
[RFE] Check for certs in stuck status #123

Closed
yrro opened this issue Mar 19, 2020 · 7 comments · Fixed by #291
@yrro
Contributor

yrro commented Mar 19, 2020

I noticed one of the certs on a CentOS 8 server got stuck:

Request ID '20200123083218':
        status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
        stuck: yes
        key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
        certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=IPA.EXAMPLE.COM
        subject: CN=ipa2.ipa.example.com,O=IPA.EXAMPLE.COM
        expires: 2021-12-19 18:32:27 UTC
        dns: ipa2.ipa.example.com
        principal name: HTTP/ipa2.ipa.example.com@IPA.EXAMPLE.COM
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes

ipahealthcheck.ipa.certs doesn't complain about this. It would be useful if the module checked for the stuck status of each certificate request.
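An added example (not code from freeipa-healthcheck or from the issue's author) of the check this RFE asks for: it parses `getcert list` output into per-request fields and reports every request that certmonger itself marks `stuck: yes`, together with its status. The sample input is constructed from the requests quoted in this thread, and the function names are assumptions.

```python
import re

# Constructed sample: two requests modelled on the getcert list output
# quoted in this issue (one stuck, one healthy).
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20200123083218':
        status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
        stuck: yes
        key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
        certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
        CA: IPA
Request ID '20200715122055':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: IPA
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")

def parse_getcert_list(text: str) -> dict:
    """Split getcert list output into {request_id: {field: value}}."""
    requests = {}
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
            continue
        if current is None or ":" not in line:
            continue  # leading summary line or unrelated output
        key, _, value = line.strip().partition(":")  # split on first colon only
        current[key.strip()] = value.strip()
    return requests

def stuck_requests(text: str) -> list:
    """One finding per request that certmonger itself reports as stuck."""
    findings = []
    for rid, fields in parse_getcert_list(text).items():
        if fields.get("stuck", "no").lower() != "yes":
            continue
        findings.append({"key": rid, "status": fields.get("status", "unknown")})
    return findings
```

On a live server the same functions would be fed the output of `getcert list`; a non-empty result is the immediate notification this RFE wants, rather than waiting for the expiry check.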

@yrro
Contributor Author

yrro commented Mar 19, 2020

I guess that if I didn't fix this problem then ipa-healthcheck would have notified me 28 days before the cert expired so this isn't strictly necessary...

@rcritten
Collaborator

Thanks for the suggestion, I think this has value even if another check would eventually notice.

@yrro
Contributor Author

yrro commented Mar 19, 2020

Yes - the user gets a notification immediately rather than 28 days before expiry.

@rcritten
Collaborator

In this particular case I guess I'm surprised that an issue about unexpected cert tracking and a missing cert wasn't raised since the pinfile wasn't included. I'll also look at that code, perhaps the pin isn't considered in that check.

@BornTKill

BornTKill commented Jul 17, 2020

Dear,

I also had an issue with a "stuck" certificate.

Request ID '20200713131458':
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer:
subject:
expires: unknown
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20200713131500':
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer:
subject:
expires: unknown
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20200713131501':
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer:
subject:
expires: unknown
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20200713131502':
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer:
subject:
expires: unknown
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes

I stopped tracking these certs with ipa-getcert stop-tracking -i XXX, then started tracking them again, specifying the password file.

getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' -p /etc/pki/pki-tomcat/alias/pwdfile.txt -c dogtag-ipa-ca-renew-agent -B /usr/libexec/ipa/certmonger/stop_pkicad -C /usr/libexec/ipa/certmonger/renew_ca_cert 'caSigningCert cert-pki-ca'

getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca' -p /etc/pki/pki-tomcat/alias/pwdfile.txt -c dogtag-ipa-ca-renew-agent -B /usr/libexec/ipa/certmonger/stop_pkicad -C /usr/libexec/ipa/certmonger/renew_ca_cert 'auditSigningCert cert-pki-ca'

getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'ocspSigningCert cert-pki-ca' -p /etc/pki/pki-tomcat/alias/pwdfile.txt -c dogtag-ipa-ca-renew-agent -B /usr/libexec/ipa/certmonger/stop_pkicad -C /usr/libexec/ipa/certmonger/renew_ca_cert 'ocspSigningCert cert-pki-ca'

getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -p /etc/pki/pki-tomcat/alias/pwdfile.txt -c dogtag-ipa-ca-renew-agent -B /usr/libexec/ipa/certmonger/stop_pkicad -C /usr/libexec/ipa/certmonger/renew_ca_cert 'subsystemCert cert-pki-ca'

After that, all the certs are in "MONITORING" status.

Request ID '20200715122055':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=Certificate Authority,O= EXAMPLE.COM
expires: 2040-05-25 12:20:15 CEST
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20200715122120':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O= EXAMPLE.COM
subject: CN=CA Audit,O= EXAMPLE.COM
expires: 2022-05-15 12:20:16 CEST
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20200715122137':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O= EXAMPLE.COM
subject: CN=OCSP Subsystem,O= EXAMPLE.COM
expires: 2022-05-15 12:20:15 CEST
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20200715122151':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O= EXAMPLE.COM
subject: CN=CA Subsystem,O= EXAMPLE.COM
expires: 2022-05-15 12:20:15 CEST
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes

But I still have an issue with ipa-healthcheck --failures-only --output-type human

ERROR: ipahealthcheck.ipa.certs.IPACertTracking.cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=auditSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca", template-profile=caSignedLogCert: Missing tracking for cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=auditSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca", template-profile=caSignedLogCert
ERROR: ipahealthcheck.ipa.certs.IPACertTracking.cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=ocspSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca", template-profile=caOCSPCert: Missing tracking for cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=ocspSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca", template-profile=caOCSPCert
ERROR: ipahealthcheck.ipa.certs.IPACertTracking.cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=subsystemCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca", template-profile=caSubsystemCert: Missing tracking for cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=subsystemCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca", template-profile=caSubsystemCert
ERROR: ipahealthcheck.ipa.certs.IPACertTracking.cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca", template-profile=caCACert: Missing tracking for cert-database=/etc/pki/pki-tomcat/alias, cert-nickname=caSigningCert cert-pki-ca, ca-name=dogtag-ipa-ca-renew-agent, cert-presave-command=/usr/libexec/ipa/certmonger/stop_pkicad, cert-postsave-command=/usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca", template-profile=caCACert
WARNING: ipahealthcheck.ipa.certs.IPACertTracking.20200715122055: Unknown certmonger id 20200715122055
WARNING: ipahealthcheck.ipa.certs.IPACertTracking.20200715122120: Unknown certmonger id 20200715122120
WARNING: ipahealthcheck.ipa.certs.IPACertTracking.20200715122137: Unknown certmonger id 20200715122137
WARNING: ipahealthcheck.ipa.certs.IPACertTracking.20200715122151: Unknown certmonger id 20200715122151

Can anyone help?
FYI I noticed

sudo journalctl -xe -t certmonger

Jul 17 10:44:23 ipa2.example.com certmonger[1131]: 2020-07-17 10:44:23 [1993770] Token is named "NSS Generic Crypto Services", not "NSS Certificate DB", skipping.
Jul 17 10:44:47 ipa2. example.com certmonger[1131]: 2020-07-17 10:44:47 [1993962] Token is named "NSS Generic Crypto Services", not "NSS Certificate DB", skipping.
Jul 17 10:44:51 ipa2. example.com certmonger[1131]: 2020-07-17 10:44:51 [1993983] Token is named "NSS Generic Crypto Services", not "NSS Certificate DB", skipping.
Jul 17 10:44:56 ipa2. example.com certmonger[1131]: 2020-07-17 10:44:56 [1994022] Token is named "NSS Generic Crypto Services", not "NSS Certificate DB", skipping.
Jul 17 10:45:00 ipa2. example.com certmonger[1131]: 2020-07-17 10:45:00 [1994052] Token is named "NSS Generic Crypto Services", not "NSS Certificate DB", skipping.

@rcritten
Collaborator

Your tracking is still not set up properly. You can try running ipa-server-upgrade which may well fix it. You'd need to use getcert list -i to see what those unknown certs are but in all likelihood they are the ones with bad tracking.

@BornTKill

BornTKill commented Jul 20, 2020

@rcritten Thank you for your useful answer. It solves my issue.

@rcritten rcritten self-assigned this Mar 31, 2023
rcritten added a commit to rcritten/freeipa-healthcheck that referenced this issue Mar 31, 2023
These may be caught already by other checks if the tracking
is configured incorrectly but it's a belt-and-suspenders
approach to ensure that the certificates have been issued
properly.

Fixes: freeipa#123

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
rcritten added a commit that referenced this issue Apr 7, 2023
These may be caught already by other checks if the tracking
is configured incorrectly but it's a belt-and-suspenders
approach to ensure that the certificates have been issued
properly.

Fixes: #123

Signed-off-by: Rob Crittenden <rcritten@redhat.com>