Here is what I found:

In the catalina.out:
###
May 27, 2016 10:51:35 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet caDisplayBySerial-agent threw exception
java.io.IOException: CS server is not ready to serve.
        at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:441)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.netscape.cms.servlet.filter.AgentRequestFilter.doFilter(AgentRequestFilter.java:124)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769)
        at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698)
        at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
        at java.lang.Thread.run(Thread.java:722)
###
In the selftests.log in /var/log/pki-ca:
###
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem: Initializing self test plugins:
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem: loading all self test plugin instances
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
24196.main - [27/May/2016:10:50:28 CEST] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
24196.main - [27/May/2016:10:50:28 CEST] [20] [1] CAPresence: CA is present
24196.main - [27/May/2016:10:50:28 CEST] [20] [1] SystemCertsVerification: system certs verification failure
24196.main - [27/May/2016:10:50:28 CEST] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
###

But nothing else.

Best regards.

Bahan

On Wed, Sep 14, 2016 at 7:27 PM, bahan w <bahanw042...@gmail.com> wrote:
> I tried also the following commands:
> ###
> # ipa cert-show 1
> ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
>
> # service ipa status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
> ###
>
> I'm checking the /var/log/pki-ca logs to see if I find something.
>
> Best regards.
>
> Bahan
>
> On Wed, Sep 14, 2016 at 7:02 PM, bahan w <bahanw042...@gmail.com> wrote:
>
>> Sorry Martin,
>>
>> This is not the first time I forgot to add back freeipa users.
>> I have problems with gmail, again sorry.
>>
>> Indeed I figured out that I had to restart the ipa server.
>> So I tried to restart ipa server.
>> But it was not working yet.
>>
>> So I thought it was maybe due to the configuration I performed in the nss.conf.
>> So I rolled back this conf and restarted ipa-server.
>> Then I retried your commands but it is still the same error.
>>
>> ###
>> Request ID '20140528064145':
>>         status: CA_UNREACHABLE
>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>>         stuck: yes
>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>         subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>         expires: 2016-05-28 06:41:44 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>         track: yes
>>         auto-renew: yes
>> ###
>>
>> Do you know what the CMS is?
>> ###
>> (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>> ###
>>
>> Best regards.
>>
>> Bahan
>>
>> On Wed, Sep 14, 2016 at 6:46 PM, Martin Basti <mba...@redhat.com> wrote:
>>
>>> did you restart IPA when you moved time? Is there a more detailed error description in the output of getcert list?
>>>
>>> On 14.09.2016 18:45, bahan w wrote:
>>>
>>> I set the date-time when the certificates were valid:
>>> ###
>>> # date -s '2016-05-27 10:00:00'
>>> Fri May 27 10:00:00 CEST 2016
>>>
>>> # date
>>> Fri May 27 10:00:02 CEST 2016
>>> ###
>>>
>>> Then I try to renew them:
>>> ###
>>> # getcert resubmit -i 20140528063919
>>> Resubmitting "20140528063919" to "IPA".
>>>
>>> # getcert resubmit -i 20140528064145
>>> Resubmitting "20140528064145" to "IPA".
>>>
>>> # getcert resubmit -i 20140528063953
>>> Resubmitting "20140528063953" to "IPA".
>>> ###
>>>
>>> But when I do the getcert list after, the result is the same.
>>>
>>> I guess it is because of this?
>>> CA_UNREACHABLE
>>>
>>> Any idea?
>>>
>>> Best regards.
>>>
>>> Bahan
>>>
>>> On Wed, Sep 14, 2016 at 6:38 PM, bahan w <bahanw042...@gmail.com> wrote:
>>>
>>>> Ok, I managed to restart the IPA service by adding this line in the file /etc/httpd/conf.d/nss.conf:
>>>> ###
>>>> NSSEnforceValidCerts off
>>>> ###
>>>>
>>>> But when I do the getcert now I got the following result:
>>>>
>>>> ###
>>>> # getcert list
>>>> Number of certificates and requests being tracked: 8.
>>>> Request ID '20140528063903':
>>>>         status: MONITORING
>>>>         stuck: no
>>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>         CA: dogtag-ipa-renew-agent
>>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>>         subject: CN=CA Audit,O=<MYREALM>
>>>>         expires: 2018-04-09 11:39:16 UTC
>>>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>>>         track: yes
>>>>         auto-renew: yes
>>>> Request ID '20140528063904':
>>>>         status: MONITORING
>>>>         stuck: no
>>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>         CA: dogtag-ipa-renew-agent
>>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>>         subject: CN=OCSP Subsystem,O=<MYREALM>
>>>>         expires: 2018-04-09 11:38:16 UTC
>>>>         eku: id-kp-OCSPSigning
>>>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>>>         track: yes
>>>>         auto-renew: yes
>>>> Request ID '20140528063905':
>>>>         status: MONITORING
>>>>         stuck: no
>>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>>         CA: dogtag-ipa-renew-agent
>>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>>         subject: CN=CA Subsystem,O=<MYREALM>
>>>>         expires: 2018-04-09 11:38:16 UTC
>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>>>         track: yes
>>>>         auto-renew: yes
>>>> Request ID '20140528063906':
>>>>         status: MONITORING
>>>>         stuck: no
>>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>>         CA: dogtag-ipa-renew-agent
>>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>>         subject: CN=IPA RA,O=<MYREALM>
>>>>         expires: 2018-04-09 11:38:16 UTC
>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>         pre-save command:
>>>>         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>>>         track: yes
>>>>         auto-renew: yes
>>>> Request ID '20140528063907':
>>>>         status: MONITORING
>>>>         stuck: no
>>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>>>         CA: dogtag-ipa-renew-agent
>>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>>         subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>>         expires: 2018-04-09 11:38:16 UTC
>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>         pre-save command:
>>>>         post-save command:
>>>>         track: yes
>>>>         auto-renew: yes
>>>> Request ID '20140528063919':
>>>>         status: CA_UNREACHABLE
>>>>         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>>>>         stuck: yes
>>>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'
>>>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate DB'
>>>>         CA: IPA
>>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>>         subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>>         expires: 2016-05-28 06:39:18 UTC
>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>         pre-save command:
>>>>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv <MYREALM>
>>>>         track: yes
>>>>         auto-renew: yes
>>>> Request ID '20140528063953':
>>>>         status: CA_UNREACHABLE
>>>>         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>>>>         stuck: yes
>>>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>>>         CA: IPA
>>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>>         subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>>         expires: 2016-05-28 06:39:52 UTC
>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>         pre-save command:
>>>>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
>>>>         track: yes
>>>>         auto-renew: yes
>>>> Request ID '20140528064145':
>>>>         status: CA_UNREACHABLE
>>>>         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>>>>         stuck: yes
>>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>>         CA: IPA
>>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>>         subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>>         expires: 2016-05-28 06:41:44 UTC
>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>         pre-save command:
>>>>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>>         track: yes
>>>>         auto-renew: yes
>>>> ###
>>>>
>>>> Indeed, the outdated entries are the following:
>>>> - for /etc/dirsrv/slapd-<MYREALM>: 20140528063919
>>>> - for /etc/dirsrv/slapd-PKI-IPA: 20140528063953
>>>> - for httpd?: 20140528064145
>>>>
>>>> Best regards.
>>>>
>>>> Bahan
>>>>
>>>> On Wed, Sep 14, 2016 at 6:28 PM, bahan w <bahanw042...@gmail.com> wrote:
>>>>
>>>>> Ok :D
>>>>>
>>>>> Because to perform the getcert list command, I need to have all the ipa services running, right?
>>>>>
>>>>> Here is the result of the command with the ipa services down.
>>>>> ###
>>>>> # getcert list
>>>>> Number of certificates and requests being tracked: 8.
>>>>> Request ID '20140528063903':
>>>>>         status: MONITORING
>>>>>         stuck: no
>>>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>         CA: dogtag-ipa-renew-agent
>>>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>>>         subject: CN=CA Audit,O=<MYREALM>
>>>>>         expires: 2018-04-09 11:39:16 UTC
>>>>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>>>>         track: yes
>>>>>         auto-renew: yes
>>>>> Request ID '20140528063904':
>>>>>         status: MONITORING
>>>>>         stuck: no
>>>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>         CA: dogtag-ipa-renew-agent
>>>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>>>         subject: CN=OCSP Subsystem,O=<MYREALM>
>>>>>         expires: 2018-04-09 11:38:16 UTC
>>>>>         eku: id-kp-OCSPSigning
>>>>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>>>>         track: yes
>>>>>         auto-renew: yes
>>>>> Request ID '20140528063905':
>>>>>         status: MONITORING
>>>>>         stuck: no
>>>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>>>         CA: dogtag-ipa-renew-agent
>>>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>>>         subject: CN=CA Subsystem,O=<MYREALM>
>>>>>         expires: 2018-04-09 11:38:16 UTC
>>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>>>>         track: yes
>>>>>         auto-renew: yes
>>>>> Request ID '20140528063906':
>>>>>         status: MONITORING
>>>>>         stuck: no
>>>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>>>         CA: dogtag-ipa-renew-agent
>>>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>>>         subject: CN=IPA RA,O=<MYREALM>
>>>>>         expires: 2018-04-09 11:38:16 UTC
>>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>         pre-save command:
>>>>>         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>>>>         track: yes
>>>>>         auto-renew: yes
>>>>> Request ID '20140528063907':
>>>>>         status: MONITORING
>>>>>         stuck: no
>>>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>>>>         CA: dogtag-ipa-renew-agent
>>>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>>>         subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>>>         expires: 2018-04-09 11:38:16 UTC
>>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>         pre-save command:
>>>>>         post-save command:
>>>>>         track: yes
>>>>>         auto-renew: yes
>>>>> Request ID '20140528063919':
>>>>>         status: MONITORING
>>>>>         ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm '<MYREALM>'.
>>>>>         stuck: no
>>>>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'
>>>>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate DB'
>>>>>         CA: IPA
>>>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>>>         subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>>>         expires: 2016-05-28 06:39:18 UTC
>>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>         pre-save command:
>>>>>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv <MYREALM>
>>>>>         track: yes
>>>>>         auto-renew: yes
>>>>> Request ID '20140528063953':
>>>>>         status: MONITORING
>>>>>         ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm '<MYREALM>'.
>>>>>         stuck: no
>>>>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>>>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>>>>         CA: IPA
>>>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>>>         subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>>>         expires: 2016-05-28 06:39:52 UTC
>>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>         pre-save command:
>>>>>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
>>>>>         track: yes
>>>>>         auto-renew: yes
>>>>> Request ID '20140528064145':
>>>>>         status: MONITORING
>>>>>         ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm '<MYREALM>'.
>>>>>         stuck: no
>>>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>>>         CA: IPA
>>>>>         issuer: CN=Certificate Authority,O=<MYREALM>
>>>>>         subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>>>         expires: 2016-05-28 06:41:44 UTC
>>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>         pre-save command:
>>>>>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>>>         track: yes
>>>>>         auto-renew: yes
>>>>> ###
>>>>>
>>>>> Best regards.
>>>>>
>>>>> Bahan
>>>>>
>>>>> On Wed, Sep 14, 2016 at 6:21 PM, Martin Basti <mba...@redhat.com> wrote:
>>>>>
>>>>>> Then you have to start services manually, I don't know if the same steps will work with IPA 3.0.0, I don't remember, but you can try :)
>>>>>>
>>>>>> On 14.09.2016 18:18, bahan w wrote:
>>>>>>
>>>>>> Oh I forgot to add that my version of ipa is quite old:
>>>>>> ###
>>>>>> # rpm -qa | grep ipa-server
>>>>>> ipa-server-3.0.0-25.el6.x86_64
>>>>>> ###
>>>>>>
>>>>>> When I try the command you gave me I got the following error:
>>>>>> ###
>>>>>> # ipactl start --force
>>>>>> Usage: ipactl start|stop|restart|status
>>>>>>
>>>>>> ipactl: error: no such option: --force
>>>>>> ###
>>>>>>
>>>>>> Best regards.
>>>>>>
>>>>>> Bahan
>>>>>>
>>>>>> On Wed, Sep 14, 2016 at 6:14 PM, Martin Basti <mba...@redhat.com> wrote:
>>>>>>
>>>>>>> On 14.09.2016 17:59, bahan w wrote:
>>>>>>>
>>>>>>> Hello!
>>>>>>>
>>>>>>> I send you this mail because I cannot restart my test IPA server.
>>>>>>>
>>>>>>> When I try to start it with service ipa start, I got the following error message:
>>>>>>> ###
>>>>>>> # service ipa start
>>>>>>> Starting Directory Service
>>>>>>> Starting dirsrv:
>>>>>>>     <MYREALM>...[14/Sep/2016:17:57:23 +0200] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
>>>>>>>                                                            [  OK  ]
>>>>>>>     PKI-IPA...[14/Sep/2016:17:57:33 +0200] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
>>>>>>>                                                            [  OK  ]
>>>>>>> Starting KDC Service
>>>>>>> Starting Kerberos 5 KDC:                                   [  OK  ]
>>>>>>> Starting KPASSWD Service
>>>>>>> Starting Kerberos 5 Admin Server:                          [  OK  ]
>>>>>>> Starting MEMCACHE Service
>>>>>>> Starting ipa_memcached:                                    [  OK  ]
>>>>>>> Starting HTTP Service
>>>>>>> Starting httpd:                                            [FAILED]
>>>>>>> Failed to start HTTP Service
>>>>>>> Shutting down
>>>>>>> Stopping Kerberos 5 KDC:                                   [  OK  ]
>>>>>>> Stopping Kerberos 5 Admin Server:                          [  OK  ]
>>>>>>> Stopping ipa_memcached:                                    [  OK  ]
>>>>>>> Stopping httpd:                                            [FAILED]
>>>>>>> Stopping pki-ca:                                           [  OK  ]
>>>>>>> Shutting down dirsrv:
>>>>>>>     <MYREALM>...                                           [  OK  ]
>>>>>>>     PKI-IPA...                                             [  OK  ]
>>>>>>> Aborting ipactl
>>>>>>>
>>>>>>> # service ipa status
>>>>>>> Directory Service: STOPPED
>>>>>>> Failed to get list of services to probe status:
>>>>>>> Directory Server is stopped
>>>>>>> ###
>>>>>>>
>>>>>>> Do you know how to renew the SSL certificate used for the IPA Server?
>>>>>>>
>>>>>>> Best regards.
>>>>>>>
>>>>>>> Bahan
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> please run
>>>>>>>
>>>>>>> # ipactl start --force
>>>>>>> # getcert list (to detect which certificate is outdated, I suspect DS cert (or to get more info why it has not been renewed))
>>>>>>>
>>>>>>> If getcert does work (I'm not sure if it is able to work without httpd), you probably need to move time back to the past where the cert is valid, start IPA and try again.
>>>>>>>
>>>>>>> Please find the ID of the outdated certificate and try to resubmit it (CA and DS must be running)
>>>>>>>
>>>>>>> # getcert resubmit -i 20160914122036 (use your ID :) )
>>>>>>>
>>>>>>> This should renew the cert, check status with getcert list
>>>>>>>
>>>>>>> Move time back to future (if needed)
>>>>>>>
>>>>>>> Try to restart IPA
>>>>>>>
>>>>>>> Martin^2
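As an added example that is not part of the thread, here is a POSIX shell triage helper for the `getcert list` output format shown above. It flags every tracked request that is past its `expires:` date, `stuck`, in a `status` other than MONITORING, or carrying a `ca-error`; the expiry check is independent of status, so an expired cert is caught even when certmonger still reports MONITORING (the KDC-unreachable listing above). The sample listing, the realm EXAMPLE.TEST and the host name are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: triage `getcert list` output.
# Assumes the record layout shown in the thread: a "Request ID '...':" line
# followed by indented "status:", "ca-error:", "stuck:" and "expires:" lines.
# The listing below is constructed sample input (realm/host are placeholders).
SAMPLE_GETCERT=$(cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20140528063903':
        status: MONITORING
        stuck: no
        subject: CN=CA Audit,O=EXAMPLE.TEST
        expires: 2018-04-09 11:39:16 UTC
Request ID '20140528063919':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        subject: CN=ipa.example.test,O=EXAMPLE.TEST
        expires: 2016-05-28 06:39:18 UTC
Request ID '20140528064145':
        status: MONITORING
        ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm 'EXAMPLE.TEST'.
        stuck: no
        subject: CN=ipa.example.test,O=EXAMPLE.TEST
        expires: 2016-05-28 06:41:44 UTC
EOF
)

# cert_report NOW   (getcert output on stdin; NOW is "YYYY-MM-DD HH:MM:SS" in UTC)
# Prints "ID<TAB>reason[,reason...]" for each request that is past its expiry,
# stuck, in a status other than MONITORING, or carrying a ca-error. Expiry is
# checked on its own, so an expired cert is reported even if status is still
# MONITORING (as in the listing taken while the KDC was down).
cert_report() {
    awk -v now="$1" '
        function flush(    r) {
            if (id == "") return
            r = ""
            if (expires != "" && expires < now) r = r ",expired"
            if (stuck == "yes")                  r = r ",stuck"
            if (status != "MONITORING")          r = r ",status=" status
            if (caerr != "")                     r = r ",ca-error"
            if (r != "") print id "\t" substr(r, 2)
        }
        /^Request ID /     { flush(); id = $3; gsub(/[^0-9]/, "", id)
                             status = ""; stuck = ""; expires = ""; caerr = "" }
        $1 == "status:"    { status = $2 }
        $1 == "stuck:"     { stuck = $2 }
        $1 == "expires:"   { expires = $2 " " $3 }   # ISO form compares as text
        $1 == "ca-error:"  { caerr = $0 }
        END { flush() }
    '
}

# Run the triage over the sample as of the thread date (14 Sep 2016, UTC).
report_sample() {
    printf '%s\n' "$SAMPLE_GETCERT" | cert_report "2016-09-14 15:57:00"
}

report_sample
```

Feed real output with `getcert list | cert_report "$(date -u '+%Y-%m-%d %H:%M:%S')"`; on a box whose clock has been moved back, as in the thread, pass the true date instead so the expiry column is judged against reality.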
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project