[Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family
bahan w
bahanw042014 at gmail.com
Wed Sep 14 17:42:12 UTC 2016
Here is what I found:
In the catalina.out:
###
May 27, 2016 10:51:35 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet caDisplayBySerial-agent threw exception
java.io.IOException: CS server is not ready to serve.
at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:441)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.netscape.cms.servlet.filter.AgentRequestFilter.doFilter(AgentRequestFilter.java:124)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769)
at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698)
at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
at java.lang.Thread.run(Thread.java:722)
###
In the selftests.log in /var/log/pki-ca:
###
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem: Initializing self test plugins:
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem: loading all self test plugin instances
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
24196.main - [27/May/2016:10:50:28 CEST] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
24196.main - [27/May/2016:10:50:28 CEST] [20] [1] CAPresence: CA is present
24196.main - [27/May/2016:10:50:28 CEST] [20] [1] SystemCertsVerification: system certs verification failure
24196.main - [27/May/2016:10:50:28 CEST] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
###
But nothing else.
Best regards.
Bahan
On Wed, Sep 14, 2016 at 7:27 PM, bahan w <bahanw042014 at gmail.com> wrote:
> I also tried the following commands:
> ###
> # ipa cert-show 1
> ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
>
> # service ipa status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
> ###
>
> I'm checking the /var/log/pki-ca logs to see if I find something.
>
> Best regards.
>
> Bahan
>
> On Wed, Sep 14, 2016 at 7:02 PM, bahan w <bahanw042014 at gmail.com> wrote:
>
>> Sorry Martin,
>>
>> This is not the first time I have forgotten to add freeipa-users back.
>> I have problems with gmail; again, sorry.
>>
>> Indeed I figured out that I had to restart the ipa server.
>> So I tried to restart ipa server.
>> But it was not working yet.
>>
>> So I thought it was maybe due to the configuration I performed in
>> nss.conf.
>> So I rolled back this conf and restarted ipa-server.
>> Then I retried your commands, but it is still the same error.
>>
>> ###
>> Request ID '20140528064145':
>> status: CA_UNREACHABLE
>> ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>> stuck: yes
>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>> expires: 2016-05-28 06:41:44 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>> track: yes
>> auto-renew: yes
>> ###
>>
>> Do you know what the CMS is?
>> ###
>> (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>> ###
>>
>> Best regards.
>>
>> Bahan
>>
>>
>>
>>
>>
>> On Wed, Sep 14, 2016 at 6:46 PM, Martin Basti <mbasti at redhat.com> wrote:
>>
>>> Did you restart IPA when you moved the time? Is there a more detailed
>>> error description in the output of getcert list?
>>>
>>> On 14.09.2016 18:45, bahan w wrote:
>>>
>>> I set the date/time to when the certificates were valid:
>>> ###
>>> # date -s '2016-05-27 10:00:00'
>>> Fri May 27 10:00:00 CEST 2016
>>>
>>> # date
>>> Fri May 27 10:00:02 CEST 2016
>>> ###
>>>
>>> Then I tried to renew them:
>>> ###
>>> # getcert resubmit -i 20140528063919
>>> Resubmitting "20140528063919" to "IPA".
>>>
>>> # getcert resubmit -i 20140528064145
>>> Resubmitting "20140528064145" to "IPA".
>>>
>>> # getcert resubmit -i 20140528063953
>>> Resubmitting "20140528063953" to "IPA".
>>> ###
>>>
>>> But when I run getcert list afterwards, the result is the same.
>>>
>>> I guess it is because of this?
>>> CA_UNREACHABLE
>>>
>>> Any idea?
>>>
>>> Best regards.
>>>
>>> Bahan
>>>
>>> On Wed, Sep 14, 2016 at 6:38 PM, bahan w <bahanw042014 at gmail.com> wrote:
>>>
>>>> Ok, I managed to restart the IPA service by adding this line to the
>>>> file /etc/httpd/conf.d/nss.conf:
>>>> ###
>>>> NSSEnforceValidCerts off
>>>> ###
>>>>
>>>> But when I run getcert now, I get the following result:
>>>>
>>>> ###
>>>> # getcert list
>>>> Number of certificates and requests being tracked: 8.
>>>> Request ID '20140528063903':
>>>> status: MONITORING
>>>> stuck: no
>>>> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>> CA: dogtag-ipa-renew-agent
>>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>>> subject: CN=CA Audit,O=<MYREALM>
>>>> expires: 2018-04-09 11:39:16 UTC
>>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>>> track: yes
>>>> auto-renew: yes
>>>> Request ID '20140528063904':
>>>> status: MONITORING
>>>> stuck: no
>>>> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>> CA: dogtag-ipa-renew-agent
>>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>>> subject: CN=OCSP Subsystem,O=<MYREALM>
>>>> expires: 2018-04-09 11:38:16 UTC
>>>> eku: id-kp-OCSPSigning
>>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>>> track: yes
>>>> auto-renew: yes
>>>> Request ID '20140528063905':
>>>> status: MONITORING
>>>> stuck: no
>>>> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>> CA: dogtag-ipa-renew-agent
>>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>>> subject: CN=CA Subsystem,O=<MYREALM>
>>>> expires: 2018-04-09 11:38:16 UTC
>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>>> track: yes
>>>> auto-renew: yes
>>>> Request ID '20140528063906':
>>>> status: MONITORING
>>>> stuck: no
>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>> CA: dogtag-ipa-renew-agent
>>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>>> subject: CN=IPA RA,O=<MYREALM>
>>>> expires: 2018-04-09 11:38:16 UTC
>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>> pre-save command:
>>>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>>> track: yes
>>>> auto-renew: yes
>>>> Request ID '20140528063907':
>>>> status: MONITORING
>>>> stuck: no
>>>> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>>> CA: dogtag-ipa-renew-agent
>>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>> expires: 2018-04-09 11:38:16 UTC
>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>> pre-save command:
>>>> post-save command:
>>>> track: yes
>>>> auto-renew: yes
>>>> Request ID '20140528063919':
>>>> status: CA_UNREACHABLE
>>>> ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>>>> stuck: yes
>>>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'
>>>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate DB'
>>>> CA: IPA
>>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>> expires: 2016-05-28 06:39:18 UTC
>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>> pre-save command:
>>>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv <MYREALM>
>>>> track: yes
>>>> auto-renew: yes
>>>> Request ID '20140528063953':
>>>> status: CA_UNREACHABLE
>>>> ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>>>> stuck: yes
>>>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>>> CA: IPA
>>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>> expires: 2016-05-28 06:39:52 UTC
>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>> pre-save command:
>>>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
>>>> track: yes
>>>> auto-renew: yes
>>>> Request ID '20140528064145':
>>>> status: CA_UNREACHABLE
>>>> ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>>>> stuck: yes
>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>> CA: IPA
>>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>> expires: 2016-05-28 06:41:44 UTC
>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>> pre-save command:
>>>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>> track: yes
>>>> auto-renew: yes
>>>> ###
>>>>
>>>> Indeed, the outdated entries are the following:
>>>> - for /etc/dirsrv/slapd-<MYREALM>: 20140528063919
>>>> - for /etc/dirsrv/slapd-PKI-IPA: 20140528063953
>>>> - for httpd?: 20140528064145
>>>>
>>>> Best regards.
>>>>
>>>> Bahan
>>>>
>>>> On Wed, Sep 14, 2016 at 6:28 PM, bahan w <bahanw042014 at gmail.com> wrote:
>>>>
>>>>> Ok :D
>>>>>
>>>>> Because to run the getcert list command, I need to have all the
>>>>> ipa services running, right?
>>>>>
>>>>> Here is the result of the command with the ipa services down.
>>>>> ###
>>>>> # getcert list
>>>>> Number of certificates and requests being tracked: 8.
>>>>> Request ID '20140528063903':
>>>>> status: MONITORING
>>>>> stuck: no
>>>>> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>>>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>> CA: dogtag-ipa-renew-agent
>>>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>>>> subject: CN=CA Audit,O=<MYREALM>
>>>>> expires: 2018-04-09 11:39:16 UTC
>>>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>>>> track: yes
>>>>> auto-renew: yes
>>>>> Request ID '20140528063904':
>>>>> status: MONITORING
>>>>> stuck: no
>>>>> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>>>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>> CA: dogtag-ipa-renew-agent
>>>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>>>> subject: CN=OCSP Subsystem,O=<MYREALM>
>>>>> expires: 2018-04-09 11:38:16 UTC
>>>>> eku: id-kp-OCSPSigning
>>>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>>>> track: yes
>>>>> auto-renew: yes
>>>>> Request ID '20140528063905':
>>>>> status: MONITORING
>>>>> stuck: no
>>>>> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>>>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>>> CA: dogtag-ipa-renew-agent
>>>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>>>> subject: CN=CA Subsystem,O=<MYREALM>
>>>>> expires: 2018-04-09 11:38:16 UTC
>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>>>> track: yes
>>>>> auto-renew: yes
>>>>> Request ID '20140528063906':
>>>>> status: MONITORING
>>>>> stuck: no
>>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>>> CA: dogtag-ipa-renew-agent
>>>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>>>> subject: CN=IPA RA,O=<MYREALM>
>>>>> expires: 2018-04-09 11:38:16 UTC
>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>> pre-save command:
>>>>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>>>> track: yes
>>>>> auto-renew: yes
>>>>> Request ID '20140528063907':
>>>>> status: MONITORING
>>>>> stuck: no
>>>>> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>>>> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>>>> CA: dogtag-ipa-renew-agent
>>>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>>>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>>> expires: 2018-04-09 11:38:16 UTC
>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>> pre-save command:
>>>>> post-save command:
>>>>> track: yes
>>>>> auto-renew: yes
>>>>> Request ID '20140528063919':
>>>>> status: MONITORING
>>>>> ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm '<MYREALM>'.
>>>>> stuck: no
>>>>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'
>>>>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate DB'
>>>>> CA: IPA
>>>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>>>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>>> expires: 2016-05-28 06:39:18 UTC
>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>> pre-save command:
>>>>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv <MYREALM>
>>>>> track: yes
>>>>> auto-renew: yes
>>>>> Request ID '20140528063953':
>>>>> status: MONITORING
>>>>> ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm '<MYREALM>'.
>>>>> stuck: no
>>>>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>>>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>>>> CA: IPA
>>>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>>>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>>> expires: 2016-05-28 06:39:52 UTC
>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>> pre-save command:
>>>>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
>>>>> track: yes
>>>>> auto-renew: yes
>>>>> Request ID '20140528064145':
>>>>> status: MONITORING
>>>>> ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm '<MYREALM>'.
>>>>> stuck: no
>>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>>> CA: IPA
>>>>> issuer: CN=Certificate Authority,O=<MYREALM>
>>>>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>>> expires: 2016-05-28 06:41:44 UTC
>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>> pre-save command:
>>>>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>>> track: yes
>>>>> auto-renew: yes
>>>>> ###
>>>>>
>>>>> Best regards.
>>>>>
>>>>> Bahan
>>>>>
>>>>> On Wed, Sep 14, 2016 at 6:21 PM, Martin Basti <mbasti at redhat.com> wrote:
>>>>>
>>>>>>
>>>>>> Then you have to start the services manually. I don't know if the same
>>>>>> steps will work with IPA 3.0.0, I don't remember, but you can try :)
>>>>>>
>>>>>> On 14.09.2016 18:18, bahan w wrote:
>>>>>>
>>>>>> Oh, I forgot to add that my version of ipa is quite old:
>>>>>> ###
>>>>>> # rpm -qa | grep ipa-server
>>>>>> ipa-server-3.0.0-25.el6.x86_64
>>>>>> ###
>>>>>>
>>>>>> When I try the command you gave me, I get the following error:
>>>>>> ###
>>>>>> # ipactl start --force
>>>>>> Usage: ipactl start|stop|restart|status
>>>>>>
>>>>>>
>>>>>> ipactl: error: no such option: --force
>>>>>> ###
>>>>>>
>>>>>> Best regards.
>>>>>>
>>>>>> Bahan
>>>>>>
>>>>>>
>>>>>> On Wed, Sep 14, 2016 at 6:14 PM, Martin Basti <mbasti at redhat.com> wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 14.09.2016 17:59, bahan w wrote:
>>>>>>>
>>>>>>> Hello !
>>>>>>>
>>>>>>> I am sending you this mail because I cannot restart my test IPA server.
>>>>>>>
>>>>>>> When I try to start it with service ipa start, I get the following
>>>>>>> error message:
>>>>>>> ###
>>>>>>> # service ipa start
>>>>>>> Starting Directory Service
>>>>>>> Starting dirsrv:
>>>>>>> <MYREALM>...[14/Sep/2016:17:57:23 +0200] - SSL alert:
>>>>>>> CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
>>>>>>> of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
>>>>>>> -8181 - Peer's Certificate has expired.)
>>>>>>> [ OK ]
>>>>>>> PKI-IPA...[14/Sep/2016:17:57:33 +0200] - SSL alert:
>>>>>>> CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
>>>>>>> of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
>>>>>>> -8181 - Peer's Certificate has expired.)
>>>>>>> [ OK ]
>>>>>>> Starting KDC Service
>>>>>>> Starting Kerberos 5 KDC: [ OK ]
>>>>>>> Starting KPASSWD Service
>>>>>>> Starting Kerberos 5 Admin Server: [ OK ]
>>>>>>> Starting MEMCACHE Service
>>>>>>> Starting ipa_memcached: [ OK ]
>>>>>>> Starting HTTP Service
>>>>>>> Starting httpd: [FAILED]
>>>>>>> Failed to start HTTP Service
>>>>>>> Shutting down
>>>>>>> Stopping Kerberos 5 KDC: [ OK ]
>>>>>>> Stopping Kerberos 5 Admin Server: [ OK ]
>>>>>>> Stopping ipa_memcached: [ OK ]
>>>>>>> Stopping httpd: [FAILED]
>>>>>>> Stopping pki-ca: [ OK ]
>>>>>>> Shutting down dirsrv:
>>>>>>> <MYREALM>... [ OK ]
>>>>>>> PKI-IPA... [ OK ]
>>>>>>> Aborting ipactl
>>>>>>>
>>>>>>> # service ipa status
>>>>>>> Directory Service: STOPPED
>>>>>>> Failed to get list of services to probe status:
>>>>>>> Directory Server is stopped
>>>>>>> ###
>>>>>>>
>>>>>>> Do you know how to renew the SSL certificate used for the IPA Server?
>>>>>>>
>>>>>>> Best regards.
>>>>>>>
>>>>>>> Bahan
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> please run
>>>>>>>
>>>>>>> # ipactl start --force
>>>>>>> # getcert list (to detect which certificate is outdated, I suspect
>>>>>>> DS cert (or to get more info why it has not been renewed))
>>>>>>>
>>>>>>> If getcert does work (I'm not sure if it is able to work without
>>>>>>> httpd), you probably need to move the time back to the past where the
>>>>>>> cert is valid, start IPA and try again.
>>>>>>>
>>>>>>> Please find the ID of the outdated certificate and try to resubmit it
>>>>>>> (CA and DS must be running)
>>>>>>>
>>>>>>> # getcert resubmit -i 20160914122036 (use your ID :) )
>>>>>>>
>>>>>>> This should renew the cert; check the status with getcert list
>>>>>>>
>>>>>>> Move the time back to the future (if needed)
>>>>>>>
>>>>>>> Try to restart IPA
>>>>>>>
>>>>>>> Martin^2
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>>
>>
>
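The diagnosis in this thread hinges on reading `getcert list` for tracked requests that are expired, stuck, or no longer in the MONITORING state. As an added example (not code from the thread, from FreeIPA or from certmonger), this Python script parses output in that format and flags such requests; the sample output, realm, host name and the 30-day warning window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the `getcert list` format, mirroring two of the records
# quoted in the thread (realm, host name and pin are placeholders).
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20140528063903':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=CA Audit,O=EXAMPLE.TEST
\texpires: 2018-04-09 11:39:16 UTC
\tpost-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
Request ID '20140528064145':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2016-05-28 06:41:44 UTC
\tpost-save command: /usr/lib64/ipa/certmonger/restart_httpd
"""

def parse_utc(value):
    """Parse a getcert timestamp such as '2016-05-28 06:41:44 UTC' (getcert prints UTC)."""
    stamp = value[:-4] if value.endswith(" UTC") else value
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_getcert_list(text):
    """Split `getcert list` output into one {field: value} dict per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        match = re.match(r"Request ID '([^']+)':", line)
        if match:
            current = {"id": match.group(1)}
            requests.append(current)
        elif current is not None and line.strip():
            key, _, value = line.strip().partition(":")  # split on the first colon only
            current[key.strip()] = value.strip()
    return requests

def assess(requests, now, warn_days=30):
    """Flag requests that are expired, expiring within warn_days, stuck, not in the
    MONITORING state, or still carrying a ca-error from the last renewal attempt."""
    findings = []
    for req in requests:
        problems = []
        expires = req.get("expires")
        if expires:
            remaining = parse_utc(expires) - now
            if remaining <= timedelta(0):
                problems.append("expired")
            elif remaining <= timedelta(days=warn_days):
                problems.append("expiring")
        if req.get("stuck") == "yes":
            problems.append("stuck")
        if req.get("status") != "MONITORING":
            problems.append("status=" + req.get("status", "?"))
        if req.get("ca-error"):
            problems.append("ca-error")
        cert = req.get("certificate", "")  # which NSS database and nickname to look at
        nick = re.search(r"nickname='([^']*)'", cert)
        loc = re.search(r"location='([^']*)'", cert)
        findings.append({"id": req["id"], "nickname": nick.group(1) if nick else "?",
                         "location": loc.group(1) if loc else "?",
                         "expires": expires, "problems": problems})
    return findings

if __name__ == "__main__":
    for f in assess(parse_getcert_list(SAMPLE), datetime.now(timezone.utc)):
        print(f"{f['id']} {f['nickname']!r} in {f['location']}: {', '.join(f['problems']) or 'ok'}")
```

On a real server, replace SAMPLE with the stdout of `getcert list` (for example via `subprocess.run(["getcert", "list"], capture_output=True, text=True)`); an entry that is stuck or carries a ca-error while still unexpired is the point at which renewal needs attention, before the expiry takes dirsrv and httpd down as in this thread.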