<table cellspacing="0" cellpadding="0" border="0" ><tr><td valign="top" style="font: inherit;">Thanks for the reply Rob,<div><br></div><div>Indeed there are host entries.</div><div>Please find below the output of your below mentioned guidelines.</div><div><br></div><div><div># klist -kt /etc/krb5.keytab</div><div>Keytab name: WRFILE:/etc/krb5.keytab</div><div>KVNO Timestamp         Principal</div><div>---- ----------------- --------------------------------------------------------</div><div>   <span style="background-color: rgb(255, 0, 0);">2 06/19/11 14:27:17 host/xxxxxx.xxxxxx.com@xxxxxx.COM</span></div><div><span style="background-color: rgb(255, 0, 0);">   2 06/19/11 14:27:17 host/xxxxxx.xxxxxx.com@xxxxxx.COM</span></div><div><span style="background-color: rgb(255, 0, 0);">   2 06/19/11 14:27:17 host/xxxxxx.xxxxxx.com@xxxxxx.COM</span></div><div><span style="background-color: rgb(255, 0, 0);"> 
  2 06/19/11 14:27:17 host/xxxxxx.xxxxxx.com@xxxxxx.COM</span></div><div><span style="background-color: rgb(255, 0, 0);">   2 06/19/11 14:27:17 host/xxxxxx.xxxxxx.com@xxxxxx.COM</span></div><div><span style="background-color: rgb(255, 0, 0);">   2 06/19/11 14:27:17 host/xxxxxx.xxxxxx.com@xxxxxx.COM</span></div><div><span style="background-color: rgb(255, 0, 0);">   2 06/20/11 09:07:26 host/test1.xxxxxx.com@xxxxxx.COM</span></div><div><span style="background-color: rgb(255, 0, 0);">   2 06/20/11 09:07:26 host/test1.xxxxxx.com@xxxxxx.COM</span></div><div><span style="background-color: rgb(255, 0, 0);">   2 06/20/11 09:07:26 host/test1.xxxxxx.com@xxxxxx.COM</span></div><div><span style="background-color: rgb(255, 0, 0);">   2 06/20/11 09:07:26 host/test1.xxxxxx.com@xxxxxx.COM</span></div><div>   6 06/20/11 09:09:12 nfs/nfs.xxxxxx.com@xxxxxx.COM</div><div>   6 06/20/11
 09:09:12 nfs/nfs.xxxxxx.com@xxxxxx.COM</div><div>   6 06/20/11 09:09:12 nfs/nfs.xxxxxx.com@xxxxxx.COM</div><div>   6 06/20/11 09:09:12 nfs/nfs.xxxxxx.com@xxxxxx.COM</div><div>   2 06/20/11 09:11:24 nfs/test1.xxxxxx.com@xxxxxx.COM</div><div>   2 06/20/11 09:11:24 nfs/test1.xxxxxx.com@xxxxxx.COM</div><div>   2 06/20/11 09:11:24 nfs/test1.xxxxxx.com@xxxxxx.COM</div><div>   2 06/20/11 09:11:24 nfs/test1.xxxxxx.com@xxxxxx.COM</div><div><br></div><div><div># kinit -kt /etc/krb5.keytab host/openipa.hugayet.com</div><div><span style="background-color: rgb(255, 0, 0);">kinit: Password incorrect while getting initial credentials</span></div></div><div><br></div># kinit admin</div><div>(the password is accepted successfully here)</div><div><br></div><div><div># kinit -kt /etc/krb5.keytab host/openipa.hugayet.com</div><div><span style="background-color: rgb(255, 0, 0);">kinit: Password incorrect while
 getting initial credentials</span></div><div><br></div><div>What could be the possible issue of the invalid credential error? Please help.</div><div><br></div><div>Nidal</div></div><div>--- On <b>Wed, 1/4/12, Rob Crittenden <i><rcritten@redhat.com></i></b> wrote:<br><blockquote style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;"><br>From: Rob Crittenden <rcritten@redhat.com><br>Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA<br>To: "nasir nasir" <kollathodi@yahoo.com><br>Cc: "Rich Megginson" <rmeggins@redhat.com>, freeipa-users@redhat.com, fasilkaks@gmail.com<br>Date: Wednesday, January 4, 2012, 11:52 AM<br><br><div class="plainMail">nasir nasir wrote:<br>> Thanks for all the replies.<br>><br>> Rob,<br>> Please find the output of your guidelines.<br><br>Here is the culprit:<br><br>ca-error: Error setting up ccache for local "host" service using
 default <br>keytab.<br><br>certmonger authenticates to IPA using the host service principal <br>installed on each client (and master). For some reason that can't be used.<br><br>Check the keytab:<br><br># klist -kt /etc/krb5.keytab<br><br>If there are host entries there, try it:<br><br># kinit -kt /etc/krb5.keytab host/server.example.com<br><br>rob<br><br>><br>> # ipa-getcert list<br>> Number of certificates and requests being tracked: 3.<br>> Request ID '20110619112648':<br>> status: MONITORING<br>> ca-error: Error setting up ccache for local "host" service using default<br>> keytab.<br>> stuck: no<br>> key pair storage:<br>> type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-COM',nickname='Server-Cert',token='NSS<br>> Certificate DB',pinfile='/etc/dirsrv/slapd-xxxxx-COM//pwdfile.txt'<br>> certificate:<br>> type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-COM',nickname='Server-Cert',token='NSS<br>> Certificate
 DB'<br>> CA: IPA<br>> issuer: CN=Certificate Authority,O=xxxxx.COM<br>> subject: CN=xxxxx.xxxxx.com,O=xxxxx.COM<br>> expires: 20111216112647<br>> eku: id-kp-serverAuth<br>> track: yes<br>> auto-renew: yes<br>> Request ID '20110619112705':<br>> status: MONITORING<br>> ca-error: Error setting up ccache for local "host" service using default<br>> keytab.<br>> stuck: no<br>> key pair storage:<br>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'<br>> certificate:<br>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>> Certificate DB'<br>> CA: IPA<br>> issuer: CN=Certificate Authority,O=xxxxx.COM<br>> subject: CN=xxxxx.xxxxx.com,O=xxxxx.COM<br>> expires: 20111216112704<br>> eku: id-kp-serverAuth<br>> track: yes<br>> auto-renew: yes<br>> Request
 ID '20110619112721':<br>> status: MONITORING<br>> ca-error: Error setting up ccache for local "host" service using default<br>> keytab.<br>> stuck: no<br>> key pair storage:<br>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>> certificate:<br>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>> Certificate DB'<br>> CA: IPA<br>> issuer: CN=Certificate Authority,O=xxxxx.COM<br>> subject: CN=xxxxx.xxxxx.com,O=xxxxx.COM<br>> expires: 20111216112720 eku: id-kp-serverAuth track: yes<br>> auto-renew: yes<br>><br>> # certutil -L -d /etc/httpd/alias<br>> Certificate Nickname Trust Attributes<br>> SSL,S/MIME,JAR/XPI<br>> Server-Cert u,u,u<br>> HUGAYET.COM IPA CA CT,C,C<br>> ipaCert u,u,u<br>> Signing-Cert u,u,u<br>><br>> Now track it<br>> # ipa-getcert start-tracking -d
 /etc/httpd/alias -n Server-Cert<br>> Request "20110619112721" modified.<br>><br>> #ipa-getcert list<br>> Number of certificates and requests being tracked: 3.<br>> Request ID '20110619112648':<br>> status: MONITORING<br>> ca-error: Error setting up ccache for local "host" service using default<br>> keytab.<br>> stuck: no<br>> key pair storage:<br>> type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-COM',nickname='Server-Cert',token='NSS<br>> Certificate DB',pinfile='/etc/dirsrv/slapd-xxxxx-COM//pwdfile.txt'<br>> certificate:<br>> type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-COM',nickname='Server-Cert',token='NSS<br>> Certificate DB'<br>> CA: IPA<br>> issuer: CN=Certificate Authority,O=xxxxx.COM<br>> subject: CN=xxxxx.xxxxx.com,O=xxxxx.COM<br>> expires: 20111216112647<br>> eku: id-kp-serverAuth<br>> track: yes<br>> auto-renew: yes<br>> Request ID '20110619112705':<br>> status:
 MONITORING<br>> ca-error: Error setting up ccache for local "host" service using default<br>> keytab.<br>> stuck: no<br>> key pair storage:<br>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'<br>> certificate:<br>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>> Certificate DB'<br>> CA: IPA<br>> issuer: CN=Certificate Authority,O=xxxxx.COM<br>> subject: CN=xxxxx.xxxxx.com,O=xxxxx.COM<br>> expires: 20111216112704<br>> eku: id-kp-serverAuth<br>> track: yes<br>> auto-renew: yes<br>> Request ID '20110619112721':<br>> status: MONITORING<br>> ca-error: Error setting up ccache for local "host" service using default<br>> keytab.<br>> stuck: no<br>> key pair storage:<br>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>>
 Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>> certificate:<br>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>> Certificate DB'<br>> CA: IPA<br>> issuer: CN=Certificate Authority,O=xxxxx.COM<br>> subject: CN=xxxxx.xxxxx.com,O=xxxxx.COM<br>> expires: 20111216112720<br>> eku: id-kp-serverAuth<br>> track: yes<br>> auto-renew: yes<br>><br>> The issue is still there as you can see the expiry dates are not getting<br>> modified.<br>><br>> Nidal.<br>><br>> --- On *Tue, 1/3/12, Rob Crittenden /<rcritten@redhat.com>/* wrote:<br>><br>><br>>     From: Rob Crittenden <rcritten@redhat.com><br>>     Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA<br>>     To: "nasir nasir" <kollathodi@yahoo.com><br>>     Cc: "Rich Megginson" <rmeggins@redhat.com>,<br>>     freeipa-users@redhat.com, fasilkaks@gmail.com<br>>     Date: Tuesday, January 3, 2012, 2:23 PM<br>><br>>     nasir nasir wrote:<br>>      ><br>>      ><br>>      > --- On *Tue, 1/3/12, Rich Megginson /<rmeggins@redhat.com>/* wrote:<br>>      ><br>>      ><br>>      > From: Rich Megginson <rmeggins@redhat.com><br>>      > Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA<br>>      > To: "nasir nasir" <kollathodi@yahoo.com><br>>      > Cc: freeipa-users@redhat.com, fasilkaks@gmail.com<br>>      > Date: Tuesday, January 3, 2012, 7:41 AM<br>>      ><br>>      > On 01/03/2012 12:52 AM, nasir nasir wrote:<br>>      >> Hi,<br>>
 >><br>>      >> I am facing a serious issue with my production IPA server. When I<br>>      >> try to access IPA web interface using Firefox, it hangs and<br>>      >> doesn't allow me to get in. It seems to be due to expired SSL<br>>      >> certificate as seen in the apache log file,<br>>      >><br>>      >><br>>      >> [Tue Jan 03 10:34:08 2012] [error] Certificate not verified:<br>>      >> 'Server-Cert'<br>>      >> [Tue Jan 03 10:34:08 2012] [error] SSL Library Error: -8181<br>>      >> Certificate has expired<br>>      >> [Tue Jan 03 10:34:08 2012] [error] Unable to verify certificate<br>>      >> 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf
 so the<br>>      >> server can start until the problem can be resolved.<br>>      >> [Tue Jan 03 10:34:08 2012] [error] Certificate not verified:<br>>      >> 'Server-Cert'<br>>      >><br>>      >><br>>      >> Also, when I try to use the command line (ipa user-mod or<br>>      >> user-show commands) it too just hangs and doesn't give any output<br>>      >> or allow me for any input. I can see the following in krb5kdc.log ,<br>>      >><br>>      >> Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2426](info): preauth<br>>      >> (timestamp) verify failure: Decrypt integrity check failed<br>>      >> Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2426](info): AS_REQ
 (4<br>>      >> etypes {18 17 16 23}) 192.168.1.10: PREAUTH_FAILED:<br>>      >> host/xxxxx.xxxxx.com@XXXXXX.COM for<br>>      >> krbtgt/XXXXXX.COM@XXXXXX.COM, Decrypt integrity<br>>      >> check failed<br>>      >> Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2429](info): AS_REQ (4<br>>      >> etypes {18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH:<br>>      >> host/xxxx.xxxxx.com@XXXXX.COM for<br>>      >> krbtgt/XXXXXX.COM@XXXXXX.COM, Additional<br>>      >> pre-authentication required<br>>      >><br>>      >><br>>      >> The output of "certutil -L -d /etc/httpd/alias -n Server-Cert"<br>>      >> confirms that certificate is expired as given below.<br>>      >><br>>      >> Certificate:<br>>      >> Data:<br>>      >> Version: 3 (0x2)<br>>      >> Serial Number: 10 (0xa)<br>>      >> Signature Algorithm: PKCS #1
 SHA-256 With RSA Encryption<br>>      >> Issuer: "CN=Certificate Authority,O=XXXXXX.COM"<br>>      >> Validity:<br>>      >> Not Before: Sun Jun 19 11:27:20 2011<br>>      >> Not After : Fri Dec 16 11:27:20 2011<br>>      >><br>>      >><br>>      >> Relevant info<br>>      >><br>>      >> OS: RHEL 6.1<br>>      >><br>>      >><br>>      >> Output of rpm -qa | grep ipa<br>>      >><br>>      >> ipa-client-2.0.0-23.el6.i686<br>>      >> ipa-pki-ca-theme-9.0.3-6.el6.noarch<br>>      >> ipa-pki-common-theme-9.0.3-6.el6.noarch<br>>      >>
 device-mapper-multipath-libs-0.4.9-41.el6.i686<br>>      >> python-iniparse-0.3.1-2.1.el6.noarch<br>>      >> ipa-python-2.0.0-23.el6.i686<br>>      >> ipa-server-selinux-2.0.0-23.el6.i686<br>>      >> ipa-server-2.0.0-23.el6.i686<br>>      >> device-mapper-multipath-0.4.9-41.el6.i686<br>>      >> ipa-admintools-2.0.0-23.el6.i686<br>>      >><br>>      >><br>>      >> I went through the documentations to check how to renew the<br>>      >> expired certs but it seems to be confusing and different across<br>>      >> versions. Could someone please help me out by suggesting which is<br>>      >> the best way to achieve this ? Any help would be greatly<br>>   
   >> appreciated as I am unable to perform any task on the IPA server<br>>      >> now because of this.<br>>      >><br>>      > I suggest following the mod_nss suggestion to allow it to start and<br>>      > use the expired cert while you attempt to figure this out.<br>>      ><br>>      > Thanks indeed for the suggestion. I will consider this. But can<br>>      > anyone point me to the steps to renew the certificate from the expired one?<br>>      ><br>>      > Thanks and regards,<br>>      > Nidal<br>><br>>     Let's start with figuring out why certmonger didn't do this for you:<br>><br>>     Can you run as root: ipa-getcert list<br>><br>>     You should
 have something like:<br>><br>>     Request ID '20111215203350':<br>>     status: MONITORING<br>>     stuck: no<br>>     key pair storage:<br>>     type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>><br>>     Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>>     certificate:<br>>     type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>><br>>     Certificate DB'<br>>     CA: IPA<br>>     issuer: CN=EXAMPLE.COM Certificate Authority<br>>     subject: CN=rawhide.example.com,O=EXAMPLE.COM<br>>     expires: 2021-12-15 20:33:50 UTC<br>>     track: yes<br>> 
    auto-renew: yes<br>><br>>     If you don't have something like this then perhaps the easiest way to<br>>     get it renewed is to tell certmonger to track it. First, look at your<br>>     current database, it should look something like:<br>><br>>     # certutil -L -d /etc/httpd/alias<br>><br>>     Server-Cert u,u,u<br>>     EXAMPLE.COM IPA CA CTu,u,Cu<br>>     Signing-Cert u,u,u<br>><br>>     Now track it<br>><br>>     # ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert<br>><br>>     Use ipa-getcert list to track the status of the renewal. Once it has<br>>     been completed you can reset the EnforceValidCerts option and restart<br>> 
    Apache.<br>><br>>     If certmonger is already tracking the cert and the renewal has failed<br>>     then please provide the ipa-getcert list output.<br>><br>>     rob<br>><br><br></div></blockquote></div></td></tr></table>
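The checks Rob walks through above (read the keytab, kinit with the host principal, watch the ca-error in ipa-getcert list) as a small diagnostic script added here; it is not code from the thread or from FreeIPA, assumes the RHEL 6 tool names used in the thread, and the two sample listings embedded in it are constructed.

```shell
#!/bin/sh
# Added diagnostic helper, not code from the thread: parsers for the two tool
# outputs Rob asks for (ipa-getcert list, klist -kt) plus a live kinit probe.
# Parsers read stdin so they run on captured text; the probe needs "run".
# One "<request id><TAB><ca-error>" line per tracked request that reports a
# ca-error. Input: output of "ipa-getcert list".
getcert_failures() {
    awk '
        /^Request ID/ { id = $0; gsub(/[^0-9]/, "", id) }
        /^[[:space:]]*ca-error:/ {
            sub(/^[[:space:]]*ca-error:[[:space:]]*/, "")
            print id "\t" $0
        }'
}
# Distinct principals in a keytab listing. klist -kt prints one row per
# enctype, which is why each principal appears several times in the thread.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u
}
# Try a TGT for every host/ principal in the keytab, in a private credential
# cache so the caller's tickets are untouched. "FAIL" with "Password incorrect"
# means the keytab key no longer matches the KDC, which is exactly the state
# in which certmonger cannot set up its ccache either.
check_host_principals() {
    keytab=${1:-/etc/krb5.keytab}
    KRB5CCNAME=FILE:$(mktemp); export KRB5CCNAME
    klist -kt "$keytab" | keytab_principals | grep '^host/' | while read -r p; do
        if kinit -kt "$keytab" "$p" 2>/dev/null; then echo "OK   $p"
        else echo "FAIL $p"; fi
    done
    kdestroy 2>/dev/null; rm -f "${KRB5CCNAME#FILE:}"
}

# Constructed sample output, modelled on the listings quoted in the thread.
SAMPLE_GETCERT="Number of certificates and requests being tracked: 2.
Request ID '20110619112648':
    status: MONITORING
    ca-error: Error setting up ccache for local \"host\" service using default keytab.
    stuck: no
Request ID '20111215203350':
    status: MONITORING
    stuck: no"
SAMPLE_KLIST="Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------
   2 06/19/11 14:27:17 host/ipa.example.com@EXAMPLE.COM
   2 06/19/11 14:27:17 host/ipa.example.com@EXAMPLE.COM
   6 06/20/11 09:09:12 nfs/ipa.example.com@EXAMPLE.COM"
case "${1:-}" in
    run) ipa-getcert list | getcert_failures; check_host_principals "${2:-}" ;;
    *)   printf '%s\n' "$SAMPLE_GETCERT" | getcert_failures
         printf '%s\n' "$SAMPLE_KLIST" | keytab_principals ;;
esac
```

Without arguments the script only parses the embedded samples; `sh script.sh run [keytab]` runs the real tools on the host, which needs root to read /etc/krb5.keytab.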