Re: [Freeipa-users] Ipa replica cannot gen as cert expire which folder I should replace new cert???

2016-05-26 Thread Rob Crittenden

barry...@gmail.com wrote:

Externally signed CA - GoDaddy expired.

Already added the new one to the db /etc/https/alias / -L and configured the nickname map in
/etc/http/config.d/nss.conf
Already imported to /etc/slapd/PKI-IPA ... which nickname should I point to?
Already changed /etc/dirsrv/slapd-ABC-COM and the nickname map in dse.ldif

Started and stopped IPA with no cert issue, but server ipa prepare fails.

IPA replica still says cert expiry, anywhere I missed?



ipa-replica-prepare needs certificates, one for the new web server and
one for the new LDAP server. If certificates aren't provided on the CLI
it will attempt to get them from the IPA CA. Your CA is not working, hence
the failure.


rob



Thanks


2016-05-25 19:30 GMT+08:00 Martin Basti:



On 25.05.2016 04:36, Barry wrote:


Hi:

Which location should I renew the cert in?
Http/alias
Etc/dirsrv/slapd*

Enough?



We need to know if you have IPA configured with
* externally signed CA
* or self-signed CA
* or if you have any other certificates from different CAs

If I remember correctly you wrote in one email that you have a
certificate from GoDaddy, which certificate?

In case you have a self-signed CA certificate you should follow:
http://www.freeipa.org/page/Howto/CA_Certificate_Renewal

Martin

On 2016-05-24 at 10:01 PM, "Rob Crittenden" wrote:

barry...@gmail.com wrote:

hi all:


Thx, as title

ipa : ERROR cert validation failed for "CN=server.abc.com,O=WISER S.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
preparation of replica failed: cannot connect to 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
cannot connect to 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.


The root of all your problems is that your certificates are
expired. Fixing this should be your priority. This is probably
going to involve going back in time to when the certificates
are still valid, restarting IPA, restarting certmonger and
waiting for things to properly renew. It can take some time as
the certificates don't all renew at once.

I suspect that once renewed and returned to current time the
rest of your problems will, for the most part, go away.

rob






--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project





Re: [Freeipa-users] Ipa replica cannot gen as cert expire which folder I should replace new cert???

2016-05-25 Thread barrykfl
Externally signed CA - GoDaddy expired.

Already added the new one to the db /etc/https/alias / -L and configured the nickname map in
/etc/http/config.d/nss.conf
Already imported to /etc/slapd/PKI-IPA ... which nickname should I point to?
Already changed /etc/dirsrv/slapd-ABC-COM and the nickname map in dse.ldif

Started and stopped IPA with no cert issue, but server ipa prepare fails.

IPA replica still says cert expiry, anywhere I missed?


Thanks


2016-05-25 19:30 GMT+08:00 Martin Basti:

>
>
> On 25.05.2016 04:36, Barry wrote:
>
> Hi:
>
> Which location should I renew the cert in?
> Http/alias
> Etc/dirsrv/slapd*
>
> Enough?
>
>
> We need to know if you have IPA configured with
> * externally signed CA
> * or self-signed CA
> * or if you have any other certificates from different CAs
>
> If I remember correctly you wrote in one email that you have a certificate
> from GoDaddy, which certificate?
>
> In case you have a self-signed CA certificate you should follow:
> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>
> Martin
>
> On 2016-05-24 at 10:01 PM, "Rob Crittenden" wrote:
>
>> barry...@gmail.com wrote:
>>
>>> hi all:
>>>
>>>
>>> Thx, as title
>>>
>>> ipa : ERROR cert validation failed for "CN=server.abc.com,O=WISER S.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
>>> preparation of replica failed: cannot connect to 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>>> cannot connect to 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>>>
>>
>> The root of all your problems is that your certificates are expired.
>> Fixing this should be your priority. This is probably going to involve
>> going back in time to when the certificates are still valid, restarting
>> IPA, restarting certmonger and waiting for things to properly renew. It can
>> take some time as the certificates don't all renew at once.
>>
>> I suspect that once renewed and returned to current time the rest of your
>> problems will, for the most part, go away.
>>
>> rob
>>
>
>
>
>

Re: [Freeipa-users] Ipa replica cannot gen as cert expire which folder I should replace new cert???

2016-05-25 Thread Martin Basti



On 25.05.2016 04:36, Barry wrote:


Hi:

Which location should I renew the cert in?
Http/alias
Etc/dirsrv/slapd*

Enough?



We need to know if you have IPA configured with
* externally signed CA
* or self-signed CA
* or if you have any other certificates from different CAs

If I remember correctly you wrote in one email that you have a
certificate from GoDaddy, which certificate?


In case you have a self-signed CA certificate you should follow:
http://www.freeipa.org/page/Howto/CA_Certificate_Renewal


Martin
On 2016-05-24 at 10:01 PM, "Rob Crittenden" wrote:


barry...@gmail.com wrote:

hi all:


Thx, as title

ipa : ERROR cert validation failed for "CN=server.abc.com,O=WISER S.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
preparation of replica failed: cannot connect to 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
cannot connect to 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.


The root of all your problems is that your certificates are
expired. Fixing this should be your priority. This is probably
going to involve going back in time to when the certificates are
still valid, restarting IPA, restarting certmonger and waiting for
things to properly renew. It can take some time as the
certificates don't all renew at once.

I suspect that once renewed and returned to current time the rest
of your problems will, for the most part, go away.

rob






Re: [Freeipa-users] Ipa replica cannot gen as cert expire which folder I should replace new cert???

2016-05-24 Thread Barry
Hi:

Which location should I renew the cert in?
Http/alias
Etc/dirsrv/slapd*

Enough?
On 2016-05-24 at 10:01 PM, "Rob Crittenden" wrote:

> barry...@gmail.com wrote:
>
>> hi all:
>>
>>
>> Thx, as title
>>
>> ipa : ERROR cert validation failed for "CN=server.abc.com,O=WISER S.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
>> preparation of replica failed: cannot connect to 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>> cannot connect to 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>>
>
> The root of all your problems is that your certificates are expired.
> Fixing this should be your priority. This is probably going to involve
> going back in time to when the certificates are still valid, restarting
> IPA, restarting certmonger and waiting for things to properly renew. It can
> take some time as the certificates don't all renew at once.
>
> I suspect that once renewed and returned to current time the rest of your
> problems will, for the most part, go away.
>
> rob
>

Re: [Freeipa-users] Ipa replica cannot gen as cert expire which folder I should replace new cert???

2016-05-24 Thread Rob Crittenden

barry...@gmail.com wrote:

hi all:


Thx, as title

ipa : ERROR cert validation failed for "CN=server.abc.com,O=WISER S.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
preparation of replica failed: cannot connect to 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
cannot connect to 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.


The root of all your problems is that your certificates are expired. 
Fixing this should be your priority. This is probably going to involve 
going back in time to when the certificates are still valid, restarting 
IPA, restarting certmonger and waiting for things to properly renew. It 
can take some time as the certificates don't all renew at once.


I suspect that once renewed and returned to current time the rest of 
your problems will, for the most part, go away.


rob
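
The advice in the message above depends on knowing when each tracked certificate expired, so that the clock can be set to a moment when all of them are still valid. The following is an added example, not part of the original thread or of FreeIPA: it parses text in the layout of certmonger's `getcert list` output and reports which requests are expired and the earliest expiry. The sample output, request IDs and realm are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of certmonger's `getcert list` output;
# request IDs, realm and dates are invented for illustration.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20140520100001':
    status: CA_UNREACHABLE
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2016-05-19 10:00:01 UTC
Request ID '20140520100002':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2016-06-30 09:00:00 UTC
Request ID '20140520100003':
    status: NEED_TO_SUBMIT
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    expires: 2016-04-02 08:30:00 UTC
"""

def parse_getcert_list(text):
    """Return one dict per 'Request ID' stanza, with 'expires' as an aware UTC datetime."""
    requests, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Request ID '([^']+)':$", line)
        if m:
            cur = {"id": m.group(1)}
            requests.append(cur)
        elif cur is not None and ": " in line:
            key, value = line.split(": ", 1)
            if key == "expires":
                value = datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
            cur[key] = value
    return requests

def expiry_report(text, now):
    """List expired and still-valid request IDs at `now`, plus the earliest expiry."""
    reqs = sorted((r for r in parse_getcert_list(text) if "expires" in r),
                  key=lambda r: r["expires"])
    return {
        "expired": [r["id"] for r in reqs if r["expires"] <= now],
        "valid": [r["id"] for r in reqs if r["expires"] > now],
        # A clock set back for renewal has to be earlier than this moment.
        "earliest_expiry": reqs[0]["expires"] if reqs else None,
    }

if __name__ == "__main__":
    print(expiry_report(SAMPLE, datetime(2016, 5, 26, tzinfo=timezone.utc)))
```

The `certificate:` field of each expired request shows which NSS database and nickname the certificate lives in.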



[Freeipa-users] Ipa replica cannot gen as cert expire which folder I should replace new cert???

2016-05-24 Thread barrykfl
hi all:


Thx, as title

ipa : ERROR cert validation failed for "CN=server.abc.com,O=WISER S.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
preparation of replica failed: cannot connect to 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
cannot connect to 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.