Louis Lagendijk via FreeIPA-users wrote:
> On Mon, 2018-10-22 at 12:07 -0400, Rob Crittenden via FreeIPA-users
> wrote:
>> Gah, regarding
>>
>> Missing tracking for {'cert-nickname': 'Server-Cert', 'ca-name': 'IPA',
>> 'cert-database': '/etc/httpd/alias', 'cert-postsave-command':
>> '/usr/libexec/ipa/certmonger/restart_httpd'}
>>
>> never mind. The cert is in the verbose output you sent! It is fine and
>> issued by IPA.
>>
>> So this looks like the tracking is simply missing. Can you run:
>>
>> # ipa-getcert list
>>
>> You should have two certs, one for Apache tracking /etc/httpd/alias and
>> one for LDAP tracking /etc/dirsrv/slapd-REALM
>>
>> If you have one for Apache can you provide the output of the list
>> command?
>>
>> If you don't then you can re-create it (this doesn't touch the certs
>> themselves) via:
>>
>> # ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert -C /usr/libexec/ipa/certmonger/restart_httpd
>>
> Thanks for looking into my output! Much appreciated.
>
> /etc/httpd/alias is being tracked. Here is the output:
>
> [root@ipa1 checkcerts]# ipa-getcert list
> Number of certificates and requests being tracked: 9.
> Request ID '20181001153507':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-HOME-FAZANT-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-HOME-FAZANT-NET/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-HOME-FAZANT-NET',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=HOME.FAZANT.NET
>         subject: CN=ipa1.home.fazant.net,O=HOME.FAZANT.NET
>         expires: 2020-10-03 21:06:09 UTC
>         principal name: ldap/ipa1.home.fazant....@home.fazant.net
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv HOME-FAZANT-NET
>         track: yes
>         auto-renew: yes
> Request ID '20181003195731':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=HOME.FAZANT.NET
>         subject: CN=ipa1.home.fazant.net,O=HOME.FAZANT.NET
>         expires: 2020-05-21 13:53:40 UTC
>         principal name: HTTP/ipa1.home.fazant....@home.fazant.net
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
It is missing the post-save command. To fix it run:

# ipa-getcert -i 20181003195731 -C /usr/libexec/ipa/certmonger/restart_httpd

The consequence of not having the post-save command is that after the cert is
renewed Apache wouldn't be restarted to utilize it, potentially giving you a
bit of downtime.

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
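An added example, not part of the thread and not FreeIPA's own tooling: a small POSIX shell audit that parses `ipa-getcert list` output, reports every tracking request whose post-save command is empty or absent, and prints the command that would set the matching IPA restart helper for the two certificate databases discussed above. The listing embedded in `sample_listing` is constructed from the two requests Louis posted (fields unwrapped onto single lines, principal names left out); `missing_postsave` and `suggest_fix` are names chosen for this example. It uses `ipa-getcert start-tracking -i <id> -C <cmd>`, which modifies an existing tracking request in place; it only prints the commands and never runs them.

```shell
#!/bin/sh
# Added example, not from the thread: audit certmonger tracking requests for
# a missing post-save command and print the command that would set one.
# Function names and the sample listing below are this example's own.

# Constructed sample of `ipa-getcert list` output, modelled on the two
# requests posted in the thread. Only the second one lacks a post-save command.
sample_listing() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20181001153507':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-HOME-FAZANT-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-HOME-FAZANT-NET/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-HOME-FAZANT-NET',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        expires: 2020-10-03 21:06:09 UTC
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv HOME-FAZANT-NET
        track: yes
        auto-renew: yes
Request ID '20181003195731':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        expires: 2020-05-21 13:53:40 UTC
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
EOF
}

# Read `ipa-getcert list` output on stdin; print "<request id> <cert location>"
# for every request whose post-save command is empty or missing entirely.
missing_postsave() {
    awk -v q="'" '
        function flush() { if (id != "" && post == "") print id, loc }
        /^Request ID/ {
            flush()
            id = $0; sub(/^Request ID /, "", id); gsub(q, "", id); sub(/:$/, "", id)
            loc = "unknown"; post = ""
            next
        }
        /^[ \t]*certificate:/ {
            loc = $0; sub(/.*location=/, "", loc); sub(/,.*/, "", loc); gsub(q, "", loc)
        }
        /^[ \t]*post-save command:/ {
            post = $0; sub(/^[ \t]*post-save command:[ \t]*/, "", post)
        }
        END { flush() }
    '
}

# Map each flagged request to the IPA restart helper for its certificate
# database (the two helpers named in the thread) and print the start-tracking
# command that sets it. Commands are printed only; review them before running.
suggest_fix() {
    while read -r id loc; do
        case "$loc" in
            /etc/httpd/alias)
                cmd=/usr/libexec/ipa/certmonger/restart_httpd ;;
            /etc/dirsrv/slapd-*)
                cmd="/usr/libexec/ipa/certmonger/restart_dirsrv ${loc#/etc/dirsrv/slapd-}" ;;
            *)
                printf '# %s (%s): no known helper, set -C by hand\n' "$id" "$loc"
                continue ;;
        esac
        printf 'ipa-getcert start-tracking -i %s -C "%s"\n' "$id" "$cmd"
    done
}

# Real use on a server:  ipa-getcert list | missing_postsave | suggest_fix
if [ "${1:-}" = "--demo" ]; then
    sample_listing | missing_postsave | suggest_fix
fi
```

On the sample this prints a single line, the start-tracking command for request 20181003195731 with `restart_httpd`; the dirsrv request is left alone because it already carries a post-save command. A request with no `certificate:` line at all is still reported, with `unknown` as its location, so nothing is silently skipped.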