[Freeipa-users] Expired Certs

Rob Crittenden rcritten at redhat.com
Fri Apr 17 13:42:53 UTC 2015


John Williams wrote:
> 
>> You are going way too far back in time AFAICT. The certs expired on April
>> 5 of this year so you don't need to go back to 2014. Just go back to
>> April 3 or 4.
> 
>> You'll also need to restart IPA before kicking certmonger: ipactl restart
> 
>> rob
> 
> 
> 
> 
> *******  SNIP *******
> 
> Thanks!!
> 
> 
> Following your advice, it looks like only one of the eight certificates
> is now monitoring.  Check out the following:

It's impossible to see what is going on with this output, other than the
fact that your hostname seems to be using the shortname rather than FQDN
(or order is bad in /etc/hosts), based on the error for the cert in
MONITORING.

rob

> 
> 
> [root at ipa ~]# getcert list | grep -A1 status
> status: CA_UNREACHABLE
> ca-error: Error 60 connecting to
> https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate
> cannot be authenticated with known CA certificates.
> --
> status: CA_UNREACHABLE
> ca-error: Error 60 connecting to
> https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate
> cannot be authenticated with known CA certificates.
> --
> status: CA_UNREACHABLE
> ca-error: Error 60 connecting to
> https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate
> cannot be authenticated with known CA certificates.
> --
> status: CA_UNREACHABLE
> ca-error: Error 60 connecting to
> https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate
> cannot be authenticated with known CA certificates.
> --
> status: CA_UNREACHABLE
> ca-error: Error 60 connecting to
> https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate
> cannot be authenticated with known CA certificates.
> --
> status: CA_UNREACHABLE
> ca-error: Server at https://ipa.infra.idef/ipa/xml failed request, will
> retry: 4301 (RPC failed at server.  Certificate operation cannot be
> completed: EXCEPTION (Invalid Credential.)).
> --
> status: CA_UNREACHABLE
> ca-error: Server at https://ipa.infra.idef/ipa/xml failed request, will
> retry: 4301 (RPC failed at server.  Certificate operation cannot be
> completed: EXCEPTION (Invalid Credential.)).
> --
> status: MONITORING
> ca-error: Server at https://ipa.infra.idef/ipa/xml denied our request,
> giving up: 2100 (RPC failed at server.  Insufficient access: hostname in
> subject of request 'ipa.infra.idef' does not match principal hostname
> 'ipa').
> 
> How can I get the remaining certs fixed as well?  Thanks in advance.
> 
> 
> 
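
Rob's reply points at the hostname being the short name, or at the name order in /etc/hosts. The following is an added example, not part of the original thread, that checks both for a given FQDN. The function name `check_hosts_order` and the sample address are assumptions; the host name is the one in the quoted output.

```sh
#!/bin/sh
# check_hosts_order FQDN [HOSTS_FILE]
# Reports hosts-file entries for this server whose first name is not the FQDN.
# Exit status: 0 order is fine, 1 bad order, 2 host not listed, 3 name not an FQDN.
check_hosts_order() {
    fqdn=$1
    file=${2:-/etc/hosts}
    case $fqdn in
        *.*) ;;
        *) echo "\"$fqdn\" is a short name, not an FQDN"; return 3 ;;
    esac
    awk -v fqdn="$fqdn" '
        BEGIN { fqdn = tolower(fqdn); short = fqdn; sub(/\..*/, "", short) }
        {
            sub(/#.*/, "")                  # strip comments
            if (NF < 2) next                # need an address and at least one name
            hit = 0
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                if (name == fqdn || name == short) hit = 1
            }
            if (!hit) next
            seen = 1
            if (tolower($2) != fqdn) {
                bad = 1
                printf "line %d: %s lists \"%s\" first, expected \"%s\"\n", NR, $1, $2, fqdn
            }
        }
        END { if (!seen) exit 2; exit bad + 0 }
    ' "$file"
}

# Constructed sample input (192.0.2.10 is a documentation address).
sample=$(mktemp)
printf '127.0.0.1 localhost\n192.0.2.10 ipa ipa.infra.idef  # short name first\n' > "$sample"
check_hosts_order ipa.infra.idef "$sample" || echo "exit status: $?"
rm -f "$sample"
```

On a live server, `check_hosts_order "$(hostname)"` covers both cases: status 3 means the hostname itself is set to the short name, status 1 means /etc/hosts lists another name ahead of the FQDN.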



