[Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

Martin Basti mbasti at redhat.com
Wed Sep 14 16:34:43 UTC 2016


Please keep freeipa-users in CC, there is no sensitive information in 
getcert list output (you sanitized it)


Following certificates are expired, please try to resubmit them. I'm 
also worried about this error message: ca-error: Error setting up ccache 
for local "host" service using default keytab: Cannot contact any KDC 
for realm '<MYREALM>'.

Is KDC running?


> Request ID '20140528063919':
>         status: MONITORING
>         ca-error: Error setting up ccache for local "host" service 
> using default keytab: Cannot contact any KDC for realm '<MYREALM>'.
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS 
> Certificate DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'
>         certificate: 
> type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS 
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=<MYREALM>
>         subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>         expires: 2016-05-28 06:39:18 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv 
> <MYREALM>
>         track: yes
>         auto-renew: yes
> Request ID '20140528063953':
>         status: MONITORING
>         ca-error: Error setting up ccache for local "host" service 
> using default keytab: Cannot contact any KDC for realm '<MYREALM>'.
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS 
> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>         certificate: 
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS 
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=<MYREALM>
>         subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>         expires: 2016-05-28 06:39:52 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv 
> PKI-IPA
>         track: yes
>         auto-renew: yes
> Request ID '20140528064145':
>         status: MONITORING
>         ca-error: Error setting up ccache for local "host" service 
> using default keytab: Cannot contact any KDC for realm '<MYREALM>'.
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: 
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=<MYREALM>
>         subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>         expires: 2016-05-28 06:41:44 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>         track: yes
>         auto-renew: yes
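
Added example, not part of the original message and not FreeIPA or certmonger code: a small triage of `getcert list` output that picks out the request IDs whose certificate has expired or that carry a ca-error, as in the listing quoted above. The sample text, its realm name and the second request ID are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of `getcert list` output (placeholder realm).
SAMPLE = """\
Request ID '20140528063919':
        status: MONITORING
        ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm 'EXAMPLE.TEST'.
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
        expires: 2016-05-28 06:39:18 UTC
Request ID '20160101000000':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        expires: 2018-01-01 00:00:00 UTC
"""

def parse_getcert_list(text):
    """Split the output into one dict of fields per tracking request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only: values such as ca-error contain colons.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def triage(requests, now):
    """Return (request id, problems) for every request that needs attention."""
    findings = []
    for req in requests:
        problems = []
        expires = req.get("expires")
        if expires:
            when = datetime.strptime(expires, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
            if when <= now:
                problems.append("expired " + expires)
        if "ca-error" in req:
            problems.append("ca-error: " + req["ca-error"])
        if problems:
            findings.append((req["id"], problems))
    return findings

if __name__ == "__main__":
    now = datetime(2016, 9, 14, 16, 34, 43, tzinfo=timezone.utc)  # date of this message
    for req_id, problems in triage(parse_getcert_list(SAMPLE), now):
        print(req_id, "->", "; ".join(problems))
```

Each ID it reports is a candidate for `getcert resubmit -i <request ID>`, once the KDC error shown in ca-error has been dealt with.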



