On 13/01/14 19:13, Nalin Dahyabhai wrote:
On Mon, Jan 13, 2014 at 04:07:16PM +0100, Sigbjorn Lie wrote:
After I restarted dirsrv, pki-cad and then the httpd on ipa01 the status of the
request is now:
Request ID '20120119194518':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 907 (RPC failed at server.
cannot connect to
'https://ipa01.dns.domain:443/ca/agent/ca/displayBySerial': [Errno -12269]
(SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-DNS-DOMAIN',nickname='Server-Cert',token='NSS
Certificate
DB',pinfile='/etc/dirsrv/slapd-DNS-DOMAIN//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-DNS-DOMAIN',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DNS-DOMAIN
subject: CN=ipa01.dns.domain,O=DNS-DOMAIN
expires: 2014-01-19 19:45:18 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
However I cannot find the certificate that's expired?
That error message was the one the IPA server received and then relayed
back to certmonger, so I'd expect that the expired certificate is the
agent certificate that IPA uses when connecting to the CA's agent
interface. That's stored in the NSS database in /etc/httpd/alias, with
nickname "ipaCert".
Yes, the ipaCert certificate in /etc/httpd/alias/ is expired.
Actually all certificates in /var/lib/pki-ca/alias/ is expired too, they
all expired at the same date, within minutes of each other. It looks
like they are the original certificates issued when I installed IPA,
when I look at the "Not Before" timestamp of the certificates.
Regards,
Siggi
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
