After httpd failed to start even with "NSSEnforceValidCerts off" in /etc/httpd/conf.d/nss.conf. It used to work for a while since we use this only for Zimbra, but today it won't start anymore.
We are not using commercial certs, so which steps should I follow to renew certs? It seems the CA expired more than 2 weeks ago.

# ipa-getcert list
Number of certificates and requests being tracked: 7.
Request ID '20130112120232':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DOMAIN-COM-MY/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=DOMAIN.COM.MY
    subject: CN=ipa.domain.com.my,O=DOMAIN.COM.MY
    expires: 2016-12-16 16:18:27 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DOMAIN-COM-MY
    track: yes
    auto-renew: yes
Request ID '20130112120734':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=DOMAIN.COM.MY
    subject: CN=ipa.domain.com.my,O=DOMAIN.COM.MY
    expires: 2016-12-16 16:18:27 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes

# rpm -qa | grep ipa
freeipa-admintools-3.1.0-2.fc18.x86_64
freeipa-server-3.1.0-2.fc18.x86_64
libipa_hbac-python-1.9.3-1.fc18.x86_64
python-iniparse-0.4-6.fc18.noarch
freeipa-client-3.1.0-2.fc18.x86_64
freeipa-server-selinux-3.1.0-2.fc18.x86_64
freeipa-python-3.1.0-2.fc18.x86_64
libipa_hbac-1.9.3-1.fc18.x86_64
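
Added example, not part of the original message and not FreeIPA or certmonger code: a small parser for `ipa-getcert list` output like the listing above that flags tracked requests which are stuck, not in the MONITORING state, or past or near their `expires` date. The sample text is constructed from the values in the post, and the function names and the 28-day warning window are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout `ipa-getcert list` prints (second entry is made up).
SAMPLE = """Number of certificates and requests being tracked: 2.
Request ID '20130112120232':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: -504 (Peer's Certificate has expired.).
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert'
\tsubject: CN=ipa.domain.com.my,O=DOMAIN.COM.MY
\texpires: 2016-12-16 16:18:27 UTC
Request ID '20990101000000':
\tstatus: MONITORING
\tstuck: no
\tsubject: CN=host.example.test,O=EXAMPLE.TEST
\texpires: 2099-01-01 00:00:00 UTC
"""

def parse_getcert(text):
    """Return one dict per tracked request, keyed by the field names getcert prints."""
    requests, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1)}
            requests.append(cur)
        elif cur is not None and ":" in line:
            # Split on the first colon only: values such as ca-error contain colons too.
            key, _, value = line.strip().partition(":")
            cur[key.strip()] = value.strip()
    return requests

def triage(requests, now, warn_days=28):
    """List (request id, subject, problems) for every request that needs attention."""
    findings = []
    for r in requests:
        problems = []
        if r.get("status") != "MONITORING":
            problems.append("status=" + r.get("status", "unknown"))
        if r.get("stuck") == "yes":
            problems.append("stuck")
        if r.get("expires"):
            when = datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
            if when < now:
                problems.append(f"expired {(now - when).days}d ago")
            elif (when - now).days < warn_days:  # warn_days is an assumed threshold
                problems.append(f"expires in {(when - now).days}d")
        if problems:
            findings.append((r["id"], r.get("subject", ""), problems))
    return findings
```

Feeding it the real command output and `datetime.now(timezone.utc)` from a scheduled job gives warning before a tracked certificate lapses rather than after a service refuses to start.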