<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<font face="Courier New, Courier, monospace"># getcert list | grep
expires<br>
expires: 2018-04-02 13:04:51 UTC<br>
expires: 2018-04-02 13:04:31 UTC<br>
expires: unknown<br>
expires: 2016-04-17 18:19:19 UTC<br>
expires: 2016-04-17 18:19:18 UTC<br>
expires: 2016-04-17 18:19:19 UTC<br>
expires: 2016-04-01 20:16:39 UTC<br>
expires: 2016-04-17 18:19:35 UTC<br>
expires: 2016-03-11 13:04:29 UTC<br>
expires: unknown<br>
#</font><br>
<br>
So some got updated and most didn't. Is there a recommended way to
update these all? The system is still backdated to 3 April (ntpd
disabled) at this point.<br>
<br>
<br>
Bret<br>
<br>
<br>
<div class="moz-cite-prefix">On 04/26/2016 11:46 AM, Petr Vobornik
wrote:<br>
</div>
<blockquote
cite="mid:7c9ac60d-f182-cb92-bf53-85359e5c5b81@redhat.com"
type="cite">
<pre wrap="">On 04/26/2016 03:26 PM, Bret Wortman wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On our non-CA IPA server, this is happening, in case it's related and illustrative:
# ipa host-del zw113.private.net
ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
certificate/key database is in an old, unsupported format.
#
</pre>
</blockquote>
<pre wrap="">
I would start with checking on all IPA servers if and what certificates
are expired:
# getcert list
or short version to check if there are any:
# getcert list | grep expires
When CA cert is renewed, it is not automatically transfered to clients.
There one must run:
# ipa-certupdate
</pre>
<blockquote type="cite">
<pre wrap="">
On 04/26/2016 09:24 AM, Bret Wortman wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I rolled the date on the IPA server in question back to April 1 and ran
"ipa-cacert-manage renew", which said it completed successfully. I rolled the
date back to current and tried restarting ipa using ipactl stop && ipactl
start, but no joy. No more ca renewal errors, but right after the pause I see
this in /var/log/messages:
systemd: kadmin.service: main process exited, code=exited,
status=2/INVALIDARGUMENT
systemd: Unit kadmin.service entered failed state.
systemd: kadmin.service failed.
I rebooted the server just in case, and it's still getting stuck at the same
place. ipa-otpd doesn't get around to starting.
Bret
After the several-minutes-long pause after ipactl start outputs "Starting
pki-tomcatd Service", I get the
On 04/26/2016 08:14 AM, Bret Wortman wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I have an IPA server on a private network which has apparently run into
certificate issues this morning. It's been running without issue for quite a
while, and is on 4.1.4-1 on fedora 21.
This morning, the gui started giving:
IPA Error 907: NetworkError with description "cannot connect to
'<a class="moz-txt-link-freetext" href="https://zsipa.private.net:443/ca/agent/ca/displayBySerial">https://zsipa.private.net:443/ca/agent/ca/displayBySerial</a>':
(SSL_ERROR_EXPIRED_CERRT_ALERT) SSL peer rejected your certificate as expired."
I dug into the logs and after trying to restart ipa using ipactl, there was a
lengthy pause, then:
dogtag-ipa-ca-renew-agent-submit: Updated certificate not available
certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in
database "/etc/httpd/alias" is no longer valid.
dogtag-ipa-ca-renew-agent-submit: Updated certificate not available
certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS
Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
dogtag-ipa-ca-renew-agent-submit: Updated certificate not available.
named-pkcs11[3437]: client 192.168.208.205#57832: update
'208.168.192.in-addr.arpa/IN' denied
and then things start shutting down. I can't start ipa at all using ipactl.
So at present, our DNS is down. Authentication should work for a while, but
I'd like to get this working again as quickly as possible. Any ideas? I deal
with certificates so infrequently (like only when something like this
happens) that I'm not sure where to start.
Thanks!
--
*Bret Wortman*
/Coming soon to Kickstarter.../
<a class="moz-txt-link-rfc2396E" href="http://wrapbuddies.co/"><http://wrapbuddies.co/></a>
<a class="moz-txt-link-freetext" href="http://wrapbuddies.co/">http://wrapbuddies.co/</a>
</pre>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
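<p>Added example, not code from the original thread nor from FreeIPA or certmonger: a POSIX shell function that parses <code>getcert list</code> output and classifies each tracked certificate as EXPIRED, EXPIRING, UNKNOWN or OK against a reference time that you pass in explicitly, so the check stays correct on a server whose clock has been rolled back as described above. The sample stanzas are constructed to mirror the shape of <code>getcert list</code> output; the request IDs, database paths and nicknames in them are made up.</p>

```shell
#!/bin/sh
# Added example (not FreeIPA or certmonger code): classify the certificates
# tracked by certmonger against a caller-supplied reference time.

# Constructed sample in the shape of `getcert list` output. Request IDs,
# locations and nicknames are made up; real output has more fields per
# stanza and indents with a tab, which the parser below also accepts.
sample_getcert() {
cat <<'EOF'
Request ID '20160301120000':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert'
    expires: 2016-04-01 20:16:39 UTC
Request ID '20160301120001':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
    expires: 2018-04-02 13:04:51 UTC
Request ID '20160301120002':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-NET',nickname='Server-Cert'
    expires: 2016-05-10 08:00:00 UTC
Request ID '20160301120003':
    status: CA_UNREACHABLE
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='pending-cert'
    expires: unknown
EOF
}

# cert_expiry_report NOW [WARN_UNTIL]  < getcert-output
#   NOW         reference time, "YYYY-MM-DD HH:MM:SS" in UTC
#   WARN_UNTIL  optional later time; certs expiring before it are EXPIRING
# Prints one line per certificate: STATE<TAB>expires<TAB>nickname.
# Fixed-width ISO-8601 timestamps compare correctly as plain strings, so no
# date arithmetic (and no GNU date) is needed; "unknown" is reported as such
# rather than silently treated as valid.
cert_expiry_report() {
    awk -v now="$1" -v warn="$2" -v q="'" '
        /^[ \t]*certificate:/ {
            n = index($0, "nickname=" q)
            # skip the 9 chars of nickname= plus the opening quote
            nick = (n > 0) ? substr($0, n + 10) : "?"
            sub(q ".*$", "", nick)       # drop the closing quote and the rest
        }
        /^[ \t]*expires:/ {
            ex = $0
            sub(/^[ \t]*expires: */, "", ex)
            sub(/ UTC$/, "", ex)
            if (ex == "unknown")                state = "UNKNOWN"
            else if (ex < now)                  state = "EXPIRED"
            else if (warn != "" && ex < warn)   state = "EXPIRING"
            else                                state = "OK"
            printf "%s\t%s\t%s\n", state, ex, nick
            nick = "?"
        }'
}

# Usage on a live server: pipe the real command in and pass the true current
# time explicitly (on a backdated server the local clock is not trustworthy):
#   getcert list | cert_expiry_report '2016-04-26 11:00:00' '2016-05-26 11:00:00'
sample_getcert | cert_expiry_report '2016-04-26 11:00:00' '2016-05-26 11:00:00'
```

<p>Run this on every IPA server, not only the CA, since the thread shows certificates living in several NSS databases (/etc/httpd/alias, /etc/pki/pki-tomcat/alias and others); any line reported as UNKNOWN deserves a look at the full <code>getcert list</code> stanza, because certmonger prints that when it cannot read the certificate it is tracking.</p>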
<br>
</body>
</html>