[Freeipa-users] Certificate system unavailable
Sigbjorn Lie
sigbjorn at nixtra.com
Mon Jan 13 18:24:17 UTC 2014
On 13/01/14 19:13, Nalin Dahyabhai wrote:
> On Mon, Jan 13, 2014 at 04:07:16PM +0100, Sigbjorn Lie wrote:
>> After I restarted dirsrv, pki-cad and then the httpd on ipa01 the status of the request is now:
>>
>> Request ID '20120119194518':
>> status: CA_UNREACHABLE
>> ca-error: Server failed request, will retry: 907 (RPC failed at server. cannot connect to
>> 'https://ipa01.dns.domain:443/ca/agent/ca/displayBySerial': [Errno -12269]
>> (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
>> stuck: yes
>> key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-DNS-DOMAIN',nickname='Server-Cert',token='NSS Certificate
>> DB',pinfile='/etc/dirsrv/slapd-DNS-DOMAIN//pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-DNS-DOMAIN',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=DNS-DOMAIN
>> subject: CN=ipa01.dns.domain,O=DNS-DOMAIN
>> expires: 2014-01-19 19:45:18 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>>
>> However I cannot find the certificate that's expired?
> That error message was the one the IPA server received and then relayed
> back to certmonger, so I'd expect that the expired certificate is the
> agent certificate that IPA uses when connecting to the CA's agent
> interface. That's stored in the NSS database in /etc/httpd/alias, with
> nickname "ipaCert".
>
>
Yes, the ipaCert certificate in /etc/httpd/alias/ is expired.
Actually, all certificates in /var/lib/pki-ca/alias/ are expired too; they
all expired on the same date, within minutes of each other. It looks
like they are the original certificates issued when I installed IPA,
when I look at the "Not Before" timestamp of the certificates.
Regards,
Siggi
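The diagnosis above turns on reading `getcert list` output correctly: the `CA_UNREACHABLE` status plus an `SSL_ERROR_EXPIRED_CERT_ALERT` in `ca-error` means the CA rejected the certificate IPA presented to it (the agent cert `ipaCert` in /etc/httpd/alias), not the tracked certificate itself. As an added example that is not part of this thread, the following script parses that output format and flags stuck requests, unreachable CAs, the agent-cert symptom, and certificates expired or about to expire; the sample output and the host and realm names in it are constructed placeholders.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample modelled on the `getcert list` output quoted in the
# thread; host and realm names are placeholders, not the poster's.
SAMPLE = """\
Request ID '20120119194518':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://ipa01.example.test:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
        stuck: yes
        subject: CN=ipa01.example.test,O=EXAMPLE.TEST
        expires: 2014-01-19 19:45:18 UTC
Request ID '20120119194600':
        status: MONITORING
        stuck: no
        subject: CN=ldap.example.test,O=EXAMPLE.TEST
        expires: 2015-06-01 00:00:00 UTC
"""

def parse_getcert_list(text):
    """Split `getcert list` output into one dict of fields per tracking request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def find_problems(requests, now, warn_days=30):
    """Return (request id, reason) pairs that need an operator's attention."""
    problems = []
    for r in requests:
        if r.get("stuck") == "yes":
            problems.append((r["id"], "stuck"))
        if r.get("status") == "CA_UNREACHABLE":
            problems.append((r["id"], "CA_UNREACHABLE"))
        # CA rejecting *our* cert as expired points at the agent cert (ipaCert).
        if "SSL_ERROR_EXPIRED_CERT_ALERT" in r.get("ca-error", ""):
            problems.append((r["id"], "agent cert rejected as expired; check ipaCert"))
        if "expires" in r:
            when = datetime.strptime(r["expires"].replace(" UTC", ""), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            if when <= now:
                problems.append((r["id"], "expired"))
            elif when - now <= timedelta(days=warn_days):
                problems.append((r["id"], "expires soon"))
    return problems
```

In practice, feed it the real output with `find_problems(parse_getcert_list(subprocess.check_output(["getcert", "list"], text=True)), datetime.now(timezone.utc))`.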