On Thu, Jan 23, 2014 at 09:21:54AM -0500, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
> >On Thu, 23 Jan 2014, craig.free...@noboost.org wrote:
> >>Hi Guys,
> >>
> >>I'm sure this is an easy issue to fix!
> >>
> >>First the specs;
> >>Red Hat Enterprise Linux Server release 6.3 (Santiago)
> >>ipa-client-2.2.0-16.el6.x86_64
> >>ipa-server-2.2.0-16.el6.x86_64
> >>
> >>
> >>Issue:
> >>When I click on the hosts TAB from inside the Identity Management GUI, I
> >>get the following error;
> >>* Certificate format error: [Errno -8018] None (repeated many times)
> >>
> >>* Cannot connect to
> >> 'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':
> >>
> >> [Errno -8018] None
> >>
> >>Also seen this error;
> >>cannot connect to
> >>'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':
> >>[Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
> >>certificate as expired.
> >>
> >>
> >>Any advice would be greatly appreciated!
> >http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
> >
> >Since you have FreeIPA before 3.4, you need to follow manual procedure
> >outlined on that page. 2.2 might also be a bit different than 3.x but
> >this is a starting point.
> >
> >
>
> For 2.x you want http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>
> rob
>

Just running into a couple of issues with the manual SSL cert process;
1) ERROR when telling certmonger about all the CA certificates

#Command:
for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" \
                "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
do
    echo $nickname
    certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
done

#Result:
auditSigningCert cert-pki-ca
        Not After : Tue Jan 14 06:45:05 2014
ocspSigningCert cert-pki-ca
        Not After : Tue Jan 14 06:45:05 2014
subsystemCert cert-pki-ca
        Not After : Tue Jan 14 06:45:05 2014
Server-Cert cert-pki-ca
        Not After : Tue Jan 14 06:45:05 2014

#Command:
for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" \
                "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
do
    /usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n "${nickname}" -c dogtag-ipa-renew-agent -P 705114231111
done

#Result:
No CA with name "dogtag-ipa-renew-agent" found.
No CA with name "dogtag-ipa-renew-agent" found.
No CA with name "dogtag-ipa-renew-agent" found.
No CA with name "dogtag-ipa-renew-agent" found.

2) Upgrade instead?
I could potentially upgrade the ipa-server to "3.0.0-37.el6", would this version be able to automatically update the certificates?

cya

Craig
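
Added example (not part of the original message and not FreeIPA or certmonger code): the "Not After" check done by eye in the first command above, scripted so it can run on a schedule and flag CA subsystem certificates before they lapse. The function names and the 28-day `warn_days` window are hypothetical, and it assumes certutil prints validity times in UTC.

```python
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Nicknames and NSS database path as given in the message above.
NICKNAMES = ["auditSigningCert cert-pki-ca", "ocspSigningCert cert-pki-ca",
             "subsystemCert cert-pki-ca", "Server-Cert cert-pki-ca"]
NSS_DB = "/var/lib/pki-ca/alias"
NOT_AFTER = re.compile(r"Not After\s*:\s*(.+)")

def parse_not_after(certutil_text):
    """Return the 'Not After' time from `certutil -L -n` output, or None."""
    m = NOT_AFTER.search(certutil_text)
    if m is None:
        return None
    # Assumption: certutil prints validity times in UTC.
    stamp = datetime.strptime(m.group(1).strip(), "%a %b %d %H:%M:%S %Y")
    return stamp.replace(tzinfo=timezone.utc)

def classify(not_after, now, warn_days=28):
    """EXPIRED, EXPIRING (inside the warning window), OK, or UNKNOWN."""
    if not_after is None:
        return "UNKNOWN"
    if not_after <= now:
        return "EXPIRED"
    soon = not_after - now <= timedelta(days=warn_days)
    return "EXPIRING" if soon else "OK"

def report(outputs, now, warn_days=28):
    """Map nickname -> (status, whole days left) from captured certutil output."""
    result = {}
    for nickname, text in outputs.items():
        not_after = parse_not_after(text)
        days = None if not_after is None else int((not_after - now).total_seconds() / 86400)
        result[nickname] = (classify(not_after, now, warn_days), days)
    return result

def collect(db=NSS_DB, nicknames=NICKNAMES):
    """Run the same certutil query as the message for each nickname."""
    return {n: subprocess.run(["certutil", "-L", "-d", db, "-n", n],
                              capture_output=True, text=True).stdout
            for n in nicknames}

# Constructed sample: the Not After value reported in the message.
SAMPLE = {n: "    Validity:\n        Not After : Tue Jan 14 06:45:05 2014\n"
          for n in NICKNAMES}
if __name__ == "__main__":
    now = datetime(2014, 1, 23, 14, 21, 54, tzinfo=timezone.utc)  # time of the reply quoted above
    print(report(SAMPLE, now))
```

On a live server, pass `collect()` and the current UTC time to `report()` instead of `SAMPLE`; an `UNKNOWN` status means certutil returned no validity line for that nickname.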