[Freeipa-users] (no subject)

Jimmy g17jimmy at gmail.com
Wed Mar 14 19:03:05 UTC 2012


I can set the date to before 3/12 (the cert expiry date) and things
start just fine. The apache logs don't seem to hold much info other
than "the cert is expired." CA logs have even less info.

I did find a similar issue on the mailing list -
http://comments.gmane.org/gmane.linux.redhat.freeipa.user/3104 - but I
don't see a resolution, I don't see how the cert is supposed to get
renewed.

On Wed, Mar 14, 2012 at 2:22 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Jimmy wrote:
>>
>> I changed the system date and it's functional now. I ran the command `
>> certutil -L -d /etc/httpd/alias -n Server-Cert` and see the expired
>> cert. Looking at `ipa-getcert list` I see this--
>>
>> Request ID '20110913154233':
>>         status: CA_UNREACHABLE
>>         ca-error: Server failed request, will retry: 4301 (RPC failed
>> at server.  Certificate operation cannot be completed: Unable to
>> communicate with CMS (Not Found)).
>>         stuck: yes
>>         key pair storage:
>>
>> type=NSSDB,location='/etc/dirsrv/slapd-XXXXX',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/dirsrv/slapdXXXXX//pwdfile.txt'
>>         certificate:
>>
>> type=NSSDB,location='/etc/dirsrv/slapd-XXXXX',nickname='Server-Cert',token='NSS
>> Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=XXXXX
>>         subject: CN=csp-idm.pdh.csp,O=XXXXX
>>         expires: 2012-03-11 15:42:32 UTC
>>         eku: id-kp-serverAuth
>>         track: yes
>>         auto-renew: yes
>>
>> It says "CA_UNREACHABLE", but ipactl status shows the CA running. Any
>> ideas on why this is occurring?
>
>
> The Apache error log may hold some clues. You might try:
>
> # ipa-getcert resubmit -i 20110913154233
>
> Then watch the Apache log to see what it is doing. The CA logs are in
> /var/log/pki-ca and may provide some details as well.
>
> rob
>
>
>>
>> On Wed, Mar 14, 2012 at 1:35 PM, Jimmy <g17jimmy at gmail.com> wrote:
>>>
>>> My IPA server just stopped working with this error. I'm looking into
>>> it, but if anyone knows what the issue is right off I'd appreciate any
>>> pointers you have.
>>>
>>> (when trying to do service ipa start)
>>> Starting dirsrv:
>>>    PDH-CSP...[14/Mar/2012:17:24:34 +0000] - SSL alert:
>>> CERT_VerifyCertificateNow: verify certificate failed for cert
>>> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
>>> Portable Runtime error -8181 - Peer's Certificate has expired.)
>>>                                                           [  OK  ]
>>>    PKI-IPA...[14/Mar/2012:17:24:36 +0000] - SSL alert:
>>> CERT_VerifyCertificateNow: verify certificate failed for cert
>>> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
>>> Portable Runtime error -8181 - Peer's Certificate has expired.)
>>>                                                           [  OK  ]
>>>
>>>
>>> I'm running on Fedora15, running IPA --
>>> freeipa-server-2.1.1-1.fc15.x86_64.
>>> Thanks.
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>
>
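The thread turns on certmonger's tracking state for the IPA service certificates: a request whose status is not MONITORING, that reports `stuck: yes`, or whose `expires` date has passed will take dirsrv and Apache down with it, exactly as seen above. As an added example (not from the list post, and not code from the FreeIPA or certmonger projects), here is a small Python audit that parses `ipa-getcert list` output in the format quoted in the thread and flags requests that need attention before they cause an outage. The sample output, hostnames, paths and the second request ID are constructed for the example; only the field layout follows the post.

```python
import sys
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the `ipa-getcert list` output quoted in the
# thread: one stuck, already-expired request and one healthy request.
SAMPLE_OUTPUT = """\
Request ID '20110913154233':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE
        subject: CN=ipa.example.test,O=EXAMPLE
        expires: 2012-03-11 15:42:32 UTC
        eku: id-kp-serverAuth
        track: yes
        auto-renew: yes
Request ID '20110913154300':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE
        subject: CN=ipa.example.test,O=EXAMPLE
        expires: 2013-09-13 15:43:00 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        track: yes
        auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")


def parse_getcert_list(text):
    """Parse `getcert list` style output into one dict per tracked request.

    Each line inside a request is 'key: value'; the value keeps any later
    colons (the ca-error line contains several), so split on the first only.
    """
    requests = []
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """certmonger prints the expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def audit_tracking(text, now, warn_days=30):
    """Return {request_id: [finding, ...]} for every request that needs attention.

    Findings: status other than MONITORING (with the ca-error if present),
    a stuck request, an already-expired certificate, or one expiring within
    warn_days of `now`. Requests with no findings are omitted.
    """
    findings = {}
    for req in parse_getcert_list(text):
        problems = []
        status = req.get("status", "UNKNOWN")
        if status != "MONITORING":
            problems.append(f"status {status}: {req.get('ca-error', 'no ca-error reported')}")
        if req.get("stuck", "no") == "yes":
            problems.append("request is stuck; certmonger has stopped retrying and needs a resubmit")
        expires = req.get("expires")
        if expires:
            exp = parse_expiry(expires)
            if exp <= now:
                problems.append(f"certificate expired at {expires}")
            elif exp - now <= timedelta(days=warn_days):
                problems.append(f"certificate expires in {(exp - now).days} days ({expires})")
        if problems:
            findings[req["request_id"]] = problems
    return findings


if __name__ == "__main__":
    # Feed real output with `ipa-getcert list | python3 audit.py`; with no
    # stdin the constructed sample is audited instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for rid, problems in audit_tracking(text, datetime.now(timezone.utc)).items():
        for p in problems:
            print(f"{rid}: {p}")
```

Run from cron on each IPA server and alert on any output: the warning window catches the normal case (renewal due but not yet performed), and the stuck/non-MONITORING checks catch the case in this thread, where certmonger had given up long before the expiry date because it could not reach the CA.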