On 14.09.2016 17:59, bahan w wrote:
Hello !
I am sending you this mail because I cannot restart my test IPA server.
When I try to start it with service ipa start, I get the following
error message:
###
# service ipa start
Starting Directory Service
Starting dirsrv:
<MYREALM>...[14/Sep/2016:17:57:23 +0200] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert
Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
Portable Runtime error -8181 - Peer's Certificate has expired.)
[ OK ]
PKI-IPA...[14/Sep/2016:17:57:33 +0200] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert
Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
Portable Runtime error -8181 - Peer's Certificate has expired.)
[ OK ]
Starting KDC Service
Starting Kerberos 5 KDC: [ OK ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server: [ OK ]
Starting MEMCACHE Service
Starting ipa_memcached: [ OK ]
Starting HTTP Service
Starting httpd: [FAILED]
Failed to start HTTP Service
Shutting down
Stopping Kerberos 5 KDC: [ OK ]
Stopping Kerberos 5 Admin Server: [ OK ]
Stopping ipa_memcached: [ OK ]
Stopping httpd: [FAILED]
Stopping pki-ca: [ OK ]
Shutting down dirsrv:
<MYREALM>... [ OK ]
PKI-IPA... [ OK ]
Aborting ipactl
# service ipa status
Directory Service: STOPPED
Failed to get list of services to probe status:
Directory Server is stopped
###
Do you know how to renew the SSL certificate used for the IPA Server ?
Best regards.
Bahan
Hello,
please run
# ipactl start --force
# getcert list (to detect which certificate is outdated, I suspect DS
cert (or to get more info why it has not been renewed))
If getcert does work (I'm not sure if it is able to work without httpd),
you probably need to move time back to the past where the cert is valid, start
IPA and try again.
Please find the ID of the outdated certificate and try to resubmit it (CA and DS must
be running)
# getcert resubmit -i 20160914122036 (use your ID :) )
This should renew cert, check status with getcert list
Move time back to future (if needed)
Try to restart IPA
Martin^2
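
An added example (not part of the original thread): a shell helper that reads `getcert list` output and prints the request IDs whose `expires:` date is already past, which are the IDs to hand to `getcert resubmit -i`. The sample output, request IDs, realm, paths and reference time are constructed, and the parsing assumes certmonger's usual `Request ID '...'`, `status:` and `expires:` lines.

```shell
#!/bin/sh
# Added example: find expired certmonger requests in `getcert list` output.

# Print "<request id> <expiry> <status>" for every tracked certificate whose
# expiry is earlier than the reference time $1 ("YYYY-MM-DD HH:MM:SS", UTC).
# Without $1 the current UTC time is used. Input is read from stdin.
expired_requests() {
    now="${1:-$(date -u '+%Y-%m-%d %H:%M:%S')}"
    awk -v now="$now" -v q="'" '
        /^Request ID / { split($0, p, q); id = p[2]; status = "?"; next }
        /^[ \t]*status:/ { sub(/^[ \t]*status:[ \t]*/, ""); status = $0; next }
        /^[ \t]*expires:/ {
            sub(/^[ \t]*expires:[ \t]*/, ""); sub(/ UTC[ \t]*$/, "")
            # ISO-style timestamps order correctly as plain strings
            if (($0 "") < (now "")) print id, $0, status
        }
    '
}

# Constructed sample in the layout of `getcert list` (not real data).
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20140914000001':
    status: CA_UNREACHABLE
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert'
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2016-09-10 12:20:36 UTC
Request ID '20140914000002':
    status: MONITORING
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca'
    subject: CN=CA Audit,O=EXAMPLE.TEST
    expires: 2018-08-30 09:15:02 UTC
Request ID '20140914000003':
    status: CA_UNREACHABLE
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2016-09-10 12:21:10 UTC
EOF
}

# Demo on the constructed sample with a constructed reference time.
# On a live server: getcert list | expired_requests
sample_getcert_list | expired_requests "2016-09-14 16:00:00"
```

Each ID printed is a candidate for `getcert resubmit -i <ID>`, followed by `getcert list` again to confirm the new expiry date.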