<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 05/28/2014 10:40 AM, David
Fitzgerald wrote:<br>
</div>
<blockquote
cite="mid:958EF916EB06874283F9B8F820726DD3242889E2@FSMB1.muad.local"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<style id="owaParaStyle" type="text/css">P {margin-top:0;margin-bottom:0;}</style>
<div style="direction: ltr;font-family: Tahoma;color:
#000000;font-size: 10pt;"><font size="3">Hello,<br>
<br>
        My FreeIPA server stopped working over the weekend due to what
looks like expired certificates. I am running ipa-server 3.0
and thought these certs were automatically renewed. I am no
expert at KDC / IPA and any help you can give is greatly
appreciated.
<br>
<br>
When I try to start the ipa service on my server I get:</font><br>
<br>
root@aurora ~]# /sbin/service ipa start<br>
Starting Directory Service<br>
Starting dirsrv:<br>
LINUX-DIRSRV-LOCAL...[28/May/2014:10:23:33 -0400] - SSL
alert: CERT_VerifyCertificateNow: verify certificate failed for
cert Server-Cert of family cn=RSA,cn=encryption,cn=config
(Netscape Portable Runtime error -8181 - Peer's Certificate has
expired.)<br>
[
OK ]<br>
PKI-IPA...[28/May/2014:10:23:34 -0400] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert
Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
Portable Runtime error -8181 - Peer's Certificate has expired.)<br>
[
OK ]<br>
Starting KDC Service<br>
Starting Kerberos 5 KDC: [
OK ]<br>
Starting KPASSWD Service<br>
Starting Kerberos 5 Admin Server: [
OK ]<br>
Starting MEMCACHE Service<br>
Starting ipa_memcached: [
OK ]<br>
Starting HTTP Service<br>
Starting httpd: [Wed May 28 10:23:36 2014] [warn] _default_
VirtualHost overlap on port 443, the first has precedence<br>
[FAILED]<br>
Failed to start HTTP Service<br>
Shutting down<br>
Stopping Kerberos 5 KDC: [
OK ]<br>
Stopping Kerberos 5 Admin Server: [
OK ]<br>
Stopping ipa_memcached: [
OK ]<br>
Stopping httpd:
[FAILED]<br>
Stopping pki-ca: [
OK ]<br>
Shutting down dirsrv:<br>
LINUX-DIRSRV-LOCAL... [
OK ]<br>
PKI-IPA... [
OK ]<br>
Aborting ipactl<br>
<br>
<font size="3">Of course kinit also fails with: </font>kinit:
Cannot contact any KDC for realm 'LINUX.DIRSRV.LOCAL' while
getting initial credentials<br>
<br>
<font size="3">Can someone help me get back on my feet? Luckily
there are not many students around in the summer so I just
have 20 annoyed faculty instead of 200 annoyed students to
placate.<br>
<br>
Thanks!<br>
</font></div>
</blockquote>
<br>
Usually that happens when you do not have the original master any
more. Is this the case for you?<br>
<font size="3">Have you looked at
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/IPA_2x_Certificate_Renewal">http://www.freeipa.org/page/IPA_2x_Certificate_Renewal</a> ?<br>
<br>
<br>
</font>
<blockquote
cite="mid:958EF916EB06874283F9B8F820726DD3242889E2@FSMB1.muad.local"
type="cite">
<div style="direction: ltr;font-family: Tahoma;color:
#000000;font-size: 10pt;"><font size="3">
<br>
<br>
<br>
-----------------------------------------------<br>
David Fitzgerald<br>
Adjunct Professor<br>
Department of Earth Sciences<br>
Millersville University <br>
Millersville, PA 17551<br>
<br>
E-mail: <a class="moz-txt-link-abbreviated" href="mailto:david.fitzgerald@millersville.edu">david.fitzgerald@millersville.edu</a><br>
PH: 717-871-2394<br>
</font><br>
</div>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
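<br>
Added example, not part of the original thread and not FreeIPA project code: a small triage script that reads start-up output like the one quoted above and reports which directory server instances logged a certificate verification failure and which services then failed to start. The function name <code>triage</code> and the short NSS error table are assumptions made for this illustration.<br>
<br>
<pre>
```python
import re
from datetime import datetime

# Start-up output taken from the post above, abbreviated, with its mail line wrapping.
SAMPLE = """Starting dirsrv:
LINUX-DIRSRV-LOCAL...[28/May/2014:10:23:33 -0400] - SSL
alert: CERT_VerifyCertificateNow: verify certificate failed for
cert Server-Cert of family cn=RSA,cn=encryption,cn=config
(Netscape Portable Runtime error -8181 - Peer's Certificate has
expired.)
[ OK ]
PKI-IPA...[28/May/2014:10:23:34 -0400] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert
Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
Portable Runtime error -8181 - Peer's Certificate has expired.)
[ OK ]
Starting httpd: [FAILED]
Failed to start HTTP Service
"""

# NSS error codes (SEC_ERROR_BASE is -8192); only a few relevant ones are listed.
NSS_ERRORS = {
    -8181: "SEC_ERROR_EXPIRED_CERTIFICATE",
    -8162: "SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE",
    -8179: "SEC_ERROR_UNKNOWN_ISSUER",
}

ALERT = re.compile(
    r"([\w-]+)\.\.\.\[([^\]]+)\] - SSL alert: CERT_VerifyCertificateNow: "
    r"verify certificate failed for cert (\S+) of family \S+ "
    r"\(Netscape Portable Runtime error (-?\d+) - ([^)]+)\)")

def triage(text):
    """Return (certificate findings, services that failed to start)."""
    flat = " ".join(text.split())  # undo terminal and mail line wrapping
    findings = []
    for inst, ts, nick, code, msg in ALERT.findall(flat):
        findings.append({
            "instance": inst,
            "when": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "nickname": nick,
            "nss_error": NSS_ERRORS.get(int(code), "unknown (%s)" % code),
            "message": msg,
        })
    failed = re.findall(r"Failed to start (.+?) Service", flat)
    return findings, failed

if __name__ == "__main__":
    print(triage(SAMPLE))
```
</pre>
On the sample it reports the same expired Server-Cert nickname for both the LINUX-DIRSRV-LOCAL and PKI-IPA instances, even though each instance printed OK, and HTTP as the service that failed to start.<br>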
</body>
</html>