[Freeipa-users] IPA server having cert issues

Bret Wortman bret.wortman at damascusgrp.com
Tue Apr 26 12:14:17 UTC 2016


I have an IPA server on a private network which has apparently run into 
certificate issues this morning. It's been running without issue for 
quite a while, and is on 4.1.4-1 on Fedora 21.

This morning, the GUI started giving:

IPA Error 907: NetworkError with description "cannot connect to 
'https://zsipa.private.net:443/ca/agent/ca/displayBySerial': 
(SSL_ERROR_EXPIRED_CERRT_ALERT) SSL peer rejected your certificate as 
expired."

I dug into the logs and after trying to restart ipa using ipactl, there 
was a lengthy pause, then:

dogtag-ipa-ca-renew-agent-submit: Updated certificate not available
certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in 
database "/etc/httpd/alias" is no longer valid.
dogtag-ipa-ca-renew-agent-submit: Updated certificate not available
certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token 
"NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no 
longer valid.
dogtag-ipa-ca-renew-agent-submit: Updated certificate not available.
named-pkcs11[3437]: client 192.168.208.205#57832: update 
'208.168.192.in-addr.arpa/IN' denied

and then things start shutting down. I can't start ipa at all using ipactl.

So at present, our DNS is down. Authentication should work for a while, 
but I'd like to get this working again as quickly as possible. Any 
ideas? I deal with certificates so infrequently (like only when 
something like this happens) that I'm not sure where to start.

Thanks!


-- 
*Bret Wortman*
/Coming soon to Kickstarter.../
<http://wrapbuddies.co/>

