Thanks for the reply Rob,
Indeed there are host entries. Please find below the output of your below-mentioned guidelines.
# klist -kt /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 06/19/11 14:27:17 host/xxxxxx.xxxxxx....@xxxxxx.com
   2 06/19/11 14:27:17 host/xxxxxx.xxxxxx....@xxxxxx.com
   2 06/19/11 14:27:17 host/xxxxxx.xxxxxx....@xxxxxx.com
   2 06/19/11 14:27:17 host/xxxxxx.xxxxxx....@xxxxxx.com
   2 06/19/11 14:27:17 host/xxxxxx.xxxxxx....@xxxxxx.com
   2 06/19/11 14:27:17 host/xxxxxx.xxxxxx....@xxxxxx.com
   2 06/20/11 09:07:26 host/test1.xxxxxx....@xxxxxx.com
   2 06/20/11 09:07:26 host/test1.xxxxxx....@xxxxxx.com
   2 06/20/11 09:07:26 host/test1.xxxxxx....@xxxxxx.com
   2 06/20/11 09:07:26 host/test1.xxxxxx....@xxxxxx.com
   6 06/20/11 09:09:12 nfs/nfs.xxxxxx....@xxxxxx.com
   6 06/20/11 09:09:12 nfs/nfs.xxxxxx....@xxxxxx.com
   6 06/20/11 09:09:12 nfs/nfs.xxxxxx....@xxxxxx.com
   6 06/20/11 09:09:12 nfs/nfs.xxxxxx....@xxxxxx.com
   2 06/20/11 09:11:24 nfs/test1.xxxxxx....@xxxxxx.com
   2 06/20/11 09:11:24 nfs/test1.xxxxxx....@xxxxxx.com
   2 06/20/11 09:11:24 nfs/test1.xxxxxx....@xxxxxx.com
   2 06/20/11 09:11:24 nfs/test1.xxxxxx....@xxxxxx.com
# kinit -kt /etc/krb5.keytab host/openipa.hugayet.com
kinit: Password incorrect while getting initial credentials
# kinit admin
(the password is accepted successfully here)
# kinit -kt /etc/krb5.keytab host/openipa.hugayet.com
kinit: Password incorrect while getting initial credentials
What could be the cause of the invalid-credential error? Please help.
Nidal

--- On Wed, 1/4/12, Rob Crittenden <rcrit...@redhat.com> wrote:

From: Rob Crittenden <rcrit...@redhat.com>
Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
To: "nasir nasir" <kollath...@yahoo.com>
Cc: "Rich Megginson" <rmegg...@redhat.com>, freeipa-users@redhat.com, 
fasilk...@gmail.com
Date: Wednesday, January 4, 2012, 11:52 AM

nasir nasir wrote:
> Thanks for all the replies.
>
> Rob,
> Please find the output of your guidelines.

Here is the culprit:

ca-error: Error setting up ccache for local "host" service using default 
keytab.

certmonger authenticates to IPA using the host service principal 
installed on each client (and master). For some reason that can't be used.

Check the keytab:

# klist -kt /etc/krb5.keytab

If there are host entries there, try it:

# kinit -kt /etc/krb5.keytab host/server.example.com

rob

>
> # ipa-getcert list
> Number of certificates and requests being tracked: 3.
> Request ID '20110619112648':
> status: MONITORING
> ca-error: Error setting up ccache for local "host" service using default
> keytab.
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-COM',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-xxxxx-COM//pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-COM',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=xxxxx.COM
> subject: CN=xxxxx.xxxxx.com,O=xxxxx.COM
> expires: 20111216112647
> eku: id-kp-serverAuth
> track: yes
> auto-renew: yes
> Request ID '20110619112705':
> status: MONITORING
> ca-error: Error setting up ccache for local "host" service using default
> keytab.
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=xxxxx.COM
> subject: CN=xxxxx.xxxxx.com,O=xxxxx.COM
> expires: 20111216112704
> eku: id-kp-serverAuth
> track: yes
> auto-renew: yes
> Request ID '20110619112721':
> status: MONITORING
> ca-error: Error setting up ccache for local "host" service using default
> keytab.
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=xxxxx.COM
> subject: CN=xxxxx.xxxxx.com,O=xxxxx.COM
> expires: 20111216112720
> eku: id-kp-serverAuth
> track: yes
> auto-renew: yes
>
> # certutil -L -d /etc/httpd/alias
> Certificate Nickname Trust Attributes
> SSL,S/MIME,JAR/XPI
> Server-Cert u,u,u
> HUGAYET.COM IPA CA CT,C,C
> ipaCert u,u,u
> Signing-Cert u,u,u
>
> Now track it
> # ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert
> Request "20110619112721" modified.
>
> #ipa-getcert list
> Number of certificates and requests being tracked: 3.
> Request ID '20110619112648':
> status: MONITORING
> ca-error: Error setting up ccache for local "host" service using default
> keytab.
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-COM',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-xxxxx-COM//pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-COM',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=xxxxx.COM
> subject: CN=xxxxx.xxxxx.com,O=xxxxx.COM
> expires: 20111216112647
> eku: id-kp-serverAuth
> track: yes
> auto-renew: yes
> Request ID '20110619112705':
> status: MONITORING
> ca-error: Error setting up ccache for local "host" service using default
> keytab.
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=xxxxx.COM
> subject: CN=xxxxx.xxxxx.com,O=xxxxx.COM
> expires: 20111216112704
> eku: id-kp-serverAuth
> track: yes
> auto-renew: yes
> Request ID '20110619112721':
> status: MONITORING
> ca-error: Error setting up ccache for local "host" service using default
> keytab.
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=xxxxx.COM
> subject: CN=xxxxx.xxxxx.com,O=xxxxx.COM
> expires: 20111216112720
> eku: id-kp-serverAuth
> track: yes
> auto-renew: yes
>
> The issue is still there as you can see the expiry dates are not getting
> modified.
>
> Nidal.
>
> --- On Tue, 1/3/12, Rob Crittenden <rcrit...@redhat.com> wrote:
>
>
>     From: Rob Crittenden <rcrit...@redhat.com>
>     Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
>     To: "nasir nasir" <kollath...@yahoo.com>
>     Cc: "Rich Megginson" <rmegg...@redhat.com>,
>     freeipa-users@redhat.com, fasilk...@gmail.com
>     Date: Tuesday, January 3, 2012, 2:23 PM
>
>     nasir nasir wrote:
>      >
>      >
>      > --- On Tue, 1/3/12, Rich Megginson <rmegg...@redhat.com> wrote:
>      >
>      >
>      > From: Rich Megginson <rmegg...@redhat.com>
>      > Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
>      > To: "nasir nasir" <kollath...@yahoo.com>
>      > Cc: freeipa-users@redhat.com, fasilk...@gmail.com
>      > Date: Tuesday, January 3, 2012, 7:41 AM
>      >
>      > On 01/03/2012 12:52 AM, nasir nasir wrote:
>      >> Hi,
>      >>
>      >> I am facing a serious issue with my production IPA server. When I
>      >> try to access IPA web interface using Firefox, it hangs and
>      >> doesn't allow me to get in. It seems to be due to expired SSL
>      >> certificate as seen in the apache log file,
>      >>
>      >>
>      >> [Tue Jan 03 10:34:08 2012] [error] Certificate not verified:
>      >> 'Server-Cert'
>      >> [Tue Jan 03 10:34:08 2012] [error] SSL Library Error: -8181
>      >> Certificate has expired
>      >> [Tue Jan 03 10:34:08 2012] [error] Unable to verify certificate
>      >> 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the
>      >> server can start until the problem can be resolved.
>      >> [Tue Jan 03 10:34:08 2012] [error] Certificate not verified:
>      >> 'Server-Cert'
>      >>
>      >>
>      >> Also, when I try to use the command line (ipa user-mod or
>      >> user-show commands) it too just hangs and doesn't give any output
>      >> or allow me for any input. I can see the following in krb5kdc.log ,
>      >>
>      >> Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2426](info): preauth
>      >> (timestamp) verify failure: Decrypt integrity check failed
>      >> Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2426](info): AS_REQ (4
>      >> etypes {18 17 16 23}) 192.168.1.10: PREAUTH_FAILED:
>      >> host/xxxxx.xxxxx....@xxxxxx.com for krbtgt/xxxxxx....@xxxxxx.com,
>      >> Decrypt integrity check failed
>      >> Jan 03 10:29:16 xxxxxx.xxxxxx.com krb5kdc[2429](info): AS_REQ (4
>      >> etypes {18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH:
>      >> host/xxxx.xxxxx....@xxxxx.com for krbtgt/xxxxxx....@xxxxxx.com,
>      >> Additional pre-authentication required
>      >>
>      >>
>      >> The output of "certutil -L -d /etc/httpd/alias -n Server-Cert"
>      >> confirms that certificate is expired as given below.
>      >>
>      >> Certificate:
>      >> Data:
>      >> Version: 3 (0x2)
>      >> Serial Number: 10 (0xa)
>      >> Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>      >> Issuer: "CN=Certificate Authority,O=XXXXXX.COM"
>      >> Validity:
>      >> Not Before: Sun Jun 19 11:27:20 2011
>      >> Not After : Fri Dec 16 11:27:20 2011
>      >>
>      >>
>      >> Relevant info
>      >>
>      >> OS: RHEL 6.1
>      >>
>      >>
>      >> Output of rpm -qa | grep ipa
>      >>
>      >> ipa-client-2.0.0-23.el6.i686
>      >> ipa-pki-ca-theme-9.0.3-6.el6.noarch
>      >> ipa-pki-common-theme-9.0.3-6.el6.noarch
>      >> device-mapper-multipath-libs-0.4.9-41.el6.i686
>      >> python-iniparse-0.3.1-2.1.el6.noarch
>      >> ipa-python-2.0.0-23.el6.i686
>      >> ipa-server-selinux-2.0.0-23.el6.i686
>      >> ipa-server-2.0.0-23.el6.i686
>      >> device-mapper-multipath-0.4.9-41.el6.i686
>      >> ipa-admintools-2.0.0-23.el6.i686
>      >>
>      >>
>      >> I went through the documentations to check how to renew the
>      >> expired certs but it seems to be confusing and different across
>      >> versions. Could someone please help me out by suggesting which is
>      >> the best way to achieve this ? Any help would be greatly
>      >> appreciated as I am unable to perform any task on the IPA server
>      >> now because of this.
>      >>
>      > I suggest following the mod_nss suggestion to allow it to start and
>      > use the expired cert while you attempt to figure this out.
>      >
>      > Thanks indeed for the suggestion. I will consider this. But can
>      > anyone point me the steps to renew certificate from the expired one ?
>      >
>      > Thanks and regards,
>      > Nidal
>
>     Let's start with figuring out why certmonger didn't do this for you:
>
>     Can you run as root: ipa-getcert list
>
>     You should have something like:
>
>     Request ID '20111215203350':
>     status: MONITORING
>     stuck: no
>     key pair storage:
>     type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>     Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate:
>     type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>     Certificate DB'
>     CA: IPA
>     issuer: CN=EXAMPLE.COM Certificate Authority
>     subject: CN=rawhide.example.com,O=EXAMPLE.COM
>     expires: 2021-12-15 20:33:50 UTC
>     track: yes
>     auto-renew: yes
>
>     If you don't have something like this then perhaps the easiest way to
>     get it renewed is to tell certmonger to track it. First, look at your
>     current database, it should look something like:
>
>     # certutil -L -d /etc/httpd/alias
>
>     Server-Cert u,u,u
>     EXAMPLE.COM IPA CA CTu,u,Cu
>     Signing-Cert u,u,u
>
>     Now track it
>
>     # ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert
>
>     Use ipa-getcert list to track the status of the renewal. Once it has
>     been completed you can reset the EnforceValidCerts option and restart
>     Apache.
>
>     If certmonger is already tracking the cert and the renewal has failed
>     then please provide the ipa-getcert list output.
>
>     rob
>
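Rob's keytab check, turned into a small diagnostic script. This is an added example, not code from the thread or from FreeIPA: it parses `klist -kt` output (highest KVNO per principal), then tries `kinit -kt` into a throwaway credential cache for every host/ principal so a dead keytab shows up without disturbing the admin's own tickets. It assumes MIT Kerberos tools (klist, kinit) as on the RHEL 6 host above; the sample klist output and the example.test names are constructed.

```shell
# Added diagnostic (not from the thread or FreeIPA): does the keytab actually
# work for the host/ principals certmonger relies on? Assumes MIT Kerberos
# tools (klist, kinit); sample output and example.test names are constructed.

# Constructed klist -kt output shaped like the one posted in the thread.
sample_klist() {
    printf '%s\n' \
        'Keytab name: WRFILE:/etc/krb5.keytab' \
        'KVNO Timestamp         Principal' \
        '---- ----------------- ---------------------------------------' \
        '   2 06/19/11 14:27:17 host/ipa.example.test@EXAMPLE.TEST' \
        '   2 06/19/11 14:27:17 host/ipa.example.test@EXAMPLE.TEST' \
        '   6 06/20/11 09:09:12 nfs/nfs.example.test@EXAMPLE.TEST' \
        '   2 06/20/11 09:11:24 nfs/nfs.example.test@EXAMPLE.TEST'
}

# Read klist -kt output on stdin; print "KVNO PRINCIPAL", one line per
# distinct principal, keeping the highest KVNO seen for it.
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 4 && $4 ~ /@/ {
             if (!($4 in kv) || $1 + 0 > kv[$4] + 0) kv[$4] = $1
         }
         END { for (p in kv) print kv[p], p }' | sort -k2
}

# Try a keytab-based kinit for one principal into a throwaway ccache, so the
# admin's own tickets are untouched. Prints OK/FAIL; non-zero status on FAIL.
try_keytab_principal() {
    keytab=$1; princ=$2
    cc=$(mktemp /tmp/ktcheck.XXXXXX) || return 1
    if KRB5CCNAME="FILE:$cc" kinit -kt "$keytab" "$princ" 2>"$cc.err"; then
        echo "OK   $princ"; rc=0
    else
        echo "FAIL $princ: $(cat "$cc.err")"; rc=1
    fi
    rm -f "$cc" "$cc.err"
    return $rc
}

# Check every host/ principal in the keytab (default /etc/krb5.keytab);
# exit status is non-zero if any of them cannot get a TGT.
check_keytab() {
    keytab=${1:-/etc/krb5.keytab}
    status=0
    for p in $(klist -kt "$keytab" | keytab_entries | awk '$2 ~ /^host\// { print $2 }'); do
        try_keytab_principal "$keytab" "$p" || status=1
    done
    return $status
}
```

Run `sample_klist | keytab_entries` to see the parser on the constructed sample, or `check_keytab` as root on the IPA host. A FAIL reading "Password incorrect" means the key stored in the keytab no longer matches the key the KDC holds for that principal (the "Decrypt integrity check failed" lines in the krb5kdc log quoted in this thread are the server-side view of the same mismatch), so the remedy is a fresh keytab for the host rather than any password change.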

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
