[Freeipa-users] Expired SSL certificate issue with IPA
nasir nasir
kollathodi at yahoo.com
Thu Jan 5 13:09:42 UTC 2012
Thanks for the reply Rob.
Please find below the output of your guidelines.
# ipa-getkeytab -s xxxxxxx.xxxxxxx.com -p host/xxxxxx.xxxxxx.com -k /etc/krb5.keytab
(the command was successful; it didn't show any errors in the krb5kdc.log or audit.log)
# kinit -kt /etc/krb5.keytab host/xxxxxx.xxxxxx.com
krb5kdc.log
-----------------
Jan 05 15:20:32 xxxxxx.xxxxxx.com krb5kdc[2431](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH: host/xxxxxx.xxxxxx.com at xxxxxx.COM for krbtgt/xxxxxx.COM at xxxxxx.COM, Additional pre-authentication required
Jan 05 15:20:32 xxxxxx.xxxxxx.com krb5kdc[2427](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: ISSUE: authtime 1325766032, etypes {rep=18 tkt=18 ses=18}, host/xxxxxx.xxxxxx.com at xxxxxx.COM for krbtgt/xxxxxx.COM at xxxxxx.COM
# ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20110619112648':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
stuck: yes
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-xxxxxx-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-xxxxxx-COM//pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-xxxxxx-COM',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=xxxxxx.COM
subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
expires: 20111216112647
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Request ID '20110619112705':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
stuck: yes
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=xxxxxx.COM
subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
expires: 20111216112704
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Request ID '20110619112721':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
stuck: yes
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=xxxxxx.COM
subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
expires: 20111216112720
eku: id-kp-serverAuth
track: yes
auto-renew: yes
# ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert
Request "20110619112721" modified.
# ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20110619112648':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
stuck: yes
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-HUGAYET-COM//pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=HUGAYET.COM
subject: CN=openipa.hugayet.com,O=HUGAYET.COM
expires: 20111216112647
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Request ID '20110619112705':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
stuck: yes
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=HUGAYET.COM
subject: CN=openipa.hugayet.com,O=HUGAYET.COM
expires: 20111216112704
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Request ID '20110619112721':
status: SUBMITTING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=HUGAYET.COM
subject: CN=openipa.hugayet.com,O=HUGAYET.COM
expires: 20111216112720
eku: id-kp-serverAuth
track: yes
auto-renew: yes
and after a few minutes, the status 'SUBMITTING' will be changed to 'CA_UNREACHABLE'.
Do we need to restart the /etc/init.d/ipa service for this? I am working remotely.
I need to upgrade my IPA version. Before going for this I need to have a replica of the existing one. Is it okay to have the replica while all these issues exist?
Nidal.
--- On Wed, 1/4/12, Rob Crittenden <rcritten at redhat.com> wrote:
From: Rob Crittenden <rcritten at redhat.com>
Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
To: "nasir nasir" <kollathodi at yahoo.com>
Cc: freeipa-users at redhat.com, fasilkaks at gmail.com
Date: Wednesday, January 4, 2012, 2:40 PM
nasir nasir wrote:
> Thanks for the reply Rob,
>
> Indeed there are host entries.
> Please find below the output of your below mentioned guidelines.
>
> # klist -kt /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
> 2 06/19/11 14:27:17 host/xxxxxx.xxxxxx.com at xxxxxx.COM
> 2 06/19/11 14:27:17 host/xxxxxx.xxxxxx.com at xxxxxx.COM
> 2 06/19/11 14:27:17 host/xxxxxx.xxxxxx.com at xxxxxx.COM
> 2 06/19/11 14:27:17 host/xxxxxx.xxxxxx.com at xxxxxx.COM
> 2 06/19/11 14:27:17 host/xxxxxx.xxxxxx.com at xxxxxx.COM
> 2 06/19/11 14:27:17 host/xxxxxx.xxxxxx.com at xxxxxx.COM
> 2 06/20/11 09:07:26 host/test1.xxxxxx.com at xxxxxx.COM
> 2 06/20/11 09:07:26 host/test1.xxxxxx.com at xxxxxx.COM
> 2 06/20/11 09:07:26 host/test1.xxxxxx.com at xxxxxx.COM
> 2 06/20/11 09:07:26 host/test1.xxxxxx.com at xxxxxx.COM
> 6 06/20/11 09:09:12 nfs/nfs.xxxxxx.com at xxxxxx.COM
> 6 06/20/11 09:09:12 nfs/nfs.xxxxxx.com at xxxxxx.COM
> 6 06/20/11 09:09:12 nfs/nfs.xxxxxx.com at xxxxxx.COM
> 6 06/20/11 09:09:12 nfs/nfs.xxxxxx.com at xxxxxx.COM
> 2 06/20/11 09:11:24 nfs/test1.xxxxxx.com at xxxxxx.COM
> 2 06/20/11 09:11:24 nfs/test1.xxxxxx.com at xxxxxx.COM
> 2 06/20/11 09:11:24 nfs/test1.xxxxxx.com at xxxxxx.COM
> 2 06/20/11 09:11:24 nfs/test1.xxxxxx.com at xxxxxx.COM
>
> # kinit -kt /etc/krb5.keytab host/openipa.hugayet.com
> kinit: Password incorrect while getting initial credentials
>
> # kinit admin
> (the password is accepted successfully here)
>
> # kinit -kt /etc/krb5.keytab host/openipa.hugayet.com
> kinit: Password incorrect while getting initial credentials
>
> What could be the possible issue of the invalid credential error? Please
> help.
Probably the most expedient fix is to use ipa-getkeytab to get new
credentials for the host service. Here is an example assuming you need a
new keytab for your freeIPA server itself:
# ipa-getkeytab -s ipa.example.com -p host/ipa.example.com -k /etc/krb5.keytab
rob
>
> Nidal
> --- On Wed, 1/4/12, Rob Crittenden <rcritten at redhat.com> wrote:
>
>
> From: Rob Crittenden <rcritten at redhat.com>
> Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
> To: "nasir nasir" <kollathodi at yahoo.com>
> Cc: "Rich Megginson" <rmeggins at redhat.com>,
> freeipa-users at redhat.com, fasilkaks at gmail.com
> Date: Wednesday, January 4, 2012, 11:52 AM
>
> nasir nasir wrote:
> > Thanks for all the replies.
> >
> > Rob,
> > Please find the output of your guidelines.
>
> Here is the culprit:
>
> ca-error: Error setting up ccache for local "host" service using
> default
> keytab.
>
> certmonger authenticates to IPA using the host service principal
> installed on each client (and master). For some reason that can't be
> used.
>
> Check the keytab:
>
> # klist -kt /etc/krb5.keytab
>
> If there are host entries there, try it:
>
> # kinit -kt /etc/krb5.keytab host/server.example.com
>
> rob
>
> >
> > # ipa-getcert list
> > Number of certificates and requests being tracked: 3.
> > Request ID '20110619112648':
> > status: MONITORING
> > ca-error: Error setting up ccache for local "host" service using
> default
> > keytab.
> > stuck: no
> > key pair storage:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-COM',nickname='Server-Cert',token='NSS
> > Certificate DB',pinfile='/etc/dirsrv/slapd-xxxxx-COM//pwdfile.txt'
> > certificate:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-COM',nickname='Server-Cert',token='NSS
> > Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=xxxxx.COM
> > subject: CN=xxxxx.xxxxx.com,O=xxxxx.COM
> > expires: 20111216112647
> > eku: id-kp-serverAuth
> > track: yes
> > auto-renew: yes
> > Request ID '20110619112705':
> > status: MONITORING
> > ca-error: Error setting up ccache for local "host" service using
> default
> > keytab.
> > stuck: no
> > key pair storage:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> > certificate:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> > Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=xxxxx.COM
> > subject: CN=xxxxx.xxxxx.com,O=xxxxx.COM
> > expires: 20111216112704
> > eku: id-kp-serverAuth
> > track: yes
> > auto-renew: yes
> > Request ID '20110619112721':
> > status: MONITORING
> > ca-error: Error setting up ccache for local "host" service using
> default
> > keytab.
> > stuck: no
> > key pair storage:
> >
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate:
> >
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=xxxxx.COM
> > subject: CN=xxxxx.xxxxx.com,O=xxxxx.COM
> > expires: 20111216112720
> > eku: id-kp-serverAuth
> > track: yes
> > auto-renew: yes
> >
> > # certutil -L -d /etc/httpd/alias
> > Certificate Nickname Trust Attributes
> > SSL,S/MIME,JAR/XPI
> > Server-Cert u,u,u
> > HUGAYET.COM IPA CA CT,C,C
> > ipaCert u,u,u
> > Signing-Cert u,u,u
> >
> > Now track it
> > # ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert
> > Request "20110619112721" modified.
> >
> > #ipa-getcert list
> > Number of certificates and requests being tracked: 3.
> > Request ID '20110619112648':
> > status: MONITORING
> > ca-error: Error setting up ccache for local "host" service using
> default
> > keytab.
> > stuck: no
> > key pair storage:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-COM',nickname='Server-Cert',token='NSS
> > Certificate DB',pinfile='/etc/dirsrv/slapd-xxxxx-COM//pwdfile.txt'
> > certificate:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-COM',nickname='Server-Cert',token='NSS
> > Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=xxxxx.COM
> > subject: CN=xxxxx.xxxxx.com,O=xxxxx.COM
> > expires: 20111216112647
> > eku: id-kp-serverAuth
> > track: yes
> > auto-renew: yes
> > Request ID '20110619112705':
> > status: MONITORING
> > ca-error: Error setting up ccache for local "host" service using
> default
> > keytab.
> > stuck: no
> > key pair storage:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> > certificate:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> > Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=xxxxx.COM
> > subject: CN=xxxxx.xxxxx.com,O=xxxxx.COM
> > expires: 20111216112704
> > eku: id-kp-serverAuth
> > track: yes
> > auto-renew: yes
> > Request ID '20110619112721':
> > status: MONITORING
> > ca-error: Error setting up ccache for local "host" service using
> default
> > keytab.
> > stuck: no
> > key pair storage:
> >
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate:
> >
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=xxxxx.COM
> > subject: CN=xxxxx.xxxxx.com,O=xxxxx.COM
> > expires: 20111216112720
> > eku: id-kp-serverAuth
> > track: yes
> > auto-renew: yes
> >
> > The issue is still there as you can see the expiry dates are not
> getting
> > modified.
> >
> > Nidal.
> >
> > --- On Tue, 1/3/12, Rob Crittenden <rcritten at redhat.com> wrote:
> >
> >
> > From: Rob Crittenden <rcritten at redhat.com>
> > Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
> > To: "nasir nasir" <kollathodi at yahoo.com>
> > Cc: "Rich Megginson" <rmeggins at redhat.com>,
> > freeipa-users at redhat.com, fasilkaks at gmail.com
> > Date: Tuesday, January 3, 2012, 2:23 PM
> >
> > nasir nasir wrote:
> > >
> > >
> > > --- On Tue, 1/3/12, Rich Megginson <rmeggins at redhat.com> wrote:
> > >
> > >
> > > From: Rich Megginson <rmeggins at redhat.com>
> > > Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
> > > To: "nasir nasir" <kollathodi at yahoo.com>
> > > Cc: freeipa-users at redhat.com, fasilkaks at gmail.com
> > > Date: Tuesday, January 3, 2012, 7:41 AM
> > >
> > > On 01/03/2012 12:52 AM, nasir nasir wrote:
> > >> Hi,
> > >>
> > >> I am facing a serious issue with my production IPA server. When I
> > >> try to access IPA web interface using Firefox, it hangs and
> > >> doesn't allow me to get in. It seems to be due to expired SSL
> > >> certificate as seen in the apache log file,
> > >>
> > >>
> > >> [Tue Jan 03 10:34:08 2012] [error] Certificate not verified:
> > >> 'Server-Cert'
> > >> [Tue Jan 03 10:34:08 2012] [error] SSL Library Error: -8181
> > >> Certificate has expired
> > >> [Tue Jan 03 10:34:08 2012] [error] Unable to verify certificate
> > >> 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the
> > >> server can start until the problem can be resolved.
> > >> [Tue Jan 03 10:34:08 2012] [error] Certificate not verified:
> > >> 'Server-Cert'
> > >>
> > >>
> > >> Also, when I try to use the command line (ipa user-mod or
> > >> user-show commands) it too just hangs and doesn't give any output
> > >> or allow me for any input. I can see the following in
> > >> krb5kdc.log,
> > >>
> > >> Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2426](info): preauth (timestamp) verify failure: Decrypt integrity check failed
> > >> Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2426](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: PREAUTH_FAILED: host/xxxxx.xxxxx.com at XXXXXX.COM for krbtgt/XXXXXX.COM at XXXXXX.COM, Decrypt integrity check failed
> > >> Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2429](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH: host/xxxx.xxxxx.com at XXXXX.COM for krbtgt/XXXXXX.COM at XXXXXX.COM, Additional pre-authentication required
> > >>
> > >>
> > >> The output of "certutil -L -d /etc/httpd/alias -n Server-Cert"
> > >> confirms that certificate is expired as given below.
> > >>
> > >> Certificate:
> > >> Data:
> > >> Version: 3 (0x2)
> > >> Serial Number: 10 (0xa)
> > >> Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
> > >> Issuer: "CN=Certificate Authority,O=XXXXXX.COM"
> > >> Validity:
> > >> Not Before: Sun Jun 19 11:27:20 2011
> > >> Not After : Fri Dec 16 11:27:20 2011
> > >>
> > >>
> > >> Relevant info
> > >>
> > >> OS: RHEL 6.1
> > >>
> > >>
> > >> Output of rpm -qa | grep ipa
> > >>
> > >> ipa-client-2.0.0-23.el6.i686
> > >> ipa-pki-ca-theme-9.0.3-6.el6.noarch
> > >> ipa-pki-common-theme-9.0.3-6.el6.noarch
> > >> device-mapper-multipath-libs-0.4.9-41.el6.i686
> > >> python-iniparse-0.3.1-2.1.el6.noarch
> > >> ipa-python-2.0.0-23.el6.i686
> > >> ipa-server-selinux-2.0.0-23.el6.i686
> > >> ipa-server-2.0.0-23.el6.i686
> > >> device-mapper-multipath-0.4.9-41.el6.i686
> > >> ipa-admintools-2.0.0-23.el6.i686
> > >>
> > >>
> > >> I went through the documentations to check how to renew the
> > >> expired certs but it seems to be confusing and different across
> > >> versions. Could someone please help me out by suggesting which is
> > >> the best way to achieve this ? Any help would be greatly
> > >> appreciated as I am unable to perform any task on the IPA server
> > >> now because of this.
> > >>
> > > I suggest following the mod_nss suggestion to allow it to start and
> > > use the expired cert while you attempt to figure this out.
> > >
> > > Thanks indeed for the suggestion. I will consider this. But can
> > > anyone point me the steps to renew certificate from the expired
> one ?
> > >
> > > Thanks and regards,
> > > Nidal
> >
> > Lets start with figuring out why certmonger didn't do this for you:
> >
> > Can you run as root: ipa-getcert list
> >
> > You should have something like:
> >
> > Request ID '20111215203350':
> > status: MONITORING
> > stuck: no
> > key pair storage:
> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate:
> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> > CA: IPA
> > issuer: CN=EXAMPLE.COM Certificate Authority
> > subject: CN=rawhide.example.com,O=EXAMPLE.COM
> > expires: 2021-12-15 20:33:50 UTC
> > track: yes
> > auto-renew: yes
> >
> > If you don't have something like this then perhaps the easiest way to
> > get it renewed is to tell certmonger to track it. First, look at your
> > current database, it should look something like:
> >
> > # certutil -L -d /etc/httpd/alias
> >
> > Server-Cert u,u,u
> > EXAMPLE.COM IPA CA CTu,u,Cu
> > Signing-Cert u,u,u
> >
> > Now track it
> >
> > # ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert
> >
> > Use ipa-getcert list to track the status of the renewal. Once it has
> > been completed you can reset the EnforceValidCerts option and restart
> > Apache.
> >
> > If certmonger is already tracking the cert and the renewal has failed
> > then please provide the ipa-getcert list output.
> >
> > rob
> >
>
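The diagnosis in this thread is done by reading `ipa-getcert list` by eye. As an added example (not code from the thread, from FreeIPA or from certmonger), the Python below parses that output and flags what an operator would want alerted on: a ca-error, a stuck request, a certificate not tracked for auto-renewal, and an expired or soon-to-expire certificate; it accepts both the numeric expiry stamp in Nidal's output and the dated form in Rob's. The sample output is constructed from the thread's format, and AS_OF pins "now" to the thread's date.

```python
"""Flag problems in `ipa-getcert list` output (ca-error, stuck, untracked, expiring).
Added example; not code from the thread or from FreeIPA/certmonger."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the thread: old 'YYYYMMDDHHMMSS' expiry
# stamp on the first request, newer 'YYYY-MM-DD HH:MM:SS UTC' on the second.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20110619112721':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  SSL connect error).
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 20111216112720
\ttrack: yes
\tauto-renew: yes
Request ID '20111215203350':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 2021-12-15 20:33:50 UTC
\ttrack: yes
\tauto-renew: no
"""
AS_OF = datetime(2012, 1, 5, 13, 9, tzinfo=timezone.utc)  # date of the thread
REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
EXPIRES_FORMATS = ("%Y%m%d%H%M%S", "%Y-%m-%d %H:%M:%S UTC")

def parse_expires(value):
    """Accept either expiry stamp style; return a timezone-aware UTC datetime."""
    for fmt in EXPIRES_FORMATS:
        try:
            return datetime.strptime(value.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("unrecognised expires stamp: %r" % value)

def parse_getcert_list(text):
    """Return {request_id: {field: value}}; values keep any later colons."""
    requests, current = {}, None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return requests

def find_problems(text, now, warn_days=30):
    """Return a sorted list of (request_id, problem) pairs worth an alert."""
    problems = []
    for rid, f in parse_getcert_list(text).items():
        if "ca-error" in f:
            problems.append((rid, "ca-error: " + f["ca-error"]))
        if f.get("stuck") == "yes":
            problems.append((rid, "stuck"))
        if f.get("track") != "yes" or f.get("auto-renew") != "yes":
            problems.append((rid, "not tracked for auto-renewal"))
        if "expires" in f:
            exp = parse_expires(f["expires"])
            if exp <= now:
                problems.append((rid, "expired %s" % exp.date()))
            elif exp - now <= timedelta(days=warn_days):
                problems.append((rid, "expires within %d days" % warn_days))
    return sorted(problems)
```

Run against live output with `find_problems(subprocess.check_output(["ipa-getcert", "list"], text=True), datetime.now(timezone.utc))`; a cron job that exits non-zero on a non-empty result would have caught the expired Server-Cert in this thread before Apache refused to start.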