At first ip-getcert list hows certificate error

ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction, explaining:  Peer's Certificate has
expired.).

but after I changed ipa server's date to before expirate date, it shows

ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction, explaining:  couldn't connect to
host).

when I tried to start ipa with "service ipa start", all services would
fail, so I need to start one by one

systemctl start dirsrv@DOMAIN-COM-MY.service
systemctl status dirsrv@DOMAIN-COM-MY.service
systemctl start krb5kdc.service
systemctl status krb5kdc.service
systemctl start kadmin.service
systemctl status kadmin.service
systemctl start ipa_memcached.service
systemctl status ipa_memcached.service
systemctl start pki-tomcatd@pki-tomcat.service
systemctl status pki-tomcatd@pki-tomcat.service


# tail /var/log/messages
Jan  3 17:32:26 ipa systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Jan  3 17:32:29 ipa systemd[1]: Started PKI Tomcat Server pki-tomcat.
Jan  3 17:33:08 ipa certmonger[476]: 2016-01-03 17:33:08 [476] Server
failed request, will retry: -504 (libcurl failed to execute the HTTP
POST transaction, explaining:  couldn't connect to host).
Jan  3 17:33:12 ipa certmonger[476]: 2016-01-03 17:33:12 [476] Server
failed request, will retry: -504 (libcurl failed to execute the HTTP
POST transaction, explaining:  couldn't connect to host).

2017-03-03 13:20 GMT+08:00 Umarzuki Mochlis <umarz...@gmail.com>:
> After httpd failed to start even with "NSSEnforceValidCerts off" in
> /etc/httpd/conf.d/nss.conf
> It used to work for a while since we use this only for zimbra but
> today it won't start anymore.
>
> We are not using commercial certs, so which steps should I follow to
> renew certs?
>
> It seems CA has expired more than 2 weeks ago.
>
> #  ipa-getcert list
> Number of certificates and requests being tracked: 7.
> Request ID '20130112120232':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: -504 (libcurl
> failed to execute the HTTP POST transaction, explaining:  Peer's
> Certificate has expired.).
>         stuck: yes
>         key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-DOMAIN-COM-MY/pwdfile.txt'
>         certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=DOMAIN.COM.MY
>         subject: CN=ipa.domain.com.my,O=DOMAIN.COM.MY
>         expires: 2016-12-16 16:18:27 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
> DOMAIN-COM-MY
>         track: yes
>         auto-renew: yes
> Request ID '20130112120734':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: -504 (libcurl
> failed to execute the HTTP POST transaction, explaining:  Peer's
> Certificate has expired.).
>         stuck: yes
>         key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=DOMAIN.COM.MY
>         subject: CN=ipa.domain.com.my,O=DOMAIN.COM.MY
>         expires: 2016-12-16 16:18:27 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>         track: yes
>         auto-renew: yes
>
> # rpm -qa | grep ipa
> freeipa-admintools-3.1.0-2.fc18.x86_64
> freeipa-server-3.1.0-2.fc18.x86_64
> libipa_hbac-python-1.9.3-1.fc18.x86_64
> python-iniparse-0.4-6.fc18.noarch
> freeipa-client-3.1.0-2.fc18.x86_64
> freeipa-server-selinux-3.1.0-2.fc18.x86_64
> freeipa-python-3.1.0-2.fc18.x86_64
> libipa_hbac-1.9.3-1.fc18.x86_64

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to