Hi Rob,

I tried doing that earlier but it fails because of named error

output of /var/log/messages
Jul 31 14:06:04 ipa01 named[22866]: Failed to init credentials (Clock skew
too great)
Jul 31 14:06:04 ipa01 named[22866]: loading configuration: failure
Jul 31 14:06:04 ipa01 named[22866]: exiting (due to fatal error)
Jul 31 14:06:05 ipa01 ns-slapd: GSSAPI Error: Unspecified GSS failure.
 Minor code may provide more information (Credentials cache file
'/tmp/krb5cc_494' not found)

------------------
[root@ipa01 ~]# service ntpd status
ntpd is stopped
[root@ipa01 ~]# ipactl start
Starting Directory Service
Starting dirsrv:
    EXAMPLE-COM...                                   [  OK  ]
    PKI-IPA...                                             [  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:                                   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:                          [  OK  ]
Starting DNS Service
Starting named:                                            [FAILED]
Failed to start DNS Service
Shutting down
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Stopping named:                                            [  OK  ]
Stopping httpd:                                            [FAILED]
Stopping pki-ca:                                           [  OK  ]
Shutting down dirsrv:
    EXAMPLE-COM...                                   [  OK  ]
    PKI-IPA...                                             [  OK  ]
Aborting ipactl

Thanks,
Ketan


On Wed, Aug 6, 2014 at 1:54 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> ketan mehta wrote:
> > Hi All,
> >
> > I'm facing a strange problem, my IPA master server's HTTP Server-Cert
> > got  expired and i'm not able to renew it. would you please help me in
> > resolve it.
> >
> > [root@ipa01 ~]# getcert list
> > Number of certificates and requests being tracked: 9.
> > Request ID '20120731123222':
> >         status: CA_UNREACHABLE
> >         ca-error: Server failed request, will retry: -504 (libcurl
> > failed to execute the HTTP POST transaction.  couldn't connect to host).
> >         stuck: yes
> >         key pair storage:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-BIGDATA-BSKYB-COM',nickname='Server-Cert',token='NSS
> > Certificate DB',pinfile='/etc/dirsrv/slapd-BIGDATA-BSKYB-COM/pwdfile.txt'
> >         certificate:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-BIGDATA-BSKYB-COM',nickname='Server-Cert',token='NSS
> > Certificate DB'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=EXAMPLE.COM <
> http://EXAMPLE.COM>
> >         subject: CN=ipa01.EXAMPLE.COM
> > <http://ipa01.EXAMPLE.COM>,O=EXAMPLE.COM <http://EXAMPLE.COM>
> >         expires: 2014-08-01 12:32:21 UTC
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
> > BIGDATA-BSKYB-COM
> >         track: yes
> >         auto-renew: yes
> > Request ID '20120731123240':
> >         status: CA_UNREACHABLE
> >         ca-error: Server failed request, will retry: -504 (libcurl
> > failed to execute the HTTP POST transaction.  couldn't connect to host).
> >         stuck: yes
> >         key pair storage:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
> >         certificate:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> > Certificate DB'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=EXAMPLE.COM <
> http://EXAMPLE.COM>
> >         subject: CN=ipa01.EXAMPLE.COM
> > <http://ipa01.EXAMPLE.COM>,O=EXAMPLE.COM <http://EXAMPLE.COM>
> >         expires: 2014-08-01 12:32:40 UTC
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> > Request ID '20120731123255':
> >         status: CA_UNREACHABLE
> >         ca-error: Server failed request, will retry: -504 (libcurl
> > failed to execute the HTTP POST transaction.  couldn't connect to host).
> >         stuck: yes
> >         key pair storage:
> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >         certificate:
> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > Certificate DB'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=EXAMPLE.COM <
> http://EXAMPLE.COM>
> >         subject: CN=ipa01.EXAMPLE.COM
> > <http://ipa01.EXAMPLE.COM>,O=EXAMPLE.COM <http://EXAMPLE.COM>
> >         expires: 2014-08-01 12:32:55 UTC
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> >         track: yes
> >         auto-renew: yes
> > Request ID '20130315142330':
> >         status: MONITORING
> >         stuck: no
> >         key pair storage:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> > cert-pki-ca',token='NSS Certificate DB',pin='625466584922'
> >         certificate:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> > cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=EXAMPLE.COM <
> http://EXAMPLE.COM>
> >         subject: CN=CA Audit,O=EXAMPLE.COM <http://EXAMPLE.COM>
> >         expires: 2016-06-12 15:06:33 UTC
> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> > "auditSigningCert cert-pki-ca"
> >         track: yes
> >         auto-renew: yes
> > Request ID '20130315142331':
> >         status: MONITORING
> >         stuck: no
> >         key pair storage:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> > cert-pki-ca',token='NSS Certificate DB',pin='625466584922'
> >         certificate:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> > cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=EXAMPLE.COM <
> http://EXAMPLE.COM>
> >         subject: CN=OCSP Subsystem,O=EXAMPLE.COM <http://EXAMPLE.COM>
> >         expires: 2016-06-12 15:05:33 UTC
> >         eku: id-kp-OCSPSigning
> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> > "ocspSigningCert cert-pki-ca"
> >         track: yes
> >         auto-renew: yes
> > Request ID '20130315142332':
> >         status: MONITORING
> >         stuck: no
> >         key pair storage:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> > cert-pki-ca',token='NSS Certificate DB',pin='625466584922'
> >         certificate:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> > cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=EXAMPLE.COM <
> http://EXAMPLE.COM>
> >         subject: CN=CA Subsystem,O=EXAMPLE.COM <http://EXAMPLE.COM>
> >         expires: 2016-06-12 15:05:33 UTC
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> > "subsystemCert cert-pki-ca"
> >         track: yes
> >         auto-renew: yes
> > Request ID '20130315142333':
> >         status: MONITORING
> >         stuck: no
> >         key pair storage:
> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >         certificate:
> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> > Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=EXAMPLE.COM <
> http://EXAMPLE.COM>
> >         subject: CN=IPA RA,O=EXAMPLE.COM <http://EXAMPLE.COM>
> >         expires: 2016-06-12 15:05:33 UTC
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> >         track: yes
> >         auto-renew: yes
> > Request ID '20130315142334':
> >         status: MONITORING
> >         stuck: no
> >         key pair storage:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> > cert-pki-ca',token='NSS Certificate DB',pin='625466584922'
> >         certificate:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> > cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=EXAMPLE.COM <
> http://EXAMPLE.COM>
> >         subject: CN=ipa01.EXAMPLE.COM
> > <http://ipa01.EXAMPLE.COM>,O=EXAMPLE.COM <http://EXAMPLE.COM>
> >         expires: 2016-06-12 15:05:33 UTC
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> > Request ID '20140805110726':
> >         status: CA_UNREACHABLE
> >         ca-error: Server failed request, will retry: -504 (libcurl
> > failed to execute the HTTP POST transaction.  couldn't connect to host).
> >         stuck: yes
> >         key pair storage:
> > type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS
> > Certificate DB'
> >         certificate:
> > type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
> >         CA: IPA
> >         issuer:
> >         subject:
> >         expires: unknown
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> >
> > [root@ipa01 ~]# ipactl start
> > Starting Directory Service
> > Starting dirsrv:
> >     EXAMPLE-COM...[06/Aug/2014:09:39:50 +0100] - SSL alert:
> > CERT_VerifyCertificateNow: verify certificate failed for cert
> > Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
> > Runtime error -8181 - Peer's Certificate has expired.)
> >                                                            [  OK  ]
> >     PKI-IPA...[06/Aug/2014:09:39:52 +0100] - SSL alert:
> > CERT_VerifyCertificateNow: verify certificate failed for cert
> > Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
> > Runtime error -8181 - Peer's Certificate has expired.)
> >                                                            [  OK  ]
> > Starting KDC Service
> > Starting Kerberos 5 KDC:                                   [  OK  ]
> > Starting KPASSWD Service
> > Starting Kerberos 5 Admin Server:                          [  OK  ]
> > Starting DNS Service
> > Starting named:                                            [  OK  ]
> > Starting MEMCACHE Service
> > Starting ipa_memcached:                                    [  OK  ]
> > Starting HTTP Service
> > Starting httpd:                                            [FAILED]
> > Failed to start HTTP Service
> > Shutting down
> > Stopping Kerberos 5 KDC:                                   [  OK  ]
> > Stopping Kerberos 5 Admin Server:                          [  OK  ]
> > Stopping named: .                                          [  OK  ]
> > Stopping ipa_memcached:                                    [  OK  ]
> > Stopping httpd:                                            [FAILED]
> > Stopping pki-ca:                                           [  OK  ]
> > Shutting down dirsrv:
> >     EXAMPLE-COM...                                   [  OK  ]
> >     PKI-IPA...                                             [  OK  ]
> > Aborting ipactl
> >
> > I'm running ipa-server-3.0.0-26.el6_4.2.x86_64
> >
> > Let me know if you need any further information.
>
> The easiest thing to do would be to roll back time to 7/31 and restart
> certmonger. It's hard to say why they didn't renew already as the CA
> subsystem certificates appear to have renewed ok.
>
> rob
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to