[Freeipa-users] Certificate format error: [Errno -8018]

craig.freeipa at noboost.org craig.freeipa at noboost.org
Tue Jan 28 06:56:28 UTC 2014


On Thu, Jan 23, 2014 at 09:21:54AM -0500, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
> >On Thu, 23 Jan 2014, craig.freeipa at noboost.org wrote:
> >>Hi Guys,
> >>
> >>I'm sure this is an easy issue to fix!
> >>
> >>First the specs;
> >>Red Hat Enterprise Linux Server release 6.3 (Santiago)
> >>ipa-client-2.2.0-16.el6.x86_64
> >>ipa-server-2.2.0-16.el6.x86_64
> >>
> >>
> >>Issue:
> >>When I click on the hosts TAB from inside the Identity Management GUI, I
> >>get the following error;
> >>* Certificate format error: [Errno -8018] None (repeated many times)
> >>
> >>* Cannot connect to
> >> 'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':
> >>
> >> [Errno -8018] None
> >>
> >>Also seen this error;
> >>cannot connect to
> >>'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':
> >>[Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
> >>certificate as expired.
> >>
> >>
> >>Any advice would be greatly appreciated!
> >http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
> >
> >Since you have FreeIPA before 3.4, you need to follow manual procedure
> >outlined on that page. 2.2 might also be a bit different than 3.x but
> >this is a starting point.
> >
> >
> 
> For 2.x you want http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
> 
> rob
> 
Just running into a couple of issues with the manual SSL cert process;

1) ERROR when telling certmonger about all the CA certificates

#Command:
for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
do
    echo $nickname
    certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
done


#Result:
auditSigningCert cert-pki-ca
            Not After : Tue Jan 14 06:45:05 2014
ocspSigningCert cert-pki-ca
            Not After : Tue Jan 14 06:45:05 2014
subsystemCert cert-pki-ca
            Not After : Tue Jan 14 06:45:05 2014
Server-Cert cert-pki-ca
            Not After : Tue Jan 14 06:45:05 2014

#Command:
for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
do
    /usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n "${nickname}" -c dogtag-ipa-renew-agent -P 705114231111
done

#Result:
No CA with name "dogtag-ipa-renew-agent" found.
No CA with name "dogtag-ipa-renew-agent" found.
No CA with name "dogtag-ipa-renew-agent" found.
No CA with name "dogtag-ipa-renew-agent" found.


2) Upgrade instead?
I could potentially upgrade the ipa-server to "3.0.0-37.el6", would this version be able to automatically update the certificates?

cya

Craig
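Added here as an example (not code from the thread or from FreeIPA): a small expiry check that parses the "Not After" lines `certutil -L -d /var/lib/pki-ca/alias -n "<nickname>"` prints for the four dogtag nicknames above and reports which certificates are expired or close to it, so the -8018 / SSL_ERROR_EXPIRED_CERT_ALERT failures can be caught before the CA stops working. The helper names (`parse_not_after`, `check_certs`, `read_nssdb`), the 28-day warning window and the sample dates other than the Jan 14 2014 expiry shown in the thread are assumptions made for the example.

```python
# Added example, not from the thread or FreeIPA: expiry check for the CA's NSS
# certificates, parsing the "Not After" lines printed by certutil -L (format above).
import re
import subprocess
from datetime import datetime

NSS_DB = "/var/lib/pki-ca/alias"  # database path used in the thread
NICKNAMES = ["auditSigningCert cert-pki-ca", "ocspSigningCert cert-pki-ca",
             "subsystemCert cert-pki-ca", "Server-Cert cert-pki-ca"]
# certutil prints validity as, e.g., "Not After : Tue Jan 14 06:45:05 2014"
NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+?)\s*$", re.MULTILINE)

def parse_not_after(certutil_output):
    """Return the certificate's 'Not After' timestamp as a datetime."""
    m = NOT_AFTER_RE.search(certutil_output)
    if not m:
        raise ValueError("no 'Not After' line found in certutil output")
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")

def days_remaining(certutil_output, now):
    """Whole days until expiry; negative once the certificate has expired."""
    return (parse_not_after(certutil_output) - now).days

def check_certs(outputs, now, warn_days=28):
    """outputs: {nickname: certutil text}. Returns {nickname: expired|expiring|ok}."""
    status = {}
    for nickname, text in outputs.items():
        left = days_remaining(text, now)
        status[nickname] = ("expired" if left < 0 else
                            "expiring" if left <= warn_days else "ok")
    return status

def read_nssdb(db=NSS_DB, nicknames=NICKNAMES):
    """Collect live certutil output on the CA host (needs certutil; not used offline)."""
    return {n: subprocess.check_output(["certutil", "-L", "-d", db, "-n", n], text=True)
            for n in nicknames}

# Constructed sample in certutil's format: the expiry date shown in the thread plus two
# hypothetical later dates, so all three states appear. Reference date: the post's date.
POST_DATE = datetime(2014, 1, 28)
SAMPLE = {
    "auditSigningCert cert-pki-ca": "    Not After : Tue Jan 14 06:45:05 2014\n",
    "subsystemCert cert-pki-ca":    "    Not After : Sat Feb 15 06:45:05 2014\n",
    "Server-Cert cert-pki-ca":      "    Not After : Wed Jan 14 06:45:05 2015\n",
}

def sample_status():
    """Run the check over the constructed sample (use read_nssdb() on a real host)."""
    return check_certs(SAMPLE, POST_DATE)
```

On a live CA host, `check_certs(read_nssdb(), datetime.now())` gives the same report for the real database.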