
>>>>>>>         expires: 2020-11-17 18:32:07 UTC
>>>>>>>         key usage: digitalSignature,nonRepudiation
>>>>>>>         pre-save command:
>>>>>>>         post-save command:
>>>>>>>         track: yes
>>>>>>>         auto-renew: yes
>>>>>>> Request ID '20190915043237':
>>>>>>>         status: NEED_CA
>>>>>>>         stuck: yes
>>>>>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>         subject: CN=CA Subsystem,O=EXAMPLE.COM
>>>>>>>         expires: 2020-11-17 18:31:16 UTC
>>>>>>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>         pre-save command:
>>>>>>>         post-save command:
>>>>>>>         track: yes
>>>>>>>         auto-renew: yes
>>>>>>> Request ID '20190915043246':
>>>>>>>         status: NEED_KEY_PAIR
>>>>>>>         stuck: no
>>>>>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
>>>>>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
>>>>>>>         issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>         subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>         expires: 2037-12-31 23:59:59 UTC
>>>>>>>         key usage: keyCertSign,cRLSign
>>>>>>>         pre-save command:
>>>>>>>         post-save command:
>>>>>>>         track: yes
>>>>>>>         auto-renew: yes
>>>>>>> Request ID '20190915043304':
>>>>>>>         status: NEED_KEY_PAIR
>>>>>>>         stuck: no
>>>>>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',pin set
>>>>>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
>>>>>>>         issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>         subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>         expires: 2031-05-03 07:00:00 UTC
>>>>>>>         key usage: keyCertSign,cRLSign
>>>>>>>         pre-save command:
>>>>>>>         post-save command:
>>>>>>>         track: yes
>>>>>>>         auto-renew: yes
>>>>>>> Request ID '20190915045112':
>>>>>>>         status: NEED_KEY_PAIR
>>>>>>>         stuck: no
>>>>>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',token='NSS Certificate DB'
>>>>>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>         subject: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>         expires: 2037-01-05 14:47:24 UTC
>>>>>>>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>>>>>         pre-save command:
>>>>>>>         post-save command:
>>>>>>>         track: yes
>>>>>>>         auto-renew: yes
>>>>>>> Request ID '20190915045148':
>>>>>>>         status: NEED_KEY_PAIR
>>>>>>>         stuck: no
>>>>>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS Certificate DB'
>>>>>>>         issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>         subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>         expires: 2037-12-31 23:59:59 UTC
>>>>>>>         key usage: keyCertSign,cRLSign
>>>>>>>         pre-save command:
>>>>>>>         post-save command:
>>>>>>>         track: yes
>>>>>>>         auto-renew: yes
>>>>>>> Request ID '20190915045156':
>>>>>>>         status: NEED_CA
>>>>>>>         stuck: yes
>>>>>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
>>>>>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>         subject: CN=Object Signing Cert,O=EXAMPLE.COM
>>>>>>>         expires: 2021-01-05 14:49:59 UTC
>>>>>>>         key usage: digitalSignature,keyCertSign
>>>>>>>         pre-save command:
>>>>>>>         post-save command:
>>>>>>>         track: yes
>>>>>>>         auto-renew: yes
>>>>>>> Request ID '20190915045206':
>>>>>>>         status: NEED_KEY_PAIR
>>>>>>>         stuck: no
>>>>>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
>>>>>>>         issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>         subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>         expires: 2031-05-03 07:00:00 UTC
>>>>>>>         key usage: keyCertSign,cRLSign
>>>>>>>         pre-save command:
>>>>>>>         post-save command:
>>>>>>>         track: yes
>>>>>>>         auto-renew: yes
>>>>>>> Request ID '20190915045216':
>>>>>>>         status: NEED_CA
>>>>>>>         stuck: yes
>>>>>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>>>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>         subject: CN=IPA RA,O=EXAMPLE.COM
>>>>>>>         expires: 2020-11-17 18:31:36 UTC
>>>>>>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>         pre-save command:
>>>>>>>         post-save command:
>>>>>>>         track: yes
>>>>>>>         auto-renew: yes
>>>>>>>
>>>>>>>> On Fri, Sep 20, 2019 at 10:58 AM Rob Crittenden rcritten@redhat.com wrote:
>>>>>>>>
>>>>>>>> Satish Patel via FreeIPA-users wrote:
>>>>>>>>> A few days ago my Master CA was messed up and getcert list was showing
>>>>>>>>> an empty list (no cert to track)
>>>>>>>>>
>>>>>>>>> So I ran the following commands to add certs manually:
>>>>>>>>>
>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'ocspSigningCert cert-pki-ca' -P XXXXXXX
>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca' -P XXXXXXX
>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -P XXXXXXX
>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy' -P XXXXXXX
>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy Intermediate' -P XXXXXXX
>>>>>>>>>
>>>>>>>>> And after that I am seeing this status (status: NEED_CA); it should
>>>>>>>>> be MONITORING, right?
>>>>>>>>>
>>>>>>>>> # getcert list
>>>>>>>>> Number of certificates and requests being tracked: 12.
>>>>>>>>
>>>>>>>> You setup the tracking wrong. Your output only shows 3 certs and yet
>>>>>>>> certmonger thinks it has 12. Where are the other 9?
>>>>>>>>
>>>>>>>> rob
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Rob,
I got your point and I will remove all Godaddy certs, but I wanted to say one thing: if I look into the ldap-ca-replica server, which is the other server, I can see Server-Cert. Is there a way I can sync all these replica certs with the master and fix them?
This is the replica node output; it looks like the replica is very clean.
[root@ldap-ca-replica ~]# getcert list
Number of certificates and requests being tracked: 10.
Request ID '20190918205044': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host',token='NSS Certificate DB',pinfile='/etc/ipa/nssdb/pwdfile.txt' certificate: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM expires: 2021-09-18 20:50:45 UTC dns: ldap-ca-replica.foo.EXAMPLE.com principal name: host/ldap-ca-replica.foo.EXAMPLE.com@EXAMPLE.COM key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes
Request ID '20190918205212': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM expires: 2021-09-18 20:52:12 UTC dns: ldap-ca-replica.foo.EXAMPLE.com principal name: ldap/ldap-ca-replica.foo.EXAMPLE.com@EXAMPLE.COM key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM track: yes auto-renew: yes
Request ID '20190918205232': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM expires: 2021-09-18 20:52:32 UTC dns: ldap-ca-replica.foo.EXAMPLE.com principal name: HTTP/ldap-ca-replica.foo.EXAMPLE.com@EXAMPLE.COM key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_httpd track: yes auto-renew: yes
Request ID '20190918205418': status: MONITORING stuck: no key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key' certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: CN=IPA RA,O=EXAMPLE.COM expires: 2020-11-17 18:31:36 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes
Request ID '20190918205431': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: CN=CA Audit,O=EXAMPLE.COM expires: 2020-11-17 18:32:07 UTC key usage: digitalSignature,nonRepudiation pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes
Request ID '20190918205432': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: CN=OCSP Subsystem,O=EXAMPLE.COM expires: 2020-11-17 18:31:26 UTC eku: id-kp-OCSPSigning pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes auto-renew: yes
Request ID '20190918205433': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: CN=CA Subsystem,O=EXAMPLE.COM expires: 2020-11-17 18:31:16 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" track: yes auto-renew: yes
Request ID '20190918205434': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: CN=Certificate Authority,O=EXAMPLE.COM expires: 2037-01-05 14:47:24 UTC key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" track: yes auto-renew: yes
Request ID '20190918205435': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM expires: 2021-09-07 20:54:00 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" track: yes auto-renew: yes
Request ID '20190918210008': status: MONITORING stuck: no key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key' certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' CA: SelfSign issuer: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM expires: 2020-09-18 21:00:08 UTC principal name: krbtgt/EXAMPLE.COM@EXAMPLE.COM certificate template/profile: KDCs_PKINIT_Certs pre-save command: post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert track: yes auto-renew: yes
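Added example, not code from this thread nor from FreeIPA or certmonger: a small Python triage script that parses the text `getcert list` prints and applies the rule the replies below rely on, that a request with no `CA:` line has no renewal helper, so certmonger can never renew it and the only sensible action is `getcert stop-tracking -i <id>`. The sample output is constructed here to mirror three shapes seen in this thread (a healthy IPA-issued cert, an externally issued CA cert tracked with no CA, and a request whose CA is set but whose tracking is broken); the function names and the `--live` flag are my own.

```python
"""Triage `getcert list` output: which tracking requests certmonger can
actually renew, and which should be dropped with `getcert stop-tracking`.

Added example for this thread, not FreeIPA or certmonger code. It parses the
text `getcert list` prints ("Request ID '...':" followed by indented
"field: value" lines). A request with no "CA:" line has no renewal helper,
so certmonger can never renew it, whatever its status says.
"""
import re
import subprocess
import sys

# Constructed sample (not captured from a real host); field set trimmed.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20190918205212':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
\texpires: 2021-09-18 20:52:12 UTC
\tpost-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
Request ID '20190915043246':
\tstatus: NEED_KEY_PAIR
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
\tsubject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
\texpires: 2037-12-31 23:59:59 UTC
Request ID '20190926141802':
\tstatus: CA_UNCONFIGURED
\tca-error: Unable to determine principal name for signing request.
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
\tCA: IPA
\tissuer:
\tsubject:
\texpires: unknown
"""

REQ_RE = re.compile(r"^Request ID '([^']+)':\s*$")
NICK_RE = re.compile(r"nickname='([^']*)'")
LOC_RE = re.compile(r"location='([^']*)'")


def parse_getcert_list(text):
    """Return one dict of field -> value per request, in output order."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only; values such as timestamps
            # and "ldapi://" URLs contain colons of their own.
            field, _, value = line.strip().partition(":")
            current[field] = value.strip()
    return requests


def nickname(req):
    """(nickname, NSS database or file location) of the tracked certificate."""
    cert = req.get("certificate", "")
    nick, loc = NICK_RE.search(cert), LOC_RE.search(cert)
    return (nick.group(1) if nick else "", loc.group(1) if loc else "")


def triage(requests):
    """Sort request ids into buckets.

    ok     : MONITORING, not stuck, and a CA helper is configured
    no_ca  : no "CA:" line; certmonger has nothing to renew it with
    broken : a CA is configured but the request is stuck or not MONITORING,
             so the tracking itself needs repair (or removal, when the
             certificate no longer exists in the database)
    """
    buckets = {"ok": [], "no_ca": [], "broken": []}
    for req in requests:
        if "CA" not in req:
            buckets["no_ca"].append(req["id"])
        elif req.get("status") == "MONITORING" and req.get("stuck") == "no":
            buckets["ok"].append(req["id"])
        else:
            buckets["broken"].append(req["id"])
    return buckets


def stop_tracking_commands(requests):
    """Commands that drop the requests certmonger can never renew."""
    return ["getcert stop-tracking -i " + rid for rid in triage(requests)["no_ca"]]


if __name__ == "__main__":
    # Run against the constructed sample, or against the live daemon (as root).
    if "--live" in sys.argv:
        text = subprocess.run(["getcert", "list"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE
    reqs = parse_getcert_list(text)
    for req in reqs:
        print(req["id"], req.get("status"), "stuck=" + req.get("stuck", "?"),
              "CA=" + req.get("CA", "<none>"), nickname(req))
    for cmd in stop_tracking_commands(reqs):
        print(cmd)
```

The "broken" bucket is deliberately not turned into stop-tracking commands: a request with a CA but a bad status (like the dirsrv Server-Cert with CA_UNCONFIGURED) may need its tracking repaired rather than removed, which is a decision for the operator, not a script.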
On Thu, Sep 26, 2019 at 1:35 PM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel via FreeIPA-users wrote:
Rob,
Here is the web certs
[root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/httpd/alias -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Godaddy                                                      C,,
CN=*.foo.example.com,OU=Domain Control Validated             u,u,u
Signing-Cert                                                 u,u,u
Godaddy Intermediate                                         C,,
ipaCert                                                      u,u,u
Ok, good. Also using a Godaddy cert.
Here is the full output of getcert, and I can see some certs showing MONITORING.
Ok. I've annotated each cert you should stop tracking. It looks like the CA subsystem certs are ok.
You will need to watch the Godaddy certs yourself and manually renew when the time comes. certmonger has no way to renew those.
To stop tracking these run: getcert stop-tracking -i <request_id>
[root@ldap-ca-master ~]# getcert list
Number of certificates and requests being tracked: 13.
Request ID '20190915043246': status: NEED_KEY_PAIR stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB' issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US expires: 2037-12-31 23:59:59 UTC key usage: keyCertSign,cRLSign pre-save command: post-save command: track: yes auto-renew: yes
No need to track this one. You'd have no way of renewing it anyway.
Request ID '20190915043304': status: NEED_KEY_PAIR stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB' issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US expires: 2031-05-03 07:00:00 UTC key usage: keyCertSign,cRLSign pre-save command: post-save command: track: yes auto-renew: yes
No need to track this one.
Request ID '20190915045112': status: NEED_KEY_PAIR stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',token='NSS Certificate DB' issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: CN=Certificate Authority,O=EXAMPLE.COM expires: 2037-01-05 14:47:24 UTC key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign pre-save command: post-save command: track: yes auto-renew: yes
You don't need to track the CA cert here.
Request ID '20190915045148': status: NEED_KEY_PAIR stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS Certificate DB' issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US expires: 2037-12-31 23:59:59 UTC key usage: keyCertSign,cRLSign pre-save command: post-save command: track: yes auto-renew: yes
Same, stop the tracking.
Request ID '20190915045156': status: NEED_CA stuck: yes key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB' issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: CN=Object Signing Cert,O=EXAMPLE.COM expires: 2021-01-05 14:49:59 UTC key usage: digitalSignature,keyCertSign pre-save command: post-save command: track: yes auto-renew: yes
This one too.
Request ID '20190915045206': status: NEED_KEY_PAIR stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB' issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US expires: 2031-05-03 07:00:00 UTC key usage: keyCertSign,cRLSign pre-save command: post-save command: track: yes auto-renew: yes
And this, stop tracking.
Request ID '20190926141756': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: CN=CA Audit,O=EXAMPLE.COM expires: 2020-11-17 18:32:07 UTC key usage: digitalSignature,nonRepudiation pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes
Request ID '20190926141757': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: CN=OCSP Subsystem,O=EXAMPLE.COM expires: 2020-11-17 18:31:26 UTC eku: id-kp-OCSPSigning pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes auto-renew: yes
Request ID '20190926141758': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: CN=CA Subsystem,O=EXAMPLE.COM expires: 2020-11-17 18:31:16 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" track: yes auto-renew: yes
Request ID '20190926141759': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: CN=Certificate Authority,O=EXAMPLE.COM expires: 2037-01-05 14:47:24 UTC key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" track: yes auto-renew: yes
Request ID '20190926141800': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: CN=IPA RA,O=EXAMPLE.COM expires: 2020-11-17 18:31:36 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes
Request ID '20190926141801': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM expires: 2020-11-17 18:30:29 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" track: yes auto-renew: yes
Request ID '20190926141802': status: CA_UNCONFIGURED ca-error: Unable to determine principal name for signing request. stuck: yes key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert' CA: IPA issuer: subject: expires: unknown pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM track: yes auto-renew: yes
The tracking on this one is wrong and since you don't have Server-Cert anyway, just stop tracking this one.
rob
On Thu, Sep 26, 2019 at 10:31 AM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel wrote:
Addition to last email:
I can't see Server-Cert here, but the interesting thing is I can see Server-Cert in my CA replica node on ldap-2 (why is my primary ldap-ca-master not showing that cert?)
[root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Godaddy                                                      C,,
CN=*.foo.example.com,OU=Domain Control Validated             u,u,u
Godaddy Intermediate                                         C,,
At some point someone replaced the IPA-signed LDAP certificate with one signed by GoDaddy (which is fine).
It appears that the version of IPA you're using (at least) doesn't handle this case.
Now, fortunately it's one of the last things done so this may be just fine.
Can you see if your web server cert was also replaced? The database is /etc/httpd/alias.
Also, check your current tracking. The CA subsystem certs should be properly tracked now. It is just the LDAP and web certs that should not be (and if it is still using GoDaddy that is fine).
rob
On Thu, Sep 26, 2019 at 10:22 AM Satish Patel satish.txt@gmail.com wrote:
Rob,
Now I got an error and here is the output. The output was very long so I cropped it down; here is the error piece.
ipa: INFO: [Upgrading CA schema]
ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket from SchemaCache
ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x85bbf80>
ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file /usr/share/pki/server/conf/schema-certProfile.ldif
ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file /usr/share/pki/server/conf/schema-authority.ldif
ipa.ipaserver.install.schemaupdate: DEBUG: Not updating schema
ipa: INFO: CA schema update complete (no changes)
ipa: INFO: [Verifying that CA audit signing cert has 2 year validity]
ipa.ipaserver.install.cainstance.CAInstance: DEBUG: caSignedLogCert.cfg profile validity range is 720
ipa: INFO: [Update certmonger certificate renewal configuration to version 5]
ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
ipa: DEBUG: Configuring certmonger to stop tracking system certificates for CA
Configuring certmonger to stop tracking system certificates for CA
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start messagebus.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl stop certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl enable certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start messagebus.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM -L -n Server-Cert -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1863, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1769, in upgrade_configuration
    certificate_renewal_update(ca, ds, http),
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1027, in certificate_renewal_update
    ds.start_tracking_certificates(serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 983, in start_tracking_certificates
    'restart_dirsrv %s' % serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 307, in track_server_cert
    nsscert = x509.load_certificate(cert, dbdir=self.secdir)
  File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 125, in load_certificate
    return nss.Certificate(buffer(data)) # pylint: disable=buffer-builtin
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The ipa-server-upgrade command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: Unexpected error - see /var/log/ipaupgrade.log for details: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
On Thu, Sep 26, 2019 at 9:39 AM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel wrote:
I am running "ipa-server-4.4.0-14.el7.centos.4.x86_64"
Ok, that explains what is happening.
Edit /var/lib/ipa/sysupgrade/sysupgrade.state and find the [dogtag] section. Remove the entry for certificate_renewal_update_5.
This being present is preventing the tracking to be repaired.
Then run ipa-server-upgrade again and your tracking should be fixed.
Use the -v flag for additional debugging, not --debug, I was mistaken.
rob
On Wed, Sep 25, 2019 at 5:13 PM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel via FreeIPA-users wrote:
I did run "ipa-server-upgrade" and it looks like it was successful, but getcert list is still showing CA_NEED :(
Remind me what the package version of IPA is. I'm confused by the version 5 in the output about renewal configuration.
You might also want to try running with --debug as depending on release it will give more information about this.
rob
[root@ldap-ca-master ~]# ipa-server-upgrade
Upgrading IPA:
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: starting directory server
  [6/10]: updating schema
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
/etc/dirsrv/slapd-EXAMPLE-COM/certmap.conf is now managed by IPA. It will be overwritten. A backup of the original will be made.
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating mod_nss protocol versions]
Protocol versions already updated
[Updating mod_nss cipher suite]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Exporting KRA agent PEM file]
KRA is not enabled
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
DNS is not configured
[Ensuring minimal number of connections]
DNS is not configured
[Enabling serial autoincrement in DNS]
DNS is not configured
[Updating GSSAPI configuration in DNS]
DNS is not configured
[Updating pid-file configuration in DNS]
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
DNS is not configured
[Upgrading CA schema]
CA schema update complete (no changes)
[Verifying that CA audit signing cert has 2 year validity]
[Update certmonger certificate renewal configuration to version 5]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
[Ensuring presence of included profiles]
[Add default CA ACL]
Default CA ACL already added
[Set up lightweight CA key retrieval]
Creating principal
Retrieving keytab
Creating Custodia keys
Configuring key retriever
The IPA services were upgraded
The ipa-server-upgrade command was successful

[root@ldap-ca-master ~]# getcert list | grep status
status: NEED_CA
status: NEED_CA
status: NEED_CA
status: NEED_CA
status: NEED_CA
status: NEED_KEY_PAIR
status: NEED_KEY_PAIR
status: NEED_KEY_PAIR
status: NEED_KEY_PAIR
status: NEED_CA
status: NEED_KEY_PAIR
status: NEED_CA
On Tue, Sep 24, 2019 at 3:55 AM Florence Blanc-Renaud flo@redhat.com wrote:
On 9/23/19 4:10 PM, Satish Patel via FreeIPA-users wrote:
Thanks Florence,
Is it safe to run "ipa-server-upgrade"?
Hi,
generally yes :)
We had a few tickets related to upgrade but they are mainly revealing already present issues (for instance because this CLI stops and starts the services, expired certs would prevent successful completion).
Do I need to provide any option with the "ipa-server-upgrade" command? I believe a few months back when I tried to do "ipa-server-upgrade" it broke some stuff, but anyway I will take a snapshot of the VM and try, for the worst-case scenario.
With the VM snapshot you are on the safe side.
flo
On Mon, Sep 23, 2019 at 2:25 AM Florence Blanc-Renaud flo@redhat.com wrote:
On 9/21/19 7:41 PM, Satish Patel via FreeIPA-users wrote:
Any thoughts?
Hi,
if you run ipa-server-upgrade on this node, the command will fix the tracking of certs. You should see in the output:
[Update certmonger certificate renewal configuration]
HTH,
flo
Sent from my iPhone
On Sep 20, 2019, at 11:35 AM, Satish Patel satish.txt@gmail.com wrote:
Rob, sorry, I trimmed my output because I thought it was not necessary, but anyway here is the full list (ignore the CAPS letters in the output)
[root@ldap-ca-master ~]# getcert list
Number of certificates and requests being tracked: 12.
Request ID '20190915042927': status: NEED_CA stuck: yes key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: CN=Certificate Authority,O=EXAMPLE.COM expires: 2037-01-05 14:47:24 UTC key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign pre-save command: post-save command: track: yes auto-renew: yes
Request ID '20190915043150': status: NEED_CA stuck: yes key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM expires: 2020-11-17 18:30:29 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes
Request ID '20190915043212': status: NEED_CA stuck: yes key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: CN=OCSP Subsystem,O=EXAMPLE.COM expires: 2020-11-17 18:31:26 UTC eku: id-kp-OCSPSigning pre-save command: post-save command: track: yes auto-renew: yes
Request ID '20190915043224': status: NEED_CA stuck: yes key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: CN=CA Audit,O=EXAMPLE.COM expires: 2020-11-17 18:32:07 UTC key usage: digitalSignature,nonRepudiation pre-save command: post-save command: track: yes auto-renew: yes
Request ID '20190915043237': status: NEED_CA stuck: yes key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: CN=CA Subsystem,O=EXAMPLE.COM expires: 2020-11-17 18:31:16 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes
Request ID '20190915043246': status: NEED_KEY_PAIR stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB' issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US expires: 2037-12-31 23:59:59 UTC key usage: keyCertSign,cRLSign pre-save command: post-save command: track: yes auto-renew: yes
Request ID '20190915043304': status: NEED_KEY_PAIR stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy
>>>>>>>> Intermediate',token='NSS Certificate DB' >>>>>>>> >>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, >>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US >>>>>>>> >>>>>>>> subject: CN=Go Daddy Secure Certificate Authority - >>>>>>>> G2,OU=http://certs.godaddy.com/repository/,O=%22GoDaddy.com, >>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US >>>>>>>> >>>>>>>> expires: 2031-05-03 07:00:00 UTC >>>>>>>> >>>>>>>> key usage: keyCertSign,cRLSign >>>>>>>> >>>>>>>> pre-save command: >>>>>>>> >>>>>>>> post-save command: >>>>>>>> >>>>>>>> track: yes >>>>>>>> >>>>>>>> auto-renew: yes >>>>>>>> >>>>>>>> Request ID '20190915045112': >>>>>>>> >>>>>>>> status: NEED_KEY_PAIR >>>>>>>> >>>>>>>> stuck: no >>>>>>>> >>>>>>>> key pair storage: >>>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA >>>>>>>> CA',pinfile='/etc/httpd/alias/pwdfile.txt' >>>>>>>> >>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM >>>>>>>> IPA CA',token='NSS Certificate DB' >>>>>>>> >>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>>>>>> >>>>>>>> subject: CN=Certificate Authority,O=EXAMPLE.COM >>>>>>>> >>>>>>>> expires: 2037-01-05 14:47:24 UTC >>>>>>>> >>>>>>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign >>>>>>>> >>>>>>>> pre-save command: >>>>>>>> >>>>>>>> post-save command: >>>>>>>> >>>>>>>> track: yes >>>>>>>> >>>>>>>> auto-renew: yes >>>>>>>> >>>>>>>> Request ID '20190915045148': >>>>>>>> >>>>>>>> status: NEED_KEY_PAIR >>>>>>>> >>>>>>>> stuck: no >>>>>>>> >>>>>>>> key pair storage: >>>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt' >>>>>>>> >>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS >>>>>>>> Certificate DB' >>>>>>>> >>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, >>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US >>>>>>>> >>>>>>>> subject: CN=Go Daddy Root Certificate Authority - 
G2,O="GoDaddy.com, >>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US >>>>>>>> >>>>>>>> expires: 2037-12-31 23:59:59 UTC >>>>>>>> >>>>>>>> key usage: keyCertSign,cRLSign >>>>>>>> >>>>>>>> pre-save command: >>>>>>>> >>>>>>>> post-save command: >>>>>>>> >>>>>>>> track: yes >>>>>>>> >>>>>>>> auto-renew: yes >>>>>>>> >>>>>>>> Request ID '20190915045156': >>>>>>>> >>>>>>>> status: NEED_CA >>>>>>>> >>>>>>>> stuck: yes >>>>>>>> >>>>>>>> key pair storage: >>>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS >>>>>>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>>>>>>> >>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS >>>>>>>> Certificate DB' >>>>>>>> >>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>>>>>> >>>>>>>> subject: CN=Object Signing Cert,O=EXAMPLE.COM >>>>>>>> >>>>>>>> expires: 2021-01-05 14:49:59 UTC >>>>>>>> >>>>>>>> key usage: digitalSignature,keyCertSign >>>>>>>> >>>>>>>> pre-save command: >>>>>>>> >>>>>>>> post-save command: >>>>>>>> >>>>>>>> track: yes >>>>>>>> >>>>>>>> auto-renew: yes >>>>>>>> >>>>>>>> Request ID '20190915045206': >>>>>>>> >>>>>>>> status: NEED_KEY_PAIR >>>>>>>> >>>>>>>> stuck: no >>>>>>>> >>>>>>>> key pair storage: >>>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy >>>>>>>> Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt' >>>>>>>> >>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy >>>>>>>> Intermediate',token='NSS Certificate DB' >>>>>>>> >>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, >>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US >>>>>>>> >>>>>>>> subject: CN=Go Daddy Secure Certificate Authority - >>>>>>>> G2,OU=http://certs.godaddy.com/repository/,O=%22GoDaddy.com, >>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US >>>>>>>> >>>>>>>> expires: 2031-05-03 07:00:00 UTC >>>>>>>> >>>>>>>> key usage: keyCertSign,cRLSign >>>>>>>> >>>>>>>> pre-save command: >>>>>>>> >>>>>>>> post-save command: 
>>>>>>>> >>>>>>>> track: yes >>>>>>>> >>>>>>>> auto-renew: yes >>>>>>>> >>>>>>>> Request ID '20190915045216': >>>>>>>> >>>>>>>> status: NEED_CA >>>>>>>> >>>>>>>> stuck: yes >>>>>>>> >>>>>>>> key pair storage: >>>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >>>>>>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>>>>>>> >>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >>>>>>>> Certificate DB' >>>>>>>> >>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>>>>>> >>>>>>>> subject: CN=IPA RA,O=EXAMPLE.COM >>>>>>>> >>>>>>>> expires: 2020-11-17 18:31:36 UTC >>>>>>>> >>>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >>>>>>>> >>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth >>>>>>>> >>>>>>>> pre-save command: >>>>>>>> >>>>>>>> post-save command: >>>>>>>> >>>>>>>> track: yes >>>>>>>> >>>>>>>> auto-renew: yes >>>>>>>> >>>>>>>>> On Fri, Sep 20, 2019 at 10:58 AM Rob Crittenden rcritten@redhat.com wrote: >>>>>>>>> >>>>>>>>> Satish Patel via FreeIPA-users wrote: >>>>>>>>>> Few days ago my Master CA was messed up and getcert list was showing >>>>>>>>>> empty list (no cert to track) >>>>>>>>>> >>>>>>>>>> So i run following command to add certs manually: >>>>>>>>>> >>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n >>>>>>>>>> 'ocspSigningCert cert-pki-ca' -P XXXXXXX >>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n >>>>>>>>>> 'auditSigningCert cert-pki-ca' -P XXXXXXX >>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'subsystemCert >>>>>>>>>> cert-pki-ca' -P XXXXXXX >>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy' -P XXXXXXX >>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy >>>>>>>>>> Intermediate' -P XXXXXXX >>>>>>>>>> >>>>>>>>>> And after that i am seeing this status (status: NEED_CA ) it should >>>>>>>>>> be MONITORING right? 
>>>>>>>>>> >>>>>>>>>> # getcert list >>>>>>>>>> Number of certificates and requests being tracked: 12. >>>>>>>>> >>>>>>>>> You setup the tracking wrong. Your output only shows 3 certs and yet >>>>>>>>> certmonger thinks it has 12. Where are the other 9? >>>>>>>>> >>>>>>>>> rob >>>>>>> _______________________________________________ >>>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org >>>>>>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org >>>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>>>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... >>>>>>> >>>>>> >>>>> _______________________________________________ >>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org >>>>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org >>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... >>>>> >>>> >>> _______________________________________________ >>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org >>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org >>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... >>> >>
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Satish Patel wrote:
Rob,
I got your point and I will remove all the Godaddy certs, but I wanted to say one thing: if I look into the ldap-ca-replica server, which is the other server, I can see Server-Cert. Is there a way I can sync all these replica certs with the master and fix them?
These certs are master-specific. ldap-ca-replica is using IPA-issued server certificates and the other is using Godaddy-issued certificates.
It's possible to issue certificates using the IPA CA to replace these Godaddy certs but I guess I'd check to be sure that's what you really want to do. Most people do this kind of replacement so they don't need to distribute the IPA CA to non-IPA-enrolled systems so they can do self-service management.
Roughly speaking, you'd do something like this:
# ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/<hostname> -C /usr/libexec/ipa/certmonger/restart_httpd -D <hostname>
# ipa-getcert request -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert -K ldap/<hostname> -C "/usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM" -D <hostname>
That will issue the new certs and set them up for tracking.
You can verify that they will work with:
# certutil -V -u V -d <database> -n Server-Cert
Both should return 'certificate is valid'
If so then you can swap the config to use them. Edit /etc/httpd/conf.d/nss.conf and replace the NSSNickname value with Server-Cert and restart httpd
For 389-ds:
# ldapmodify -x -D 'cn=directory manager' -W
dn: cn=RSA,cn=encryption,cn=config
changetype: modify
replace: nsSSLPersonalitySSL
nsSSLPersonalitySSL: Server-Cert
<blank line>
^D
Then restart 389-ds-base, or do both then run ipactl restart
The old certs will still exist in the NSS databases so you can always switch them back if you need to.
rob
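The thread turns on telling apart tracking entries certmonger can renew (status MONITORING, a "CA:" line, post-save commands set) from entries it cannot (NEED_CA or NEED_KEY_PAIR, "stuck: yes", or no CA at all, as for the Godaddy certs). As an added example, and not code from this thread, from FreeIPA or from certmonger, here is a POSIX shell function that reads `getcert list` output and prints one line per request that needs manual attention, with the request ID you would pass to `getcert stop-tracking -i` or re-track with a CA. The sample listing it runs on is constructed for this example and only modelled on entries from the thread; its request IDs and values are made up.

```shell
#!/bin/sh
# Constructed sample of `getcert list` output (modelled on this thread;
# request IDs and values are made up for the example).
sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 4.
Request ID '20190926141759':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
Request ID '20190915043246':
        status: NEED_KEY_PAIR
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
        post-save command:
Request ID '20190915045156':
        status: NEED_CA
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
        post-save command:
Request ID '20190926141802':
        status: CA_UNCONFIGURED
        ca-error: Unable to determine principal name for signing request.
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
        CA: IPA
        post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
EOF
}

# Read `getcert list` output on stdin and print, for every request certmonger
# cannot renew on its own, one line:  <request id>|<status>|<nickname>|<reason>
# A request is reported when its status is not MONITORING, when it is marked
# "stuck: yes", or when it has no "CA:" line (nothing to renew against).
# Nickname falls back to the certificate location for FILE-type storage.
triage_getcert() {
  awk -v q="'" '
    # Extract the quoted value following key (e.g. "nickname=" q) from line.
    function field(line, key,    p, rest) {
      p = index(line, key)
      if (p == 0) return ""
      rest = substr(line, p + length(key))
      return substr(rest, 1, index(rest, q) - 1)
    }
    # Emit the record collected so far, if it needs attention, then reset.
    function flush(    reason) {
      if (id == "") return
      reason = ""
      if (status != "MONITORING") reason = "status " status
      if (stuck == "yes") reason = reason (reason != "" ? "; " : "") "stuck"
      if (ca == "") reason = reason (reason != "" ? "; " : "") "no CA configured"
      if (reason != "") print id "|" status "|" nick "|" reason
      id = ""; status = ""; stuck = ""; ca = ""; nick = "-"
    }
    { sub(/^[ \t]+/, "") }                      # getcert indents fields with a tab
    /^Request ID / {
      flush()
      id = $3; gsub(q, "", id); sub(/:$/, "", id)
      nick = "-"
      next
    }
    /^status: /      { status = $2; next }
    /^stuck: /       { stuck = $2; next }
    /^CA: /          { ca = $2; next }          # "ca-error:" does not match this
    /^certificate: / {
      nick = field($0, "nickname=" q)
      if (nick == "") nick = field($0, "location=" q)
      next
    }
    END { flush() }
  '
}

# Stand-alone run: triage the constructed sample.
sample_getcert_list | triage_getcert
```

On a live server run `getcert list | triage_getcert` instead of the sample. The three reported lines for the sample are the Godaddy root (NEED_KEY_PAIR, no CA), the object-signing cert (NEED_CA, stuck, no CA) and the mis-tracked dirsrv Server-Cert (CA_UNCONFIGURED, stuck); the CA signing cert, which has a renewal agent and is MONITORING, is not reported.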
This is the replica node output; it looks like the replica is very clean.
[root@ldap-ca-replica ~]# getcert list
Number of certificates and requests being tracked: 10.
Request ID '20190918205044':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host',token='NSS Certificate DB',pinfile='/etc/ipa/nssdb/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
	expires: 2021-09-18 20:50:45 UTC
	dns: ldap-ca-replica.foo.EXAMPLE.com
	principal name: host/ldap-ca-replica.foo.EXAMPLE.com@EXAMPLE.COM
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20190918205212':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
	expires: 2021-09-18 20:52:12 UTC
	dns: ldap-ca-replica.foo.EXAMPLE.com
	principal name: ldap/ldap-ca-replica.foo.EXAMPLE.com@EXAMPLE.COM
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
	track: yes
	auto-renew: yes
Request ID '20190918205232':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
	expires: 2021-09-18 20:52:32 UTC
	dns: ldap-ca-replica.foo.EXAMPLE.com
	principal name: HTTP/ldap-ca-replica.foo.EXAMPLE.com@EXAMPLE.COM
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
Request ID '20190918205418':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=IPA RA,O=EXAMPLE.COM
	expires: 2020-11-17 18:31:36 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
	post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes
Request ID '20190918205431':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=CA Audit,O=EXAMPLE.COM
	expires: 2020-11-17 18:32:07 UTC
	key usage: digitalSignature,nonRepudiation
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20190918205432':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=OCSP Subsystem,O=EXAMPLE.COM
	expires: 2020-11-17 18:31:26 UTC
	eku: id-kp-OCSPSigning
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20190918205433':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=CA Subsystem,O=EXAMPLE.COM
	expires: 2020-11-17 18:31:16 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20190918205434':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=Certificate Authority,O=EXAMPLE.COM
	expires: 2037-01-05 14:47:24 UTC
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20190918205435':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
	expires: 2021-09-07 20:54:00 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20190918210008':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
	CA: SelfSign
	issuer: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
	subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
	expires: 2020-09-18 21:00:08 UTC
	principal name: krbtgt/EXAMPLE.COM@EXAMPLE.COM
	certificate template/profile: KDCs_PKINIT_Certs
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
	track: yes
	auto-renew: yes
On Thu, Sep 26, 2019 at 1:35 PM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel via FreeIPA-users wrote:
Rob,
Here is the web certs
[root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/httpd/alias -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Godaddy                                                      C,,
CN=*.foo.example.com,OU=Domain Control Validated             u,u,u
Signing-Cert                                                 u,u,u
Godaddy Intermediate                                         C,,
ipaCert                                                      u,u,u
Ok, good. Also using a Godaddy cert.
Here is the full output of getcert, and I can see some certs showing MONITORING.
Ok. I've annotated each cert you should stop tracking. It looks like the CA subsystem certs are ok.
You will need to watch the Godaddy certs yourself and manually renew when the time comes. certmonger has no way to renew those.
To stop tracking these run:

getcert stop-tracking -i <request_id>
[root@ldap-ca-master ~]# getcert list
Number of certificates and requests being tracked: 13.
Request ID '20190915043246':
	status: NEED_KEY_PAIR
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
	issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
	subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
	expires: 2037-12-31 23:59:59 UTC
	key usage: keyCertSign,cRLSign
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
No need to track this one. You'd have no way of renewing it anyway.
Request ID '20190915043304':
	status: NEED_KEY_PAIR
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
	issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
	subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
	expires: 2031-05-03 07:00:00 UTC
	key usage: keyCertSign,cRLSign
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
No need to track this one.
Request ID '20190915045112':
	status: NEED_KEY_PAIR
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',token='NSS Certificate DB'
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=Certificate Authority,O=EXAMPLE.COM
	expires: 2037-01-05 14:47:24 UTC
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
You don't need to track the CA cert here.
Request ID '20190915045148':
	status: NEED_KEY_PAIR
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS Certificate DB'
	issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
	subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
	expires: 2037-12-31 23:59:59 UTC
	key usage: keyCertSign,cRLSign
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Same, stop the tracking.
Request ID '20190915045156':
	status: NEED_CA
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=Object Signing Cert,O=EXAMPLE.COM
	expires: 2021-01-05 14:49:59 UTC
	key usage: digitalSignature,keyCertSign
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
This one too.
Request ID '20190915045206':
	status: NEED_KEY_PAIR
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
	issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
	subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
	expires: 2031-05-03 07:00:00 UTC
	key usage: keyCertSign,cRLSign
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
And this, stop tracking.
Request ID '20190926141756':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=CA Audit,O=EXAMPLE.COM
	expires: 2020-11-17 18:32:07 UTC
	key usage: digitalSignature,nonRepudiation
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20190926141757':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=OCSP Subsystem,O=EXAMPLE.COM
	expires: 2020-11-17 18:31:26 UTC
	eku: id-kp-OCSPSigning
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20190926141758':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=CA Subsystem,O=EXAMPLE.COM
	expires: 2020-11-17 18:31:16 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20190926141759':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=Certificate Authority,O=EXAMPLE.COM
	expires: 2037-01-05 14:47:24 UTC
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20190926141800':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=IPA RA,O=EXAMPLE.COM
	expires: 2020-11-17 18:31:36 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
	post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes
Request ID '20190926141801':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
	expires: 2020-11-17 18:30:29 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20190926141802':
	status: CA_UNCONFIGURED
	ca-error: Unable to determine principal name for signing request.
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
	CA: IPA
	issuer:
	subject:
	expires: unknown
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
	track: yes
	auto-renew: yes
The tracking on this one is wrong and since you don't have Server-Cert anyway, just stop tracking this one.
rob
On Thu, Sep 26, 2019 at 10:31 AM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel wrote:
Addition to last email:
I can't see Server-Cert here, but the interesting thing is that I can see Server-Cert on my CA replica node on ldap-2 (why is my primary ldap-ca-master not showing that cert?).
[root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Godaddy                                                      C,,
CN=*.foo.example.com,OU=Domain Control Validated             u,u,u
Godaddy Intermediate                                         C,,
At some point someone replaced the IPA-signed LDAP certificate with one signed by GoDaddy (which is fine).
It appears that the version of IPA you're using (at least) doesn't handle this case.
Now, fortunately it's one of the last things done so this may be just fine.
Can you see if your web server cert was also replaced? The database is /etc/httpd/alias.
Also, check your current tracking. The CA subsystem certs should be properly tracked now. It is just the LDAP and web certs that should not be (and if it is still using GoDaddy that is fine).
rob
On Thu, Sep 26, 2019 at 10:22 AM Satish Patel satish.txt@gmail.com wrote:
Rob,
Now I got an error, and here is the output. The output was very long, so I cropped it down; here is the error piece.
ipa: INFO: [Upgrading CA schema]
ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket from SchemaCache
ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x85bbf80>
ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file /usr/share/pki/server/conf/schema-certProfile.ldif
ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file /usr/share/pki/server/conf/schema-authority.ldif
ipa.ipaserver.install.schemaupdate: DEBUG: Not updating schema
ipa: INFO: CA schema update complete (no changes)
ipa: INFO: [Verifying that CA audit signing cert has 2 year validity]
ipa.ipaserver.install.cainstance.CAInstance: DEBUG: caSignedLogCert.cfg profile validity range is 720
ipa: INFO: [Update certmonger certificate renewal configuration to version 5]
ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
ipa: DEBUG: Configuring certmonger to stop tracking system certificates for CA
Configuring certmonger to stop tracking system certificates for CA
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start messagebus.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl stop certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl enable certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start messagebus.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl start certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active
ipa: DEBUG: stderr=
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM -L -n Server-Cert -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1863, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1769, in upgrade_configuration
    certificate_renewal_update(ca, ds, http),
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1027, in certificate_renewal_update
    ds.start_tracking_certificates(serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 983, in start_tracking_certificates
    'restart_dirsrv %s' % serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 307, in track_server_cert
    nsscert = x509.load_certificate(cert, dbdir=self.secdir)
  File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 125, in load_certificate
    return nss.Certificate(buffer(data))  # pylint: disable=buffer-builtin
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The ipa-server-upgrade command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: Unexpected error - see /var/log/ipaupgrade.log for details: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
On Thu, Sep 26, 2019 at 9:39 AM Rob Crittenden rcritten@redhat.com wrote:
>
> Satish Patel wrote:
>> I am running "ipa-server-4.4.0-14.el7.centos.4.x86_64"
>
> Ok, that explains what is happening.
>
> Edit /var/lib/ipa/sysupgrade/sysupgrade.state and find the [dogtag]
> section. Remove the entry for certificate_renewal_update_5.
>
> This being present is preventing the tracking to be repaired.
>
> Then run ipa-server-upgrade again and your tracking should be fixed.
>
> Use the -v flag for additional debugging, not --debug, I was mistaken.
>
> rob
>
>> On Wed, Sep 25, 2019 at 5:13 PM Rob Crittenden rcritten@redhat.com wrote:
>>>
>>> Satish Patel via FreeIPA-users wrote:
>>>> I did run "ipa-server-upgrade" and look like it was successful but
>>>> still in getcert list showing CA_NEED :(
>>>
>>> Remind me what the package version of IPA is. I'm confused by the
>>> version 5 in the output about renewal configuration.
>>>
>>> You might also want to try running with --debug as depending on release
>>> it will give more information about this.
>>>
>>> rob
>>>
>>>> [root@ldap-ca-master ~]# ipa-server-upgrade
>>>> Upgrading IPA:
>>>> [1/10]: stopping directory server
>>>> [2/10]: saving configuration
>>>> [3/10]: disabling listeners
>>>> [4/10]: enabling DS global lock
>>>> [5/10]: starting directory server
>>>> [6/10]: updating schema
>>>> [7/10]: upgrading server
>>>> [8/10]: stopping directory server
>>>> [9/10]: restoring configuration
>>>> [10/10]: starting directory server
>>>> Done.
>>>> Update complete
>>>> Upgrading IPA services
>>>> Upgrading the configuration of the IPA services
>>>> [Verifying that root certificate is published]
>>>> [Migrate CRL publish directory]
>>>> CRL tree already moved
>>>> /etc/dirsrv/slapd-EXAMPLE-COM/certmap.conf is now managed by IPA. It
>>>> will be overwritten. A backup of the original will be made.
>>>> [Verifying that CA proxy configuration is correct]
>>>> [Verifying that KDC configuration is using ipa-kdb backend]
>>>> [Fix DS schema file syntax]
>>>> Syntax already fixed
>>>> [Removing RA cert from DS NSS database]
>>>> RA cert already removed
>>>> [Enable sidgen and extdom plugins by default]
>>>> [Updating HTTPD service IPA configuration]
>>>> [Updating mod_nss protocol versions]
>>>> Protocol versions already updated
>>>> [Updating mod_nss cipher suite]
>>>> [Fixing trust flags in /etc/httpd/alias]
>>>> Trust flags already processed
>>>> [Exporting KRA agent PEM file]
>>>> KRA is not enabled
>>>> [Removing self-signed CA]
>>>> [Removing Dogtag 9 CA]
>>>> [Checking for deprecated KDC configuration files]
>>>> [Checking for deprecated backups of Samba configuration files]
>>>> [Setting up Firefox extension]
>>>> [Add missing CA DNS records]
>>>> IPA CA DNS records already processed
>>>> [Removing deprecated DNS configuration options]
>>>> DNS is not configured
>>>> [Ensuring minimal number of connections]
>>>> DNS is not configured
>>>> [Enabling serial autoincrement in DNS]
>>>> DNS is not configured
>>>> [Updating GSSAPI configuration in DNS]
>>>> DNS is not configured
>>>> [Updating pid-file configuration in DNS]
>>>> DNS is not configured
>>>> DNS is not configured
>>>> DNS is not configured
>>>> DNS is not configured
>>>> DNS is not configured
>>>> DNS is not configured
>>>> DNS is not configured
>>>> DNS is not configured
>>>> DNS is not configured
>>>> [Upgrading CA schema]
>>>> CA schema update complete (no changes)
>>>> [Verifying that CA audit signing cert has 2 year validity]
>>>> [Update certmonger certificate renewal configuration to version 5]
>>>> [Enable PKIX certificate path discovery and validation]
>>>> PKIX already enabled
>>>> [Authorizing RA Agent to modify profiles]
>>>> [Authorizing RA Agent to manage lightweight CAs]
>>>> [Ensuring Lightweight CAs container exists in Dogtag database]
>>>> [Adding default OCSP URI configuration]
>>>> [Ensuring CA is using LDAPProfileSubsystem]
>>>> [Migrating certificate profiles to LDAP]
>>>> [Ensuring presence of included profiles]
>>>> [Add default CA ACL]
>>>> Default CA ACL already added
>>>> [Set up lightweight CA key retrieval]
>>>> Creating principal
>>>> Retrieving keytab
>>>> Creating Custodia keys
>>>> Configuring key retriever
>>>> The IPA services were upgraded
>>>> The ipa-server-upgrade command was successful
>>>>
>>>> [root@ldap-ca-master ~]# getcert list | grep status
>>>> status: NEED_CA
>>>> status: NEED_CA
>>>> status: NEED_CA
>>>> status: NEED_CA
>>>> status: NEED_CA
>>>> status: NEED_KEY_PAIR
>>>> status: NEED_KEY_PAIR
>>>> status: NEED_KEY_PAIR
>>>> status: NEED_KEY_PAIR
>>>> status: NEED_CA
>>>> status: NEED_KEY_PAIR
>>>> status: NEED_CA
>>>>
>>>> On Tue, Sep 24, 2019 at 3:55 AM Florence Blanc-Renaud flo@redhat.com wrote:
>>>>>
>>>>> On 9/23/19 4:10 PM, Satish Patel via FreeIPA-users wrote:
>>>>>> Thanks Florence,
>>>>>>
>>>>>> is it safe to run "ipa-server-upgrade" ?
>>>>>>
>>>>> Hi,
>>>>> generally yes :)
>>>>>
>>>>> We had a few tickets related to upgrade but they are mainly revealing
>>>>> already present issues (for instance because this CLI stops and starts
>>>>> the services, expired certs would prevent successful completion).
>>>>>
>>>>>> Do i need to provide any option with "ipa-server-upgrade" command? i
>>>>>> believe few month back when i tried to do "ipa-server-upgrade" it
>>>>>> broke some stuff but anyway i will take snapshot of VM and try in
>>>>>> worst case scenario.
>>>>> With the VM snapshot you are on the safe side.
>>>>>
>>>>> flo
>>>>>
>>>>>> On Mon, Sep 23, 2019 at 2:25 AM Florence Blanc-Renaud flo@redhat.com wrote:
>>>>>>>
>>>>>>> On 9/21/19 7:41 PM, Satish Patel via FreeIPA-users wrote:
>>>>>>>> Any thought ?
>>>>>>> Hi,
>>>>>>> if you run ipa-server-upgrade on this node, the command will fix the
>>>>>>> tracking of certs. You should see in the output;
>>>>>>> [Update certmonger certificate renewal configuration]
>>>>>>>
>>>>>>> HTH,
>>>>>>> flo
>>>>>>>
>>>>>>>> Sent from my iPhone
>>>>>>>>
>>>>>>>>> On Sep 20, 2019, at 11:35 AM, Satish Patel satish.txt@gmail.com wrote:
>>>>>>>>>
>>>>>>>>> Rob sorry, i trim my output thought not necessary but anyway here is
>>>>>>>>> the full list (ignore CAPS letter in output)
>>>>>>>>>
>>>>>>>>> [root@ldap-ca-master ~]# getcert list
>>>>>>>>> Number of certificates and requests being tracked: 12.
>>>>>>>>> Request ID '20190915042927':
>>>>>>>>> status: NEED_CA
>>>>>>>>> stuck: yes
>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>> subject: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>> expires: 2037-01-05 14:47:24 UTC
>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>>>>>>> pre-save command:
>>>>>>>>> post-save command:
>>>>>>>>> track: yes
>>>>>>>>> auto-renew: yes
>>>>>>>>> Request ID '20190915043150':
>>>>>>>>> status: NEED_CA
>>>>>>>>> stuck: yes
>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>> subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
>>>>>>>>> expires: 2020-11-17 18:30:29 UTC
>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>>> pre-save command:
>>>>>>>>> post-save command:
>>>>>>>>> track: yes
>>>>>>>>> auto-renew: yes
>>>>>>>>> Request ID '20190915043212':
>>>>>>>>> status: NEED_CA
>>>>>>>>> stuck: yes
>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>> subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>>>>>>>>> expires: 2020-11-17 18:31:26 UTC
>>>>>>>>> eku: id-kp-OCSPSigning
>>>>>>>>> pre-save command:
>>>>>>>>> post-save command:
>>>>>>>>> track: yes
>>>>>>>>> auto-renew: yes
>>>>>>>>> Request ID '20190915043224':
>>>>>>>>> status: NEED_CA
>>>>>>>>> stuck: yes
>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>> subject: CN=CA Audit,O=EXAMPLE.COM
>>>>>>>>> expires: 2020-11-17 18:32:07 UTC
>>>>>>>>> key usage: digitalSignature,nonRepudiation
>>>>>>>>> pre-save command:
>>>>>>>>> post-save command:
>>>>>>>>> track: yes
>>>>>>>>> auto-renew: yes
>>>>>>>>> Request ID '20190915043237':
>>>>>>>>> status: NEED_CA
>>>>>>>>> stuck: yes
>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>> subject: CN=CA Subsystem,O=EXAMPLE.COM
>>>>>>>>> expires: 2020-11-17 18:31:16 UTC
>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>>> pre-save command:
>>>>>>>>> post-save command:
>>>>>>>>> track: yes
>>>>>>>>> auto-renew: yes
>>>>>>>>> Request ID '20190915043246':
>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>> stuck: no
>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>> subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>> expires: 2037-12-31 23:59:59 UTC
>>>>>>>>> key usage: keyCertSign,cRLSign
>>>>>>>>> pre-save command:
>>>>>>>>> post-save command:
>>>>>>>>> track: yes
>>>>>>>>> auto-renew: yes
>>>>>>>>> Request ID '20190915043304':
>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>> stuck: no
>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',pin set
>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>> subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=%22GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>> expires: 2031-05-03 07:00:00 UTC
>>>>>>>>> key usage: keyCertSign,cRLSign
>>>>>>>>> pre-save command:
>>>>>>>>> post-save command:
>>>>>>>>> track: yes
>>>>>>>>> auto-renew: yes
>>>>>>>>> Request ID '20190915045112':
>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>> stuck: no
>>>>>>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',token='NSS Certificate DB'
>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>> subject: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>> expires: 2037-01-05 14:47:24 UTC
>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>>>>>>> pre-save command:
>>>>>>>>> post-save command:
>>>>>>>>> track: yes
>>>>>>>>> auto-renew: yes
>>>>>>>>> Request ID '20190915045148':
>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>> stuck: no
>>>>>>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS Certificate DB'
>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>> subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>> expires: 2037-12-31 23:59:59 UTC
>>>>>>>>> key usage: keyCertSign,cRLSign
>>>>>>>>> pre-save command:
>>>>>>>>> post-save command:
>>>>>>>>> track: yes
>>>>>>>>> auto-renew: yes
>>>>>>>>> Request ID '20190915045156':
>>>>>>>>> status: NEED_CA
>>>>>>>>> stuck: yes
>>>>>>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>> subject: CN=Object Signing Cert,O=EXAMPLE.COM
>>>>>>>>> expires: 2021-01-05 14:49:59 UTC
>>>>>>>>> key usage: digitalSignature,keyCertSign
>>>>>>>>> pre-save command:
>>>>>>>>> post-save command:
>>>>>>>>> track: yes
>>>>>>>>> auto-renew: yes
>>>>>>>>> Request ID '20190915045206':
>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>> stuck: no
>>>>>>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>> subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=%22GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>> expires: 2031-05-03 07:00:00 UTC
>>>>>>>>> key usage: keyCertSign,cRLSign
>>>>>>>>> pre-save command:
>>>>>>>>> post-save command:
>>>>>>>>> track: yes
>>>>>>>>> auto-renew: yes
>>>>>>>>> Request ID '20190915045216':
>>>>>>>>> status: NEED_CA
>>>>>>>>> stuck: yes
>>>>>>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>> subject: CN=IPA RA,O=EXAMPLE.COM
>>>>>>>>> expires: 2020-11-17 18:31:36 UTC
>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>>> pre-save command:
>>>>>>>>> post-save command:
>>>>>>>>> track: yes
>>>>>>>>> auto-renew: yes
>>>>>>>>>
>>>>>>>>>> On Fri, Sep 20, 2019 at 10:58 AM Rob Crittenden rcritten@redhat.com wrote:
>>>>>>>>>>
>>>>>>>>>> Satish Patel via FreeIPA-users wrote:
>>>>>>>>>>> Few days ago my Master CA was messed up and getcert list was showing
>>>>>>>>>>> empty list (no cert to track)
>>>>>>>>>>>
>>>>>>>>>>> So i run following command to add certs manually:
>>>>>>>>>>>
>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'ocspSigningCert cert-pki-ca' -P XXXXXXX
>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca' -P XXXXXXX
>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -P XXXXXXX
>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy' -P XXXXXXX
>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy Intermediate' -P XXXXXXX
>>>>>>>>>>>
>>>>>>>>>>> And after that i am seeing this status (status: NEED_CA ) it should
>>>>>>>>>>> be MONITORING right?
>>>>>>>>>>>
>>>>>>>>>>> # getcert list
>>>>>>>>>>> Number of certificates and requests being tracked: 12.
>>>>>>>>>>
>>>>>>>>>> You setup the tracking wrong. Your output only shows 3 certs and yet
>>>>>>>>>> certmonger thinks it has 12. Where are the other 9?
>>>>>>>>>>
>>>>>>>>>> rob
>>>>>>>> _______________________________________________
>>>>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>>>>>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
>>>>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
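Rob's advice above is to check the current tracking and confirm that only the CA subsystem certs are tracked cleanly. Doing that by eye over a twelve-record `getcert list` is error-prone, so here is an added example (not code from this thread, from certmonger, or from FreeIPA) that parses the text `getcert list` prints and flags every request that is not healthy: a status other than MONITORING, `stuck: yes`, a `ca-error`, no `CA:` line (which is what hand-added `getcert start-tracking` entries look like, so certmonger can never renew them), or `expires: unknown` (no certificate in the NSS database, as with the slapd Server-Cert above). The sample listing embedded in it is constructed to resemble the output in this thread:

```python
"""Audit `getcert list` output and report tracking requests that need attention.

Added example for this thread; not code from the thread, certmonger or FreeIPA.
The sample listing below is constructed to resemble the output posted above.
"""
import re
import sys
from typing import Dict, List

# Constructed sample: one healthy CA subsystem cert, one request stuck in
# CA_UNCONFIGURED because its cert is missing from the NSS DB, and one
# hand-tracked CA cert with no CA configured for renewal.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20190926141756':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=CA Audit,O=EXAMPLE.COM
    expires: 2020-11-17 18:32:07 UTC
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
Request ID '20190926141802':
    status: CA_UNCONFIGURED
    ca-error: Unable to determine principal name for signing request.
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
    CA: IPA
    issuer:
    subject:
    expires: unknown
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
Request ID '20190915043246':
    status: NEED_KEY_PAIR
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
    issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    expires: 2037-12-31 23:59:59 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")


def parse_getcert_list(text: str) -> List[Dict[str, str]]:
    """Turn `getcert list` output into one {field: value} dict per request."""
    requests: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        match = REQUEST_RE.match(line)
        if match:
            current = {"request_id": match.group(1)}
            requests.append(current)
        elif current and ":" in line:
            # Split on the first colon only: values such as
            # "expires: 2020-11-17 18:32:07 UTC" contain colons themselves.
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return requests


def audit_request(req: Dict[str, str]) -> List[str]:
    """Return the reasons a tracking request is not healthy (empty if it is)."""
    problems: List[str] = []
    status = req.get("status", "")
    if status != "MONITORING":
        problems.append(f"status is {status or 'unknown'}, not MONITORING")
    if req.get("stuck") == "yes":
        problems.append("request is stuck")
    if req.get("ca-error"):
        problems.append("ca-error: " + req["ca-error"])
    if not req.get("CA"):
        # No CA means certmonger has nowhere to submit a renewal request.
        problems.append("no CA configured for renewal")
    if req.get("expires", "unknown") == "unknown":
        problems.append("no certificate found in the NSS database")
    return problems


def audit_getcert_list(text: str) -> Dict[str, List[str]]:
    """Map request ID -> list of problems for every request in the listing."""
    return {req["request_id"]: audit_request(req) for req in parse_getcert_list(text)}


def unhealthy_request_ids(text: str) -> List[str]:
    """Request IDs that need attention, in listing order."""
    return [rid for rid, problems in audit_getcert_list(text).items() if problems]


if __name__ == "__main__":
    # Pipe real output in (`getcert list | python3 audit_getcert.py`), or run
    # with no stdin to audit the constructed sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCERT_LIST
    for rid, problems in audit_getcert_list(source).items():
        print(rid, "OK" if not problems else "; ".join(problems))
```

On the sample, the first request reports OK, the slapd Server-Cert request reports four problems (status, stuck, ca-error, no certificate), and the hand-tracked Godaddy entry reports a non-MONITORING status and no CA. The script only reads text; it never changes tracking, so it is safe to run on a production master before deciding what to `stop-tracking` or re-request.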
Rob,
As you suggested, I did the following (it required a password, so I used -P <PIN>):
# ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/ldap-ca-master.example.com -C /usr/libexec/ipa/certmonger/restart_httpd -D ldap-ca-master.example.com -P 9e8c1a9447d56236733f
# ipa-getcert request -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert -K ldap/ldap-ca-master.example.com -C "/usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE.COM" -D ldap-ca-master.example.com -P 013fcd26f4dfa18c4d1bcaac0dbac44f3ad75698
# certutil -V -u V -d /etc/httpd/alias -n Server-Cert
certutil: certificate is valid
# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert
certutil: certificate is valid
If so then you can swap the config to use them. Edit /etc/httpd/conf.d/nss.conf and replace the NSSNickname value with Server-Cert and restart httpd
Do i need to edit above nss.conf file?
Currently i have following NSSNickname in file.
# grep "NSSNickname" /etc/httpd/conf.d/nss.conf
NSSNickname "CN=*.foo.example.com,OU=Domain Control Validated"
Here is the full output of getcert list (do you think it's looking good? I compared with the replica and I can see the master has 2 fewer certs than the replica; hope that is ok).
# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20190926141756':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=CA Audit,O=EXAMPLE.COM
    expires: 2020-11-17 18:32:07 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190926141757':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=OCSP Subsystem,O=EXAMPLE.COM
    expires: 2020-11-17 18:31:26 UTC
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190926141758':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=CA Subsystem,O=EXAMPLE.COM
    expires: 2020-11-17 18:31:16 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190926141759':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=Certificate Authority,O=EXAMPLE.COM
    expires: 2037-01-05 14:47:24 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190926141800':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=IPA RA,O=EXAMPLE.COM
    expires: 2020-11-17 18:31:36 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20190926141801':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
    expires: 2020-11-17 18:30:29 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190927010638':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ldap-ca-master.foo.example.com,O=EXAMPLE.COM
    expires: 2021-09-27 01:06:39 UTC
    dns: ldap-ca-master.foo.EXAMPLE.com
    principal name: HTTP/ldap-ca-master.foo.EXAMPLE.com@EXAMPLE.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
Request ID '20190927011037':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ldap-ca-master.foo.example.com,O=EXAMPLE.COM
    expires: 2021-09-27 01:10:38 UTC
    dns: ldap-ca-master.foo.EXAMPLE.com
    principal name: ldap/ldap-ca-master.foo.example.com@EXAMPLE.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE.COM
    track: yes
    auto-renew: yes
On Thu, Sep 26, 2019 at 2:52 PM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel wrote:
Rob,
I got your point and I will remove all Godaddy certs, but I wanted to say one thing: if I look into the ldap-ca-replica server, which is the other server, I can see Server-Cert. Is there a way I can sync all these replica certs with the master and fix them?
These certs are master-specific. ldap-ca-replica is using IPA-issued server certificates and the other is using Godaddy-issued certificates.
It's possible to issue certificates using the IPA CA to replace these Godaddy certs but I guess I'd check to be sure that's what you really want to do. Most people do this kind of replacement so they don't need to distribute the IPA CA to non-IPA-enrolled systems so they can do self-service management.
Roughly speaking, you'd do something like this:
# ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/<hostname> -C /usr/libexec/ipa/certmonger/restart_httpd -D <hostname>
# ipa-getcert request -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert -K ldap/<hostname> -C "/usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM" -D <hostname>
That will issue the new certs and set them up for tracking.
You can verify that they will work with:
# certutil -V -u V -d <database> -n Server-Cert
Both should return 'certificate is valid'
If so then you can swap the config to use them. Edit /etc/httpd/conf.d/nss.conf and replace the NSSNickname value with Server-Cert and restart httpd
For 389-ds:
# ldapmodify -x -D 'cn=directory manager' -W
dn: cn=RSA,cn=encryption,cn=config
changetype: modify
replace: nsSSLPersonalitySSL
nsSSLPersonalitySSL: Server-Cert
<blank line>
^D
Then restart 389-ds-base, or do both then run ipactl restart
The old certs will still exist in the NSS databases so you can always switch them back if you need to.
rob
This is the replica node output; it looks like the replica is very clean.
[root@ldap-ca-replica ~]# getcert list
Number of certificates and requests being tracked: 10.
Request ID '20190918205044':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host',token='NSS Certificate DB',pinfile='/etc/ipa/nssdb/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
    expires: 2021-09-18 20:50:45 UTC
    dns: ldap-ca-replica.foo.EXAMPLE.com
    principal name: host/ldap-ca-replica.foo.EXAMPLE.com@EXAMPLE.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20190918205212':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
    expires: 2021-09-18 20:52:12 UTC
    dns: ldap-ca-replica.foo.EXAMPLE.com
    principal name: ldap/ldap-ca-replica.foo.EXAMPLE.com@EXAMPLE.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
    track: yes
    auto-renew: yes
Request ID '20190918205232':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
    expires: 2021-09-18 20:52:32 UTC
    dns: ldap-ca-replica.foo.EXAMPLE.com
    principal name: HTTP/ldap-ca-replica.foo.EXAMPLE.com@EXAMPLE.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
Request ID '20190918205418':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=IPA RA,O=EXAMPLE.COM
    expires: 2020-11-17 18:31:36 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20190918205431':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=CA Audit,O=EXAMPLE.COM
    expires: 2020-11-17 18:32:07 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190918205432':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=OCSP Subsystem,O=EXAMPLE.COM
    expires: 2020-11-17 18:31:26 UTC
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190918205433':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=CA Subsystem,O=EXAMPLE.COM
    expires: 2020-11-17 18:31:16 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190918205434':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=Certificate Authority,O=EXAMPLE.COM
    expires: 2037-01-05 14:47:24 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190918205435':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
    expires: 2021-09-07 20:54:00 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190918210008':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: SelfSign
    issuer: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
    subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
    expires: 2020-09-18 21:00:08 UTC
    principal name: krbtgt/EXAMPLE.COM@EXAMPLE.COM
    certificate template/profile: KDCs_PKINIT_Certs
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
    track: yes
    auto-renew: yes
On Thu, Sep 26, 2019 at 1:35 PM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel via FreeIPA-users wrote:
Rob,
Here is the web certs
[root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/httpd/alias -L
Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI
EXAMPLE.COM IPA CA                                   CT,C,C
Godaddy                                              C,,
CN=*.foo.example.com,OU=Domain Control Validated     u,u,u
Signing-Cert                                         u,u,u
Godaddy Intermediate                                 C,,
ipaCert                                              u,u,u
Ok, good. Also using a Godaddy cert.
Here is the full output of getcert, and I can see some certs showing MONITORING.
Ok. I've annotated each cert you should stop tracking. It looks like the CA subsystem certs are ok.
You will need to watch the Godaddy certs yourself and manually renew when the time comes. certmonger has no way to renew those.
To stop tracking these run: getcert stop-tracking -i <request_id>
[root@ldap-ca-master ~]# getcert list
Number of certificates and requests being tracked: 13.
Request ID '20190915043246':
    status: NEED_KEY_PAIR
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
    issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    expires: 2037-12-31 23:59:59 UTC
    key usage: keyCertSign,cRLSign
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
No need to track this one. You'd have no way of renewing it anyway.
Request ID '20190915043304':
    status: NEED_KEY_PAIR
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
    issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    expires: 2031-05-03 07:00:00 UTC
    key usage: keyCertSign,cRLSign
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
No need to track this one.
Request ID '20190915045112':
    status: NEED_KEY_PAIR
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',token='NSS Certificate DB'
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=Certificate Authority,O=EXAMPLE.COM
    expires: 2037-01-05 14:47:24 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
You don't need to track the CA cert here.
Request ID '20190915045148':
    status: NEED_KEY_PAIR
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS Certificate DB'
    issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    expires: 2037-12-31 23:59:59 UTC
    key usage: keyCertSign,cRLSign
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Same, stop the tracking.
Request ID '20190915045156':
    status: NEED_CA
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=Object Signing Cert,O=EXAMPLE.COM
    expires: 2021-01-05 14:49:59 UTC
    key usage: digitalSignature,keyCertSign
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
This one too.
Request ID '20190915045206':
    status: NEED_KEY_PAIR
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
    issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    expires: 2031-05-03 07:00:00 UTC
    key usage: keyCertSign,cRLSign
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
And this, stop tracking.
Request ID '20190926141756':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=CA Audit,O=EXAMPLE.COM
    expires: 2020-11-17 18:32:07 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190926141757':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=OCSP Subsystem,O=EXAMPLE.COM
    expires: 2020-11-17 18:31:26 UTC
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190926141758':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=CA Subsystem,O=EXAMPLE.COM
    expires: 2020-11-17 18:31:16 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190926141759':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=Certificate Authority,O=EXAMPLE.COM
    expires: 2037-01-05 14:47:24 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190926141800':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=IPA RA,O=EXAMPLE.COM
    expires: 2020-11-17 18:31:36 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20190926141801':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
    expires: 2020-11-17 18:30:29 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190926141802':
    status: CA_UNCONFIGURED
    ca-error: Unable to determine principal name for signing request.
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
    CA: IPA
    issuer:
    subject:
    expires: unknown
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
    track: yes
    auto-renew: yes
The tracking on this one is wrong and since you don't have Server-Cert anyway, just stop tracking this one.
rob
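A defender's health check over the kind of getcert list output traded in this thread: an added example, not code from the thread, FreeIPA or certmonger, that parses the listing, flags every request that is not MONITORING, is stuck, carries a ca-error or has no CA assigned (the Godaddy and copied-CA entries Rob says to stop tracking), and emits the matching getcert stop-tracking commands. The sample listing is constructed from the statuses seen in the thread, and the 30-day expiry warning threshold is an assumption.

```python
"""Health check over `getcert list` output: which tracked requests can
certmonger not renew, and which should simply stop being tracked. Added
example for this thread; the listing below is constructed, not a real one."""
import re
from datetime import datetime, timezone

REQUEST_RE = re.compile(r"^Request ID '(?P<rid>[^']+)':\s*$")

# Constructed sample: a GoDaddy root tracked with no CA, a healthy CA
# subsystem cert, and the mis-tracked LDAP Server-Cert with a ca-error.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20190915043246':
\tstatus: NEED_KEY_PAIR
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
\tissuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
\tsubject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
\texpires: 2037-12-31 23:59:59 UTC
\tpost-save command:
Request ID '20190926141759':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=Certificate Authority,O=EXAMPLE.COM
\texpires: 2037-01-05 14:47:24 UTC
\tpost-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
Request ID '20190926141802':
\tstatus: CA_UNCONFIGURED
\tca-error: Unable to determine principal name for signing request.
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
\tCA: IPA
\tissuer:
\tsubject:
\texpires: unknown
\tpost-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
"""


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per request, keyed by field name."""
    requests, current = [], None
    for raw in text.splitlines():
        m = REQUEST_RE.match(raw)
        if m:
            current = {"id": m.group("rid")}
            requests.append(current)
            continue
        if current is None or not raw.startswith(("\t", " ")):
            continue  # header line ("Number of certificates ...")
        # Fields are "name: value"; values (paths, timestamps) contain colons too.
        key, _, value = raw.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """certmonger prints 'YYYY-MM-DD HH:MM:SS UTC', or 'unknown' when it holds no cert."""
    try:
        return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def findings(req, now, warn_days=30):
    """Reasons a request needs an admin's attention; an empty list means healthy."""
    reasons = []
    if req.get("status") != "MONITORING":
        reasons.append("status %s" % req.get("status", "?"))
    if req.get("stuck") == "yes":
        reasons.append("stuck")
    if "ca-error" in req:
        reasons.append("ca-error: " + req["ca-error"])
    if not req.get("CA"):  # no CA helper: externally issued certs are renewed by hand
        reasons.append("no CA assigned, certmonger cannot renew")
    exp = parse_expiry(req.get("expires", ""))
    if exp is not None and (exp - now).days < warn_days:  # warn_days: assumed threshold
        reasons.append("expires %s" % req["expires"])
    return reasons


def report(text, now=None, warn_days=30):
    """Request id -> findings, for every request that is not healthy."""
    now = now or datetime.now(timezone.utc)
    found = ((r["id"], findings(r, now, warn_days)) for r in parse_getcert_list(text))
    return {rid: why for rid, why in found if why}


def stop_tracking_commands(text):
    """The `getcert stop-tracking -i <id>` lines for requests that have no CA."""
    return ["getcert stop-tracking -i %s" % r["id"]
            for r in parse_getcert_list(text) if not r.get("CA")]


if __name__ == "__main__":
    for rid, why in report(SAMPLE, parse_expiry("2019-09-27 00:00:00 UTC")).items():
        print(rid, "->", "; ".join(why))
    print("\n".join(stop_tracking_commands(SAMPLE)))
```

Feed it the real listing with `report(open("getcert.txt").read())`; anything it flags with "no CA assigned" is a certificate certmonger will never renew, so it either gets a manual renewal calendar entry or is untracked.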
On Thu, Sep 26, 2019 at 10:31 AM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel wrote:
Addition to last email:
I can't see Server-Cert here, but the interesting thing is that I can see Server-Cert in my CA replica node on ldap-2 (why is my primary ldap-ca-master not showing that cert?)
[root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L
Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI
EXAMPLE.COM IPA CA                                   CT,C,C
Godaddy                                              C,,
CN=*.foo.example.com,OU=Domain Control Validated     u,u,u
Godaddy Intermediate                                 C,,
At some point someone replaced the IPA-signed LDAP certificate with one signed by GoDaddy (which is fine).
It appears that the version of IPA you're using (at least) doesn't handle this case.
Now, fortunately it's one of the last things done so this may be just fine.
Can you see if your web server cert was also replaced? The database is /etc/httpd/alias.
Also, check your current tracking. The CA subsystem certs should be properly tracked now. It is just the LDAP and web certs that should not be (and if it is still using GoDaddy that is fine).
rob
On Thu, Sep 26, 2019 at 10:22 AM Satish Patel satish.txt@gmail.com wrote:
>
> Rob,
>
> Now I got an error and here is the output. The output was very long so I cropped it down, and here is the error piece.
>
> ipa: INFO: [Upgrading CA schema]
> ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket from SchemaCache
> ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x85bbf80>
> ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file /usr/share/pki/server/conf/schema-certProfile.ldif
> ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file /usr/share/pki/server/conf/schema-authority.ldif
> ipa.ipaserver.install.schemaupdate: DEBUG: Not updating schema
> ipa: INFO: CA schema update complete (no changes)
> ipa: INFO: [Verifying that CA audit signing cert has 2 year validity]
> ipa.ipaserver.install.cainstance.CAInstance: DEBUG: caSignedLogCert.cfg profile validity range is 720
> ipa: INFO: [Update certmonger certificate renewal configuration to version 5]
> ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
> ipa: DEBUG: Configuring certmonger to stop tracking system certificates for CA
> Configuring certmonger to stop tracking system certificates for CA
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=/bin/systemctl start messagebus.service
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=active
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=/bin/systemctl start certmonger.service
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=active
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=/bin/systemctl stop certmonger.service
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=/bin/systemctl start certmonger.service
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=active
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=/bin/systemctl enable certmonger.service
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=/bin/systemctl start messagebus.service
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=active
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=/bin/systemctl start certmonger.service
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=active
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM -L -n Server-Cert -a
> ipa: DEBUG: Process finished, return code=255
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=certutil: Could not find cert: Server-Cert
> : PR_FILE_NOT_FOUND_ERROR: File not found
>
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
> return_value = self.run()
> File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
> server.upgrade()
> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1863, in upgrade
> upgrade_configuration()
> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1769, in upgrade_configuration
> certificate_renewal_update(ca, ds, http),
> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1027, in certificate_renewal_update
> ds.start_tracking_certificates(serverid)
> File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 983, in start_tracking_certificates
> 'restart_dirsrv %s' % serverid)
> File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 307, in track_server_cert
> nsscert = x509.load_certificate(cert, dbdir=self.secdir)
> File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 125, in load_certificate
> return nss.Certificate(buffer(data)) # pylint: disable=buffer-builtin
>
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The ipa-server-upgrade command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: Unexpected error - see /var/log/ipaupgrade.log for details: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
>
> On Thu, Sep 26, 2019 at 9:39 AM Rob Crittenden rcritten@redhat.com wrote:
>>
>> Satish Patel wrote:
>>> I am running "ipa-server-4.4.0-14.el7.centos.4.x86_64"
>>
>> Ok, that explains what is happening.
>>
>> Edit /var/lib/ipa/sysupgrade/sysupgrade.state and find the [dogtag] section. Remove the entry for certificate_renewal_update_5.
>>
>> This being present is preventing the tracking from being repaired.
>>
>> Then run ipa-server-upgrade again and your tracking should be fixed.
>>
>> Use the -v flag for additional debugging, not --debug, I was mistaken.
>>
>> rob
>>
>>>
>>> On Wed, Sep 25, 2019 at 5:13 PM Rob Crittenden rcritten@redhat.com wrote:
>>>>
>>>> Satish Patel via FreeIPA-users wrote:
>>>>> I did run "ipa-server-upgrade" and it looks like it was successful, but getcert list is still showing CA_NEED :(
>>>>
>>>> Remind me what the package version of IPA is. I'm confused by the version 5 in the output about renewal configuration.
>>>>
>>>> You might also want to try running with --debug as depending on release it will give more information about this.
>>>>
>>>> rob
>>>>
>>>>>
>>>>>
>>>>> [root@ldap-ca-master ~]# ipa-server-upgrade
>>>>> Upgrading IPA:
>>>>> [1/10]: stopping directory server
>>>>> [2/10]: saving configuration
>>>>> [3/10]: disabling listeners
>>>>> [4/10]: enabling DS global lock
>>>>> [5/10]: starting directory server
>>>>> [6/10]: updating schema
>>>>> [7/10]: upgrading server
>>>>> [8/10]: stopping directory server
>>>>> [9/10]: restoring configuration
>>>>> [10/10]: starting directory server
>>>>> Done.
>>>>> Update complete
>>>>> Upgrading IPA services
>>>>> Upgrading the configuration of the IPA services
>>>>> [Verifying that root certificate is published]
>>>>> [Migrate CRL publish directory]
>>>>> CRL tree already moved
>>>>> /etc/dirsrv/slapd-EXAMPLE-COM/certmap.conf is now managed by IPA. It will be overwritten. A backup of the original will be made.
>>>>> [Verifying that CA proxy configuration is correct]
>>>>> [Verifying that KDC configuration is using ipa-kdb backend]
>>>>> [Fix DS schema file syntax]
>>>>> Syntax already fixed
>>>>> [Removing RA cert from DS NSS database]
>>>>> RA cert already removed
>>>>> [Enable sidgen and extdom plugins by default]
>>>>> [Updating HTTPD service IPA configuration]
>>>>> [Updating mod_nss protocol versions]
>>>>> Protocol versions already updated
>>>>> [Updating mod_nss cipher suite]
>>>>> [Fixing trust flags in /etc/httpd/alias]
>>>>> Trust flags already processed
>>>>> [Exporting KRA agent PEM file]
>>>>> KRA is not enabled
>>>>> [Removing self-signed CA]
>>>>> [Removing Dogtag 9 CA]
>>>>> [Checking for deprecated KDC configuration files]
>>>>> [Checking for deprecated backups of Samba configuration files]
>>>>> [Setting up Firefox extension]
>>>>> [Add missing CA DNS records]
>>>>> IPA CA DNS records already processed
>>>>> [Removing deprecated DNS configuration options]
>>>>> DNS is not configured
>>>>> [Ensuring minimal number of connections]
>>>>> DNS is not configured
>>>>> [Enabling serial autoincrement in DNS]
>>>>> DNS is not configured
>>>>> [Updating GSSAPI configuration in DNS]
>>>>> DNS is not configured
>>>>> [Updating pid-file configuration in DNS]
>>>>> DNS is not configured
>>>>> DNS is not configured
>>>>> DNS is not configured
>>>>> DNS is not configured
>>>>> DNS is not configured
>>>>> DNS is not configured
>>>>> DNS is not configured
>>>>> DNS is not configured
>>>>> DNS is not configured
>>>>> [Upgrading CA schema]
>>>>> CA schema update complete (no changes)
>>>>> [Verifying that CA audit signing cert has 2 year validity]
>>>>> [Update certmonger certificate renewal configuration to version 5]
>>>>> [Enable PKIX certificate path discovery and validation]
>>>>> PKIX already enabled
>>>>> [Authorizing RA Agent to modify profiles]
>>>>> [Authorizing RA Agent to manage lightweight CAs]
>>>>> [Ensuring Lightweight CAs container exists in Dogtag database]
>>>>> [Adding default OCSP URI configuration]
>>>>> [Ensuring CA is using LDAPProfileSubsystem]
>>>>> [Migrating certificate profiles to LDAP]
>>>>> [Ensuring presence of included profiles]
>>>>> [Add default CA ACL]
>>>>> Default CA ACL already added
>>>>> [Set up lightweight CA key retrieval]
>>>>> Creating principal
>>>>> Retrieving keytab
>>>>> Creating Custodia keys
>>>>> Configuring key retriever
>>>>> The IPA services were upgraded
>>>>> The ipa-server-upgrade command was successful
>>>>>
>>>>>
>>>>> [root@ldap-ca-master ~]# getcert list | grep status
>>>>> status: NEED_CA
>>>>> status: NEED_CA
>>>>> status: NEED_CA
>>>>> status: NEED_CA
>>>>> status: NEED_CA
>>>>> status: NEED_KEY_PAIR
>>>>> status: NEED_KEY_PAIR
>>>>> status: NEED_KEY_PAIR
>>>>> status: NEED_KEY_PAIR
>>>>> status: NEED_CA
>>>>> status: NEED_KEY_PAIR
>>>>> status: NEED_CA
>>>>>
>>>>> On Tue, Sep 24, 2019 at 3:55 AM Florence Blanc-Renaud flo@redhat.com wrote:
>>>>>>
>>>>>> On 9/23/19 4:10 PM, Satish Patel via FreeIPA-users wrote:
>>>>>>> Thanks Florence,
>>>>>>>
>>>>>>> Is it safe to run "ipa-server-upgrade"?
>>>>>>>
>>>>>> Hi,
>>>>>> generally yes :)
>>>>>>
>>>>>> We had a few tickets related to upgrade but they are mainly revealing already present issues (for instance because this CLI stops and starts the services, expired certs would prevent successful completion).
>>>>>>
>>>>>>> Do I need to provide any option with the "ipa-server-upgrade" command? I believe a few months back when I tried to do "ipa-server-upgrade" it broke some stuff, but anyway I will take a snapshot of the VM and try, for the worst-case scenario.
>>>>>> With the VM snapshot you are on the safe side.
>>>>>>
>>>>>> flo
>>>>>>
>>>>>>>
>>>>>>> On Mon, Sep 23, 2019 at 2:25 AM Florence Blanc-Renaud flo@redhat.com wrote:
>>>>>>>>
>>>>>>>> On 9/21/19 7:41 PM, Satish Patel via FreeIPA-users wrote:
>>>>>>>>> Any thought ?
>>>>>>>> Hi,
>>>>>>>> if you run ipa-server-upgrade on this node, the command will fix the tracking of certs. You should see in the output:
>>>>>>>> [Update certmonger certificate renewal configuration]
>>>>>>>>
>>>>>>>> HTH,
>>>>>>>> flo
>>>>>>>>
>>>>>>>>>
>>>>>>>>> Sent from my iPhone
>>>>>>>>>
>>>>>>>>>> On Sep 20, 2019, at 11:35 AM, Satish Patel satish.txt@gmail.com wrote:
>>>>>>>>>>
>>>>>>>>>> Rob, sorry, I trimmed my output because I thought it was not necessary, but anyway here is the full list (ignore the CAPS letters in the output)
>>>>>>>>>>
>>>>>>>>>> [root@ldap-ca-master ~]# getcert list
>>>>>>>>>>
>>>>>>>>>> Number of certificates and requests being tracked: 12.
>>>>>>>>>>
>>>>>>>>>> Request ID '20190915042927':
>>>>>>>>>> status: NEED_CA
>>>>>>>>>> stuck: yes
>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>> subject: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>> expires: 2037-01-05 14:47:24 UTC
>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>>>>>>>> pre-save command:
>>>>>>>>>> post-save command:
>>>>>>>>>> track: yes
>>>>>>>>>> auto-renew: yes
>>>>>>>>>>
>>>>>>>>>> Request ID '20190915043150':
>>>>>>>>>> status: NEED_CA
>>>>>>>>>> stuck: yes
>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>> subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
>>>>>>>>>> expires: 2020-11-17 18:30:29 UTC
>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>>>> pre-save command:
>>>>>>>>>> post-save command:
>>>>>>>>>> track: yes
>>>>>>>>>> auto-renew: yes
>>>>>>>>>>
>>>>>>>>>> Request ID '20190915043212':
>>>>>>>>>> status: NEED_CA
>>>>>>>>>> stuck: yes
>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>> subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>>>>>>>>>> expires: 2020-11-17 18:31:26 UTC
>>>>>>>>>> eku: id-kp-OCSPSigning
>>>>>>>>>> pre-save command:
>>>>>>>>>> post-save command:
>>>>>>>>>> track: yes
>>>>>>>>>> auto-renew: yes
>>>>>>>>>>
>>>>>>>>>> Request ID '20190915043224':
>>>>>>>>>> status: NEED_CA
>>>>>>>>>> stuck: yes
>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>> subject: CN=CA Audit,O=EXAMPLE.COM
>>>>>>>>>> expires: 2020-11-17 18:32:07 UTC
>>>>>>>>>> key usage: digitalSignature,nonRepudiation
>>>>>>>>>> pre-save command:
>>>>>>>>>> post-save command:
>>>>>>>>>> track: yes
>>>>>>>>>> auto-renew: yes
>>>>>>>>>>
>>>>>>>>>> Request ID '20190915043237':
>>>>>>>>>> status: NEED_CA
>>>>>>>>>> stuck: yes
>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>> subject: CN=CA Subsystem,O=EXAMPLE.COM
>>>>>>>>>> expires: 2020-11-17 18:31:16 UTC
>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>>>> pre-save command:
>>>>>>>>>> post-save command:
>>>>>>>>>> track: yes
>>>>>>>>>> auto-renew: yes
>>>>>>>>>>
>>>>>>>>>> Request ID '20190915043246':
>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>> stuck: no
>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
>>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com,
>>>>>>>>>>
Inc.",L=Scottsdale,ST=Arizona,C=US >>>>>>>>>> >>>>>>>>>> subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, >>>>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US >>>>>>>>>> >>>>>>>>>> expires: 2037-12-31 23:59:59 UTC >>>>>>>>>> >>>>>>>>>> key usage: keyCertSign,cRLSign >>>>>>>>>> >>>>>>>>>> pre-save command: >>>>>>>>>> >>>>>>>>>> post-save command: >>>>>>>>>> >>>>>>>>>> track: yes >>>>>>>>>> >>>>>>>>>> auto-renew: yes >>>>>>>>>> >>>>>>>>>> Request ID '20190915043304': >>>>>>>>>> >>>>>>>>>> status: NEED_KEY_PAIR >>>>>>>>>> >>>>>>>>>> stuck: no >>>>>>>>>> >>>>>>>>>> key pair storage: >>>>>>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy >>>>>>>>>> Intermediate',pin set >>>>>>>>>> >>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy >>>>>>>>>> Intermediate',token='NSS Certificate DB' >>>>>>>>>> >>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, >>>>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US >>>>>>>>>> >>>>>>>>>> subject: CN=Go Daddy Secure Certificate Authority - >>>>>>>>>> G2,OU=http://certs.godaddy.com/repository/,O=%22GoDaddy.com, >>>>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US >>>>>>>>>> >>>>>>>>>> expires: 2031-05-03 07:00:00 UTC >>>>>>>>>> >>>>>>>>>> key usage: keyCertSign,cRLSign >>>>>>>>>> >>>>>>>>>> pre-save command: >>>>>>>>>> >>>>>>>>>> post-save command: >>>>>>>>>> >>>>>>>>>> track: yes >>>>>>>>>> >>>>>>>>>> auto-renew: yes >>>>>>>>>> >>>>>>>>>> Request ID '20190915045112': >>>>>>>>>> >>>>>>>>>> status: NEED_KEY_PAIR >>>>>>>>>> >>>>>>>>>> stuck: no >>>>>>>>>> >>>>>>>>>> key pair storage: >>>>>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA >>>>>>>>>> CA',pinfile='/etc/httpd/alias/pwdfile.txt' >>>>>>>>>> >>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM >>>>>>>>>> IPA CA',token='NSS Certificate DB' >>>>>>>>>> >>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>>>>>>>> >>>>>>>>>> subject: 
CN=Certificate Authority,O=EXAMPLE.COM >>>>>>>>>> >>>>>>>>>> expires: 2037-01-05 14:47:24 UTC >>>>>>>>>> >>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign >>>>>>>>>> >>>>>>>>>> pre-save command: >>>>>>>>>> >>>>>>>>>> post-save command: >>>>>>>>>> >>>>>>>>>> track: yes >>>>>>>>>> >>>>>>>>>> auto-renew: yes >>>>>>>>>> >>>>>>>>>> Request ID '20190915045148': >>>>>>>>>> >>>>>>>>>> status: NEED_KEY_PAIR >>>>>>>>>> >>>>>>>>>> stuck: no >>>>>>>>>> >>>>>>>>>> key pair storage: >>>>>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt' >>>>>>>>>> >>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS >>>>>>>>>> Certificate DB' >>>>>>>>>> >>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, >>>>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US >>>>>>>>>> >>>>>>>>>> subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, >>>>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US >>>>>>>>>> >>>>>>>>>> expires: 2037-12-31 23:59:59 UTC >>>>>>>>>> >>>>>>>>>> key usage: keyCertSign,cRLSign >>>>>>>>>> >>>>>>>>>> pre-save command: >>>>>>>>>> >>>>>>>>>> post-save command: >>>>>>>>>> >>>>>>>>>> track: yes >>>>>>>>>> >>>>>>>>>> auto-renew: yes >>>>>>>>>> >>>>>>>>>> Request ID '20190915045156': >>>>>>>>>> >>>>>>>>>> status: NEED_CA >>>>>>>>>> >>>>>>>>>> stuck: yes >>>>>>>>>> >>>>>>>>>> key pair storage: >>>>>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS >>>>>>>>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>>>>>>>>> >>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS >>>>>>>>>> Certificate DB' >>>>>>>>>> >>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>>>>>>>> >>>>>>>>>> subject: CN=Object Signing Cert,O=EXAMPLE.COM >>>>>>>>>> >>>>>>>>>> expires: 2021-01-05 14:49:59 UTC >>>>>>>>>> >>>>>>>>>> key usage: digitalSignature,keyCertSign >>>>>>>>>> >>>>>>>>>> 
pre-save command: >>>>>>>>>> >>>>>>>>>> post-save command: >>>>>>>>>> >>>>>>>>>> track: yes >>>>>>>>>> >>>>>>>>>> auto-renew: yes >>>>>>>>>> >>>>>>>>>> Request ID '20190915045206': >>>>>>>>>> >>>>>>>>>> status: NEED_KEY_PAIR >>>>>>>>>> >>>>>>>>>> stuck: no >>>>>>>>>> >>>>>>>>>> key pair storage: >>>>>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy >>>>>>>>>> Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt' >>>>>>>>>> >>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy >>>>>>>>>> Intermediate',token='NSS Certificate DB' >>>>>>>>>> >>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, >>>>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US >>>>>>>>>> >>>>>>>>>> subject: CN=Go Daddy Secure Certificate Authority - >>>>>>>>>> G2,OU=http://certs.godaddy.com/repository/,O=%22GoDaddy.com, >>>>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US >>>>>>>>>> >>>>>>>>>> expires: 2031-05-03 07:00:00 UTC >>>>>>>>>> >>>>>>>>>> key usage: keyCertSign,cRLSign >>>>>>>>>> >>>>>>>>>> pre-save command: >>>>>>>>>> >>>>>>>>>> post-save command: >>>>>>>>>> >>>>>>>>>> track: yes >>>>>>>>>> >>>>>>>>>> auto-renew: yes >>>>>>>>>> >>>>>>>>>> Request ID '20190915045216': >>>>>>>>>> >>>>>>>>>> status: NEED_CA >>>>>>>>>> >>>>>>>>>> stuck: yes >>>>>>>>>> >>>>>>>>>> key pair storage: >>>>>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >>>>>>>>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>>>>>>>>> >>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >>>>>>>>>> Certificate DB' >>>>>>>>>> >>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>>>>>>>> >>>>>>>>>> subject: CN=IPA RA,O=EXAMPLE.COM >>>>>>>>>> >>>>>>>>>> expires: 2020-11-17 18:31:36 UTC >>>>>>>>>> >>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >>>>>>>>>> >>>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth >>>>>>>>>> >>>>>>>>>> pre-save command: >>>>>>>>>> >>>>>>>>>> 
post-save command: >>>>>>>>>> >>>>>>>>>> track: yes >>>>>>>>>> >>>>>>>>>> auto-renew: yes >>>>>>>>>> >>>>>>>>>>> On Fri, Sep 20, 2019 at 10:58 AM Rob Crittenden rcritten@redhat.com wrote: >>>>>>>>>>> >>>>>>>>>>> Satish Patel via FreeIPA-users wrote: >>>>>>>>>>>> Few days ago my Master CA was messed up and getcert list was showing >>>>>>>>>>>> empty list (no cert to track) >>>>>>>>>>>> >>>>>>>>>>>> So i run following command to add certs manually: >>>>>>>>>>>> >>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n >>>>>>>>>>>> 'ocspSigningCert cert-pki-ca' -P XXXXXXX >>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n >>>>>>>>>>>> 'auditSigningCert cert-pki-ca' -P XXXXXXX >>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'subsystemCert >>>>>>>>>>>> cert-pki-ca' -P XXXXXXX >>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy' -P XXXXXXX >>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy >>>>>>>>>>>> Intermediate' -P XXXXXXX >>>>>>>>>>>> >>>>>>>>>>>> And after that i am seeing this status (status: NEED_CA ) it should >>>>>>>>>>>> be MONITORING right? >>>>>>>>>>>> >>>>>>>>>>>> # getcert list >>>>>>>>>>>> Number of certificates and requests being tracked: 12. >>>>>>>>>>> >>>>>>>>>>> You setup the tracking wrong. Your output only shows 3 certs and yet >>>>>>>>>>> certmonger thinks it has 12. Where are the other 9? >>>>>>>>>>> >>>>>>>>>>> rob >>>>>>>>> _______________________________________________ >>>>>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org >>>>>>>>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org >>>>>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>>>>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>>>>>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... 
>>>>>>>>> >>>>>>>> >>>>>>> _______________________________________________ >>>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org >>>>>>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org >>>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>>>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... >>>>>>> >>>>>> >>>>> _______________________________________________ >>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org >>>>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org >>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... >>>>> >>>> >>
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
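The recurring problem in this thread is tracking requests that sit in NEED_CA or NEED_KEY_PAIR (or are reported as stuck) instead of MONITORING. As an added example for this page, not a certmonger or FreeIPA tool, the script below parses the plain-text format of getcert list as it is quoted throughout the thread and prints only the unhealthy requests with their request ID and NSS nickname (or file location for type=FILE entries), which is exactly the list you need for getcert stop-tracking -i <request_id>. The sample input is a constructed, abridged copy of three entries from the thread; the function and file names are mine.

```shell
#!/bin/sh
# Added example for this thread, not a certmonger/FreeIPA tool: report every
# certmonger request that is not healthy, i.e. whose status is not MONITORING
# or which certmonger reports as "stuck: yes" (the NEED_CA / NEED_KEY_PAIR
# entries discussed in the thread).  On a real host:
#     getcert list | sh flag_stuck.sh

# flag_stuck: reads `getcert list` text on stdin and prints one line per
# problem request:  <request id> <status> stuck=<yes|no> <nickname or file>
flag_stuck() {
    awk '
        BEGIN {
            # \047 is a single quote; getcert wraps nickname and location in them
            nick_re = "nickname=\047[^\047]*\047"
            loc_re  = "location=\047[^\047]*\047"
        }
        function emit() {
            if (id != "" && (status != "MONITORING" || stuck == "yes"))
                printf "%s %s stuck=%s %s\n", id, status, stuck, where
        }
        # a "Request ID" line opens a new record; flush the previous one first
        $1 == "Request" && $2 == "ID" {
            emit()
            id = $3; gsub(/[^0-9]/, "", id)
            status = "UNKNOWN"; stuck = "?"; where = "?"
            next
        }
        $1 == "status:" { status = $2; next }
        $1 == "stuck:"  { stuck  = $2; next }
        $1 == "certificate:" {
            # prefer the NSS nickname; fall back to the file location for
            # type=FILE entries such as ra-agent.pem or kdc.crt
            line = $0
            if (match(line, nick_re) || match(line, loc_re))
                where = substr(line, RSTART + 10, RLENGTH - 11)
            next
        }
        END { emit() }
    '
}

# sample_getcert_list: constructed, abridged getcert output modelled on the
# entries quoted in this thread (two unhealthy requests, one healthy one).
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20190915043246':
    status: NEED_KEY_PAIR
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
    issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    expires: 2037-12-31 23:59:59 UTC
    track: yes
    auto-renew: yes
Request ID '20190915045156':
    status: NEED_CA
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    expires: 2021-01-05 14:49:59 UTC
    track: yes
    auto-renew: yes
Request ID '20190926141756':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    track: yes
    auto-renew: yes
EOF
}

# Demo on the constructed sample; prints the Godaddy and Signing-Cert requests.
sample_getcert_list | flag_stuck
```

The script deliberately keys on the certificate: line rather than key pair storage:, so the nickname it prints is the one you would pass to certutil or see in nss.conf; a request with no certificate line yet is printed with "?" in that column, which is itself a sign that tracking was set up by hand.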
Satish Patel wrote:
Rob,
As you suggested I did the following (it required a password so I used -P <PIN>)
# ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/ldap-ca-master.example.com -C /usr/libexec/ipa/certmonger/restart_httpd -D ldap-ca-master.example.com -P 9e8c1a9447d56236733f
# ipa-getcert request -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert -K ldap/ldap-ca-master.example.com -C "/usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE.COM" -D ldap-ca-master.example.com -P 013fcd26f4dfa18c4d1bcaac0dbac44f3ad75698
# certutil -V -u V -d /etc/httpd/alias -n Server-Cert
certutil: certificate is valid
# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert
certutil: certificate is valid
If so then you can swap the config to use them. Edit /etc/httpd/conf.d/nss.conf and replace the NSSNickname value with Server-Cert and restart httpd
Do I need to edit the above nss.conf file?
Currently I have the following NSSNickname in the file.
# grep "NSSNickname" /etc/httpd/conf.d/nss.conf
NSSNickname "CN=*.foo.example.com,OU=Domain Control Validated"
Yes.
Here is the full output of getcert list (Do you think it's looking good? I compared with the Replica and I can see the Master has 2 fewer certs compared to the Replica; hope that is ok)
Due to the difference in versions of IPA. This looks ok for a version 4.4.x master.
rob
# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20190926141756':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=CA Audit,O=EXAMPLE.COM
    expires: 2020-11-17 18:32:07 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190926141757':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=OCSP Subsystem,O=EXAMPLE.COM
    expires: 2020-11-17 18:31:26 UTC
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190926141758':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=CA Subsystem,O=EXAMPLE.COM
    expires: 2020-11-17 18:31:16 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190926141759':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=Certificate Authority,O=EXAMPLE.COM
    expires: 2037-01-05 14:47:24 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190926141800':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=IPA RA,O=EXAMPLE.COM
    expires: 2020-11-17 18:31:36 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20190926141801':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
    expires: 2020-11-17 18:30:29 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190927010638':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ldap-ca-master.foo.example.com,O=EXAMPLE.COM
    expires: 2021-09-27 01:06:39 UTC
    dns: ldap-ca-master.foo.EXAMPLE.com
    principal name: HTTP/ldap-ca-master.foo.EXAMPLE.com@EXAMPLE.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
Request ID '20190927011037':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ldap-ca-master.foo.example.com,O=EXAMPLE.COM
    expires: 2021-09-27 01:10:38 UTC
    dns: ldap-ca-master.foo.EXAMPLE.com
    principal name: ldap/ldap-ca-master.foo.example.com@EXAMPLE.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE.COM
    track: yes
    auto-renew: yes
On Thu, Sep 26, 2019 at 2:52 PM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel wrote:
Rob,
I got your point and I will remove all Godaddy certs, but I wanted to say one thing: if I look into the ldap-ca-replica server, which is the other server, I can see Server-Cert. Is there a way I can sync all these replica certs with the master and fix them?
These certs are master-specific. ldap-ca-replica is using IPA-issued server certificates and the other is using Godaddy-issued certificates.
It's possible to issue certificates using the IPA CA to replace these Godaddy certs but I guess I'd check to be sure that's what you really want to do. Most people do this kind of replacement so they don't need to distribute the IPA CA to non-IPA-enrolled systems so they can do self-service management.
Roughly speaking, you'd do something like this:
# ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/<hostname> -C /usr/libexec/ipa/certmonger/restart_httpd -D <hostname>
# ipa-getcert request -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert -K ldap/<hostname> -C "/usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM" -D <hostname>
That will issue the new certs and set them up for tracking.
You can verify that they will work with:
# certutil -V -u V -d <database> -n Server-Cert
Both should return 'certificate is valid'
If so then you can swap the config to use them. Edit /etc/httpd/conf.d/nss.conf and replace the NSSNickname value with Server-Cert and restart httpd
For 389-ds:
# ldapmodify -x -D 'cn=directory manager' -W
dn: cn=RSA,cn=encryption,cn=config
changetype: modify
replace: nsSSLPersonalitySSL
nsSSLPersonalitySSL: Server-Cert
<blank line>
^D
Then restart 389-ds-base, or do both then run ipactl restart
The old certs will still exist in the NSS databases so you can always switch them back if you need to.
rob
This is the replica node output; looks like the replica is very clean.
[root@ldap-ca-replica ~]# getcert list
Number of certificates and requests being tracked: 10.
Request ID '20190918205044':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host',token='NSS Certificate DB',pinfile='/etc/ipa/nssdb/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
    expires: 2021-09-18 20:50:45 UTC
    dns: ldap-ca-replica.foo.EXAMPLE.com
    principal name: host/ldap-ca-replica.foo.EXAMPLE.com@EXAMPLE.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20190918205212':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
    expires: 2021-09-18 20:52:12 UTC
    dns: ldap-ca-replica.foo.EXAMPLE.com
    principal name: ldap/ldap-ca-replica.foo.EXAMPLE.com@EXAMPLE.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
    track: yes
    auto-renew: yes
Request ID '20190918205232':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
    expires: 2021-09-18 20:52:32 UTC
    dns: ldap-ca-replica.foo.EXAMPLE.com
    principal name: HTTP/ldap-ca-replica.foo.EXAMPLE.com@EXAMPLE.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
Request ID '20190918205418':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=IPA RA,O=EXAMPLE.COM
    expires: 2020-11-17 18:31:36 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20190918205431':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=CA Audit,O=EXAMPLE.COM
    expires: 2020-11-17 18:32:07 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190918205432':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=OCSP Subsystem,O=EXAMPLE.COM
    expires: 2020-11-17 18:31:26 UTC
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190918205433':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=CA Subsystem,O=EXAMPLE.COM
    expires: 2020-11-17 18:31:16 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190918205434':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=Certificate Authority,O=EXAMPLE.COM
    expires: 2037-01-05 14:47:24 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190918205435':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
    expires: 2021-09-07 20:54:00 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190918210008':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: SelfSign
    issuer: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
    subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
    expires: 2020-09-18 21:00:08 UTC
    principal name: krbtgt/EXAMPLE.COM@EXAMPLE.COM
    certificate template/profile: KDCs_PKINIT_Certs
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
    track: yes
    auto-renew: yes
On Thu, Sep 26, 2019 at 1:35 PM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel via FreeIPA-users wrote:
Rob,
Here are the web certs
[root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/httpd/alias -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Godaddy                                                      C,,
CN=*.foo.example.com,OU=Domain Control Validated             u,u,u
Signing-Cert                                                 u,u,u
Godaddy Intermediate                                         C,,
ipaCert                                                      u,u,u
Ok, good. Also using a Godaddy cert.
Here is the full output of getcert and I can see some certs showing MONITORING
Ok. I've annotated each cert you should stop tracking. It looks like the CA subsystem certs are ok.
You will need to watch the Godaddy certs yourself and manually renew when the time comes. certmonger has no way to renew those.
To stop tracking these run: getcert stop-tracking -i <request_id>
[root@ldap-ca-master ~]# getcert list
Number of certificates and requests being tracked: 13.
Request ID '20190915043246':
    status: NEED_KEY_PAIR
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
    issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    expires: 2037-12-31 23:59:59 UTC
    key usage: keyCertSign,cRLSign
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
No need to track this one. You'd have no way of renewing it anyway.
Request ID '20190915043304':
    status: NEED_KEY_PAIR
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
    issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=%22GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    expires: 2031-05-03 07:00:00 UTC
    key usage: keyCertSign,cRLSign
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
No need to track this one.
Request ID '20190915045112':
    status: NEED_KEY_PAIR
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',token='NSS Certificate DB'
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=Certificate Authority,O=EXAMPLE.COM
    expires: 2037-01-05 14:47:24 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
You don't need to track the CA cert here.
Request ID '20190915045148': status: NEED_KEY_PAIR stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS Certificate DB' issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US expires: 2037-12-31 23:59:59 UTC key usage: keyCertSign,cRLSign pre-save command: post-save command: track: yes auto-renew: yes
Same, stop the tracking.
Request ID '20190915045156': status: NEED_CA stuck: yes key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB' issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: CN=Object Signing Cert,O=EXAMPLE.COM expires: 2021-01-05 14:49:59 UTC key usage: digitalSignature,keyCertSign pre-save command: post-save command: track: yes auto-renew: yes
This one too.
Request ID '20190915045206': status: NEED_KEY_PAIR stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB' issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=%22GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US expires: 2031-05-03 07:00:00 UTC key usage: keyCertSign,cRLSign pre-save command: post-save command: track: yes auto-renew: yes
And this, stop tracking.
Request ID '20190926141756': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: CN=CA Audit,O=EXAMPLE.COM expires: 2020-11-17 18:32:07 UTC key usage: digitalSignature,nonRepudiation pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20190926141757': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: CN=OCSP Subsystem,O=EXAMPLE.COM expires: 2020-11-17 18:31:26 UTC eku: id-kp-OCSPSigning pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20190926141758': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: CN=CA Subsystem,O=EXAMPLE.COM expires: 2020-11-17 18:31:16 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: 
/usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" track: yes auto-renew: yes Request ID '20190926141759': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: CN=Certificate Authority,O=EXAMPLE.COM expires: 2037-01-05 14:47:24 UTC key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20190926141800': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: CN=IPA RA,O=EXAMPLE.COM expires: 2020-11-17 18:31:36 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes Request ID '20190926141801': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=EXAMPLE.COM subject: 
CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM expires: 2020-11-17 18:30:29 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" track: yes auto-renew: yes Request ID '20190926141802': status: CA_UNCONFIGURED ca-error: Unable to determine principal name for signing request. stuck: yes key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert' CA: IPA issuer: subject: expires: unknown pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM track: yes auto-renew: yes
The tracking on this one is wrong and since you don't have Server-Cert anyway, just stop tracking this one.
rob
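As an added example that is not part of the thread (and not FreeIPA or certmonger code), a small Python audit that parses `getcert list` output in the format quoted above and applies Rob's rule: a request is healthy only when it is MONITORING and names a CA helper; anything without a CA helper (the GoDaddy roots, the copies of the IPA CA cert) or sitting in CA_UNCONFIGURED with a ca-error (the dirsrv Server-Cert) is listed as a candidate for `getcert stop-tracking`. The sample input is constructed from the nicknames and paths in the thread, and the commands are printed for review rather than executed.

```python
"""Audit a `getcert list` dump for tracking requests certmonger cannot renew.

Added example, not code from the thread or from FreeIPA/certmonger. It
encodes the rule Rob applies above: healthy = MONITORING with a `CA:` line;
no CA helper, or CA_UNCONFIGURED with a ca-error, = stop tracking.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of the `getcert list` output quoted in the
# thread (nicknames and paths taken from it, records shortened to the fields
# the audit needs). Real output indents each field with a tab.
SAMPLE_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20190915043246':
\tstatus: NEED_KEY_PAIR
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
\tsubject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
\texpires: 2037-12-31 23:59:59 UTC
\tpre-save command:
\tpost-save command:
\ttrack: yes
Request ID '20190926141756':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Audit,O=EXAMPLE.COM
\texpires: 2020-11-17 18:32:07 UTC
\tpost-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
\ttrack: yes
Request ID '20190926141802':
\tstatus: CA_UNCONFIGURED
\tca-error: Unable to determine principal name for signing request.
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
\tCA: IPA
\tissuer:
\tsubject:
\texpires: unknown
\ttrack: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
NICKNAME_RE = re.compile(r"nickname='([^']*)'")


def parse_getcert_list(text: str) -> List[Dict[str, str]]:
    """Split `getcert list` output into one dict per tracking request.

    Fields are the indented `name: value` lines under each "Request ID"
    header; a value may be empty (e.g. `issuer:` when the cert is missing).
    """
    requests: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        header = REQUEST_RE.match(raw)
        if header:
            current = {"id": header.group(1)}
            requests.append(current)
        elif current and raw[:1] in ("\t", " "):
            # Split on the first colon only: values contain colons (times, URLs).
            name, sep, value = raw.strip().partition(":")
            if sep:
                current[name.strip()] = value.strip()
    return requests


def audit_tracking(requests: List[Dict[str, str]]) -> Tuple[List[str], List[str], Dict[str, str]]:
    """Return (healthy_ids, stop_ids, reason_by_id) following Rob's rule."""
    healthy, stop, reasons = [], [], {}
    for req in requests:
        rid, status = req["id"], req.get("status", "")
        nick = NICKNAME_RE.search(req.get("key pair storage", ""))
        nickname = nick.group(1) if nick else "?"
        if status == "MONITORING" and req.get("CA"):
            healthy.append(rid)
            continue
        if not req.get("CA"):
            reason = "no CA helper, certmonger has no way to renew it"
        elif status == "CA_UNCONFIGURED":
            reason = "tracking misconfigured: " + req.get("ca-error", "")
        else:
            reason = f"status {status}, stuck: {req.get('stuck', '?')}"
        stop.append(rid)
        reasons[rid] = f"{nickname}: {reason}"
    return healthy, stop, reasons


def stop_tracking_commands(stop_ids: List[str]) -> List[str]:
    """Render the cleanup commands for review; nothing is executed here."""
    return [f"getcert stop-tracking -i {rid}" for rid in stop_ids]


if __name__ == "__main__":
    reqs = parse_getcert_list(SAMPLE_OUTPUT)
    ok, bad, why = audit_tracking(reqs)
    print("healthy:", ", ".join(ok))
    for rid in bad:
        print(f"stop {rid}: {why[rid]}")
    print("\n".join(stop_tracking_commands(bad)))
```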
On Thu, Sep 26, 2019 at 10:31 AM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel wrote:
> Addition to last email:
>
> I can't see Server-Cert here but interesting thing i can see
> Server-Cert in my CA replica node on ldap-2 (why my primary
> ldap-ca-master not showing that cert?)
>
> [root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L
>
> Certificate Nickname                                  Trust Attributes
>                                                       SSL,S/MIME,JAR/XPI
>
> EXAMPLE.COM IPA CA                                    CT,C,C
> Godaddy                                               C,,
> CN=*.foo.example.com,OU=Domain Control Validated      u,u,u
> Godaddy Intermediate                                  C,,
At some point someone replaced the IPA-signed LDAP certificate with one signed by GoDaddy (which is fine).
It appears that the version of IPA you're using (at least) doesn't handle this case.
Now, fortunately it's one of the last things done so this may be just fine.
Can you see if your web server cert was also replaced? The database is /etc/httpd/alias.
Also, check your current tracking. The CA subsystem certs should be properly tracked now. It is just the LDAP and web certs that should not be (and if it is still using GoDaddy that is fine).
rob
> > On Thu, Sep 26, 2019 at 10:22 AM Satish Patel satish.txt@gmail.com wrote:
>>
>> Rob,
>>
>> now i got error and here is the output, output was very long so i crop
>> it down and here is the error piece.
>>
>> ipa: INFO: [Upgrading CA schema]
>> ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing
>> ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket from SchemaCache
>> ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for
>> SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket
>> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x85bbf80>
>> ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file
>> /usr/share/pki/server/conf/schema-certProfile.ldif
>> ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file
>> /usr/share/pki/server/conf/schema-authority.ldif
>> ipa.ipaserver.install.schemaupdate: DEBUG: Not updating schema
>> ipa: INFO: CA schema update complete (no changes)
>> ipa: INFO: [Verifying that CA audit signing cert has 2 year validity]
>> ipa.ipaserver.install.cainstance.CAInstance: DEBUG:
>> caSignedLogCert.cfg profile validity range is 720
>> ipa: INFO: [Update certmonger certificate renewal configuration to version 5]
>> ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
>> ipa: DEBUG: Configuring certmonger to stop tracking system certificates for CA
>> Configuring certmonger to stop tracking system certificates for CA
>> ipa: DEBUG: Starting external process
>> ipa: DEBUG: args=/bin/systemctl start messagebus.service
>> ipa: DEBUG: Process finished, return code=0
>> ipa: DEBUG: stdout=
>> ipa: DEBUG: stderr=
>> ipa: DEBUG: Starting external process
>> ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
>> ipa: DEBUG: Process finished, return code=0
>> ipa: DEBUG: stdout=active
>>
>> ipa: DEBUG: stderr=
>> ipa: DEBUG: Starting external process
>> ipa: DEBUG: args=/bin/systemctl start certmonger.service
>> ipa: DEBUG: Process finished, return code=0
>> ipa: DEBUG: stdout=
>> ipa: DEBUG: stderr=
>> ipa: DEBUG: Starting external process
>> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
>> ipa: DEBUG: Process finished, return code=0
>> ipa: DEBUG: stdout=active
>>
>> ipa: DEBUG: stderr=
>> ipa: DEBUG: Starting external process
>> ipa: DEBUG: args=/bin/systemctl stop certmonger.service
>> ipa: DEBUG: Process finished, return code=0
>> ipa: DEBUG: stdout=
>> ipa: DEBUG: stderr=
>> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
>> ipa: DEBUG: Starting external process
>> ipa: DEBUG: args=/bin/systemctl start certmonger.service
>> ipa: DEBUG: Process finished, return code=0
>> ipa: DEBUG: stdout=
>> ipa: DEBUG: stderr=
>> ipa: DEBUG: Starting external process
>> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
>> ipa: DEBUG: Process finished, return code=0
>> ipa: DEBUG: stdout=active
>>
>> ipa: DEBUG: stderr=
>> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
>> ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
>> ipa: DEBUG: Starting external process
>> ipa: DEBUG: args=/bin/systemctl enable certmonger.service
>> ipa: DEBUG: Process finished, return code=0
>> ipa: DEBUG: stdout=
>> ipa: DEBUG: stderr=
>> ipa: DEBUG: Starting external process
>> ipa: DEBUG: args=/bin/systemctl start messagebus.service
>> ipa: DEBUG: Process finished, return code=0
>> ipa: DEBUG: stdout=
>> ipa: DEBUG: stderr=
>> ipa: DEBUG: Starting external process
>> ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
>> ipa: DEBUG: Process finished, return code=0
>> ipa: DEBUG: stdout=active
>>
>> ipa: DEBUG: stderr=
>> ipa: DEBUG: Starting external process
>> ipa: DEBUG: args=/bin/systemctl start certmonger.service
>> ipa: DEBUG: Process finished, return code=0
>> ipa: DEBUG: stdout=
>> ipa: DEBUG: stderr=
>> ipa: DEBUG: Starting external process
>> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
>> ipa: DEBUG: Process finished, return code=0
>> ipa: DEBUG: stdout=active
>>
>> ipa: DEBUG: stderr=
>> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
>> ipa: DEBUG: Starting external process
>> ipa: DEBUG: args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM -L
>> -n Server-Cert -a
>> ipa: DEBUG: Process finished, return code=255
>> ipa: DEBUG: stdout=
>> ipa: DEBUG: stderr=certutil: Could not find cert: Server-Cert
>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>
>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: IPA
>> server upgrade failed: Inspect /var/log/ipaupgrade.log and run command
>> ipa-server-upgrade manually.
>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: File
>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171,
>> in execute
>> return_value = self.run()
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
>> line 46, in run
>> server.upgrade()
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1863, in upgrade
>> upgrade_configuration()
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1769, in upgrade_configuration
>> certificate_renewal_update(ca, ds, http),
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>> line 1027, in certificate_renewal_update
>> ds.start_tracking_certificates(serverid)
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
>> line 983, in start_tracking_certificates
>> 'restart_dirsrv %s' % serverid)
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>> line 307, in track_server_cert
>> nsscert = x509.load_certificate(cert, dbdir=self.secdir)
>> File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 125, in
>> load_certificate
>> return nss.Certificate(buffer(data)) # pylint: disable=buffer-builtin
>>
>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The
>> ipa-server-upgrade command failed, exception: NSPRError:
>> (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR:
>> Unexpected error - see /var/log/ipaupgrade.log for details:
>> NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The
>> ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
>> more information
>>
>> On Thu, Sep 26, 2019 at 9:39 AM Rob Crittenden rcritten@redhat.com wrote:
>>>
>>> Satish Patel wrote:
>>>> I am running "ipa-server-4.4.0-14.el7.centos.4.x86_64"
>>>
>>> Ok, that explains what is happening.
>>>
>>> Edit /var/lib/ipa/sysupgrade/sysupgrade.state and find the [dogtag]
>>> section. Remove the entry for certificate_renewal_update_5.
>>>
>>> This being present is preventing the tracking to be repaired.
>>>
>>> Then run ipa-server-upgrade again and your tracking should be fixed.
>>>
>>> Use the -v flag for additional debugging, not --debug, I was mistaken.
>>>
>>> rob
>>>
>>>> On Wed, Sep 25, 2019 at 5:13 PM Rob Crittenden rcritten@redhat.com wrote:
>>>>>
>>>>> Satish Patel via FreeIPA-users wrote:
>>>>>> I did run "ipa-server-upgrade" and look like it was successful but
>>>>>> still in getcert list showing CA_NEED :(
>>>>>
>>>>> Remind me what the package version of IPA is. I'm confused by the
>>>>> version 5 in the output about renewal configuration.
>>>>>
>>>>> You might also want to try running with --debug as depending on release
>>>>> it will give more information about this.
>>>>>
>>>>> rob
>>>>>
>>>>>> [root@ldap-ca-master ~]# ipa-server-upgrade
>>>>>> Upgrading IPA:
>>>>>> [1/10]: stopping directory server
>>>>>> [2/10]: saving configuration
>>>>>> [3/10]: disabling listeners
>>>>>> [4/10]: enabling DS global lock
>>>>>> [5/10]: starting directory server
>>>>>> [6/10]: updating schema
>>>>>> [7/10]: upgrading server
>>>>>> [8/10]: stopping directory server
>>>>>> [9/10]: restoring configuration
>>>>>> [10/10]: starting directory server
>>>>>> Done.
>>>>>> Update complete
>>>>>> Upgrading IPA services
>>>>>> Upgrading the configuration of the IPA services
>>>>>> [Verifying that root certificate is published]
>>>>>> [Migrate CRL publish directory]
>>>>>> CRL tree already moved
>>>>>> /etc/dirsrv/slapd-EXAMPLE-COM/certmap.conf is now managed by IPA. It
>>>>>> will be overwritten. A backup of the original will be made.
>>>>>> [Verifying that CA proxy configuration is correct]
>>>>>> [Verifying that KDC configuration is using ipa-kdb backend]
>>>>>> [Fix DS schema file syntax]
>>>>>> Syntax already fixed
>>>>>> [Removing RA cert from DS NSS database]
>>>>>> RA cert already removed
>>>>>> [Enable sidgen and extdom plugins by default]
>>>>>> [Updating HTTPD service IPA configuration]
>>>>>> [Updating mod_nss protocol versions]
>>>>>> Protocol versions already updated
>>>>>> [Updating mod_nss cipher suite]
>>>>>> [Fixing trust flags in /etc/httpd/alias]
>>>>>> Trust flags already processed
>>>>>> [Exporting KRA agent PEM file]
>>>>>> KRA is not enabled
>>>>>> [Removing self-signed CA]
>>>>>> [Removing Dogtag 9 CA]
>>>>>> [Checking for deprecated KDC configuration files]
>>>>>> [Checking for deprecated backups of Samba configuration files]
>>>>>> [Setting up Firefox extension]
>>>>>> [Add missing CA DNS records]
>>>>>> IPA CA DNS records already processed
>>>>>> [Removing deprecated DNS configuration options]
>>>>>> DNS is not configured
>>>>>> [Ensuring minimal number of connections]
>>>>>> DNS is not configured
>>>>>> [Enabling serial autoincrement in DNS]
>>>>>> DNS is not configured
>>>>>> [Updating GSSAPI configuration in DNS]
>>>>>> DNS is not configured
>>>>>> [Updating pid-file configuration in DNS]
>>>>>> DNS is not configured
>>>>>> DNS is not configured
>>>>>> DNS is not configured
>>>>>> DNS is not configured
>>>>>> DNS is not configured
>>>>>> DNS is not configured
>>>>>> DNS is not configured
>>>>>> DNS is not configured
>>>>>> [Upgrading CA schema]
>>>>>> CA schema update complete (no changes)
>>>>>> [Verifying that CA audit signing cert has 2 year validity]
>>>>>> [Update certmonger certificate renewal configuration to version 5]
>>>>>> [Enable PKIX certificate path discovery and validation]
>>>>>> PKIX already enabled
>>>>>> [Authorizing RA Agent to modify profiles]
>>>>>> [Authorizing RA Agent to manage lightweight CAs]
>>>>>> [Ensuring Lightweight CAs container exists in Dogtag database]
>>>>>> [Adding default OCSP URI configuration]
>>>>>> [Ensuring CA is using LDAPProfileSubsystem]
>>>>>> [Migrating certificate profiles to LDAP]
>>>>>> [Ensuring presence of included profiles]
>>>>>> [Add default CA ACL]
>>>>>> Default CA ACL already added
>>>>>> [Set up lightweight CA key retrieval]
>>>>>> Creating principal
>>>>>> Retrieving keytab
>>>>>> Creating Custodia keys
>>>>>> Configuring key retriever
>>>>>> The IPA services were upgraded
>>>>>> The ipa-server-upgrade command was successful
>>>>>>
>>>>>> [root@ldap-ca-master ~]# getcert list | grep status
>>>>>> status: NEED_CA
>>>>>> status: NEED_CA
>>>>>> status: NEED_CA
>>>>>> status: NEED_CA
>>>>>> status: NEED_CA
>>>>>> status: NEED_KEY_PAIR
>>>>>> status: NEED_KEY_PAIR
>>>>>> status: NEED_KEY_PAIR
>>>>>> status: NEED_KEY_PAIR
>>>>>> status: NEED_CA
>>>>>> status: NEED_KEY_PAIR
>>>>>> status: NEED_CA
>>>>>>
>>>>>> On Tue, Sep 24, 2019 at 3:55 AM Florence Blanc-Renaud flo@redhat.com wrote:
>>>>>>>
>>>>>>> On 9/23/19 4:10 PM, Satish Patel via FreeIPA-users wrote:
>>>>>>>> Thanks Florence,
>>>>>>>>
>>>>>>>> is it safe to run "ipa-server-upgrade" ?
>>>>>>>>
>>>>>>> Hi,
>>>>>>> generally yes :)
>>>>>>>
>>>>>>> We had a few tickets related to upgrade but they are mainly revealing
>>>>>>> already present issues (for instance because this CLI stops and starts
>>>>>>> the services, expired certs would prevent successful completion).
>>>>>>>
>>>>>>>> Do i need to provide any option with "ipa-server-upgrade" command? i
>>>>>>>> believe few month back when i tried to do "ipa-server-upgrade" it
>>>>>>>> broke some stuff but anyway i will take snapshot of VM and try in
>>>>>>>> worst case scenario.
>>>>>>> With the VM snapshot you are on the safe side.
>>>>>>>
>>>>>>> flo
>>>>>>>
>>>>>>>> On Mon, Sep 23, 2019 at 2:25 AM Florence Blanc-Renaud flo@redhat.com wrote:
>>>>>>>>>
>>>>>>>>> On 9/21/19 7:41 PM, Satish Patel via FreeIPA-users wrote:
>>>>>>>>>> Any thought ?
>>>>>>>>> Hi,
>>>>>>>>> if you run ipa-server-upgrade on this node, the command will fix the
>>>>>>>>> tracking of certs. You should see in the output;
>>>>>>>>> [Update certmonger certificate renewal configuration]
>>>>>>>>>
>>>>>>>>> HTH,
>>>>>>>>> flo
>>>>>>>>>
>>>>>>>>>> Sent from my iPhone
>>>>>>>>>>
>>>>>>>>>>> On Sep 20, 2019, at 11:35 AM, Satish Patel satish.txt@gmail.com wrote:
>>>>>>>>>>>
>>>>>>>>>>> Rob sorry, i trim my output thought not necessary but anyway here is
>>>>>>>>>>> the full list (ignore CAPS letter in output)
>>>>>>>>>>>
>>>>>>>>>>> [root@ldap-ca-master ~]# getcert list
>>>>>>>>>>>
>>>>>>>>>>> Number of certificates and requests being tracked: 12.
>>>>>>>>>>> >>>>>>>>>>> Request ID '20190915042927': >>>>>>>>>>> >>>>>>>>>>> status: NEED_CA >>>>>>>>>>> >>>>>>>>>>> stuck: yes >>>>>>>>>>> >>>>>>>>>>> key pair storage: >>>>>>>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert >>>>>>>>>>> cert-pki-ca',token='NSS Certificate DB',pin set >>>>>>>>>>> >>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert >>>>>>>>>>> cert-pki-ca',token='NSS Certificate DB' >>>>>>>>>>> >>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>>>>>>>>> >>>>>>>>>>> subject: CN=Certificate Authority,O=EXAMPLE.COM >>>>>>>>>>> >>>>>>>>>>> expires: 2037-01-05 14:47:24 UTC >>>>>>>>>>> >>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign >>>>>>>>>>> >>>>>>>>>>> pre-save command: >>>>>>>>>>> >>>>>>>>>>> post-save command: >>>>>>>>>>> >>>>>>>>>>> track: yes >>>>>>>>>>> >>>>>>>>>>> auto-renew: yes >>>>>>>>>>> >>>>>>>>>>> Request ID '20190915043150': >>>>>>>>>>> >>>>>>>>>>> status: NEED_CA >>>>>>>>>>> >>>>>>>>>>> stuck: yes >>>>>>>>>>> >>>>>>>>>>> key pair storage: >>>>>>>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert >>>>>>>>>>> cert-pki-ca',token='NSS Certificate DB',pin set >>>>>>>>>>> >>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert >>>>>>>>>>> cert-pki-ca',token='NSS Certificate DB' >>>>>>>>>>> >>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>>>>>>>>> >>>>>>>>>>> subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM >>>>>>>>>>> >>>>>>>>>>> expires: 2020-11-17 18:30:29 UTC >>>>>>>>>>> >>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >>>>>>>>>>> >>>>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth >>>>>>>>>>> >>>>>>>>>>> pre-save command: >>>>>>>>>>> >>>>>>>>>>> post-save command: >>>>>>>>>>> >>>>>>>>>>> track: yes >>>>>>>>>>> >>>>>>>>>>> auto-renew: yes >>>>>>>>>>> >>>>>>>>>>> Request ID '20190915043212': >>>>>>>>>>> 
>>>>>>>>>>> status: NEED_CA >>>>>>>>>>> >>>>>>>>>>> stuck: yes >>>>>>>>>>> >>>>>>>>>>> key pair storage: >>>>>>>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert >>>>>>>>>>> cert-pki-ca',token='NSS Certificate DB',pin set >>>>>>>>>>> >>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert >>>>>>>>>>> cert-pki-ca',token='NSS Certificate DB' >>>>>>>>>>> >>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>>>>>>>>> >>>>>>>>>>> subject: CN=OCSP Subsystem,O=EXAMPLE.COM >>>>>>>>>>> >>>>>>>>>>> expires: 2020-11-17 18:31:26 UTC >>>>>>>>>>> >>>>>>>>>>> eku: id-kp-OCSPSigning >>>>>>>>>>> >>>>>>>>>>> pre-save command: >>>>>>>>>>> >>>>>>>>>>> post-save command: >>>>>>>>>>> >>>>>>>>>>> track: yes >>>>>>>>>>> >>>>>>>>>>> auto-renew: yes >>>>>>>>>>> >>>>>>>>>>> Request ID '20190915043224': >>>>>>>>>>> >>>>>>>>>>> status: NEED_CA >>>>>>>>>>> >>>>>>>>>>> stuck: yes >>>>>>>>>>> >>>>>>>>>>> key pair storage: >>>>>>>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert >>>>>>>>>>> cert-pki-ca',token='NSS Certificate DB',pin set >>>>>>>>>>> >>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert >>>>>>>>>>> cert-pki-ca',token='NSS Certificate DB' >>>>>>>>>>> >>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>>>>>>>>> >>>>>>>>>>> subject: CN=CA Audit,O=EXAMPLE.COM >>>>>>>>>>> >>>>>>>>>>> expires: 2020-11-17 18:32:07 UTC >>>>>>>>>>> >>>>>>>>>>> key usage: digitalSignature,nonRepudiation >>>>>>>>>>> >>>>>>>>>>> pre-save command: >>>>>>>>>>> >>>>>>>>>>> post-save command: >>>>>>>>>>> >>>>>>>>>>> track: yes >>>>>>>>>>> >>>>>>>>>>> auto-renew: yes >>>>>>>>>>> >>>>>>>>>>> Request ID '20190915043237': >>>>>>>>>>> >>>>>>>>>>> status: NEED_CA >>>>>>>>>>> >>>>>>>>>>> stuck: yes >>>>>>>>>>> >>>>>>>>>>> key pair storage: >>>>>>>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert >>>>>>>>>>> cert-pki-ca',token='NSS 
Certificate DB',pin set >>>>>>>>>>> >>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert >>>>>>>>>>> cert-pki-ca',token='NSS Certificate DB' >>>>>>>>>>> >>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>>>>>>>>> >>>>>>>>>>> subject: CN=CA Subsystem,O=EXAMPLE.COM >>>>>>>>>>> >>>>>>>>>>> expires: 2020-11-17 18:31:16 UTC >>>>>>>>>>> >>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >>>>>>>>>>> >>>>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth >>>>>>>>>>> >>>>>>>>>>> pre-save command: >>>>>>>>>>> >>>>>>>>>>> post-save command: >>>>>>>>>>> >>>>>>>>>>> track: yes >>>>>>>>>>> >>>>>>>>>>> auto-renew: yes >>>>>>>>>>> >>>>>>>>>>> Request ID '20190915043246': >>>>>>>>>>> >>>>>>>>>>> status: NEED_KEY_PAIR >>>>>>>>>>> >>>>>>>>>>> stuck: no >>>>>>>>>>> >>>>>>>>>>> key pair storage: >>>>>>>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin >>>>>>>>>>> set >>>>>>>>>>> >>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS >>>>>>>>>>> Certificate DB' >>>>>>>>>>> >>>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, >>>>>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US >>>>>>>>>>> >>>>>>>>>>> subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, >>>>>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US >>>>>>>>>>> >>>>>>>>>>> expires: 2037-12-31 23:59:59 UTC >>>>>>>>>>> >>>>>>>>>>> key usage: keyCertSign,cRLSign >>>>>>>>>>> >>>>>>>>>>> pre-save command: >>>>>>>>>>> >>>>>>>>>>> post-save command: >>>>>>>>>>> >>>>>>>>>>> track: yes >>>>>>>>>>> >>>>>>>>>>> auto-renew: yes >>>>>>>>>>> >>>>>>>>>>> Request ID '20190915043304': >>>>>>>>>>> >>>>>>>>>>> status: NEED_KEY_PAIR >>>>>>>>>>> >>>>>>>>>>> stuck: no >>>>>>>>>>> >>>>>>>>>>> key pair storage: >>>>>>>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy >>>>>>>>>>> Intermediate',pin set >>>>>>>>>>> >>>>>>>>>>> certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy >>>>>>>>>>> Intermediate',token='NSS Certificate DB' >>>>>>>>>>> >>>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, >>>>>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US >>>>>>>>>>> >>>>>>>>>>> subject: CN=Go Daddy Secure Certificate Authority - >>>>>>>>>>> G2,OU=http://certs.godaddy.com/repository/,O=%22GoDaddy.com, >>>>>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US >>>>>>>>>>> >>>>>>>>>>> expires: 2031-05-03 07:00:00 UTC >>>>>>>>>>> >>>>>>>>>>> key usage: keyCertSign,cRLSign >>>>>>>>>>> >>>>>>>>>>> pre-save command: >>>>>>>>>>> >>>>>>>>>>> post-save command: >>>>>>>>>>> >>>>>>>>>>> track: yes >>>>>>>>>>> >>>>>>>>>>> auto-renew: yes >>>>>>>>>>> >>>>>>>>>>> Request ID '20190915045112': >>>>>>>>>>> >>>>>>>>>>> status: NEED_KEY_PAIR >>>>>>>>>>> >>>>>>>>>>> stuck: no >>>>>>>>>>> >>>>>>>>>>> key pair storage: >>>>>>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA >>>>>>>>>>> CA',pinfile='/etc/httpd/alias/pwdfile.txt' >>>>>>>>>>> >>>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM >>>>>>>>>>> IPA CA',token='NSS Certificate DB' >>>>>>>>>>> >>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>>>>>>>>> >>>>>>>>>>> subject: CN=Certificate Authority,O=EXAMPLE.COM >>>>>>>>>>> >>>>>>>>>>> expires: 2037-01-05 14:47:24 UTC >>>>>>>>>>> >>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign >>>>>>>>>>> >>>>>>>>>>> pre-save command: >>>>>>>>>>> >>>>>>>>>>> post-save command: >>>>>>>>>>> >>>>>>>>>>> track: yes >>>>>>>>>>> >>>>>>>>>>> auto-renew: yes >>>>>>>>>>> >>>>>>>>>>> Request ID '20190915045148': >>>>>>>>>>> >>>>>>>>>>> status: NEED_KEY_PAIR >>>>>>>>>>> >>>>>>>>>>> stuck: no >>>>>>>>>>> >>>>>>>>>>> key pair storage: >>>>>>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt' >>>>>>>>>>> >>>>>>>>>>> certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS Certificate DB'
>>>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>> subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>> expires: 2037-12-31 23:59:59 UTC
>>>>>>>>>>> key usage: keyCertSign,cRLSign
>>>>>>>>>>> pre-save command:
>>>>>>>>>>> post-save command:
>>>>>>>>>>> track: yes
>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>> Request ID '20190915045156':
>>>>>>>>>>>     status: NEED_CA
>>>>>>>>>>>     stuck: yes
>>>>>>>>>>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>>>>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
>>>>>>>>>>>     issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>     subject: CN=Object Signing Cert,O=EXAMPLE.COM
>>>>>>>>>>>     expires: 2021-01-05 14:49:59 UTC
>>>>>>>>>>>     key usage: digitalSignature,keyCertSign
>>>>>>>>>>>     pre-save command:
>>>>>>>>>>>     post-save command:
>>>>>>>>>>>     track: yes
>>>>>>>>>>>     auto-renew: yes
>>>>>>>>>>> Request ID '20190915045206':
>>>>>>>>>>>     status: NEED_KEY_PAIR
>>>>>>>>>>>     stuck: no
>>>>>>>>>>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>>>>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
>>>>>>>>>>>     issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>     subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=%22GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>     expires: 2031-05-03 07:00:00 UTC
>>>>>>>>>>>     key usage: keyCertSign,cRLSign
>>>>>>>>>>>     pre-save command:
>>>>>>>>>>>     post-save command:
>>>>>>>>>>>     track: yes
>>>>>>>>>>>     auto-renew: yes
>>>>>>>>>>> Request ID '20190915045216':
>>>>>>>>>>>     status: NEED_CA
>>>>>>>>>>>     stuck: yes
>>>>>>>>>>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>>>>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>>>>>>>>>     issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>     subject: CN=IPA RA,O=EXAMPLE.COM
>>>>>>>>>>>     expires: 2020-11-17 18:31:36 UTC
>>>>>>>>>>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>>>>>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>>>>>     pre-save command:
>>>>>>>>>>>     post-save command:
>>>>>>>>>>>     track: yes
>>>>>>>>>>>     auto-renew: yes
>>>>>>>>>>>> On Fri, Sep 20, 2019 at 10:58 AM Rob Crittenden rcritten@redhat.com wrote:
>>>>>>>>>>>> Satish Patel via FreeIPA-users wrote:
>>>>>>>>>>>>> A few days ago my master CA was messed up and getcert list was showing an empty list (no cert to track).
>>>>>>>>>>>>> So I ran the following commands to add certs manually:
>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'ocspSigningCert cert-pki-ca' -P XXXXXXX
>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca' -P XXXXXXX
>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -P XXXXXXX
>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy' -P XXXXXXX
>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy Intermediate' -P XXXXXXX
>>>>>>>>>>>>> And after that I am seeing this status (status: NEED_CA); it should be MONITORING, right?
>>>>>>>>>>>>> # getcert list
>>>>>>>>>>>>> Number of certificates and requests being tracked: 12.
>>>>>>>>>>>> You setup the tracking wrong. Your output only shows 3 certs and yet certmonger thinks it has 12. Where are the other 9?
>>>>>>>>>>>> rob
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
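An added example, not code from the FreeIPA project or from anyone in this thread: a small audit script that parses the `getcert list` text format quoted throughout the thread and reports the conditions Rob flags (a status other than MONITORING, a stuck request, a tracking entry with no CA that certmonger could renew against), plus certificates expiring within a chosen window. The sample listing is constructed from entries seen in the thread; the script name in the usage comment is hypothetical.

```python
"""Audit `getcert list` output: added example, not FreeIPA project code.
Parses the "Request ID '...'" blocks that `getcert list` prints (as quoted in
this thread) and flags what Rob points out: status other than MONITORING,
stuck requests, and entries with no CA (nothing certmonger could renew
against); it also lists certificates expiring within a window. Sample
input below is constructed from the thread's entries."""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on entries quoted in the thread.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20190915045156':
\tstatus: NEED_CA
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
\tsubject: CN=Object Signing Cert,O=EXAMPLE.COM
\texpires: 2021-01-05 14:49:59 UTC
\tpre-save command:
\tpost-save command:
Request ID '20190926141756':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Audit,O=EXAMPLE.COM
\texpires: 2020-11-17 18:32:07 UTC
\tpre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
\tpost-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
Request ID '20190926141802':
\tstatus: CA_UNCONFIGURED
\tca-error: Unable to determine principal name for signing request.
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
\tCA: IPA
\tsubject:
\texpires: unknown
\tpre-save command:
\tpost-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_getcert_list(text):
    """Return one dict per tracked request: {'id': ..., field: value, ...}."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and line[:1] in (" ", "\t"):
            # Field lines are indented; split on the first colon only, since
            # values such as location='...' and the ca-error text contain colons.
            key, sep, value = line.strip().partition(":")
            if sep:
                current[key.strip()] = value.strip()
    return requests


def nickname(req):
    """NSS nickname of the tracked cert, falling back to its file location."""
    cert = req.get("certificate", "")
    m = re.search(r"nickname='([^']*)'", cert) or re.search(r"location='([^']*)'", cert)
    return m.group(1) if m else "?"


def parse_expiry(value):
    """Convert an 'expires:' value to an aware datetime, or None for 'unknown'."""
    try:
        return datetime.strptime(value, EXPIRES_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def audit(requests, now, warn_days=30):
    """Return (problems, expiring): lists of (request id, nickname, detail)."""
    problems, expiring = [], []
    for r in requests:
        nick, status = nickname(r), r.get("status", "?")
        if status != "MONITORING":
            problems.append((r["id"], nick, "status " + status))
        if r.get("stuck") == "yes":
            problems.append((r["id"], nick, "stuck: " + r.get("ca-error", "no detail")))
        if "CA" not in r:
            problems.append((r["id"], nick, "no CA: certmonger cannot renew this"))
        exp = parse_expiry(r.get("expires", "unknown"))
        if exp is not None and exp - now <= timedelta(days=warn_days):
            expiring.append((r["id"], nick, r["expires"]))
    return problems, expiring


if __name__ == "__main__":
    # Pipe real output in with:  getcert list | python3 audit_getcert.py -
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE
    problems, expiring = audit(parse_getcert_list(text), datetime.now(timezone.utc))
    for rid, nick, detail in problems:
        print(f"REVIEW  {rid}  {nick}: {detail}")
    for rid, nick, when in expiring:
        print(f"EXPIRY  {rid}  {nick}: {when}")
```

Entries reported under REVIEW are the candidates for `getcert stop-tracking -i <request_id>` or for re-requesting with `ipa-getcert request`, as discussed in the thread; EXPIRY entries with no CA are the ones that must be renewed by hand.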
Rob,
Last question: when does certmonger renew all certificates automatically? I mean, 24 hours before? Just want to make sure it does, otherwise I will be in trouble again :)
Done, I did that change and restarted httpd. I believe all my issues have now been fixed. Thank you so much for your support.
[root@ldap-ca-master conf.d]# grep "NSSNickname" /etc/httpd/conf.d/nss.conf
NSSNickname Server-Cert
On Fri, Sep 27, 2019 at 8:41 AM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel wrote:
Rob,
As you suggested I did the following (it required a password so I used -P <PIN>):
# ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/ldap-ca-master.example.com -C /usr/libexec/ipa/certmonger/restart_httpd -D ldap-ca-master.example.com -P 9e8c1a9447d56236733f
# ipa-getcert request -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert -K ldap/ldap-ca-master.example.com -C "/usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE.COM" -D ldap-ca-master.example.com -P 013fcd26f4dfa18c4d1bcaac0dbac44f3ad75698
# certutil -V -u V -d /etc/httpd/alias -n Server-Cert
certutil: certificate is valid
# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert
certutil: certificate is valid
If so then you can swap the config to use them. Edit
/etc/httpd/conf.d/nss.conf and replace the NSSNickname value with Server-Cert and restart httpd
Do I need to edit the above nss.conf file?
Currently I have the following NSSNickname in the file.
# grep "NSSNickname" /etc/httpd/conf.d/nss.conf
NSSNickname "CN=*.foo.example.com,OU=Domain Control Validated"
Yes.
Here is the full output of getcert list (Do you think it's looking good? I compared with the replica and I can see the master has 2 fewer certs than the replica; hope that is ok)
Due to the difference in versions of IPA. This looks ok for a version 4.4.x master.
rob
# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20190926141756':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=CA Audit,O=EXAMPLE.COM
    expires: 2020-11-17 18:32:07 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190926141757':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=OCSP Subsystem,O=EXAMPLE.COM
    expires: 2020-11-17 18:31:26 UTC
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190926141758':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=CA Subsystem,O=EXAMPLE.COM
    expires: 2020-11-17 18:31:16 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190926141759':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=Certificate Authority,O=EXAMPLE.COM
    expires: 2037-01-05 14:47:24 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190926141800':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=IPA RA,O=EXAMPLE.COM
    expires: 2020-11-17 18:31:36 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20190926141801':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
    expires: 2020-11-17 18:30:29 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190927010638':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ldap-ca-master.foo.example.com,O=EXAMPLE.COM
    expires: 2021-09-27 01:06:39 UTC
    dns: ldap-ca-master.foo.EXAMPLE.com
    principal name: HTTP/ldap-ca-master.foo.EXAMPLE.com@EXAMPLE.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
Request ID '20190927011037':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ldap-ca-master.foo.example.com,O=EXAMPLE.COM
    expires: 2021-09-27 01:10:38 UTC
    dns: ldap-ca-master.foo.EXAMPLE.com
    principal name: ldap/ldap-ca-master.foo.example.com@EXAMPLE.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE.COM
    track: yes
    auto-renew: yes
On Thu, Sep 26, 2019 at 2:52 PM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel wrote:
Rob,
I got your point and I will remove all Godaddy certs, but I wanted to say one thing: if I look into the ldap-ca-replica server, which is the other server, I can see Server-Cert. Is there a way I can sync all these replica certs with the master and fix them?
These certs are master-specific. ldap-ca-replica is using IPA-issued server certificates and the other is using Godaddy-issued certificates.
It's possible to issue certificates using the IPA CA to replace these Godaddy certs but I guess I'd check to be sure that's what you really want to do. Most people do this kind of replacement so they don't need to distribute the IPA CA to non-IPA-enrolled systems so they can do self-service management.
Roughly speaking, you'd do something like this:
# ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/<hostname> -C /usr/libexec/ipa/certmonger/restart_httpd -D <hostname>
# ipa-getcert request -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert -K ldap/<hostname> -C "/usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM" -D <hostname>
That will issue the new certs and set them up for tracking.
You can verify that they will work with:
# certutil -V -u V -d <database> -n Server-Cert
Both should return 'certificate is valid'
If so then you can swap the config to use them. Edit /etc/httpd/conf.d/nss.conf and replace the NSSNickname value with Server-Cert and restart httpd
For 389-ds:
# ldapmodify -x -D 'cn=directory manager' -W
dn: cn=RSA,cn=encryption,cn=config
changetype: modify
replace: nsSSLPersonalitySSL
nsSSLPersonalitySSL: Server-Cert
<blank line>
^D
Then restart 389-ds-base, or do both then run ipactl restart
The old certs will still exist in the NSS databases so you can always switch them back if you need to.
rob
This is the replica node output; it looks like the replica is very clean.
[root@ldap-ca-replica ~]# getcert list
Number of certificates and requests being tracked: 10.
Request ID '20190918205044':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host',token='NSS Certificate DB',pinfile='/etc/ipa/nssdb/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
    expires: 2021-09-18 20:50:45 UTC
    dns: ldap-ca-replica.foo.EXAMPLE.com
    principal name: host/ldap-ca-replica.foo.EXAMPLE.com@EXAMPLE.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20190918205212':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
    expires: 2021-09-18 20:52:12 UTC
    dns: ldap-ca-replica.foo.EXAMPLE.com
    principal name: ldap/ldap-ca-replica.foo.EXAMPLE.com@EXAMPLE.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
    track: yes
    auto-renew: yes
Request ID '20190918205232':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
    expires: 2021-09-18 20:52:32 UTC
    dns: ldap-ca-replica.foo.EXAMPLE.com
    principal name: HTTP/ldap-ca-replica.foo.EXAMPLE.com@EXAMPLE.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
Request ID '20190918205418':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=IPA RA,O=EXAMPLE.COM
    expires: 2020-11-17 18:31:36 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20190918205431':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=CA Audit,O=EXAMPLE.COM
    expires: 2020-11-17 18:32:07 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190918205432':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=OCSP Subsystem,O=EXAMPLE.COM
    expires: 2020-11-17 18:31:26 UTC
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190918205433':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=CA Subsystem,O=EXAMPLE.COM
    expires: 2020-11-17 18:31:16 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190918205434':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=Certificate Authority,O=EXAMPLE.COM
    expires: 2037-01-05 14:47:24 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190918205435':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
    expires: 2021-09-07 20:54:00 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190918210008':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: SelfSign
    issuer: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
    subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
    expires: 2020-09-18 21:00:08 UTC
    principal name: krbtgt/EXAMPLE.COM@EXAMPLE.COM
    certificate template/profile: KDCs_PKINIT_Certs
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
    track: yes
    auto-renew: yes
On Thu, Sep 26, 2019 at 1:35 PM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel via FreeIPA-users wrote:
Rob,
Here are the web certs
[root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/httpd/alias -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Godaddy                                                      C,,
CN=*.foo.example.com,OU=Domain Control Validated             u,u,u
Signing-Cert                                                 u,u,u
Godaddy Intermediate                                         C,,
ipaCert                                                      u,u,u
Ok, good. Also using a Godaddy cert.
Here is the full output of getcert and I can see some certs showing MONITORING
Ok. I've annotated each cert you should stop tracking. It looks like the CA subsystem certs are ok.
You will need to watch the Godaddy certs yourself and manually renew when the time comes. certmonger has no way to renew those.
To stop tracking these run:
getcert stop-tracking -i <request_id>
[root@ldap-ca-master ~]# getcert list
Number of certificates and requests being tracked: 13.
Request ID '20190915043246':
    status: NEED_KEY_PAIR
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
    issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    expires: 2037-12-31 23:59:59 UTC
    key usage: keyCertSign,cRLSign
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
No need to track this one. You'd have no way of renewing it anyway.
Request ID '20190915043304':
    status: NEED_KEY_PAIR
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
    issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=%22GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    expires: 2031-05-03 07:00:00 UTC
    key usage: keyCertSign,cRLSign
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
No need to track this one.
Request ID '20190915045112':
    status: NEED_KEY_PAIR
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',token='NSS Certificate DB'
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=Certificate Authority,O=EXAMPLE.COM
    expires: 2037-01-05 14:47:24 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
You don't need to track the CA cert here.
Request ID '20190915045148':
    status: NEED_KEY_PAIR
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS Certificate DB'
    issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    expires: 2037-12-31 23:59:59 UTC
    key usage: keyCertSign,cRLSign
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Same, stop the tracking.
Request ID '20190915045156':
    status: NEED_CA
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=Object Signing Cert,O=EXAMPLE.COM
    expires: 2021-01-05 14:49:59 UTC
    key usage: digitalSignature,keyCertSign
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
This one too.
Request ID '20190915045206':
    status: NEED_KEY_PAIR
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
    issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=%22GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    expires: 2031-05-03 07:00:00 UTC
    key usage: keyCertSign,cRLSign
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
And this, stop tracking.
Request ID '20190926141756':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=CA Audit,O=EXAMPLE.COM
    expires: 2020-11-17 18:32:07 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190926141757':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=OCSP Subsystem,O=EXAMPLE.COM
    expires: 2020-11-17 18:31:26 UTC
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190926141758':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=CA Subsystem,O=EXAMPLE.COM
    expires: 2020-11-17 18:31:16 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190926141759':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=Certificate Authority,O=EXAMPLE.COM
    expires: 2037-01-05 14:47:24 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190926141800':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=IPA RA,O=EXAMPLE.COM
    expires: 2020-11-17 18:31:36 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20190926141801':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
    expires: 2020-11-17 18:30:29 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190926141802':
    status: CA_UNCONFIGURED
    ca-error: Unable to determine principal name for signing request.
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
    CA: IPA
    issuer:
    subject:
    expires: unknown
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
    track: yes
    auto-renew: yes
The tracking on this one is wrong and since you don't have Server-Cert anyway, just stop tracking this one.
rob
On Thu, Sep 26, 2019 at 10:31 AM Rob Crittenden rcritten@redhat.com wrote:
>
> Satish Patel wrote:
>> Addition to last email:
>>
>> I can't see Server-Cert here, but the interesting thing is I can see Server-Cert in my CA replica node on ldap-2 (why is my primary ldap-ca-master not showing that cert?)
>>
>> [root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> EXAMPLE.COM IPA CA                                           CT,C,C
>> Godaddy                                                      C,,
>> CN=*.foo.example.com,OU=Domain Control Validated             u,u,u
>> Godaddy Intermediate                                         C,,
>
> At some point someone replaced the IPA-signed LDAP certificate with one signed by GoDaddy (which is fine).
>
> It appears that the version of IPA you're using (at least) doesn't handle this case.
>
> Now, fortunately it's one of the last things done so this may be just fine.
>
> Can you see if your web server cert was also replaced? The database is /etc/httpd/alias.
>
> Also, check your current tracking. The CA subsystem certs should be properly tracked now. It is just the LDAP and web certs that should not be (and if it is still using GoDaddy that is fine).
>
> rob
>
>> On Thu, Sep 26, 2019 at 10:22 AM Satish Patel satish.txt@gmail.com wrote:
>>>
>>> Rob,
>>>
>>> Now I got an error and here is the output; the output was very long so I cropped it down and here is the error piece.
>>>
>>> ipa: INFO: [Upgrading CA schema]
>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket from SchemaCache
>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x85bbf80>
>>> ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file /usr/share/pki/server/conf/schema-certProfile.ldif
>>> ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file /usr/share/pki/server/conf/schema-authority.ldif
>>> ipa.ipaserver.install.schemaupdate: DEBUG: Not updating schema
>>> ipa: INFO: CA schema update complete (no changes)
>>> ipa: INFO: [Verifying that CA audit signing cert has 2 year validity]
>>> ipa.ipaserver.install.cainstance.CAInstance: DEBUG: caSignedLogCert.cfg profile validity range is 720
>>> ipa: INFO: [Update certmonger certificate renewal configuration to version 5]
>>> ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
>>> ipa: DEBUG: Configuring certmonger to stop tracking system certificates for CA
>>> Configuring certmonger to stop tracking system certificates for CA
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args=/bin/systemctl start messagebus.service
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=active
>>>
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args=/bin/systemctl start certmonger.service
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=active
>>>
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args=/bin/systemctl stop certmonger.service
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args=/bin/systemctl start certmonger.service
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=active
>>>
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
>>> ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args=/bin/systemctl enable certmonger.service
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args=/bin/systemctl start messagebus.service
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=active
>>>
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args=/bin/systemctl start certmonger.service
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=active
>>>
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM -L -n Server-Cert -a
>>> ipa: DEBUG: Process finished, return code=255
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=certutil: Could not find cert: Server-Cert
>>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>>
>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>>     return_value = self.run()
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
>>>     server.upgrade()
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1863, in upgrade
>>>     upgrade_configuration()
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1769, in upgrade_configuration
>>>     certificate_renewal_update(ca, ds, http),
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1027, in certificate_renewal_update
>>>     ds.start_tracking_certificates(serverid)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 983, in start_tracking_certificates
>>>     'restart_dirsrv %s' % serverid)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 307, in track_server_cert
>>>     nsscert = x509.load_certificate(cert, dbdir=self.secdir)
>>>   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 125, in load_certificate
>>>     return nss.Certificate(buffer(data)) # pylint: disable=buffer-builtin
>>>
>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The ipa-server-upgrade command failed, exception: NSPRError:
>>>
(SEC_ERROR_LIBRARY_FAILURE) security library failure. >>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: >>> Unexpected error - see /var/log/ipaupgrade.log for details: >>> NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure. >>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The >>> ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for >>> more information >>> >>> On Thu, Sep 26, 2019 at 9:39 AM Rob Crittenden rcritten@redhat.com wrote: >>>> >>>> Satish Patel wrote: >>>>> I am running "ipa-server-4.4.0-14.el7.centos.4.x86_64" >>>> >>>> Ok, that explains what is happening. >>>> >>>> Edit /var/lib/ipa/sysupgrade/sysupgrade.state and find the [dogtag] >>>> section. Remove the entry for certificate_renewal_update_5. >>>> >>>> This being present is preventing the tracking to be repaired. >>>> >>>> Then run ipa-server-upgrade again and your tracking should be fixed. >>>> >>>> Use the -v flag for additional debugging, not --debug, I was mistaken. >>>> >>>> rob >>>> >>>>> >>>>> On Wed, Sep 25, 2019 at 5:13 PM Rob Crittenden rcritten@redhat.com wrote: >>>>>> >>>>>> Satish Patel via FreeIPA-users wrote: >>>>>>> I did run "ipa-server-upgrade" and look like it was successful but >>>>>>> still in getcert list showing CA_NEED :( >>>>>> >>>>>> Remind me what the package version of IPA is. I'm confused by the >>>>>> version 5 in the output about renewal configuration. >>>>>> >>>>>> You might also want to try running with --debug as depending on release >>>>>> it will give more information about this. 
>>>>>> >>>>>> rob >>>>>> >>>>>>> >>>>>>> >>>>>>> [root@ldap-ca-master ~]# ipa-server-upgrade >>>>>>> Upgrading IPA: >>>>>>> [1/10]: stopping directory server >>>>>>> [2/10]: saving configuration >>>>>>> [3/10]: disabling listeners >>>>>>> [4/10]: enabling DS global lock >>>>>>> [5/10]: starting directory server >>>>>>> [6/10]: updating schema >>>>>>> [7/10]: upgrading server >>>>>>> [8/10]: stopping directory server >>>>>>> [9/10]: restoring configuration >>>>>>> [10/10]: starting directory server >>>>>>> Done. >>>>>>> Update complete >>>>>>> Upgrading IPA services >>>>>>> Upgrading the configuration of the IPA services >>>>>>> [Verifying that root certificate is published] >>>>>>> [Migrate CRL publish directory] >>>>>>> CRL tree already moved >>>>>>> /etc/dirsrv/slapd-EXAMPLE-COM/certmap.conf is now managed by IPA. It >>>>>>> will be overwritten. A backup of the original will be made. >>>>>>> [Verifying that CA proxy configuration is correct] >>>>>>> [Verifying that KDC configuration is using ipa-kdb backend] >>>>>>> [Fix DS schema file syntax] >>>>>>> Syntax already fixed >>>>>>> [Removing RA cert from DS NSS database] >>>>>>> RA cert already removed >>>>>>> [Enable sidgen and extdom plugins by default] >>>>>>> [Updating HTTPD service IPA configuration] >>>>>>> [Updating mod_nss protocol versions] >>>>>>> Protocol versions already updated >>>>>>> [Updating mod_nss cipher suite] >>>>>>> [Fixing trust flags in /etc/httpd/alias] >>>>>>> Trust flags already processed >>>>>>> [Exporting KRA agent PEM file] >>>>>>> KRA is not enabled >>>>>>> [Removing self-signed CA] >>>>>>> [Removing Dogtag 9 CA] >>>>>>> [Checking for deprecated KDC configuration files] >>>>>>> [Checking for deprecated backups of Samba configuration files] >>>>>>> [Setting up Firefox extension] >>>>>>> [Add missing CA DNS records] >>>>>>> IPA CA DNS records already processed >>>>>>> [Removing deprecated DNS configuration options] >>>>>>> DNS is not configured >>>>>>> [Ensuring minimal number of 
connections] >>>>>>> DNS is not configured >>>>>>> [Enabling serial autoincrement in DNS] >>>>>>> DNS is not configured >>>>>>> [Updating GSSAPI configuration in DNS] >>>>>>> DNS is not configured >>>>>>> [Updating pid-file configuration in DNS] >>>>>>> DNS is not configured >>>>>>> DNS is not configured >>>>>>> DNS is not configured >>>>>>> DNS is not configured >>>>>>> DNS is not configured >>>>>>> DNS is not configured >>>>>>> DNS is not configured >>>>>>> DNS is not configured >>>>>>> [Upgrading CA schema] >>>>>>> CA schema update complete (no changes) >>>>>>> [Verifying that CA audit signing cert has 2 year validity] >>>>>>> [Update certmonger certificate renewal configuration to version 5] >>>>>>> [Enable PKIX certificate path discovery and validation] >>>>>>> PKIX already enabled >>>>>>> [Authorizing RA Agent to modify profiles] >>>>>>> [Authorizing RA Agent to manage lightweight CAs] >>>>>>> [Ensuring Lightweight CAs container exists in Dogtag database] >>>>>>> [Adding default OCSP URI configuration] >>>>>>> [Ensuring CA is using LDAPProfileSubsystem] >>>>>>> [Migrating certificate profiles to LDAP] >>>>>>> [Ensuring presence of included profiles] >>>>>>> [Add default CA ACL] >>>>>>> Default CA ACL already added >>>>>>> [Set up lightweight CA key retrieval] >>>>>>> Creating principal >>>>>>> Retrieving keytab >>>>>>> Creating Custodia keys >>>>>>> Configuring key retriever >>>>>>> The IPA services were upgraded >>>>>>> The ipa-server-upgrade command was successful >>>>>>> >>>>>>> >>>>>>> [root@ldap-ca-master ~]# getcert list | grep status >>>>>>> status: NEED_CA >>>>>>> status: NEED_CA >>>>>>> status: NEED_CA >>>>>>> status: NEED_CA >>>>>>> status: NEED_CA >>>>>>> status: NEED_KEY_PAIR >>>>>>> status: NEED_KEY_PAIR >>>>>>> status: NEED_KEY_PAIR >>>>>>> status: NEED_KEY_PAIR >>>>>>> status: NEED_CA >>>>>>> status: NEED_KEY_PAIR >>>>>>> status: NEED_CA >>>>>>> >>>>>>> On Tue, Sep 24, 2019 at 3:55 AM Florence Blanc-Renaud flo@redhat.com wrote: >>>>>>>> 
>>>>>>>> On 9/23/19 4:10 PM, Satish Patel via FreeIPA-users wrote: >>>>>>>>> Thanks Florence, >>>>>>>>> >>>>>>>>> is it safe to run "ipa-server-upgrade" ? >>>>>>>>> >>>>>>>> Hi, >>>>>>>> generally yes :) >>>>>>>> >>>>>>>> We had a few tickets related to upgrade but they are mainly revealing >>>>>>>> already present issues (for instance because this CLI stops and starts >>>>>>>> the services, expired certs would prevent successful completion). >>>>>>>> >>>>>>>>> Do i need to provide any option with "ipa-server-upgrade" command? i >>>>>>>>> believe few month back when i tried to do "ipa-server-upgrade" it >>>>>>>>> broke some stuff but anyway i will take snapshot of VM and try in >>>>>>>>> worst case scenario. >>>>>>>> With the VM snapshot you are on the safe side. >>>>>>>> >>>>>>>> flo >>>>>>>> >>>>>>>>> >>>>>>>>> On Mon, Sep 23, 2019 at 2:25 AM Florence Blanc-Renaud flo@redhat.com wrote: >>>>>>>>>> >>>>>>>>>> On 9/21/19 7:41 PM, Satish Patel via FreeIPA-users wrote: >>>>>>>>>>> Any thought ? >>>>>>>>>> Hi, >>>>>>>>>> if you run ipa-server-upgrade on this node, the command will fix the >>>>>>>>>> tracking of certs. You should see in the output; >>>>>>>>>> [Update certmonger certificate renewal configuration] >>>>>>>>>> >>>>>>>>>> HTH, >>>>>>>>>> flo >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Sent from my iPhone >>>>>>>>>>> >>>>>>>>>>>> On Sep 20, 2019, at 11:35 AM, Satish Patel satish.txt@gmail.com wrote: >>>>>>>>>>>> >>>>>>>>>>>> Rob sorry, i trim my output thought not necessary but anyway here is >>>>>>>>>>>> the full list (ignore CAPS letter in output) >>>>>>>>>>>> >>>>>>>>>>>> [root@ldap-ca-master ~]# getcert list >>>>>>>>>>>> >>>>>>>>>>>> Number of certificates and requests being tracked: 12. 
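Added example, not from this thread and not FreeIPA's or certmonger's own code: a small Python checker that parses the text format of `getcert list` and flags the conditions the thread keeps running into, namely requests whose status is not MONITORING, requests marked stuck, entries that carry no `CA:` line (the NEED_CA listings above have none, the repaired ones show `CA: dogtag-ipa-ca-renew-agent` or `CA: IPA`), and certificates inside a 28-day renewal window. The three-entry sample is constructed to resemble the listings quoted here, and the `now` timestamp in `demo()` is fixed so the result is reproducible; on a real master you would feed it `getcert list` output and the current time.

```python
"""Parse `getcert list` output and report tracked certificates that need attention."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the listings in this thread (not real output):
# one healthy Dogtag entry, one NEED_CA entry with no CA configured, and one
# HTTP server cert that is close to its expiry date.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20190926141756':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=CA Audit,O=EXAMPLE.COM
    expires: 2020-11-17 18:32:07 UTC
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190915043212':
    status: NEED_CA
    stuck: yes
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=OCSP Subsystem,O=EXAMPLE.COM
    expires: 2020-11-17 18:31:26 UTC
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20190927010638':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ldap-ca-master.foo.example.com,O=EXAMPLE.COM
    expires: 2019-10-20 01:06:39 UTC
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")


def parse_getcert_list(text):
    """Turn `getcert list` output into a list of dicts, one per tracked request."""
    requests = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        match = REQUEST_RE.match(line)
        if match:
            current = {"request_id": match.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue  # header line such as "Number of certificates ..." or blank
        key, _, value = line.partition(":")  # split on the first colon only
        current[key.strip()] = value.strip()
    for req in requests:
        nick = re.search(r"nickname='([^']*)'", req.get("certificate", ""))
        req["nickname"] = nick.group(1) if nick else ""
    return requests


def parse_expiry(value):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' expiry into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def find_problems(requests, now, window_days=28):
    """Return (request_id, reason) pairs for every request that needs attention."""
    problems = []
    for req in requests:
        rid = req["request_id"]
        if req.get("status") != "MONITORING":
            problems.append((rid, "status " + req.get("status", "?")))
        if req.get("stuck") == "yes":
            problems.append((rid, "stuck"))
        if not req.get("CA"):
            # Without a CA certmonger has nothing to send the renewal request to.
            problems.append((rid, "no CA configured, certmonger cannot renew it"))
        expires = req.get("expires")
        if expires:
            exp = parse_expiry(expires)
            if exp <= now:
                problems.append((rid, "expired"))
            elif exp - now <= timedelta(days=window_days):
                problems.append((rid, f"expires within {window_days} days"))
    return problems


def demo():
    """Run the checker over the constructed sample at a fixed, constructed point in time."""
    now = datetime(2019, 9, 27, 12, 0, tzinfo=timezone.utc)
    return find_problems(parse_getcert_list(SAMPLE), now)


if __name__ == "__main__":
    for request_id, reason in demo():
        print(f"{request_id}: {reason}")
```

The checker deliberately reports the three NEED_CA symptoms separately (status, stuck flag, missing CA) because they are fixed by different things: the status and stuck flag clear once certmonger can talk to a CA, and the missing CA is what `ipa-server-upgrade` repairs when it rewrites the tracking requests with the IPA renewal helpers.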
Satish Patel wrote:
Rob,
Last question, when does certmonger renew all certificates automatically, I mean 24 hours before? Just want to make sure it does, otherwise I will be in trouble again :)
It should. I'd work on upgrading all the masters to run the same version of IPA once you're sure things are working and you have a working second CA master.
The renewal happens by default 28 days before expiration.
Also be sure that one of the masters is defined as the CA renewal master in ipa config-show.
rob
Done, I did that change and restarted httpd. I believe all my issues have now been fixed. Thank you so much for your support
[root@ldap-ca-master conf.d]# grep "NSSNickname" /etc/httpd/conf.d/nss.conf
NSSNickname Server-Cert
On Fri, Sep 27, 2019 at 8:41 AM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel wrote:
Rob,
As you suggested I did the following (it required a password so I used -P <PIN>)
# ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/ldap-ca-master.example.com -C /usr/libexec/ipa/certmonger/restart_httpd -D ldap-ca-master.example.com -P 9e8c1a9447d56236733f
# ipa-getcert request -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert -K ldap/ldap-ca-master.example.com -C "/usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE.COM" -D ldap-ca-master.example.com -P 013fcd26f4dfa18c4d1bcaac0dbac44f3ad75698
# certutil -V -u V -d /etc/httpd/alias -n Server-Cert
certutil: certificate is valid
# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert
certutil: certificate is valid
> If so then you can swap the config to use them. Edit
> /etc/httpd/conf.d/nss.conf and replace the NSSNickname value with
> Server-Cert and restart httpd
Do I need to edit the above nss.conf file?
Currently I have the following NSSNickname in the file.
# grep "NSSNickname" /etc/httpd/conf.d/nss.conf
NSSNickname "CN=*.foo.example.com,OU=Domain Control Validated"
Yes.
Here is the full output of getcert list (Do you think it's looking good? I compared with the Replica and I can see the Master has 2 fewer certs than the Replica, hope that is ok)
Due to the difference in versions of IPA. This looks ok for a version 4.4.x master.
rob
# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20190926141756':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=CA Audit,O=EXAMPLE.COM
	expires: 2020-11-17 18:32:07 UTC
	key usage: digitalSignature,nonRepudiation
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20190926141757':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=OCSP Subsystem,O=EXAMPLE.COM
	expires: 2020-11-17 18:31:26 UTC
	eku: id-kp-OCSPSigning
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20190926141758':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=CA Subsystem,O=EXAMPLE.COM
	expires: 2020-11-17 18:31:16 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20190926141759':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=Certificate Authority,O=EXAMPLE.COM
	expires: 2037-01-05 14:47:24 UTC
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20190926141800':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=IPA RA,O=EXAMPLE.COM
	expires: 2020-11-17 18:31:36 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
	post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes
Request ID '20190926141801':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
	expires: 2020-11-17 18:30:29 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20190927010638':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=ldap-ca-master.foo.example.com,O=EXAMPLE.COM
	expires: 2021-09-27 01:06:39 UTC
	dns: ldap-ca-master.foo.EXAMPLE.com
	principal name: HTTP/ldap-ca-master.foo.EXAMPLE.com@EXAMPLE.COM
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
Request ID '20190927011037':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=ldap-ca-master.foo.example.com,O=EXAMPLE.COM
	expires: 2021-09-27 01:10:38 UTC
	dns: ldap-ca-master.foo.EXAMPLE.com
	principal name: ldap/ldap-ca-master.foo.example.com@EXAMPLE.COM
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE.COM
	track: yes
	auto-renew: yes
On Thu, Sep 26, 2019 at 2:52 PM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel wrote:
Rob,
I got your point and I will remove all Godaddy certs, but I wanted to say one thing: if I look into the ldap-ca-replica server, which is the other server, I can see Server-Cert. Is there a way I can sync all these replica certs with the master and fix them?
These certs are master-specific. ldap-ca-replica is using IPA-issued server certificates and the other is using Godaddy-issued certificates.
It's possible to issue certificates using the IPA CA to replace these Godaddy certs but I guess I'd check to be sure that's what you really want to do. Most people do this kind of replacement so they don't need to distribute the IPA CA to non-IPA-enrolled systems so they can do self-service management.
Roughly speaking, you'd do something like this:
# ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/<hostname> -C /usr/libexec/ipa/certmonger/restart_httpd -D <hostname>
# ipa-getcert request -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert -K ldap/<hostname> -C "/usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM" -D <hostname>
That will issue the new certs and set them up for tracking.
You can verify that they will work with:
# certutil -V -u V -d <database> -n Server-Cert
Both should return 'certificate is valid'
If so then you can swap the config to use them. Edit /etc/httpd/conf.d/nss.conf and replace the NSSNickname value with Server-Cert and restart httpd.
For 389-ds:
# ldapmodify -x -D 'cn=directory manager' -W
dn: cn=RSA,cn=encryption,cn=config
changetype: modify
replace: nsSSLPersonalitySSL
nsSSLPersonalitySSL: Server-Cert
<blank line>
^D
Then restart 389-ds-base, or do both then run ipactl restart
The old certs will still exist in the NSS databases so you can always switch them back if you need to.
rob
This is the replica node output; it looks like the replica is very clean.
[root@ldap-ca-replica ~]# getcert list
Number of certificates and requests being tracked: 10.
Request ID '20190918205044':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host',token='NSS Certificate DB',pinfile='/etc/ipa/nssdb/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
        expires: 2021-09-18 20:50:45 UTC
        dns: ldap-ca-replica.foo.EXAMPLE.com
        principal name: host/ldap-ca-replica.foo.EXAMPLE.com@EXAMPLE.COM
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20190918205212':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
        expires: 2021-09-18 20:52:12 UTC
        dns: ldap-ca-replica.foo.EXAMPLE.com
        principal name: ldap/ldap-ca-replica.foo.EXAMPLE.com@EXAMPLE.COM
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
        track: yes
        auto-renew: yes
Request ID '20190918205232':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
        expires: 2021-09-18 20:52:32 UTC
        dns: ldap-ca-replica.foo.EXAMPLE.com
        principal name: HTTP/ldap-ca-replica.foo.EXAMPLE.com@EXAMPLE.COM
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20190918205418':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=IPA RA,O=EXAMPLE.COM
        expires: 2020-11-17 18:31:36 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20190918205431':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=CA Audit,O=EXAMPLE.COM
        expires: 2020-11-17 18:32:07 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190918205432':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=OCSP Subsystem,O=EXAMPLE.COM
        expires: 2020-11-17 18:31:26 UTC
        eku: id-kp-OCSPSigning
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190918205433':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=CA Subsystem,O=EXAMPLE.COM
        expires: 2020-11-17 18:31:16 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190918205434':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=Certificate Authority,O=EXAMPLE.COM
        expires: 2037-01-05 14:47:24 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190918205435':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
        expires: 2021-09-07 20:54:00 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190918210008':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: SelfSign
        issuer: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
        subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
        expires: 2020-09-18 21:00:08 UTC
        principal name: krbtgt/EXAMPLE.COM@EXAMPLE.COM
        certificate template/profile: KDCs_PKINIT_Certs
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
        track: yes
        auto-renew: yes
On Thu, Sep 26, 2019 at 1:35 PM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel via FreeIPA-users wrote:
> Rob,
>
> Here is the web certs
>
> [root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/httpd/alias -L
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> EXAMPLE.COM IPA CA                                           CT,C,C
> Godaddy                                                      C,,
> CN=*.foo.example.com,OU=Domain Control Validated             u,u,u
> Signing-Cert                                                 u,u,u
> Godaddy Intermediate                                         C,,
> ipaCert                                                      u,u,u
Ok, good. Also using a Godaddy cert.
> Here is the full output of getcert and I can see some certs showing MONITORING
Ok. I've annotated each cert you should stop tracking. It looks like the CA subsystem certs are ok.
You will need to watch the Godaddy certs yourself and manually renew when the time comes. certmonger has no way to renew those.
To stop tracking these run:
getcert stop-tracking -i <request_id>
>
> [root@ldap-ca-master ~]# getcert list
> Number of certificates and requests being tracked: 13.
> Request ID '20190915043246':
>         status: NEED_KEY_PAIR
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
>         issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>         subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>         expires: 2037-12-31 23:59:59 UTC
>         key usage: keyCertSign,cRLSign
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
No need to track this one. You'd have no way of renewing it anyway.
> Request ID '20190915043304':
>         status: NEED_KEY_PAIR
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
>         issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>         subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>         expires: 2031-05-03 07:00:00 UTC
>         key usage: keyCertSign,cRLSign
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
No need to track this one.
> Request ID '20190915045112':
>         status: NEED_KEY_PAIR
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',token='NSS Certificate DB'
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=Certificate Authority,O=EXAMPLE.COM
>         expires: 2037-01-05 14:47:24 UTC
>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
You don't need to track the CA cert here.
> Request ID '20190915045148':
>         status: NEED_KEY_PAIR
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS Certificate DB'
>         issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>         subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>         expires: 2037-12-31 23:59:59 UTC
>         key usage: keyCertSign,cRLSign
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
Same, stop the tracking.
> Request ID '20190915045156':
>         status: NEED_CA
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=Object Signing Cert,O=EXAMPLE.COM
>         expires: 2021-01-05 14:49:59 UTC
>         key usage: digitalSignature,keyCertSign
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
This one too.
> Request ID '20190915045206':
>         status: NEED_KEY_PAIR
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
>         issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>         subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>         expires: 2031-05-03 07:00:00 UTC
>         key usage: keyCertSign,cRLSign
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
And this, stop tracking.
> Request ID '20190926141756':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=CA Audit,O=EXAMPLE.COM
>         expires: 2020-11-17 18:32:07 UTC
>         key usage: digitalSignature,nonRepudiation
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20190926141757':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>         expires: 2020-11-17 18:31:26 UTC
>         eku: id-kp-OCSPSigning
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20190926141758':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=CA Subsystem,O=EXAMPLE.COM
>         expires: 2020-11-17 18:31:16 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20190926141759':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=Certificate Authority,O=EXAMPLE.COM
>         expires: 2037-01-05 14:47:24 UTC
>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20190926141800':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=IPA RA,O=EXAMPLE.COM
>         expires: 2020-11-17 18:31:36 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>         post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>         track: yes
>         auto-renew: yes
> Request ID '20190926141801':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
>         expires: 2020-11-17 18:30:29 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20190926141802':
>         status: CA_UNCONFIGURED
>         ca-error: Unable to determine principal name for signing request.
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
>         CA: IPA
>         issuer:
>         subject:
>         expires: unknown
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
>         track: yes
>         auto-renew: yes
The tracking on this one is wrong and since you don't have Server-Cert anyway, just stop tracking this one.
rob > > On Thu, Sep 26, 2019 at 10:31 AM Rob Crittenden rcritten@redhat.com wrote: >> >> Satish Patel wrote: >>> Addition to last email: >>> >>> I can't see Server-Cert here but interesting thing i can see >>> Server-Cert in my CA replica node on ldap-2 (why my primary >>> ldap-ca-master not showing that cert?) >>> >>> [root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L >>> >>> Certificate Nickname Trust Attributes >>> SSL,S/MIME,JAR/XPI >>> >>> EXAMPLE.COM IPA CA CT,C,C >>> Godaddy C,, >>> CN=*.foo.example.com,OU=Domain Control Validated u,u,u >>> Godaddy Intermediate C,, >> >> At some point someone replaced the IPA-signed LDAP certificate with one >> signed by GoDaddy (which is fine). >> >> It appears that the version of IPA you're using (at least) doesn't >> handle this case. >> >> Now, fortunately it's one of the last things done so this may be just fine. >> >> Can you see if your web server cert was also replaced? The database is >> /etc/httpd/alias. >> >> Also, check your current tracking. The CA subsystem certs should be >> properly tracked now. It is just the LDAP and web certs that should not >> be (and if it is still using GoDaddy that is fine). >> >> rob >> >>> >>> On Thu, Sep 26, 2019 at 10:22 AM Satish Patel satish.txt@gmail.com wrote: >>>> >>>> Rob, >>>> >>>> now i got error and here is the output, output was very long so i crop >>>> it down and here is the error piece. 
>>>> >>>> ipa: INFO: [Upgrading CA schema] >>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing >>>> ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket from SchemaCache >>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for >>>> SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket >>>> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x85bbf80> >>>> ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file >>>> /usr/share/pki/server/conf/schema-certProfile.ldif >>>> ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file >>>> /usr/share/pki/server/conf/schema-authority.ldif >>>> ipa.ipaserver.install.schemaupdate: DEBUG: Not updating schema >>>> ipa: INFO: CA schema update complete (no changes) >>>> ipa: INFO: [Verifying that CA audit signing cert has 2 year validity] >>>> ipa.ipaserver.install.cainstance.CAInstance: DEBUG: >>>> caSignedLogCert.cfg profile validity range is 720 >>>> ipa: INFO: [Update certmonger certificate renewal configuration to version 5] >>>> ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' >>>> ipa: DEBUG: Configuring certmonger to stop tracking system certificates for CA >>>> Configuring certmonger to stop tracking system certificates for CA >>>> ipa: DEBUG: Starting external process >>>> ipa: DEBUG: args=/bin/systemctl start messagebus.service >>>> ipa: DEBUG: Process finished, return code=0 >>>> ipa: DEBUG: stdout= >>>> ipa: DEBUG: stderr= >>>> ipa: DEBUG: Starting external process >>>> ipa: DEBUG: args=/bin/systemctl is-active messagebus.service >>>> ipa: DEBUG: Process finished, return code=0 >>>> ipa: DEBUG: stdout=active >>>> >>>> ipa: DEBUG: stderr= >>>> ipa: DEBUG: Starting external process >>>> ipa: DEBUG: args=/bin/systemctl start certmonger.service >>>> ipa: DEBUG: Process finished, return code=0 >>>> ipa: DEBUG: stdout= >>>> ipa: DEBUG: stderr= >>>> ipa: DEBUG: Starting external process >>>> ipa: DEBUG: args=/bin/systemctl is-active 
certmonger.service >>>> ipa: DEBUG: Process finished, return code=0 >>>> ipa: DEBUG: stdout=active >>>> >>>> ipa: DEBUG: stderr= >>>> ipa: DEBUG: Starting external process >>>> ipa: DEBUG: args=/bin/systemctl stop certmonger.service >>>> ipa: DEBUG: Process finished, return code=0 >>>> ipa: DEBUG: stdout= >>>> ipa: DEBUG: stderr= >>>> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' >>>> ipa: DEBUG: Starting external process >>>> ipa: DEBUG: args=/bin/systemctl start certmonger.service >>>> ipa: DEBUG: Process finished, return code=0 >>>> ipa: DEBUG: stdout= >>>> ipa: DEBUG: stderr= >>>> ipa: DEBUG: Starting external process >>>> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service >>>> ipa: DEBUG: Process finished, return code=0 >>>> ipa: DEBUG: stdout=active >>>> >>>> ipa: DEBUG: stderr= >>>> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' >>>> ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state' >>>> ipa: DEBUG: Starting external process >>>> ipa: DEBUG: args=/bin/systemctl enable certmonger.service >>>> ipa: DEBUG: Process finished, return code=0 >>>> ipa: DEBUG: stdout= >>>> ipa: DEBUG: stderr= >>>> ipa: DEBUG: Starting external process >>>> ipa: DEBUG: args=/bin/systemctl start messagebus.service >>>> ipa: DEBUG: Process finished, return code=0 >>>> ipa: DEBUG: stdout= >>>> ipa: DEBUG: stderr= >>>> ipa: DEBUG: Starting external process >>>> ipa: DEBUG: args=/bin/systemctl is-active messagebus.service >>>> ipa: DEBUG: Process finished, return code=0 >>>> ipa: DEBUG: stdout=active >>>> >>>> ipa: DEBUG: stderr= >>>> ipa: DEBUG: Starting external process >>>> ipa: DEBUG: args=/bin/systemctl start certmonger.service >>>> ipa: DEBUG: Process finished, return code=0 >>>> ipa: DEBUG: stdout= >>>> ipa: DEBUG: stderr= >>>> ipa: DEBUG: Starting external process >>>> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service >>>> ipa: DEBUG: Process finished, return code=0 
>>>> ipa: DEBUG: stdout=active >>>> >>>> ipa: DEBUG: stderr= >>>> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' >>>> ipa: DEBUG: Starting external process >>>> ipa: DEBUG: args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM -L >>>> -n Server-Cert -a >>>> ipa: DEBUG: Process finished, return code=255 >>>> ipa: DEBUG: stdout= >>>> ipa: DEBUG: stderr=certutil: Could not find cert: Server-Cert >>>> : PR_FILE_NOT_FOUND_ERROR: File not found >>>> >>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: IPA >>>> server upgrade failed: Inspect /var/log/ipaupgrade.log and run command >>>> ipa-server-upgrade manually. >>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: File >>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, >>>> in execute >>>> return_value = self.run() >>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", >>>> line 46, in run >>>> server.upgrade() >>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", >>>> line 1863, in upgrade >>>> upgrade_configuration() >>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", >>>> line 1769, in upgrade_configuration >>>> certificate_renewal_update(ca, ds, http), >>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", >>>> line 1027, in certificate_renewal_update >>>> ds.start_tracking_certificates(serverid) >>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", >>>> line 983, in start_tracking_certificates >>>> 'restart_dirsrv %s' % serverid) >>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", >>>> line 307, in track_server_cert >>>> nsscert = x509.load_certificate(cert, dbdir=self.secdir) >>>> File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 125, in >>>> load_certificate >>>> return nss.Certificate(buffer(data)) # pylint: disable=buffer-builtin >>>> >>>> 
ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The >>>> ipa-server-upgrade command failed, exception: NSPRError: >>>> (SEC_ERROR_LIBRARY_FAILURE) security library failure. >>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: >>>> Unexpected error - see /var/log/ipaupgrade.log for details: >>>> NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure. >>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The >>>> ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for >>>> more information >>>> >>>> On Thu, Sep 26, 2019 at 9:39 AM Rob Crittenden rcritten@redhat.com wrote: >>>>> >>>>> Satish Patel wrote: >>>>>> I am running "ipa-server-4.4.0-14.el7.centos.4.x86_64" >>>>> >>>>> Ok, that explains what is happening. >>>>> >>>>> Edit /var/lib/ipa/sysupgrade/sysupgrade.state and find the [dogtag] >>>>> section. Remove the entry for certificate_renewal_update_5. >>>>> >>>>> This being present is preventing the tracking to be repaired. >>>>> >>>>> Then run ipa-server-upgrade again and your tracking should be fixed. >>>>> >>>>> Use the -v flag for additional debugging, not --debug, I was mistaken. >>>>> >>>>> rob >>>>> >>>>>> >>>>>> On Wed, Sep 25, 2019 at 5:13 PM Rob Crittenden rcritten@redhat.com wrote: >>>>>>> >>>>>>> Satish Patel via FreeIPA-users wrote: >>>>>>>> I did run "ipa-server-upgrade" and look like it was successful but >>>>>>>> still in getcert list showing CA_NEED :( >>>>>>> >>>>>>> Remind me what the package version of IPA is. I'm confused by the >>>>>>> version 5 in the output about renewal configuration. >>>>>>> >>>>>>> You might also want to try running with --debug as depending on release >>>>>>> it will give more information about this. 
>>>>>>>
>>>>>>> rob
>>>>>>>
>>>>>>>>
>>>>>>>> [root@ldap-ca-master ~]# ipa-server-upgrade
>>>>>>>> Upgrading IPA:
>>>>>>>>   [1/10]: stopping directory server
>>>>>>>>   [2/10]: saving configuration
>>>>>>>>   [3/10]: disabling listeners
>>>>>>>>   [4/10]: enabling DS global lock
>>>>>>>>   [5/10]: starting directory server
>>>>>>>>   [6/10]: updating schema
>>>>>>>>   [7/10]: upgrading server
>>>>>>>>   [8/10]: stopping directory server
>>>>>>>>   [9/10]: restoring configuration
>>>>>>>>   [10/10]: starting directory server
>>>>>>>> Done.
>>>>>>>> Update complete
>>>>>>>> Upgrading IPA services
>>>>>>>> Upgrading the configuration of the IPA services
>>>>>>>> [Verifying that root certificate is published]
>>>>>>>> [Migrate CRL publish directory]
>>>>>>>> CRL tree already moved
>>>>>>>> /etc/dirsrv/slapd-EXAMPLE-COM/certmap.conf is now managed by IPA. It
>>>>>>>> will be overwritten. A backup of the original will be made.
>>>>>>>> [Verifying that CA proxy configuration is correct]
>>>>>>>> [Verifying that KDC configuration is using ipa-kdb backend]
>>>>>>>> [Fix DS schema file syntax]
>>>>>>>> Syntax already fixed
>>>>>>>> [Removing RA cert from DS NSS database]
>>>>>>>> RA cert already removed
>>>>>>>> [Enable sidgen and extdom plugins by default]
>>>>>>>> [Updating HTTPD service IPA configuration]
>>>>>>>> [Updating mod_nss protocol versions]
>>>>>>>> Protocol versions already updated
>>>>>>>> [Updating mod_nss cipher suite]
>>>>>>>> [Fixing trust flags in /etc/httpd/alias]
>>>>>>>> Trust flags already processed
>>>>>>>> [Exporting KRA agent PEM file]
>>>>>>>> KRA is not enabled
>>>>>>>> [Removing self-signed CA]
>>>>>>>> [Removing Dogtag 9 CA]
>>>>>>>> [Checking for deprecated KDC configuration files]
>>>>>>>> [Checking for deprecated backups of Samba configuration files]
>>>>>>>> [Setting up Firefox extension]
>>>>>>>> [Add missing CA DNS records]
>>>>>>>> IPA CA DNS records already processed
>>>>>>>> [Removing deprecated DNS configuration options]
>>>>>>>> DNS is not configured
>>>>>>>> [Ensuring minimal number of connections]
>>>>>>>> DNS is not configured
>>>>>>>> [Enabling serial autoincrement in DNS]
>>>>>>>> DNS is not configured
>>>>>>>> [Updating GSSAPI configuration in DNS]
>>>>>>>> DNS is not configured
>>>>>>>> [Updating pid-file configuration in DNS]
>>>>>>>> DNS is not configured
>>>>>>>> DNS is not configured
>>>>>>>> DNS is not configured
>>>>>>>> DNS is not configured
>>>>>>>> DNS is not configured
>>>>>>>> DNS is not configured
>>>>>>>> DNS is not configured
>>>>>>>> DNS is not configured
>>>>>>>> [Upgrading CA schema]
>>>>>>>> CA schema update complete (no changes)
>>>>>>>> [Verifying that CA audit signing cert has 2 year validity]
>>>>>>>> [Update certmonger certificate renewal configuration to version 5]
>>>>>>>> [Enable PKIX certificate path discovery and validation]
>>>>>>>> PKIX already enabled
>>>>>>>> [Authorizing RA Agent to modify profiles]
>>>>>>>> [Authorizing RA Agent to manage lightweight CAs]
>>>>>>>> [Ensuring Lightweight CAs container exists in Dogtag database]
>>>>>>>> [Adding default OCSP URI configuration]
>>>>>>>> [Ensuring CA is using LDAPProfileSubsystem]
>>>>>>>> [Migrating certificate profiles to LDAP]
>>>>>>>> [Ensuring presence of included profiles]
>>>>>>>> [Add default CA ACL]
>>>>>>>> Default CA ACL already added
>>>>>>>> [Set up lightweight CA key retrieval]
>>>>>>>> Creating principal
>>>>>>>> Retrieving keytab
>>>>>>>> Creating Custodia keys
>>>>>>>> Configuring key retriever
>>>>>>>> The IPA services were upgraded
>>>>>>>> The ipa-server-upgrade command was successful
>>>>>>>>
>>>>>>>>
>>>>>>>> [root@ldap-ca-master ~]# getcert list | grep status
>>>>>>>> status: NEED_CA
>>>>>>>> status: NEED_CA
>>>>>>>> status: NEED_CA
>>>>>>>> status: NEED_CA
>>>>>>>> status: NEED_CA
>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>> status: NEED_CA
>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>> status: NEED_CA
>>>>>>>>
>>>>>>>> On Tue, Sep 24, 2019 at 3:55 AM Florence Blanc-Renaud flo@redhat.com wrote:
>>>>>>>>>
>>>>>>>>> On 9/23/19 4:10 PM, Satish Patel via FreeIPA-users wrote:
>>>>>>>>>> Thanks Florence,
>>>>>>>>>>
>>>>>>>>>> is it safe to run "ipa-server-upgrade"?
>>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>> generally yes :)
>>>>>>>>>
>>>>>>>>> We had a few tickets related to upgrade but they are mainly revealing
>>>>>>>>> already present issues (for instance because this CLI stops and starts
>>>>>>>>> the services, expired certs would prevent successful completion).
>>>>>>>>>
>>>>>>>>>> Do I need to provide any option with the "ipa-server-upgrade" command? I
>>>>>>>>>> believe a few months back when I tried to do "ipa-server-upgrade" it
>>>>>>>>>> broke some stuff, but anyway I will take a snapshot of the VM and try;
>>>>>>>>>> worst case scenario.
>>>>>>>>> With the VM snapshot you are on the safe side.
>>>>>>>>>
>>>>>>>>> flo
>>>>>>>>>
>>>>>>>>>> On Mon, Sep 23, 2019 at 2:25 AM Florence Blanc-Renaud flo@redhat.com wrote:
>>>>>>>>>>>
>>>>>>>>>>> On 9/21/19 7:41 PM, Satish Patel via FreeIPA-users wrote:
>>>>>>>>>>>> Any thought?
>>>>>>>>>>> Hi,
>>>>>>>>>>> if you run ipa-server-upgrade on this node, the command will fix the
>>>>>>>>>>> tracking of certs. You should see in the output:
>>>>>>>>>>> [Update certmonger certificate renewal configuration]
>>>>>>>>>>>
>>>>>>>>>>> HTH,
>>>>>>>>>>> flo
>>>>>>>>>>>
>>>>>>>>>>>> Sent from my iPhone
>>>>>>>>>>>>
>>>>>>>>>>>>> On Sep 20, 2019, at 11:35 AM, Satish Patel satish.txt@gmail.com wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rob sorry, I trimmed my output, thought it was not necessary, but anyway here is
>>>>>>>>>>>>> the full list (ignore the CAPS letters in the output)
>>>>>>>>>>>>>
>>>>>>>>>>>>> [root@ldap-ca-master ~]# getcert list
>>>>>>>>>>>>>
>>>>>>>>>>>>> Number of certificates and requests being tracked: 12.
>>>>>>>>>>>>> Request ID '20190915042927':
>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>> subject: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>> expires: 2037-01-05 14:47:24 UTC
>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>
>>>>>>>>>>>>> Request ID '20190915043150':
>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>> subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
>>>>>>>>>>>>> expires: 2020-11-17 18:30:29 UTC
>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>
>>>>>>>>>>>>> Request ID '20190915043212':
>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>> subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>>>>>>>>>>>>> expires: 2020-11-17 18:31:26 UTC
>>>>>>>>>>>>> eku: id-kp-OCSPSigning
>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>
>>>>>>>>>>>>> Request ID '20190915043224':
>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>> subject: CN=CA Audit,O=EXAMPLE.COM
>>>>>>>>>>>>> expires: 2020-11-17 18:32:07 UTC
>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation
>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>
>>>>>>>>>>>>> Request ID '20190915043237':
>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>> subject: CN=CA Subsystem,O=EXAMPLE.COM
>>>>>>>>>>>>> expires: 2020-11-17 18:31:16 UTC
>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>
>>>>>>>>>>>>> Request ID '20190915043246':
>>>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>>>> stuck: no
>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
>>>>>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>> subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>> expires: 2037-12-31 23:59:59 UTC
>>>>>>>>>>>>> key usage: keyCertSign,cRLSign
>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>
>>>>>>>>>>>>> Request ID '20190915043304':
>>>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>>>> stuck: no
>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',pin set
>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
>>>>>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>> subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>> expires: 2031-05-03 07:00:00 UTC
>>>>>>>>>>>>> key usage: keyCertSign,cRLSign
>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>
>>>>>>>>>>>>> Request ID '20190915045112':
>>>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>>>> stuck: no
>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',token='NSS Certificate DB'
>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>> subject: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>> expires: 2037-01-05 14:47:24 UTC
>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>
>>>>>>>>>>>>> Request ID '20190915045148':
>>>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>>>> stuck: no
>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS Certificate DB'
>>>>>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>> subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>> expires: 2037-12-31 23:59:59 UTC
>>>>>>>>>>>>> key usage: keyCertSign,cRLSign
>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>
>>>>>>>>>>>>> Request ID '20190915045156':
>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>> subject: CN=Object Signing Cert,O=EXAMPLE.COM
>>>>>>>>>>>>> expires: 2021-01-05 14:49:59 UTC
>>>>>>>>>>>>> key usage: digitalSignature,keyCertSign
>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>
>>>>>>>>>>>>> Request ID '20190915045206':
>>>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>>>> stuck: no
>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
>>>>>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>> subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>> expires: 2031-05-03 07:00:00 UTC
>>>>>>>>>>>>> key usage: keyCertSign,cRLSign
>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>
>>>>>>>>>>>>> Request ID '20190915045216':
>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>> subject: CN=IPA RA,O=EXAMPLE.COM
>>>>>>>>>>>>> expires: 2020-11-17 18:31:36 UTC
>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Fri, Sep 20, 2019 at 10:58 AM Rob Crittenden rcritten@redhat.com wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Satish Patel via FreeIPA-users wrote:
>>>>>>>>>>>>>>> Few days ago my Master CA was messed up and getcert list was showing
>>>>>>>>>>>>>>> empty list (no cert to track)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> So I ran the following commands to add certs manually:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'ocspSigningCert cert-pki-ca' -P XXXXXXX
>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca' -P XXXXXXX
>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -P XXXXXXX
>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy' -P XXXXXXX
>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy Intermediate' -P XXXXXXX
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> And after that I am seeing this status (status: NEED_CA); it should
>>>>>>>>>>>>>>> be MONITORING, right?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> # getcert list
>>>>>>>>>>>>>>> Number of certificates and requests being tracked: 12.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> You setup the tracking wrong. Your output only shows 3 certs and yet
>>>>>>>>>>>>>> certmonger thinks it has 12. Where are the other 9?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> rob
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>>>>>>>>>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
>>>>>>>>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>>>>>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>>>>>>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
>
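Rob's fix quoted above (remove the certificate_renewal_update_5 entry from the [dogtag] section of /var/lib/ipa/sysupgrade/sysupgrade.state, then re-run ipa-server-upgrade) is a hand edit of an INI-style state file. The snippet below is an added example, not code from this thread or from FreeIPA: it performs that single edit from a script, keeps a backup and touches only the named section, so a key of the same name under another section is left alone. `ini_delete_key`, `ini_sections_with_key` and `demo_sysupgrade_fix` are names chosen here, and the sample file in the demo is a constructed stand-in (the real file's keys vary by release; only the [section] / key = value layout is assumed).

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): delete one key from one
# section of an INI-style file such as sysupgrade.state, keeping <file>.bak.

# Usage: ini_delete_key <file> <section> <key>
# The key is matched literally at the start of a line, followed by '='.
ini_delete_key() {
    file="$1"; section="$2"; key="$3"
    cp -p "$file" "$file.bak" || return 1
    awk -v sect="$section" -v key="$key" '
        /^[[:space:]]*\[.*\][[:space:]]*$/ {        # section header: [name]
            name = $0
            sub(/^[[:space:]]*\[/, "", name)
            sub(/\][[:space:]]*$/, "", name)
            insect = (name == sect)
            print; next
        }
        # inside the wanted section, drop exactly "key = ..." and nothing else
        insect && index($0, key) == 1 && substr($0, length(key) + 1) ~ /^[[:space:]]*=/ { next }
        { print }
    ' "$file.bak" > "$file"
}

# Usage: ini_sections_with_key <file> <key>
# Prints the name of every section that still carries the key (before/after check).
ini_sections_with_key() {
    awk -v key="$2" '
        /^[[:space:]]*\[.*\][[:space:]]*$/ {
            name = $0; sub(/^[[:space:]]*\[/, "", name); sub(/\][[:space:]]*$/, "", name); next
        }
        index($0, key) == 1 && substr($0, length(key) + 1) ~ /^[[:space:]]*=/ { print name }
    ' "$1"
}

# Stand-alone demo on a constructed stand-in for sysupgrade.state
# (the second copy of the key under [ds] must survive the edit).
demo_sysupgrade_fix() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
[dogtag]
certificate_renewal_update_5 = True
ca_restart = False

[ds]
certificate_renewal_update_5 = True
EOF
    ini_delete_key "$tmp" dogtag certificate_renewal_update_5
    echo "sections still carrying certificate_renewal_update_5:"
    ini_sections_with_key "$tmp" certificate_renewal_update_5   # prints: ds
    rm -f "$tmp" "$tmp.bak"
}

demo_sysupgrade_fix
```

On a real master the call would be `ini_delete_key /var/lib/ipa/sysupgrade/sysupgrade.state dogtag certificate_renewal_update_5`, followed by `ipa-server-upgrade -v` as Rob suggests; the .bak copy lets you put the entry back if the upgrade still fails.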
Can I upgrade my existing 4.4.x ldap-ca-master with the "ipa-server-upgrade" command?
Currently I have the following CA master versions:
ldap-ca-master - 4.4.x (renewal master)
ldap-ca-replica - 4.6.x
Or
I can do one thing: create a fresh machine, make it one more CA replica, and destroy the older ldap-ca-master - 4.4.x
On Fri, Sep 27, 2019 at 11:23 AM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel wrote:
Rob,
Last question: when does certmonger renew all certificates automatically, I meant 24 hours before? Just want to make sure it does, otherwise I will be in trouble again :)
It should. I'd work on upgrading all the masters to run the same version of IPA once you're sure things are working and you have a working second CA master.
The renewal happens by default 28 days before expiration.
Also be sure that one of the masters is defined as the CA renewal master in ipa config-show.
rob
Done, I did that change and restarted httpd. I believe now all my issues have been fixed. Thank you so much for your support.
[root@ldap-ca-master conf.d]# grep "NSSNickname" /etc/httpd/conf.d/nss.conf
NSSNickname Server-Cert
On Fri, Sep 27, 2019 at 8:41 AM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel wrote:
Rob,
As you suggested I did the following (it required a password, so I used -P <PIN>)
# ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/ldap-ca-master.example.com -C /usr/libexec/ipa/certmonger/restart_httpd -D ldap-ca-master.example.com -P 9e8c1a9447d56236733f
# ipa-getcert request -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert -K ldap/ldap-ca-master.example.com -C "/usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE.COM" -D ldap-ca-master.example.com -P 013fcd26f4dfa18c4d1bcaac0dbac44f3ad75698
# certutil -V -u V -d /etc/httpd/alias -n Server-Cert
certutil: certificate is valid
# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert
certutil: certificate is valid
>> If so then you can swap the config to use them. Edit
>> /etc/httpd/conf.d/nss.conf and replace the NSSNickname value with Server-Cert and restart httpd
Do I need to edit the above nss.conf file?
Currently I have the following NSSNickname in the file.
# grep "NSSNickname" /etc/httpd/conf.d/nss.conf
NSSNickname "CN=*.foo.example.com,OU=Domain Control Validated"
Yes.
Here is the full output of getcert list (Do you think it's looking good? I compared with the replica and I can see the master has 2 fewer certs than the replica; hope that is ok)
Due to the difference in versions of IPA. This looks ok for a version 4.4.x master.
rob
# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20190926141756':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=EXAMPLE.COM
  subject: CN=CA Audit,O=EXAMPLE.COM
  expires: 2020-11-17 18:32:07 UTC
  key usage: digitalSignature,nonRepudiation
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20190926141757':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=EXAMPLE.COM
  subject: CN=OCSP Subsystem,O=EXAMPLE.COM
  expires: 2020-11-17 18:31:26 UTC
  eku: id-kp-OCSPSigning
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20190926141758':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=EXAMPLE.COM
  subject: CN=CA Subsystem,O=EXAMPLE.COM
  expires: 2020-11-17 18:31:16 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20190926141759':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=EXAMPLE.COM
  subject: CN=Certificate Authority,O=EXAMPLE.COM
  expires: 2037-01-05 14:47:24 UTC
  key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20190926141800':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=EXAMPLE.COM
  subject: CN=IPA RA,O=EXAMPLE.COM
  expires: 2020-11-17 18:31:36 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
  post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
  track: yes
  auto-renew: yes
Request ID '20190926141801':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-renew-agent
  issuer: CN=Certificate Authority,O=EXAMPLE.COM
  subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
  expires: 2020-11-17 18:30:29 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20190927010638':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=EXAMPLE.COM
  subject: CN=ldap-ca-master.foo.example.com,O=EXAMPLE.COM
  expires: 2021-09-27 01:06:39 UTC
  dns: ldap-ca-master.foo.EXAMPLE.com
  principal name: HTTP/ldap-ca-master.foo.EXAMPLE.com@EXAMPLE.COM
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command:
  post-save command: /usr/libexec/ipa/certmonger/restart_httpd
  track: yes
  auto-renew: yes
Request ID '20190927011037':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=EXAMPLE.COM
  subject: CN=ldap-ca-master.foo.example.com,O=EXAMPLE.COM
  expires: 2021-09-27 01:10:38 UTC
  dns: ldap-ca-master.foo.EXAMPLE.com
  principal name: ldap/ldap-ca-master.foo.example.com@EXAMPLE.COM
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command:
  post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE.COM
  track: yes
  auto-renew: yes
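Rob's note above that certmonger renews 28 days before expiry, together with the listings earlier in the thread that sat in NEED_CA, suggests a quick health check to run over any `getcert list` dump. The script below is an added example, not code from this thread or from FreeIPA/certmonger: it parses the listing format shown above and reports every request that is not MONITORING, is marked stuck, has no `CA:` line, or whose certificate is expired or inside the 28-day window. `audit_getcert` and `sample_getcert_list` are names chosen here; the sample listing is constructed (request IDs, nicknames and dates are made up in the thread's format: one healthy entry, one NEED_CA entry without a `CA:` line like the ones above, one certificate inside the renewal window with auto-renew off, and one already expired). It needs only POSIX sh and awk.

```shell
#!/bin/sh
# Added example (not from the thread or certmonger): audit `getcert list`
# output for tracking requests that need attention.

# Usage: audit_getcert YYYY-MM-DD < getcert-list-output
# Prints one line per finding: <request id> TAB <nickname or file> TAB <finding>
# Exit status 1 if there is at least one finding, 0 if everything is healthy.
audit_getcert() {
    today="$1"
    awk -v today="$today" '
    # Gregorian date -> Julian day number; portable, needs no mktime().
    function jdn(y, m, d,    a) {
        a = int((14 - m) / 12); y = y + 4800 - a; m = m + 12 * a - 3
        return d + int((153 * m + 2) / 5) + 365 * y + int(y / 4) - int(y / 100) + int(y / 400) - 32045
    }
    function days(ymd,    p) { split(ymd, p, "-"); return jdn(p[1] + 0, p[2] + 0, p[3] + 0) }
    function emit(what) { found++; print id "\t" name "\t" what }
    function flush(    left) {
        if (id == "") return
        if (status != "MONITORING") emit("status=" status)
        if (stuck == "yes")         emit("stuck")
        if (ca == "")               emit("no-CA-configured")   # the NEED_CA entries above had no CA: line
        if (expires != "") {
            left = days(expires) - days(today)
            if (left < 0)        emit("expired")
            else if (left <= 28) emit("renewal-window(" left "d)" (autorenew == "yes" ? "" : ",auto-renew=no"))
        }
        id = status = stuck = ca = expires = name = autorenew = ""
    }
    /^Request ID /               { flush(); match($0, /'\''[^'\'']*'\''/); id = substr($0, RSTART + 1, RLENGTH - 2); next }
    /^[[:space:]]*status:/       { status = $2 }
    /^[[:space:]]*stuck:/        { stuck = $2 }
    /^[[:space:]]*CA:/           { ca = $2 }
    /^[[:space:]]*auto-renew:/   { autorenew = $2 }
    /^[[:space:]]*expires:/      { expires = $2 }
    /^[[:space:]]*certificate:/  {
        # label the finding with the NSS nickname, or the file path for FILE storage
        if (match($0, /nickname='\''[^'\'']*'\''/))      name = substr($0, RSTART + 10, RLENGTH - 11)
        else if (match($0, /location='\''[^'\'']*'\''/)) name = substr($0, RSTART + 10, RLENGTH - 11)
    }
    END { flush(); exit(found ? 1 : 0) }
    '
}

# Constructed sample in the `getcert list` format used in this thread.
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 4.
Request ID '20190926141756':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  subject: CN=CA Audit,O=EXAMPLE.COM
  expires: 2020-11-17 18:32:07 UTC
  track: yes
  auto-renew: yes
Request ID '20190915043212':
  status: NEED_CA
  stuck: yes
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
  subject: CN=OCSP Subsystem,O=EXAMPLE.COM
  expires: 2020-11-17 18:31:26 UTC
  track: yes
  auto-renew: yes
Request ID '20190927010638':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
  CA: IPA
  subject: CN=ldap-ca-master.foo.example.com,O=EXAMPLE.COM
  expires: 2020-10-10 01:06:39 UTC
  track: yes
  auto-renew: no
Request ID '20190918210008':
  status: MONITORING
  stuck: no
  key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
  certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
  CA: SelfSign
  subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
  expires: 2020-09-18 21:00:08 UTC
  track: yes
  auto-renew: yes
EOF
}

# Stand-alone run: audit the constructed sample as of 2020-10-01.
sample_getcert_list | audit_getcert 2020-10-01 || echo "some tracked certificates need attention"
```

On a live master the invocation is `getcert list | audit_getcert "$(date +%Y-%m-%d)"`; the non-zero exit makes it usable from cron or a monitoring agent. The `no-CA-configured` finding corresponds to what the earlier listings in this thread showed: requests added with `getcert start-tracking` and no CA (`-c`) have nothing to renew against, which is consistent with their NEED_CA status, whereas the repaired entries all carry a `CA:` line.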
On Thu, Sep 26, 2019 at 2:52 PM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel wrote:
Rob,
I got your point and I will remove all Godaddy certs, but I wanted to say one thing: if I look into the ldap-ca-replica server, which is the other server, I can see Server-Cert. Is there a way I can sync all these replica certs with the master and fix them?
These certs are master-specific. ldap-ca-replica is using IPA-issued server certificates and the other is using Godaddy-issued certificates.
It's possible to issue certificates using the IPA CA to replace these Godaddy certs but I guess I'd check to be sure that's what you really want to do. Most people do this kind of replacement so they don't need to distribute the IPA CA to non-IPA-enrolled systems so they can do self-service management.
Roughly speaking, you'd do something like this:
# ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/<hostname> -C /usr/libexec/ipa/certmonger/restart_httpd -D <hostname>
# ipa-getcert request -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert -K ldap/<hostname> -C "/usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM" -D <hostname>
That will issue the new certs and set them up for tracking.
You can verify that they will work with:
# certutil -V -u V -d <database> -n Server-Cert
Both should return 'certificate is valid'
If so then you can swap the config to use them. Edit /etc/httpd/conf.d/nss.conf and replace the NSSNickname value with Server-Cert and restart httpd
For 389-ds:
# ldapmodify -x -D 'cn=directory manager' -W
dn: cn=RSA,cn=encryption,cn=config
changetype: modify
replace: nsSSLPersonalitySSL
nsSSLPersonalitySSL: Server-Cert
<blank line>
^D
Then restart 389-ds-base, or do both then run ipactl restart
The old certs will still exist in the NSS databases so you can always switch them back if you need to.
rob
This is the replica node output; it looks like the replica is very clean.
[root@ldap-ca-replica ~]# getcert list
Number of certificates and requests being tracked: 10.
Request ID '20190918205044':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host',token='NSS Certificate DB',pinfile='/etc/ipa/nssdb/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
        expires: 2021-09-18 20:50:45 UTC
        dns: ldap-ca-replica.foo.EXAMPLE.com
        principal name: host/ldap-ca-replica.foo.EXAMPLE.com@EXAMPLE.COM
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20190918205212':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
        expires: 2021-09-18 20:52:12 UTC
        dns: ldap-ca-replica.foo.EXAMPLE.com
        principal name: ldap/ldap-ca-replica.foo.EXAMPLE.com@EXAMPLE.COM
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
        track: yes
        auto-renew: yes
Request ID '20190918205232':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
        expires: 2021-09-18 20:52:32 UTC
        dns: ldap-ca-replica.foo.EXAMPLE.com
        principal name: HTTP/ldap-ca-replica.foo.EXAMPLE.com@EXAMPLE.COM
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20190918205418':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=IPA RA,O=EXAMPLE.COM
        expires: 2020-11-17 18:31:36 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20190918205431':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=CA Audit,O=EXAMPLE.COM
        expires: 2020-11-17 18:32:07 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190918205432':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=OCSP Subsystem,O=EXAMPLE.COM
        expires: 2020-11-17 18:31:26 UTC
        eku: id-kp-OCSPSigning
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190918205433':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=CA Subsystem,O=EXAMPLE.COM
        expires: 2020-11-17 18:31:16 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190918205434':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=Certificate Authority,O=EXAMPLE.COM
        expires: 2037-01-05 14:47:24 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190918205435':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
        expires: 2021-09-07 20:54:00 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190918210008':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: SelfSign
        issuer: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
        subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
        expires: 2020-09-18 21:00:08 UTC
        principal name: krbtgt/EXAMPLE.COM@EXAMPLE.COM
        certificate template/profile: KDCs_PKINIT_Certs
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
        track: yes
        auto-renew: yes
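The review Rob does by hand further down the thread (which tracking entries certmonger can never renew, which IPA CA subsystem entries ipa-server-upgrade should repair, and which third-party certs need a manual expiry watch) as an added Python helper. It is not part of this thread nor of certmonger or IPA: the getcert output it parses is a constructed sample modelled on the thread's entries, and the classification rules are an assumption distilled from Rob's replies.

```python
"""Hypothetical helper (not certmonger/IPA code) that audits `getcert list` output."""
import re
from datetime import datetime, timezone

# Constructed sample shaped like `getcert list` output (values follow the thread).
SAMPLE_GETCERT = """\
Request ID '20190926141758':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=CA Subsystem,O=EXAMPLE.COM
    expires: 2020-11-17 18:31:16 UTC
Request ID '20190915043246':
    status: NEED_KEY_PAIR
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
    issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
    expires: 2037-12-31 23:59:59 UTC
    key usage: keyCertSign,cRLSign
Request ID '20190926141802':
    status: CA_UNCONFIGURED
    ca-error: Unable to determine principal name for signing request.
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
    CA: IPA
    issuer:
    subject:
    expires: unknown
Request ID '20190915042927':
    status: NEED_CA
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=Certificate Authority,O=EXAMPLE.COM
    expires: 2037-01-05 14:47:24 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
"""
KEEP, STOP, REPAIR = "keep", "stop-tracking", "repair"

def parse_getcert_list(text):
    """One {field: value} dict per 'Request ID' block, split at the first colon."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1)}
            entries.append(cur)
        elif cur is not None and ":" in line:
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()
    return entries

def nickname(entry):
    m = re.search(r"nickname='([^']*)'", entry.get("key pair storage", ""))
    return m.group(1) if m else "?"

def classify(entry):
    """(verdict, reason) for one entry, following the thread's advice."""
    status, stuck = entry.get("status", ""), entry.get("stuck") == "yes"
    # IPA's own CA subsystem certs carry the ' cert-pki-ca' suffix and, when
    # healthy, a dogtag-ipa-* renewal helper: repair those, never drop them.
    ipa_managed = (nickname(entry).endswith(" cert-pki-ca")
                   or entry.get("CA", "").startswith("dogtag-ipa"))
    if status == "MONITORING" and not stuck:
        return KEEP, "renewal helper configured; certmonger can renew it"
    if ipa_managed:
        return REPAIR, "IPA CA subsystem cert with broken tracking; re-run ipa-server-upgrade"
    if status == "NEED_KEY_PAIR":
        return STOP, "no private key in the NSS DB: an imported CA cert certmonger cannot renew"
    if status == "CA_UNCONFIGURED" or not entry.get("issuer"):
        return STOP, "broken tracking entry (no issuer/subject)"
    if "keyCertSign" in entry.get("key usage", ""):
        return STOP, "copy of a CA certificate tracked without a renewal helper"
    return (REPAIR, "stuck without a usable CA") if stuck else (KEEP, "nothing to do")

def days_to_expiry(entry, now):
    """Days until 'expires:', or None when getcert prints 'unknown'."""
    try:
        exp = datetime.strptime(entry.get("expires", ""), "%Y-%m-%d %H:%M:%S UTC")
    except ValueError:
        return None
    return (exp.replace(tzinfo=timezone.utc) - now).days

def audit(text, today=None):
    """today: 'YYYY-MM-DD' (UTC) for the expiry countdown; defaults to now."""
    now = (datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
           if today else datetime.now(timezone.utc))
    rows = []
    for e in parse_getcert_list(text):
        verdict, why = classify(e)
        rows.append({"id": e["id"], "nickname": nickname(e), "verdict": verdict,
                     "reason": why, "days_left": days_to_expiry(e, now)})
    return rows

def stop_tracking_commands(rows):
    """The commands Rob's advice amounts to; review them before running any."""
    return ["getcert stop-tracking -i " + r["id"] for r in rows if r["verdict"] == STOP]
```

On a real server, pass the text of `getcert list` to audit() and treat the stop-tracking list as suggestions to check against the NSS databases, since the rules encode one thread's situation rather than every possible deployment.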
On Thu, Sep 26, 2019 at 1:35 PM Rob Crittenden rcritten@redhat.com wrote:
>
> Satish Patel via FreeIPA-users wrote:
>> Rob,
>>
>> Here are the web certs
>>
>> [root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/httpd/alias -L
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> EXAMPLE.COM IPA CA                                           CT,C,C
>> Godaddy                                                      C,,
>> CN=*.foo.example.com,OU=Domain Control Validated             u,u,u
>> Signing-Cert                                                 u,u,u
>> Godaddy Intermediate                                         C,,
>> ipaCert                                                      u,u,u
>
> Ok, good. Also using a Godaddy cert.
>
>> Here is the full output of getcert and I can see some certs showing MONITORING
>
> Ok. I've annotated each cert you should stop tracking. It looks like the
> CA subsystem certs are ok.
>
> You will need to watch the Godaddy certs yourself and manually renew
> when the time comes. certmonger has no way to renew those.
>
> To stop tracking these run: getcert stop-tracking -i <request_id>
>
>>
>> [root@ldap-ca-master ~]# getcert list
>> Number of certificates and requests being tracked: 13.
>> Request ID '20190915043246':
>> status: NEED_KEY_PAIR
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>> subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>> expires: 2037-12-31 23:59:59 UTC
>> key usage: keyCertSign,cRLSign
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>
> No need to track this one. You'd have no way of renewing it anyway.
>
>> Request ID '20190915043304':
>> status: NEED_KEY_PAIR
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',pin set
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>> subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>> expires: 2031-05-03 07:00:00 UTC
>> key usage: keyCertSign,cRLSign
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>
> No need to track this one.
>
>> Request ID '20190915045112':
>> status: NEED_KEY_PAIR
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',token='NSS Certificate DB'
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>> subject: CN=Certificate Authority,O=EXAMPLE.COM
>> expires: 2037-01-05 14:47:24 UTC
>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>
> You don't need to track the CA cert here.
>
>> Request ID '20190915045148':
>> status: NEED_KEY_PAIR
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS Certificate DB'
>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>> subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>> expires: 2037-12-31 23:59:59 UTC
>> key usage: keyCertSign,cRLSign
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>
> Same, stop the tracking.
>
>> Request ID '20190915045156':
>> status: NEED_CA
>> stuck: yes
>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>> subject: CN=Object Signing Cert,O=EXAMPLE.COM
>> expires: 2021-01-05 14:49:59 UTC
>> key usage: digitalSignature,keyCertSign
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>
> This one too.
>
>> Request ID '20190915045206':
>> status: NEED_KEY_PAIR
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>> subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>> expires: 2031-05-03 07:00:00 UTC
>> key usage: keyCertSign,cRLSign
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>
> And this, stop tracking.
>
>> Request ID '20190926141756':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>> subject: CN=CA Audit,O=EXAMPLE.COM
>> expires: 2020-11-17 18:32:07 UTC
>> key usage: digitalSignature,nonRepudiation
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20190926141757':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>> subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>> expires: 2020-11-17 18:31:26 UTC
>> eku: id-kp-OCSPSigning
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20190926141758':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>> subject: CN=CA Subsystem,O=EXAMPLE.COM
>> expires: 2020-11-17 18:31:16 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20190926141759':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>> subject: CN=Certificate Authority,O=EXAMPLE.COM
>> expires: 2037-01-05 14:47:24 UTC
>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20190926141800':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>> subject: CN=IPA RA,O=EXAMPLE.COM
>> expires: 2020-11-17 18:31:36 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>> track: yes
>> auto-renew: yes
>> Request ID '20190926141801':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>> subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
>> expires: 2020-11-17 18:30:29 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20190926141802':
>> status: CA_UNCONFIGURED
>> ca-error: Unable to determine principal name for signing request.
>> stuck: yes
>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
>> CA: IPA
>> issuer:
>> subject:
>> expires: unknown
>> pre-save command:
>> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
>> track: yes
>> auto-renew: yes
>
> The tracking on this one is wrong and since you don't have Server-Cert
> anyway, just stop tracking this one.
>
> rob
>>
>> On Thu, Sep 26, 2019 at 10:31 AM Rob Crittenden rcritten@redhat.com wrote:
>>>
>>> Satish Patel wrote:
>>>> Addition to last email:
>>>>
>>>> I can't see Server-Cert here, but interestingly I can see
>>>> Server-Cert on my CA replica node ldap-2 (why is my primary
>>>> ldap-ca-master not showing that cert?)
>>>>
>>>> [root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L
>>>>
>>>> Certificate Nickname                                         Trust Attributes
>>>>                                                              SSL,S/MIME,JAR/XPI
>>>>
>>>> EXAMPLE.COM IPA CA                                           CT,C,C
>>>> Godaddy                                                      C,,
>>>> CN=*.foo.example.com,OU=Domain Control Validated             u,u,u
>>>> Godaddy Intermediate                                         C,,
>>>
>>> At some point someone replaced the IPA-signed LDAP certificate with one
>>> signed by GoDaddy (which is fine).
>>>
>>> It appears that the version of IPA you're using (at least) doesn't
>>> handle this case.
>>>
>>> Now, fortunately it's one of the last things done so this may be just fine.
>>>
>>> Can you see if your web server cert was also replaced? The database is
>>> /etc/httpd/alias.
>>>
>>> Also, check your current tracking. The CA subsystem certs should be
>>> properly tracked now. It is just the LDAP and web certs that should not
>>> be (and if it is still using GoDaddy that is fine).
>>>
>>> rob
>>>
>>>>
>>>> On Thu, Sep 26, 2019 at 10:22 AM Satish Patel satish.txt@gmail.com wrote:
>>>>>
>>>>> Rob,
>>>>>
>>>>> Now I got an error and here is the output; the output was very long so I cropped
>>>>> it down and here is the error piece.
>>>>>
>>>>> ipa: INFO: [Upgrading CA schema]
>>>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket from SchemaCache
>>>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x85bbf80>
>>>>> ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file /usr/share/pki/server/conf/schema-certProfile.ldif
>>>>> ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file /usr/share/pki/server/conf/schema-authority.ldif
>>>>> ipa.ipaserver.install.schemaupdate: DEBUG: Not updating schema
>>>>> ipa: INFO: CA schema update complete (no changes)
>>>>> ipa: INFO: [Verifying that CA audit signing cert has 2 year validity]
>>>>> ipa.ipaserver.install.cainstance.CAInstance: DEBUG: caSignedLogCert.cfg profile validity range is 720
>>>>> ipa: INFO: [Update certmonger certificate renewal configuration to version 5]
>>>>> ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
>>>>> ipa: DEBUG: Configuring certmonger to stop tracking system certificates for CA
>>>>> Configuring certmonger to stop tracking system certificates for CA
>>>>> ipa: DEBUG: Starting external process
>>>>> ipa: DEBUG: args=/bin/systemctl start messagebus.service
>>>>> ipa: DEBUG: Process finished, return code=0
>>>>> ipa: DEBUG: stdout=
>>>>> ipa: DEBUG: stderr=
>>>>> ipa: DEBUG: Starting external process
>>>>> ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
>>>>> ipa: DEBUG: Process finished, return code=0
>>>>> ipa: DEBUG: stdout=active
>>>>>
>>>>> ipa: DEBUG: stderr=
>>>>> ipa: DEBUG: Starting external process
>>>>> ipa: DEBUG: args=/bin/systemctl start certmonger.service
>>>>> ipa: DEBUG: Process finished, return code=0
>>>>> ipa: DEBUG: stdout=
>>>>> ipa: DEBUG: stderr=
>>>>> ipa: DEBUG: Starting external process
>>>>> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
>>>>> ipa: DEBUG: Process finished, return code=0
>>>>> ipa: DEBUG: stdout=active
>>>>>
>>>>> ipa: DEBUG: stderr=
>>>>> ipa: DEBUG: Starting external process
>>>>> ipa: DEBUG: args=/bin/systemctl stop certmonger.service
>>>>> ipa: DEBUG: Process finished, return code=0
>>>>> ipa: DEBUG: stdout=
>>>>> ipa: DEBUG: stderr=
>>>>> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
>>>>> ipa: DEBUG: Starting external process
>>>>> ipa: DEBUG: args=/bin/systemctl start certmonger.service
>>>>> ipa: DEBUG: Process finished, return code=0
>>>>> ipa: DEBUG: stdout=
>>>>> ipa: DEBUG: stderr=
>>>>> ipa: DEBUG: Starting external process
>>>>> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
>>>>> ipa: DEBUG: Process finished, return code=0
>>>>> ipa: DEBUG: stdout=active
>>>>>
>>>>> ipa: DEBUG: stderr=
>>>>> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
>>>>> ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
>>>>> ipa: DEBUG: Starting external process
>>>>> ipa: DEBUG: args=/bin/systemctl enable certmonger.service
>>>>> ipa: DEBUG: Process finished, return code=0
>>>>> ipa: DEBUG: stdout=
>>>>> ipa: DEBUG: stderr=
>>>>> ipa: DEBUG: Starting external process
>>>>> ipa: DEBUG: args=/bin/systemctl start messagebus.service
>>>>> ipa: DEBUG: Process finished, return code=0
>>>>> ipa: DEBUG: stdout=
>>>>> ipa: DEBUG: stderr=
>>>>> ipa: DEBUG: Starting external process
>>>>> ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
>>>>> ipa: DEBUG: Process finished, return code=0
>>>>> ipa: DEBUG: stdout=active
>>>>>
>>>>> ipa: DEBUG: stderr=
>>>>> ipa: DEBUG: Starting external process
>>>>> ipa: DEBUG: args=/bin/systemctl start certmonger.service
>>>>> ipa: DEBUG: Process finished, return code=0
>>>>> ipa: DEBUG: stdout=
>>>>> ipa: DEBUG: stderr=
>>>>> ipa: DEBUG: Starting external process
>>>>> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
>>>>> ipa: DEBUG: Process finished, return code=0
>>>>> ipa: DEBUG: stdout=active
>>>>>
>>>>> ipa: DEBUG: stderr=
>>>>> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
>>>>> ipa: DEBUG: Starting external process
>>>>> ipa: DEBUG: args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM -L -n Server-Cert -a
>>>>> ipa: DEBUG: Process finished, return code=255
>>>>> ipa: DEBUG: stdout=
>>>>> ipa: DEBUG: stderr=certutil: Could not find cert: Server-Cert
>>>>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>>>>
>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>>>>     return_value = self.run()
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
>>>>>     server.upgrade()
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1863, in upgrade
>>>>>     upgrade_configuration()
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1769, in upgrade_configuration
>>>>>     certificate_renewal_update(ca, ds, http),
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1027, in certificate_renewal_update
>>>>>     ds.start_tracking_certificates(serverid)
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 983, in start_tracking_certificates
>>>>>     'restart_dirsrv %s' % serverid)
>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 307, in track_server_cert
>>>>>     nsscert = x509.load_certificate(cert, dbdir=self.secdir)
>>>>>   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 125, in load_certificate
>>>>>     return nss.Certificate(buffer(data)) # pylint: disable=buffer-builtin
>>>>>
>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The ipa-server-upgrade command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: Unexpected error - see /var/log/ipaupgrade.log for details: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
>>>>>
>>>>> On Thu, Sep 26, 2019 at 9:39 AM Rob Crittenden rcritten@redhat.com wrote:
>>>>>>
>>>>>> Satish Patel wrote:
>>>>>>> I am running "ipa-server-4.4.0-14.el7.centos.4.x86_64"
>>>>>>
>>>>>> Ok, that explains what is happening.
>>>>>>
>>>>>> Edit /var/lib/ipa/sysupgrade/sysupgrade.state and find the [dogtag]
>>>>>> section. Remove the entry for certificate_renewal_update_5.
>>>>>>
>>>>>> This being present is preventing the tracking from being repaired.
>>>>>>
>>>>>> Then run ipa-server-upgrade again and your tracking should be fixed.
>>>>>>
>>>>>> Use the -v flag for additional debugging, not --debug, I was mistaken.
>>>>>>
>>>>>> rob
>>>>>>
>>>>>>>
>>>>>>> On Wed, Sep 25, 2019 at 5:13 PM Rob Crittenden rcritten@redhat.com wrote:
>>>>>>>>
>>>>>>>> Satish Patel via FreeIPA-users wrote:
>>>>>>>>> I did run "ipa-server-upgrade" and it looks like it was successful, but
>>>>>>>>> getcert list is still showing CA_NEED :(
>>>>>>>>
>>>>>>>> Remind me what the package version of IPA is. I'm confused by the
>>>>>>>> version 5 in the output about renewal configuration.
>>>>>>>>
>>>>>>>> You might also want to try running with --debug as depending on release
>>>>>>>> it will give more information about this.
>>>>>>>>
>>>>>>>> rob
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> [root@ldap-ca-master ~]# ipa-server-upgrade
>>>>>>>>> Upgrading IPA:
>>>>>>>>>   [1/10]: stopping directory server
>>>>>>>>>   [2/10]: saving configuration
>>>>>>>>>   [3/10]: disabling listeners
>>>>>>>>>   [4/10]: enabling DS global lock
>>>>>>>>>   [5/10]: starting directory server
>>>>>>>>>   [6/10]: updating schema
>>>>>>>>>   [7/10]: upgrading server
>>>>>>>>>   [8/10]: stopping directory server
>>>>>>>>>   [9/10]: restoring configuration
>>>>>>>>>   [10/10]: starting directory server
>>>>>>>>> Done.
>>>>>>>>> Update complete
>>>>>>>>> Upgrading IPA services
>>>>>>>>> Upgrading the configuration of the IPA services
>>>>>>>>> [Verifying that root certificate is published]
>>>>>>>>> [Migrate CRL publish directory]
>>>>>>>>> CRL tree already moved
>>>>>>>>> /etc/dirsrv/slapd-EXAMPLE-COM/certmap.conf is now managed by IPA. It will be overwritten. A backup of the original will be made.
>>>>>>>>> [Verifying that CA proxy configuration is correct]
>>>>>>>>> [Verifying that KDC configuration is using ipa-kdb backend]
>>>>>>>>> [Fix DS schema file syntax]
>>>>>>>>> Syntax already fixed
>>>>>>>>> [Removing RA cert from DS NSS database]
>>>>>>>>> RA cert already removed
>>>>>>>>> [Enable sidgen and extdom plugins by default]
>>>>>>>>> [Updating HTTPD service IPA configuration]
>>>>>>>>> [Updating mod_nss protocol versions]
>>>>>>>>> Protocol versions already updated
>>>>>>>>> [Updating mod_nss cipher suite]
>>>>>>>>> [Fixing trust flags in /etc/httpd/alias]
>>>>>>>>> Trust flags already processed
>>>>>>>>> [Exporting KRA agent PEM file]
>>>>>>>>> KRA is not enabled
>>>>>>>>> [Removing self-signed CA]
>>>>>>>>> [Removing Dogtag 9 CA]
>>>>>>>>> [Checking for deprecated KDC configuration files]
>>>>>>>>> [Checking for deprecated backups of Samba configuration files]
>>>>>>>>> [Setting up Firefox extension]
>>>>>>>>> [Add missing CA DNS records]
>>>>>>>>> IPA CA DNS records already processed
>>>>>>>>> [Removing deprecated DNS configuration options]
>>>>>>>>> DNS is not configured
>>>>>>>>> [Ensuring minimal number of connections]
>>>>>>>>> DNS is not configured
>>>>>>>>> [Enabling serial autoincrement in DNS]
>>>>>>>>> DNS is not configured
>>>>>>>>> [Updating GSSAPI configuration in DNS]
>>>>>>>>> DNS is not configured
>>>>>>>>> [Updating pid-file configuration in DNS]
>>>>>>>>> DNS is not configured
>>>>>>>>> DNS is not configured
>>>>>>>>> DNS is not configured
>>>>>>>>> DNS is not configured
>>>>>>>>> DNS is not configured
>>>>>>>>> DNS is not configured
>>>>>>>>> DNS is not configured
>>>>>>>>> DNS is not configured
>>>>>>>>> DNS is not configured
>>>>>>>>> [Upgrading CA schema]
>>>>>>>>> CA schema update complete (no changes)
>>>>>>>>> [Verifying that CA audit signing cert has 2 year validity]
>>>>>>>>> [Update certmonger certificate renewal configuration to version 5]
>>>>>>>>> [Enable PKIX certificate path discovery and validation]
>>>>>>>>> PKIX already enabled
>>>>>>>>> [Authorizing RA Agent to modify profiles]
>>>>>>>>> [Authorizing RA Agent to manage lightweight CAs]
>>>>>>>>> [Ensuring Lightweight CAs container exists in Dogtag database]
>>>>>>>>> [Adding default OCSP URI configuration]
>>>>>>>>> [Ensuring CA is using LDAPProfileSubsystem]
>>>>>>>>> [Migrating certificate profiles to LDAP]
>>>>>>>>> [Ensuring presence of included profiles]
>>>>>>>>> [Add default CA ACL]
>>>>>>>>> Default CA ACL already added
>>>>>>>>> [Set up lightweight CA key retrieval]
>>>>>>>>> Creating principal
>>>>>>>>> Retrieving keytab
>>>>>>>>> Creating Custodia keys
>>>>>>>>> Configuring key retriever
>>>>>>>>> The IPA services were upgraded
>>>>>>>>> The ipa-server-upgrade command was successful
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> [root@ldap-ca-master ~]# getcert list | grep status
>>>>>>>>>         status: NEED_CA
>>>>>>>>>         status: NEED_CA
>>>>>>>>>         status: NEED_CA
>>>>>>>>>         status: NEED_CA
>>>>>>>>>         status: NEED_CA
>>>>>>>>>         status: NEED_KEY_PAIR
>>>>>>>>>         status: NEED_KEY_PAIR
>>>>>>>>>         status: NEED_KEY_PAIR
>>>>>>>>>         status: NEED_KEY_PAIR
>>>>>>>>>         status: NEED_CA
>>>>>>>>>         status: NEED_KEY_PAIR
>>>>>>>>>         status: NEED_CA
>>>>>>>>>
>>>>>>>>> On Tue, Sep 24, 2019 at 3:55 AM Florence Blanc-Renaud flo@redhat.com wrote:
>>>>>>>>>>
>>>>>>>>>> On 9/23/19 4:10 PM, Satish Patel via FreeIPA-users wrote:
>>>>>>>>>>> Thanks Florence,
>>>>>>>>>>>
>>>>>>>>>>> is it safe to run "ipa-server-upgrade" ?
>>>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>> generally yes :)
>>>>>>>>>>
>>>>>>>>>> We had a few tickets related to upgrade but they are mainly revealing
>>>>>>>>>> already present issues (for instance because this CLI stops and starts
>>>>>>>>>> the services, expired certs would prevent successful completion).
>>>>>>>>>>
>>>>>>>>>>> Do I need to provide any option with the "ipa-server-upgrade" command?
>>>>>>>>>>> I believe a few months back when I tried to do "ipa-server-upgrade" it
>>>>>>>>>>> broke some stuff, but anyway I will take a snapshot of the VM and try; in the
>>>>>>>>>>> worst case scenario I can revert.
>>>>>>>>>> With the VM snapshot you are on the safe side.
>>>>>>>>>>
>>>>>>>>>> flo
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Sep 23, 2019 at 2:25 AM Florence Blanc-Renaud flo@redhat.com wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> On 9/21/19 7:41 PM, Satish Patel via FreeIPA-users wrote:
>>>>>>>>>>>>> Any thoughts?
>>>>>>>>>>>> Hi,
>>>>>>>>>>>> if you run ipa-server-upgrade on this node, the command will fix the
>>>>>>>>>>>> tracking of certs. You should see in the output:
>>>>>>>>>>>> [Update certmonger certificate renewal configuration]
>>>>>>>>>>>>
>>>>>>>>>>>> HTH,
>>>>>>>>>>>> flo
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Sent from my iPhone
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Sep 20, 2019, at 11:35 AM, Satish Patel satish.txt@gmail.com wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Rob, sorry, I trimmed my output because I thought it was not necessary, but anyway here is
>>>>>>>>>>>>>> the full list (ignore the CAPS letters in the output)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [root@ldap-ca-master ~]# getcert list
>>>>>>>>>>>>>> Number of certificates and requests being tracked: 12.
>>>>>>>>>>>>>> Request ID '20190915042927':
>>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>> subject: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>> expires: 2037-01-05 14:47:24 UTC
>>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>> Request ID '20190915043150':
>>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>> subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
>>>>>>>>>>>>>> expires: 2020-11-17 18:30:29 UTC
>>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>> Request ID '20190915043212':
>>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>> subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>>>>>>>>>>>>>> expires: 2020-11-17 18:31:26 UTC
>>>>>>>>>>>>>> eku: id-kp-OCSPSigning
>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>> Request ID '20190915043224':
>>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>> subject: CN=CA Audit,O=EXAMPLE.COM
>>>>>>>>>>>>>> expires: 2020-11-17 18:32:07 UTC
>>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation
>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>> Request ID '20190915043237':
>>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>> subject: CN=CA Subsystem,O=EXAMPLE.COM
>>>>>>>>>>>>>> expires: 2020-11-17 18:31:16 UTC
>>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>> Request ID '20190915043246':
>>>>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>>>>> stuck: no
>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
>>>>>>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>>> subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>>> expires: 2037-12-31 23:59:59 UTC
>>>>>>>>>>>>>> key usage: keyCertSign,cRLSign
>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>> Request ID '20190915043304':
>>>>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>>>>> stuck: no
>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',pin set
>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
>>>>>>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>>> subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>>> expires: 2031-05-03 07:00:00 UTC
>>>>>>>>>>>>>> key usage: keyCertSign,cRLSign
>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>> Request ID '20190915045112':
>>>>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>>>>> stuck: no
>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',token='NSS Certificate DB'
>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>> subject: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>> >>>>>>>>>>>>>> expires: 2037-01-05 14:47:24 UTC >>>>>>>>>>>>>> >>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign >>>>>>>>>>>>>> >>>>>>>>>>>>>> pre-save command: >>>>>>>>>>>>>> >>>>>>>>>>>>>> post-save command: >>>>>>>>>>>>>> >>>>>>>>>>>>>> track: yes >>>>>>>>>>>>>> >>>>>>>>>>>>>> auto-renew: yes >>>>>>>>>>>>>> >>>>>>>>>>>>>> Request ID '20190915045148': >>>>>>>>>>>>>> >>>>>>>>>>>>>> status: NEED_KEY_PAIR >>>>>>>>>>>>>> >>>>>>>>>>>>>> stuck: no >>>>>>>>>>>>>> >>>>>>>>>>>>>> key pair storage: >>>>>>>>>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt' >>>>>>>>>>>>>> >>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS >>>>>>>>>>>>>> Certificate DB' >>>>>>>>>>>>>> >>>>>>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, >>>>>>>>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US >>>>>>>>>>>>>> >>>>>>>>>>>>>> subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, >>>>>>>>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US >>>>>>>>>>>>>> >>>>>>>>>>>>>> expires: 2037-12-31 23:59:59 UTC >>>>>>>>>>>>>> >>>>>>>>>>>>>> key usage: keyCertSign,cRLSign >>>>>>>>>>>>>> >>>>>>>>>>>>>> pre-save command: >>>>>>>>>>>>>> >>>>>>>>>>>>>> post-save command: >>>>>>>>>>>>>> >>>>>>>>>>>>>> track: yes >>>>>>>>>>>>>> >>>>>>>>>>>>>> auto-renew: yes >>>>>>>>>>>>>> >>>>>>>>>>>>>> Request ID '20190915045156': >>>>>>>>>>>>>> >>>>>>>>>>>>>> status: NEED_CA >>>>>>>>>>>>>> >>>>>>>>>>>>>> stuck: yes >>>>>>>>>>>>>> >>>>>>>>>>>>>> key pair storage: >>>>>>>>>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS >>>>>>>>>>>>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>>>>>>>>>>>>> >>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS >>>>>>>>>>>>>> Certificate DB' >>>>>>>>>>>>>> >>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>>>>>>>>>>>> 
>>>>>>>>>>>>>> subject: CN=Object Signing Cert,O=EXAMPLE.COM >>>>>>>>>>>>>> >>>>>>>>>>>>>> expires: 2021-01-05 14:49:59 UTC >>>>>>>>>>>>>> >>>>>>>>>>>>>> key usage: digitalSignature,keyCertSign >>>>>>>>>>>>>> >>>>>>>>>>>>>> pre-save command: >>>>>>>>>>>>>> >>>>>>>>>>>>>> post-save command: >>>>>>>>>>>>>> >>>>>>>>>>>>>> track: yes >>>>>>>>>>>>>> >>>>>>>>>>>>>> auto-renew: yes >>>>>>>>>>>>>> >>>>>>>>>>>>>> Request ID '20190915045206': >>>>>>>>>>>>>> >>>>>>>>>>>>>> status: NEED_KEY_PAIR >>>>>>>>>>>>>> >>>>>>>>>>>>>> stuck: no >>>>>>>>>>>>>> >>>>>>>>>>>>>> key pair storage: >>>>>>>>>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy >>>>>>>>>>>>>> Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt' >>>>>>>>>>>>>> >>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy >>>>>>>>>>>>>> Intermediate',token='NSS Certificate DB' >>>>>>>>>>>>>> >>>>>>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, >>>>>>>>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US >>>>>>>>>>>>>> >>>>>>>>>>>>>> subject: CN=Go Daddy Secure Certificate Authority - >>>>>>>>>>>>>> G2,OU=http://certs.godaddy.com/repository/,O=%22GoDaddy.com, >>>>>>>>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US >>>>>>>>>>>>>> >>>>>>>>>>>>>> expires: 2031-05-03 07:00:00 UTC >>>>>>>>>>>>>> >>>>>>>>>>>>>> key usage: keyCertSign,cRLSign >>>>>>>>>>>>>> >>>>>>>>>>>>>> pre-save command: >>>>>>>>>>>>>> >>>>>>>>>>>>>> post-save command: >>>>>>>>>>>>>> >>>>>>>>>>>>>> track: yes >>>>>>>>>>>>>> >>>>>>>>>>>>>> auto-renew: yes >>>>>>>>>>>>>> >>>>>>>>>>>>>> Request ID '20190915045216': >>>>>>>>>>>>>> >>>>>>>>>>>>>> status: NEED_CA >>>>>>>>>>>>>> >>>>>>>>>>>>>> stuck: yes >>>>>>>>>>>>>> >>>>>>>>>>>>>> key pair storage: >>>>>>>>>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >>>>>>>>>>>>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>>>>>>>>>>>>> >>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
>>>>>>>>>>>>>> Certificate DB' >>>>>>>>>>>>>> >>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>>>>>>>>>>>> >>>>>>>>>>>>>> subject: CN=IPA RA,O=EXAMPLE.COM >>>>>>>>>>>>>> >>>>>>>>>>>>>> expires: 2020-11-17 18:31:36 UTC >>>>>>>>>>>>>> >>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >>>>>>>>>>>>>> >>>>>>>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth >>>>>>>>>>>>>> >>>>>>>>>>>>>> pre-save command: >>>>>>>>>>>>>> >>>>>>>>>>>>>> post-save command: >>>>>>>>>>>>>> >>>>>>>>>>>>>> track: yes >>>>>>>>>>>>>> >>>>>>>>>>>>>> auto-renew: yes >>>>>>>>>>>>>> >>>>>>>>>>>>>>> On Fri, Sep 20, 2019 at 10:58 AM Rob Crittenden rcritten@redhat.com wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Satish Patel via FreeIPA-users wrote: >>>>>>>>>>>>>>>> Few days ago my Master CA was messed up and getcert list was showing >>>>>>>>>>>>>>>> empty list (no cert to track) >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> So i run following command to add certs manually: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n >>>>>>>>>>>>>>>> 'ocspSigningCert cert-pki-ca' -P XXXXXXX >>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n >>>>>>>>>>>>>>>> 'auditSigningCert cert-pki-ca' -P XXXXXXX >>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'subsystemCert >>>>>>>>>>>>>>>> cert-pki-ca' -P XXXXXXX >>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy' -P XXXXXXX >>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy >>>>>>>>>>>>>>>> Intermediate' -P XXXXXXX >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> And after that i am seeing this status (status: NEED_CA ) it should >>>>>>>>>>>>>>>> be MONITORING right? >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> # getcert list >>>>>>>>>>>>>>>> Number of certificates and requests being tracked: 12. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> You setup the tracking wrong. 
Your output only shows 3 certs and yet >>>>>>>>>>>>>>> certmonger thinks it has 12. Where are the other 9? >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> rob >>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org >>>>>>>>>>>>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org >>>>>>>>>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>>>>>>>>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>>>>>>>>>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> _______________________________________________ >>>>>>>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org >>>>>>>>>>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org >>>>>>>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>>>>>>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>>>>>>>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> _______________________________________________ >>>>>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org >>>>>>>>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org >>>>>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>>>>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>>>>>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... 
>>>>>>>>> >>>>>>>> >>>>>> >>> >> _______________________________________________ >> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org >> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org >> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... >> >
Satish Patel via FreeIPA-users wrote:
> Can I upgrade my existing 4.4.x ldap-ca-master with the "ipa-server-upgrade" command?

No, update the distribution/packages so it is at the same level as the other master(s).

The IPA team recommends running all the IPA masters at the same level. There are sometimes subtle differences between versions, and while they can interoperate ok, it isn't recommended to keep this type of configuration for too long.

> Currently I have the following CA master versions:
>
> ldap-ca-master - 4.4.x (renewal master)
> ldap-ca-replica - 4.6.x
>
> Or
>
> I can do one thing: create a fresh machine, make it one more CA replica and destroy the older ldap-ca-master - 4.4.x

That is certainly one way of achieving it.

rob
On Fri, Sep 27, 2019 at 11:23 AM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel wrote:
Rob,
Last question: when does certmonger renew all certificates automatically? I mean 24 hours before? Just want to make sure it does, otherwise I will be in trouble again :)
It should. I'd work on upgrading all the masters to run the same version of IPA once you're sure things are working and you have a working second CA master.
The renewal happens by default 28 days before expiration.
Also be sure that one of the masters is defined as the CA renewal master in ipa config-show.
rob
Done, I made that change and restarted httpd. I believe all my issues have been fixed now. Thank you so much for your support.

[root@ldap-ca-master conf.d]# grep "NSSNickname" /etc/httpd/conf.d/nss.conf
NSSNickname Server-Cert
On Fri, Sep 27, 2019 at 8:41 AM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel wrote:
Rob,
As you suggested, I did the following (it required a password, so I used -P <PIN>):

# ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/ldap-ca-master.example.com -C /usr/libexec/ipa/certmonger/restart_httpd -D ldap-ca-master.example.com -P 9e8c1a9447d56236733f

# ipa-getcert request -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert -K ldap/ldap-ca-master.example.com -C "/usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE.COM" -D ldap-ca-master.example.com -P 013fcd26f4dfa18c4d1bcaac0dbac44f3ad75698

# certutil -V -u V -d /etc/httpd/alias -n Server-Cert
certutil: certificate is valid

# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert
certutil: certificate is valid
>>> If so then you can swap the config to use them. Edit /etc/httpd/conf.d/nss.conf and replace the NSSNickname value with Server-Cert and restart httpd
Do I need to edit the above nss.conf file?

Currently I have the following NSSNickname in the file:

# grep "NSSNickname" /etc/httpd/conf.d/nss.conf
NSSNickname "CN=*.foo.example.com,OU=Domain Control Validated"
Yes.
Here is the full output of getcert list (do you think it's looking good? I compared it with the replica and I can see the master has 2 fewer certs than the replica; hope that is ok).

That is due to the difference in versions of IPA. This looks ok for a version 4.4.x master.
rob
# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20190926141756':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Audit,O=EXAMPLE.COM
expires: 2020-11-17 18:32:07 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20190926141757':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=OCSP Subsystem,O=EXAMPLE.COM
expires: 2020-11-17 18:31:26 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20190926141758':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Subsystem,O=EXAMPLE.COM
expires: 2020-11-17 18:31:16 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20190926141759':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=Certificate Authority,O=EXAMPLE.COM
expires: 2037-01-05 14:47:24 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20190926141800':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=IPA RA,O=EXAMPLE.COM
expires: 2020-11-17 18:31:36 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20190926141801':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
expires: 2020-11-17 18:30:29 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20190927010638':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ldap-ca-master.foo.example.com,O=EXAMPLE.COM
expires: 2021-09-27 01:06:39 UTC
dns: ldap-ca-master.foo.EXAMPLE.com
principal name: HTTP/ldap-ca-master.foo.EXAMPLE.com@EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Request ID '20190927011037':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ldap-ca-master.foo.example.com,O=EXAMPLE.COM
expires: 2021-09-27 01:10:38 UTC
dns: ldap-ca-master.foo.EXAMPLE.com
principal name: ldap/ldap-ca-master.foo.example.com@EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE.COM
track: yes
auto-renew: yes
On Thu, Sep 26, 2019 at 2:52 PM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel wrote:
> Rob,
>
> I got your point and I will remove all Godaddy certs, but I wanted to say one thing: if I look into the ldap-ca-replica server, which is the other server, I can see Server-Cert. Is there a way I can sync all these replica certs with the master and fix them?

These certs are master-specific. ldap-ca-replica is using IPA-issued server certificates and the other is using Godaddy-issued certificates.
It's possible to issue certificates using the IPA CA to replace these Godaddy certs but I guess I'd check to be sure that's what you really want to do. Most people do this kind of replacement so they don't need to distribute the IPA CA to non-IPA-enrolled systems so they can do self-service management.
Roughly speaking, you'd do something like this:
# ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/<hostname> -C /usr/libexec/ipa/certmonger/restart_httpd -D <hostname>

# ipa-getcert request -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert -K ldap/<hostname> -C "/usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM" -D <hostname>
That will issue the new certs and set them up for tracking.
You can verify that they will work with:
# certutil -V -u V -d <database> -n Server-Cert
Both should return 'certificate is valid'
If so then you can swap the config to use them. Edit /etc/httpd/conf.d/nss.conf and replace the NSSNickname value with Server-Cert and restart httpd
For 389-ds:
# ldapmodify -x -D 'cn=directory manager' -W
dn: cn=RSA,cn=encryption,cn=config
changetype: modify
replace: nsSSLPersonalitySSL
nsSSLPersonalitySSL: Server-Cert
<blank line>
^D
Then restart 389-ds-base, or do both and then run ipactl restart.
The old certs will still exist in the NSS databases so you can always switch them back if you need to.
rob
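The thread's whole problem is visible in `getcert list` output: entries tracked without a CA helper sit in NEED_CA, GoDaddy roots tracked on the master can never be renewed by certmonger, and healthy IPA entries show MONITORING with a `CA:` line. The following is an added example, not code from the thread, FreeIPA or certmonger: a small Python checker that parses the `getcert list` text layout quoted above and flags exactly those conditions, plus anything inside the 28-day renewal window Rob mentions. The sample output, the reference date and the shortened expiry on the last entry are constructed for the example.

```python
"""Sanity-check certmonger tracking entries parsed from `getcert list` output.

Added example for this thread; it is not FreeIPA or certmonger code. It parses
the text layout `getcert list` prints and flags the kinds of entries discussed
above: requests that are not MONITORING or are stuck, entries tracked without a
CA helper (the NEED_CA case), self-signed certificates certmonger has nothing
to renew against (the GoDaddy roots), and certificates already inside the
default 28-day renewal window.
"""
import re
from datetime import datetime, timedelta, timezone

# Default lead time before expiry at which IPA-tracked certs are renewed.
RENEW_LEAD = timedelta(days=28)

# Reference time for the expiry checks (constructed to sit in the thread's timeframe).
AS_OF = datetime(2019, 9, 27, tzinfo=timezone.utc)

# Constructed sample in the same layout as real `getcert list` output; the last
# entry's expiry is deliberately set 13 days after AS_OF.
SAMPLE = """\
Number of certificates and requests being tracked: 4.
Request ID '20190926141756':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=CA Audit,O=EXAMPLE.COM
        expires: 2020-11-17 18:32:07 UTC
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
Request ID '20190915045156':
        status: NEED_CA
        stuck: yes
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=Object Signing Cert,O=EXAMPLE.COM
        expires: 2021-01-05 14:49:59 UTC
        post-save command:
Request ID '20190915043246':
        status: NEED_KEY_PAIR
        stuck: no
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
        issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
        subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
        expires: 2037-12-31 23:59:59 UTC
Request ID '20190927010638':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ldap-ca-master.foo.example.com,O=EXAMPLE.COM
        expires: 2019-10-10 01:06:39 UTC
        post-save command: /usr/libexec/ipa/certmonger/restart_httpd
"""


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per 'Request ID' block."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Request ID '([^']+)':$", line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")  # split at the first colon only
            current[key.strip()] = value.strip()
    return entries


def nickname_of(entry):
    """Readable handle: NSS nickname, else file location, else the request id."""
    for key in ("nickname", "location"):
        m = re.search(rf"{key}='([^']*)'", entry.get("certificate", ""))
        if m:
            return m.group(1)
    return entry["request_id"]


def check_entry(entry, now):
    """Return the list of problems found for one tracking entry (empty if healthy)."""
    problems = []
    if entry.get("status") != "MONITORING":
        problems.append(f"status {entry.get('status')}")
    if entry.get("stuck") == "yes":
        problems.append("stuck")
    if "CA" not in entry:
        # No 'CA:' line: certmonger has no helper to submit a renewal to,
        # which is the NEED_CA state the thread started with.
        problems.append("no CA configured")
        if entry.get("issuer") == entry.get("subject"):
            # A root tracked without a helper can never be renewed by certmonger.
            problems.append("self-signed, not renewable by certmonger")
    if entry.get("expires"):
        when = datetime.strptime(entry["expires"], "%Y-%m-%d %H:%M:%S UTC")
        when = when.replace(tzinfo=timezone.utc)
        if when <= now:
            problems.append("expired")
        elif when - now <= RENEW_LEAD:
            problems.append(f"expires within {RENEW_LEAD.days} days")
    return problems


def summarize(text, now=AS_OF):
    """Map request id -> problem list for every entry in the output."""
    return {e["request_id"]: check_entry(e, now) for e in parse_getcert_list(text)}


if __name__ == "__main__":
    for entry in parse_getcert_list(SAMPLE):
        found = check_entry(entry, AS_OF)
        print(f"{entry['request_id']} {nickname_of(entry):32} {'; '.join(found) or 'ok'}")
```

On a real server the same parser can be fed the live output (`subprocess.run(["getcert", "list"], capture_output=True, text=True).stdout`) with `now=datetime.now(timezone.utc)`; the "no CA configured" finding is the one that separates entries like the ones in the first list (added with plain `getcert start-tracking`) from entries IPA set up itself.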
> > This is replica node output, look like replica is very clean.. > > [root@ldap-ca-replica ~]# getcert list > Number of certificates and requests being tracked: 10. > Request ID '20190918205044': > status: MONITORING > stuck: no > key pair storage: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local > IPA host',token='NSS Certificate > DB',pinfile='/etc/ipa/nssdb/pwdfile.txt' > certificate: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA > host',token='NSS Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=EXAMPLE.COM > subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM > expires: 2021-09-18 20:50:45 UTC > dns: ldap-ca-replica.foo.EXAMPLE.com > principal name: host/ldap-ca-replica.foo.EXAMPLE.com@EXAMPLE.COM > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20190918205212': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt' > certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=EXAMPLE.COM > subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM > expires: 2021-09-18 20:52:12 UTC > dns: ldap-ca-replica.foo.EXAMPLE.com > principal name: ldap/ldap-ca-replica.foo.EXAMPLE.com@EXAMPLE.COM > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM > track: yes > auto-renew: yes > Request ID '20190918205232': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate 
DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=EXAMPLE.COM > subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM > expires: 2021-09-18 20:52:32 UTC > dns: ldap-ca-replica.foo.EXAMPLE.com > principal name: HTTP/ldap-ca-replica.foo.EXAMPLE.com@EXAMPLE.COM > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: /usr/libexec/ipa/certmonger/restart_httpd > track: yes > auto-renew: yes > Request ID '20190918205418': > status: MONITORING > stuck: no > key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key' > certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=EXAMPLE.COM > subject: CN=IPA RA,O=EXAMPLE.COM > expires: 2020-11-17 18:31:36 UTC > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre > post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert > track: yes > auto-renew: yes > Request ID '20190918205431': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=EXAMPLE.COM > subject: CN=CA Audit,O=EXAMPLE.COM > expires: 2020-11-17 18:32:07 UTC > key usage: digitalSignature,nonRepudiation > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > "auditSigningCert cert-pki-ca" > track: yes > auto-renew: yes > 
Request ID '20190918205432': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=EXAMPLE.COM > subject: CN=OCSP Subsystem,O=EXAMPLE.COM > expires: 2020-11-17 18:31:26 UTC > eku: id-kp-OCSPSigning > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > "ocspSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20190918205433': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=EXAMPLE.COM > subject: CN=CA Subsystem,O=EXAMPLE.COM > expires: 2020-11-17 18:31:16 UTC > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > "subsystemCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20190918205434': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=EXAMPLE.COM > subject: CN=Certificate Authority,O=EXAMPLE.COM > expires: 2037-01-05 
14:47:24 UTC > key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > "caSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20190918205435': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=EXAMPLE.COM > subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM > expires: 2021-09-07 20:54:00 UTC > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > "Server-Cert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20190918210008': > status: MONITORING > stuck: no > key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key' > certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' > CA: SelfSign > issuer: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM > subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM > expires: 2020-09-18 21:00:08 UTC > principal name: krbtgt/EXAMPLE.COM@EXAMPLE.COM > certificate template/profile: KDCs_PKINIT_Certs > pre-save command: > post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert > track: yes > auto-renew: yes > > On Thu, Sep 26, 2019 at 1:35 PM Rob Crittenden rcritten@redhat.com wrote: >> >> Satish Patel via FreeIPA-users wrote: >>> Rob, >>> >>> Here is the web certs >>> >>> [root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/httpd/alias -L >>> >>> Certificate Nickname Trust Attributes >>> SSL,S/MIME,JAR/XPI >>> >>> 
EXAMPLE.COM IPA CA CT,C,C >>> Godaddy C,, >>> CN=*.foo.example.com,OU=Domain Control Validated u,u,u >>> Signing-Cert u,u,u >>> Godaddy Intermediate C,, >>> ipaCert u,u,u >> >> Ok, good. Also using a Godaddy cert. >> >>> Here is the fill output of getcert and i can see some certs showing MONITORING >> >> Ok. I've annotated each cert you should stop tracking. It looks like the >> CA subsystem certs are ok. >> >> You will need to watch the Godaddy certs yourself and manually renew >> when the time comes. certmonger has no way to renew those. >> >> To stop tracking these run: getcert stop-tracking -i <request_id> >> >>> >>> [root@ldap-ca-master ~]# getcert list >>> Number of certificates and requests being tracked: 13. >>> Request ID '20190915043246': >>> status: NEED_KEY_PAIR >>> stuck: no >>> key pair storage: >>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin >>> set >>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS >>> Certificate DB' >>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, >>> Inc.",L=Scottsdale,ST=Arizona,C=US >>> subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, >>> Inc.",L=Scottsdale,ST=Arizona,C=US >>> expires: 2037-12-31 23:59:59 UTC >>> key usage: keyCertSign,cRLSign >>> pre-save command: >>> post-save command: >>> track: yes >>> auto-renew: yes >> >> No need to track this one. You'd have no way of renewing it anyway. 
>>
>>> Request ID '20190915043304':
>>> status: NEED_KEY_PAIR
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',pin set
>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>> subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>> expires: 2031-05-03 07:00:00 UTC
>>> key usage: keyCertSign,cRLSign
>>> pre-save command:
>>> post-save command:
>>> track: yes
>>> auto-renew: yes
>>
>> No need to track this one.
>>
>>> Request ID '20190915045112':
>>> status: NEED_KEY_PAIR
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',token='NSS Certificate DB'
>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>> subject: CN=Certificate Authority,O=EXAMPLE.COM
>>> expires: 2037-01-05 14:47:24 UTC
>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>> pre-save command:
>>> post-save command:
>>> track: yes
>>> auto-renew: yes
>>
>> You don't need to track the CA cert here.
>>
>>> Request ID '20190915045148':
>>> status: NEED_KEY_PAIR
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS Certificate DB'
>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>> subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>> expires: 2037-12-31 23:59:59 UTC
>>> key usage: keyCertSign,cRLSign
>>> pre-save command:
>>> post-save command:
>>> track: yes
>>> auto-renew: yes
>>
>> Same, stop the tracking.
>>
>>> Request ID '20190915045156':
>>> status: NEED_CA
>>> stuck: yes
>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>> subject: CN=Object Signing Cert,O=EXAMPLE.COM
>>> expires: 2021-01-05 14:49:59 UTC
>>> key usage: digitalSignature,keyCertSign
>>> pre-save command:
>>> post-save command:
>>> track: yes
>>> auto-renew: yes
>>
>> This one too.
>>
>>> Request ID '20190915045206':
>>> status: NEED_KEY_PAIR
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>> subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>> expires: 2031-05-03 07:00:00 UTC
>>> key usage: keyCertSign,cRLSign
>>> pre-save command:
>>> post-save command:
>>> track: yes
>>> auto-renew: yes
>>
>> And this, stop tracking.
>>
>>> Request ID '20190926141756':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>> subject: CN=CA Audit,O=EXAMPLE.COM
>>> expires: 2020-11-17 18:32:07 UTC
>>> key usage: digitalSignature,nonRepudiation
>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20190926141757':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>> subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>>> expires: 2020-11-17 18:31:26 UTC
>>> eku: id-kp-OCSPSigning
>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20190926141758':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>> subject: CN=CA Subsystem,O=EXAMPLE.COM
>>> expires: 2020-11-17 18:31:16 UTC
>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20190926141759':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>> subject: CN=Certificate Authority,O=EXAMPLE.COM
>>> expires: 2037-01-05 14:47:24 UTC
>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20190926141800':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>> subject: CN=IPA RA,O=EXAMPLE.COM
>>> expires: 2020-11-17 18:31:36 UTC
>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20190926141801':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-renew-agent
>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>> subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
>>> expires: 2020-11-17 18:30:29 UTC
>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20190926141802':
>>> status: CA_UNCONFIGURED
>>> ca-error: Unable to determine principal name for signing request.
>>> stuck: yes
>>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
>>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
>>> CA: IPA
>>> issuer:
>>> subject:
>>> expires: unknown
>>> pre-save command:
>>> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
>>> track: yes
>>> auto-renew: yes
>>
>> The tracking on this one is wrong and since you don't have Server-Cert anyway, just stop tracking this one.
>>
>> rob
>>>
>>> On Thu, Sep 26, 2019 at 10:31 AM Rob Crittenden rcritten@redhat.com wrote:
>>>>
>>>> Satish Patel wrote:
>>>>> Addition to last email:
>>>>>
>>>>> I can't see Server-Cert here, but interestingly I can see Server-Cert on my CA replica node ldap-2 (why is my primary ldap-ca-master not showing that cert?)
>>>>>
>>>>> [root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L
>>>>>
>>>>> Certificate Nickname                                   Trust Attributes
>>>>>                                                        SSL,S/MIME,JAR/XPI
>>>>>
>>>>> EXAMPLE.COM IPA CA                                     CT,C,C
>>>>> Godaddy                                                C,,
>>>>> CN=*.foo.example.com,OU=Domain Control Validated       u,u,u
>>>>> Godaddy Intermediate                                   C,,
>>>>
>>>> At some point someone replaced the IPA-signed LDAP certificate with one signed by GoDaddy (which is fine).
>>>>
>>>> It appears that the version of IPA you're using (at least) doesn't handle this case.
>>>>
>>>> Now, fortunately it's one of the last things done so this may be just fine.
>>>>
>>>> Can you see if your web server cert was also replaced? The database is /etc/httpd/alias.
>>>>
>>>> Also, check your current tracking. The CA subsystem certs should be properly tracked now. It is just the LDAP and web certs that should not be (and if it is still using GoDaddy that is fine).
>>>>
>>>> rob
>>>>
>>>>>
>>>>> On Thu, Sep 26, 2019 at 10:22 AM Satish Patel satish.txt@gmail.com wrote:
>>>>>>
>>>>>> Rob,
>>>>>>
>>>>>> Now I got an error and here is the output; the output was very long so I cropped it down and here is the error piece.
>>>>>>
>>>>>> ipa: INFO: [Upgrading CA schema]
>>>>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket from SchemaCache
>>>>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x85bbf80>
>>>>>> ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file /usr/share/pki/server/conf/schema-certProfile.ldif
>>>>>> ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file /usr/share/pki/server/conf/schema-authority.ldif
>>>>>> ipa.ipaserver.install.schemaupdate: DEBUG: Not updating schema
>>>>>> ipa: INFO: CA schema update complete (no changes)
>>>>>> ipa: INFO: [Verifying that CA audit signing cert has 2 year validity]
>>>>>> ipa.ipaserver.install.cainstance.CAInstance: DEBUG: caSignedLogCert.cfg profile validity range is 720
>>>>>> ipa: INFO: [Update certmonger certificate renewal configuration to version 5]
>>>>>> ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
>>>>>> ipa: DEBUG: Configuring certmonger to stop tracking system certificates for CA
>>>>>> Configuring certmonger to stop tracking system certificates for CA
>>>>>> ipa: DEBUG: Starting external process
>>>>>> ipa: DEBUG: args=/bin/systemctl start messagebus.service
>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>> ipa: DEBUG: stdout=
>>>>>> ipa: DEBUG: stderr=
>>>>>> ipa: DEBUG: Starting external process
>>>>>> ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>> ipa: DEBUG: stdout=active
>>>>>>
>>>>>> ipa: DEBUG: stderr=
>>>>>> ipa: DEBUG: Starting external process
>>>>>> ipa: DEBUG: args=/bin/systemctl start certmonger.service
>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>> ipa: DEBUG: stdout=
>>>>>> ipa: DEBUG: stderr=
>>>>>> ipa: DEBUG: Starting external process
>>>>>> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>> ipa: DEBUG: stdout=active
>>>>>>
>>>>>> ipa: DEBUG: stderr=
>>>>>> ipa: DEBUG: Starting external process
>>>>>> ipa: DEBUG: args=/bin/systemctl stop certmonger.service
>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>> ipa: DEBUG: stdout=
>>>>>> ipa: DEBUG: stderr=
>>>>>> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
>>>>>> ipa: DEBUG: Starting external process
>>>>>> ipa: DEBUG: args=/bin/systemctl start certmonger.service
>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>> ipa: DEBUG: stdout=
>>>>>> ipa: DEBUG: stderr=
>>>>>> ipa: DEBUG: Starting external process
>>>>>> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>> ipa: DEBUG: stdout=active
>>>>>>
>>>>>> ipa: DEBUG: stderr=
>>>>>> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
>>>>>> ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
>>>>>> ipa: DEBUG: Starting external process
>>>>>> ipa: DEBUG: args=/bin/systemctl enable certmonger.service
>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>> ipa: DEBUG: stdout=
>>>>>> ipa: DEBUG: stderr=
>>>>>> ipa: DEBUG: Starting external process
>>>>>> ipa: DEBUG: args=/bin/systemctl start messagebus.service
>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>> ipa: DEBUG: stdout=
>>>>>> ipa: DEBUG: stderr=
>>>>>> ipa: DEBUG: Starting external process
>>>>>> ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>> ipa: DEBUG: stdout=active
>>>>>>
>>>>>> ipa: DEBUG: stderr=
>>>>>> ipa: DEBUG: Starting external process
>>>>>> ipa: DEBUG: args=/bin/systemctl start certmonger.service
>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>> ipa: DEBUG: stdout=
>>>>>> ipa: DEBUG: stderr=
>>>>>> ipa: DEBUG: Starting external process
>>>>>> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>> ipa: DEBUG: stdout=active
>>>>>>
>>>>>> ipa: DEBUG: stderr=
>>>>>> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
>>>>>> ipa: DEBUG: Starting external process
>>>>>> ipa: DEBUG: args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM -L -n Server-Cert -a
>>>>>> ipa: DEBUG: Process finished, return code=255
>>>>>> ipa: DEBUG: stdout=
>>>>>> ipa: DEBUG: stderr=certutil: Could not find cert: Server-Cert
>>>>>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>>>>>
>>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>>>>>     return_value = self.run()
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
>>>>>>     server.upgrade()
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1863, in upgrade
>>>>>>     upgrade_configuration()
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1769, in upgrade_configuration
>>>>>>     certificate_renewal_update(ca, ds, http),
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1027, in certificate_renewal_update
>>>>>>     ds.start_tracking_certificates(serverid)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 983, in start_tracking_certificates
>>>>>>     'restart_dirsrv %s' % serverid)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 307, in track_server_cert
>>>>>>     nsscert = x509.load_certificate(cert, dbdir=self.secdir)
>>>>>>   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 125, in load_certificate
>>>>>>     return nss.Certificate(buffer(data))  # pylint: disable=buffer-builtin
>>>>>>
>>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The ipa-server-upgrade command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: Unexpected error - see /var/log/ipaupgrade.log for details: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
>>>>>>
>>>>>> On Thu, Sep 26, 2019 at 9:39 AM Rob Crittenden rcritten@redhat.com wrote:
>>>>>>>
>>>>>>> Satish Patel wrote:
>>>>>>>> I am running "ipa-server-4.4.0-14.el7.centos.4.x86_64"
>>>>>>>
>>>>>>> Ok, that explains what is happening.
>>>>>>>
>>>>>>> Edit /var/lib/ipa/sysupgrade/sysupgrade.state and find the [dogtag] section. Remove the entry for certificate_renewal_update_5.
>>>>>>>
>>>>>>> This being present is preventing the tracking from being repaired.
>>>>>>>
>>>>>>> Then run ipa-server-upgrade again and your tracking should be fixed.
>>>>>>>
>>>>>>> Use the -v flag for additional debugging, not --debug, I was mistaken.
>>>>>>>
>>>>>>> rob
>>>>>>>
>>>>>>>>
>>>>>>>> On Wed, Sep 25, 2019 at 5:13 PM Rob Crittenden rcritten@redhat.com wrote:
>>>>>>>>>
>>>>>>>>> Satish Patel via FreeIPA-users wrote:
>>>>>>>>>> I did run "ipa-server-upgrade" and it looks like it was successful, but getcert list is still showing CA_NEED :(
>>>>>>>>>
>>>>>>>>> Remind me what the package version of IPA is. I'm confused by the version 5 in the output about renewal configuration.
>>>>>>>>>
>>>>>>>>> You might also want to try running with --debug as depending on release it will give more information about this.
>>>>>>>>>
>>>>>>>>> rob
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> [root@ldap-ca-master ~]# ipa-server-upgrade
>>>>>>>>>> Upgrading IPA:
>>>>>>>>>>   [1/10]: stopping directory server
>>>>>>>>>>   [2/10]: saving configuration
>>>>>>>>>>   [3/10]: disabling listeners
>>>>>>>>>>   [4/10]: enabling DS global lock
>>>>>>>>>>   [5/10]: starting directory server
>>>>>>>>>>   [6/10]: updating schema
>>>>>>>>>>   [7/10]: upgrading server
>>>>>>>>>>   [8/10]: stopping directory server
>>>>>>>>>>   [9/10]: restoring configuration
>>>>>>>>>>   [10/10]: starting directory server
>>>>>>>>>> Done.
>>>>>>>>>> Update complete
>>>>>>>>>> Upgrading IPA services
>>>>>>>>>> Upgrading the configuration of the IPA services
>>>>>>>>>> [Verifying that root certificate is published]
>>>>>>>>>> [Migrate CRL publish directory]
>>>>>>>>>> CRL tree already moved
>>>>>>>>>> /etc/dirsrv/slapd-EXAMPLE-COM/certmap.conf is now managed by IPA. It will be overwritten. A backup of the original will be made.
>>>>>>>>>> [Verifying that CA proxy configuration is correct]
>>>>>>>>>> [Verifying that KDC configuration is using ipa-kdb backend]
>>>>>>>>>> [Fix DS schema file syntax]
>>>>>>>>>> Syntax already fixed
>>>>>>>>>> [Removing RA cert from DS NSS database]
>>>>>>>>>> RA cert already removed
>>>>>>>>>> [Enable sidgen and extdom plugins by default]
>>>>>>>>>> [Updating HTTPD service IPA configuration]
>>>>>>>>>> [Updating mod_nss protocol versions]
>>>>>>>>>> Protocol versions already updated
>>>>>>>>>> [Updating mod_nss cipher suite]
>>>>>>>>>> [Fixing trust flags in /etc/httpd/alias]
>>>>>>>>>> Trust flags already processed
>>>>>>>>>> [Exporting KRA agent PEM file]
>>>>>>>>>> KRA is not enabled
>>>>>>>>>> [Removing self-signed CA]
>>>>>>>>>> [Removing Dogtag 9 CA]
>>>>>>>>>> [Checking for deprecated KDC configuration files]
>>>>>>>>>> [Checking for deprecated backups of Samba configuration files]
>>>>>>>>>> [Setting up Firefox extension]
>>>>>>>>>> [Add missing CA DNS records]
>>>>>>>>>> IPA CA DNS records already processed
>>>>>>>>>> [Removing deprecated DNS configuration options]
>>>>>>>>>> DNS is not configured
>>>>>>>>>> [Ensuring minimal number of connections]
>>>>>>>>>> DNS is not configured
>>>>>>>>>> [Enabling serial autoincrement in DNS]
>>>>>>>>>> DNS is not configured
>>>>>>>>>> [Updating GSSAPI configuration in DNS]
>>>>>>>>>> DNS is not configured
>>>>>>>>>> [Updating pid-file configuration in DNS]
>>>>>>>>>> DNS is not configured
>>>>>>>>>> DNS is not configured
>>>>>>>>>> DNS is not configured
>>>>>>>>>> DNS is not configured
>>>>>>>>>> DNS is not configured
>>>>>>>>>> DNS is not configured
>>>>>>>>>> DNS is not configured
>>>>>>>>>> DNS is not configured
>>>>>>>>>> [Upgrading CA schema]
>>>>>>>>>> CA schema update complete (no changes)
>>>>>>>>>> [Verifying that CA audit signing cert has 2 year validity]
>>>>>>>>>> [Update certmonger certificate renewal configuration to version 5]
>>>>>>>>>> [Enable PKIX certificate path discovery and validation]
>>>>>>>>>> PKIX already enabled
>>>>>>>>>> [Authorizing RA Agent to modify profiles]
>>>>>>>>>> [Authorizing RA Agent to manage lightweight CAs]
>>>>>>>>>> [Ensuring Lightweight CAs container exists in Dogtag database]
>>>>>>>>>> [Adding default OCSP URI configuration]
>>>>>>>>>> [Ensuring CA is using LDAPProfileSubsystem]
>>>>>>>>>> [Migrating certificate profiles to LDAP]
>>>>>>>>>> [Ensuring presence of included profiles]
>>>>>>>>>> [Add default CA ACL]
>>>>>>>>>> Default CA ACL already added
>>>>>>>>>> [Set up lightweight CA key retrieval]
>>>>>>>>>> Creating principal
>>>>>>>>>> Retrieving keytab
>>>>>>>>>> Creating Custodia keys
>>>>>>>>>> Configuring key retriever
>>>>>>>>>> The IPA services were upgraded
>>>>>>>>>> The ipa-server-upgrade command was successful
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> [root@ldap-ca-master ~]# getcert list | grep status
>>>>>>>>>> status: NEED_CA
>>>>>>>>>> status: NEED_CA
>>>>>>>>>> status: NEED_CA
>>>>>>>>>> status: NEED_CA
>>>>>>>>>> status: NEED_CA
>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>> status: NEED_CA
>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>> status: NEED_CA
>>>>>>>>>>
>>>>>>>>>> On Tue, Sep 24, 2019 at 3:55 AM Florence Blanc-Renaud flo@redhat.com wrote:
>>>>>>>>>>>
>>>>>>>>>>> On 9/23/19 4:10 PM, Satish Patel via FreeIPA-users wrote:
>>>>>>>>>>>> Thanks Florence,
>>>>>>>>>>>>
>>>>>>>>>>>> is it safe to run "ipa-server-upgrade" ?
>>>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>> generally yes :)
>>>>>>>>>>>
>>>>>>>>>>> We had a few tickets related to upgrade but they are mainly revealing already present issues (for instance because this CLI stops and starts the services, expired certs would prevent successful completion).
>>>>>>>>>>>
>>>>>>>>>>>> Do I need to provide any option with the "ipa-server-upgrade" command? I believe a few months back when I tried to do "ipa-server-upgrade" it broke some stuff, but anyway I will take a snapshot of the VM and try, for the worst-case scenario.
>>>>>>>>>>> With the VM snapshot you are on the safe side.
>>>>>>>>>>>
>>>>>>>>>>> flo
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Sep 23, 2019 at 2:25 AM Florence Blanc-Renaud flo@redhat.com wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 9/21/19 7:41 PM, Satish Patel via FreeIPA-users wrote:
>>>>>>>>>>>>>> Any thoughts?
>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>> if you run ipa-server-upgrade on this node, the command will fix the tracking of certs. You should see in the output:
>>>>>>>>>>>>> [Update certmonger certificate renewal configuration]
>>>>>>>>>>>>>
>>>>>>>>>>>>> HTH,
>>>>>>>>>>>>> flo
>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Sent from my iPhone
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Sep 20, 2019, at 11:35 AM, Satish Patel satish.txt@gmail.com wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Rob sorry, I trimmed my output, thought it was not necessary, but anyway here is the full list (ignore the CAPS letters in the output)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [root@ldap-ca-master ~]# getcert list
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Number of certificates and requests being tracked: 12.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Request ID '20190915042927':
>>>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>>> subject: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>>> expires: 2037-01-05 14:47:24 UTC
>>>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Request ID '20190915043150':
>>>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>>> subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
>>>>>>>>>>>>>>> expires: 2020-11-17 18:30:29 UTC
>>>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>>>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Request ID '20190915043212':
>>>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>>> subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>>>>>>>>>>>>>>> expires: 2020-11-17 18:31:26 UTC
>>>>>>>>>>>>>>> eku: id-kp-OCSPSigning
>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Request ID '20190915043224':
>>>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>>> subject: CN=CA Audit,O=EXAMPLE.COM
>>>>>>>>>>>>>>> expires: 2020-11-17 18:32:07 UTC
>>>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation
>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Request ID '20190915043237':
>>>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>>> subject: CN=CA Subsystem,O=EXAMPLE.COM
>>>>>>>>>>>>>>> expires: 2020-11-17 18:31:16 UTC
>>>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>>>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Request ID '20190915043246':
>>>>>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>>>>>> stuck: no
>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
>>>>>>>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>>>> subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>>>> expires: 2037-12-31 23:59:59 UTC
>>>>>>>>>>>>>>> key usage: keyCertSign,cRLSign
>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Request ID '20190915043304':
>>>>>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>>>>>> stuck: no
>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',pin set
>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
>>>>>>>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>>>> subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>>>> expires: 2031-05-03 07:00:00 UTC
>>>>>>>>>>>>>>> key usage: keyCertSign,cRLSign
>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Request ID '20190915045112':
>>>>>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>>>>>> stuck: no
>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',token='NSS Certificate DB'
>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>>> subject: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>>> expires: 2037-01-05 14:47:24 UTC
>>>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Request ID '20190915045148':
>>>>>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>>>>>> stuck: no
>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS Certificate DB'
>>>>>>>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>>>> subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>>>> expires: 2037-12-31 23:59:59 UTC
>>>>>>>>>>>>>>> key usage: keyCertSign,cRLSign
>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Request ID '20190915045156':
>>>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>>> subject: CN=Object Signing Cert,O=EXAMPLE.COM
>>>>>>>>>>>>>>> expires: 2021-01-05 14:49:59 UTC
>>>>>>>>>>>>>>> key usage: digitalSignature,keyCertSign
>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Request ID '20190915045206':
>>>>>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>>>>>> stuck: no
>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
>>>>>>>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>>>> subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>>>> expires: 2031-05-03 07:00:00 UTC
>>>>>>>>>>>>>>> key usage: keyCertSign,cRLSign
>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Request ID '20190915045216': >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> status: NEED_CA >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> stuck: yes >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> key pair storage: >>>>>>>>>>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >>>>>>>>>>>>>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >>>>>>>>>>>>>>> Certificate DB' >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> subject: CN=IPA RA,O=EXAMPLE.COM >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> expires: 2020-11-17 18:31:36 UTC >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> pre-save command: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> post-save command: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> track: yes >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> auto-renew: yes >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On Fri, Sep 20, 2019 at 10:58 AM Rob Crittenden rcritten@redhat.com wrote: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Satish Patel via FreeIPA-users wrote: >>>>>>>>>>>>>>>>> Few days ago my Master CA was messed up and getcert list was showing >>>>>>>>>>>>>>>>> empty list (no cert to track) >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> So i run following command to add certs manually: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n >>>>>>>>>>>>>>>>> 'ocspSigningCert cert-pki-ca' -P XXXXXXX >>>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n >>>>>>>>>>>>>>>>> 'auditSigningCert cert-pki-ca' -P XXXXXXX >>>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'subsystemCert >>>>>>>>>>>>>>>>> cert-pki-ca' -P XXXXXXX >>>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy' -P XXXXXXX >>>>>>>>>>>>>>>>> 
getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy >>>>>>>>>>>>>>>>> Intermediate' -P XXXXXXX >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> And after that i am seeing this status (status: NEED_CA ) it should >>>>>>>>>>>>>>>>> be MONITORING right? >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> # getcert list >>>>>>>>>>>>>>>>> Number of certificates and requests being tracked: 12. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> You setup the tracking wrong. Your output only shows 3 certs and yet >>>>>>>>>>>>>>>> certmonger thinks it has 12. Where are the other 9? >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> rob >>>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org >>>>>>>>>>>>>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org >>>>>>>>>>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>>>>>>>>>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>>>>>>>>>>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org >>>>>>>>>>>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org >>>>>>>>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>>>>>>>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>>>>>>>>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... 
>>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> _______________________________________________ >>>>>>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org >>>>>>>>>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org >>>>>>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>>>>>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>>>>>>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... >>>>>>>>>> >>>>>>>>> >>>>>>> >>>> >>> _______________________________________________ >>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org >>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org >>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... >>> >>
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
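Added example, not code from the thread, certmonger or FreeIPA: a small Python triage of `getcert list` output that applies the rules this thread arrives at by hand (entries that are not MONITORING or have no CA configured are candidates for `getcert stop-tracking`, externally issued certs have to be renewed manually, and certmonger starts renewing 28 days before expiry). The sample output is constructed in the thread's format with abridged fields and an adjusted expiry date; `IPA_CA_ISSUER` is the CA DN shown in the thread.

```python
"""Triage of `getcert list` output, applying the rules this thread arrives at.
Added example, not code from the thread, certmonger or FreeIPA: it parses the
plain-text format shown in the thread and classifies each tracking request so
an administrator can review `getcert stop-tracking -i <id>` candidates first."""
import re
from datetime import datetime, timedelta, timezone

# Issuer DN of the IPA CA exactly as it appears in the thread's output.
IPA_CA_ISSUER = "CN=Certificate Authority,O=EXAMPLE.COM"
# certmonger's default renewal lead time, as quoted in the thread (28 days).
RENEWAL_LEAD = timedelta(days=28)
REFERENCE_NOW = datetime(2019, 9, 27, tzinfo=timezone.utc)  # date of the thread's last messages

# Constructed sample in the thread's format (abridged fields, one expiry adjusted; not a real capture).
SAMPLE_OUTPUT = """\
Number of certificates and requests being tracked: 4.
Request ID '20190926141759':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=Certificate Authority,O=EXAMPLE.COM
        expires: 2037-01-05 14:47:24 UTC
Request ID '20190915045156':
        status: NEED_CA
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=Object Signing Cert,O=EXAMPLE.COM
        expires: 2021-01-05 14:49:59 UTC
Request ID '20190915045148':
        status: NEED_KEY_PAIR
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt'
        issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
        subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
        expires: 2037-12-31 23:59:59 UTC
Request ID '20190927010638':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pin set
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ldap-ca-master.foo.example.com,O=EXAMPLE.COM
        expires: 2019-10-15 01:06:39 UTC
"""


def parse_getcert_list(text):
    """One {field: value} dict per 'Request ID' block; the first ':' separates field from value."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        match = re.match(r"Request ID '([^']+)':", line)
        if match:
            current = {"request_id": match.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            field, _, value = line.partition(":")
            current[field.strip()] = value.strip()
    return requests


def nickname(req):
    """NSS nickname from the 'key pair storage' field (FILE-backed entries have none)."""
    storage = req.get("key pair storage", "")
    match = re.search(r"nickname='([^']*)'", storage)
    return match.group(1) if match else storage


def triage(requests, now):
    """Classify each request as 'stop-tracking', 'watch' (inside the renewal window) or 'ok'."""
    findings = []
    for req in requests:
        reasons = []
        status = req.get("status", "?")
        if status != "MONITORING":
            reasons.append(f"status {status} (stuck: {req.get('stuck', '?')})")
        if "CA" not in req:
            reasons.append("no CA configured, so certmonger has nothing to renew against")
        if req.get("issuer") != IPA_CA_ISSUER:
            reasons.append("issued by an external CA; certmonger cannot renew it")
        action = "stop-tracking" if reasons else "ok"
        if action == "ok":
            expires = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
            if expires - now <= RENEWAL_LEAD:
                action = "watch"
                reasons.append(f"inside the {RENEWAL_LEAD.days}-day renewal window (expires {req['expires']})")
        findings.append({"request_id": req["request_id"], "nickname": nickname(req),
                         "action": action, "reasons": reasons})
    return findings


def stop_tracking_commands(findings):
    """Commands to review by hand, mirroring the thread's 'getcert stop-tracking -i <request_id>'."""
    return [f"getcert stop-tracking -i {f['request_id']}" for f in findings if f["action"] == "stop-tracking"]


def triage_sample():
    """Run the triage over the constructed sample at the reference date."""
    return triage(parse_getcert_list(SAMPLE_OUTPUT), REFERENCE_NOW)
```

Running `triage_sample()` flags the stuck Signing-Cert and the Godaddy root as stop-tracking candidates and the httpd Server-Cert as inside its renewal window; the caSigningCert entry is left alone.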
Ok, thanks for the clarification. I will create a brand new CA master and retire the older version.
On Fri, Sep 27, 2019 at 12:02 PM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel via FreeIPA-users wrote:
Can I upgrade my existing 4.4.x ldap-ca-master with the "ipa-server-upgrade" command?
No, update the distribution/packages so it is at the same level as the other master(s).
The IPA team recommends running all the IPA masters at the same level. There are sometimes subtle differences between versions, and while they can interoperate ok, it isn't recommended to keep this type of configuration for too long.
Currently I have the following CA master versions:
ldap-ca-master - 4.4.x (renewal master)
ldap-ca-replica - 4.6.x
Or
I can do one thing: create a fresh machine, make it one more CA replica, and destroy the older ldap-ca-master - 4.4.x.
That is certainly one way of achieving it.
rob
On Fri, Sep 27, 2019 at 11:23 AM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel wrote:
Rob,
Last question: when does certmonger renew all certificates automatically? I mean, 24 hours before? Just want to make sure it does, otherwise I will be in trouble again :)
It should. I'd work on upgrading all the masters to run the same version of IPA once you're sure things are working and you have a working second CA master.
The renewal happens by default 28 days before expiration.
Also be sure that one of the masters is defined as the CA renewal master in ipa config-show.
rob
Done, I made that change and restarted httpd. I believe all my issues have now been fixed. Thank you so much for your support.
[root@ldap-ca-master conf.d]# grep "NSSNickname" /etc/httpd/conf.d/nss.conf
NSSNickname Server-Cert
On Fri, Sep 27, 2019 at 8:41 AM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel wrote:
Rob,
As you suggested, I did the following (it required a password, so I used -P <PIN>):
# ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/ldap-ca-master.example.com -C /usr/libexec/ipa/certmonger/restart_httpd -D ldap-ca-master.example.com -P 9e8c1a9447d56236733f
# ipa-getcert request -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert -K ldap/ldap-ca-master.example.com -C "/usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE.COM" -D ldap-ca-master.example.com -P 013fcd26f4dfa18c4d1bcaac0dbac44f3ad75698
# certutil -V -u V -d /etc/httpd/alias -n Server-Cert
certutil: certificate is valid
# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert
certutil: certificate is valid
>>>> If so then you can swap the config to use them. Edit /etc/httpd/conf.d/nss.conf and replace the NSSNickname value with Server-Cert and restart httpd
Do I need to edit the above nss.conf file?
Currently I have the following NSSNickname in the file.
# grep "NSSNickname" /etc/httpd/conf.d/nss.conf
NSSNickname "CN=*.foo.example.com,OU=Domain Control Validated"
Yes.
Here is the full output of getcert list (do you think it's looking good? I compared with the replica and I can see the master has 2 fewer certs than the replica, hope that is ok).
Due to the difference in versions of IPA. This looks ok for a 4.4.x master.
rob
# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20190926141756':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=CA Audit,O=EXAMPLE.COM
        expires: 2020-11-17 18:32:07 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190926141757':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=OCSP Subsystem,O=EXAMPLE.COM
        expires: 2020-11-17 18:31:26 UTC
        eku: id-kp-OCSPSigning
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190926141758':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=CA Subsystem,O=EXAMPLE.COM
        expires: 2020-11-17 18:31:16 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190926141759':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=Certificate Authority,O=EXAMPLE.COM
        expires: 2037-01-05 14:47:24 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190926141800':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=IPA RA,O=EXAMPLE.COM
        expires: 2020-11-17 18:31:36 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20190926141801':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
        expires: 2020-11-17 18:30:29 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190927010638':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ldap-ca-master.foo.example.com,O=EXAMPLE.COM
        expires: 2021-09-27 01:06:39 UTC
        dns: ldap-ca-master.foo.EXAMPLE.com
        principal name: HTTP/ldap-ca-master.foo.EXAMPLE.com@EXAMPLE.COM
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20190927011037':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ldap-ca-master.foo.example.com,O=EXAMPLE.COM
        expires: 2021-09-27 01:10:38 UTC
        dns: ldap-ca-master.foo.EXAMPLE.com
        principal name: ldap/ldap-ca-master.foo.example.com@EXAMPLE.COM
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE.COM
        track: yes
        auto-renew: yes
On Thu, Sep 26, 2019 at 2:52 PM Rob Crittenden rcritten@redhat.com wrote:
>
> Satish Patel wrote:
>> Rob,
>>
>> I got your point and I will remove all Godaddy certs, but I wanted to say one thing: if I look into the ldap-ca-replica server, which is the other server, I can see Server-Cert. Is there a way I can sync all these replica certs with the master and fix them?
>
> These certs are master-specific. ldap-ca-replica is using IPA-issued server certificates and the other is using Godaddy-issued certificates.
>
> It's possible to issue certificates using the IPA CA to replace these Godaddy certs but I guess I'd check to be sure that's what you really want to do. Most people do this kind of replacement so they don't need to distribute the IPA CA to non-IPA-enrolled systems so they can do self-service management.
>
> Roughly speaking, you'd do something like this:
>
> # ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/<hostname> -C /usr/libexec/ipa/certmonger/restart_httpd -D <hostname>
> # ipa-getcert request -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert -K ldap/<hostname> -C "/usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM" -D <hostname>
>
> That will issue the new certs and set them up for tracking.
>
> You can verify that they will work with:
>
> # certutil -V -u V -d <database> -n Server-Cert
>
> Both should return 'certificate is valid'
>
> If so then you can swap the config to use them. Edit /etc/httpd/conf.d/nss.conf and replace the NSSNickname value with Server-Cert and restart httpd
>
> For 389-ds:
>
> # ldapmodify -x -D 'cn=directory manager' -W
> dn: cn=RSA,cn=encryption,cn=config
> changetype: modify
> replace: nsSSLPersonalitySSL
> nsSSLPersonalitySSL: Server-Cert
> <blank line>
> ^D
>
> Then restart 389-ds-base, or do both then run ipactl restart
>
> The old certs will still exist in the NSS databases so you can always switch them back if you need to.
>
> rob
>
>> This is the replica node output; it looks like the replica is very clean.
>>
>> [root@ldap-ca-replica ~]# getcert list
>> Number of certificates and requests being tracked: 10.
>> Request ID '20190918205044':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host',token='NSS Certificate DB',pinfile='/etc/ipa/nssdb/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>         subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
>>         expires: 2021-09-18 20:50:45 UTC
>>         dns: ldap-ca-replica.foo.EXAMPLE.com
>>         principal name: host/ldap-ca-replica.foo.EXAMPLE.com@EXAMPLE.COM
>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20190918205212':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>         subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
>>         expires: 2021-09-18 20:52:12 UTC
>>         dns: ldap-ca-replica.foo.EXAMPLE.com
>>         principal name: ldap/ldap-ca-replica.foo.EXAMPLE.com@EXAMPLE.COM
>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
>>         track: yes
>>         auto-renew: yes
>> Request ID '20190918205232':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>         subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
>>         expires: 2021-09-18 20:52:32 UTC
>>         dns: ldap-ca-replica.foo.EXAMPLE.com
>>         principal name: HTTP/ldap-ca-replica.foo.EXAMPLE.com@EXAMPLE.COM
>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>>         track: yes
>>         auto-renew: yes
>> Request ID '20190918205418':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>>         certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>         subject: CN=IPA RA,O=EXAMPLE.COM
>>         expires: 2020-11-17 18:31:36 UTC
>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>         post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>         track: yes
>>         auto-renew: yes
>> Request ID '20190918205431':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>         subject: CN=CA Audit,O=EXAMPLE.COM
>>         expires: 2020-11-17 18:32:07 UTC
>>         key usage: digitalSignature,nonRepudiation
>>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20190918205432':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>         subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>>         expires: 2020-11-17 18:31:26 UTC
>>         eku: id-kp-OCSPSigning
>>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20190918205433':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>         subject: CN=CA Subsystem,O=EXAMPLE.COM
>>         expires: 2020-11-17 18:31:16 UTC
>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20190918205434':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>         subject: CN=Certificate Authority,O=EXAMPLE.COM
>>         expires: 2037-01-05 14:47:24 UTC
>>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20190918205435':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>         subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
>>         expires: 2021-09-07 20:54:00 UTC
>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20190918210008':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
>>         certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
>>         CA: SelfSign
>>         issuer: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
>>         subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
>>         expires: 2020-09-18 21:00:08 UTC
>>         principal name: krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>         certificate template/profile: KDCs_PKINIT_Certs
>>         pre-save command:
>>         post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
>>         track: yes
>>         auto-renew: yes
>>
>> On Thu, Sep 26, 2019 at 1:35 PM Rob Crittenden rcritten@redhat.com wrote:
>>>
>>> Satish Patel via FreeIPA-users wrote:
>>>> Rob,
>>>>
>>>> Here are the web certs:
>>>>
>>>> [root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/httpd/alias -L
>>>>
>>>> Certificate Nickname                                   Trust Attributes
>>>>                                                        SSL,S/MIME,JAR/XPI
>>>>
>>>> EXAMPLE.COM IPA CA                                     CT,C,C
>>>> Godaddy                                                C,,
>>>> CN=*.foo.example.com,OU=Domain Control Validated       u,u,u
>>>> Signing-Cert                                           u,u,u
>>>> Godaddy Intermediate                                   C,,
>>>> ipaCert                                                u,u,u
>>>
>>> Ok, good. Also using a Godaddy cert.
>>>
>>>> Here is the full output of getcert and I can see some certs showing MONITORING.
>>>
>>> Ok. I've annotated each cert you should stop tracking. It looks like the CA subsystem certs are ok.
>>>
>>> You will need to watch the Godaddy certs yourself and manually renew when the time comes. certmonger has no way to renew those.
>>>
>>> To stop tracking these run: getcert stop-tracking -i <request_id>
>>>
>>>> [root@ldap-ca-master ~]# getcert list
>>>> Number of certificates and requests being tracked: 13.
>>>> Request ID '20190915043246':
>>>>         status: NEED_KEY_PAIR
>>>>         stuck: no
>>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
>>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
>>>>         issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>         subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>         expires: 2037-12-31 23:59:59 UTC
>>>>         key usage: keyCertSign,cRLSign
>>>>         pre-save command:
>>>>         post-save command:
>>>>         track: yes
>>>>         auto-renew: yes
>>>
>>> No need to track this one. You'd have no way of renewing it anyway.
>>>
>>>> Request ID '20190915043304':
>>>>         status: NEED_KEY_PAIR
>>>>         stuck: no
>>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',pin set
>>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
>>>>         issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>         subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>         expires: 2031-05-03 07:00:00 UTC
>>>>         key usage: keyCertSign,cRLSign
>>>>         pre-save command:
>>>>         post-save command:
>>>>         track: yes
>>>>         auto-renew: yes
>>>
>>> No need to track this one.
>>>
>>>> Request ID '20190915045112':
>>>>         status: NEED_KEY_PAIR
>>>>         stuck: no
>>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',token='NSS Certificate DB'
>>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>         subject: CN=Certificate Authority,O=EXAMPLE.COM
>>>>         expires: 2037-01-05 14:47:24 UTC
>>>>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>>         pre-save command:
>>>>         post-save command:
>>>>         track: yes
>>>>         auto-renew: yes
>>>
>>> You don't need to track the CA cert here.
>>>
>>>> Request ID '20190915045148':
>>>>         status: NEED_KEY_PAIR
>>>>         stuck: no
>>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS Certificate DB'
>>>>         issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>         subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>         expires: 2037-12-31 23:59:59 UTC
>>>>         key usage: keyCertSign,cRLSign
>>>>         pre-save command:
>>>>         post-save command:
>>>>         track: yes
>>>>         auto-renew: yes
>>>
>>> Same, stop the tracking.
>>>
>>>> Request ID '20190915045156':
>>>>         status: NEED_CA
>>>>         stuck: yes
>>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
>>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>         subject: CN=Object Signing Cert,O=EXAMPLE.COM
>>>>         expires: 2021-01-05 14:49:59 UTC
>>>>         key usage: digitalSignature,keyCertSign
>>>>         pre-save command:
>>>>         post-save command:
>>>>         track: yes
>>>>         auto-renew: yes
>>>
>>> This one too.
>>>
>>>> Request ID '20190915045206':
>>>>         status: NEED_KEY_PAIR
>>>>         stuck: no
>>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
>>>>         issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>         subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>         expires: 2031-05-03 07:00:00 UTC
>>>>         key usage: keyCertSign,cRLSign
>>>>         pre-save command:
>>>>         post-save command:
>>>>         track: yes
>>>>         auto-renew: yes
>>>
>>> And this, stop tracking.
>>>
>>>> Request ID '20190926141756':
>>>>         status: MONITORING
>>>>         stuck: no
>>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>         CA: dogtag-ipa-ca-renew-agent
>>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>         subject: CN=CA Audit,O=EXAMPLE.COM
>>>>         expires: 2020-11-17 18:32:07 UTC
>>>>         key usage: digitalSignature,nonRepudiation
>>>>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>>>         track: yes
>>>>         auto-renew: yes
>>>> Request ID '20190926141757':
>>>>         status: MONITORING
>>>>         stuck: no
>>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>         CA: dogtag-ipa-ca-renew-agent
>>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>         subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>>>>         expires: 2020-11-17 18:31:26 UTC
>>>>         eku: id-kp-OCSPSigning
>>>>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>>>         track: yes
>>>>         auto-renew: yes
>>>> Request ID '20190926141758':
>>>>         status: MONITORING
>>>>         stuck: no
>>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>>         CA: dogtag-ipa-ca-renew-agent
>>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>         subject: CN=CA Subsystem,O=EXAMPLE.COM
>>>>         expires: 2020-11-17 18:31:16 UTC
>>>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>>>         track: yes
>>>>         auto-renew: yes
>>>> Request ID '20190926141759':
>>>>         status: MONITORING
>>>>         stuck: no
>>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>         CA: dogtag-ipa-ca-renew-agent
>>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>         subject: CN=Certificate Authority,O=EXAMPLE.COM
>>>>         expires: 2037-01-05 14:47:24 UTC
>>>>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>>>>         track:
yes >>>> auto-renew: yes >>>> Request ID '20190926141800': >>>> status: MONITORING >>>> stuck: no >>>> key pair storage: >>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >>>> Certificate DB' >>>> CA: dogtag-ipa-ca-renew-agent >>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>> subject: CN=IPA RA,O=EXAMPLE.COM >>>> expires: 2020-11-17 18:31:36 UTC >>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >>>> eku: id-kp-serverAuth,id-kp-clientAuth >>>> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre >>>> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert >>>> track: yes >>>> auto-renew: yes >>>> Request ID '20190926141801': >>>> status: MONITORING >>>> stuck: no >>>> key pair storage: >>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert >>>> cert-pki-ca',token='NSS Certificate DB',pin set >>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert >>>> cert-pki-ca',token='NSS Certificate DB' >>>> CA: dogtag-ipa-renew-agent >>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>> subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM >>>> expires: 2020-11-17 18:30:29 UTC >>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >>>> eku: id-kp-serverAuth,id-kp-clientAuth >>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert >>>> "Server-Cert cert-pki-ca" >>>> track: yes >>>> auto-renew: yes >>>> Request ID '20190926141802': >>>> status: CA_UNCONFIGURED >>>> ca-error: Unable to determine principal name for signing request. 
>>>> stuck: yes >>>> key pair storage: >>>> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS >>>> Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt' >>>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert' >>>> CA: IPA >>>> issuer: >>>> subject: >>>> expires: unknown >>>> pre-save command: >>>> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM >>>> track: yes >>>> auto-renew: yes >>> >>> The tracking on this one is wrong and since you don't have Server-Cert >>> anyway, just stop tracking this one. >>> >>> rob >>>> >>>> On Thu, Sep 26, 2019 at 10:31 AM Rob Crittenden rcritten@redhat.com wrote: >>>>> >>>>> Satish Patel wrote: >>>>>> Addition to last email: >>>>>> >>>>>> I can't see Server-Cert here but interesting thing i can see >>>>>> Server-Cert in my CA replica node on ldap-2 (why my primary >>>>>> ldap-ca-master not showing that cert?) >>>>>> >>>>>> [root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L >>>>>> >>>>>> Certificate Nickname Trust Attributes >>>>>> SSL,S/MIME,JAR/XPI >>>>>> >>>>>> EXAMPLE.COM IPA CA CT,C,C >>>>>> Godaddy C,, >>>>>> CN=*.foo.example.com,OU=Domain Control Validated u,u,u >>>>>> Godaddy Intermediate C,, >>>>> >>>>> At some point someone replaced the IPA-signed LDAP certificate with one >>>>> signed by GoDaddy (which is fine). >>>>> >>>>> It appears that the version of IPA you're using (at least) doesn't >>>>> handle this case. >>>>> >>>>> Now, fortunately it's one of the last things done so this may be just fine. >>>>> >>>>> Can you see if your web server cert was also replaced? The database is >>>>> /etc/httpd/alias. >>>>> >>>>> Also, check your current tracking. The CA subsystem certs should be >>>>> properly tracked now. It is just the LDAP and web certs that should not >>>>> be (and if it is still using GoDaddy that is fine). 
>>>>>
>>>>> rob
>>>>>
>>>>>>
>>>>>> On Thu, Sep 26, 2019 at 10:22 AM Satish Patel satish.txt@gmail.com wrote:
>>>>>>>
>>>>>>> Rob,
>>>>>>>
>>>>>>> Now I got an error and here is the output. The output was very long so I cropped it down, and here is the error piece.
>>>>>>>
>>>>>>> ipa: INFO: [Upgrading CA schema]
>>>>>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket from SchemaCache
>>>>>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x85bbf80>
>>>>>>> ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file /usr/share/pki/server/conf/schema-certProfile.ldif
>>>>>>> ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file /usr/share/pki/server/conf/schema-authority.ldif
>>>>>>> ipa.ipaserver.install.schemaupdate: DEBUG: Not updating schema
>>>>>>> ipa: INFO: CA schema update complete (no changes)
>>>>>>> ipa: INFO: [Verifying that CA audit signing cert has 2 year validity]
>>>>>>> ipa.ipaserver.install.cainstance.CAInstance: DEBUG: caSignedLogCert.cfg profile validity range is 720
>>>>>>> ipa: INFO: [Update certmonger certificate renewal configuration to version 5]
>>>>>>> ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
>>>>>>> ipa: DEBUG: Configuring certmonger to stop tracking system certificates for CA
>>>>>>> Configuring certmonger to stop tracking system certificates for CA
>>>>>>> ipa: DEBUG: Starting external process
>>>>>>> ipa: DEBUG: args=/bin/systemctl start messagebus.service
>>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>>> ipa: DEBUG: stdout=
>>>>>>> ipa: DEBUG: stderr=
>>>>>>> ipa: DEBUG: Starting external process
>>>>>>> ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
>>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>>> ipa: DEBUG: stdout=active
>>>>>>>
>>>>>>> ipa: DEBUG: stderr=
>>>>>>> ipa: DEBUG: Starting external process
>>>>>>> ipa: DEBUG: args=/bin/systemctl start certmonger.service
>>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>>> ipa: DEBUG: stdout=
>>>>>>> ipa: DEBUG: stderr=
>>>>>>> ipa: DEBUG: Starting external process
>>>>>>> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
>>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>>> ipa: DEBUG: stdout=active
>>>>>>>
>>>>>>> ipa: DEBUG: stderr=
>>>>>>> ipa: DEBUG: Starting external process
>>>>>>> ipa: DEBUG: args=/bin/systemctl stop certmonger.service
>>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>>> ipa: DEBUG: stdout=
>>>>>>> ipa: DEBUG: stderr=
>>>>>>> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
>>>>>>> ipa: DEBUG: Starting external process
>>>>>>> ipa: DEBUG: args=/bin/systemctl start certmonger.service
>>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>>> ipa: DEBUG: stdout=
>>>>>>> ipa: DEBUG: stderr=
>>>>>>> ipa: DEBUG: Starting external process
>>>>>>> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
>>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>>> ipa: DEBUG: stdout=active
>>>>>>>
>>>>>>> ipa: DEBUG: stderr=
>>>>>>> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
>>>>>>> ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
>>>>>>> ipa: DEBUG: Starting external process
>>>>>>> ipa: DEBUG: args=/bin/systemctl enable certmonger.service
>>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>>> ipa: DEBUG: stdout=
>>>>>>> ipa: DEBUG: stderr=
>>>>>>> ipa: DEBUG: Starting external process
>>>>>>> ipa: DEBUG: args=/bin/systemctl start messagebus.service
>>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>>> ipa: DEBUG: stdout=
>>>>>>> ipa: DEBUG: stderr=
>>>>>>> ipa: DEBUG: Starting external process
>>>>>>> ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
>>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>>> ipa: DEBUG: stdout=active
>>>>>>>
>>>>>>> ipa: DEBUG: stderr=
>>>>>>> ipa: DEBUG: Starting external process
>>>>>>> ipa: DEBUG: args=/bin/systemctl start certmonger.service
>>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>>> ipa: DEBUG: stdout=
>>>>>>> ipa: DEBUG: stderr=
>>>>>>> ipa: DEBUG: Starting external process
>>>>>>> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
>>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>>> ipa: DEBUG: stdout=active
>>>>>>>
>>>>>>> ipa: DEBUG: stderr=
>>>>>>> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
>>>>>>> ipa: DEBUG: Starting external process
>>>>>>> ipa: DEBUG: args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM -L -n Server-Cert -a
>>>>>>> ipa: DEBUG: Process finished, return code=255
>>>>>>> ipa: DEBUG: stdout=
>>>>>>> ipa: DEBUG: stderr=certutil: Could not find cert: Server-Cert
>>>>>>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>>>>>>
>>>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>>>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>>>>>>> return_value = self.run()
>>>>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
>>>>>>> server.upgrade()
>>>>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1863, in upgrade
>>>>>>> upgrade_configuration()
>>>>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1769, in upgrade_configuration
>>>>>>> certificate_renewal_update(ca, ds, http),
>>>>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1027, in certificate_renewal_update
>>>>>>> ds.start_tracking_certificates(serverid)
>>>>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 983, in start_tracking_certificates
>>>>>>> 'restart_dirsrv %s' % serverid)
>>>>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 307, in track_server_cert
>>>>>>> nsscert = x509.load_certificate(cert, dbdir=self.secdir)
>>>>>>> File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 125, in load_certificate
>>>>>>> return nss.Certificate(buffer(data)) # pylint: disable=buffer-builtin
>>>>>>>
>>>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The ipa-server-upgrade command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>>>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: Unexpected error - see /var/log/ipaupgrade.log for details: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>>>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
>>>>>>>
>>>>>>> On Thu, Sep 26, 2019 at 9:39 AM Rob Crittenden rcritten@redhat.com wrote:
>>>>>>>>
>>>>>>>> Satish Patel wrote:
>>>>>>>>> I am running "ipa-server-4.4.0-14.el7.centos.4.x86_64"
>>>>>>>>
>>>>>>>> Ok, that explains what is happening.
>>>>>>>>
>>>>>>>> Edit /var/lib/ipa/sysupgrade/sysupgrade.state and find the [dogtag] section. Remove the entry for certificate_renewal_update_5.
>>>>>>>>
>>>>>>>> This being present is preventing the tracking from being repaired.
>>>>>>>>
>>>>>>>> Then run ipa-server-upgrade again and your tracking should be fixed.
>>>>>>>>
>>>>>>>> Use the -v flag for additional debugging, not --debug, I was mistaken.
>>>>>>>>
>>>>>>>> rob
>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Wed, Sep 25, 2019 at 5:13 PM Rob Crittenden rcritten@redhat.com wrote:
>>>>>>>>>>
>>>>>>>>>> Satish Patel via FreeIPA-users wrote:
>>>>>>>>>>> I did run "ipa-server-upgrade" and it looks like it was successful, but getcert list is still showing CA_NEED :(
>>>>>>>>>>
>>>>>>>>>> Remind me what the package version of IPA is. I'm confused by the version 5 in the output about renewal configuration.
>>>>>>>>>>
>>>>>>>>>> You might also want to try running with --debug as depending on release it will give more information about this.
>>>>>>>>>>
>>>>>>>>>> rob
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> [root@ldap-ca-master ~]# ipa-server-upgrade
>>>>>>>>>>> Upgrading IPA:
>>>>>>>>>>> [1/10]: stopping directory server
>>>>>>>>>>> [2/10]: saving configuration
>>>>>>>>>>> [3/10]: disabling listeners
>>>>>>>>>>> [4/10]: enabling DS global lock
>>>>>>>>>>> [5/10]: starting directory server
>>>>>>>>>>> [6/10]: updating schema
>>>>>>>>>>> [7/10]: upgrading server
>>>>>>>>>>> [8/10]: stopping directory server
>>>>>>>>>>> [9/10]: restoring configuration
>>>>>>>>>>> [10/10]: starting directory server
>>>>>>>>>>> Done.
>>>>>>>>>>> Update complete
>>>>>>>>>>> Upgrading IPA services
>>>>>>>>>>> Upgrading the configuration of the IPA services
>>>>>>>>>>> [Verifying that root certificate is published]
>>>>>>>>>>> [Migrate CRL publish directory]
>>>>>>>>>>> CRL tree already moved
>>>>>>>>>>> /etc/dirsrv/slapd-EXAMPLE-COM/certmap.conf is now managed by IPA. It will be overwritten. A backup of the original will be made.
>>>>>>>>>>> [Verifying that CA proxy configuration is correct]
>>>>>>>>>>> [Verifying that KDC configuration is using ipa-kdb backend]
>>>>>>>>>>> [Fix DS schema file syntax]
>>>>>>>>>>> Syntax already fixed
>>>>>>>>>>> [Removing RA cert from DS NSS database]
>>>>>>>>>>> RA cert already removed
>>>>>>>>>>> [Enable sidgen and extdom plugins by default]
>>>>>>>>>>> [Updating HTTPD service IPA configuration]
>>>>>>>>>>> [Updating mod_nss protocol versions]
>>>>>>>>>>> Protocol versions already updated
>>>>>>>>>>> [Updating mod_nss cipher suite]
>>>>>>>>>>> [Fixing trust flags in /etc/httpd/alias]
>>>>>>>>>>> Trust flags already processed
>>>>>>>>>>> [Exporting KRA agent PEM file]
>>>>>>>>>>> KRA is not enabled
>>>>>>>>>>> [Removing self-signed CA]
>>>>>>>>>>> [Removing Dogtag 9 CA]
>>>>>>>>>>> [Checking for deprecated KDC configuration files]
>>>>>>>>>>> [Checking for deprecated backups of Samba configuration files]
>>>>>>>>>>> [Setting up Firefox extension]
>>>>>>>>>>> [Add missing CA DNS records]
>>>>>>>>>>> IPA CA DNS records already processed
>>>>>>>>>>> [Removing deprecated DNS configuration options]
>>>>>>>>>>> DNS is not configured
>>>>>>>>>>> [Ensuring minimal number of connections]
>>>>>>>>>>> DNS is not configured
>>>>>>>>>>> [Enabling serial autoincrement in DNS]
>>>>>>>>>>> DNS is not configured
>>>>>>>>>>> [Updating GSSAPI configuration in DNS]
>>>>>>>>>>> DNS is not configured
>>>>>>>>>>> [Updating pid-file configuration in DNS]
>>>>>>>>>>> DNS is not configured
>>>>>>>>>>> DNS is not configured
>>>>>>>>>>> DNS is not configured
>>>>>>>>>>> DNS is not configured
>>>>>>>>>>> DNS is not configured
>>>>>>>>>>> DNS is not configured
>>>>>>>>>>> DNS is not configured
>>>>>>>>>>> DNS is not configured
>>>>>>>>>>> [Upgrading CA schema]
>>>>>>>>>>> CA schema update complete (no changes)
>>>>>>>>>>> [Verifying that CA audit signing cert has 2 year validity]
>>>>>>>>>>> [Update certmonger certificate renewal configuration to version 5]
>>>>>>>>>>> [Enable PKIX certificate path discovery and validation]
>>>>>>>>>>> PKIX already enabled
>>>>>>>>>>> [Authorizing RA Agent to modify profiles]
>>>>>>>>>>> [Authorizing RA Agent to manage lightweight CAs]
>>>>>>>>>>> [Ensuring Lightweight CAs container exists in Dogtag database]
>>>>>>>>>>> [Adding default OCSP URI configuration]
>>>>>>>>>>> [Ensuring CA is using LDAPProfileSubsystem]
>>>>>>>>>>> [Migrating certificate profiles to LDAP]
>>>>>>>>>>> [Ensuring presence of included profiles]
>>>>>>>>>>> [Add default CA ACL]
>>>>>>>>>>> Default CA ACL already added
>>>>>>>>>>> [Set up lightweight CA key retrieval]
>>>>>>>>>>> Creating principal
>>>>>>>>>>> Retrieving keytab
>>>>>>>>>>> Creating Custodia keys
>>>>>>>>>>> Configuring key retriever
>>>>>>>>>>> The IPA services were upgraded
>>>>>>>>>>> The ipa-server-upgrade command was successful
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> [root@ldap-ca-master ~]# getcert list | grep status
>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Sep 24, 2019 at 3:55 AM Florence Blanc-Renaud flo@redhat.com wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> On 9/23/19 4:10 PM, Satish Patel via FreeIPA-users wrote:
>>>>>>>>>>>>> Thanks Florence,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Is it safe to run "ipa-server-upgrade"?
>>>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>> generally yes :)
>>>>>>>>>>>>
>>>>>>>>>>>> We had a few tickets related to upgrade but they are mainly revealing already present issues (for instance because this CLI stops and starts the services, expired certs would prevent successful completion).
>>>>>>>>>>>>
>>>>>>>>>>>>> Do I need to provide any option with the "ipa-server-upgrade" command? I believe a few months back when I tried to do "ipa-server-upgrade" it broke some stuff, but anyway I will take a snapshot of the VM and try; worst case scenario.
>>>>>>>>>>>> With the VM snapshot you are on the safe side.
>>>>>>>>>>>>
>>>>>>>>>>>> flo
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Mon, Sep 23, 2019 at 2:25 AM Florence Blanc-Renaud flo@redhat.com wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 9/21/19 7:41 PM, Satish Patel via FreeIPA-users wrote:
>>>>>>>>>>>>>>> Any thoughts?
>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>> if you run ipa-server-upgrade on this node, the command will fix the tracking of certs. You should see in the output:
>>>>>>>>>>>>>> [Update certmonger certificate renewal configuration]
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> HTH,
>>>>>>>>>>>>>> flo
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Sent from my iPhone
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Sep 20, 2019, at 11:35 AM, Satish Patel satish.txt@gmail.com wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Rob, sorry, I trimmed my output because I thought it was not necessary, but anyway here is the full list (ignore the CAPS letters in the output)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> [root@ldap-ca-master ~]# getcert list
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Number of certificates and requests being tracked: 12.
>>>>>>>>>>>>>>>> Request ID '20190915042927':
>>>>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>>>> subject: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>>>> expires: 2037-01-05 14:47:24 UTC
>>>>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>> Request ID '20190915043150':
>>>>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>>>> subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
>>>>>>>>>>>>>>>> expires: 2020-11-17 18:30:29 UTC
>>>>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>>>>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>> Request ID '20190915043212':
>>>>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>>>> subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>>>>>>>>>>>>>>>> expires: 2020-11-17 18:31:26 UTC
>>>>>>>>>>>>>>>> eku: id-kp-OCSPSigning
>>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>> Request ID '20190915043224':
>>>>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>>>> subject: CN=CA Audit,O=EXAMPLE.COM
>>>>>>>>>>>>>>>> expires: 2020-11-17 18:32:07 UTC
>>>>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation
>>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>> Request ID '20190915043237':
>>>>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>>>> subject: CN=CA Subsystem,O=EXAMPLE.COM
>>>>>>>>>>>>>>>> expires: 2020-11-17 18:31:16 UTC
>>>>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>>>>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>> Request ID '20190915043246':
>>>>>>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>>>>>>> stuck: no
>>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
>>>>>>>>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>>>>> subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>>>>> expires: 2037-12-31 23:59:59 UTC
>>>>>>>>>>>>>>>> key usage: keyCertSign,cRLSign
>>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>> Request ID '20190915043304':
>>>>>>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>>>>>>> stuck: no
>>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',pin set
>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
>>>>>>>>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>>>>> subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>>>>> expires: 2031-05-03 07:00:00 UTC
>>>>>>>>>>>>>>>> key usage: keyCertSign,cRLSign
>>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>> Request ID '20190915045112':
>>>>>>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>>>>>>> stuck: no
>>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',token='NSS Certificate DB'
>>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>>>> subject: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>>>> expires: 2037-01-05 14:47:24 UTC
>>>>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>> Request ID '20190915045148':
>>>>>>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>>>>>>> stuck: no
>>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS Certificate DB'
>>>>>>>>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>>>>> subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>>>>> expires: 2037-12-31 23:59:59 UTC
>>>>>>>>>>>>>>>> key usage: keyCertSign,cRLSign
>>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>> Request ID '20190915045156':
>>>>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
>>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>>>> subject: CN=Object Signing Cert,O=EXAMPLE.COM
>>>>>>>>>>>>>>>> expires: 2021-01-05 14:49:59 UTC
>>>>>>>>>>>>>>>> key usage: digitalSignature,keyCertSign
>>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>> Request ID '20190915045206':
>>>>>>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>>>>>>> stuck: no
>>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
>>>>>>>>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>>>>> subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>>>>> expires: 2031-05-03 07:00:00 UTC
>>>>>>>>>>>>>>>> key usage: keyCertSign,cRLSign
>>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>> Request ID '20190915045216':
>>>>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>>>> subject: CN=IPA RA,O=EXAMPLE.COM
>>>>>>>>>>>>>>>> expires: 2020-11-17 18:31:36 UTC
>>>>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>>>>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Fri, Sep 20, 2019 at 10:58 AM Rob Crittenden rcritten@redhat.com wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Satish Patel via FreeIPA-users wrote:
>>>>>>>>>>>>>>>>>> Few days ago my Master CA was messed up and getcert list was showing an empty list (no cert to track)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> So I ran the following command to add certs manually:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'ocspSigningCert cert-pki-ca' -P XXXXXXX
>>>>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n
>>>>>>>>>>>>>>>>>>
'auditSigningCert cert-pki-ca' -P XXXXXXX >>>>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'subsystemCert >>>>>>>>>>>>>>>>>> cert-pki-ca' -P XXXXXXX >>>>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy' -P XXXXXXX >>>>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy >>>>>>>>>>>>>>>>>> Intermediate' -P XXXXXXX >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> And after that i am seeing this status (status: NEED_CA ) it should >>>>>>>>>>>>>>>>>> be MONITORING right? >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> # getcert list >>>>>>>>>>>>>>>>>> Number of certificates and requests being tracked: 12. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> You setup the tracking wrong. Your output only shows 3 certs and yet >>>>>>>>>>>>>>>>> certmonger thinks it has 12. Where are the other 9? >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> rob >>>>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org >>>>>>>>>>>>>>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org >>>>>>>>>>>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>>>>>>>>>>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>>>>>>>>>>>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org >>>>>>>>>>>>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org >>>>>>>>>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>>>>>>>>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>>>>>>>>>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... 
>>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> _______________________________________________ >>>>>>>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org >>>>>>>>>>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org >>>>>>>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>>>>>>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>>>>>>>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... >>>>>>>>>>> >>>>>>>>>> >>>>>>>> >>>>> >>>> _______________________________________________ >>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org >>>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org >>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... >>>> >>> >
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Rob,
I have installed a brand new fresh OS and installed a new CA on it and changed its role to renewal master.
I am going to shut down the old CA master; are there any specific steps to decommission the server, or do I just remove it from all replicas and shut it down?
On Fri, Sep 27, 2019 at 12:13 PM Satish Patel satish.txt@gmail.com wrote:
Ok, thanks for the clarification. I will create a brand new CA Master and retire the older version.
On Fri, Sep 27, 2019 at 12:02 PM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel via FreeIPA-users wrote:
Can I upgrade my existing 4.4.x ldap-ca-master with the "ipa-server-upgrade" command?
No, update the distribution/packages so it is the same level as the other master(s).
The IPA team recommends running all the IPA masters at the same level. There are sometimes subtle differences between different versions and, while they can interoperate ok, it isn't recommended to keep this type of configuration for too long.
Currently I have the following CA master versions:
ldap-ca-master - 4.4.x (renewal master)
ldap-ca-replica - 4.6.x
Or
I can do one thing: create a fresh machine, make it one more CA replica and destroy the older ldap-ca-master - 4.4.x
That is certainly one way of achieving it.
rob
On Fri, Sep 27, 2019 at 11:23 AM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel wrote:
Rob,
Last question: when does certmonger renew all certificates automatically, I meant 24 hours before? Just want to make sure it does, otherwise I will be in trouble again :)
It should. I'd work on upgrading all the masters to run the same version of IPA once you're sure things are working and you have a working second CA master.
The renewal happens by default 28 days before expiration.
Also be sure that one of the masters is defined as the CA renewal master in ipa config-show.
rob
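To check a `getcert list` dump the way this thread does by hand (requests that are stuck or not MONITORING, entries with no CA that certmonger could never renew, certificates inside the 28-day renewal window Rob mentions, and the master-versus-replica difference discussed further down the thread), here is an added Python example. It is not code from this thread, from certmonger or from FreeIPA; the two sample listings are constructed from records posted in the thread, and the `as of` dates passed to `audit` are assumptions chosen to exercise the checks.

```python
# Added example (not code from this thread, certmonger or FreeIPA): parse the
# text `getcert list` prints, flag requests an IPA admin has to act on, and
# compare what a master tracks with a replica. Listings are constructed here.
import re
from datetime import datetime, timedelta, timezone

RENEW_WINDOW = timedelta(days=28)   # certmonger renews IPA certs 28 days early
FIELD = re.compile(r"^([A-Za-z][A-Za-z /-]*):(?:\s+|$)(.*)$")

def parse_getcert_list(text):
    """One dict per 'Request ID' block; values wrapped by a mailer are re-joined."""
    records, current, last_key = [], None, None
    for line in (ln.strip() for ln in text.splitlines()):
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            records.append(current)
            continue
        if current is None or not line:
            continue
        m = FIELD.match(line)
        if m:
            last_key = m.group(1)
            current[last_key] = m.group(2).strip()
        elif last_key:                  # continuation of a long DN or path
            current[last_key] += " " + line
    return records

def audit(records, today):
    """Map request id -> problems as of 'YYYY-MM-DD'; healthy entries left out."""
    now = datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    findings = {}
    for r in records:
        problems = []
        if r.get("status") != "MONITORING":
            problems.append("status " + r.get("status", "?"))
        if r.get("stuck") == "yes":
            problems.append("stuck")
        if not r.get("CA"):             # e.g. a Godaddy root: nothing renews it
            problems.append("no CA configured, certmonger cannot renew it")
        if "expires" in r:
            exp = datetime.strptime(r["expires"].replace(" UTC", ""),
                                    "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            if exp < now:
                problems.append("expired")
            elif exp - now <= RENEW_WINDOW:
                problems.append("inside the %d-day renewal window" % RENEW_WINDOW.days)
        if problems:
            findings[r["request_id"]] = problems
    return findings

def tracking_key(record):
    """(location, nickname) identifies a tracked cert independent of request id."""
    cert = record.get("certificate", "")
    loc, nick = re.search(r"location='([^']+)'", cert), re.search(r"nickname='([^']+)'", cert)
    return (loc.group(1) if loc else cert, nick.group(1) if nick else None)

def compare_tracking(master, replica):
    """What each host tracks that the other does not (server certs are per host)."""
    m, s = {tracking_key(r) for r in master}, {tracking_key(r) for r in replica}
    return {"only_on_master": sorted(m - s, key=str), "only_on_replica": sorted(s - m, key=str)}

# Constructed sample: three of the master's records from the thread.
MASTER_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20190915043246':
        status: NEED_KEY_PAIR
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
        issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com,
        Inc.",L=Scottsdale,ST=Arizona,C=US
        expires: 2037-12-31 23:59:59 UTC
Request ID '20190915045156':
        status: NEED_CA
        stuck: yes
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
        expires: 2021-01-05 14:49:59 UTC
Request ID '20190927010638':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        expires: 2021-09-27 01:06:39 UTC
"""

# Constructed sample: two of the replica's records from the thread.
REPLICA_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20190918205232':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        expires: 2021-09-18 20:52:32 UTC
Request ID '20190918210008':
        status: MONITORING
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: SelfSign
        expires: 2020-09-18 21:00:08 UTC
"""
```

`audit(parse_getcert_list(MASTER_LIST), "2019-09-27")` reports the Godaddy root (not MONITORING, no CA) and the stuck Signing-Cert, and leaves the IPA-issued Server-Cert alone; run against the replica listing with a later date it flags the KDC certificate once it is inside the renewal window and then once it has expired. `compare_tracking` keys on (location, nickname) rather than on request IDs, since those differ per host, so a per-host server cert that both track shows up on neither side of the difference.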
Done, I did that change and restarted httpd. I believe now all my issues have been fixed. Thank you so much for your support.
[root@ldap-ca-master conf.d]# grep "NSSNickname" /etc/httpd/conf.d/nss.conf
NSSNickname Server-Cert
On Fri, Sep 27, 2019 at 8:41 AM Rob Crittenden rcritten@redhat.com wrote:
Satish Patel wrote:
> Rob,
>
> As you suggested I did the following (it required a password so I used -P <PIN>):
>
> # ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/ldap-ca-master.example.com -C /usr/libexec/ipa/certmonger/restart_httpd -D ldap-ca-master.example.com -P 9e8c1a9447d56236733f
>
> # ipa-getcert request -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert -K ldap/ldap-ca-master.example.com -C "/usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE.COM" -D ldap-ca-master.example.com -P 013fcd26f4dfa18c4d1bcaac0dbac44f3ad75698
>
> # certutil -V -u V -d /etc/httpd/alias -n Server-Cert
> certutil: certificate is valid
> # certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert
> certutil: certificate is valid
>
>>>>> If so then you can swap the config to use them. Edit /etc/httpd/conf.d/nss.conf and replace the NSSNickname value with Server-Cert and restart httpd
>
> Do I need to edit the above nss.conf file?
>
> Currently I have the following NSSNickname in the file.
>
> # grep "NSSNickname" /etc/httpd/conf.d/nss.conf
> NSSNickname "CN=*.foo.example.com,OU=Domain Control Validated"
Yes.
> Here is the full output of getcert list (do you think it's looking good? I compared with the Replica and I can see the Master has 2 fewer certs compared to the Replica; hope that is ok).
Due to the difference in versions of IPA. This looks ok for a version 4.4.x master.
rob
>
> # getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20190926141756':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=CA Audit,O=EXAMPLE.COM
>         expires: 2020-11-17 18:32:07 UTC
>         key usage: digitalSignature,nonRepudiation
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20190926141757':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>         expires: 2020-11-17 18:31:26 UTC
>         eku: id-kp-OCSPSigning
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20190926141758':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=CA Subsystem,O=EXAMPLE.COM
>         expires: 2020-11-17 18:31:16 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20190926141759':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=Certificate Authority,O=EXAMPLE.COM
>         expires: 2037-01-05 14:47:24 UTC
>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20190926141800':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=IPA RA,O=EXAMPLE.COM
>         expires: 2020-11-17 18:31:36 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>         post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>         track: yes
>         auto-renew: yes
> Request ID '20190926141801':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
>         expires: 2020-11-17 18:30:29 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20190927010638':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=ldap-ca-master.foo.example.com,O=EXAMPLE.COM
>         expires: 2021-09-27 01:06:39 UTC
>         dns: ldap-ca-master.foo.EXAMPLE.com
>         principal name: HTTP/ldap-ca-master.foo.EXAMPLE.com@EXAMPLE.COM
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>         track: yes
>         auto-renew: yes
> Request ID '20190927011037':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=ldap-ca-master.foo.example.com,O=EXAMPLE.COM
>         expires: 2021-09-27 01:10:38 UTC
>         dns: ldap-ca-master.foo.EXAMPLE.com
>         principal name: ldap/ldap-ca-master.foo.example.com@EXAMPLE.COM
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE.COM
>         track: yes
>         auto-renew: yes
>
> On Thu, Sep 26, 2019 at 2:52 PM Rob Crittenden rcritten@redhat.com wrote:
>>
>> Satish Patel wrote:
>>> Rob,
>>>
>>> I got your point and I will remove all Godaddy certs, but I wanted to say one thing: if I look into the ldap-ca-replica server, which is the other server, I can see Server-Cert. Is there a way I can sync all these replica certs with the master and fix them?
>>
>> These certs are master-specific. ldap-ca-replica is using IPA-issued server certificates and the other is using Godaddy-issued certificates.
>>
>> It's possible to issue certificates using the IPA CA to replace these Godaddy certs but I guess I'd check to be sure that's what you really want to do. Most people do this kind of replacement so they don't need to distribute the IPA CA to non-IPA-enrolled systems so they can do self-service management.
>>
>> Roughly speaking, you'd do something like this:
>>
>> # ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/<hostname> -C /usr/libexec/ipa/certmonger/restart_httpd -D <hostname>
>> # ipa-getcert request -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert -K ldap/<hostname> -C "/usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM" -D <hostname>
>>
>> That will issue the new certs and set them up for tracking.
>>
>> You can verify that they will work with:
>>
>> # certutil -V -u V -d <database> -n Server-Cert
>>
>> Both should return 'certificate is valid'
>>
>> If so then you can swap the config to use them. Edit /etc/httpd/conf.d/nss.conf and replace the NSSNickname value with Server-Cert and restart httpd
>>
>> For 389-ds:
>>
>> # ldapmodify -x -D 'cn=directory manager' -W
>> dn: cn=RSA,cn=encryption,cn=config
>> changetype: modify
>> replace: nsSSLPersonalitySSL
>> nsSSLPersonalitySSL: Server-Cert
>> <blank line>
>> ^D
>>
>> Then restart 389-ds-base, or do both then run ipactl restart
>>
>> The old certs will still exist in the NSS databases so you can always switch them back if you need to.
>>
>> rob
>>
>>>
>>> This is the replica node output; looks like the replica is very clean..
>>>
>>> [root@ldap-ca-replica ~]# getcert list
>>> Number of certificates and requests being tracked: 10.
>>> Request ID '20190918205044':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host',token='NSS Certificate DB',pinfile='/etc/ipa/nssdb/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host',token='NSS Certificate DB'
>>>         CA: IPA
>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>         subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
>>>         expires: 2021-09-18 20:50:45 UTC
>>>         dns: ldap-ca-replica.foo.EXAMPLE.com
>>>         principal name: host/ldap-ca-replica.foo.EXAMPLE.com@EXAMPLE.COM
>>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20190918205212':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
>>>         CA: IPA
>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>         subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
>>>         expires: 2021-09-18 20:52:12 UTC
>>>         dns: ldap-ca-replica.foo.EXAMPLE.com
>>>         principal name: ldap/ldap-ca-replica.foo.EXAMPLE.com@EXAMPLE.COM
>>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20190918205232':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>         CA: IPA
>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>         subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
>>>         expires: 2021-09-18 20:52:32 UTC
>>>         dns: ldap-ca-replica.foo.EXAMPLE.com
>>>         principal name: HTTP/ldap-ca-replica.foo.EXAMPLE.com@EXAMPLE.COM
>>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20190918205418':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>>>         certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>>>         CA: dogtag-ipa-ca-renew-agent
>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>         subject: CN=IPA RA,O=EXAMPLE.COM
>>>         expires: 2020-11-17 18:31:36 UTC
>>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>>         post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20190918205431':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-ca-renew-agent
>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>         subject: CN=CA Audit,O=EXAMPLE.COM
>>>         expires: 2020-11-17 18:32:07 UTC
>>>         key usage: digitalSignature,nonRepudiation
>>>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20190918205432':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-ca-renew-agent
>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>         subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>>>         expires: 2020-11-17 18:31:26 UTC
>>>         eku: id-kp-OCSPSigning
>>>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20190918205433':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-ca-renew-agent
>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>         subject: CN=CA Subsystem,O=EXAMPLE.COM
>>>         expires: 2020-11-17 18:31:16 UTC
>>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20190918205434':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-ca-renew-agent
>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>         subject: CN=Certificate Authority,O=EXAMPLE.COM
>>>         expires: 2037-01-05 14:47:24 UTC
>>>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20190918205435':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-ca-renew-agent
>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>         subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
>>>         expires: 2021-09-07 20:54:00 UTC
>>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>         eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>>>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20190918210008':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
>>>         certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
>>>         CA: SelfSign
>>>         issuer: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
>>>         subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
>>>         expires: 2020-09-18 21:00:08 UTC
>>>         principal name: krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>>         certificate template/profile: KDCs_PKINIT_Certs
>>>         pre-save command:
>>>         post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
>>>         track: yes
>>>         auto-renew: yes
>>>
>>> On Thu, Sep 26, 2019 at 1:35 PM Rob Crittenden rcritten@redhat.com wrote:
>>>>
>>>> Satish Patel via FreeIPA-users wrote:
>>>>> Rob,
>>>>>
>>>>> Here are the web certs
>>>>>
>>>>> [root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/httpd/alias -L
>>>>>
>>>>> Certificate Nickname                                    Trust Attributes
>>>>>                                                         SSL,S/MIME,JAR/XPI
>>>>>
>>>>> EXAMPLE.COM IPA CA                                      CT,C,C
>>>>> Godaddy                                                 C,,
>>>>> CN=*.foo.example.com,OU=Domain Control Validated        u,u,u
>>>>> Signing-Cert                                            u,u,u
>>>>> Godaddy Intermediate                                    C,,
>>>>> ipaCert                                                 u,u,u
>>>>
>>>> Ok, good. Also using a Godaddy cert.
>>>>
>>>>> Here is the full output of getcert and I can see some certs showing MONITORING
>>>>
>>>> Ok. I've annotated each cert you should stop tracking. It looks like the CA subsystem certs are ok.
>>>>
>>>> You will need to watch the Godaddy certs yourself and manually renew when the time comes. certmonger has no way to renew those.
>>>>
>>>> To stop tracking these run: getcert stop-tracking -i <request_id>
>>>>
>>>>>
>>>>> [root@ldap-ca-master ~]# getcert list
>>>>> Number of certificates and requests being tracked: 13.
>>>>> Request ID '20190915043246': >>>>> status: NEED_KEY_PAIR >>>>> stuck: no >>>>> key pair storage: >>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin >>>>> set >>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS >>>>> Certificate DB' >>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, >>>>> Inc.",L=Scottsdale,ST=Arizona,C=US >>>>> subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, >>>>> Inc.",L=Scottsdale,ST=Arizona,C=US >>>>> expires: 2037-12-31 23:59:59 UTC >>>>> key usage: keyCertSign,cRLSign >>>>> pre-save command: >>>>> post-save command: >>>>> track: yes >>>>> auto-renew: yes >>>> >>>> No need to track this one. You'd have no way of renewing it anyway. >>>> >>>>> Request ID '20190915043304': >>>>> status: NEED_KEY_PAIR >>>>> stuck: no >>>>> key pair storage: >>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy >>>>> Intermediate',pin set >>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy >>>>> Intermediate',token='NSS Certificate DB' >>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, >>>>> Inc.",L=Scottsdale,ST=Arizona,C=US >>>>> subject: CN=Go Daddy Secure Certificate Authority - >>>>> G2,OU=http://certs.godaddy.com/repository/,O=%22GoDaddy.com, >>>>> Inc.",L=Scottsdale,ST=Arizona,C=US >>>>> expires: 2031-05-03 07:00:00 UTC >>>>> key usage: keyCertSign,cRLSign >>>>> pre-save command: >>>>> post-save command: >>>>> track: yes >>>>> auto-renew: yes >>>> >>>> No need to track this one. 
>>>> >>>>> Request ID '20190915045112': >>>>> status: NEED_KEY_PAIR >>>>> stuck: no >>>>> key pair storage: >>>>> type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA >>>>> CA',pinfile='/etc/httpd/alias/pwdfile.txt' >>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM >>>>> IPA CA',token='NSS Certificate DB' >>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>>> subject: CN=Certificate Authority,O=EXAMPLE.COM >>>>> expires: 2037-01-05 14:47:24 UTC >>>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign >>>>> pre-save command: >>>>> post-save command: >>>>> track: yes >>>>> auto-renew: yes >>>> >>>> You don't need to track the CA cert here. >>>> >>>>> Request ID '20190915045148': >>>>> status: NEED_KEY_PAIR >>>>> stuck: no >>>>> key pair storage: >>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt' >>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS >>>>> Certificate DB' >>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, >>>>> Inc.",L=Scottsdale,ST=Arizona,C=US >>>>> subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, >>>>> Inc.",L=Scottsdale,ST=Arizona,C=US >>>>> expires: 2037-12-31 23:59:59 UTC >>>>> key usage: keyCertSign,cRLSign >>>>> pre-save command: >>>>> post-save command: >>>>> track: yes >>>>> auto-renew: yes >>>> >>>> Same, stop the tracking. 
>>>> >>>>> Request ID '20190915045156': >>>>> status: NEED_CA >>>>> stuck: yes >>>>> key pair storage: >>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS >>>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS >>>>> Certificate DB' >>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM >>>>> subject: CN=Object Signing Cert,O=EXAMPLE.COM >>>>> expires: 2021-01-05 14:49:59 UTC >>>>> key usage: digitalSignature,keyCertSign >>>>> pre-save command: >>>>> post-save command: >>>>> track: yes >>>>> auto-renew: yes >>>> >>>> This one too. >>>> >>>>> Request ID '20190915045206': >>>>> status: NEED_KEY_PAIR >>>>> stuck: no >>>>> key pair storage: >>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy >>>>> Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt' >>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy >>>>> Intermediate',token='NSS Certificate DB' >>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, >>>>> Inc.",L=Scottsdale,ST=Arizona,C=US >>>>> subject: CN=Go Daddy Secure Certificate Authority - >>>>> G2,OU=http://certs.godaddy.com/repository/,O=%22GoDaddy.com, >>>>> Inc.",L=Scottsdale,ST=Arizona,C=US >>>>> expires: 2031-05-03 07:00:00 UTC >>>>> key usage: keyCertSign,cRLSign >>>>> pre-save command: >>>>> post-save command: >>>>> track: yes >>>>> auto-renew: yes >>>> >>>> And this, stop tracking. 
>>>>
>>>>> Request ID '20190926141756':
>>>>> status: MONITORING
>>>>> stuck: no
>>>>> key pair storage:
>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>>>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>>>>> cert-pki-ca',token='NSS Certificate DB'
>>>>> CA: dogtag-ipa-ca-renew-agent
>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>> subject: CN=CA Audit,O=EXAMPLE.COM
>>>>> expires: 2020-11-17 18:32:07 UTC
>>>>> key usage: digitalSignature,nonRepudiation
>>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>>>> "auditSigningCert cert-pki-ca"
>>>>> track: yes
>>>>> auto-renew: yes
>>>>> Request ID '20190926141757':
>>>>> status: MONITORING
>>>>> stuck: no
>>>>> key pair storage:
>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>>>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>>>>> cert-pki-ca',token='NSS Certificate DB'
>>>>> CA: dogtag-ipa-ca-renew-agent
>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>> subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>>>>> expires: 2020-11-17 18:31:26 UTC
>>>>> eku: id-kp-OCSPSigning
>>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>>>> "ocspSigningCert cert-pki-ca"
>>>>> track: yes
>>>>> auto-renew: yes
>>>>> Request ID '20190926141758':
>>>>> status: MONITORING
>>>>> stuck: no
>>>>> key pair storage:
>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>>>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>>>>> cert-pki-ca',token='NSS Certificate DB'
>>>>> CA: dogtag-ipa-ca-renew-agent
>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>> subject: CN=CA Subsystem,O=EXAMPLE.COM
>>>>> expires: 2020-11-17 18:31:16 UTC
>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>>>> "subsystemCert cert-pki-ca"
>>>>> track: yes
>>>>> auto-renew: yes
>>>>> Request ID '20190926141759':
>>>>> status: MONITORING
>>>>> stuck: no
>>>>> key pair storage:
>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
>>>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
>>>>> cert-pki-ca',token='NSS Certificate DB'
>>>>> CA: dogtag-ipa-ca-renew-agent
>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>> subject: CN=Certificate Authority,O=EXAMPLE.COM
>>>>> expires: 2037-01-05 14:47:24 UTC
>>>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>>>> "caSigningCert cert-pki-ca"
>>>>> track: yes
>>>>> auto-renew: yes
>>>>> Request ID '20190926141800':
>>>>> status: MONITORING
>>>>> stuck: no
>>>>> key pair storage:
>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>>>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>>>>> Certificate DB'
>>>>> CA: dogtag-ipa-ca-renew-agent
>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>> subject: CN=IPA RA,O=EXAMPLE.COM
>>>>> expires: 2020-11-17 18:31:36 UTC
>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>>>> track: yes
>>>>> auto-renew: yes
>>>>> Request ID '20190926141801':
>>>>> status: MONITORING
>>>>> stuck: no
>>>>> key pair storage:
>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
>>>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
>>>>> cert-pki-ca',token='NSS Certificate DB'
>>>>> CA: dogtag-ipa-renew-agent
>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>> subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
>>>>> expires: 2020-11-17 18:30:29 UTC
>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>>>> "Server-Cert cert-pki-ca"
>>>>> track: yes
>>>>> auto-renew: yes
>>>>> Request ID '20190926141802':
>>>>> status: CA_UNCONFIGURED
>>>>> ca-error: Unable to determine principal name for signing request.
>>>>> stuck: yes
>>>>> key pair storage:
>>>>> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
>>>>> Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
>>>>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
>>>>> CA: IPA
>>>>> issuer:
>>>>> subject:
>>>>> expires: unknown
>>>>> pre-save command:
>>>>> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
>>>>> track: yes
>>>>> auto-renew: yes
>>>>
>>>> The tracking on this one is wrong and since you don't have Server-Cert
>>>> anyway, just stop tracking this one.
>>>>
>>>> rob
>>>>>
>>>>> On Thu, Sep 26, 2019 at 10:31 AM Rob Crittenden rcritten@redhat.com wrote:
>>>>>>
>>>>>> Satish Patel wrote:
>>>>>>> Addition to last email:
>>>>>>>
>>>>>>> I can't see Server-Cert here, but the interesting thing is I can see
>>>>>>> Server-Cert in my CA replica node on ldap-2 (why is my primary
>>>>>>> ldap-ca-master not showing that cert?)
>>>>>>>
>>>>>>> [root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L
>>>>>>>
>>>>>>> Certificate Nickname Trust Attributes
>>>>>>> SSL,S/MIME,JAR/XPI
>>>>>>>
>>>>>>> EXAMPLE.COM IPA CA CT,C,C
>>>>>>> Godaddy C,,
>>>>>>> CN=*.foo.example.com,OU=Domain Control Validated u,u,u
>>>>>>> Godaddy Intermediate C,,
>>>>>>
>>>>>> At some point someone replaced the IPA-signed LDAP certificate with one
>>>>>> signed by GoDaddy (which is fine).
>>>>>>
>>>>>> It appears that the version of IPA you're using (at least) doesn't
>>>>>> handle this case.
>>>>>>
>>>>>> Now, fortunately it's one of the last things done so this may be just fine.
>>>>>>
>>>>>> Can you see if your web server cert was also replaced? The database is
>>>>>> /etc/httpd/alias.
>>>>>>
>>>>>> Also, check your current tracking. The CA subsystem certs should be
>>>>>> properly tracked now. It is just the LDAP and web certs that should not
>>>>>> be (and if it is still using GoDaddy that is fine).
>>>>>>
>>>>>> rob
>>>>>>
>>>>>>>
>>>>>>> On Thu, Sep 26, 2019 at 10:22 AM Satish Patel satish.txt@gmail.com wrote:
>>>>>>>>
>>>>>>>> Rob,
>>>>>>>>
>>>>>>>> Now I got an error and here is the output. The output was very long, so I
>>>>>>>> cropped it down and here is the error piece.
>>>>>>>>
>>>>>>>> ipa: INFO: [Upgrading CA schema]
>>>>>>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing
>>>>>>>> ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket from SchemaCache
>>>>>>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for
>>>>>>>> SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket
>>>>>>>> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x85bbf80>
>>>>>>>> ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file
>>>>>>>> /usr/share/pki/server/conf/schema-certProfile.ldif
>>>>>>>> ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file
>>>>>>>> /usr/share/pki/server/conf/schema-authority.ldif
>>>>>>>> ipa.ipaserver.install.schemaupdate: DEBUG: Not updating schema
>>>>>>>> ipa: INFO: CA schema update complete (no changes)
>>>>>>>> ipa: INFO: [Verifying that CA audit signing cert has 2 year validity]
>>>>>>>> ipa.ipaserver.install.cainstance.CAInstance: DEBUG:
>>>>>>>> caSignedLogCert.cfg profile validity range is 720
>>>>>>>> ipa: INFO: [Update certmonger certificate renewal configuration to version 5]
>>>>>>>> ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
>>>>>>>> ipa: DEBUG: Configuring certmonger to stop tracking system certificates for CA
>>>>>>>> Configuring certmonger to stop tracking system certificates for CA
>>>>>>>> ipa: DEBUG: Starting external process
>>>>>>>> ipa: DEBUG: args=/bin/systemctl start messagebus.service
>>>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>>>> ipa: DEBUG: stdout=
>>>>>>>> ipa: DEBUG: stderr=
>>>>>>>> ipa: DEBUG: Starting external process
>>>>>>>> ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
>>>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>>>> ipa: DEBUG: stdout=active
>>>>>>>>
>>>>>>>> ipa: DEBUG: stderr=
>>>>>>>> ipa: DEBUG: Starting external process
>>>>>>>> ipa: DEBUG: args=/bin/systemctl start certmonger.service
>>>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>>>> ipa: DEBUG: stdout=
>>>>>>>> ipa: DEBUG: stderr=
>>>>>>>> ipa: DEBUG: Starting external process
>>>>>>>> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
>>>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>>>> ipa: DEBUG: stdout=active
>>>>>>>>
>>>>>>>> ipa: DEBUG: stderr=
>>>>>>>> ipa: DEBUG: Starting external process
>>>>>>>> ipa: DEBUG: args=/bin/systemctl stop certmonger.service
>>>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>>>> ipa: DEBUG: stdout=
>>>>>>>> ipa: DEBUG: stderr=
>>>>>>>> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
>>>>>>>> ipa: DEBUG: Starting external process
>>>>>>>> ipa: DEBUG: args=/bin/systemctl start certmonger.service
>>>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>>>> ipa: DEBUG: stdout=
>>>>>>>> ipa: DEBUG: stderr=
>>>>>>>> ipa: DEBUG: Starting external process
>>>>>>>> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
>>>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>>>> ipa: DEBUG: stdout=active
>>>>>>>>
>>>>>>>> ipa: DEBUG: stderr=
>>>>>>>> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
>>>>>>>> ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
>>>>>>>> ipa: DEBUG: Starting external process
>>>>>>>> ipa: DEBUG: args=/bin/systemctl enable certmonger.service
>>>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>>>> ipa: DEBUG: stdout=
>>>>>>>> ipa: DEBUG: stderr=
>>>>>>>> ipa: DEBUG: Starting external process
>>>>>>>> ipa: DEBUG: args=/bin/systemctl start messagebus.service
>>>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>>>> ipa: DEBUG: stdout=
>>>>>>>> ipa: DEBUG: stderr=
>>>>>>>> ipa: DEBUG: Starting external process
>>>>>>>> ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
>>>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>>>> ipa: DEBUG: stdout=active
>>>>>>>>
>>>>>>>> ipa: DEBUG: stderr=
>>>>>>>> ipa: DEBUG: Starting external process
>>>>>>>> ipa: DEBUG: args=/bin/systemctl start certmonger.service
>>>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>>>> ipa: DEBUG: stdout=
>>>>>>>> ipa: DEBUG: stderr=
>>>>>>>> ipa: DEBUG: Starting external process
>>>>>>>> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
>>>>>>>> ipa: DEBUG: Process finished, return code=0
>>>>>>>> ipa: DEBUG: stdout=active
>>>>>>>>
>>>>>>>> ipa: DEBUG: stderr=
>>>>>>>> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
>>>>>>>> ipa: DEBUG: Starting external process
>>>>>>>> ipa: DEBUG: args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM -L
>>>>>>>> -n Server-Cert -a
>>>>>>>> ipa: DEBUG: Process finished, return code=255
>>>>>>>> ipa: DEBUG: stdout=
>>>>>>>> ipa: DEBUG: stderr=certutil: Could not find cert: Server-Cert
>>>>>>>> : PR_FILE_NOT_FOUND_ERROR: File not found
>>>>>>>>
>>>>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: IPA
>>>>>>>> server upgrade failed: Inspect /var/log/ipaupgrade.log and run command
>>>>>>>> ipa-server-upgrade manually.
>>>>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: File
>>>>>>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171,
>>>>>>>> in execute
>>>>>>>> return_value = self.run()
>>>>>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
>>>>>>>> line 46, in run
>>>>>>>> server.upgrade()
>>>>>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>>>>>>>> line 1863, in upgrade
>>>>>>>> upgrade_configuration()
>>>>>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>>>>>>>> line 1769, in upgrade_configuration
>>>>>>>> certificate_renewal_update(ca, ds, http),
>>>>>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>>>>>>>> line 1027, in certificate_renewal_update
>>>>>>>> ds.start_tracking_certificates(serverid)
>>>>>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py",
>>>>>>>> line 983, in start_tracking_certificates
>>>>>>>> 'restart_dirsrv %s' % serverid)
>>>>>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py",
>>>>>>>> line 307, in track_server_cert
>>>>>>>> nsscert = x509.load_certificate(cert, dbdir=self.secdir)
>>>>>>>> File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 125, in
>>>>>>>> load_certificate
>>>>>>>> return nss.Certificate(buffer(data)) # pylint: disable=buffer-builtin
>>>>>>>>
>>>>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The
>>>>>>>> ipa-server-upgrade command failed, exception: NSPRError:
>>>>>>>> (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>>>>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR:
>>>>>>>> Unexpected error - see /var/log/ipaupgrade.log for details:
>>>>>>>> NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>>>>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The
>>>>>>>> ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
>>>>>>>> more information
>>>>>>>>
>>>>>>>> On Thu, Sep 26, 2019 at 9:39 AM Rob Crittenden rcritten@redhat.com wrote:
>>>>>>>>>
>>>>>>>>> Satish Patel wrote:
>>>>>>>>>> I am running "ipa-server-4.4.0-14.el7.centos.4.x86_64"
>>>>>>>>>
>>>>>>>>> Ok, that explains what is happening.
>>>>>>>>>
>>>>>>>>> Edit /var/lib/ipa/sysupgrade/sysupgrade.state and find the [dogtag]
>>>>>>>>> section. Remove the entry for certificate_renewal_update_5.
>>>>>>>>>
>>>>>>>>> This being present is preventing the tracking from being repaired.
>>>>>>>>>
>>>>>>>>> Then run ipa-server-upgrade again and your tracking should be fixed.
>>>>>>>>>
>>>>>>>>> Use the -v flag for additional debugging, not --debug, I was mistaken.
>>>>>>>>>
>>>>>>>>> rob
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Wed, Sep 25, 2019 at 5:13 PM Rob Crittenden rcritten@redhat.com wrote:
>>>>>>>>>>>
>>>>>>>>>>> Satish Patel via FreeIPA-users wrote:
>>>>>>>>>>>> I did run "ipa-server-upgrade" and it looks like it was successful, but
>>>>>>>>>>>> getcert list is still showing CA_NEED :(
>>>>>>>>>>>
>>>>>>>>>>> Remind me what the package version of IPA is. I'm confused by the
>>>>>>>>>>> version 5 in the output about renewal configuration.
>>>>>>>>>>>
>>>>>>>>>>> You might also want to try running with --debug as depending on release
>>>>>>>>>>> it will give more information about this.
>>>>>>>>>>>
>>>>>>>>>>> rob
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> [root@ldap-ca-master ~]# ipa-server-upgrade
>>>>>>>>>>>> Upgrading IPA:
>>>>>>>>>>>> [1/10]: stopping directory server
>>>>>>>>>>>> [2/10]: saving configuration
>>>>>>>>>>>> [3/10]: disabling listeners
>>>>>>>>>>>> [4/10]: enabling DS global lock
>>>>>>>>>>>> [5/10]: starting directory server
>>>>>>>>>>>> [6/10]: updating schema
>>>>>>>>>>>> [7/10]: upgrading server
>>>>>>>>>>>> [8/10]: stopping directory server
>>>>>>>>>>>> [9/10]: restoring configuration
>>>>>>>>>>>> [10/10]: starting directory server
>>>>>>>>>>>> Done.
>>>>>>>>>>>> Update complete
>>>>>>>>>>>> Upgrading IPA services
>>>>>>>>>>>> Upgrading the configuration of the IPA services
>>>>>>>>>>>> [Verifying that root certificate is published]
>>>>>>>>>>>> [Migrate CRL publish directory]
>>>>>>>>>>>> CRL tree already moved
>>>>>>>>>>>> /etc/dirsrv/slapd-EXAMPLE-COM/certmap.conf is now managed by IPA. It
>>>>>>>>>>>> will be overwritten. A backup of the original will be made.
>>>>>>>>>>>> [Verifying that CA proxy configuration is correct]
>>>>>>>>>>>> [Verifying that KDC configuration is using ipa-kdb backend]
>>>>>>>>>>>> [Fix DS schema file syntax]
>>>>>>>>>>>> Syntax already fixed
>>>>>>>>>>>> [Removing RA cert from DS NSS database]
>>>>>>>>>>>> RA cert already removed
>>>>>>>>>>>> [Enable sidgen and extdom plugins by default]
>>>>>>>>>>>> [Updating HTTPD service IPA configuration]
>>>>>>>>>>>> [Updating mod_nss protocol versions]
>>>>>>>>>>>> Protocol versions already updated
>>>>>>>>>>>> [Updating mod_nss cipher suite]
>>>>>>>>>>>> [Fixing trust flags in /etc/httpd/alias]
>>>>>>>>>>>> Trust flags already processed
>>>>>>>>>>>> [Exporting KRA agent PEM file]
>>>>>>>>>>>> KRA is not enabled
>>>>>>>>>>>> [Removing self-signed CA]
>>>>>>>>>>>> [Removing Dogtag 9 CA]
>>>>>>>>>>>> [Checking for deprecated KDC configuration files]
>>>>>>>>>>>> [Checking for deprecated backups of Samba configuration files]
>>>>>>>>>>>> [Setting up Firefox extension]
>>>>>>>>>>>> [Add missing CA DNS records]
>>>>>>>>>>>> IPA CA DNS records already processed
>>>>>>>>>>>> [Removing deprecated DNS configuration options]
>>>>>>>>>>>> DNS is not configured
>>>>>>>>>>>> [Ensuring minimal number of connections]
>>>>>>>>>>>> DNS is not configured
>>>>>>>>>>>> [Enabling serial autoincrement in DNS]
>>>>>>>>>>>> DNS is not configured
>>>>>>>>>>>> [Updating GSSAPI configuration in DNS]
>>>>>>>>>>>> DNS is not configured
>>>>>>>>>>>> [Updating pid-file configuration in DNS]
>>>>>>>>>>>> DNS is not configured
>>>>>>>>>>>> DNS is not configured
>>>>>>>>>>>> DNS is not configured
>>>>>>>>>>>> DNS is not configured
>>>>>>>>>>>> DNS is not configured
>>>>>>>>>>>> DNS is not configured
>>>>>>>>>>>> DNS is not configured
>>>>>>>>>>>> DNS is not configured
>>>>>>>>>>>> DNS is not configured
>>>>>>>>>>>> [Upgrading CA schema]
>>>>>>>>>>>> CA schema update complete (no changes)
>>>>>>>>>>>> [Verifying that CA audit signing cert has 2 year validity]
>>>>>>>>>>>> [Update certmonger certificate renewal configuration to version 5]
>>>>>>>>>>>> [Enable PKIX certificate path discovery and validation]
>>>>>>>>>>>> PKIX already enabled
>>>>>>>>>>>> [Authorizing RA Agent to modify profiles]
>>>>>>>>>>>> [Authorizing RA Agent to manage lightweight CAs]
>>>>>>>>>>>> [Ensuring Lightweight CAs container exists in Dogtag database]
>>>>>>>>>>>> [Adding default OCSP URI configuration]
>>>>>>>>>>>> [Ensuring CA is using LDAPProfileSubsystem]
>>>>>>>>>>>> [Migrating certificate profiles to LDAP]
>>>>>>>>>>>> [Ensuring presence of included profiles]
>>>>>>>>>>>> [Add default CA ACL]
>>>>>>>>>>>> Default CA ACL already added
>>>>>>>>>>>> [Set up lightweight CA key retrieval]
>>>>>>>>>>>> Creating principal
>>>>>>>>>>>> Retrieving keytab
>>>>>>>>>>>> Creating Custodia keys
>>>>>>>>>>>> Configuring key retriever
>>>>>>>>>>>> The IPA services were upgraded
>>>>>>>>>>>> The ipa-server-upgrade command was successful
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> [root@ldap-ca-master ~]# getcert list | grep status
>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Sep 24, 2019 at 3:55 AM Florence Blanc-Renaud flo@redhat.com wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 9/23/19 4:10 PM, Satish Patel via FreeIPA-users wrote:
>>>>>>>>>>>>>> Thanks Florence,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Is it safe to run "ipa-server-upgrade"?
>>>>>>>>>>>>>>
>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>> generally yes :)
>>>>>>>>>>>>>
>>>>>>>>>>>>> We had a few tickets related to upgrade but they are mainly revealing
>>>>>>>>>>>>> already present issues (for instance because this CLI stops and starts
>>>>>>>>>>>>> the services, expired certs would prevent successful completion).
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Do I need to provide any option with the "ipa-server-upgrade" command? I
>>>>>>>>>>>>>> believe a few months back when I tried to do "ipa-server-upgrade" it
>>>>>>>>>>>>>> broke some stuff, but anyway I will take a snapshot of the VM and try;
>>>>>>>>>>>>>> worst-case scenario, I can roll back.
>>>>>>>>>>>>> With the VM snapshot you are on the safe side.
>>>>>>>>>>>>>
>>>>>>>>>>>>> flo
>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Mon, Sep 23, 2019 at 2:25 AM Florence Blanc-Renaud flo@redhat.com wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 9/21/19 7:41 PM, Satish Patel via FreeIPA-users wrote:
>>>>>>>>>>>>>>>> Any thoughts?
>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>> if you run ipa-server-upgrade on this node, the command will fix the
>>>>>>>>>>>>>>> tracking of certs. You should see in the output:
>>>>>>>>>>>>>>> [Update certmonger certificate renewal configuration]
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> HTH,
>>>>>>>>>>>>>>> flo
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Sent from my iPhone
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Sep 20, 2019, at 11:35 AM, Satish Patel satish.txt@gmail.com wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Rob, sorry, I trimmed my output thinking it was not necessary, but anyway
>>>>>>>>>>>>>>>>> here is the full list (ignore the CAPS letters in the output)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> [root@ldap-ca-master ~]# getcert list
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Number of certificates and requests being tracked: 12.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Request ID '20190915042927':
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> key pair storage:
>>>>>>>>>>>>>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
>>>>>>>>>>>>>>>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
>>>>>>>>>>>>>>>>> cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> subject: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> expires: 2037-01-05 14:47:24 UTC
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Request ID '20190915043150':
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> key pair storage:
>>>>>>>>>>>>>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
>>>>>>>>>>>>>>>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
>>>>>>>>>>>>>>>>> cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> expires: 2020-11-17 18:30:29 UTC
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Request ID '20190915043212':
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> key pair storage:
>>>>>>>>>>>>>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>>>>>>>>>>>>>>>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>>>>>>>>>>>>>>>>> cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> expires: 2020-11-17 18:31:26 UTC
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> eku: id-kp-OCSPSigning
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Request ID '20190915043224':
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> key pair storage:
>>>>>>>>>>>>>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>>>>>>>>>>>>>>>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>>>>>>>>>>>>>>>>> cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> subject: CN=CA Audit,O=EXAMPLE.COM
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> expires: 2020-11-17 18:32:07 UTC
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Request ID '20190915043237':
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> key pair storage:
>>>>>>>>>>>>>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>>>>>>>>>>>>>>>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>>>>>>>>>>>>>>>>> cert-pki-ca',token='NSS Certificate DB'
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> subject: CN=CA Subsystem,O=EXAMPLE.COM
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> expires: 2020-11-17 18:31:16 UTC
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Request ID '20190915043246':
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> stuck: no
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> key pair storage:
>>>>>>>>>>>>>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin
>>>>>>>>>>>>>>>>> set
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS
>>>>>>>>>>>>>>>>> Certificate DB'
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com,
>>>>>>>>>>>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com,
>>>>>>>>>>>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> expires: 2037-12-31 23:59:59 UTC
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> key usage: keyCertSign,cRLSign
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Request ID '20190915043304':
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> stuck: no
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> key pair storage:
>>>>>>>>>>>>>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy
>>>>>>>>>>>>>>>>> Intermediate',pin set
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy
>>>>>>>>>>>>>>>>> Intermediate',token='NSS Certificate DB'
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com,
>>>>>>>>>>>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> subject: CN=Go Daddy Secure Certificate Authority -
>>>>>>>>>>>>>>>>> G2,OU=http://certs.godaddy.com/repository/,O=%22GoDaddy.com,
>>>>>>>>>>>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> expires: 2031-05-03 07:00:00 UTC
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> key usage: keyCertSign,cRLSign
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Request ID '20190915045112':
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> stuck: no
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> key pair storage:
>>>>>>>>>>>>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA
>>>>>>>>>>>>>>>>> CA',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM
>>>>>>>>>>>>>>>>> IPA CA',token='NSS Certificate DB'
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> subject: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> expires: 2037-01-05 14:47:24 UTC
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Request ID '20190915045148':
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> stuck: no
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> key pair storage:
>>>>>>>>>>>>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS
>>>>>>>>>>>>>>>>> Certificate DB'
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com,
>>>>>>>>>>>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com,
>>>>>>>>>>>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> expires: 2037-12-31 23:59:59 UTC
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> key usage: keyCertSign,cRLSign
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Request ID '20190915045156':
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> key pair storage:
>>>>>>>>>>>>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS
>>>>>>>>>>>>>>>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS
>>>>>>>>>>>>>>>>> Certificate DB'
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> subject: CN=Object Signing Cert,O=EXAMPLE.COM
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> expires: 2021-01-05 14:49:59 UTC
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> key usage: digitalSignature,keyCertSign
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Request ID '20190915045206':
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> status: NEED_KEY_PAIR
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> stuck: no
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> key pair storage:
>>>>>>>>>>>>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy
>>>>>>>>>>>>>>>>> Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy
>>>>>>>>>>>>>>>>> Intermediate',token='NSS Certificate DB'
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com,
>>>>>>>>>>>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> subject: CN=Go Daddy Secure Certificate Authority -
>>>>>>>>>>>>>>>>> G2,OU=http://certs.godaddy.com/repository/,O=%22GoDaddy.com,
>>>>>>>>>>>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> expires: 2031-05-03 07:00:00 UTC
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> key usage: keyCertSign,cRLSign
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Request ID '20190915045216':
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> status: NEED_CA
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> stuck: yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> key pair storage:
>>>>>>>>>>>>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>>>>>>>>>>>>>>>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>>>>>>>>>>>>>>>>> Certificate DB'
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> subject: CN=IPA RA,O=EXAMPLE.COM
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> expires: 2020-11-17 18:31:36 UTC
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> pre-save command:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> post-save command:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> track: yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Fri, Sep 20, 2019 at 10:58 AM Rob Crittenden rcritten@redhat.com wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Satish Patel via FreeIPA-users wrote:
>>>>>>>>>>>>>>>>>>> Few days ago my Master CA
was messed up and getcert list was showing >>>>>>>>>>>>>>>>>>> empty list (no cert to track) >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> So i run following command to add certs manually: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n >>>>>>>>>>>>>>>>>>> 'ocspSigningCert cert-pki-ca' -P XXXXXXX >>>>>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n >>>>>>>>>>>>>>>>>>> 'auditSigningCert cert-pki-ca' -P XXXXXXX >>>>>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'subsystemCert >>>>>>>>>>>>>>>>>>> cert-pki-ca' -P XXXXXXX >>>>>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy' -P XXXXXXX >>>>>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy >>>>>>>>>>>>>>>>>>> Intermediate' -P XXXXXXX >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> And after that i am seeing this status (status: NEED_CA ) it should >>>>>>>>>>>>>>>>>>> be MONITORING right? >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> # getcert list
>>>>>>>>>>>>>>>>>>> Number of certificates and requests being tracked: 12. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> You setup the tracking wrong. Your output only shows 3 certs and yet >>>>>>>>>>>>>>>>>> certmonger thinks it has 12. Where are the other 9? >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> rob >>>>>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org >>>>>>>>>>>>>>>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org >>>>>>>>>>>>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>>>>>>>>>>>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>>>>>>>>>>>>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org >>>>>>>>>>>>>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org >>>>>>>>>>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>>>>>>>>>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>>>>>>>>>>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org >>>>>>>>>>>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org >>>>>>>>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>>>>>>>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>>>>>>>>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... 
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
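The two things the reply above points at, requests that are not in MONITORING and a declared count that does not match the entries shown, are easy to check mechanically. The script below is an added example for this thread, not code from FreeIPA or certmonger: it parses the text that `getcert list` prints, flags every request whose status is not MONITORING or that is marked stuck, explains NEED_CA (the request has no CA attached, which is what happens when start-tracking is run without -c) and NEED_KEY_PAIR (no private key for that nickname in the NSS database, so a third-party CA certificate such as the GoDaddy root or intermediate can never be renewed and should not be tracked), and compares the "Number of certificates and requests being tracked" header with the number of entries actually present. The embedded sample output is constructed from the entries quoted in the thread; the final request ID and the `CA: IPA` entry are made up to show a healthy case. The `getcert stop-tracking -i <id>` and `-c <CA>` it suggests are real getcert options, but the exact arguments FreeIPA uses to re-create its own tracking requests are not shown on this page and are not claimed here.

```python
"""Triage certmonger tracking requests from `getcert list` output.

Added example for this thread, not FreeIPA or certmonger code.
"""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the thread's entries. The last request
# (ID 20191001120000, CA: IPA) is made up to show a healthy entry.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 4.
Request ID '20190915042927':
        status: NEED_CA
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        issuer: CN=Certificate Authority,O=example.com
        subject: CN=Certificate Authority,O=example.com
        expires: 2037-01-05 14:47:24 UTC
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20190915043304':
        status: NEED_KEY_PAIR
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
        subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
        track: yes
        auto-renew: yes
Request ID '20190915045216':
        status: NEED_CA
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        subject: CN=IPA RA,O=EXAMPLE.COM
        track: yes
        auto-renew: yes
Request ID '20191001120000':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        track: yes
        auto-renew: yes
"""

# What each non-MONITORING state means in certmonger's terms.
DIAGNOSIS = {
    "NEED_CA": "no CA attached to the request (start-tracking ran without -c); "
               "stop tracking and re-create it with -c <CA>",
    "NEED_KEY_PAIR": "no private key for this nickname in the NSS DB; a CA "
                     "certificate you do not hold the key for cannot be renewed "
                     "and should not be tracked at all",
}


@dataclass
class TrackingRequest:
    request_id: str
    fields: dict = field(default_factory=dict)

    @property
    def status(self) -> str:
        return self.fields.get("status", "")

    @property
    def stuck(self) -> bool:
        return self.fields.get("stuck") == "yes"

    @property
    def nickname(self) -> str:
        m = re.search(r"nickname='([^']*)'", self.fields.get("key pair storage", ""))
        return m.group(1) if m else ""


def parse_getcert_list(text: str):
    """Return (declared_count, [TrackingRequest]) from `getcert list` output."""
    declared, requests, current = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Number of certificates and requests being tracked: (\d+)\.", line)
        if m:
            declared = int(m.group(1))
            continue
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = TrackingRequest(m.group(1))
            requests.append(current)
            continue
        if current is not None:
            # Field names never contain ':'; values (expires, URLs) may.
            key, _, value = line.partition(":")
            current.fields[key.strip()] = value.strip()
    return declared, requests


def triage(text: str) -> dict:
    """Flag broken requests and a header count that the entries do not match."""
    declared, requests = parse_getcert_list(text)
    broken = []
    for r in requests:
        if r.status == "MONITORING" and not r.stuck:
            continue
        broken.append({
            "request_id": r.request_id,
            "nickname": r.nickname,
            "status": r.status,
            "stuck": r.stuck,
            "why": DIAGNOSIS.get(r.status, "unexpected state; inspect with getcert list -i"),
            "suggested": f"getcert stop-tracking -i {r.request_id}",
        })
    return {
        "declared": declared,
        "parsed": len(requests),
        # A header that claims more requests than are listed means the output
        # was cut short (the 12-versus-3 mismatch in the thread).
        "truncated": declared is not None and declared != len(requests),
        "broken": broken,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_GETCERT_LIST)
    print(f"declared={report['declared']} parsed={report['parsed']} truncated={report['truncated']}")
    for f in report["broken"]:
        print(f"{f['request_id']} '{f['nickname']}' {f['status']} stuck={f['stuck']}: {f['why']} -> {f['suggested']}")
```

On a live server, run it over real output with `getcert list | python3 triage.py` after replacing the sample with `sys.stdin.read()`; anything it lists as NEED_KEY_PAIR is a certificate certmonger can never renew, and anything listed as NEED_CA has to be re-created with a CA before auto-renew can do anything.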