[Freeipa-users] Certificate format error: [Errno -8018]

craig.freeipa at noboost.org
Thu Jan 30 00:47:20 UTC 2014


On Wed, Jan 29, 2014 at 09:15:50AM -0500, Rob Crittenden wrote:
> craig.freeipa at noboost.org wrote:
> >On Tue, Jan 28, 2014 at 01:25:56PM -0500, Rob Crittenden wrote:
> >>craig.freeipa at noboost.org wrote:
> >>>On Thu, Jan 23, 2014 at 09:21:54AM -0500, Rob Crittenden wrote:
> >>>>Alexander Bokovoy wrote:
> >>>>>On Thu, 23 Jan 2014, craig.freeipa at noboost.org wrote:
> >>>>>>Hi Guys,
> >>>>>>
> >>>>>>I'm sure this is an easy issue to fix!
> >>>>>>
> >>>>>>First the specs;
> >>>>>>Red Hat Enterprise Linux Server release 6.3 (Santiago)
> >>>>>>ipa-client-2.2.0-16.el6.x86_64
> >>>>>>ipa-server-2.2.0-16.el6.x86_64
> >>>>>>
> >>>>>>
> >>>>>>Issue:
> >>>>>>When I click on the hosts TAB from inside the Identity Management GUI, I
> >>>>>>get the following error;
> >>>>>>* Certificate format error: [Errno -8018] None (repeated many times)
> >>>>>>
> >>>>>>* Cannot connect to
> >>>>>>'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':
> >>>>>>
> >>>>>>[Errno -8018] None
> >>>>>>
> >>>>>>Also seen this error;
> >>>>>>cannot connect to
> >>>>>>'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':
> >>>>>>[Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
> >>>>>>certificate as expired.
> >>>>>>
> >>>>>>
> >>>>>>Any advice would be greatly appreciated!
> >>>>>http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
> >>>>>
> >>>>>Since you have FreeIPA before 3.4, you need to follow manual procedure
> >>>>>outlined on that page. 2.2 might also be a bit different than 3.x but
> >>>>>this is a starting point.
> >>>>>
> >>>>>
> >>>>
> >>>>For 2.x you want http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
> >>>>
> >>>>rob
> >>>>
> >>>Just running into a couple of issues with the manual SSL cert process;
> >>>
> >>>1) ERROR when telling certmonger about all the CA certificates
> >>>
> >>>#Command:
> >>>for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
> >>>do
> >>>     echo $nickname
> >>>     certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
> >>>done
> >>>
> >>>
> >>>#Result:
> >>>auditSigningCert cert-pki-ca
> >>>             Not After : Tue Jan 14 06:45:05 2014
> >>>ocspSigningCert cert-pki-ca
> >>>             Not After : Tue Jan 14 06:45:05 2014
> >>>subsystemCert cert-pki-ca
> >>>             Not After : Tue Jan 14 06:45:05 2014
> >>>Server-Cert cert-pki-ca
> >>>             Not After : Tue Jan 14 06:45:05 2014
> >>>
> >>>#Command:
> >>>for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
> >>>do
> >>>     /usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n "${nickname}" -c dogtag-ipa-renew-agent -P 705114231111
> >>>done
> >>>
> >>>#Result:
> >>>No CA with name "dogtag-ipa-renew-agent" found.
> >>>No CA with name "dogtag-ipa-renew-agent" found.
> >>>No CA with name "dogtag-ipa-renew-agent" found.
> >>>No CA with name "dogtag-ipa-renew-agent" found.
> >>>
> >>>
> >>>2)Upgrade instead?
> >>>I could potentially upgrade the ipa-server to "3.0.0-37.el6", would this version be able to automatically update the certificates?
> >>>
> >>>cya
> >>>
> >>>Craig
> >>>
> >>
> >>You need certmonger-0.58-1 or higher to get the
> >>dogtag-ipa-renew-agent CA and other fixes. I'll update the wiki with
> >>that, sorry for the oversight.
> >>
> >>You could try updating to 3.0. If you do decide to try upgrading I
> >>think I'd go back in time when all the certs are valid first as some
> >>services will be restarted during the upgrade and we don't want the
> >>upgrade blowing up in the middle because of expired certs.
> >>
> >>rob
> >I'll give the upgrade a go, say I go back to the older date and IPA
> >starts fine. Won't the certs still have a hard expiry date on them, so
> >I'll need to follow the
> >http://www.freeipa.org/page/IPA_2x_Certificate_Renewal procedure?
> 
> It depends in part how far back in time you go. I'd go back a day or
> two before the oldest date (not all certs expire at the same time).
> 
> The upgrade will configure automatic renewal. I think what I'd
> recommend is do the upgrade then restart the certmonger service on
> the machine.
> 
> Run `getcert list` to check the status of the certs. After the
> restart they should all renew.
> 
> rob
Well, progress :) just not quite fully fixed; it seems three certificates have updated, just not the others yet. Do I need to "tell them to update", or let the server roll over until it hits Jan 14?

Server: Red Hat Enterprise Linux Server release 6.5 (Santiago)
ipa-server-3.0.0-37.el6.x86_64
ipa-client-3.0.0-37.el6.x86_64
---
~/Scripts>date
Sat Jan 11 19:29:02 EST 2014
---
~/Scripts>certutil -L -d /etc/httpd/alias -n ipaCert | grep After
            Not After : Fri Jan 01 07:44:45 2016
---
Ran script:
for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
do
    echo $nickname
    certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
done

---
auditSigningCert cert-pki-ca
            Not After : Thu Jul 10 07:45:42 2014
            Not After : Tue Jan 14 06:45:05 2014
ocspSigningCert cert-pki-ca
            Not After : Fri Jan 01 07:44:43 2016
subsystemCert cert-pki-ca
            Not After : Fri Jan 01 07:44:44 2016
Server-Cert cert-pki-ca
            Not After : Tue Jan 14 06:45:05 2014
---

The apache cert did update which is good!
~/Scripts>certutil -L -d /etc/httpd/alias -n ipaCert | grep After
            Not After : Fri Jan 01 07:44:45 2016

cya

Craig
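As an added example (not from the thread or from FreeIPA itself): a small Python checker that parses the output of the certutil loop shown above, judges each nickname by its newest "Not After" date against the clock the box was rolled back to, and flags nicknames that still carry an older copy alongside the renewed cert. The sample output and the assumption that the latest date is the renewed copy are constructed here for illustration.

```python
import re
import subprocess
from datetime import datetime

# One "Not After :" line per certificate stored under a nickname; certutil
# prints NSS dates like "Tue Jan 14 06:45:05 2014" (local time, no zone).
NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+?)\s*$")
NSS_DATE_FMT = "%a %b %d %H:%M:%S %Y"

# Constructed sample in the shape of the loop output quoted in the thread.
SAMPLE_OUTPUT = """\
auditSigningCert cert-pki-ca
            Not After : Thu Jul 10 07:45:42 2014
            Not After : Tue Jan 14 06:45:05 2014
ocspSigningCert cert-pki-ca
            Not After : Fri Jan 01 07:44:43 2016
subsystemCert cert-pki-ca
            Not After : Fri Jan 01 07:44:44 2016
Server-Cert cert-pki-ca
            Not After : Tue Jan 14 06:45:05 2014
"""
SAMPLE_NOW = datetime(2014, 1, 11, 19, 29, 2)  # the `date` shown in the mail

def parse_nss_date(text):
    return datetime.strptime(text.strip(), NSS_DATE_FMT)

def parse_not_after(output):
    """Map nickname -> list of expiry datetimes, one per cert under that nickname."""
    certs, current = {}, None
    for line in output.splitlines():
        m = NOT_AFTER_RE.search(line)
        if m and current is not None:
            certs[current].append(parse_nss_date(m.group(1)))
        elif line.strip():
            current = line.strip()
            certs.setdefault(current, [])
    return certs

def renewal_status(expiries, now, warn_days=7):
    """Judge a nickname by its newest cert (assumption: the renewed copy is the
    latest one); more than one date means an older copy still sits in the DB."""
    newest = max(expiries)
    days_left = (newest - now).days
    state = "EXPIRED" if newest <= now else "EXPIRING" if days_left < warn_days else "OK"
    return state, days_left, len(expiries) > 1

def report(output, now):
    return {n: renewal_status(d, now) for n, d in parse_not_after(output).items() if d}

def certutil_not_after(db, nickname):
    """Live variant: runs the same certutil command as the mail (needs NSS tools)."""
    out = subprocess.run(["certutil", "-L", "-d", db, "-n", nickname],
                         capture_output=True, text=True, check=True).stdout
    return nickname + "\n" + "\n".join(l for l in out.splitlines() if "Not After" in l)

if __name__ == "__main__":
    for nick, (state, days, dup) in report(SAMPLE_OUTPUT, SAMPLE_NOW).items():
        print(f"{nick:32} {state:8} {days:5d} days{'  (old copy present)' if dup else ''}")
```

Run against a real server by feeding `certutil_not_after("/var/lib/pki-ca/alias", nick)` for each nickname into `report` with `datetime.now()`.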