[Freeipa-users] Certificate format error: [Errno -8018]

Rob Crittenden rcritten at redhat.com
Wed Jan 29 14:15:50 UTC 2014


craig.freeipa at noboost.org wrote:
> On Tue, Jan 28, 2014 at 01:25:56PM -0500, Rob Crittenden wrote:
>> craig.freeipa at noboost.org wrote:
>>> On Thu, Jan 23, 2014 at 09:21:54AM -0500, Rob Crittenden wrote:
>>>> Alexander Bokovoy wrote:
>>>>> On Thu, 23 Jan 2014, craig.freeipa at noboost.org wrote:
>>>>>> Hi Guys,
>>>>>>
>>>>>> I'm sure this is an easy issue to fix!
>>>>>>
>>>>>> First the specs;
>>>>>> Red Hat Enterprise Linux Server release 6.3 (Santiago)
>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>> ipa-server-2.2.0-16.el6.x86_64
>>>>>>
>>>>>>
>>>>>> Issue:
>>>>>> When I click on the hosts TAB from inside the Identity Management GUI, I
>>>>>> get the following error;
>>>>>> * Certificate format error: [Errno -8018] None (repeated many times)
>>>>>>
>>>>>> * Cannot connect to
>>>>>> 'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':
>>>>>>
>>>>>> [Errno -8018] None
>>>>>>
>>>>>> Also seen this error;
>>>>>> cannot connect to
>>>>>> 'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':
>>>>>> [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
>>>>>> certificate as expired.
>>>>>>
>>>>>>
>>>>>> Any advice would be greatly appreciated!
>>>>> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>>>>>
>>>>> Since you have FreeIPA before 3.4, you need to follow manual procedure
>>>>> outlined on that page. 2.2 might also be a bit different than 3.x but
>>>>> this is a starting point.
>>>>>
>>>>>
>>>>
>>>> For 2.x you want http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>>>>
>>>> rob
>>>>
>>> Just running into a couple of issues with the manual SSL cert process;
>>>
>>> 1) ERROR when telling certmonger about all the CA certificates
>>>
>>> #Command:
>>> for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
>>> do
>>>      echo $nickname
>>>      certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
>>> done
>>>
>>>
>>> #Result:
>>> auditSigningCert cert-pki-ca
>>>              Not After : Tue Jan 14 06:45:05 2014
>>> ocspSigningCert cert-pki-ca
>>>              Not After : Tue Jan 14 06:45:05 2014
>>> subsystemCert cert-pki-ca
>>>              Not After : Tue Jan 14 06:45:05 2014
>>> Server-Cert cert-pki-ca
>>>              Not After : Tue Jan 14 06:45:05 2014
>>>
>>> #Command:
>>> for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
>>> do
>>>      /usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n "${nickname}" -c dogtag-ipa-renew-agent -P 705114231111
>>> done
>>>
>>> #Result:
>>> No CA with name "dogtag-ipa-renew-agent" found.
>>> No CA with name "dogtag-ipa-renew-agent" found.
>>> No CA with name "dogtag-ipa-renew-agent" found.
>>> No CA with name "dogtag-ipa-renew-agent" found.
>>>
>>>
>>> 2) Upgrade instead?
>>> I could potentially upgrade the ipa-server to "3.0.0-37.el6", would this version be able to automatically update the certificates?
>>>
>>> cya
>>>
>>> Craig
>>>
>>
>> You need certmonger-0.58-1 or higher to get the
>> dogtag-ipa-renew-agent CA and other fixes. I'll update the wiki with
>> that, sorry for the oversight.
>>
>> You could try updating to 3.0. If you do decide to try upgrading I
>> think I'd go back in time when all the certs are valid first as some
>> services will be restarted during the upgrade and we don't want the
>> upgrade blowing up in the middle because of expired certs.
>>
>> rob
> I'll give the upgrade a go, say I go back to the older date and IPA
> starts fine. Won't the certs still have a hard expiry date on them, so
> I'll need to follow the
> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal procedure?

It depends in part on how far back in time you go. I'd go back a day or two 
before the oldest date (not all certs expire at the same time).

The upgrade will configure automatic renewal. I think what I'd recommend 
is do the upgrade then restart the certmonger service on the machine.

Run `getcert list` to check the status of the certs. After the restart 
they should all renew.

rob
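The "oldest date" advice above is easy to get wrong by hand when several NSS databases are involved. The following added example (not from the thread or from FreeIPA itself) parses the "Not After" lines that the quoted certutil loop prints, flags which certs are already expired relative to a given clock, and computes the rollback target a day or two before the earliest expiry. The fifth nickname and its later date are constructed to show that certs expire at different times.

```python
import re
from datetime import datetime, timedelta

# The line the thread's loop greps for ("grep -i after") in certutil -L output.
NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+?)\s*$", re.MULTILINE)
CERTUTIL_DATE_FMT = "%a %b %d %H:%M:%S %Y"   # e.g. "Tue Jan 14 06:45:05 2014"


def parse_certutil_date(text: str) -> datetime:
    """Parse a timestamp in the format certutil prints (local time, no zone)."""
    return datetime.strptime(text.strip(), CERTUTIL_DATE_FMT)


def parse_not_after(certutil_output: str) -> datetime:
    """Extract the 'Not After' timestamp from `certutil -L -d <db> -n <nick>` output."""
    match = NOT_AFTER_RE.search(certutil_output)
    if match is None:
        raise ValueError("no 'Not After' line in certutil output")
    return parse_certutil_date(match.group(1))


def expiry_report(outputs: dict, now: datetime) -> dict:
    """Map nickname -> {'not_after', 'days_left', 'expired'} for each captured output."""
    report = {}
    for nick, text in outputs.items():
        not_after = parse_not_after(text)
        report[nick] = {
            "not_after": not_after,
            "days_left": (not_after - now).days,
            "expired": not_after <= now,
        }
    return report


def rollback_target(report: dict, margin_days: int = 2) -> datetime:
    """Earliest expiry across all certs minus a safety margin: the clock value at
    which every cert is still valid ("a day or two before the oldest date")."""
    oldest = min(entry["not_after"] for entry in report.values())
    return oldest - timedelta(days=margin_days)


# Constructed sample: the four pki-ca certs and their date as quoted in the thread,
# plus one invented nickname (multi-line output) with a later expiry.
SAMPLE_OUTPUTS = {
    "auditSigningCert cert-pki-ca": "Not After : Tue Jan 14 06:45:05 2014",
    "ocspSigningCert cert-pki-ca": "Not After : Tue Jan 14 06:45:05 2014",
    "subsystemCert cert-pki-ca": "Not After : Tue Jan 14 06:45:05 2014",
    "Server-Cert cert-pki-ca": "Not After : Tue Jan 14 06:45:05 2014",
    "example-cert (constructed)":
        "Validity:\n  Not Before: Mon Jan 21 06:45:05 2013\n  Not After : Mon Jan 20 06:45:05 2014",
}

if __name__ == "__main__":
    report = expiry_report(SAMPLE_OUTPUTS, datetime.now())
    for nick, entry in report.items():
        print(f"{nick:32} {entry['not_after']}  expired={entry['expired']}")
    print("set clock to:", rollback_target(report))
```

On a real server, feed the function the output of `certutil -L -d /var/lib/pki-ca/alias -n "<nickname>"` for each tracked nickname instead of the constructed sample.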