Now users complaining that passwords that have been reset cannot be
used to log in.

I also tried resubmit getcert but 2 resubmit failed

[root@ipa ~]# getcert list
Number of certificates and requests being tracked: 7.
Request ID '20130112120226':
    status: MONITORING
    stuck: no
    key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='932018712055'
    certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=DOA.GOV.MY
    subject: CN=CA Audit,O=DOA.GOV.MY
    expires: 2016-11-24 16:19:25 UTC
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20130112120227':
    status: MONITORING
    stuck: no
    key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='932018712055'
    certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=DOA.GOV.MY
    subject: CN=OCSP Subsystem,O=DOA.GOV.MY
    expires: 2016-11-24 16:18:25 UTC
    eku: id-kp-OCSPSigning
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20130112120228':
    status: MONITORING
    stuck: no
    key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='932018712055'
    certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=DOA.GOV.MY
    subject: CN=CA Subsystem,O=DOA.GOV.MY
    expires: 2016-11-24 16:18:25 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20130112120229':
    status: MONITORING
    stuck: no
    key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=DOA.GOV.MY
    subject: CN=IPA RA,O=DOA.GOV.MY
    expires: 2016-11-24 16:18:25 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20130112120230':
    status: MONITORING
    stuck: no
    key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='932018712055'
    certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=DOA.GOV.MY
    subject: CN=ipa.domain.com.my,O=DOA.GOV.MY
    expires: 2016-11-24 16:18:25 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_pkicad
"Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20130112120232':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at
server.  Certificate operation cannot be completed: Unable to
communicate with CMS (Internal Server Error)).
    stuck: yes
    key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-DOMAIN-COM-MY/pwdfile.txt'
    certificate:
type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS
Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=DOA.GOV.MY
    subject: CN=ipa.domain.com.my,O=DOA.GOV.MY
    expires: 2016-12-16 16:18:27 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DOMAIN-COM-MY
    track: yes
    auto-renew: yes
Request ID '20130112120734':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at
server.  Certificate operation cannot be completed: Unable to
communicate with CMS (Internal Server Error)).
    stuck: yes
    key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=DOA.GOV.MY
    subject: CN=ipa.domain.com.my,O=DOA.GOV.MY
    expires: 2016-12-16 16:18:27 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes

What are my options?


2017-03-03 21:20 GMT+08:00 Umarzuki Mochlis <umarz...@gmail.com>:
> At first ip-getcert list hows certificate error
>
> ca-error: Server failed request, will retry: -504 (libcurl failed to
> execute the HTTP POST transaction, explaining:  Peer's Certificate has
> expired.).
>
> but after I changed ipa server's date to before expirate date, it shows
>
> ca-error: Server failed request, will retry: -504 (libcurl failed to
> execute the HTTP POST transaction, explaining:  couldn't connect to
> host).
>
> when I tried to start ipa with "service ipa start", all services would
> fail, so I need to start one by one
>
> systemctl start dirsrv@DOMAIN-COM-MY.service
> systemctl status dirsrv@DOMAIN-COM-MY.service
> systemctl start krb5kdc.service
> systemctl status krb5kdc.service
> systemctl start kadmin.service
> systemctl status kadmin.service
> systemctl start ipa_memcached.service
> systemctl status ipa_memcached.service
> systemctl start pki-tomcatd@pki-tomcat.service
> systemctl status pki-tomcatd@pki-tomcat.service
>
>
> # tail /var/log/messages
> Jan  3 17:32:26 ipa systemd[1]: Starting PKI Tomcat Server pki-tomcat...
> Jan  3 17:32:29 ipa systemd[1]: Started PKI Tomcat Server pki-tomcat.
> Jan  3 17:33:08 ipa certmonger[476]: 2016-01-03 17:33:08 [476] Server
> failed request, will retry: -504 (libcurl failed to execute the HTTP
> POST transaction, explaining:  couldn't connect to host).
> Jan  3 17:33:12 ipa certmonger[476]: 2016-01-03 17:33:12 [476] Server
> failed request, will retry: -504 (libcurl failed to execute the HTTP
> POST transaction, explaining:  couldn't connect to host).
>
> 2017-03-03 13:20 GMT+08:00 Umarzuki Mochlis <umarz...@gmail.com>:
>> After httpd failed to start even with "NSSEnforceValidCerts off" in
>> /etc/httpd/conf.d/nss.conf
>> It used to work for a while since we use this only for zimbra but
>> today it won't start anymore.
>>
>> We are not using commercial certs, so which steps should I follow to
>> renew certs?
>>
>> It seems CA has expired more than 2 weeks ago.
>>
>> #  ipa-getcert list
>> Number of certificates and requests being tracked: 7.
>> Request ID '20130112120232':
>>         status: CA_UNREACHABLE
>>         ca-error: Server failed request, will retry: -504 (libcurl
>> failed to execute the HTTP POST transaction, explaining:  Peer's
>> Certificate has expired.).
>>         stuck: yes
>>         key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/dirsrv/slapd-DOMAIN-COM-MY/pwdfile.txt'
>>         certificate:
>> type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS
>> Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=DOMAIN.COM.MY
>>         subject: CN=ipa.domain.com.my,O=DOMAIN.COM.MY
>>         expires: 2016-12-16 16:18:27 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
>> DOMAIN-COM-MY
>>         track: yes
>>         auto-renew: yes
>> Request ID '20130112120734':
>>         status: CA_UNREACHABLE
>>         ca-error: Server failed request, will retry: -504 (libcurl
>> failed to execute the HTTP POST transaction, explaining:  Peer's
>> Certificate has expired.).
>>         stuck: yes
>>         key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>         certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=DOMAIN.COM.MY
>>         subject: CN=ipa.domain.com.my,O=DOMAIN.COM.MY
>>         expires: 2016-12-16 16:18:27 UTC
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>         track: yes
>>         auto-renew: yes
>>
>> # rpm -qa | grep ipa
>> freeipa-admintools-3.1.0-2.fc18.x86_64
>> freeipa-server-3.1.0-2.fc18.x86_64
>> libipa_hbac-python-1.9.3-1.fc18.x86_64
>> python-iniparse-0.4-6.fc18.noarch
>> freeipa-client-3.1.0-2.fc18.x86_64
>> freeipa-server-selinux-3.1.0-2.fc18.x86_64
>> freeipa-python-3.1.0-2.fc18.x86_64
>> libipa_hbac-1.9.3-1.fc18.x86_64

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to