On 03/03/2014 08:50 AM, Lager, Nathan T. wrote:
Today I found that I was unable to authenticate to FreeIPA.

I logged into my IPA master and found that the cert had expired, which has 
never been a problem in the past.

I did some googling and found a few others with similar problems, but none 
quite matched the issue I'm seeing.

The issue is this:
[root@caroline0 PROD ~]# ipa-getcert list
Number of certificates and requests being tracked: 8.
Request ID '20120203213023':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-SYSTEMS-LAFAYETTE-EDU',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-SYSTEMS-LAFAYETTE-EDU//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-SYSTEMS-LAFAYETTE-EDU',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=SYSTEMS.LAFAYETTE.EDU
        subject: CN=caroline0.lafayette.edu,O=SYSTEMS.LAFAYETTE.EDU
        expires: 2014-02-03 21:30:22 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20120203213048':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=SYSTEMS.LAFAYETTE.EDU
        subject: CN=caroline0.lafayette.edu,O=SYSTEMS.LAFAYETTE.EDU
        expires: 2014-02-03 21:30:47 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20120203213112':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=SYSTEMS.LAFAYETTE.EDU
        subject: CN=caroline0.lafayette.edu,O=SYSTEMS.LAFAYETTE.EDU
        expires: 2014-02-03 21:31:11 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

Now, if I understand FreeIPA, the CA is FreeIPA itself, isn't it?  If so, how 
could it be unreachable?

What else might I be able to try to get past this?

Thanks!



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Seems like your certificates have expired.
The best would be to set the time back and restart the services; everything should come up again.
There have been some bugs with the cert rotation and restart.
I suggest you check the mail threads regarding making sure that you have the fixed version and that certificates are rotated.
Sorry for the situation.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


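As an added example (not code from the thread or from FreeIPA), a small Python parser for the `getcert list` output format quoted above that flags tracked requests that are already expired, still valid but stuck in renewal, or close to expiry. The sample output is constructed in that format: the first two entries mirror the thread, the third healthy entry and its paths are made up.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout certmonger's `ipa-getcert list` prints.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20120203213023':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed).
        stuck: yes
        expires: 2014-02-03 21:30:22 UTC
Request ID '20120203213112':
        status: CA_UNREACHABLE
        stuck: yes
        expires: 2014-02-03 21:31:11 UTC
Request ID '20120203213200':
        status: MONITORING
        stuck: no
        expires: 2015-06-01 00:00:00 UTC
"""

def parse_getcert_list(text):
    """Split `getcert list` output into one dict of fields per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            # split on the first colon only; ca-error values contain colons too
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def parse_ts(s):
    # certmonger prints timestamps as 'YYYY-MM-DD HH:MM:SS UTC'
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)

def triage(requests, now, warn_days=30):
    """Map request id -> EXPIRED / STUCK / EXPIRING / OK as of `now` (same format)."""
    now, result = parse_ts(now), {}
    for r in requests:
        exp = parse_ts(r["expires"])
        if exp <= now:
            result[r["id"]] = "EXPIRED"
        elif r.get("stuck") == "yes":   # still valid, but renewal is failing
            result[r["id"]] = "STUCK"
        elif exp - now <= timedelta(days=warn_days):
            result[r["id"]] = "EXPIRING"
        else:
            result[r["id"]] = "OK"
    return result
```

A STUCK result while the certificate is still valid is the early warning worth alerting on: certmonger keeps retrying, but once the expiry passes the CA's own TLS certificate is no longer trusted and renewal cannot complete without the clock workaround described above.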