[Freeipa-users] Expired SSL certificate issue with IPA

Rob Crittenden rcritten at redhat.com
Mon Jan 9 14:52:47 UTC 2012


nasir nasir wrote:
> Hi,
>
> Would the below error cause any issues during replica and upgrade?
>
> # ipa user-show admin
> ipa: ERROR: cert validation failed for
> "CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's
> certificate issuer has been marked as not trusted by the user.)
> ipa: ERROR: cert validation failed for
> "CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's
> certificate issuer has been marked as not trusted by the user.)
> ipa: ERROR: cannot connect to 'any of the configured servers':
> https://xxxxxx.xxxxxx.com/ipa/xml, https://xxxxxx.xxxxxx.com/ipa/xml

I don't think so but the problem will exist until addressed. In other 
words upgrading and/or creating a replica won't change things for this 
server.

rob
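A monitoring check for the state this thread describes, written as an added example (not code from certmonger, FreeIPA or anyone in the thread): it parses `ipa-getcert list` output, using a constructed sample modelled on the quoted output, and flags stuck requests, expired or soon-to-expire tracked certs, and any tracked cert whose issuer differs from the CA that /etc/ipa/ca.crt is expected to hold. The expected issuer DN, the MONITORING status on the healthy tracker and the UTC reading of the `expires` field are assumptions.

```python
"""Audit `ipa-getcert list` output for the failure modes seen in this thread:
stuck requests, expired or near-expiry tracked certs, and tracked certs whose
issuer is not the CA we expect (the one /etc/ipa/ca.crt must match).
Added example; not code from certmonger, FreeIPA or the thread."""
import re
import sys
from datetime import datetime, timezone

# Constructed sample modelled on the thread's `ipa-getcert list` output
# (two trackers, trimmed; the second is altered to show an issuer mismatch).
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20110619112648':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
    stuck: yes
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=HUGAYET.COM
    subject: CN=openipa.hugayet.com,O=HUGAYET.COM
    expires: 20111216112647
    track: yes
    auto-renew: yes
Request ID '20110619112721':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=OTHER.EXAMPLE
    subject: CN=openipa.hugayet.com,O=HUGAYET.COM
    expires: 20130101000000
    track: yes
    auto-renew: yes
"""


def parse_getcert_list(text):
    """Split `ipa-getcert list` output into one dict per tracked request."""
    requests, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1)}
            requests.append(cur)
            continue
        if cur is None:          # header line before the first request
            continue
        key, sep, value = line.strip().partition(": ")
        if sep:                  # first ': ' separates key from value, so the
            cur[key] = value     # ca-error text keeps its own colons intact
    return requests


def expires_at(value):
    """Old certmonger prints expiry as YYYYMMDDHHMMSS; treated as UTC here
    (assumption: adjust if your certmonger prints local time)."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def audit(requests, expected_issuer, now, warn_days=30):
    """Return (nssdb_location, finding, detail) tuples for anything that needs
    attention before it turns into the outage described in the thread."""
    findings = []
    for r in requests:
        loc = re.search(r"location='([^']*)'", r.get("certificate", ""))
        where = loc.group(1) if loc else r["id"]
        if r.get("stuck") == "yes":
            findings.append((where, "stuck", r.get("ca-error", r.get("status", ""))))
        if "expires" in r:
            exp = expires_at(r["expires"])
            if exp <= now:
                findings.append((where, "expired", r["expires"]))
            elif (exp - now).days < warn_days:
                findings.append((where, "expiring-soon", r["expires"]))
        if r.get("issuer") and r["issuer"] != expected_issuer:
            # The thread's advice: the CA in /etc/ipa/ca.crt must be the one
            # that issued the Apache (and LDAP) server certs.
            findings.append((where, "issuer-mismatch", r["issuer"]))
    return findings


if __name__ == "__main__":
    # Pipe real output in (`ipa-getcert list | python3 audit.py`), else use SAMPLE.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    expected = "CN=Certificate Authority,O=HUGAYET.COM"   # DN taken from the thread
    for where, kind, detail in audit(parse_getcert_list(text), expected,
                                     datetime.now(timezone.utc)):
        print(f"{kind:16} {where}: {detail}")
```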

>
> Nidal.
>
> --- On *Fri, 1/6/12, nasir nasir /<kollathodi at yahoo.com>/* wrote:
>
>
>     From: nasir nasir <kollathodi at yahoo.com>
>     Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
>     To: "Rob Crittenden" <rcritten at redhat.com>
>     Cc: freeipa-users at redhat.com, fasilkaks at gmail.com
>     Date: Friday, January 6, 2012, 9:12 AM
>
>     Thanks for the input Rob,
>
>     We have already done it with your previous input and everything got
>     back to normal.
>
>     But the ipa user-show admin command gave the following errors.
>     # ipa user-show admin
>     ipa: ERROR: cert validation failed for
>     "CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER)
>     Peer's certificate issuer has been marked as not trusted by the user.)
>     ipa: ERROR: cert validation failed for
>     "CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER)
>     Peer's certificate issuer has been marked as not trusted by the user.)
>     ipa: ERROR: cannot connect to 'any of the configured servers':
>     https://xxxxxx.xxxxxx.com/ipa/xml, https://xxxxxx.xxxxxx.com/ipa/xml
>
>     Regardless of the above error, everything seems to be working fine.
>     Now we need to have the replica of the server before going for an
>     upgrade of IPA.
>
>     Thank you all for the wonderful support during our hard times.
>
>     Nidal.
>
>
>     --- On *Fri, 1/6/12, Rob Crittenden /<rcritten at redhat.com>/* wrote:
>
>
>         From: Rob Crittenden <rcritten at redhat.com>
>         Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
>         To: "nasir nasir" <kollathodi at yahoo.com>
>         Cc: freeipa-users at redhat.com, fasilkaks at gmail.com
>         Date: Friday, January 6, 2012, 7:21 AM
>
>         nasir nasir wrote:
>          > Rob,
>          >
>          > # ipa user-show admin
>          > ipa: ERROR: cert validation failed for
>          > "CN=openipa.hugayet.com,O=HUGAYET.COM"
>         ((SEC_ERROR_EXPIRED_CERTIFICATE)
>          > Peer's Certificate has expired.)
>          > ipa: ERROR: cert validation failed for
>          > "CN=openipa.hugayet.com,O=HUGAYET.COM"
>         ((SEC_ERROR_EXPIRED_CERTIFICATE)
>          > Peer's Certificate has expired.)
>          > ipa: ERROR: cannot connect to 'any of the configured servers':
>          > https://openipa.hugayet.com/ipa/xml,
>         https://openipa.hugayet.com/ipa/xml
>          >
>          > >>>>From what Nalin said, certmonger uses /etc/ipa/ca.crt.
>         This needs
>          > to match the CA that issued your Apache cert.>>>>>>
>          >
>          > How can we proceed further?
>
>         I think you're going to need to set the system time back to when
>         the
>         certificate is valid to do the renewal.
>
>         rob
>
>          >
>          > Nidal.
>          >
>          >
>          > --- On *Thu, 1/5/12, Rob Crittenden
>         /<rcritten at redhat.com>/*wrote:
>          >
>          >
>          > From: Rob Crittenden <rcritten at redhat.com>
>          > Subject: Re: [Freeipa-users] Expired SSL certificate issue
>         with IPA
>          > To: "nasir nasir" <kollathodi at yahoo.com>
>          > Cc: freeipa-users at redhat.com, fasilkaks at gmail.com
>          > Date: Thursday, January 5, 2012, 2:21 PM
>          >
>          > nasir nasir wrote:
>          > > Hi Rob,
>          > >
>          > > Added the directive "NSSEnforceValidCerts off" in
>          > > /etc/httpd/conf.d/nss.conf and restarted httpd. Please find the
>          > > /var/log/httpd/error_log
>          > >
>          > > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
>          > > KeyError(-1215723696,) in <module 'threading' from
>          > > '/usr/lib/python2.6/threading.pyc'> ignored
>          > > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
>          > > KeyError(-1215723696,) in <module 'threading' from
>          > > '/usr/lib/python2.6/threading.pyc'> ignored
>          > > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
>          > > KeyError(-1215723696,) in <module 'threading' from
>          > > '/usr/lib/python2.6/threading.pyc'> ignored
>          > > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
>          > > KeyError(-1215723696,) in <module 'threading' from
>          > > '/usr/lib/python2.6/threading.pyc'> ignored
>          > > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
>          > > KeyError(-1215723696,) in <module 'threading' from
>          > > '/usr/lib/python2.6/threading.pyc'> ignored
>          > > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
>          > > KeyError(-1215723696,) in <module 'threading' from
>          > > '/usr/lib/python2.6/threading.pyc'> ignored
>          > > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
>          > > KeyError(-1215723696,) in <module 'threading' from
>          > > '/usr/lib/python2.6/threading.pyc'> ignored
>          > > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
>          > > KeyError(-1215723696,) in <module 'threading' from
>          > > '/usr/lib/python2.6/threading.pyc'> ignored
>          > > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
>          > > KeyError(-1215723696,) in <module 'threading' from
>          > > '/usr/lib/python2.6/threading.pyc'> ignored
>          > > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
>          > > KeyError(-1215723696,) in <module 'threading' from
>          > > '/usr/lib/python2.6/threading.pyc'> ignored
>          > > [Fri Jan 06 01:06:29 2012] [notice] caught SIGTERM,
>         shutting down
>          > > [Fri Jan 06 01:06:29 2012] [notice] suEXEC mechanism enabled
>          > (wrapper:
>          > > /usr/sbin/suexec)
>          > > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified:
>          > 'Server-Cert'
>          > > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181
>          > Certificate
>          > > has expired
>          > > [Fri Jan 06 01:06:30 2012] [error] Server certificate is
>         expired:
>          > > 'Server-Cert'
>          > > [Fri Jan 06 01:06:30 2012] [notice] Digest: generating
>         secret for
>          > digest
>          > > authentication ...
>          > > [Fri Jan 06 01:06:30 2012] [notice] Digest: done
>          > > [Fri Jan 06 01:06:30 2012] [warn] mod_wsgi: Compiled for
>          > Python/2.6.2.
>          > > [Fri Jan 06 01:06:30 2012] [warn] mod_wsgi: Runtime using
>          > Python/2.6.6.
>          > > [Fri Jan 06 01:06:30 2012] [notice] Apache/2.2.15 (Unix) DAV/2
>          > > mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.12.9.0 mod_wsgi/3.2
>          > Python/2.6.6
>          > > configured -- resuming normal operations
>          > > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified:
>          > 'Server-Cert'
>          > > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181
>          > Certificate
>          > > has expired
>          > > [Fri Jan 06 01:06:30 2012] [error] Server certificate is
>         expired:
>          > > 'Server-Cert'
>          > > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified:
>          > 'Server-Cert'
>          > > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181
>          > Certificate
>          > > has expired
>          > > [Fri Jan 06 01:06:30 2012] [error] Server certificate is
>         expired:
>          > > 'Server-Cert'
>          > > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified:
>          > 'Server-Cert'
>          > > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181
>          > Certificate
>          > > has expired
>          > > [Fri Jan 06 01:06:30 2012] [error] Server certificate is
>         expired:
>          > > 'Server-Cert'
>          > > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified:
>          > 'Server-Cert'
>          > > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181
>          > Certificate
>          > > has expired
>          > > [Fri Jan 06 01:06:30 2012] [error] Server certificate is
>         expired:
>          > > 'Server-Cert'
>          > > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified:
>          > 'Server-Cert'
>          > > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181
>          > Certificate
>          > > has expired
>          > > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified:
>          > 'Server-Cert'
>          > > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181
>          > Certificate
>          > > has expired
>          > > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified:
>          > 'Server-Cert'
>          > > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181
>          > Certificate
>          > > has expired
>          > > [Fri Jan 06 01:06:30 2012] [error] Server certificate is
>         expired:
>          > > 'Server-Cert'
>          > > [Fri Jan 06 01:06:30 2012] [error] Server certificate is
>         expired:
>          > > 'Server-Cert'
>          > > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified:
>          > 'Server-Cert'
>          > > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181
>          > Certificate
>          > > has expired
>          > > [Fri Jan 06 01:06:30 2012] [error] Server certificate is
>         expired:
>          > > 'Server-Cert'
>          > > [Fri Jan 06 01:06:30 2012] [error] Server certificate is
>         expired:
>          > > 'Server-Cert'
>          > > [Fri Jan 06 01:06:32 2012] [error] ipa: INFO: *** PROCESS
>         START ***
>          > > [Fri Jan 06 01:06:32 2012] [error] ipa: INFO: *** PROCESS
>         START ***
>          > >
>          > > # ipa-getcert list
>          > > Number of certificates and requests being tracked: 3.
>          > > Request ID '20110619112648':
>          > > status: CA_UNREACHABLE
>          > > ca-error: Server failed request, will retry: -504 (libcurl
>         failed to
>          > > execute the HTTP POST transaction. SSL connect error).
>          > > stuck: yes
>          > > key pair storage:
>          > >
>          >
>         type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS
>          > > Certificate
>         DB',pinfile='/etc/dirsrv/slapd-HUGAYET-COM//pwdfile.txt'
>          > > certificate:
>          > >
>          >
>         type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS
>          > > Certificate DB'
>          > > CA: IPA
>          > > issuer: CN=Certificate Authority,O=HUGAYET.COM
>          > > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
>          > > expires: 20111216112647
>          > > eku: id-kp-serverAuth
>          > > track: yes
>          > > auto-renew: yes
>          > > Request ID '20110619112705':
>          > > status: CA_UNREACHABLE
>          > > ca-error: Server failed request, will retry: -504 (libcurl
>         failed to
>          > > execute the HTTP POST transaction. SSL connect error).
>          > > stuck: yes
>          > > key pair storage:
>          > >
>          >
>         type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>          > > Certificate
>         DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>          > > certificate:
>          > >
>          >
>         type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>          > > Certificate DB'
>          > > CA: IPA
>          > > issuer: CN=Certificate Authority,O=HUGAYET.COM
>          > > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
>          > > expires: 20111216112704
>          > > eku: id-kp-serverAuth
>          > > track: yes
>          > > auto-renew: yes
>          > > Request ID '20110619112721':
>          > > status: CA_UNREACHABLE
>          > > ca-error: Server failed request, will retry: -504 (libcurl
>         failed to
>          > > execute the HTTP POST transaction. Peer certificate cannot be
>          > > authenticated with known CA certificates).
>          > > stuck: yes
>          > > key pair storage:
>          > >
>          >
>         type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>          > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>          > > certificate:
>          > >
>          >
>         type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>          > > Certificate DB'
>          > > CA: IPA
>          > > issuer: CN=Certificate Authority,O=HUGAYET.COM
>          > > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
>          > > expires: 20111216112720
>          > > eku: id-kp-serverAuth
>          > > track: yes
>          > > auto-renew: yes
>          > >
>          > > Do we need to restart /etc/init.d/ipa service for all this to
>          > take effect?
>          >
>          > No, and be very careful if your 389-ds cert is also expired.
>          >
>          > This error really does mean that certmonger doesn't trust the
>         SSL cert
>          > of your web server. Have you replaced your certs with
>         something else?
>          >
>          > Does a simple command like: ipa user-show admin work?
>          >
>          > It may fail too due to the expired cert. You may have to turn
>         time back
>          > on this machine, but that won't affect the untrusted CA. From
>         what
>          > Nalin
>          > said, certmonger uses /etc/ipa/ca.crt. This needs to match
>         the CA that
>          > issued your Apache cert.
>          >
>          > rob
>          >
>          > >
>          > > Nidal.
>          > >
>          > >
>          > > --- On *Thu, 1/5/12, Rob Crittenden /<rcritten at redhat.com>/* wrote:
>          > >
>          > >
>          > > From: Rob Crittenden <rcritten at redhat.com>
>          > > Subject: Re: [Freeipa-users] Expired SSL certificate issue
>         with IPA
>          > > To: "nasir nasir" <kollathodi at yahoo.com>
>          > > Cc: freeipa-users at redhat.com, fasilkaks at gmail.com
>          > > Date: Thursday, January 5, 2012, 8:59 AM
>          > >
>          > > nasir nasir wrote:
>          > > > Thanks for the input Rob,
>          > > >
>          > > > Please find below the /var/log/httpd/error_log
>          > > >
>          > > > [Thu Jan 05 19:50:46 2012] [error] Certificate not verified:
>          > > 'Server-Cert'
>          > > > [Thu Jan 05 19:50:46 2012] [error] SSL Library Error: -8181
>          > > Certificate
>          > > > has expired
>          > > > [Thu Jan 05 19:50:46 2012] [error] Certificate not verified:
>          > > 'Server-Cert'
>          > > > [Thu Jan 05 19:50:46 2012] [error] Unable to verify
>         certificate
>          > > > 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf
>         so the
>          > > server
>          > > > can start until the problem can be resolved.
>          > > >
>          > > > Do I need to add "NSSEnforceValidCerts off" in
>          > > > /etc/httpd/conf.d/nss.conf? Please advise.
>          > > >
>          > >
>          > > That explains why certmonger can't connect. Yes, for now
>         add that
>          > > directive and restart httpd. Then try the start-tracking again
>          > and see
>          > > if it renews the cert.
>          > >
>          > > rob
>          > >
>          > > > Nidal.
>          > > >
>          > > >
>          > > > --- On *Thu, 1/5/12, Rob Crittenden /<rcritten at redhat.com>/* wrote:
>          > > >
>          > > >
>          > > > From: Rob Crittenden <rcritten at redhat.com>
>          > > > Subject: Re: [Freeipa-users] Expired SSL certificate
>         issue with IPA
>          > > > To: "nasir nasir" <kollathodi at yahoo.com>
>          > > > Cc: freeipa-users at redhat.com, fasilkaks at gmail.com
>          > > > Date: Thursday, January 5, 2012, 7:38 AM
>          > > >
>          > > > nasir nasir wrote:
>          > > > > Thanks for the reply Rob.
>          > > > >
>          > > > > Please find below the output of your guidelines.
>          > > > >
>          > > > > # ipa-getkeytab -s xxxxxxx.xxxxxxx.com -p
>          > host/xxxxxx.xxxxxx.com -k
>          > > > > /etc/krb5.keytab
>          > > > > (the command was successful; it didn't show any errors
>         in the
>          > > > krb5kdc.log
>          > > > > or audit.log)
>          > > > >
>          > > > > # kinit -kt /etc/krb5.keytab host/xxxxxx.xxxxxx.com
>          > > > >
>          > > > > krb5kdc.log
>          > > > > -----------------
>          > > > > Jan 05 15:20:32 xxxxxx.xxxxxx.com krb5kdc[2431](info):
>         AS_REQ (4
>          > > > etypes
>          > > > > {18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH:
>          > > > > host/xxxxxx.xxxxxx.com at xxxxxx.COM for
>          > > > > krbtgt/xxxxxx.COM at xxxxxx.COM,
>          > > > > Additional pre-authentication required
>          > > > > Jan 05 15:20:32 xxxxxx.xxxxxx.com krb5kdc[2427](info):
>         AS_REQ (4
>          > > > etypes
>          > > > > {18 17 16 23}) 192.168.1.10: ISSUE: authtime
>         1325766032, etypes
>          > > > {rep=18
>          > > > > tkt=18 ses=18}, host/xxxxxx.xxxxxx.com at xxxxxx.COM for
>          > > > > krbtgt/xxxxxx.COM at xxxxxx.COM
>          > > > >
>          > > > > # ipa-getcert list
>          > > > > Number of certificates and requests being tracked: 3.
>          > > > > Request ID '20110619112648':
>          > > > > status: CA_UNREACHABLE
>          > > > > ca-error: Server failed request, will retry: -504 (libcurl
>          > > failed to
>          > > > > execute the HTTP POST transaction. SSL connect error).
>          > > > > stuck: yes
>          > > > > key pair storage:
>          > > > >
>          > > >
>          > >
>          >
>         type=NSSDB,location='/etc/dirsrv/slapd-xxxxxx-COM',nickname='Server-Cert',token='NSS
>          > > > > Certificate
>          > DB',pinfile='/etc/dirsrv/slapd-xxxxxx-COM//pwdfile.txt'
>          > > > > certificate:
>          > > > >
>          > > >
>          > >
>          >
>         type=NSSDB,location='/etc/dirsrv/slapd-xxxxxx-COM',nickname='Server-Cert',token='NSS
>          > > > > Certificate DB'
>          > > > > CA: IPA
>          > > > > issuer: CN=Certificate Authority,O=xxxxxx.COM
>          > > > > subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
>          > > > > expires: 20111216112647
>          > > > > eku: id-kp-serverAuth
>          > > > > track: yes
>          > > > > auto-renew: yes
>          > > > > Request ID '20110619112705':
>          > > > > status: CA_UNREACHABLE
>          > > > > ca-error: Server failed request, will retry: -504 (libcurl
>          > > failed to
>          > > > > execute the HTTP POST transaction. SSL connect error).
>          > > > > stuck: yes
>          > > > > key pair storage:
>          > > > >
>          > > >
>          > >
>          >
>         type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>          > > > > Certificate
>         DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>          > > > > certificate:
>          > > > >
>          > > >
>          > >
>          >
>         type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>          > > > > Certificate DB'
>          > > > > CA: IPA
>          > > > > issuer: CN=Certificate Authority,O=xxxxxx.COM
>          > > > > subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
>          > > > > expires: 20111216112704
>          > > > > eku: id-kp-serverAuth
>          > > > > track: yes
>          > > > > auto-renew: yes
>          > > > > Request ID '20110619112721':
>          > > > > status: CA_UNREACHABLE
>          > > > > ca-error: Server failed request, will retry: -504 (libcurl
>          > > failed to
>          > > > > execute the HTTP POST transaction. SSL connect error).
>          > > > > stuck: yes
>          > > > > key pair storage:
>          > > > >
>          > > >
>          > >
>          >
>         type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>          > > > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>          > > > > certificate:
>          > > > >
>          > > >
>          > >
>          >
>         type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>          > > > > Certificate DB'
>          > > > > CA: IPA
>          > > > > issuer: CN=Certificate Authority,O=xxxxxx.COM
>          > > > > subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
>          > > > > expires: 20111216112720
>          > > > > eku: id-kp-serverAuth
>          > > > > track: yes
>          > > > > auto-renew: yes
>          > > > >
>          > > > > # ipa-getcert start-tracking -d /etc/httpd/alias -n
>         Server-Cert
>          > > > > Request "20110619112721" modified.
>          > > > >
>          > > > > # ipa-getcert list
>          > > > > Number of certificates and requests being tracked: 3.
>          > > > > Request ID '20110619112648':
>          > > > > status: CA_UNREACHABLE
>          > > > > ca-error: Server failed request, will retry: -504 (libcurl
>          > > failed to
>          > > > > execute the HTTP POST transaction. SSL connect error).
>          > > > > stuck: yes
>          > > > > key pair storage:
>          > > > >
>          > > >
>          > >
>          >
>         type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS
>          > > > > Certificate
>          > > DB',pinfile='/etc/dirsrv/slapd-HUGAYET-COM//pwdfile.txt'
>          > > > > certificate:
>          > > > >
>          > > >
>          > >
>          >
>         type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS
>          > > > > Certificate DB'
>          > > > > CA: IPA
>          > > > > issuer: CN=Certificate Authority,O=HUGAYET.COM
>          > > > > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
>          > > > > expires: 20111216112647
>          > > > > eku: id-kp-serverAuth
>          > > > > track: yes
>          > > > > auto-renew: yes
>          > > > > Request ID '20110619112705':
>          > > > > status: CA_UNREACHABLE
>          > > > > ca-error: Server failed request, will retry: -504 (libcurl
>          > > failed to
>          > > > > execute the HTTP POST transaction. SSL connect error).
>          > > > > stuck: yes
>          > > > > key pair storage:
>          > > > >
>          > > >
>          > >
>          >
>         type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>          > > > > Certificate
>         DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>          > > > > certificate:
>          > > > >
>          > > >
>          > >
>          >
>         type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>          > > > > Certificate DB'
>          > > > > CA: IPA
>          > > > > issuer: CN=Certificate Authority,O=HUGAYET.COM
>          > > > > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
>          > > > > expires: 20111216112704
>          > > > > eku: id-kp-serverAuth
>          > > > > track: yes
>          > > > > auto-renew: yes
>          > > > > Request ID '20110619112721':
>          > > > > status: SUBMITTING
>          > > > > stuck: no
>          > > > > key pair storage:
>          > > > >
>          > > >
>          > >
>          >
>         type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>          > > > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>          > > > > certificate:
>          > > > >
>          > > >
>          > >
>          >
>         type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>          > > > > Certificate DB'
>          > > > > CA: IPA
>          > > > > issuer: CN=Certificate Authority,O=HUGAYET.COM
>          > > > > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
>          > > > > expires: 20111216112720
>          > > > > eku: id-kp-serverAuth
>          > > > > track: yes
>          > > > > auto-renew: yes
>          > > > >
>          > > > > and after a few minutes, the status 'SUBMITTING' changes to
>          > > > > 'CA_UNREACHABLE'.
>          > > > > Do we need to restart the /etc/init.d/ipa service for
>         this? I am
>          > > > working
>          > > > > remotely.
>          > > >
>          > > > It isn't logging enough information to know why it
>         failed. Can
>          > > you look
>          > > > in the Apache error log to see why the request failed?
>          > > >
>          > > > My first thought was that there was a CA trust issue. I
>         believe
>          > that
>          > > > certmonger uses the NSS database where the certificate is
>         stored so
>          > > > since it is also doing this against Apache (which in
>         theory trust
>          > > is ok
>          > > > for it to start at all) so I'm baffled. Hopefully the
>         httpd logs
>          > > > will be
>          > > > enlightening.
>          > > >
>          > > > >
>          > > > > I need to upgrade my IPA version. Before going for this
>         I need to
>          > > > have a
>          > > > > replica of the existing one. Is it okay to have the replica
>          > > while all
>          > > > > these issues exist?
>          > > >
>          > > >
>          > > > Yes, you should be able to create a replica, this shouldn't
>          > > affect it.
>          > > >
>          > > > rob
>          > > >
>          > >
>          >
>
>
>     _______________________________________________
>     Freeipa-users mailing list
>     Freeipa-users at redhat.com
>     https://www.redhat.com/mailman/listinfo/freeipa-users
>