<div dir="ltr"><div>Oh, I forgot to add that my version of ipa is quite old :<br>###<br># rpm -qa | grep ipa-server<br>ipa-server-3.0.0-25.el6.x86_64<br>###<br><br></div>When I try the command you gave me I got the following error :<br>###<br><div># ipactl start --force<br>Usage: ipactl start|stop|restart|status<br><br><br>ipactl: error: no such option: --force<br>###<br><br></div><div>Best regards.<br><br></div><div>Bahan<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Sep 14, 2016 at 6:14 PM, Martin Basti <span dir="ltr">&lt;<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000"><div><div class="h5">
    <p><br>
    </p>
    <br>
    <div>On 14.09.2016 17:59, bahan w wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>
              <div>Hello !<br>
                <br>
              </div>
              I send you this mail because I cannot restart my test IPA
              server.<br>
              <br>
            </div>
            When I try to start it with service ipa start, I got the
            following error message :<br>
            ###<br>
            # service ipa start<br>
            Starting Directory Service<br>
            Starting dirsrv:<br>
                &lt;MYREALM&gt;...[14/Sep/2016:17:<wbr>57:23 +0200] - SSL
            alert: CERT_VerifyCertificateNow: verify certificate failed
            for cert Server-Cert of family
            cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime
            error -8181 - Peer's Certificate has expired.)<br>
                                          <wbr>                            
            [  OK  ]<br>
                PKI-IPA...[14/Sep/2016:17:57:<wbr>33 +0200] - SSL alert:
            CERT_VerifyCertificateNow: verify certificate failed for
            cert Server-Cert of family cn=RSA,cn=encryption,cn=config
            (Netscape Portable Runtime error -8181 - Peer's Certificate
            has expired.)<br>
                                          <wbr>                            
            [  OK  ]<br>
            Starting KDC Service<br>
            Starting Kerberos 5 KDC:                          <wbr>        
            [  OK  ]<br>
            Starting KPASSWD Service<br>
            Starting Kerberos 5 Admin Server:                       <wbr>  
            [  OK  ]<br>
            Starting MEMCACHE Service<br>
            Starting ipa_memcached:                <wbr>                   
            [  OK  ]<br>
            Starting HTTP Service<br>
            Starting httpd:                        <wbr>                   
            [FAILED]<br>
            Failed to start HTTP Service<br>
            Shutting down<br>
            Stopping Kerberos 5 KDC:                          <wbr>        
            [  OK  ]<br>
            Stopping Kerberos 5 Admin Server:                       <wbr>  
            [  OK  ]<br>
            Stopping ipa_memcached:                <wbr>                   
            [  OK  ]<br>
            Stopping httpd:                        <wbr>                   
            [FAILED]<br>
            Stopping pki-ca:                       <wbr>                   
            [  OK  ]<br>
            Shutting down dirsrv:<br>
                &lt;MYREALM&gt;...                  <wbr>                  [ 
            OK  ]<br>
                PKI-IPA...                    <wbr>                        
            [  OK  ]<br>
            Aborting ipactl<br>
            <br>
            # service ipa status<br>
            Directory Service: STOPPED<br>
            Failed to get list of services to probe status:<br>
            Directory Server is stopped<br>
            ###<br>
            <br>
          </div>
          <div>Do you know how to renew the SSL certificate used for the
            IPA Server ?<br>
            <br>
          </div>
          <div>Best regards.<br>
            <br>
          </div>
          <div>Bahan<br>
          </div>
          <br>
        </div>
      </div>
      <br>
      <br>
    </blockquote>
    <br>
    <br></div></div>
    Hello,<br>
    <br>
    please run<br>
    <br>
    # ipactl start --force<br>
    # getcert list (to detect which certificate is outdated, I suspect
    DS cert (or to get more info why it has not been renewed))<br>
    <br>
    If getcert does work (I'm not sure if it is able to work without
    httpd), you probably need to move time back to the past where the cert is
    valid, start IPA and try again.<br>
    <br>
    Please find the ID of the outdated certificate and try to resubmit it (CA and DS
    must be running)<br>
    <br>
    # getcert resubmit -i 20160914122036 (use your ID :) )<br>
    <br>
    This should renew cert, check status with getcert list<br>
    <br>
    Move time back to future (if needed)<br>
    <br>
    Try to restart IPA<br>
    <br>
    Martin^2<br>
  </div>

</blockquote></div><br></div>
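<div>Added example, not part of either message: a shell filter for the "detect which certificate is outdated" step above. It reads <code>getcert list</code> output and prints the tracked requests whose <code>expires:</code> time is before a reference time. The sample output, request IDs, paths and dates are constructed, and <code>sample_getcert_output</code> and <code>expired_requests</code> are hypothetical helper names.</div>

```shell
#!/bin/sh
# Constructed sample of `getcert list` output (IDs, paths and dates are made up).
sample_getcert_output() {
cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20140913000001':
    status: CA_UNREACHABLE
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    expires: 2016-09-13 10:00:01 UTC
Request ID '20140913000002':
    status: CA_UNREACHABLE
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    expires: 2016-09-13 10:00:45 UTC
Request ID '20150101000003':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    expires: 2018-08-20 09:30:00 UTC
EOF
}

# Reads `getcert list` output on stdin; $1 is the reference time in UTC as
# "YYYY-MM-DD HH:MM:SS". Prints "ID location nickname expiry" per expired cert.
expired_requests() {
    awk -v now="$1" '
        /^Request ID/ { split($0, q, "\047"); id = q[2]; loc = nick = "?" }
        /^[ \t]*certificate:/ {
            n = split($0, q, "\047")        # fields between single quotes
            for (i = 1; i < n; i++) {
                if (q[i] ~ /location=$/) loc  = q[i + 1]
                if (q[i] ~ /nickname=$/) nick = q[i + 1]
            }
        }
        /^[ \t]*expires:/ {
            sub(/^[ \t]*expires:[ \t]*/, "")
            when = substr($0, 1, 19)        # drop the trailing " UTC"
            # Fixed-width timestamps sort correctly as plain strings.
            if ((when "") < (now "")) print id, loc, nick, when
        }
    '
}

# Demo on the constructed sample. On a real server:
#   getcert list | expired_requests "$(date -u '+%Y-%m-%d %H:%M:%S')"
sample_getcert_output | expired_requests "2016-09-14 16:00:00"
```

If the system clock has been moved back for the renewal, pass the real current time as the argument instead of the output of `date`.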