7.5 beta - certificate-update event doesn't update server-manager certificate


(Dan) #1

I’d seen mention of this earlier, but I’d thought it was fixed. Doesn’t seem to be the case for me with 7.5 beta, though. I just did a clean installation of 7.5beta on a test VM, obtained a Let’s Encrypt cert using my procedure for using DNS validation to get certs for internal servers (in the wiki here), putting the cert files in /etc/pki/tls/, and finished by running signal-event certificate-update. But when I go to the server-manager, I’m still presented with the self-signed cert the system generated when I installed it. What gives?

Edit: Logs:

[root@neth-automx ~]# grep -C 20 certificate-update /var/log/messages 
May 24 16:33:26 neth-automx sshd[7415]: Accepted password for root from 192.168.1.241 port 60237 ssh2
May 24 16:33:26 neth-automx systemd: Created slice User Slice of root.
May 24 16:33:26 neth-automx systemd: Starting User Slice of root.
May 24 16:33:26 neth-automx systemd-logind: New session 2 of user root.
May 24 16:33:26 neth-automx systemd: Started Session 2 of user root.
May 24 16:33:26 neth-automx systemd: Starting Session 2 of user root.
May 24 16:33:36 neth-automx /sbin/e-smith/db[7450]: /var/lib/nethserver/db/configuration: OLD pki=configuration|CertificateDuration|3650|ChainFile||CommonName||CountryCode||CrtFile||EmailAddress||KeyFile||LetsEncrypt|disabled|LetsEncryptDomains||LetsEncryptMail||LetsEncryptRenewDays|30|Locality||Organization||OrganizationalUnitName||State||SubjectAltName|
May 24 16:33:36 neth-automx /sbin/e-smith/db[7450]: /var/lib/nethserver/db/configuration: NEW pki=configuration|CertificateDuration|3650|ChainFile||CommonName||CountryCode||CrtFile|/etc/pki/tls/certs/cert.pem|EmailAddress||KeyFile||LetsEncrypt|disabled|LetsEncryptDomains||LetsEncryptMail||LetsEncryptRenewDays|30|Locality||Organization||OrganizationalUnitName||State||SubjectAltName|
May 24 16:33:36 neth-automx dbus[693]: [system] Activating via systemd: service name='org.freedesktop.timedate1' unit='dbus-org.freedesktop.timedate1.service'
May 24 16:33:36 neth-automx systemd: Starting Time & Date Service...
May 24 16:33:36 neth-automx dbus[693]: [system] Successfully activated service 'org.freedesktop.timedate1'
May 24 16:33:36 neth-automx systemd: Started Time & Date Service.
May 24 16:33:36 neth-automx /sbin/e-smith/db[7453]: /var/lib/nethserver/db/configuration: OLD pki=configuration|CertificateDuration|3650|ChainFile||CommonName||CountryCode||CrtFile|/etc/pki/tls/certs/cert.pem|EmailAddress||KeyFile||LetsEncrypt|disabled|LetsEncryptDomains||LetsEncryptMail||LetsEncryptRenewDays|30|Locality||Organization||OrganizationalUnitName||State||SubjectAltName|
May 24 16:33:36 neth-automx /sbin/e-smith/db[7453]: /var/lib/nethserver/db/configuration: NEW pki=configuration|CertificateDuration|3650|ChainFile|/etc/pki/tls/certs/chain.pem|CommonName||CountryCode||CrtFile|/etc/pki/tls/certs/cert.pem|EmailAddress||KeyFile||LetsEncrypt|disabled|LetsEncryptDomains||LetsEncryptMail||LetsEncryptRenewDays|30|Locality||Organization||OrganizationalUnitName||State||SubjectAltName|
May 24 16:33:37 neth-automx /sbin/e-smith/db[7454]: /var/lib/nethserver/db/configuration: OLD pki=configuration|CertificateDuration|3650|ChainFile|/etc/pki/tls/certs/chain.pem|CommonName||CountryCode||CrtFile|/etc/pki/tls/certs/cert.pem|EmailAddress||KeyFile||LetsEncrypt|disabled|LetsEncryptDomains||LetsEncryptMail||LetsEncryptRenewDays|30|Locality||Organization||OrganizationalUnitName||State||SubjectAltName|
May 24 16:33:37 neth-automx /sbin/e-smith/db[7454]: /var/lib/nethserver/db/configuration: NEW pki=configuration|CertificateDuration|3650|ChainFile|/etc/pki/tls/certs/chain.pem|CommonName||CountryCode||CrtFile|/etc/pki/tls/certs/cert.pem|EmailAddress||KeyFile|/etc/pki/tls/private/privkey.pem|LetsEncrypt|disabled|LetsEncryptDomains||LetsEncryptMail||LetsEncryptRenewDays|30|Locality||Organization||OrganizationalUnitName||State||SubjectAltName|
May 24 16:37:55 neth-automx dbus[693]: [system] Activating via systemd: service name='org.freedesktop.timedate1' unit='dbus-org.freedesktop.timedate1.service'
May 24 16:37:55 neth-automx systemd: Starting Time & Date Service...
May 24 16:37:55 neth-automx dbus[693]: [system] Successfully activated service 'org.freedesktop.timedate1'
May 24 16:37:55 neth-automx systemd: Started Time & Date Service.
May 24 16:38:43 neth-automx esmith::event[9513]: Event: certificate-update
May 24 16:38:43 neth-automx esmith::event[9513]: expanding /etc/backup-config.d/nethserver-certificates.include
May 24 16:38:43 neth-automx dbus[693]: [system] Activating via systemd: service name='org.freedesktop.timedate1' unit='dbus-org.freedesktop.timedate1.service'
May 24 16:38:43 neth-automx systemd: Starting Time & Date Service...
May 24 16:38:43 neth-automx dbus[693]: [system] Successfully activated service 'org.freedesktop.timedate1'
May 24 16:38:43 neth-automx systemd: Started Time & Date Service.
May 24 16:38:43 neth-automx esmith::event[9513]: expanding /etc/httpd/conf.d/nethserver.conf
May 24 16:38:43 neth-automx esmith::event[9513]: expanding /etc/httpd/admin-conf/httpd.conf
May 24 16:38:43 neth-automx esmith::event[9513]: expanding /etc/pki/tls/certs/localhost.crt
May 24 16:38:43 neth-automx esmith::event[9513]: expanding /etc/pki/tls/certs/httpd-admin.crt
May 24 16:38:43 neth-automx esmith::event[9513]: expanding /etc/pki/tls/private/localhost.key
May 24 16:38:43 neth-automx esmith::event[9513]: expanding /etc/pki/tls/private/httpd-admin.key
May 24 16:38:43 neth-automx esmith::event[9513]: expanding /etc/postfix/postfix.crt
May 24 16:38:43 neth-automx esmith::event[9513]: expanding /etc/postfix/postfix.key
May 24 16:38:43 neth-automx esmith::event[9513]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [0.564807]
May 24 16:38:43 neth-automx systemd: Reloading.
May 24 16:38:44 neth-automx esmith::event[9513]: [INFO] service httpd reload
May 24 16:38:44 neth-automx systemd: Reloaded The Apache HTTP Server.
May 24 16:38:44 neth-automx systemd: Reloading.
May 24 16:38:44 neth-automx esmith::event[9513]: [INFO] service postfix restart
May 24 16:38:44 neth-automx systemd: Stopping Postfix Mail Transport Agent...
May 24 16:38:44 neth-automx systemd: Starting Postfix Mail Transport Agent...
May 24 16:38:44 neth-automx systemd: Started Postfix Mail Transport Agent.
May 24 16:38:44 neth-automx esmith::event[9513]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [0.974649]
May 24 16:38:44 neth-automx systemd: Started Delayed graceful restart of httpd-admin.
May 24 16:38:44 neth-automx systemd: Starting Delayed graceful restart of httpd-admin.
May 24 16:38:44 neth-automx esmith::event[9513]: Action: /etc/e-smith/events/certificate-update/S99nethserver-httpd-admin-asyncreload SUCCESS [0.031187]
May 24 16:38:44 neth-automx esmith::event[9513]: Event: certificate-update SUCCESS
May 24 16:38:50 neth-automx systemd: Stopped Delayed graceful restart of httpd-admin.
May 24 16:38:50 neth-automx systemd: Stopping Delayed graceful restart of httpd-admin.
May 24 16:38:50 neth-automx systemd: Starting Graceful restart of httpd-admin...
May 24 16:38:50 neth-automx systemd: Started Graceful restart of httpd-admin.
May 24 16:39:31 neth-automx httpd: [NOTICE] Nethgui\Authorization\User: user `root` authenticated
May 24 16:42:04 neth-automx systemd: Starting Cleanup of Temporary Directories...
May 24 16:42:04 neth-automx systemd: Started Cleanup of Temporary Directories.
May 24 16:42:56 neth-automx dbus[693]: [system] Activating via systemd: service name='org.freedesktop.timedate1' unit='dbus-org.freedesktop.timedate1.service'
May 24 16:42:56 neth-automx systemd: Starting Time & Date Service...
May 24 16:42:56 neth-automx dbus[693]: [system] Successfully activated service 'org.freedesktop.timedate1'
May 24 16:42:56 neth-automx systemd: Started Time & Date Service.
May 24 16:47:03 neth-automx sshd[7415]: Received disconnect from 192.168.1.241 port 60237:11: disconnected by user
May 24 16:47:03 neth-automx sshd[7415]: Disconnected from 192.168.1.241 port 60237
May 24 16:47:03 neth-automx systemd-logind: Removed session 2.
May 24 16:47:03 neth-automx systemd: Removed slice User Slice of root.
May 24 16:47:03 neth-automx systemd: Stopping User Slice of root.
May 24 16:47:35 neth-automx pkgaction[10251]: remove:
May 24 16:47:35 neth-automx pkgaction[10251]: update:
May 24 16:47:35 neth-automx pkgaction[10251]: install: @nethserver-directory
May 24 16:47:56 neth-automx dbus[693]: [system] Activating via systemd: service name='org.freedesktop.timedate1' unit='dbus-org.freedesktop.timedate1.service'
[root@neth-automx ~]# 

localhost.crt and httpd-admin.crt are identical to the concatenation of cert.pem and chain.pem:

[root@neth-automx certs]# cat cert.pem chain.pem >> test.pem
[root@neth-automx certs]# diff test.pem httpd-admin.crt 
59a60
> 
[root@neth-automx certs]# systemctl reload httpd-admin
[root@neth-automx certs]# diff test.pem localhost.crt 
59a60
> 
[root@neth-automx certs]# 

…and cert.pem is the Let’s Encrypt cert:

[root@neth-automx certs]# openssl x509 -in cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:d4:9a:d5:94:02:0f:1e:a3:da:52:22:49:2c:60:9e:b4:12
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: May 24 19:38:42 2018 GMT
            Not After : Aug 22 19:38:42 2018 GMT
        Subject: CN=neth-automx.familybrown.org
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub: 
                    04:4a:54:d0:39:03:ea:f8:b2:42:7e:51:75:e3:87:
                    6d:aa:ec:a1:df:54:be:99:f0:65:93:fd:d8:35:84:
                    1c:60:9e:9a:cb:5d:8a:75:45:03:85:c6:93:6d:2b:
                    37:1d:5b:75:ea:00:2f:76:28:44:6f:fe:d8:3f:8f:
                    43:8b:2a:c3:81:02:2b:6b:86:40:52:94:4c:03:fb:
                    35:f3:49:a8:ea:ec:5a:6f:d4:ca:df:7b:9f:41:47:
                    bb:97:9e:08:44:e2:af
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                05:DA:21:87:55:36:85:C5:7D:C8:AD:58:77:75:19:B6:A4:DF:29:60
            X509v3 Authority Key Identifier: 
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access: 
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name: 
                DNS:autoconfig.familybrown.org, DNS:neth-automx.familybrown.org
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : 29:3C:51:96:54:C8:39:65:BA:AA:50:FC:58:07:D4:B7:
                                6F:BF:58:7A:29:72:DC:A4:C3:0C:F4:E5:45:47:F4:78
                    Timestamp : May 24 20:38:42.303 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:7E:1B:76:45:D5:79:09:F6:05:8D:EB:C2:
                                91:85:97:F1:82:C1:15:CF:B4:7C:4A:4E:70:BE:61:FF:
                                38:24:CF:AA:02:21:00:A3:F6:5A:AA:5A:1B:0F:2F:15:
                                F1:E8:F1:E6:1B:D9:74:6F:95:C9:6C:F5:B8:27:FA:7C:
                                21:FB:71:45:D4:6E:CE
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : DB:74:AF:EE:CB:29:EC:B1:FE:CA:3E:71:6D:2C:E5:B9:
                                AA:BB:36:F7:84:71:83:C7:5D:9D:4F:37:B6:1F:BF:64
                    Timestamp : May 24 20:38:42.439 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:0E:F6:04:E5:CB:90:5E:0E:5C:38:F4:4E:
                                FD:F9:BE:33:53:66:78:1A:DE:FA:D8:F4:7E:3C:EC:A9:
                                6D:5B:CE:CB:02:21:00:D4:8B:F9:A8:77:A1:FD:4F:53:
                                C3:33:DB:FA:BB:C9:65:75:1D:6F:3C:A3:85:21:FA:EE:
                                B2:36:88:1D:10:CF:B6
    Signature Algorithm: sha256WithRSAEncryption
         88:16:13:81:b1:01:48:83:b7:21:a2:67:e1:c5:17:9f:ff:57:
         fe:bd:65:11:ca:25:c0:05:e0:46:d1:e9:af:5f:7d:67:be:10:
         13:57:a5:98:5c:15:38:4b:76:cd:16:2b:bf:d7:8c:71:f6:21:
         64:82:2f:b7:0e:68:4f:91:88:ab:cc:19:9d:43:5b:2e:b5:24:
         64:59:52:2b:34:3e:78:e6:88:03:b4:d1:80:65:ad:17:5a:9f:
         d1:45:96:82:c4:fb:c0:74:92:7f:d5:d5:bc:17:a3:02:b8:2c:
         77:1c:7f:e4:8c:82:3b:4c:be:92:76:8a:81:f6:04:3a:81:83:
         13:a7:a1:c9:35:d7:8f:77:9a:72:72:d9:26:8b:c7:24:b9:99:
         2d:c3:03:7d:02:93:b7:8b:eb:00:e4:d5:3a:40:13:d4:09:c5:
         8c:ff:de:b0:ea:a7:52:54:be:8a:53:8c:5d:9f:8b:ab:70:a8:
         a8:c0:07:fe:ac:6e:b3:7f:b1:cf:57:ef:2b:27:40:01:3c:07:
         fe:e9:98:7c:43:b8:6e:47:d4:73:e6:d1:35:9f:ee:97:f3:63:
         e7:76:6f:4f:ab:c7:11:8a:db:f3:65:b2:27:24:3d:8f:35:19:
         6b:42:57:66:5e:e2:7c:af:c4:a8:6b:4e:3f:39:42:a9:0b:21:
         87:3c:48:68
[root@neth-automx certs]# 

systemctl reload httpd-admin didn’t fix the problem, but systemctl restart httpd-admin did, though with a broken TLS policy (that’s another bug).
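A check for the situation described above, added here as an example and not code from this thread or from NethServer: it takes the on-disk bundle (cert.pem followed by chain.pem, which is what localhost.crt and httpd-admin.crt were shown to contain), fingerprints the leaf, fetches the leaf the TLS listener actually presents, and reports whether the leaf key is EC, so a "reload succeeded but the old cert is still served" case shows up as a fingerprint mismatch. It assumes the server-manager listens on port 980 (NethServer's default), uses only the standard library, and detects the key type by an OID substring match rather than a full ASN.1 parse; the sample certificates in the test are constructed byte strings, not real certificates.

```python
import base64
import hashlib
import socket
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
OID_EC_PUBLIC_KEY = bytes.fromhex("06072a8648ce3d0201")       # id-ecPublicKey 1.2.840.10045.2.1
OID_RSA_ENCRYPTION = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1

def pem_block(der):  # wraps DER bytes as one PEM block; used to build constructed samples
    return PEM_HEADER + "\n" + base64.b64encode(der).decode() + "\n" + PEM_FOOTER + "\n"

def split_pem_bundle(text):
    """DER bytes of every certificate in a PEM bundle, in order; blank lines are ignored."""
    ders, buf, inside = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == PEM_HEADER:
            buf, inside = [], True
        elif line == PEM_FOOTER and inside:
            ders.append(base64.b64decode("".join(buf)))
            inside = False
        elif inside and line:
            buf.append(line)
    return ders

def fingerprint(der):
    """SHA-256 fingerprint, colon-separated like `openssl x509 -fingerprint -sha256`."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def key_algorithm(der):
    """Heuristic: key type by which SubjectPublicKeyInfo OID appears in the DER (assumption)."""
    return "ec" if OID_EC_PUBLIC_KEY in der else "rsa" if OID_RSA_ENCRYPTION in der else "unknown"

def served_leaf_der(host, port=980, timeout=5.0):
    """Fetch the leaf certificate the TLS listener actually presents (no validation)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we want the cert back even if it is the self-signed one
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def check(bundle_text, host, port=980):
    """Compare the on-disk leaf with the served leaf; a mismatch means the reload did not take."""
    disk, served = split_pem_bundle(bundle_text)[0], served_leaf_der(host, port)
    return {"match": disk == served, "on_disk": fingerprint(disk),
            "served": fingerprint(served), "leaf_key": key_algorithm(disk)}
```

Run `check(open("/etc/pki/tls/certs/httpd-admin.crt").read(), "neth-automx")` after the event; a `leaf_key` of "ec" means the listener's cipher list must include ECDHE-ECDSA suites for the new certificate to be usable at all.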


(Davide Principi) #2

As this #bug is probably caused by the lack of ECC-compatible ciphers, I’ll close it for now. Please refer to the other thread.


(Davide Principi) #3