[Freeipa-users] IPA certificates expired, please help!

Linov Suresh linov.suresh at gmail.com
Tue Jul 19 13:52:48 UTC 2016


I have followed the Red Hat official documentation,
https://access.redhat.com/solutions/643753, for certificate renewal, which
says *add: usercertificate* (step 12).

While on the other hand the FreeIPA official documentation,
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal, says to *add:
usercertificate;binary*.

Just wondering if we need to *add* the certificate or *replace* the
existing certificate, and which format do we need to use, *pem* or *der*?

We already successfully renewed the certificates about months back, but
they expired about 6 months back and we were not able to renew them till
now, and it is affecting our production environment.

Please help us.

On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh <linov.suresh at gmail.com>
wrote:

> We have cloned and created another virtual server from the template.
> Surprisingly this server's certificates also expired at the same time as
> the previous one; it just lasted for a day.
> Does this issue have something to do with the Kerberos tickets?
>
> I am new to IPA and your help is highly appreciated.
>
> On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh <linov.suresh at gmail.com>
> wrote:
>
>> *Update: my webserver and LDAP certificates expired at 2016-07-18
>> 15:54:36 UTC and the certificates are in CA_UNREACHABLE state.*
>>
>>
>> *Could you please help us? *
>>
>> [root at caer tmp]# getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20111214223243':
>>         status: CA_UNREACHABLE
>>         ca-error: Server failed request, will retry: -504 (libcurl failed
>> to execute the HTTP POST transaction.  Peer certificate cannot be
>> authenticated with known CA certificates).
>>         stuck: yes
>>         key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>>         certificate:
>> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
>> Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=TELOIP.NET
>>         subject: CN=caer.teloip.net,O=TELOIP.NET
>>        * expires: 2016-07-18 15:54:36 UTC*
>>         eku: id-kp-serverAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20111214223300':
>>         status: CA_UNREACHABLE
>>         ca-error: Server failed request, will retry: -504 (libcurl failed
>> to execute the HTTP POST transaction.  Peer certificate cannot be
>> authenticated with known CA certificates).
>>         stuck: yes
>>         key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>>         certificate:
>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>> Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=TELOIP.NET
>>         subject: CN=caer.teloip.net,O=TELOIP.NET
>>        * expires: 2016-07-18 15:54:52 UTC*
>>         eku: id-kp-serverAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20111214223316':
>>         status: CA_UNREACHABLE
>>         ca-error: Server failed request, will retry: -504 (libcurl failed
>> to execute the HTTP POST transaction.  Peer certificate cannot be
>> authenticated with known CA certificates).
>>         stuck: yes
>>         key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>         certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=TELOIP.NET
>>         subject: CN=caer.teloip.net,O=TELOIP.NET
>>         *expires: 2016-07-18 15:55:04 UTC*
>>         eku: id-kp-serverAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20130519130741':
>>         status: MONITORING
>>         ca-error: Internal error: no response to "
>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true
>> ".
>>         stuck: no
>>         key pair storage:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>         certificate:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=TELOIP.NET
>>         subject: CN=CA Audit,O=TELOIP.NET
>>         expires: 2017-10-13 14:10:49 UTC
>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> "auditSigningCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20130519130742':
>>         status: MONITORING
>>         ca-error: Internal error: no response to "
>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true
>> ".
>>         stuck: no
>>         key pair storage:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>         certificate:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=TELOIP.NET
>>         subject: CN=OCSP Subsystem,O=TELOIP.NET
>>         expires: 2017-10-13 14:09:49 UTC
>>         eku: id-kp-OCSPSigning
>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> "ocspSigningCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20130519130743':
>>         status: MONITORING
>>         ca-error: Internal error: no response to "
>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true
>> ".
>>         stuck: no
>>         key pair storage:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>> cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>         certificate:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>> cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=TELOIP.NET
>>         subject: CN=CA Subsystem,O=TELOIP.NET
>>         expires: 2017-10-13 14:09:49 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> "subsystemCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20130519130744':
>>         status: MONITORING
>>         ca-error: Internal error: no response to "
>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true
>> ".
>>         stuck: no
>>         key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>         certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>> Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=TELOIP.NET
>>         subject: CN=RA Subsystem,O=TELOIP.NET
>>         expires: 2017-10-13 14:09:49 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>         track: yes
>>         auto-renew: yes
>> Request ID '20130519130745':
>>         status: MONITORING
>>         ca-error: Internal error: no response to "
>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true
>> ".
>>         stuck: no
>>         key pair storage:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>> cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>         certificate:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>> cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=TELOIP.NET
>>         subject: CN=caer.teloip.net,O=TELOIP.NET
>>         expires: 2017-10-13 14:09:49 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "
>> TELOIP.NET"
>>         track: yes
>>         auto-renew: yes
>>
>> On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh <linov.suresh at gmail.com>
>> wrote:
>>
>>> Yes, PKI is running and I don't see any errors in the selftests. I have
>>> followed https://access.redhat.com/solutions/643753 and restarted the
>>> PKI in step 10.
>>>
>>> The only change which I made was to clean up userCertificate;binary before
>>> adding the new userCertificate in LDAP, which is step 12.
>>>
>>> [root at caer ~]# /etc/init.d/pki-cad status
>>> pki-ca (pid 8634) is running...                            [  OK  ]
>>>     Unsecure Port       = http://caer.teloip.net:9180/ca/ee/ca
>>>     Secure Agent Port   = https://caer.teloip.net:9443/ca/agent/ca
>>>     Secure EE Port      = https://caer.teloip.net:9444/ca/ee/ca
>>>     Secure Admin Port   = https://caer.teloip.net:9445/ca/services
>>>     EE Client Auth Port = https://caer.teloip.net:9446/ca/eeca/ca
>>>     PKI Console Port    = pkiconsole https://caer.teloip.net:9445/ca
>>>     Tomcat Port         = 9701 (for shutdown)
>>>
>>>     PKI Instance Name:   pki-ca
>>>
>>>     PKI Subsystem Type:  Root CA (Security Domain)
>>>
>>>     Registered PKI Security Domain Information:
>>>
>>> ==========================================================================
>>>     Name:  IPA
>>>     URL:   https://caer.teloip.net:9445
>>>
>>> ==========================================================================
>>> [root at caer ~]#
>>> [root at caer ~]# tail -f /var/log/pki-ca/selftests.log
>>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:
>>>  loading all self test plugin logger parameters
>>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:
>>>  loading all self test plugin instances
>>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:
>>>  loading all self test plugin instance parameters
>>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:
>>>  loading self test plugins in on-demand order
>>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:
>>>  loading self test plugins in startup order
>>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: Self
>>> test plugins have been successfully loaded!
>>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem:
>>> Running self test plugins specified to be executed at startup:
>>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence:  CA is
>>> present
>>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification:
>>> system certs verification success
>>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All
>>> CRITICAL self test plugins ran SUCCESSFULLY at startup!
>>>
>>> Your help is highly appreciated!
>>>
>>>
>>>    Linov Suresh
>>>
>>>    70 Forest Manor Rd.
>>>    Toronto
>>>    ON M2J 0A9
>>>    Mobile: +1 647 406 9438
>>>    Linkedin: ca.linkedin.com/in/linov/
>>>    Website: http://mylinuxthoughts.blogspot.com
>>>
>>>
>>> On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik <pvoborni at redhat.com>
>>> wrote:
>>>
>>>> On 07/18/2016 05:45 AM, Linov Suresh wrote:
>>>> > Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA
>>>> > and certmonger. Looks like certificates were renewed. But I'm getting a
>>>> > different error now,
>>>> >
>>>> > *ca-error: Internal error: no response to
>>>> > "
>>>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true
>>>> ".*
>>>>
>>>> Is PKI running? When you change the time, does a restart of IPA help?
>>>>
>>>> >
>>>> > [root at caer ~]# getcert list
>>>> > Number of certificates and requests being tracked: 8.
>>>> > Request ID '20111214223243':
>>>> >          status: MONITORING
>>>> >          stuck: no
>>>> >          key pair storage:
>>>> >
>>>> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
>>>> > Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>>>> >          certificate:
>>>> >
>>>> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
>>>> > Certificate DB'
>>>> >          CA: IPA
>>>> >          issuer: CN=Certificate Authority,O=TELOIP.NET
>>>> >          subject: CN=caer.teloip.net,O=TELOIP.NET
>>>> >          expires: 2016-07-18 15:54:36 UTC
>>>> >          eku: id-kp-serverAuth
>>>> >          pre-save command:
>>>> >          post-save command:
>>>> >          track: yes
>>>> >          auto-renew: yes
>>>> > Request ID '20111214223300':
>>>> >          status: MONITORING
>>>> >          stuck: no
>>>> >          key pair storage:
>>>> >
>>>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>>>> Certificate
>>>> > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>>>> >          certificate:
>>>> >
>>>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>>>> Certificate
>>>> > DB'
>>>> >          CA: IPA
>>>> >          issuer: CN=Certificate Authority,O=TELOIP.NET
>>>> >          subject: CN=caer.teloip.net,O=TELOIP.NET
>>>> >          expires: 2016-07-18 15:54:52 UTC
>>>> >          eku: id-kp-serverAuth
>>>> >          pre-save command:
>>>> >          post-save command:
>>>> >          track: yes
>>>> >          auto-renew: yes
>>>> > Request ID '20111214223316':
>>>> >          status: MONITORING
>>>> >          stuck: no
>>>> >          key pair storage:
>>>> >
>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>>> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>> >          certificate:
>>>> >
>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>>> > Certificate DB'
>>>> >          CA: IPA
>>>> >          issuer: CN=Certificate Authority,O=TELOIP.NET
>>>> >          subject: CN=caer.teloip.net,O=TELOIP.NET
>>>> >          expires: 2016-07-18 15:55:04 UTC
>>>> >          eku: id-kp-serverAuth
>>>> >          pre-save command:
>>>> >          post-save command:
>>>> >          track: yes
>>>> >          auto-renew: yes
>>>> > Request ID '20130519130741':
>>>> >          status: MONITORING
>>>> >          ca-error: Internal error: no response to
>>>> > "
>>>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true
>>>> ".
>>>> >          stuck: no
>>>> >          key pair storage:
>>>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>>>> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>>> >          certificate:
>>>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>>>> > cert-pki-ca',token='NSS Certificate DB'
>>>> >          CA: dogtag-ipa-renew-agent
>>>> >          issuer: CN=Certificate Authority,O=TELOIP.NET
>>>> >          subject: CN=CA Audit,O=TELOIP.NET
>>>> >          expires: 2017-10-13 14:10:49 UTC
>>>> >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>> >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>>> > "auditSigningCert cert-pki-ca"
>>>> >          track: yes
>>>> >          auto-renew: yes
>>>> > Request ID '20130519130742':
>>>> >          status: MONITORING
>>>> >          ca-error: Internal error: no response to
>>>> > "
>>>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true
>>>> ".
>>>> >          stuck: no
>>>> >          key pair storage:
>>>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>>>> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>>> >          certificate:
>>>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>>>> > cert-pki-ca',token='NSS Certificate DB'
>>>> >          CA: dogtag-ipa-renew-agent
>>>> >          issuer: CN=Certificate Authority,O=TELOIP.NET
>>>> >          subject: CN=OCSP Subsystem,O=TELOIP.NET
>>>> >          expires: 2017-10-13 14:09:49 UTC
>>>> >          eku: id-kp-OCSPSigning
>>>> >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>> >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>>> > "ocspSigningCert cert-pki-ca"
>>>> >          track: yes
>>>> >          auto-renew: yes
>>>> > Request ID '20130519130743':
>>>> >          status: MONITORING
>>>> >          ca-error: Internal error: no response to
>>>> > "
>>>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true
>>>> ".
>>>> >          stuck: no
>>>> >          key pair storage:
>>>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>>>> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>>> >          certificate:
>>>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>>>> > cert-pki-ca',token='NSS Certificate DB'
>>>> >          CA: dogtag-ipa-renew-agent
>>>> >          issuer: CN=Certificate Authority,O=TELOIP.NET
>>>> >          subject: CN=CA Subsystem,O=TELOIP.NET
>>>> >          expires: 2017-10-13 14:09:49 UTC
>>>> >          eku: id-kp-serverAuth,id-kp-clientAuth
>>>> >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>> >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>>> > "subsystemCert cert-pki-ca"
>>>> >          track: yes
>>>> >          auto-renew: yes
>>>> > Request ID '20130519130744':
>>>> >          status: MONITORING
>>>> >          ca-error: Internal error: no response to
>>>> > "
>>>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true
>>>> ".
>>>> >          stuck: no
>>>> >          key pair storage:
>>>> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>>>> Certificate
>>>> > DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>> >          certificate:
>>>> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>>>> Certificate DB'
>>>> >          CA: dogtag-ipa-renew-agent
>>>> >          issuer: CN=Certificate Authority,O=TELOIP.NET
>>>> >          subject: CN=RA Subsystem,O=TELOIP.NET
>>>> >          expires: 2017-10-13 14:09:49 UTC
>>>> >          eku: id-kp-serverAuth,id-kp-clientAuth
>>>> >          pre-save command:
>>>> >          post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>> >          track: yes
>>>> >          auto-renew: yes
>>>> > Request ID '20130519130745':
>>>> >          status: MONITORING
>>>> >          ca-error: Internal error: no response to
>>>> > "
>>>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true
>>>> ".
>>>> >          stuck: no
>>>> >          key pair storage:
>>>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>>>> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>>> >          certificate:
>>>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>>>> > cert-pki-ca',token='NSS Certificate DB'
>>>> >          CA: dogtag-ipa-renew-agent
>>>> >          issuer: CN=Certificate Authority,O=TELOIP.NET
>>>> >          subject: CN=caer.teloip.net,O=TELOIP.NET
>>>> >          expires: 2017-10-13 14:09:49 UTC
>>>> >          eku: id-kp-serverAuth,id-kp-clientAuth
>>>> >          pre-save command:
>>>> >          post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
>>>> >          track: yes
>>>> >          auto-renew: yes
>>>> > [root at caer ~]#
>>>> >
>>>> > Your help is highly appreciated!
>>>> >
>>>> >
>>>> >
>>>> > On Fri, Jul 15, 2016 at 5:08 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>> >
>>>> >     Linov Suresh wrote:
>>>> >
>>>> >         I logged into my IPA master, and found that the cert had expired again,
>>>> >         we renewed these certificates about 18 months ago.
>>>> >
>>>> >         Our environment is CentOS 6.4 and IPA 3.0.0-26.
>>>> >
>>>> >
>>>> >            I followed the Red Hat documentation, "How do I manually renew Identity
>>>> >            Management (IPA) certificates after they have expired? (Master IPA
>>>> >            Server)", https://access.redhat.com/solutions/643753 but no luck.
>>>> >
>>>> >
>>>> >         I have also changed the directive "NSSEnforceValidCerts off" in
>>>> >         /etc/httpd/conf.d/nss.conf and the value of nsslapd-validate-cert is warn.
>>>> >
>>>> >         ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w *******
>>>> >         -b  cn=config | grep  nsslapd-validate-cert
>>>> >
>>>> >         nsslapd-validate-cert: warn
>>>> >
>>>> >         Here is my getcert list,
>>>> >
>>>> >         [root at caer ~]# getcert list
>>>> >
>>>> >
>>>> >     It looks like your CA subsystem certificates all renewed
>>>> >     successfully; it is just the webserver and LDAP certificates that need
>>>> >     renewing, so that's good.
>>>> >
>>>> >     What I'd do is go back in time again to say Jan 20, 2016 and restart
>>>> >     certmonger. That should make it retry the renewals.
>>>> >
>>>> >     rob
>>>> >
>>>> >
>>>> >
>>>> >
>>>>
>>>>
>>>>
>>>> --
>>>> Petr Vobornik
>>>>
>>>
>>>
>>
>