[Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
Sina Owolabi
notify.sina at gmail.com
Tue May 19 21:52:33 UTC 2015
Hi Rob
Thanks!
I noticed that the problematic records have their expiration in the
future! And I also do not have pki-tomcatd, it's pki-cad.
From getcert list, the troublesome IDs are:
Request ID '20130524104828':
        status: CA_UNREACHABLE
        ca-error: Server at https://dc.mydom.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://dc.mydom.com:443/ca/agent/ca/displayBySerial': [Errno -8053] (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MYDOM-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MYDOM-COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-MYDOM-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=MYDOM.COM
        subject: CN=dc.mydom.com,O=MYDOM.COM
        expires: 2015-05-25 10:12:32 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130524104917':
        status: CA_UNREACHABLE
        ca-error: Server at https://dc.mydom.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://dc.mydom.com:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=MYDOM.COM
        subject: CN=dc.mydom.com,O=MYDOM.COM
        expires: 2015-05-25 10:12:33 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
On Tue, May 19, 2015 at 4:25 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Sina Owolabi wrote:
>>
>> Hi Rob
>>
>> Ive been to the URL but its a little difficult applying these commands
>> to RHEL6 systems.
>> For instance there is no /etc/pki-tomcat directory in RHEL6, and I
>> cannot find the ipa.crt
>>
>> Im sure as a noob I am overlooking some very obvious stuff, but could
>> you please guide me on what to do?
>
>
> Sorry, I think I pointed you at the wrong page. Check out
> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>
> Your CA subsystem certificates are expired, or nearly expired. They are valid for two
> years. Based on the request ID in the snippet you posted at least some are
> valid for another few days.
>
> What I'd suggest is to send the machine back in time and restart the
> services. This should bring things up so that certmonger can do the renewal:
>
> # ipactl stop
> # /sbin/service ntpd stop
> # date 0501hhmm, where hhmm are the current hour and minute
> # ipactl start
>
> Hopefully ntpd isn't started by ipactl. If it is then it will undo your
> going back in time, and you'll need to start the services manually:
>
> # service dirsrv@YOURREALM start
> # service krb5kdc start
> # service httpd start
> # service pki-tomcatd start
>
> Restart certmonger
>
> # service certmonger restart
>
> Wait a bit
>
> # getcert list
>
> Watch the status. They should go to MODIFIED
>
> Once done:
>
> # ipactl stop
>
> Return date to present, either by restarting ntpd or date or whatever method
> you'd like.
>
> I'm taking a completely wild guess on the date to go back to. The expiration
> date is listed in the getcert output. I'd go back a week before the oldest
> expiration.
>
> rob
>
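The procedure Rob describes hinges on two things read off `getcert list`: which tracked requests certmonger has not settled on, and the oldest expiry among them, which fixes how far back the clock has to go. The script below is an added example, not code from this thread, FreeIPA or certmonger. It parses the `getcert list` format (one `Request ID` block per tracked certificate, indented `field: value` lines), reports the requests that still need renewing and whether each has already expired at a given clock value, and prints the rollback date a week before the oldest of those expiries, keeping the current hour and minute as Rob's `date 0501hhmm` does. The healthy state it checks for is MONITORING, which is where certmonger parks a request once the certificate is valid and tracked. `SAMPLE` is constructed from the fields quoted above plus one invented, already-renewed request (ID `20130524104950`, nickname `ipaCert`, expiry 2017); all function names are this example's own.

```python
"""Plan the clock-rollback renewal from `getcert list` output.

Added example (not FreeIPA/certmonger code). SAMPLE is constructed: the
first two requests mirror the thread, the third is an invented request
that certmonger has already renewed. Times are the UTC values getcert
prints; the 7-day margin is Rob's "a week before the oldest expiration".
"""
import re
from datetime import datetime, timedelta

SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20130524104828':
        status: CA_UNREACHABLE
        ca-error: Server at https://dc.mydom.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://dc.mydom.com:443/ca/agent/ca/displayBySerial': [Errno -8053] (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).
        stuck: no
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-MYDOM-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=dc.mydom.com,O=MYDOM.COM
        expires: 2015-05-25 10:12:32 UTC
        track: yes
        auto-renew: yes
Request ID '20130524104917':
        status: CA_UNREACHABLE
        ca-error: Server at https://dc.mydom.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://dc.mydom.com:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=dc.mydom.com,O=MYDOM.COM
        expires: 2015-05-25 10:12:33 UTC
        track: yes
        auto-renew: yes
Request ID '20130524104950':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=IPA RA,O=MYDOM.COM
        expires: 2017-05-19 08:00:00 UTC
        track: yes
        auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
TIME_FMT = "%Y-%m-%d %H:%M:%S UTC"   # the form getcert prints for 'expires:'


def parse_time(text):
    return datetime.strptime(text, TIME_FMT)


def parse_getcert_list(text):
    """Split `getcert list` output into one dict of fields per tracked request."""
    entries, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
        elif current is not None and ":" in line:
            # only the first colon separates field from value; values hold URLs
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return entries


def needs_renewal(entry):
    """Tracked requests certmonger has not settled on (MONITORING is the healthy state)."""
    return entry.get("track") == "yes" and entry.get("status") != "MONITORING"


def pending(entries, now):
    """(request_id, NSS db location, status, expires, already expired at `now`?)."""
    rows = []
    for e in entries:
        if needs_renewal(e):
            loc = re.search(r"location='([^']*)'", e.get("certificate", ""))
            rows.append((e["request_id"], loc.group(1) if loc else "?",
                         e["status"], e["expires"], parse_time(e["expires"]) <= now))
    return rows


def rollback_time(entries, now, margin_days=7):
    """Clock value to set before restarting services: margin_days before the oldest
    expiry among pending requests, keeping the current hour and minute. None if
    nothing is pending."""
    todo = [parse_time(e["expires"]) for e in entries if needs_renewal(e)]
    if not todo:
        return None
    day = (min(todo) - timedelta(days=margin_days)).date()
    return datetime.combine(day, now.time().replace(second=0, microsecond=0))


def date_arg(when):
    """Argument for GNU date(1)'s MMDDhhmm[[CC]YY] setter; the year is included so a
    rollback across a year boundary lands in the right year."""
    return when.strftime("%m%d%H%M%Y")


if __name__ == "__main__":
    now = parse_time("2015-05-19 21:52:33 UTC")   # the thread's timestamp
    entries = parse_getcert_list(SAMPLE)
    for rid, loc, status, exp, gone in pending(entries, now):
        print("%s %-28s %-15s expires %s%s" % (rid, loc, status, exp, "  EXPIRED" if gone else ""))
    when = rollback_time(entries, now)
    if when is not None:
        print("ipactl stop; service ntpd stop; date %s; ipactl start" % date_arg(when))
```

Run against a live box with `getcert list | python3 plan.py` after replacing `SAMPLE` with `sys.stdin.read()`; the "EXPIRED" flag tells you whether the rollback is still optional or already mandatory, and `rollback_time` returning None means certmonger has finished and the clock can go back to the present.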