[Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family
bahan w
bahanw042014 at gmail.com
Wed Sep 14 16:45:07 UTC 2016
I set the date-time to when the certificates were valid:
###
# date -s '2016-05-27 10:00:00'
Fri May 27 10:00:00 CEST 2016
# date
Fri May 27 10:00:02 CEST 2016
###
Then I try to renew them:
###
# getcert resubmit -i 20140528063919
Resubmitting "20140528063919" to "IPA".
# getcert resubmit -i 20140528064145
Resubmitting "20140528064145" to "IPA".
# getcert resubmit -i 20140528063953
Resubmitting "20140528063953" to "IPA".
###
But when I do the getcert list afterwards, the result is the same.
I guess it is because of this?
CA_UNREACHABLE
Any idea?
Best regards.
Bahan
On Wed, Sep 14, 2016 at 6:38 PM, bahan w <bahanw042014 at gmail.com> wrote:
> Ok, I managed to restart the IPA service by adding this line in the file
> /etc/httpd/conf.d/nss.conf :
> ###
> NSSEnforceValidCerts off
> ###
>
> But when I do the getcert now I got the following result :
>
> ###
> # getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20140528063903':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
> Certificate DB',pin='159203530658'
> certificate: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
> Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=<MYREALM>
> subject: CN=CA Audit,O=<MYREALM>
> expires: 2018-04-09 11:39:16 UTC
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20140528063904':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
> Certificate DB',pin='159203530658'
> certificate: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
> Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=<MYREALM>
> subject: CN=OCSP Subsystem,O=<MYREALM>
> expires: 2018-04-09 11:38:16 UTC
> eku: id-kp-OCSPSigning
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "ocspSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20140528063905':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate
> DB',pin='159203530658'
> certificate: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate
> DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=<MYREALM>
> subject: CN=CA Subsystem,O=<MYREALM>
> expires: 2018-04-09 11:38:16 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "subsystemCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20140528063906':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/
> httpd/alias',nickname='ipaCert',token='NSS Certificate
> DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=<MYREALM>
> subject: CN=IPA RA,O=<MYREALM>
> expires: 2018-04-09 11:38:16 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> track: yes
> auto-renew: yes
> Request ID '20140528063907':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate
> DB',pin='159203530658'
> certificate: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate
> DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=<MYREALM>
> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
> expires: 2018-04-09 11:38:16 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20140528063919':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: -504 (libcurl failed
> to execute the HTTP POST transaction. Peer certificate cannot be
> authenticated with known CA certificates).
> stuck: yes
> key pair storage: type=NSSDB,location='/etc/
> dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate
> DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',
> nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=<MYREALM>
> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
> expires: 2016-05-28 06:39:18 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
> <MYREALM>
> track: yes
> auto-renew: yes
> Request ID '20140528063953':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: -504 (libcurl failed
> to execute the HTTP POST transaction. Peer certificate cannot be
> authenticated with known CA certificates).
> stuck: yes
> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',
> nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/
> slapd-PKI-IPA/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',
> nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=<MYREALM>
> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
> expires: 2016-05-28 06:39:52 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
> PKI-IPA
> track: yes
> auto-renew: yes
> Request ID '20140528064145':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: -504 (libcurl failed
> to execute the HTTP POST transaction. Peer certificate cannot be
> authenticated with known CA certificates).
> stuck: yes
> key pair storage: type=NSSDB,location='/etc/
> httpd/alias',nickname='Server-Cert',token='NSS Certificate
> DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/
> httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=<MYREALM>
> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
> expires: 2016-05-28 06:41:44 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
> ###
>
> Indeed, the outdated entries are the following:
> - for /etc/dirsrv/slapd-<MYREALM> : 20140528063919
> - for /etc/dirsrv/slapd-PKI-IPA : 20140528063953
> - for httpd ? : 20140528064145
>
> Best regards.
>
> Bahan
>
> On Wed, Sep 14, 2016 at 6:28 PM, bahan w <bahanw042014 at gmail.com> wrote:
>
>> Ok :D
>>
>> Because to perform the getcert list command, I need to have all the ipa
>> services running right ?
>>
>> Here is the result of the command with the ipa services down.
>> ###
>> # getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20140528063903':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
>> Certificate DB',pin='159203530658'
>> certificate: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
>> Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=CA Audit,O=<MYREALM>
>> expires: 2018-04-09 11:39:16 UTC
>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> "auditSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20140528063904':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
>> Certificate DB',pin='159203530658'
>> certificate: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
>> Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=OCSP Subsystem,O=<MYREALM>
>> expires: 2018-04-09 11:38:16 UTC
>> eku: id-kp-OCSPSigning
>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> "ocspSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20140528063905':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS
>> Certificate DB',pin='159203530658'
>> certificate: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS
>> Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=CA Subsystem,O=<MYREALM>
>> expires: 2018-04-09 11:38:16 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> "subsystemCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20140528063906':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/http
>> d/alias',nickname='ipaCert',token='NSS Certificate
>> DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/http
>> d/alias',nickname='ipaCert',token='NSS Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=IPA RA,O=<MYREALM>
>> expires: 2018-04-09 11:38:16 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>> track: yes
>> auto-renew: yes
>> Request ID '20140528063907':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate
>> DB',pin='159203530658'
>> certificate: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate
>> DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>> expires: 2018-04-09 11:38:16 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>> Request ID '20140528063919':
>> status: MONITORING
>> ca-error: Error setting up ccache for local "host" service using
>> default keytab: Cannot contact any KDC for realm '<MYREALM>'.
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/dirs
>> rv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate
>> DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/dirs
>> rv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>> expires: 2016-05-28 06:39:18 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
>> <MYREALM>
>> track: yes
>> auto-renew: yes
>> Request ID '20140528063953':
>> status: MONITORING
>> ca-error: Error setting up ccache for local "host" service using
>> default keytab: Cannot contact any KDC for realm '<MYREALM>'.
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/dirs
>> rv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate
>> DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/dirs
>> rv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>> expires: 2016-05-28 06:39:52 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
>> PKI-IPA
>> track: yes
>> auto-renew: yes
>> Request ID '20140528064145':
>> status: MONITORING
>> ca-error: Error setting up ccache for local "host" service using
>> default keytab: Cannot contact any KDC for realm '<MYREALM>'.
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/http
>> d/alias',nickname='Server-Cert',token='NSS Certificate
>> DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/http
>> d/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>> expires: 2016-05-28 06:41:44 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>> track: yes
>> auto-renew: yes
>> ###
>>
>> Best regards.
>>
>> Bahan
>>
>> On Wed, Sep 14, 2016 at 6:21 PM, Martin Basti <mbasti at redhat.com> wrote:
>>
>>>
>>> Then you have to start services manually, I don't know if the same steps
>>> will work with IPA 3.0.0, I don't remember, but you can try :)
>>>
>>> On 14.09.2016 18:18, bahan w wrote:
>>>
>>> Oh I forgot to add that my version of ipa is quite old :
>>> ###
>>> # rpm -qa | grep ipa-server
>>> ipa-server-3.0.0-25.el6.x86_64
>>> ###
>>>
>>> When I try the command you gave me I got the following error :
>>> ###
>>> # ipactl start --force
>>> Usage: ipactl start|stop|restart|status
>>>
>>>
>>> ipactl: error: no such option: --force
>>> ###
>>>
>>> Best regards.
>>>
>>> Bahan
>>>
>>>
>>> On Wed, Sep 14, 2016 at 6:14 PM, Martin Basti <mbasti at redhat.com> wrote:
>>>
>>>>
>>>>
>>>> On 14.09.2016 17:59, bahan w wrote:
>>>>
>>>> Hello !
>>>>
>>>> I send you this mail because I cannot restart my test IPA server.
>>>>
>>>> When I try to start it with service ipa start, I got the following
>>>> error message :
>>>> ###
>>>> # service ipa start
>>>> Starting Directory Service
>>>> Starting dirsrv:
>>>> <MYREALM>...[14/Sep/2016:17:57:23 +0200] - SSL alert:
>>>> CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
>>>> of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
>>>> -8181 - Peer's Certificate has expired.)
>>>> [ OK ]
>>>> PKI-IPA...[14/Sep/2016:17:57:33 +0200] - SSL alert:
>>>> CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
>>>> of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
>>>> -8181 - Peer's Certificate has expired.)
>>>> [ OK ]
>>>> Starting KDC Service
>>>> Starting Kerberos 5 KDC: [ OK ]
>>>> Starting KPASSWD Service
>>>> Starting Kerberos 5 Admin Server: [ OK ]
>>>> Starting MEMCACHE Service
>>>> Starting ipa_memcached: [ OK ]
>>>> Starting HTTP Service
>>>> Starting httpd: [FAILED]
>>>> Failed to start HTTP Service
>>>> Shutting down
>>>> Stopping Kerberos 5 KDC: [ OK ]
>>>> Stopping Kerberos 5 Admin Server: [ OK ]
>>>> Stopping ipa_memcached: [ OK ]
>>>> Stopping httpd: [FAILED]
>>>> Stopping pki-ca: [ OK ]
>>>> Shutting down dirsrv:
>>>> <MYREALM>... [ OK ]
>>>> PKI-IPA... [ OK ]
>>>> Aborting ipactl
>>>>
>>>> # service ipa status
>>>> Directory Service: STOPPED
>>>> Failed to get list of services to probe status:
>>>> Directory Server is stopped
>>>> ###
>>>>
>>>> Do you know how to renew the SSL certificate used for the IPA Server ?
>>>>
>>>> Best regards.
>>>>
>>>> Bahan
>>>>
>>>> Hello,
>>>>
>>>> please run
>>>>
>>>> # ipactl start --force
>>>> # getcert list (to detect which certificate is outdated, I suspect DS
>>>> cert (or to get more info why it has not been renewed))
>>>>
>>>> If getcert does work (I'm not sure if it is able to work without
>>>> httpd), you probably need to move time back to the past where the cert is valid,
>>>> start IPA and try again.
>>>>
>>>> Please find ID outdated certificate and try resubmit it (CA and DS must
>>>> be running)
>>>>
>>>> # getcert resubmit -i 20160914122036 (use your ID :) )
>>>>
>>>> This should renew cert, check status with getcert list
>>>>
>>>> Move time back to future (if needed)
>>>>
>>>> Try to restart IPA
>>>>
>>>> Martin^2
>>>>
>>>
>>>
>>>
>>
>
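As an added example, not part of any mail in this thread: a small parser for the `getcert list` output quoted above that picks out the tracking requests to resubmit (expired, stuck, or carrying a ca-error) and the instant the clock has to be set before, following Martin's steps. The sample output is constructed from the page's listing with the `<MYREALM>` placeholder kept, and `NOW` is assumed to be the date of the thread.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the thread's getcert list output (fields the triage does not use are omitted).
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20140528063907':
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	expires: 2018-04-09 11:38:16 UTC
Request ID '20140528063919':
	ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
	stuck: yes
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate DB'
	expires: 2016-05-28 06:39:18 UTC
Request ID '20140528064145':
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	expires: 2016-05-28 06:41:44 UTC
"""
NOW = datetime(2016, 9, 14, tzinfo=timezone.utc)  # assumed: the date of the thread

def parse_getcert_list(text):
    """Turn 'getcert list' output into one dict of 'field: value' per request."""
    entries, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1)}
            entries.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.strip().partition(":")  # first colon only: ca-error text has more
            cur[key.strip()] = val.strip()
    return entries

def triage(entries, now):
    """Flag requests that are expired, stuck, or reporting a ca-error."""
    flagged = []
    for e in entries:
        exp = datetime.strptime(e["expires"].replace(" UTC", ""),
                                "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        reasons = [r for r, hit in (("expired", exp <= now),
                                    ("stuck", e.get("stuck") == "yes"),
                                    ("ca-error", "ca-error" in e)) if hit]
        if reasons:
            loc = re.search(r"location='([^']+)'", e["certificate"]).group(1)
            flagged.append({"id": e["id"], "location": loc, "reasons": reasons, "expires": exp})
    return flagged

def earliest_expiry(flagged):
    """The clock must be moved to before this instant for every flagged cert to verify again."""
    return min(h["expires"] for h in flagged)
```

`triage(parse_getcert_list(SAMPLE), NOW)` returns the two IPA-issued Server-Cert requests with the reasons they were flagged, which is the list of IDs to pass to `getcert resubmit -i`, and `earliest_expiry` gives the instant the clock has to precede before resubmitting.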