[Freeipa-users] FreeIPA HTTP Server-Cert expired.

Rob Crittenden rcritten at redhat.com
Wed Aug 6 12:54:36 UTC 2014


ketan mehta wrote:
> Hi All,
> 
> I'm facing a strange problem: my IPA master server's HTTP Server-Cert
> has expired and I'm not able to renew it. Would you please help me
> resolve it.
> 
> [root@ipa01 ~]# getcert list
> Number of certificates and requests being tracked: 9.
> Request ID '20120731123222':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: -504 (libcurl
> failed to execute the HTTP POST transaction.  couldn't connect to host).
>         stuck: yes
>         key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-BIGDATA-BSKYB-COM',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-BIGDATA-BSKYB-COM/pwdfile.txt'
>         certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-BIGDATA-BSKYB-COM',nickname='Server-Cert',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=ipa01.EXAMPLE.COM,O=EXAMPLE.COM
>         expires: 2014-08-01 12:32:21 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
> BIGDATA-BSKYB-COM
>         track: yes
>         auto-renew: yes
> Request ID '20120731123240':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: -504 (libcurl
> failed to execute the HTTP POST transaction.  couldn't connect to host).
>         stuck: yes
>         key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>         certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=ipa01.EXAMPLE.COM,O=EXAMPLE.COM
>         expires: 2014-08-01 12:32:40 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20120731123255':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: -504 (libcurl
> failed to execute the HTTP POST transaction.  couldn't connect to host).
>         stuck: yes
>         key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=ipa01.EXAMPLE.COM,O=EXAMPLE.COM
>         expires: 2014-08-01 12:32:55 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>         track: yes
>         auto-renew: yes
> Request ID '20130315142330':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin='625466584922'
>         certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=CA Audit,O=EXAMPLE.COM
>         expires: 2016-06-12 15:06:33 UTC
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20130315142331':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin='625466584922'
>         certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>         expires: 2016-06-12 15:05:33 UTC
>         eku: id-kp-OCSPSigning
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20130315142332':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB',pin='625466584922'
>         certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=CA Subsystem,O=EXAMPLE.COM
>         expires: 2016-06-12 15:05:33 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "subsystemCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20130315142333':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=IPA RA,O=EXAMPLE.COM
>         expires: 2016-06-12 15:05:33 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>         track: yes
>         auto-renew: yes
> Request ID '20130315142334':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB',pin='625466584922'
>         certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=ipa01.EXAMPLE.COM,O=EXAMPLE.COM
>         expires: 2016-06-12 15:05:33 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20140805110726':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: -504 (libcurl
> failed to execute the HTTP POST transaction.  couldn't connect to host).
>         stuck: yes
>         key pair storage:
> type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS
> Certificate DB'
>         certificate:
> type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
>         CA: IPA
>         issuer:
>         subject:
>         expires: unknown
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> 
> [root@ipa01 ~]# ipactl start
> Starting Directory Service
> Starting dirsrv:
>     EXAMPLE-COM...[06/Aug/2014:09:39:50 +0100] - SSL alert:
> CERT_VerifyCertificateNow: verify certificate failed for cert
> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
> Runtime error -8181 - Peer's Certificate has expired.)
>                                                            [  OK  ]
>     PKI-IPA...[06/Aug/2014:09:39:52 +0100] - SSL alert:
> CERT_VerifyCertificateNow: verify certificate failed for cert
> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
> Runtime error -8181 - Peer's Certificate has expired.)
>                                                            [  OK  ]
> Starting KDC Service
> Starting Kerberos 5 KDC:                                   [  OK  ]
> Starting KPASSWD Service
> Starting Kerberos 5 Admin Server:                          [  OK  ]
> Starting DNS Service
> Starting named:                                            [  OK  ]
> Starting MEMCACHE Service
> Starting ipa_memcached:                                    [  OK  ]
> Starting HTTP Service
> Starting httpd:                                            [FAILED]
> Failed to start HTTP Service
> Shutting down
> Stopping Kerberos 5 KDC:                                   [  OK  ]
> Stopping Kerberos 5 Admin Server:                          [  OK  ]
> Stopping named: .                                          [  OK  ]
> Stopping ipa_memcached:                                    [  OK  ]
> Stopping httpd:                                            [FAILED]
> Stopping pki-ca:                                           [  OK  ]
> Shutting down dirsrv:
>     EXAMPLE-COM...                                   [  OK  ]
>     PKI-IPA...                                             [  OK  ]
> Aborting ipactl
> 
> I'm running ipa-server-3.0.0-26.el6_4.2.x86_64
> 
> Let me know if you need any further information.

The easiest thing to do would be to roll back time to 7/31 and restart
certmonger. It's hard to say why they didn't renew already as the CA
subsystem certificates appear to have renewed ok.

rob
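
Rob's suggestion written out as a script, added here as an example and not code from the thread or from FreeIPA itself. It targets a RHEL6-era FreeIPA 3.0 master like the one above and assumes SysV `service`, ntpd for time sync, GNU `date -s`, `ipactl restart` and a root shell; the `getcert list` sample at the bottom is constructed from the request layout in the post, with only the fields the helpers read.

```shell
#!/bin/sh
# Added example, not code from this thread or from FreeIPA: it automates Rob's
# suggestion of rolling the clock back to before the expiry, restarting
# certmonger so it can renew, then restoring the time. Assumes a RHEL6-era
# FreeIPA 3.0 master (SysV 'service', GNU 'date -s', ntpd) and root.
# The parsing helpers below are plain POSIX sh + awk.

# Earliest "expires:" among tracked requests certmonger reports as stuck,
# skipping "expires: unknown". Reads `getcert list` output on stdin.
earliest_stuck_expiry() {
    awk '
        /^Request ID/               { stuck = 0 }
        /^[ \t]*stuck: yes/         { stuck = 1 }
        /^[ \t]*expires: / && stuck {
            sub(/^[ \t]*expires: /, "")
            # "YYYY-MM-DD HH:MM:SS UTC" orders correctly as a plain string
            if ($0 != "unknown" && (min == "" || $0 < min)) min = $0
        }
        END { if (min != "") print min }'
}

# Shift "YYYY-MM-DD HH:MM:SS UTC" back one calendar day, keeping the time of
# day, printed in the form `date -s` accepts. Day-count arithmetic in awk,
# so it does not need GNU `date -d`.
day_before() {
    printf '%s\n' "$1" | awk '{
        split($1, d, "-"); y = d[1] + 0; m = d[2] + 0; dd = d[3] + 0
        yy = (m <= 2) ? y - 1 : y                      # March-based year
        era = int(yy / 400); yoe = yy - era * 400
        doy = int((153 * (m + ((m > 2) ? -3 : 9)) + 2) / 5) + dd - 1
        z = era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 1
        era = int(z / 146097); doe = z - era * 146097  # and back to civil
        yoe = int((doe - int(doe / 1460) + int(doe / 36524) - int(doe / 146096)) / 365)
        doy = doe - (365 * yoe + int(yoe / 4) - int(yoe / 100))
        mp = int((5 * doy + 2) / 153)
        nd = doy - int((153 * mp + 2) / 5) + 1
        nm = mp + ((mp < 10) ? 3 : -9)
        ny = yoe + era * 400 + ((nm <= 2) ? 1 : 0)
        printf "%04d-%02d-%02d %s\n", ny, nm, nd, $2
    }'
}

# Clock value to set, derived from `getcert list` output on stdin.
rollback_target() {
    expiry=$(earliest_stuck_expiry)
    [ -n "$expiry" ] || return 1
    day_before "$expiry"
}

# The whole procedure. It steps the system clock, so run it in a maintenance
# window; anything issued meanwhile (Kerberos tickets, logs) carries the
# rolled-back time.
ipa_renew_with_rollback() {
    target=$(getcert list | rollback_target) ||
        { echo "no stuck request with a known expiry" >&2; return 1; }
    real_start=$(date -u +%s)
    service ntpd stop 2>/dev/null || true   # else it steps the clock back
    date -u -s "$target" >/dev/null
    rolled_start=$(date -u +%s)
    # certmonger's IPA helper submits renewals to the IPA web service over
    # HTTPS, i.e. the httpd that refused to start on the expired cert; with
    # the clock rolled back it starts again.
    ipactl restart
    service certmonger restart
    n=0
    while getcert list | grep -q 'stuck: yes'; do
        n=$((n + 1))
        [ "$n" -lt 60 ] || { echo "still stuck after 5 min" >&2; break; }
        sleep 5
    done
    # Restore real time: real start plus what elapsed on the rolled clock.
    elapsed=$(( $(date -u +%s) - rolled_start ))
    date -u -s "@$((real_start + elapsed))" >/dev/null
    service ntpd start 2>/dev/null || true
    ipactl restart                          # pick up the renewed certs
    ! getcert list | grep -q 'stuck: yes'   # 0 only if nothing is stuck
}

# Constructed sample in the layout of the thread's `getcert list` output
# (only the fields the helpers read).
SAMPLE_GETCERT=$(cat <<'EOF'
Request ID '20120731123255':
        stuck: yes
        expires: 2014-08-01 12:32:55 UTC
Request ID '20120731123222':
        stuck: yes
        expires: 2014-08-01 12:32:21 UTC
Request ID '20130315142333':
        stuck: no
        expires: 2016-06-12 15:05:33 UTC
Request ID '20140805110726':
        stuck: yes
        expires: unknown
EOF
)
```

`getcert list | rollback_target` on its own only prints the clock value the script would set, which is the safe first check; `ipa_renew_with_rollback` does the actual work and needs a maintenance window. The `/etc/pki/nssdb` request with `expires: unknown` has no expiry to roll back to and is skipped. Afterwards every request in `getcert list` should read MONITORING; any still stuck carry a `ca-error:` line with the reason.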



