On 6/5/12 2:33 PM, Rob Crittenden wrote:
JR Aquino wrote:
On Jun 5, 2012, at 11:18 AM, Paul Tader wrote:
A couple days ago my (apache) certificates expired. Users are able to
kinit but tools such as sudo fail because of the expired
certificates. Lots of reading/Google'ing later I found this script
(steps) to renew these certs:
I'm just curious, but, isn't certmonger supposed to automatically
renew these? Is certmonger failing in this case?
Yes, the first thing to do is figure out why certmonger didn't
automatically renew the certificates. Then it should be as simple as
setting the date back, letting certmonger do its thing, then setting it
forward again.
That is very strange certmonger output. You might try setting the date
back a couple of days and trying something like:
ipa-getcert resubmit -i 20110706215145
And see what the status goes to.
rob
(Sorry for the delay reply)
No luck with setting the date back and resubmitting the certificate.
# /etc/init.d/ntpd stop
Stopping ntpd (via systemctl): [ OK ]
# date 060112002012
Fri Jun 1 12:00:00 CDT 2012
# /etc/init.d/httpd stop
Stopping httpd (via systemctl): [ OK ]
# /etc/init.d/httpd start
Starting httpd (via systemctl): [ OK ]
# ipa-getcert resubmit -i 20110706215145
Resubmitting "20110706215145" to "IPA".
# ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20110706215109':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction, explaining: SSL connect error).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-CTIDATA-NET//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=RELAM.NET
subject: CN=srv01.company.net,O=REALM.NET
expires: 2012-06-03 20:19:49 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Request ID '20110706215129':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction, explaining: SSL connect error).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=REALM.NET
subject: CN=srv01.company.net,O=REALM.NET
expires: 2012-06-03 20:19:49 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Request ID '20110706215145':
status: GENERATING_CSR
ca-error: Server failed request, will retry: 4301 (RPC failed at
server. Certificate operation cannot be completed: Unable to
communicate with CMS (Unauthorized)).
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=REALM.NET
subject: CN=srv01.company.net,O=REALM.NET
expires: 2012-06-03 20:19:49 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
