[Freeipa-users] Certificate format error: [Errno -8018]

craig.freeipa at noboost.org craig.freeipa at noboost.org
Thu Jan 30 05:03:11 UTC 2014


On Wed, Jan 29, 2014 at 09:22:35PM -0500, Rob Crittenden wrote:
> craig.freeipa at noboost.org wrote:
> >Well progress :) just not quite fully fixed, seems three certificates have updated just not the others yet. Do I need to "tell them to update", or let the server roll over until it hits Jan 14?
> >
> >Server: Red Hat Enterprise Linux Server release 6.5 (Santiago)
> >ipa-server-3.0.0-37.el6.x86_64
> >ipa-client-3.0.0-37.el6.x86_64
> >---
> >~/Scripts>date
> >Sat Jan 11 19:29:02 EST 2014
> >---
> >~/Scripts>certutil -L -d /etc/httpd/alias -n ipaCert | grep After
> >             Not After : Fri Jan 01 07:44:45 2016
> >---
> >Ran script:
> >for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
> >do
> >     echo $nickname
> >     certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
> >done
> >
> >---
> >auditSigningCert cert-pki-ca
> >             Not After : Thu Jul 10 07:45:42 2014
> >             Not After : Tue Jan 14 06:45:05 2014
> >ocspSigningCert cert-pki-ca
> >             Not After : Fri Jan 01 07:44:43 2016
> >subsystemCert cert-pki-ca
> >             Not After : Fri Jan 01 07:44:44 2016
> >Server-Cert cert-pki-ca
> >             Not After : Tue Jan 14 06:45:05 2014
> >---
> >
> >The apache cert did update which is good!
> >~/Scripts>certutil -L -d /etc/httpd/alias -n ipaCert | grep After
> >             Not After : Fri Jan 01 07:44:45 2016
> >
> >cya
> >
> >Craig
> >
> 
> For those not yet renewed I'd do a getcert list to find them and
> getcert resubmit -i <id> to force renewal.
> 
> The CA won't start without a valid audit cert.
> 
> rob

Thanks for all the help, looks like all is fixed. I moved the dates back
to normal and all the services are working :)

I did notice the "auditSigningCert cert-pki-ca" has two certificates, one old one and a new one. The getcert list command is only showing the new one, so I figure all is well. 


auditSigningCert cert-pki-ca
Certificate:
        Validity:
            Not Before: Sat Jan 11 07:45:42 2014
            Not After : Thu Jul 10 07:45:42 2014

Data:
    Validity:
        Not Before: Wed Jan 25 06:45:05 2012
        Not After : Tue Jan 14 06:45:05 2014

cya

Craig
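
The expiry check from the messages above, as an added example that is not part of the original thread: it takes the latest "Not After" per nickname, so a nickname holding both the old and the renewed certificate is judged by the newer one. The function names and the sample "now" value are hypothetical, and it assumes certutil prints times in UTC.

```sh
#!/bin/sh
# Added example, not from the thread. Sample data below is constructed from
# the output layout quoted in the messages.

# Read `certutil -L -d <db> -n <nickname>` output on stdin and print the
# latest "Not After" as a sortable key YYYYMMDDHHMMSS. A nickname may hold
# both the old and the renewed certificate, so every match is considered.
latest_not_after() {
    awk '
    /Not After/ {
        # Fields: Not After : Thu Jul 10 07:45:42 2014
        mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $5) + 2) / 3
        t = $7; gsub(":", "", t)
        key = sprintf("%04d%02d%02d%s", $8, mon, $6, t)
        if (key > best) best = key
    }
    END { if (best != "") print best }'
}

# cert_status NOW_KEY < certutil-output
# Prints "valid KEY", "expired KEY", or "missing" when no date was found.
cert_status() {
    latest=$(latest_not_after)
    if [ -z "$latest" ]; then
        echo "missing"
    elif [ "$latest" -gt "$1" ]; then
        echo "valid $latest"
    else
        echo "expired $latest"
    fi
}

# Constructed sample: one nickname carrying two certificates.
sample_two_certs() {
    cat <<'EOF'
            Not Before: Sat Jan 11 07:45:42 2014
            Not After : Thu Jul 10 07:45:42 2014
            Not Before: Wed Jan 25 06:45:05 2012
            Not After : Tue Jan 14 06:45:05 2014
EOF
}

# Constructed "now" of 2014-01-30 00:00:00; in real use pass
# "$(date -u +%Y%m%d%H%M%S)" and pipe in certutil output instead.
sample_two_certs | cert_status 20140130000000
```

A nickname that reports "expired" or "missing" is one to look up with getcert list before the CA is restarted.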



