Re: [Freeipa-users] Certificate format error: [Errno -8018]

2014-01-29 Thread Rob Crittenden

craig.free...@noboost.org wrote:

On Tue, Jan 28, 2014 at 01:25:56PM -0500, Rob Crittenden wrote:

craig.free...@noboost.org wrote:

On Thu, Jan 23, 2014 at 09:21:54AM -0500, Rob Crittenden wrote:

Alexander Bokovoy wrote:

On Thu, 23 Jan 2014, craig.free...@noboost.org wrote:

Hi Guys,

I'm sure this is an easy issue to fix!

First the specs;
Red Hat Enterprise Linux Server release 6.3 (Santiago)
ipa-client-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64


Issue:
When I click on the hosts TAB from inside the Identity Management GUI, I
get the following error;
* Certificate format error: [Errno -8018] None (repeated many times)

* Cannot connect to
'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':

[Errno -8018] None

Also seen this error;
cannot connect to
'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':
[Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
certificate as expired.


Any advice would be greatly appreciated!

http://www.freeipa.org/page/Howto/CA_Certificate_Renewal

Since you have FreeIPA before 3.4, you need to follow manual procedure
outlined on that page. 2.2 might also be a bit different than 3.x but
this is a starting point.




For 2.x you want http://www.freeipa.org/page/IPA_2x_Certificate_Renewal

rob


Just running into a couple of issues with the manual SSL cert process;

1) ERROR when telling certmonger about all the CA certificates

#Command:
for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" \
    "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
do
 echo "$nickname"
 certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
done


#Result:
auditSigningCert cert-pki-ca
 Not After : Tue Jan 14 06:45:05 2014
ocspSigningCert cert-pki-ca
 Not After : Tue Jan 14 06:45:05 2014
subsystemCert cert-pki-ca
 Not After : Tue Jan 14 06:45:05 2014
Server-Cert cert-pki-ca
 Not After : Tue Jan 14 06:45:05 2014

#Command:
for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" \
    "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
do
 /usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n "${nickname}" \
   -c dogtag-ipa-renew-agent -P 70511423
done

#Result:
No CA with name dogtag-ipa-renew-agent found.
No CA with name dogtag-ipa-renew-agent found.
No CA with name dogtag-ipa-renew-agent found.
No CA with name dogtag-ipa-renew-agent found.


2)Upgrade instead?
I could potentially upgrade the ipa-server to 3.0.0-37.el6, would this
version be able to automatically update the certificates?

cya

Craig



You need certmonger-0.58-1 or higher to get the
dogtag-ipa-renew-agent CA and other fixes. I'll update the wiki with
that, sorry for the oversight.

You could try updating to 3.0. If you do decide to try upgrading I
think I'd go back in time when all the certs are valid first as some
services will be restarted during the upgrade and we don't want the
upgrade blowing up in the middle because of expired certs.

rob

I'll give the upgrade a go, say I go back to the older date and IPA
starts fine. Won't the certs still have a hard expiry date on them, so
I'll need to follow the
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal procedure?


It depends in part how far back in time you go. I'd go back a day or two 
before the oldest date (not all certs expire at the same time).


The upgrade will configure automatic renewal. I think what I'd recommend 
is do the upgrade then restart the certmonger service on the machine.


Run `getcert list` to check the status of the certs. After the restart 
they should all renew.


rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Certificate format error: [Errno -8018]

2014-01-29 Thread craig . freeipa
On Wed, Jan 29, 2014 at 09:15:50AM -0500, Rob Crittenden wrote:
 craig.free...@noboost.org wrote:
 On Tue, Jan 28, 2014 at 01:25:56PM -0500, Rob Crittenden wrote:
 craig.free...@noboost.org wrote:
 On Thu, Jan 23, 2014 at 09:21:54AM -0500, Rob Crittenden wrote:
 Alexander Bokovoy wrote:
 On Thu, 23 Jan 2014, craig.free...@noboost.org wrote:
 Hi Guys,
 
 I'm sure this is an easy issue to fix!
 
 First the specs;
 Red Hat Enterprise Linux Server release 6.3 (Santiago)
 ipa-client-2.2.0-16.el6.x86_64
 ipa-server-2.2.0-16.el6.x86_64
 
 
 Issue:
 When I click on the hosts TAB from inside the Identity Management GUI, I
 get the following error;
 * Certificate format error: [Errno -8018] None (repeated many times)
 
 * Cannot connect to
 'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':
 
 [Errno -8018] None
 
 Also seen this error;
 cannot connect to
 'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':
 [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
 certificate as expired.
 
 
 Any advice would be greatly appreciated!
 http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
 
 Since you have FreeIPA before 3.4, you need to follow manual procedure
 outlined on that page. 2.2 might also be a bit different than 3.x but
 this is a starting point.
 
 
 
 For 2.x you want http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
 
 rob
 
 Just running into a couple of issues with the manual SSL cert process;
 
 1) ERROR when telling certmonger about all the CA certificates
 
 #Command:
 for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" \
     "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
 do
  echo "$nickname"
  certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
 done
 
 
 #Result:
 auditSigningCert cert-pki-ca
  Not After : Tue Jan 14 06:45:05 2014
 ocspSigningCert cert-pki-ca
  Not After : Tue Jan 14 06:45:05 2014
 subsystemCert cert-pki-ca
  Not After : Tue Jan 14 06:45:05 2014
 Server-Cert cert-pki-ca
  Not After : Tue Jan 14 06:45:05 2014
 
 #Command:
 for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" \
     "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
 do
  /usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n "${nickname}" \
    -c dogtag-ipa-renew-agent -P 70511423
 done
 
 #Result:
 No CA with name dogtag-ipa-renew-agent found.
 No CA with name dogtag-ipa-renew-agent found.
 No CA with name dogtag-ipa-renew-agent found.
 No CA with name dogtag-ipa-renew-agent found.
 
 
 2)Upgrade instead?
 I could potentially upgrade the ipa-server to 3.0.0-37.el6, would this
 version be able to automatically update the certificates?
 
 cya
 
 Craig
 
 
 You need certmonger-0.58-1 or higher to get the
 dogtag-ipa-renew-agent CA and other fixes. I'll update the wiki with
 that, sorry for the oversight.
 
 You could try updating to 3.0. If you do decide to try upgrading I
 think I'd go back in time when all the certs are valid first as some
 services will be restarted during the upgrade and we don't want the
 upgrade blowing up in the middle because of expired certs.
 
 rob
 I'll give the upgrade a go, say I go back to the older date and IPA
 starts fine. Won't the certs still have a hard expiry date on them, so
 I'll need to follow the
 http://www.freeipa.org/page/IPA_2x_Certificate_Renewal procedure?
 
 It depends in part how far back in time you go. I'd go back a day or
 two before the oldest date (not all certs expire at the same time).
 
 The upgrade will configure automatic renewal. I think what I'd
 recommend is do the upgrade then restart the certmonger service on
 the machine.
 
 Run `getcert list` to check the status of the certs. After the
 restart they should all renew.
 
 rob
Well progress :) just not quite fully fixed, seems three certificates have 
updated just not the others yet. Do I need to tell them to update, or let the 
server roll over until it hits Jan 14?

Server: Red Hat Enterprise Linux Server release 6.5 (Santiago)
ipa-server-3.0.0-37.el6.x86_64
ipa-client-3.0.0-37.el6.x86_64
---
~/Scriptsdate
Sat Jan 11 19:29:02 EST 2014
---
~/Scriptscertutil -L -d /etc/httpd/alias -n ipaCert | grep After
Not After : Fri Jan 01 07:44:45 2016
---
Ran script:
for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" \
    "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
do
echo "$nickname"
certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
done

---
auditSigningCert cert-pki-ca
Not After : Thu Jul 10 07:45:42 2014
Not After : Tue Jan 14 06:45:05 2014
ocspSigningCert cert-pki-ca
Not After : Fri Jan 01 07:44:43 2016
subsystemCert cert-pki-ca
Not After : Fri Jan 01 07:44:44 2016
Server-Cert cert-pki-ca
Not After : Tue Jan 14 06:45:05 2014
---

The apache cert did update which is good!
~/Scriptscertutil -L -d /etc/httpd/alias 

Re: [Freeipa-users] Certificate format error: [Errno -8018]

2014-01-29 Thread Rob Crittenden

craig.free...@noboost.org wrote:

Well progress :) just not quite fully fixed, seems three certificates have updated just 
not the others yet. Do I need to tell them to update, or let the server roll 
over until it hits Jan 14?

Server: Red Hat Enterprise Linux Server release 6.5 (Santiago)
ipa-server-3.0.0-37.el6.x86_64
ipa-client-3.0.0-37.el6.x86_64
---
~/Scriptsdate
Sat Jan 11 19:29:02 EST 2014
---
~/Scriptscertutil -L -d /etc/httpd/alias -n ipaCert | grep After
 Not After : Fri Jan 01 07:44:45 2016
---
Ran script:
for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" \
    "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
do
 echo "$nickname"
 certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
done

---
auditSigningCert cert-pki-ca
 Not After : Thu Jul 10 07:45:42 2014
 Not After : Tue Jan 14 06:45:05 2014
ocspSigningCert cert-pki-ca
 Not After : Fri Jan 01 07:44:43 2016
subsystemCert cert-pki-ca
 Not After : Fri Jan 01 07:44:44 2016
Server-Cert cert-pki-ca
 Not After : Tue Jan 14 06:45:05 2014
---

The apache cert did update which is good!
~/Scriptscertutil -L -d /etc/httpd/alias -n ipaCert | grep After
 Not After : Fri Jan 01 07:44:45 2016

cya

Craig



For those not yet renewed I'd do a getcert list to find them and getcert 
resubmit -i id to force renewal.


The CA won't start without a valid audit cert.

rob



Re: [Freeipa-users] Certificate format error: [Errno -8018]

2014-01-29 Thread craig . freeipa
On Wed, Jan 29, 2014 at 09:22:35PM -0500, Rob Crittenden wrote:
 craig.free...@noboost.org wrote:
 Well progress :) just not quite fully fixed, seems three certificates have 
 updated just not the others yet. Do I need to tell them to update, or let 
 the server roll over until it hits Jan 14?
 
 Server: Red Hat Enterprise Linux Server release 6.5 (Santiago)
 ipa-server-3.0.0-37.el6.x86_64
 ipa-client-3.0.0-37.el6.x86_64
 ---
 ~/Scriptsdate
 Sat Jan 11 19:29:02 EST 2014
 ---
 ~/Scriptscertutil -L -d /etc/httpd/alias -n ipaCert | grep After
  Not After : Fri Jan 01 07:44:45 2016
 ---
 Ran script:
 for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" \
     "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
 do
  echo "$nickname"
  certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
 done
 
 ---
 auditSigningCert cert-pki-ca
  Not After : Thu Jul 10 07:45:42 2014
  Not After : Tue Jan 14 06:45:05 2014
 ocspSigningCert cert-pki-ca
  Not After : Fri Jan 01 07:44:43 2016
 subsystemCert cert-pki-ca
  Not After : Fri Jan 01 07:44:44 2016
 Server-Cert cert-pki-ca
  Not After : Tue Jan 14 06:45:05 2014
 ---
 
 The apache cert did update which is good!
 ~/Scriptscertutil -L -d /etc/httpd/alias -n ipaCert | grep After
  Not After : Fri Jan 01 07:44:45 2016
 
 cya
 
 Craig
 
 
 For those not yet renewed I'd do a getcert list to find them and
 getcert resubmit -i id to force renewal.
 
 The CA won't start without a valid audit cert.
 
 rob
Thanks for all the help, looks like all is fixed. I moved the dates back
to normal and all the services are working :)

I did notice the auditSigningCert cert-pki-ca has two certificates, one old 
one and a new one. The getcert list command is only showing the new one, so I 
figure all is well. 


auditSigningCert cert-pki-ca
Certificate:
Validity:
Not Before: Sat Jan 11 07:45:42 2014
Not After : Thu Jul 10 07:45:42 2014

Data:
Validity:
Not Before: Wed Jan 25 06:45:05 2012
Not After : Tue Jan 14 06:45:05 2014

cya

Craig
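
The check discussed in this exchange (find the certificates that still need `getcert resubmit`, and cope with a nickname such as `auditSigningCert cert-pki-ca` that holds both an old and a renewed certificate) can be scripted. This is an added example, not code from the thread participants or from FreeIPA; the function names `sample_listing`, `expiry_report` and `needs_resubmit` are hypothetical, and the sample input is the listing posted earlier in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the "nickname / Not After"
# listing that the certutil loop in this thread prints.

# Sample input, copied from the listing posted in this thread.
sample_listing() {
cat <<'EOF'
auditSigningCert cert-pki-ca
 Not After : Thu Jul 10 07:45:42 2014
 Not After : Tue Jan 14 06:45:05 2014
ocspSigningCert cert-pki-ca
 Not After : Fri Jan 01 07:44:43 2016
subsystemCert cert-pki-ca
 Not After : Fri Jan 01 07:44:44 2016
Server-Cert cert-pki-ca
 Not After : Tue Jan 14 06:45:05 2014
EOF
}

# expiry_report "YYYY-MM-DD HH:MM:SS"
# Reads the listing on stdin and prints one line per nickname:
#   nickname|latest Not After (YYYYMMDDHHMMSS)|certificate count|status
# The reference time is assumed to be in the same time zone as the listing.
expiry_report() {
    awk -v ref="$1" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
        gsub(/[^0-9]/, "", ref)      # YYYYMMDDHHMMSS, comparable as text
    }
    # e.g. " Not After : Tue Jan 14 06:45:05 2014"
    /Not After/ {
        sub(/^.*Not After *: */, "") # fields are now: Dow Mon DD HH:MM:SS YYYY
        t = $4; gsub(/:/, "", t)
        stamp = sprintf("%04d%02d%02d%s", $5, mon[$2], $3, t)
        count[nick]++
        # A nickname can hold several certificates; keep the newest expiry.
        if (stamp > latest[nick]) latest[nick] = stamp
        next
    }
    # Any other non-empty line starts a new nickname.
    NF {
        sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
        nick = $0
        if (!(nick in count)) { order[++n] = nick; count[nick] = 0; latest[nick] = "" }
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (count[k] == 0)         s = "NOT_FOUND"
            else if (latest[k] <= ref) s = "EXPIRED"
            else                       s = "VALID"
            printf "%s|%s|%d|%s\n", k, latest[k], count[k], s
        }
    }'
}

# needs_resubmit "YYYY-MM-DD HH:MM:SS"
# Prints only the nicknames whose newest certificate is not valid at that time.
needs_resubmit() {
    expiry_report "$1" | awk -F"|" '$4 != "VALID" { print $1 }'
}

# Evaluate the sample against the real date of this exchange.
sample_listing | expiry_report "2014-01-29 00:00:00"
```

Pass the real current time as the reference, not the rolled-back system clock: against the rolled-back date every certificate in the sample reports as valid.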



Re: [Freeipa-users] Certificate format error: [Errno -8018]

2014-01-28 Thread Rob Crittenden

craig.free...@noboost.org wrote:

On Thu, Jan 23, 2014 at 09:21:54AM -0500, Rob Crittenden wrote:

Alexander Bokovoy wrote:

On Thu, 23 Jan 2014, craig.free...@noboost.org wrote:

Hi Guys,

I'm sure this is an easy issue to fix!

First the specs;
Red Hat Enterprise Linux Server release 6.3 (Santiago)
ipa-client-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64


Issue:
When I click on the hosts TAB from inside the Identity Management GUI, I
get the following error;
* Certificate format error: [Errno -8018] None (repeated many times)

* Cannot connect to
'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':

[Errno -8018] None

Also seen this error;
cannot connect to
'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':
[Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
certificate as expired.


Any advice would be greatly appreciated!

http://www.freeipa.org/page/Howto/CA_Certificate_Renewal

Since you have FreeIPA before 3.4, you need to follow manual procedure
outlined on that page. 2.2 might also be a bit different than 3.x but
this is a starting point.




For 2.x you want http://www.freeipa.org/page/IPA_2x_Certificate_Renewal

rob


Just running into a couple of issues with the manual SSL cert process;

1) ERROR when telling certmonger about all the CA certificates

#Command:
for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" \
    "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
do
 echo "$nickname"
 certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
done


#Result:
auditSigningCert cert-pki-ca
 Not After : Tue Jan 14 06:45:05 2014
ocspSigningCert cert-pki-ca
 Not After : Tue Jan 14 06:45:05 2014
subsystemCert cert-pki-ca
 Not After : Tue Jan 14 06:45:05 2014
Server-Cert cert-pki-ca
 Not After : Tue Jan 14 06:45:05 2014

#Command:
for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" \
    "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
do
 /usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n "${nickname}" \
   -c dogtag-ipa-renew-agent -P 70511423
done

#Result:
No CA with name dogtag-ipa-renew-agent found.
No CA with name dogtag-ipa-renew-agent found.
No CA with name dogtag-ipa-renew-agent found.
No CA with name dogtag-ipa-renew-agent found.


2)Upgrade instead?
I could potentially upgrade the ipa-server to 3.0.0-37.el6, would this
version be able to automatically update the certificates?

cya

Craig



You need certmonger-0.58-1 or higher to get the dogtag-ipa-renew-agent 
CA and other fixes. I'll update the wiki with that, sorry for the oversight.


You could try updating to 3.0. If you do decide to try upgrading I think 
I'd go back in time when all the certs are valid first as some services 
will be restarted during the upgrade and we don't want the upgrade 
blowing up in the middle because of expired certs.


rob



Re: [Freeipa-users] Certificate format error: [Errno -8018]

2014-01-28 Thread craig . freeipa
On Tue, Jan 28, 2014 at 01:25:56PM -0500, Rob Crittenden wrote:
 craig.free...@noboost.org wrote:
 On Thu, Jan 23, 2014 at 09:21:54AM -0500, Rob Crittenden wrote:
 Alexander Bokovoy wrote:
 On Thu, 23 Jan 2014, craig.free...@noboost.org wrote:
 Hi Guys,
 
 I'm sure this is an easy issue to fix!
 
 First the specs;
 Red Hat Enterprise Linux Server release 6.3 (Santiago)
 ipa-client-2.2.0-16.el6.x86_64
 ipa-server-2.2.0-16.el6.x86_64
 
 
 Issue:
 When I click on the hosts TAB from inside the Identity Management GUI, I
 get the following error;
 * Certificate format error: [Errno -8018] None (repeated many times)
 
 * Cannot connect to
 'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':
 
 [Errno -8018] None
 
 Also seen this error;
 cannot connect to
 'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':
 [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
 certificate as expired.
 
 
 Any advice would be greatly appreciated!
 http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
 
 Since you have FreeIPA before 3.4, you need to follow manual procedure
 outlined on that page. 2.2 might also be a bit different than 3.x but
 this is a starting point.
 
 
 
 For 2.x you want http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
 
 rob
 
 Just running into a couple of issues with the manual SSL cert process;
 
 1) ERROR when telling certmonger about all the CA certificates
 
 #Command:
 for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" \
     "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
 do
  echo "$nickname"
  certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
 done
 
 
 #Result:
 auditSigningCert cert-pki-ca
  Not After : Tue Jan 14 06:45:05 2014
 ocspSigningCert cert-pki-ca
  Not After : Tue Jan 14 06:45:05 2014
 subsystemCert cert-pki-ca
  Not After : Tue Jan 14 06:45:05 2014
 Server-Cert cert-pki-ca
  Not After : Tue Jan 14 06:45:05 2014
 
 #Command:
 for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" \
     "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
 do
  /usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n "${nickname}" \
    -c dogtag-ipa-renew-agent -P 70511423
 done
 
 #Result:
 No CA with name dogtag-ipa-renew-agent found.
 No CA with name dogtag-ipa-renew-agent found.
 No CA with name dogtag-ipa-renew-agent found.
 No CA with name dogtag-ipa-renew-agent found.
 
 
 2)Upgrade instead?
 I could potentially upgrade the ipa-server to 3.0.0-37.el6, would this
 version be able to automatically update the certificates?
 
 cya
 
 Craig
 
 
 You need certmonger-0.58-1 or higher to get the
 dogtag-ipa-renew-agent CA and other fixes. I'll update the wiki with
 that, sorry for the oversight.
 
 You could try updating to 3.0. If you do decide to try upgrading I
 think I'd go back in time when all the certs are valid first as some
 services will be restarted during the upgrade and we don't want the
 upgrade blowing up in the middle because of expired certs.
 
 rob
I'll give the upgrade a go, say I go back to the older date and IPA 
starts fine. Won't the certs still have a hard expiry date on them, so 
I'll need to follow the
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal procedure?

cya

Craig



Re: [Freeipa-users] Certificate format error: [Errno -8018]

2014-01-27 Thread craig . freeipa
On Thu, Jan 23, 2014 at 09:21:54AM -0500, Rob Crittenden wrote:
 Alexander Bokovoy wrote:
 On Thu, 23 Jan 2014, craig.free...@noboost.org wrote:
 Hi Guys,
 
 I'm sure this is an easy issue to fix!
 
 First the specs;
 Red Hat Enterprise Linux Server release 6.3 (Santiago)
 ipa-client-2.2.0-16.el6.x86_64
 ipa-server-2.2.0-16.el6.x86_64
 
 
 Issue:
 When I click on the hosts TAB from inside the Identity Management GUI, I
 get the following error;
 * Certificate format error: [Errno -8018] None (repeated many times)
 
 * Cannot connect to
  'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':
 
  [Errno -8018] None
 
 Also seen this error;
 cannot connect to
 'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':
 [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
 certificate as expired.
 
 
 Any advice would be greatly appreciated!
 http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
 
 Since you have FreeIPA before 3.4, you need to follow manual procedure
 outlined on that page. 2.2 might also be a bit different than 3.x but
 this is a starting point.
 
 
 
 For 2.x you want http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
 
 rob
 
Just running into a couple of issues with the manual SSL cert process;

1) ERROR when telling certmonger about all the CA certificates

#Command:
for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" \
    "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
do
echo "$nickname"
certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
done


#Result:
auditSigningCert cert-pki-ca
Not After : Tue Jan 14 06:45:05 2014
ocspSigningCert cert-pki-ca
Not After : Tue Jan 14 06:45:05 2014
subsystemCert cert-pki-ca
Not After : Tue Jan 14 06:45:05 2014
Server-Cert cert-pki-ca
Not After : Tue Jan 14 06:45:05 2014

#Command:
for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" \
    "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
do
/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n "${nickname}" \
  -c dogtag-ipa-renew-agent -P 70511423
done

#Result:
No CA with name dogtag-ipa-renew-agent found.
No CA with name dogtag-ipa-renew-agent found.
No CA with name dogtag-ipa-renew-agent found.
No CA with name dogtag-ipa-renew-agent found.


2)Upgrade instead?
I could potentially upgrade the ipa-server to 3.0.0-37.el6, would this
version be able to automatically update the certificates?

cya

Craig



[Freeipa-users] Certificate format error: [Errno -8018]

2014-01-22 Thread craig . freeipa
Hi Guys,

I'm sure this is an easy issue to fix!

First the specs;
Red Hat Enterprise Linux Server release 6.3 (Santiago)
ipa-client-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64


Issue:
When I click on the hosts TAB from inside the Identity Management GUI, I
get the following error;
* Certificate format error: [Errno -8018] None (repeated many times)

* Cannot connect to
  'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':
  [Errno -8018] None

Also seen this error;
cannot connect to 
'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':
[Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
certificate as expired.


Any advice would be greatly appreciated!

cya

Craig



Re: [Freeipa-users] Certificate format error: [Errno -8018]

2014-01-22 Thread Alexander Bokovoy

On Thu, 23 Jan 2014, craig.free...@noboost.org wrote:

Hi Guys,

I'm sure this is an easy issue to fix!

First the specs;
Red Hat Enterprise Linux Server release 6.3 (Santiago)
ipa-client-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64


Issue:
When I click on the hosts TAB from inside the Identity Management GUI, I
get the following error;
* Certificate format error: [Errno -8018] None (repeated many times)

* Cannot connect to
 'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':
 [Errno -8018] None

Also seen this error;
cannot connect to
'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':
[Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
certificate as expired.


Any advice would be greatly appreciated!

http://www.freeipa.org/page/Howto/CA_Certificate_Renewal

Since you have FreeIPA before 3.4, you need to follow manual procedure
outlined on that page. 2.2 might also be a bit different than 3.x but
this is a starting point.


--
/ Alexander Bokovoy
