nasir nasir wrote:
Thanks for the reply Rob.

Please find below the output of your guidelines.

# ipa-getkeytab -s xxxxxxx.xxxxxxx.com -p host/xxxxxx.xxxxxx.com -k /etc/krb5.keytab
(the command was successful; it didn't show any errors in the krb5kdc.log
or audit.log)

# kinit -kt /etc/krb5.keytab host/xxxxxx.xxxxxx.com

krb5kdc.log
-----------------
Jan 05 15:20:32 xxxxxx.xxxxxx.com krb5kdc[2431](info): AS_REQ (4 etypes
{18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH:
host/xxxxxx.xxxxxx....@xxxxxx.com for krbtgt/xxxxxx....@xxxxxx.com,
Additional pre-authentication required
Jan 05 15:20:32 xxxxxx.xxxxxx.com krb5kdc[2427](info): AS_REQ (4 etypes
{18 17 16 23}) 192.168.1.10: ISSUE: authtime 1325766032, etypes {rep=18
tkt=18 ses=18}, host/xxxxxx.xxxxxx....@xxxxxx.com for
krbtgt/xxxxxx....@xxxxxx.com

# ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20110619112648':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction. SSL connect error).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-xxxxxx-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-xxxxxx-COM//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-xxxxxx-COM',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=xxxxxx.COM
subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
expires: 20111216112647
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Request ID '20110619112705':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction. SSL connect error).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=xxxxxx.COM
subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
expires: 20111216112704
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Request ID '20110619112721':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction. SSL connect error).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=xxxxxx.COM
subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
expires: 20111216112720
eku: id-kp-serverAuth
track: yes
auto-renew: yes

# ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert
Request "20110619112721" modified.

# ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20110619112648':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction. SSL connect error).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-HUGAYET-COM//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=HUGAYET.COM
subject: CN=openipa.hugayet.com,O=HUGAYET.COM
expires: 20111216112647
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Request ID '20110619112705':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction. SSL connect error).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=HUGAYET.COM
subject: CN=openipa.hugayet.com,O=HUGAYET.COM
expires: 20111216112704
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Request ID '20110619112721':
status: SUBMITTING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=HUGAYET.COM
subject: CN=openipa.hugayet.com,O=HUGAYET.COM
expires: 20111216112720
eku: id-kp-serverAuth
track: yes
auto-renew: yes

and after a few minutes, the status 'SUBMITTING' changes to
'CA_UNREACHABLE'.
Do we need to restart the /etc/init.d/ipa service for this? I am working
remotely.

It isn't logging enough information to know why it failed. Can you look in the Apache error log to see why the request failed?

My first thought was that there was a CA trust issue. I believe that certmonger uses the NSS database where the certificate is stored, so since it is also doing this against Apache (which, in theory, has trust in order for it to start at all), I'm baffled. Hopefully the httpd logs will be enlightening.


I need to upgrade my IPA version. Before going for this I need to have a
replica of the existing one. Is it okay to have the replica while all
these issues exist?


Yes, you should be able to create a replica, this shouldn't affect it.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
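Added example (editor's note, not part of the thread or of the FreeIPA/certmonger projects): a small POSIX shell helper that reads `ipa-getcert list` output and prints only the requests certmonger marks `stuck: yes`, with the NSS database holding the key and whether the tracked certificate's `expires:` stamp is already in the past. That last check is the one a practitioner would want here: the `expires:` values in the listing above (20111216...) are earlier than the authtime in the KDC log (1325766032, i.e. 5 January 2012), so all three certificates had already expired when the listing was taken, which is consistent with the "SSL connect error" the CA call reports. The sample listing embedded below is constructed (hostnames, realm and the second request ID are made up; the second, healthy request is included only to show it is filtered out); `stuck_requests` and `report` are names chosen for this example.

```shell
#!/bin/sh
# Triage helper for certmonger: list requests that `ipa-getcert list` reports
# as stuck, with the NSS database holding the key pair and whether the tracked
# certificate has already expired. Reads `ipa-getcert list` output on stdin;
# the optional first argument is a YYYYMMDDHHMMSS timestamp to compare the
# `expires:` field against (default: current time).
#
# On a real server:  ipa-getcert list | sh triage.sh
stuck_requests() {
    now=${1:-$(date +%Y%m%d%H%M%S)}
    # The timestamps are 14 digits, so numeric comparison in awk is exact.
    awk -v now="$now" -v q="'" '
    function flush() {
        if (id != "" && stuck == "yes")
            printf "%s status=%s db=%s expires=%s %s\n", id, status, db, until,
                   (until < now) ? "EXPIRED" : "not-yet-expired"
    }
    { sub(/^[ \t]+/, "") }                     # real output indents with a tab
    /^Request ID / { flush(); id = $3; gsub(/[^0-9]/, "", id)
                     status = ""; stuck = ""; db = ""; until = ""; next }
    /^status: /  { status = $2 }
    /^stuck: /   { stuck = $2 }
    /^expires: / { until = $2 }
    # First location=... is the key pair storage; the certificate line repeats it.
    db == "" && index($0, "location=" q) {
        rest = substr($0, index($0, "location=" q) + 10)
        db = substr(rest, 1, index(rest, q) - 1)
    }
    END { flush() }'
}

# Constructed sample modelled on the listing in the thread (names changed):
# one stuck request whose certificate has expired, and one healthy request.
SAMPLE=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20110619112721':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction. SSL connect error).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ipa.example.com,O=EXAMPLE.COM
    expires: 20111216112720
    eku: id-kp-serverAuth
    track: yes
    auto-renew: yes
Request ID '20120105101500':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    expires: 20131216112720
    track: yes
    auto-renew: yes
EOF
)

# Run the sample through the filter against a chosen reference time.
report() { printf '%s\n' "$SAMPLE" | stuck_requests "$1"; }

# Compared against the day of the KDC log entries in the thread (5 Jan 2012),
# the stuck request is reported as EXPIRED; the healthy one is not listed.
report 20120105000000
```

For each database the script prints, `certutil -L -d <db> -n Server-Cert` shows the certificate's validity dates directly, and an expired certificate in `/etc/httpd/alias` is worth checking before chasing the libcurl error any further, since certmonger's renewal call goes to the CA over HTTPS.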
