[Freeipa-users] Expired SSL certificate issue with IPA
nasir nasir
kollathodi at yahoo.com
Tue Jan 3 16:37:11 UTC 2012
--- On Tue, 1/3/12, Rich Megginson <rmeggins at redhat.com> wrote:
From: Rich Megginson <rmeggins at redhat.com>
Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
To: "nasir nasir" <kollathodi at yahoo.com>
Cc: freeipa-users at redhat.com, fasilkaks at gmail.com
Date: Tuesday, January 3, 2012, 7:41 AM
On 01/03/2012 12:52 AM, nasir nasir wrote:
Hi,
I am facing a serious issue with my production IPA server. When I try to access the IPA web interface using Firefox, it hangs and doesn't allow me to get in. It seems to be due to an expired SSL certificate, as seen in the apache log file,
[Tue Jan 03 10:34:08 2012] [error] Certificate not verified: 'Server-Cert'
[Tue Jan 03 10:34:08 2012] [error] SSL Library Error: -8181 Certificate has expired
[Tue Jan 03 10:34:08 2012] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
[Tue Jan 03 10:34:08 2012] [error] Certificate not verified: 'Server-Cert'
Also, when I try to use the command line (ipa user-mod or user-show commands) it too just hangs and doesn't give any output or allow me any input. I can see the following in krb5kdc.log:
Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2426](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2426](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: PREAUTH_FAILED: host/xxxxx.xxxxx.com at XXXXXX.COM for krbtgt/XXXXXX.COM at XXXXXX.COM, Decrypt integrity check failed
Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2429](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH: host/xxxx.xxxxx.com at XXXXX.COM for krbtgt/XXXXXX.COM at XXXXXX.COM, Additional pre-authentication required
The output of "certutil -L -d /etc/httpd/alias -n Server-Cert" confirms that the certificate is expired, as given below.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=XXXXXX.COM"
        Validity:
            Not Before: Sun Jun 19 11:27:20 2011
            Not After : Fri Dec 16 11:27:20 2011
Relevant info
OS: RHEL 6.1
Output of rpm -qa | grep ipa
ipa-client-2.0.0-23.el6.i686
ipa-pki-ca-theme-9.0.3-6.el6.noarch
ipa-pki-common-theme-9.0.3-6.el6.noarch
device-mapper-multipath-libs-0.4.9-41.el6.i686
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.0.0-23.el6.i686
ipa-server-selinux-2.0.0-23.el6.i686
ipa-server-2.0.0-23.el6.i686
device-mapper-multipath-0.4.9-41.el6.i686
ipa-admintools-2.0.0-23.el6.i686
I went through the documentation to check how to renew the expired certs, but it seems to be confusing and different across versions. Could someone please help me out by suggesting which is the best way to achieve this? Any help would be greatly appreciated, as I am unable to perform any task on the IPA server now because of this.
I suggest following the mod_nss suggestion to allow it to start and
use the expired cert while you attempt to figure this out.
Thanks indeed for the suggestion. I will consider this. But can anyone point me to the steps to renew the certificate from the expired one?
Thanks and regards, Nidal
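The thread diagnoses the expiry from "certutil -L -d /etc/httpd/alias -n Server-Cert" output. The following is an added example, not code from the thread or from FreeIPA, that parses that output and reports days to expiry so an expired Server-Cert is caught before httpd refuses to start; the sample certutil text is constructed from the validity dates quoted above, and the warn_days threshold is an assumption.

```python
import re
import subprocess
from datetime import datetime

# Constructed sample, mirroring the certutil -L output quoted in the thread.
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
        Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"
        Validity:
            Not Before: Sun Jun 19 11:27:20 2011
            Not After : Fri Dec 16 11:27:20 2011
"""

NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+)$", re.MULTILINE)


def parse_not_after(certutil_output):
    """Return the 'Not After' timestamp from certutil -L text output."""
    m = NOT_AFTER_RE.search(certutil_output)
    if not m:
        raise ValueError("no 'Not After' line found in certutil output")
    # certutil prints e.g. 'Fri Dec 16 11:27:20 2011' (local time, no zone).
    return datetime.strptime(m.group(1).strip(), "%a %b %d %H:%M:%S %Y")


def days_remaining(certutil_output, now):
    """Whole days until expiry; negative once the certificate has expired."""
    return (parse_not_after(certutil_output) - now).days


def check_nss_cert(dbdir="/etc/httpd/alias", nickname="Server-Cert",
                   warn_days=30, now=None):
    """Run certutil against a live NSS database and classify the result.

    warn_days is an assumed threshold; pick one that leaves time to renew.
    """
    out = subprocess.run(["certutil", "-L", "-d", dbdir, "-n", nickname],
                         capture_output=True, text=True, check=True).stdout
    remaining = days_remaining(out, now or datetime.now())
    if remaining < 0:
        return "expired"
    return "warning" if remaining <= warn_days else "ok"


if __name__ == "__main__":
    print(check_nss_cert())
```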