<div dir="ltr"><div><div><div><div><div>I set the date-time when the certificates were valid :<br>###<br># date -s '2016-05-27 10:00:00'<br>Fri May 27 10:00:00 CEST 2016<br><br># date<br>Fri May 27 10:00:02 CEST 2016<br>###<br><br></div>Then I try to renew them :<br>###<br># getcert resubmit -i 20140528063919<br>Resubmitting "20140528063919" to "IPA".<br><br># getcert resubmit -i 20140528064145<br>Resubmitting "20140528064145" to "IPA".<br><br># getcert resubmit -i 20140528063953<br>Resubmitting "20140528063953" to "IPA".<br>###<br><br></div>But when I do the getcert list after, the result is the same.<br><br></div><div>I guess it is because of this ?<br>CA_UNREACHABLE<br></div><div><br></div>Any idea ?<br><br></div>Best regards.<br><br></div>Bahan<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Sep 14, 2016 at 6:38 PM, bahan w <span dir="ltr"><<a href="mailto:bahanw042014@gmail.com" target="_blank">bahanw042014@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div>Ok, I managed to restart the IPA service by adding this line in the file /etc/httpd/conf.d/nss.conf :<br>###<br>NSSEnforceValidCerts off<br>###<br><br></div>But when I do the getcert now I got the following result :<div><div class="h5"><br>###<br># getcert list<br>Number of certificates and requests being tracked: 8.<br>Request ID '20140528063903':<br> status: MONITORING<br> stuck: no<br> key pair storage: type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='<wbr>auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'<br> certificate: type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='<wbr>auditSigningCert cert-pki-ca',token='NSS Certificate DB'<br> CA: dogtag-ipa-renew-agent<br> issuer: CN=Certificate Authority,O=<MYREALM><br> subject: CN=CA Audit,O=<MYREALM><br> expires: 2018-04-09 11:39:16 UTC<br> pre-save command: 
/usr/lib64/ipa/certmonger/<wbr>stop_pkicad<br> post-save command: /usr/lib64/ipa/certmonger/<wbr>renew_ca_cert "auditSigningCert cert-pki-ca"<br> track: yes<br> auto-renew: yes<br>Request ID '20140528063904':<br> status: MONITORING<br> stuck: no<br> key pair storage: type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='<wbr>ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'<br> certificate: type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='<wbr>ocspSigningCert cert-pki-ca',token='NSS Certificate DB'<br> CA: dogtag-ipa-renew-agent<br> issuer: CN=Certificate Authority,O=<MYREALM><br> subject: CN=OCSP Subsystem,O=<MYREALM><br> expires: 2018-04-09 11:38:16 UTC<br> eku: id-kp-OCSPSigning<br> pre-save command: /usr/lib64/ipa/certmonger/<wbr>stop_pkicad<br> post-save command: /usr/lib64/ipa/certmonger/<wbr>renew_ca_cert "ocspSigningCert cert-pki-ca"<br> track: yes<br> auto-renew: yes<br>Request ID '20140528063905':<br> status: MONITORING<br> stuck: no<br> key pair storage: type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='<wbr>subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'<br> certificate: type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='<wbr>subsystemCert cert-pki-ca',token='NSS Certificate DB'<br> CA: dogtag-ipa-renew-agent<br> issuer: CN=Certificate Authority,O=<MYREALM><br> subject: CN=CA Subsystem,O=<MYREALM><br> expires: 2018-04-09 11:38:16 UTC<br> eku: id-kp-serverAuth,id-kp-<wbr>clientAuth<br> pre-save command: /usr/lib64/ipa/certmonger/<wbr>stop_pkicad<br> post-save command: /usr/lib64/ipa/certmonger/<wbr>renew_ca_cert "subsystemCert cert-pki-ca"<br> track: yes<br> auto-renew: yes<br>Request ID '20140528063906':<br> status: MONITORING<br> stuck: no<br> key pair storage: type=NSSDB,location='/etc/<wbr>httpd/alias',nickname='<wbr>ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/<wbr>pwdfile.txt'<br> certificate: 
type=NSSDB,location='/etc/<wbr>httpd/alias',nickname='<wbr>ipaCert',token='NSS Certificate DB'<br> CA: dogtag-ipa-renew-agent<br> issuer: CN=Certificate Authority,O=<MYREALM><br> subject: CN=IPA RA,O=<MYREALM><br> expires: 2018-04-09 11:38:16 UTC<br> eku: id-kp-serverAuth,id-kp-<wbr>clientAuth<br> pre-save command:<br> post-save command: /usr/lib64/ipa/certmonger/<wbr>renew_ra_cert<br> track: yes<br> auto-renew: yes<br>Request ID '20140528063907':<br> status: MONITORING<br> stuck: no<br> key pair storage: type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='<wbr>Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'<br> certificate: type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='<wbr>Server-Cert cert-pki-ca',token='NSS Certificate DB'<br> CA: dogtag-ipa-renew-agent<br> issuer: CN=Certificate Authority,O=<MYREALM><br> subject: CN=<IPA SERVER HOST>,O=<MYREALM><br> expires: 2018-04-09 11:38:16 UTC<br> eku: id-kp-serverAuth,id-kp-<wbr>clientAuth<br> pre-save command:<br> post-save command:<br> track: yes<br> auto-renew: yes<br>Request ID '20140528063919':<br></div></div> status: CA_UNREACHABLE<br> ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. 
Peer certificate cannot be authenticated with known CA certificates).<br> stuck: yes<span class=""><br> key pair storage: type=NSSDB,location='/etc/<wbr>dirsrv/slapd-<MYREALM>',<wbr>nickname='Server-Cert',token='<wbr>NSS Certificate DB',pinfile='/etc/dirsrv/<wbr>slapd-<MYREALM>/pwdfile.txt'<br> certificate: type=NSSDB,location='/etc/<wbr>dirsrv/slapd-<MYREALM>',<wbr>nickname='Server-Cert',token='<wbr>NSS Certificate DB'<br> CA: IPA<br> issuer: CN=Certificate Authority,O=<MYREALM><br> subject: CN=<IPA SERVER HOST>,O=<MYREALM><br> expires: 2016-05-28 06:39:18 UTC<br> eku: id-kp-serverAuth,id-kp-<wbr>clientAuth<br> pre-save command:<br> post-save command: /usr/lib64/ipa/certmonger/<wbr>restart_dirsrv <MYREALM><br> track: yes<br> auto-renew: yes<br>Request ID '20140528063953':<br></span> status: CA_UNREACHABLE<br> ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).<br> stuck: yes<span class=""><br> key pair storage: type=NSSDB,location='/etc/<wbr>dirsrv/slapd-PKI-IPA',<wbr>nickname='Server-Cert',token='<wbr>NSS Certificate DB',pinfile='/etc/dirsrv/<wbr>slapd-PKI-IPA/pwdfile.txt'<br> certificate: type=NSSDB,location='/etc/<wbr>dirsrv/slapd-PKI-IPA',<wbr>nickname='Server-Cert',token='<wbr>NSS Certificate DB'<br> CA: IPA<br> issuer: CN=Certificate Authority,O=<MYREALM><br> subject: CN=<IPA SERVER HOST>,O=<MYREALM><br> expires: 2016-05-28 06:39:52 UTC<br> eku: id-kp-serverAuth,id-kp-<wbr>clientAuth<br> pre-save command:<br> post-save command: /usr/lib64/ipa/certmonger/<wbr>restart_dirsrv PKI-IPA<br> track: yes<br> auto-renew: yes<br>Request ID '20140528064145':<br></span> status: CA_UNREACHABLE<br> ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. 
Peer certificate cannot be authenticated with known CA certificates).<br> stuck: yes<span class=""><br> key pair storage: type=NSSDB,location='/etc/<wbr>httpd/alias',nickname='Server-<wbr>Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/<wbr>pwdfile.txt'<br> certificate: type=NSSDB,location='/etc/<wbr>httpd/alias',nickname='Server-<wbr>Cert',token='NSS Certificate DB'<br> CA: IPA<br> issuer: CN=Certificate Authority,O=<MYREALM><br> subject: CN=<IPA SERVER HOST>,O=<MYREALM><br> expires: 2016-05-28 06:41:44 UTC<br> eku: id-kp-serverAuth,id-kp-<wbr>clientAuth<br> pre-save command:<br> post-save command: /usr/lib64/ipa/certmonger/<wbr>restart_httpd<br> track: yes<br> auto-renew: yes<br>###<br><br></span></div>Indeed, the entries outdated are the following :<br></div>- for /etc/dirsrv/slapd-<MYREALM> : 20140528063919<br>- for /etc/dirsrv/slapd-PKI-IPA : 20140528063953<br></div>- for httpd ? : 20140528064145<br><br><div><div><div><div>Best regards.<span class="HOEnZb"><font color="#888888"><br><br></font></span></div><span class="HOEnZb"><font color="#888888"><div>Bahan<br></div></font></span></div></div></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Sep 14, 2016 at 6:28 PM, bahan w <span dir="ltr"><<a href="mailto:bahanw042014@gmail.com" target="_blank">bahanw042014@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>Ok :D <br><br>Because to perform the getcert list command, I need to have all the ipa services running right ?<br><br></div><div>Here is the result of the command with the ipa services down.<br></div><div>###<br># getcert list<br>Number of certificates and requests being tracked: 8.<br>Request ID '20140528063903':<br> status: MONITORING<br> stuck: no<br> key pair storage: type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='auditS<wbr>igningCert cert-pki-ca',token='NSS 
Certificate DB',pin='159203530658'<br> certificate: type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='auditS<wbr>igningCert cert-pki-ca',token='NSS Certificate DB'<br> CA: dogtag-ipa-renew-agent<br> issuer: CN=Certificate Authority,O=<MYREALM><br> subject: CN=CA Audit,O=<MYREALM><br> expires: 2018-04-09 11:39:16 UTC<br> pre-save command: /usr/lib64/ipa/certmonger/stop<wbr>_pkicad<br> post-save command: /usr/lib64/ipa/certmonger/rene<wbr>w_ca_cert "auditSigningCert cert-pki-ca"<br> track: yes<br> auto-renew: yes<br>Request ID '20140528063904':<br> status: MONITORING<br> stuck: no<br> key pair storage: type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='ocspSi<wbr>gningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'<br> certificate: type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='ocspSi<wbr>gningCert cert-pki-ca',token='NSS Certificate DB'<br> CA: dogtag-ipa-renew-agent<br> issuer: CN=Certificate Authority,O=<MYREALM><br> subject: CN=OCSP Subsystem,O=<MYREALM><br> expires: 2018-04-09 11:38:16 UTC<br> eku: id-kp-OCSPSigning<br> pre-save command: /usr/lib64/ipa/certmonger/stop<wbr>_pkicad<br> post-save command: /usr/lib64/ipa/certmonger/rene<wbr>w_ca_cert "ocspSigningCert cert-pki-ca"<br> track: yes<br> auto-renew: yes<br>Request ID '20140528063905':<br> status: MONITORING<br> stuck: no<br> key pair storage: type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='subsys<wbr>temCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'<br> certificate: type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='subsys<wbr>temCert cert-pki-ca',token='NSS Certificate DB'<br> CA: dogtag-ipa-renew-agent<br> issuer: CN=Certificate Authority,O=<MYREALM><br> subject: CN=CA Subsystem,O=<MYREALM><br> expires: 2018-04-09 11:38:16 UTC<br> eku: id-kp-serverAuth,id-kp-clientA<wbr>uth<br> pre-save command: /usr/lib64/ipa/certmonger/stop<wbr>_pkicad<br> post-save command: /usr/lib64/ipa/certmonger/rene<wbr>w_ca_cert "subsystemCert 
cert-pki-ca"<br> track: yes<br> auto-renew: yes<br>Request ID '20140528063906':<br> status: MONITORING<br> stuck: no<br> key pair storage: type=NSSDB,location='/etc/http<wbr>d/alias',nickname='ipaCert',<wbr>token='NSS Certificate DB',pinfile='/etc/httpd/alias/<wbr>pwdfile.txt'<br> certificate: type=NSSDB,location='/etc/http<wbr>d/alias',nickname='ipaCert',<wbr>token='NSS Certificate DB'<br> CA: dogtag-ipa-renew-agent<br> issuer: CN=Certificate Authority,O=<MYREALM><br> subject: CN=IPA RA,O=<MYREALM><br> expires: 2018-04-09 11:38:16 UTC<br> eku: id-kp-serverAuth,id-kp-clientA<wbr>uth<br> pre-save command:<br> post-save command: /usr/lib64/ipa/certmonger/rene<wbr>w_ra_cert<br> track: yes<br> auto-renew: yes<br>Request ID '20140528063907':<br> status: MONITORING<br> stuck: no<br> key pair storage: type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='Server<wbr>-Cert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'<br> certificate: type=NSSDB,location='/var/lib/<wbr>pki-ca/alias',nickname='Server<wbr>-Cert cert-pki-ca',token='NSS Certificate DB'<br> CA: dogtag-ipa-renew-agent<br> issuer: CN=Certificate Authority,O=<MYREALM><br> subject: CN=<IPA SERVER HOST>,O=<MYREALM><br> expires: 2018-04-09 11:38:16 UTC<br> eku: id-kp-serverAuth,id-kp-clientA<wbr>uth<br> pre-save command:<br> post-save command:<br> track: yes<br> auto-renew: yes<br>Request ID '20140528063919':<br> status: MONITORING<br> ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm '<MYREALM>'.<br> stuck: no<br> key pair storage: type=NSSDB,location='/etc/dirs<wbr>rv/slapd-<MYREALM>',nickname='<wbr>Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd<wbr>-<MYREALM>/pwdfile.txt'<br> certificate: type=NSSDB,location='/etc/dirs<wbr>rv/slapd-<MYREALM>',nickname='<wbr>Server-Cert',token='NSS Certificate DB'<br> CA: IPA<br> issuer: CN=Certificate Authority,O=<MYREALM><br> subject: CN=<IPA SERVER HOST>,O=<MYREALM><br> expires: 
2016-05-28 06:39:18 UTC<br> eku: id-kp-serverAuth,id-kp-clientA<wbr>uth<br> pre-save command:<br> post-save command: /usr/lib64/ipa/certmonger/rest<wbr>art_dirsrv <MYREALM><br> track: yes<br> auto-renew: yes<br>Request ID '20140528063953':<br> status: MONITORING<br> ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm '<MYREALM>'.<br> stuck: no<br> key pair storage: type=NSSDB,location='/etc/dirs<wbr>rv/slapd-PKI-IPA',nickname='<wbr>Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd<wbr>-PKI-IPA/pwdfile.txt'<br> certificate: type=NSSDB,location='/etc/dirs<wbr>rv/slapd-PKI-IPA',nickname='<wbr>Server-Cert',token='NSS Certificate DB'<br> CA: IPA<br> issuer: CN=Certificate Authority,O=<MYREALM><br> subject: CN=<IPA SERVER HOST>,O=<MYREALM><br> expires: 2016-05-28 06:39:52 UTC<br> eku: id-kp-serverAuth,id-kp-clientA<wbr>uth<br> pre-save command:<br> post-save command: /usr/lib64/ipa/certmonger/rest<wbr>art_dirsrv PKI-IPA<br> track: yes<br> auto-renew: yes<br>Request ID '20140528064145':<br> status: MONITORING<br> ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm '<MYREALM>'.<br> stuck: no<br> key pair storage: type=NSSDB,location='/etc/http<wbr>d/alias',nickname='Server-Cert<wbr>',token='NSS Certificate DB',pinfile='/etc/httpd/alias/<wbr>pwdfile.txt'<br> certificate: type=NSSDB,location='/etc/http<wbr>d/alias',nickname='Server-Cert<wbr>',token='NSS Certificate DB'<br> CA: IPA<br> issuer: CN=Certificate Authority,O=<MYREALM><br> subject: CN=<IPA SERVER HOST>,O=<MYREALM><br> expires: 2016-05-28 06:41:44 UTC<br> eku: id-kp-serverAuth,id-kp-clientA<wbr>uth<br> pre-save command:<br> post-save command: /usr/lib64/ipa/certmonger/rest<wbr>art_httpd<br> track: yes<br> auto-renew: yes<br>###<br><br></div>Best regards.<span><font color="#888888"><br><br></font></span></div><span><font 
color="#888888"><div>Bahan<br></div></font></span></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Sep 14, 2016 at 6:21 PM, Martin Basti <span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p><br>
</p>
<p>Then you have to start the services manually. I don't know if the same steps will work with IPA 3.0.0, I don't remember, but you can try :)<br>
</p><div><div>
<br>
<div>On 14.09.2016 18:18, bahan w wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Oh, I forgot to add that my version of IPA is quite old:<br>
###<br>
# rpm -qa | grep ipa-server<br>
ipa-server-3.0.0-25.el6.x86_64<br>
###<br>
<br>
</div>
When I try the command you gave me, I get the following error:<br>
###<br>
<div># ipactl start --force<br>
Usage: ipactl start|stop|restart|status<br>
<br>
<br>
ipactl: error: no such option: --force<br>
###<br>
<br>
</div>
<div>Best regards.<br>
<br>
</div>
<div>Bahan<br>
</div>
</div>
</blockquote>
<blockquote type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Sep 14, 2016 at 6:14 PM, Martin
Basti <span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div>
<p><br>
</p>
<br>
<div>On 14.09.2016 17:59, bahan w wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>Hello !<br>
<br>
</div>
I am sending you this mail because I cannot restart my test IPA server.<br>
<br>
</div>
When I try to start it with service ipa start, I get the following error message:<br>
###<br>
# service ipa start<br>
Starting Directory Service<br>
Starting dirsrv:<br>
<MYREALM>...[14/Sep/2016:17:57:23 +0200] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)<br>
[ OK ]<br>
PKI-IPA...[14/Sep/2016:17:57:33 +0200] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)<br>
[ OK ]<br>
Starting KDC Service<br>
Starting Kerberos 5 KDC: [ OK ]<br>
Starting KPASSWD Service<br>
Starting Kerberos 5 Admin Server: [ OK ]<br>
Starting MEMCACHE Service<br>
Starting ipa_memcached: [ OK ]<br>
Starting HTTP Service<br>
Starting httpd: [FAILED]<br>
Failed to start HTTP Service<br>
Shutting down<br>
Stopping Kerberos 5 KDC: [ OK ]<br>
Stopping Kerberos 5 Admin Server: [ OK ]<br>
Stopping ipa_memcached: [ OK ]<br>
Stopping httpd: [FAILED]<br>
Stopping pki-ca: [ OK ]<br>
Shutting down dirsrv:<br>
<MYREALM>... [ OK ]<br>
PKI-IPA... [ OK ]<br>
Aborting ipactl<br>
<br>
# service ipa status<br>
Directory Service: STOPPED<br>
Failed to get list of services to probe status:<br>
Directory Server is stopped<br>
###<br>
<br>
</div>
<div>Do you know how to renew the SSL certificate used for the IPA server?<br>
<br>
</div>
<div>Best regards.<br>
<br>
</div>
<div>Bahan<br>
</div>
<br>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</blockquote>
<br>
<br>
</div>
</div>
Hello,<br>
<br>
Please run<br>
<br>
# ipactl start --force<br>
# getcert list (to detect which certificate is outdated, I suspect the DS cert, or to get more info on why it has not been renewed)<br>
<br>
If getcert does work (I'm not sure if it is able to work without httpd), you probably need to move the time back to a point in the past where the cert is valid, start IPA and try again.<br>
<br>
Please find the ID of the outdated certificate and try to resubmit it (CA and DS must be running)<br>
<br>
# getcert resubmit -i 20160914122036 (use your ID :) )<br>
<br>
This should renew the cert; check the status with getcert list<br>
<br>
Move the time forward again (if needed)<br>
<br>
Try to restart IPA<br>
<br>
Martin^2<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
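As an added example that is not part of this thread: a small Python script that parses `getcert list` output in the format shown above and flags the request IDs whose certificate is already expired at a given reference time, is stuck, has a status other than MONITORING, or carries a ca-error line, so the IDs to pass to `getcert resubmit -i` can be found without reading the dump by hand. The sample output, the realm EXAMPLE.TEST and the host name are constructed, not taken from the thread.

```python
import re
from datetime import datetime, timezone

# Constructed excerpt of `getcert list` output (same format as the thread's dumps):
# one healthy CA subsystem cert and one service cert that expired on 2016-05-28
# and is stuck with CA_UNREACHABLE. Realm and host name are made up.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20140528063903':
 status: MONITORING
 stuck: no
 subject: CN=CA Audit,O=EXAMPLE.TEST
 expires: 2018-04-09 11:39:16 UTC
 post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
Request ID '20140528063919':
 status: CA_UNREACHABLE
 ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
 stuck: yes
 subject: CN=ipa.example.test,O=EXAMPLE.TEST
 expires: 2016-05-28 06:39:18 UTC
 post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE.TEST
"""

REQUEST_RE = re.compile(r"^Request ID '(\d+)':$")
TIME_FMT = "%Y-%m-%d %H:%M:%S UTC"  # format certmonger prints for 'expires'

def parse_utc(text):
    # Parse a certmonger-style timestamp such as '2016-05-28 06:39:18 UTC'.
    return datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc)

def parse_getcert_list(text):
    """Return {request_id: {field: value}}; field lines are indented by one space
    and a value may itself contain ':' (ca-error), so split on the first colon only."""
    requests, current = {}, None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and line.startswith(" ") and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def needs_attention(requests, now):
    """Map request ID -> list of reasons for every entry that is expired at `now`,
    stuck, not in MONITORING state, or reporting a ca-error."""
    flagged = {}
    for rid, f in requests.items():
        reasons = []
        if "expires" in f and parse_utc(f["expires"]) <= now:
            reasons.append("expired")
        if f.get("stuck") == "yes":
            reasons.append("stuck")
        if f.get("status") != "MONITORING":
            reasons.append("status=" + f.get("status", "?"))
        if "ca-error" in f:
            reasons.append("ca-error")
        if reasons:
            flagged[rid] = reasons
    return flagged
```

Running `needs_attention(parse_getcert_list(SAMPLE), parse_utc("2016-09-14 16:00:00 UTC"))` flags only 20140528063919; with the clock set back to 2016-05-27 the same entry is no longer reported as expired but is still stuck and CA_UNREACHABLE.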