[Freeipa-users] IPA v3 Certificate not renewed

Rob Crittenden rcritten at redhat.com
Thu Jun 4 15:03:55 UTC 2015 

Junhe Jian wrote:
> Hi Rob,
>
> i set the date in past "26 MAY 2015"
> and add "NSSEnforceValidCerts off" to nss.conf
>
> and resubmit the 3 ID
> [root at be-ipasrv httpd]# getcert resubmit -i 20130528090822
> Resubmitting "20130528090822" to "IPA".
> [root at be-ipasrv httpd]# getcert resubmit -i 20130528090849
> Resubmitting "20130528090849" to "IPA".
> [root at be-ipasrv httpd]# getcert resubmit -i 20130528090923
> Resubmitting "20130528090923" to "IPA".
>
> Restart ipa and certmonger
>
> now I get error in http_error
>
> [Tue May 26 10:00:30 2015] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
> [Tue May 26 10:00:30 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Tue May 26 10:00:31 2015] [notice] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured.
> [Tue May 26 10:00:31 2015] [notice] ModSecurity: APR compiled version="1.3.9"; loaded version="1.3.9"
> [Tue May 26 10:00:31 2015] [notice] ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
> [Tue May 26 10:00:31 2015] [notice] ModSecurity: LUA compiled version="Lua 5.1"
> [Tue May 26 10:00:31 2015] [notice] ModSecurity: LIBXML compiled version="2.7.6"
> [Tue May 26 10:00:31 2015] [notice] Digest: generating secret for digest authentication ...
> [Tue May 26 10:00:31 2015] [notice] Digest: done
> [Tue May 26 10:00:32 2015] [notice] Apache/2.2.15 (Unix) mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.14.0.0 Basic ECC PHP/5.3.25 mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations
> [Tue May 26 10:00:33 2015] [error] ipa: INFO: *** PROCESS START ***
> [Tue May 26 10:00:33 2015] [error] ipa: INFO: *** PROCESS START ***
> [Tue May 26 10:01:23 2015] [warn] proxy: No protocol handler was valid for the URL /ca/agent/ca/displayBySerial. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
> [Tue May 26 10:01:23 2015] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with CMS (Internal Server Error)

Have you changed your apache configuration? It looks that way. You need 
the proxy modules loaded.

rob

More information about the Freeipa-users mailing list