Re: [Freeipa-users] FreeIPA webserver cert expired.

2012-07-18 Thread Paul Tader

On 6/29/12 5:14 PM, Rob Crittenden wrote:


This means that the keytab isn't working for certmonger. This could be a
couple of things. I'd try this first:

# kinit host/$(hostname) -kt /etc/krb5.keytab

And

# kvno host/$(hostname)

rob


Output below:

# kinit 

Re: [Freeipa-users] FreeIPA webserver cert expired.

2012-07-18 Thread Rob Crittenden

Paul Tader wrote:

Output 

Re: [Freeipa-users] FreeIPA webserver cert expired.

2012-07-18 Thread Paul Tader

On 7/18/12 3:58 PM, Paul Tader wrote:

On 6/29/12 5:14 PM, Rob Crittenden wrote:

This means that the keytab isn't working for certmonger. This could be a
couple of things. I'd try this first:

# kinit host/$(hostname) -kt /etc/krb5.keytab

And

# kvno 

Re: [Freeipa-users] FreeIPA webserver cert expired.

2012-06-29 Thread Paul Tader


Still working on this problem.  I've imported new self-signed certs
because I don't think I can renew expired certs and now all of the
entries list like this:


Request ID '20110706215145':
 status: NEED_CSR_GEN_TOKEN
 ca-error: Error setting up ccache for local host service using default keytab.
 stuck: yes
 key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
 certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=REALM.NET
 subject: CN=ipa01.domain.net,O=REALM.NET
 expires: 2012-06-03 20:19:49 UTC
 eku: id-kp-serverAuth
 track: yes
 auto-renew: yes


Any tips or suggestions? I've saved off the old files so I think I can 
go back to the expired certs.


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] FreeIPA webserver cert expired.

2012-06-29 Thread Rob Crittenden

This means that the keytab isn't working for certmonger. This could be a 
couple of things. I'd try this first:


# kinit host/$(hostname) -kt /etc/krb5.keytab

And

# kvno host/$(hostname)

rob

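Rob's two commands, wrapped into a script together with a check for one common cause of that "Error setting up ccache ... using default keytab" message: a host keytab whose key version (kvno) no longer matches what the KDC holds, so kinit with the keytab fails. This is an added example, not code from the thread or from FreeIPA; the host, realm and the sample klist -kt and kvno output are constructed, and the live check assumes MIT Kerberos client tools and that hostname returns the FQDN, as it does on an IPA server.

```shell
#!/bin/sh
# Added example, not code from the thread: automate the keytab check Rob
# suggests and compare the key version (kvno) in /etc/krb5.keytab with the
# one the KDC reports. A keytab whose kvno no longer matches the KDC is one
# common reason "kinit -kt" fails and certmonger reports "Error setting up
# ccache for local host service using default keytab".
# Assumed: MIT Kerberos tools (kinit, kvno, klist, kdestroy), the output
# layouts shown in the constructed samples, and `hostname` giving the FQDN.

# --- parsers (pure text, safe to run anywhere) ------------------------------

# stdin: `klist -kt` output; $1: principal without realm (host/fqdn)
# stdout: one kvno per matching keytab entry
keytab_kvnos() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && index($NF, p "@") == 1 { print $1 }'
}

# stdin: `kvno` output ("host/fqdn@REALM: kvno = 5"); stdout: the number
kdc_kvno() {
    awk -F'kvno = ' '/kvno = / { sub(/[^0-9].*/, "", $2); print $2 }'
}

# stdin: keytab kvnos; $1: the kvno the KDC reports
# returns 0 if the keytab holds that key version, 1 otherwise
keytab_matches_kdc() {
    while read -r have; do
        [ "$have" = "$1" ] && return 0
    done
    return 1
}

# --- constructed sample output (made-up host and realm) ---------------------

sample_klist() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 07/06/2011 16:51:09 host/ipa01.example.net@EXAMPLE.NET
   3 07/06/2011 16:51:09 host/ipa01.example.net@EXAMPLE.NET
   2 01/01/2011 10:00:00 nfs/ipa01.example.net@EXAMPLE.NET
EOF
}

sample_kvno() { echo 'host/ipa01.example.net@EXAMPLE.NET: kvno = 5'; }

# --- live check, run as root on the IPA server (./script --live) ------------

check_host_keytab() {
    princ="host/$(hostname)"
    kt=/etc/krb5.keytab
    # Private ccache: neither depends on nor clobbers the caller's tickets.
    KRB5CCNAME="FILE:/tmp/keytab-check.$$"; export KRB5CCNAME
    if kinit -kt "$kt" "$princ"; then
        echo "ok: $kt yields a TGT for $princ; KDC kvno $(kvno "$princ" | kdc_kvno)"
        kdestroy
        return 0
    fi
    kdestroy 2>/dev/null
    unset KRB5CCNAME
    # kvno needs a ticket; fall back to whatever the caller has (kinit admin).
    want=$(kvno "$princ" 2>/dev/null | kdc_kvno)
    if [ -z "$want" ]; then
        echo "keytab kinit failed and no TGT is available to ask the KDC; kinit admin and retry" >&2
        return 2
    fi
    if klist -kt "$kt" | keytab_kvnos "$princ" | keytab_matches_kdc "$want"; then
        echo "keytab has kvno $want but kinit still fails: check file permissions, realm and clock skew" >&2
    else
        have=$(klist -kt "$kt" | keytab_kvnos "$princ" | sort -u | tr '\n' ' ')
        echo "keytab kvno(s) ${have}do not match KDC kvno $want; fetch a new keytab with ipa-getkeytab" >&2
    fi
    return 1
}

# Offline demo: the sample keytab holds kvno 3, the KDC says 5 -> mismatch.
demo() {
    want=$(sample_kvno | kdc_kvno)
    if sample_klist | keytab_kvnos host/ipa01.example.net | keytab_matches_kdc "$want"; then
        echo match
    else
        echo "mismatch (keytab kvno differs from KDC kvno $want)"
    fi
}

if [ "${1:-}" = "--live" ]; then check_host_keytab; else demo; fi
```

Run it with --live as root on the server. If the keytab's kvno lags the KDC, ipa-getkeytab can fetch a fresh host keytab, but on the FreeIPA releases of this era it generates a new key, so any other copy of that keytab stops working at the same moment.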

Re: [Freeipa-users] FreeIPA webserver cert expired.

2012-06-11 Thread Paul Tader


(Sorry for the delayed reply)

No luck with setting the date back and resubmitting the certificate.



# /etc/init.d/ntpd stop
Stopping ntpd (via systemctl): [  OK  ]

# date 060112002012
Fri Jun  1 12:00:00 CDT 2012

# /etc/init.d/httpd stop
Stopping httpd (via systemctl):[  OK  ]
# /etc/init.d/httpd start
Starting httpd (via systemctl):[  OK  ]

# ipa-getcert resubmit -i 20110706215145
Resubmitting 20110706215145 to IPA.

# ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20110706215109':
 status: CA_UNREACHABLE
 ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining:  SSL connect error).
 stuck: yes
 key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-CTIDATA-NET//pwdfile.txt'
 certificate: type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=REALM.NET
 subject: CN=srv01.company.net,O=REALM.NET
 expires: 2012-06-03 20:19:49 UTC
 eku: id-kp-serverAuth
 track: yes
 auto-renew: yes
Request ID '20110706215129':
 status: CA_UNREACHABLE
 ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining:  SSL connect error).
 stuck: yes
 key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
 certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=REALM.NET
 subject: CN=srv01.company.net,O=REALM.NET
 expires: 2012-06-03 20:19:49 UTC
 eku: id-kp-serverAuth
 track: yes
 auto-renew: yes
Request ID '20110706215145':
 status: GENERATING_CSR
 ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Unauthorized)).
 stuck: no
 key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
 certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=REALM.NET
 subject: CN=srv01.company.net,O=REALM.NET
 expires: 2012-06-03 20:19:49 UTC
 eku: id-kp-serverAuth
 track: yes
 auto-renew: yes



Re: [Freeipa-users] FreeIPA webserver cert expired.

2012-06-05 Thread JR Aquino
On Jun 5, 2012, at 11:18 AM, Paul Tader wrote:

 A couple days ago my (apache) certificates expired.  Users are able to kinit 
 but tools such as sudo fail because of the expired certificates. Lots of 
 reading/Google'ing later I found this script (steps) to renew these certs:

I'm just curious, but, isn't certmonger supposed to automatically renew these?  
Is certmonger failing in this case?



Re: [Freeipa-users] FreeIPA webserver cert expired.

2012-06-05 Thread Rob Crittenden

Yes, the first thing to do is figure out why certmonger didn't 
automatically renew the certificates. Then it should be as simple as 
setting the date back, letting certmonger do its thing, then setting it 
forward again.


That is very strange certmonger output. You might try setting the date 
back a couple of days and trying something like:


ipa-getcert resubmit -i 20110706215145

And see what the status goes to.

rob

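The clock-rollback renewal Rob outlines, and the ipa-getcert list output Paul posted, as one script: it parses the tracking output to show which requests are stuck or already expired, and only when run with --live winds the clock back, resubmits the request and polls until certmonger reports MONITORING. This is an added example, not code from the thread or from FreeIPA/certmonger. The sample output, host name and realm are constructed; ipactl restart, GNU date -s and the SysV-style ntpd script the thread used are assumptions about the server.

```shell
#!/bin/sh
# Added example, not code from the thread: triage `ipa-getcert list` output
# and, only when invoked as `--live <request-id> "<YYYY-MM-DD HH:MM:SS>"` on
# the IPA server, carry out the clock-rollback renewal Rob describes.
# Assumed: the text layout certmonger printed in the thread, GNU `date -s`,
# the SysV-style ntpd script the thread used, and `ipactl` for restarting
# the IPA services (the thread restarted httpd by hand).

# Constructed sample in the thread's layout (made-up host and realm).
sample_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20110706215109':
  status: CA_UNREACHABLE
  ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining:  SSL connect error).
  stuck: yes
  key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-NET//pwdfile.txt'
  certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=EXAMPLE.NET
  subject: CN=ipa01.example.net,O=EXAMPLE.NET
  expires: 2012-06-03 20:19:49 UTC
Request ID '20110706215145':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=EXAMPLE.NET
  subject: CN=ipa01.example.net,O=EXAMPLE.NET
  expires: 2014-06-03 20:19:49 UTC
EOF
}

# stdin: `ipa-getcert list` output
# stdout: "<request-id> <status> <stuck> <expires-date> <expires-time>" per request
summarize_requests() {
    awk '
    function emit() {
        if (id != "") printf "%s %s %s %s %s\n", id, status, stuck, exp_d, exp_t
    }
    /^Request ID/ {
        emit()
        id = $3; gsub(/[^A-Za-z0-9._-]/, "", id)
        status = "?"; stuck = "?"; exp_d = "?"; exp_t = "?"
        next
    }
    /^[ \t]*status:/  { status = $2 }
    /^[ \t]*stuck:/   { stuck = $2 }
    /^[ \t]*expires:/ { exp_d = $2; exp_t = $3 }
    END { emit() }'
}

# Requests certmonger marks stuck, or that are not simply MONITORING a good cert.
needs_attention() {
    summarize_requests | awk '$3 == "yes" || $2 != "MONITORING" { print $1, $2 }'
}

# Requests whose certificate expired before "$1" (UTC, "YYYY-MM-DD HH:MM:SS").
# A plain string compare is correct for this fixed-width timestamp layout.
expired_by() {
    summarize_requests | awk -v now="$1" '($4 " " $5) < now { print $1 }'
}

# Rob's procedure, automated. $1 = request ID, $2 = a time before the expiry.
# Caveat: every time-based check on the host (Kerberos ticket lifetimes, log
# timestamps, 389-ds replication CSNs) sees the rolled-back clock, so do this
# in a maintenance window and put the clock right before doing anything else.
renew_with_clock_rollback() {
    req="$1"; back_to="$2"
    /etc/init.d/ntpd stop                 # keep ntpd from correcting the clock
    date -s "$back_to"
    ipactl restart                        # all IPA services, not only httpd
    ipa-getcert resubmit -i "$req"
    n=0; st=""
    while [ "$n" -lt 30 ]; do             # poll for up to ~5 minutes
        st=$(ipa-getcert list -i "$req" | awk '/^[ \t]*status:/ { print $2 }')
        [ "$st" = "MONITORING" ] && break
        sleep 10; n=$((n + 1))
    done
    # Always resync time, even on failure. If ntpd is not started with -g,
    # step the clock with ntpdate against your NTP server first.
    /etc/init.d/ntpd start
    [ "$st" = "MONITORING" ]              # exit status: did the renewal finish?
}

case "${1:-}" in
    --live) renew_with_clock_rollback "$2" "$3" ;;
    *)      sample_list | needs_attention ;;
esac
```

With the functions sourced on the server, ipa-getcert list | needs_attention shows which request IDs to hand to the rollback. As Rob says, find out first why certmonger did not renew on its own; the rollback only buys a new validity period, and a certificate renewed over an unfixed cause expires the same way next time. The status strings and text layout are certmonger's from 2012 and may differ on newer versions.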