[Freeipa-users] ipa 3.0 expired cert renewal

Dmitri Pal dpal at redhat.com
Thu May 29 00:50:41 UTC 2014


On 05/28/2014 10:40 AM, David Fitzgerald wrote:
> Hello,
>
> My FreeIPA server stopped working over the weekend due to what looks 
> like expired certificates.  I am running ipa-server 3.0 and thought 
> these certs were automatically renewed.  I am no expert at KDC / IPA 
> and any help you can give is greatly appreciated.
>
> When I try to start the ipa service on my server I get:
>
> root at aurora ~]# /sbin/service ipa start
> Starting Directory Service
> Starting dirsrv:
>     LINUX-DIRSRV-LOCAL...[28/May/2014:10:23:33 -0400] - SSL alert: 
> CERT_VerifyCertificateNow: verify certificate failed for cert 
> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape 
> Portable Runtime error -8181 - Peer's Certificate has expired.)
>                                                            [ OK  ]
>     PKI-IPA...[28/May/2014:10:23:34 -0400] - SSL alert: 
> CERT_VerifyCertificateNow: verify certificate failed for cert 
> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape 
> Portable Runtime error -8181 - Peer's Certificate has expired.)
>                                                            [ OK  ]
> Starting KDC Service
> Starting Kerberos 5 KDC:                                   [ OK  ]
> Starting KPASSWD Service
> Starting Kerberos 5 Admin Server:                          [ OK  ]
> Starting MEMCACHE Service
> Starting ipa_memcached:                                    [ OK  ]
> Starting HTTP Service
> Starting httpd: [Wed May 28 10:23:36 2014] [warn] _default_ 
> VirtualHost overlap on port 443, the first has precedence
> [FAILED]
> Failed to start HTTP Service
> Shutting down
> Stopping Kerberos 5 KDC:                                   [ OK  ]
> Stopping Kerberos 5 Admin Server:                          [ OK  ]
> Stopping ipa_memcached:                                    [ OK  ]
> Stopping httpd: [FAILED]
> Stopping pki-ca:                                           [ OK  ]
> Shutting down dirsrv:
>     LINUX-DIRSRV-LOCAL...                                  [ OK  ]
>     PKI-IPA...                                             [ OK  ]
> Aborting ipactl
>
> Of course kinit also fails with: kinit: Cannot contact any KDC for 
> realm 'LINUX.DIRSRV.LOCAL' while getting initial credentials
>
> Can someone help me get back on my feet?  Luckily there are not many 
> students around in the summer so I just have 20 annoyed faculty 
> instead of 200 annoyed students to placate.
>
> Thanks!

Usually that happens when you do not have the original master any more. 
Is this the case for you?
Have you looked at http://www.freeipa.org/page/IPA_2x_Certificate_Renewal ?


>
>
>
> -----------------------------------------------
> David Fitzgerald
> Adjunct Professor
> Department of Earth Sciences
> Millersville University
> Millersville, PA 17551
>
> E-mail: david.fitzgerald at millersville.edu
> PH: 717-871-2394


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
