<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Did you restart IPA when you moved time? Is there a more
detailed error description in the output of getcert list?<br>
</p>
<br>
<div class="moz-cite-prefix">On 14.09.2016 18:45, bahan w wrote:<br>
</div>
<blockquote
cite="mid:CAMJtubLfHKfDcptvRS5DNKiq5g7fYj1L7afr_upOKEtvxwhi=w@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>I set the date-time when the certificates were
valid :<br>
###<br>
# date -s '2016-05-27 10:00:00'<br>
Fri May 27 10:00:00 CEST 2016<br>
<br>
# date<br>
Fri May 27 10:00:02 CEST 2016<br>
###<br>
<br>
</div>
Then I try to renew them :<br>
###<br>
# getcert resubmit -i 20140528063919<br>
Resubmitting "20140528063919" to "IPA".<br>
<br>
# getcert resubmit -i 20140528064145<br>
Resubmitting "20140528064145" to "IPA".<br>
<br>
# getcert resubmit -i 20140528063953<br>
Resubmitting "20140528063953" to "IPA".<br>
###<br>
<br>
</div>
But when I do the getcert list after, the result is the
same.<br>
<br>
</div>
<div>I guess it is because of this ?<br>
CA_UNREACHABLE<br>
</div>
<div><br>
</div>
Any idea ?<br>
<br>
</div>
Best regards.<br>
<br>
</div>
Bahan<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Sep 14, 2016 at 6:38 PM, bahan
w <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:bahanw042014@gmail.com" target="_blank">bahanw042014@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>
<div>
<div>Ok, I managed to restart the IPA service by
adding this line in the file
/etc/httpd/conf.d/nss.conf :<br>
###<br>
NSSEnforceValidCerts off<br>
###<br>
<br>
</div>
But when I do the getcert now I got the following
result :
<div>
<div class="h5"><br>
###<br>
# getcert list<br>
Number of certificates and requests being
tracked: 8.<br>
Request ID '20140528063903':<br>
status: MONITORING<br>
stuck: no<br>
key pair storage:
type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='<wbr>auditSigningCert
cert-pki-ca',token='NSS Certificate
DB',pin='159203530658'<br>
certificate:
type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='<wbr>auditSigningCert
cert-pki-ca',token='NSS Certificate DB'<br>
CA: dogtag-ipa-renew-agent<br>
issuer: CN=Certificate
Authority,O=<MYREALM><br>
subject: CN=CA Audit,O=<MYREALM><br>
expires: 2018-04-09 11:39:16 UTC<br>
pre-save command:
/usr/lib64/ipa/certmonger/<wbr>stop_pkicad<br>
post-save command:
/usr/lib64/ipa/certmonger/<wbr>renew_ca_cert
"auditSigningCert cert-pki-ca"<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20140528063904':<br>
status: MONITORING<br>
stuck: no<br>
key pair storage:
type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='<wbr>ocspSigningCert
cert-pki-ca',token='NSS Certificate
DB',pin='159203530658'<br>
certificate:
type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='<wbr>ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'<br>
CA: dogtag-ipa-renew-agent<br>
issuer: CN=Certificate
Authority,O=<MYREALM><br>
subject: CN=OCSP
Subsystem,O=<MYREALM><br>
expires: 2018-04-09 11:38:16 UTC<br>
eku: id-kp-OCSPSigning<br>
pre-save command:
/usr/lib64/ipa/certmonger/<wbr>stop_pkicad<br>
post-save command:
/usr/lib64/ipa/certmonger/<wbr>renew_ca_cert
"ocspSigningCert cert-pki-ca"<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20140528063905':<br>
status: MONITORING<br>
stuck: no<br>
key pair storage:
type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='<wbr>subsystemCert
cert-pki-ca',token='NSS Certificate
DB',pin='159203530658'<br>
certificate:
type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='<wbr>subsystemCert
cert-pki-ca',token='NSS Certificate DB'<br>
CA: dogtag-ipa-renew-agent<br>
issuer: CN=Certificate
Authority,O=<MYREALM><br>
subject: CN=CA
Subsystem,O=<MYREALM><br>
expires: 2018-04-09 11:38:16 UTC<br>
eku: id-kp-serverAuth,id-kp-<wbr>clientAuth<br>
pre-save command:
/usr/lib64/ipa/certmonger/<wbr>stop_pkicad<br>
post-save command:
/usr/lib64/ipa/certmonger/<wbr>renew_ca_cert
"subsystemCert cert-pki-ca"<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20140528063906':<br>
status: MONITORING<br>
stuck: no<br>
key pair storage:
type=NSSDB,location='/etc/<wbr>httpd/alias',nickname='<wbr>ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/<wbr>pwdfile.txt'<br>
certificate: type=NSSDB,location='/etc/<wbr>httpd/alias',nickname='<wbr>ipaCert',token='NSS
Certificate DB'<br>
CA: dogtag-ipa-renew-agent<br>
issuer: CN=Certificate
Authority,O=<MYREALM><br>
subject: CN=IPA RA,O=<MYREALM><br>
expires: 2018-04-09 11:38:16 UTC<br>
eku: id-kp-serverAuth,id-kp-<wbr>clientAuth<br>
pre-save command:<br>
post-save command:
/usr/lib64/ipa/certmonger/<wbr>renew_ra_cert<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20140528063907':<br>
status: MONITORING<br>
stuck: no<br>
key pair storage:
type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='<wbr>Server-Cert
cert-pki-ca',token='NSS Certificate
DB',pin='159203530658'<br>
certificate:
type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='<wbr>Server-Cert
cert-pki-ca',token='NSS Certificate DB'<br>
CA: dogtag-ipa-renew-agent<br>
issuer: CN=Certificate
Authority,O=<MYREALM><br>
subject: CN=<IPA SERVER
HOST>,O=<MYREALM><br>
expires: 2018-04-09 11:38:16 UTC<br>
eku: id-kp-serverAuth,id-kp-<wbr>clientAuth<br>
pre-save command:<br>
post-save command:<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20140528063919':<br>
</div>
</div>
status: CA_UNREACHABLE<br>
ca-error: Server failed request, will retry:
-504 (libcurl failed to execute the HTTP POST
transaction. Peer certificate cannot be
authenticated with known CA certificates).<br>
stuck: yes<span class=""><br>
key pair storage:
type=NSSDB,location='/etc/<wbr>dirsrv/slapd-<MYREALM>',<wbr>nickname='Server-Cert',token='<wbr>NSS
Certificate DB',pinfile='/etc/dirsrv/<wbr>slapd-<MYREALM>/pwdfile.txt'<br>
certificate: type=NSSDB,location='/etc/<wbr>dirsrv/slapd-<MYREALM>',<wbr>nickname='Server-Cert',token='<wbr>NSS
Certificate DB'<br>
CA: IPA<br>
issuer: CN=Certificate
Authority,O=<MYREALM><br>
subject: CN=<IPA SERVER
HOST>,O=<MYREALM><br>
expires: 2016-05-28 06:39:18 UTC<br>
eku: id-kp-serverAuth,id-kp-<wbr>clientAuth<br>
pre-save command:<br>
post-save command:
/usr/lib64/ipa/certmonger/<wbr>restart_dirsrv
<MYREALM><br>
track: yes<br>
auto-renew: yes<br>
Request ID '20140528063953':<br>
</span> status: CA_UNREACHABLE<br>
ca-error: Server failed request, will retry:
-504 (libcurl failed to execute the HTTP POST
transaction. Peer certificate cannot be
authenticated with known CA certificates).<br>
stuck: yes<span class=""><br>
key pair storage:
type=NSSDB,location='/etc/<wbr>dirsrv/slapd-PKI-IPA',<wbr>nickname='Server-Cert',token='<wbr>NSS
Certificate DB',pinfile='/etc/dirsrv/<wbr>slapd-PKI-IPA/pwdfile.txt'<br>
certificate: type=NSSDB,location='/etc/<wbr>dirsrv/slapd-PKI-IPA',<wbr>nickname='Server-Cert',token='<wbr>NSS
Certificate DB'<br>
CA: IPA<br>
issuer: CN=Certificate
Authority,O=<MYREALM><br>
subject: CN=<IPA SERVER
HOST>,O=<MYREALM><br>
expires: 2016-05-28 06:39:52 UTC<br>
eku: id-kp-serverAuth,id-kp-<wbr>clientAuth<br>
pre-save command:<br>
post-save command:
/usr/lib64/ipa/certmonger/<wbr>restart_dirsrv
PKI-IPA<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20140528064145':<br>
</span> status: CA_UNREACHABLE<br>
ca-error: Server failed request, will retry:
-504 (libcurl failed to execute the HTTP POST
transaction. Peer certificate cannot be
authenticated with known CA certificates).<br>
stuck: yes<span class=""><br>
key pair storage:
type=NSSDB,location='/etc/<wbr>httpd/alias',nickname='Server-<wbr>Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/<wbr>pwdfile.txt'<br>
certificate: type=NSSDB,location='/etc/<wbr>httpd/alias',nickname='Server-<wbr>Cert',token='NSS
Certificate DB'<br>
CA: IPA<br>
issuer: CN=Certificate
Authority,O=<MYREALM><br>
subject: CN=<IPA SERVER
HOST>,O=<MYREALM><br>
expires: 2016-05-28 06:41:44 UTC<br>
eku: id-kp-serverAuth,id-kp-<wbr>clientAuth<br>
pre-save command:<br>
post-save command:
/usr/lib64/ipa/certmonger/<wbr>restart_httpd<br>
track: yes<br>
auto-renew: yes<br>
###<br>
<br>
</span></div>
Indeed, the entries outdated are the following :<br>
</div>
- for /etc/dirsrv/slapd-<MYREALM> : 20140528063919<br>
- for /etc/dirsrv/slapd-PKI-IPA : 20140528063953<br>
</div>
- for httpd ? : 20140528064145<br>
<br>
<div>
<div>
<div>
<div>Best regards.<span class="HOEnZb"><font
color="#888888"><br>
<br>
</font></span></div>
<span class="HOEnZb"><font color="#888888">
<div>Bahan<br>
</div>
</font></span></div>
</div>
</div>
</div>
<div class="HOEnZb">
<div class="h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Sep 14, 2016 at 6:28
PM, bahan w <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:bahanw042014@gmail.com"
target="_blank">bahanw042014@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>Ok :D <br>
<br>
Because to perform the getcert list command,
I need to have all the ipa services running
right ?<br>
<br>
</div>
<div>Here is the result of the command with
the ipa services down.<br>
</div>
<div>###<br>
# getcert list<br>
Number of certificates and requests being
tracked: 8.<br>
Request ID '20140528063903':<br>
status: MONITORING<br>
stuck: no<br>
key pair storage:
type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='auditS<wbr>igningCert
cert-pki-ca',token='NSS Certificate
DB',pin='159203530658'<br>
certificate:
type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='auditS<wbr>igningCert
cert-pki-ca',token='NSS Certificate DB'<br>
CA: dogtag-ipa-renew-agent<br>
issuer: CN=Certificate
Authority,O=<MYREALM><br>
subject: CN=CA
Audit,O=<MYREALM><br>
expires: 2018-04-09 11:39:16 UTC<br>
pre-save command:
/usr/lib64/ipa/certmonger/stop<wbr>_pkicad<br>
post-save command:
/usr/lib64/ipa/certmonger/rene<wbr>w_ca_cert
"auditSigningCert cert-pki-ca"<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20140528063904':<br>
status: MONITORING<br>
stuck: no<br>
key pair storage:
type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='ocspSi<wbr>gningCert
cert-pki-ca',token='NSS Certificate
DB',pin='159203530658'<br>
certificate:
type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='ocspSi<wbr>gningCert
cert-pki-ca',token='NSS Certificate DB'<br>
CA: dogtag-ipa-renew-agent<br>
issuer: CN=Certificate
Authority,O=<MYREALM><br>
subject: CN=OCSP
Subsystem,O=<MYREALM><br>
expires: 2018-04-09 11:38:16 UTC<br>
eku: id-kp-OCSPSigning<br>
pre-save command:
/usr/lib64/ipa/certmonger/stop<wbr>_pkicad<br>
post-save command:
/usr/lib64/ipa/certmonger/rene<wbr>w_ca_cert
"ocspSigningCert cert-pki-ca"<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20140528063905':<br>
status: MONITORING<br>
stuck: no<br>
key pair storage:
type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='subsys<wbr>temCert
cert-pki-ca',token='NSS Certificate
DB',pin='159203530658'<br>
certificate:
type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='subsys<wbr>temCert
cert-pki-ca',token='NSS Certificate DB'<br>
CA: dogtag-ipa-renew-agent<br>
issuer: CN=Certificate
Authority,O=<MYREALM><br>
subject: CN=CA
Subsystem,O=<MYREALM><br>
expires: 2018-04-09 11:38:16 UTC<br>
eku: id-kp-serverAuth,id-kp-clientA<wbr>uth<br>
pre-save command:
/usr/lib64/ipa/certmonger/stop<wbr>_pkicad<br>
post-save command:
/usr/lib64/ipa/certmonger/rene<wbr>w_ca_cert
"subsystemCert cert-pki-ca"<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20140528063906':<br>
status: MONITORING<br>
stuck: no<br>
key pair storage:
type=NSSDB,location='/etc/http<wbr>d/alias',nickname='ipaCert',<wbr>token='NSS
Certificate DB',pinfile='/etc/httpd/alias/<wbr>pwdfile.txt'<br>
certificate:
type=NSSDB,location='/etc/http<wbr>d/alias',nickname='ipaCert',<wbr>token='NSS
Certificate DB'<br>
CA: dogtag-ipa-renew-agent<br>
issuer: CN=Certificate
Authority,O=<MYREALM><br>
subject: CN=IPA RA,O=<MYREALM><br>
expires: 2018-04-09 11:38:16 UTC<br>
eku: id-kp-serverAuth,id-kp-clientA<wbr>uth<br>
pre-save command:<br>
post-save command:
/usr/lib64/ipa/certmonger/rene<wbr>w_ra_cert<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20140528063907':<br>
status: MONITORING<br>
stuck: no<br>
key pair storage:
type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='Server<wbr>-Cert
cert-pki-ca',token='NSS Certificate
DB',pin='159203530658'<br>
certificate:
type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='Server<wbr>-Cert
cert-pki-ca',token='NSS Certificate DB'<br>
CA: dogtag-ipa-renew-agent<br>
issuer: CN=Certificate
Authority,O=<MYREALM><br>
subject: CN=<IPA SERVER
HOST>,O=<MYREALM><br>
expires: 2018-04-09 11:38:16 UTC<br>
eku: id-kp-serverAuth,id-kp-clientA<wbr>uth<br>
pre-save command:<br>
post-save command:<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20140528063919':<br>
status: MONITORING<br>
ca-error: Error setting up ccache
for local "host" service using default
keytab: Cannot contact any KDC for realm
'<MYREALM>'.<br>
stuck: no<br>
key pair storage:
type=NSSDB,location='/etc/dirs<wbr>rv/slapd-<MYREALM>',nickname='<wbr>Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd<wbr>-<MYREALM>/pwdfile.txt'<br>
certificate:
type=NSSDB,location='/etc/dirs<wbr>rv/slapd-<MYREALM>',nickname='<wbr>Server-Cert',token='NSS
Certificate DB'<br>
CA: IPA<br>
issuer: CN=Certificate
Authority,O=<MYREALM><br>
subject: CN=<IPA SERVER
HOST>,O=<MYREALM><br>
expires: 2016-05-28 06:39:18 UTC<br>
eku: id-kp-serverAuth,id-kp-clientA<wbr>uth<br>
pre-save command:<br>
post-save command:
/usr/lib64/ipa/certmonger/rest<wbr>art_dirsrv
<MYREALM><br>
track: yes<br>
auto-renew: yes<br>
Request ID '20140528063953':<br>
status: MONITORING<br>
ca-error: Error setting up ccache
for local "host" service using default
keytab: Cannot contact any KDC for realm
'<MYREALM>'.<br>
stuck: no<br>
key pair storage:
type=NSSDB,location='/etc/dirs<wbr>rv/slapd-PKI-IPA',nickname='<wbr>Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd<wbr>-PKI-IPA/pwdfile.txt'<br>
certificate:
type=NSSDB,location='/etc/dirs<wbr>rv/slapd-PKI-IPA',nickname='<wbr>Server-Cert',token='NSS
Certificate DB'<br>
CA: IPA<br>
issuer: CN=Certificate
Authority,O=<MYREALM><br>
subject: CN=<IPA SERVER
HOST>,O=<MYREALM><br>
expires: 2016-05-28 06:39:52 UTC<br>
eku: id-kp-serverAuth,id-kp-clientA<wbr>uth<br>
pre-save command:<br>
post-save command:
/usr/lib64/ipa/certmonger/rest<wbr>art_dirsrv
PKI-IPA<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20140528064145':<br>
status: MONITORING<br>
ca-error: Error setting up ccache
for local "host" service using default
keytab: Cannot contact any KDC for realm
'<MYREALM>'.<br>
stuck: no<br>
key pair storage:
type=NSSDB,location='/etc/http<wbr>d/alias',nickname='Server-Cert<wbr>',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/<wbr>pwdfile.txt'<br>
certificate:
type=NSSDB,location='/etc/http<wbr>d/alias',nickname='Server-Cert<wbr>',token='NSS
Certificate DB'<br>
CA: IPA<br>
issuer: CN=Certificate
Authority,O=<MYREALM><br>
subject: CN=<IPA SERVER
HOST>,O=<MYREALM><br>
expires: 2016-05-28 06:41:44 UTC<br>
eku: id-kp-serverAuth,id-kp-clientA<wbr>uth<br>
pre-save command:<br>
post-save command:
/usr/lib64/ipa/certmonger/rest<wbr>art_httpd<br>
track: yes<br>
auto-renew: yes<br>
###<br>
<br>
</div>
Best regards.<span><font color="#888888"><br>
<br>
</font></span></div>
<span><font color="#888888">
<div>Bahan<br>
</div>
</font></span></div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Sep 14,
2016 at 6:21 PM, Martin Basti <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:mbasti@redhat.com"
target="_blank">mbasti@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p><br>
</p>
<p>Then you have to start services
manually, I don't know if the same
steps will work with IPA 3.0.0, I
don't remember, but you can try :)<br>
</p>
<div>
<div> <br>
<div>On 14.09.2016 18:18, bahan w
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Oh I forgot to add that
my version of ipa is quite
old :<br>
###<br>
# rpm -qa | grep ipa-server<br>
ipa-server-3.0.0-25.el6.x86_64<br>
###<br>
<br>
</div>
When I try the command you
gave me I got the following
error :<br>
###<br>
<div># ipactl start --force<br>
Usage: ipactl
start|stop|restart|status<br>
<br>
<br>
ipactl: error: no such
option: --force<br>
###<br>
<br>
</div>
<div>Best regards.<br>
<br>
</div>
<div>Bahan<br>
</div>
</div>
</blockquote>
<blockquote type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Wed, Sep 14, 2016 at 6:14
PM, Martin Basti <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:mbasti@redhat.com"
target="_blank">mbasti@redhat.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000">
<div>
<div>
<p><br>
</p>
<br>
<div>On 14.09.2016
17:59, bahan w
wrote:<br>
</div>
<blockquote
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>Hello !<br>
<br>
</div>
I send you
this mail
because I
cannot restart
my test IPA
server.<br>
<br>
</div>
When I try to
start it with
service ipa
start, I got
the following
error message
:<br>
###<br>
# service ipa
start<br>
Starting
Directory
Service<br>
Starting
dirsrv:<br>
<MYREALM>...[14/Sep/2016:17:57<wbr>:23
+0200] - SSL
alert:
CERT_VerifyCertificateNow:
verify
certificate
failed for
cert
Server-Cert of
family
cn=RSA,cn=encryption,cn=config
(Netscape
Portable
Runtime error
-8181 - Peer's
Certificate
has expired.)<br>
<wbr> [ OK ]<br>
PKI-IPA...[14/Sep/2016:17:57:3<wbr>3
+0200] - SSL
alert:
CERT_VerifyCertificateNow:
verify
certificate
failed for
cert
Server-Cert of
family
cn=RSA,cn=encryption,cn=config
(Netscape
Portable
Runtime error
-8181 - Peer's
Certificate
has expired.)<br>
<wbr> [ OK ]<br>
Starting KDC
Service<br>
Starting
Kerberos 5
KDC: <wbr>
[ OK ]<br>
Starting
KPASSWD
Service<br>
Starting
Kerberos 5
Admin
Server: <wbr>
[ OK ]<br>
Starting
MEMCACHE
Service<br>
Starting
ipa_memcached: <wbr>
[ OK ]<br>
Starting HTTP
Service<br>
Starting
httpd: <wbr>
[FAILED]<br>
Failed to
start HTTP
Service<br>
Shutting down<br>
Stopping
Kerberos 5
KDC: <wbr>
[ OK ]<br>
Stopping
Kerberos 5
Admin
Server: <wbr>
[ OK ]<br>
Stopping
ipa_memcached: <wbr>
[ OK ]<br>
Stopping
httpd: <wbr>
[FAILED]<br>
Stopping
pki-ca: <wbr>
[ OK ]<br>
Shutting down
dirsrv:<br>
<MYREALM>... <wbr>
[ OK ]<br>
PKI-IPA... <wbr>
[ OK ]<br>
Aborting
ipactl<br>
<br>
# service ipa
status<br>
Directory
Service:
STOPPED<br>
Failed to get
list of
services to
probe status:<br>
Directory
Server is
stopped<br>
###<br>
<br>
</div>
<div>Do you
know how to
renew the SSL
certificate
used for the
IPA Server ?<br>
<br>
</div>
<div>Best
regards.<br>
<br>
</div>
<div>Bahan<br>
</div>
<br>
</div>
</div>
<br>
<br>
</blockquote>
<br>
<br>
</div>
</div>
Hello,<br>
<br>
please run<br>
<br>
# ipactl start --force<br>
# getcert list (to
detect which certificate
is outdated, I suspect
DS cert (or to get more
info why it has not been
renewed))<br>
<br>
If getcert does work
(I'm not sure if it is
able to work without
httpd), you probably
need to move time back
to past where cert is
valid, start IPA and try
again.<br>
<br>
Please find the ID of the outdated
certificate and try to
resubmit it (CA and DS
must be running)<br>
<br>
# getcert resubmit -i
20160914122036 (use your
ID :) )<br>
<br>
This should renew cert,
check status with
getcert list<br>
<br>
Move time back to future
(if needed)<br>
<br>
Try to restart IPA<br>
<br>
Martin^2<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
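<p>Added example, not part of the original thread and not FreeIPA or certmonger code: a small Python triage of <code>getcert list</code> output that reports, for a chosen clock value, which tracked requests are expired, stuck, or carrying a <code>ca-error</code>. The sample listing is constructed from entries quoted in the thread, with the placeholder realm EXAMPLE.TEST; the function names are hypothetical.</p>

```python
import re
from datetime import datetime, timezone

# Constructed sample: three entries abridged from the listings quoted in the
# thread; the realm is replaced by the placeholder EXAMPLE.TEST.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20140528063907':
    status: MONITORING
    stuck: no
    CA: dogtag-ipa-renew-agent
    expires: 2018-04-09 11:38:16 UTC
Request ID '20140528063919':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
    stuck: yes
    CA: IPA
    expires: 2016-05-28 06:39:18 UTC
Request ID '20140528063953':
    status: MONITORING
    ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm 'EXAMPLE.TEST'.
    stuck: no
    CA: IPA
    expires: 2016-05-28 06:39:52 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")
# Field name ends at the first colon; the value may itself contain colons.
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?):\s*(.*)$")


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the printed field names."""
    requests, current = [], None
    for line in text.splitlines():
        header = REQUEST_RE.match(line)
        if header:
            current = {"id": header.group(1)}
            requests.append(current)
            continue
        field = FIELD_RE.match(line)
        if current is not None and field:
            current[field.group(1)] = field.group(2)
    return requests


def triage(text, now):
    """Map request ID to the reasons it needs attention at time `now` (UTC)."""
    findings = {}
    for req in parse_getcert_list(text):
        reasons = []
        if "expires" in req:
            not_after = datetime.strptime(
                req["expires"], "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
            if now >= not_after:
                reasons.append("expired")
        if req.get("status", "MONITORING") != "MONITORING":
            reasons.append("status=" + req["status"])
        if req.get("stuck") == "yes":
            reasons.append("stuck")
        if "ca-error" in req:  # can be present even when status is MONITORING
            reasons.append("ca-error")
        if reasons:
            findings[req["id"]] = reasons
    return findings
```

<p>Calling <code>triage(SAMPLE, now)</code> once with the real date and once with the rolled-back date shows that moving the clock clears only the "expired" reason; a request that is still stuck or still reports a ca-error has not been renewed.</p>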
<br>
</body>
</html>