Hi Rob,
Added the directive "NSSEnforceValidCerts off" in /etc/httpd/conf.d/nss.conf 
and restarted httpd. Please find the /var/log/httpd/error_log
[Fri Jan 06 01:06:29 2012] [error] Exception KeyError: KeyError(-1215723696,) 
in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored[Fri Jan 
06 01:06:29 2012] [error] Exception KeyError: KeyError(-1215723696,) in <module 
'threading' from '/usr/lib/python2.6/threading.pyc'> ignored[Fri Jan 06 
01:06:29 2012] [error] Exception KeyError: KeyError(-1215723696,) in <module 
'threading' from '/usr/lib/python2.6/threading.pyc'> ignored[Fri Jan 06 
01:06:29 2012] [error] Exception KeyError: KeyError(-1215723696,) in <module 
'threading' from '/usr/lib/python2.6/threading.pyc'> ignored[Fri Jan 06 
01:06:29 2012] [error] Exception KeyError: KeyError(-1215723696,) in <module 
'threading' from '/usr/lib/python2.6/threading.pyc'> ignored[Fri Jan 06 
01:06:29 2012] [error] Exception KeyError: KeyError(-1215723696,) in <module 
'threading' from '/usr/lib/python2.6/threading.pyc'> ignored[Fri Jan 06 
01:06:29 2012] [error] Exception KeyError:
 KeyError(-1215723696,) in <module 'threading' from 
'/usr/lib/python2.6/threading.pyc'> ignored[Fri Jan 06 01:06:29 2012] [error] 
Exception KeyError: KeyError(-1215723696,) in <module 'threading' from 
'/usr/lib/python2.6/threading.pyc'> ignored[Fri Jan 06 01:06:29 2012] [error] 
Exception KeyError: KeyError(-1215723696,) in <module 'threading' from 
'/usr/lib/python2.6/threading.pyc'> ignored[Fri Jan 06 01:06:29 2012] [error] 
Exception KeyError: KeyError(-1215723696,) in <module 'threading' from 
'/usr/lib/python2.6/threading.pyc'> ignored[Fri Jan 06 01:06:29 2012] [notice] 
caught SIGTERM, shutting down[Fri Jan 06 01:06:29 2012] [notice] suEXEC 
mechanism enabled (wrapper: /usr/sbin/suexec)[Fri Jan 06 01:06:30 2012] [error] 
Certificate not verified: 'Server-Cert'[Fri Jan 06 01:06:30 2012] [error] SSL 
Library Error: -8181 Certificate has expired[Fri Jan 06 01:06:30 2012] [error] 
Server certificate is expired: 'Server-Cert'[Fri Jan 06 01:06:30 2012] [notice]
 Digest: generating secret for digest authentication ...[Fri Jan 06 01:06:30 
2012] [notice] Digest: done[Fri Jan 06 01:06:30 2012] [warn] mod_wsgi: Compiled 
for Python/2.6.2.[Fri Jan 06 01:06:30 2012] [warn] mod_wsgi: Runtime using 
Python/2.6.6.[Fri Jan 06 01:06:30 2012] [notice] Apache/2.2.15 (Unix) DAV/2 
mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.6.6 
configured -- resuming normal operations[Fri Jan 06 01:06:30 2012] [error] 
Certificate not verified: 'Server-Cert'[Fri Jan 06 01:06:30 2012] [error] SSL 
Library Error: -8181 Certificate has expired[Fri Jan 06 01:06:30 2012] [error] 
Server certificate is expired: 'Server-Cert'[Fri Jan 06 01:06:30 2012] [error] 
Certificate not verified: 'Server-Cert'[Fri Jan 06 01:06:30 2012] [error] SSL 
Library Error: -8181 Certificate has expired[Fri Jan 06 01:06:30 2012] [error] 
Server certificate is expired: 'Server-Cert'[Fri Jan 06 01:06:30 2012] [error] 
Certificate not verified:
 'Server-Cert'[Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 
Certificate has expired[Fri Jan 06 01:06:30 2012] [error] Server certificate is 
expired: 'Server-Cert'[Fri Jan 06 01:06:30 2012] [error] Certificate not 
verified: 'Server-Cert'[Fri Jan 06 01:06:30 2012] [error] SSL Library Error: 
-8181 Certificate has expired[Fri Jan 06 01:06:30 2012] [error] Server 
certificate is expired: 'Server-Cert'[Fri Jan 06 01:06:30 2012] [error] 
Certificate not verified: 'Server-Cert'[Fri Jan 06 01:06:30 2012] [error] SSL 
Library Error: -8181 Certificate has expired[Fri Jan 06 01:06:30 2012] [error] 
Certificate not verified: 'Server-Cert'[Fri Jan 06 01:06:30 2012] [error] SSL 
Library Error: -8181 Certificate has expired[Fri Jan 06 01:06:30 2012] [error] 
Certificate not verified: 'Server-Cert'[Fri Jan 06 01:06:30 2012] [error] SSL 
Library Error: -8181 Certificate has expired[Fri Jan 06 01:06:30 2012] [error] 
Server certificate is expired: 'Server-Cert'[Fri
 Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'[Fri 
Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'[Fri Jan 
06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired[Fri 
Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'[Fri 
Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'[Fri 
Jan 06 01:06:32 2012] [error] ipa: INFO: *** PROCESS START ***[Fri Jan 06 
01:06:32 2012] [error] ipa: INFO: *** PROCESS START ***
# ipa-getcert listNumber of certificates and requests being tracked: 3.Request 
ID '20110619112648':        status: CA_UNREACHABLE        ca-error: Server 
failed request, will retry: -504 (libcurl failed to execute the HTTP POST 
transaction.  SSL connect error).        stuck: yes        key pair storage: 
type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS
 Certificate DB',pinfile='/etc/dirsrv/slapd-HUGAYET-COM//pwdfile.txt'        
certificate: 
type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS
 Certificate DB'        CA: IPA        issuer: CN=Certificate 
Authority,O=HUGAYET.COM        subject: CN=openipa.hugayet.com,O=HUGAYET.COM    
    expires: 20111216112647        eku: id-kp-serverAuth        track: yes      
  auto-renew: yesRequest ID '20110619112705':        status: CA_UNREACHABLE     
   ca-error: Server failed request, will
 retry: -504 (libcurl failed to execute the HTTP POST transaction.  SSL connect 
error).        stuck: yes        key pair storage: 
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
 Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'        
certificate: 
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
 Certificate DB'        CA: IPA        issuer: CN=Certificate 
Authority,O=HUGAYET.COM        subject: CN=openipa.hugayet.com,O=HUGAYET.COM    
    expires: 20111216112704        eku: id-kp-serverAuth        track: yes      
  auto-renew: yesRequest ID '20110619112721':        status: CA_UNREACHABLE     
   ca-error: Server failed request, will retry: -504 (libcurl failed to execute 
the HTTP POST transaction.  Peer certificate cannot be authenticated with known 
CA certificates).        stuck: yes        key pair storage:
 type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'        certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB'        CA: IPA        issuer: CN=Certificate 
Authority,O=HUGAYET.COM        subject: CN=openipa.hugayet.com,O=HUGAYET.COM    
    expires: 20111216112720        eku: id-kp-serverAuth        track: yes      
  auto-renew: yes
Do we need to restart /etc/init.d/ipa service for all this to take effect?
Nidal.

--- On Thu, 1/5/12, Rob Crittenden <rcrit...@redhat.com> wrote:

From: Rob Crittenden <rcrit...@redhat.com>
Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
To: "nasir nasir" <kollath...@yahoo.com>
Cc: freeipa-users@redhat.com, fasilk...@gmail.com
Date: Thursday, January 5, 2012, 8:59 AM

nasir nasir wrote:
> Thanks for the input Rob,
>
> Please find below the /var/log/httpd/error_log
>
> [Thu Jan 05 19:50:46 2012] [error] Certificate not verified: 'Server-Cert'
> [Thu Jan 05 19:50:46 2012] [error] SSL Library Error: -8181 Certificate
> has expired
> [Thu Jan 05 19:50:46 2012] [error] Certificate not verified: 'Server-Cert'
> [Thu Jan 05 19:50:46 2012] [error] Unable to verify certificate
> 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server
> can start until the problem can be resolved.
>
> Do I need to add "NSSEnforceValidCerts off" in
> /etc/httpd/conf.d/nss.conf? Please advice.
>

That explains why certmonger can't connect. Yes, for now add that 
directive and restart httpd. Then try the start-tracking again and see 
if it renews the cert.

rob

> Nidal.
>
>
> --- On *Thu, 1/5/12, Rob Crittenden /<rcrit...@redhat.com>/* wrote:
>
>
>     From: Rob Crittenden <rcrit...@redhat.com>
>     Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
>     To: "nasir nasir" <kollath...@yahoo.com>
>     Cc: freeipa-users@redhat.com, fasilk...@gmail.com
>     Date: Thursday, January 5, 2012, 7:38 AM
>
>     nasir nasir wrote:
>      > Thanks for the reply Rob.
>      >
>      > Please find below the output of your guidelines.
>      >
>      > # ipa-getkeytab -s xxxxxxx.xxxxxxx.com -p host/xxxxxx.xxxxxx.com -k
>      > /etc/krb5.keytab
>      > (the command was successful; it din't show any errors in the
>     krb5kdc.log
>      > or audit.log)
>      >
>      > # kinit -kt /etc/krb5.keytab host/xxxxxx.xxxxxx.com
>      >
>      > krb5kdc.log
>      > -----------------
>      > Jan 05 15:20:32 xxxxxx.xxxxxx.com krb5kdc[2431](info): AS_REQ (4
>     etypes
>      > {18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH:
>      > host/xxxxxx.xxxxxx....@xxxxxx.com
>     </mc/compose?to=xxxxxx.xxxxxx....@xxxxxx.com> for
>     krbtgt/xxxxxx....@xxxxxx.com </mc/compose?to=xxxxxx....@xxxxxx.com>,
>      > Additional pre-authentication required
>      > Jan 05 15:20:32 xxxxxx.xxxxxx.com krb5kdc[2427](info): AS_REQ (4
>     etypes
>      > {18 17 16 23}) 192.168.1.10: ISSUE: authtime 1325766032, etypes
>     {rep=18
>      > tkt=18 ses=18}, host/xxxxxx.xxxxxx....@xxxxxx.com
>     </mc/compose?to=xxxxxx.xxxxxx....@xxxxxx.com> for
>      > krbtgt/xxxxxx....@xxxxxx.com </mc/compose?to=xxxxxx....@xxxxxx.com>
>      >
>      > # ipa-getcert list
>      > Number of certificates and requests being tracked: 3.
>      > Request ID '20110619112648':
>      > status: CA_UNREACHABLE
>      > ca-error: Server failed request, will retry: -504 (libcurl failed to
>      > execute the HTTP POST transaction. SSL connect error).
>      > stuck: yes
>      > key pair storage:
>      >
>     
>type=NSSDB,location='/etc/dirsrv/slapd-xxxxxx-COM',nickname='Server-Cert',token='NSS
>      > Certificate DB',pinfile='/etc/dirsrv/slapd-xxxxxx-COM//pwdfile.txt'
>      > certificate:
>      >
>     
>type=NSSDB,location='/etc/dirsrv/slapd-xxxxxx-COM',nickname='Server-Cert',token='NSS
>      > Certificate DB'
>      > CA: IPA
>      > issuer: CN=Certificate Authority,O=xxxxxx.COM
>      > subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
>      > expires: 20111216112647
>      > eku: id-kp-serverAuth
>      > track: yes
>      > auto-renew: yes
>      > Request ID '20110619112705':
>      > status: CA_UNREACHABLE
>      > ca-error: Server failed request, will retry: -504 (libcurl failed to
>      > execute the HTTP POST transaction. SSL connect error).
>      > stuck: yes
>      > key pair storage:
>      >
>     
>type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>      > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>      > certificate:
>      >
>     
>type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>      > Certificate DB'
>      > CA: IPA
>      > issuer: CN=Certificate Authority,O=xxxxxx.COM
>      > subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
>      > expires: 20111216112704
>      > eku: id-kp-serverAuth
>      > track: yes
>      > auto-renew: yes
>      > Request ID '20110619112721':
>      > status: CA_UNREACHABLE
>      > ca-error: Server failed request, will retry: -504 (libcurl failed to
>      > execute the HTTP POST transaction. SSL connect error).
>      > stuck: yes
>      > key pair storage:
>      >
>     type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>      > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>      > certificate:
>      >
>     type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>      > Certificate DB'
>      > CA: IPA
>      > issuer: CN=Certificate Authority,O=xxxxxx.COM
>      > subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
>      > expires: 20111216112720
>      > eku: id-kp-serverAuth
>      > track: yes
>      > auto-renew: yes
>      >
>      > # ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert
>      > Request "20110619112721" modified.
>      >
>      > # ipa-getcert list
>      > Number of certificates and requests being tracked: 3.
>      > Request ID '20110619112648':
>      > status: CA_UNREACHABLE
>      > ca-error: Server failed request, will retry: -504 (libcurl failed to
>      > execute the HTTP POST transaction. SSL connect error).
>      > stuck: yes
>      > key pair storage:
>      >
>     
>type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS
>      > Certificate DB',pinfile='/etc/dirsrv/slapd-HUGAYET-COM//pwdfile.txt'
>      > certificate:
>      >
>     
>type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS
>      > Certificate DB'
>      > CA: IPA
>      > issuer: CN=Certificate Authority,O=HUGAYET.COM
>      > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
>      > expires: 20111216112647
>      > eku: id-kp-serverAuth
>      > track: yes
>      > auto-renew: yes
>      > Request ID '20110619112705':
>      > status: CA_UNREACHABLE
>      > ca-error: Server failed request, will retry: -504 (libcurl failed to
>      > execute the HTTP POST transaction. SSL connect error).
>      > stuck: yes
>      > key pair storage:
>      >
>     
>type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>      > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>      > certificate:
>      >
>     
>type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>      > Certificate DB'
>      > CA: IPA
>      > issuer: CN=Certificate Authority,O=HUGAYET.COM
>      > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
>      > expires: 20111216112704
>      > eku: id-kp-serverAuth
>      > track: yes
>      > auto-renew: yes
>      > Request ID '20110619112721':
>      > status: SUBMITTING
>      > stuck: no
>      > key pair storage:
>      >
>     type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>      > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>      > certificate:
>      >
>     type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>      > Certificate DB'
>      > CA: IPA
>      > issuer: CN=Certificate Authority,O=HUGAYET.COM
>      > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
>      > expires: 20111216112720
>      > eku: id-kp-serverAuth
>      > track: yes
>      > auto-renew: yes
>      >
>      > and after few minutes, the status 'SUBMITTING' will be changed as
>      > 'CA_UNREACHABLE'
>      > Do we need to restart the /etc/init.d/ipa service for this? I am
>     working
>      > remotely.
>
>     It isn't logging enough information to know why it failed. Can you look
>     in the Apache error log to see why the request failed?
>
>     My first thought was that there was a CA trust issue. I believe that
>     certmonger uses the NSS database where the certificate is stored so
>     since it is also doing this against Apache (which in theory trust is ok
>     for it to start at all) so I'm baffled. Hopefully the httpd logs
>     will be
>     enlightening.
>
>      >
>      > I need to upgrade my IPA version. Before going for this I need to
>     have a
>      > replica of the existing one. Is it okay to have the replica while all
>      > these issues exist?
>
>
>     Yes, you should be able to create a replica, this shouldn't affect it.
>
>     rob
>

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to