Dmitri Pal wrote:
On 03/03/2014 08:50 AM, Lager, Nathan T. wrote:
Today I found that I was unable to authenticate to FreeIPA.

I logged into my IPA master and found that the cert had expired, which
has never been a problem in the past.

I did some Googling and found a few others with similar problems, but
none quite matched the issue I'm seeing.

The issue is this:
[root@caroline0 PROD ~]# ipa-getcert list
Number of certificates and requests being tracked: 8.
Request ID '20120203213023':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-SYSTEMS-LAFAYETTE-EDU',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-SYSTEMS-LAFAYETTE-EDU//pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-SYSTEMS-LAFAYETTE-EDU',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=SYSTEMS.LAFAYETTE.EDU
    subject: CN=caroline0.lafayette.edu,O=SYSTEMS.LAFAYETTE.EDU
    expires: 2014-02-03 21:30:22 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20120203213048':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=SYSTEMS.LAFAYETTE.EDU
    subject: CN=caroline0.lafayette.edu,O=SYSTEMS.LAFAYETTE.EDU
    expires: 2014-02-03 21:30:47 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20120203213112':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=SYSTEMS.LAFAYETTE.EDU
    subject: CN=caroline0.lafayette.edu,O=SYSTEMS.LAFAYETTE.EDU
    expires: 2014-02-03 21:31:11 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

Now, if I understand FreeIPA, the CA is FreeIPA itself, isn't it? If
so, how could it be unreachable?

What else might I be able to try to get past this?

Thanks!



_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users

Seems like your certificates have expired.
The best would be to set the time back and restart the services;
everything should come up again.
There have been some bugs with the cert rotation and restart.
I suggest you check the mail threads regarding making sure that you have
the fixed version and that certificates are rotated.
Sorry for the situation.


I think Dmitri is right. To expand on this, if you use getcert rather than ipa-getcert you'll see all the certificates tracked by certmonger, specifically those of the CA itself. This will give you a better picture of what is going on.

rob
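To put Dmitri's and Rob's advice into practice, here is an added example (not code from this thread, from FreeIPA or from certmonger) that parses the per-request blocks `getcert list` prints, flags the requests that are stuck or already expired, and works out the latest clock value that makes every tracked certificate valid again, which is the date to roll back to before restarting the services. The sample output embedded in it is constructed after the format in Nathan's post; the realm, hostnames, paths and request IDs in it are assumptions.

```python
"""Triage `getcert list` output from a FreeIPA master.

Added example for the freeipa-users thread; not code from FreeIPA or
certmonger. SAMPLE_GETCERT_OUTPUT is constructed after the layout certmonger
prints; realm, hostnames, paths and request IDs are illustrative.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: two stuck, expired server certs and one healthy request.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20120203213023':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-TEST/pwdfile.txt'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.TEST
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2014-02-03 21:30:22 UTC
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20120203213112':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    CA: IPA
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2014-02-03 21:31:11 UTC
    track: yes
    auto-renew: yes
Request ID '20130101120000':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=client.example.test,O=EXAMPLE.TEST
    expires: 2015-06-01 12:00:00 UTC
    track: yes
    auto-renew: yes
"""

ENTRY_RE = re.compile(r"^Request ID '([^']+)':\s*$")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?):\s?(.*)$")  # shortest key before ':'
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_utc(text):
    """Turn certmonger's 'YYYY-MM-DD HH:MM:SS UTC' into an aware datetime."""
    return datetime.strptime(text.strip(), EXPIRES_FMT).replace(tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Return one dict per 'Request ID' block, keyed by certmonger's field names."""
    entries, current = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
            continue
        if current is None:
            continue  # the 'Number of certificates ...' header
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "expires":
            value = parse_utc(value)
        elif key in ("stuck", "track", "auto-renew"):
            value = value == "yes"
        current[key] = value
    return entries


def stuck_requests(entries):
    """Requests certmonger has stopped retrying (stuck: yes)."""
    return [e for e in entries if e.get("stuck")]


def expired_requests(entries, now):
    """Requests whose tracked certificate is past its notAfter at `now`."""
    return [e for e in entries if "expires" in e and e["expires"] <= now]


def earliest_expiry(entries):
    return min(e["expires"] for e in entries if "expires" in e)


def rollback_command(entries, margin=timedelta(days=1)):
    """GNU `date` call that moves the clock to just before the earliest expiry.

    Renewal needs the CA and the httpd cert certmonger talks through to be
    valid, so every tracked cert has to be valid again, not just the stuck ones.
    """
    target = earliest_expiry(entries) - margin
    return "date -u -s '%s'" % target.strftime("%Y-%m-%d %H:%M:%S")


def report(entries, now):
    """One triage line per request: id, status, stuck flag, validity, subject."""
    lines = []
    for e in entries:
        exp = e.get("expires")
        state = "EXPIRED" if exp is not None and exp <= now else "valid"
        when = exp.strftime(EXPIRES_FMT) if exp is not None else "n/a"
        lines.append("%s %-14s stuck=%-5s %-7s expires %s  %s" % (
            e["request_id"], e.get("status", "?"), e.get("stuck", False),
            state, when, e.get("subject", "")))
    return lines


if __name__ == "__main__":
    entries = parse_getcert_list(SAMPLE_GETCERT_OUTPUT)
    now = parse_utc("2014-03-03 13:50:00 UTC")  # assumed: the date of the post
    print("\n".join(report(entries, now)))
    print("%d stuck, %d expired" % (len(stuck_requests(entries)),
                                   len(expired_requests(entries, now))))
    print("stop ntpd, then: " + rollback_command(entries))
```

On a real master, replace the embedded sample with the output of `getcert list` (the plain `getcert`, as Rob says, so the CA's own certificates are included) and use the current time for `now`. Stop the NTP daemon before running the printed `date -u -s` command, otherwise it will step the clock straight back; then restart the IPA services, let certmonger renew, and return the clock to the real time afterwards.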
