Unfortunately this issue suddenly got much worse. I get this error in the UI when trying to view hosts on one of my servers:

cannot connect to 'https:/ipa1.example.com:443/ca/agent/ca/displayBySerial': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.

and this on others:

Some operations failed.
Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.
(the same "Certificate format error" line is repeated 16 times)
From: sipazzo <sipa...@yahoo.com>
To: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Sent: Friday, July 29, 2016 9:06 AM
Subject: certificates expired - won't renew

I have seen many threads on this, so sorry to bring it up again, but I have a freeipa domain with 4 ipa servers running on redhat 6, version 3.0.0-50. The certificates are expired/expiring and will not renew, and it is causing many issues for us. I have tried the many suggestions I have seen in the archives, such as changing the time to prior to expiration and attempting to renew by resubmitting the requests, but they never renew.

An example of getcert list from the first server that expired:

Number of certificates and requests being tracked: 8.
Request ID '20140618161026':
	status: CA_UNREACHABLE
	ca-error: Server at https://ipa1.example.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=idm1-io.example.com,O=EXAMPLE.COM
	expires: 2016-06-18 00:09:05 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
	track: yes
	auto-renew: yes
Request ID '20140618161126':
	status: MONITORING
	ca-error: Internal error: no response to "http://ipa1-io.example.com:9180/ca/ee/ca/profileSubmit?profileId=auditSigningCert+cert-pki-ca&serial_num=5&renewal=true&xml=true".
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=CA Audit,O=EXAMPLE.COM
	expires: 2016-06-06 23:36:29 UTC
	key usage: digitalSignature,nonRepudiation
	pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "auditSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20140618161127':
	status: MONITORING
	ca-error: Internal error: no response to "http://ipa1.example.com:9180/ca/ee/ca/profileSubmit?profileId=ocspSigningCert+cert-pki-ca&serial_num=2&renewal=true&xml=true".
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=OCSP Subsystem,O=EXAMPLE.COM
	expires: 2016-06-06 23:36:28 UTC
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	eku: id-kp-OCSPSigning
	pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "ocspSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20140618161128':
	status: MONITORING
	ca-error: Internal error: no response to "http://ipa1.example.com:9180/ca/ee/ca/profileSubmit?profileId=subsystemCert+cert-pki-ca&serial_num=4&renewal=true&xml=true".
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=CA Subsystem,O=EXAMPLE.COM
	expires: 2016-06-06 23:36:28 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "subsystemCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20140618161129':
	status: MONITORING
	ca-error: Internal error: no response to "http://ipa1.example.com:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=268304385&renewal=true&xml=true".
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=ipa1.example.com,O=EXAMPLE.COM
	expires: 2016-06-07 16:11:22 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20140618161217':
	status: NEED_CSR_GEN_TOKEN
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-example-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-example-COM/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-example-COM',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=ipa1.example.com,O=EXAMPLE.COM
	expires: 2016-06-18 00:09:05 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv example-COM
	track: yes
	auto-renew: yes
Request ID '20140618161317':
	status: CA_UNREACHABLE
	ca-error: Server at https://ipa1.example.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=idm1-io.example.com,O=EXAMPLE.COM
	expires: 2016-06-18 00:09:06 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/lib64/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
Request ID '20140618161338':
	status: MONITORING
	ca-error: Internal error: no response to "http://ipa1.example.com:9180/ca/ee/ca/profileSubmit?profileId=ipaCert&serial_num=7&renewal=true&xml=true".
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=IPA RA,O=EXAMPLE.COM
	expires: 2016-06-06 23:37:09 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/lib64/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes

The localhost log in /var/log/pki-ca has errors like:

tail localhost.2016-07-29.log
Jul 29, 2016 8:55:51 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet caProfileSubmit threw exception
java.io.IOException: CS server is not ready to serve.
	at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:441)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:723)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.

Debug log in /var/log/pki-ca, tail debug:

[29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
[29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable getLDAPConn: netscape.ldap.LDAPException: error result (49)
[29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable: unable to query sessionIds: java.io.IOException: Failed to connect to the internal database.
[29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable: getSessionIds: Error in disconnecting from database: java.lang.NullPointerException
[29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
[29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable getLDAPConn: netscape.ldap.LDAPException: error result (49)
[29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable: unable to query sessionIds: java.io.IOException: Failed to connect to the internal database.
[29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable: getSessionIds: Error in disconnecting from database: java.lang.NullPointerException

Performing most IPA commands results in errors such as:

ipa: ERROR: cert validation failed for "CN=ipa1.example.com,O=EXAMPLE.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)

Not sure if it is related, but we lost our first IPA server some time ago and had to promote another to the CA master. Also, due to someone leaving the company at the beginning of the year, we had to change the directory manager password. I followed all the directions to do so, but it does not seem like it was a completely smooth transaction.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
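Added example, not part of the post and not certmonger's or FreeIPA's own code: a small Python triage script for the getcert list layout quoted above. It parses each tracked request into its fields and flags entries that are expired at a given reference time, stuck, not in MONITORING, or carrying a ca-error, so the eight-entry dump above can be reduced to the handful that need attention. The sample input is constructed from two of the post's entries (trimmed), and the field names are assumed to match what getcert prints on that release.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout `getcert list` prints (two of the post's eight entries, trimmed).
SAMPLE = """Number of certificates and requests being tracked: 2.
Request ID '20140618161217':
\tstatus: NEED_CSR_GEN_TOKEN
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-example-COM',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 2016-06-18 00:09:05 UTC
Request ID '20140618161338':
\tstatus: MONITORING
\tca-error: Internal error: no response to "http://ipa1.example.com:9180/ca/ee/ca/profileSubmit?profileId=ipaCert&serial_num=7&renewal=true&xml=true".
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\texpires: 2016-06-06 23:37:09 UTC"""

REQ_RE = re.compile(r"^Request ID '([^']+)':")

def parse_getcert(text):
    """Turn `getcert list` output into one dict (field -> value) per tracked request."""
    records, cur = [], None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            cur = {"request_id": m.group(1)}
            records.append(cur)
        elif cur is not None and line[:1] in ("\t", " "):   # indented field line
            key, _, value = line.strip().partition(":")      # split on the first ':' only
            cur[key.strip()] = value.strip()
    return records

def _utc(stamp):
    # getcert prints timestamps as 'YYYY-MM-DD HH:MM:SS UTC'
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)

def triage(records, now):
    """Return (request_id, nickname, reasons) for entries needing attention at `now` (getcert format)."""
    out = []
    for r in records:
        reasons = []
        if "expires" in r and _utc(r["expires"]) <= _utc(now):
            reasons.append("expired " + r["expires"])
        if r.get("stuck") == "yes":
            reasons.append("stuck")
        if r.get("status") != "MONITORING":
            reasons.append("status " + r.get("status", "?"))
        if "ca-error" in r:
            reasons.append("ca-error")
        if reasons:
            m = re.search(r"nickname='([^']*)'", r.get("certificate", ""))
            out.append((r["request_id"], m.group(1) if m else "?", reasons))
    return out
```

Pipe the real output in with `getcert list | python3 triage.py` after wrapping the two calls in a `main`, or paste it into SAMPLE; an entry that is MONITORING but already expired with a ca-error, as several in the post are, is exactly the case the status column alone hides.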