<div dir="ltr">Hi All,<div><br></div><div>I'm facing a strange problem: my IPA master server's HTTP Server-Cert has expired and I'm not able to renew it. Would you please help me resolve it?</div><div><br></div>
<div><div>[root@ipa01 ~]# getcert list</div><div>Number of certificates and requests being tracked: 9.</div><div>Request ID '20120731123222':</div><div> status: CA_UNREACHABLE</div><div> ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. couldn't connect to host).</div>
<div> stuck: yes</div><div> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-BIGDATA-BSKYB-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-BIGDATA-BSKYB-COM/pwdfile.txt'</div>
<div> certificate: type=NSSDB,location='/etc/dirsrv/slapd-BIGDATA-BSKYB-COM',nickname='Server-Cert',token='NSS Certificate DB'</div><div> CA: IPA</div><div> issuer: CN=Certificate Authority,O=<a href="http://EXAMPLE.COM">EXAMPLE.COM</a></div>
<div> subject: CN=<a href="http://ipa01.EXAMPLE.COM">ipa01.EXAMPLE.COM</a>,O=<a href="http://EXAMPLE.COM">EXAMPLE.COM</a></div><div> expires: 2014-08-01 12:32:21 UTC</div><div> eku: id-kp-serverAuth,id-kp-clientAuth</div>
<div> pre-save command:</div><div> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv BIGDATA-BSKYB-COM</div><div> track: yes</div><div> auto-renew: yes</div><div>Request ID '20120731123240':</div>
<div> status: CA_UNREACHABLE</div><div> ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. couldn't connect to host).</div><div> stuck: yes</div>
<div> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'</div><div> certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'</div>
<div> CA: IPA</div><div> issuer: CN=Certificate Authority,O=<a href="http://EXAMPLE.COM">EXAMPLE.COM</a></div><div> subject: CN=<a href="http://ipa01.EXAMPLE.COM">ipa01.EXAMPLE.COM</a>,O=<a href="http://EXAMPLE.COM">EXAMPLE.COM</a></div>
<div> expires: 2014-08-01 12:32:40 UTC</div><div> eku: id-kp-serverAuth,id-kp-clientAuth</div><div> pre-save command:</div><div> post-save command:</div><div> track: yes</div><div> auto-renew: yes</div>
<div>Request ID '20120731123255':</div><div> status: CA_UNREACHABLE</div><div> ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. couldn't connect to host).</div>
<div> stuck: yes</div><div> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'</div>
<div> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'</div><div> CA: IPA</div><div> issuer: CN=Certificate Authority,O=<a href="http://EXAMPLE.COM">EXAMPLE.COM</a></div>
<div> subject: CN=<a href="http://ipa01.EXAMPLE.COM">ipa01.EXAMPLE.COM</a>,O=<a href="http://EXAMPLE.COM">EXAMPLE.COM</a></div><div> expires: 2014-08-01 12:32:55 UTC</div><div> eku: id-kp-serverAuth,id-kp-clientAuth</div>
<div> pre-save command:</div><div> post-save command: /usr/lib64/ipa/certmonger/restart_httpd</div><div> track: yes</div><div> auto-renew: yes</div><div>Request ID '20130315142330':</div>
<div> status: MONITORING</div><div> stuck: no</div><div> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='625466584922'</div>
<div> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'</div><div> CA: dogtag-ipa-renew-agent</div><div> issuer: CN=Certificate Authority,O=<a href="http://EXAMPLE.COM">EXAMPLE.COM</a></div>
<div> subject: CN=CA Audit,O=<a href="http://EXAMPLE.COM">EXAMPLE.COM</a></div><div> expires: 2016-06-12 15:06:33 UTC</div><div> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad</div><div> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"</div>
<div> track: yes</div><div> auto-renew: yes</div><div>Request ID '20130315142331':</div><div> status: MONITORING</div><div> stuck: no</div><div> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='625466584922'</div>
<div> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'</div><div> CA: dogtag-ipa-renew-agent</div><div> issuer: CN=Certificate Authority,O=<a href="http://EXAMPLE.COM">EXAMPLE.COM</a></div>
<div> subject: CN=OCSP Subsystem,O=<a href="http://EXAMPLE.COM">EXAMPLE.COM</a></div><div> expires: 2016-06-12 15:05:33 UTC</div><div> eku: id-kp-OCSPSigning</div><div> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad</div>
<div> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"</div><div> track: yes</div><div> auto-renew: yes</div><div>Request ID '20130315142332':</div>
<div> status: MONITORING</div><div> stuck: no</div><div> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='625466584922'</div>
<div> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'</div><div> CA: dogtag-ipa-renew-agent</div><div> issuer: CN=Certificate Authority,O=<a href="http://EXAMPLE.COM">EXAMPLE.COM</a></div>
<div> subject: CN=CA Subsystem,O=<a href="http://EXAMPLE.COM">EXAMPLE.COM</a></div><div> expires: 2016-06-12 15:05:33 UTC</div><div> eku: id-kp-serverAuth,id-kp-clientAuth</div><div> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad</div>
<div> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"</div><div> track: yes</div><div> auto-renew: yes</div><div>Request ID '20130315142333':</div>
<div> status: MONITORING</div><div> stuck: no</div><div> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'</div>
<div> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'</div><div> CA: dogtag-ipa-renew-agent</div><div> issuer: CN=Certificate Authority,O=<a href="http://EXAMPLE.COM">EXAMPLE.COM</a></div>
<div> subject: CN=IPA RA,O=<a href="http://EXAMPLE.COM">EXAMPLE.COM</a></div><div> expires: 2016-06-12 15:05:33 UTC</div><div> eku: id-kp-serverAuth,id-kp-clientAuth</div><div> pre-save command:</div>
<div> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert</div><div> track: yes</div><div> auto-renew: yes</div><div>Request ID '20130315142334':</div><div> status: MONITORING</div>
<div> stuck: no</div><div> key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='625466584922'</div>
<div> certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'</div><div> CA: dogtag-ipa-renew-agent</div><div> issuer: CN=Certificate Authority,O=<a href="http://EXAMPLE.COM">EXAMPLE.COM</a></div>
<div> subject: CN=<a href="http://ipa01.EXAMPLE.COM">ipa01.EXAMPLE.COM</a>,O=<a href="http://EXAMPLE.COM">EXAMPLE.COM</a></div><div> expires: 2016-06-12 15:05:33 UTC</div><div> eku: id-kp-serverAuth,id-kp-clientAuth</div>
<div> pre-save command:</div><div> post-save command:</div><div> track: yes</div><div> auto-renew: yes</div><div>Request ID '20140805110726':</div><div> status: CA_UNREACHABLE</div>
<div> ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. couldn't connect to host).</div><div> stuck: yes</div><div> key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'</div>
<div> certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'</div><div> CA: IPA</div><div> issuer:</div><div> subject:</div><div> expires: unknown</div>
<div> pre-save command:</div><div> post-save command:</div><div> track: yes</div><div> auto-renew: yes</div></div><div><br></div><div><div>[root@ipa01 ~]# ipactl start</div><div>Starting Directory Service</div>
<div>Starting dirsrv:</div><div> EXAMPLE-COM...[06/Aug/2014:09:39:50 +0100] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)</div>
<div> [ OK ]</div><div> PKI-IPA...[06/Aug/2014:09:39:52 +0100] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)</div>
<div> [ OK ]</div><div>Starting KDC Service</div><div>Starting Kerberos 5 KDC: [ OK ]</div><div>Starting KPASSWD Service</div>
<div>Starting Kerberos 5 Admin Server: [ OK ]</div><div>Starting DNS Service</div><div>Starting named: [ OK ]</div><div>Starting MEMCACHE Service</div>
<div>Starting ipa_memcached: [ OK ]</div><div>Starting HTTP Service</div><div>Starting httpd: [FAILED]</div><div>Failed to start HTTP Service</div>
<div>Shutting down</div><div>Stopping Kerberos 5 KDC: [ OK ]</div><div>Stopping Kerberos 5 Admin Server: [ OK ]</div><div>Stopping named: . [ OK ]</div>
<div>Stopping ipa_memcached: [ OK ]</div><div>Stopping httpd: [FAILED]</div><div>Stopping pki-ca: [ OK ]</div>
<div>Shutting down dirsrv:</div><div> EXAMPLE-COM... [ OK ]</div><div> PKI-IPA... [ OK ]</div><div>Aborting ipactl</div></div><div><br>
</div><div>I'm running ipa-server-3.0.0-26.el6_4.2.x86_64</div><div><br></div><div>Let me know if you need any further information.</div><div><br>Thanks,</div><div>Ketan</div></div>