nasir nasir wrote:
Thanks for the input Rob,

Please find below the /var/log/httpd/error_log

[Thu Jan 05 19:50:46 2012] [error] Certificate not verified: 'Server-Cert'
[Thu Jan 05 19:50:46 2012] [error] SSL Library Error: -8181 Certificate has expired
[Thu Jan 05 19:50:46 2012] [error] Certificate not verified: 'Server-Cert'
[Thu Jan 05 19:50:46 2012] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.

Do I need to add "NSSEnforceValidCerts off" in
/etc/httpd/conf.d/nss.conf? Please advise.


That explains why certmonger can't connect. Yes, for now add that directive and restart httpd. Then try the start-tracking again and see if it renews the cert.

rob

Nidal.


--- On Thu, 1/5/12, Rob Crittenden <rcrit...@redhat.com> wrote:


    From: Rob Crittenden <rcrit...@redhat.com>
    Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
    To: "nasir nasir" <kollath...@yahoo.com>
    Cc: freeipa-users@redhat.com, fasilk...@gmail.com
    Date: Thursday, January 5, 2012, 7:38 AM

    nasir nasir wrote:
     > Thanks for the reply Rob.
     >
     > Please find below the output of your guidelines.
     >
     > # ipa-getkeytab -s xxxxxxx.xxxxxxx.com -p host/xxxxxx.xxxxxx.com -k /etc/krb5.keytab
     > (the command was successful; it didn't show any errors in the krb5kdc.log
     > or audit.log)
     >
     > # kinit -kt /etc/krb5.keytab host/xxxxxx.xxxxxx.com
     >
     > krb5kdc.log
     > -----------------
     > Jan 05 15:20:32 xxxxxx.xxxxxx.com krb5kdc[2431](info): AS_REQ (4 etypes
     > {18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH: host/xxxxxx.xxxxxx....@xxxxxx.com
     > for krbtgt/xxxxxx....@xxxxxx.com, Additional pre-authentication required
     > Jan 05 15:20:32 xxxxxx.xxxxxx.com krb5kdc[2427](info): AS_REQ (4 etypes
     > {18 17 16 23}) 192.168.1.10: ISSUE: authtime 1325766032, etypes {rep=18
     > tkt=18 ses=18}, host/xxxxxx.xxxxxx....@xxxxxx.com for krbtgt/xxxxxx....@xxxxxx.com
     >
     > # ipa-getcert list
     > Number of certificates and requests being tracked: 3.
     > Request ID '20110619112648':
     > status: CA_UNREACHABLE
     > ca-error: Server failed request, will retry: -504 (libcurl failed to
     > execute the HTTP POST transaction. SSL connect error).
     > stuck: yes
     > key pair storage:
     > type=NSSDB,location='/etc/dirsrv/slapd-xxxxxx-COM',nickname='Server-Cert',token='NSS
     > Certificate DB',pinfile='/etc/dirsrv/slapd-xxxxxx-COM//pwdfile.txt'
     > certificate:
     > type=NSSDB,location='/etc/dirsrv/slapd-xxxxxx-COM',nickname='Server-Cert',token='NSS
     > Certificate DB'
     > CA: IPA
     > issuer: CN=Certificate Authority,O=xxxxxx.COM
     > subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
     > expires: 20111216112647
     > eku: id-kp-serverAuth
     > track: yes
     > auto-renew: yes
     > Request ID '20110619112705':
     > status: CA_UNREACHABLE
     > ca-error: Server failed request, will retry: -504 (libcurl failed to
     > execute the HTTP POST transaction. SSL connect error).
     > stuck: yes
     > key pair storage:
     > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
     > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
     > certificate:
     > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
     > Certificate DB'
     > CA: IPA
     > issuer: CN=Certificate Authority,O=xxxxxx.COM
     > subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
     > expires: 20111216112704
     > eku: id-kp-serverAuth
     > track: yes
     > auto-renew: yes
     > Request ID '20110619112721':
     > status: CA_UNREACHABLE
     > ca-error: Server failed request, will retry: -504 (libcurl failed to
     > execute the HTTP POST transaction. SSL connect error).
     > stuck: yes
     > key pair storage:
     > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
     > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
     > certificate:
     > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
     > Certificate DB'
     > CA: IPA
     > issuer: CN=Certificate Authority,O=xxxxxx.COM
     > subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
     > expires: 20111216112720
     > eku: id-kp-serverAuth
     > track: yes
     > auto-renew: yes
     >
     > # ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert
     > Request "20110619112721" modified.
     >
     > # ipa-getcert list
     > Number of certificates and requests being tracked: 3.
     > Request ID '20110619112648':
     > status: CA_UNREACHABLE
     > ca-error: Server failed request, will retry: -504 (libcurl failed to
     > execute the HTTP POST transaction. SSL connect error).
     > stuck: yes
     > key pair storage:
     > type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS
     > Certificate DB',pinfile='/etc/dirsrv/slapd-HUGAYET-COM//pwdfile.txt'
     > certificate:
     > type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS
     > Certificate DB'
     > CA: IPA
     > issuer: CN=Certificate Authority,O=HUGAYET.COM
     > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
     > expires: 20111216112647
     > eku: id-kp-serverAuth
     > track: yes
     > auto-renew: yes
     > Request ID '20110619112705':
     > status: CA_UNREACHABLE
     > ca-error: Server failed request, will retry: -504 (libcurl failed to
     > execute the HTTP POST transaction. SSL connect error).
     > stuck: yes
     > key pair storage:
     > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
     > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
     > certificate:
     > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
     > Certificate DB'
     > CA: IPA
     > issuer: CN=Certificate Authority,O=HUGAYET.COM
     > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
     > expires: 20111216112704
     > eku: id-kp-serverAuth
     > track: yes
     > auto-renew: yes
     > Request ID '20110619112721':
     > status: SUBMITTING
     > stuck: no
     > key pair storage:
     > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
     > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
     > certificate:
     > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
     > Certificate DB'
     > CA: IPA
     > issuer: CN=Certificate Authority,O=HUGAYET.COM
     > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
     > expires: 20111216112720
     > eku: id-kp-serverAuth
     > track: yes
     > auto-renew: yes
     >
     > and after a few minutes, the status 'SUBMITTING' changes to
     > 'CA_UNREACHABLE'.
     > Do we need to restart the /etc/init.d/ipa service for this? I am working
     > remotely.

    It isn't logging enough information to know why it failed. Can you look
    in the Apache error log to see why the request failed?

    My first thought was that there was a CA trust issue. I believe that
    certmonger uses the NSS database where the certificate is stored, and
    since it is also doing this against Apache (where in theory trust is ok,
    for it to start at all), I'm baffled. Hopefully the httpd logs will be
    enlightening.

     >
     > I need to upgrade my IPA version. Before going for this I need to have a
     > replica of the existing one. Is it okay to have the replica while all
     > these issues exist?


    Yes, you should be able to create a replica, this shouldn't affect it.

    rob


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
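As an added example (not from this thread or from certmonger/FreeIPA), a small Python checker that parses `ipa-getcert list` output in the format quoted above and flags requests whose certificate has expired or is about to, and requests certmonger reports as stuck, which is the situation the thread ends up in. The sample output, the slapd-EXAMPLE-COM location, the later expiry dates and the NOW_SAMPLE timestamp are constructed.

```python
import re
from datetime import datetime

# Constructed, abbreviated `ipa-getcert list` output; slapd-EXAMPLE-COM and the later expiries are placeholders.
GETCERT_SAMPLE = """\
Request ID '20110619112648':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 20111216112647
Request ID '20110619112721':
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 20130105000000
Request ID '20110619112705':
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 20120120000000
"""
# Constructed "now": the timestamp of the httpd error_log entries quoted in the thread.
NOW_SAMPLE = datetime(2012, 1, 5, 19, 50, 46)

def parse_getcert_list(text):
    """Split `ipa-getcert list` output into one dict of field -> value per tracked request."""
    requests, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '(\d+)':", line)
        if m:
            cur = {"id": m.group(1)}
            requests.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.strip().partition(":")  # split at the first colon only
            cur[key.strip()] = val.strip()
    return requests

def check_requests(requests, now, warn_days=28):
    """Return (request id, finding) pairs for expired, soon-expiring or stuck requests."""
    findings = []
    for r in requests:
        exp = datetime.strptime(r["expires"], "%Y%m%d%H%M%S")  # certmonger's YYYYMMDDHHMMSS
        loc = re.search(r"location='([^']+)'", r.get("key pair storage", ""))
        where = loc.group(1) if loc else "unknown NSS db"
        if exp <= now:
            findings.append((r["id"], f"EXPIRED {exp:%Y-%m-%d} in {where}"))
        elif (exp - now).days < warn_days:
            findings.append((r["id"], f"expires in {(exp - now).days}d in {where}"))
        if r.get("stuck") == "yes":  # certmonger gave up retrying; needs manual action
            findings.append((r["id"], f"stuck renewal, status {r.get('status')}: {r.get('ca-error', '')[:60]}"))
    return findings
```

On a live server, feed it the real output (`ipa-getcert list`) and `datetime.now()` instead of the constructed sample; a warning before expiry avoids the expired-cert deadlock where certmonger cannot reach the CA through the very httpd whose certificate it needs to renew.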
