Hi Rob

Thanks!
I noticed that the problematic records have their expiration in the
future! And I also do not have pki-tomcatd, it's pki-cad.

>From getcert list, the troublesome IDs are:

Request ID '20130524104828':
        status: CA_UNREACHABLE
        ca-error: Server at https://dc.mydom.com/ipa/xml failed
request, will retry: 907 (RPC failed at server.  cannot connect to
'https://dc.mydom.com:443/ca/agent/ca/displayBySerial': [Errno -8053]
(SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-MYDOM-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-MYDOM-COM/pwdfile.txt'
        certificate:
type=NSSDB,location='/etc/dirsrv/slapd-MYDOM-COM',nickname='Server-Cert',token='NSS
Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=MYDOM.COM
        subject: CN=dc.mydom.com,O=MYDOM.COM
        expires: 2015-05-25 10:12:32 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130524104917':
        status: CA_UNREACHABLE
        ca-error: Server at https://dc.mydom.com/ipa/xml failed
request, will retry: 907 (RPC failed at server.  cannot connect to
'https://dc.mydom.com:443/ca/agent/ca/displayBySerial': [Errno -12269]
(SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as
expired.).
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=MYDOM.COM
        subject: CN=dc.mydom.com,O=MYDOM.COM
        expires: 2015-05-25 10:12:33 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

On Tue, May 19, 2015 at 4:25 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Sina Owolabi wrote:
>>
>> Hi Rob
>>
>> Ive been to the URL but its a little difficult applying these commands
>> to RHEL6 systems.
>> For instance there is no /etc/pki-tomcat directory in RHEL6, and I
>> cannot find the ipa.crt
>>
>> Im sure as a noob I am overlooking some very obvious stuff, but could
>> you please guide me on what to do?
>
>
> Sorry, I think I pointed you at the wrong page. Check out
> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>
> Your CA subsystem are expired, or nearly expired. They are valid for two
> years. Based on the request ID in the snippet you posted at least some are
> valid for another few days.
>
> What I'd suggest is to send the machine back in time and restart the
> services. This should bring things up so that certmonger can do the renewal:
>
> # ipactl stop
> # /sbin/service ntpd stop
> # date 0501hhm where hhmm are the current hour and minute
> # ipactl start
>
> Hopefully ntpd isn't started by ipactl. If it is then it will undo your
> going back in time, and you'll need to start the services manually:
>
> # service dirsrv@YOURREALM start
> # service krb5kdc
> # service httpd start
> # service pki-tomcatd start
>
> Restart certmonger
>
> # service certmonger restart
>
> Wait a bit
>
> # getcert list
>
> Watch the status. They should go to MODIFIED
>
> Once done:
>
> # ipactl stop
>
> Return date to present, either by restarting ntpd or date or whatever method
> you'd like.
>
> I'm taking a completely wild guess on the date to go back to. The expiration
> date is listed in the getcert output. I'd go back a week before the oldest
> expiration.
>
> rob
>

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to