Not being able to log in to the admin console, I checked the httpd log and
found the following errors:

[Wed Jun 07 12:50:59.352022 2017] [:error] [pid 10240] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
[Wed Jun 07 12:50:59.353372 2017] [:error] [pid 10237] SSL Library Error: -8181 Certificate has expired
[Wed Jun 07 12:50:59.353395 2017] [:error] [pid 10237] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
[Wed Jun 07 12:50:59.986025 2017] [core:error] [pid 11522] AH00546: no record of generation 47 of exiting child 10203

I also get an error during enrollment of a new client (which seems to
retrieve a valid certificate anyway):

Password for ad...@hq.spinque.com:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=HQ.SPINQUE.COM
    Issuer:      CN=Certificate Authority,O=HQ.SPINQUE.COM
    Valid From:  Mon Mar 16 18:44:35 2015 UTC
    Valid Until: Fri Mar 16 18:44:35 2035 UTC

Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining:  TCP connection reset by peer

Services are up:

$ ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful


Certificate monitoring seems ok:

$ getcert list -d /etc/httpd/alias -n ipaCert
Number of certificates and requests being tracked: 8.
Request ID '20160501114633':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=HQ.SPINQUE.COM
subject: CN=IPA RA,O=HQ.SPINQUE.COM
expires: 2019-01-26 19:41:51 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes

Version:

$ ipa --version
VERSION: 4.4.3, API_VERSION: 2.215

Could you please point me at what else to check?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
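
The httpd log above names 'Server-Cert', while the getcert query shown was limited to the ipaCert nickname. This added example (not part of the original post, and not FreeIPA code) parses `getcert list` output for every tracked request and flags expired or soon-to-expire certificates. The sample text is constructed: the Server-Cert record's request ID, status and expiry date are invented, and `parse_getcert`, `expiry_report` and `warn_days` are names chosen here.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of `getcert list` output. The ipaCert record
# mirrors the post; the Server-Cert record (ID, status, date) is invented.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20160501114633':
	status: MONITORING
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
	expires: 2019-01-26 19:41:51 UTC
Request ID '00000000000000':
	status: CA_UNREACHABLE
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	expires: 2017-06-01 00:00:00 UTC
"""

def parse_getcert(text):
    """Split `getcert list` text into one dict of fields per tracking request."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1)}
            records.append(cur)
        elif cur is not None and ":" in line:
            # "key: value" field; split on the first colon only
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()
    return records

def expiry_report(text, now, warn_days=30):
    """Return (nickname, state, status) for every request that has an expiry."""
    report = []
    for rec in parse_getcert(text):
        if "expires" not in rec:
            continue  # request without an issued certificate yet
        expires = datetime.strptime(rec["expires"], "%Y-%m-%d %H:%M:%S UTC")
        expires = expires.replace(tzinfo=timezone.utc)
        nick = re.search(r"nickname='([^']+)'", rec.get("certificate", ""))
        state = ("EXPIRED" if expires <= now else
                 "EXPIRING" if expires - now <= timedelta(days=warn_days) else "OK")
        report.append((nick.group(1) if nick else rec["id"], state, rec.get("status")))
    return report

if __name__ == "__main__":
    for row in expiry_report(SAMPLE, datetime.now(timezone.utc)):
        print(*row)
```

Feed it the text of `getcert list` run without `-n` so that every tracked request is covered, not a single nickname.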
