Jimmy wrote:
I can set the date to before 3/12 (the cert expiry date) and things
start just fine. The apache logs don't seem to hold much info other
than "the cert is expired." CA logs have even less info.

I did find a similar issue on the mailing list -
http://comments.gmane.org/gmane.linux.redhat.freeipa.user/3104 - but I
don't see a resolution, I don't see how the cert is supposed to get
renewed.

certmonger is supposed to automatically renew it. It apparently tried and failed because the CA was unreachable. If you set the date back again and execute this command it will resubmit the request and perhaps the logs will contain the details we need.

rob


On Wed, Mar 14, 2012 at 2:22 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
Jimmy wrote:

I changed the system date and it's functional now. I ran the command `
certutil -L -d /etc/httpd/alias -n Server-Cert` and see the expired
cert. Looking at `ipa-getcert list` I see this--

Request ID '20110913154233':
         status: CA_UNREACHABLE
         ca-error: Server failed request, will retry: 4301 (RPC failed
at server.  Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)).
         stuck: yes
         key pair storage:

type=NSSDB,location='/etc/dirsrv/slapd-XXXXX',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapdXXXXX//pwdfile.txt'
         certificate:

type=NSSDB,location='/etc/dirsrv/slapd-XXXXX',nickname='Server-Cert',token='NSS
Certificate DB'
         CA: IPA
         issuer: CN=Certificate Authority,O=XXXXX
         subject: CN=csp-idm.pdh.csp,O=XXXXX
         expires: 2012-03-11 15:42:32 UTC
         eku: id-kp-serverAuth
         track: yes
         auto-renew: yes

It says "CA_UNREACHABLE", but ipactl status shows the CA running. Any
ideas on why this is occurring?


The Apache error log may hold some clues. You might try:

# ipa-getcert resubmit -i 20110913154233

Then watch the Apache log to see what it is doing. The CA logs are in
/var/log/pki-ca and may provide some details as well.

rob



On Wed, Mar 14, 2012 at 1:35 PM, Jimmy <g17ji...@gmail.com> wrote:

My IPA server just stopped working with this error. I'm looking in to
it, but if anyone knows what the issue is right off I'd appreciate any
pointers you have.

(when trying to do service ipa start)
Starting dirsrv:
    PDH-CSP...[14/Mar/2012:17:24:34 +0000] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert
Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
Portable Runtime error -8181 - Peer's Certificate has expired.)
                                                           [  OK  ]
    PKI-IPA...[14/Mar/2012:17:24:36 +0000] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert
Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
Portable Runtime error -8181 - Peer's Certificate has expired.)
                                                           [  OK  ]


I'm running on Fedora 15, running IPA --
freeipa-server-2.1.1-1.fc15.x86_64.
Thanks.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users






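As an added check (not code from this thread, from FreeIPA or from certmonger), a small parser over `ipa-getcert list` output in the format quoted above that flags stuck requests and certificates that are expired or close to expiry, so an expired Server-Cert is noticed before dirsrv and httpd refuse to start. The sample listing, its hostnames and paths, and the second request are constructed.

```python
"""Parse `ipa-getcert list` output and flag requests certmonger reports as stuck or
not MONITORING, and certificates that are expired or expire within warn_days."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the listing in the thread; names/paths are placeholders.
SAMPLE = """\
Request ID '20110913154233':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 2012-03-11 15:42:32 UTC
Request ID '20110913154300':
\tstatus: MONITORING
\tstuck: no
\texpires: 2012-04-01 00:00:00 UTC
"""
THREAD_DATE = datetime(2012, 3, 14, 17, 24, tzinfo=timezone.utc)  # when the thread's failure occurred

def parse_getcert(text):
    """Split the listing into one dict per 'Request ID' block (field name -> value)."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return requests

def check_requests(requests, now, warn_days=30):
    """Return (request id, reason) pairs an operator should act on before services refuse to start."""
    findings = []
    for r in requests:
        if r.get("stuck") == "yes":
            findings.append((r["id"], "stuck: " + r.get("ca-error", r.get("status", "?"))))
        elif r.get("status", "MONITORING") != "MONITORING":  # assumption: MONITORING is the only quiet state
            findings.append((r["id"], "status " + r["status"]))
        if "expires" in r:
            exp = datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
            if exp <= now or exp - now <= timedelta(days=warn_days):
                findings.append((r["id"], ("expired " if exp <= now else "expires soon ") + r["expires"]))
    return findings

if __name__ == "__main__":
    for req_id, reason in check_requests(parse_getcert(SAMPLE), THREAD_DATE):
        print(req_id, reason)
```

Run it as a cron job against the real `ipa-getcert list` output (replace SAMPLE with the command's stdout) and alert on any non-empty result.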