Hi,

I am facing a serious issue with my production IPA server. When I try to access 
the IPA web interface using Firefox, it hangs and doesn't allow me to get in. It 
seems to be due to an expired SSL certificate, as seen in the Apache log file:


[Tue Jan 03 10:34:08 2012] [error] Certificate not verified: 'Server-Cert'
[Tue Jan 03 10:34:08 2012] [error] SSL Library Error: -8181 Certificate has expired
[Tue Jan 03 10:34:08 2012] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
[Tue Jan 03 10:34:08 2012] [error] Certificate not verified: 'Server-Cert'


Also, when I try to use the command line (ipa user-mod or user-show commands), 
it too just hangs and doesn't give any output or allow me any input. I can 
see the following in krb5kdc.log:

Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2426](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2426](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: PREAUTH_FAILED: host/xxxxx.xxxxx....@xxxxxx.com for krbtgt/xxxxxx....@xxxxxx.com, Decrypt integrity check failed
Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2429](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH: host/xxxx.xxxxx....@xxxxx.com for krbtgt/xxxxxx....@xxxxxx.com, Additional pre-authentication required

The output of "certutil -L -d /etc/httpd/alias -n Server-Cert" confirms that 
the certificate is expired, as given below.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=XXXXXX.COM"
        Validity:
            Not Before: Sun Jun 19 11:27:20 2011
            Not After : Fri Dec 16 11:27:20 2011


Relevant info

OS: RHEL 6.1


Output of rpm -qa | grep ipa

ipa-client-2.0.0-23.el6.i686
ipa-pki-ca-theme-9.0.3-6.el6.noarch
ipa-pki-common-theme-9.0.3-6.el6.noarch
device-mapper-multipath-libs-0.4.9-41.el6.i686
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.0.0-23.el6.i686
ipa-server-selinux-2.0.0-23.el6.i686
ipa-server-2.0.0-23.el6.i686
device-mapper-multipath-0.4.9-41.el6.i686
ipa-admintools-2.0.0-23.el6.i686


I went through the documentation to check how to renew the expired certs, but 
it seems to be confusing and different across versions. Could someone please 
help me out by suggesting which is the best way to achieve this? Any help 
would be greatly appreciated, as I am unable to perform any task on the IPA 
server now because of this.

Regards,
Nidal
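
Added example, not part of the original post: a Python check that parses the Validity block of "certutil -L -d <db> -n <nickname>" output, as quoted in the message above, and reports whether the certificate is expired or close to expiry, so the condition can be caught by a scheduled job before httpd rejects the certificate. The function names, the 30-day warning window and the treatment of the timestamps as UTC are assumptions.

```python
import re
from datetime import datetime, timezone

# Validity block copied from the certutil output quoted in the post.
SAMPLE = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
        Issuer: "CN=Certificate Authority,O=XXXXXX.COM"
        Validity:
            Not Before: Sun Jun 19 11:27:20 2011
            Not After : Fri Dec 16 11:27:20 2011
"""

_FIELD = re.compile(r"^\s*Not (Before|After)\s*:\s*(.+?)\s*$", re.M)
_FMT = "%a %b %d %H:%M:%S %Y"  # e.g. "Fri Dec 16 11:27:20 2011"


def parse_validity(text):
    """Return (not_before, not_after) from `certutil -L -n <nick>` text."""
    found = {}
    for which, stamp in _FIELD.findall(text):
        # Assumption: certutil prints these timestamps in UTC.
        parsed = datetime.strptime(stamp, _FMT)
        found[which] = parsed.replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("no complete Validity block in certutil output")
    return found["Before"], found["After"]


def check_cert(text, now=None, warn_days=30):
    """Classify a certificate as not-yet-valid, expired, expiring or ok."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = parse_validity(text)
    if now < not_before:
        return "not-yet-valid", (not_before - now).days
    if now >= not_after:
        return "expired", (now - not_after).days  # whole days since expiry
    left = (not_after - now).days
    return ("expiring" if left < warn_days else "ok"), left


if __name__ == "__main__":
    # Reference time: the Apache error-log timestamp from the post.
    log_time = datetime(2012, 1, 3, 10, 34, 8, tzinfo=timezone.utc)
    print(check_cert(SAMPLE, now=log_time))
```

In a scheduled job, the text passed to check_cert would be the captured output of the certutil command for each nickname in the NSS database, with a non-"ok" status raising an alert.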