[Freeipa-users] renewing cert and migrating free-ipa 3.1

Umarzuki Mochlis umarzuki at gmail.com
Fri Mar 3 13:20:41 UTC 2017


At first ipa-getcert list shows a certificate error

ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction, explaining:  Peer's Certificate has
expired.).

but after I changed the ipa server's date to before the expiration date, it shows

ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction, explaining:  couldn't connect to
host).

when I tried to start ipa with "service ipa start", all services would
fail, so I needed to start them one by one

systemctl start dirsrv@DOMAIN-COM-MY.service
systemctl status dirsrv@DOMAIN-COM-MY.service
systemctl start krb5kdc.service
systemctl status krb5kdc.service
systemctl start kadmin.service
systemctl status kadmin.service
systemctl start ipa_memcached.service
systemctl status ipa_memcached.service
systemctl start pki-tomcatd@pki-tomcat.service
systemctl status pki-tomcatd@pki-tomcat.service


# tail /var/log/messages
Jan  3 17:32:26 ipa systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Jan  3 17:32:29 ipa systemd[1]: Started PKI Tomcat Server pki-tomcat.
Jan  3 17:33:08 ipa certmonger[476]: 2016-01-03 17:33:08 [476] Server
failed request, will retry: -504 (libcurl failed to execute the HTTP
POST transaction, explaining:  couldn't connect to host).
Jan  3 17:33:12 ipa certmonger[476]: 2016-01-03 17:33:12 [476] Server
failed request, will retry: -504 (libcurl failed to execute the HTTP
POST transaction, explaining:  couldn't connect to host).

2017-03-03 13:20 GMT+08:00 Umarzuki Mochlis <umarzuki at gmail.com>:
> After httpd failed to start even with "NSSEnforceValidCerts off" in
> /etc/httpd/conf.d/nss.conf
> It used to work for a while since we use this only for zimbra but
> today it won't start anymore.
>
> We are not using commercial certs, so which steps should I follow to
> renew certs?
>
> It seems CA has expired more than 2 weeks ago.
>
> #  ipa-getcert list
> Number of certificates and requests being tracked: 7.
> Request ID '20130112120232':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: -504 (libcurl
> failed to execute the HTTP POST transaction, explaining:  Peer's
> Certificate has expired.).
>         stuck: yes
>         key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-DOMAIN-COM-MY/pwdfile.txt'
>         certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=DOMAIN.COM.MY
>         subject: CN=ipa.domain.com.my,O=DOMAIN.COM.MY
>         expires: 2016-12-16 16:18:27 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
> DOMAIN-COM-MY
>         track: yes
>         auto-renew: yes
> Request ID '20130112120734':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: -504 (libcurl
> failed to execute the HTTP POST transaction, explaining:  Peer's
> Certificate has expired.).
>         stuck: yes
>         key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=DOMAIN.COM.MY
>         subject: CN=ipa.domain.com.my,O=DOMAIN.COM.MY
>         expires: 2016-12-16 16:18:27 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>         track: yes
>         auto-renew: yes
>
> # rpm -qa | grep ipa
> freeipa-admintools-3.1.0-2.fc18.x86_64
> freeipa-server-3.1.0-2.fc18.x86_64
> libipa_hbac-python-1.9.3-1.fc18.x86_64
> python-iniparse-0.4-6.fc18.noarch
> freeipa-client-3.1.0-2.fc18.x86_64
> freeipa-server-selinux-3.1.0-2.fc18.x86_64
> freeipa-python-3.1.0-2.fc18.x86_64
> libipa_hbac-1.9.3-1.fc18.x86_64
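The triage loop in this thread (read ipa-getcert list, find the stuck requests and the earliest expiry, roll the clock back to a point before it, start the IPA services one at a time in order, then let certmonger resubmit) can be scripted. The following is an added example written for this page, not code from the poster or from the FreeIPA project. It assumes the systemd unit names used in the post plus httpd.service (the quoted reply says httpd fails to start, but the post does not list it in the start sequence), that ipa-getcert resubmit -i ID is the way to re-kick a stuck request, and that GNU date is available for the clock calculation. The sample getcert output is constructed from the two requests shown in the post, with a third MONITORING request made up to show that healthy requests are filtered out; SYSTEMCTL and GETCERT are hypothetical override variables so the functions can be dry-run without touching a live server.

```shell
#!/bin/bash
# Added example (not from the original post or from FreeIPA): helpers for an
# IPA 3.x server whose certmonger-tracked certificates have expired.
# Assumptions: unit names as in the post (+ httpd.service), GNU date for
# clock_before_expiry, and `ipa-getcert resubmit -i ID` to re-kick a request.

# Constructed sample of `ipa-getcert list` output, trimmed to the fields the
# parser uses. The first two requests mirror the post; the third is made up.
SAMPLE_GETCERT=$(cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20130112120232':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining:  Peer's Certificate has expired.).
        stuck: yes
        subject: CN=ipa.domain.com.my,O=DOMAIN.COM.MY
        expires: 2016-12-16 16:18:27 UTC
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DOMAIN-COM-MY
Request ID '20130112120734':
        status: CA_UNREACHABLE
        stuck: yes
        subject: CN=ipa.domain.com.my,O=DOMAIN.COM.MY
        expires: 2016-12-16 16:18:27 UTC
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
Request ID '20130112120900':
        status: MONITORING
        stuck: no
        subject: CN=ipa.domain.com.my,O=DOMAIN.COM.MY
        expires: 2018-01-01 00:00:00 UTC
EOF
)

# Read `ipa-getcert list` output on stdin; print "<id> <status> <date> <time> <stuck>"
# per tracked request (fields the triage below needs).
summarize_getcert() {
    awk '
        function emit() { if (id != "") print id, status, expires, stuck }
        /^Request ID/ {
            emit()
            id = $3; gsub(/[^0-9A-Za-z_.-]/, "", id)   # strip the quotes and colon
            status = ""; expires = ""; stuck = ""
        }
        /^[ \t]*status:/  { status = $2 }
        /^[ \t]*stuck:/   { stuck = $2 }
        /^[ \t]*expires:/ { expires = $2 " " $3 }
        END { emit() }
    '
}

# Request IDs certmonger reports as stuck (one per line), from stdin.
stuck_requests() {
    summarize_getcert | awk '$5 == "yes" { print $1 }'
}

# Earliest "expires:" timestamp among all tracked requests, from stdin.
# ISO timestamps sort correctly as plain strings.
earliest_expiry() {
    summarize_getcert | awk '$3 != "" { print $3, $4 }' | sort | head -n 1
}

# A clock value one day before the earliest expiry: what to feed `date -s`
# so certmonger can talk to the CA again (the rollback the post describes).
# Requires GNU date.
clock_before_expiry() {
    expiry=$(earliest_expiry)
    date -u -d "$expiry UTC 1 day ago" '+%Y-%m-%d %H:%M:%S'
}

# Start the IPA services one at a time, in dependency order, stopping at the
# first unit that fails or does not come up. SYSTEMCTL can be overridden
# (e.g. with a shell function) for a dry run.
start_ipa_services() {
    realm_unit=$1   # e.g. DOMAIN-COM-MY (suffix of the dirsrv@ unit)
    for unit in "dirsrv@${realm_unit}.service" krb5kdc.service kadmin.service \
                ipa_memcached.service pki-tomcatd@pki-tomcat.service httpd.service; do
        "${SYSTEMCTL:-systemctl}" start "$unit" || { echo "FAILED: $unit" >&2; return 1; }
        "${SYSTEMCTL:-systemctl}" is-active --quiet "$unit" || { echo "NOT ACTIVE: $unit" >&2; return 1; }
        echo "started $unit"
    done
}

# Ask certmonger to retry every stuck request now (after the CA is reachable
# again). GETCERT can be overridden for a dry run.
resubmit_stuck() {
    "${GETCERT:-ipa-getcert}" list | stuck_requests | while read -r id; do
        "${GETCERT:-ipa-getcert}" resubmit -i "$id" && echo "resubmitted $id"
    done
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_GETCERT" | summarize_getcert
    echo "stuck: $(printf '%s\n' "$SAMPLE_GETCERT" | stuck_requests | tr '\n' ' ')"
    echo "earliest expiry: $(printf '%s\n' "$SAMPLE_GETCERT" | earliest_expiry)"
    echo "clock to set: $(printf '%s\n' "$SAMPLE_GETCERT" | clock_before_expiry)"
fi
```

Run it with --demo to see the parse of the constructed sample; on a real server pipe `ipa-getcert list` into stuck_requests / earliest_expiry, set the clock with the value from clock_before_expiry, run start_ipa_services with your realm's unit suffix, then resubmit_stuck, and put the clock back (ntpdate or similar) once the renewed certs are in place. Starting units individually, as the post does, is what surfaces which unit is actually failing when `service ipa start` just reports everything down.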