[Freeipa-users] Replica Cert failed to renew ...

Matt Bryant matthew.bryant at melbourneit.com.au
Tue Aug 5 22:16:14 UTC 2014


Hmmm so question here .. our domain was originally installed as a 2.x 
and upgraded to 3.x  .. I installed the replicas using the 
ipa-replica-prepare etc but the CA dirsrv instance was never copied over 
or started on the replicas (ie no slapd-PKI-* around) .. yet 
/etc/ipa/defaults.conf points to the replica itself for certmonger - so 
not sure how that will work given there is no CA copy running on the 
replica ..

In the end the process followed was to change the xmlrpc_uri to the 
original master and delete and resubmit the cert request for Server-Cert 
for slapd & httpd/alias, and we get an up-to-date cert ... not sure if 
anything else is broken by doing that though ...

I assume maybe the replica install/mgmt under 2.x was slightly or 
perhaps majorly different ...

rgds

Matt

On 31/07/2014 6:21 pm, Martin Kosek wrote:
> (Adding back the users list as this may be interesting for everyone)
>
> Ok, the steps suggested below should help. If the DS does not want to start at
> all because of the expired certificate, you can also edit
> /etc/dirsrv/slapd-YOUR-REALM/dse.ldif and edit it manually (only when dirsrv
> service is stopped).
>
> Martin
>
> On 07/31/2014 09:53 AM, Matt Bryant wrote:
>> Martin,
>>
>> Correct in that the replica does not have a CA and the version being run is
>>
>> $ rpm -qa ipa-server
>> ipa-server-3.0.0-25.el6.x86_64
>>
>> restarted the services and get
>>
>> Starting dirsrv:
>>      SERVER-IPA...[31/Jul/2014:18:00:15 +1000] - SSL alert:
>> CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of
>> family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 -
>> Peer's Certificate has expired.)
>>
>> so I think it is just dealing with an expired cert ... so will try the other
>> steps suggested  ..
>>
>> rgds
>>
>> Matt Bryant
>>
>> On 31/07/14 17:33, Martin Kosek wrote:
>>> On 07/31/2014 07:49 AM, Matt Bryant wrote:
>>>> All,
>>>>
>>>> Got an issue with an IPA replica in that the certs in /etc/httpd/alias &
>>>> /etc/dirsrv/slapd-IPA-REALM have expired.
>>> I assume that this replica does not have a CA and we are only dealing with
>>> service HTTPD and DIRSRV service certificates.
>>>
>>>> Have tried setting the date back before expiry on the replica and doing an
>>>> 'ipa-getcert resubmit -i <id>' but that hasn't worked; it looks like the CA
>>>> master is actually rejecting it since I haven't set the date back on that
>>>> server.
>>>>
>>>> Error am getting on replica is ...
>>>>
>>>> Request ID '20120719044839':
>>>>       status: CA_UNREACHABLE
>>>>       ca-error: Server failed request, will retry: -504 (libcurl failed to
>>>> execute the HTTP POST transaction.  Peer certificate cannot be authenticated
>>>> with known CA certificates).
>>> Isn't this rather a problem that the replica does not trust the master server
>>> HTTPD certificate because its certificates are not valid from the replica's POV?
>>>
>>>> is there any way of forcing a renewal or manual process for updating these
>>>> certs .. ???
>>> If this is just a replica without PKI, I would suggest synchronizing the time
>>> back with the master CA server and restarting all the services.
>>>
>>> If the HTTPD service does not want to start, follow chapter "25.2.2. Starting
>>> IdM with Expired Certificates" in
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/cas.html
>>>
>>> and then try to resubmit the certificates so that they can be renewed on the
>>> master. Do not forget to revert the above configuration changes when you are
>>> done.
>>>
>>> Also, what version of FreeIPA are you running?
>>>
>>> HTH,
>>> Martin

-- 
Matt Bryant
Manager - SMB Services | Melbourne IT | Brisbane | Tel +617 3230 7422 | Mob +61431 496663
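A defender-side check for the situation in this thread, added here as an example (not code from the thread, FreeIPA or certmonger): parse `getcert list` output on a replica and flag requests stuck outside MONITORING (such as the CA_UNREACHABLE state above) or certificates near or past expiry, so the problem surfaces before dirsrv or httpd refuse to start. The sample output below is constructed, and its request IDs, NSS database paths and expiry dates are assumptions.

```python
import re
from datetime import datetime

# Constructed sample of `getcert list` output (not from the thread), trimmed to
# the fields used here; the first entry mirrors the replica's CA_UNREACHABLE state.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20120719044839':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 2014-07-19 04:48:39 UTC
Request ID '20120719044840':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 2014-08-15 04:48:39 UTC
"""


def parse_getcert_list(text):
    """Split `getcert list` output into one dict of fields per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            # Only the first colon separates key and value; ca-error text keeps its own.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests


def find_renewal_problems(text, now, warn_days=30):
    """Return [(request id, reason)]: any non-MONITORING request with its ca-error,
    plus MONITORING certs already expired or expiring within warn_days of `now` (naive UTC)."""
    problems = []
    for req in parse_getcert_list(text):
        status = req.get("status", "UNKNOWN")
        if status != "MONITORING":
            reason = status + (": " + req["ca-error"] if "ca-error" in req else "")
            problems.append((req["id"], reason))
        elif "expires" in req:
            exp = req["expires"]
            remaining = (datetime.strptime(exp, "%Y-%m-%d %H:%M:%S %Z") - now).days
            if remaining < 0:
                problems.append((req["id"], "certificate expired on " + exp))
            elif remaining <= warn_days:
                problems.append((req["id"], f"expires in {remaining} days ({exp})"))
    return problems
```

On a live host, feed it the output of `getcert list` and `datetime.utcnow()`; a request that stays outside MONITORING after the master is reachable again is the one to resubmit.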