Peter Fern wrote:
> Okay, with much debugging and hoop-jumping, I can say that certmonger on
> Debian/Ubuntu is currently in a rather broken state, at least in a
> server role.
>
> It links against libcurl3-nss, however on Debian/-derivs there is no
> build of nss-pem, so anything built against libcurl3-nss cannot parse
> PEM formatted certs. This results in a failure to process the IPA CA
> from the filesystem, causing the certmonger agent to fail verification
> of the server cert, producing the curl 'Error 77 connecting to <url>: Problem
> with the SSL CA cert (path? access rights?)' return, which makes it
> impossible to renew certificates, and resulted in wedging my deployment
> as described.
>
> Does the FreeIPA issue tracker accept distro-specific reports, or is
> there somewhere more appropriate I should be sending this? As it
> stands, operating a CA on Debian/Ubuntu will break in painful and
> unexpected fashion, and should be avoided.

Very nice job in tracking this down. You can certainly open a ticket
against freeipa or certmonger but I think this is more a packaging issue
in Debian, et al (although granted a very non-obvious one).

It's been many moons since I worked on nss-pem but from what I can tell
it should be buildable outside of NSS so can ship as a separate package.
You might try building it locally to see if it resolves the issues for
you. It resides at https://github.com/kdudka/nss-pem

I don't know who does the certmonger packaging, is that you Timo?

rob

>
> On 21/02/17 23:36, Peter Fern wrote:
>> I don't know why the certs did not auto-renew originally, but now I am
>> very stuck trying to get my CA functional again. I've tried setting the
>> clock back to a week or two before the certs were due to expire, but I'm
>> still having no luck getting the CA functional.
>>
>> This is a Ubuntu server, so some paths are different to what may be
>> found on RPM-based distros. Any urgent help would be greatly
>> appreciated - I've been bashing against this for a couple of hours now
>> with no luck, and the hour is getting late.
>>
>> Below is my current (anonymized) `getcert list` of the problem certs,
>> where you will see my current ca-error:
>>
>> Request ID '20160616123036':
>> status: CA_UNREACHABLE
>> ca-error: Error 77 connecting to
>> https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem
>> with the SSL CA cert (path? access rights?).
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS
>> Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS
>> Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>> subject: CN=IPA RA,O=EXAMPLE.COM
>> expires: 2017-02-11 05:52:26 UTC
>> key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
>> post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
>> track: yes
>> auto-renew: yes
>> Request ID '20160616123427':
>> status: CA_UNREACHABLE
>> ca-error: Error 77 connecting to
>> https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem
>> with the SSL CA cert (path? access rights?).
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>> subject: CN=CA Audit,O=EXAMPLE.COM
>> expires: 2017-02-11 05:52:03 UTC
>> key usage: digitalSignature,nonRepudiation
>> pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
>> post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
>> "auditSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20160616123428':
>> status: CA_UNREACHABLE
>> ca-error: Error 77 connecting to
>> https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem
>> with the SSL CA cert (path? access rights?).
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>> subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>> expires: 2017-02-11 05:52:01 UTC
>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>> eku: id-kp-OCSPSigning
>> pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
>> post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
>> "ocspSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20160616123429':
>> status: CA_UNREACHABLE
>> ca-error: Error 77 connecting to
>> https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem
>> with the SSL CA cert (path? access rights?).
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>> subject: CN=CA Subsystem,O=EXAMPLE.COM
>> expires: 2017-02-11 05:52:01 UTC
>> key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
>> post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
>> "subsystemCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>>
>> All I get in the logs (with debug enabled) is:
>>
>> Jan 20 06:52:52 ipaserver.example.com
>> dogtag-ipa-ca-renew-agent-submit[2121]: Forwarding request to
>> dogtag-ipa-renew-agent
>> Jan 20 06:52:52 ipaserver.example.com
>> dogtag-ipa-renew-agent-submit[2307]: GET
>> https://ipaserver.example.com:8443/ca/agent/ca/profileReview?requestId=69960009&xml=true
>> Jan 20 06:52:52 ipaserver.example.com
>> dogtag-ipa-renew-agent-submit[2307]: (null)
>> Jan 20 06:52:52 ipaserver.example.com
>> dogtag-ipa-ca-renew-agent-submit[2121]: dogtag-ipa-renew-agent returned 3
>> Jan 20 06:52:52 ipaserver.example.com certmonger[2016]: 2017-01-20
>> 06:52:52 [2016] Error 77 connecting to
>> https://ipaserver.example.com:8443/ca/agent/ca/profileReview: Problem
>> with the SSL CA cert (path? access rights?).
>>
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
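As an added diagnostic (not from the thread, certmonger or FreeIPA), the following POSIX shell script checks whether a binary is linked against the NSS build of libcurl and whether an nss-pem module is installed, which is the combination Peter traced the error 77 to; the helper path, the module directories and the sample ldd line are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added diagnostic (not from the thread, certmonger or FreeIPA) for the failure
# Peter describes: a binary linked against the NSS build of libcurl with no
# nss-pem module installed cannot load a PEM CA file, so curl reports error 77.

# Return 0 when ldd output ($1) names the NSS libcurl (libcurl-nss.so), else 1.
links_nss_curl() {
    printf '%s\n' "$1" | grep -q 'libcurl-nss\.so'
}

# Return 0 when libnsspem.so exists in any directory given as an argument.
nss_pem_present() {
    for dir in "$@"; do
        if [ -e "$dir/libnsspem.so" ]; then
            return 0
        fi
    done
    return 1
}

# Classify one binary from its ldd output ($1); the remaining arguments are the
# directories searched for nss-pem. Prints a word and returns
#   0 pem-ok (PEM CAs load), 1 pem-broken (NSS libcurl without nss-pem:
#   expect "Error 77 ... Problem with the SSL CA cert"), 2 no-ldd (empty input).
pem_ca_status() {
    ldd_out=$1
    shift
    if [ -z "$ldd_out" ]; then
        echo no-ldd
        return 2
    fi
    if ! links_nss_curl "$ldd_out" || nss_pem_present "$@"; then
        echo pem-ok
        return 0
    fi
    echo pem-broken
    return 1
}

# "--live <helper>" inspects a real binary (helper path and module directories
# are assumed, not from the thread); otherwise a constructed ldd line is used.
# The curl CLI is no proxy: Debian builds it on a different libcurl than certmonger.
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    pem_ca_status "$(ldd "$2" 2>/dev/null)" \
        /usr/lib64 /usr/lib /usr/lib/x86_64-linux-gnu /usr/lib/x86_64-linux-gnu/nss
else
    pem_ca_status '  libcurl-nss.so.4 => /usr/lib/x86_64-linux-gnu/libcurl-nss.so.4' \
        /nonexistent || true
fi
```

Run it as `sh check.sh --live /path/to/dogtag-ipa-renew-agent-submit` (or against the certmonger daemon binary); a `pem-broken` result means the PEM CA on disk cannot be used by that binary until nss-pem is installed or the binary is rebuilt against a non-NSS libcurl.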
