nasir nasir wrote:
Hi,

Would the below error cause any issues during replica and upgrade?

# ipa user-show admin
ipa: ERROR: cert validation failed for
"CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's
certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cert validation failed for
"CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's
certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cannot connect to 'any of the configured servers':
https://xxxxxx.xxxxxx.com/ipa/xml, https://xxxxxx.xxxxxx.com/ipa/xml

I don't think so, but the problem will exist until addressed. In other words, upgrading and/or creating a replica won't change things for this server.

rob


Nidal.

--- On Fri, 1/6/12, nasir nasir <kollath...@yahoo.com> wrote:


    From: nasir nasir <kollath...@yahoo.com>
    Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
    To: "Rob Crittenden" <rcrit...@redhat.com>
    Cc: freeipa-users@redhat.com, fasilk...@gmail.com
    Date: Friday, January 6, 2012, 9:12 AM

    Thanks for the input Rob,

    We have already done it with your previous input and everything is
    back to normal.

    But the ipa user-show admin command gave the following errors.
    # ipa user-show admin
    ipa: ERROR: cert validation failed for
    "CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER)
    Peer's certificate issuer has been marked as not trusted by the user.)
    ipa: ERROR: cert validation failed for
    "CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM" ((SEC_ERROR_UNTRUSTED_ISSUER)
    Peer's certificate issuer has been marked as not trusted by the user.)
    ipa: ERROR: cannot connect to 'any of the configured servers':
    https://xxxxxx.xxxxxx.com/ipa/xml, https://xxxxxx.xxxxxx.com/ipa/xml

    Regardless of the above error, everything seems to be working fine.
    Now we need to have the replica of the server before going for an
    upgrade of IPA.

    Thank you all for the wonderful support during our hard times.

    Nidal.


    --- On Fri, 1/6/12, Rob Crittenden <rcrit...@redhat.com> wrote:


        From: Rob Crittenden <rcrit...@redhat.com>
        Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
        To: "nasir nasir" <kollath...@yahoo.com>
        Cc: freeipa-users@redhat.com, fasilk...@gmail.com
        Date: Friday, January 6, 2012, 7:21 AM

        nasir nasir wrote:
         > Rob,
         >
         > # ipa user-show admin
         > ipa: ERROR: cert validation failed for
         > "CN=openipa.hugayet.com,O=HUGAYET.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE)
         > Peer's Certificate has expired.)
         > ipa: ERROR: cert validation failed for
         > "CN=openipa.hugayet.com,O=HUGAYET.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE)
         > Peer's Certificate has expired.)
         > ipa: ERROR: cannot connect to 'any of the configured servers':
         > https://openipa.hugayet.com/ipa/xml, https://openipa.hugayet.com/ipa/xml
         >
         > >>>> From what Nalin said, certmonger uses /etc/ipa/ca.crt. This
         > needs to match the CA that issued your Apache cert. >>>>
         >
         > How can we proceed further?

        I think you're going to need to set the system time back to when the
        certificate is valid to do the renewal.

        rob

         >
         > Nidal.
         >
         >
         > --- On Thu, 1/5/12, Rob Crittenden <rcrit...@redhat.com> wrote:
         >
         >
         > From: Rob Crittenden <rcrit...@redhat.com>
         > Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
         > To: "nasir nasir" <kollath...@yahoo.com>
         > Cc: freeipa-users@redhat.com, fasilk...@gmail.com
         > Date: Thursday, January 5, 2012, 2:21 PM
         >
         > nasir nasir wrote:
         > > Hi Rob,
         > >
         > > Added the directive "NSSEnforceValidCerts off" in
         > > /etc/httpd/conf.d/nss.conf and restarted httpd. Please find the
         > > /var/log/httpd/error_log
         > >
         > > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
         > > KeyError(-1215723696,) in <module 'threading' from
         > > '/usr/lib/python2.6/threading.pyc'> ignored
         > > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
         > > KeyError(-1215723696,) in <module 'threading' from
         > > '/usr/lib/python2.6/threading.pyc'> ignored
         > > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
         > > KeyError(-1215723696,) in <module 'threading' from
         > > '/usr/lib/python2.6/threading.pyc'> ignored
         > > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
         > > KeyError(-1215723696,) in <module 'threading' from
         > > '/usr/lib/python2.6/threading.pyc'> ignored
         > > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
         > > KeyError(-1215723696,) in <module 'threading' from
         > > '/usr/lib/python2.6/threading.pyc'> ignored
         > > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
         > > KeyError(-1215723696,) in <module 'threading' from
         > > '/usr/lib/python2.6/threading.pyc'> ignored
         > > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
         > > KeyError(-1215723696,) in <module 'threading' from
         > > '/usr/lib/python2.6/threading.pyc'> ignored
         > > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
         > > KeyError(-1215723696,) in <module 'threading' from
         > > '/usr/lib/python2.6/threading.pyc'> ignored
         > > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
         > > KeyError(-1215723696,) in <module 'threading' from
         > > '/usr/lib/python2.6/threading.pyc'> ignored
         > > [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
         > > KeyError(-1215723696,) in <module 'threading' from
         > > '/usr/lib/python2.6/threading.pyc'> ignored
         > > [Fri Jan 06 01:06:29 2012] [notice] caught SIGTERM, shutting down
         > > [Fri Jan 06 01:06:29 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
         > > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
         > > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired
         > > [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'
         > > [Fri Jan 06 01:06:30 2012] [notice] Digest: generating secret for digest authentication ...
         > > [Fri Jan 06 01:06:30 2012] [notice] Digest: done
         > > [Fri Jan 06 01:06:30 2012] [warn] mod_wsgi: Compiled for Python/2.6.2.
         > > [Fri Jan 06 01:06:30 2012] [warn] mod_wsgi: Runtime using Python/2.6.6.
         > > [Fri Jan 06 01:06:30 2012] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations
         > > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
         > > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired
         > > [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'
         > > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
         > > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired
         > > [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'
         > > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
         > > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired
         > > [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'
         > > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
         > > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired
         > > [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'
         > > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
         > > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired
         > > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
         > > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired
         > > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
         > > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired
         > > [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'
         > > [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'
         > > [Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
         > > [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired
         > > [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'
         > > [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'
         > > [Fri Jan 06 01:06:32 2012] [error] ipa: INFO: *** PROCESS START ***
         > > [Fri Jan 06 01:06:32 2012] [error] ipa: INFO: *** PROCESS START ***
         > >
         > > # ipa-getcert list
         > > Number of certificates and requests being tracked: 3.
         > > Request ID '20110619112648':
         > > status: CA_UNREACHABLE
         > > ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
         > > stuck: yes
         > > key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-HUGAYET-COM//pwdfile.txt'
         > > certificate: type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS Certificate DB'
         > > CA: IPA
         > > issuer: CN=Certificate Authority,O=HUGAYET.COM
         > > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
         > > expires: 20111216112647
         > > eku: id-kp-serverAuth
         > > track: yes
         > > auto-renew: yes
         > > Request ID '20110619112705':
         > > status: CA_UNREACHABLE
         > > ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
         > > stuck: yes
         > > key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
         > > certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
         > > CA: IPA
         > > issuer: CN=Certificate Authority,O=HUGAYET.COM
         > > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
         > > expires: 20111216112704
         > > eku: id-kp-serverAuth
         > > track: yes
         > > auto-renew: yes
         > > Request ID '20110619112721':
         > > status: CA_UNREACHABLE
         > > ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
         > > stuck: yes
         > > key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
         > > certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
         > > CA: IPA
         > > issuer: CN=Certificate Authority,O=HUGAYET.COM
         > > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
         > > expires: 20111216112720
         > > eku: id-kp-serverAuth
         > > track: yes
         > > auto-renew: yes
         > >
         > > Do we need to restart /etc/init.d/ipa service for all this to take effect?
         >
         > No, and be very careful if your 389-ds cert is also expired.
         >
         > This error really does mean that certmonger doesn't trust the SSL cert
         > of your web server. Have you replaced your certs with something else?
         >
         > Does a simple command like: ipa user-show admin work?
         >
         > It may fail too due to the expired cert. You may have to turn time back
         > on this machine, but that won't affect the untrusted CA. From what Nalin
         > said, certmonger uses /etc/ipa/ca.crt. This needs to match the CA that
         > issued your Apache cert.
         >
         > rob
         >
         > >
         > > Nidal.
         > >
         > >
         > > --- On Thu, 1/5/12, Rob Crittenden <rcrit...@redhat.com> wrote:
         > >
         > >
         > > From: Rob Crittenden <rcrit...@redhat.com>
         > > Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
         > > To: "nasir nasir" <kollath...@yahoo.com>
         > > Cc: freeipa-users@redhat.com, fasilk...@gmail.com
         > > Date: Thursday, January 5, 2012, 8:59 AM
         > >
         > > nasir nasir wrote:
         > > > Thanks for the input Rob,
         > > >
         > > > Please find below the /var/log/httpd/error_log
         > > >
         > > > [Thu Jan 05 19:50:46 2012] [error] Certificate not verified: 'Server-Cert'
         > > > [Thu Jan 05 19:50:46 2012] [error] SSL Library Error: -8181 Certificate has expired
         > > > [Thu Jan 05 19:50:46 2012] [error] Certificate not verified: 'Server-Cert'
         > > > [Thu Jan 05 19:50:46 2012] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
         > > >
         > > > Do I need to add "NSSEnforceValidCerts off" in
         > > > /etc/httpd/conf.d/nss.conf? Please advise.
         > > >
         > >
         > > That explains why certmonger can't connect. Yes, for now add that
         > > directive and restart httpd. Then try the start-tracking again and see
         > > if it renews the cert.
         > >
         > > rob
         > >
         > > > Nidal.
         > > >
         > > >
         > > > --- On Thu, 1/5/12, Rob Crittenden <rcrit...@redhat.com> wrote:
         > > >
         > > >
         > > > From: Rob Crittenden <rcrit...@redhat.com>
         > > > Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
         > > > To: "nasir nasir" <kollath...@yahoo.com>
         > > > Cc: freeipa-users@redhat.com, fasilk...@gmail.com
         > > > Date: Thursday, January 5, 2012, 7:38 AM
         > > >
         > > > nasir nasir wrote:
         > > > > Thanks for the reply Rob.
         > > > >
         > > > > Please find below the output of your guidelines.
         > > > >
         > > > > # ipa-getkeytab -s xxxxxxx.xxxxxxx.com -p host/xxxxxx.xxxxxx.com -k /etc/krb5.keytab
         > > > > (the command was successful; it didn't show any errors in the
         > > > > krb5kdc.log or audit.log)
         > > > >
         > > > > # kinit -kt /etc/krb5.keytab host/xxxxxx.xxxxxx.com
         > > > >
         > > > > krb5kdc.log
         > > > > -----------------
         > > > > Jan 05 15:20:32 xxxxxx.xxxxxx.com krb5kdc[2431](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH: host/xxxxxx.xxxxxx....@xxxxxx.com for krbtgt/xxxxxx....@xxxxxx.com, Additional pre-authentication required
         > > > > Jan 05 15:20:32 xxxxxx.xxxxxx.com krb5kdc[2427](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: ISSUE: authtime 1325766032, etypes {rep=18 tkt=18 ses=18}, host/xxxxxx.xxxxxx....@xxxxxx.com for krbtgt/xxxxxx....@xxxxxx.com
         > > > >
         > > > > # ipa-getcert list
         > > > > Number of certificates and requests being tracked: 3.
         > > > > Request ID '20110619112648':
         > > > > status: CA_UNREACHABLE
         > > > > ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
         > > > > stuck: yes
         > > > > key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-xxxxxx-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-xxxxxx-COM//pwdfile.txt'
         > > > > certificate: type=NSSDB,location='/etc/dirsrv/slapd-xxxxxx-COM',nickname='Server-Cert',token='NSS Certificate DB'
         > > > > CA: IPA
         > > > > issuer: CN=Certificate Authority,O=xxxxxx.COM
         > > > > subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
         > > > > expires: 20111216112647
         > > > > eku: id-kp-serverAuth
         > > > > track: yes
         > > > > auto-renew: yes
         > > > > Request ID '20110619112705':
         > > > > status: CA_UNREACHABLE
         > > > > ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
         > > > > stuck: yes
         > > > > key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
         > > > > certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
         > > > > CA: IPA
         > > > > issuer: CN=Certificate Authority,O=xxxxxx.COM
         > > > > subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
         > > > > expires: 20111216112704
         > > > > eku: id-kp-serverAuth
         > > > > track: yes
         > > > > auto-renew: yes
         > > > > Request ID '20110619112721':
         > > > > status: CA_UNREACHABLE
         > > > > ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
         > > > > stuck: yes
         > > > > key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
         > > > > certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
         > > > > CA: IPA
         > > > > issuer: CN=Certificate Authority,O=xxxxxx.COM
         > > > > subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
         > > > > expires: 20111216112720
         > > > > eku: id-kp-serverAuth
         > > > > track: yes
         > > > > auto-renew: yes
         > > > >
         > > > > # ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert
         > > > > Request "20110619112721" modified.
         > > > >
         > > > > # ipa-getcert list
         > > > > Number of certificates and requests being tracked: 3.
         > > > > Request ID '20110619112648':
         > > > > status: CA_UNREACHABLE
         > > > > ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
         > > > > stuck: yes
         > > > > key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-HUGAYET-COM//pwdfile.txt'
         > > > > certificate: type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS Certificate DB'
         > > > > CA: IPA
         > > > > issuer: CN=Certificate Authority,O=HUGAYET.COM
         > > > > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
         > > > > expires: 20111216112647
         > > > > eku: id-kp-serverAuth
         > > > > track: yes
         > > > > auto-renew: yes
         > > > > Request ID '20110619112705':
         > > > > status: CA_UNREACHABLE
         > > > > ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
         > > > > stuck: yes
         > > > > key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
         > > > > certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
         > > > > CA: IPA
         > > > > issuer: CN=Certificate Authority,O=HUGAYET.COM
         > > > > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
         > > > > expires: 20111216112704
         > > > > eku: id-kp-serverAuth
         > > > > track: yes
         > > > > auto-renew: yes
         > > > > Request ID '20110619112721':
         > > > > status: SUBMITTING
         > > > > stuck: no
         > > > > key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
         > > > > certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
         > > > > CA: IPA
         > > > > issuer: CN=Certificate Authority,O=HUGAYET.COM
         > > > > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
         > > > > expires: 20111216112720
         > > > > eku: id-kp-serverAuth
         > > > > track: yes
         > > > > auto-renew: yes
         > > > >
         > > > > and after a few minutes, the status 'SUBMITTING' changes to
         > > > > 'CA_UNREACHABLE'.
         > > > > Do we need to restart the /etc/init.d/ipa service for this? I am
         > > > > working remotely.
         > > >
         > > > It isn't logging enough information to know why it failed. Can you
         > > > look in the Apache error log to see why the request failed?
         > > >
         > > > My first thought was that there was a CA trust issue. I believe that
         > > > certmonger uses the NSS database where the certificate is stored so
         > > > since it is also doing this against Apache (which in theory trust is ok
         > > > for it to start at all) so I'm baffled. Hopefully the httpd logs will be
         > > > enlightening.
         > > >
         > > > >
         > > > > I need to upgrade my IPA version. Before going for this I need to
         > > > > have a replica of the existing one. Is it okay to have the replica
         > > > > while all these issues exist?
         > > >
         > > >
         > > > Yes, you should be able to create a replica, this shouldn't affect it.
         > > >
         > > > rob
         > > >
         > >
         >




_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
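The thread turns on three things that `ipa-getcert list` reports: requests that are `stuck`, certificates whose `expires` timestamp has already passed, and an `issuer` that does not match the CA certmonger trusts through /etc/ipa/ca.crt (the mismatch behind the SEC_ERROR_UNTRUSTED_ISSUER errors). The audit script below is an added example written for this page, not code from FreeIPA or certmonger: it parses `ipa-getcert list` output and flags those three conditions per tracked NSS database. The sample output, the EXAMPLE.TEST realm, the `ipa.example.test` host and the OLD-CA.TEST issuer are constructed to mirror the shape of the listings above, and EXPECTED_ISSUER is assumed to be the subject DN of /etc/ipa/ca.crt written in the comma-separated form certmonger prints.

```python
"""Audit `ipa-getcert list` output for stuck, expired or wrongly-issued certs.

Added example for this thread (not FreeIPA/certmonger code). The sample output
below is constructed to mirror the thread's listings; realm and hosts are made up.
"""
import re
import subprocess
from datetime import datetime, timezone

# Assumption: the subject DN of /etc/ipa/ca.crt, in the comma-separated form
# certmonger prints after "issuer:". Adjust for your realm.
EXPECTED_ISSUER = "CN=Certificate Authority,O=EXAMPLE.TEST"

# Constructed sample: one stuck, expired dirsrv cert, plus an httpd cert that
# was re-issued by a CA other than the one in /etc/ipa/ca.crt.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20110619112648':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-TEST//pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.TEST
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 20111216112647
    eku: id-kp-serverAuth
    track: yes
    auto-renew: yes
Request ID '20110619112721':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=OLD-CA.TEST
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2013-12-16 11:27:20 UTC
    eku: id-kp-serverAuth
    track: yes
    auto-renew: yes
"""

# "Now" for the sample run: the morning of the thread's last message (UTC assumed).
AS_OF = datetime(2012, 1, 6, 9, 12, 0)


def parse_getcert_list(text):
    """Split `ipa-getcert list` output into one dict of key/value fields per request."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")  # ca-error values contain ':' themselves
        current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """Accept both the old compact form (20111216112647) and the newer human-readable one."""
    for fmt in ("%Y%m%d%H%M%S", "%Y-%m-%d %H:%M:%S UTC"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    return None


def nssdb_location(storage):
    """Pull the NSS database path out of a 'key pair storage' field."""
    m = re.search(r"location='([^']*)'", storage)
    return m.group(1) if m else "?"


def audit(requests, expected_issuer, now):
    """Return (request id, NSS db, finding, detail) tuples for anything needing attention."""
    findings = []
    for r in requests:
        rid, where = r["id"], nssdb_location(r.get("key pair storage", ""))
        if r.get("stuck") == "yes":
            findings.append((rid, where, "STUCK", r.get("ca-error", r.get("status", ""))))
        exp = parse_expiry(r.get("expires", ""))
        if exp is not None and exp <= now:
            findings.append((rid, where, "EXPIRED", f"expired {exp:%Y-%m-%d %H:%M:%S} UTC"))
        issuer = r.get("issuer", "")
        if issuer and issuer != expected_issuer:
            # certmonger validates the renewal POST to Apache against /etc/ipa/ca.crt;
            # a cert issued by anything else fails with an untrusted-issuer error.
            findings.append((rid, where, "ISSUER_MISMATCH", issuer))
    return findings


def audit_sample():
    """Run the audit over the constructed sample at the fixed AS_OF time."""
    return audit(parse_getcert_list(SAMPLE), EXPECTED_ISSUER, AS_OF)


def load_getcert_output():
    """Use the live `ipa-getcert list` when it is available, else the sample."""
    try:
        return subprocess.run(["ipa-getcert", "list"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return SAMPLE


if __name__ == "__main__":
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    for rid, where, kind, detail in audit(parse_getcert_list(load_getcert_output()),
                                          EXPECTED_ISSUER, now):
        print(f"{rid} {where}: {kind} ({detail})")
```

On a real server, set EXPECTED_ISSUER from `openssl x509 -in /etc/ipa/ca.crt -noout -subject` (rewriting the slash-separated DN into certmonger's comma-separated order) and run the script as root so `ipa-getcert list` can talk to certmonger. An EXPIRED finding on the httpd or dirsrv Server-Cert is the situation in this thread, where renewal only succeeds once the clock is within the old certificate's validity window; an ISSUER_MISMATCH means the trust in /etc/ipa/ca.crt has to be fixed first, because turning the clock back does nothing for an untrusted CA.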
