[Freeipa-users] Cert auto-renew problem.

Rob Crittenden rcritten at redhat.com
Wed Mar 5 15:35:00 UTC 2014


Dmitri Pal wrote:
> On 03/03/2014 08:50 AM, Lager, Nathan T. wrote:
>> Today I found that I was unable to authenticate to FreeIPA.
>>
>> I logged into my IPA master, and found that the cert had expired,
>> which has never been a problem in the past.
>>
>> I did some googling, and found a few others with similar problems, but
>> none quite matched the issue I'm seeing.
>>
>> The issue is this:
>> [root at caroline0 PROD ~]# ipa-getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20120203213023':
>>     status: CA_UNREACHABLE
>>     ca-error: Server failed request, will retry: -504 (libcurl failed
>> to execute the HTTP POST transaction.  Peer certificate cannot be
>> authenticated with known CA certificates).
>>     stuck: yes
>>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-SYSTEMS-LAFAYETTE-EDU',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-SYSTEMS-LAFAYETTE-EDU//pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-SYSTEMS-LAFAYETTE-EDU',nickname='Server-Cert',token='NSS Certificate DB'
>>     CA: IPA
>>     issuer: CN=Certificate Authority,O=SYSTEMS.LAFAYETTE.EDU
>>     subject: CN=caroline0.lafayette.edu,O=SYSTEMS.LAFAYETTE.EDU
>>     expires: 2014-02-03 21:30:22 UTC
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command:
>>     track: yes
>>     auto-renew: yes
>> Request ID '20120203213048':
>>     status: CA_UNREACHABLE
>>     ca-error: Server failed request, will retry: -504 (libcurl failed
>> to execute the HTTP POST transaction.  Peer certificate cannot be
>> authenticated with known CA certificates).
>>     stuck: yes
>>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>     CA: IPA
>>     issuer: CN=Certificate Authority,O=SYSTEMS.LAFAYETTE.EDU
>>     subject: CN=caroline0.lafayette.edu,O=SYSTEMS.LAFAYETTE.EDU
>>     expires: 2014-02-03 21:30:47 UTC
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command:
>>     track: yes
>>     auto-renew: yes
>> Request ID '20120203213112':
>>     status: CA_UNREACHABLE
>>     ca-error: Server failed request, will retry: -504 (libcurl failed
>> to execute the HTTP POST transaction.  Peer certificate cannot be
>> authenticated with known CA certificates).
>>     stuck: yes
>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>     CA: IPA
>>     issuer: CN=Certificate Authority,O=SYSTEMS.LAFAYETTE.EDU
>>     subject: CN=caroline0.lafayette.edu,O=SYSTEMS.LAFAYETTE.EDU
>>     expires: 2014-02-03 21:31:11 UTC
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command:
>>     track: yes
>>     auto-renew: yes
>>
>> Now, if I understand FreeIPA, the CA is FreeIPA itself, isn't it?  If
>> so, how could it be unreachable?
>>
>> What else might I be able to try to get past this?
>>
>> Thanks!
>>
>
> Seems like your certificates have expired.
> The best would be to set the time back and restart the services;
> everything should come up again.
> There have been some bugs with the cert rotation and restart.
> I suggest you check the mail threads regarding making sure that you have
> the fixed version and that certificates are rotated.
> Sorry for the situation.
>

I think Dmitri is right. To expand on this, if you use getcert rather 
than ipa-getcert you'll see all the certificates tracked by certmonger, 
specifically those of the CA itself. This will give you a better picture 
of what is going on.

rob
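A small triage helper, added here as an illustration and not part of the thread, FreeIPA or certmonger: it parses the text that `getcert list` prints (the same layout as the `ipa-getcert list` output quoted above), reports which tracked certificates are already expired at a chosen reference time, which ones certmonger marks stuck or CA_UNREACHABLE, and which of the expired ones appear to be the CA's own (Dogtag) certificates, since those are what `getcert list` shows and `ipa-getcert list` does not. It also computes the earliest expiry, i.e. the instant the clock must be set before if you follow the "set the time back, restart the services" approach. The sample output is constructed: the first entry is the dirsrv Server-Cert from the post, the second is a hypothetical CA subsystem cert (nickname, location `/var/lib/pki-ca/alias`, `CA: dogtag-ipa-renew-agent` and its expiry are all assumed). Treating anything stored under `pki-ca` or `pki-tomcat` as a CA-side certificate is a heuristic chosen for this example, not a certmonger rule.

```python
"""Triage `getcert list` output: what is expired, stuck, or unreachable.

Added example (not FreeIPA/certmonger code).  Run it with real data on an
IPA master via:   getcert list | python3 getcert_triage.py
or with no stdin to see the constructed sample below.
"""
import re
import sys
from datetime import datetime, timezone

# Constructed sample.  Entry 1 is the dirsrv Server-Cert from the thread;
# entry 2 is a hypothetical Dogtag subsystem cert with an assumed expiry,
# tracked under the CA helper name certmonger uses for Dogtag's own certs.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20120203213023':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-SYSTEMS-LAFAYETTE-EDU',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-SYSTEMS-LAFAYETTE-EDU//pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-SYSTEMS-LAFAYETTE-EDU',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=SYSTEMS.LAFAYETTE.EDU
    subject: CN=caroline0.lafayette.edu,O=SYSTEMS.LAFAYETTE.EDU
    expires: 2014-02-03 21:30:22 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20120203212900':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=SYSTEMS.LAFAYETTE.EDU
    subject: CN=CA Subsystem,O=SYSTEMS.LAFAYETTE.EDU
    expires: 2014-01-20 00:00:00 UTC
    track: yes
    auto-renew: yes
"""


def parse_getcert_list(text):
    """Turn `getcert list` text into one dict per 'Request ID' block."""
    entries, current = [], None
    for raw in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", raw)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
            continue
        line = raw.strip()
        if current is None or not line:
            continue
        key, sep, value = line.partition(": ")
        if not sep:                      # e.g. "pre-save command:" with no value
            key, value = line.rstrip(":"), ""
        current[key] = value
    return entries


def parse_expiry(value):
    """certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def _nss_field(spec, name):
    m = re.search(name + r"='([^']*)'", spec)
    return m.group(1) if m else ""


def earliest_expiry(entries):
    """Earliest expiry among tracked certs: the clock must be set before this
    instant for the 'roll time back and restart' recovery to work."""
    return min(parse_expiry(e["expires"]) for e in entries if e.get("expires"))


def triage(entries, now):
    report = {"expired": [], "expired_ca_certs": [], "stuck": [], "ca_unreachable": []}
    for e in entries:
        loc = _nss_field(e.get("certificate", ""), "location")
        nick = _nss_field(e.get("certificate", ""), "nickname")
        label = f"{e['request_id']} {loc}:{nick}"
        if e.get("expires") and parse_expiry(e["expires"]) <= now:
            report["expired"].append(label)
            # Assumed heuristic: Dogtag's own certs live in the pki-ca/pki-tomcat NSS db.
            if "pki-ca" in loc or "pki-tomcat" in loc:
                report["expired_ca_certs"].append(label)
        if e.get("stuck") == "yes":
            report["stuck"].append(label)
        if e.get("status") == "CA_UNREACHABLE":
            report["ca_unreachable"].append(label)
    return report


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCERT_LIST
    entries = parse_getcert_list(text)
    now = datetime.now(timezone.utc)
    for section, items in triage(entries, now).items():
        print(f"{section}: {len(items)}")
        for item in items:
            print("   ", item)
    if entries:
        print("earliest expiry (set clock before this to recover):", earliest_expiry(entries))
```

An expired entry under the CA's own NSS database explains the symptom in the post: certmonger's renewal POST to the CA fails TLS verification because the CA's serving or subsystem certificate is itself past its notAfter, so the CA is "unreachable" even though it runs on the same host.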
