On 14.09.2016 17:59, bahan w wrote:
Hello !

I send you this mail because I cannot restart my test IPA server.

When I try to start it with service ipa start, I got the following error message :
###
# service ipa start
Starting Directory Service
Starting dirsrv:
<MYREALM>...[14/Sep/2016:17:57:23 +0200] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
[  OK  ]
PKI-IPA...[14/Sep/2016:17:57:33 +0200] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
[  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC: [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server: [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached: [  OK  ]
Starting HTTP Service
Starting httpd: [FAILED]
Failed to start HTTP Service
Shutting down
Stopping Kerberos 5 KDC: [  OK  ]
Stopping Kerberos 5 Admin Server: [  OK  ]
Stopping ipa_memcached: [  OK  ]
Stopping httpd: [FAILED]
Stopping pki-ca: [  OK  ]
Shutting down dirsrv:
    <MYREALM>...                                    [ OK  ]
    PKI-IPA... [  OK  ]
Aborting ipactl

# service ipa status
Directory Service: STOPPED
Failed to get list of services to probe status:
Directory Server is stopped
###

Do you know how to renew the SSL certificate used for the IPA Server ?

Best regards.

Bahan





Hello,

please run

# ipactl start --force
# getcert list (to detect which certificate is outdated, I suspect DS cert (or to get more info why it has not been renewed))

If getcert does work (I'm not sure if ti is able to work without httpd), you probable need to move time back to past where cert is valid, start IPA and try again.

Please find ID outdated certificate and try resubmit it (CA and DS must be running)

# getcert resubmit -i 20160914122036 (use you ID :) )

This should renew cert, check status with getcert list

Move time back to future (if needed)

Try to restart IPA

Martin^2
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to