On Friday, June 21, 2013 09:30:12 Rob Crittenden wrote:
> Joshua J. Kugler wrote:
> > So, ongoing saga of a FreeIPA 2.x system with an expired cert for the CA
> > server:
> > 
> > ca-error: Server failed request, will retry: 907 (RPC failed at server.
> > cannot connect to
> > 'https://ipa0.lab.whamcloud.com:9443/ca/agent/ca/displayBySerial': [Errno
> > -8181] (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.).
> I thought you said in a different thread that it wasn't the CA that was
> expired, but the tomcat cert.

According to our conversation in IRC (a while back) this indicates the Tomcat 
cert is expired. :)  The cert in /etc/ipa/ca.crt (which I assume is the actual 
CA cert) is good until 2019.  That was why I was trying to server the tomcat 

> > Any ideas how to get the CA cert renewed?
> > 
> > I know how to generate a CSR and a cert, but I'm not sure 1) how I would
> > add it into the cert DB, and 2) how I can add it without invalidating all
> > my other certs.

Sorry, I wasn't clear. Any idea how to renew the cert in /var/lib/pki-ca/alias? (Server-Cert)

> certmonger in F-17 doesn't know how to renew the CA-related
> certificates. We fixed this in the IPA 3.1 timeframe. I'm not sure if
> the certmonger requires dogtag 10 for this feature or not, but it may.
> You'll want to upgrade to 3.1+ if you can.
> So if it is just the tomcat cert that is expired, then for simplicity
> I'd set the time back on both systems (you'll need to kill ntp) to when
> the cert is valid and try that. I have the feeling you've already done
> this, but it is unclear what exactly you've tried.

Yes, I've tried setting the clock back, and that works to renew the service 
certs. But the cert for the Tomcat server was never added to certmonger for 
some reason, so it was never renewed, which means the service certs don't 
renew properly, which leads to our current need to get off this instance (along 
with the LDAP server dying after too many requests, but that's a separate 


Joshua J. Kugler - Fairbanks, Alaska
Azariah Enterprises - Programming and Website Design
jos...@azariah.com - Jabber: pedah...@gmail.com
PGP Key: http://pgp.mit.edu/  ID 0x73B13B6A
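A check for the situation described above (a Server-Cert in /var/lib/pki-ca/alias that certmonger never tracked, so it expired unnoticed and took service-cert renewal down with it), as an added example that is not code from the thread or from FreeIPA: it parses the output of `certutil -L` and `getcert list`, reports certificates in the NSS database that certmonger is not renewing, and reads their expiry from the per-certificate detail view. The sample command outputs embedded below are constructed.

```python
"""Cross-check an NSS certificate database against certmonger's tracking list
and report certificates certmonger will never renew.  Added example, not code
from the thread: the sample command outputs below are constructed."""
import re
import subprocess
from datetime import datetime

# Constructed sample of `certutil -L -d /var/lib/pki-ca/alias`.
SAMPLE_CERTUTIL = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
"""
# Constructed sample of `certutil -L -d /var/lib/pki-ca/alias -n 'Server-Cert cert-pki-ca'`.
SAMPLE_DETAIL = """\
            Not After : Fri Jun 21 09:30:12 2013
"""
# Constructed sample of `getcert list`: only the CA signing cert is tracked.
SAMPLE_GETCERT = """\
Request ID '20130621093012':
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2019-06-21 09:30:12 UTC
"""

def nss_nicknames(certutil_output):
    """Nicknames from `certutil -L`: the table body starts after the first blank line."""
    body = certutil_output.partition("\n\n")[2]
    return [m.group(1) for m in re.finditer(r"^(\S.*?\S)\s{2,}\S+$", body, re.M)]

def tracked_nicknames(getcert_output, location):
    """Nicknames certmonger tracks inside the NSS database at `location`."""
    pat = re.compile(r"^\s*certificate: type=NSSDB,location='([^']*)',nickname='([^']*)'", re.M)
    return {nick for loc, nick in pat.findall(getcert_output) if loc == location}

def not_after(detail_output):
    """Expiry parsed from the detail view of one certificate (`certutil -L -n <nick>`)."""
    m = re.search(r"Not After\s*:\s*(.+)$", detail_output, re.M)
    return datetime.strptime(m.group(1).strip(), "%a %b %d %H:%M:%S %Y")

def untracked(certutil_output, getcert_output, location):
    """Certificates present in the database that certmonger is not renewing."""
    tracked = tracked_nicknames(getcert_output, location)
    return [n for n in nss_nicknames(certutil_output) if n not in tracked]

if __name__ == "__main__":  # on an IPA server both commands are present
    loc = "/var/lib/pki-ca/alias"
    certs = subprocess.check_output(["certutil", "-L", "-d", loc], text=True)
    tracking = subprocess.check_output(["getcert", "list"], text=True)
    for nick in untracked(certs, tracking, loc):
        detail = subprocess.check_output(["certutil", "-L", "-d", loc, "-n", nick], text=True)
        print(f"untracked: {nick!r} expires {not_after(detail)}")
```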

Freeipa-users mailing list