nasir nasir wrote:
Rob,

# ipa user-show admin
ipa: ERROR: cert validation failed for
"CN=openipa.hugayet.com,O=HUGAYET.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE)
Peer's Certificate has expired.)
ipa: ERROR: cert validation failed for
"CN=openipa.hugayet.com,O=HUGAYET.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE)
Peer's Certificate has expired.)
ipa: ERROR: cannot connect to 'any of the configured servers':
https://openipa.hugayet.com/ipa/xml, https://openipa.hugayet.com/ipa/xml

 >>>>From what Nalin said, certmonger uses /etc/ipa/ca.crt. This needs
to match the CA that issued your Apache cert.>>>>>>

How can we proceed further?

I think you're going to need to set the system time back to when the certificate is valid to do the renewal.

rob


Nidal.


--- On *Thu, 1/5/12, Rob Crittenden /<rcrit...@redhat.com>/* wrote:


    From: Rob Crittenden <rcrit...@redhat.com>
    Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
    To: "nasir nasir" <kollath...@yahoo.com>
    Cc: freeipa-users@redhat.com, fasilk...@gmail.com
    Date: Thursday, January 5, 2012, 2:21 PM

    nasir nasir wrote:
     > Hi Rob,
     >
     > Added the directive "NSSEnforceValidCerts off" in
     > /etc/httpd/conf.d/nss.conf and restarted httpd. Please find the
     > /var/log/httpd/error_log
     >
     > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
     > KeyError(-1215723696,) in <module 'threading' from
     > '/usr/lib/python2.6/threading.pyc'> ignored
     > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
     > KeyError(-1215723696,) in <module 'threading' from
     > '/usr/lib/python2.6/threading.pyc'> ignored
     > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
     > KeyError(-1215723696,) in <module 'threading' from
     > '/usr/lib/python2.6/threading.pyc'> ignored
     > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
     > KeyError(-1215723696,) in <module 'threading' from
     > '/usr/lib/python2.6/threading.pyc'> ignored
     > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
     > KeyError(-1215723696,) in <module 'threading' from
     > '/usr/lib/python2.6/threading.pyc'> ignored
     > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
     > KeyError(-1215723696,) in <module 'threading' from
     > '/usr/lib/python2.6/threading.pyc'> ignored
     > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
     > KeyError(-1215723696,) in <module 'threading' from
     > '/usr/lib/python2.6/threading.pyc'> ignored
     > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
     > KeyError(-1215723696,) in <module 'threading' from
     > '/usr/lib/python2.6/threading.pyc'> ignored
     > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
     > KeyError(-1215723696,) in <module 'threading' from
     > '/usr/lib/python2.6/threading.pyc'> ignored
     > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
     > KeyError(-1215723696,) in <module 'threading' from
     > '/usr/lib/python2.6/threading.pyc'> ignored
     > [Fri Jan 06 01:06:29 2012] [notice] caught SIGTERM, shutting down
     > [Fri Jan 06 01:06:29 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
     > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
     > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired
     > [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'
     > [Fri Jan 06 01:06:30 2012] [notice] Digest: generating secret for digest authentication ...
     > [Fri Jan 06 01:06:30 2012] [notice] Digest: done
     > [Fri Jan 06 01:06:30 2012] [warn] mod_wsgi: Compiled for Python/2.6.2.
     > [Fri Jan 06 01:06:30 2012] [warn] mod_wsgi: Runtime using Python/2.6.6.
     > [Fri Jan 06 01:06:30 2012] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations
     > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
     > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired
     > [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'
     > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
     > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired
     > [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'
     > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
     > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired
     > [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'
     > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
     > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired
     > [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'
     > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
     > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired
     > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
     > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired
     > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
     > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired
     > [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'
     > [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'
     > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
     > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired
     > [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'
     > [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'
     > [Fri Jan 06 01:06:32 2012] [error] ipa: INFO: *** PROCESS START ***
     > [Fri Jan 06 01:06:32 2012] [error] ipa: INFO: *** PROCESS START ***
     >
     > # ipa-getcert list
     > Number of certificates and requests being tracked: 3.
     > Request ID '20110619112648':
     > status: CA_UNREACHABLE
     > ca-error: Server failed request, will retry: -504 (libcurl failed to
     > execute the HTTP POST transaction. SSL connect error).
     > stuck: yes
     > key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-HUGAYET-COM//pwdfile.txt'
     > certificate: type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS Certificate DB'
     > CA: IPA
     > issuer: CN=Certificate Authority,O=HUGAYET.COM
     > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
     > expires: 20111216112647
     > eku: id-kp-serverAuth
     > track: yes
     > auto-renew: yes
     > Request ID '20110619112705':
     > status: CA_UNREACHABLE
     > ca-error: Server failed request, will retry: -504 (libcurl failed to
     > execute the HTTP POST transaction. SSL connect error).
     > stuck: yes
     > key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
     > certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
     > CA: IPA
     > issuer: CN=Certificate Authority,O=HUGAYET.COM
     > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
     > expires: 20111216112704
     > eku: id-kp-serverAuth
     > track: yes
     > auto-renew: yes
     > Request ID '20110619112721':
     > status: CA_UNREACHABLE
     > ca-error: Server failed request, will retry: -504 (libcurl failed to
     > execute the HTTP POST transaction. Peer certificate cannot be
     > authenticated with known CA certificates).
     > stuck: yes
     > key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
     > certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
     > CA: IPA
     > issuer: CN=Certificate Authority,O=HUGAYET.COM
     > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
     > expires: 20111216112720
     > eku: id-kp-serverAuth
     > track: yes
     > auto-renew: yes
     >
     > Do we need to restart /etc/init.d/ipa service for all this to take effect?

    No, and be very careful if your 389-ds cert is also expired.

    This error really does mean that certmonger doesn't trust the SSL cert
    of your web server. Have you replaced your certs with something else?

    Does a simple command like: ipa user-show admin work?

    It may fail too due to the expired cert. You may have to turn time back
    on this machine, but that won't affect the untrusted CA. From what Nalin
    said, certmonger uses /etc/ipa/ca.crt. This needs to match the CA that
    issued your Apache cert.

    rob

     >
     > Nidal.
     >
     >
     > --- On *Thu, 1/5/12, Rob Crittenden /<rcrit...@redhat.com>/* wrote:
     >
     >
     > From: Rob Crittenden <rcrit...@redhat.com>
     > Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
     > To: "nasir nasir" <kollath...@yahoo.com>
     > Cc: freeipa-users@redhat.com, fasilk...@gmail.com
     > Date: Thursday, January 5, 2012, 8:59 AM
     >
     > nasir nasir wrote:
     > > Thanks for the input Rob,
     > >
     > > Please find below the /var/log/httpd/error_log
     > >
     > > [Thu Jan 05 19:50:46 2012] [error] Certificate not verified: 'Server-Cert'
     > > [Thu Jan 05 19:50:46 2012] [error] SSL Library Error: -8181 Certificate has expired
     > > [Thu Jan 05 19:50:46 2012] [error] Certificate not verified: 'Server-Cert'
     > > [Thu Jan 05 19:50:46 2012] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
     > >
     > > Do I need to add "NSSEnforceValidCerts off" in
     > > /etc/httpd/conf.d/nss.conf? Please advise.
     > >
     >
     > That explains why certmonger can't connect. Yes, for now add that
     > directive and restart httpd. Then try the start-tracking again and see
     > if it renews the cert.
     >
     > rob
     >
     > > Nidal.
     > >
     > >
     > > --- On *Thu, 1/5/12, Rob Crittenden /<rcrit...@redhat.com>/* wrote:
     > >
     > >
     > > From: Rob Crittenden <rcrit...@redhat.com>
     > > Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
     > > To: "nasir nasir" <kollath...@yahoo.com>
     > > Cc: freeipa-users@redhat.com, fasilk...@gmail.com
     > > Date: Thursday, January 5, 2012, 7:38 AM
     > >
     > > nasir nasir wrote:
     > > > Thanks for the reply Rob.
     > > >
     > > > Please find below the output of your guidelines.
     > > >
     > > > # ipa-getkeytab -s xxxxxxx.xxxxxxx.com -p host/xxxxxx.xxxxxx.com -k /etc/krb5.keytab
     > > > (the command was successful; it didn't show any errors in the krb5kdc.log
     > > > or audit.log)
     > > >
     > > > # kinit -kt /etc/krb5.keytab host/xxxxxx.xxxxxx.com
     > > >
     > > > krb5kdc.log
     > > > -----------------
     > > > Jan 05 15:20:32 xxxxxx.xxxxxx.com krb5kdc[2431](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH: host/xxxxxx.xxxxxx....@xxxxxx.com for krbtgt/xxxxxx....@xxxxxx.com, Additional pre-authentication required
     > > > Jan 05 15:20:32 xxxxxx.xxxxxx.com krb5kdc[2427](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: ISSUE: authtime 1325766032, etypes {rep=18 tkt=18 ses=18}, host/xxxxxx.xxxxxx....@xxxxxx.com for krbtgt/xxxxxx....@xxxxxx.com
     > > >
     > > > # ipa-getcert list
     > > > Number of certificates and requests being tracked: 3.
     > > > Request ID '20110619112648':
     > > > status: CA_UNREACHABLE
     > > > ca-error: Server failed request, will retry: -504 (libcurl failed to
     > > > execute the HTTP POST transaction. SSL connect error).
     > > > stuck: yes
     > > > key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-xxxxxx-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-xxxxxx-COM//pwdfile.txt'
     > > > certificate: type=NSSDB,location='/etc/dirsrv/slapd-xxxxxx-COM',nickname='Server-Cert',token='NSS Certificate DB'
     > > > CA: IPA
     > > > issuer: CN=Certificate Authority,O=xxxxxx.COM
     > > > subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
     > > > expires: 20111216112647
     > > > eku: id-kp-serverAuth
     > > > track: yes
     > > > auto-renew: yes
     > > > Request ID '20110619112705':
     > > > status: CA_UNREACHABLE
     > > > ca-error: Server failed request, will retry: -504 (libcurl failed to
     > > > execute the HTTP POST transaction. SSL connect error).
     > > > stuck: yes
     > > > key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
     > > > certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
     > > > CA: IPA
     > > > issuer: CN=Certificate Authority,O=xxxxxx.COM
     > > > subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
     > > > expires: 20111216112704
     > > > eku: id-kp-serverAuth
     > > > track: yes
     > > > auto-renew: yes
     > > > Request ID '20110619112721':
     > > > status: CA_UNREACHABLE
     > > > ca-error: Server failed request, will retry: -504 (libcurl failed to
     > > > execute the HTTP POST transaction. SSL connect error).
     > > > stuck: yes
     > > > key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
     > > > certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
     > > > CA: IPA
     > > > issuer: CN=Certificate Authority,O=xxxxxx.COM
     > > > subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
     > > > expires: 20111216112720
     > > > eku: id-kp-serverAuth
     > > > track: yes
     > > > auto-renew: yes
     > > >
     > > > # ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert
     > > > Request "20110619112721" modified.
     > > >
     > > > # ipa-getcert list
     > > > Number of certificates and requests being tracked: 3.
     > > > Request ID '20110619112648':
     > > > status: CA_UNREACHABLE
     > > > ca-error: Server failed request, will retry: -504 (libcurl failed to
     > > > execute the HTTP POST transaction. SSL connect error).
     > > > stuck: yes
     > > > key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-HUGAYET-COM//pwdfile.txt'
     > > > certificate: type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS Certificate DB'
     > > > CA: IPA
     > > > issuer: CN=Certificate Authority,O=HUGAYET.COM
     > > > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
     > > > expires: 20111216112647
     > > > eku: id-kp-serverAuth
     > > > track: yes
     > > > auto-renew: yes
     > > > Request ID '20110619112705':
     > > > status: CA_UNREACHABLE
     > > > ca-error: Server failed request, will retry: -504 (libcurl failed to
     > > > execute the HTTP POST transaction. SSL connect error).
     > > > stuck: yes
     > > > key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
     > > > certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
     > > > CA: IPA
     > > > issuer: CN=Certificate Authority,O=HUGAYET.COM
     > > > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
     > > > expires: 20111216112704
     > > > eku: id-kp-serverAuth
     > > > track: yes
     > > > auto-renew: yes
     > > > Request ID '20110619112721':
     > > > status: SUBMITTING
     > > > stuck: no
     > > > key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
     > > > certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
     > > > CA: IPA
     > > > issuer: CN=Certificate Authority,O=HUGAYET.COM
     > > > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
     > > > expires: 20111216112720
     > > > eku: id-kp-serverAuth
     > > > track: yes
     > > > auto-renew: yes
     > > >
     > > > and after few minutes, the status 'SUBMITTING' will be changed as
     > > > 'CA_UNREACHABLE'
     > > > Do we need to restart the /etc/init.d/ipa service for this? I am working
     > > > remotely.
     > >
     > > It isn't logging enough information to know why it failed. Can you look
     > > in the Apache error log to see why the request failed?
     > >
     > > My first thought was that there was a CA trust issue. I believe that
     > > certmonger uses the NSS database where the certificate is stored so
     > > since it is also doing this against Apache (which in theory trust is ok
     > > for it to start at all) so I'm baffled. Hopefully the httpd logs will be
     > > enlightening.
     > >
     > > >
     > > > I need to upgrade my IPA version. Before going for this I need to have a
     > > > replica of the existing one. Is it okay to have the replica while all
     > > > these issues exist?
     > >
     > >
     > > Yes, you should be able to create a replica, this shouldn't affect it.
     > >
     > > rob
     > >
     >


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
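
An added example (not part of the thread, and not code from FreeIPA or certmonger): a Python check over `ipa-getcert list` output that flags tracked certificates that are expired, close to expiry, or whose renewal is blocked, which is the state the listings in this thread show. The function names, the 28-day warning window and the sample listing (placeholder hostnames) are assumptions made for illustration; the parser also accepts the dashed `YYYY-MM-DD HH:MM:SS UTC` form of `expires:` printed by newer certmonger releases.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout shown in the thread; hostnames are placeholders.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20110619112648':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (SSL connect error).
        stuck: yes
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
        expires: 20111216112647
Request ID '20110619112721':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        expires: 20120125112720
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?):\s*(.*)$")


def parse_expires(value):
    """Parse 'expires:' in the compact form above or the dashed UTC form (both UTC)."""
    for fmt in ("%Y%m%d%H%M%S", "%Y-%m-%d %H:%M:%S UTC"):
        try:
            return datetime.strptime(value.strip(), fmt)
        except ValueError:
            continue
    return None


def parse_requests(text):
    """Split the listing into one dict of fields per tracked request."""
    requests = []
    for line in text.splitlines():
        req, field = REQUEST_RE.match(line), FIELD_RE.match(line)
        if req:
            requests.append({"id": req.group(1)})
        elif field and requests:
            requests[-1][field.group(1)] = field.group(2)
    return requests


def audit(text, now, warn_days=28):
    """Return (request id, NSS db location, findings) for requests needing attention."""
    report = []
    for req in parse_requests(text):
        findings = []
        expires = parse_expires(req.get("expires", ""))
        if expires is not None and expires <= now:
            findings.append("EXPIRED")
        elif expires is not None and expires - now <= timedelta(days=warn_days):
            findings.append("EXPIRING")
        # A stuck request or an unreachable CA means auto-renew will not rescue the cert.
        if req.get("stuck") == "yes" or req.get("status") == "CA_UNREACHABLE":
            findings.append("RENEWAL_BLOCKED")
        loc = re.search(r"location='([^']*)'", req.get("certificate", ""))
        if findings:
            report.append((req["id"], loc.group(1) if loc else None, findings))
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE, datetime(2012, 1, 5)):  # date of the thread
        print(row)
```

Run from cron against real `ipa-getcert list` output with the current UTC time, an `EXPIRING` plus `RENEWAL_BLOCKED` pair is the early warning that would precede the outage discussed above.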
