Today I found that I was unable to authenticate to FreeIPA. 

I logged into my IPA master and found that the cert had expired, which has 
never been a problem in the past. 

I did some googling and found a few others with similar problems, but none 
quite matched the issue I'm seeing. 

The issue is this: 
[root@caroline0 PROD ~]# ipa-getcert list
Number of certificates and requests being tracked: 8.
Request ID '20120203213023':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to 
execute the HTTP POST transaction.  Peer certificate cannot be authenticated 
with known CA certificates).
        stuck: yes
        key pair storage: 
type=NSSDB,location='/etc/dirsrv/slapd-SYSTEMS-LAFAYETTE-EDU',nickname='Server-Cert',token='NSS
 Certificate DB',pinfile='/etc/dirsrv/slapd-SYSTEMS-LAFAYETTE-EDU//pwdfile.txt'
        certificate: 
type=NSSDB,location='/etc/dirsrv/slapd-SYSTEMS-LAFAYETTE-EDU',nickname='Server-Cert',token='NSS
 Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=SYSTEMS.LAFAYETTE.EDU
        subject: CN=caroline0.lafayette.edu,O=SYSTEMS.LAFAYETTE.EDU
        expires: 2014-02-03 21:30:22 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: 
        post-save command: 
        track: yes
        auto-renew: yes
Request ID '20120203213048':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to 
execute the HTTP POST transaction.  Peer certificate cannot be authenticated 
with known CA certificates).
        stuck: yes
        key pair storage: 
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
 Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
        certificate: 
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
 Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=SYSTEMS.LAFAYETTE.EDU
        subject: CN=caroline0.lafayette.edu,O=SYSTEMS.LAFAYETTE.EDU
        expires: 2014-02-03 21:30:47 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: 
        post-save command: 
        track: yes
        auto-renew: yes
Request ID '20120203213112':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to 
execute the HTTP POST transaction.  Peer certificate cannot be authenticated 
with known CA certificates).
        stuck: yes
        key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=SYSTEMS.LAFAYETTE.EDU
        subject: CN=caroline0.lafayette.edu,O=SYSTEMS.LAFAYETTE.EDU
        expires: 2014-02-03 21:31:11 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: 
        post-save command: 
        track: yes
        auto-renew: yes

Now, if I understand FreeIPA, the CA is FreeIPA itself, isn't it?  If so, how 
could it be unreachable?  

What else might I be able to try to get past this? 

Thanks! 



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
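The tracking output quoted above is worth checking on a schedule rather than discovering at login time. As an added example (not part of the original post), the following Python script parses `getcert list` output and reports requests that are stuck, not in MONITORING state, already expired, or expiring within a warning window. The sample output it carries is constructed from the post's format with placeholder request IDs and dates; on a real server you would feed it the live output of `ipa-getcert list`.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the ipa-getcert output quoted in the post (not a real host).
SAMPLE = """Number of certificates and requests being tracked: 2.
Request ID '20120203213023':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        expires: 2014-02-03 21:30:22 UTC
        auto-renew: yes
Request ID '20130101000000':
        status: MONITORING
        stuck: no
        expires: 2014-03-01 00:00:00 UTC
        auto-renew: yes
"""

def parse_utc(s):
    """getcert prints times as 'YYYY-MM-DD HH:MM:SS UTC'; return an aware datetime."""
    return datetime.strptime(s.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_getcert(text):
    """Split `getcert list` output into one dict of fields per 'Request ID' block."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def check_requests(requests, now, warn_days=30):
    """Return (request id, reason) pairs for anything an admin should look at; now is a getcert-style UTC string."""
    now, findings = parse_utc(now), []
    for r in requests:
        if r.get("stuck") == "yes":
            findings.append((r["id"], "stuck: " + r.get("ca-error", "no ca-error recorded")))
        elif r.get("status") != "MONITORING":
            findings.append((r["id"], "status " + r.get("status", "unknown")))
        if "expires" in r:
            expires = parse_utc(r["expires"])
            if expires <= now:
                findings.append((r["id"], "expired " + r["expires"]))
            elif expires - now <= timedelta(days=warn_days):
                findings.append((r["id"], "expires within %d days (%s)" % (warn_days, r["expires"])))
    return findings
```

A stuck request with a CA_UNREACHABLE status and an expired certificate at the same time is exactly the pattern in the post: certmonger cannot renew through the CA's own HTTPS endpoint once the server certificates that front it have lapsed, so the expiry warning is the signal to act on before the stuck state appears.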
