<table cellspacing="0" cellpadding="0" border="0" ><tr><td valign="top" style="font: inherit;">Thanks for the input Rob,<div><br></div><div>We have already did it with your previous input and everything got normal.</div><div><br></div><div>But the ipa user-show admin command gave the following errors.</div><div><span style="font-size: 10pt; "># ipa user-show admin</span></div><div><div><div>ipa: ERROR: cert validation failed for "CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)</div><div>ipa: ERROR: cert validation failed for "CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)</div><div>ipa: ERROR: cannot connect to 'any of the configured servers': https://xxxxxx.xxxxxx.com/ipa/xml, https://xxxxxx.xxxxxx.com/ipa/xml</div></div></div><div><br></div><div>Regardless of the above error,
everything seems to be working fine.</div><div><span style="font-size: 10pt; ">Now we need to have the replica of the server before going for an upgrade of IPA. </span></div><div><br></div><div>Thank you all for the wonderful support during our hard times. </div><div><br></div><div>Nidal.</div><div><br></div><div><br></div><div>--- On <b>Fri, 1/6/12, Rob Crittenden <i><rcritten@redhat.com></i></b> wrote:<br><blockquote style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;"><br>From: Rob Crittenden <rcritten@redhat.com><br>Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA<br>To: "nasir nasir" <kollathodi@yahoo.com><br>Cc: freeipa-users@redhat.com, fasilkaks@gmail.com<br>Date: Friday, January 6, 2012, 7:21 AM<br><br><div class="plainMail">nasir nasir wrote:<br>> Rob,<br>><br>> # ipa user-show admin<br>> ipa: ERROR: cert validation failed for<br>>
"CN=openipa.hugayet.com,O=HUGAYET.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE)<br>> Peer's Certificate has expired.)<br>> ipa: ERROR: cert validation failed for<br>> "CN=openipa.hugayet.com,O=HUGAYET.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE)<br>> Peer's Certificate has expired.)<br>> ipa: ERROR: cannot connect to 'any of the configured servers':<br>> <a href="https://openipa.hugayet.com/ipa/xml" target="_blank">https://openipa.hugayet.com/ipa/xml</a>, <a href="https://openipa.hugayet.com/ipa/xml" target="_blank">https://openipa.hugayet.com/ipa/xml</a><br>><br>> >>>>From what Nalin said, certmonger users /etc/ipa/ca.crt. This needs<br>> to match the CA that issued your Apache cert.>>>>>><br>><br>> How can we proceed further?<br><br>I think you're going to need to set the system time back to when the <br>certificate is valid to do the renewal.<br><br>rob<br><br>><br>>
Nidal.<br>><br>><br>> --- On *Thu, 1/5/12, Rob Crittenden /<<a ymailto="mailto:rcritten@redhat.com" href="/mc/compose?to=rcritten@redhat.com">rcritten@redhat.com</a>>/*wrote:<br>><br>><br>> From: Rob Crittenden <<a ymailto="mailto:rcritten@redhat.com" href="/mc/compose?to=rcritten@redhat.com">rcritten@redhat.com</a>><br>> Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA<br>> To: "nasir nasir" <<a ymailto="mailto:kollathodi@yahoo.com" href="/mc/compose?to=kollathodi@yahoo.com">kollathodi@yahoo.com</a>><br>> Cc: <a ymailto="mailto:freeipa-users@redhat.com" href="/mc/compose?to=freeipa-users@redhat.com">freeipa-users@redhat.com</a>, <a ymailto="mailto:fasilkaks@gmail.com" href="/mc/compose?to=fasilkaks@gmail.com">fasilkaks@gmail.com</a><br>> Date: Thursday, January 5,
2012, 2:21 PM<br>><br>> nasir nasir wrote:<br>> > Hi Rob,<br>> ><br>> > Added the directive "NSSEnforceValidCerts off" in<br>> > /etc/httpd/conf.d/nss.conf and restarted httpd. Please find the<br>> > /var/log/httpd/error_log<br>> ><br>> > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:<br>> > KeyError(-1215723696,) in <module 'threading' from<br>> > '/usr/lib/python2.6/threading.pyc'> ignored<br>> > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:<br>> > KeyError(-1215723696,) in <module 'threading' from<br>> > '/usr/lib/python2.6/threading.pyc'> ignored<br>> > [Fri
Jan 06 01:06:29 2012] [error] Exception KeyError:<br>> > KeyError(-1215723696,) in <module 'threading' from<br>> > '/usr/lib/python2.6/threading.pyc'> ignored<br>> > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:<br>> > KeyError(-1215723696,) in <module 'threading' from<br>> > '/usr/lib/python2.6/threading.pyc'> ignored<br>> > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:<br>> > KeyError(-1215723696,) in <module 'threading' from<br>> > '/usr/lib/python2.6/threading.pyc'> ignored<br>> > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:<br>> > KeyError(-1215723696,) in <module 'threading' from<br>> >
'/usr/lib/python2.6/threading.pyc'> ignored<br>> > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:<br>> > KeyError(-1215723696,) in <module 'threading' from<br>> > '/usr/lib/python2.6/threading.pyc'> ignored<br>> > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:<br>> > KeyError(-1215723696,) in <module 'threading' from<br>> > '/usr/lib/python2.6/threading.pyc'> ignored<br>> > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:<br>> > KeyError(-1215723696,) in <module 'threading' from<br>> > '/usr/lib/python2.6/threading.pyc'> ignored<br>> > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:<br>> > KeyError(-1215723696,) in
<module 'threading' from<br>> > '/usr/lib/python2.6/threading.pyc'> ignored<br>> > [Fri Jan 06 01:06:29 2012] [notice] caught SIGTERM, shutting down<br>> > [Fri Jan 06 01:06:29 2012] [notice] suEXEC mechanism enabled<br>> (wrapper:<br>> > /usr/sbin/suexec)<br>> > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified:<br>> 'Server-Cert'<br>> > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181<br>> Certificate<br>> > has expired<br>> > [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired:<br>> > 'Server-Cert'<br>> > [Fri Jan 06 01:06:30 2012] [notice] Digest: generating secret
for<br>> digest<br>> > authentication ...<br>> > [Fri Jan 06 01:06:30 2012] [notice] Digest: done<br>> > [Fri Jan 06 01:06:30 2012] [warn] mod_wsgi: Compiled for<br>> Python/2.6.2.<br>> > [Fri Jan 06 01:06:30 2012] [warn] mod_wsgi: Runtime using<br>> Python/2.6.6.<br>> > [Fri Jan 06 01:06:30 2012] [notice] Apache/2.2.15 (Unix) DAV/2<br>> > mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.12.9.0 mod_wsgi/3.2<br>> Python/2.6.6<br>> > configured -- resuming normal operations<br>> > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified:<br>> 'Server-Cert'<br>> > [Fri Jan 06 01:06:30 2012] [error]
SSL Library Error: -8181<br>> Certificate<br>> > has expired<br>> > [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired:<br>> > 'Server-Cert'<br>> > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified:<br>> 'Server-Cert'<br>> > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181<br>> Certificate<br>> > has expired<br>> > [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired:<br>> > 'Server-Cert'<br>> > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified:<br>> 'Server-Cert'<br>> > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error:
-8181<br>> Certificate<br>> > has expired<br>> > [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired:<br>> > 'Server-Cert'<br>> > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified:<br>> 'Server-Cert'<br>> > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181<br>> Certificate<br>> > has expired<br>> > [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired:<br>> > 'Server-Cert'<br>> > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified:<br>> 'Server-Cert'<br>> > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181<br>>
Certificate<br>> > has expired<br>> > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified:<br>> 'Server-Cert'<br>> > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181<br>> Certificate<br>> > has expired<br>> > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified:<br>> 'Server-Cert'<br>> > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181<br>> Certificate<br>> > has expired<br>> > [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired:<br>> > 'Server-Cert'<br>> > [Fri Jan 06 01:06:30 2012] [error] Server certificate is
expired:<br>> > 'Server-Cert'<br>> > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified:<br>> 'Server-Cert'<br>> > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181<br>> Certificate<br>> > has expired<br>> > [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired:<br>> > 'Server-Cert'<br>> > [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired:<br>> > 'Server-Cert'<br>> > [Fri Jan 06 01:06:32 2012] [error] ipa: INFO: *** PROCESS START ***<br>> > [Fri Jan 06 01:06:32 2012] [error] ipa: INFO: *** PROCESS START ***<br>> ><br>> > # ipa-getcert
list<br>> > Number of certificates and requests being tracked: 3.<br>> > Request ID '20110619112648':<br>> > status: CA_UNREACHABLE<br>> > ca-error: Server failed request, will retry: -504 (libcurl failed to<br>> > execute the HTTP POST transaction. SSL connect error).<br>> > stuck: yes<br>> > key pair storage:<br>> ><br>> type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS<br>> > Certificate DB',pinfile='/etc/dirsrv/slapd-HUGAYET-COM//pwdfile.txt'<br>> > certificate:<br>> ><br>> type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS<br>>
> Certificate DB'<br>> > CA: IPA<br>> > issuer: CN=Certificate Authority,O=HUGAYET.COM<br>> > subject: CN=openipa.hugayet.com,O=HUGAYET.COM<br>> > expires: 20111216112647<br>> > eku: id-kp-serverAuth<br>> > track: yes<br>> > auto-renew: yes<br>> > Request ID '20110619112705':<br>> > status: CA_UNREACHABLE<br>> > ca-error: Server failed request, will retry: -504 (libcurl failed to<br>> > execute the HTTP POST transaction. SSL connect error).<br>> > stuck: yes<br>> > key pair storage:<br>> ><br>>
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>> > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'<br>> > certificate:<br>> ><br>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>> > Certificate DB'<br>> > CA: IPA<br>> > issuer: CN=Certificate Authority,O=HUGAYET.COM<br>> > subject: CN=openipa.hugayet.com,O=HUGAYET.COM<br>> > expires: 20111216112704<br>> > eku: id-kp-serverAuth<br>> > track: yes<br>> > auto-renew: yes<br>> > Request ID '20110619112721':<br>> > status:
CA_UNREACHABLE<br>> > ca-error: Server failed request, will retry: -504 (libcurl failed to<br>> > execute the HTTP POST transaction. Peer certificate cannot be<br>> > authenticated with known CA certificates).<br>> > stuck: yes<br>> > key pair storage:<br>> ><br>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>> > certificate:<br>> ><br>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>> > Certificate DB'<br>> > CA: IPA<br>> > issuer: CN=Certificate
Authority,O=HUGAYET.COM<br>> > subject: CN=openipa.hugayet.com,O=HUGAYET.COM<br>> > expires: 20111216112720<br>> > eku: id-kp-serverAuth<br>> > track: yes<br>> > auto-renew: yes<br>> ><br>> > Do we need to restart /etc/init.d/ipa service for all this to<br>> take effect?<br>><br>> No, and be very careful if your 389-ds cert is also expired.<br>><br>> This error really does mean that certmonger doesn't trust the SSL cert<br>> of your web server. Have you replaced your certs with something else?<br>><br>> Does a simple command like: ipa user-show admin work?<br>><br>> It may fail too due to the expired
cert. You may have to turn time back<br>> on this machine, but that won't affect the untrusted CA. From what<br>> Nalin<br>> said, certmonger users /etc/ipa/ca.crt. This needs to match the CA that<br>> issued your Apache cert.<br>><br>> rob<br>><br>> ><br>> > Nidal.<br>> ><br>> ><br>> > --- On *Thu, 1/5/12, Rob Crittenden /<<a ymailto="mailto:rcritten@redhat.com" href="/mc/compose?to=rcritten@redhat.com">rcritten@redhat.com</a><br>> </mc/compose?to=<a ymailto="mailto:rcritten@redhat.com" href="/mc/compose?to=rcritten@redhat.com">rcritten@redhat.com</a>>>/* wrote:<br>> ><br>> ><br>>
> From: Rob Crittenden <<a ymailto="mailto:rcritten@redhat.com" href="/mc/compose?to=rcritten@redhat.com">rcritten@redhat.com</a><br>> </mc/compose?to=<a ymailto="mailto:rcritten@redhat.com" href="/mc/compose?to=rcritten@redhat.com">rcritten@redhat.com</a>>><br>> > Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA<br>> > To: "nasir nasir" <<a ymailto="mailto:kollathodi@yahoo.com" href="/mc/compose?to=kollathodi@yahoo.com">kollathodi@yahoo.com</a><br>> </mc/compose?to=<a ymailto="mailto:kollathodi@yahoo.com" href="/mc/compose?to=kollathodi@yahoo.com">kollathodi@yahoo.com</a>>><br>> > Cc: <a ymailto="mailto:freeipa-users@redhat.com" href="/mc/compose?to=freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>> </mc/compose?to=<a
ymailto="mailto:freeipa-users@redhat.com" href="/mc/compose?to=freeipa-users@redhat.com">freeipa-users@redhat.com</a>>, <a ymailto="mailto:fasilkaks@gmail.com" href="/mc/compose?to=fasilkaks@gmail.com">fasilkaks@gmail.com</a><br>> </mc/compose?to=<a ymailto="mailto:fasilkaks@gmail.com" href="/mc/compose?to=fasilkaks@gmail.com">fasilkaks@gmail.com</a>><br>> > Date: Thursday, January 5, 2012, 8:59 AM<br>> ><br>> > nasir nasir wrote:<br>> > > Thanks for the input Rob,<br>> > ><br>> > > Please find below the /var/log/httpd/error_log<br>> > ><br>> > > [Thu Jan 05 19:50:46 2012] [error] Certificate not verified:<br>> > 'Server-Cert'<br>> > > [Thu Jan
05 19:50:46 2012] [error] SSL Library Error: -8181<br>> > Certificate<br>> > > has expired<br>> > > [Thu Jan 05 19:50:46 2012] [error] Certificate not verified:<br>> > 'Server-Cert'<br>> > > [Thu Jan 05 19:50:46 2012] [error] Unable to verify certificate<br>> > > 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the<br>> > server<br>> > > can start until the problem can be resolved.<br>> > ><br>> > > Do I need to add "NSSEnforceValidCerts off" in<br>> > > /etc/httpd/conf.d/nss.conf? Please advice.<br>> > ><br>> ><br>> > That explains why certmonger can't
connect. Yes, for now add that<br>> > directive and restart httpd. Then try the start-tracking again<br>> and see<br>> > if it renews the cert.<br>> ><br>> > rob<br>> ><br>> > > Nidal.<br>> > ><br>> > ><br>> > > --- On *Thu, 1/5/12, Rob Crittenden /<<a ymailto="mailto:rcritten@redhat.com" href="/mc/compose?to=rcritten@redhat.com">rcritten@redhat.com</a><br>> </mc/compose?to=<a ymailto="mailto:rcritten@redhat.com" href="/mc/compose?to=rcritten@redhat.com">rcritten@redhat.com</a>><br>> > </mc/compose?to=<a ymailto="mailto:rcritten@redhat.com" href="/mc/compose?to=rcritten@redhat.com">rcritten@redhat.com</a><br>>
</mc/compose?to=<a ymailto="mailto:rcritten@redhat.com" href="/mc/compose?to=rcritten@redhat.com">rcritten@redhat.com</a>>>>/* wrote:<br>> > ><br>> > ><br>> > > From: Rob Crittenden <<a ymailto="mailto:rcritten@redhat.com" href="/mc/compose?to=rcritten@redhat.com">rcritten@redhat.com</a><br>> </mc/compose?to=<a ymailto="mailto:rcritten@redhat.com" href="/mc/compose?to=rcritten@redhat.com">rcritten@redhat.com</a>><br>> > </mc/compose?to=<a ymailto="mailto:rcritten@redhat.com" href="/mc/compose?to=rcritten@redhat.com">rcritten@redhat.com</a><br>> </mc/compose?to=<a ymailto="mailto:rcritten@redhat.com" href="/mc/compose?to=rcritten@redhat.com">rcritten@redhat.com</a>>>><br>> > > Subject: Re: [Freeipa-users]
Expired SSL certificate issue with IPA<br>> > > To: "nasir nasir" <<a ymailto="mailto:kollathodi@yahoo.com" href="/mc/compose?to=kollathodi@yahoo.com">kollathodi@yahoo.com</a><br>> </mc/compose?to=<a ymailto="mailto:kollathodi@yahoo.com" href="/mc/compose?to=kollathodi@yahoo.com">kollathodi@yahoo.com</a>><br>> > </mc/compose?to=<a ymailto="mailto:kollathodi@yahoo.com" href="/mc/compose?to=kollathodi@yahoo.com">kollathodi@yahoo.com</a><br>> </mc/compose?to=<a ymailto="mailto:kollathodi@yahoo.com" href="/mc/compose?to=kollathodi@yahoo.com">kollathodi@yahoo.com</a>>>><br>> > > Cc: <a ymailto="mailto:freeipa-users@redhat.com" href="/mc/compose?to=freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>> </mc/compose?to=<a ymailto="mailto:freeipa-users@redhat.com"
href="/mc/compose?to=freeipa-users@redhat.com">freeipa-users@redhat.com</a>><br>> > </mc/compose?to=<a ymailto="mailto:freeipa-users@redhat.com" href="/mc/compose?to=freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>> </mc/compose?to=<a ymailto="mailto:freeipa-users@redhat.com" href="/mc/compose?to=freeipa-users@redhat.com">freeipa-users@redhat.com</a>>>, <a ymailto="mailto:fasilkaks@gmail.com" href="/mc/compose?to=fasilkaks@gmail.com">fasilkaks@gmail.com</a><br>> </mc/compose?to=<a ymailto="mailto:fasilkaks@gmail.com" href="/mc/compose?to=fasilkaks@gmail.com">fasilkaks@gmail.com</a>><br>> > </mc/compose?to=<a ymailto="mailto:fasilkaks@gmail.com" href="/mc/compose?to=fasilkaks@gmail.com">fasilkaks@gmail.com</a><br>> </mc/compose?to=<a ymailto="mailto:fasilkaks@gmail.com"
href="/mc/compose?to=fasilkaks@gmail.com">fasilkaks@gmail.com</a>>><br>> > > Date: Thursday, January 5, 2012, 7:38 AM<br>> > ><br>> > > nasir nasir wrote:<br>> > > > Thanks for the reply Rob.<br>> > > ><br>> > > > Please find below the output of your guidelines.<br>> > > ><br>> > > > # ipa-getkeytab -s xxxxxxx.xxxxxxx.com -p<br>> host/xxxxxx.xxxxxx.com -k<br>> > > > /etc/krb5.keytab<br>> > > > (the command was successful; it din't show any errors in the<br>> > > krb5kdc.log<br>> > > > or audit.log)<br>> > > ><br>>
> > > # kinit -kt /etc/krb5.keytab host/xxxxxx.xxxxxx.com<br>> > > ><br>> > > > krb5kdc.log<br>> > > > -----------------<br>> > > > Jan 05 15:20:32 xxxxxx.xxxxxx.com krb5kdc[2431](info): AS_REQ (4<br>> > > etypes<br>> > > > {18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH:<br>> > > > host/<a ymailto="mailto:xxxxxx.xxxxxx.com@xxxxxx.COM" href="/mc/compose?to=xxxxxx.xxxxxx.com@xxxxxx.COM">xxxxxx.xxxxxx.com@xxxxxx.COM</a><br>> </mc/compose?to=<a ymailto="mailto:xxxxxx.xxxxxx.com@xxxxxx.COM" href="/mc/compose?to=xxxxxx.xxxxxx.com@xxxxxx.COM">xxxxxx.xxxxxx.com@xxxxxx.COM</a>><br>> > </mc/compose?to=<a ymailto="mailto:xxxxxx.xxxxxx.com@xxxxxx.COM"
href="/mc/compose?to=xxxxxx.xxxxxx.com@xxxxxx.COM">xxxxxx.xxxxxx.com@xxxxxx.COM</a><br>> </mc/compose?to=<a ymailto="mailto:xxxxxx.xxxxxx.com@xxxxxx.COM" href="/mc/compose?to=xxxxxx.xxxxxx.com@xxxxxx.COM">xxxxxx.xxxxxx.com@xxxxxx.COM</a>>><br>> > > </mc/compose?to=<a ymailto="mailto:xxxxxx.xxxxxx.com@xxxxxx.COM" href="/mc/compose?to=xxxxxx.xxxxxx.com@xxxxxx.COM">xxxxxx.xxxxxx.com@xxxxxx.COM</a><br>> </mc/compose?to=<a ymailto="mailto:xxxxxx.xxxxxx.com@xxxxxx.COM" href="/mc/compose?to=xxxxxx.xxxxxx.com@xxxxxx.COM">xxxxxx.xxxxxx.com@xxxxxx.COM</a>><br>> > </mc/compose?to=<a ymailto="mailto:xxxxxx.xxxxxx.com@xxxxxx.COM" href="/mc/compose?to=xxxxxx.xxxxxx.com@xxxxxx.COM">xxxxxx.xxxxxx.com@xxxxxx.COM</a><br>> </mc/compose?to=<a ymailto="mailto:xxxxxx.xxxxxx.com@xxxxxx.COM"
href="/mc/compose?to=xxxxxx.xxxxxx.com@xxxxxx.COM">xxxxxx.xxxxxx.com@xxxxxx.COM</a>>>> for<br>> > > krbtgt/<a ymailto="mailto:xxxxxx.COM@xxxxxx.COM" href="/mc/compose?to=xxxxxx.COM@xxxxxx.COM">xxxxxx.COM@xxxxxx.COM</a> </mc/compose?to=<a ymailto="mailto:xxxxxx.COM@xxxxxx.COM" href="/mc/compose?to=xxxxxx.COM@xxxxxx.COM">xxxxxx.COM@xxxxxx.COM</a>><br>> > </mc/compose?to=<a ymailto="mailto:xxxxxx.COM@xxxxxx.COM" href="/mc/compose?to=xxxxxx.COM@xxxxxx.COM">xxxxxx.COM@xxxxxx.COM</a><br>> </mc/compose?to=<a ymailto="mailto:xxxxxx.COM@xxxxxx.COM" href="/mc/compose?to=xxxxxx.COM@xxxxxx.COM">xxxxxx.COM@xxxxxx.COM</a>>><br>> > </mc/compose?to=<a ymailto="mailto:xxxxxx.COM@xxxxxx.COM" href="/mc/compose?to=xxxxxx.COM@xxxxxx.COM">xxxxxx.COM@xxxxxx.COM</a><br>> </mc/compose?to=<a
ymailto="mailto:xxxxxx.COM@xxxxxx.COM" href="/mc/compose?to=xxxxxx.COM@xxxxxx.COM">xxxxxx.COM@xxxxxx.COM</a>><br>> > </mc/compose?to=<a ymailto="mailto:xxxxxx.COM@xxxxxx.COM" href="/mc/compose?to=xxxxxx.COM@xxxxxx.COM">xxxxxx.COM@xxxxxx.COM</a><br>> </mc/compose?to=<a ymailto="mailto:xxxxxx.COM@xxxxxx.COM" href="/mc/compose?to=xxxxxx.COM@xxxxxx.COM">xxxxxx.COM@xxxxxx.COM</a>>>>,<br>> > > > Additional pre-authentication required<br>> > > > Jan 05 15:20:32 xxxxxx.xxxxxx.com krb5kdc[2427](info): AS_REQ (4<br>> > > etypes<br>> > > > {18 17 16 23}) 192.168.1.10: ISSUE: authtime 1325766032, etypes<br>> > > {rep=18<br>> > > > tkt=18 ses=18}, host/<a ymailto="mailto:xxxxxx.xxxxxx.com@xxxxxx.COM"
href="/mc/compose?to=xxxxxx.xxxxxx.com@xxxxxx.COM">xxxxxx.xxxxxx.com@xxxxxx.COM</a><br>> </mc/compose?to=<a ymailto="mailto:xxxxxx.xxxxxx.com@xxxxxx.COM" href="/mc/compose?to=xxxxxx.xxxxxx.com@xxxxxx.COM">xxxxxx.xxxxxx.com@xxxxxx.COM</a>><br>> > </mc/compose?to=<a ymailto="mailto:xxxxxx.xxxxxx.com@xxxxxx.COM" href="/mc/compose?to=xxxxxx.xxxxxx.com@xxxxxx.COM">xxxxxx.xxxxxx.com@xxxxxx.COM</a><br>> </mc/compose?to=<a ymailto="mailto:xxxxxx.xxxxxx.com@xxxxxx.COM" href="/mc/compose?to=xxxxxx.xxxxxx.com@xxxxxx.COM">xxxxxx.xxxxxx.com@xxxxxx.COM</a>>><br>> > > </mc/compose?to=<a ymailto="mailto:xxxxxx.xxxxxx.com@xxxxxx.COM" href="/mc/compose?to=xxxxxx.xxxxxx.com@xxxxxx.COM">xxxxxx.xxxxxx.com@xxxxxx.COM</a><br>> </mc/compose?to=<a ymailto="mailto:xxxxxx.xxxxxx.com@xxxxxx.COM"
href="/mc/compose?to=xxxxxx.xxxxxx.com@xxxxxx.COM">xxxxxx.xxxxxx.com@xxxxxx.COM</a>><br>> > </mc/compose?to=<a ymailto="mailto:xxxxxx.xxxxxx.com@xxxxxx.COM" href="/mc/compose?to=xxxxxx.xxxxxx.com@xxxxxx.COM">xxxxxx.xxxxxx.com@xxxxxx.COM</a><br>> </mc/compose?to=<a ymailto="mailto:xxxxxx.xxxxxx.com@xxxxxx.COM" href="/mc/compose?to=xxxxxx.xxxxxx.com@xxxxxx.COM">xxxxxx.xxxxxx.com@xxxxxx.COM</a>>>> for<br>> > > > krbtgt/<a ymailto="mailto:xxxxxx.COM@xxxxxx.COM" href="/mc/compose?to=xxxxxx.COM@xxxxxx.COM">xxxxxx.COM@xxxxxx.COM</a><br>> </mc/compose?to=<a ymailto="mailto:xxxxxx.COM@xxxxxx.COM" href="/mc/compose?to=xxxxxx.COM@xxxxxx.COM">xxxxxx.COM@xxxxxx.COM</a>><br>> > </mc/compose?to=<a ymailto="mailto:xxxxxx.COM@xxxxxx.COM"
href="/mc/compose?to=xxxxxx.COM@xxxxxx.COM">xxxxxx.COM@xxxxxx.COM</a><br>> </mc/compose?to=<a ymailto="mailto:xxxxxx.COM@xxxxxx.COM" href="/mc/compose?to=xxxxxx.COM@xxxxxx.COM">xxxxxx.COM@xxxxxx.COM</a>>><br>> > </mc/compose?to=<a ymailto="mailto:xxxxxx.COM@xxxxxx.COM" href="/mc/compose?to=xxxxxx.COM@xxxxxx.COM">xxxxxx.COM@xxxxxx.COM</a><br>> </mc/compose?to=<a ymailto="mailto:xxxxxx.COM@xxxxxx.COM" href="/mc/compose?to=xxxxxx.COM@xxxxxx.COM">xxxxxx.COM@xxxxxx.COM</a>><br>> > </mc/compose?to=<a ymailto="mailto:xxxxxx.COM@xxxxxx.COM" href="/mc/compose?to=xxxxxx.COM@xxxxxx.COM">xxxxxx.COM@xxxxxx.COM</a><br>> </mc/compose?to=<a ymailto="mailto:xxxxxx.COM@xxxxxx.COM" href="/mc/compose?to=xxxxxx.COM@xxxxxx.COM">xxxxxx.COM@xxxxxx.COM</a>>>><br>> > > ><br>>
> > > # ipa-getcert list<br>> > > > Number of certificates and requests being tracked: 3.<br>> > > > Request ID '20110619112648':<br>> > > > status: CA_UNREACHABLE<br>> > > > ca-error: Server failed request, will retry: -504 (libcurl<br>> > failed to<br>> > > > execute the HTTP POST transaction. SSL connect error).<br>> > > > stuck: yes<br>> > > > key pair storage:<br>> > > ><br>> > ><br>> ><br>> type=NSSDB,location='/etc/dirsrv/slapd-xxxxxx-COM',nickname='Server-Cert',token='NSS<br>> > > > Certificate<br>>
DB',pinfile='/etc/dirsrv/slapd-xxxxxx-COM//pwdfile.txt'<br>> > > > certificate:<br>> > > ><br>> > ><br>> ><br>> type=NSSDB,location='/etc/dirsrv/slapd-xxxxxx-COM',nickname='Server-Cert',token='NSS<br>> > > > Certificate DB'<br>> > > > CA: IPA<br>> > > > issuer: CN=Certificate Authority,O=xxxxxx.COM<br>> > > > subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM<br>> > > > expires: 20111216112647<br>> > > > eku: id-kp-serverAuth<br>> > > > track: yes<br>> > > > auto-renew: yes<br>> > > > Request ID
'20110619112705':<br>> > > > status: CA_UNREACHABLE<br>> > > > ca-error: Server failed request, will retry: -504 (libcurl<br>> > failed to<br>> > > > execute the HTTP POST transaction. SSL connect error).<br>> > > > stuck: yes<br>> > > > key pair storage:<br>> > > ><br>> > ><br>> ><br>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>> > > > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'<br>> > > > certificate:<br>> > > ><br>> > ><br>> ><br>>
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>> > > > Certificate DB'<br>> > > > CA: IPA<br>> > > > issuer: CN=Certificate Authority,O=xxxxxx.COM<br>> > > > subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM<br>> > > > expires: 20111216112704<br>> > > > eku: id-kp-serverAuth<br>> > > > track: yes<br>> > > > auto-renew: yes<br>> > > > Request ID '20110619112721':<br>> > > > status: CA_UNREACHABLE<br>> > > > ca-error: Server failed request, will retry: -504 (libcurl<br>> > failed to<br>> > > > execute the
HTTP POST transaction. SSL connect error).<br>> > > > stuck: yes<br>> > > > key pair storage:<br>> > > ><br>> > ><br>> ><br>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>> > > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>> > > > certificate:<br>> > > ><br>> > ><br>> ><br>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>> > > > Certificate DB'<br>> > > > CA: IPA<br>> > > > issuer: CN=Certificate Authority,O=xxxxxx.COM<br>>
> > > subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM<br>> > > > expires: 20111216112720<br>> > > > eku: id-kp-serverAuth<br>> > > > track: yes<br>> > > > auto-renew: yes<br>> > > ><br>> > > > # ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert<br>> > > > Request "20110619112721" modified.<br>> > > ><br>> > > > # ipa-getcert list<br>> > > > Number of certificates and requests being tracked: 3.<br>> > > > Request ID '20110619112648':<br>> > > > status: CA_UNREACHABLE<br>> > > > ca-error: Server failed request, will
retry: -504 (libcurl<br>> > failed to<br>> > > > execute the HTTP POST transaction. SSL connect error).<br>> > > > stuck: yes<br>> > > > key pair storage:<br>> > > ><br>> > ><br>> ><br>> type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS<br>> > > > Certificate<br>> > DB',pinfile='/etc/dirsrv/slapd-HUGAYET-COM//pwdfile.txt'<br>> > > > certificate:<br>> > > ><br>> > ><br>> ><br>> type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS<br>>
> > > Certificate DB'<br>> > > > CA: IPA<br>> > > > issuer: CN=Certificate Authority,O=HUGAYET.COM<br>> > > > subject: CN=openipa.hugayet.com,O=HUGAYET.COM<br>> > > > expires: 20111216112647<br>> > > > eku: id-kp-serverAuth<br>> > > > track: yes<br>> > > > auto-renew: yes<br>> > > > Request ID '20110619112705':<br>> > > > status: CA_UNREACHABLE<br>> > > > ca-error: Server failed request, will retry: -504 (libcurl<br>> > failed to<br>> > > > execute the HTTP POST transaction. SSL connect error).<br>> > > > stuck: yes<br>>
> > > key pair storage:<br>> > > ><br>> > ><br>> ><br>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>> > > > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'<br>> > > > certificate:<br>> > > ><br>> > ><br>> ><br>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>> > > > Certificate DB'<br>> > > > CA: IPA<br>> > > > issuer: CN=Certificate Authority,O=HUGAYET.COM<br>> > > > subject:
CN=openipa.hugayet.com,O=HUGAYET.COM<br>> > > > expires: 20111216112704<br>> > > > eku: id-kp-serverAuth<br>> > > > track: yes<br>> > > > auto-renew: yes<br>> > > > Request ID '20110619112721':<br>> > > > status: SUBMITTING<br>> > > > stuck: no<br>> > > > key pair storage:<br>> > > ><br>> > ><br>> ><br>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>> > > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>> > > > certificate:<br>> > > ><br>>
> ><br>> ><br>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>> > > > Certificate DB'<br>> > > > CA: IPA<br>> > > > issuer: CN=Certificate Authority,O=HUGAYET.COM<br>> > > > subject: CN=openipa.hugayet.com,O=HUGAYET.COM<br>> > > > expires: 20111216112720<br>> > > > eku: id-kp-serverAuth<br>> > > > track: yes<br>> > > > auto-renew: yes<br>> > > ><br>> > > > and after few minutes, the status 'SUBMITTING' will be changed as<br>> > > > 'CA_UNREACHABLE'<br>> > > > Do we need to restart
the /etc/init.d/ipa service for this? I am<br>> > > working<br>> > > > remotely.<br>> > ><br>> > > It isn't logging enough information to know why it failed. Can<br>> > you look<br>> > > in the Apache error log to see why the request failed?<br>> > ><br>> > > My first thought was that there was a CA trust issue. I believe<br>> that<br>> > > certmonger uses the NSS database where the certificate is stored so<br>> > > since it is also doing this against Apache (which in theory trust<br>> > is ok<br>> > > for it to start at all) so I'm baffled. Hopefully the httpd logs<br>>
> > will be<br>> > > enlightening.<br>> > ><br>> > > ><br>> > > > I need to upgrade my IPA version. Before going for this I need to<br>> > > have a<br>> > > > replica of the existing one. Is it okay to have the replica<br>> > while all<br>> > > > these issues exist?<br>> > ><br>> > ><br>> > > Yes, you should be able to create a replica, this shouldn't<br>> > affect it.<br>> > ><br>> > > rob<br>> > ><br>> ><br>><br><br></div></blockquote></div></td></tr></table>