craig.free...@noboost.org wrote:
On Tue, Jan 28, 2014 at 01:25:56PM -0500, Rob Crittenden wrote:
craig.free...@noboost.org wrote:
On Thu, Jan 23, 2014 at 09:21:54AM -0500, Rob Crittenden wrote:
Alexander Bokovoy wrote:
On Thu, 23 Jan 2014, craig.free...@noboost.org wrote:
Hi Guys,

I'm sure this is an easy issue to fix!

First the specs;
Red Hat Enterprise Linux Server release 6.3 (Santiago)
ipa-client-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64


Issue:
When I click on the hosts TAB from inside the Identity Management GUI, I
get the following error;
* Certificate format error: [Errno -8018] None (repeated many times)

* Cannot connect to
'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':

[Errno -8018] None

Also seen this error;
cannot connect to
'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':
[Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
certificate as expired.


Any advice would be greatly appreciated!
http://www.freeipa.org/page/Howto/CA_Certificate_Renewal

Since you have FreeIPA before 3.4, you need to follow manual procedure
outlined on that page. 2.2 might also be a bit different than 3.x but
this is a starting point.



For 2.x you want http://www.freeipa.org/page/IPA_2x_Certificate_Renewal

rob

Just running into a couple of issues with the manual SSL cert process;

1) ERROR when telling certmonger about all the CA certificates

#Command:
for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
do
     echo $nickname
     certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
done


#Result:
auditSigningCert cert-pki-ca
             Not After : Tue Jan 14 06:45:05 2014
ocspSigningCert cert-pki-ca
             Not After : Tue Jan 14 06:45:05 2014
subsystemCert cert-pki-ca
             Not After : Tue Jan 14 06:45:05 2014
Server-Cert cert-pki-ca
             Not After : Tue Jan 14 06:45:05 2014

#Command:
for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
do
     /usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n "${nickname}" -c dogtag-ipa-renew-agent -P 705114231111
done

#Result:
No CA with name "dogtag-ipa-renew-agent" found.
No CA with name "dogtag-ipa-renew-agent" found.
No CA with name "dogtag-ipa-renew-agent" found.
No CA with name "dogtag-ipa-renew-agent" found.


2) Upgrade instead?
I could potentially upgrade the ipa-server to "3.0.0-37.el6", would this 
version be able to automatically update the certificates?

cya

Craig


You need certmonger-0.58-1 or higher to get the
dogtag-ipa-renew-agent CA and other fixes. I'll update the wiki with
that, sorry for the oversight.

You could try updating to 3.0. If you do decide to try upgrading I
think I'd go back in time when all the certs are valid first as some
services will be restarted during the upgrade and we don't want the
upgrade blowing up in the middle because of expired certs.

rob
I'll give the upgrade a go, say I go back to the older date and IPA
starts fine. Won't the certs still have a hard expiry date on them, so
I'll need to follow the
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal procedure?

It depends in part how far back in time you go. I'd go back a day or two before the oldest date (not all certs expire at the same time).

The upgrade will configure automatic renewal. I think what I'd recommend is do the upgrade then restart the certmonger service on the machine.

Run `getcert list` to check the status of the certs. After the restart they should all renew.

rob
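Rob's advice is to roll the clock back to a day or two before the oldest "Not After" date, because the CA subsystem certs do not necessarily all expire together. The following is an added example, not code from the thread or from the FreeIPA project: it parses the `certutil -L ... | grep -i after` output format shown above (the sample text is constructed, with one expiry deliberately different from the others), reports which certs are already expired at a given reference time, and computes the roll-back date with a configurable margin. The `collect_from_nss_db` helper is an assumed convenience wrapper that runs the same `certutil` command as the thread's loop; it is not exercised offline.

```python
import re
import subprocess
from datetime import datetime, timedelta

# Constructed sample of the loop output from the thread: the echoed nickname
# followed by the "Not After" line certutil prints. The Server-Cert date is
# changed on purpose to show that expiry dates can differ.
SAMPLE_OUTPUT = """\
auditSigningCert cert-pki-ca
             Not After : Tue Jan 14 06:45:05 2014
ocspSigningCert cert-pki-ca
             Not After : Tue Jan 14 06:45:05 2014
subsystemCert cert-pki-ca
             Not After : Tue Jan 14 06:45:05 2014
Server-Cert cert-pki-ca
             Not After : Thu Feb 20 06:45:05 2014
"""

# certutil prints validity times as e.g. "Tue Jan 14 06:45:05 2014".
CERTUTIL_DATE_FMT = "%a %b %d %H:%M:%S %Y"
NOT_AFTER_RE = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$")

# The four CA subsystem nicknames the thread's loop iterates over.
CA_NICKNAMES = [
    "auditSigningCert cert-pki-ca",
    "ocspSigningCert cert-pki-ca",
    "subsystemCert cert-pki-ca",
    "Server-Cert cert-pki-ca",
]


def parse_not_after(text):
    """Map each echoed nickname to its parsed 'Not After' datetime.

    Lines that are not 'Not After' lines are treated as the nickname that
    the next 'Not After' line belongs to, matching the loop's echo/grep shape.
    """
    expiries = {}
    current = None
    for line in text.splitlines():
        match = NOT_AFTER_RE.match(line)
        if match and current is not None:
            expiries[current] = datetime.strptime(match.group(1), CERTUTIL_DATE_FMT)
            current = None
        elif line.strip():
            current = line.strip()
    return expiries


def expired(expiries, now):
    """Return the nicknames whose certificate is already expired at `now`."""
    return sorted(name for name, when in expiries.items() if when <= now)


def rollback_date(expiries, margin_days=2):
    """Date to set the clock to: the earliest expiry minus a safety margin,
    so that every cert is still valid while the upgrade restarts services."""
    return min(expiries.values()) - timedelta(days=margin_days)


def collect_from_nss_db(dbdir="/var/lib/pki-ca/alias", nicknames=CA_NICKNAMES):
    """Assumed helper: run the thread's certutil loop and parse the result.

    Requires certutil and read access to the NSS database; not run offline.
    """
    chunks = []
    for nickname in nicknames:
        out = subprocess.run(
            ["certutil", "-L", "-d", dbdir, "-n", nickname],
            capture_output=True, text=True, check=True,
        ).stdout
        chunks.append(nickname)
        chunks.extend(l for l in out.splitlines() if "Not After" in l)
    return parse_not_after("\n".join(chunks) + "\n")


if __name__ == "__main__":
    exp = parse_not_after(SAMPLE_OUTPUT)
    now = datetime(2014, 1, 28, 13, 25, 56)  # timestamp of Rob's first reply
    for name in CA_NICKNAMES:
        print(f"{name:32s} Not After {exp[name]:%Y-%m-%d %H:%M:%S}")
    print("expired now:", expired(exp, now))
    print("roll clock back to:", rollback_date(exp).strftime("%Y-%m-%d %H:%M:%S"))
```

Run as-is it works on the embedded sample; on a live 2.x server, replace `parse_not_after(SAMPLE_OUTPUT)` with `collect_from_nss_db()` to read the real dates. After the rollback and upgrade, `getcert list` is still the authoritative check that certmonger has picked up tracking and renewed each entry.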

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
