[Freeipa-users] ipa 3.0 expired cert renewal

Rob Crittenden rcritten at redhat.com
Thu May 29 13:07:36 UTC 2014


David Fitzgerald wrote:
> Hello,
> 
> My Freeipa server stopped working over the weekend due to what looks
> like expired certificates.  I am running ipa-server 3.0 and thought
> these certs were automatically renewed.  I am no expert at KDC / IPA and
> any help you can give is greatly appreciated.
> 
> When I try to start the ipa service on my server I get:
> 
> [root@aurora ~]# /sbin/service ipa start
> Starting Directory Service
> Starting dirsrv:
>     LINUX-DIRSRV-LOCAL...[28/May/2014:10:23:33 -0400] - SSL alert:
> CERT_VerifyCertificateNow: verify certificate failed for cert
> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
> Runtime error -8181 - Peer's Certificate has expired.)
>                                                            [  OK  ]
>     PKI-IPA...[28/May/2014:10:23:34 -0400] - SSL alert:
> CERT_VerifyCertificateNow: verify certificate failed for cert
> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
> Runtime error -8181 - Peer's Certificate has expired.)
>                                                            [  OK  ]
> Starting KDC Service
> Starting Kerberos 5 KDC:                                   [  OK  ]
> Starting KPASSWD Service
> Starting Kerberos 5 Admin Server:                          [  OK  ]
> Starting MEMCACHE Service
> Starting ipa_memcached:                                    [  OK  ]
> Starting HTTP Service
> Starting httpd: [Wed May 28 10:23:36 2014] [warn] _default_ VirtualHost
> overlap on port 443, the first has precedence
>                                                            [FAILED]
> Failed to start HTTP Service
> Shutting down
> Stopping Kerberos 5 KDC:                                   [  OK  ]
> Stopping Kerberos 5 Admin Server:                          [  OK  ]
> Stopping ipa_memcached:                                    [  OK  ]
> Stopping httpd:                                            [FAILED]
> Stopping pki-ca:                                           [  OK  ]
> Shutting down dirsrv:
>     LINUX-DIRSRV-LOCAL...                                  [  OK  ]
>     PKI-IPA...                                             [  OK  ]
> Aborting ipactl
> 
> Of course kinit also fails with: kinit: Cannot contact any KDC for realm

Can you show the current state of the tracked certificates?

# getcert list

The CA has a number of certificates that require renewal for the rest to
be successful. Those are the ones we need to get working first.

Do you have multiple IPA Masters? Are they in a similar state?

rob
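To make the `getcert list` step above easier to act on, here is an added example (not code from the FreeIPA project or from anyone in this thread) that parses the output and sorts the tracked certificates so that the CA's own certificates, the ones Rob says must be renewed first, appear at the top, each flagged as expired, inside certmonger's renewal window, or fine. It assumes certmonger's block layout for `getcert list` ("Request ID '...'" followed by indented "key: value" lines), and that on an IPA 3.x master the dogtag CA's own certificates live in `/var/lib/pki-ca/alias` and are tracked with `CA: dogtag-ipa-renew-agent`; the sample output embedded in the script is constructed, not taken from the poster's host. Run it as root on each master (so the multi-master question can be answered with the same table from every host); without `getcert` on the path it falls back to the sample.

```python
"""Triage `getcert list` output: which tracked certificates have expired, with
the CA's own certificates listed first.  Added example, not FreeIPA project code;
it assumes certmonger's `getcert list` block layout ("Request ID '...'" then
indented "key: value" lines) and that on an IPA 3.x master the dogtag CA's own
certificates live in /var/lib/pki-ca/alias and use "CA: dogtag-ipa-renew-agent".
"""
import re
import shutil
import subprocess
from datetime import datetime, timedelta, timezone

EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"
RENEW_WINDOW = timedelta(days=28)  # certmonger's default "renew before expiry" window

# Constructed, abbreviated sample of `getcert list` output (not from the poster's host).
SAMPLE = (
    "Number of certificates and requests being tracked: 4.\n"
    "Request ID '20130524140312':\n"
    "\tstatus: CA_UNREACHABLE\n"
    "\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca'\n"
    "\tCA: dogtag-ipa-renew-agent\n"
    "\texpires: 2014-05-24 14:03:12 UTC\n"
    "Request ID '20130524140313':\n"
    "\tstatus: CA_UNREACHABLE\n"
    "\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca'\n"
    "\tCA: dogtag-ipa-renew-agent\n"
    "\texpires: 2014-05-24 14:03:13 UTC\n"
    "Request ID '20130524140320':\n"
    "\tstatus: MONITORING\n"
    "\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'\n"
    "\tCA: IPA\n"
    "\texpires: 2014-05-24 14:03:20 UTC\n"
    "Request ID '20130524140325':\n"
    "\tstatus: MONITORING\n"
    "\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'\n"
    "\tCA: IPA\n"
    "\texpires: 2014-06-10 14:03:25 UTC\n"
)
SAMPLE_NOW = datetime(2014, 5, 28, 14, 23, 33)  # UTC "now" for the sample (the log's timestamp)

def parse_getcert_list(text):
    """Split `getcert list` output into one dict of "key: value" fields per request."""
    entries, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"request_id": m.group(1)}
            entries.append(cur)
        elif cur is not None and ":" in line:  # skips the "Number of ..." header line
            key, _, value = line.strip().partition(":")
            cur[key.strip()] = value.strip()
    return entries

def _nss_field(spec, name):
    """Pull location='...' or nickname='...' out of a certmonger NSSDB storage spec."""
    m = re.search(r"%s='([^']*)'" % name, spec)
    return m.group(1) if m else ""

def triage(entries, now):
    """Classify each tracked cert against `now` (naive UTC) and order CA-side certs first."""
    rows = []
    for e in entries:
        spec = e.get("certificate", "")
        location = _nss_field(spec, "location")
        expires_at = datetime.strptime(e["expires"], EXPIRES_FMT) if e.get("expires") else None
        if expires_at is None:
            state = "NO CERT"          # request is tracked but nothing has been issued yet
        elif expires_at <= now:
            state = "EXPIRED"
        elif expires_at - now <= RENEW_WINDOW:
            state = "RENEWAL DUE"      # certmonger should already be attempting renewal
        else:
            state = "ok"
        rows.append({
            "request_id": e["request_id"], "status": e.get("status", ""),
            "nickname": _nss_field(spec, "nickname"), "location": location,
            "ca_side": e.get("CA") == "dogtag-ipa-renew-agent" or "/pki-ca/" in location,
            "expires_at": expires_at, "state": state,
        })
    # CA-side certs first: until they are valid the CA cannot renew anything else.
    rows.sort(key=lambda r: (not r["ca_side"], r["expires_at"] or datetime.min))
    return rows

def report(rows):
    """Render the triage as a plain-text table."""
    fmt = "%-12s %-8s %-16s %-30s %-20s %s"
    lines = [fmt % ("STATE", "SIDE", "STATUS", "NICKNAME", "EXPIRES (UTC)", "LOCATION")]
    for r in rows:
        lines.append(fmt % (r["state"], "CA" if r["ca_side"] else "service", r["status"],
                            r["nickname"], r["expires_at"] or "-", r["location"]))
    return "\n".join(lines)

if __name__ == "__main__":
    if shutil.which("getcert"):  # on a real master: run as root against live certmonger state
        text = subprocess.check_output(["getcert", "list"]).decode()
        now = datetime.now(timezone.utc).replace(tzinfo=None)
    else:
        text, now = SAMPLE, SAMPLE_NOW
    print(report(triage(parse_getcert_list(text), now)))
```

The `status` column carries certmonger's own view of the request; `CA_UNREACHABLE` on a CA-side certificate, as in the constructed sample, is the pattern to look for when every renewal is stuck behind an expired CA certificate, since certmonger cannot talk to the CA to renew the very certificate the CA needs.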