[Freeipa-users] HTTP certificate expired
Hi,

I have a production server that was not maintained and I see that the HTTP certificate has expired long ago. I tried to renew it but I'm not being able to get it right.

The initial status was:

    Request ID '20191219011208':
        status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
        stuck: yes
        key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
        certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'

Then following this thread
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/GLFHCL2DW4LD2GQTTAZRYSXUGQQXD67Q/
I got it to this state:

    Request ID '20191219011208':
        status: MONITORING
        ca-error: Server at https://dc1.tnu.com.uy/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https:///ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/X-443-RSA'
        certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'

The post indicates that I have to put an old date in the server to get it renewed, but as the server is in production, it means that all clients will fail to log in to the server. Even more, what time should I return to, before the certificate expiration or right after?

Thanks in advance

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

[Freeipa-users] http Certificate expired
Have had a small FreeIPA setup running for some time, but today I was unable to log in at the web GUI on the master. It was possible to log in at the replica, but if I try to delete a host I get:

    cannot connect to 'https://ipa.int.vink-slott.dk:443/ca/rest/certs/search?size=2147483647': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)

Indeed if I run a getcert list -c IPA on the master, one certificate is expired.

    Request ID '20190302094604':
        status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
        stuck: yes
        key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
        certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=INT.VINK-SLOTT.DK
        subject: CN=ipa.int.vink-slott.dk,O=INT.VINK-SLOTT.DK
        expires: 2019-04-22 15:33:08 CEST
        dns: ipa.int.vink-slott.dk
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes

All other certificates are valid and status: MONITORING

I tried different measures based on Google searches and old entries on this list. But all I have accomplished is to change the state to:

    Request ID '20190302094604':
        status: NEED_KEYINFO_READ_PIN
        stuck: yes
        key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pin set

At this state I am not sure that I added the correct pin. - And why this is suddenly a problem.
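
An added example, not part of either message and not FreeIPA or certmonger code: a small Python check that parses `getcert list` output in the layout quoted above and reports tracking requests that are stuck, expired or close to expiry, so the condition is noticed before logins start failing. The sample input and the second request ID are constructed, and ignoring the time-zone abbreviation after `expires:` is a simplifying assumption.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the `getcert list` output quoted in the messages above.
SAMPLE = """\
Request ID '20190302094604':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    expires: 2019-04-22 15:33:08 CEST
Request ID 'CONSTRUCTED-OK':
    status: MONITORING
    stuck: no
    expires: 2030-01-01 00:00:00 UTC
"""

def parse_requests(text):
    """Split `getcert list` output into one dict of fields per tracking request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line.strip())
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def findings(text, now, warn_days=28):
    """Return (request id, problem) pairs for stuck, expired or soon-expiring requests."""
    out = []
    for req in parse_requests(text):
        if req.get("stuck") == "yes":
            out.append((req["id"], "stuck in state " + req.get("status", "unknown")))
        if "expires" in req:
            # Assumption: the zone abbreviation is dropped; `now` is naive local time.
            expires = datetime.strptime(req["expires"][:19], "%Y-%m-%d %H:%M:%S")
            if expires <= now:
                out.append((req["id"], "expired %d days ago" % (now - expires).days))
            elif (expires - now).days <= warn_days:
                out.append((req["id"], "expires in %d days" % (expires - now).days))
    return out

if __name__ == "__main__":
    for req_id, problem in findings(SAMPLE, datetime.now()):
        print(req_id, problem)
```
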