[Freeipa-users] Replica Cert failed to renew ...

Martin Kosek mkosek at redhat.com
Thu Jul 31 08:21:31 UTC 2014


(Adding back the users list as this may be interesting for everyone)

Ok, the steps suggested below should help. If the DS does not want to start at
all because of the expired certificate, you can also edit
/etc/dirsrv/slapd-YOUR-REALM/dse.ldif and edit it manually (only when dirsrv
service is stopped).

Martin

On 07/31/2014 09:53 AM, Matt Bryant wrote:
> Martin,
> 
> Correct in that the replica does not have a CA and the version being run is
> 
> $ rpm -qa ipa-server
> ipa-server-3.0.0-25.el6.x86_64
> 
> restarted the services and get
> 
> Starting dirsrv:
>     SERVER-IPA...[31/Jul/2014:18:00:15 +1000] - SSL alert:
> CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of
> family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 -
> Peer's Certificate has expired.)
> 
> so I think it is just dealing with an expired cert ... so will try the other
> steps suggested  ..
> 
> rgds
> 
> Matt Bryant
> 
> On 31/07/14 17:33, Martin Kosek wrote:
>> On 07/31/2014 07:49 AM, Matt Bryant wrote:
>>> All,
>>>
>>> Got an issue with an IPA replica in that the certs in /etc/httpd/alias &
>>> /etc/dirsrv/slapd-IPA-REALM have expired.
>> I assume that this replica does not have a CA and we are only dealing with
>> service HTTPD and DIRSRV service certificates.
>>
>>> Have tried setting date back before expiry on the replica and doing an
>>> 'ipa-getcert resubmit -i <id>' but that hasn't worked; it looks like the CA
>>> master is actually rejecting it since the haven't set the date back on that
>>> server.
>>>
>>> Error am getting on replica is ...
>>>
>>> Request ID '20120719044839':
>>>      status: CA_UNREACHABLE
>>>      ca-error: Server failed request, will retry: -504 (libcurl failed to
>>> execute the HTTP POST transaction.  Peer certificate cannot be authenticated
>>> with known CA certificates).
>> Isn't this rather a problem that the replica does not trust the master server
>> HTTPD certificate because its certificates are not valid from replica POV?
>>
>>> is there any way of forcing a renewal or manual process for updating these
>>> certs .. ???
>> If this is just a replica without PKI, I would suggest synchronizing the time
>> back with the master CA server and restarting all the services.
>>
>> If the HTTPD service does not want to start, follow chapter "25.2.2. Starting
>> IdM with Expired Certificates" in
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/cas.html
>>
>> and then try to resubmit the certificates so that they can be renewed on the
>> master. Do not forget to revert the above configuration changes when you are
>> done.
>>
>> Also, what version of FreeIPA are you running?
>>
>> HTH,
>> Martin
> 
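
Added example, not part of either poster's message: a shell helper that reads `ipa-getcert list` output on stdin and prints the tracking requests that are not in MONITORING state, so you can see which certificates still need a resubmit after the clock and services are sorted out. The function names and the sample listing are constructed for illustration; only the request ID, status and ca-error text come from the thread, and the `expires:` values are made up.

```shell
#!/usr/bin/env bash
# Usage on a replica:  ipa-getcert list | flag_stuck_requests
# Output: one tab-separated line per request needing attention:
#   request-id <TAB> status <TAB> expires <TAB> ca-error

flag_stuck_requests() {
  awk '
    function flush() {
      if (id != "" && status != "MONITORING")
        printf "%s\t%s\t%s\t%s\n", id, status,
               (expires == "" ? "-" : expires), (err == "" ? "-" : err)
    }
    /^Request ID / {
      flush()
      id = $3; gsub(/[^0-9A-Za-z_-]/, "", id)   # drop the quotes and colon
      status = ""; expires = ""; err = ""; in_err = 0
      next
    }
    /^[ \t]+status:/  { status = $2; in_err = 0; next }
    /^[ \t]+expires:/ { sub(/^[ \t]+expires:[ \t]*/, ""); expires = $0
                        in_err = 0; next }
    /^[ \t]+ca-error:/ { sub(/^[ \t]+ca-error:[ \t]*/, ""); err = $0
                         in_err = 1; next }
    # Listings pasted into mail get wrapped; join lines that follow a
    # ca-error and do not look like an indented "key: value" field.
    in_err && !/^[ \t]+[A-Za-z -]+:/ { sub(/^[ \t]+/, ""); err = err " " $0; next }
    { in_err = 0 }
    END { flush() }
  '
}

# Constructed sample listing (expiry dates are invented for the example).
sample_listing() {
  cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20120719044839':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction.  Peer certificate cannot be authenticated
with known CA certificates).
    stuck: no
    expires: 2014-07-19 04:48:39 UTC
Request ID '20120719044901':
    status: MONITORING
    stuck: no
    expires: 2016-07-19 04:49:01 UTC
EOF
}
```

Running `sample_listing | flag_stuck_requests` prints only the first request, with the wrapped ca-error joined back into one field.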
