Linov Suresh wrote:
I have followed the Red Hat official documentation,
https://access.redhat.com/solutions/643753, for certificate renewal,
which says "add: usercertificate" (step 12).

While on the other hand the FreeIPA official documentation,
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal, says to "add:
usercertificate;binary".

Just wondering whether we need to add the certificate or replace the
existing certificate, and which format do we need to use, PEM or DER?

We already successfully renewed the certificates months back, but
they expired about 6 months back and we were not able to renew them till
now, and this is affecting our production environment.

Please help us.

You shouldn't have to mess with these values at all. In 3.0 this is handled somewhat automatically.

I'd restart the CA, then certmonger and see if the communication error goes away for the CA subservice certificates (the internal error).

# service pki-cad restart
<pause a bit>
# service certmonger restart

I find it very strange that the certificates were set to expire yesterday but it isn't a show-stopper necessarily assuming you can get the CA back up.

Assuming you can, then go back in time again, this time just a few days and try renewing the LDAP and Apache server certs again.

rob
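The triage below is an added example, not code from this thread, from FreeIPA or from certmonger. It parses the text that `getcert list` prints (tolerating the line wrapping and `>` quoting a mail client adds, as in the output pasted further down), flags tracked requests that are expired, stuck, in a state other than MONITORING, or carrying a ca-error, and computes the date the "go back in time" step would use. Assumptions: the three-day lead before the earliest expired certificate, the constructed sample with EXAMPLE.TEST names and a fake serial, and the "now" timestamp; on a real server, feed it the output of `getcert list` instead of the sample.

```python
"""Offline triage of `getcert list` output (added example; not FreeIPA or
certmonger code). Flags expired, stuck or erroring tracked requests and
suggests the date to set the clock back to before retrying renewal."""
import re
from datetime import datetime, timedelta

GETCERT_TIME = "%Y-%m-%d %H:%M:%S UTC"        # the format getcert prints 'expires' in
REQ_RE = re.compile(r"^Request ID '([^']+)':")
# "key: value" or bare "key:" lines. A URL or NSS token text that spilled onto its
# own line does not match (the colon must be followed by whitespace or end of line).
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z -]*?):(?:\s+(.*))?$")

# Constructed sample in the shape of the thread's output, with mail-client wrapping.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20111214223243':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=ipa.example.test,O=EXAMPLE.TEST
        expires: 2016-07-18 15:54:36 UTC
        pre-save command:
        post-save command:
Request ID '20130519130741':
        status: MONITORING
        ca-error: Internal error: no response to
"http://ipa.example.test:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
        stuck: no
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        expires: 2017-10-13 14:10:49 UTC
Request ID '20130519130745':
        status: MONITORING
        stuck: no
        certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
        Certificate DB'
        CA: dogtag-ipa-renew-agent
        expires: 2017-10-13 14:09:49 UTC
"""


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by getcert's own field names."""
    requests, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("> ").strip()      # drop indentation and mail quoting
        if not line:
            continue
        m = REQ_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            last_key = None
            continue
        if current is None:                           # header before the first request
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group(1)
            current[last_key] = (m.group(2) or "").strip()
        elif last_key is not None:                    # wrapped value: rejoin it
            current[last_key] = (current[last_key] + " " + line).strip()
    return requests


def triage(text, now_utc, lead_days=3):
    """Classify each request relative to now_utc (a string in getcert's format).

    Returns (findings, clock): findings maps request_id -> list of problems;
    clock is the getcert-format time to set the system clock back to, lead_days
    (an assumed margin) before the earliest expired certificate, or None.
    """
    now = datetime.strptime(now_utc, GETCERT_TIME)
    findings, expired = {}, []
    for req in parse_getcert_list(text):
        problems = []
        if req.get("expires"):
            exp = datetime.strptime(req["expires"], GETCERT_TIME)
            if exp <= now:
                expired.append(exp)
                problems.append("expired " + req["expires"])
        if req.get("status", "MONITORING") != "MONITORING":
            problems.append("status " + req["status"])
        if req.get("stuck") == "yes":
            problems.append("stuck")
        if req.get("ca-error"):
            problems.append("ca-error: " + req["ca-error"])
        if problems:
            findings[req["request_id"]] = problems
    clock = None
    if expired:
        clock = (min(expired) - timedelta(days=lead_days)).strftime(GETCERT_TIME)
    return findings, clock


if __name__ == "__main__":
    findings, clock = triage(SAMPLE, "2016-07-19 13:00:00 UTC")   # assumed 'now'
    for rid, problems in findings.items():
        print(rid, "->", "; ".join(problems))
    if clock:
        print("set the clock back to about", clock,
              "then restart the CA and certmonger and retry the renewals")
```

The parser keys on getcert's "field: value" layout rather than on fixed positions, so a value that a mailer wrapped onto the next line (the NSS database path, the profileSubmit URL) is rejoined to its field instead of being lost; the suggested clock value is only a starting point, and the CA itself has to be reachable before certmonger can complete any renewal.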


On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh <linov.sur...@gmail.com> wrote:

    We have cloned and created another virtual server from the template.
    Surprisingly, this server's certificates also expired at the same
    time as the previous one's; they just lasted for a day.
    Does this issue have something to do with the Kerberos tickets?

    I am new to IPA and your help is highly appreciated.

    On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh <linov.sur...@gmail.com> wrote:

        Update: my webserver and LDAP certificates expired at
        2016-07-18 15:54:36 UTC and the certificates are in
        CA_UNREACHABLE state.

        Could you please help us?

        [root@caer tmp]# getcert list
        Number of certificates and requests being tracked: 8.
        Request ID '20111214223243':
                 status: CA_UNREACHABLE
                 ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
                 stuck: yes
                 key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
                 certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
                 CA: IPA
                 issuer: CN=Certificate Authority,O=TELOIP.NET
                 subject: CN=caer.teloip.net,O=TELOIP.NET
                 expires: 2016-07-18 15:54:36 UTC
                 eku: id-kp-serverAuth
                 pre-save command:
                 post-save command:
                 track: yes
                 auto-renew: yes
        Request ID '20111214223300':
                 status: CA_UNREACHABLE
                 ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
                 stuck: yes
                 key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
                 certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
                 CA: IPA
                 issuer: CN=Certificate Authority,O=TELOIP.NET
                 subject: CN=caer.teloip.net,O=TELOIP.NET
                 expires: 2016-07-18 15:54:52 UTC
                 eku: id-kp-serverAuth
                 pre-save command:
                 post-save command:
                 track: yes
                 auto-renew: yes
        Request ID '20111214223316':
                 status: CA_UNREACHABLE
                 ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
                 stuck: yes
                 key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
                 certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
                 CA: IPA
                 issuer: CN=Certificate Authority,O=TELOIP.NET
                 subject: CN=caer.teloip.net,O=TELOIP.NET
                 expires: 2016-07-18 15:55:04 UTC
                 eku: id-kp-serverAuth
                 pre-save command:
                 post-save command:
                 track: yes
                 auto-renew: yes
        Request ID '20130519130741':
                 status: MONITORING
                 ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
                 stuck: no
                 key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
                 certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
                 CA: dogtag-ipa-renew-agent
                 issuer: CN=Certificate Authority,O=TELOIP.NET
                 subject: CN=CA Audit,O=TELOIP.NET
                 expires: 2017-10-13 14:10:49 UTC
                 pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
                 post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
                 track: yes
                 auto-renew: yes
        Request ID '20130519130742':
                 status: MONITORING
                 ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
                 stuck: no
                 key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
                 certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
                 CA: dogtag-ipa-renew-agent
                 issuer: CN=Certificate Authority,O=TELOIP.NET
                 subject: CN=OCSP Subsystem,O=TELOIP.NET
                 expires: 2017-10-13 14:09:49 UTC
                 eku: id-kp-OCSPSigning
                 pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
                 post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
                 track: yes
                 auto-renew: yes
        Request ID '20130519130743':
                 status: MONITORING
                 ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
                 stuck: no
                 key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
                 certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
                 CA: dogtag-ipa-renew-agent
                 issuer: CN=Certificate Authority,O=TELOIP.NET
                 subject: CN=CA Subsystem,O=TELOIP.NET
                 expires: 2017-10-13 14:09:49 UTC
                 eku: id-kp-serverAuth,id-kp-clientAuth
                 pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
                 post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
                 track: yes
                 auto-renew: yes
        Request ID '20130519130744':
                 status: MONITORING
                 ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
                 stuck: no
                 key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
                 certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
                 CA: dogtag-ipa-renew-agent
                 issuer: CN=Certificate Authority,O=TELOIP.NET
                 subject: CN=RA Subsystem,O=TELOIP.NET
                 expires: 2017-10-13 14:09:49 UTC
                 eku: id-kp-serverAuth,id-kp-clientAuth
                 pre-save command:
                 post-save command: /usr/lib64/ipa/certmonger/restart_httpd
                 track: yes
                 auto-renew: yes
        Request ID '20130519130745':
                 status: MONITORING
                 ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
                 stuck: no
                 key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
                 certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
                 CA: dogtag-ipa-renew-agent
                 issuer: CN=Certificate Authority,O=TELOIP.NET
                 subject: CN=caer.teloip.net,O=TELOIP.NET
                 expires: 2017-10-13 14:09:49 UTC
                 eku: id-kp-serverAuth,id-kp-clientAuth
                 pre-save command:
                 post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
                 track: yes
                 auto-renew: yes

        On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh <linov.sur...@gmail.com> wrote:

            Yes, PKI is running and I don't see any errors in the selftests.
            I have followed https://access.redhat.com/solutions/643753
            and restarted the PKI in step 10.

            The only change I made was to clean up userCertificate;binary
            before adding the new userCertificate in LDAP, which is step 12.

            [root@caer ~]# /etc/init.d/pki-cad status
            pki-ca (pid 8634) is running...                            [  OK  ]
                 Unsecure Port       = http://caer.teloip.net:9180/ca/ee/ca
                 Secure Agent Port   = https://caer.teloip.net:9443/ca/agent/ca
                 Secure EE Port      = https://caer.teloip.net:9444/ca/ee/ca
                 Secure Admin Port   = https://caer.teloip.net:9445/ca/services
                 EE Client Auth Port = https://caer.teloip.net:9446/ca/eeca/ca
                 PKI Console Port    = pkiconsole https://caer.teloip.net:9445/ca
                 Tomcat Port         = 9701 (for shutdown)

                 PKI Instance Name:   pki-ca

                 PKI Subsystem Type:  Root CA (Security Domain)

                 Registered PKI Security Domain Information:

                 ==========================================================================
                 Name:  IPA
                 URL: https://caer.teloip.net:9445
                 ==========================================================================
            [root@caer ~]#
            [root@caer ~]# tail -f /var/log/pki-ca/selftests.log
            8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading all self test plugin logger parameters
            8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading all self test plugin instances
            8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading all self test plugin instance parameters
            8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading self test plugins in on-demand order
            8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading self test plugins in startup order
            8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
            8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
            8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence:  CA is present
            8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification: system certs verification success
            8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!

            Your help is highly appreciated!

                Linov Suresh

                70 Forest Manor Rd.
                Toronto
                ON M2J 0A9
                Mobile: +1 647 406 9438
                Linkedin: ca.linkedin.com/in/linov/
                Website: http://mylinuxthoughts.blogspot.com


            On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik <pvobo...@redhat.com> wrote:

                On 07/18/2016 05:45 AM, Linov Suresh wrote:
                > Thanks for the update, Rob. I went back to Jan 20, 2016, restarted CA and
                > certmonger. Looks like the certificates were renewed. But I'm getting a different
                > error now,
                >
                > ca-error: Internal error: no response to
                > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".

                Is PKI running? When you change the time, does restart
                of IPA help?

                >
                > [root@caer ~]# getcert list
                > Number of certificates and requests being tracked: 8.
                > Request ID '20111214223243':
                >          status: MONITORING
                >          stuck: no
                >          key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
                >          certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
                >          CA: IPA
                >          issuer: CN=Certificate Authority,O=TELOIP.NET
                >          subject: CN=caer.teloip.net,O=TELOIP.NET
                >          expires: 2016-07-18 15:54:36 UTC
                >          eku: id-kp-serverAuth
                >          pre-save command:
                >          post-save command:
                >          track: yes
                >          auto-renew: yes
                > Request ID '20111214223300':
                >          status: MONITORING
                >          stuck: no
                >          key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
                >          certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
                >          CA: IPA
                >          issuer: CN=Certificate Authority,O=TELOIP.NET
                >          subject: CN=caer.teloip.net,O=TELOIP.NET
                >          expires: 2016-07-18 15:54:52 UTC
                >          eku: id-kp-serverAuth
                >          pre-save command:
                >          post-save command:
                >          track: yes
                >          auto-renew: yes
                > Request ID '20111214223316':
                >          status: MONITORING
                >          stuck: no
                >          key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
                >          certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
                >          CA: IPA
                >          issuer: CN=Certificate Authority,O=TELOIP.NET
                >          subject: CN=caer.teloip.net,O=TELOIP.NET
                >          expires: 2016-07-18 15:55:04 UTC
                >          eku: id-kp-serverAuth
                >          pre-save command:
                >          post-save command:
                >          track: yes
                >          auto-renew: yes
                > Request ID '20130519130741':
                >          status: MONITORING
                >          ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
                >          stuck: no
                >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
                >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
                >          CA: dogtag-ipa-renew-agent
                >          issuer: CN=Certificate Authority,O=TELOIP.NET
                >          subject: CN=CA Audit,O=TELOIP.NET
                >          expires: 2017-10-13 14:10:49 UTC
                >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
                >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
                >          track: yes
                >          auto-renew: yes
                > Request ID '20130519130742':
                >          status: MONITORING
                >          ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
                >          stuck: no
                >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
                >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
                >          CA: dogtag-ipa-renew-agent
                >          issuer: CN=Certificate Authority,O=TELOIP.NET
                >          subject: CN=OCSP Subsystem,O=TELOIP.NET
                >          expires: 2017-10-13 14:09:49 UTC
                >          eku: id-kp-OCSPSigning
                >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
                >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
                >          track: yes
                >          auto-renew: yes
                > Request ID '20130519130743':
                >          status: MONITORING
                >          ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
                >          stuck: no
                >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
                >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
                >          CA: dogtag-ipa-renew-agent
                >          issuer: CN=Certificate Authority,O=TELOIP.NET
                >          subject: CN=CA Subsystem,O=TELOIP.NET
                >          expires: 2017-10-13 14:09:49 UTC
                >          eku: id-kp-serverAuth,id-kp-clientAuth
                >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
                >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
                >          track: yes
                >          auto-renew: yes
                > Request ID '20130519130744':
                >          status: MONITORING
                >          ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
                >          stuck: no
                >          key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
                >          certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
                >          CA: dogtag-ipa-renew-agent
                >          issuer: CN=Certificate Authority,O=TELOIP.NET
                >          subject: CN=RA Subsystem,O=TELOIP.NET
                >          expires: 2017-10-13 14:09:49 UTC
                >          eku: id-kp-serverAuth,id-kp-clientAuth
                >          pre-save command:
                >          post-save command: /usr/lib64/ipa/certmonger/restart_httpd
                >          track: yes
                >          auto-renew: yes
                > Request ID '20130519130745':
                >          status: MONITORING
                >          ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
                >          stuck: no
                >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
                >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
                >          CA: dogtag-ipa-renew-agent
                >          issuer: CN=Certificate Authority,O=TELOIP.NET
                >          subject: CN=caer.teloip.net,O=TELOIP.NET
                >          expires: 2017-10-13 14:09:49 UTC
                >          eku: id-kp-serverAuth,id-kp-clientAuth
                >          pre-save command:
                >          post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
                >          track: yes
                >          auto-renew: yes
                > [root@caer ~]#
                >
                > Your help is highly appreciated!
                >
                >
                >
                > On Fri, Jul 15, 2016 at 5:08 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
                 >
                 >     Linov Suresh wrote:
                 >
                 >         I logged into my IPA master and found that the cert had expired again;
                 >         we renewed these certificates about 18 months ago.
                 >
                 >         Our environment is CentOS 6.4 and IPA 3.0.0-26.
                 >
                 >
                 >            I followed the Red Hat documentation, "How do I manually renew Identity
                 >            Management (IPA) certificates after they have expired? (Master IPA
                 >            Server)", https://access.redhat.com/solutions/643753, but no luck.
                 >
                 >
                 >         I have also changed the directive
                "NSSEnforceValidCerts off" in
                 >         /etc/httpd/conf.d/nss.conf and the value of
                nsslapd-validate-cert is warn.
                 >
                 >         ldapsearch -x -h localhost -p 7389 -D
                'cn=directory manager' -w *******
                 >         -b  cn=config | grep  nsslapd-validate-cert
                 >
                 >         nsslapd-validate-cert: warn
                 >
                 >         Here is my getcert list,
                 >
                 >         [root@caer ~]# getcert list
                 >
                 >
                 >     It looks like your CA subsystem certificates all renewed successfully; it is
                 >     just the webserver and LDAP certificates that need renewing, so that's good.
                 >
                 >     What I'd do is go back in time again to say Jan
                20, 2016 and restart
                 >     certmonger. That should make it retry the renewals.
                 >
                 >     rob
                 >
                 >
                 >
                 >



                --
                Petr Vobornik






--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
