[Freeipa-users] Re: certificate has expired?

2017-06-08 Thread Roberto Cornacchia via FreeIPA-users
Relatively good news: The current error (Insufficient access: Principal 'HTTP/spinque04.hq.spinque@hq.spinque.com' is not permitted to use CA '.' with profile 'caIPAserviceCert' for certificate issuance.) might not be due to the package upgrade. I looked at the journal of 16 Feb 2017 (28

[Freeipa-users] Re: certificate has expired?

2017-06-08 Thread Roberto Cornacchia via FreeIPA-users
Hi Florence, I just posted that the problem is solved, but thanks for coming back to me! Now (on the fixed system) I get: $ getcert list-cas -c IPA CA 'IPA': is-default: no ca-type: EXTERNAL helper-location: /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit One thing I

[Freeipa-users] Re: certificate has expired?

2017-06-08 Thread Roberto Cornacchia via FreeIPA-users
It seems solved now, reporting back. It looks to me like in February, when the certificate renewal failed, I had hit the bug described here: https://www.redhat.com/archives/freeipa-users/2016-February/msg00441.html Yesterday I updated the packages, including the fix to this bug, but then I still

[Freeipa-users] Re: certificate has expired?

2017-06-08 Thread Florence Blanc-Renaud via FreeIPA-users
On 06/07/2017 11:25 PM, Roberto Cornacchia wrote: Relatively good news: The current error (Insufficient access: Principal 'HTTP/spinque04.hq.spinque@hq.spinque.com' is not permitted to use CA '.' with profile 'caIPAserviceCert' for

[Freeipa-users] Re: certificate has expired?

2017-06-07 Thread Rob Crittenden via FreeIPA-users
Roberto Cornacchia via FreeIPA-users wrote: > Sorry for accidentally dropping freeipa-users. > > I was impatient so went back in time before your answer, but I did choose > a good date > > Before this, I had the following two entries with an expired date: > > Request ID '20150316184508': >

[Freeipa-users] Re: certificate has expired?

2017-06-07 Thread Roberto Cornacchia via FreeIPA-users
Sorry for accidentally dropping freeipa-users. I was impatient so went back in time before your answer, but I did choose a good date Before this, I had the following two entries with an expired date: Request ID '20150316184508': status: NEED_TO_SUBMIT ca-error: Error setting up ccache for "host"

[Freeipa-users] Re: certificate has expired?

2017-06-07 Thread Rob Crittenden via FreeIPA-users
Roberto Cornacchia via FreeIPA-users wrote: > OK, I did so and httpd restarts. > > $ openssl s_client -connect 127.0.0.1:443 -showcerts > CONNECTED(0003) > depth=1 O = HQ.SPINQUE.COM, CN = Certificate > Authority > verify return:1 > depth=0 O =

[Freeipa-users] Re: certificate has expired?

2017-06-07 Thread John Keates via FreeIPA-users
Looks to me like Apache isn’t using the correct certificate, or the correct certificate was never installed. But I don’t know enough about FreeIPA’s certificate replacement process to know which one it is. Aside from digging deeper and checking to see where Apache is looking for certificates

[Freeipa-users] Re: certificate has expired?

2017-06-07 Thread Roberto Cornacchia via FreeIPA-users
OK, I did so and httpd restarts. $ openssl s_client -connect 127.0.0.1:443 -showcerts CONNECTED(0003) depth=1 O = HQ.SPINQUE.COM, CN = Certificate Authority verify return:1 depth=0 O = HQ.SPINQUE.COM, CN = spinque04.hq.spinque.com verify error:num=10:certificate has expired notAfter=Mar 16

[Freeipa-users] Re: certificate has expired?

2017-06-07 Thread John Keates via FreeIPA-users
I would suggest doing what the last line says: Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved. Then, you can check the certificates and maybe refresh it if it is actually expired. John > On 7 Jun 2017, at 14:39, Roberto Cornacchia via