[Freeipa-users] Make Gpg replica fail , where cert store I should update new ?

Rob Crittenden rcritten at redhat.com
Tue Mar 7 13:51:16 UTC 2017 

barrykfl at gmail.com wrote:
> same as as replica gpg making.////...Found this cert 2015 expired
> only,,? but I follow manual here:
> 
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1
> <https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1> 

If you are using 3rd party certs elsewhere then why not provide 3rd
party certs for this replica as well?

It seems like you aren't using the IPA-provided CA at all given its
certs expired in 2015.

rob

> 
> It imported as EXT-CA as Alias rather than sever cert by default...Is
> there anywhere pointing wrong ?
> 
> Certificate Nickname                                         Trust
> Attributes
>                                                             
> SSL,S/MIME,JAR/XPI
> *.ABC.com                                                 ,,
> EXT-CA                                                       CT,C,C
> ABC.COM <http://ABC.COM> IPA
> CA                                            CT,,C
> Server-Cert                                                  u,u,u
> 
> 
> Request ID '20160516111257':
>         status: CA_UNREACHABLE
>         ca-error: Server at https://central.ABC.com/ipa/xml failed
> request, will retry: 907 (RPC failed at server.  cannot connect to
> 'https://central.ABC.com:443/ca/agent/ca/displayBySerial':
> (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.).
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>         certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=ABC.COM <http://ABC.COM>
>         subject: CN=central.ABC.com <http://central.ABC.com>,O=ABC.COM
> <http://ABC.COM>
>         expires: 2015-11-23 08:42:52 UTC
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
>         track: yes
>         auto-renew: yes
> 
> 2017-03-07 19:24 GMT+08:00 Barry <kliu at alumni.warwick.ac.uk
> <mailto:kliu at alumni.warwick.ac.uk>>:
> 
>     Same as before I already follow  part < 4.1 as below:
> 
>     https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1
>     <https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1> 
>     comdo cert is new cert /
>     It seem I m nearly right ....HTTP server side can read trust cert
>     BUT seem dirsrv still lacking of a ca cert to verify it ./..
>     but ca.crt changed to new already and imported
> 
>     ABC-COM...[07/Mar/2017:19:17:22 +0800] - SSL alert:
>     CERT_VerifyCertificateNow: verify certificate failed for cert
>     *.ABC.com - COMODO CA Limited of family
>     cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
>     -8179 - Peer's Certificate issuer is not recognized.)
>                        
> 
>     2017-03-07 17:16 GMT+08:00 Florence Blanc-Renaud <flo at redhat.com
>     <mailto:flo at redhat.com>>:
> 
>         Hi,
> 
>         In IPA < 4.5, ipa-replica-prepare was using /etc/ipa/ca.crt as
>         Certificate Authority, and this file may be outdated. Running
>         ipa-certupdate may fix your issue. See [1]
> 
>         If it doesn't, you can start by identifying which certificate
>         expired with
>         $ sudo getcert list | egrep -e 'expires|Request ID|subject'
> 
>         HTH,
>         Flo
> 
>         [1] https://pagure.io/freeipa/issue/6375
>         <https://pagure.io/freeipa/issue/6375>
> 
>         On 03/07/2017 04:14 AM, barrykfl at gmail.com
>         <mailto:barrykfl at gmail.com> wrote:
> 
>             gpg
> 
>             Creating SSL certificate for the Directory Server
>             ipa         : ERROR    cert validation failed for
>             "CN=central.ABC.com <http://central.ABC.com>
>             <http://central.ABC.com>,O=ABC.COM <http://ABC.COM>
>             <http://ABC.COM>"
>             ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has
>             expired.)
>             preparation of replica failed: cannot connect to
>             'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient <https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient>':
>             (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>             cannot connect to
>             'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient <https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient>':
>             (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>               File "/usr/sbin/ipa-replica-prepare", line 490, in <module>
>                 main()
> 
>               File "/usr/sbin/ipa-replica-prepare", line 361, in main
>                 export_certdb(api.env.realm, ds_dir, dir, passwd_fname,
>             "dscert",
>             replica_fqdn, subject_base)
> 
>               File "/usr/sbin/ipa-replica-prepare", line 150, in
>             export_certdb
>                 raise e
> 
> 
> 
> 
> 
> 
> 
>

More information about the Freeipa-users mailing list