On Jan 3, 2012, at 8:37 AM, nasir nasir wrote:

> --- On Tue, 1/3/12, Rich Megginson <rmegg...@redhat.com> wrote:
>
> From: Rich Megginson <rmegg...@redhat.com>
> Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
> To: "nasir nasir" <kollath...@yahoo.com>
> Cc: freeipa-users@redhat.com, fasilk...@gmail.com
> Date: Tuesday, January 3, 2012, 7:41 AM
>
> On 01/03/2012 12:52 AM, nasir nasir wrote:
>> Hi,
>>
>> I am facing a serious issue with my production IPA server. When I try to
>> access the IPA web interface using Firefox, it hangs and doesn't allow me to
>> get in. It seems to be due to an expired SSL certificate, as seen in the
>> apache log file:
>>
>> [Tue Jan 03 10:34:08 2012] [error] Certificate not verified: 'Server-Cert'
>> [Tue Jan 03 10:34:08 2012] [error] SSL Library Error: -8181 Certificate has expired
>> [Tue Jan 03 10:34:08 2012] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
>> [Tue Jan 03 10:34:08 2012] [error] Certificate not verified: 'Server-Cert'
>>
>> Also, when I try to use the command line (ipa user-mod or user-show
>> commands), it too just hangs and doesn't give any output or allow me any
>> input. I can see the following in krb5kdc.log:
>>
>> Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2426](info): preauth (timestamp) verify failure: Decrypt integrity check failed
>> Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2426](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: PREAUTH_FAILED: host/xxxxx.xxxxx....@xxxxxx.com for krbtgt/xxxxxx....@xxxxxx.com, Decrypt integrity check failed
>> Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2429](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH: host/xxxx.xxxxx....@xxxxx.com for krbtgt/xxxxxx....@xxxxxx.com, Additional pre-authentication required
>>
>> The output of "certutil -L -d /etc/httpd/alias -n Server-Cert" confirms that
>> the certificate is expired, as given below.
>>
>> Certificate:
>>     Data:
>>         Version: 3 (0x2)
>>         Serial Number: 10 (0xa)
>>         Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>>         Issuer: "CN=Certificate Authority,O=XXXXXX.COM"
>>         Validity:
>>             Not Before: Sun Jun 19 11:27:20 2011
>>             Not After : Fri Dec 16 11:27:20 2011
>>
>> Relevant info
>>
>> OS: RHEL 6.1
>>
>> Output of rpm -qa | grep ipa
>>
>> ipa-client-2.0.0-23.el6.i686
>> ipa-pki-ca-theme-9.0.3-6.el6.noarch
>> ipa-pki-common-theme-9.0.3-6.el6.noarch
>> device-mapper-multipath-libs-0.4.9-41.el6.i686
>> python-iniparse-0.3.1-2.1.el6.noarch
>> ipa-python-2.0.0-23.el6.i686
>> ipa-server-selinux-2.0.0-23.el6.i686
>> ipa-server-2.0.0-23.el6.i686
>> device-mapper-multipath-0.4.9-41.el6.i686
>> ipa-admintools-2.0.0-23.el6.i686
>>
>> I went through the documentation to check how to renew the expired certs,
>> but it seems to be confusing and different across versions. Could someone
>> please help me out by suggesting which is the best way to achieve this? Any
>> help would be greatly appreciated, as I am unable to perform any task on the
>> IPA server now because of this.
> I suggest following the mod_nss suggestion to allow it to start and use the
> expired cert while you attempt to figure this out.
>
> Thanks indeed for the suggestion. I will consider this. But can anyone point
> me to the steps to renew the certificate from the expired one?
>
> Thanks and regards,
> Nidal

Wasn't certmonger supposed to be designed to automatically handle this situation?

> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
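The outage in this thread was only noticed once mod_nss refused to start with error -8181. As an added example (not code from the thread, from FreeIPA or from certmonger), here is a small Python check that reads the Validity block of `certutil -L` output, as quoted above, and classifies the certificate as expired, expiring or OK. The `/etc/httpd/alias` database and `Server-Cert` nickname are taken from the post; the sample certutil output embedded below is constructed from the validity window in the post (with the redacted names replaced by example.com), and the 30-day warning threshold is an assumption of this example. When `certutil` is installed and no sample output is supplied, the check runs it live; otherwise it works entirely offline.

```python
"""Flag expired or soon-to-expire certificates in an NSS database by parsing
`certutil -L -d <dir> -n <nickname>` output (added example, not FreeIPA code)."""
import re
import shutil
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample output: same shape as certutil -L, validity window copied
# from the post, names replaced with example.com. Not captured from a live box.
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"
        Validity:
            Not Before: Sun Jun 19 11:27:20 2011
            Not After : Fri Dec 16 11:27:20 2011
        Subject: "CN=ipa.example.com,O=EXAMPLE.COM"
"""

# certutil prints "Not Before: Sun Jun 19 11:27:20 2011" and
# "Not After : Fri Dec 16 11:27:20 2011" (note the space before the colon).
_VALIDITY_RE = re.compile(r"Not (Before|After)\s*:\s*(.+?)\s*$", re.MULTILINE)
_DATE_FMT = "%a %b %d %H:%M:%S %Y"
WARN_DAYS = 30  # assumed warning threshold, not from the thread


def parse_validity(certutil_output):
    """Return (not_before, not_after) as naive datetimes (certutil prints UTC)."""
    found = {m.group(1): m.group(2) for m in _VALIDITY_RE.finditer(certutil_output)}
    if "Before" not in found or "After" not in found:
        raise ValueError("no Validity block found in certutil output")
    return (datetime.strptime(found["Before"], _DATE_FMT),
            datetime.strptime(found["After"], _DATE_FMT))


def classify(not_before, not_after, now, warn_days=WARN_DAYS):
    """Classify a validity window relative to `now`.

    Returns (state, days) where days is whole days until not_after
    (negative once the certificate has expired)."""
    days = (not_after - now).days
    if now < not_before:
        return "NOT_YET_VALID", days
    if now >= not_after:
        return "EXPIRED", days
    if not_after - now <= timedelta(days=warn_days):
        return "EXPIRING", days
    return "OK", days


def check_nss_cert(db_dir, nickname, now=None, warn_days=WARN_DAYS,
                   certutil_output=None):
    """Check one certificate in an NSS database.

    If certutil_output is None, runs certutil against db_dir; pass the text
    yourself (e.g. SAMPLE_CERTUTIL_OUTPUT) to run offline."""
    if certutil_output is None:
        if shutil.which("certutil") is None:
            raise RuntimeError("certutil (nss-tools) is not installed")
        certutil_output = subprocess.run(
            ["certutil", "-L", "-d", db_dir, "-n", nickname],
            check=True, capture_output=True, text=True).stdout
    if now is None:
        now = datetime.now(timezone.utc).replace(tzinfo=None)
    not_before, not_after = parse_validity(certutil_output)
    state, days = classify(not_before, not_after, now, warn_days)
    return {"db": db_dir, "nickname": nickname, "not_after": not_after,
            "state": state, "days": days}


if __name__ == "__main__":
    # Replay the situation in the post: checked on 2012-01-03, cert expired 2011-12-16.
    result = check_nss_cert("/etc/httpd/alias", "Server-Cert",
                            now=datetime(2012, 1, 3, 10, 34, 8),
                            certutil_output=SAMPLE_CERTUTIL_OUTPUT)
    print(f"{result['db']} {result['nickname']}: {result['state']} "
          f"(not after {result['not_after']}, {result['days']} days)")
```

Run from cron with the real database paths and nicknames your server uses, and alert on anything other than OK; a check like this would have raised EXPIRING in mid-November, well before the web UI and CLI stopped working.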