nasir nasir wrote:
Hi Rob,

Added the directive "NSSEnforceValidCerts off" in
/etc/httpd/conf.d/nss.conf and restarted httpd. Please find the
/var/log/httpd/error_log below:

[Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
KeyError(-1215723696,) in <module 'threading' from
'/usr/lib/python2.6/threading.pyc'> ignored
[Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
KeyError(-1215723696,) in <module 'threading' from
'/usr/lib/python2.6/threading.pyc'> ignored
[Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
KeyError(-1215723696,) in <module 'threading' from
'/usr/lib/python2.6/threading.pyc'> ignored
[Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
KeyError(-1215723696,) in <module 'threading' from
'/usr/lib/python2.6/threading.pyc'> ignored
[Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
KeyError(-1215723696,) in <module 'threading' from
'/usr/lib/python2.6/threading.pyc'> ignored
[Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
KeyError(-1215723696,) in <module 'threading' from
'/usr/lib/python2.6/threading.pyc'> ignored
[Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
KeyError(-1215723696,) in <module 'threading' from
'/usr/lib/python2.6/threading.pyc'> ignored
[Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
KeyError(-1215723696,) in <module 'threading' from
'/usr/lib/python2.6/threading.pyc'> ignored
[Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
KeyError(-1215723696,) in <module 'threading' from
'/usr/lib/python2.6/threading.pyc'> ignored
[Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
KeyError(-1215723696,) in <module 'threading' from
'/usr/lib/python2.6/threading.pyc'> ignored
[Fri Jan 06 01:06:29 2012] [notice] caught SIGTERM, shutting down
[Fri Jan 06 01:06:29 2012] [notice] suEXEC mechanism enabled (wrapper:
/usr/sbin/suexec)
[Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate
has expired
[Fri Jan 06 01:06:30 2012] [error] Server certificate is expired:
'Server-Cert'
[Fri Jan 06 01:06:30 2012] [notice] Digest: generating secret for digest
authentication ...
[Fri Jan 06 01:06:30 2012] [notice] Digest: done
[Fri Jan 06 01:06:30 2012] [warn] mod_wsgi: Compiled for Python/2.6.2.
[Fri Jan 06 01:06:30 2012] [warn] mod_wsgi: Runtime using Python/2.6.6.
[Fri Jan 06 01:06:30 2012] [notice] Apache/2.2.15 (Unix) DAV/2
mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.6.6
configured -- resuming normal operations
[Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate
has expired
[Fri Jan 06 01:06:30 2012] [error] Server certificate is expired:
'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate
has expired
[Fri Jan 06 01:06:30 2012] [error] Server certificate is expired:
'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate
has expired
[Fri Jan 06 01:06:30 2012] [error] Server certificate is expired:
'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate
has expired
[Fri Jan 06 01:06:30 2012] [error] Server certificate is expired:
'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate
has expired
[Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate
has expired
[Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate
has expired
[Fri Jan 06 01:06:30 2012] [error] Server certificate is expired:
'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] Server certificate is expired:
'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate
has expired
[Fri Jan 06 01:06:30 2012] [error] Server certificate is expired:
'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] Server certificate is expired:
'Server-Cert'
[Fri Jan 06 01:06:32 2012] [error] ipa: INFO: *** PROCESS START ***
[Fri Jan 06 01:06:32 2012] [error] ipa: INFO: *** PROCESS START ***

# ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20110619112648':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction. SSL connect error).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-HUGAYET-COM//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=HUGAYET.COM
subject: CN=openipa.hugayet.com,O=HUGAYET.COM
expires: 20111216112647
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Request ID '20110619112705':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction. SSL connect error).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=HUGAYET.COM
subject: CN=openipa.hugayet.com,O=HUGAYET.COM
expires: 20111216112704
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Request ID '20110619112721':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction. Peer certificate cannot be
authenticated with known CA certificates).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=HUGAYET.COM
subject: CN=openipa.hugayet.com,O=HUGAYET.COM
expires: 20111216112720
eku: id-kp-serverAuth
track: yes
auto-renew: yes

Do we need to restart /etc/init.d/ipa service for all this to take effect?

No, and be very careful if your 389-ds cert is also expired.

This error really does mean that certmonger doesn't trust the SSL cert of your web server. Have you replaced your certs with something else?

Does a simple command like: ipa user-show admin work?

It may fail too due to the expired cert. You may have to turn time back on this machine, but that won't affect the untrusted CA. From what Nalin said, certmonger uses /etc/ipa/ca.crt. This needs to match the CA that issued your Apache cert.

rob


Nidal.


--- On Thu, 1/5/12, Rob Crittenden <rcrit...@redhat.com> wrote:


    From: Rob Crittenden <rcrit...@redhat.com>
    Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
    To: "nasir nasir" <kollath...@yahoo.com>
    Cc: freeipa-users@redhat.com, fasilk...@gmail.com
    Date: Thursday, January 5, 2012, 8:59 AM

    nasir nasir wrote:
     > Thanks for the input Rob,
     >
     > Please find below the /var/log/httpd/error_log
     >
     > [Thu Jan 05 19:50:46 2012] [error] Certificate not verified:
    'Server-Cert'
     > [Thu Jan 05 19:50:46 2012] [error] SSL Library Error: -8181
    Certificate
     > has expired
     > [Thu Jan 05 19:50:46 2012] [error] Certificate not verified:
    'Server-Cert'
     > [Thu Jan 05 19:50:46 2012] [error] Unable to verify certificate
     > 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the
    server
     > can start until the problem can be resolved.
     >
     > Do I need to add "NSSEnforceValidCerts off" in
     > /etc/httpd/conf.d/nss.conf? Please advise.
     >

    That explains why certmonger can't connect. Yes, for now add that
    directive and restart httpd. Then try the start-tracking again and see
    if it renews the cert.

    rob

     > Nidal.
     >
     >
     > --- On Thu, 1/5/12, Rob Crittenden <rcrit...@redhat.com> wrote:
     >
     >
     > From: Rob Crittenden <rcrit...@redhat.com>
     > Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
     > To: "nasir nasir" <kollath...@yahoo.com>
     > Cc: freeipa-users@redhat.com, fasilk...@gmail.com
     > Date: Thursday, January 5, 2012, 7:38 AM
     >
     > nasir nasir wrote:
     > > Thanks for the reply Rob.
     > >
     > > Please find below the output of your guidelines.
     > >
     > > # ipa-getkeytab -s xxxxxxx.xxxxxxx.com -p host/xxxxxx.xxxxxx.com -k
     > > /etc/krb5.keytab
     > > (the command was successful; it didn't show any errors in the
     > > krb5kdc.log or audit.log)
     > >
     > > # kinit -kt /etc/krb5.keytab host/xxxxxx.xxxxxx.com
     > >
     > > krb5kdc.log
     > > -----------------
     > > Jan 05 15:20:32 xxxxxx.xxxxxx.com krb5kdc[2431](info): AS_REQ (4 etypes
     > > {18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH: host/xxxxxx.xxxxxx....@xxxxxx.com
     > > for krbtgt/xxxxxx....@xxxxxx.com, Additional pre-authentication required
     > > Jan 05 15:20:32 xxxxxx.xxxxxx.com krb5kdc[2427](info): AS_REQ (4 etypes
     > > {18 17 16 23}) 192.168.1.10: ISSUE: authtime 1325766032, etypes {rep=18
     > > tkt=18 ses=18}, host/xxxxxx.xxxxxx....@xxxxxx.com for krbtgt/xxxxxx....@xxxxxx.com
     > >
     > > # ipa-getcert list
     > > Number of certificates and requests being tracked: 3.
     > > Request ID '20110619112648':
     > > status: CA_UNREACHABLE
     > > ca-error: Server failed request, will retry: -504 (libcurl
    failed to
     > > execute the HTTP POST transaction. SSL connect error).
     > > stuck: yes
     > > key pair storage:
     > > type=NSSDB,location='/etc/dirsrv/slapd-xxxxxx-COM',nickname='Server-Cert',token='NSS
     > > Certificate DB',pinfile='/etc/dirsrv/slapd-xxxxxx-COM//pwdfile.txt'
     > > certificate:
     > > type=NSSDB,location='/etc/dirsrv/slapd-xxxxxx-COM',nickname='Server-Cert',token='NSS
     > > Certificate DB'
     > > CA: IPA
     > > issuer: CN=Certificate Authority,O=xxxxxx.COM
     > > subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
     > > expires: 20111216112647
     > > eku: id-kp-serverAuth
     > > track: yes
     > > auto-renew: yes
     > > Request ID '20110619112705':
     > > status: CA_UNREACHABLE
     > > ca-error: Server failed request, will retry: -504 (libcurl
    failed to
     > > execute the HTTP POST transaction. SSL connect error).
     > > stuck: yes
     > > key pair storage:
     > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
     > > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
     > > certificate:
     > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
     > > Certificate DB'
     > > CA: IPA
     > > issuer: CN=Certificate Authority,O=xxxxxx.COM
     > > subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
     > > expires: 20111216112704
     > > eku: id-kp-serverAuth
     > > track: yes
     > > auto-renew: yes
     > > Request ID '20110619112721':
     > > status: CA_UNREACHABLE
     > > ca-error: Server failed request, will retry: -504 (libcurl
    failed to
     > > execute the HTTP POST transaction. SSL connect error).
     > > stuck: yes
     > > key pair storage:
     > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
     > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
     > > certificate:
     > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
     > > Certificate DB'
     > > CA: IPA
     > > issuer: CN=Certificate Authority,O=xxxxxx.COM
     > > subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
     > > expires: 20111216112720
     > > eku: id-kp-serverAuth
     > > track: yes
     > > auto-renew: yes
     > >
     > > # ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert
     > > Request "20110619112721" modified.
     > >
     > > # ipa-getcert list
     > > Number of certificates and requests being tracked: 3.
     > > Request ID '20110619112648':
     > > status: CA_UNREACHABLE
     > > ca-error: Server failed request, will retry: -504 (libcurl
    failed to
     > > execute the HTTP POST transaction. SSL connect error).
     > > stuck: yes
     > > key pair storage:
     > > type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS
     > > Certificate DB',pinfile='/etc/dirsrv/slapd-HUGAYET-COM//pwdfile.txt'
     > > certificate:
     > > type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS
     > > Certificate DB'
     > > CA: IPA
     > > issuer: CN=Certificate Authority,O=HUGAYET.COM
     > > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
     > > expires: 20111216112647
     > > eku: id-kp-serverAuth
     > > track: yes
     > > auto-renew: yes
     > > Request ID '20110619112705':
     > > status: CA_UNREACHABLE
     > > ca-error: Server failed request, will retry: -504 (libcurl
    failed to
     > > execute the HTTP POST transaction. SSL connect error).
     > > stuck: yes
     > > key pair storage:
     > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
     > > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
     > > certificate:
     > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
     > > Certificate DB'
     > > CA: IPA
     > > issuer: CN=Certificate Authority,O=HUGAYET.COM
     > > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
     > > expires: 20111216112704
     > > eku: id-kp-serverAuth
     > > track: yes
     > > auto-renew: yes
     > > Request ID '20110619112721':
     > > status: SUBMITTING
     > > stuck: no
     > > key pair storage:
     > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
     > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
     > > certificate:
     > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
     > > Certificate DB'
     > > CA: IPA
     > > issuer: CN=Certificate Authority,O=HUGAYET.COM
     > > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
     > > expires: 20111216112720
     > > eku: id-kp-serverAuth
     > > track: yes
     > > auto-renew: yes
     > >
     > > and after a few minutes, the status 'SUBMITTING' will change to
     > > 'CA_UNREACHABLE'.
     > > Do we need to restart the /etc/init.d/ipa service for this? I am
     > working
     > > remotely.
     >
     > It isn't logging enough information to know why it failed. Can
    you look
     > in the Apache error log to see why the request failed?
     >
     > My first thought was that there was a CA trust issue. I believe that
     > certmonger uses the NSS database where the certificate is stored so
     > since it is also doing this against Apache (which in theory trust
    is ok
     > for it to start at all) so I'm baffled. Hopefully the httpd logs
     > will be
     > enlightening.
     >
     > >
     > > I need to upgrade my IPA version. Before going for this I need to
     > have a
     > > replica of the existing one. Is it okay to have the replica
    while all
     > > these issues exist?
     >
     >
     > Yes, you should be able to create a replica, this shouldn't
    affect it.
     >
     > rob
     >


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
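A small triage helper for the `ipa-getcert list` output that runs through this thread (an added example, not code from the thread, from FreeIPA or from certmonger): it parses each `Request ID` block and flags the requests that are stuck at the CA or whose `expires` timestamp has already passed, which is the condition Rob is pointing at. The sample text, hostnames and paths below are constructed placeholders in the same layout certmonger prints.

```python
import re
from datetime import datetime
# Constructed sample in the layout certmonger prints; hostnames are placeholders.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20110619112648':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 20111216112647
Request ID '20110619112721':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 20130101000000
"""

def parse_stamp(stamp):
    """certmonger prints 'expires' as YYYYMMDDHHMMSS."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S")

def parse_getcert_list(text):
    """Split the output into one dict per 'Request ID' block (field -> value)."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ":" in line:
            key, _, value = line.strip().partition(":")
            requests[-1][key] = value.strip()
    return requests

def triage(text, now):
    """Return (id, NSS db location, problems) for requests stuck at the CA or expired at `now`."""
    findings = []
    for req in parse_getcert_list(text):
        problems = []
        if req.get("stuck") == "yes":
            problems.append("stuck: " + req.get("ca-error", req.get("status", "?")))
        if parse_stamp(req["expires"]) <= now:
            problems.append("expired " + req["expires"])
        if problems:
            loc = re.search(r"location='([^']*)'", req.get("key pair storage", ""))
            findings.append((req["id"], loc.group(1) if loc else "", problems))
    return findings
```

Run it against the real output (`ipa-getcert list | python triage.py` with `SAMPLE` replaced by `sys.stdin.read()`) to get a one-line summary per problem request instead of reading through each block by hand.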
