[Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

bahan w bahanw042014 at gmail.com
Wed Sep 14 17:27:52 UTC 2016


I also tried the following commands:
###
# ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)

# service ipa status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
###

I'm checking the /var/log/pki-ca logs to see if I find something.

Best regards.

Bahan

On Wed, Sep 14, 2016 at 7:02 PM, bahan w <bahanw042014 at gmail.com> wrote:

> Sorry Martin,
>
> This is not the first time I forgot to add back freeipa users.
> I have problems with gmail, again sorry.
>
> Indeed I figured out that I had to restart the ipa server.
> So I tried to restart ipa server.
> But it was not working yet.
>
> So I thought it was maybe due to the configuration I performed in the
> nss.conf.
> So I rolled back this conf and restarted ipa-server.
> Then I retried your commands but it is still the same error.
>
> ###
> Request ID '20140528064145':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: 4301 (RPC failed at
> server.  Certificate operation cannot be completed: Unable to communicate
> with CMS (Not Found)).
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/
> httpd/alias',nickname='Server-Cert',token='NSS Certificate
> DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/
> httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=<MYREALM>
>         subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>         expires: 2016-05-28 06:41:44 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>         track: yes
>         auto-renew: yes
> ###
>
> Do you know what the CMS is?
> ###
> (RPC failed at server.  Certificate operation cannot be completed: Unable
> to communicate with CMS (Not Found)).
> ###
>
> Best regards.
>
> Bahan
>
>
>
>
>
> On Wed, Sep 14, 2016 at 6:46 PM, Martin Basti <mbasti at redhat.com> wrote:
>
>> Did you restart IPA when you moved the time? Is there a more detailed error
>> description in the output of getcert list?
>>
>> On 14.09.2016 18:45, bahan w wrote:
>>
>> I set the date-time when the certificates were valid :
>> ###
>> # date -s '2016-05-27 10:00:00'
>> Fri May 27 10:00:00 CEST 2016
>>
>> # date
>> Fri May 27 10:00:02 CEST 2016
>> ###
>>
>> Then I try to renew them :
>> ###
>> # getcert resubmit -i 20140528063919
>> Resubmitting "20140528063919" to "IPA".
>>
>> # getcert resubmit -i 20140528064145
>> Resubmitting "20140528064145" to "IPA".
>>
>> # getcert resubmit -i 20140528063953
>> Resubmitting "20140528063953" to "IPA".
>> ###
>>
>> But when I do the getcert list after, the result is the same.
>>
>> I guess it is because of this ?
>> CA_UNREACHABLE
>>
>> Any idea ?
>>
>> Best regards.
>>
>> Bahan
>>
>> On Wed, Sep 14, 2016 at 6:38 PM, bahan w <bahanw042014 at gmail.com> wrote:
>>
>>> Ok, I managed to restart the IPA service by adding this line in the file
>>> /etc/httpd/conf.d/nss.conf :
>>> ###
>>> NSSEnforceValidCerts off
>>> ###
>>>
>>> But when I do the getcert now I got the following result :
>>>
>>> ###
>>> # getcert list
>>> Number of certificates and requests being tracked: 8.
>>> Request ID '20140528063903':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/var/lib/
>>> pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
>>> Certificate DB',pin='159203530658'
>>>         certificate: type=NSSDB,location='/var/lib/
>>> pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
>>> Certificate DB'
>>>         CA: dogtag-ipa-renew-agent
>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>         subject: CN=CA Audit,O=<MYREALM>
>>>         expires: 2018-04-09 11:39:16 UTC
>>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>> "auditSigningCert cert-pki-ca"
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20140528063904':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/var/lib/
>>> pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
>>> Certificate DB',pin='159203530658'
>>>         certificate: type=NSSDB,location='/var/lib/
>>> pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
>>> Certificate DB'
>>>         CA: dogtag-ipa-renew-agent
>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>         subject: CN=OCSP Subsystem,O=<MYREALM>
>>>         expires: 2018-04-09 11:38:16 UTC
>>>         eku: id-kp-OCSPSigning
>>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>> "ocspSigningCert cert-pki-ca"
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20140528063905':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/var/lib/
>>> pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS
>>> Certificate DB',pin='159203530658'
>>>         certificate: type=NSSDB,location='/var/lib/
>>> pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS
>>> Certificate DB'
>>>         CA: dogtag-ipa-renew-agent
>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>         subject: CN=CA Subsystem,O=<MYREALM>
>>>         expires: 2018-04-09 11:38:16 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>> "subsystemCert cert-pki-ca"
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20140528063906':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/etc/http
>>> d/alias',nickname='ipaCert',token='NSS Certificate
>>> DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/http
>>> d/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-renew-agent
>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>         subject: CN=IPA RA,O=<MYREALM>
>>>         expires: 2018-04-09 11:38:16 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20140528063907':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/var/lib/
>>> pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate
>>> DB',pin='159203530658'
>>>         certificate: type=NSSDB,location='/var/lib/
>>> pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate
>>> DB'
>>>         CA: dogtag-ipa-renew-agent
>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>         subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>         expires: 2018-04-09 11:38:16 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20140528063919':
>>>         status: CA_UNREACHABLE
>>>         ca-error: Server failed request, will retry: -504 (libcurl
>>> failed to execute the HTTP POST transaction.  Peer certificate cannot be
>>> authenticated with known CA certificates).
>>>         stuck: yes
>>>         key pair storage: type=NSSDB,location='/etc/dirs
>>> rv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate
>>> DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/dirs
>>> rv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate DB'
>>>         CA: IPA
>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>         subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>         expires: 2016-05-28 06:39:18 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
>>> <MYREALM>
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20140528063953':
>>>         status: CA_UNREACHABLE
>>>         ca-error: Server failed request, will retry: -504 (libcurl
>>> failed to execute the HTTP POST transaction.  Peer certificate cannot be
>>> authenticated with known CA certificates).
>>>         stuck: yes
>>>         key pair storage: type=NSSDB,location='/etc/dirs
>>> rv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate
>>> DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/dirs
>>> rv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>>         CA: IPA
>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>         subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>         expires: 2016-05-28 06:39:52 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
>>> PKI-IPA
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20140528064145':
>>>         status: CA_UNREACHABLE
>>>         ca-error: Server failed request, will retry: -504 (libcurl
>>> failed to execute the HTTP POST transaction.  Peer certificate cannot be
>>> authenticated with known CA certificates).
>>>         stuck: yes
>>>         key pair storage: type=NSSDB,location='/etc/http
>>> d/alias',nickname='Server-Cert',token='NSS Certificate
>>> DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/http
>>> d/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>         CA: IPA
>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>         subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>         expires: 2016-05-28 06:41:44 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>         track: yes
>>>         auto-renew: yes
>>> ###
>>>
>>> Indeed, the outdated entries are the following:
>>> - for /etc/dirsrv/slapd-<MYREALM> : 20140528063919
>>> - for /etc/dirsrv/slapd-PKI-IPA : 20140528063953
>>> - for httpd ? : 20140528064145
>>>
>>> Best regards.
>>>
>>> Bahan
>>>
>>> On Wed, Sep 14, 2016 at 6:28 PM, bahan w <bahanw042014 at gmail.com> wrote:
>>>
>>>> Ok :D
>>>>
>>>> Because to perform the getcert list command, I need to have all the ipa
>>>> services running right ?
>>>>
>>>> Here is the result of the command with the ipa services down.
>>>> ###
>>>> #  getcert list
>>>> Number of certificates and requests being tracked: 8.
>>>> Request ID '20140528063903':
>>>>         status: MONITORING
>>>>         stuck: no
>>>>         key pair storage: type=NSSDB,location='/var/lib/
>>>> pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
>>>> Certificate DB',pin='159203530658'
>>>>         certificate: type=NSSDB,location='/var/lib/
>>>> pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
>>>> Certificate DB'
>>>>         CA: dogtag-ipa-renew-agent
>>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>>         subject: CN=CA Audit,O=<MYREALM>
>>>>         expires: 2018-04-09 11:39:16 UTC
>>>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>>> "auditSigningCert cert-pki-ca"
>>>>         track: yes
>>>>         auto-renew: yes
>>>> Request ID '20140528063904':
>>>>         status: MONITORING
>>>>         stuck: no
>>>>         key pair storage: type=NSSDB,location='/var/lib/
>>>> pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
>>>> Certificate DB',pin='159203530658'
>>>>         certificate: type=NSSDB,location='/var/lib/
>>>> pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
>>>> Certificate DB'
>>>>         CA: dogtag-ipa-renew-agent
>>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>>         subject: CN=OCSP Subsystem,O=<MYREALM>
>>>>         expires: 2018-04-09 11:38:16 UTC
>>>>         eku: id-kp-OCSPSigning
>>>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>>> "ocspSigningCert cert-pki-ca"
>>>>         track: yes
>>>>         auto-renew: yes
>>>> Request ID '20140528063905':
>>>>         status: MONITORING
>>>>         stuck: no
>>>>         key pair storage: type=NSSDB,location='/var/lib/
>>>> pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS
>>>> Certificate DB',pin='159203530658'
>>>>         certificate: type=NSSDB,location='/var/lib/
>>>> pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS
>>>> Certificate DB'
>>>>         CA: dogtag-ipa-renew-agent
>>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>>         subject: CN=CA Subsystem,O=<MYREALM>
>>>>         expires: 2018-04-09 11:38:16 UTC
>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>>> "subsystemCert cert-pki-ca"
>>>>         track: yes
>>>>         auto-renew: yes
>>>> Request ID '20140528063906':
>>>>         status: MONITORING
>>>>         stuck: no
>>>>         key pair storage: type=NSSDB,location='/etc/http
>>>> d/alias',nickname='ipaCert',token='NSS Certificate
>>>> DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>         certificate: type=NSSDB,location='/etc/http
>>>> d/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>>         CA: dogtag-ipa-renew-agent
>>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>>         subject: CN=IPA RA,O=<MYREALM>
>>>>         expires: 2018-04-09 11:38:16 UTC
>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>         pre-save command:
>>>>         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>>>         track: yes
>>>>         auto-renew: yes
>>>> Request ID '20140528063907':
>>>>         status: MONITORING
>>>>         stuck: no
>>>>         key pair storage: type=NSSDB,location='/var/lib/
>>>> pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS
>>>> Certificate DB',pin='159203530658'
>>>>         certificate: type=NSSDB,location='/var/lib/
>>>> pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS
>>>> Certificate DB'
>>>>         CA: dogtag-ipa-renew-agent
>>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>>         subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>>         expires: 2018-04-09 11:38:16 UTC
>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>         pre-save command:
>>>>         post-save command:
>>>>         track: yes
>>>>         auto-renew: yes
>>>> Request ID '20140528063919':
>>>>         status: MONITORING
>>>>         ca-error: Error setting up ccache for local "host" service
>>>> using default keytab: Cannot contact any KDC for realm '<MYREALM>'.
>>>>         stuck: no
>>>>         key pair storage: type=NSSDB,location='/etc/dirs
>>>> rv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate
>>>> DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'
>>>>         certificate: type=NSSDB,location='/etc/dirs
>>>> rv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate DB'
>>>>         CA: IPA
>>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>>         subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>>         expires: 2016-05-28 06:39:18 UTC
>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>         pre-save command:
>>>>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
>>>> <MYREALM>
>>>>         track: yes
>>>>         auto-renew: yes
>>>> Request ID '20140528063953':
>>>>         status: MONITORING
>>>>         ca-error: Error setting up ccache for local "host" service
>>>> using default keytab: Cannot contact any KDC for realm '<MYREALM>'.
>>>>         stuck: no
>>>>         key pair storage: type=NSSDB,location='/etc/dirs
>>>> rv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate
>>>> DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>>>         certificate: type=NSSDB,location='/etc/dirs
>>>> rv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>>>         CA: IPA
>>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>>         subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>>         expires: 2016-05-28 06:39:52 UTC
>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>         pre-save command:
>>>>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
>>>> PKI-IPA
>>>>         track: yes
>>>>         auto-renew: yes
>>>> Request ID '20140528064145':
>>>>         status: MONITORING
>>>>         ca-error: Error setting up ccache for local "host" service
>>>> using default keytab: Cannot contact any KDC for realm '<MYREALM>'.
>>>>         stuck: no
>>>>         key pair storage: type=NSSDB,location='/etc/http
>>>> d/alias',nickname='Server-Cert',token='NSS Certificate
>>>> DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>         certificate: type=NSSDB,location='/etc/http
>>>> d/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>>         CA: IPA
>>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>>         subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>>         expires: 2016-05-28 06:41:44 UTC
>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>         pre-save command:
>>>>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>>         track: yes
>>>>         auto-renew: yes
>>>> ###
>>>>
>>>> Best regards.
>>>>
>>>> Bahan
>>>>
>>>> On Wed, Sep 14, 2016 at 6:21 PM, Martin Basti <mbasti at redhat.com>
>>>> wrote:
>>>>
>>>>>
>>>>> Then you have to start services manually, I don't know if the same
>>>>> steps will work with IPA 3.0.0, I don't remember, but you can try :)
>>>>>
>>>>> On 14.09.2016 18:18, bahan w wrote:
>>>>>
>>>>> Oh I forgot to add that my version of ipa is quite old :
>>>>> ###
>>>>> # rpm -qa | grep ipa-server
>>>>> ipa-server-3.0.0-25.el6.x86_64
>>>>> ###
>>>>>
>>>>> When I try the command you gave me I got the following error :
>>>>> ###
>>>>> # ipactl start --force
>>>>> Usage: ipactl start|stop|restart|status
>>>>>
>>>>>
>>>>> ipactl: error: no such option: --force
>>>>> ###
>>>>>
>>>>> Best regards.
>>>>>
>>>>> Bahan
>>>>>
>>>>>
>>>>> On Wed, Sep 14, 2016 at 6:14 PM, Martin Basti <mbasti at redhat.com>
>>>>> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On 14.09.2016 17:59, bahan w wrote:
>>>>>>
>>>>>> Hello !
>>>>>>
>>>>>> I send you this mail because I cannot restart my test IPA server.
>>>>>>
>>>>>> When I try to start it with service ipa start, I got the following
>>>>>> error message :
>>>>>> ###
>>>>>> # service ipa start
>>>>>> Starting Directory Service
>>>>>> Starting dirsrv:
>>>>>>     <MYREALM>...[14/Sep/2016:17:57:23 +0200] - SSL alert:
>>>>>> CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
>>>>>> of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
>>>>>> -8181 - Peer's Certificate has expired.)
>>>>>>                                                            [  OK  ]
>>>>>>     PKI-IPA...[14/Sep/2016:17:57:33 +0200] - SSL alert:
>>>>>> CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
>>>>>> of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
>>>>>> -8181 - Peer's Certificate has expired.)
>>>>>>                                                            [  OK  ]
>>>>>> Starting KDC Service
>>>>>> Starting Kerberos 5 KDC:                                   [  OK  ]
>>>>>> Starting KPASSWD Service
>>>>>> Starting Kerberos 5 Admin Server:                          [  OK  ]
>>>>>> Starting MEMCACHE Service
>>>>>> Starting ipa_memcached:                                    [  OK  ]
>>>>>> Starting HTTP Service
>>>>>> Starting httpd:                                            [FAILED]
>>>>>> Failed to start HTTP Service
>>>>>> Shutting down
>>>>>> Stopping Kerberos 5 KDC:                                   [  OK  ]
>>>>>> Stopping Kerberos 5 Admin Server:                          [  OK  ]
>>>>>> Stopping ipa_memcached:                                    [  OK  ]
>>>>>> Stopping httpd:                                            [FAILED]
>>>>>> Stopping pki-ca:                                           [  OK  ]
>>>>>> Shutting down dirsrv:
>>>>>>     <MYREALM>...                                    [  OK  ]
>>>>>>     PKI-IPA...                                             [  OK  ]
>>>>>> Aborting ipactl
>>>>>>
>>>>>> # service ipa status
>>>>>> Directory Service: STOPPED
>>>>>> Failed to get list of services to probe status:
>>>>>> Directory Server is stopped
>>>>>> ###
>>>>>>
>>>>>> Do you know how to renew the SSL certificate used for the IPA Server ?
>>>>>>
>>>>>> Best regards.
>>>>>>
>>>>>> Bahan
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> please run
>>>>>>
>>>>>> # ipactl start --force
>>>>>> # getcert list (to detect which certificate is outdated, I suspect DS
>>>>>> cert (or to get more info why it has not been renewed))
>>>>>>
>>>>>> If getcert does work (I'm not sure if it is able to work without
>>>>>> httpd), you probably need to move time back to the past where the cert
>>>>>> is valid, start IPA and try again.
>>>>>>
>>>>>> Please find the ID of the outdated certificate and try to resubmit it
>>>>>> (CA and DS must be running)
>>>>>>
>>>>>> # getcert resubmit -i 20160914122036 (use your ID :) )
>>>>>>
>>>>>> This should renew cert, check status with getcert list
>>>>>>
>>>>>> Move time back to future (if needed)
>>>>>>
>>>>>> Try to restart IPA
>>>>>>
>>>>>> Martin^2
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>>
>
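
The triage step this thread works through by hand (reading `getcert list` to find which tracked certificates are expired or stuck before rolling the clock back and running `getcert resubmit`), as an added example that is not part of the original messages. The sample output is constructed from the fields shown above with placeholder host and realm names; `triage_getcert` and `rollback_deadline` are hypothetical helper names, and all timestamps are compared in UTC, as in the `expires:` field.

```shell
#!/bin/sh
# Added example: triage `getcert list` output for expired or stuck requests.
# Helper names are hypothetical; the sample is constructed (placeholder host
# and realm) from the fields shown in the thread.

sample_getcert_output() {
cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20140528063907':
        status: MONITORING
        stuck: no
        CA: dogtag-ipa-renew-agent
        subject: CN=ipa.example.test,O=EXAMPLE.TEST
        expires: 2018-04-09 11:38:16 UTC
Request ID '20140528063919':
        status: CA_UNREACHABLE
        stuck: yes
        CA: IPA
        subject: CN=ipa.example.test,O=EXAMPLE.TEST
        expires: 2016-05-28 06:39:18 UTC
Request ID '20140528064145':
        status: CA_UNREACHABLE
        stuck: yes
        CA: IPA
        subject: CN=ipa.example.test,O=EXAMPLE.TEST
        expires: 2016-05-28 06:41:44 UTC
EOF
}

# triage_getcert NOW   (NOW is "YYYY-MM-DD HH:MM:SS", UTC like "expires:")
# Reads `getcert list` output on stdin and prints one line for every request
# that is expired at NOW or whose status is not MONITORING:
#   <request id> <status> <EXPIRED|valid> <expiry date> <expiry time>
triage_getcert() {
    awk -v now="$1" -v q="'" '
        function emit() {
            if (id == "") return
            if (status == "") status = "UNKNOWN"
            # ISO-style timestamps sort correctly as plain strings.
            state = (expires != "" && expires <= now) ? "EXPIRED" : "valid"
            if (state == "EXPIRED" || status != "MONITORING")
                print id, status, state, expires
        }
        /^Request ID /    { emit(); split($0, p, q); id = p[2]; status = ""; expires = "" }
        /^[ \t]+status:/  { status = $2 }
        /^[ \t]+expires:/ { expires = $2 " " $3 }
        END               { emit() }
    '
}

# rollback_deadline NOW
# Prints the earliest expiry among the expired certificates. A rolled-back
# clock has to be set before this instant for every one of them to validate.
rollback_deadline() {
    triage_getcert "$1" | awk '$3 == "EXPIRED" { print $4 " " $5 }' | sort | head -n 1
}

# Demonstration on the constructed sample, using the date of the thread.
sample_getcert_output | triage_getcert "2016-09-14 17:27:52"
echo "set the clock before: $(sample_getcert_output | rollback_deadline "2016-09-14 17:27:52")"
```

On a live server, pipe `getcert list` into `triage_getcert` and pass `date -u '+%Y-%m-%d %H:%M:%S'` as the argument so the comparison stays in UTC.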