[Freeipa-users] (no subject)

Rob Crittenden rcritten at redhat.com
Wed Mar 14 18:22:32 UTC 2012


Jimmy wrote:
> I changed the system date and it's functional now. I ran the command
> `certutil -L -d /etc/httpd/alias -n Server-Cert` and see the expired
> cert. Looking at `ipa-getcert list` I see this--
>
> Request ID '20110913154233':
>          status: CA_UNREACHABLE
>          ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>          stuck: yes
>          key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-XXXXX',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapdXXXXX//pwdfile.txt'
>          certificate: type=NSSDB,location='/etc/dirsrv/slapd-XXXXX',nickname='Server-Cert',token='NSS Certificate DB'
>          CA: IPA
>          issuer: CN=Certificate Authority,O=XXXXX
>          subject: CN=csp-idm.pdh.csp,O=XXXXX
>          expires: 2012-03-11 15:42:32 UTC
>          eku: id-kp-serverAuth
>          track: yes
>          auto-renew: yes
>
> It says "CA_UNREACHABLE", but ipactl status shows the CA running. Any
> ideas on why this is occurring?

The Apache error log may hold some clues. You might try:

# ipa-getcert resubmit -i 20110913154233

Then watch the Apache log to see what it is doing. The CA logs are in 
/var/log/pki-ca and may provide some details as well.

rob

>
> On Wed, Mar 14, 2012 at 1:35 PM, Jimmy <g17jimmy at gmail.com> wrote:
>> My IPA server just stopped working with this error. I'm looking into
>> it, but if anyone knows what the issue is right off I'd appreciate any
>> pointers you have.
>>
>> (when trying to do service ipa start)
>> Starting dirsrv:
>>     PDH-CSP...[14/Mar/2012:17:24:34 +0000] - SSL alert:
>> CERT_VerifyCertificateNow: verify certificate failed for cert
>> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
>> Portable Runtime error -8181 - Peer's Certificate has expired.)
>>                                                            [  OK  ]
>>     PKI-IPA...[14/Mar/2012:17:24:36 +0000] - SSL alert:
>> CERT_VerifyCertificateNow: verify certificate failed for cert
>> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
>> Portable Runtime error -8181 - Peer's Certificate has expired.)
>>                                                            [  OK  ]
>>
>>
>> I'm running on Fedora15, running IPA -- freeipa-server-2.1.1-1.fc15.x86_64.
>> Thanks.
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users



