[Freeipa-users] renewing cert and migrating free-ipa 3.1

[Rob Crittenden]

Umarzuki Mochlis wrote:
> At first ip-getcert list hows certificate error
> 
> ca-error: Server failed request, will retry: -504 (libcurl failed to
> execute the HTTP POST transaction, explaining:  Peer's Certificate has
> expired.).
> 
> but after I changed ipa server's date to before expirate date, it shows
> 
> ca-error: Server failed request, will retry: -504 (libcurl failed to
> execute the HTTP POST transaction, explaining:  couldn't connect to
> host).
> 
> when I tried to start ipa with "service ipa start", all services would
> fail, so I need to start one by one
> 
> systemctl start dirsrv at DOMAIN-COM-MY.service
> systemctl status dirsrv at DOMAIN-COM-MY.service
> systemctl start krb5kdc.service
> systemctl status krb5kdc.service
> systemctl start kadmin.service
> systemctl status kadmin.service
> systemctl start ipa_memcached.service
> systemctl status ipa_memcached.service
> systemctl start pki-tomcatd at pki-tomcat.service
> systemctl status pki-tomcatd at pki-tomcat.service
> 
> 
> # tail /var/log/messages
> Jan  3 17:32:26 ipa systemd[1]: Starting PKI Tomcat Server pki-tomcat...
> Jan  3 17:32:29 ipa systemd[1]: Started PKI Tomcat Server pki-tomcat.
> Jan  3 17:33:08 ipa certmonger[476]: 2016-01-03 17:33:08 [476] Server
> failed request, will retry: -504 (libcurl failed to execute the HTTP
> POST transaction, explaining:  couldn't connect to host).
> Jan  3 17:33:12 ipa certmonger[476]: 2016-01-03 17:33:12 [476] Server
> failed request, will retry: -504 (libcurl failed to execute the HTTP
> POST transaction, explaining:  couldn't connect to host).

You want to use the getcert command, not ipa-getcert, to see the CA
subsystem certificates.

What you should do is: getcert list |grep expires

Find a date/time that fits into a period where all certs are valid and
go back in time to then (after stopping ntpd).

That will hopefully fix the ipactl start issue.

Once IPA is restarted, restart certmonger.

rob