[Freeipa-users] ipa 3.0 expired cert renewal
Dmitri Pal
dpal at redhat.com
Thu May 29 00:50:41 UTC 2014
On 05/28/2014 10:40 AM, David Fitzgerald wrote:
> Hello,
>
> My Freeipa server stopped working over the weekend due to what looks
> like expired certificates. I am running ipa-server 3.0 and thought
> these certs were automatically renewed. I am no expert at KDC / IPA
> and any help you can give is greatly appreciated.
>
> When I try to start the ipa service on my server I get:
>
> [root@aurora ~]# /sbin/service ipa start
> Starting Directory Service
> Starting dirsrv:
> LINUX-DIRSRV-LOCAL...[28/May/2014:10:23:33 -0400] - SSL alert:
> CERT_VerifyCertificateNow: verify certificate failed for cert
> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
> Portable Runtime error -8181 - Peer's Certificate has expired.)
> [ OK ]
> PKI-IPA...[28/May/2014:10:23:34 -0400] - SSL alert:
> CERT_VerifyCertificateNow: verify certificate failed for cert
> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
> Portable Runtime error -8181 - Peer's Certificate has expired.)
> [ OK ]
> Starting KDC Service
> Starting Kerberos 5 KDC: [ OK ]
> Starting KPASSWD Service
> Starting Kerberos 5 Admin Server: [ OK ]
> Starting MEMCACHE Service
> Starting ipa_memcached: [ OK ]
> Starting HTTP Service
> Starting httpd: [Wed May 28 10:23:36 2014] [warn] _default_
> VirtualHost overlap on port 443, the first has precedence
> [FAILED]
> Failed to start HTTP Service
> Shutting down
> Stopping Kerberos 5 KDC: [ OK ]
> Stopping Kerberos 5 Admin Server: [ OK ]
> Stopping ipa_memcached: [ OK ]
> Stopping httpd: [FAILED]
> Stopping pki-ca: [ OK ]
> Shutting down dirsrv:
> LINUX-DIRSRV-LOCAL... [ OK ]
> PKI-IPA... [ OK ]
> Aborting ipactl
>
> Of course kinit also fails with: kinit: Cannot contact any KDC for
> realm 'LINUX.DIRSRV.LOCAL' while getting initial credentials
>
> Can someone help me get back on my feet? Luckily there are not many
> students around in the summer so I just have 20 annoyed faculty
> instead of 200 annoyed students to placate.
>
> Thanks!
Usually that happens when you do not have the original master any more.
Is this the case for you?
Have you looked at http://www.freeipa.org/page/IPA_2x_Certificate_Renewal ?
>
>
>
> -----------------------------------------------
> David Fitzgerald
> Adjunct Professor
> Department of Earth Sciences
> Millersville University
> Millersville, PA 17551
>
> E-mail: david.fitzgerald at millersville.edu
> PH: 717-871-2394
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.