On Mon, January 13, 2014 15:58, Rob Crittenden wrote:
> Sigbjorn Lie wrote:
>> I seem to have issues with the certificate system on my IPA installation.
>> Looking up hosts in the IPA WEBUI on any of the IPA servers says "Certificate format error:
>> [Errno -8015] error
>> I also notice that hosts says the certificate system is unavailable.
>> certmonger: Server failed request, will retry: 4301 (RPC failed at server.
>> operation cannot be completed: Failure decoding Certificate Signing Request).
>> Looking at the pki-ca logs on the ipa servers I see that some selftest
>> # tail -100 selftests.log
>> 28697.main - [13/Jan/2014:15:06:33 CET]   SelfTestSubsystem: Initializing self test
>> 28697.main - [13/Jan/2014:15:06:33 CET]   SelfTestSubsystem: loading all self test plugin logger parameters
>> 28697.main - [13/Jan/2014:15:06:33 CET]   loading all self test plugin instances
>> 28697.main - [13/Jan/2014:15:06:33 CET]   SelfTestSubsystem: loading all self test plugin instance parameters
>> 28697.main - [13/Jan/2014:15:06:33 CET]   SelfTestSubsystem: loading self test plugins in on-demand order
>> 28697.main - [13/Jan/2014:15:06:33 CET]   SelfTestSubsystem: loading self test plugins in startup order
>> 28697.main - [13/Jan/2014:15:06:33 CET]   SelfTestSubsystem: Self test plugins have been successfully loaded!
>> 28697.main - [13/Jan/2014:15:06:34 CET]   SelfTestSubsystem: Running self test plugins specified to be executed at startup:
>> 28697.main - [13/Jan/2014:15:06:34 CET]   CAPresence: CA is present
>> 28697.main - [13/Jan/2014:15:06:34 CET]   SystemCertsVerification: system certs verification failure
>> 28697.main - [13/Jan/2014:15:06:34 CET]   SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
>> The pki-cad service is running and "pki-cad status" displays the ports
>> # /etc/init.d/pki-cad status
>> pki-ca (pid 28697) is running... [ OK ]
>> My main concern is that the certmonger requests for renewal of the certificates for LDAP on 2 out of
>> the IPA servers have failed, and the current certificate is expiring the 19th of January,
>> under a week from now.
>> Do you have any suggestions as to where I can start troubleshooting this issue?
> Check the trust on the audit certificate:
> # certutil -L -d /var/lib/pki-ca/alias/
> auditSigningCert cert-pki-ca u,u,Pu
> If the trust is not u,u,Pu then you can fix it with:
> # certutil -M -d /var/lib/pki-ca/alias -n 'auditSigningCert cert-pki-ca' -t u,u,Pu
> Then restart the CA and it should be ok.
Looks like this certificate is expired. This is the same output on all 3 of the
How can this be fixed?
# certutil -L -d /var/lib/pki-ca/alias/ -n "auditSigningCert cert-pki-ca"
Version: 3 (0x2)
Serial Number: 5 (0x5)
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "CN=Certificate Authority,O=DNS.DOMAIN"
Not Before: Thu Jan 19 19:44:24 2012
Not After : Wed Jan 08 19:44:24 2014
Freeipa-users mailing list
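The two things this thread checks by hand, the NSS trust attributes that Rob asks about and the validity dates that turn up in the follow-up, can be checked together. The script below is an added example written for this page; it is not FreeIPA or Dogtag code and nothing in the thread ran it. It parses the output of `certutil -L -d <dbdir>` (nickname plus trust triple) and of `certutil -L -d <dbdir> -n <nick>` (the `Not After` line), reports any nickname whose trust differs from what is expected, and flags certificates that are expired or expire within a warning window. The `EXPECTED_TRUST` table holds only the `u,u,Pu` value from Rob's reply; the `run_certutil` wrapper, the sample listing and the sample detail output (the audit cert modelled on Sigbjorn's, the other two entries made up) are all constructed for the demo.

```python
"""Offline check of NSS trust flags and certificate expiry from certutil output.

Hypothetical helper written for this thread, not FreeIPA/Dogtag code. It reads
`certutil -L -d <dbdir>` for nicknames and trust attributes, and
`certutil -L -d <dbdir> -n <nick>` for validity, and reports what would make
the pki-ca SystemCertsVerification self test unhappy.
"""
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Trust attributes (SSL,S/MIME,JAR/XPI) that must be present, per nickname.
# Only the audit signing cert value comes from the thread (Rob's reply).
EXPECTED_TRUST = {
    "auditSigningCert cert-pki-ca": "u,u,Pu",
}

# An NSS trust triple: letters from the certutil trust alphabet, comma separated.
TRUST_RE = re.compile(r"^[pPcCTu]*,[pPcCTu]*,[pPcCTu]*$")
NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+)$")
# certutil prints validity as "Wed Jan 08 19:44:24 2014" (UTC, zone not shown).
CERTUTIL_TIME = "%a %b %d %H:%M:%S %Y"


def parse_listing(text):
    """Map nickname -> trust flags from `certutil -L -d <dir>` output.

    Nicknames contain spaces, so split on the last whitespace run and keep the
    line only if the tail looks like a trust triple (skips the header lines).
    """
    certs = {}
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) == 2 and TRUST_RE.match(parts[1]):
            certs[parts[0].strip()] = parts[1]
    return certs


def parse_not_after(text):
    """Return the Not After timestamp (UTC) from `certutil -L -n <nick>` output."""
    for line in text.splitlines():
        m = NOT_AFTER_RE.search(line)
        if m:
            naive = datetime.strptime(m.group(1).strip(), CERTUTIL_TIME)
            return naive.replace(tzinfo=timezone.utc)
    raise ValueError("no 'Not After' line in certutil output")


def check_certs(listing, detail_for, now, warn_days=7):
    """Return [(nickname, problem)] for trust mismatches and expiry.

    listing:    text of `certutil -L -d <dir>`
    detail_for: callable nickname -> text of `certutil -L -d <dir> -n <nick>`
    now:        aware datetime used as the reference time
    """
    problems = []
    trust = parse_listing(listing)
    for nick, expected in EXPECTED_TRUST.items():
        if nick not in trust:
            problems.append((nick, "missing from NSS database"))
        elif trust[nick] != expected:
            problems.append((nick, f"trust is {trust[nick]}, expected {expected}"))
    for nick in trust:
        not_after = parse_not_after(detail_for(nick))
        if not_after <= now:
            problems.append((nick, f"expired {not_after:%Y-%m-%d}"))
        elif not_after - now <= timedelta(days=warn_days):
            problems.append((nick, f"expires {not_after:%Y-%m-%d}, within {warn_days} days"))
    return problems


def run_certutil(dbdir, nick=None):
    """Invoke NSS certutil for a live check (not used by the offline demo)."""
    cmd = ["certutil", "-L", "-d", dbdir]
    if nick:
        cmd += ["-n", nick]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


# Constructed sample output. The audit cert copies the dates from the thread
# (expired 2014-01-08); the CA and Server-Cert entries are invented.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
"""

SAMPLE_DETAILS = {
    "caSigningCert cert-pki-ca": "    Not After : Wed Jan 08 19:44:24 2020\n",
    "auditSigningCert cert-pki-ca": """\
        Serial Number: 5 (0x5)
        Issuer: "CN=Certificate Authority,O=DNS.DOMAIN"
        Validity:
            Not Before: Thu Jan 19 19:44:24 2012
            Not After : Wed Jan 08 19:44:24 2014
""",
    "Server-Cert cert-pki-ca": "    Not After : Sun Jan 19 19:44:24 2014\n",
}

# Reference time matching the date of the report in the thread.
REPORT_TIME = datetime(2014, 1, 13, 15, 0, tzinfo=timezone.utc)


def demo():
    """Run the check over the constructed samples."""
    return check_certs(SAMPLE_LISTING, SAMPLE_DETAILS.__getitem__, REPORT_TIME)


if __name__ == "__main__":
    for nick, problem in demo():
        print(f"{nick}: {problem}")
    # live use: check_certs(run_certutil(d), lambda n: run_certutil(d, n),
    #                       datetime.now(timezone.utc))  with d="/var/lib/pki-ca/alias"
```

Against the live database you would pass `run_certutil("/var/lib/pki-ca/alias")` as the listing and `datetime.now(timezone.utc)` as the reference time; on the sample data the audit cert is reported as expired and Server-Cert as expiring within the week, which is the situation the thread describes. Fixing the trust flags with `certutil -M` helps only while the certificate itself is still valid, so the expiry check is the one to run first.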