[Freeipa-users] FreeIPA HTTP Server-Cert expired.

ketan mehta ketanmehta.in at gmail.com
Wed Aug 6 13:11:50 UTC 2014


Hi Rob,

I tried doing that earlier but it fails because of a named error.

Output of /var/log/messages:
Jul 31 14:06:04 ipa01 named[22866]: Failed to init credentials (Clock skew
too great)
Jul 31 14:06:04 ipa01 named[22866]: loading configuration: failure
Jul 31 14:06:04 ipa01 named[22866]: exiting (due to fatal error)
Jul 31 14:06:05 ipa01 ns-slapd: GSSAPI Error: Unspecified GSS failure.
 Minor code may provide more information (Credentials cache file
'/tmp/krb5cc_494' not found)

------------------
[root at ipa01 ~]# service ntpd status
ntpd is stopped
[root at ipa01 ~]# ipactl start
Starting Directory Service
Starting dirsrv:
    EXAMPLE-COM...                                   [  OK  ]
    PKI-IPA...                                             [  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:                                   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:                          [  OK  ]
Starting DNS Service
Starting named:                                            [FAILED]
Failed to start DNS Service
Shutting down
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Stopping named:                                            [  OK  ]
Stopping httpd:                                            [FAILED]
Stopping pki-ca:                                           [  OK  ]
Shutting down dirsrv:
    EXAMPLE-COM...                                   [  OK  ]
    PKI-IPA...                                             [  OK  ]
Aborting ipactl

Thanks,
Ketan


On Wed, Aug 6, 2014 at 1:54 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> ketan mehta wrote:
> > Hi All,
> >
> > I'm facing a strange problem: my IPA master server's HTTP Server-Cert
> > has expired and I'm not able to renew it. Would you please help me
> > resolve it.
> >
> > [root at ipa01 ~]# getcert list
> > Number of certificates and requests being tracked: 9.
> > Request ID '20120731123222':
> >         status: CA_UNREACHABLE
> >         ca-error: Server failed request, will retry: -504 (libcurl
> > failed to execute the HTTP POST transaction.  couldn't connect to host).
> >         stuck: yes
> >         key pair storage:
> >
> > type=NSSDB,location='/etc/dirsrv/slapd-BIGDATA-BSKYB-COM',nickname='Server-Cert',token='NSS
> > Certificate DB',pinfile='/etc/dirsrv/slapd-BIGDATA-BSKYB-COM/pwdfile.txt'
> >         certificate:
> >
> > type=NSSDB,location='/etc/dirsrv/slapd-BIGDATA-BSKYB-COM',nickname='Server-Cert',token='NSS
> > Certificate DB'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >         subject: CN=ipa01.EXAMPLE.COM,O=EXAMPLE.COM
> >         expires: 2014-08-01 12:32:21 UTC
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
> > BIGDATA-BSKYB-COM
> >         track: yes
> >         auto-renew: yes
> > Request ID '20120731123240':
> >         status: CA_UNREACHABLE
> >         ca-error: Server failed request, will retry: -504 (libcurl
> > failed to execute the HTTP POST transaction.  couldn't connect to host).
> >         stuck: yes
> >         key pair storage:
> >
> > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
> >         certificate:
> >
> > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> > Certificate DB'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >         subject: CN=ipa01.EXAMPLE.COM,O=EXAMPLE.COM
> >         expires: 2014-08-01 12:32:40 UTC
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> > Request ID '20120731123255':
> >         status: CA_UNREACHABLE
> >         ca-error: Server failed request, will retry: -504 (libcurl
> > failed to execute the HTTP POST transaction.  couldn't connect to host).
> >         stuck: yes
> >         key pair storage:
> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >         certificate:
> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > Certificate DB'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >         subject: CN=ipa01.EXAMPLE.COM,O=EXAMPLE.COM
> >         expires: 2014-08-01 12:32:55 UTC
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> >         track: yes
> >         auto-renew: yes
> > Request ID '20130315142330':
> >         status: MONITORING
> >         stuck: no
> >         key pair storage:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> > cert-pki-ca',token='NSS Certificate DB',pin='625466584922'
> >         certificate:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> > cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >         subject: CN=CA Audit,O=EXAMPLE.COM
> >         expires: 2016-06-12 15:06:33 UTC
> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> > "auditSigningCert cert-pki-ca"
> >         track: yes
> >         auto-renew: yes
> > Request ID '20130315142331':
> >         status: MONITORING
> >         stuck: no
> >         key pair storage:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> > cert-pki-ca',token='NSS Certificate DB',pin='625466584922'
> >         certificate:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> > cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >         subject: CN=OCSP Subsystem,O=EXAMPLE.COM
> >         expires: 2016-06-12 15:05:33 UTC
> >         eku: id-kp-OCSPSigning
> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> > "ocspSigningCert cert-pki-ca"
> >         track: yes
> >         auto-renew: yes
> > Request ID '20130315142332':
> >         status: MONITORING
> >         stuck: no
> >         key pair storage:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> > cert-pki-ca',token='NSS Certificate DB',pin='625466584922'
> >         certificate:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> > cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >         subject: CN=CA Subsystem,O=EXAMPLE.COM
> >         expires: 2016-06-12 15:05:33 UTC
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> > "subsystemCert cert-pki-ca"
> >         track: yes
> >         auto-renew: yes
> > Request ID '20130315142333':
> >         status: MONITORING
> >         stuck: no
> >         key pair storage:
> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >         certificate:
> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> > Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >         subject: CN=IPA RA,O=EXAMPLE.COM
> >         expires: 2016-06-12 15:05:33 UTC
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> >         track: yes
> >         auto-renew: yes
> > Request ID '20130315142334':
> >         status: MONITORING
> >         stuck: no
> >         key pair storage:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> > cert-pki-ca',token='NSS Certificate DB',pin='625466584922'
> >         certificate:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> > cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >         subject: CN=ipa01.EXAMPLE.COM,O=EXAMPLE.COM
> >         expires: 2016-06-12 15:05:33 UTC
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> > Request ID '20140805110726':
> >         status: CA_UNREACHABLE
> >         ca-error: Server failed request, will retry: -504 (libcurl
> > failed to execute the HTTP POST transaction.  couldn't connect to host).
> >         stuck: yes
> >         key pair storage:
> > type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS
> > Certificate DB'
> >         certificate:
> > type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
> >         CA: IPA
> >         issuer:
> >         subject:
> >         expires: unknown
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> >
> > [root at ipa01 ~]# ipactl start
> > Starting Directory Service
> > Starting dirsrv:
> >     EXAMPLE-COM...[06/Aug/2014:09:39:50 +0100] - SSL alert:
> > CERT_VerifyCertificateNow: verify certificate failed for cert
> > Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
> > Runtime error -8181 - Peer's Certificate has expired.)
> >                                                            [  OK  ]
> >     PKI-IPA...[06/Aug/2014:09:39:52 +0100] - SSL alert:
> > CERT_VerifyCertificateNow: verify certificate failed for cert
> > Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
> > Runtime error -8181 - Peer's Certificate has expired.)
> >                                                            [  OK  ]
> > Starting KDC Service
> > Starting Kerberos 5 KDC:                                   [  OK  ]
> > Starting KPASSWD Service
> > Starting Kerberos 5 Admin Server:                          [  OK  ]
> > Starting DNS Service
> > Starting named:                                            [  OK  ]
> > Starting MEMCACHE Service
> > Starting ipa_memcached:                                    [  OK  ]
> > Starting HTTP Service
> > Starting httpd:                                            [FAILED]
> > Failed to start HTTP Service
> > Shutting down
> > Stopping Kerberos 5 KDC:                                   [  OK  ]
> > Stopping Kerberos 5 Admin Server:                          [  OK  ]
> > Stopping named: .                                          [  OK  ]
> > Stopping ipa_memcached:                                    [  OK  ]
> > Stopping httpd:                                            [FAILED]
> > Stopping pki-ca:                                           [  OK  ]
> > Shutting down dirsrv:
> >     EXAMPLE-COM...                                   [  OK  ]
> >     PKI-IPA...                                             [  OK  ]
> > Aborting ipactl
> >
> > I'm running ipa-server-3.0.0-26.el6_4.2.x86_64
> >
> > Let me know if you need any further information.
>
> The easiest thing to do would be to roll back time to 7/31 and restart
> certmonger. It's hard to say why they didn't renew already as the CA
> subsystem certificates appear to have renewed ok.
>
> rob
>