I set the date back and ran the command and this is what I see in the
httpd log. The ca directory does not exist, I verified it as missing.
Any idea why this is? Did I miss something in the install of IPA?

[Sun Jan 01 00:20:46 2012] [error] ipa: INFO: sslget
'https://XXXXXX:443/ca/agent/ca/displayBySerial'
[Sun Jan 01 00:20:46 2012] [error] [client 192.168.201.102] File does
not exist: /var/www/html/ca
[Sun Jan 01 00:20:46 2012] [error] ipa: INFO: host/XXXX@XXXXXX:
cert_request(u'MIIDQzCCAisCAQAwLDEQMA4GA1UEChMHUERILkNTUDEYMBYGA1UEAxMPY3NwLWlkbS5wZGguY3NwMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr0EHCdyTuteryFZ2bdEl+V4OATR/xk8ELthmvlwT/5qubZKwlCWS6yLawgdyCg9Yw737A7qGe0BPxHv6E+as10NxppEPsn9BOi+TPRIMYNMNNYmO2sce2pvkMkVBqsF7Gn7mF7e5+Bp
c7ApnDGP7WLsAjbso8EvLUrqVMTNyiziCSHiNk+/Fi1Om6K5GKzKkqfEDex0RK+kpMswgcaZHhmW3i+y3UxFZsJjOg3R4fJAfC0+My2d1Vx4052+EgWAbSNpSj7zmLGM2+dkmgMo5Li7jjgJe8VsrqOV4L5IgqtGVJ0EOb7EP7gynbV
oa74m4XrVwEP8rd/M5RxAnD1JPuwIDAQABoIHRMBoGCSqGSIb3DQEJFDENEwtTZXJ2ZXItQ2VydDCBsgYJKoZIhvcNAQkOMYGkMIGhMA4GA1UdDwEBAAQEAwIE8DB3BgNVHREBAQAEbTBroCwGCisGAQQBgjcUAgOgHgwcbGRhcC9jc
3AtaWRtLnBkaC5jc3BAUERILkNTUKA7BgYrBgEFAgKgMTAvoAkbB1BESC5DU1ChIjAgoAMCAQGhGTAXGwRsZGFwGw9jc3AtaWRtLnBkaC5jc3AwFgYDVR0lAQEABAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBABD/Hwbg
f5NJNUYt0+ntMDHiilMFkSaO6ryQ36/pCH1oR+vI+PCeClHewPo0v99h4Z8W8L7CQtDdNBUMl/JVHH5Lz7cBF8A/jXZQ+naV17EEuXncacM8AvYh5dL2yih+8RpPalEmSgz5rijtbSigfNGrZn0Mh3qOW1kbsz+GDaaT9wLFxvdJyqg
dKds2tsp0KzHIMcJuw3cwOfH8zrBRV28XYhMLm0OOhj92uxgax5UPY2VyHP5UOtOnfuduU1ZXa+o8QIXqX7/HyDSCLGwiPJscAsp9cRzjn4KvqzZDOcdGEjXmCGfrmUiMcuzVyTDR2SdAWrHdbRmXeyVxmiBPzdk=',
principal=u
'ldap/XXXXXXXX@XXXXXXX', add=True): CertificateOperationError


On Wed, Mar 14, 2012 at 3:09 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Jimmy wrote:
>>
>> I can set the date to before 3/12(the cert expiry date) and things
>> start just fine. The apache logs don't seem to hold much info other
>> than "the cert is expired." CA logs have even less info.
>>
>> I did find a similar issue on the mailing list -
>> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/3104 - but I
>> don't see a resolution, I don't see how the cert is supposed to get
>> renewed.
>
>
> certmonger is supposed to automatically renew it. It apparently tried and
> failed because the CA was unreachable. If you set the date back again and
> execute this command it will resubmit the request and perhaps the logs will
> contain the details we need.
>
>
> rob
>
>>
>> On Wed, Mar 14, 2012 at 2:22 PM, Rob Crittenden<rcrit...@redhat.com>
>>  wrote:
>>>
>>> Jimmy wrote:
>>>>
>>>>
>>>> I changed the system date and it's functional now. I ran the command `
>>>> certutil -L -d /etc/httpd/alias -n Server-Cert` and see the expired
>>>> cert. Looking at `ipa-getcert list` I see this--
>>>>
>>>> Request ID '20110913154233':
>>>>         status: CA_UNREACHABLE
>>>>         ca-error: Server failed request, will retry: 4301 (RPC failed
>>>> at server.  Certificate operation cannot be completed: Unable to
>>>> communicate with CMS (Not Found)).
>>>>         stuck: yes
>>>>         key pair storage:
>>>>
>>>>
>>>> type=NSSDB,location='/etc/dirsrv/slapd-XXXXX',nickname='Server-Cert',token='NSS
>>>> Certificate DB',pinfile='/etc/dirsrv/slapdXXXXX//pwdfile.txt'
>>>>         certificate:
>>>>
>>>>
>>>> type=NSSDB,location='/etc/dirsrv/slapd-XXXXX',nickname='Server-Cert',token='NSS
>>>> Certificate DB'
>>>>         CA: IPA
>>>>         issuer: CN=Certificate Authority,O=XXXXX
>>>>         subject: CN=csp-idm.pdh.csp,O=XXXXX
>>>>         expires: 2012-03-11 15:42:32 UTC
>>>>         eku: id-kp-serverAuth
>>>>         track: yes
>>>>         auto-renew: yes
>>>>
>>>> It says "CA_UNREACHABLE", but ipactl status shows the CA running. Any
>>>> ideas on why this is occurring?
>>>
>>>
>>>
>>> The Apache error log may hold some clues. You might try:
>>>
>>> # ipa-getcert resubmit -i 20110913154233
>>>
>>> Then watch the Apache log to see what it is doing. The CA logs are in
>>> /var/log/pki-ca and may provide some details as well.
>>>
>>> rob
>>>
>>>
>>>>
>>>> On Wed, Mar 14, 2012 at 1:35 PM, Jimmy<g17ji...@gmail.com>    wrote:
>>>>>
>>>>>
>>>>> My IPA server just stopped working with this error. I'm looking in to
>>>>> it, but if anyone knows what the issue is right off I'd appreciate any
>>>>> pointers you have.
>>>>>
>>>>> (when trying to do service ipa start)
>>>>> Starting dirsrv:
>>>>>    PDH-CSP...[14/Mar/2012:17:24:34 +0000] - SSL alert:
>>>>> CERT_VerifyCertificateNow: verify certificate failed for cert
>>>>> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
>>>>> Portable Runtime error -8181 - Peer's Certificate has expired.)
>>>>>                                                           [  OK  ]
>>>>>    PKI-IPA...[14/Mar/2012:17:24:36 +0000] - SSL alert:
>>>>> CERT_VerifyCertificateNow: verify certificate failed for cert
>>>>> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
>>>>> Portable Runtime error -8181 - Peer's Certificate has expired.)
>>>>>                                                           [  OK  ]
>>>>>
>>>>>
>>>>> I'm running on Fedora15, running IPA --
>>>>> freeipa-server-2.1.1-1.fc15.x86_64.
>>>>> Thanks.
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users@redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users@redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>>>
>

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to