Please keep freeipa-users in CC, I'm quite lost here

ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).


I'm not sure what this means, but if this is caused by an invalid httpd certificate, the solution might be to set the time to a week before 2016-05-28, restart IPA and try to renew the certs again.


Martin^2


On 14.09.2016 18:38, bahan w wrote:
Ok, I managed to restart the IPA service by adding this line to the file /etc/httpd/conf.d/nss.conf:
###
NSSEnforceValidCerts off
###

But when I run getcert now I get the following result:
###
# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20140528063903':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=<MYREALM>
        subject: CN=CA Audit,O=<MYREALM>
        expires: 2018-04-09 11:39:16 UTC
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20140528063904':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=<MYREALM>
        subject: CN=OCSP Subsystem,O=<MYREALM>
        expires: 2018-04-09 11:38:16 UTC
        eku: id-kp-OCSPSigning
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20140528063905':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=<MYREALM>
        subject: CN=CA Subsystem,O=<MYREALM>
        expires: 2018-04-09 11:38:16 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20140528063906':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=<MYREALM>
        subject: CN=IPA RA,O=<MYREALM>
        expires: 2018-04-09 11:38:16 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20140528063907':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=<MYREALM>
        subject: CN=<IPA SERVER HOST>,O=<MYREALM>
        expires: 2018-04-09 11:38:16 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20140528063919':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=<MYREALM>
        subject: CN=<IPA SERVER HOST>,O=<MYREALM>
        expires: 2016-05-28 06:39:18 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv <MYREALM>
        track: yes
        auto-renew: yes
Request ID '20140528063953':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=<MYREALM>
        subject: CN=<IPA SERVER HOST>,O=<MYREALM>
        expires: 2016-05-28 06:39:52 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
        track: yes
        auto-renew: yes
Request ID '20140528064145':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=<MYREALM>
        subject: CN=<IPA SERVER HOST>,O=<MYREALM>
        expires: 2016-05-28 06:41:44 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
###

Indeed, the outdated entries are the following:
- for /etc/dirsrv/slapd-<MYREALM> : 20140528063919
- for /etc/dirsrv/slapd-PKI-IPA : 20140528063953
- for httpd ? : 20140528064145

Best regards.

Bahan

On Wed, Sep 14, 2016 at 6:28 PM, bahan w <bahanw042...@gmail.com> wrote:

    Ok :D

    Because to perform the getcert list command, I need to have all
    the ipa services running, right?

    Here is the result of the command with the ipa services down.
    ###
    #  getcert list
    Number of certificates and requests being tracked: 8.
    Request ID '20140528063903':
            status: MONITORING
            stuck: no
            key pair storage:
    type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
    cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
            certificate:
    type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
    cert-pki-ca',token='NSS Certificate DB'
            CA: dogtag-ipa-renew-agent
            issuer: CN=Certificate Authority,O=<MYREALM>
            subject: CN=CA Audit,O=<MYREALM>
            expires: 2018-04-09 11:39:16 UTC
            pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
            post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
    "auditSigningCert cert-pki-ca"
            track: yes
            auto-renew: yes
    Request ID '20140528063904':
            status: MONITORING
            stuck: no
            key pair storage:
    type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
    cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
            certificate:
    type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
    cert-pki-ca',token='NSS Certificate DB'
            CA: dogtag-ipa-renew-agent
            issuer: CN=Certificate Authority,O=<MYREALM>
            subject: CN=OCSP Subsystem,O=<MYREALM>
            expires: 2018-04-09 11:38:16 UTC
            eku: id-kp-OCSPSigning
            pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
            post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
    "ocspSigningCert cert-pki-ca"
            track: yes
            auto-renew: yes
    Request ID '20140528063905':
            status: MONITORING
            stuck: no
            key pair storage:
    type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
    cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
            certificate:
    type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
    cert-pki-ca',token='NSS Certificate DB'
            CA: dogtag-ipa-renew-agent
            issuer: CN=Certificate Authority,O=<MYREALM>
            subject: CN=CA Subsystem,O=<MYREALM>
            expires: 2018-04-09 11:38:16 UTC
            eku: id-kp-serverAuth,id-kp-clientAuth
            pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
            post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
    "subsystemCert cert-pki-ca"
            track: yes
            auto-renew: yes
    Request ID '20140528063906':
            status: MONITORING
            stuck: no
            key pair storage:
    type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
    Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
            certificate:
    type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
    Certificate DB'
            CA: dogtag-ipa-renew-agent
            issuer: CN=Certificate Authority,O=<MYREALM>
            subject: CN=IPA RA,O=<MYREALM>
            expires: 2018-04-09 11:38:16 UTC
            eku: id-kp-serverAuth,id-kp-clientAuth
            pre-save command:
            post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
            track: yes
            auto-renew: yes
    Request ID '20140528063907':
            status: MONITORING
            stuck: no
            key pair storage:
    type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
    cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
            certificate:
    type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
    cert-pki-ca',token='NSS Certificate DB'
            CA: dogtag-ipa-renew-agent
            issuer: CN=Certificate Authority,O=<MYREALM>
            subject: CN=<IPA SERVER HOST>,O=<MYREALM>
            expires: 2018-04-09 11:38:16 UTC
            eku: id-kp-serverAuth,id-kp-clientAuth
            pre-save command:
            post-save command:
            track: yes
            auto-renew: yes
    Request ID '20140528063919':
            status: MONITORING
            ca-error: Error setting up ccache for local "host" service
    using default keytab: Cannot contact any KDC for realm '<MYREALM>'.
            stuck: no
            key pair storage:
    type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'
            certificate:
    type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate DB'
            CA: IPA
            issuer: CN=Certificate Authority,O=<MYREALM>
            subject: CN=<IPA SERVER HOST>,O=<MYREALM>
            expires: 2016-05-28 06:39:18 UTC
            eku: id-kp-serverAuth,id-kp-clientAuth
            pre-save command:
            post-save command:
    /usr/lib64/ipa/certmonger/restart_dirsrv <MYREALM>
            track: yes
            auto-renew: yes
    Request ID '20140528063953':
            status: MONITORING
            ca-error: Error setting up ccache for local "host" service
    using default keytab: Cannot contact any KDC for realm '<MYREALM>'.
            stuck: no
            key pair storage:
    type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
            certificate:
    type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
            CA: IPA
            issuer: CN=Certificate Authority,O=<MYREALM>
            subject: CN=<IPA SERVER HOST>,O=<MYREALM>
            expires: 2016-05-28 06:39:52 UTC
            eku: id-kp-serverAuth,id-kp-clientAuth
            pre-save command:
            post-save command:
    /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
            track: yes
            auto-renew: yes
    Request ID '20140528064145':
            status: MONITORING
            ca-error: Error setting up ccache for local "host" service
    using default keytab: Cannot contact any KDC for realm '<MYREALM>'.
            stuck: no
            key pair storage:
    type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
    Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
            certificate:
    type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
    Certificate DB'
            CA: IPA
            issuer: CN=Certificate Authority,O=<MYREALM>
            subject: CN=<IPA SERVER HOST>,O=<MYREALM>
            expires: 2016-05-28 06:41:44 UTC
            eku: id-kp-serverAuth,id-kp-clientAuth
            pre-save command:
            post-save command: /usr/lib64/ipa/certmonger/restart_httpd
            track: yes
            auto-renew: yes
    ###

    Best regards.

    Bahan

    On Wed, Sep 14, 2016 at 6:21 PM, Martin Basti <mba...@redhat.com> wrote:


        Then you have to start the services manually. I don't know if the
        same steps will work with IPA 3.0.0, I don't remember, but you
        can try :)


        On 14.09.2016 18:18, bahan w wrote:
        Oh, I forgot to add that my version of ipa is quite old:
        ###
        # rpm -qa | grep ipa-server
        ipa-server-3.0.0-25.el6.x86_64
        ###

        When I try the command you gave me I get the following error:
        ###
        # ipactl start --force
        Usage: ipactl start|stop|restart|status


        ipactl: error: no such option: --force
        ###

        Best regards.

        Bahan

        On Wed, Sep 14, 2016 at 6:14 PM, Martin Basti <mba...@redhat.com> wrote:



            On 14.09.2016 17:59, bahan w wrote:
            Hello !

            I am sending you this mail because I cannot restart my test
            IPA server.

            When I try to start it with service ipa start, I get the
            following error message:
            ###
            # service ipa start
            Starting Directory Service
            Starting dirsrv:
            <MYREALM>...[14/Sep/2016:17:57:23 +0200] - SSL alert:
            CERT_VerifyCertificateNow: verify certificate failed for
            cert Server-Cert of family
            cn=RSA,cn=encryption,cn=config (Netscape Portable
            Runtime error -8181 - Peer's Certificate has expired.)
                                         [  OK  ]
            PKI-IPA...[14/Sep/2016:17:57:33 +0200] - SSL alert:
            CERT_VerifyCertificateNow: verify certificate failed for
            cert Server-Cert of family
            cn=RSA,cn=encryption,cn=config (Netscape Portable
            Runtime error -8181 - Peer's Certificate has expired.)
                                         [  OK  ]
            Starting KDC Service
            Starting Kerberos 5 KDC: [  OK  ]
            Starting KPASSWD Service
            Starting Kerberos 5 Admin Server: [  OK  ]
            Starting MEMCACHE Service
            Starting ipa_memcached: [  OK  ]
            Starting HTTP Service
            Starting httpd: [FAILED]
            Failed to start HTTP Service
            Shutting down
            Stopping Kerberos 5 KDC: [  OK  ]
            Stopping Kerberos 5 Admin Server: [  OK  ]
            Stopping ipa_memcached: [  OK  ]
            Stopping httpd: [FAILED]
            Stopping pki-ca: [  OK  ]
            Shutting down dirsrv:
            <MYREALM>... [  OK  ]
            PKI-IPA... [  OK  ]
            Aborting ipactl

            # service ipa status
            Directory Service: STOPPED
            Failed to get list of services to probe status:
            Directory Server is stopped
            ###

            Do you know how to renew the SSL certificate used for
            the IPA Server?

            Best regards.

            Bahan





            Hello,

            please run

            # ipactl start --force
            # getcert list (to detect which certificate is outdated;
            I suspect the DS cert, or to get more info on why it has not
            been renewed)

            If getcert does work (I'm not sure if it is able to work
            without httpd), you probably need to move the time back to
            the past where the cert is valid, start IPA and try again.

            Please find the ID of the outdated certificate and try to
            resubmit it (CA and DS must be running)

            # getcert resubmit -i 20160914122036 (use your ID :) )

            This should renew the cert; check the status with getcert list

            Move the time back to the future (if needed)

            Try to restart IPA

            Martin^2






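As an added example (not code from this thread, nor from FreeIPA or certmonger), here is a small Python triage script for the situation above: it parses `getcert list` output of the shape quoted in the thread and reports, per request ID, whether the certificate is expired, stuck, in a non-MONITORING state or carrying a ca-error, so the IDs to resubmit and the post-save commands that will fire can be picked out without reading the whole listing. The embedded sample output is constructed to mirror the thread's entries and is not real output from the poster's host.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of `getcert list` (one healthy entry, one expired and stuck).
SAMPLE = """\
Request ID '20140528063906':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        expires: 2018-04-09 11:38:16 UTC
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
Request ID '20140528064145':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        expires: 2016-05-28 06:41:44 UTC
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
"""

def parse_ts(text):
    """Parse a certmonger UTC timestamp such as '2016-05-28 06:41:44 UTC' into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)

def parse_getcert_list(text):
    """Split `getcert list` output into one dict per 'Request ID' block, keyed by field name."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            entries.append({"id": m.group(1)})
        elif entries and ":" in line:
            # Split on the first colon only: values such as ca-error contain further colons.
            key, _, value = line.strip().partition(":")
            entries[-1][key.strip()] = value.strip()
    return entries

def problems(entry, now):
    """Reasons an entry needs attention: expired, stuck, not MONITORING, or a CA error."""
    reasons = []
    if "expires" in entry and parse_ts(entry["expires"]) <= now:
        reasons.append("expired " + entry["expires"])
    if entry.get("stuck") == "yes":
        reasons.append("stuck")
    if entry.get("status", "MONITORING") != "MONITORING":
        reasons.append("status " + entry["status"])
    if "ca-error" in entry:
        reasons.append("ca-error")
    return reasons

def report(text, now_text=None):
    """Map request ID -> list of problems, evaluated at now_text (UTC timestamp) or the current time."""
    now = parse_ts(now_text) if now_text else datetime.now(timezone.utc)
    return {e["id"]: problems(e, now) for e in parse_getcert_list(text)}
```

On a live host, feed it the real listing with `report(subprocess.check_output(["getcert", "list"], text=True))`; the healthy entries come back with an empty list and the ones to resubmit with their reasons.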