[Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family
Martin Basti
mbasti at redhat.com
Wed Sep 14 16:45:13 UTC 2016
Please keep freeipa-users in CC, I'm quite lost here
ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction. Peer certificate cannot be
authenticated with known CA certificates).
I'm not sure what this does mean, but if this is caused by invalid httpd
certificate, solution might be to set time a week before 2016-05-28,
restart IPA and try to renew certs again
Martin^2
On 14.09.2016 18:38, bahan w wrote:
> Ok, I managed to restart the IPA service by adding this line in the
> file /etc/httpd/conf.d/nss.conf :
> ###
> NSSEnforceValidCerts off
> ###
>
> But when I do the getcert now I got the following result :
> ###
> # getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20140528063903':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
> certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=<MYREALM>
> subject: CN=CA Audit,O=<MYREALM>
> expires: 2018-04-09 11:39:16 UTC
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20140528063904':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
> certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=<MYREALM>
> subject: CN=OCSP Subsystem,O=<MYREALM>
> expires: 2018-04-09 11:38:16 UTC
> eku: id-kp-OCSPSigning
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "ocspSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20140528063905':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
> certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=<MYREALM>
> subject: CN=CA Subsystem,O=<MYREALM>
> expires: 2018-04-09 11:38:16 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "subsystemCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20140528063906':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=<MYREALM>
> subject: CN=IPA RA,O=<MYREALM>
> expires: 2018-04-09 11:38:16 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> track: yes
> auto-renew: yes
> Request ID '20140528063907':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
> certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=<MYREALM>
> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
> expires: 2018-04-09 11:38:16 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20140528063919':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: -504 (libcurl
> failed to execute the HTTP POST transaction. Peer certificate cannot
> be authenticated with known CA certificates).
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=<MYREALM>
> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
> expires: 2016-05-28 06:39:18 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
> <MYREALM>
> track: yes
> auto-renew: yes
> Request ID '20140528063953':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: -504 (libcurl
> failed to execute the HTTP POST transaction. Peer certificate cannot
> be authenticated with known CA certificates).
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=<MYREALM>
> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
> expires: 2016-05-28 06:39:52 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
> PKI-IPA
> track: yes
> auto-renew: yes
> Request ID '20140528064145':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: -504 (libcurl
> failed to execute the HTTP POST transaction. Peer certificate cannot
> be authenticated with known CA certificates).
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=<MYREALM>
> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
> expires: 2016-05-28 06:41:44 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
> ###
>
> Indeed, the entries outdated are the following :
> - for /etc/dirsrv/slapd-<MYREALM> : 20140528063919
> - for /etc/dirsrv/slapd-PKI-IPA : 20140528063953
> - for httpd ? : 20140528064145
>
> Best regards.
>
> Bahan
>
> On Wed, Sep 14, 2016 at 6:28 PM, bahan w <bahanw042014 at gmail.com
> <mailto:bahanw042014 at gmail.com>> wrote:
>
> Ok :D
>
> Because to perform the getcert list command, I need to have all
> the ipa services running right ?
>
> Here is the result of the command with the ipa services down.
> ###
> # getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20140528063903':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
> certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=<MYREALM>
> subject: CN=CA Audit,O=<MYREALM>
> expires: 2018-04-09 11:39:16 UTC
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20140528063904':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
> certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=<MYREALM>
> subject: CN=OCSP Subsystem,O=<MYREALM>
> expires: 2018-04-09 11:38:16 UTC
> eku: id-kp-OCSPSigning
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "ocspSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20140528063905':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
> certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=<MYREALM>
> subject: CN=CA Subsystem,O=<MYREALM>
> expires: 2018-04-09 11:38:16 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "subsystemCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20140528063906':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=<MYREALM>
> subject: CN=IPA RA,O=<MYREALM>
> expires: 2018-04-09 11:38:16 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> track: yes
> auto-renew: yes
> Request ID '20140528063907':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
> certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=<MYREALM>
> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
> expires: 2018-04-09 11:38:16 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20140528063919':
> status: MONITORING
> ca-error: Error setting up ccache for local "host" service
> using default keytab: Cannot contact any KDC for realm '<MYREALM>'.
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=<MYREALM>
> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
> expires: 2016-05-28 06:39:18 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> /usr/lib64/ipa/certmonger/restart_dirsrv <MYREALM>
> track: yes
> auto-renew: yes
> Request ID '20140528063953':
> status: MONITORING
> ca-error: Error setting up ccache for local "host" service
> using default keytab: Cannot contact any KDC for realm '<MYREALM>'.
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=<MYREALM>
> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
> expires: 2016-05-28 06:39:52 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
> track: yes
> auto-renew: yes
> Request ID '20140528064145':
> status: MONITORING
> ca-error: Error setting up ccache for local "host" service
> using default keytab: Cannot contact any KDC for realm '<MYREALM>'.
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=<MYREALM>
> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
> expires: 2016-05-28 06:41:44 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
> ###
>
> Best regards.
>
> Bahan
>
> On Wed, Sep 14, 2016 at 6:21 PM, Martin Basti <mbasti at redhat.com
> <mailto:mbasti at redhat.com>> wrote:
>
>
> Then you have to start services manually, I don't know if the
> same steps will work with IPA 3.0.0, I don't remember, but you
> can try :)
>
>
> On 14.09.2016 18:18, bahan w wrote:
>> Oh I forgot to add that my version of ipa is quite old :
>> ###
>> # rpm -qa | grep ipa-server
>> ipa-server-3.0.0-25.el6.x86_64
>> ###
>>
>> When I try the command you gave me I got the following error :
>> ###
>> # ipactl start --force
>> Usage: ipactl start|stop|restart|status
>>
>>
>> ipactl: error: no such option: --force
>> ###
>>
>> Best regards.
>>
>> Bahan
>>
>> On Wed, Sep 14, 2016 at 6:14 PM, Martin Basti
>> <mbasti at redhat.com <mailto:mbasti at redhat.com>> wrote:
>>
>>
>>
>> On 14.09.2016 17:59, bahan w wrote:
>>> Hello !
>>>
>>> I send you this mail because I cannot restart my test
>>> IPA server.
>>>
>>> When I try to start it with service ipa start, I got the
>>> following error message :
>>> ###
>>> # service ipa start
>>> Starting Directory Service
>>> Starting dirsrv:
>>> <MYREALM>...[14/Sep/2016:17:57:23 +0200] - SSL alert:
>>> CERT_VerifyCertificateNow: verify certificate failed for
>>> cert Server-Cert of family
>>> cn=RSA,cn=encryption,cn=config (Netscape Portable
>>> Runtime error -8181 - Peer's Certificate has expired.)
>>> [ OK ]
>>> PKI-IPA...[14/Sep/2016:17:57:33 +0200] - SSL alert:
>>> CERT_VerifyCertificateNow: verify certificate failed for
>>> cert Server-Cert of family
>>> cn=RSA,cn=encryption,cn=config (Netscape Portable
>>> Runtime error -8181 - Peer's Certificate has expired.)
>>> [ OK ]
>>> Starting KDC Service
>>> Starting Kerberos 5 KDC: [ OK ]
>>> Starting KPASSWD Service
>>> Starting Kerberos 5 Admin Server: [ OK ]
>>> Starting MEMCACHE Service
>>> Starting ipa_memcached: [ OK ]
>>> Starting HTTP Service
>>> Starting httpd: [FAILED]
>>> Failed to start HTTP Service
>>> Shutting down
>>> Stopping Kerberos 5 KDC: [ OK ]
>>> Stopping Kerberos 5 Admin Server: [ OK ]
>>> Stopping ipa_memcached: [ OK ]
>>> Stopping httpd: [FAILED]
>>> Stopping pki-ca: [ OK ]
>>> Shutting down dirsrv:
>>> <MYREALM>... [ OK ]
>>> PKI-IPA... [ OK ]
>>> Aborting ipactl
>>>
>>> # service ipa status
>>> Directory Service: STOPPED
>>> Failed to get list of services to probe status:
>>> Directory Server is stopped
>>> ###
>>>
>>> Do you know how to renew the SSL certificate used for
>>> the IPA Server ?
>>>
>>> Best regards.
>>>
>>> Bahan
>>>
>>>
>>>
>>
>>
>> Hello,
>>
>> please run
>>
>> # ipactl start --force
>> # getcert list (to detect which certificate is outdated,
>> I suspect DS cert (or to get more info why it has not
>> been renewed))
>>
>> If getcert does work (I'm not sure if ti is able to work
>> without httpd), you probable need to move time back to
>> past where cert is valid, start IPA and try again.
>>
>> Please find ID outdated certificate and try resubmit it
>> (CA and DS must be running)
>>
>> # getcert resubmit -i 20160914122036 (use you ID :) )
>>
>> This should renew cert, check status with getcert list
>>
>> Move time back to future (if needed)
>>
>> Try to restart IPA
>>
>> Martin^2
>>
>>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160914/7fac7276/attachment.htm>
More information about the Freeipa-users
mailing list