[Freeipa-users] renewing cert and migrating free-ipa 3.1
Umarzuki Mochlis
umarzuki at gmail.com
Tue Apr 18 08:36:24 UTC 2017
Now users are complaining that passwords that have been reset cannot be
used to log in.
I also tried to resubmit with getcert, but 2 resubmits failed.
[root@ipa ~]# getcert list
Number of certificates and requests being tracked: 7.
Request ID '20130112120226':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='932018712055'
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=DOA.GOV.MY
subject: CN=CA Audit,O=DOA.GOV.MY
expires: 2016-11-24 16:19:25 UTC
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20130112120227':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='932018712055'
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=DOA.GOV.MY
subject: CN=OCSP Subsystem,O=DOA.GOV.MY
expires: 2016-11-24 16:18:25 UTC
eku: id-kp-OCSPSigning
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20130112120228':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='932018712055'
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=DOA.GOV.MY
subject: CN=CA Subsystem,O=DOA.GOV.MY
expires: 2016-11-24 16:18:25 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20130112120229':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=DOA.GOV.MY
subject: CN=IPA RA,O=DOA.GOV.MY
expires: 2016-11-24 16:18:25 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20130112120230':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='932018712055'
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=DOA.GOV.MY
subject: CN=ipa.domain.com.my,O=DOA.GOV.MY
expires: 2016-11-24 16:18:25 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_pkicad
"Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20130112120232':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at
server. Certificate operation cannot be completed: Unable to
communicate with CMS (Internal Server Error)).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-DOMAIN-COM-MY/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DOA.GOV.MY
subject: CN=ipa.domain.com.my,O=DOA.GOV.MY
expires: 2016-12-16 16:18:27 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DOMAIN-COM-MY
track: yes
auto-renew: yes
Request ID '20130112120734':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at
server. Certificate operation cannot be completed: Unable to
communicate with CMS (Internal Server Error)).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DOA.GOV.MY
subject: CN=ipa.domain.com.my,O=DOA.GOV.MY
expires: 2016-12-16 16:18:27 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
What are my options?
2017-03-03 21:20 GMT+08:00 Umarzuki Mochlis <umarzuki at gmail.com>:
> At first ipa-getcert list shows certificate error
>
> ca-error: Server failed request, will retry: -504 (libcurl failed to
> execute the HTTP POST transaction, explaining: Peer's Certificate has
> expired.).
>
> but after I changed ipa server's date to before the expiry date, it shows
>
> ca-error: Server failed request, will retry: -504 (libcurl failed to
> execute the HTTP POST transaction, explaining: couldn't connect to
> host).
>
> when I tried to start ipa with "service ipa start", all services would
> fail, so I needed to start them one by one
>
> systemctl start dirsrv@DOMAIN-COM-MY.service
> systemctl status dirsrv@DOMAIN-COM-MY.service
> systemctl start krb5kdc.service
> systemctl status krb5kdc.service
> systemctl start kadmin.service
> systemctl status kadmin.service
> systemctl start ipa_memcached.service
> systemctl status ipa_memcached.service
> systemctl start pki-tomcatd@pki-tomcat.service
> systemctl status pki-tomcatd@pki-tomcat.service
>
>
> # tail /var/log/messages
> Jan 3 17:32:26 ipa systemd[1]: Starting PKI Tomcat Server pki-tomcat...
> Jan 3 17:32:29 ipa systemd[1]: Started PKI Tomcat Server pki-tomcat.
> Jan 3 17:33:08 ipa certmonger[476]: 2016-01-03 17:33:08 [476] Server
> failed request, will retry: -504 (libcurl failed to execute the HTTP
> POST transaction, explaining: couldn't connect to host).
> Jan 3 17:33:12 ipa certmonger[476]: 2016-01-03 17:33:12 [476] Server
> failed request, will retry: -504 (libcurl failed to execute the HTTP
> POST transaction, explaining: couldn't connect to host).
>
> 2017-03-03 13:20 GMT+08:00 Umarzuki Mochlis <umarzuki at gmail.com>:
>> httpd failed to start even with "NSSEnforceValidCerts off" in
>> /etc/httpd/conf.d/nss.conf.
>> It used to work for a while, since we use this only for Zimbra, but
>> today it won't start anymore.
>>
>> We are not using commercial certs, so which steps should I follow to
>> renew certs?
>>
>> It seems the CA has expired more than 2 weeks ago.
>>
>> # ipa-getcert list
>> Number of certificates and requests being tracked: 7.
>> Request ID '20130112120232':
>> status: CA_UNREACHABLE
>> ca-error: Server failed request, will retry: -504 (libcurl
>> failed to execute the HTTP POST transaction, explaining: Peer's
>> Certificate has expired.).
>> stuck: yes
>> key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/dirsrv/slapd-DOMAIN-COM-MY/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=DOMAIN.COM.MY
>> subject: CN=ipa.domain.com.my,O=DOMAIN.COM.MY
>> expires: 2016-12-16 16:18:27 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
>> DOMAIN-COM-MY
>> track: yes
>> auto-renew: yes
>> Request ID '20130112120734':
>> status: CA_UNREACHABLE
>> ca-error: Server failed request, will retry: -504 (libcurl
>> failed to execute the HTTP POST transaction, explaining: Peer's
>> Certificate has expired.).
>> stuck: yes
>> key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=DOMAIN.COM.MY
>> subject: CN=ipa.domain.com.my,O=DOMAIN.COM.MY
>> expires: 2016-12-16 16:18:27 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>> track: yes
>> auto-renew: yes
>>
>> # rpm -qa | grep ipa
>> freeipa-admintools-3.1.0-2.fc18.x86_64
>> freeipa-server-3.1.0-2.fc18.x86_64
>> libipa_hbac-python-1.9.3-1.fc18.x86_64
>> python-iniparse-0.4-6.fc18.noarch
>> freeipa-client-3.1.0-2.fc18.x86_64
>> freeipa-server-selinux-3.1.0-2.fc18.x86_64
>> freeipa-python-3.1.0-2.fc18.x86_64
>> libipa_hbac-1.9.3-1.fc18.x86_64
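Added example, not from this thread or from FreeIPA itself: a small Python check that parses `getcert list` output in the layout shown above and flags requests that are stuck, not in MONITORING, already expired, or expiring within 30 days. Run against the real output (for instance from cron), it would have reported the CA_UNREACHABLE and expired entries before the CA and service certs lapsed. The sample output, subjects and domain names are constructed; POST_DATE is the date of the message above.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of `getcert list` (two abridged requests, placeholder domain).
SAMPLE = """\
Request ID '20130112120226':
    status: MONITORING
    stuck: no
    CA: dogtag-ipa-renew-agent
    subject: CN=CA Audit,O=EXAMPLE.TEST
    expires: 2016-11-24 16:19:25 UTC
Request ID '20130112120232':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)).
    stuck: yes
    CA: IPA
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2016-12-16 16:18:27 UTC
"""
# Date of the message this example follows, so the check is reproducible offline.
POST_DATE = datetime(2017, 4, 18, tzinfo=timezone.utc)

def parse_getcert(text):
    """Return one dict of 'field: value' pairs per 'Request ID' block."""
    requests, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1)}
            requests.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.strip().partition(":")  # split on the first colon only
            cur[key.strip()] = val.strip()
    return requests

def check_requests(text, now, warn_days=30):
    """Map request id -> reasons: not MONITORING, stuck, expired, or expiring within warn_days."""
    findings = {}
    for r in parse_getcert(text):
        reasons = []
        if r.get("status") != "MONITORING" or r.get("stuck") == "yes":
            reasons.append(f"status={r.get('status')} stuck={r.get('stuck')}: {r.get('ca-error', '')}")
        if "expires" in r:  # certmonger prints 'YYYY-MM-DD HH:MM:SS UTC'
            exp = datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
            days = (exp - now).days  # negative once expired
            if days < warn_days:
                reasons.append(f"expired {(now - exp).days} days ago" if exp <= now else f"expires in {days} days")
        if reasons:
            findings[r["id"]] = reasons
    return findings
```

On a live server, feed it the output of `getcert list` instead of SAMPLE and alert on a non-empty result; a request that sits in CA_UNREACHABLE while its expiry approaches is the condition this thread hit.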