On 03/03/2014 08:50 AM, Lager, Nathan T. wrote:
Today I found that I was unable to authenticate to FreeIPA.
I logged into my IPA master and found that the cert had expired, which has
never been a problem in the past.
I did some googling and found a few others with similar problems, but none
quite matched the issue I'm seeing.
The issue is this:
[root@caroline0 PROD ~]# ipa-getcert list
Number of certificates and requests being tracked: 8.
Request ID '20120203213023':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction. Peer certificate cannot be authenticated
with known CA certificates).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-SYSTEMS-LAFAYETTE-EDU',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-SYSTEMS-LAFAYETTE-EDU//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-SYSTEMS-LAFAYETTE-EDU',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=SYSTEMS.LAFAYETTE.EDU
subject: CN=caroline0.lafayette.edu,O=SYSTEMS.LAFAYETTE.EDU
expires: 2014-02-03 21:30:22 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20120203213048':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction. Peer certificate cannot be authenticated
with known CA certificates).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=SYSTEMS.LAFAYETTE.EDU
subject: CN=caroline0.lafayette.edu,O=SYSTEMS.LAFAYETTE.EDU
expires: 2014-02-03 21:30:47 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20120203213112':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction. Peer certificate cannot be authenticated
with known CA certificates).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=SYSTEMS.LAFAYETTE.EDU
subject: CN=caroline0.lafayette.edu,O=SYSTEMS.LAFAYETTE.EDU
expires: 2014-02-03 21:31:11 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Now, if I understand FreeIPA, the CA is FreeIPA itself, isn't it? If so, how
could it be unreachable?
What else might I be able to try to get past this?
Thanks!
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
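For anyone triaging output like the above across several IPA servers, here is an added example (not from this thread or the FreeIPA project) that parses certmonger's getcert list format, rejoins the line-wrapped values, and flags requests that are stuck, not in MONITORING, or already past their expiry; the sample output and its hostname are constructed.

```python
import re
from datetime import datetime
# Constructed sample modelled on the thread's output; the request IDs are made up.
SAMPLE = """\
Request ID '20120203213023':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction. Peer certificate cannot be authenticated
with known CA certificates).
        stuck: yes
        expires: 2014-02-03 21:30:22 UTC
Request ID '20120203213099':
        status: MONITORING
        stuck: no
        expires: 2015-02-03 21:30:22 UTC
"""

REQ_RE = re.compile(r"^Request ID '([^']+)':$")
KV_RE = re.compile(r"^([a-z][a-z -]*):(?:\s*(.*))?$")  # field names are lowercase

def parse_getcert_list(text):
    """One dict per tracked request; wrapped continuation lines are rejoined."""
    requests, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := REQ_RE.match(line)):
            current = {"request_id": m.group(1)}
            requests.append(current)
            last_key = None
        elif current is None:
            continue  # summary line before the first request
        elif (m := KV_RE.match(line)):
            last_key = m.group(1)
            current[last_key] = (m.group(2) or "").strip()
        elif last_key:  # line-wrapped value, e.g. a long ca-error
            current[last_key] = (current[last_key] + " " + line).strip()
    return requests

def needs_attention(req, now_utc):
    """Reasons an admin must act: stuck, not MONITORING, or already expired."""
    reasons = []
    if req.get("stuck") == "yes":
        reasons.append("stuck")
    if req.get("status") != "MONITORING":
        reasons.append("status=" + req.get("status", "?"))
    if "expires" in req:
        expires = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S %Z")
        if expires <= now_utc:  # naive datetimes, both in UTC
            reasons.append("expired " + req["expires"])
    return reasons
```

Feed it the real `ipa-getcert list` output (`getcert list | python3 triage.py` style) and run it before the expiry date rather than after, since certmonger can only renew while the CA's own certificate is still valid.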
Seems like your certificates have expired.
The best would be to set the time back and restart the services;
everything should come up again.
There have been some bugs with the cert rotation and restart.
I suggest you check the mail threads regarding making sure that you have
the fixed version and that certificates are rotated.
Sorry for the situation.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.