<div dir="ltr">Hi Rob,<div><br></div><div>I tried doing that earlier, but it fails because of a named error.</div><div><br></div><div>Output of /var/log/messages:</div><div><div>Jul 31 14:06:04 ipa01 named[22866]: Failed to init credentials (Clock skew too great)</div>
<div>Jul 31 14:06:04 ipa01 named[22866]: loading configuration: failure</div><div>Jul 31 14:06:04 ipa01 named[22866]: exiting (due to fatal error)</div><div>Jul 31 14:06:05 ipa01 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_494' not found)</div>
</div><div><br></div><div>------------------</div><div><div>[root@ipa01 ~]# service ntpd status</div><div>ntpd is stopped</div><div>[root@ipa01 ~]# ipactl start</div><div>Starting Directory Service</div><div>Starting dirsrv:</div>
<div> EXAMPLE-COM... [ OK ]</div><div> PKI-IPA... [ OK ]</div><div>Starting KDC Service</div><div>Starting Kerberos 5 KDC: [ OK ]</div>
<div>Starting KPASSWD Service</div><div>Starting Kerberos 5 Admin Server: [ OK ]</div><div>Starting DNS Service</div><div>Starting named: [FAILED]</div>
<div>Failed to start DNS Service</div><div>Shutting down</div><div>Stopping Kerberos 5 KDC: [ OK ]</div><div>Stopping Kerberos 5 Admin Server: [ OK ]</div><div>
Stopping named: [ OK ]</div><div>Stopping httpd: [FAILED]</div><div>Stopping pki-ca: [ OK ]</div>
<div>Shutting down dirsrv:</div><div> EXAMPLE-COM... [ OK ]</div><div> PKI-IPA... [ OK ]</div><div>Aborting ipactl</div></div><div><br>
</div><div>Thanks,</div><div>Ketan</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Aug 6, 2014 at 1:54 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">ketan mehta wrote:<br>
> Hi All,<br>
><br>
> I'm facing a strange problem: my IPA master server's HTTP Server-Cert<br>
> has expired and I'm not able to renew it. Would you please help me<br>
> resolve it.<br>
><br>
> [root@ipa01 ~]# getcert list<br>
> Number of certificates and requests being tracked: 9.<br>
> Request ID '20120731123222':<br>
> status: CA_UNREACHABLE<br>
> ca-error: Server failed request, will retry: -504 (libcurl<br>
> failed to execute the HTTP POST transaction. couldn't connect to host).<br>
> stuck: yes<br>
> key pair storage:<br>
> type=NSSDB,location='/etc/dirsrv/slapd-BIGDATA-BSKYB-COM',nickname='Server-Cert',token='NSS<br>
> Certificate DB',pinfile='/etc/dirsrv/slapd-BIGDATA-BSKYB-COM/pwdfile.txt'<br>
> certificate:<br>
> type=NSSDB,location='/etc/dirsrv/slapd-BIGDATA-BSKYB-COM',nickname='Server-Cert',token='NSS<br>
> Certificate DB'<br>
> CA: IPA<br>
</div>> issuer: CN=Certificate Authority,O=EXAMPLE.COM<br>
> subject: CN=ipa01.EXAMPLE.COM,O=EXAMPLE.COM<br>
<div class="">> expires: 2014-08-01 12:32:21 UTC<br>
> eku: id-kp-serverAuth,id-kp-clientAuth<br>
> pre-save command:<br>
> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv BIGDATA-BSKYB-COM<br>
> track: yes<br>
> auto-renew: yes<br>
> Request ID '20120731123240':<br>
> status: CA_UNREACHABLE<br>
> ca-error: Server failed request, will retry: -504 (libcurl<br>
> failed to execute the HTTP POST transaction. couldn't connect to host).<br>
> stuck: yes<br>
> key pair storage:<br>
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>
> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'<br>
> certificate:<br>
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>
> Certificate DB'<br>
> CA: IPA<br>
</div>> issuer: CN=Certificate Authority,O=EXAMPLE.COM<br>
> subject: CN=ipa01.EXAMPLE.COM,O=EXAMPLE.COM<br>
<div class="">> expires: 2014-08-01 12:32:40 UTC<br>
> eku: id-kp-serverAuth,id-kp-clientAuth<br>
> pre-save command:<br>
> post-save command:<br>
> track: yes<br>
> auto-renew: yes<br>
> Request ID '20120731123255':<br>
> status: CA_UNREACHABLE<br>
> ca-error: Server failed request, will retry: -504 (libcurl<br>
> failed to execute the HTTP POST transaction. couldn't connect to host).<br>
> stuck: yes<br>
> key pair storage:<br>
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
> certificate:<br>
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>
> Certificate DB'<br>
> CA: IPA<br>
</div>> issuer: CN=Certificate Authority,O=EXAMPLE.COM<br>
> subject: CN=ipa01.EXAMPLE.COM,O=EXAMPLE.COM<br>
<div class="">> expires: 2014-08-01 12:32:55 UTC<br>
> eku: id-kp-serverAuth,id-kp-clientAuth<br>
> pre-save command:<br>
> post-save command: /usr/lib64/ipa/certmonger/restart_httpd<br>
> track: yes<br>
> auto-renew: yes<br>
> Request ID '20130315142330':<br>
> status: MONITORING<br>
> stuck: no<br>
> key pair storage:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert<br>
> cert-pki-ca',token='NSS Certificate DB',pin='625466584922'<br>
> certificate:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert<br>
> cert-pki-ca',token='NSS Certificate DB'<br>
> CA: dogtag-ipa-renew-agent<br>
</div>> issuer: CN=Certificate Authority,O=EXAMPLE.COM<br>
> subject: CN=CA Audit,O=EXAMPLE.COM<br>
<div class="">> expires: 2016-06-12 15:06:33 UTC<br>
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br>
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert<br>
> "auditSigningCert cert-pki-ca"<br>
> track: yes<br>
> auto-renew: yes<br>
> Request ID '20130315142331':<br>
> status: MONITORING<br>
> stuck: no<br>
> key pair storage:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert<br>
> cert-pki-ca',token='NSS Certificate DB',pin='625466584922'<br>
> certificate:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert<br>
> cert-pki-ca',token='NSS Certificate DB'<br>
> CA: dogtag-ipa-renew-agent<br>
</div>> issuer: CN=Certificate Authority,O=EXAMPLE.COM<br>
> subject: CN=OCSP Subsystem,O=EXAMPLE.COM<br>
<div class="">> expires: 2016-06-12 15:05:33 UTC<br>
> eku: id-kp-OCSPSigning<br>
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br>
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert<br>
> "ocspSigningCert cert-pki-ca"<br>
> track: yes<br>
> auto-renew: yes<br>
> Request ID '20130315142332':<br>
> status: MONITORING<br>
> stuck: no<br>
> key pair storage:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert<br>
> cert-pki-ca',token='NSS Certificate DB',pin='625466584922'<br>
> certificate:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert<br>
> cert-pki-ca',token='NSS Certificate DB'<br>
> CA: dogtag-ipa-renew-agent<br>
</div>> issuer: CN=Certificate Authority,O=EXAMPLE.COM<br>
> subject: CN=CA Subsystem,O=EXAMPLE.COM<br>
<div class="">> expires: 2016-06-12 15:05:33 UTC<br>
> eku: id-kp-serverAuth,id-kp-clientAuth<br>
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br>
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert<br>
> "subsystemCert cert-pki-ca"<br>
> track: yes<br>
> auto-renew: yes<br>
> Request ID '20130315142333':<br>
> status: MONITORING<br>
> stuck: no<br>
> key pair storage:<br>
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS<br>
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
> certificate:<br>
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS<br>
> Certificate DB'<br>
> CA: dogtag-ipa-renew-agent<br>
</div>> issuer: CN=Certificate Authority,O=EXAMPLE.COM<br>
> subject: CN=IPA RA,O=EXAMPLE.COM<br>
<div class="">> expires: 2016-06-12 15:05:33 UTC<br>
> eku: id-kp-serverAuth,id-kp-clientAuth<br>
> pre-save command:<br>
> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert<br>
> track: yes<br>
> auto-renew: yes<br>
> Request ID '20130315142334':<br>
> status: MONITORING<br>
> stuck: no<br>
> key pair storage:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert<br>
> cert-pki-ca',token='NSS Certificate DB',pin='625466584922'<br>
> certificate:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert<br>
> cert-pki-ca',token='NSS Certificate DB'<br>
> CA: dogtag-ipa-renew-agent<br>
</div>> issuer: CN=Certificate Authority,O=EXAMPLE.COM<br>
> subject: CN=ipa01.EXAMPLE.COM,O=EXAMPLE.COM<br>
<div><div class="h5">> expires: 2016-06-12 15:05:33 UTC<br>
> eku: id-kp-serverAuth,id-kp-clientAuth<br>
> pre-save command:<br>
> post-save command:<br>
> track: yes<br>
> auto-renew: yes<br>
> Request ID '20140805110726':<br>
> status: CA_UNREACHABLE<br>
> ca-error: Server failed request, will retry: -504 (libcurl<br>
> failed to execute the HTTP POST transaction. couldn't connect to host).<br>
> stuck: yes<br>
> key pair storage:<br>
> type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS<br>
> Certificate DB'<br>
> certificate:<br>
> type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'<br>
> CA: IPA<br>
> issuer:<br>
> subject:<br>
> expires: unknown<br>
> pre-save command:<br>
> post-save command:<br>
> track: yes<br>
> auto-renew: yes<br>
><br>
> [root@ipa01 ~]# ipactl start<br>
> Starting Directory Service<br>
> Starting dirsrv:<br>
> EXAMPLE-COM...[06/Aug/2014:09:39:50 +0100] - SSL alert:<br>
> CERT_VerifyCertificateNow: verify certificate failed for cert<br>
> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable<br>
> Runtime error -8181 - Peer's Certificate has expired.)<br>
> [ OK ]<br>
> PKI-IPA...[06/Aug/2014:09:39:52 +0100] - SSL alert:<br>
> CERT_VerifyCertificateNow: verify certificate failed for cert<br>
> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable<br>
> Runtime error -8181 - Peer's Certificate has expired.)<br>
> [ OK ]<br>
> Starting KDC Service<br>
> Starting Kerberos 5 KDC: [ OK ]<br>
> Starting KPASSWD Service<br>
> Starting Kerberos 5 Admin Server: [ OK ]<br>
> Starting DNS Service<br>
> Starting named: [ OK ]<br>
> Starting MEMCACHE Service<br>
> Starting ipa_memcached: [ OK ]<br>
> Starting HTTP Service<br>
> Starting httpd: [FAILED]<br>
> Failed to start HTTP Service<br>
> Shutting down<br>
> Stopping Kerberos 5 KDC: [ OK ]<br>
> Stopping Kerberos 5 Admin Server: [ OK ]<br>
> Stopping named: . [ OK ]<br>
> Stopping ipa_memcached: [ OK ]<br>
> Stopping httpd: [FAILED]<br>
> Stopping pki-ca: [ OK ]<br>
> Shutting down dirsrv:<br>
> EXAMPLE-COM... [ OK ]<br>
> PKI-IPA... [ OK ]<br>
> Aborting ipactl<br>
><br>
> I'm running ipa-server-3.0.0-26.el6_4.2.x86_64<br>
><br>
> Let me know if you need any further information.<br>
<br>
</div></div>The easiest thing to do would be to roll back time to 7/31 and restart<br>
certmonger. It's hard to say why they didn't renew already as the CA<br>
subsystem certificates appear to have renewed ok.<br>
<span class="HOEnZb"><font color="#888888"><br>
rob<br>
</font></span></blockquote></div><br></div>
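As an added example (not code from this thread, nor from the FreeIPA or certmonger projects), the script below parses the text format that `getcert list` prints, as quoted in the original mail, and reports every tracking request that is stuck, not in MONITORING state, already expired, or close to expiry; it also labels the syslog lines from the follow-up (Kerberos clock skew, expired peer certificate, missing credential cache) so the two symptoms can be correlated. The sample input is constructed from the output shown in the thread; the reference time of 2014-08-06, the 30-day warning window, and the label names are assumptions.

```python
"""Triage helper for certmonger tracking requests and related syslog lines.

Added example; not code from the FreeIPA/certmonger projects or from the
thread's authors. Sample data below is constructed from the thread.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':\s*$")
NICK_RE = re.compile(r"nickname='(?P<nick>[^']*)'")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"   # format getcert uses for "expires:"

# Constructed sample, modelled on the `getcert list` output quoted in the thread.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 3.
Request ID '20120731123255':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. couldn't connect to host).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    expires: 2014-08-01 12:32:55 UTC
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
Request ID '20130315142333':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    expires: 2016-06-12 15:05:33 UTC
Request ID '20140805110726':
    status: CA_UNREACHABLE
    stuck: yes
    certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
    CA: IPA
    expires: unknown
"""

# Constructed log lines, taken from the messages quoted in the thread.
SAMPLE_LOG = [
    "Jul 31 14:06:04 ipa01 named[22866]: Failed to init credentials (Clock skew too great)",
    "Jul 31 14:06:05 ipa01 ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_494' not found)",
    "[06/Aug/2014:09:39:50 +0100] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)",
]

# Assumed label names for the three failure signatures seen in the thread.
LOG_PATTERNS = [
    (re.compile(r"Clock skew too great"), "kerberos-clock-skew"),
    (re.compile(r"Peer's Certificate has expired"), "tls-cert-expired"),
    (re.compile(r"Credentials cache file '[^']*' not found"), "krb5-ccache-missing"),
]


def parse_getcert_list(text):
    """Split `getcert list` output into one dict of field -> value per request."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group("id")}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue                      # header line before the first request
        key, _, value = line.partition(":")   # keys never contain ':'; values may
        current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """Return an aware UTC datetime, or None for 'unknown'/missing."""
    if not value or value == "unknown":
        return None
    return datetime.strptime(value, EXPIRES_FMT).replace(tzinfo=timezone.utc)


def nickname_of(req):
    m = NICK_RE.search(req.get("certificate", ""))
    return m.group("nick") if m else "?"


def triage(requests, now, warn_within=timedelta(days=30)):
    """Return (request_id, nickname, reasons) for each request needing attention."""
    findings = []
    for req in requests:
        reasons = []
        status = req.get("status", "")
        if status != "MONITORING":
            reasons.append(f"status {status}")
        if req.get("stuck") == "yes":
            reasons.append("stuck: " + req.get("ca-error", "no ca-error recorded"))
        expires = parse_expiry(req.get("expires"))
        if expires is None:
            reasons.append("expiry unknown (no certificate issued yet)")
        elif expires <= now:
            reasons.append(f"expired {(now - expires).days} days ago")
        elif expires - now <= warn_within:
            reasons.append(f"expires in {(expires - now).days} days")
        if reasons:
            findings.append((req["request_id"], nickname_of(req), reasons))
    return findings


def classify_log_line(line):
    """Label a syslog line with the failure signature it matches, or None."""
    for pattern, label in LOG_PATTERNS:
        if pattern.search(line):
            return label
    return None


if __name__ == "__main__":
    # Read real `getcert list` output from a pipe; fall back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCERT
    now = datetime.now(timezone.utc) if not sys.stdin.isatty() else datetime(2014, 8, 6, 12, 0, tzinfo=timezone.utc)
    for rid, nick, reasons in triage(parse_getcert_list(text), now):
        print(f"{rid} ({nick}):")
        for r in reasons:
            print("   -", r)
    for line in SAMPLE_LOG:
        print(classify_log_line(line), "<-", line[:60])
```

On a live server the script is read-only: `getcert list | python3 getcert_triage.py` only inspects certmonger's own report. The reason a "clock skew" label is worth surfacing next to the expiry findings is the failure mode in the reply above: moving the system clock back to let an expired certificate renew puts the host outside the KDC's skew tolerance, so Kerberos-authenticated services such as named fail to obtain credentials until the clock and ntpd are restored.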