[Freeipa-users] ipa 3.0 expired cert renewal

David Fitzgerald David.Fitzgerald at millersville.edu
Wed May 28 14:40:00 UTC 2014


Hello,

My Freeipa server stopped working over the weekend due to what looks like expired certificates.  I am running ipa-server 3.0 and thought these certs were automatically renewed.  I am no expert at KDC / IPA and any help you can give is greatly appreciated.

When I try to start the ipa service on my server I get:

[root@aurora ~]# /sbin/service ipa start
Starting Directory Service
Starting dirsrv:
    LINUX-DIRSRV-LOCAL...[28/May/2014:10:23:33 -0400] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
                                                           [  OK  ]
    PKI-IPA...[28/May/2014:10:23:34 -0400] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
                                                           [  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:                                   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:                          [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached:                                    [  OK  ]
Starting HTTP Service
Starting httpd: [Wed May 28 10:23:36 2014] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
                                                           [FAILED]
Failed to start HTTP Service
Shutting down
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Stopping ipa_memcached:                                    [  OK  ]
Stopping httpd:                                            [FAILED]
Stopping pki-ca:                                           [  OK  ]
Shutting down dirsrv:
    LINUX-DIRSRV-LOCAL...                                  [  OK  ]
    PKI-IPA...                                             [  OK  ]
Aborting ipactl

Of course kinit also fails with: kinit: Cannot contact any KDC for realm 'LINUX.DIRSRV.LOCAL' while getting initial credentials

Can someone help me get back on my feet?  Luckily there are not many students around in the summer so I just have 20 annoyed faculty instead of 200 annoyed students to placate.

Thanks!



-----------------------------------------------
David Fitzgerald
Adjunct Professor
Department of Earth Sciences
Millersville University
Millersville, PA 17551

E-mail: david.fitzgerald at millersville.edu
PH: 717-871-2394
