[Freeipa-users] FreeIPA webserver cert expired.
Paul Tader
ptader at linuxscope.com
Fri Jun 29 21:55:00 UTC 2012
On 6/11/12 9:16 AM, Paul Tader wrote:
> On 6/5/12 2:33 PM, Rob Crittenden wrote:
>> JR Aquino wrote:
>>> On Jun 5, 2012, at 11:18 AM, Paul Tader wrote:
>>>
>>>> A couple days ago my (apache) certificates expired. Users are able to
>>>> kinit but tools such as sudo fail because of the expired
>>>> certificates. Lots of reading/Google'ing later I found this script
>>>> (steps) to renew these certs:
>>>
>>> I'm just curious, but, isn't certmonger supposed to automatically
>>> renew these? Is certmonger failing in this case?
>>
>> Yes, the first thing to do is figure out why certmonger didn't
>> automatically renew the certificates. Then it should be as simple as
>> setting the date back, letting certmonger do its thing, then setting it
>> forward again.
>>
>> That is very strange certmonger output. You might try setting the date
>> back a couple of days and trying something like:
>>
>> ipa-getcert resubmit -i 20110706215145
>>
>> And see what the status goes to.
>>
>> rob
>
> (Sorry for the delayed reply)
>
> No luck with setting the date back and resubmitting the certificate.
>
>
>
> # /etc/init.d/ntpd stop
> Stopping ntpd (via systemctl): [ OK ]
>
> # date 060112002012
> Fri Jun 1 12:00:00 CDT 2012
>
> # /etc/init.d/httpd stop
> Stopping httpd (via systemctl): [ OK ]
> # /etc/init.d/httpd start
> Starting httpd (via systemctl): [ OK ]
>
> # ipa-getcert resubmit -i 20110706215145
> Resubmitting "20110706215145" to "IPA".
>
> # ipa-getcert list
> Number of certificates and requests being tracked: 3.
> Request ID '20110706215109':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: -504 (libcurl failed
> to execute the HTTP POST transaction, explaining: SSL connect error).
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-CTIDATA-NET//pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=RELAM.NET
> subject: CN=srv01.company.net,O=REALM.NET
> expires: 2012-06-03 20:19:49 UTC
> eku: id-kp-serverAuth
> track: yes
> auto-renew: yes
> Request ID '20110706215129':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: -504 (libcurl failed
> to execute the HTTP POST transaction, explaining: SSL connect error).
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=REALM.NET
> subject: CN=srv01.company.net,O=REALM.NET
> expires: 2012-06-03 20:19:49 UTC
> eku: id-kp-serverAuth
> track: yes
> auto-renew: yes
> Request ID '20110706215145':
> status: GENERATING_CSR
> ca-error: Server failed request, will retry: 4301 (RPC failed at
> server. Certificate operation cannot be completed: Unable to
> communicate with CMS (Unauthorized)).
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=REALM.NET
> subject: CN=srv01.company.net,O=REALM.NET
> expires: 2012-06-03 20:19:49 UTC
> eku: id-kp-serverAuth
> track: yes
> auto-renew: yes
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
Still working on this problem. I've imported new self-signed certs
because I don't think I can renew expired certs, and now all of the
entries list like this:
Request ID '20110706215145':
status: NEED_CSR_GEN_TOKEN
ca-error: Error setting up ccache for local "host" service using
default keytab.
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=REALM.NET
subject: CN=ipa01.domain.net,O=REALM.NET
expires: 2012-06-03 20:19:49 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Any tips or suggestions? I've saved off the old files so I think I can
go back to the expired certs.
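A small monitoring check, added here as an example and not part of the thread or of FreeIPA itself, that parses `ipa-getcert list` output like the listings above and flags requests that are expired, stuck, or carrying a ca-error; the sample output, its request IDs, hostnames and the "now" date are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed `ipa-getcert list` excerpt using the fields seen in the thread;
# request IDs, hostnames and dates are made up for this example.
SAMPLE_OUTPUT = """\
Request ID '20110706215109':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: -504 (libcurl failed
to execute the HTTP POST transaction, explaining: SSL connect error).
\tstuck: yes
\tsubject: CN=srv01.example.net,O=EXAMPLE.NET
\texpires: 2012-06-03 20:19:49 UTC
Request ID '20110706215145':
\tstatus: MONITORING
\tstuck: no
\tsubject: CN=srv01.example.net,O=EXAMPLE.NET
\texpires: 2014-06-03 20:19:49 UTC
"""
AS_OF = datetime(2012, 6, 5, tzinfo=timezone.utc)  # constructed "now" for the demo

def parse_getcert_list(text):
    """Map each 'Request ID' block to its fields; wrapped values are rejoined."""
    requests, fields, key = {}, {}, None  # header lines land in the throwaway dict
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            fields, key = requests.setdefault(m.group(1), {}), None
            continue
        m = re.match(r"\s*([a-z][a-z -]*): ?(.*)", line, re.I)
        if m:
            key = m.group(1).strip()
            fields[key] = m.group(2).strip()
        elif key:  # continuation of a wrapped field such as ca-error
            fields[key] += " " + line.strip()
    return requests

def check_tracked_certs(text, now):
    """Flag expired certificates and requests certmonger is not able to renew."""
    findings = []
    for rid, f in parse_getcert_list(text).items():
        expires = datetime.strptime(f["expires"].replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
        if expires.replace(tzinfo=timezone.utc) <= now:
            findings.append((rid, "expired"))
        if f.get("stuck") == "yes" or f.get("status") != "MONITORING":
            findings.append((rid, "not renewing: status=%s" % f.get("status")))
        if "ca-error" in f:
            findings.append((rid, "ca-error: " + f["ca-error"]))
    return findings
```

Run it against real output with `check_tracked_certs(subprocess.check_output(["ipa-getcert", "list"], text=True), datetime.now(timezone.utc))`; anything it returns is a certificate that needs attention before the expiry date, not after.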