[Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family
Martin Basti
mbasti at redhat.com
Thu Sep 15 10:20:31 UTC 2016
I'm afraid that because you moved time back, the dogtag certificates are
before VALIDITY time now.
Can you find the CA debug log, /var/log/pki/pki-tomcat/ca/debug.log (not
sure about the path)? There should be the exact certificate and the reason why
cert validation failed.
On 14.09.2016 19:42, bahan w wrote:
> Here is what I found :
>
> In the catalina.out :
> ###
> May 27, 2016 10:51:35 AM org.apache.catalina.core.StandardWrapperValve
> invoke
> SEVERE: Servlet.service() for servlet caDisplayBySerial-agent threw
> exception
> java.io.IOException: CS server is not ready to serve.
> at
> com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:441)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at
> com.netscape.cms.servlet.filter.AgentRequestFilter.doFilter(AgentRequestFilter.java:124)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
> at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
> at
> org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
> at
> org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
> at
> org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769)
> at
> org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698)
> at
> org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891)
> at
> org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
> at java.lang.Thread.run(Thread.java:722)
> ###
>
> In the selftests.log in /var/log/pki-ca :
> ###
> 24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem:
> Initializing self test plugins:
> 24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem:
> loading all self test plugin logger parameters
> 24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem:
> loading all self test plugin instances
> 24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem:
> loading all self test plugin instance parameters
> 24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem:
> loading self test plugins in on-demand order
> 24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem:
> loading self test plugins in startup order
> 24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem:
> Self test plugins have been successfully loaded!
> 24196.main - [27/May/2016:10:50:28 CEST] [20] [1] SelfTestSubsystem:
> Running self test plugins specified to be executed at startup:
> 24196.main - [27/May/2016:10:50:28 CEST] [20] [1] CAPresence: CA is
> present
> 24196.main - [27/May/2016:10:50:28 CEST] [20] [1]
> SystemCertsVerification: system certs verification failure
> 24196.main - [27/May/2016:10:50:28 CEST] [20] [1] SelfTestSubsystem:
> The CRITICAL self test plugin called selftests.container.instance.SystemC
> ertsVerification running at startup FAILED!
> ###
>
> But nothing else.
>
> Best regards.
>
> Bahan
>
> On Wed, Sep 14, 2016 at 7:27 PM, bahan w <bahanw042014 at gmail.com
> <mailto:bahanw042014 at gmail.com>> wrote:
>
> I tried also the following commands :
> ###
> # ipa cert-show 1
> ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (Not Found)
>
> # service ipa status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
> ###
>
> I'm checking the /var/log/pki-ca logs to see if I find something.
>
> Best regards.
>
> Bahan
>
> On Wed, Sep 14, 2016 at 7:02 PM, bahan w <bahanw042014 at gmail.com
> <mailto:bahanw042014 at gmail.com>> wrote:
>
> Sorry Martin,
>
> This is not the first time I forgot to add back freeipa-users.
> I have problems with gmail, again sorry.
>
> Indeed I figured out that I had to restart the ipa server.
> So I tried to restart ipa server.
> But it was not working yet.
>
> So I thought it was maybe due to the configuration I performed
> in the nss.conf.
> So I rolled back this conf and restarted ipa-server.
> Then I retried your commands but it is still the same error.
>
> ###
> Request ID '20140528064145':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: 4301 (RPC
> failed at server. Certificate operation cannot be completed:
> Unable to communicate with CMS (Not Found)).
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=<MYREALM>
> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
> expires: 2016-05-28 06:41:44 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
> ###
>
> Do you know what the CMS is?
> ###
> (RPC failed at server. Certificate operation cannot be
> completed: Unable to communicate with CMS (Not Found)).
> ###
>
> Best regards.
>
> Bahan
>
>
>
>
>
> On Wed, Sep 14, 2016 at 6:46 PM, Martin Basti
> <mbasti at redhat.com <mailto:mbasti at redhat.com>> wrote:
>
> Did you restart IPA when you moved time? Is there a more
> detailed error description in the output of getcert list?
>
>
> On 14.09.2016 18:45, bahan w wrote:
>> I set the date-time when the certificates were valid :
>> ###
>> # date -s '2016-05-27 10:00:00'
>> Fri May 27 10:00:00 CEST 2016
>>
>> # date
>> Fri May 27 10:00:02 CEST 2016
>> ###
>>
>> Then I try to renew them :
>> ###
>> # getcert resubmit -i 20140528063919
>> Resubmitting "20140528063919" to "IPA".
>>
>> # getcert resubmit -i 20140528064145
>> Resubmitting "20140528064145" to "IPA".
>>
>> # getcert resubmit -i 20140528063953
>> Resubmitting "20140528063953" to "IPA".
>> ###
>>
>> But when I do the getcert list after, the result is the same.
>>
>> I guess it is because of this ?
>> CA_UNREACHABLE
>>
>> Any idea ?
>>
>> Best regards.
>>
>> Bahan
>>
>> On Wed, Sep 14, 2016 at 6:38 PM, bahan w
>> <bahanw042014 at gmail.com <mailto:bahanw042014 at gmail.com>>
>> wrote:
>>
>> Ok, I managed to restart the IPA service by adding
>> this line in the file /etc/httpd/conf.d/nss.conf :
>> ###
>> NSSEnforceValidCerts off
>> ###
>>
>> But when I do the getcert now I get the following
>> result :
>>
>> ###
>> # getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20140528063903':
>> status: MONITORING
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate
>> DB',pin='159203530658'
>> certificate:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=CA Audit,O=<MYREALM>
>> expires: 2018-04-09 11:39:16 UTC
>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> post-save command:
>> /usr/lib64/ipa/certmonger/renew_ca_cert
>> "auditSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20140528063904':
>> status: MONITORING
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate
>> DB',pin='159203530658'
>> certificate:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=OCSP Subsystem,O=<MYREALM>
>> expires: 2018-04-09 11:38:16 UTC
>> eku: id-kp-OCSPSigning
>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> post-save command:
>> /usr/lib64/ipa/certmonger/renew_ca_cert
>> "ocspSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20140528063905':
>> status: MONITORING
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>> cert-pki-ca',token='NSS Certificate
>> DB',pin='159203530658'
>> certificate:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=CA Subsystem,O=<MYREALM>
>> expires: 2018-04-09 11:38:16 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> post-save command:
>> /usr/lib64/ipa/certmonger/renew_ca_cert
>> "subsystemCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20140528063906':
>> status: MONITORING
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>> Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=IPA RA,O=<MYREALM>
>> expires: 2018-04-09 11:38:16 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command:
>> /usr/lib64/ipa/certmonger/renew_ra_cert
>> track: yes
>> auto-renew: yes
>> Request ID '20140528063907':
>> status: MONITORING
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>> cert-pki-ca',token='NSS Certificate
>> DB',pin='159203530658'
>> certificate:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>> expires: 2018-04-09 11:38:16 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>> Request ID '20140528063919':
>> status: CA_UNREACHABLE
>> ca-error: Server failed request, will retry:
>> -504 (libcurl failed to execute the HTTP POST
>> transaction. Peer certificate cannot be authenticated
>> with known CA certificates).
>> stuck: yes
>> key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS
>> Certificate
>> DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>> expires: 2016-05-28 06:39:18 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command:
>> /usr/lib64/ipa/certmonger/restart_dirsrv <MYREALM>
>> track: yes
>> auto-renew: yes
>> Request ID '20140528063953':
>> status: CA_UNREACHABLE
>> ca-error: Server failed request, will retry:
>> -504 (libcurl failed to execute the HTTP POST
>> transaction. Peer certificate cannot be authenticated
>> with known CA certificates).
>> stuck: yes
>> key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>> Certificate
>> DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>> expires: 2016-05-28 06:39:52 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command:
>> /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
>> track: yes
>> auto-renew: yes
>> Request ID '20140528064145':
>> status: CA_UNREACHABLE
>> ca-error: Server failed request, will retry:
>> -504 (libcurl failed to execute the HTTP POST
>> transaction. Peer certificate cannot be authenticated
>> with known CA certificates).
>> stuck: yes
>> key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>> expires: 2016-05-28 06:41:44 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command:
>> /usr/lib64/ipa/certmonger/restart_httpd
>> track: yes
>> auto-renew: yes
>> ###
>>
>> Indeed, the outdated entries are the following :
>> - for /etc/dirsrv/slapd-<MYREALM> : 20140528063919
>> - for /etc/dirsrv/slapd-PKI-IPA : 20140528063953
>> - for httpd ? : 20140528064145
>>
>> Best regards.
>>
>> Bahan
>>
>> On Wed, Sep 14, 2016 at 6:28 PM, bahan w
>> <bahanw042014 at gmail.com
>> <mailto:bahanw042014 at gmail.com>> wrote:
>>
>> Ok :D
>>
>> Because to perform the getcert list command, I
>> need to have all the ipa services running, right ?
>>
>> Here is the result of the command with the ipa
>> services down.
>> ###
>> # getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20140528063903':
>> status: MONITORING
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate
>> DB',pin='159203530658'
>> certificate:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=CA Audit,O=<MYREALM>
>> expires: 2018-04-09 11:39:16 UTC
>> pre-save command:
>> /usr/lib64/ipa/certmonger/stop_pkicad
>> post-save command:
>> /usr/lib64/ipa/certmonger/renew_ca_cert
>> "auditSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20140528063904':
>> status: MONITORING
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate
>> DB',pin='159203530658'
>> certificate:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=OCSP Subsystem,O=<MYREALM>
>> expires: 2018-04-09 11:38:16 UTC
>> eku: id-kp-OCSPSigning
>> pre-save command:
>> /usr/lib64/ipa/certmonger/stop_pkicad
>> post-save command:
>> /usr/lib64/ipa/certmonger/renew_ca_cert
>> "ocspSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20140528063905':
>> status: MONITORING
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>> cert-pki-ca',token='NSS Certificate
>> DB',pin='159203530658'
>> certificate:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=CA Subsystem,O=<MYREALM>
>> expires: 2018-04-09 11:38:16 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> /usr/lib64/ipa/certmonger/stop_pkicad
>> post-save command:
>> /usr/lib64/ipa/certmonger/renew_ca_cert
>> "subsystemCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20140528063906':
>> status: MONITORING
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>> Certificate
>> DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>> Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=IPA RA,O=<MYREALM>
>> expires: 2018-04-09 11:38:16 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command:
>> /usr/lib64/ipa/certmonger/renew_ra_cert
>> track: yes
>> auto-renew: yes
>> Request ID '20140528063907':
>> status: MONITORING
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>> cert-pki-ca',token='NSS Certificate
>> DB',pin='159203530658'
>> certificate:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>> expires: 2018-04-09 11:38:16 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>> Request ID '20140528063919':
>> status: MONITORING
>> ca-error: Error setting up ccache for local
>> "host" service using default keytab: Cannot
>> contact any KDC for realm '<MYREALM>'.
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS
>> Certificate
>> DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>> expires: 2016-05-28 06:39:18 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command:
>> /usr/lib64/ipa/certmonger/restart_dirsrv <MYREALM>
>> track: yes
>> auto-renew: yes
>> Request ID '20140528063953':
>> status: MONITORING
>> ca-error: Error setting up ccache for local
>> "host" service using default keytab: Cannot
>> contact any KDC for realm '<MYREALM>'.
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>> Certificate
>> DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>> expires: 2016-05-28 06:39:52 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command:
>> /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
>> track: yes
>> auto-renew: yes
>> Request ID '20140528064145':
>> status: MONITORING
>> ca-error: Error setting up ccache for local
>> "host" service using default keytab: Cannot
>> contact any KDC for realm '<MYREALM>'.
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate
>> DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=<MYREALM>
>> subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>> expires: 2016-05-28 06:41:44 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command:
>> /usr/lib64/ipa/certmonger/restart_httpd
>> track: yes
>> auto-renew: yes
>> ###
>>
>> Best regards.
>>
>> Bahan
>>
>> On Wed, Sep 14, 2016 at 6:21 PM, Martin Basti
>> <mbasti at redhat.com <mailto:mbasti at redhat.com>> wrote:
>>
>>
>> Then you have to start services manually. I
>> don't know if the same steps will work with
>> IPA 3.0.0, I don't remember, but you can try :)
>>
>>
>> On 14.09.2016 18:18, bahan w wrote:
>>> Oh I forgot to add that my version of ipa is
>>> quite old :
>>> ###
>>> # rpm -qa | grep ipa-server
>>> ipa-server-3.0.0-25.el6.x86_64
>>> ###
>>>
>>> When I try the command you gave me I got the
>>> following error :
>>> ###
>>> # ipactl start --force
>>> Usage: ipactl start|stop|restart|status
>>>
>>>
>>> ipactl: error: no such option: --force
>>> ###
>>>
>>> Best regards.
>>>
>>> Bahan
>>>
>>> On Wed, Sep 14, 2016 at 6:14 PM, Martin
>>> Basti <mbasti at redhat.com
>>> <mailto:mbasti at redhat.com>> wrote:
>>>
>>>
>>>
>>> On 14.09.2016 17:59, bahan w wrote:
>>>> Hello !
>>>>
>>>> I send you this mail because I cannot
>>>> restart my test IPA server.
>>>>
>>>> When I try to start it with service ipa
>>>> start, I get the following error message :
>>>> ###
>>>> # service ipa start
>>>> Starting Directory Service
>>>> Starting dirsrv:
>>>> <MYREALM>...[14/Sep/2016:17:57:23
>>>> +0200] - SSL alert:
>>>> CERT_VerifyCertificateNow: verify
>>>> certificate failed for cert Server-Cert
>>>> of family
>>>> cn=RSA,cn=encryption,cn=config
>>>> (Netscape Portable Runtime error -8181
>>>> - Peer's Certificate has expired.)
>>>> [ OK ]
>>>> PKI-IPA...[14/Sep/2016:17:57:33 +0200]
>>>> - SSL alert: CERT_VerifyCertificateNow:
>>>> verify certificate failed for cert
>>>> Server-Cert of family
>>>> cn=RSA,cn=encryption,cn=config
>>>> (Netscape Portable Runtime error -8181
>>>> - Peer's Certificate has expired.)
>>>> [ OK ]
>>>> Starting KDC Service
>>>> Starting Kerberos 5 KDC: [ OK ]
>>>> Starting KPASSWD Service
>>>> Starting Kerberos 5 Admin Server: [ OK ]
>>>> Starting MEMCACHE Service
>>>> Starting ipa_memcached: [ OK ]
>>>> Starting HTTP Service
>>>> Starting httpd: [FAILED]
>>>> Failed to start HTTP Service
>>>> Shutting down
>>>> Stopping Kerberos 5 KDC: [ OK ]
>>>> Stopping Kerberos 5 Admin Server: [ OK ]
>>>> Stopping ipa_memcached: [ OK ]
>>>> Stopping httpd: [FAILED]
>>>> Stopping pki-ca: [ OK ]
>>>> Shutting down dirsrv:
>>>> <MYREALM>... [ OK ]
>>>> PKI-IPA... [ OK ]
>>>> Aborting ipactl
>>>>
>>>> # service ipa status
>>>> Directory Service: STOPPED
>>>> Failed to get list of services to probe
>>>> status:
>>>> Directory Server is stopped
>>>> ###
>>>>
>>>> Do you know how to renew the SSL
>>>> certificate used for the IPA Server ?
>>>>
>>>> Best regards.
>>>>
>>>> Bahan
>>>>
>>>>
>>>>
>>>
>>>
>>> Hello,
>>>
>>> please run
>>>
>>> # ipactl start --force
>>> # getcert list (to detect which
>>> certificate is outdated, I suspect DS
>>> cert (or to get more info why it has not
>>> been renewed))
>>>
>>> If getcert does work (I'm not sure if it
>>> is able to work without httpd), you
>>> probably need to move time back to the past
>>> where the cert is valid, start IPA and try
>>> again.
>>>
>>> Please find the ID of the outdated certificate and
>>> try to resubmit it (CA and DS must be running)
>>>
>>> # getcert resubmit -i 20160914122036
>>> (use your ID :) )
>>>
>>> This should renew cert, check status
>>> with getcert list
>>>
>>> Move time back to future (if needed)
>>>
>>> Try to restart IPA
>>>
>>> Martin^2
>>>
>>>
>>
>>
>>
>>
>
>
>
>
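As an added example (not part of this thread, of certmonger or of FreeIPA), here is a Python triage helper that parses `getcert list` output in the line-wrapped form pasted above and reports, for a chosen clock time, which tracked certificates are expired or about to expire and which renewals certmonger cannot complete (stuck or CA_UNREACHABLE), which is the step the thread does by eye. The sample input and the reference timestamps are constructed to mirror the thread's entries.

```python
import re
from datetime import datetime, timedelta, timezone

# getcert field names; any other line continues the previous field (mail wraps values).
_KEYS = {"status", "stuck", "ca-error", "key pair storage", "certificate",
         "CA", "issuer", "subject", "expires", "eku", "pre-save command",
         "post-save command", "track", "auto-renew"}

def parse_getcert_list(text):
    """One dict per 'Request ID' block, wrapped values rejoined with spaces."""
    requests, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current, last_key = {"id": m.group(1)}, None
            requests.append(current)
        elif current is not None and line:
            key, sep, value = line.partition(":")
            if sep and key.strip() in _KEYS:
                last_key = key.strip()
                current[last_key] = value.strip()
            elif last_key:  # continuation of a wrapped field
                current[last_key] = (current[last_key] + " " + line).strip()
    return requests

def nss_location(req):  # (NSS DB path, nickname) from the 'certificate:' field
    m = re.search(r"location='([^']+)',nickname='([^']+)'", req.get("certificate", ""))
    return (m.group(1), m.group(2)) if m else (None, None)

def _ts(s):  # 'YYYY-MM-DD HH:MM:SS UTC', the stamp format getcert prints
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)

def triage(requests, now, warn_days=28):
    """Classify each request at getcert-style timestamp `now`: state is
    EXPIRED / EXPIRING (within warn_days) / OK; blocked means certmonger
    cannot renew it (stuck or CA_UNREACHABLE), which needs an operator."""
    now, out = _ts(now), {}
    for r in requests:
        left = _ts(r["expires"]) - now
        state = ("EXPIRED" if left <= timedelta(0)
                 else "EXPIRING" if left <= timedelta(days=warn_days) else "OK")
        out[r["id"]] = {
            "state": state,
            "blocked": r.get("stuck") == "yes" or r.get("status") == "CA_UNREACHABLE",
            "where": "%s:%s" % nss_location(r),
            "ca_error": r.get("ca-error", ""),
        }
    return out

# Constructed sample in the wrapped form the thread pastes (not real output).
SAMPLE = """\
Request ID '20140528063907':
    status: MONITORING
    certificate:
    type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
    cert-pki-ca',token='NSS Certificate DB'
    expires: 2018-04-09 11:38:16 UTC
Request ID '20140528064145':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry:
    -504 (libcurl failed to execute the HTTP POST
    transaction. Peer certificate cannot be authenticated
    with known CA certificates).
    stuck: yes
    certificate:
    type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
    Certificate DB'
    expires: 2016-05-28 06:41:44 UTC
"""
```

Run it against the real output with `triage(parse_getcert_list(open("getcert.txt").read()), "2016-09-14 17:57:00 UTC")`; an entry that is EXPIRED and blocked at once is the one that moving the clock back only makes EXPIRING, not renewable, so the CA-side error still has to be fixed first.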