<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#ffffff" text="#000000">
    On 01/03/2012 12:52 AM, nasir nasir wrote:
    <blockquote
cite="mid:1325577162.75360.YahooMailClassic@web161303.mail.bf1.yahoo.com"
      type="cite">
      <table border="0" cellpadding="0" cellspacing="0">
        <tbody>
          <tr>
            <td style="font: inherit;" valign="top">Hi,<br>
              <br>
I am facing a serious issue with my production IPA server.
              When I try to access the IPA web interface using Firefox, it
              hangs and doesn't allow me to get in. It seems to be due
              to an expired SSL certificate, as seen in the apache log file,
              <br>
              <br>
              <br>
              [Tue Jan 03 10:34:08 2012] [error] Certificate not
              verified: 'Server-Cert'<br>
              [Tue Jan 03 10:34:08 2012] [error] SSL Library Error:
              -8181 Certificate has expired<br>
              [Tue Jan 03 10:34:08 2012] [error] Unable to verify
              certificate 'Server-Cert'. Add "NSSEnforceValidCerts off"
              to nss.conf so the server can start until the problem can
              be resolved.<br>
              [Tue Jan 03 10:34:08 2012] [error] Certificate not
              verified: 'Server-Cert'<br>
              <br>
              <br>
Also, when I try to use the command line (ipa user-mod or
              user-show commands), it too just hangs and doesn't give any
              output or allow me any input. I can see the following
              in krb5kdc.log,<br>
              <br>
              <div>
                <div>Jan 03 10:29:16 xxxxxx.xxxxxx.com
                  krb5kdc[2426](info): preauth (timestamp) verify
                  failure: Decrypt integrity check failed</div>
                <div>Jan 03 10:29:16 xxxxxx.xxxxxx.com
                  krb5kdc[2426](info): AS_REQ (4 etypes {18 17 16 23})
                  192.168.1.10: PREAUTH_FAILED:
                  <a class="moz-txt-link-abbreviated" href="mailto:host/xxxxx.xxxxx.com@XXXXXX.COM">host/xxxxx.xxxxx.com@XXXXXX.COM</a> for
                  <a class="moz-txt-link-abbreviated" href="mailto:krbtgt/XXXXXX.COM@XXXXXX.COM">krbtgt/XXXXXX.COM@XXXXXX.COM</a>, Decrypt integrity check
                  failed</div>
                <div>Jan 03 10:29:16 xxxxxx.xxxxxx.com
                  krb5kdc[2429](info): AS_REQ (4 etypes {18 17 16 23})
                  192.168.1.10: NEEDED_PREAUTH:
                  <a class="moz-txt-link-abbreviated" href="mailto:host/xxxx.xxxxx.com@XXXXX.COM">host/xxxx.xxxxx.com@XXXXX.COM</a> for
                  <a class="moz-txt-link-abbreviated" href="mailto:krbtgt/XXXXXX.COM@XXXXXX.COM">krbtgt/XXXXXX.COM@XXXXXX.COM</a>, Additional
                  pre-authentication required</div>
              </div>
              <div><br>
              </div>
              <br>
              <div>The output of "certutil -L -d /etc/httpd/alias -n
                Server-Cert" confirms that certificate is expired as
                given below.<br>
                <br>
                Certificate:<br>
                Data:<br>
                Version: 3 (0x2)<br>
                Serial Number: 10 (0xa)<br>
                Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption<br>
                Issuer: "CN=Certificate Authority,O=XXXXXX.COM"<br>
                Validity:<br>
                Not Before: Sun Jun 19 11:27:20 2011<br>
                Not After : Fri Dec 16 11:27:20 2011<br>
                <br>
                <br>
                Relevant info<br>
                <br>
                OS: RHEL 6.1<br>
                <br>
                <br>
                Output of rpm -qa | grep ipa<br>
                <br>
                ipa-client-2.0.0-23.el6.i686<br>
                ipa-pki-ca-theme-9.0.3-6.el6.noarch<br>
                ipa-pki-common-theme-9.0.3-6.el6.noarch<br>
                device-mapper-multipath-libs-0.4.9-41.el6.i686<br>
                python-iniparse-0.3.1-2.1.el6.noarch<br>
                ipa-python-2.0.0-23.el6.i686<br>
                ipa-server-selinux-2.0.0-23.el6.i686<br>
                ipa-server-2.0.0-23.el6.i686<br>
                device-mapper-multipath-0.4.9-41.el6.i686<br>
                ipa-admintools-2.0.0-23.el6.i686<br>
                <br>
                <br>
I went through the documentation to check how to renew
                the expired certs, but it seems to be confusing and
                different across versions. Could someone please help me
                out by suggesting the best way to achieve this?
                Any help would be greatly appreciated, as I am unable
                to perform any task on the IPA server now because of
                this.<br>
              </div>
            </td>
          </tr>
        </tbody>
      </table>
    </blockquote>
    I suggest following the mod_nss suggestion to allow it to start and
    use the expired cert while you attempt to figure this out.<br>
    <blockquote
cite="mid:1325577162.75360.YahooMailClassic@web161303.mail.bf1.yahoo.com"
      type="cite">
      <table border="0" cellpadding="0" cellspacing="0">
        <tbody>
          <tr>
            <td style="font: inherit;" valign="top">
              <div><br>
                Regards,<br>
                Nidal<br>
              </div>
            </td>
          </tr>
        </tbody>
      </table>
      <pre wrap="">
_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
    </blockquote>
    <br>
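An added check, not from the thread, that parses the validity block of the quoted "certutil -L -d /etc/httpd/alias -n Server-Cert" output and the mod_nss error lines quoted above, so an expiring Server-Cert is flagged before it takes the web UI down rather than discovered from "-8181 Certificate has expired". The sample text is constructed from the post; the warning window of 30 days is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the validity block as printed by certutil -L in the post.
CERTUTIL_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
        Issuer: "CN=Certificate Authority,O=XXXXXX.COM"
        Validity:
            Not Before: Sun Jun 19 11:27:20 2011
            Not After : Fri Dec 16 11:27:20 2011
"""

# Constructed sample: the mod_nss error lines from the Apache log in the post.
APACHE_LOG = """\
[Tue Jan 03 10:34:08 2012] [error] Certificate not verified: 'Server-Cert'
[Tue Jan 03 10:34:08 2012] [error] SSL Library Error: -8181 Certificate has expired
[Tue Jan 03 10:34:08 2012] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
[Tue Jan 03 10:34:08 2012] [error] Certificate not verified: 'Server-Cert'
"""

CERTUTIL_TIME = "%a %b %d %H:%M:%S %Y"  # e.g. "Fri Dec 16 11:27:20 2011"


def parse_validity(text):
    """Return (not_before, not_after) datetimes from certutil -L output."""
    nb = re.search(r"Not Before:\s*(.+)", text).group(1).strip()
    na = re.search(r"Not After\s*:\s*(.+)", text).group(1).strip()
    return (datetime.strptime(nb, CERTUTIL_TIME), datetime.strptime(na, CERTUTIL_TIME))


def cert_status(text, now, warn_days=30):
    """'expired', 'expiring' (within warn_days, assumed 30) or 'ok' relative to now."""
    _, not_after = parse_validity(text)
    if now >= not_after:
        return "expired"
    if now + timedelta(days=warn_days) >= not_after:
        return "expiring"
    return "ok"


def mod_nss_expired_certs(log):
    """Nicknames mod_nss refused with NSS error -8181 (certificate expired)."""
    names, pending = set(), None
    for line in log.splitlines():
        m = re.search(r"Certificate not verified: '([^']+)'", line)
        if m:
            pending = m.group(1)          # nickname precedes the error code line
        elif "SSL Library Error: -8181" in line and pending:
            names.add(pending)
    return sorted(names)
```

Run cert_status against the live certutil output from cron and alert on anything but "ok"; mod_nss_expired_certs is the matching log-side detection for a server that already failed to start.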
  </body>
</html>