I can set the date to before 3/12 (the cert expiry date) and things start just fine. The apache logs don't seem to hold much info other than "the cert is expired." CA logs have even less info.
I did find a similar issue on the mailing list - http://comments.gmane.org/gmane.linux.redhat.freeipa.user/3104 - but I don't see a resolution, I don't see how the cert is supposed to get renewed.

On Wed, Mar 14, 2012 at 2:22 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Jimmy wrote:
>>
>> I changed the system date and it's functional now. I ran the command
>> `certutil -L -d /etc/httpd/alias -n Server-Cert` and see the expired
>> cert. Looking at `ipa-getcert list` I see this--
>>
>> Request ID '20110913154233':
>>         status: CA_UNREACHABLE
>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>>         stuck: yes
>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-XXXXX',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapdXXXXX//pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-XXXXX',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=XXXXX
>>         subject: CN=csp-idm.pdh.csp,O=XXXXX
>>         expires: 2012-03-11 15:42:32 UTC
>>         eku: id-kp-serverAuth
>>         track: yes
>>         auto-renew: yes
>>
>> It says "CA_UNREACHABLE", but ipactl status shows the CA running. Any
>> ideas on why this is occurring?
>
> The Apache error log may hold some clues. You might try:
>
> # ipa-getcert resubmit -i 20110913154233
>
> Then watch the Apache log to see what it is doing. The CA logs are in
> /var/log/pki-ca and may provide some details as well.
>
> rob
>
>>
>> On Wed, Mar 14, 2012 at 1:35 PM, Jimmy <g17ji...@gmail.com> wrote:
>>>
>>> My IPA server just stopped working with this error. I'm looking in to
>>> it, but if anyone knows what the issue is right off I'd appreciate any
>>> pointers you have.
>>>
>>> (when trying to do service ipa start)
>>> Starting dirsrv:
>>>     PDH-CSP...[14/Mar/2012:17:24:34 +0000] - SSL alert:
>>> CERT_VerifyCertificateNow: verify certificate failed for cert
>>> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
>>> Portable Runtime error -8181 - Peer's Certificate has expired.)
>>>                                                            [  OK  ]
>>>     PKI-IPA...[14/Mar/2012:17:24:36 +0000] - SSL alert:
>>> CERT_VerifyCertificateNow: verify certificate failed for cert
>>> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
>>> Portable Runtime error -8181 - Peer's Certificate has expired.)
>>>                                                            [  OK  ]
>>>
>>> I'm running on Fedora15, running IPA --
>>> freeipa-server-2.1.1-1.fc15.x86_64.
>>> Thanks.
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipafirstname.lastname@example.org
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
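
As an added example (not part of the thread, and not FreeIPA or certmonger code): a check that parses `ipa-getcert list` output in the format quoted above and reports tracking requests that are stuck, not in the `MONITORING` state, or close to expiry, so a failed renewal is noticed before the services refuse to start. The second sample request and the 28-day threshold are constructed, and treating `MONITORING` as the only healthy status is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: request 1 mirrors the thread's output, request 2 is a made-up healthy one.
SAMPLE = """\
Request ID '20110913154233':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server).
        stuck: yes
        expires: 2012-03-11 15:42:32 UTC
Request ID '20990101000000':
        status: MONITORING
        stuck: no
        expires: 2013-09-13 15:42:45 UTC
"""

def parse_requests(text):
    """Split `ipa-getcert list` output into one dict per tracking request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line.strip())
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def findings(req, now, warn_days=28):
    """Return the reasons a request needs attention (empty list = healthy)."""
    out = []
    if req.get("status") != "MONITORING":  # assumed healthy certmonger state
        out.append("status=" + req.get("status", "unknown"))
    if req.get("stuck") == "yes":
        out.append("stuck")
    if "expires" in req:
        exp = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
        if exp <= now:
            out.append("expired")
        elif exp - now <= timedelta(days=warn_days):
            out.append("expires within %d days" % warn_days)
    return out

def audit(text, now):
    """Map request ID -> list of findings, for unhealthy requests only."""
    return {r["id"]: f for r in parse_requests(text) if (f := findings(r, now))}

if __name__ == "__main__":
    for rid, why in audit(SAMPLE, datetime.now(timezone.utc)).items():
        print(rid, ", ".join(why))
```

On a real server the text passed to `audit` would be the captured output of `ipa-getcert list`, run from cron or a monitoring agent.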