ketan mehta wrote:
> Hi All,
> 
> I'm facing a strange problem, my IPA master server's HTTP Server-Cert
> got  expired and i'm not able to renew it. would you please help me in
> resolve it.
> 
> [root@ipa01 ~]# getcert list
> Number of certificates and requests being tracked: 9.
> Request ID '20120731123222':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: -504 (libcurl
> failed to execute the HTTP POST transaction.  couldn't connect to host).
>         stuck: yes
>         key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-BIGDATA-BSKYB-COM',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-BIGDATA-BSKYB-COM/pwdfile.txt'
>         certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-BIGDATA-BSKYB-COM',nickname='Server-Cert',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM <http://EXAMPLE.COM>
>         subject: CN=ipa01.EXAMPLE.COM
> <http://ipa01.EXAMPLE.COM>,O=EXAMPLE.COM <http://EXAMPLE.COM>
>         expires: 2014-08-01 12:32:21 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
> BIGDATA-BSKYB-COM
>         track: yes
>         auto-renew: yes
> Request ID '20120731123240':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: -504 (libcurl
> failed to execute the HTTP POST transaction.  couldn't connect to host).
>         stuck: yes
>         key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>         certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM <http://EXAMPLE.COM>
>         subject: CN=ipa01.EXAMPLE.COM
> <http://ipa01.EXAMPLE.COM>,O=EXAMPLE.COM <http://EXAMPLE.COM>
>         expires: 2014-08-01 12:32:40 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20120731123255':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: -504 (libcurl
> failed to execute the HTTP POST transaction.  couldn't connect to host).
>         stuck: yes
>         key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM <http://EXAMPLE.COM>
>         subject: CN=ipa01.EXAMPLE.COM
> <http://ipa01.EXAMPLE.COM>,O=EXAMPLE.COM <http://EXAMPLE.COM>
>         expires: 2014-08-01 12:32:55 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>         track: yes
>         auto-renew: yes
> Request ID '20130315142330':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin='625466584922'
>         certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM <http://EXAMPLE.COM>
>         subject: CN=CA Audit,O=EXAMPLE.COM <http://EXAMPLE.COM>
>         expires: 2016-06-12 15:06:33 UTC
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20130315142331':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin='625466584922'
>         certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM <http://EXAMPLE.COM>
>         subject: CN=OCSP Subsystem,O=EXAMPLE.COM <http://EXAMPLE.COM>
>         expires: 2016-06-12 15:05:33 UTC
>         eku: id-kp-OCSPSigning
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20130315142332':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB',pin='625466584922'
>         certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM <http://EXAMPLE.COM>
>         subject: CN=CA Subsystem,O=EXAMPLE.COM <http://EXAMPLE.COM>
>         expires: 2016-06-12 15:05:33 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "subsystemCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20130315142333':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM <http://EXAMPLE.COM>
>         subject: CN=IPA RA,O=EXAMPLE.COM <http://EXAMPLE.COM>
>         expires: 2016-06-12 15:05:33 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>         track: yes
>         auto-renew: yes
> Request ID '20130315142334':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB',pin='625466584922'
>         certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM <http://EXAMPLE.COM>
>         subject: CN=ipa01.EXAMPLE.COM
> <http://ipa01.EXAMPLE.COM>,O=EXAMPLE.COM <http://EXAMPLE.COM>
>         expires: 2016-06-12 15:05:33 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20140805110726':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: -504 (libcurl
> failed to execute the HTTP POST transaction.  couldn't connect to host).
>         stuck: yes
>         key pair storage:
> type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS
> Certificate DB'
>         certificate:
> type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
>         CA: IPA
>         issuer:
>         subject:
>         expires: unknown
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> 
> [root@ipa01 ~]# ipactl start
> Starting Directory Service
> Starting dirsrv:
>     EXAMPLE-COM...[06/Aug/2014:09:39:50 +0100] - SSL alert:
> CERT_VerifyCertificateNow: verify certificate failed for cert
> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
> Runtime error -8181 - Peer's Certificate has expired.)
>                                                            [  OK  ]
>     PKI-IPA...[06/Aug/2014:09:39:52 +0100] - SSL alert:
> CERT_VerifyCertificateNow: verify certificate failed for cert
> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
> Runtime error -8181 - Peer's Certificate has expired.)
>                                                            [  OK  ]
> Starting KDC Service
> Starting Kerberos 5 KDC:                                   [  OK  ]
> Starting KPASSWD Service
> Starting Kerberos 5 Admin Server:                          [  OK  ]
> Starting DNS Service
> Starting named:                                            [  OK  ]
> Starting MEMCACHE Service
> Starting ipa_memcached:                                    [  OK  ]
> Starting HTTP Service
> Starting httpd:                                            [FAILED]
> Failed to start HTTP Service
> Shutting down
> Stopping Kerberos 5 KDC:                                   [  OK  ]
> Stopping Kerberos 5 Admin Server:                          [  OK  ]
> Stopping named: .                                          [  OK  ]
> Stopping ipa_memcached:                                    [  OK  ]
> Stopping httpd:                                            [FAILED]
> Stopping pki-ca:                                           [  OK  ]
> Shutting down dirsrv:
>     EXAMPLE-COM...                                   [  OK  ]
>     PKI-IPA...                                             [  OK  ]
> Aborting ipactl
> 
> I'm running ipa-server-3.0.0-26.el6_4.2.x86_64
> 
> Let me know if you need any further information.

The easiest thing to do would be to roll back time to 7/31 and restart
certmonger. It's hard to say why they didn't renew already as the CA
subsystem certificates appear to have renewed ok.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to