On Jan 3, 2012, at 8:37 AM, nasir nasir wrote:

> 
> 
> --- On Tue, 1/3/12, Rich Megginson <rmegg...@redhat.com> wrote:
> 
> From: Rich Megginson <rmegg...@redhat.com>
> Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
> To: "nasir nasir" <kollath...@yahoo.com>
> Cc: freeipa-users@redhat.com, fasilk...@gmail.com
> Date: Tuesday, January 3, 2012, 7:41 AM
> 
> On 01/03/2012 12:52 AM, nasir nasir wrote:
>> Hi,
>> 
>> I am facing a serious issue with my production IPA server. When I try to 
>> access IPA web interface using Firefox, it hangs and doesn't allow me to get 
>> in. It seems to be due to expired SSL certificate as seen in the apache log 
>> file, 
>> 
>> 
>> [Tue Jan 03 10:34:08 2012] [error] Certificate not verified: 'Server-Cert'
>> [Tue Jan 03 10:34:08 2012] [error] SSL Library Error: -8181 Certificate has 
>> expired
>> [Tue Jan 03 10:34:08 2012] [error] Unable to verify certificate 
>> 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can 
>> start until the problem can be resolved.
>> [Tue Jan 03 10:34:08 2012] [error] Certificate not verified: 'Server-Cert'
>> 
>> 
>> Also, when I try to use the command line (ipa user-mod or user-show 
>> commands) it too just hangs and doesn't give any output or accept any 
>> input. I can see the following in krb5kdc.log,
>> 
>> Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2426](info): preauth (timestamp) 
>> verify failure: Decrypt integrity check failed
>> Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2426](info): AS_REQ (4 etypes {18 
>> 17 16 23}) 192.168.1.10: PREAUTH_FAILED: host/xxxxx.xxxxx....@xxxxxx.com for 
>> krbtgt/xxxxxx....@xxxxxx.com, Decrypt integrity check failed
>> Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2429](info): AS_REQ (4 etypes {18 
>> 17 16 23}) 192.168.1.10: NEEDED_PREAUTH: host/xxxx.xxxxx....@xxxxx.com for 
>> krbtgt/xxxxxx....@xxxxxx.com, Additional pre-authentication required
>> 
>> 
>> The output of "certutil -L -d /etc/httpd/alias -n Server-Cert" confirms that 
>> certificate is expired as given below.
>> 
>> Certificate:
>> Data:
>> Version: 3 (0x2)
>> Serial Number: 10 (0xa)
>> Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>> Issuer: "CN=Certificate Authority,O=XXXXXX.COM"
>> Validity:
>> Not Before: Sun Jun 19 11:27:20 2011
>> Not After : Fri Dec 16 11:27:20 2011
>> 
>> 
>> Relevant info
>> 
>> OS: RHEL 6.1
>> 
>> 
>> Output of rpm -qa | grep ipa
>> 
>> ipa-client-2.0.0-23.el6.i686
>> ipa-pki-ca-theme-9.0.3-6.el6.noarch
>> ipa-pki-common-theme-9.0.3-6.el6.noarch
>> device-mapper-multipath-libs-0.4.9-41.el6.i686
>> python-iniparse-0.3.1-2.1.el6.noarch
>> ipa-python-2.0.0-23.el6.i686
>> ipa-server-selinux-2.0.0-23.el6.i686
>> ipa-server-2.0.0-23.el6.i686
>> device-mapper-multipath-0.4.9-41.el6.i686
>> ipa-admintools-2.0.0-23.el6.i686
>> 
>> 
>> I went through the documentation to check how to renew the expired certs 
>> but it seems to be confusing and different across versions. Could someone 
>> please help me out by suggesting which is the best way to achieve this? Any 
>> help would be greatly appreciated as I am unable to perform any task on the 
>> IPA server now because of this.
> I suggest following the mod_nss suggestion to allow it to start and use the 
> expired cert while you attempt to figure this out.
> 
> Thanks indeed for the suggestion. I will consider this. But can anyone point 
> me to the steps to renew the certificate from the expired one?
> 
> Thanks and regards,
> Nidal

Wasn't certmonger supposed to be designed to automatically handle this 
situation?

> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


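As an added example (not code from the thread or from the FreeIPA project), here is a small Python check that parses the `certutil -L` listing quoted above and classifies the certificate as expired, expiring or valid, so that a cron job or monitoring agent catches the expiry before the web UI and KDC stop working. The sample listing is constructed from the one in the thread with a placeholder realm; the NSS database path and nickname are the ones the reporter used.

```python
"""Classify an NSS certificate's validity from certutil -L output (added example)."""
import re
import subprocess
from datetime import datetime

# Constructed sample, modelled on the certutil listing quoted in the thread
# (realm replaced with a placeholder).
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"
        Validity:
            Not Before: Sun Jun 19 11:27:20 2011
            Not After : Fri Dec 16 11:27:20 2011
"""

# certutil prints "Not Before:" and "Not After :" (note the stray space).
_VALIDITY_RE = re.compile(r"Not (Before|After)\s*:\s*(.+?)\s*$", re.MULTILINE)
_DATE_FMT = "%a %b %d %H:%M:%S %Y"  # certutil's human-readable timestamp

def parse_validity(certutil_text):
    """Return (not_before, not_after) as naive datetimes from certutil -L text."""
    found = {which: datetime.strptime(value, _DATE_FMT)
             for which, value in _VALIDITY_RE.findall(certutil_text)}
    if "Before" not in found or "After" not in found:
        raise ValueError("certutil output lacks a complete Validity section")
    return found["Before"], found["After"]

def check_validity(certutil_text, now, warn_days=30):
    """Return (status, days): 'expired'/'not_yet_valid'/'expiring'/'ok' and a day count."""
    not_before, not_after = parse_validity(certutil_text)
    if now >= not_after:
        return "expired", (now - not_after).days       # days since expiry
    if now < not_before:
        return "not_yet_valid", (not_before - now).days
    days_left = (not_after - now).days
    return ("expiring" if days_left <= warn_days else "ok"), days_left

def check_nss_cert(dbdir="/etc/httpd/alias", nickname="Server-Cert", now=None):
    """Run certutil against a live NSS database and classify the named cert."""
    out = subprocess.run(["certutil", "-L", "-d", dbdir, "-n", nickname],
                         capture_output=True, text=True, check=True).stdout
    return check_validity(out, now or datetime.now())

if __name__ == "__main__":
    # The reporter hit the failure on Jan 3 2012; the cert expired Dec 16 2011.
    print(check_validity(SAMPLE_CERTUTIL_OUTPUT, datetime(2012, 1, 3, 10, 34, 8)))
```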