Hi,

''
# getcert list
Number of certificates and requests being tracked: 4.
Request ID '20161220171510':
    status: CA_UNREACHABLE
    ca-error: Error 60 connecting to https://freeipa4.xxxx.fr:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=xxxx.FR
    subject: CN=OCSP Subsystem,O=xxxx.FR
    expires: 2017-04-18 14:30:07 UTC
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20161220171511':
    status: CA_UNREACHABLE
    ca-error: Error 60 connecting to https://freeipa4.xxxx.fr:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=xxxx.FR
    subject: CN=CA Subsystem,O=xxxx.FR
    expires: 2017-04-18 14:30:07 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20161220171512':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=xxxx.FR
    subject: CN=Certificate Authority,O=xxxx.FR
    expires: 2020-11-22 16:07:13 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20161220171513':
    status: CA_UNREACHABLE
    ca-error: Error 60 connecting to https://freeipa4.xxxx.fr:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=xxxx.FR
    subject: CN=IPA RA,O=xxxx.FR
    expires: 2017-04-18 13:31:46 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
''

Hoping that this will be useful for you.

Thx,
Pierre

On 23/03/2018 at 00:45, Fraser Tweedale via FreeIPA-users wrote:
> Hi Pierre,
>
> What is the output of `getcert list` ?
>
> Looks like there's an expired cert. Need to find which one(s) and
> then work out how to renew them.
>
> Cheers,
> Fraser
>
> On Thu, Mar 22, 2018 at 11:13:26PM +0100, Pierre Labanowski via FreeIPA-users wrote:
>> Hi Fraser,
>>
>> thank you in advance for the help.
>>
>> ipa-server-upgrade ends on this message :
>>
>> ''
>> Migrating certificate profiles to LDAP]
>> cert validation failed for "CN=freeipa4.xxxx.fr,O=xxxx.FR"
>> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
>> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
>> command ipa-server-upgrade manually.
>> Unexpected error - see /var/log/ipaupgrade.log for details:
>> NetworkError: cannot connect to
>> 'https://freeipa4.xxxx.fr:8443/ca/rest/account/login':
>> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
>> more information
>> ''
>>
>>
>> thx
>> Pierre
>> _______________________________________________
>> FreeIPA-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
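
Fraser's reply asks which tracked certificates have expired. The following is an added example, not part of the thread and not FreeIPA or certmonger code: it parses `getcert list` text and reports requests that are expired or not in MONITORING state. The function names are hypothetical, the sample is abridged from the output above, and the reference date is assumed to be the date of the reply.

```python
import re
from datetime import datetime

# Abridged from the `getcert list` output in the message above (fields trimmed).
SAMPLE = """\
Request ID '20161220171510':
    status: CA_UNREACHABLE
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2017-04-18 14:30:07 UTC
Request ID '20161220171512':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2020-11-22 16:07:13 UTC
Request ID '20161220171513':
    status: CA_UNREACHABLE
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    expires: 2017-04-18 13:31:46 UTC
"""

def parse_getcert(text):
    """Split `getcert list` text into one dict per tracked request."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '(\d+)':", line.strip())
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ":" in line:
            key, _, value = line.strip().partition(":")
            requests[-1].setdefault(key.strip(), value.strip())
    for req in requests:
        nick = re.search(r"nickname='([^']*)'", req.get("certificate", ""))
        req["nickname"] = nick.group(1) if nick else None
        if "expires" in req:  # kept as a naive datetime, interpreted as UTC
            req["expires"] = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC")
    return requests

def needs_attention(requests, now):
    """Return (nickname, reason) for expired or non-MONITORING requests."""
    findings = []
    for req in requests:
        if req.get("expires") and req["expires"] <= now:
            findings.append((req["nickname"], "expired " + req["expires"].date().isoformat()))
        elif req.get("status") != "MONITORING":
            findings.append((req["nickname"], "status " + req.get("status", "unknown")))
    return findings

if __name__ == "__main__":
    # Assumed reference date: the date of the reply above (2018-03-23, UTC).
    for nick, reason in needs_attention(parse_getcert(SAMPLE), datetime(2018, 3, 23)):
        print(f"{nick}: {reason}")
```

On a live server the same functions can be fed the captured output of `getcert list` with the current UTC time as `now`.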
