On Friday, June 21, 2013 09:30:12 Rob Crittenden wrote:
> Joshua J. Kugler wrote:
> > So, ongoing saga of a FreeIPA 2.x system with an expired cert for the CA
> > server:
> >
> > ca-error: Server failed request, will retry: 907 (RPC failed at server.
> > cannot connect to
> > 'https://ipa0.lab.whamcloud.com:9443/ca/agent/ca/displayBySerial': [Errno
> > -8181] (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.).
> I thought you said in a different thread that it wasn't the CA that was
> expired, but the tomcat cert.

According to our conversation in IRC (a while back) this indicates the Tomcat cert is expired. :) The cert in /etc/ipa/ca.crt (which I assume is the actual CA cert) is good until 2019. That was why I was trying to renew the tomcat Server-Cert.

> > Any ideas how to get the CA cert renewed?
> >
> > I know how to generate a CSR and a cert, but I'm not sure 1) how I would
> > add it into the cert DB, and 2) how I can add it without invalidating all
> > my other certs.

Sorry, I wasn't clear. Any idea how to renew the cert in /var/lib/pki-ca/alias (Server-Cert)?

> certmonger in F-17 doesn't know how to renew the CA-related
> certificates. We fixed this in the IPA 3.1 timeframe. I'm not sure if
> the certmonger requires dogtag 10 for this feature or not, but it may.
> You'll want to upgrade to 3.1+ if you can.
>
> So if it is just the tomcat cert that is expired, then for simplicity
> I'd set the time back on both systems (you'll need to kill ntp) to when
> the cert is valid and try that. I have the feeling you've already done
> this, but it is unclear what exactly you've tried.

Yes, I've tried setting the clock back, and that works to renew the service certs. But the cert for the Tomcat server was never added to certmonger for some reason, so it was never renewed, which means the service certs don't renew properly, which leads to our current need to get off this instance (along with the LDAP server dying after too many requests, but that's a separate issue).

j

-- 
Joshua J. Kugler - Fairbanks, Alaska
Azariah Enterprises - Programming and Website Design
jos...@azariah.com - Jabber: pedah...@gmail.com
PGP Key: http://pgp.mit.edu/  ID 0x73B13B6A

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
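The thread turns on telling apart which certificate has actually expired (the CA in /etc/ipa/ca.crt versus the Tomcat Server-Cert in the Dogtag NSS database) and on noticing a certificate that nobody is tracking for renewal. The following is an added example, not code from the thread or from FreeIPA or certmonger: a dependency-free Python checker that reads the Validity field of X.509 certificates and reports, for each nickname, how many days remain and whether the current time falls outside the validity window. It assumes only the fields needed to reach Validity are decoded, and the two certificates it runs over are constructed, unsigned stand-ins with made-up dates, not real FreeIPA certificates; the `pem_to_der` helper exists so the same check can be pointed at a PEM file such as /etc/ipa/ca.crt.

```python
"""Offline X.509 expiry check (added example; DER walker covers only the path to Validity)."""
import base64
import datetime as dt


def _der_length(n):
    """DER length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    """Encode one DER TLV; used here only to build the constructed sample certs."""
    return bytes([tag]) + _der_length(len(content)) + content


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_time(tag, content):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware UTC datetime."""
    text = content.decode("ascii")
    if tag == 0x17:                        # UTCTime YYMMDDHHMMSSZ; RFC 5280 pivots two-digit years at 50
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def certificate_validity(cert_der):
    """Walk Certificate -> tbsCertificate -> validity and return (notBefore, notAfter)."""
    _, cert_body, _ = read_tlv(cert_der, 0)     # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert_body, 0)          # tbsCertificate SEQUENCE
    tag, _, pos = read_tlv(tbs, 0)              # either [0] version or serialNumber
    if tag == 0xA0:                             # explicit version present (v2/v3)
        _, _, pos = read_tlv(tbs, pos)          # serialNumber
    _, _, pos = read_tlv(tbs, pos)              # signature AlgorithmIdentifier
    _, _, pos = read_tlv(tbs, pos)              # issuer Name
    _, validity, _ = read_tlv(tbs, pos)         # Validity SEQUENCE
    t1, nb, pos = read_tlv(validity, 0)
    t2, na, _ = read_tlv(validity, pos)
    return decode_time(t1, nb), decode_time(t2, na)


def pem_to_der(pem_text):
    """Strip the BEGIN/END armour of a PEM file (e.g. /etc/ipa/ca.crt) and decode the body."""
    body = "".join(l.strip() for l in pem_text.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(body)


def expiry_report(certs, now):
    """Map nickname -> (days until notAfter, outside_validity_window) for each DER cert."""
    report = {}
    for nick, cert_der in certs.items():
        not_before, not_after = certificate_validity(cert_der)
        report[nick] = ((not_after - now).days, not (not_before <= now <= not_after))
    return report


def build_fake_cert(not_before, not_after):
    """Constructed, unsigned stand-in: only Validity is meaningful, every other field is filler."""
    utc_time = lambda d: der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                                 # version v3
              + der(0x02, b"\x01")                                          # serialNumber 1
              + der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSAEncryption
              + der(0x30, b"")                                              # empty issuer Name
              + der(0x30, utc_time(not_before) + utc_time(not_after))       # Validity
              + der(0x30, b"")                                              # empty subject Name
              + der(0x30, b""))                                             # placeholder SPKI
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))            # + empty sigAlg, empty signature


# Constructed sample: the thread's date as "now", a CA stand-in valid for years and a
# Server-Cert stand-in already past notAfter. All dates are made up for the example.
UTC = dt.timezone.utc
SAMPLE_NOW = dt.datetime(2013, 6, 21, tzinfo=UTC)
SAMPLE_CERTS = {
    "CA": build_fake_cert(dt.datetime(2009, 3, 1, tzinfo=UTC), dt.datetime(2019, 3, 1, tzinfo=UTC)),
    "Server-Cert": build_fake_cert(dt.datetime(2011, 5, 1, tzinfo=UTC), dt.datetime(2013, 5, 1, tzinfo=UTC)),
}


def demo():
    """Run the check over the constructed certs, round-tripping one through PEM on the way."""
    pem = "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CERTS["CA"]).decode() + "-----END CERTIFICATE-----\n"
    assert pem_to_der(pem) == SAMPLE_CERTS["CA"]
    return expiry_report(SAMPLE_CERTS, SAMPLE_NOW)


if __name__ == "__main__":
    for nick, (days, outside) in demo().items():
        print(f"{nick:12s} {'OUTSIDE VALIDITY' if outside else 'valid':16s} notAfter in {days:+d} days")
```

Running it prints one line per nickname; a negative day count with the validity flag set is the situation the thread describes for Server-Cert while the CA still has years left. To run it against a real PEM file, read the file, pass it through `pem_to_der`, and use `datetime.now(timezone.utc)` as `now`; certificates that a scheduler such as certmonger is not tracking are exactly the ones a periodic run of a check like this is meant to surface before they lapse.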