I logged into my IPA master and found that the cert had expired again; we renewed these certificates about 18 months ago.
Our environment is CentOS 6.4 and IPA 3.0.0-26. I followed the Red Hat documentation, "How do I manually renew Identity Management (IPA) certificates after they have expired? (Master IPA Server)", https://access.redhat.com/solutions/643753, but no luck. I have also changed "NSSEnforceValidCerts off" in /etc/httpd/conf.d/nss.conf, and the nsslapd-validate-cert value is warn:

ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w ******* -b cn=config | grep nsslapd-validate-cert
nsslapd-validate-cert: warn

Here is my getcert list:

[root@caer ~]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20111214223243':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=TELOIP.NET
    subject: CN=caer.teloip.net,O=TELOIP.NET
    expires: 2016-01-29 14:09:46 UTC
    eku: id-kp-serverAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20111214223300':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=TELOIP.NET
    subject: CN=caer.teloip.net,O=TELOIP.NET
    expires: 2016-01-29 14:09:45 UTC
    eku: id-kp-serverAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20111214223316':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=TELOIP.NET
    subject: CN=caer.teloip.net,O=TELOIP.NET
    expires: 2016-01-29 14:09:45 UTC
    eku: id-kp-serverAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20130519130741':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=TELOIP.NET
    subject: CN=CA Audit,O=TELOIP.NET
    expires: 2017-10-13 14:10:49 UTC
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20130519130742':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=TELOIP.NET
    subject: CN=OCSP Subsystem,O=TELOIP.NET
    expires: 2017-10-13 14:09:49 UTC
    eku: id-kp-OCSPSigning
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20130519130743':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=TELOIP.NET
    subject: CN=CA Subsystem,O=TELOIP.NET
    expires: 2017-10-13 14:09:49 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20130519130744':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=TELOIP.NET
    subject: CN=RA Subsystem,O=TELOIP.NET
    expires: 2017-10-13 14:09:49 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20130519130745':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=TELOIP.NET
    subject: CN=caer.teloip.net,O=TELOIP.NET
    expires: 2017-10-13 14:09:49 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

Note: I'm seeing two blobs in ipaCert; not sure whether this is because we already renewed the certificate about 18 months back.

[root@caer ~]# certutil -L -d /etc/httpd/alias -n ipaCert -a

Your help is highly appreciated.

Regards,
Linov Suresh.
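As an added example (not from the post above or from the FreeIPA project), a small Python triage script that parses getcert list output in the layout shown in the post and reports every request that is stuck, carries a ca-error, or has expired or is about to; the sample output, hostnames, paths and realm are constructed placeholders rather than the poster's values.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample in the layout of getcert list output (placeholder paths/realm).
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20111214223243':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
    stuck: yes
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2016-01-29 14:09:46 UTC
Request ID '20130519130744':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    expires: 2017-10-13 14:09:49 UTC
"""

def parse_utc(stamp):
    # getcert prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)

def parse_getcert_list(text):
    # One dict per "Request ID" block; each indented line splits on its first ':'
    # only, so values that themselves contain ':' (the ca-error text) survive intact.
    requests, current = [], None
    for raw in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", raw)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and raw[:1] in (" ", "\t"):
            key, _, value = raw.strip().partition(":")
            current[key] = value.strip()
    return requests

def find_problems(requests, now, warn_days=30):
    # Returns (request id, NSS nickname, reasons) for every request needing attention.
    out = []
    for req in requests:
        reasons = []
        if req.get("stuck") == "yes":
            reasons.append("stuck")
        if "ca-error" in req:
            reasons.append("ca-error")
        if "expires" in req:
            exp = parse_utc(req["expires"])
            if exp - now <= timedelta(days=warn_days):
                reasons.append("expired" if exp <= now else "expires within %d days" % warn_days)
        if reasons:
            nick = re.search(r"nickname='([^']*)'", req.get("certificate", ""))
            out.append((req["id"], nick.group(1) if nick else "?", reasons))
    return out
```

Run it against the real thing with `find_problems(parse_getcert_list(subprocess.check_output(["getcert", "list"], text=True)), datetime.now(timezone.utc))`; a non-empty result is the signal to look at the tracked request before certmonger's retries exhaust the validity window.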