Description of problem:
ipa-cacert-manage renew self-signed CA to external CA cert fails

Version-Release number of selected component (if applicable):
ipa-server-4.4.0-12.el7

How reproducible:
Always

Steps to Reproduce:
1. Install IPA with self-signed cert
2. Check certs
3. ipa-cacert-manage renew --external-ca
4. Set up a clean NSS DB dir to work in
5. Create primary CA that is first in chain
6. Sign IPA SubCA Certificate Signing Request (ipa.csr) from ipa-server-install --external-ca
7. Get Signing CA Cert to include with IPA install
8. Finish external CA renewal
9. Check certs

Actual results:
Certs didn't get renewed

Expected results:
Certs got renewed successfully

Additional info:

1.
[root@wolverine ~]# ipa-server-install --setup-dns --forwarder=$DNSFORWARD --hostname=$(hostname) -r $RELM -n $DOMAIN -p $ADMINPW -a $ADMINPW -U
.
.
.

2.
[root@wolverine ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20161016144027':
	status: MONITORING
	subject: CN=CA Audit,O=TESTRELM.TEST
	expires: 2018-10-06 14:39:34 UTC
Request ID '20161016144028':
	status: MONITORING
	subject: CN=OCSP Subsystem,O=TESTRELM.TEST
	expires: 2018-10-06 14:39:28 UTC
Request ID '20161016144030':
	status: MONITORING
	subject: CN=CA Subsystem,O=TESTRELM.TEST
	expires: 2018-10-06 14:39:31 UTC
Request ID '20161016144031':
	status: MONITORING
	subject: CN=Certificate Authority,O=TESTRELM.TEST
	expires: 2036-10-16 14:39:24 UTC
Request ID '20161016144032':
	status: MONITORING
	subject: CN=IPA RA,O=TESTRELM.TEST
	expires: 2018-10-06 14:40:19 UTC
Request ID '20161016144033':
	status: MONITORING
	subject: CN=wolverine.testrelm.test,O=TESTRELM.TEST
	expires: 2018-10-06 14:39:29 UTC
Request ID '20161016144141':
	status: MONITORING
	subject: CN=wolverine.testrelm.test,O=TESTRELM.TEST
	expires: 2018-10-17 14:41:41 UTC
Request ID '20161016144244':
	status: MONITORING
	subject: CN=wolverine.testrelm.test,O=TESTRELM.TEST
	expires: 2018-10-17 14:42:44 UTC

3.
[root@wolverine ~]# ipa-cacert-manage renew --external-ca
Exporting CA certificate signing request, please wait
The next step is to get /var/lib/ipa/ca.csr signed by your CA and re-run ipa-cacert-manage as:
ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
The ipa-cacert-manage command was successful

4.
[root@wolverine ~]# mkdir /root/RootCA1
[root@wolverine ~]# cd /root/RootCA1
[root@wolverine RootCA1]# rm -f *
[root@wolverine RootCA1]# echo Secret123 > mypass1
[root@wolverine RootCA1]# certutil -N -d . -f mypass1

5.
[root@wolverine RootCA1]# echo -e "y\n10\ny\n" | \
> certutil -S -d . \
> -n RootCA1 \
> -s "CN=MyRootCA1, O=fakerealm1" \
> -x \
> -t "CTu,CTu,CTu" \
> -g 2048 \
> -m $RANDOM\
> -v 60 \
> -z /etc/group \
> -2 \
> --keyUsage certSigning \
> --nsCertType sslCA,smimeCA,objectSigningCA \
> -f mypass1
Generating key. This may take a few moments...
Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: >
Is this a critical extension [y/N]?
Notice: Trust flag u is set automatically if the private key is present.

6.
[root@wolverine RootCA1]# echo -e "y\n10\ny\n" | \
> certutil -C -d . \
> -c RootCA1 \
> -m $RANDOM \
> -v 60 \
> -2 \
> --keyUsage digitalSignature,nonRepudiation,certSigning \
> --nsCertType sslCA,smimeCA,objectSigningCA \
> -i /var/lib/ipa/ca.csr \
> -o /root/ca.crt \
> -f mypass1 \
> -a
Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: >
Is this a critical extension [y/N]?

7.
[root@wolverine RootCA1]# certutil -L -d . -n "RootCA1" -a >> /root/RootCA1_chain.asc

8.
[root@wolverine RootCA1]# cd /root
[root@wolverine ~]# ipa-cacert-manage renew \
> --external-cert-file=/root/ca.crt \
> --external-cert-file=/root/RootCA1_chain.asc
Importing the renewed CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful

9.
[root@wolverine ~]# getcert list | egrep "status|expires|Request|subject|ca-error"
Request ID '20161016144027':
	status: MONITORING
	subject: CN=CA Audit,O=TESTRELM.TEST
	expires: 2018-10-06 14:39:34 UTC
Request ID '20161016144028':
	status: MONITORING
	subject: CN=OCSP Subsystem,O=TESTRELM.TEST
	expires: 2018-10-06 14:39:28 UTC
Request ID '20161016144030':
	status: MONITORING
	subject: CN=CA Subsystem,O=TESTRELM.TEST
	expires: 2018-10-06 14:39:31 UTC
Request ID '20161016144031':
	status: MONITORING
	subject: CN=Certificate Authority,O=TESTRELM.TEST
	expires: 2036-10-16 14:39:24 UTC
Request ID '20161016144032':
	status: MONITORING
	subject: CN=IPA RA,O=TESTRELM.TEST
	expires: 2018-10-06 14:40:19 UTC
Request ID '20161016144033':
	status: MONITORING
	subject: CN=wolverine.testrelm.test,O=TESTRELM.TEST
	expires: 2018-10-06 14:39:29 UTC
Request ID '20161016144141':
	status: MONITORING
	subject: CN=wolverine.testrelm.test,O=TESTRELM.TEST
	expires: 2018-10-17 14:41:41 UTC
Request ID '20161016144244':
	status: MONITORING
	subject: CN=wolverine.testrelm.test,O=TESTRELM.TEST
	expires: 2018-10-17 14:42:44 UTC
Please post the output of the following command:

# certutil -d /etc/pki/pki-tomcat/alias -L -n 'caSigningCert cert-pki-ca'
[root@vm-idm-005 ~]# certutil -d /etc/pki/pki-tomcat/alias -L -n 'caSigningCert cert-pki-ca'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 404 (0x194)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=MyRootCA1,O=fakerealm1"
        Validity:
            Not Before: Tue Oct 25 15:16:13 2016
            Not After : Mon Oct 25 15:16:13 2021
        Subject: "CN=Certificate Authority,O=TESTRELM.TEST"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    d0:84:6d:05:e0:62:4d:29:73:7b:c8:13:bb:41:93:c7:
                    3d:10:f0:e8:d5:25:3e:0c:06:4a:09:20:80:e9:65:a6:
                    c2:7f:b0:81:ea:3c:2b:07:53:32:8a:36:93:55:19:1b:
                    45:46:79:97:93:54:22:a9:71:a3:6f:7f:ad:12:fc:e5:
                    80:d0:17:25:46:e5:6c:77:15:1c:a9:53:ed:d1:f0:b4:
                    b1:80:57:ad:ce:11:7d:d3:1c:52:b5:77:fb:04:d7:1c:
                    0d:3d:de:03:9e:b5:b2:e1:3f:f1:cf:57:57:43:f6:04:
                    ad:d9:7e:e3:be:95:1c:fb:6f:ec:3b:33:8e:5a:81:0a:
                    2c:69:a2:28:04:80:f8:0e:b3:7e:f5:78:82:4d:78:a4:
                    b6:c0:67:4a:e8:92:87:be:f7:f9:03:9e:52:c2:34:02:
                    d5:10:af:b7:e4:41:ca:1f:09:70:00:d6:29:89:32:23:
                    2b:7a:c0:e0:3d:aa:98:da:ea:98:84:dc:11:62:e8:f2:
                    f1:b2:0b:82:9a:3d:c0:bf:f4:71:e3:7a:a3:ac:27:50:
                    db:9d:75:1f:ba:f9:ea:a0:24:7a:ce:32:f1:3e:4d:ef:
                    76:c2:02:18:1b:3d:fd:5d:87:1f:a9:18:1f:be:2e:ba:
                    0f:e0:f8:f7:9d:36:77:e1:ea:07:90:3c:4f:59:9c:b3
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Type
            Data: <SSL CA,S/MIME CA,ObjectSigning CA>

            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with a maximum path length of 10.

            Name: Certificate Key Usage
            Usages: Digital Signature
                    Non-Repudiation
                    Certificate Signing

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        9d:32:ad:11:fa:44:72:24:fa:c1:39:62:07:d8:0d:77:
        6a:aa:4c:a3:c5:92:d7:3c:ee:f6:7c:e3:24:59:be:c3:
        68:58:a1:c2:fb:b9:c0:8f:05:38:79:d8:10:06:b6:ab:
        97:d1:ca:37:04:2b:81:b2:71:14:46:b0:f7:a0:0f:4b:
        d9:ac:91:0b:41:19:4d:3b:da:bd:1d:41:ed:82:be:af:
        df:10:9b:4d:66:06:24:c6:b1:02:5f:29:8e:7a:5f:d0:
        cf:56:b7:a1:1e:d0:b1:87:a1:a7:ee:a4:30:18:d8:52:
        cf:13:e5:a6:97:ac:89:76:0e:f4:1d:4c:14:4c:86:e6:
        1b:a4:d2:c9:45:dd:35:8d:96:2a:a1:b0:91:94:8d:02:
        2e:97:b5:69:a2:ed:62:7e:7c:72:6f:f3:7e:1a:b5:20:
        9d:fd:0c:3c:32:5f:49:ab:09:9d:e1:68:cd:3f:c0:66:
        d7:17:ce:ce:99:9e:12:76:41:88:d0:0a:1c:15:e5:1d:
        4d:9e:2d:da:09:c1:37:1e:d5:eb:7a:b6:d6:36:38:23:
        c0:4e:df:a8:50:e5:a9:07:f3:34:10:c6:1d:79:ae:62:
        36:42:0e:c8:21:64:17:7f:14:85:88:cf:98:ae:69:7c:
        06:29:59:69:a6:3e:32:89:2f:e8:51:b4:ef:b3:7d:10
    Fingerprint (SHA-256):
        1E:2E:DB:CF:D2:FF:38:18:07:CE:8B:D5:4E:B7:89:BE:81:71:BE:E4:D1:E1:36:EA:CE:C6:C1:FA:90:B6:D7:98
    Fingerprint (SHA1):
        C2:0E:AB:E5:A9:27:D4:13:3B:2E:D1:97:CB:10:9D:2B:A6:A4:B6:8C

    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            User
            Trusted Client CA
        Email Flags:
            Valid CA
            Trusted CA
            User
        Object Signing Flags:
            Valid CA
            Trusted CA
            User

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=TESTRELM.TEST"
        Validity:
            Not Before: Tue Oct 25 13:58:14 2016
            Not After : Sat Oct 25 13:58:14 2036
        Subject: "CN=Certificate Authority,O=TESTRELM.TEST"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    d0:84:6d:05:e0:62:4d:29:73:7b:c8:13:bb:41:93:c7:
                    3d:10:f0:e8:d5:25:3e:0c:06:4a:09:20:80:e9:65:a6:
                    c2:7f:b0:81:ea:3c:2b:07:53:32:8a:36:93:55:19:1b:
                    45:46:79:97:93:54:22:a9:71:a3:6f:7f:ad:12:fc:e5:
                    80:d0:17:25:46:e5:6c:77:15:1c:a9:53:ed:d1:f0:b4:
                    b1:80:57:ad:ce:11:7d:d3:1c:52:b5:77:fb:04:d7:1c:
                    0d:3d:de:03:9e:b5:b2:e1:3f:f1:cf:57:57:43:f6:04:
                    ad:d9:7e:e3:be:95:1c:fb:6f:ec:3b:33:8e:5a:81:0a:
                    2c:69:a2:28:04:80:f8:0e:b3:7e:f5:78:82:4d:78:a4:
                    b6:c0:67:4a:e8:92:87:be:f7:f9:03:9e:52:c2:34:02:
                    d5:10:af:b7:e4:41:ca:1f:09:70:00:d6:29:89:32:23:
                    2b:7a:c0:e0:3d:aa:98:da:ea:98:84:dc:11:62:e8:f2:
                    f1:b2:0b:82:9a:3d:c0:bf:f4:71:e3:7a:a3:ac:27:50:
                    db:9d:75:1f:ba:f9:ea:a0:24:7a:ce:32:f1:3e:4d:ef:
                    76:c2:02:18:1b:3d:fd:5d:87:1f:a9:18:1f:be:2e:ba:
                    0f:e0:f8:f7:9d:36:77:e1:ea:07:90:3c:4f:59:9c:b3
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                51:a7:51:8b:52:a7:f7:61:18:66:ef:22:87:6b:ec:19:
                f7:e7:87:2c

            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with no maximum path length.

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Non-Repudiation
                    Certificate Signing
                    CRL Signing

            Name: Certificate Subject Key ID
            Data:
                51:a7:51:8b:52:a7:f7:61:18:66:ef:22:87:6b:ec:19:
                f7:e7:87:2c

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location:
                URI: "http://ipa-ca.testrelm.test/ca/ocsp"

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        06:db:f7:91:01:be:fe:b6:b5:3c:62:0f:24:62:f7:61:
        a6:03:d9:cb:65:2b:97:c5:9b:b7:cb:68:b9:9f:68:b5:
        4e:d3:c6:fb:20:ad:5f:ce:b5:12:fc:e7:00:be:ea:05:
        32:2e:01:a1:a5:40:4b:3a:d7:32:a3:0d:2c:e0:61:47:
        54:2c:af:ab:74:3a:a1:7b:ab:88:05:06:ea:5b:c3:22:
        8f:04:2e:04:b7:15:f6:4e:3e:f2:0a:f9:1a:f5:9c:56:
        35:e8:da:ee:5f:d2:1c:05:1e:06:1e:cc:47:30:84:4a:
        73:3d:4d:f2:d6:3f:a2:2d:2a:f7:56:05:b7:10:81:a1:
        84:f7:af:fe:a3:c1:7f:cd:4a:93:6a:56:70:1a:0e:c1:
        4d:62:c3:c0:ed:a9:60:59:b8:e6:cb:86:6b:81:23:a0:
        7a:d5:61:a9:ce:ea:f9:98:65:33:8a:e9:5c:98:6a:19:
        b6:5d:0d:24:ec:c3:55:64:e8:5d:95:a8:67:29:f2:7a:
        4d:57:dc:1a:e9:41:06:8d:78:38:25:57:68:0d:1c:a2:
        36:6b:10:10:81:c0:a4:ad:1a:a1:56:d1:42:39:40:33:
        24:58:32:2e:3f:62:d4:9f:7c:82:84:5f:75:fb:7c:c7:
        dd:54:2e:5d:cf:b1:2a:56:00:db:84:6f:71:e8:86:74
    Fingerprint (SHA-256):
        87:A5:31:D5:0A:C2:FF:27:95:96:4F:F0:4D:05:41:0B:19:8B:10:5D:08:09:45:20:53:3D:92:E0:58:97:CB:87
    Fingerprint (SHA1):
        6E:05:A9:F9:9D:15:A6:FB:B8:42:38:88:61:CF:47:D2:78:F9:D3:71

    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            User
            Trusted Client CA
        Email Flags:
            Valid CA
            Trusted CA
            User
        Object Signing Flags:
            Valid CA
            Trusted CA
            User

So, it's actually renewed but not showing somehow?
I tried to run ipa-certupdate but it didn't help
In answer to comment #5: Yes, the CA certificate is properly renewed and put in the NSS DBs (/etc/pki/pki-tomcat/alias, /etc/httpd/alias and /etc/dirsrv/slapd-xxx) and in /etc/ipa/ca.crt. My guess is that certmonger doesn't know how to handle the two certificates with the same nickname/subject but with a different issuer.
Well, my guess is that certmonger picks the cert which expires last, which in this case is the original cert, as it has a validity period of 20 years, whereas the new cert has a validity period of only 10 years and thus expires earlier. Either way, this is not a bug, as ipa-cacert-manage did not in fact fail and properly renewed the cert.
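As an added example (not code from the report or from the FreeIPA/certmonger projects), a small parser for `certutil -L -n <nick>` output that checks for the situation discussed in comments 7 and 8: one nickname holding two certificates with the same subject, where the old self-signed one expires last and so masks the renewal in `getcert list`. The sample input is constructed from the values shown in comment 6 (hex dumps omitted).

```python
import re
from datetime import datetime

# Constructed sample modelled on the certutil -L output in the report above
# (modulus, signature and fingerprint lines omitted; the parser skips them).
SAMPLE = """\
Certificate:
    Data:
        Serial Number: 404 (0x194)
        Issuer: "CN=MyRootCA1,O=fakerealm1"
        Validity:
            Not Before: Tue Oct 25 15:16:13 2016
            Not After : Mon Oct 25 15:16:13 2021
        Subject: "CN=Certificate Authority,O=TESTRELM.TEST"
Certificate:
    Data:
        Serial Number: 1 (0x1)
        Issuer: "CN=Certificate Authority,O=TESTRELM.TEST"
        Validity:
            Not Before: Tue Oct 25 13:58:14 2016
            Not After : Sat Oct 25 13:58:14 2036
        Subject: "CN=Certificate Authority,O=TESTRELM.TEST"
"""

FIELD = re.compile(r"^\s*(Serial Number|Issuer|Subject|Not After)\s*:\s*(.+?)\s*$", re.M)

def parse_certutil(text):
    """Split `certutil -L -n <nick>` output into one dict per certificate."""
    certs = []
    for block in text.split("Certificate:\n")[1:]:
        c = {k: v.strip('"') for k, v in FIELD.findall(block)}
        c["not_after"] = datetime.strptime(c["Not After"], "%a %b %d %H:%M:%S %Y")
        c["self_signed"] = c["Issuer"] == c["Subject"]
        certs.append(c)
    return certs

def renewal_report(text):
    """Return (external cert present, serial of the cert expiring last, warnings)."""
    certs = parse_certutil(text)
    external = [c for c in certs if not c["self_signed"]]
    longest = max(certs, key=lambda c: c["not_after"])
    warnings = []
    if len(certs) > 1 and len({c["Subject"] for c in certs}) == 1:
        warnings.append("nickname holds %d certs with the same subject" % len(certs))
    # certmonger appears to track the cert that expires last (comment 8 above),
    # so a longer-lived self-signed cert hides the renewal in `getcert list`.
    if longest["self_signed"] and external:
        warnings.append("old self-signed cert outlives the externally issued one")
    return (bool(external), longest["Serial Number"], warnings)
```

Run it against the real output of the command from comment 5 to confirm both that an externally issued CA cert is present and which one certmonger is likely reporting on.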
Closing based on comment 8 and expected result:

"""
Expected results:
Certs got renewed successfully
"""