I set the date-time to when the certificates were valid:
###
# date -s '2016-05-27 10:00:00'
Fri May 27 10:00:00 CEST 2016

# date
Fri May 27 10:00:02 CEST 2016
###

Then I try to renew them:
###
# getcert resubmit -i 20140528063919
Resubmitting "20140528063919" to "IPA".

# getcert resubmit -i 20140528064145
Resubmitting "20140528064145" to "IPA".

# getcert resubmit -i 20140528063953
Resubmitting "20140528063953" to "IPA".
###

But when I do the getcert list afterwards, the result is the same.

I guess it is because of this?
CA_UNREACHABLE

Any idea?

Best regards.

Bahan

On Wed, Sep 14, 2016 at 6:38 PM, bahan w <bahanw042...@gmail.com> wrote:

> Ok, I managed to restart the IPA service by adding this line to the file
> /etc/httpd/conf.d/nss.conf:
> ###
> NSSEnforceValidCerts off
> ###
>
> But when I do the getcert now I get the following result:
>
> ###
> # getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20140528063903':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
> Certificate DB',pin='159203530658'
>         certificate: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
> Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=<MYREALM>
>         subject: CN=CA Audit,O=<MYREALM>
>         expires: 2018-04-09 11:39:16 UTC
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20140528063904':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
> Certificate DB',pin='159203530658'
>         certificate: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
> Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=<MYREALM>
>         subject: CN=OCSP Subsystem,O=<MYREALM>
>         expires: 2018-04-09 11:38:16 UTC
>         eku: id-kp-OCSPSigning
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20140528063905':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate
> DB',pin='159203530658'
>         certificate: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate
> DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=<MYREALM>
>         subject: CN=CA Subsystem,O=<MYREALM>
>         expires: 2018-04-09 11:38:16 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "subsystemCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20140528063906':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/
> httpd/alias',nickname='ipaCert',token='NSS Certificate
> DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: 
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=<MYREALM>
>         subject: CN=IPA RA,O=<MYREALM>
>         expires: 2018-04-09 11:38:16 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>         track: yes
>         auto-renew: yes
> Request ID '20140528063907':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate
> DB',pin='159203530658'
>         certificate: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate
> DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=<MYREALM>
>         subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>         expires: 2018-04-09 11:38:16 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20140528063919':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: -504 (libcurl failed
> to execute the HTTP POST transaction.  Peer certificate cannot be
> authenticated with known CA certificates).
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/
> dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate
> DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',
> nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=<MYREALM>
>         subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>         expires: 2016-05-28 06:39:18 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
> <MYREALM>
>         track: yes
>         auto-renew: yes
> Request ID '20140528063953':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: -504 (libcurl failed
> to execute the HTTP POST transaction.  Peer certificate cannot be
> authenticated with known CA certificates).
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',
> nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/
> slapd-PKI-IPA/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',
> nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=<MYREALM>
>         subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>         expires: 2016-05-28 06:39:52 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
> PKI-IPA
>         track: yes
>         auto-renew: yes
> Request ID '20140528064145':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: -504 (libcurl failed
> to execute the HTTP POST transaction.  Peer certificate cannot be
> authenticated with known CA certificates).
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/
> httpd/alias',nickname='Server-Cert',token='NSS Certificate
> DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/
> httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=<MYREALM>
>         subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>         expires: 2016-05-28 06:41:44 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>         track: yes
>         auto-renew: yes
> ###
>
> Indeed, the outdated entries are the following:
> - for /etc/dirsrv/slapd-<MYREALM>: 20140528063919
> - for /etc/dirsrv/slapd-PKI-IPA: 20140528063953
> - for httpd (?): 20140528064145
>
> Best regards.
>
> Bahan
>
> On Wed, Sep 14, 2016 at 6:28 PM, bahan w <bahanw042...@gmail.com> wrote:
>
>> Ok :D
>>
>> Because to perform the getcert list command, I need to have all the ipa
>> services running, right?
>>
>> Here is the result of the command with the ipa services down.
>> ###
>> #  getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20140528063903':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
>> Certificate DB',pin='159203530658'
>>         certificate: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
>> Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>         subject: CN=CA Audit,O=<MYREALM>
>>         expires: 2018-04-09 11:39:16 UTC
>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> "auditSigningCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20140528063904':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
>> Certificate DB',pin='159203530658'
>>         certificate: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
>> Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>         subject: CN=OCSP Subsystem,O=<MYREALM>
>>         expires: 2018-04-09 11:38:16 UTC
>>         eku: id-kp-OCSPSigning
>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> "ocspSigningCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20140528063905':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS
>> Certificate DB',pin='159203530658'
>>         certificate: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS
>> Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>         subject: CN=CA Subsystem,O=<MYREALM>
>>         expires: 2018-04-09 11:38:16 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> "subsystemCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20140528063906':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/http
>> d/alias',nickname='ipaCert',token='NSS Certificate
>> DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/http
>> d/alias',nickname='ipaCert',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>         subject: CN=IPA RA,O=<MYREALM>
>>         expires: 2018-04-09 11:38:16 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>         track: yes
>>         auto-renew: yes
>> Request ID '20140528063907':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate
>> DB',pin='159203530658'
>>         certificate: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate
>> DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>         subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>         expires: 2018-04-09 11:38:16 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20140528063919':
>>         status: MONITORING
>>         ca-error: Error setting up ccache for local "host" service using
>> default keytab: Cannot contact any KDC for realm '<MYREALM>'.
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/dirs
>> rv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate
>> DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/dirs
>> rv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>         subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>         expires: 2016-05-28 06:39:18 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
>> <MYREALM>
>>         track: yes
>>         auto-renew: yes
>> Request ID '20140528063953':
>>         status: MONITORING
>>         ca-error: Error setting up ccache for local "host" service using
>> default keytab: Cannot contact any KDC for realm '<MYREALM>'.
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/dirs
>> rv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate
>> DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/dirs
>> rv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>         subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>         expires: 2016-05-28 06:39:52 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
>> PKI-IPA
>>         track: yes
>>         auto-renew: yes
>> Request ID '20140528064145':
>>         status: MONITORING
>>         ca-error: Error setting up ccache for local "host" service using
>> default keytab: Cannot contact any KDC for realm '<MYREALM>'.
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/http
>> d/alias',nickname='Server-Cert',token='NSS Certificate
>> DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/http
>> d/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>         subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>         expires: 2016-05-28 06:41:44 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>         track: yes
>>         auto-renew: yes
>> ###
>>
>> Best regards.
>>
>> Bahan
>>
>> On Wed, Sep 14, 2016 at 6:21 PM, Martin Basti <mba...@redhat.com> wrote:
>>
>>>
>>> Then you have to start the services manually. I don't know if the same steps
>>> will work with IPA 3.0.0, I don't remember, but you can try :)
>>>
>>> On 14.09.2016 18:18, bahan w wrote:
>>>
>>> Oh, I forgot to add that my version of ipa is quite old:
>>> ###
>>> # rpm -qa | grep ipa-server
>>> ipa-server-3.0.0-25.el6.x86_64
>>> ###
>>>
>>> When I try the command you gave me, I get the following error:
>>> ###
>>> # ipactl start --force
>>> Usage: ipactl start|stop|restart|status
>>>
>>>
>>> ipactl: error: no such option: --force
>>> ###
>>>
>>> Best regards.
>>>
>>> Bahan
>>>
>>>
>>> On Wed, Sep 14, 2016 at 6:14 PM, Martin Basti <mba...@redhat.com> wrote:
>>>
>>>>
>>>>
>>>> On 14.09.2016 17:59, bahan w wrote:
>>>>
>>>> Hello !
>>>>
>>>> I am sending you this mail because I cannot restart my test IPA server.
>>>>
>>>> When I try to start it with service ipa start, I get the following
>>>> error message:
>>>> ###
>>>> # service ipa start
>>>> Starting Directory Service
>>>> Starting dirsrv:
>>>>     <MYREALM>...[14/Sep/2016:17:57:23 +0200] - SSL alert:
>>>> CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
>>>> of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
>>>> -8181 - Peer's Certificate has expired.)
>>>>                                                            [  OK  ]
>>>>     PKI-IPA...[14/Sep/2016:17:57:33 +0200] - SSL alert:
>>>> CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
>>>> of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
>>>> -8181 - Peer's Certificate has expired.)
>>>>                                                            [  OK  ]
>>>> Starting KDC Service
>>>> Starting Kerberos 5 KDC:                                   [  OK  ]
>>>> Starting KPASSWD Service
>>>> Starting Kerberos 5 Admin Server:                          [  OK  ]
>>>> Starting MEMCACHE Service
>>>> Starting ipa_memcached:                                    [  OK  ]
>>>> Starting HTTP Service
>>>> Starting httpd:                                            [FAILED]
>>>> Failed to start HTTP Service
>>>> Shutting down
>>>> Stopping Kerberos 5 KDC:                                   [  OK  ]
>>>> Stopping Kerberos 5 Admin Server:                          [  OK  ]
>>>> Stopping ipa_memcached:                                    [  OK  ]
>>>> Stopping httpd:                                            [FAILED]
>>>> Stopping pki-ca:                                           [  OK  ]
>>>> Shutting down dirsrv:
>>>>     <MYREALM>...                                    [  OK  ]
>>>>     PKI-IPA...                                             [  OK  ]
>>>> Aborting ipactl
>>>>
>>>> # service ipa status
>>>> Directory Service: STOPPED
>>>> Failed to get list of services to probe status:
>>>> Directory Server is stopped
>>>> ###
>>>>
>>>> Do you know how to renew the SSL certificate used for the IPA Server?
>>>>
>>>> Best regards.
>>>>
>>>> Bahan
>>>>
>>>>
>>>> Hello,
>>>>
>>>> please run
>>>>
>>>> # ipactl start --force
>>>> # getcert list (to detect which certificate is outdated, I suspect DS
>>>> cert (or to get more info why it has not been renewed))
>>>>
>>>> If getcert does work (I'm not sure if it is able to work without
>>>> httpd), you probably need to move the time back to the past where the cert is valid,
>>>> start IPA and try again.
>>>>
>>>> Please find the ID of the outdated certificate and try to resubmit it (CA and DS must
>>>> be running)
>>>>
>>>> # getcert resubmit -i 20160914122036 (use your ID :) )
>>>>
>>>> This should renew the cert; check the status with getcert list
>>>>
>>>> Move the time back to the future (if needed)
>>>>
>>>> Try to restart IPA
>>>>
>>>> Martin^2
>>>>
>>>
>>>
>>>
>>
>
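Martin's procedure above boils down to reading getcert list, spotting the tracked request whose certificate has expired or whose status is no longer MONITORING, and resubmitting it by ID. As an added example (not code from the thread or from FreeIPA), the Python below parses getcert list output in the format shown in the thread and reports every request that is expired at a reference time, stuck, or not in MONITORING state, with its ca-error, so the IDs for getcert resubmit -i come out of a script rather than a read-through. The sample output, the EXAMPLE.TEST realm and the reference date are constructed.

```python
"""Flag tracked certmonger requests that need attention, from `getcert list` text."""
import re
from datetime import datetime

# Constructed sample in the thread's getcert output format (two entries, trimmed;
# real output keeps each field on one line, unlike the mail-wrapped thread text).
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20140528063903':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        expires: 2018-04-09 11:39:16 UTC
Request ID '20140528063919':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        expires: 2016-05-28 06:39:18 UTC
"""
REFERENCE_TIME = datetime(2016, 9, 14, 16, 0)  # naive UTC; the thread's date (assumed)

REQUEST_RE = re.compile(r"^Request ID '(\d+)':")
FIELD_RE = re.compile(r"^\s+([\w -]+): ?(.*)$")  # indented "name: value" lines

def parse_getcert_list(text):
    """Return {request_id: {field: value}} for every tracked request in the text."""
    requests, current = {}, None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return requests

def needs_attention(requests, now=REFERENCE_TIME):
    """Return {request_id: reason} for entries expired at `now`, stuck, or not MONITORING."""
    findings = {}
    for rid, f in requests.items():
        reasons = []
        exp = f.get("expires", "")
        if exp.endswith(" UTC") and datetime.strptime(exp[:-4], "%Y-%m-%d %H:%M:%S") <= now:
            reasons.append("expired " + exp)
        if f.get("status") != "MONITORING":
            reasons.append("status " + str(f.get("status")) + ": " + f.get("ca-error", ""))
        if f.get("stuck") == "yes":
            reasons.append("stuck")
        if reasons:
            findings[rid] = "; ".join(reasons)
    return findings
```

On a live server, feed the real output of getcert list to parse_getcert_list and call needs_attention with datetime.utcnow(); each returned ID is a candidate for getcert resubmit -i once the CA and DS are running.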
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project