Roberto Cornacchia via FreeIPA-users wrote:
> OK, I did so and httpd restarts.
> 
> $ openssl s_client -connect 127.0.0.1:443 -showcerts
> CONNECTED(00000003)
> depth=1 O = HQ.SPINQUE.COM, CN = Certificate Authority
> verify return:1
> depth=0 O = HQ.SPINQUE.COM, CN = spinque04.hq.spinque.com
> verify error:num=10:certificate has expired
> notAfter=Mar 16 18:45:29 2017 GMT
> verify return:1
> depth=0 O = HQ.SPINQUE.COM, CN = spinque04.hq.spinque.com
> notAfter=Mar 16 18:45:29 2017 GMT
> verify return:1
> ---
> Certificate chain
>  0 s:/O=HQ.SPINQUE.COM/CN=spinque04.hq.spinque.com
>    i:/O=HQ.SPINQUE.COM/CN=Certificate Authority
> ...
> 
> Fair enough, but why does this say it expires in 2019? Are they two
> different certificates? 
> 
> $ getcert list -d /etc/httpd/alias -n ipaCert
> Number of certificates and requests being tracked: 8.
> Request ID '20160501114633':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=HQ.SPINQUE.COM
> subject: CN=IPA RA,O=HQ.SPINQUE.COM
> expires: 2019-01-26 19:41:51 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> track: yes
> auto-renew: yes
> 
> What's the right way to solve this?

You're looking at the wrong cert.

# getcert list -d /etc/httpd/alias -n Server-Cert

And really, you should examine all certificate status, not just a single
one.

I would also strongly urge you to wait until all problems are resolved
before attempting to update packages in the future (unless a package
claims to fix a specific problem), particularly when it comes to
certificates.

rob
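The advice above is to look at every tracked certificate rather than a single nickname: the `openssl s_client` output shows the certificate httpd actually serves (the `Server-Cert` entry), while `ipaCert` is the RA agent certificate with subject `CN=IPA RA`, so its 2019 expiry says nothing about the web server certificate that expired in March 2017. The following is an added example, not code from the thread or from the FreeIPA project: it parses the text layout of `getcert list` and reports, per tracked request, whether the certificate is expired, close to expiry, or flagged as stuck. The sample output below is constructed (realm `EXAMPLE.TEST`, request IDs, and the second entry's `CA_UNREACHABLE` status are assumptions, made up to mirror the layout quoted above); the 28-day warning window is an arbitrary choice.

```python
"""Summarise every certificate certmonger tracks, not just one nickname.

Added example, not part of the FreeIPA project. Feed it live output with
    getcert list | python3 check_tracked_certs.py
or run it without input to see the constructed sample below.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of `getcert list` output (assumed values).
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20160501114633':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=IPA RA,O=EXAMPLE.TEST
\texpires: 2019-01-26 19:41:51 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20160501114640':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2017-03-16 18:45:29 UTC
\ttrack: yes
\tauto-renew: yes
"""

EXPIRES_FORMAT = "%Y-%m-%d %H:%M:%S UTC"


def parse_timestamp(value):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' into an aware datetime."""
    return datetime.strptime(value, EXPIRES_FORMAT).replace(tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Split `getcert list` text into one dict of 'field: value' pairs per request."""
    entries, current = [], None
    for line in text.splitlines():
        header = re.match(r"Request ID '([^']+)':", line)
        if header:
            current = {"request_id": header.group(1)}
            entries.append(current)
            continue
        if current is None:
            continue  # the "Number of certificates ..." preamble
        key, sep, value = line.strip().partition(": ")
        if sep:  # first ': ' splits field from value; values may contain commas
            current[key] = value
    return entries


def nickname_of(entry):
    """Pull the NSS nickname out of the 'certificate:' storage descriptor."""
    match = re.search(r"nickname='([^']+)'", entry.get("certificate", ""))
    return match.group(1) if match else entry["request_id"]


def check(text, now=None, warn_days=28):
    """Return one verdict per tracked request: OK, EXPIRING, EXPIRED or NO-CERT."""
    now = parse_timestamp(now) if now else datetime.now(timezone.utc)
    report = []
    for entry in parse_getcert_list(text):
        expires = entry.get("expires")
        days_left = (parse_timestamp(expires) - now).days if expires else None
        if days_left is None:
            verdict = "NO-CERT"
        elif days_left < 0:
            verdict = "EXPIRED"
        elif days_left <= warn_days:
            verdict = "EXPIRING"
        else:
            verdict = "OK"
        # A stuck request or any state other than MONITORING means renewal is not
        # going to happen by itself, regardless of how far off the expiry is.
        needs_attention = entry.get("stuck") == "yes" or entry.get("status") != "MONITORING"
        report.append({
            "nickname": nickname_of(entry),
            "status": entry.get("status", "?"),
            "expires": expires,
            "days_left": days_left,
            "verdict": verdict,
            "needs_attention": needs_attention,
        })
    return report


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCERT_OUTPUT
    for row in check(text):
        flag = " (stuck or not monitoring)" if row["needs_attention"] else ""
        print(f"{row['nickname']:<14} {row['status']:<16} {row['expires']}  "
              f"{row['verdict']}{flag}")
```

Run against real output it is the check the reply asks for: every entry is listed with its own expiry and renewal state, so an expired `Server-Cert` cannot hide behind a healthy `ipaCert`.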
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org