Oh, I forgot to add that my version of IPA is quite old:
###
# rpm -qa | grep ipa-server
ipa-server-3.0.0-25.el6.x86_64
###

When I tried the command you gave me, I got the following error:
###
# ipactl start --force
Usage: ipactl start|stop|restart|status


ipactl: error: no such option: --force
###

Best regards.

Bahan

On Wed, Sep 14, 2016 at 6:14 PM, Martin Basti <mba...@redhat.com> wrote:

>
>
> On 14.09.2016 17:59, bahan w wrote:
>
> Hello !
>
> I send you this mail because I cannot restart my test IPA server.
>
> When I try to start it with service ipa start, I get the following error
> message:
> ###
> # service ipa start
> Starting Directory Service
> Starting dirsrv:
>     <MYREALM>...[14/Sep/2016:17:57:23 +0200] - SSL alert:
> CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
> of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
> -8181 - Peer's Certificate has expired.)
>                                                            [  OK  ]
>     PKI-IPA...[14/Sep/2016:17:57:33 +0200] - SSL alert:
> CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
> of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
> -8181 - Peer's Certificate has expired.)
>                                                            [  OK  ]
> Starting KDC Service
> Starting Kerberos 5 KDC:                                   [  OK  ]
> Starting KPASSWD Service
> Starting Kerberos 5 Admin Server:                          [  OK  ]
> Starting MEMCACHE Service
> Starting ipa_memcached:                                    [  OK  ]
> Starting HTTP Service
> Starting httpd:                                            [FAILED]
> Failed to start HTTP Service
> Shutting down
> Stopping Kerberos 5 KDC:                                   [  OK  ]
> Stopping Kerberos 5 Admin Server:                          [  OK  ]
> Stopping ipa_memcached:                                    [  OK  ]
> Stopping httpd:                                            [FAILED]
> Stopping pki-ca:                                           [  OK  ]
> Shutting down dirsrv:
>     <MYREALM>...                                    [  OK  ]
>     PKI-IPA...                                             [  OK  ]
> Aborting ipactl
>
> # service ipa status
> Directory Service: STOPPED
> Failed to get list of services to probe status:
> Directory Server is stopped
> ###
>
> Do you know how to renew the SSL certificate used for the IPA Server ?
>
> Best regards.
>
> Bahan
>
>
>
>
>
> Hello,
>
> please run
>
> # ipactl start --force
> # getcert list (to detect which certificate is outdated, I suspect DS cert
> (or to get more info why it has not been renewed))
>
> If getcert does work (I'm not sure if it is able to work without httpd),
> you probably need to move time back to the past where the cert is valid,
> start IPA and try again.
>
> Please find the ID of the outdated certificate and try to resubmit it (CA
> and DS must be running)
>
> # getcert resubmit -i 20160914122036 (use your ID :) )
>
> This should renew cert, check status with getcert list
>
> Move time back to future (if needed)
>
> Try to restart IPA
>
> Martin^2
>
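The "find the ID of the outdated certificate" step from the reply above, as an added example that is not part of the original thread: a shell function that reads `getcert list` output and prints the request ID, status, location and expiry of every tracked certificate that has already expired. The sample input is constructed (hypothetical instance name `EXAMPLE-TEST`), and `sample_getcert_list` and `expired_requests` are names chosen for this example.

```shell
#!/bin/sh
# Constructed sample in the layout that `getcert list` prints (values are
# made up; real output indents the fields with tabs and has more of them).
sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20160914122036':
    status: CA_UNREACHABLE
    stuck: no
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    expires: 2016-09-13 10:00:00 UTC
Request ID '20160914122040':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    expires: 2018-09-14 10:00:00 UTC
EOF
}

# expired_requests "YYYY-MM-DD HH:MM:SS"
# Reads `getcert list` output on stdin and prints one line per tracked
# certificate whose "expires:" time is earlier than the given UTC time:
#   <request-id> <status> <cert-location> <expiry>
expired_requests() {
    awk -v now="$1" '
        /^Request ID / { split($0, q, "\047"); id = q[2]; st = "?"; loc = "?" }
        /^[ \t]*status:/ { st = $2 }
        /^[ \t]*certificate:/ { split($0, c, "\047"); loc = c[2] }
        /^[ \t]*expires:/ {
            sub(/^[ \t]*expires:[ \t]*/, ""); sub(/[ \t]*UTC[ \t]*$/, "")
            # Same fixed-width format on both sides, so string order is time order.
            if (($0 "") < (now "")) print id, st, loc, $0
        }'
}

# Demo on the sample, evaluated at the time of the failed start in the thread
# (17:57:23 +0200 = 15:57:23 UTC). On a live server, as root:
#   getcert list | expired_requests "$(date -u '+%Y-%m-%d %H:%M:%S')"
sample_getcert_list | expired_requests "2016-09-14 15:57:23"
```

The first column of each printed line is the value to pass to `getcert resubmit -i`.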