[Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

Martin Basti mbasti at redhat.com
Wed Sep 14 16:46:39 UTC 2016


Did you restart IPA when you moved the time? Is there a more detailed 
error description in the output of getcert list?


On 14.09.2016 18:45, bahan w wrote:
> I set the date-time when the certificates were valid :
> ###
> # date -s '2016-05-27 10:00:00'
> Fri May 27 10:00:00 CEST 2016
>
> # date
> Fri May 27 10:00:02 CEST 2016
> ###
>
> Then I try to renew them :
> ###
> # getcert resubmit -i 20140528063919
> Resubmitting "20140528063919" to "IPA".
>
> # getcert resubmit -i 20140528064145
> Resubmitting "20140528064145" to "IPA".
>
> # getcert resubmit -i 20140528063953
> Resubmitting "20140528063953" to "IPA".
> ###
>
> But when I do the getcert list after, the result is the same.
>
> I guess it is because of this ?
> CA_UNREACHABLE
>
> Any idea ?
>
> Best regards.
>
> Bahan
>
> On Wed, Sep 14, 2016 at 6:38 PM, bahan w <bahanw042014 at gmail.com 
> <mailto:bahanw042014 at gmail.com>> wrote:
>
>     Ok, I managed to restart the IPA service by adding this line in
>     the file /etc/httpd/conf.d/nss.conf :
>     ###
>     NSSEnforceValidCerts off
>     ###
>
>     But when I do the getcert now I got the following result :
>
>     ###
>     # getcert list
>     Number of certificates and requests being tracked: 8.
>     Request ID '20140528063903':
>             status: MONITORING
>             stuck: no
>             key pair storage:
>     type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>     cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>             certificate:
>     type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>     cert-pki-ca',token='NSS Certificate DB'
>             CA: dogtag-ipa-renew-agent
>             issuer: CN=Certificate Authority,O=<MYREALM>
>             subject: CN=CA Audit,O=<MYREALM>
>             expires: 2018-04-09 11:39:16 UTC
>             pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>             post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>     "auditSigningCert cert-pki-ca"
>             track: yes
>             auto-renew: yes
>     Request ID '20140528063904':
>             status: MONITORING
>             stuck: no
>             key pair storage:
>     type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>     cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>             certificate:
>     type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>     cert-pki-ca',token='NSS Certificate DB'
>             CA: dogtag-ipa-renew-agent
>             issuer: CN=Certificate Authority,O=<MYREALM>
>             subject: CN=OCSP Subsystem,O=<MYREALM>
>             expires: 2018-04-09 11:38:16 UTC
>             eku: id-kp-OCSPSigning
>             pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>             post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>     "ocspSigningCert cert-pki-ca"
>             track: yes
>             auto-renew: yes
>     Request ID '20140528063905':
>             status: MONITORING
>             stuck: no
>             key pair storage:
>     type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>     cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>             certificate:
>     type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>     cert-pki-ca',token='NSS Certificate DB'
>             CA: dogtag-ipa-renew-agent
>             issuer: CN=Certificate Authority,O=<MYREALM>
>             subject: CN=CA Subsystem,O=<MYREALM>
>             expires: 2018-04-09 11:38:16 UTC
>             eku: id-kp-serverAuth,id-kp-clientAuth
>             pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>             post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>     "subsystemCert cert-pki-ca"
>             track: yes
>             auto-renew: yes
>     Request ID '20140528063906':
>             status: MONITORING
>             stuck: no
>             key pair storage:
>     type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>     Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>             certificate:
>     type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>     Certificate DB'
>             CA: dogtag-ipa-renew-agent
>             issuer: CN=Certificate Authority,O=<MYREALM>
>             subject: CN=IPA RA,O=<MYREALM>
>             expires: 2018-04-09 11:38:16 UTC
>             eku: id-kp-serverAuth,id-kp-clientAuth
>             pre-save command:
>             post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>             track: yes
>             auto-renew: yes
>     Request ID '20140528063907':
>             status: MONITORING
>             stuck: no
>             key pair storage:
>     type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>     cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>             certificate:
>     type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>     cert-pki-ca',token='NSS Certificate DB'
>             CA: dogtag-ipa-renew-agent
>             issuer: CN=Certificate Authority,O=<MYREALM>
>             subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>             expires: 2018-04-09 11:38:16 UTC
>             eku: id-kp-serverAuth,id-kp-clientAuth
>             pre-save command:
>             post-save command:
>             track: yes
>             auto-renew: yes
>     Request ID '20140528063919':
>             status: CA_UNREACHABLE
>             ca-error: Server failed request, will retry: -504 (libcurl
>     failed to execute the HTTP POST transaction.  Peer certificate
>     cannot be authenticated with known CA certificates).
>             stuck: yes
>             key pair storage:
>     type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS
>     Certificate DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'
>             certificate:
>     type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS
>     Certificate DB'
>             CA: IPA
>             issuer: CN=Certificate Authority,O=<MYREALM>
>             subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>             expires: 2016-05-28 06:39:18 UTC
>             eku: id-kp-serverAuth,id-kp-clientAuth
>             pre-save command:
>             post-save command:
>     /usr/lib64/ipa/certmonger/restart_dirsrv <MYREALM>
>             track: yes
>             auto-renew: yes
>     Request ID '20140528063953':
>             status: CA_UNREACHABLE
>             ca-error: Server failed request, will retry: -504 (libcurl
>     failed to execute the HTTP POST transaction.  Peer certificate
>     cannot be authenticated with known CA certificates).
>             stuck: yes
>             key pair storage:
>     type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>     Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>             certificate:
>     type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>     Certificate DB'
>             CA: IPA
>             issuer: CN=Certificate Authority,O=<MYREALM>
>             subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>             expires: 2016-05-28 06:39:52 UTC
>             eku: id-kp-serverAuth,id-kp-clientAuth
>             pre-save command:
>             post-save command:
>     /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
>             track: yes
>             auto-renew: yes
>     Request ID '20140528064145':
>             status: CA_UNREACHABLE
>             ca-error: Server failed request, will retry: -504 (libcurl
>     failed to execute the HTTP POST transaction.  Peer certificate
>     cannot be authenticated with known CA certificates).
>             stuck: yes
>             key pair storage:
>     type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>     Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>             certificate:
>     type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>     Certificate DB'
>             CA: IPA
>             issuer: CN=Certificate Authority,O=<MYREALM>
>             subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>             expires: 2016-05-28 06:41:44 UTC
>             eku: id-kp-serverAuth,id-kp-clientAuth
>             pre-save command:
>             post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>             track: yes
>             auto-renew: yes
>     ###
>
>     Indeed, the entries outdated are the following :
>     - for /etc/dirsrv/slapd-<MYREALM> : 20140528063919
>     - for /etc/dirsrv/slapd-PKI-IPA : 20140528063953
>     - for httpd ? : 20140528064145
>
>     Best regards.
>
>     Bahan
>
>     On Wed, Sep 14, 2016 at 6:28 PM, bahan w <bahanw042014 at gmail.com
>     <mailto:bahanw042014 at gmail.com>> wrote:
>
>         Ok :D
>
>         Because to perform the getcert list command, I need to have
>         all the ipa services running right ?
>
>         Here is the result of the command with the ipa services down.
>         ###
>         #  getcert list
>         Number of certificates and requests being tracked: 8.
>         Request ID '20140528063903':
>                 status: MONITORING
>                 stuck: no
>                 key pair storage:
>         type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>         cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>                 certificate:
>         type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>         cert-pki-ca',token='NSS Certificate DB'
>                 CA: dogtag-ipa-renew-agent
>                 issuer: CN=Certificate Authority,O=<MYREALM>
>                 subject: CN=CA Audit,O=<MYREALM>
>                 expires: 2018-04-09 11:39:16 UTC
>                 pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>                 post-save command:
>         /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert
>         cert-pki-ca"
>                 track: yes
>                 auto-renew: yes
>         Request ID '20140528063904':
>                 status: MONITORING
>                 stuck: no
>                 key pair storage:
>         type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>         cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>                 certificate:
>         type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>         cert-pki-ca',token='NSS Certificate DB'
>                 CA: dogtag-ipa-renew-agent
>                 issuer: CN=Certificate Authority,O=<MYREALM>
>                 subject: CN=OCSP Subsystem,O=<MYREALM>
>                 expires: 2018-04-09 11:38:16 UTC
>                 eku: id-kp-OCSPSigning
>                 pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>                 post-save command:
>         /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert
>         cert-pki-ca"
>                 track: yes
>                 auto-renew: yes
>         Request ID '20140528063905':
>                 status: MONITORING
>                 stuck: no
>                 key pair storage:
>         type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>         cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>                 certificate:
>         type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>         cert-pki-ca',token='NSS Certificate DB'
>                 CA: dogtag-ipa-renew-agent
>                 issuer: CN=Certificate Authority,O=<MYREALM>
>                 subject: CN=CA Subsystem,O=<MYREALM>
>                 expires: 2018-04-09 11:38:16 UTC
>                 eku: id-kp-serverAuth,id-kp-clientAuth
>                 pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>                 post-save command:
>         /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert
>         cert-pki-ca"
>                 track: yes
>                 auto-renew: yes
>         Request ID '20140528063906':
>                 status: MONITORING
>                 stuck: no
>                 key pair storage:
>         type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>         Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>                 certificate:
>         type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>         Certificate DB'
>                 CA: dogtag-ipa-renew-agent
>                 issuer: CN=Certificate Authority,O=<MYREALM>
>                 subject: CN=IPA RA,O=<MYREALM>
>                 expires: 2018-04-09 11:38:16 UTC
>                 eku: id-kp-serverAuth,id-kp-clientAuth
>                 pre-save command:
>                 post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>                 track: yes
>                 auto-renew: yes
>         Request ID '20140528063907':
>                 status: MONITORING
>                 stuck: no
>                 key pair storage:
>         type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>         cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>                 certificate:
>         type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>         cert-pki-ca',token='NSS Certificate DB'
>                 CA: dogtag-ipa-renew-agent
>                 issuer: CN=Certificate Authority,O=<MYREALM>
>                 subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>                 expires: 2018-04-09 11:38:16 UTC
>                 eku: id-kp-serverAuth,id-kp-clientAuth
>                 pre-save command:
>                 post-save command:
>                 track: yes
>                 auto-renew: yes
>         Request ID '20140528063919':
>                 status: MONITORING
>                 ca-error: Error setting up ccache for local "host"
>         service using default keytab: Cannot contact any KDC for realm
>         '<MYREALM>'.
>                 stuck: no
>                 key pair storage:
>         type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS
>         Certificate DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'
>                 certificate:
>         type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS
>         Certificate DB'
>                 CA: IPA
>                 issuer: CN=Certificate Authority,O=<MYREALM>
>                 subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>                 expires: 2016-05-28 06:39:18 UTC
>                 eku: id-kp-serverAuth,id-kp-clientAuth
>                 pre-save command:
>                 post-save command:
>         /usr/lib64/ipa/certmonger/restart_dirsrv <MYREALM>
>                 track: yes
>                 auto-renew: yes
>         Request ID '20140528063953':
>                 status: MONITORING
>                 ca-error: Error setting up ccache for local "host"
>         service using default keytab: Cannot contact any KDC for realm
>         '<MYREALM>'.
>                 stuck: no
>                 key pair storage:
>         type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>         Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>                 certificate:
>         type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>         Certificate DB'
>                 CA: IPA
>                 issuer: CN=Certificate Authority,O=<MYREALM>
>                 subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>                 expires: 2016-05-28 06:39:52 UTC
>                 eku: id-kp-serverAuth,id-kp-clientAuth
>                 pre-save command:
>                 post-save command:
>         /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
>                 track: yes
>                 auto-renew: yes
>         Request ID '20140528064145':
>                 status: MONITORING
>                 ca-error: Error setting up ccache for local "host"
>         service using default keytab: Cannot contact any KDC for realm
>         '<MYREALM>'.
>                 stuck: no
>                 key pair storage:
>         type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>         Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>                 certificate:
>         type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>         Certificate DB'
>                 CA: IPA
>                 issuer: CN=Certificate Authority,O=<MYREALM>
>                 subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>                 expires: 2016-05-28 06:41:44 UTC
>                 eku: id-kp-serverAuth,id-kp-clientAuth
>                 pre-save command:
>                 post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>                 track: yes
>                 auto-renew: yes
>         ###
>
>         Best regards.
>
>         Bahan
>
>         On Wed, Sep 14, 2016 at 6:21 PM, Martin Basti
>         <mbasti at redhat.com <mailto:mbasti at redhat.com>> wrote:
>
>
>             Then you have to start services manually, I don't know if
>             the same steps will work with IPA 3.0.0, I don't remember,
>             but you can try :)
>
>
>             On 14.09.2016 18:18, bahan w wrote:
>>             Oh I forgot to add that my version of ipa is quite old :
>>             ###
>>             # rpm -qa | grep ipa-server
>>             ipa-server-3.0.0-25.el6.x86_64
>>             ###
>>
>>             When I try the command you gave me I got the following
>>             error :
>>             ###
>>             # ipactl start --force
>>             Usage: ipactl start|stop|restart|status
>>
>>
>>             ipactl: error: no such option: --force
>>             ###
>>
>>             Best regards.
>>
>>             Bahan
>>
>>             On Wed, Sep 14, 2016 at 6:14 PM, Martin Basti
>>             <mbasti at redhat.com <mailto:mbasti at redhat.com>> wrote:
>>
>>
>>
>>                 On 14.09.2016 17:59, bahan w wrote:
>>>                 Hello !
>>>
>>>                 I send you this mail because I cannot restart my
>>>                 test IPA server.
>>>
>>>                 When I try to start it with service ipa start, I got
>>>                 the following error message :
>>>                 ###
>>>                 # service ipa start
>>>                 Starting Directory Service
>>>                 Starting dirsrv:
>>>                 <MYREALM>...[14/Sep/2016:17:57:23 +0200] - SSL
>>>                 alert: CERT_VerifyCertificateNow: verify certificate
>>>                 failed for cert Server-Cert of family
>>>                 cn=RSA,cn=encryption,cn=config (Netscape Portable
>>>                 Runtime error -8181 - Peer's Certificate has expired.)
>>>                                              [  OK  ]
>>>                 PKI-IPA...[14/Sep/2016:17:57:33 +0200] - SSL alert:
>>>                 CERT_VerifyCertificateNow: verify certificate failed
>>>                 for cert Server-Cert of family
>>>                 cn=RSA,cn=encryption,cn=config (Netscape Portable
>>>                 Runtime error -8181 - Peer's Certificate has expired.)
>>>                                              [  OK  ]
>>>                 Starting KDC Service
>>>                 Starting Kerberos 5 KDC: [  OK  ]
>>>                 Starting KPASSWD Service
>>>                 Starting Kerberos 5 Admin Server: [  OK  ]
>>>                 Starting MEMCACHE Service
>>>                 Starting ipa_memcached: [  OK  ]
>>>                 Starting HTTP Service
>>>                 Starting httpd: [FAILED]
>>>                 Failed to start HTTP Service
>>>                 Shutting down
>>>                 Stopping Kerberos 5 KDC: [  OK  ]
>>>                 Stopping Kerberos 5 Admin Server: [  OK  ]
>>>                 Stopping ipa_memcached: [  OK  ]
>>>                 Stopping httpd: [FAILED]
>>>                 Stopping pki-ca: [  OK  ]
>>>                 Shutting down dirsrv:
>>>                 <MYREALM>... [  OK  ]
>>>                 PKI-IPA... [  OK  ]
>>>                 Aborting ipactl
>>>
>>>                 # service ipa status
>>>                 Directory Service: STOPPED
>>>                 Failed to get list of services to probe status:
>>>                 Directory Server is stopped
>>>                 ###
>>>
>>>                 Do you know how to renew the SSL certificate used
>>>                 for the IPA Server ?
>>>
>>>                 Best regards.
>>>
>>>                 Bahan
>>>
>>>
>>>
>>
>>
>>                 Hello,
>>
>>                 please run
>>
>>                 # ipactl start --force
>>                 # getcert list (to detect which certificate is
>>                 outdated, I suspect DS cert (or to get more info why
>>                 it has not been renewed))
>>
>>                 If getcert does work (I'm not sure if it is able to
>>                 work without httpd), you probably need to move time
>>                 back to the past where cert is valid, start IPA and try
>>                 again.
>>
>>                 Please find ID outdated certificate and try resubmit
>>                 it (CA and DS must be running)
>>
>>                 # getcert resubmit -i 20160914122036 (use your ID :) )
>>
>>                 This should renew cert, check status with getcert list
>>
>>                 Move time back to future (if needed)
>>
>>                 Try to restart IPA
>>
>>                 Martin^2
>>
>>
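A small checker for the `getcert list` output quoted in this thread, added here as an example and not part of FreeIPA or certmonger: it parses each request block, flags expired, stuck or non-MONITORING entries (the CA_UNREACHABLE / ca-error cases above), and computes the latest clock value at which every tracked cert is still valid, which is the upper bound for the set-the-clock-back workaround Martin suggests. The sample output is constructed in the thread's format, with `slapd-EXAMPLE` standing in for the realm placeholder.

```python
import re
from datetime import datetime
# Constructed sample in the `getcert list` format quoted in the thread (reduced)
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20140528063907':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        expires: 2018-04-09 11:38:16 UTC
Request ID '20140528063919':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        expires: 2016-05-28 06:39:18 UTC
"""

REQUEST_RE = re.compile(r"Request ID '([^']+)':")
FIELD_RE = re.compile(r"\s+([\w -]+?): ?(.*)")  # "<indent>key: value"
TS_FMT = "%Y-%m-%d %H:%M:%S"

def parse_getcert_list(text):
    """One dict per 'Request ID' block, keyed by field name. Assumes each field
    is on one line as getcert prints it (the mail client wrapped the thread's)."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        m = FIELD_RE.match(line) if current is not None else None
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    return requests

def expiry(entry):
    return datetime.strptime(entry["expires"], TS_FMT + " UTC")

def find_problems(text, now_utc):
    """Map request ID -> findings: expired cert, stuck request, non-MONITORING
    status, or a recorded ca-error. now_utc is 'YYYY-MM-DD HH:MM:SS' in UTC."""
    now = datetime.strptime(now_utc, TS_FMT)
    problems = {}
    for e in parse_getcert_list(text):
        issues = []
        if "expires" in e and expiry(e) <= now:
            issues.append("expired " + e["expires"])
        if e.get("stuck") == "yes":
            issues.append("stuck")
        if e.get("status") != "MONITORING":
            issues.append("status " + e.get("status", "?"))
        if e.get("ca-error"):
            issues.append("ca-error: " + e["ca-error"])
        if issues:
            problems[e["id"]] = issues
    return problems

def valid_window_end(text):
    """Earliest expiry: the clock must be before this for every cert to validate."""
    return min(expiry(e) for e in parse_getcert_list(text) if "expires" in e)
```

Run against the real output with `find_problems(open("getcert.txt").read(), "<UTC clock>")`; note that setting the clock back does not clear a stuck request, so the request still shows up until it is resubmitted.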
