On 08/29/2017 04:09 PM, Julien Honore via FreeIPA-users wrote:


Hi,

I have an issue with my freeipa server.

The certificates expired and I can't resubmit.

I put the date before the expiration of the certs.

The result of ipa-getcert list :


Number of certificates and requests being tracked: 8.
Request ID '20150805183502':
status: MONITORING
ca-error: Error setting up ccache for "host" service on client using default keytab: Clients credentials have been revoked.
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-VIT-LAN',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-VIT-LAN/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-VIT-LAN',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=VIT.LAN
subject: CN=auth0.vit.lan,O=VIT.LAN
expires: 2017-08-05 18:35:02 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150805183539':
status: MONITORING
ca-error: Error setting up ccache for "host" service on client using default keytab: Clients credentials have been revoked.
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=VIT.LAN
subject: CN=auth0.vit.lan,O=VIT.LAN
expires: 2017-08-05 18:35:39 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150805183647':
status: MONITORING
ca-error: Error setting up ccache for "host" service on client using default keytab: Clients credentials have been revoked.
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=VIT.LAN
subject: CN=auth0.vit.lan,O=VIT.LAN
expires: 2017-08-05 18:36:47 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes

If someone can help me with this issue, it will be very helpful.

Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
ADTRUST Service: RUNNING
EXTID Service: RUNNING

FreeIPA v3.

Thank you

Julien Honore
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Hi,

I have very little experience with IPA v3, but let's try anyway... If things didn't change too much, certmonger's IPA helper is using /etc/krb5.keytab to connect to IPA server. Can you check if this keytab is still valid using
$ sudo kinit -kt /etc/krb5.keytab

If the operation fails, this is probably the root cause of your issue. The utility ipa-getkeytab will allow you to get the host keytab (with the --retrieve option and --principal=host/$HOSTNAME@$DOMAINNAME).

HTH,
Flo
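As an added example (not code from the thread or from the FreeIPA project), a small POSIX shell script that scans ipa-getcert list output for requests whose CA helper reported an error, flags the "credentials have been revoked" case from Julien's output, and verifies the host keytab the way Flo suggests. The getcert sample embedded below is constructed to match the thread, and the principal host/$(hostname -f) is an assumption.

```shell
#!/bin/sh
# Constructed sample shaped like the `ipa-getcert list` output in the thread.
sample_getcert() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20150805183502':
	status: MONITORING
	ca-error: Error setting up ccache for "host" service on client using default keytab: Clients credentials have been revoked.
	stuck: no
	expires: 2017-08-05 18:35:02 UTC
Request ID '20150805183647':
	status: MONITORING
	stuck: no
	expires: 2017-08-05 18:36:47 UTC
EOF
}

# Print "<request id><TAB><ca-error text>" for every tracked request whose
# last CA submission failed. Reads getcert output on stdin.
failing_requests() {
    awk '
        /^Request ID/ { id = $3; gsub(/[^0-9]/, "", id) }
        /^[ \t]*ca-error:/ {
            sub(/^[ \t]*ca-error:[ \t]*/, "")
            print id "\t" $0
        }'
}

# Succeed when a failing request blames revoked client credentials: that is
# certmonger's IPA helper failing to kinit with /etc/krb5.keytab, so the
# keytab must be fixed before any certificate can be resubmitted.
keytab_revoked() {
    failing_requests | grep -qi 'credentials have been revoked'
}

# Verify the host keytab against the KDC (Flo's kinit -kt check) without
# clobbering the caller's ticket cache: KRB5CCNAME points at a temp file.
# Returns 0 on success, 1 on failure, 2 when kinit is not installed.
check_host_keytab() {
    keytab="${1:-/etc/krb5.keytab}"
    principal="${2:-host/$(hostname -f)}"   # assumption: default realm applies
    command -v kinit >/dev/null 2>&1 || { echo "kinit not installed" >&2; return 2; }
    tmpcc="$(mktemp)"
    KRB5CCNAME="FILE:$tmpcc" kinit -kt "$keytab" "$principal"; rc=$?
    rm -f "$tmpcc"
    [ "$rc" -eq 0 ] || return 1
}

# Demo against the sample; on a real server use: ipa-getcert list | failing_requests
sample_getcert | failing_requests
```

If keytab_revoked succeeds and check_host_keytab fails, the host keytab is the thing to repair (ipa-getkeytab --retrieve, as Flo describes); only after kinit -kt works is it worth running ipa-getcert resubmit on the listed request IDs.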
