[Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family
bahan w
bahanw042014 at gmail.com
Wed Sep 14 17:02:22 UTC 2016
Sorry Martin,
This is not the first time I forgot to add back freeipa users.
I have problems with gmail, again sorry.
Indeed I figured out that I had to restart the ipa server.
So I tried to restart ipa server.
But it was not working yet.
So I thought it was maybe due to the configuration I performed in the
nss.conf.
So I rolled back this conf and restarted ipa-server.
Then I retried your commands but it is still the same error.
###
Request ID '20140528064145':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at
server. Certificate operation cannot be completed: Unable to communicate
with CMS (Not Found)).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=<MYREALM>
subject: CN=<IPA SERVER HOST>,O=<MYREALM>
expires: 2016-05-28 06:41:44 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
###
Do you know what the CMS is?
###
(RPC failed at server. Certificate operation cannot be completed: Unable
to communicate with CMS (Not Found)).
###
Best regards.
Bahan
On Wed, Sep 14, 2016 at 6:46 PM, Martin Basti <mbasti at redhat.com> wrote:
> did you restart IPA when you moved time? Is there a more detailed error
> description in the output of getcert list?
>
> On 14.09.2016 18:45, bahan w wrote:
>
> I set the date-time when the certificates were valid :
> ###
> # date -s '2016-05-27 10:00:00'
> Fri May 27 10:00:00 CEST 2016
>
> # date
> Fri May 27 10:00:02 CEST 2016
> ###
>
> Then I try to renew them :
> ###
> # getcert resubmit -i 20140528063919
> Resubmitting "20140528063919" to "IPA".
>
> # getcert resubmit -i 20140528064145
> Resubmitting "20140528064145" to "IPA".
>
> # getcert resubmit -i 20140528063953
> Resubmitting "20140528063953" to "IPA".
> ###
>
> But when I do the getcert list after, the result is the same.
>
> I guess it is because of this ?
> CA_UNREACHABLE
>
> Any idea ?
>
> Best regards.
>
> Bahan
>
> On Wed, Sep 14, 2016 at 6:38 PM, bahan w <bahanw042014 at gmail.com> wrote:
>
>> Ok, I managed to restart the IPA service by adding this line in the file
>> /etc/httpd/conf.d/nss.conf :
>> ###
>> NSSEnforceValidCerts off
>> ###
>>
>> But when I do the getcert now I got the following result :
>>
>> ###
>> # getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20140528063903':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
>> Certificate DB',pin='159203530658'
>> certificate: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
>> Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=CA Audit,O=<MYREALM>
>> expires: 2018-04-09 11:39:16 UTC
>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> "auditSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20140528063904':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
>> Certificate DB',pin='159203530658'
>> certificate: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
>> Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=OCSP Subsystem,O=<MYREALM>
>> expires: 2018-04-09 11:38:16 UTC
>> eku: id-kp-OCSPSigning
>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> "ocspSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20140528063905':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS
>> Certificate DB',pin='159203530658'
>> certificate: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS
>> Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=CA Subsystem,O=<MYREALM>
>> expires: 2018-04-09 11:38:16 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> "subsystemCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20140528063906':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/http
>> d/alias',nickname='ipaCert',token='NSS Certificate
>> DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/http
>> d/alias',nickname='ipaCert',token='NSS Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=IPA RA,O=<MYREALM>
>> expires: 2018-04-09 11:38:16 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>> track: yes
>> auto-renew: yes
>> Request ID '20140528063907':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate
>> DB',pin='159203530658'
>> certificate: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate
>> DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>> expires: 2018-04-09 11:38:16 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>> Request ID '20140528063919':
>> status: CA_UNREACHABLE
>> ca-error: Server failed request, will retry: -504 (libcurl failed
>> to execute the HTTP POST transaction. Peer certificate cannot be
>> authenticated with known CA certificates).
>> stuck: yes
>> key pair storage: type=NSSDB,location='/etc/dirs
>> rv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate
>> DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/dirs
>> rv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>> expires: 2016-05-28 06:39:18 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
>> <MYREALM>
>> track: yes
>> auto-renew: yes
>> Request ID '20140528063953':
>> status: CA_UNREACHABLE
>> ca-error: Server failed request, will retry: -504 (libcurl failed
>> to execute the HTTP POST transaction. Peer certificate cannot be
>> authenticated with known CA certificates).
>> stuck: yes
>> key pair storage: type=NSSDB,location='/etc/dirs
>> rv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate
>> DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/dirs
>> rv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>> expires: 2016-05-28 06:39:52 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
>> PKI-IPA
>> track: yes
>> auto-renew: yes
>> Request ID '20140528064145':
>> status: CA_UNREACHABLE
>> ca-error: Server failed request, will retry: -504 (libcurl failed
>> to execute the HTTP POST transaction. Peer certificate cannot be
>> authenticated with known CA certificates).
>> stuck: yes
>> key pair storage: type=NSSDB,location='/etc/http
>> d/alias',nickname='Server-Cert',token='NSS Certificate
>> DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/http
>> d/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>> expires: 2016-05-28 06:41:44 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>> track: yes
>> auto-renew: yes
>> ###
>>
>> Indeed, the outdated entries are the following:
>> - for /etc/dirsrv/slapd-<MYREALM> : 20140528063919
>> - for /etc/dirsrv/slapd-PKI-IPA : 20140528063953
>> - for httpd ? : 20140528064145
>>
>> Best regards.
>>
>> Bahan
>>
>> On Wed, Sep 14, 2016 at 6:28 PM, bahan w <bahanw042014 at gmail.com> wrote:
>>
>>> Ok :D
>>>
>>> Because to perform the getcert list command, I need to have all the ipa
>>> services running, right?
>>>
>>> Here is the result of the command with the ipa services down.
>>> ###
>>> # getcert list
>>> Number of certificates and requests being tracked: 8.
>>> Request ID '20140528063903':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/var/lib/
>>> pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
>>> Certificate DB',pin='159203530658'
>>> certificate: type=NSSDB,location='/var/lib/
>>> pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
>>> Certificate DB'
>>> CA: dogtag-ipa-renew-agent
>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>> subject: CN=CA Audit,O=<MYREALM>
>>> expires: 2018-04-09 11:39:16 UTC
>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>> "auditSigningCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20140528063904':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/var/lib/
>>> pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
>>> Certificate DB',pin='159203530658'
>>> certificate: type=NSSDB,location='/var/lib/
>>> pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
>>> Certificate DB'
>>> CA: dogtag-ipa-renew-agent
>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>> subject: CN=OCSP Subsystem,O=<MYREALM>
>>> expires: 2018-04-09 11:38:16 UTC
>>> eku: id-kp-OCSPSigning
>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>> "ocspSigningCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20140528063905':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/var/lib/
>>> pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS
>>> Certificate DB',pin='159203530658'
>>> certificate: type=NSSDB,location='/var/lib/
>>> pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS
>>> Certificate DB'
>>> CA: dogtag-ipa-renew-agent
>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>> subject: CN=CA Subsystem,O=<MYREALM>
>>> expires: 2018-04-09 11:38:16 UTC
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>> "subsystemCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20140528063906':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/http
>>> d/alias',nickname='ipaCert',token='NSS Certificate
>>> DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> certificate: type=NSSDB,location='/etc/http
>>> d/alias',nickname='ipaCert',token='NSS Certificate DB'
>>> CA: dogtag-ipa-renew-agent
>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>> subject: CN=IPA RA,O=<MYREALM>
>>> expires: 2018-04-09 11:38:16 UTC
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command:
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20140528063907':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/var/lib/
>>> pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate
>>> DB',pin='159203530658'
>>> certificate: type=NSSDB,location='/var/lib/
>>> pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate
>>> DB'
>>> CA: dogtag-ipa-renew-agent
>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>> expires: 2018-04-09 11:38:16 UTC
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command:
>>> post-save command:
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20140528063919':
>>> status: MONITORING
>>> ca-error: Error setting up ccache for local "host" service using
>>> default keytab: Cannot contact any KDC for realm '<MYREALM>'.
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/dirs
>>> rv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate
>>> DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'
>>> certificate: type=NSSDB,location='/etc/dirs
>>> rv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate DB'
>>> CA: IPA
>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>> expires: 2016-05-28 06:39:18 UTC
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command:
>>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
>>> <MYREALM>
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20140528063953':
>>> status: MONITORING
>>> ca-error: Error setting up ccache for local "host" service using
>>> default keytab: Cannot contact any KDC for realm '<MYREALM>'.
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/dirs
>>> rv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate
>>> DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>> certificate: type=NSSDB,location='/etc/dirs
>>> rv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>> CA: IPA
>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>> expires: 2016-05-28 06:39:52 UTC
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command:
>>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
>>> PKI-IPA
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20140528064145':
>>> status: MONITORING
>>> ca-error: Error setting up ccache for local "host" service using
>>> default keytab: Cannot contact any KDC for realm '<MYREALM>'.
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/http
>>> d/alias',nickname='Server-Cert',token='NSS Certificate
>>> DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> certificate: type=NSSDB,location='/etc/http
>>> d/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>> CA: IPA
>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>> expires: 2016-05-28 06:41:44 UTC
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command:
>>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>> track: yes
>>> auto-renew: yes
>>> ###
>>>
>>> Best regards.
>>>
>>> Bahan
>>>
>>> On Wed, Sep 14, 2016 at 6:21 PM, Martin Basti <mbasti at redhat.com> wrote:
>>>
>>>>
>>>> Then you have to start services manually, I don't know if the same
>>>> steps will work with IPA 3.0.0, I don't remember, but you can try :)
>>>>
>>>> On 14.09.2016 18:18, bahan w wrote:
>>>>
>>>> Oh I forgot to add that my version of ipa is quite old :
>>>> ###
>>>> # rpm -qa | grep ipa-server
>>>> ipa-server-3.0.0-25.el6.x86_64
>>>> ###
>>>>
>>>> When I try the command you gave me I got the following error :
>>>> ###
>>>> # ipactl start --force
>>>> Usage: ipactl start|stop|restart|status
>>>>
>>>>
>>>> ipactl: error: no such option: --force
>>>> ###
>>>>
>>>> Best regards.
>>>>
>>>> Bahan
>>>>
>>>>
>>>> On Wed, Sep 14, 2016 at 6:14 PM, Martin Basti <mbasti at redhat.com>
>>>> wrote:
>>>>
>>>>>
>>>>>
>>>>> On 14.09.2016 17:59, bahan w wrote:
>>>>>
>>>>> Hello !
>>>>>
>>>>> I send you this mail because I cannot restart my test IPA server.
>>>>>
>>>>> When I try to start it with service ipa start, I got the following
>>>>> error message :
>>>>> ###
>>>>> # service ipa start
>>>>> Starting Directory Service
>>>>> Starting dirsrv:
>>>>> <MYREALM>...[14/Sep/2016:17:57:23 +0200] - SSL alert:
>>>>> CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
>>>>> of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
>>>>> -8181 - Peer's Certificate has expired.)
>>>>> [ OK ]
>>>>> PKI-IPA...[14/Sep/2016:17:57:33 +0200] - SSL alert:
>>>>> CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
>>>>> of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
>>>>> -8181 - Peer's Certificate has expired.)
>>>>> [ OK ]
>>>>> Starting KDC Service
>>>>> Starting Kerberos 5 KDC: [ OK ]
>>>>> Starting KPASSWD Service
>>>>> Starting Kerberos 5 Admin Server: [ OK ]
>>>>> Starting MEMCACHE Service
>>>>> Starting ipa_memcached: [ OK ]
>>>>> Starting HTTP Service
>>>>> Starting httpd: [FAILED]
>>>>> Failed to start HTTP Service
>>>>> Shutting down
>>>>> Stopping Kerberos 5 KDC: [ OK ]
>>>>> Stopping Kerberos 5 Admin Server: [ OK ]
>>>>> Stopping ipa_memcached: [ OK ]
>>>>> Stopping httpd: [FAILED]
>>>>> Stopping pki-ca: [ OK ]
>>>>> Shutting down dirsrv:
>>>>> <MYREALM>... [ OK ]
>>>>> PKI-IPA... [ OK ]
>>>>> Aborting ipactl
>>>>>
>>>>> # service ipa status
>>>>> Directory Service: STOPPED
>>>>> Failed to get list of services to probe status:
>>>>> Directory Server is stopped
>>>>> ###
>>>>>
>>>>> Do you know how to renew the SSL certificate used for the IPA Server ?
>>>>>
>>>>> Best regards.
>>>>>
>>>>> Bahan
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Hello,
>>>>>
>>>>> please run
>>>>>
>>>>> # ipactl start --force
>>>>> # getcert list (to detect which certificate is outdated, I suspect DS
>>>>> cert (or to get more info why it has not been renewed))
>>>>>
>>>>> If getcert does work (I'm not sure if it is able to work without
>>>>> httpd), you probably need to move time back to the past where the cert is valid,
>>>>> start IPA and try again.
>>>>>
>>>>> Please find the ID of the outdated certificate and try to resubmit it (CA and DS
>>>>> must be running)
>>>>>
>>>>> # getcert resubmit -i 20160914122036 (use your ID :) )
>>>>>
>>>>> This should renew the cert; check the status with getcert list
>>>>>
>>>>> Move time back to future (if needed)
>>>>>
>>>>> Try to restart IPA
>>>>>
>>>>> Martin^2
>>>>>
>>>>
>>>>
>>>>
>>>
>>
>
>
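The thread turns on reading `getcert list` output by hand to find which tracked request is stuck or already past its `expires:` date. The following is an added example, not code from the thread or from FreeIPA/certmonger: it parses output in the format quoted above and reports requests that are stuck, not in MONITORING, expired, or within a warning window, so the condition can be caught before the services refuse to start. The sample output is constructed; paths and nicknames follow the thread, the request IDs are reused from it, and no realm or hostname is assumed.

```python
# Added example (not from the thread): parse `getcert list` output and flag
# tracked requests that are stuck, not MONITORING, expired, or expiring soon.
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the format the thread quotes (two of the eight requests).
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20140528063907':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        expires: 2018-04-09 11:38:16 UTC
        post-save command:
Request ID '20140528064145':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        expires: 2016-05-28 06:41:44 UTC
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
"""

def parse_getcert(text):
    """Split `getcert list` output into one dict of 'key: value' fields per request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")  # first colon only; ca-error text has more
            current[key.strip()] = value.strip()
    return requests

def parse_expiry(value):
    """Parse certmonger's timestamp format, e.g. '2016-05-28 06:41:44 UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)

def audit(requests, now, warn_days=30):
    """Return (request id, reason) pairs; `now` uses the same format as 'expires:'."""
    now, findings = parse_expiry(now), []
    for r in requests:
        if r.get("stuck") == "yes" or r.get("status") != "MONITORING":
            findings.append((r["id"], f"{r.get('status')}: {r.get('ca-error', 'no ca-error')}"))
        exp = parse_expiry(r["expires"])
        if exp <= now:
            findings.append((r["id"], f"expired {exp:%Y-%m-%d}; {r.get('certificate')}"))
        elif exp - now <= timedelta(days=warn_days):
            findings.append((r["id"], f"expires within {warn_days} days ({exp:%Y-%m-%d})"))
    return findings
```

Run against the sample with `audit(parse_getcert(SAMPLE), "2016-09-14 17:02:22 UTC")`, the httpd Server-Cert request is reported twice, once as CA_UNREACHABLE and once as expired, while the same call with a date in early May 2016 reports it as expiring within the warning window instead.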