<table cellspacing="0" cellpadding="0" border="0" ><tr><td valign="top" style="font: inherit;">Hi Rob,<div><br></div><div>Added the directive "NSSEnforceValidCerts off" in /etc/httpd/conf.d/nss.conf and restarted httpd. Please find the /var/log/httpd/error_log</div><div><br></div><div><div>[Fri Jan 06 01:06:29 2012] [error] Exception KeyError: KeyError(-1215723696,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored</div><div>[Fri Jan 06 01:06:29 2012] [error] Exception KeyError: KeyError(-1215723696,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored</div><div>[Fri Jan 06 01:06:29 2012] [error] Exception KeyError: KeyError(-1215723696,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored</div><div>[Fri Jan 06 01:06:29 2012] [error] Exception KeyError: KeyError(-1215723696,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored</div><div>[Fri Jan 06
01:06:29 2012] [error] Exception KeyError: KeyError(-1215723696,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored</div><div>[Fri Jan 06 01:06:29 2012] [error] Exception KeyError: KeyError(-1215723696,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored</div><div>[Fri Jan 06 01:06:29 2012] [error] Exception KeyError: KeyError(-1215723696,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored</div><div>[Fri Jan 06 01:06:29 2012] [error] Exception KeyError: KeyError(-1215723696,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored</div><div>[Fri Jan 06 01:06:29 2012] [error] Exception KeyError: KeyError(-1215723696,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored</div><div>[Fri Jan 06 01:06:29 2012] [error] Exception KeyError: KeyError(-1215723696,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'>
ignored</div><div>[Fri Jan 06 01:06:29 2012] [notice] caught SIGTERM, shutting down</div><div>[Fri Jan 06 01:06:29 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)</div><div>[Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'</div><div>[Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired</div><div>[Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'</div><div>[Fri Jan 06 01:06:30 2012] [notice] Digest: generating secret for digest authentication ...</div><div>[Fri Jan 06 01:06:30 2012] [notice] Digest: done</div><div>[Fri Jan 06 01:06:30 2012] [warn] mod_wsgi: Compiled for Python/2.6.2.</div><div>[Fri Jan 06 01:06:30 2012] [warn] mod_wsgi: Runtime using Python/2.6.6.</div><div>[Fri Jan 06 01:06:30 2012] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal
operations</div><div>[Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'</div><div>[Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired</div><div>[Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'</div><div>[Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'</div><div>[Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired</div><div>[Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'</div><div>[Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'</div><div>[Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired</div><div>[Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'</div><div>[Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'</div><div>[Fri Jan 06 01:06:30 2012] [error] SSL Library Error:
-8181 Certificate has expired</div><div>[Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'</div><div>[Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'</div><div>[Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired</div><div>[Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'</div><div>[Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired</div><div>[Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'</div><div>[Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired</div><div>[Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'</div><div>[Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'</div><div>[Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'</div><div>[Fri Jan 06 01:06:30 2012] [error]
SSL Library Error: -8181 Certificate has expired</div><div>[Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'</div><div>[Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'</div><div>[Fri Jan 06 01:06:32 2012] [error] ipa: INFO: *** PROCESS START ***</div><div>[Fri Jan 06 01:06:32 2012] [error] ipa: INFO: *** PROCESS START ***</div><div><br></div><div><div># ipa-getcert list</div><div>Number of certificates and requests being tracked: 3.</div><div>Request ID '20110619112648':</div><div> status: CA_UNREACHABLE</div><div> ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).</div><div> stuck: yes</div><div> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-HUGAYET-COM//pwdfile.txt'</div><div> certificate: type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS Certificate DB'</div><div> CA: IPA</div><div> issuer: CN=Certificate Authority,O=HUGAYET.COM</div><div> subject: CN=openipa.hugayet.com,O=HUGAYET.COM</div><div> expires: 20111216112647</div><div> eku: id-kp-serverAuth</div><div> track: yes</div><div> auto-renew: yes</div><div>Request ID '20110619112705':</div><div> status: CA_UNREACHABLE</div><div> ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).</div><div>
stuck: yes</div><div> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'</div><div> certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'</div><div> CA: IPA</div><div> issuer: CN=Certificate Authority,O=HUGAYET.COM</div><div> subject: CN=openipa.hugayet.com,O=HUGAYET.COM</div><div> expires: 20111216112704</div><div> eku: id-kp-serverAuth</div><div> track: yes</div><div> auto-renew: yes</div><div>Request ID '20110619112721':</div><div> <span style="background-color: rgb(255, 0, 0);">status:
CA_UNREACHABLE</span></div><div><span style="background-color: rgb(255, 0, 0);"> ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).</span></div><div> stuck: yes</div><div> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'</div><div> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'</div><div> CA: IPA</div><div> issuer: CN=Certificate Authority,O=HUGAYET.COM</div><div> subject: CN=openipa.hugayet.com,O=HUGAYET.COM</div><div> expires: 20111216112720</div><div>
eku: id-kp-serverAuth</div><div> track: yes</div><div> auto-renew: yes</div></div><div><br></div>Do we need to restart the /etc/init.d/ipa service for all this to take effect?</div><div><br></div><div>Nidal.</div><div><br></div><div><br>--- On <b>Thu, 1/5/12, Rob Crittenden <i><rcritten@redhat.com></i></b> wrote:<br><blockquote style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;"><br>From: Rob Crittenden <rcritten@redhat.com><br>Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA<br>To: "nasir nasir" <kollathodi@yahoo.com><br>Cc: freeipa-users@redhat.com, fasilkaks@gmail.com<br>Date: Thursday, January 5, 2012, 8:59 AM<br><br><div class="plainMail">nasir nasir wrote:<br>> Thanks for the input Rob,<br>><br>> Please find below the /var/log/httpd/error_log<br>><br>> [Thu Jan 05 19:50:46 2012] [error]
Certificate not verified: 'Server-Cert'<br>> [Thu Jan 05 19:50:46 2012] [error] SSL Library Error: -8181 Certificate<br>> has expired<br>> [Thu Jan 05 19:50:46 2012] [error] Certificate not verified: 'Server-Cert'<br>> [Thu Jan 05 19:50:46 2012] [error] Unable to verify certificate<br>> 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server<br>> can start until the problem can be resolved.<br>><br>> Do I need to add "NSSEnforceValidCerts off" in<br>> /etc/httpd/conf.d/nss.conf? Please advise.<br>><br><br>That explains why certmonger can't connect. Yes, for now add that <br>directive and restart httpd. Then try the start-tracking again and see <br>if it renews the cert.<br><br>rob<br><br>> Nidal.<br>><br>><br>> --- On *Thu, 1/5/12, Rob Crittenden /<rcritten@redhat.com>/*
wrote:<br>><br>><br>> From: Rob Crittenden <rcritten@redhat.com><br>> Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA<br>> To: "nasir nasir" <kollathodi@yahoo.com><br>> Cc: freeipa-users@redhat.com, fasilkaks@gmail.com<br>> Date: Thursday, January 5, 2012, 7:38 AM<br>><br>> nasir nasir wrote:<br>> > Thanks for the reply Rob.<br>> ><br>>
> Please find below the output of your guidelines.<br>> ><br>> > # ipa-getkeytab -s xxxxxxx.xxxxxxx.com -p host/xxxxxx.xxxxxx.com -k<br>> > /etc/krb5.keytab<br>> > (the command was successful; it didn't show any errors in the<br>> krb5kdc.log<br>> > or audit.log)<br>> ><br>> > # kinit -kt /etc/krb5.keytab host/xxxxxx.xxxxxx.com<br>> ><br>> > krb5kdc.log<br>> > -----------------<br>> > Jan 05 15:20:32 xxxxxx.xxxxxx.com krb5kdc[2431](info): AS_REQ (4<br>> etypes<br>> > {18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH:<br>> > host/xxxxxx.xxxxxx.com@xxxxxx.COM for krbtgt/xxxxxx.COM@xxxxxx.COM,<br>> > Additional pre-authentication required<br>> > Jan 05 15:20:32 xxxxxx.xxxxxx.com krb5kdc[2427](info): AS_REQ (4<br>> etypes<br>> > {18 17 16 23}) 192.168.1.10: ISSUE: authtime 1325766032, etypes<br>> > {rep=18<br>> > tkt=18 ses=18}, host/xxxxxx.xxxxxx.com@xxxxxx.COM for<br>> > krbtgt/xxxxxx.COM@xxxxxx.COM<br>> ><br>> > # ipa-getcert list<br>> > Number of certificates and requests being tracked: 3.<br>> > Request ID '20110619112648':<br>> > status:
CA_UNREACHABLE<br>> > ca-error: Server failed request, will retry: -504 (libcurl failed to<br>> > execute the HTTP POST transaction. SSL connect error).<br>> > stuck: yes<br>> > key pair storage:<br>> ><br>> type=NSSDB,location='/etc/dirsrv/slapd-xxxxxx-COM',nickname='Server-Cert',token='NSS<br>> > Certificate DB',pinfile='/etc/dirsrv/slapd-xxxxxx-COM//pwdfile.txt'<br>> > certificate:<br>> ><br>> type=NSSDB,location='/etc/dirsrv/slapd-xxxxxx-COM',nickname='Server-Cert',token='NSS<br>> > Certificate DB'<br>> > CA: IPA<br>> > issuer: CN=Certificate Authority,O=xxxxxx.COM<br>> > subject:
CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM<br>> > expires: 20111216112647<br>> > eku: id-kp-serverAuth<br>> > track: yes<br>> > auto-renew: yes<br>> > Request ID '20110619112705':<br>> > status: CA_UNREACHABLE<br>> > ca-error: Server failed request, will retry: -504 (libcurl failed to<br>> > execute the HTTP POST transaction. SSL connect error).<br>> > stuck: yes<br>> > key pair storage:<br>> ><br>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>> > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'<br>> > certificate:<br>>
><br>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>> > Certificate DB'<br>> > CA: IPA<br>> > issuer: CN=Certificate Authority,O=xxxxxx.COM<br>> > subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM<br>> > expires: 20111216112704<br>> > eku: id-kp-serverAuth<br>> > track: yes<br>> > auto-renew: yes<br>> > Request ID '20110619112721':<br>> > status: CA_UNREACHABLE<br>> > ca-error: Server failed request, will retry: -504 (libcurl failed to<br>> > execute the HTTP POST transaction. SSL connect error).<br>> > stuck: yes<br>> > key pair
storage:<br>> ><br>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>> > certificate:<br>> ><br>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>> > Certificate DB'<br>> > CA: IPA<br>> > issuer: CN=Certificate Authority,O=xxxxxx.COM<br>> > subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM<br>> > expires: 20111216112720<br>> > eku: id-kp-serverAuth<br>> > track: yes<br>> > auto-renew: yes<br>> ><br>> > # ipa-getcert start-tracking -d
/etc/httpd/alias -n Server-Cert<br>> > Request "20110619112721" modified.<br>> ><br>> > # ipa-getcert list<br>> > Number of certificates and requests being tracked: 3.<br>> > Request ID '20110619112648':<br>> > status: CA_UNREACHABLE<br>> > ca-error: Server failed request, will retry: -504 (libcurl failed to<br>> > execute the HTTP POST transaction. SSL connect error).<br>> > stuck: yes<br>> > key pair storage:<br>> ><br>> type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS<br>> > Certificate DB',pinfile='/etc/dirsrv/slapd-HUGAYET-COM//pwdfile.txt'<br>> >
certificate:<br>> ><br>> type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS<br>> > Certificate DB'<br>> > CA: IPA<br>> > issuer: CN=Certificate Authority,O=HUGAYET.COM<br>> > subject: CN=openipa.hugayet.com,O=HUGAYET.COM<br>> > expires: 20111216112647<br>> > eku: id-kp-serverAuth<br>> > track: yes<br>> > auto-renew: yes<br>> > Request ID '20110619112705':<br>> > status: CA_UNREACHABLE<br>> > ca-error: Server failed request, will retry: -504 (libcurl failed to<br>> > execute the HTTP POST transaction. SSL connect error).<br>> > stuck:
yes<br>> > key pair storage:<br>> ><br>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>> > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'<br>> > certificate:<br>> ><br>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>> > Certificate DB'<br>> > CA: IPA<br>> > issuer: CN=Certificate Authority,O=HUGAYET.COM<br>> > subject: CN=openipa.hugayet.com,O=HUGAYET.COM<br>> > expires: 20111216112704<br>> > eku: id-kp-serverAuth<br>> > track: yes<br>> > auto-renew: yes<br>>
> Request ID '20110619112721':<br>> > status: SUBMITTING<br>> > stuck: no<br>> > key pair storage:<br>> ><br>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>> > certificate:<br>> ><br>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>> > Certificate DB'<br>> > CA: IPA<br>> > issuer: CN=Certificate Authority,O=HUGAYET.COM<br>> > subject: CN=openipa.hugayet.com,O=HUGAYET.COM<br>> > expires: 20111216112720<br>> > eku:
id-kp-serverAuth<br>> > track: yes<br>> > auto-renew: yes<br>> ><br>> > and after a few minutes, the status 'SUBMITTING' will be changed to<br>> > 'CA_UNREACHABLE'.<br>> > Do we need to restart the /etc/init.d/ipa service for this? I am<br>> working<br>> > remotely.<br>><br>> It isn't logging enough information to know why it failed. Can you look<br>> in the Apache error log to see why the request failed?<br>><br>> My first thought was that there was a CA trust issue. I believe that<br>> certmonger uses the NSS database where the certificate is stored so<br>> since it is also doing this against Apache (which in
theory trust is ok<br>> for it to start at all) so I'm baffled. Hopefully the httpd logs<br>> will be<br>> enlightening.<br>><br>> ><br>> > I need to upgrade my IPA version. Before going for this I need to<br>> have a<br>> > replica of the existing one. Is it okay to have the replica while all<br>> > these issues exist?<br>><br>><br>> Yes, you should be able to create a replica, this shouldn't affect it.<br>><br>> rob<br>><br><br></div></blockquote></div></td></tr></table>
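<div>Added example, not part of the thread above and not certmonger or FreeIPA code: a small Python script that parses "ipa-getcert list" output of the kind quoted in the thread and reports, for each tracked request, whether the certificate has already expired, how close it is to expiry, and whether certmonger has marked the request stuck, together with the recorded ca-error. The sample output embedded in the script is constructed in the thread's layout: the first request copies the expired, stuck httpd entry, while the other two request IDs, NSS database paths, nicknames and dates are made up to exercise the remaining branches. The script also assumes the "expires:" field is a YYYYMMDDHHMMSS timestamp in UTC, which is how the certmonger release in the thread prints it. The point of running a check like this on a schedule is visible in the thread: certmonger's renewal request is an HTTPS POST through the same httpd whose certificate has lapsed, so once expiry has passed the automatic renewal fails with the -504 errors shown, and "NSSEnforceValidCerts off" is only the stop-gap Rob describes to get httpd up again until the certificate is renewed.</div>

```python
"""Report expired, expiring and stuck certificates from `ipa-getcert list` output.

Added example for this thread, not certmonger or FreeIPA code. Assumes the
`expires:` field is YYYYMMDDHHMMSS in UTC, as the certmonger quoted above prints it.
"""
import re
from datetime import datetime, timedelta, timezone

# Timestamp of the httpd error_log lines quoted in the thread, used as "now".
THREAD_NOW = datetime(2012, 1, 6, 1, 6, 30, tzinfo=timezone.utc)

# Constructed sample in the layout quoted in the thread. The first request copies
# the expired, stuck httpd entry; the other two (IDs, paths, nicknames, dates) are
# made up to exercise the "expiring soon" and "healthy" branches.
SAMPLE_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20110619112721':
 status: CA_UNREACHABLE
 ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
 stuck: yes
 key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
 certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=HUGAYET.COM
 subject: CN=openipa.hugayet.com,O=HUGAYET.COM
 expires: 20111216112720
 eku: id-kp-serverAuth
 track: yes
 auto-renew: yes
Request ID '20110619990001':
 status: MONITORING
 stuck: no
 key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE',nickname='Server-Cert',token='NSS Certificate DB'
 CA: IPA
 expires: 20120120000000
Request ID '20110619990002':
 status: MONITORING
 stuck: no
 key pair storage: type=NSSDB,location='/etc/pki/example',nickname='Example-Cert',token='NSS Certificate DB'
 CA: IPA
 expires: 20120601000000
"""

_REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':$")
_FIELD_RE = re.compile(r"^\s+(?P<key>[^:]+): ?(?P<value>.*)$")
_STORAGE_RE = re.compile(r"location='(?P<location>[^']*)'.*nickname='(?P<nickname>[^']*)'")


def parse_getcert_list(text):
    """Split `ipa-getcert list` output into one dict of fields per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        m = _REQUEST_RE.match(line)
        if m:
            current = {"id": m.group("id")}
            requests.append(current)
            continue
        m = _FIELD_RE.match(line)
        if m and current is not None:
            current[m.group("key").strip()] = m.group("value").strip()
    return requests


def assess(req, now, warn_days=28):
    """List the problems with one request; an empty list means nothing to act on."""
    problems = []
    # YYYYMMDDHHMMSS with no zone designator; treated as UTC (assumption, see above).
    expires = datetime.strptime(req["expires"], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if expires <= now:
        problems.append("expired %d days ago" % (now - expires).days)
    elif expires - now <= timedelta(days=warn_days):
        problems.append("expires in %d days" % (expires - now).days)
    # certmonger marks a request that cannot make progress as stuck; surface the
    # recorded ca-error so the operator sees why renewal is failing.
    if req.get("stuck") == "yes":
        problems.append("stuck: " + req.get("ca-error", "no ca-error recorded"))
    return problems


def report(text, now=THREAD_NOW, warn_days=28):
    """Map request ID -> (nickname, NSS DB location, problems) for every request."""
    out = {}
    for req in parse_getcert_list(text):
        m = _STORAGE_RE.search(req.get("key pair storage", ""))
        nickname = m.group("nickname") if m else "?"
        location = m.group("location") if m else "?"
        out[req["id"]] = (nickname, location, assess(req, now, warn_days))
    return out


if __name__ == "__main__":
    # On a live server feed it subprocess.check_output(["ipa-getcert", "list"]).decode()
    # instead of SAMPLE_OUTPUT, and pass datetime.now(timezone.utc) as now.
    for req_id, (nickname, location, problems) in report(SAMPLE_OUTPUT).items():
        print("%s %s (%s): %s" % (req_id, nickname, location, "; ".join(problems) or "ok"))
```

<div>Against the thread's timestamp the httpd request comes out as expired 20 days ago and stuck with the peer-certificate ca-error, which is exactly the state the poster is in. The warning window (28 days by default) is the knob to tune so that a cron job or monitoring check fires while certmonger can still renew on its own; newer certmonger releases print "expires:" in a different date format, so the strptime pattern is the one line to adjust there.</div>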