<table cellspacing="0" cellpadding="0" border="0" ><tr><td valign="top" style="font: inherit;">Thanks for the input, Rob,<div><br></div><div>Please find below the /var/log/httpd/error_log</div><div><br></div><div><div>[Thu Jan 05 19:50:46 2012] [error] Certificate not verified: 'Server-Cert'</div><div>[Thu Jan 05 19:50:46 2012] [error] SSL Library Error: -8181 Certificate has expired</div><div>[Thu Jan 05 19:50:46 2012] [error] Certificate not verified: 'Server-Cert'</div><div>[Thu Jan 05 19:50:46 2012] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.</div><div><br></div><div>Do I need to add "NSSEnforceValidCerts off" in /etc/httpd/conf.d/nss.conf? Please advise.</div><div><br></div><div>Nidal.</div><div><br></div><div><br></div>--- On <b>Thu, 1/5/12, Rob Crittenden <i><rcritten@redhat.com></i></b> wrote:<br><blockquote style="border-left:
 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;"><br>From: Rob Crittenden <rcritten@redhat.com><br>Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA<br>To: "nasir nasir" <kollathodi@yahoo.com><br>Cc: freeipa-users@redhat.com, fasilkaks@gmail.com<br>Date: Thursday, January 5, 2012, 7:38 AM<br><br><div class="plainMail">nasir nasir wrote:<br>> Thanks for the reply, Rob.<br>><br>> Please find below the output of your guidelines.<br>><br>> # ipa-getkeytab -s xxxxxxx.xxxxxxx.com -p host/xxxxxx.xxxxxx.com -k<br>> /etc/krb5.keytab<br>> (the command was successful; it didn't show any errors in the krb5kdc.log<br>> or audit.log)<br>><br>> # kinit -kt /etc/krb5.keytab host/xxxxxx.xxxxxx.com<br>><br>> krb5kdc.log<br>> -----------------<br>> Jan 05 15:20:32 xxxxxx.xxxxxx.com krb5kdc[2431](info): AS_REQ (4 etypes<br>> {18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH:<br>> host/xxxxxx.xxxxxx.com@xxxxxx.COM for krbtgt/xxxxxx.COM@xxxxxx.COM,<br>> Additional pre-authentication required<br>> Jan 05 15:20:32 xxxxxx.xxxxxx.com krb5kdc[2427](info): AS_REQ (4 etypes<br>> {18 17 16 23}) 192.168.1.10: ISSUE: authtime 1325766032, etypes {rep=18<br>> tkt=18 ses=18}, host/xxxxxx.xxxxxx.com@xxxxxx.COM for<br>> krbtgt/xxxxxx.COM@xxxxxx.COM<br>><br>> # ipa-getcert list<br>> Number of certificates and requests being tracked: 3.<br>> Request ID '20110619112648':<br>> status: CA_UNREACHABLE<br>> ca-error: Server failed request, will
 retry: -504 (libcurl failed to<br>> execute the HTTP POST transaction. SSL connect error).<br>> stuck: yes<br>> key pair storage:<br>> type=NSSDB,location='/etc/dirsrv/slapd-xxxxxx-COM',nickname='Server-Cert',token='NSS<br>> Certificate DB',pinfile='/etc/dirsrv/slapd-xxxxxx-COM//pwdfile.txt'<br>> certificate:<br>> type=NSSDB,location='/etc/dirsrv/slapd-xxxxxx-COM',nickname='Server-Cert',token='NSS<br>> Certificate DB'<br>> CA: IPA<br>> issuer: CN=Certificate Authority,O=xxxxxx.COM<br>> subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM<br>> expires: 20111216112647<br>> eku: id-kp-serverAuth<br>> track: yes<br>> auto-renew: yes<br>> Request ID '20110619112705':<br>> status: CA_UNREACHABLE<br>> ca-error: Server failed request, will retry: -504 (libcurl failed to<br>> execute the HTTP POST transaction. SSL connect error).<br>> stuck: yes<br>> key pair storage:<br>>
 type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'<br>> certificate:<br>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>> Certificate DB'<br>> CA: IPA<br>> issuer: CN=Certificate Authority,O=xxxxxx.COM<br>> subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM<br>> expires: 20111216112704<br>> eku: id-kp-serverAuth<br>> track: yes<br>> auto-renew: yes<br>> Request ID '20110619112721':<br>> status: CA_UNREACHABLE<br>> ca-error: Server failed request, will retry: -504 (libcurl failed to<br>> execute the HTTP POST transaction. SSL connect error).<br>> stuck: yes<br>> key pair storage:<br>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>> certificate:<br>>
 type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>> Certificate DB'<br>> CA: IPA<br>> issuer: CN=Certificate Authority,O=xxxxxx.COM<br>> subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM<br>> expires: 20111216112720<br>> eku: id-kp-serverAuth<br>> track: yes<br>> auto-renew: yes<br>><br>> # ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert<br>> Request "20110619112721" modified.<br>><br>> # ipa-getcert list<br>> Number of certificates and requests being tracked: 3.<br>> Request ID '20110619112648':<br>> status: CA_UNREACHABLE<br>> ca-error: Server failed request, will retry: -504 (libcurl failed to<br>> execute the HTTP POST transaction. SSL connect error).<br>> stuck: yes<br>> key pair storage:<br>> type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS<br>> Certificate
 DB',pinfile='/etc/dirsrv/slapd-HUGAYET-COM//pwdfile.txt'<br>> certificate:<br>> type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS<br>> Certificate DB'<br>> CA: IPA<br>> issuer: CN=Certificate Authority,O=HUGAYET.COM<br>> subject: CN=openipa.hugayet.com,O=HUGAYET.COM<br>> expires: 20111216112647<br>> eku: id-kp-serverAuth<br>> track: yes<br>> auto-renew: yes<br>> Request ID '20110619112705':<br>> status: CA_UNREACHABLE<br>> ca-error: Server failed request, will retry: -504 (libcurl failed to<br>> execute the HTTP POST transaction. SSL connect error).<br>> stuck: yes<br>> key pair storage:<br>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'<br>> certificate:<br>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>>
 Certificate DB'<br>> CA: IPA<br>> issuer: CN=Certificate Authority,O=HUGAYET.COM<br>> subject: CN=openipa.hugayet.com,O=HUGAYET.COM<br>> expires: 20111216112704<br>> eku: id-kp-serverAuth<br>> track: yes<br>> auto-renew: yes<br>> Request ID '20110619112721':<br>> status: SUBMITTING<br>> stuck: no<br>> key pair storage:<br>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>> certificate:<br>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>> Certificate DB'<br>> CA: IPA<br>> issuer: CN=Certificate Authority,O=HUGAYET.COM<br>> subject: CN=openipa.hugayet.com,O=HUGAYET.COM<br>> expires: 20111216112720<br>> eku: id-kp-serverAuth<br>> track: yes<br>> auto-renew: yes<br>><br>> and after a few minutes, the status 'SUBMITTING' will be changed to<br>>
 'CA_UNREACHABLE'<br>> Do we need to restart the /etc/init.d/ipa service for this? I am working<br>> remotely.<br><br>It isn't logging enough information to know why it failed. Can you look <br>in the Apache error log to see why the request failed?<br><br>My first thought was that there was a CA trust issue. I believe that <br>certmonger uses the NSS database where the certificate is stored, so <br>since it is also doing this against Apache (whose trust is, in theory, ok <br>for it to start at all) I'm baffled. Hopefully the httpd logs will be <br>enlightening.<br><br>><br>> I need to upgrade my IPA version. Before going for this I need to have a<br>> replica of the existing one. Is it okay to have the replica while all<br>> these issues exist?<br><br><br>Yes, you should be able to create a replica; this shouldn't affect it.<br><br>rob<br></div></blockquote></div></td></tr></table>
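A check for the two symptoms in this thread (certmonger requests stuck at CA_UNREACHABLE on an already-expired Server-Cert, and mod_nss refusing to start on error -8181), as an added Python example that is not part of the thread; the sample `ipa-getcert list` output and error_log lines are constructed to match the formats quoted above, with placeholder hosts and paths.

```python
import re
# Constructed samples shaped like the `ipa-getcert list` output and the httpd
# error_log quoted above (hosts and paths are placeholders, not the poster's).
GETCERT_OUTPUT = """\
Request ID '20110619112648':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  SSL connect error).
    stuck: yes
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 20111216112647
Request ID '20110619112721':
    status: SUBMITTING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 20131216112720
"""
HTTPD_ERROR_LOG = """\
[Thu Jan 05 19:50:46 2012] [error] Certificate not verified: 'Server-Cert'
[Thu Jan 05 19:50:46 2012] [error] SSL Library Error: -8181 Certificate has expired
"""

def parse_getcert(text):
    """Split `ipa-getcert list` output into one dict of 'key: value' fields per request."""
    records = []
    for line in text.splitlines():
        m = re.match(r"Request ID '(\d+)':", line)
        if m:
            records.append({"id": m.group(1)})
        elif records and ":" in line:
            key, _, value = line.strip().partition(":")
            records[-1][key.strip()] = value.strip()
    return records

def audit_getcert(text, now):
    """Map request id -> (NSS db location, problems); `now` is YYYYMMDDHHMMSS as in 'expires'."""
    findings = {}
    for rec in parse_getcert(text):
        problems = [p for p, hit in (
            ("expired", rec["expires"] <= now),          # fixed-width stamps sort as time
            ("stuck", rec.get("stuck") == "yes"),
            ("ca-unreachable", rec.get("status") == "CA_UNREACHABLE")) if hit]
        if problems:
            loc = re.search(r"location='([^']+)'", rec.get("certificate", ""))
            findings[rec["id"]] = (loc.group(1) if loc else "?", problems)
    return findings

def nss_errors(log_text):
    """Return (code, message) pairs from mod_nss 'SSL Library Error' lines."""
    return re.findall(r"SSL Library Error: (-\d+) (.+)", log_text)
```

A request reported as both expired and stuck is one certmonger cannot renew on its own; the "NSSEnforceValidCerts off" workaround the error_log suggests only lets httpd start, it does not renew the certificate.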