[Freeipa-users] IPA certificates expired, please help!

Rob Crittenden rcritten at redhat.com
Tue Jul 19 14:50:45 UTC 2016


Linov Suresh wrote:
> I have followed Redhat official documentation,
> https://access.redhat.com/solutions/643753 for certificate renewal,
> which says *add: usercertificate* (step 12).
>
> While on the other hand FreeIPA official documentation
> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal says to *add:
> usercertificate;binary*
>
> Just wondering if we need to *add* the certificate, or *replace* the
> existing certificate, and which format do we need to use? *pem* or *der*.
>
> We already successfully renewed the certificates about months back, but
> they expired about 6 months back and we were not able to renew till
> now, and this is affecting our production environment.
>
> Please help us.

You shouldn't have to mess with these values at all. In 3.0 this is 
handled somewhat automatically.

I'd restart the CA, then certmonger and see if the communication error 
goes away for the CA subservice certificates (the internal error).

# service pki-cad restart
<pause a bit>
# service certmonger restart

I find it very strange that the certificates were set to expire 
yesterday but it isn't a show-stopper necessarily assuming you can get 
the CA back up.

Assuming you can, then go back in time again, this time just a few days 
and try renewing the LDAP and Apache server certs again.

rob
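As an added example (not code from this thread, and not part of FreeIPA or certmonger), here is a small Python checker that parses the `getcert list` format quoted below and flags what Rob is looking at: requests that are not in MONITORING, requests marked stuck, leftover ca-error lines, and certificates already expired or within a warning window. Run from cron it would have caught the six months of expiry described above. The sample output, the EXAMPLE.TEST realm and the ipa.example.test host are constructed placeholders.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the `getcert list` output quoted in this
# thread (fields trimmed); EXAMPLE.TEST / ipa.example.test are placeholders.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20111214223243':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2016-07-18 15:54:36 UTC
\tauto-renew: yes
Request ID '20130519130741':
\tstatus: MONITORING
\tca-error: Internal error: no response to "http://ipa.example.test:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
\tstuck: no
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tsubject: CN=CA Audit,O=EXAMPLE.TEST
\texpires: 2017-10-13 14:10:49 UTC
\tauto-renew: yes
Request ID '20130519130744':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\tsubject: CN=RA Subsystem,O=EXAMPLE.TEST
\texpires: 2017-10-13 14:09:49 UTC
\tauto-renew: yes
"""

# Date of Rob's reply in this thread, used as "now" for the demo run.
THREAD_DATE = datetime(2016, 7, 19, 14, 50, tzinfo=timezone.utc)

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?):\s?(.*)$")

def parse_getcert_list(text):
    """Turn `getcert list` output into one dict per tracked request."""
    requests, current = [], None
    for raw in text.splitlines():
        m = REQUEST_RE.match(raw.strip())
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        m = FIELD_RE.match(raw)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return requests

def parse_expiry(value):
    """certmonger prints 'YYYY-MM-DD HH:MM:SS UTC'; return an aware datetime."""
    if value.endswith(" UTC"):
        value = value[:-4]
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def assess(req, now, warn_days=30):
    """Findings for one request; an empty list means nothing needs attention."""
    findings = []
    status = req.get("status", "")
    if status != "MONITORING":
        findings.append(f"status {status}")
    if req.get("stuck") == "yes":
        findings.append("stuck")  # certmonger will not retry this one by itself
    if req.get("ca-error"):
        findings.append("ca-error: " + req["ca-error"][:60])
    if req.get("auto-renew") != "yes":
        findings.append("auto-renew disabled")
    if req.get("expires"):
        exp = parse_expiry(req["expires"])
        if exp <= now:
            findings.append(f"expired {(now - exp).days} day(s) ago")
        elif exp - now <= timedelta(days=warn_days):
            findings.append(f"expires in {(exp - now).days} day(s)")
    return findings

def report(text, now=None, warn_days=30):
    """Map request ID -> findings for every request that needs attention."""
    now = now or datetime.now(timezone.utc)
    out = {}
    for req in parse_getcert_list(text):
        findings = assess(req, now, warn_days)
        if findings:
            out[req["request_id"]] = findings
    return out

def demo():
    """Run the checker over the constructed sample as of the thread date."""
    return report(SAMPLE_GETCERT_OUTPUT, THREAD_DATE)
```

On a real server the same functions take live output, e.g. `report(subprocess.check_output(["getcert", "list"], text=True))`, and a non-empty result is the alert condition.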

>
> On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh <linov.suresh at gmail.com> wrote:
>
>     We have cloned and created another virtual server from the template.
>     Surprisingly this server's certificates also expired at the same
>     time as the previous one's; they just lasted for a day.
>     Does this issue have something to do with the Kerberos tickets?
>
>     I am new to IPA and your help is highly appreciated.
>
>     On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh <linov.suresh at gmail.com> wrote:
>
>         Update: my webserver and LDAP certificates expired at
>         2016-07-18 15:54:36 UTC and the certificates are in
>         CA_UNREACHABLE state.
>
>         Could you please help us?
>
>         [root at caer tmp]# getcert list
>         Number of certificates and requests being tracked: 8.
>         Request ID '20111214223243':
>                  status: CA_UNREACHABLE
>                  ca-error: Server failed request, will retry: -504
>         (libcurl failed to execute the HTTP POST transaction.  Peer
>         certificate cannot be authenticated with known CA certificates).
>                  stuck: yes
>                  key pair storage:
>         type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
>         Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>                  certificate:
>         type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
>         Certificate DB'
>                  CA: IPA
>                  issuer: CN=Certificate Authority,O=TELOIP.NET
>                  subject: CN=caer.teloip.net,O=TELOIP.NET
>                  expires: 2016-07-18 15:54:36 UTC
>                  eku: id-kp-serverAuth
>                  pre-save command:
>                  post-save command:
>                  track: yes
>                  auto-renew: yes
>         Request ID '20111214223300':
>                  status: CA_UNREACHABLE
>                  ca-error: Server failed request, will retry: -504
>         (libcurl failed to execute the HTTP POST transaction.  Peer
>         certificate cannot be authenticated with known CA certificates).
>                  stuck: yes
>                  key pair storage:
>         type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>         Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>                  certificate:
>         type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>         Certificate DB'
>                  CA: IPA
>                  issuer: CN=Certificate Authority,O=TELOIP.NET
>                  subject: CN=caer.teloip.net,O=TELOIP.NET
>                  expires: 2016-07-18 15:54:52 UTC
>                  eku: id-kp-serverAuth
>                  pre-save command:
>                  post-save command:
>                  track: yes
>                  auto-renew: yes
>         Request ID '20111214223316':
>                  status: CA_UNREACHABLE
>                  ca-error: Server failed request, will retry: -504
>         (libcurl failed to execute the HTTP POST transaction.  Peer
>         certificate cannot be authenticated with known CA certificates).
>                  stuck: yes
>                  key pair storage:
>         type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>         Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>                  certificate:
>         type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>         Certificate DB'
>                  CA: IPA
>                  issuer: CN=Certificate Authority,O=TELOIP.NET
>                  subject: CN=caer.teloip.net,O=TELOIP.NET
>                  expires: 2016-07-18 15:55:04 UTC
>                  eku: id-kp-serverAuth
>                  pre-save command:
>                  post-save command:
>                  track: yes
>                  auto-renew: yes
>         Request ID '20130519130741':
>                  status: MONITORING
>                  ca-error: Internal error: no response to
>         "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
>                  stuck: no
>                  key pair storage:
>         type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>         cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>                  certificate:
>         type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>         cert-pki-ca',token='NSS Certificate DB'
>                  CA: dogtag-ipa-renew-agent
>                  issuer: CN=Certificate Authority,O=TELOIP.NET
>                  subject: CN=CA Audit,O=TELOIP.NET
>                  expires: 2017-10-13 14:10:49 UTC
>                  pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>                  post-save command:
>         /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert
>         cert-pki-ca"
>                  track: yes
>                  auto-renew: yes
>         Request ID '20130519130742':
>                  status: MONITORING
>                  ca-error: Internal error: no response to
>         "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>                  stuck: no
>                  key pair storage:
>         type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>         cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>                  certificate:
>         type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>         cert-pki-ca',token='NSS Certificate DB'
>                  CA: dogtag-ipa-renew-agent
>                  issuer: CN=Certificate Authority,O=TELOIP.NET
>                  subject: CN=OCSP Subsystem,O=TELOIP.NET
>                  expires: 2017-10-13 14:09:49 UTC
>                  eku: id-kp-OCSPSigning
>                  pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>                  post-save command:
>         /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert
>         cert-pki-ca"
>                  track: yes
>                  auto-renew: yes
>         Request ID '20130519130743':
>                  status: MONITORING
>                  ca-error: Internal error: no response to
>         "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>                  stuck: no
>                  key pair storage:
>         type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>         cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>                  certificate:
>         type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>         cert-pki-ca',token='NSS Certificate DB'
>                  CA: dogtag-ipa-renew-agent
>                  issuer: CN=Certificate Authority,O=TELOIP.NET
>                  subject: CN=CA Subsystem,O=TELOIP.NET
>                  expires: 2017-10-13 14:09:49 UTC
>                  eku: id-kp-serverAuth,id-kp-clientAuth
>                  pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>                  post-save command:
>         /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>                  track: yes
>                  auto-renew: yes
>         Request ID '20130519130744':
>                  status: MONITORING
>                  ca-error: Internal error: no response to
>         "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
>                  stuck: no
>                  key pair storage:
>         type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>         Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>                  certificate:
>         type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>         Certificate DB'
>                  CA: dogtag-ipa-renew-agent
>                  issuer: CN=Certificate Authority,O=TELOIP.NET
>                  subject: CN=RA Subsystem,O=TELOIP.NET
>                  expires: 2017-10-13 14:09:49 UTC
>                  eku: id-kp-serverAuth,id-kp-clientAuth
>                  pre-save command:
>                  post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>                  track: yes
>                  auto-renew: yes
>         Request ID '20130519130745':
>                  status: MONITORING
>                  ca-error: Internal error: no response to
>         "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>                  stuck: no
>                  key pair storage:
>         type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS
>         Certificate DB',pin='297100916664'
>                  certificate:
>         type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS
>         Certificate DB'
>                  CA: dogtag-ipa-renew-agent
>                  issuer: CN=Certificate Authority,O=TELOIP.NET
>                  subject: CN=caer.teloip.net,O=TELOIP.NET
>                  expires: 2017-10-13 14:09:49 UTC
>                  eku: id-kp-serverAuth,id-kp-clientAuth
>                  pre-save command:
>                  post-save command:
>         /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
>                  track: yes
>                  auto-renew: yes
>
>         On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh <linov.suresh at gmail.com> wrote:
>
>             Yes, PKI is running and I don't see any errors in selftests,
>             I have followed https://access.redhat.com/solutions/643753
>             and restarted the PKI in step 10.
>
>             The only change I made was to clean up userCertificate;binary
>             before adding the new userCertificate in LDAP, which is step 12.
>
>             [root at caer ~]# /etc/init.d/pki-cad status
>             pki-ca (pid 8634) is running...                            [
>               OK  ]
>                  Unsecure Port       = http://caer.teloip.net:9180/ca/ee/ca
>                  Secure Agent Port   =
>             https://caer.teloip.net:9443/ca/agent/ca
>                  Secure EE Port      = https://caer.teloip.net:9444/ca/ee/ca
>                  Secure Admin Port   =
>             https://caer.teloip.net:9445/ca/services
>                  EE Client Auth Port =
>             https://caer.teloip.net:9446/ca/eeca/ca
>                  PKI Console Port    = pkiconsole
>             https://caer.teloip.net:9445/ca
>                  Tomcat Port         = 9701 (for shutdown)
>
>                  PKI Instance Name:   pki-ca
>
>                  PKI Subsystem Type:  Root CA (Security Domain)
>
>                  Registered PKI Security Domain Information:
>
>             ==========================================================================
>                  Name:  IPA
>                  URL: https://caer.teloip.net:9445
>
>             ==========================================================================
>             [root at caer ~]#
>             [root at caer ~]# tail -f /var/log/pki-ca/selftests.log
>             8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1]
>             SelfTestSubsystem:  loading all self test plugin logger
>             parameters
>             8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1]
>             SelfTestSubsystem:  loading all self test plugin instances
>             8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1]
>             SelfTestSubsystem:  loading all self test plugin instance
>             parameters
>             8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1]
>             SelfTestSubsystem:  loading self test plugins in on-demand order
>             8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1]
>             SelfTestSubsystem:  loading self test plugins in startup order
>             8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1]
>             SelfTestSubsystem: Self test plugins have been successfully
>             loaded!
>             8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1]
>             SelfTestSubsystem: Running self test plugins specified to be
>             executed at startup:
>             8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence:
>               CA is present
>             8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1]
>             SystemCertsVerification: system certs verification success
>             8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1]
>             SelfTestSubsystem: All CRITICAL self test plugins ran
>             SUCCESSFULLY at startup!
>
>             Your help is highly appreciated!
>
>                 Linov Suresh
>
>                 70 Forest Manor Rd.
>                 Toronto
>                 ON M2J 0A9
>                 Mobile: +1 647 406 9438
>                 Linkedin: http://ca.linkedin.com/in/linov/
>                 Website: http://mylinuxthoughts.blogspot.com
>
>
>             On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik <pvoborni at redhat.com> wrote:
>
>                 On 07/18/2016 05:45 AM, Linov Suresh wrote:
>                 > Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and
>                 > certmonger. Looks like the certificates were renewed. But I'm getting a different
>                 > error now,
>                 >
>                 > ca-error: Internal error: no response to
>                 > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>
>                 Is PKI running? When you change the time, does restart
>                 of IPA help?
>
>                 >
>                 > [root at caer ~]# getcert list
>                 > Number of certificates and requests being tracked: 8.
>                 > Request ID '20111214223243':
>                 >          status: MONITORING
>                 >          stuck: no
>                 >          key pair storage:
>                 > type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
>                 > Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>                 >          certificate:
>                 > type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
>                 > Certificate DB'
>                 >          CA: IPA
>                 >          issuer: CN=Certificate Authority,O=TELOIP.NET
>                 >          subject: CN=caer.teloip.net,O=TELOIP.NET
>                 >          expires: 2016-07-18 15:54:36 UTC
>                 >          eku: id-kp-serverAuth
>                 >          pre-save command:
>                 >          post-save command:
>                 >          track: yes
>                 >          auto-renew: yes
>                 > Request ID '20111214223300':
>                 >          status: MONITORING
>                 >          stuck: no
>                 >          key pair storage:
>                 > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate
>                 > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>                 >          certificate:
>                 > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate
>                 > DB'
>                 >          CA: IPA
>                 >          issuer: CN=Certificate Authority,O=TELOIP.NET
>                 >          subject: CN=caer.teloip.net,O=TELOIP.NET
>                 >          expires: 2016-07-18 15:54:52 UTC
>                 >          eku: id-kp-serverAuth
>                 >          pre-save command:
>                 >          post-save command:
>                 >          track: yes
>                 >          auto-renew: yes
>                 > Request ID '20111214223316':
>                 >          status: MONITORING
>                 >          stuck: no
>                 >          key pair storage:
>                 > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>                 > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>                 >          certificate:
>                 > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>                 > Certificate DB'
>                 >          CA: IPA
>                 >          issuer: CN=Certificate Authority,O=TELOIP.NET
>                 >          subject: CN=caer.teloip.net,O=TELOIP.NET
>                 >          expires: 2016-07-18 15:55:04 UTC
>                 >          eku: id-kp-serverAuth
>                 >          pre-save command:
>                 >          post-save command:
>                 >          track: yes
>                 >          auto-renew: yes
>                 > Request ID '20130519130741':
>                 >          status: MONITORING
>                 >          ca-error: Internal error: no response to
>                 > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
>                 >          stuck: no
>                 >          key pair storage:
>                 > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>                 > cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>                 >          certificate:
>                 > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>                 > cert-pki-ca',token='NSS Certificate DB'
>                 >          CA: dogtag-ipa-renew-agent
>                 >          issuer: CN=Certificate Authority,O=TELOIP.NET
>                 >          subject: CN=CA Audit,O=TELOIP.NET
>                 >          expires: 2017-10-13 14:10:49 UTC
>                 >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>                 >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>                 > "auditSigningCert cert-pki-ca"
>                 >          track: yes
>                 >          auto-renew: yes
>                 > Request ID '20130519130742':
>                 >          status: MONITORING
>                 >          ca-error: Internal error: no response to
>                 > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>                 >          stuck: no
>                 >          key pair storage:
>                 > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>                 > cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>                 >          certificate:
>                 > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>                 > cert-pki-ca',token='NSS Certificate DB'
>                 >          CA: dogtag-ipa-renew-agent
>                 >          issuer: CN=Certificate Authority,O=TELOIP.NET
>                 >          subject: CN=OCSP Subsystem,O=TELOIP.NET
>                 >          expires: 2017-10-13 14:09:49 UTC
>                 >          eku: id-kp-OCSPSigning
>                 >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>                 >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>                 > "ocspSigningCert cert-pki-ca"
>                 >          track: yes
>                 >          auto-renew: yes
>                 > Request ID '20130519130743':
>                 >          status: MONITORING
>                 >          ca-error: Internal error: no response to
>                 > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>                 >          stuck: no
>                 >          key pair storage:
>                 > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>                 > cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>                 >          certificate:
>                 > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>                 > cert-pki-ca',token='NSS Certificate DB'
>                 >          CA: dogtag-ipa-renew-agent
>                 >          issuer: CN=Certificate Authority,O=TELOIP.NET
>                 >          subject: CN=CA Subsystem,O=TELOIP.NET
>                 >          expires: 2017-10-13 14:09:49 UTC
>                 >          eku: id-kp-serverAuth,id-kp-clientAuth
>                 >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>                 >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>                 > "subsystemCert cert-pki-ca"
>                 >          track: yes
>                 >          auto-renew: yes
>                 > Request ID '20130519130744':
>                 >          status: MONITORING
>                 >          ca-error: Internal error: no response to
>                 > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
>                 >          stuck: no
>                 >          key pair storage:
>                 > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate
>                 > DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>                 >          certificate:
>                 > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>                 >          CA: dogtag-ipa-renew-agent
>                 >          issuer: CN=Certificate Authority,O=TELOIP.NET
>                 >          subject: CN=RA Subsystem,O=TELOIP.NET
>                 >          expires: 2017-10-13 14:09:49 UTC
>                 >          eku: id-kp-serverAuth,id-kp-clientAuth
>                 >          pre-save command:
>                 >          post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>                 >          track: yes
>                 >          auto-renew: yes
>                 > Request ID '20130519130745':
>                 >          status: MONITORING
>                 >          ca-error: Internal error: no response to
>                 > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>                 >          stuck: no
>                 >          key pair storage:
>                 > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>                 > cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>                 >          certificate:
>                 > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>                 > cert-pki-ca',token='NSS Certificate DB'
>                 >          CA: dogtag-ipa-renew-agent
>                 >          issuer: CN=Certificate Authority,O=TELOIP.NET
>                 >          subject: CN=caer.teloip.net,O=TELOIP.NET
>                 >          expires: 2017-10-13 14:09:49 UTC
>                 >          eku: id-kp-serverAuth,id-kp-clientAuth
>                 >          pre-save command:
>                 >          post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
>                 >          track: yes
>                 >          auto-renew: yes
>                 > [root at caer ~]#
>                 >
>                 > Your help is highly appreciated!
>                 >
>                 >
>                 >
>                 > On Fri, Jul 15, 2016 at 5:08 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>                  >
>                  >     Linov Suresh wrote:
>                  >
>                 >         I logged into my IPA master, and found that the cert had expired again;
>                 >         we renewed these certificates about 18 months ago.
>                 >
>                 >         Our environment is CentOS 6.4 and IPA 3.0.0-26.
>                 >
>                 >         I followed the Redhat documentation, "How do I manually renew Identity
>                 >         Management (IPA) certificates after they have expired? (Master IPA Server)",
>                 >         https://access.redhat.com/solutions/643753 but no luck.
>                 >
>                 >         I have also changed the directive "NSSEnforceValidCerts off" in
>                 >         /etc/httpd/conf.d/nss.conf and the value of nsslapd-validate-cert is warn.
>                 >
>                 >         ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w *******
>                 >         -b  cn=config | grep  nsslapd-validate-cert
>                 >
>                 >         nsslapd-validate-cert: warn
>                 >
>                 >         Here is my getcert list,
>                 >
>                 >         [root at caer ~]# getcert list
>                 >
>                 >
>                 >     It looks like your CA subsystem certificates all renewed successfully; it is
>                 >     just the webserver and LDAP certificates that need renewing, so that's good.
>                 >
>                 >     What I'd do is go back in time again to say Jan 20, 2016 and restart
>                 >     certmonger. That should make it retry the renewals.
>                 >
>                 >     rob
>                  >
>                  >
>                  >
>                  >
>
>
>
>                 --
>                 Petr Vobornik
>