<table cellspacing="0" cellpadding="0" border="0" ><tr><td valign="top" style="font: inherit;"><div style="font-family: arial; font-size: 10pt; "><span style="font-size: 10pt; ">Thanks for the reply Rob.</span></div><div style="font-family: arial; font-size: 10pt; "><span style="font-size: 10pt; "><br></span></div><div style="font-family: arial; font-size: 10pt; ">Please find below the output of your guidelines.</div><div style="font-family: arial; font-size: 10pt; "><br></div><div style="font-family: arial; font-size: 10pt; "># ipa-getkeytab -s xxxxxxx.xxxxxxx.com -p host/xxxxxx.xxxxxx.com -k /etc/krb5.keytab</div><div style="font-family: arial; font-size: 10pt; ">(the command was successful; it didn't show any errors in the krb5kdc.log or audit.log)</div><div style="font-family: arial; font-size: 10pt; "><br></div><div style="font-family: arial; font-size: 10pt; "># <span style="background-color: rgb(255, 255, 255); font-size: 10pt; ">kinit
-kt /etc/krb5.keytab host/xxxxxx.xxxxxx.com</span></div><div style="font-family: arial; font-size: 10pt; "><span style="background-color: rgb(255, 255, 255); font-size: 10pt; "><br></span></div><div style="font-family: arial; font-size: 10pt; ">krb5kdc.log</div><div style="font-family: arial; font-size: 10pt; ">-----------------</div><div style="font-family: arial; font-size: 10pt; "><div>Jan 05 15:20:32 xxxxxx.xxxxxx.com krb5kdc[2431](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH: host/xxxxxx.xxxxxx.com@xxxxxx.COM for krbtgt/xxxxxx.COM@xxxxxx.COM, Additional pre-authentication required</div><div>Jan 05 15:20:32 xxxxxx.xxxxxx.com krb5kdc[2427](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: ISSUE: authtime 1325766032, etypes {rep=18 tkt=18 ses=18}, host/xxxxxx.xxxxxx.com@xxxxxx.COM for krbtgt/xxxxxx.COM@xxxxxx.COM</div></div><div style="font-family: arial; font-size: 10pt; "><br></div><div style="font-family: arial; font-size:
10pt; "># <span style="background-color: rgb(255, 255, 255); font-size: 10pt; ">ipa-getcert list</span></div><div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); ">Number of certificates and requests being tracked: 3.</div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); ">Request ID '20110619112648':</div><div style="font-family: arial; font-size: 10pt; "><span style="background-color: rgb(255, 255, 255); "> </span><span style="background-color: rgb(255, 0, 0);"> status: CA_UNREACHABLE</span></div><div style="font-family: arial; font-size: 10pt; "><span style="background-color: rgb(255, 255, 255);"> </span><span style="background-color: rgb(255, 0, 0);">ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).</span></div><div style="font-family:
arial; font-size: 10pt; background-color: rgb(255, 255, 255); "> stuck: yes</div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); "> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-xxxxxx-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-xxxxxx-COM//pwdfile.txt'</div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); "> certificate: type=NSSDB,location='/etc/dirsrv/slapd-xxxxxx-COM',nickname='Server-Cert',token='NSS Certificate DB'</div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); "> CA: IPA</div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); "> issuer: CN=Certificate Authority,O=xxxxxx.COM</div><div style="font-family: arial;
font-size: 10pt; background-color: rgb(255, 255, 255); "> subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM</div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); "> expires: 20111216112647</div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); "> eku: id-kp-serverAuth</div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); "> track: yes</div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); "> auto-renew: yes</div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); ">Request ID '20110619112705':</div><div style="font-family: arial; font-size: 10pt; "><span style="background-color: rgb(255, 255, 255); "> </span><span
style="background-color: rgb(255, 0, 0);">status: CA_UNREACHABLE</span></div><div style="font-family: arial; font-size: 10pt; "><span style="background-color: rgb(255, 255, 255); "> </span><span style="background-color: rgb(255, 0, 0);">ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).</span></div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); "> stuck: yes</div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); "> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'</div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); "> certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'</div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); "> CA: IPA</div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); "> issuer: CN=Certificate Authority,O=xxxxxx.COM</div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); "> subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM</div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); "> expires: 20111216112704</div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); "> eku: id-kp-serverAuth</div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); ">
track: yes</div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); "> auto-renew: yes</div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); ">Request ID '20110619112721':</div><div style="font-family: arial; font-size: 10pt; "><span style="background-color: rgb(255, 255, 255); "> </span><span style="background-color: rgb(255, 0, 0);"> status: CA_UNREACHABLE</span></div><div style="font-family: arial; font-size: 10pt; "><span style="background-color: rgb(255, 255, 255); "> </span><span style="background-color: rgb(255, 0, 0);"> ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).</span></div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); "> stuck:
yes</div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); "> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'</div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); "> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'</div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); "> CA: IPA</div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); "> issuer: CN=Certificate Authority,O=xxxxxx.COM</div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); "> subject:
CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM</div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); "> expires: 20111216112720</div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); "> eku: id-kp-serverAuth</div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); "> track: yes</div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); "> auto-renew: yes</div><div style="font-family: arial; font-size: 10pt; background-color: rgb(255, 255, 255); "><br></div><div style="background-color: rgb(255, 255, 255); "><div><font face="arial" size="2"># ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert</font></div><div><font face="arial" size="2">Request "20110619112721" modified.</font></div></div></div><div
style="font-family: arial; font-size: 10pt; "><br></div><div><div><font face="arial" size="2"># ipa-getcert list</font></div><div><font face="arial" size="2">Number of certificates and requests being tracked: 3.</font></div><div><font face="arial" size="2">Request ID '20110619112648':</font></div><div><font face="arial" size="2"> <span style="background-color: rgb(255, 0, 0);">status: CA_UNREACHABLE</span></font></div><div><font face="arial" size="2" style="background-color: rgb(255, 0, 0);"> ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).</font></div><div><font face="arial" size="2"> stuck: yes</font></div><div><font face="arial" size="2"> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS Certificate
DB',pinfile='/etc/dirsrv/slapd-HUGAYET-COM//pwdfile.txt'</font></div><div><font face="arial" size="2"> certificate: type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS Certificate DB'</font></div><div><font face="arial" size="2"> CA: IPA</font></div><div><font face="arial" size="2"> issuer: CN=Certificate Authority,O=HUGAYET.COM</font></div><div><font face="arial" size="2"> subject: CN=openipa.hugayet.com,O=HUGAYET.COM</font></div><div><font face="arial" size="2"> expires: 20111216112647</font></div><div><font face="arial" size="2"> eku: id-kp-serverAuth</font></div><div><font face="arial" size="2"> track: yes</font></div><div><font face="arial" size="2"> auto-renew: yes</font></div><div><font face="arial"
size="2">Request ID '20110619112705':</font></div><div><font face="arial" size="2"> <span style="background-color: rgb(255, 0, 0);">status: CA_UNREACHABLE</span></font></div><div><font face="arial" size="2" style="background-color: rgb(255, 0, 0);"> ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).</font></div><div><font face="arial" size="2"> stuck: yes</font></div><div><font face="arial" size="2"> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'</font></div><div><font face="arial" size="2"> certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'</font></div><div><font
face="arial" size="2"> CA: IPA</font></div><div><font face="arial" size="2"> issuer: CN=Certificate Authority,O=HUGAYET.COM</font></div><div><font face="arial" size="2"> subject: CN=openipa.hugayet.com,O=HUGAYET.COM</font></div><div><font face="arial" size="2"> expires: 20111216112704</font></div><div><font face="arial" size="2"> eku: id-kp-serverAuth</font></div><div><font face="arial" size="2"> track: yes</font></div><div><font face="arial" size="2"> auto-renew: yes</font></div><div><font face="arial" size="2">Request ID '20110619112721':</font></div><div><font face="arial" size="2"> <span style="background-color: rgb(96, 191, 0);">status: SUBMITTING</span></font></div><div><font face="arial" size="2"> stuck:
no</font></div><div><font face="arial" size="2"> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'</font></div><div><font face="arial" size="2"> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'</font></div><div><font face="arial" size="2"> CA: IPA</font></div><div><font face="arial" size="2"> issuer: CN=Certificate Authority,O=HUGAYET.COM</font></div><div><font face="arial" size="2"> subject: CN=openipa.hugayet.com,O=HUGAYET.COM</font></div><div><font face="arial" size="2"> expires: 20111216112720</font></div><div><font face="arial" size="2"> eku: id-kp-serverAuth</font></div><div><font face="arial" size="2">
track: yes</font></div><div><font face="arial" size="2"> auto-renew: yes</font></div><div><font face="arial" size="2"><br></font></div><div><font face="arial" size="2">and after a few minutes, the status 'SUBMITTING' will change to 'CA_UNREACHABLE'.</font></div><div><span style="font-family: arial; font-size: small; ">Do we need to restart the /etc/init.d/ipa service for this? I am working remotely.</span></div><div><font face="arial" size="2"><br></font></div><div><font face="arial" size="2">I need to upgrade my IPA version. Before going for this I need to have a replica of the existing one. Is it okay to have the replica while all these issues exist?</font></div><div><font face="arial" size="2"><br></font></div><div><font face="arial" size="2">Nidal.</font></div><div><font face="arial" size="2"><br></font></div><font face="arial" size="2">--- On </font><b style="font-family: arial; font-size: 10pt;
">Wed, 1/4/12, Rob Crittenden <i>&lt;rcritten@redhat.com&gt;</i></b><font face="arial" size="2"> wrote:</font><br><blockquote style="font-family: arial; font-size: 10pt; border-left-width: 2px; border-left-style: solid; border-left-color: rgb(16, 16, 255); margin-left: 5px; padding-left: 5px; "><br>From: Rob Crittenden &lt;rcritten@redhat.com&gt;<br>Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA<br>To: "nasir nasir" &lt;kollathodi@yahoo.com&gt;<br>Cc: freeipa-users@redhat.com, fasilkaks@gmail.com<br>Date: Wednesday, January 4, 2012, 2:40 PM<br><br><div class="plainMail">nasir nasir wrote:<br>> Thanks for the reply Rob,<br>><br>> Indeed there are host entries.<br>> Please find below the output of your below mentioned guidelines.<br>><br>
> # klist -kt /etc/krb5.keytab<br>> Keytab name: WRFILE:/etc/krb5.keytab<br>> KVNO Timestamp Principal<br>> ---- ----------------- --------------------------------------------------------<br>
> 2 06/19/11 14:27:17 host/xxxxxx.xxxxxx.com@xxxxxx.COM<br>> 2 06/19/11 14:27:17 host/xxxxxx.xxxxxx.com@xxxxxx.COM<br>> 2 06/19/11 14:27:17 host/xxxxxx.xxxxxx.com@xxxxxx.COM<br>> 2 06/19/11 14:27:17 host/xxxxxx.xxxxxx.com@xxxxxx.COM<br>> 2 06/19/11 14:27:17 host/xxxxxx.xxxxxx.com@xxxxxx.COM<br>> 2 06/19/11 14:27:17 host/xxxxxx.xxxxxx.com@xxxxxx.COM<br>
> 2 06/20/11 09:07:26 host/test1.xxxxxx.com@xxxxxx.COM<br>> 2 06/20/11 09:07:26 host/test1.xxxxxx.com@xxxxxx.COM<br>> 2 06/20/11 09:07:26 host/test1.xxxxxx.com@xxxxxx.COM<br>> 2 06/20/11 09:07:26 host/test1.xxxxxx.com@xxxxxx.COM<br>
> 6 06/20/11 09:09:12 nfs/nfs.xxxxxx.com@xxxxxx.COM<br>> 6 06/20/11 09:09:12 nfs/nfs.xxxxxx.com@xxxxxx.COM<br>> 6 06/20/11 09:09:12 nfs/nfs.xxxxxx.com@xxxxxx.COM<br>> 6 06/20/11 09:09:12 nfs/nfs.xxxxxx.com@xxxxxx.COM<br>
> 2 06/20/11 09:11:24 nfs/test1.xxxxxx.com@xxxxxx.COM<br>> 2 06/20/11 09:11:24 nfs/test1.xxxxxx.com@xxxxxx.COM<br>> 2 06/20/11 09:11:24 nfs/test1.xxxxxx.com@xxxxxx.COM<br>> 2 06/20/11 09:11:24 nfs/test1.xxxxxx.com@xxxxxx.COM<br>><br>
> # kinit -kt /etc/krb5.keytab host/openipa.hugayet.com<br>> kinit: Password incorrect while getting initial credentials<br>><br>> # kinit admin<br>> (the password is accepted successfully here)<br>><br>> # kinit -kt /etc/krb5.keytab host/openipa.hugayet.com<br>> kinit: Password incorrect while getting initial credentials<br>><br>> What could be the possible issue of the invalid credential error? Please<br>> help.<br><br>
Probably the most expedient fix is to use ipa-getkeytab to get new <br>credentials for the host service. Here is an example assuming you need a <br>new keytab for your freeIPA server itself:<br><br># ipa-getkeytab -s ipa.example.com -p host/ipa.example.com -k /etc/krb5.keytab<br><br>rob<br><br>><br>> Nidal<br>
> --- On *Wed, 1/4/12, Rob Crittenden /&lt;rcritten@redhat.com&gt;/* wrote:<br>><br>><br>> From: Rob Crittenden &lt;rcritten@redhat.com&gt;<br>> Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA<br>> To: "nasir nasir" &lt;kollathodi@yahoo.com&gt;<br>> Cc: "Rich Megginson" &lt;rmeggins@redhat.com&gt;,<br>> freeipa-users@redhat.com, fasilkaks@gmail.com<br>> Date:
Wednesday, January 4, 2012, 11:52 AM<br>><br>> nasir nasir wrote:<br>> > Thanks for all the replies.<br>> ><br>> > Rob,<br>> > Please find the output of your guidelines.<br>><br>> Here is the culprit:<br>><br>> ca-error: Error setting up ccache for local "host" service using<br>> default<br>> keytab.<br>><br>> certmonger authenticates to IPA using the host service principal<br>> installed on each client (and master). For some reason that can't be<br>> used.<br>><br>> Check the keytab:<br>><br>> # klist -kt /etc/krb5.keytab<br>><br>> If
there are host entries there, try it:<br>><br>> # kinit -kt /etc/krb5.keytab host/server.example.com<br>><br>> rob<br>><br>> ><br>> > # ipa-getcert list<br>> > Number of certificates and requests being tracked: 3.<br>> > Request ID '20110619112648':<br>> > status: MONITORING<br>> > ca-error: Error setting up ccache for local "host" service using<br>> default<br>> > keytab.<br>> > stuck: no<br>> > key pair storage:<br>> ><br>> type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-COM',nickname='Server-Cert',token='NSS<br>> > Certificate
DB',pinfile='/etc/dirsrv/slapd-xxxxx-COM//pwdfile.txt'<br>> > certificate:<br>> ><br>> type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-COM',nickname='Server-Cert',token='NSS<br>> > Certificate DB'<br>> > CA: IPA<br>> > issuer: CN=Certificate Authority,O=xxxxx.COM<br>> > subject: CN=xxxxx.xxxxx.com,O=xxxxx.COM<br>> > expires: 20111216112647<br>> > eku: id-kp-serverAuth<br>> > track: yes<br>> > auto-renew: yes<br>> > Request ID '20110619112705':<br>> > status: MONITORING<br>> > ca-error: Error setting up ccache for local "host" service using<br>> default<br>>
> keytab.<br>> > stuck: no<br>> > key pair storage:<br>> ><br>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>> > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'<br>> > certificate:<br>> ><br>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>> > Certificate DB'<br>> > CA: IPA<br>> > issuer: CN=Certificate Authority,O=xxxxx.COM<br>> > subject: CN=xxxxx.xxxxx.com,O=xxxxx.COM<br>> > expires: 20111216112704<br>> > eku: id-kp-serverAuth<br>> > track:
yes<br>> > auto-renew: yes<br>> > Request ID '20110619112721':<br>> > status: MONITORING<br>> > ca-error: Error setting up ccache for local "host" service using<br>> default<br>> > keytab.<br>> > stuck: no<br>> > key pair storage:<br>> ><br>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>> > certificate:<br>> ><br>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>> > Certificate DB'<br>> > CA: IPA<br>>
> issuer: CN=Certificate Authority,O=xxxxx.COM<br>> > subject: CN=xxxxx.xxxxx.com,O=xxxxx.COM<br>> > expires: 20111216112720 eku: id-kp-serverAuth track: yes<br>> > auto-renew: yes<br>> ><br>> > # certutil -L -d /etc/httpd/alias<br>> > Certificate Nickname Trust Attributes<br>> > SSL,S/MIME,JAR/XPI<br>> > Server-Cert u,u,u<br>> > HUGAYET.COM IPA CA CT,C,C<br>> > ipaCert u,u,u<br>> > Signing-Cert u,u,u<br>> ><br>> > Now track it<br>> > # ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert<br>> > Request "20110619112721" modified.<br>>
><br>> > #ipa-getcert list<br>> > Number of certificates and requests being tracked: 3.<br>> > Request ID '20110619112648':<br>> > status: MONITORING<br>> > ca-error: Error setting up ccache for local "host" service using<br>> default<br>> > keytab.<br>> > stuck: no<br>> > key pair storage:<br>> ><br>> type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-COM',nickname='Server-Cert',token='NSS<br>> > Certificate DB',pinfile='/etc/dirsrv/slapd-xxxxx-COM//pwdfile.txt'<br>> > certificate:<br>> ><br>>
type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-COM',nickname='Server-Cert',token='NSS<br>> > Certificate DB'<br>> > CA: IPA<br>> > issuer: CN=Certificate Authority,O=xxxxx.COM<br>> > subject: CN=xxxxx.xxxxx.com,O=xxxxx.COM<br>> > expires: 20111216112647<br>> > eku: id-kp-serverAuth<br>> > track: yes<br>> > auto-renew: yes<br>> > Request ID '20110619112705':<br>> > status: MONITORING<br>> > ca-error: Error setting up ccache for local "host" service using<br>> default<br>> > keytab.<br>> > stuck: no<br>> > key pair storage:<br>>
><br>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>> > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'<br>> > certificate:<br>> ><br>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>> > Certificate DB'<br>> > CA: IPA<br>> > issuer: CN=Certificate Authority,O=xxxxx.COM<br>> > subject: CN=xxxxx.xxxxx.com,O=xxxxx.COM<br>> > expires: 20111216112704<br>> > eku: id-kp-serverAuth<br>> > track: yes<br>> > auto-renew: yes<br>> > Request ID '20110619112721':<br>> > status:
MONITORING<br>> > ca-error: Error setting up ccache for local "host" service using<br>> default<br>> > keytab.<br>> > stuck: no<br>> > key pair storage:<br>> ><br>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>> > certificate:<br>> ><br>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>> > Certificate DB'<br>> > CA: IPA<br>> > issuer: CN=Certificate Authority,O=xxxxx.COM<br>> > subject: CN=xxxxx.xxxxx.com,O=xxxxx.COM<br>> >
expires: 20111216112720<br>> > eku: id-kp-serverAuth<br>> > track: yes<br>> > auto-renew: yes<br>> ><br>> > The issue is still there as you can see the expiry dates are not getting modified.<br>> ><br>> > Nidal.<br>> ><br>
> > --- On *Tue, 1/3/12, Rob Crittenden /&lt;rcritten@redhat.com&gt;/* wrote:<br>> ><br>> ><br>> > From: Rob Crittenden &lt;rcritten@redhat.com&gt;<br>> > Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA<br>> > To: "nasir nasir" &lt;kollathodi@yahoo.com&gt;<br>> > Cc: "Rich Megginson" &lt;rmeggins@redhat.com&gt;,<br>> > freeipa-users@redhat.com, fasilkaks@gmail.com<br>> > Date: Tuesday, January 3, 2012, 2:23 PM<br>> ><br>> > nasir nasir wrote:<br>> > ><br>> > ><br>
> > > --- On *Tue, 1/3/12, Rich Megginson /&lt;rmeggins@redhat.com&gt;/* wrote:<br>> > ><br>> > ><br>> > > From: Rich Megginson &lt;rmeggins@redhat.com&gt;<br>> > > Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA<br>> > > To: "nasir nasir" &lt;kollathodi@yahoo.com&gt;<br>> > > Cc: freeipa-users@redhat.com, fasilkaks@gmail.com<br>> > > Date: Tuesday, January 3, 2012, 7:41 AM<br>> > ><br>> > > On 01/03/2012 12:52 AM, nasir nasir wrote:<br>> > >> Hi,<br>> > >><br>
> > >> I am facing a serious issue with my production IPA server. When I<br>> > >> try to access IPA web interface using Firefox, it hangs and<br>> > >> doesn't allow me to get in. It seems to be due to expired SSL<br>> > >> certificate as seen in the apache log file,<br>> > >><br>> > >><br>
> > >> [Tue Jan 03 10:34:08 2012] [error] Certificate not verified:<br>> > >> 'Server-Cert'<br>> > >> [Tue Jan 03 10:34:08 2012] [error] SSL Library Error: -8181<br>> > >> Certificate has expired<br>> > >> [Tue Jan 03 10:34:08 2012] [error] Unable to verify certificate<br>> > >> 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the<br>> > >> server can start until the problem can be resolved.<br>> > >> [Tue Jan 03 10:34:08 2012] [error] Certificate not verified:<br>> > >> 'Server-Cert'<br>> > >><br>> > >><br>
> > >> Also, when I try to use the command line (ipa user-mod or<br>> > >> user-show commands) it too just hangs and doesn't give any output<br>> > >> or allow me for any input. I can see the following in krb5kdc.log,<br>> > >><br>
> > >> Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2426](info): preauth<br>> > >> (timestamp) verify failure: Decrypt integrity check failed<br>> > >> Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2426](info): AS_REQ (4<br>> > >> etypes {18 17 16 23}) 192.168.1.10: PREAUTH_FAILED:<br>> > >> host/xxxxx.xxxxx.com@XXXXXX.COM for<br>> > >> krbtgt/XXXXXX.COM@XXXXXX.COM, Decrypt integrity<br>> > >> check failed<br>> > >> Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2429](info): AS_REQ (4<br>> > >> etypes {18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH:<br>> > >> host/xxxx.xxxxx.com@XXXXX.COM for<br>> > >> krbtgt/XXXXXX.COM@XXXXXX.COM<a ymailto="mailto:XXXXXX.COM@XXXXXX.COM"
href="/mc/compose?to=XXXXXX.COM@XXXXXX.COM">XXXXXX.COM@XXXXXX.COM</a>><br>> > </mc/compose?to=<a ymailto="mailto:XXXXXX.COM@XXXXXX.COM" href="/mc/compose?to=XXXXXX.COM@XXXXXX.COM">XXXXXX.COM@XXXXXX.COM</a><br>> </mc/compose?to=<a ymailto="mailto:XXXXXX.COM@XXXXXX.COM" href="/mc/compose?to=XXXXXX.COM@XXXXXX.COM">XXXXXX.COM@XXXXXX.COM</a>>>>, Additional<br>> > >> pre-authentication required<br>> > >><br>> > >><br>> > >> The output of "certutil -L -d /etc/httpd/alias -n Server-Cert"<br>> > >> confirms that certificate is expired as given below.<br>> > >><br>> > >> Certificate:<br>> > >> Data:<br>> > >>
Version: 3 (0x2)<br>> > >> Serial Number: 10 (0xa)<br>> > >> Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption<br>> > >> Issuer: "CN=Certificate Authority,O=XXXXXX.COM"<br>> > >> Validity:<br>> > >> Not Before: Sun Jun 19 11:27:20 2011<br>> > >> Not After : Fri Dec 16 11:27:20 2011<br>> > >><br>> > >><br>> > >> Relevant info<br>> > >><br>> > >> OS: RHEL 6.1<br>> > >><br>> > >><br>> > >> Output of rpm -qa | grep ipa<br>> > >><br>> > >>
ipa-client-2.0.0-23.el6.i686<br>> > >> ipa-pki-ca-theme-9.0.3-6.el6.noarch<br>> > >> ipa-pki-common-theme-9.0.3-6.el6.noarch<br>> > >> device-mapper-multipath-libs-0.4.9-41.el6.i686<br>> > >> python-iniparse-0.3.1-2.1.el6.noarch<br>> > >> ipa-python-2.0.0-23.el6.i686<br>> > >> ipa-server-selinux-2.0.0-23.el6.i686<br>> > >> ipa-server-2.0.0-23.el6.i686<br>> > >> device-mapper-multipath-0.4.9-41.el6.i686<br>> > >> ipa-admintools-2.0.0-23.el6.i686<br>> > >><br>> > >><br>> > >> I went through the documentations to check how to renew the<br>> > >>
expired certs but it seems to be confusing and different across<br>> > >> versions. Could someone please help me out by suggesting which is<br>> > >> the best way to achieve this ? Any help would be greatly<br>> > >> appreciated as I am unable to perform any task on the IPA server<br>> > >> now because of this.<br>> > >><br>> > > I suggest following the mod_nss suggestion to allow it to start and<br>> > > use the expired cert while you attempt to figure this out.<br>> > ><br>> > > Thanks indeed for the suggestion. I will consider this. But can<br>> > > anyone point me the steps to renew certificate from the expired<br>> one
?<br>> > ><br>> > > Thankds and regards,<br>> > > Nidal<br>> ><br>> > Lets start with figuring out why certmonger didn't do this for you:<br>> ><br>> > Can you run as root: ipa-getcert list<br>> ><br>> > You should have something like:<br>> ><br>> > Request ID '20111215203350':<br>> > status: MONITORING<br>> > stuck: no<br>> > key pair storage:<br>> ><br>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>> ><br>> > Certificate
DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>> > certificate:<br>> ><br>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>> ><br>> > Certificate DB'<br>> > CA: IPA<br>> > issuer: CN=EXAMPLE.COM Certificate Authority<br>> > subject: CN=rawhide.example.com,O=EXAMPLE.COM<br>> > expires: 2021-12-15 20:33:50 UTC<br>> > track: yes<br>> > auto-renew: yes<br>> ><br>> > If you don't have something like this then perhaps the easiest way to<br>> > get it renewed is to tell certmonger to track it. First, look at your<br>> > current database, it should
look something like:<br>> ><br>> > # certutil -L -d /etc/httpd/alias<br>> ><br>> > Server-Cert u,u,u<br>> > EXAMPLE.COM IPA CA CTu,u,Cu<br>> > Signing-Cert u,u,u<br>> ><br>> > Now track it<br>> ><br>> > # ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert<br>> ><br>> > Use ipa-getcert list to track the status of the renewal. Once it has<br>> > been completed you can reset the EnforceValidCerts option and restart<br>> > Apache.<br>> ><br>> > If certmonger is already tracking the cert and the renewal has failed<br>>
> then please provide the ipa-getcert list output.<br>> ><br>> > rob<br>> ><br>><br><br></div></blockquote></div></td></tr></table>