On Mon, Jan 13, 2014 at 04:07:16PM +0100, Sigbjorn Lie wrote:
> After I restarted dirsrv, pki-cad and then the httpd on ipa01 the status of
> the request is now:
>
> Request ID '20120119194518':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://ipa01.dns.domain:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
> stuck: yes
> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DNS-DOMAIN',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DNS-DOMAIN//pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-DNS-DOMAIN',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=DNS-DOMAIN
> subject: CN=ipa01.dns.domain,O=DNS-DOMAIN
> expires: 2014-01-19 19:45:18 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
>
> However I cannot find the certificate that's expired?
That error message was the one the IPA server received and then relayed back to certmonger, so I'd expect that the expired certificate is the agent certificate that IPA uses when connecting to the CA's agent interface. That's stored in the NSS database in /etc/httpd/alias, with nickname "ipaCert".

HTH,

Nalin
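The triage in the reply above, written out as a small script. This is an added example for this thread, not part of FreeIPA or certmonger: it parses the text that `getcert list` prints, compares each request's `expires:` stamp against a reference time, and applies the reasoning from the reply: when the request's own certificate is still valid but the ca-error carries SSL_ERROR_EXPIRED_CERT_ALERT, the expired certificate is the one IPA presented to the CA, the "ipaCert" agent certificate in /etc/httpd/alias, so that is the database and nickname it tells you to inspect with certutil. The sample input is constructed: the first request is the one quoted in the thread, the second (request ID, subject and expiry) is hypothetical and added only to show the other branch; SAMPLE_NOW is the time of the mail. The verdict strings and the function names are this example's own.

```python
"""Triage 'getcert list' output: which certificate is actually expired?"""
import re
import sys
from datetime import datetime, timezone

# Verdicts (names chosen for this example).
TRACKED_CERT_EXPIRED = "tracked certificate has expired"
CA_SIDE_CERT_EXPIRED = ("CA rejected IPA's client certificate as expired; "
                        "tracked certificate is still valid")
STUCK = "request stuck for another reason"
OK = "ok"

# From the reply in this thread: the agent cert IPA presents to the CA.
IPA_AGENT_CERT_DB = "/etc/httpd/alias"
IPA_AGENT_CERT_NICK = "ipaCert"

# Time of the original mail (Mon, 13 Jan 2014 16:07:16 +0100), used as "now"
# for the constructed sample below.
SAMPLE_NOW = datetime(2014, 1, 13, 15, 7, 16, tzinfo=timezone.utc)

# Constructed sample: first request as quoted in the thread; the second
# request (ID, subject, expiry) is hypothetical and only exercises the
# "tracked cert itself expired" branch.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20120119194518':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://ipa01.dns.domain:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DNS-DOMAIN',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DNS-DOMAIN//pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-DNS-DOMAIN',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=DNS-DOMAIN
\tsubject: CN=ipa01.dns.domain,O=DNS-DOMAIN
\texpires: 2014-01-19 19:45:18 UTC
\teku: id-kp-serverAuth,id-kp-clientAuth
\tpre-save command:
\tpost-save command:
\ttrack: yes
\tauto-renew: yes
Request ID '20120119194519':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=IPA RA,O=DNS-DOMAIN
\texpires: 2014-01-10 10:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""


def parse_getcert_list(text):
    """Parse getcert's text output into {request_id: {field: value}}."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = requests.setdefault(m.group(1), {})
            continue
        if current is None or not line.startswith(("\t", " ")):
            continue  # summary/header lines are not part of a request
        # Split on the first colon only: ca-error values contain URLs.
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def parse_storage(value):
    """type=NSSDB,location='/x',nickname='n',token='NSS Certificate DB' -> dict."""
    out = {}
    for m in re.finditer(r"(\w+)=(?:'([^']*)'|([^,]*))", value):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def parse_expiry(value):
    """'2014-01-19 19:45:18 UTC' -> timezone-aware datetime."""
    if value.endswith(" UTC"):
        value = value[:-4]
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def certutil_command(db, nickname):
    """certutil invocation that prints the cert, including its validity period."""
    return "certutil -L -d %s -n '%s'" % (db, nickname)


def diagnose(requests, now):
    """Return {request_id: (verdict, certutil command for the cert to inspect)}."""
    report = {}
    for rid, fields in requests.items():
        cert = parse_storage(fields.get("certificate", ""))
        db, nick = cert.get("location"), cert.get("nickname")
        expired = "expires" in fields and parse_expiry(fields["expires"]) <= now
        if expired:
            verdict = TRACKED_CERT_EXPIRED
        elif "SSL_ERROR_EXPIRED_CERT_ALERT" in fields.get("ca-error", ""):
            # The alert came from the CA about the cert IPA presented to it.
            verdict, db, nick = CA_SIDE_CERT_EXPIRED, IPA_AGENT_CERT_DB, IPA_AGENT_CERT_NICK
        elif fields.get("stuck") == "yes":
            verdict = STUCK
        else:
            verdict = OK
        report[rid] = (verdict, certutil_command(db, nick))
    return report


if __name__ == "__main__":
    # Pipe real output in ("getcert list | python3 triage.py"); otherwise use the sample.
    if sys.stdin.isatty():
        text, now = SAMPLE_GETCERT_LIST, SAMPLE_NOW
    else:
        text, now = sys.stdin.read(), datetime.now(timezone.utc)
    for rid, (verdict, cmd) in diagnose(parse_getcert_list(text), now).items():
        print("%s: %s\n    inspect with: %s" % (rid, verdict, cmd))
```

On a live server, feed it `getcert list` on stdin; for the quoted request it points at `certutil -L -d /etc/httpd/alias -n 'ipaCert'`, whose "Not After" line is where the expiry shows up.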
