[Freeipa-users] Cert auto-renew problem.

Dmitri Pal dpal at redhat.com
Mon Mar 3 23:18:27 UTC 2014


On 03/03/2014 08:50 AM, Lager, Nathan T. wrote:
> Today I found that I was unable to authenticate to FreeIPA.
>
> I logged into my IPA master, and found that the cert had expired, which has never been a problem in the past.
>
> I did some googling, and found a few others with similar problems, but none quite matched the issue I'm seeing.
>
> The issue is this:
> [root at caroline0 PROD ~]# ipa-getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20120203213023':
> 	status: CA_UNREACHABLE
> 	ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
> 	stuck: yes
> 	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-SYSTEMS-LAFAYETTE-EDU',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-SYSTEMS-LAFAYETTE-EDU//pwdfile.txt'
> 	certificate: type=NSSDB,location='/etc/dirsrv/slapd-SYSTEMS-LAFAYETTE-EDU',nickname='Server-Cert',token='NSS Certificate DB'
> 	CA: IPA
> 	issuer: CN=Certificate Authority,O=SYSTEMS.LAFAYETTE.EDU
> 	subject: CN=caroline0.lafayette.edu,O=SYSTEMS.LAFAYETTE.EDU
> 	expires: 2014-02-03 21:30:22 UTC
> 	eku: id-kp-serverAuth,id-kp-clientAuth
> 	pre-save command:
> 	post-save command:
> 	track: yes
> 	auto-renew: yes
> Request ID '20120203213048':
> 	status: CA_UNREACHABLE
> 	ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
> 	stuck: yes
> 	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> 	certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> 	CA: IPA
> 	issuer: CN=Certificate Authority,O=SYSTEMS.LAFAYETTE.EDU
> 	subject: CN=caroline0.lafayette.edu,O=SYSTEMS.LAFAYETTE.EDU
> 	expires: 2014-02-03 21:30:47 UTC
> 	eku: id-kp-serverAuth,id-kp-clientAuth
> 	pre-save command:
> 	post-save command:
> 	track: yes
> 	auto-renew: yes
> Request ID '20120203213112':
> 	status: CA_UNREACHABLE
> 	ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
> 	stuck: yes
> 	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> 	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> 	CA: IPA
> 	issuer: CN=Certificate Authority,O=SYSTEMS.LAFAYETTE.EDU
> 	subject: CN=caroline0.lafayette.edu,O=SYSTEMS.LAFAYETTE.EDU
> 	expires: 2014-02-03 21:31:11 UTC
> 	eku: id-kp-serverAuth,id-kp-clientAuth
> 	pre-save command:
> 	post-save command:
> 	track: yes
> 	auto-renew: yes
>
> Now, if I understand FreeIPA, the CA is FreeIPA itself, isn't it?  If so, how could it be unreachable?
>
> What else might I be able to try to get past this?
>
> Thanks!
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Seems like your certificates have expired.
The best would be to set the time back and restart the services; 
everything should come up again.
There have been some bugs with the cert rotation and restart.
I suggest you check the mail threads regarding making sure that you have 
the fixed version and that certificates are rotated.
Sorry for the situation.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
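The listing in the original post shows every tracked request stuck with status CA_UNREACHABLE and an expiry date already in the past. As an added example (not from either poster), here is a small check that parses `ipa-getcert list` output and flags requests that are stuck, not in MONITORING, already expired, or expiring within a cutoff, so a lapse like this is noticed while renewal is still possible. The sample output, paths and nicknames below are constructed for the demo; the `--live` branch assumes GNU `date -d` and a host where `ipa-getcert` is installed.

```shell
#!/bin/sh
# Added example: flag problem certmonger requests from `ipa-getcert list` output.
# Timestamps are compared as zero-padded "YYYY-MM-DD HH:MM:SS" UTC strings, so
# plain string comparison orders them and no gawk-only mktime() is needed.

# Constructed sample output (not a real server listing): one stuck/expired
# request, one healthy request, one healthy request that expires soon.
SAMPLE_OUTPUT=$(cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20120203213023':
	status: CA_UNREACHABLE
	ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
	stuck: yes
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
	expires: 2014-02-03 21:30:22 UTC
Request ID '20140101000000':
	status: MONITORING
	stuck: no
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	expires: 2030-01-01 00:00:00 UTC
Request ID '20140201000000':
	status: MONITORING
	stuck: no
	certificate: type=NSSDB,location='/etc/example/alias',nickname='ipaCert',token='NSS Certificate DB'
	expires: 2014-03-20 12:00:00 UTC
EOF
)

# Usage: report_cert_problems NOW CUTOFF < getcert_output
# Prints one line per problem request: "<request id> <location>: <reasons>".
# NOW and CUTOFF are "YYYY-MM-DD HH:MM:SS" (UTC); a cert expiring on or before
# NOW is EXPIRED, one expiring on or before CUTOFF is expiring-soon.
report_cert_problems() {
    awk -v now="$1" -v cutoff="$2" '
        function flush(    reason) {
            if (id == "") return
            reason = ""
            if (stuck == "yes")         reason = reason " stuck"
            if (status != "MONITORING") reason = reason " status=" status
            if (expires != "" && expires <= now)
                reason = reason " EXPIRED(" expires ")"
            else if (expires != "" && expires <= cutoff)
                reason = reason " expiring-soon(" expires ")"
            if (reason != "") print id " " location ":" reason
        }
        # A new "Request ID ..." line starts a record; report the previous one.
        $1 == "Request" && $2 == "ID" {
            flush()
            id = $3; gsub(/[^0-9]/, "", id)
            status = ""; stuck = ""; expires = ""; location = ""
            next
        }
        # Leading tabs are ignored by default field splitting, so $1 is the key.
        $1 == "status:"      { status = $2 }
        $1 == "stuck:"       { stuck = $2 }
        $1 == "expires:"     { expires = $2 " " $3 }
        $1 == "certificate:" {
            if (match($0, /location=[^,]*/))
                location = substr($0, RSTART + 9, RLENGTH - 9)
        }
        END { flush() }
    '
}

if [ "${1:-}" = "--live" ]; then
    # On a real IPA master (assumes GNU date for -d): sh check.sh --live
    now=$(date -u +'%Y-%m-%d %H:%M:%S')
    cutoff=$(date -u -d '+30 days' +'%Y-%m-%d %H:%M:%S')
    ipa-getcert list | report_cert_problems "$now" "$cutoff"
else
    # Offline demo pinned to the thread date (2014-03-03) with a 30-day cutoff.
    printf '%s\n' "$SAMPLE_OUTPUT" | report_cert_problems "2014-03-03 00:00:00" "2014-04-02 00:00:00"
fi
```

Run from cron or a monitoring agent, any output line is the signal to act; by the time `stuck: yes` appears alongside a past expiry date, as in the listing above, certmonger can no longer renew on its own because the CA endpoint it must talk to is itself presenting an expired certificate.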

