[Freeipa-users] Expired SSL certificate issue with IPA

Rich Megginson rmeggins at redhat.com
Tue Jan 3 15:41:59 UTC 2012


On 01/03/2012 12:52 AM, nasir nasir wrote:
> Hi,
>
> I am facing a serious issue with my production IPA server. When I try 
> to access IPA web interface using Firefox, it hangs and doesn't allow 
> me to get in. It seems to be due to expired SSL certificate as seen in 
> the apache log file,
>
>
> [Tue Jan 03 10:34:08 2012] [error] Certificate not verified: 'Server-Cert'
> [Tue Jan 03 10:34:08 2012] [error] SSL Library Error: -8181 
> Certificate has expired
> [Tue Jan 03 10:34:08 2012] [error] Unable to verify certificate 
> 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the 
> server can start until the problem can be resolved.
> [Tue Jan 03 10:34:08 2012] [error] Certificate not verified: 'Server-Cert'
>
>
> Also, when I try to use the command line (ipa user-mod or user-show 
> commands) it too just hangs and doesn't give any output or allow me 
> any input. I can see the following in krb5kdc.log,
>
> Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2426](info): preauth 
> (timestamp) verify failure: Decrypt integrity check failed
> Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2426](info): AS_REQ (4 
> etypes {18 17 16 23}) 192.168.1.10: PREAUTH_FAILED: 
> host/xxxxx.xxxxx.com at XXXXXX.COM for krbtgt/XXXXXX.COM at XXXXXX.COM, 
> Decrypt integrity check failed
> Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2429](info): AS_REQ (4 
> etypes {18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH: 
> host/xxxx.xxxxx.com at XXXXX.COM for krbtgt/XXXXXX.COM at XXXXXX.COM, 
> Additional pre-authentication required
>
>
> The output of "certutil -L -d /etc/httpd/alias -n Server-Cert" 
> confirms that certificate is expired as given below.
>
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 10 (0xa)
> Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
> Issuer: "CN=Certificate Authority,O=XXXXXX.COM"
> Validity:
> Not Before: Sun Jun 19 11:27:20 2011
> Not After : Fri Dec 16 11:27:20 2011
>
>
> Relevant info
>
> OS: RHEL 6.1
>
>
> Output of rpm -qa | grep ipa
>
> ipa-client-2.0.0-23.el6.i686
> ipa-pki-ca-theme-9.0.3-6.el6.noarch
> ipa-pki-common-theme-9.0.3-6.el6.noarch
> device-mapper-multipath-libs-0.4.9-41.el6.i686
> python-iniparse-0.3.1-2.1.el6.noarch
> ipa-python-2.0.0-23.el6.i686
> ipa-server-selinux-2.0.0-23.el6.i686
> ipa-server-2.0.0-23.el6.i686
> device-mapper-multipath-0.4.9-41.el6.i686
> ipa-admintools-2.0.0-23.el6.i686
>
>
> I went through the documentation to check how to renew the expired 
> certs, but it seems to be confusing and different across versions. 
> Could someone please help me out by suggesting which is the best way 
> to achieve this? Any help would be greatly appreciated, as I am unable 
> to perform any task on the IPA server now because of this.
>
I suggest following the mod_nss suggestion to allow it to start and use 
the expired cert while you attempt to figure this out.
>
> Regards,
> Nidal
>
>

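As an added example (not code from the thread or from FreeIPA), a small Python check that parses the "Validity" block of the certutil output and the mod_nss error line quoted above, so an expiring Server-Cert is flagged before it takes the web UI down. The certutil output and error_log lines are constructed samples modelled on the report, and the issuer is a placeholder.

```python
import re
from datetime import datetime

# Constructed sample of `certutil -L -d /etc/httpd/alias -n Server-Cert`,
# trimmed to the fields this check needs; dates mirror the thread's report.
CERTUTIL_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
        Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"
        Validity:
            Not Before: Sun Jun 19 11:27:20 2011
            Not After : Fri Dec 16 11:27:20 2011
"""

# Constructed Apache error_log excerpt in mod_nss's format.
ERROR_LOG = """\
[Tue Jan 03 10:34:08 2012] [error] Certificate not verified: 'Server-Cert'
[Tue Jan 03 10:34:08 2012] [error] SSL Library Error: -8181 Certificate has expired
[Tue Jan 03 10:34:08 2012] [notice] Apache/2.2.15 (Unix) configured
"""

CERTUTIL_DATE = "%a %b %d %H:%M:%S %Y"  # e.g. "Fri Dec 16 11:27:20 2011"

def parse_validity(certutil_text):
    """Return (not_before, not_after) datetimes from certutil -L output."""
    nb = re.search(r"Not Before:\s*(.+)", certutil_text).group(1).strip()
    na = re.search(r"Not After\s*:\s*(.+)", certutil_text).group(1).strip()
    return (datetime.strptime(nb, CERTUTIL_DATE),
            datetime.strptime(na, CERTUTIL_DATE))

def days_until_expiry(certutil_text, now):
    """Whole days left before 'Not After'; negative once the cert has expired."""
    _, not_after = parse_validity(certutil_text)
    return (not_after - now).days

def certificate_status(certutil_text, now, warn_days=30):
    """'expired', 'expiring' (within warn_days) or 'ok' for the given clock."""
    days = days_until_expiry(certutil_text, now)
    if days < 0:
        return "expired"
    return "expiring" if days <= warn_days else "ok"

def expired_cert_errors(log_text):
    """Count mod_nss lines reporting NSS error -8181 (certificate has expired)."""
    return sum(1 for line in log_text.splitlines()
               if "SSL Library Error: -8181" in line)

if __name__ == "__main__":
    now = datetime(2012, 1, 3, 10, 34, 8)  # constructed: time of the quoted log
    print(certificate_status(CERTUTIL_OUTPUT, now),
          days_until_expiry(CERTUTIL_OUTPUT, now),
          expired_cert_errors(ERROR_LOG))
```

Run against the real NSS database and error_log, the same two checks give a monitoring hook that fires before renewal is overdue rather than after the UI stops responding.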