<table cellspacing="0" cellpadding="0" border="0" ><tr><td valign="top" style="font: inherit;"><font face="arial" size="2">Thanks for all the replies.</font><div style="font-family: arial; font-size: 10pt; "><br></div><div style="font-family: arial; font-size: 10pt; ">Rob,</div><div style="font-family: arial; font-size: 10pt; ">Please find the output of your guidelines.</div><div style="font-family: arial; font-size: 10pt; "><br></div><div><font face="arial" size="2"># ipa-getcert list</font><br><span style="font-family: arial; font-size: 10pt; ">Number of certificates and requests being tracked: 3.</span><br><div style="font-family: arial; font-size: 10pt; ">Request ID '20110619112648':</div><div style="font-family: arial; font-size: 10pt; ">        status: MONITORING</div><div style="font-family: arial; font-size: 10pt; ">        <span style="background-color: rgb(255, 0, 0);">ca-error: Error setting up ccache
 for local "host" service using default keytab.</span></div><div style="font-family: arial; font-size: 10pt; ">        stuck: no</div><div style="font-family: arial; font-size: 10pt; ">        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-xxxxx-COM//pwdfile.txt'</div><div style="font-family: arial; font-size: 10pt; ">        certificate: type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-COM',nickname='Server-Cert',token='NSS Certificate DB'</div><div style="font-family: arial; font-size: 10pt; ">        CA: IPA</div><div style="font-family: arial; font-size: 10pt; ">        issuer: CN=Certificate Authority,O=xxxxx.COM</div><div style="font-family: arial; font-size: 10pt; ">        subject: CN=xxxxx.xxxxx.com,O=xxxxx.COM</div><div
 style="font-family: arial; font-size: 10pt; ">        <span style="background-color: rgb(255, 0, 0);">expires: 20111216112647</span></div><div style="font-family: arial; font-size: 10pt; ">        eku: id-kp-serverAuth</div><div style="font-family: arial; font-size: 10pt; ">        track: yes</div><div style="font-family: arial; font-size: 10pt; ">        auto-renew: yes</div><div style="font-family: arial; font-size: 10pt; ">Request ID '20110619112705':</div><div style="font-family: arial; font-size: 10pt; ">        status: MONITORING</div><div style="font-family: arial; font-size: 10pt; ">        <span style="background-color: rgb(255, 0, 0);">ca-error: Error setting up ccache for local "host" service using default keytab.</span></div><div style="font-family: arial; font-size: 10pt; ">        stuck: no</div><div
 style="font-family: arial; font-size: 10pt; ">        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'</div><div style="font-family: arial; font-size: 10pt; ">        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'</div><div style="font-family: arial; font-size: 10pt; ">        CA: IPA</div><div style="font-family: arial; font-size: 10pt; ">        issuer: CN=Certificate Authority,O=xxxxx.COM</div><div style="font-family: arial; font-size: 10pt; ">        subject: CN=xxxxx.xxxxx.com,O=xxxxx.COM</div><div style="font-family: arial; font-size: 10pt; ">        <span style="background-color: rgb(255, 0, 0);">expires: 20111216112704</span></div><div
 style="font-family: arial; font-size: 10pt; ">        eku: id-kp-serverAuth</div><div style="font-family: arial; font-size: 10pt; ">        track: yes</div><div style="font-family: arial; font-size: 10pt; ">        auto-renew: yes</div><div style="font-family: arial; font-size: 10pt; ">Request ID '20110619112721':</div><div style="font-family: arial; font-size: 10pt; ">        status: MONITORING</div><div style="font-family: arial; font-size: 10pt; ">        <span style="background-color: rgb(255, 0, 0);">ca-error: Error setting up ccache for local "host" service using default keytab.</span></div><div style="font-family: arial; font-size: 10pt; ">        stuck: no</div><div style="font-family: arial; font-size: 10pt; ">        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
 Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'</div><div style="font-family: arial; font-size: 10pt; ">        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'</div><div style="font-family: arial; font-size: 10pt; ">        CA: IPA</div><div style="font-family: arial; font-size: 10pt; ">        issuer: CN=Certificate Authority,O=xxxxx.COM</div><div style="font-family: arial; font-size: 10pt; ">        subject: CN=xxxxx.xxxxx.com,O=xxxxx.COM</div><div style="font-family: arial; font-size: 10pt; ">        <span style="background-color: rgb(255, 0, 0);">expires: 20111216112720</span></div><div style="font-family: arial; font-size: 10pt; ">        eku: id-kp-serverAuth</div><div style="font-family: arial; font-size: 10pt; ">        track: yes</div><div style="font-family: arial; font-size: 10pt; ">        auto-renew: yes</div><br><font face="arial" size="2"># certutil -L -d /etc/httpd/alias</font><br><span style="font-family: arial; font-size: small; ">Certificate Nickname                                         Trust Attributes</span><br><div><font face="arial" size="2">                                                            SSL,S/MIME,JAR/XPI</font></div><div><span style="font-family: arial; font-size: small; ">Server-Cert
        u,u,u</span></div><div><font face="arial" size="2">HUGAYET.COM IPA CA                                           CT,C,C</font></div><div><font face="arial" size="2">ipaCert                                                      u,u,u</font></div><div><font face="arial" size="2">Signing-Cert                                                 u,u,u</font></div><div style="font-family: arial; font-size: 10pt; "><br></div><font face="arial" size="2">Now track it</font><br><font face="arial" size="2"># ipa-getcert start-tracking -d /etc/httpd/alias -n
 Server-Cert</font></div><div><font face="arial" size="2">Request "20110619112721" modified.<br></font><br><font face="arial" size="2">#ipa-getcert list</font></div><div><span style="font-family: arial; font-size: small; ">Number of certificates and requests being tracked: 3.</span></div><div><font face="arial" size="2"><div>Request ID '20110619112648':</div><div>        status: MONITORING</div><div>        <span style="background-color: rgb(255, 0, 0);">ca-error: Error setting up ccache for local "host" service using default keytab.</span></div><div>        stuck: no</div><div>        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-xxxxx-COM//pwdfile.txt'</div><div>        certificate:
 type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-COM',nickname='Server-Cert',token='NSS Certificate DB'</div><div>        CA: IPA</div><div>        issuer: CN=Certificate Authority,O=xxxxx.COM</div><div>        subject: CN=xxxxx.xxxxx.com,O=xxxxx.COM</div><div>        <span style="background-color: rgb(255, 0, 0);">expires: 20111216112647</span></div><div>        eku: id-kp-serverAuth</div><div>        track: yes</div><div>        auto-renew: yes</div><div>Request ID '20110619112705':</div><div>        status: MONITORING</div><div>        <span style="background-color: rgb(255, 0, 0);">ca-error: Error setting up ccache for local "host" service using default keytab.</span></div><div>        stuck: no</div><div>        key pair storage:
 type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'</div><div>        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'</div><div>        CA: IPA</div><div>        issuer: CN=Certificate Authority,O=xxxxx.COM</div><div>        subject: CN=xxxxx.xxxxx.com,O=xxxxx.COM</div><div>        <span style="background-color: rgb(255, 0, 0);">expires: 20111216112704</span></div><div>        eku: id-kp-serverAuth</div><div>        track: yes</div><div>        auto-renew: yes</div><div>Request ID '20110619112721':</div><div>        status: MONITORING</div><div>        <span style="background-color: rgb(255, 0,
 0);">ca-error: Error setting up ccache for local "host" service using default keytab.</span></div><div>        stuck: no</div><div>        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'</div><div>        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'</div><div>        CA: IPA</div><div>        issuer: CN=Certificate Authority,O=xxxxx.COM</div><div>        subject: CN=xxxxx.xxxxx.com,O=xxxxx.COM</div><div>        <span style="background-color: rgb(255, 0, 0);">expires: 20111216112720</span></div><div>        eku: id-kp-serverAuth</div><div>        track: yes</div><div>        auto-renew:
 yes</div><br></font></div><div style="font-family: arial; font-size: 10pt; ">The issue is still there: as you can see, the expiry dates are not getting modified.</div><div style="font-family: arial; font-size: 10pt; "><br></div><div style="font-family: arial; font-size: 10pt; ">Nidal.</div><div style="font-family: arial; font-size: 10pt; "><br>--- On <b>Tue, 1/3/12, Rob Crittenden <i><rcritten@redhat.com></i></b> wrote:<br><blockquote style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;"><br>From: Rob Crittenden <rcritten@redhat.com><br>Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA<br>To: "nasir nasir" <kollathodi@yahoo.com><br>Cc: "Rich Megginson" <rmeggins@redhat.com>, freeipa-users@redhat.com, fasilkaks@gmail.com<br>Date: Tuesday, January 3, 2012, 2:23 PM<br><br><div class="plainMail">nasir nasir wrote:<br>><br>><br>> --- On *Tue, 1/3/12, Rich Megginson /<rmeggins@redhat.com>/* wrote:<br>><br>><br>>     From: Rich Megginson <rmeggins@redhat.com><br>>     Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA<br>>     To: "nasir nasir" <kollathodi@yahoo.com><br>>     Cc: freeipa-users@redhat.com, fasilkaks@gmail.com<br>>     Date: Tuesday, January 3, 2012, 7:41 AM<br>><br>>     On 01/03/2012 12:52 AM,
 nasir nasir wrote:<br>>>     Hi,<br>>><br>>>     I am facing a serious issue with my production IPA server. When I<br>>>     try to access IPA web interface using Firefox, it hangs and<br>>>     doesn't allow me to get in. It seems to be due to expired SSL<br>>>     certificate as seen in the apache log file,<br>>><br>>><br>>>     [Tue Jan 03 10:34:08 2012] [error] Certificate not verified:<br>>>     'Server-Cert'<br>>>     [Tue Jan 03 10:34:08 2012] [error] SSL Library Error: -8181<br>>>     Certificate has expired<br>>>     [Tue Jan 03 10:34:08 2012] [error] Unable to verify certificate<br>>>     'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf
 so the<br>>>     server can start until the problem can be resolved.<br>>>     [Tue Jan 03 10:34:08 2012] [error] Certificate not verified:<br>>>     'Server-Cert'<br>>><br>>><br>>>     Also, when I try to use the command line (ipa user-mod or<br>>>     user-show commands) it too just hangs and doesn't give any output<br>>>     or allow me for any input. I can see the following in krb5kdc.log ,<br>>><br>>>     Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2426](info): preauth<br>>>     (timestamp) verify failure: Decrypt integrity check failed<br>>>     Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2426](info): AS_REQ (4<br>>>     etypes {18 17 16 23}) 192.168.1.10:
 PREAUTH_FAILED:<br>>>     host/xxxxx.xxxxx.com@XXXXXX.COM for<br>>>     krbtgt/XXXXXX.COM@XXXXXX.COM, Decrypt integrity<br>>>     check failed<br>>>     Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2429](info): AS_REQ (4<br>>>     etypes {18 17 16 23}) 192.168.1.10:
 NEEDED_PREAUTH:<br>>>     host/xxxx.xxxxx.com@XXXXX.COM for<br>>>     krbtgt/XXXXXX.COM@XXXXXX.COM, Additional<br>>>     pre-authentication required<br>>><br>>><br>>>     The output of "certutil -L -d /etc/httpd/alias -n Server-Cert"<br>>>     confirms that certificate is
 expired as given below.<br>>><br>>>     Certificate:<br>>>     Data:<br>>>     Version: 3 (0x2)<br>>>     Serial Number: 10 (0xa)<br>>>     Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption<br>>>     Issuer: "CN=Certificate Authority,O=XXXXXX.COM"<br>>>     Validity:<br>>>     Not Before: Sun Jun 19 11:27:20 2011<br>>>     Not After : Fri Dec 16 11:27:20 2011<br>>><br>>><br>>>     Relevant info<br>>><br>>>     OS: RHEL 6.1<br>>><br>>><br>>>     Output of rpm -qa | grep ipa<br>>><br>>>     ipa-client-2.0.0-23.el6.i686<br>>> 
    ipa-pki-ca-theme-9.0.3-6.el6.noarch<br>>>     ipa-pki-common-theme-9.0.3-6.el6.noarch<br>>>     device-mapper-multipath-libs-0.4.9-41.el6.i686<br>>>     python-iniparse-0.3.1-2.1.el6.noarch<br>>>     ipa-python-2.0.0-23.el6.i686<br>>>     ipa-server-selinux-2.0.0-23.el6.i686<br>>>     ipa-server-2.0.0-23.el6.i686<br>>>     device-mapper-multipath-0.4.9-41.el6.i686<br>>>     ipa-admintools-2.0.0-23.el6.i686<br>>><br>>><br>>>     I went through the documentations to check how to renew the<br>>>     expired certs but it seems to be confusing and different across<br>>>     versions. Could someone please help me out by suggesting which
 is<br>>>     the best way to achieve this? Any help would be greatly<br>>>     appreciated as I am unable to perform any task on the IPA server<br>>>     now because of this.<br>>><br>>     I suggest following the mod_nss suggestion to allow it to start and<br>>     use the expired cert while you attempt to figure this out.<br>><br>>     Thanks indeed for the suggestion. I will consider this. But can<br>>     anyone point me to the steps to renew the certificate from the expired one?<br>><br>>     Thanks and regards,<br>>     Nidal<br><br>Let's start with figuring out why certmonger didn't do this for you:<br><br>Can you run as root: ipa-getcert list<br><br>You should have something like:<br><br>Request ID '20111215203350':<br> 
        status: MONITORING<br>         stuck: no<br>         key pair storage: <br>type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS <br>Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>         certificate: <br>type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS <br>Certificate DB'<br>         CA: IPA<br>         issuer: CN=EXAMPLE.COM Certificate Authority<br>         subject: CN=rawhide.example.com,O=EXAMPLE.COM<br>         expires: 2021-12-15 20:33:50 UTC<br>         track: yes<br>         auto-renew: yes<br><br>If you don't have something like this then perhaps the easiest way to <br>get it renewed is to
 tell certmonger to track it. First, look at your <br>current database, it should look something like:<br><br># certutil -L -d /etc/httpd/alias<br><br>Server-Cert                                                  u,u,u<br>EXAMPLE.COM IPA CA                                           CTu,u,Cu<br>Signing-Cert                                                 u,u,u<br><br>Now track it<br><br># ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert<br><br>Use ipa-getcert list to track the status of the renewal. Once it has <br>been completed you can reset the EnforceValidCerts option and
 restart <br>Apache.<br><br>If certmonger is already tracking the cert and the renewal has failed <br>then please provide the ipa-getcert list output.<br><br>rob<br></div></blockquote></div></td></tr></table>
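A check for the failure shown in this thread (a request certmonger reports as MONITORING with a ca-error and an expiry date that never advances), as an added example that is not part of the mailing-list exchange: it parses ipa-getcert list output and reports every request that needs attention. The sample output is constructed to match the two expires formats seen above (YYYYMMDDHHMMSS and 'YYYY-MM-DD HH:MM:SS UTC').

```python
"""Flag certmonger-tracked certificates that are not renewing (added example, not
code from the thread): parse `ipa-getcert list` output and report requests that
carry a ca-error, are stuck, or are already past their expiry."""
import re
from datetime import datetime, timezone

# Constructed sample modelled on the thread; both expires formats certmonger uses.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20110619112721':
        status: MONITORING
        ca-error: Error setting up ccache for local "host" service using default keytab.
        stuck: no
        expires: 20111216112720
        auto-renew: yes
Request ID '20111215203350':
        status: MONITORING
        expires: 2021-12-15 20:33:50 UTC
        auto-renew: yes
"""

def parse_expires(value):
    # Older certmonger prints YYYYMMDDHHMMSS, newer 'YYYY-MM-DD HH:MM:SS UTC'.
    for fmt in ("%Y%m%d%H%M%S", "%Y-%m-%d %H:%M:%S UTC"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised expires value: %r" % value)

def parse_getcert_list(text):
    # One dict per "Request ID" block, keyed by the indented "field: value" names.
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and line.startswith(" ") and ":" in line:
            key, _, val = line.strip().partition(":")
            requests[-1][key] = val.strip()
    return requests

def renewal_problems(text, now=None):
    # Returns [(request id, status, [reasons])] for requests needing attention.
    now = now or datetime.now(timezone.utc)
    problems = []
    for r in parse_getcert_list(text):
        reasons = []
        if "ca-error" in r:
            reasons.append("ca-error: " + r["ca-error"])
        if r.get("stuck") == "yes":
            reasons.append("stuck")
        if "expires" in r and parse_expires(r["expires"]) <= now:
            reasons.append("expired " + r["expires"])
        if reasons:
            problems.append((r["id"], r.get("status"), reasons))
    return problems
```

Run it against `ipa-getcert list` output captured on the IPA server; a request that keeps reporting a ca-error while its expires value stays in the past is exactly the state this thread describes and will not fix itself on the next renewal attempt.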