While practicing certificate requests with FreeIPA, I came across this duplicated-certificate message for the first time. It happened because I had practiced the same thing a few weeks ago, so Certmonger was still tracking the earlier request. Here is how to reproduce the message:
[root@client ~]# ipa-getcert request \
-f /etc/vsftpd/certs/cert.pem \
-k /etc/vsftpd/certs/cert.key \
-K ftp/client.lab.example.net \
-D client.lab.example.net
Certificate at same location is already used by request with nickname "20201008131445".
Because I’m still not familiar with FreeIPA’s certificate handling, I turned to Google and found very useful information in this blog post: Dealing with Duplicate SSL certs from FreeIPA.
FreeIPA uses Certmonger to request and monitor certificates. We interact with Certmonger through the getcert tool (ipa-getcert is the IPA-specific front end to it).
Now let’s list the existing request. This assumes we already hold a Kerberos ticket for the admin account; otherwise run kinit admin first.
[root@client ~]# getcert list -i 20201008131445
Number of certificates and requests being tracked: 2.
Request ID '20201008131445':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/vsftpd/certs/cert.key'
	certificate: type=FILE,location='/etc/vsftpd/certs/cert.pem'
	CA: IPA
	issuer: CN=Certificate Authority,O=LAB.EXAMPLE.NET
	subject: CN=client.lab.example.net,O=LAB.EXAMPLE.NET
	expires: 2022-10-09 13:14:47 UTC
	dns: client.lab.example.net
	principal name: ftp/client.lab.example.net@LAB.EXAMPLE.NET
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
We need to remove this tracked certificate first. The tricky part is figuring out which command does that.
[root@client ~]# ipa-getcert
ipa-getcert - client certificate enrollment tool
Usage: ipa-getcert command [options]
	request          request a new certificate from a CA
	start-tracking   begin monitoring an already-issued certificate
	stop-tracking    stop monitoring a certificate
	resubmit         resubmit an in-progress enrollment request, or start a new one
	refresh          check on the status of an in-progress enrollment request
	list             list certificates being monitored and requested
	status           check the status of a certificate being monitored or requested
	list-cas         list known CA configurations
	refresh-ca       refresh cache of all information obtained from a CA
Again, I turned to the internet for help. I would never have guessed that the sub-command to remove an existing certificate is stop-tracking.
[root@client ~]# ipa-getcert stop-tracking -i 20201008131445
Request "20201008131445" removed.
Let’s try to request a new certificate again.
[root@client ~]# ipa-getcert request -f /etc/vsftpd/certs/cert.pem -k /etc/vsftpd/certs/cert.key -K ftp/client.lab.example.net -D client.lab.example.net
New signing request "20201029144354" added.
It worked this time. Now we can list the new request and check its status carefully; it should be “MONITORING”.
[root@client ~]# getcert list -i 20201029144354
Number of certificates and requests being tracked: 2.
Request ID '20201029144354':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/vsftpd/certs/cert.key'
	certificate: type=FILE,location='/etc/vsftpd/certs/cert.pem'
	CA: IPA
	issuer: CN=Certificate Authority,O=LAB.EXAMPLE.NET
	subject: CN=client.lab.example.net,O=LAB.EXAMPLE.NET
	expires: 2022-10-30 14:43:54 UTC
	dns: client.lab.example.net
	principal name: ftp/client.lab.example.net@LAB.EXAMPLE.NET
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Voilà! It’s all good.
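The whole procedure above boils down to two checks: which request already tracks a given certificate file (so you know what to stop-tracking), and whether the new request ended up in MONITORING. The script below is an added example, not code from the original post or from FreeIPA; it parses getcert list output with awk, and the transcript it runs on is a constructed sample in the same layout as the output shown above (the request IDs, the second request and its CA_UNREACHABLE status are made up).

```shell
#!/bin/sh
# Added example (not from the original post): parse `getcert list` output
# to find the request already tracking a certificate file, and to read a
# request's status. The sample transcript below is constructed; real
# getcert output indents fields with a tab, the parser accepts tabs or spaces.

sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20201008131445':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/vsftpd/certs/cert.key'
	certificate: type=FILE,location='/etc/vsftpd/certs/cert.pem'
Request ID '20201001090000':
	status: CA_UNREACHABLE
	stuck: yes
	key pair storage: type=FILE,location='/etc/httpd/alias/server.key'
	certificate: type=FILE,location='/etc/httpd/alias/server.crt'
EOF
}

# find_tracking_by_cert CERT_PATH   (getcert list output on stdin)
# Prints "<request id> <status>" for every request whose certificate
# location is CERT_PATH; prints nothing if the file is untracked.
# Relies on the status line preceding the certificate line, as getcert prints it.
find_tracking_by_cert() {
    awk -v want="$1" -v q="'" '
        /^Request ID/ { id = $3; gsub(/[^0-9A-Za-z_.-]/, "", id); status = "" }
        /^[[:space:]]*status:/ { status = $2 }
        /^[[:space:]]*certificate:/ {
            loc = $0
            sub(".*location=" q, "", loc); sub(q ".*", "", loc)
            if (loc == want) print id, status
        }'
}

# tracking_status REQUEST_ID   (getcert list output on stdin)
# Prints that request's status, e.g. MONITORING; use it after a new
# request to confirm it is not stuck (CA_UNREACHABLE and the like).
tracking_status() {
    awk -v want="$1" '
        /^Request ID/ { id = $3; gsub(/[^0-9A-Za-z_.-]/, "", id) }
        /^[[:space:]]*status:/ && id == want { print $2; exit }'
}

# On a live client replace sample_getcert_list with: getcert list
sample_getcert_list | find_tracking_by_cert /etc/vsftpd/certs/cert.pem
# -> 20201008131445 MONITORING
```

Note that stop-tracking only removes Certmonger’s tracking entry: the key and certificate files stay on disk, and the old certificate remains valid in the IPA CA until it expires or is revoked there.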
References: