<html><head></head><body><div style="color:#000; background-color:#fff; font-family:bookman old style, new york, times, serif;font-size:13px"><div id="yui_3_16_0_ym19_1_1469814286243_17234">Rob you are awesome and I don't know what I would do without you. So I have two things going on obviously. Following your instructions it looks like the DM password has correctly been set. I cannot change the admin password as a test because I get the cert errors. I am going to retry setting dates back and requesting new certs again following some of the threads I have seen. Could you please just clarify two points? On my 4 servers all running as CAs do I only need to set the date back to prior to expired certs running ipa-getcert list or the earliest expired date when running getcert list? The getcert list shows certs that have been expired since June but the ipa-getcert shows more recent. Also, does it matter which servers I do first? Meaning should I set time back on my "master" CA first.</div><div id="yui_3_16_0_ym19_1_1469814286243_17248"><br></div><div id="yui_3_16_0_ym19_1_1469814286243_17249">This is the expiration output info from my master:</div><div id="yui_3_16_0_ym19_1_1469814286243_17251"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1469814286243_17271">[root@ipa2 ~]# ipa-getcert list | grep expires<br id="yui_3_16_0_ym19_1_1469814286243_17296">    expires: 2016-08-26 16:41:24 UTC<br id="yui_3_16_0_ym19_1_1469814286243_17297">    expires: 2016-08-26 16:41:23 UTC<br id="yui_3_16_0_ym19_1_1469814286243_17298">    expires: 2016-08-26 16:41:24 UTC<br id="yui_3_16_0_ym19_1_1469814286243_17299">[root@ipa2 ~]# getcert list | grep expires<br id="yui_3_16_0_ym19_1_1469814286243_17300">    expires: 2016-08-26 16:41:24 UTC<br id="yui_3_16_0_ym19_1_1469814286243_17301">    expires: 2016-08-15 16:47:26 UTC<br id="yui_3_16_0_ym19_1_1469814286243_17302">    expires: 2016-08-26 16:41:23 UTC<br id="yui_3_16_0_ym19_1_1469814286243_17303">    expires: 2016-08-26 16:41:24 UTC<br id="yui_3_16_0_ym19_1_1469814286243_17304">    expires: 2016-06-06 23:36:29 UTC<br id="yui_3_16_0_ym19_1_1469814286243_17305">    expires: 2016-06-06 23:36:28 UTC<br id="yui_3_16_0_ym19_1_1469814286243_17306">    expires: 2016-06-06 23:36:28 UTC<br id="yui_3_16_0_ym19_1_1469814286243_17307">    expires: 2016-06-06 23:37:09 UTC<br></div><div id="yui_3_16_0_ym19_1_1469814286243_17113"><span><br></span></div><div id="yui_3_16_0_ym19_1_1469814286243_17324"><span><br></span></div><div id="yui_3_16_0_ym19_1_1469814286243_17334"><span>Again thank you, as always.</span></div><div id="yui_3_16_0_ym19_1_1469814286243_17071" class="qtdSeparateBR"><br><br></div><div style="display: block;" id="yui_3_16_0_ym19_1_1469814286243_17067" class="yahoo_quoted">  <div id="yui_3_16_0_ym19_1_1469814286243_17066" style="font-family: bookman old style, new york, times, serif; font-size: 13px;"> <div id="yui_3_16_0_ym19_1_1469814286243_17065" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yui_3_16_0_ym19_1_1469814286243_17064" dir="ltr"> <font id="yui_3_16_0_ym19_1_1469814286243_17063" face="Arial" size="2"> <hr size="1"> <b><span style="font-weight:bold;">From:</span></b> Rob Crittenden <rcritten@redhat.com><br> <b><span style="font-weight: bold;">To:</span></b> sipazzo <sipazzo@yahoo.com>; "freeipa-users@redhat.com" <freeipa-users@redhat.com> <br> <b><span style="font-weight: bold;">Sent:</span></b> Friday, July 29, 2016 2:10 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [Freeipa-users] certificates expired - won't renew<br> </font> </div> <div id="yui_3_16_0_ym19_1_1469814286243_17335" class="y_msg_container"><br>sipazzo wrote:<br clear="none">> I have seen many threads on this so sorry to bring it up again but I<br clear="none">> have a freeipa domain, with 4 ipa servers running on redhat 6 version<br clear="none">> 3.0.0-50. The certificates are expired/expiring and will not renew and<br clear="none">> it is causing many issues for us. I have tried the many suggestions I<br clear="none">> have see in the archives such as changing the time to prior to<br clear="none">> expiration and attempting renew by resubmitting the requests but they<br clear="none">> never renew. An example of getcert list from the first server that expired:<br clear="none">><br clear="none">> Number of certificates and requests being tracked: 8.<br clear="none"><br clear="none">[snip]<div class="yqt7837235487" id="yqtfd80442"><br clear="none"><br clear="none">> localhost log in /var/log/pki-ca have errors like:<br clear="none">> tail localhost.2016-07-29.log<br clear="none">> Jul 29, 2016 8:55:51 AM org.apache.catalina.core.StandardWrapperValve invoke<br clear="none">> SEVERE: Servlet.service() for servlet caProfileSubmit threw exception<br clear="none">> java.io.IOException: CS server is not ready to serve.<br clear="none">>      at<br clear="none">> com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:441)<br clear="none">>      at javax.servlet.http.HttpServlet.service(HttpServlet.java:723)<br clear="none">>      at<br clear="none">> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)<br clear="none">>      at<br clear="none">> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)<br clear="none">>      at<br clear="none">> com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)<br clear="none">>      at<br clear="none">> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)<br clear="none">>      at org.<br clear="none">><br clear="none">> Debug log in /var/log/pki-cacd<br clear="none">>   tail debug<br clear="none">> [29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password<br clear="none">> store initialized before.<br clear="none">> [29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password<br clear="none">> store initialized.<br clear="none">> [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable getLDAPConn:<br clear="none">> netscape.ldap.LDAPException: error result (49)<br clear="none">> [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable: unable to<br clear="none">> query sessionIds: java.io.IOException: Failed to connect to the internal<br clear="none">> database.<br clear="none">> [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable:<br clear="none">> getSessionIds: Error in disconnecting from database:<br clear="none">> java.lang.NullPointerException<br clear="none">> [29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password<br clear="none">> store initialized before.<br clear="none">> [29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password<br clear="none">> store initialized.<br clear="none">> [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable getLDAPConn:<br clear="none">> netscape.ldap.LDAPException: error result (49)<br clear="none">> [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable: unable to<br clear="none">> query sessionIds: java.io.IOException: Failed to connect to the internal<br clear="none">> database.<br clear="none">> [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable:<br clear="none">> getSessionIds: Error in disconnecting from database:<br clear="none">> java.lang.NullPointerException<br clear="none">><br clear="none">><br clear="none">> Performing most IPA commands results in errors such as ipa: ERROR: cert<br clear="none">> validation failed for "CN=ipa1.example.com,O=EXAMPLE.COM"<br clear="none">> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)<br clear="none">><br clear="none">> Not sure if it is related but we lost our first IPA server some time ago<br clear="none">> and had to promote another to the CA master. Also, due to someone<br clear="none">> leaving the company at the beginning of the year we had to change the<br clear="none">> directory manager password. I followed all the directions to do so but<br clear="none">> it does not seem like it was a completely smooth transaction.</div><br clear="none"><br clear="none">It is related. Your CA can't connect to its database. You must have <br clear="none">missed a step when updating the DM password.<br clear="none"><br clear="none">As a goof I just tried it on my RHEL 6 install and it seems to work, <br clear="none">this is what I did:<br clear="none"><br clear="none"># service dirsrv stop<br clear="none"># /usr/bin/pwdhash password<br clear="none"><br clear="none">edit both /etc/dirsrv/slapd-REALM/dse.ldif and <br clear="none">/etc/dirsrv/slapd-PKI-IPA/dse.ldif to set nsslapd-rootpw<br clear="none"><br clear="none"># service dirsrv start<br clear="none"><br clear="none">Check both of the new passwords:<br clear="none"><br clear="none"># ldapsearch -x -D "cn=directory manager" -W -s base -b "" <br clear="none">"objectclass=*"<br clear="none"># ldapsearch -h localhost -po 7389 -x -D "cn=directory manager" -W -s <br clear="none">base -b "" "objectclass=*"<br clear="none"><br clear="none">Update internaldb value in /etc/pki-ca/password.conf with the new password.<br clear="none"><br clear="none">Update and test the admin user password:<br clear="none"><br clear="none"># ldappasswd -h localhost -ZZ -p 7389 -x -D "cn=Directory Manager" -W -S <br clear="none">uid=admin,ou=people,o=ipaca<br clear="none"># ldapsearch -h localhost -ZZ -p 7389 -x -D <br clear="none">"uid=admin,ou=people,o=ipaca" -W -b "" -s base<br clear="none"><br clear="none">Restart the CA<br clear="none"><br clear="none"># service pki-cad restart<br clear="none"><br clear="none">Note that things _still_ aren't going to work so hot with all the <br clear="none">expired certs but if you go back in time you will at least have a chance <br clear="none">of renewing things.<br clear="none"><br clear="none">rob<div class="yqt7837235487" id="yqtfd55937"><br clear="none"></div><br><br></div> </div> </div>  </div></div></body></html>