[Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family
Martin Basti
mbasti at redhat.com
Wed Sep 14 16:21:10 UTC 2016
Then you have to start the services manually. I don't know if the same steps
will work with IPA 3.0.0, I don't remember, but you can try :)
On 14.09.2016 18:18, bahan w wrote:
> Oh I forgot to add that my version of ipa is quite old :
> ###
> # rpm -qa | grep ipa-server
> ipa-server-3.0.0-25.el6.x86_64
> ###
>
> When I try the command you gave me I got the following error :
> ###
> # ipactl start --force
> Usage: ipactl start|stop|restart|status
>
>
> ipactl: error: no such option: --force
> ###
>
> Best regards.
>
> Bahan
>
> On Wed, Sep 14, 2016 at 6:14 PM, Martin Basti <mbasti at redhat.com> wrote:
>
>
>
> On 14.09.2016 17:59, bahan w wrote:
>> Hello !
>>
>> I send you this mail because I cannot restart my test IPA server.
>>
>> When I try to start it with service ipa start, I got the
>> following error message :
>> ###
>> # service ipa start
>> Starting Directory Service
>> Starting dirsrv:
>> <MYREALM>...[14/Sep/2016:17:57:23 +0200] - SSL alert:
>> CERT_VerifyCertificateNow: verify certificate failed for cert
>> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
>> Portable Runtime error -8181 - Peer's Certificate has expired.)
>> [ OK ]
>> PKI-IPA...[14/Sep/2016:17:57:33 +0200] - SSL alert:
>> CERT_VerifyCertificateNow: verify certificate failed for cert
>> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
>> Portable Runtime error -8181 - Peer's Certificate has expired.)
>> [ OK ]
>> Starting KDC Service
>> Starting Kerberos 5 KDC: [ OK ]
>> Starting KPASSWD Service
>> Starting Kerberos 5 Admin Server: [ OK ]
>> Starting MEMCACHE Service
>> Starting ipa_memcached: [ OK ]
>> Starting HTTP Service
>> Starting httpd: [FAILED]
>> Failed to start HTTP Service
>> Shutting down
>> Stopping Kerberos 5 KDC: [ OK ]
>> Stopping Kerberos 5 Admin Server: [ OK ]
>> Stopping ipa_memcached: [ OK ]
>> Stopping httpd: [FAILED]
>> Stopping pki-ca: [ OK ]
>> Shutting down dirsrv:
>> <MYREALM>... [ OK ]
>> PKI-IPA... [ OK ]
>> Aborting ipactl
>>
>> # service ipa status
>> Directory Service: STOPPED
>> Failed to get list of services to probe status:
>> Directory Server is stopped
>> ###
>>
>> Do you know how to renew the SSL certificate used for the IPA
>> Server ?
>>
>> Best regards.
>>
>> Bahan
>>
>>
>>
>
>
> Hello,
>
> please run
>
> # ipactl start --force
> # getcert list (to detect which certificate is outdated, I suspect
> DS cert (or to get more info why it has not been renewed))
>
> If getcert does work (I'm not sure if it is able to work without
> httpd), you probably need to move the time back to the past, where the cert is
> valid, start IPA and try again.
>
> Please find the ID of the outdated certificate and try to resubmit it (CA and DS
> must be running)
>
> # getcert resubmit -i 20160914122036 (use your ID :) )
>
> This should renew cert, check status with getcert list
>
> Move time back to future (if needed)
>
> Try to restart IPA
>
> Martin^2
>
>
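
One way to do the "detect which certificate is outdated" step from the quoted advice, as an added example that is not part of the thread: the function reads `getcert list` output and prints the request ID, status, expiry and nickname of every certificate that has already expired. The function name `expired_requests`, the sample input and its paths are constructed for illustration, and the field layout is assumed to be certmonger's usual `getcert list` output.

```shell
#!/bin/bash
# Added example (not from the thread): print tracked requests whose certificate
# has expired. Real use: getcert list | expired_requests
# Optional $1 overrides "now" (UTC, "YYYY-MM-DD HH:MM:SS") for testing.
expired_requests() {
    local now="${1:-$(date -u '+%Y-%m-%d %H:%M:%S')}"
    awk -v now="$now" -v q="'" '
        # Each tracked certificate starts with: Request ID <quoted id>:
        /^Request ID / {
            id = $0
            gsub("^Request ID " q "|" q ":$", "", id)
            status = nick = ""
            next
        }
        $1 == "status:" { status = $2 }
        # Take the first nickname= of the entry (the "key pair storage" line).
        nick == "" && match($0, "nickname=" q "[^" q "]*" q) {
            nick = substr($0, RSTART + 10, RLENGTH - 11)
        }
        $1 == "expires:" {
            notafter = $2 " " $3
            # Both values share one fixed-width UTC format, so string order
            # is chronological order.
            if ((notafter "") < (now ""))
                printf "%s\t%s\t%s\t%s\n", id, status, notafter, nick
        }
    '
}

# Constructed sample in the layout "getcert list" prints; values are made up.
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20160914122036':
    status: CA_UNREACHABLE
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    expires: 2016-09-13 12:20:36 UTC
Request ID '20160914122101':
    status: MONITORING
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    expires: 2018-09-14 12:21:01 UTC
EOF
}

sample_getcert_list | expired_requests '2016-09-14 16:00:00'
```

The first column of each printed line is the ID to pass to `getcert resubmit -i`; a status other than MONITORING on that line is the place to start when working out why the renewal did not happen.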