Re: [Freeipa-users] Expired SSL certificate issue with IPA

2012-01-09 Thread Rob Crittenden

nasir nasir wrote:

Hi,

Would the below error cause any issues during replica and upgrade?

# ipa user-show admin
ipa: ERROR: cert validation failed for
CN=xx.xx.com,O=xx.COM ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's
certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cert validation failed for
CN=xx.xx.com,O=xx.COM ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's
certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cannot connect to 'any of the configured servers':
https://xx.xx.com/ipa/xml, https://xx.xx.com/ipa/xml


I don't think so but the problem will exist until addressed. In other 
words upgrading and/or creating a replica won't change things for this 
server.


rob



Nidal.

--- On *Fri, 1/6/12, nasir nasir /kollath...@yahoo.com/* wrote:


From: nasir nasir kollath...@yahoo.com
Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
To: Rob Crittenden rcrit...@redhat.com
Cc: freeipa-users@redhat.com, fasilk...@gmail.com
Date: Friday, January 6, 2012, 9:12 AM

Thanks for the input Rob,

We have already done it with your previous input and everything got
back to normal.

But the ipa user-show admin command gave the following errors.
# ipa user-show admin
ipa: ERROR: cert validation failed for
CN=xx.xx.com,O=xx.COM ((SEC_ERROR_UNTRUSTED_ISSUER)
Peer's certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cert validation failed for
CN=xx.xx.com,O=xx.COM ((SEC_ERROR_UNTRUSTED_ISSUER)
Peer's certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cannot connect to 'any of the configured servers':
https://xx.xx.com/ipa/xml, https://xx.xx.com/ipa/xml

Regardless of the above error, everything seems to be working fine.
Now we need to have the replica of the server before going for an
upgrade of IPA.

Thank you all for the wonderful support during our hard times.

Nidal.


--- On *Fri, 1/6/12, Rob Crittenden /rcrit...@redhat.com/* wrote:


From: Rob Crittenden rcrit...@redhat.com
Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
To: nasir nasir kollath...@yahoo.com
Cc: freeipa-users@redhat.com, fasilk...@gmail.com
Date: Friday, January 6, 2012, 7:21 AM

nasir nasir wrote:
  Rob,
 
  # ipa user-show admin
  ipa: ERROR: cert validation failed for
  CN=openipa.hugayet.com,O=HUGAYET.COM
((SEC_ERROR_EXPIRED_CERTIFICATE)
  Peer's Certificate has expired.)
  ipa: ERROR: cert validation failed for
  CN=openipa.hugayet.com,O=HUGAYET.COM
((SEC_ERROR_EXPIRED_CERTIFICATE)
  Peer's Certificate has expired.)
  ipa: ERROR: cannot connect to 'any of the configured servers':
  https://openipa.hugayet.com/ipa/xml,
https://openipa.hugayet.com/ipa/xml
 
  From what Nalin said, certmonger uses /etc/ipa/ca.crt. This needs
  to match the CA that issued your Apache cert.
 
  How can we proceed further?

I think you're going to need to set the system time back to when the
certificate is valid to do the renewal.

rob

 
  Nidal.
 
 
  --- On *Thu, 1/5/12, Rob Crittenden
/rcrit...@redhat.com/*wrote:
 
 
  From: Rob Crittenden rcrit...@redhat.com
  Subject: Re: [Freeipa-users] Expired SSL certificate issue
with IPA
  To: nasir nasir kollath...@yahoo.com
  Cc: freeipa-users@redhat.com, fasilk...@gmail.com
  Date: Thursday, January 5, 2012, 2:21 PM
 
  nasir nasir wrote:
   Hi Rob,
  
   Added the directive NSSEnforceValidCerts off in
   /etc/httpd/conf.d/nss.conf and restarted httpd. Please find the
   /var/log/httpd/error_log
  
   [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
   KeyError(-1215723696,) in module 'threading' from
   '/usr/lib/python2.6/threading.pyc' ignored
   [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
   KeyError(-1215723696,) in module 'threading' from
   '/usr/lib/python2.6/threading.pyc' ignored
   [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
   KeyError(-1215723696,) in module 'threading' from
   '/usr/lib/python2.6/threading.pyc' ignored
   [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
   KeyError(-1215723696,) in module 'threading' from
   '/usr/lib/python2.6/threading.pyc' ignored
   [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
   KeyError(-1215723696,) in module 'threading' from
   '/usr/lib/python2.6/threading.pyc' ignored
   [Fri Jan 06 01:06:29 2012

Re: [Freeipa-users] Expired SSL certificate issue with IPA

2012-01-06 Thread Rob Crittenden

nasir nasir wrote:

Rob,

# ipa user-show admin
ipa: ERROR: cert validation failed for
CN=openipa.hugayet.com,O=HUGAYET.COM ((SEC_ERROR_EXPIRED_CERTIFICATE)
Peer's Certificate has expired.)
ipa: ERROR: cert validation failed for
CN=openipa.hugayet.com,O=HUGAYET.COM ((SEC_ERROR_EXPIRED_CERTIFICATE)
Peer's Certificate has expired.)
ipa: ERROR: cannot connect to 'any of the configured servers':
https://openipa.hugayet.com/ipa/xml, https://openipa.hugayet.com/ipa/xml

 From what Nalin said, certmonger uses /etc/ipa/ca.crt. This needs
to match the CA that issued your Apache cert.

How can we proceed further?


I think you're going to need to set the system time back to when the 
certificate is valid to do the renewal.


rob



Nidal.


--- On *Thu, 1/5/12, Rob Crittenden /rcrit...@redhat.com/*wrote:


From: Rob Crittenden rcrit...@redhat.com
Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
To: nasir nasir kollath...@yahoo.com
Cc: freeipa-users@redhat.com, fasilk...@gmail.com
Date: Thursday, January 5, 2012, 2:21 PM

nasir nasir wrote:
  Hi Rob,
 
  Added the directive NSSEnforceValidCerts off in
  /etc/httpd/conf.d/nss.conf and restarted httpd. Please find the
  /var/log/httpd/error_log
 
  [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
  KeyError(-1215723696,) in module 'threading' from
  '/usr/lib/python2.6/threading.pyc' ignored
  [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
  KeyError(-1215723696,) in module 'threading' from
  '/usr/lib/python2.6/threading.pyc' ignored
  [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
  KeyError(-1215723696,) in module 'threading' from
  '/usr/lib/python2.6/threading.pyc' ignored
  [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
  KeyError(-1215723696,) in module 'threading' from
  '/usr/lib/python2.6/threading.pyc' ignored
  [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
  KeyError(-1215723696,) in module 'threading' from
  '/usr/lib/python2.6/threading.pyc' ignored
  [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
  KeyError(-1215723696,) in module 'threading' from
  '/usr/lib/python2.6/threading.pyc' ignored
  [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
  KeyError(-1215723696,) in module 'threading' from
  '/usr/lib/python2.6/threading.pyc' ignored
  [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
  KeyError(-1215723696,) in module 'threading' from
  '/usr/lib/python2.6/threading.pyc' ignored
  [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
  KeyError(-1215723696,) in module 'threading' from
  '/usr/lib/python2.6/threading.pyc' ignored
  [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
  KeyError(-1215723696,) in module 'threading' from
  '/usr/lib/python2.6/threading.pyc' ignored
  [Fri Jan 06 01:06:29 2012] [notice] caught SIGTERM, shutting down
  [Fri Jan 06 01:06:29 2012] [notice] suEXEC mechanism enabled
(wrapper:
  /usr/sbin/suexec)
  [Fri Jan 06 01:06:30 2012] [error] Certificate not verified:
'Server-Cert'
  [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181
Certificate
  has expired
  [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired:
  'Server-Cert'
  [Fri Jan 06 01:06:30 2012] [notice] Digest: generating secret for
digest
  authentication ...
  [Fri Jan 06 01:06:30 2012] [notice] Digest: done
  [Fri Jan 06 01:06:30 2012] [warn] mod_wsgi: Compiled for
Python/2.6.2.
  [Fri Jan 06 01:06:30 2012] [warn] mod_wsgi: Runtime using
Python/2.6.6.
  [Fri Jan 06 01:06:30 2012] [notice] Apache/2.2.15 (Unix) DAV/2
  mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.12.9.0 mod_wsgi/3.2
Python/2.6.6
  configured -- resuming normal operations
  [Fri Jan 06 01:06:30 2012] [error] Certificate not verified:
'Server-Cert'
  [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181
Certificate
  has expired
  [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired:
  'Server-Cert'
  [Fri Jan 06 01:06:30 2012] [error] Certificate not verified:
'Server-Cert'
  [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181
Certificate
  has expired
  [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired:
  'Server-Cert'
  [Fri Jan 06 01:06:30 2012] [error] Certificate not verified:
'Server-Cert'
  [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181
Certificate
  has expired
  [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired:
  'Server-Cert'
  [Fri Jan 06 01:06:30 2012] [error] Certificate not verified:
'Server-Cert'
  [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181
Certificate
  has expired
  [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired

Re: [Freeipa-users] Expired SSL certificate issue with IPA

2012-01-05 Thread Rob Crittenden

nasir nasir wrote:

Thanks for the reply Rob.

Please find below the output of your guidelines.

# ipa-getkeytab -s xxx.xxx.com -p host/xx.xx.com -k
/etc/krb5.keytab
(the command was successful; it didn't show any errors in the krb5kdc.log
or audit.log)

# kinit -kt /etc/krb5.keytab host/xx.xx.com

krb5kdc.log
-
Jan 05 15:20:32 xx.xx.com krb5kdc[2431](info): AS_REQ (4 etypes
{18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH:
host/xx.xx@xx.com for krbtgt/xx@xx.com,
Additional pre-authentication required
Jan 05 15:20:32 xx.xx.com krb5kdc[2427](info): AS_REQ (4 etypes
{18 17 16 23}) 192.168.1.10: ISSUE: authtime 1325766032, etypes {rep=18
tkt=18 ses=18}, host/xx.xx@xx.com for
krbtgt/xx@xx.com

# ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20110619112648':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction. SSL connect error).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-xx-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-xx-COM//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-xx-COM',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=xx.COM
subject: CN=xx.xx.com,O=xx.COM
expires: 20111216112647
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Request ID '20110619112705':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction. SSL connect error).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=xx.COM
subject: CN=xx.xx.com,O=xx.COM
expires: 20111216112704
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Request ID '20110619112721':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction. SSL connect error).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=xx.COM
subject: CN=xx.xx.com,O=xx.COM
expires: 20111216112720
eku: id-kp-serverAuth
track: yes
auto-renew: yes

# ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert
Request 20110619112721 modified.

# ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20110619112648':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction. SSL connect error).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-HUGAYET-COM//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=HUGAYET.COM
subject: CN=openipa.hugayet.com,O=HUGAYET.COM
expires: 20111216112647
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Request ID '20110619112705':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction. SSL connect error).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=HUGAYET.COM
subject: CN=openipa.hugayet.com,O=HUGAYET.COM
expires: 20111216112704
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Request ID '20110619112721':
status: SUBMITTING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=HUGAYET.COM
subject: CN=openipa.hugayet.com,O=HUGAYET.COM
expires: 20111216112720
eku: id-kp-serverAuth
track: yes
auto-renew: yes

and after few minutes, the status 'SUBMITTING' will be changed as
'CA_UNREACHABLE'
Do we need to restart the /etc/init.d/ipa service for this? I am working
remotely.


It isn't logging enough information to know why it failed. Can you look 
in the Apache error log to see why the request failed?


My 

Re: [Freeipa-users] Expired SSL certificate issue with IPA

2012-01-05 Thread nasir nasir
Thanks for the input Rob,

Please find below the /var/log/httpd/error_log

[Thu Jan 05 19:50:46 2012] [error] Certificate not verified: 'Server-Cert'
[Thu Jan 05 19:50:46 2012] [error] SSL Library Error: -8181 Certificate has expired
[Thu Jan 05 19:50:46 2012] [error] Certificate not verified: 'Server-Cert'
[Thu Jan 05 19:50:46 2012] [error] Unable to verify certificate 'Server-Cert'. Add NSSEnforceValidCerts off to nss.conf so the server can start until the problem can be resolved.

Do I need to add NSSEnforceValidCerts off in /etc/httpd/conf.d/nss.conf? Please advise.

Nidal.

--- On Thu, 1/5/12, Rob Crittenden rcrit...@redhat.com wrote:

From: Rob Crittenden rcrit...@redhat.com
Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
To: nasir nasir kollath...@yahoo.com
Cc: freeipa-users@redhat.com, fasilk...@gmail.com
Date: Thursday, January 5, 2012, 7:38 AM

nasir nasir wrote:
 Thanks for the reply Rob.

 Please find below the output of your guidelines.

 # ipa-getkeytab -s xxx.xxx.com -p host/xx.xx.com -k
 /etc/krb5.keytab
 (the command was successful; it didn't show any errors in the krb5kdc.log
 or audit.log)

 # kinit -kt /etc/krb5.keytab host/xx.xx.com

 krb5kdc.log
 -
 Jan 05 15:20:32 xx.xx.com krb5kdc[2431](info): AS_REQ (4 etypes
 {18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH:
 host/xx.xx@xx.com for krbtgt/xx@xx.com,
 Additional pre-authentication required
 Jan 05 15:20:32 xx.xx.com krb5kdc[2427](info): AS_REQ (4 etypes
 {18 17 16 23}) 192.168.1.10: ISSUE: authtime 1325766032, etypes {rep=18
 tkt=18 ses=18}, host/xx.xx@xx.com for
 krbtgt/xx@xx.com

 # ipa-getcert list
 Number of certificates and requests being tracked: 3.
 Request ID '20110619112648':
 status: CA_UNREACHABLE
 ca-error: Server failed request, will retry: -504 (libcurl failed to
 execute the HTTP POST transaction. SSL connect error).
 stuck: yes
 key pair storage:
 type=NSSDB,location='/etc/dirsrv/slapd-xx-COM',nickname='Server-Cert',token='NSS
 Certificate DB',pinfile='/etc/dirsrv/slapd-xx-COM//pwdfile.txt'
 certificate:
 type=NSSDB,location='/etc/dirsrv/slapd-xx-COM',nickname='Server-Cert',token='NSS
 Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=xx.COM
 subject: CN=xx.xx.com,O=xx.COM
 expires: 20111216112647
 eku: id-kp-serverAuth
 track: yes
 auto-renew: yes
 Request ID '20110619112705':
 status: CA_UNREACHABLE
 ca-error: Server failed request, will retry: -504 (libcurl failed to
 execute the HTTP POST transaction. SSL connect error).
 stuck: yes
 key pair storage:
 type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
 Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
 certificate:
 type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
 Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=xx.COM
 subject: CN=xx.xx.com,O=xx.COM
 expires: 20111216112704
 eku: id-kp-serverAuth
 track: yes
 auto-renew: yes
 Request ID '20110619112721':
 status: CA_UNREACHABLE
 ca-error: Server failed request, will retry: -504 (libcurl failed to
 execute the HTTP POST transaction. SSL connect error).
 stuck: yes
 key pair storage:
 type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
 Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
 certificate:
 type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
 Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=xx.COM
 subject: CN=xx.xx.com,O=xx.COM
 expires: 20111216112720
 eku: id-kp-serverAuth
 track: yes
 auto-renew: yes

 # ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert
 Request 20110619112721 modified.

 # ipa-getcert list
 Number of certificates and requests being tracked: 3.
 Request ID '20110619112648':
 status: CA_UNREACHABLE
 ca-error: Server failed request, will retry: -504 (libcurl failed to
 execute the HTTP POST transaction. SSL connect error).
 stuck: yes
 key pair storage:
 type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS
 Certificate DB',pinfile='/etc/dirsrv/slapd-HUGAYET-COM//pwdfile.txt'
 certificate:
 type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS
 Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=HUGAYET.COM
 subject: CN=openipa.hugayet.com,O=HUGAYET.COM
 expires: 20111216112647
 eku: id-kp-serverAuth
 track: yes
 auto-renew: yes
 Request ID '20110619112705':
 status: CA_UNREACHABLE
 ca-error: Server failed request, will retry: -504 (libcurl failed to
 execute the HTTP POST transaction. SSL connect error).
 stuck: yes
 key pair storage:
 type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
 Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
 certificate:
 type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server

Re: [Freeipa-users] Expired SSL certificate issue with IPA

2012-01-05 Thread Rob Crittenden

nasir nasir wrote:

Thanks for the input Rob,

Please find below the /var/log/httpd/error_log

[Thu Jan 05 19:50:46 2012] [error] Certificate not verified: 'Server-Cert'
[Thu Jan 05 19:50:46 2012] [error] SSL Library Error: -8181 Certificate
has expired
[Thu Jan 05 19:50:46 2012] [error] Certificate not verified: 'Server-Cert'
[Thu Jan 05 19:50:46 2012] [error] Unable to verify certificate
'Server-Cert'. Add NSSEnforceValidCerts off to nss.conf so the server
can start until the problem can be resolved.

Do I need to add NSSEnforceValidCerts off in
/etc/httpd/conf.d/nss.conf? Please advise.



That explains why certmonger can't connect. Yes, for now add that 
directive and restart httpd. Then try the start-tracking again and see 
if it renews the cert.


rob


Nidal.


--- On *Thu, 1/5/12, Rob Crittenden /rcrit...@redhat.com/* wrote:


From: Rob Crittenden rcrit...@redhat.com
Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
To: nasir nasir kollath...@yahoo.com
Cc: freeipa-users@redhat.com, fasilk...@gmail.com
Date: Thursday, January 5, 2012, 7:38 AM

nasir nasir wrote:
  Thanks for the reply Rob.
 
  Please find below the output of your guidelines.
 
  # ipa-getkeytab -s xxx.xxx.com -p host/xx.xx.com -k
  /etc/krb5.keytab
  (the command was successful; it didn't show any errors in the krb5kdc.log
  or audit.log)
 
  # kinit -kt /etc/krb5.keytab host/xx.xx.com
 
  krb5kdc.log
  -
  Jan 05 15:20:32 xx.xx.com krb5kdc[2431](info): AS_REQ (4
etypes
  {18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH:
  host/xx.xx@xx.com for krbtgt/xx@xx.com,
  Additional pre-authentication required
  Jan 05 15:20:32 xx.xx.com krb5kdc[2427](info): AS_REQ (4
etypes
  {18 17 16 23}) 192.168.1.10: ISSUE: authtime 1325766032, etypes
{rep=18
  tkt=18 ses=18}, host/xx.xx@xx.com for
  krbtgt/xx@xx.com
 
  # ipa-getcert list
  Number of certificates and requests being tracked: 3.
  Request ID '20110619112648':
  status: CA_UNREACHABLE
  ca-error: Server failed request, will retry: -504 (libcurl failed to
  execute the HTTP POST transaction. SSL connect error).
  stuck: yes
  key pair storage:
 

type=NSSDB,location='/etc/dirsrv/slapd-xx-COM',nickname='Server-Cert',token='NSS
  Certificate DB',pinfile='/etc/dirsrv/slapd-xx-COM//pwdfile.txt'
  certificate:
 

type=NSSDB,location='/etc/dirsrv/slapd-xx-COM',nickname='Server-Cert',token='NSS
  Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=xx.COM
  subject: CN=xx.xx.com,O=xx.COM
  expires: 20111216112647
  eku: id-kp-serverAuth
  track: yes
  auto-renew: yes
  Request ID '20110619112705':
  status: CA_UNREACHABLE
  ca-error: Server failed request, will retry: -504 (libcurl failed to
  execute the HTTP POST transaction. SSL connect error).
  stuck: yes
  key pair storage:
 

type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
  Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
  certificate:
 

type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
  Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=xx.COM
  subject: CN=xx.xx.com,O=xx.COM
  expires: 20111216112704
  eku: id-kp-serverAuth
  track: yes
  auto-renew: yes
  Request ID '20110619112721':
  status: CA_UNREACHABLE
  ca-error: Server failed request, will retry: -504 (libcurl failed to
  execute the HTTP POST transaction. SSL connect error).
  stuck: yes
  key pair storage:
 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
  Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
  certificate:
 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
  Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=xx.COM
  subject: CN=xx.xx.com,O=xx.COM
  expires: 20111216112720
  eku: id-kp-serverAuth
  track: yes
  auto-renew: yes
 
  # ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert
  Request 20110619112721 modified.
 
  # ipa-getcert list
  Number of certificates and requests being tracked: 3.
  Request ID '20110619112648':
  status: CA_UNREACHABLE
  ca-error: Server failed request, will retry: -504 (libcurl failed to
  execute the HTTP POST transaction. SSL connect error).
  stuck: yes
  key pair storage
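
Added example, not code from the thread, FreeIPA or mod_nss: a Python helper that applies the NSSEnforceValidCerts workaround Rob describes to /etc/httpd/conf.d/nss.conf and, just as importantly, reverts it once the certificate has been renewed, so the weakened setting does not outlive the incident. It assumes mod_nss's default (enforcement on when the directive is absent or commented out) and inserts a new directive before the first <VirtualHost> block, in the server-config context; the sample nss.conf text is constructed. httpd still has to be restarted after the file is changed.

```python
import re

# mod_nss directive that makes httpd refuse to start with an unverifiable
# Server-Cert. Its default is on, so an absent or commented-out directive
# means enforcement is active.
DIRECTIVE = "NSSEnforceValidCerts"
_ACTIVE_RE = re.compile(r"^[ \t]*NSSEnforceValidCerts[ \t]+(on|off)[ \t]*$", re.I | re.M)
_COMMENTED_RE = re.compile(r"^[ \t]*#[ \t]*NSSEnforceValidCerts[ \t]+(?:on|off)[ \t]*$", re.I | re.M)


def enforcement_state(conf_text):
    """Effective value: the last active directive wins; none present -> 'on'."""
    found = _ACTIVE_RE.findall(conf_text)
    return found[-1].lower() if found else "on"


def set_enforcement(conf_text, enabled):
    """Return conf_text with NSSEnforceValidCerts set to on or off, idempotently.

    Active directives are rewritten in place (all of them, so none is left
    contradicting the others); a commented-out one is reactivated; otherwise the
    directive is inserted before the first <VirtualHost>, i.e. in the server
    config context, or appended if the file has no virtual host at all.
    """
    directive = f"{DIRECTIVE} {'on' if enabled else 'off'}"
    if _ACTIVE_RE.search(conf_text):
        return _ACTIVE_RE.sub(directive, conf_text)
    if _COMMENTED_RE.search(conf_text):
        return _COMMENTED_RE.sub(directive, conf_text, count=1)
    head, sep, tail = conf_text.partition("<VirtualHost")
    if sep:
        return f"{head}{directive}\n{sep}{tail}"
    return conf_text.rstrip("\n") + f"\n{directive}\n"


if __name__ == "__main__":
    # Constructed stand-in for /etc/httpd/conf.d/nss.conf.
    nss_conf = "Listen 443\n\n<VirtualHost _default_:443>\nNSSEngine on\n</VirtualHost>\n"
    weakened = set_enforcement(nss_conf, False)   # the thread's workaround
    print(weakened)
    print("effective:", enforcement_state(weakened))
    print("after revert:", enforcement_state(set_enforcement(weakened, True)))
```

Apply it to the real file with something like `open(path).read()` / `write()` and then restart httpd; once `ipa-getcert list` shows the Server-Cert renewed, run `set_enforcement(text, True)` and restart again, so the web server goes back to refusing an invalid certificate.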

Re: [Freeipa-users] Expired SSL certificate issue with IPA

2012-01-05 Thread Nalin Dahyabhai
On Thu, Jan 05, 2012 at 10:38:11AM -0500, Rob Crittenden wrote:
 My first thought was that there was a CA trust issue. I believe that
 certmonger uses the NSS database where the certificate is stored so
 since it is also doing this against Apache (which in theory trust is
 ok for it to start at all) so I'm baffled. Hopefully the httpd logs
 will be enlightening.

The APIs it's using don't appear to let it do that, so unless there's
something going on under the covers, the IPA submission helper trusts
only the root certificate found in /etc/ipa/ca.crt.

HTH,

Nalin

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Expired SSL certificate issue with IPA

2012-01-05 Thread nasir nasir
//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=HUGAYET.COM
subject: CN=openipa.hugayet.com,O=HUGAYET.COM
expires: 20111216112647
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Request ID '20110619112705':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  SSL connect error).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=HUGAYET.COM
subject: CN=openipa.hugayet.com,O=HUGAYET.COM
expires: 20111216112704
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Request ID '20110619112721':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=HUGAYET.COM
subject: CN=openipa.hugayet.com,O=HUGAYET.COM
expires: 20111216112720
eku: id-kp-serverAuth
track: yes
auto-renew: yes

Do we need to restart /etc/init.d/ipa service for all this to take effect?

Nidal.

--- On Thu, 1/5/12, Rob Crittenden rcrit...@redhat.com wrote:

From: Rob Crittenden rcrit...@redhat.com
Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
To: nasir nasir kollath...@yahoo.com
Cc: freeipa-users@redhat.com, fasilk...@gmail.com
Date: Thursday, January 5, 2012, 8:59 AM

nasir nasir wrote:
 Thanks for the input Rob,

 Please find below the /var/log/httpd/error_log

 [Thu Jan 05 19:50:46 2012] [error] Certificate not verified: 'Server-Cert'
 [Thu Jan 05 19:50:46 2012] [error] SSL Library Error: -8181 Certificate
 has expired
 [Thu Jan 05 19:50:46 2012] [error] Certificate not verified: 'Server-Cert'
 [Thu Jan 05 19:50:46 2012] [error] Unable to verify certificate
 'Server-Cert'. Add NSSEnforceValidCerts off to nss.conf so the server
 can start until the problem can be resolved.

 Do I need to add NSSEnforceValidCerts off in
 /etc/httpd/conf.d/nss.conf? Please advise.


That explains why certmonger can't connect. Yes, for now add that 
directive and restart httpd. Then try the start-tracking again and see 
if it renews the cert.

rob

 Nidal.


 --- On *Thu, 1/5/12, Rob Crittenden /rcrit...@redhat.com/* wrote:


     From: Rob Crittenden rcrit...@redhat.com
     Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
     To: nasir nasir kollath...@yahoo.com
     Cc: freeipa-users@redhat.com, fasilk...@gmail.com
     Date: Thursday, January 5, 2012, 7:38 AM

     nasir nasir wrote:
       Thanks for the reply Rob.
      
       Please find below the output of your guidelines.
      
       # ipa-getkeytab -s xxx.xxx.com -p host/xx.xx.com -k
       /etc/krb5.keytab
       (the command was successful; it didn't show any errors in the krb5kdc.log
       or audit.log)
      
       # kinit -kt /etc/krb5.keytab host/xx.xx.com
      
       krb5kdc.log
       -
       Jan 05 15:20:32 xx.xx.com krb5kdc[2431](info): AS_REQ (4
     etypes
       {18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH:
       host/xx.xx@xx.com for krbtgt/xx@xx.com,
       Additional pre-authentication required
       Jan 05 15:20:32 xx.xx.com krb5kdc[2427](info): AS_REQ (4
     etypes
       {18 17 16 23}) 192.168.1.10: ISSUE: authtime 1325766032, etypes
     {rep=18
       tkt=18 ses=18}, host/xx.xx@xx.com for
       krbtgt/xx@xx.com
      
       # ipa-getcert list
       Number of certificates and requests being tracked: 3.
       Request ID '20110619112648':
       status: CA_UNREACHABLE
       ca-error: Server failed request, will retry: -504 (libcurl failed to
       execute the HTTP POST transaction. SSL connect error).
       stuck: yes
       key pair storage:
      
     
type=NSSDB,location='/etc/dirsrv/slapd-xx-COM',nickname='Server-Cert',token='NSS
       Certificate DB',pinfile='/etc/dirsrv/slapd-xx-COM

Re: [Freeipa-users] Expired SSL certificate issue with IPA

2012-01-05 Thread Rob Crittenden
:
type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=HUGAYET.COM
subject: CN=openipa.hugayet.com,O=HUGAYET.COM
expires: 20111216112647
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Request ID '20110619112705':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction. SSL connect error).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=HUGAYET.COM
subject: CN=openipa.hugayet.com,O=HUGAYET.COM
expires: 20111216112704
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Request ID '20110619112721':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction. Peer certificate cannot be
authenticated with known CA certificates).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=HUGAYET.COM
subject: CN=openipa.hugayet.com,O=HUGAYET.COM
expires: 20111216112720
eku: id-kp-serverAuth
track: yes
auto-renew: yes

Do we need to restart /etc/init.d/ipa service for all this to take effect?


No, and be very careful if your 389-ds cert is also expired.

This error really does mean that certmonger doesn't trust the SSL cert 
of your web server. Have you replaced your certs with something else?


Does a simple command like: ipa user-show admin work?

It may fail too due to the expired cert. You may have to turn time back 
on this machine, but that won't affect the untrusted CA. From what Nalin 
said, certmonger uses /etc/ipa/ca.crt. This needs to match the CA that 
issued your Apache cert.


rob



Nidal.


--- On *Thu, 1/5/12, Rob Crittenden /rcrit...@redhat.com/* wrote:


From: Rob Crittenden rcrit...@redhat.com
Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
To: nasir nasir kollath...@yahoo.com
Cc: freeipa-users@redhat.com, fasilk...@gmail.com
Date: Thursday, January 5, 2012, 8:59 AM

nasir nasir wrote:
  Thanks for the input Rob,
 
  Please find below the /var/log/httpd/error_log
 
  [Thu Jan 05 19:50:46 2012] [error] Certificate not verified:
'Server-Cert'
  [Thu Jan 05 19:50:46 2012] [error] SSL Library Error: -8181
Certificate
  has expired
  [Thu Jan 05 19:50:46 2012] [error] Certificate not verified:
'Server-Cert'
  [Thu Jan 05 19:50:46 2012] [error] Unable to verify certificate
  'Server-Cert'. Add NSSEnforceValidCerts off to nss.conf so the
server
  can start until the problem can be resolved.
 
  Do I need to add NSSEnforceValidCerts off in
  /etc/httpd/conf.d/nss.conf? Please advice.
 

That explains why certmonger can't connect. Yes, for now add that
directive and restart httpd. Then try the start-tracking again and see
if it renews the cert.

rob

  Nidal.
 
 
  --- On *Thu, 1/5/12, Rob Crittenden /rcrit...@redhat.com/* wrote:
 
 
  From: Rob Crittenden rcrit...@redhat.com
  Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
  To: nasir nasir kollath...@yahoo.com
  Cc: freeipa-users@redhat.com, fasilk...@gmail.com
  Date: Thursday, January 5, 2012, 7:38 AM
 
  nasir nasir wrote:
   Thanks for the reply Rob.
  
   Please find below the output of your guidelines.
  
   # ipa-getkeytab -s xxx.xxx.com -p host/xx.xx.com -k
   /etc/krb5.keytab
   (the command was successful; it din't show any errors in the
  krb5kdc.log
   or audit.log)
  
   # kinit -kt /etc/krb5.keytab host/xx.xx.com
  
   krb5kdc.log
   -
   Jan 05 15:20:32 xx.xx.com krb5kdc[2431](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH: host/xx.xx@xx.com for krbtgt/xx@xx.com, Additional pre-authentication required
   Jan 05 15:20:32 xx.xx.com krb5kdc

Re: [Freeipa-users] Expired SSL certificate issue with IPA

2012-01-04 Thread Rob Crittenden

nasir nasir wrote:

Thanks for all the replies.

Rob,
Please find the output of your guidelines.


Here is the culprit:

ca-error: Error setting up ccache for local host service using default 
keytab.


certmonger authenticates to IPA using the host service principal 
installed on each client (and master). For some reason that can't be used.


Check the keytab:

# klist -kt /etc/krb5.keytab

If there are host entries there, try it:

# kinit -kt /etc/krb5.keytab host/server.example.com

rob



# ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20110619112648':
status: MONITORING
ca-error: Error setting up ccache for local host service using default
keytab.
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-x-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-x-COM//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-x-COM',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=x.COM
subject: CN=x.x.com,O=x.COM
expires: 20111216112647
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Request ID '20110619112705':
status: MONITORING
ca-error: Error setting up ccache for local host service using default
keytab.
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=x.COM
subject: CN=x.x.com,O=x.COM
expires: 20111216112704
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Request ID '20110619112721':
status: MONITORING
ca-error: Error setting up ccache for local host service using default
keytab.
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=x.COM
subject: CN=x.x.com,O=x.COM
expires: 20111216112720
eku: id-kp-serverAuth
track: yes
auto-renew: yes

# certutil -L -d /etc/httpd/alias
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Server-Cert u,u,u
HUGAYET.COM IPA CA CT,C,C
ipaCert u,u,u
Signing-Cert u,u,u

Now track it
# ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert
Request 20110619112721 modified.

#ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20110619112648':
status: MONITORING
ca-error: Error setting up ccache for local host service using default
keytab.
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-x-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-x-COM//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-x-COM',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=x.COM
subject: CN=x.x.com,O=x.COM
expires: 20111216112647
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Request ID '20110619112705':
status: MONITORING
ca-error: Error setting up ccache for local host service using default
keytab.
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=x.COM
subject: CN=x.x.com,O=x.COM
expires: 20111216112704
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Request ID '20110619112721':
status: MONITORING
ca-error: Error setting up ccache for local host service using default
keytab.
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=x.COM
subject: CN=x.x.com,O=x.COM
expires: 20111216112720
eku: id-kp-serverAuth
track: yes
auto-renew: yes

The issue is still there as you can see the expiry dates are not getting
modified.

Nidal.

--- On *Tue, 1/3/12, Rob Crittenden /rcrit...@redhat.com/* wrote:


From: Rob Crittenden rcrit...@redhat.com
Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
To: nasir nasir kollath...@yahoo.com
Cc: Rich Megginson rmegg...@redhat.com,
freeipa-users@redhat.com, fasilk...@gmail.com
Date: Tuesday, January 3, 2012, 2:23 PM

nasir nasir wrote:
 
 
  --- On *Tue, 1/3/12, Rich Megginson /rmegg...@redhat.com/* wrote:
 
 
  From: Rich Megginson

Re: [Freeipa-users] Expired SSL certificate issue with IPA

2012-01-04 Thread nasir nasir
Thanks for the reply Rob,

Indeed there are host entries. Please find below the output of your below
mentioned guidelines.

# klist -kt /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- -----------------------------
   2 06/19/11 14:27:17 host/xx.xx@xx.com
   2 06/19/11 14:27:17 host/xx.xx@xx.com
   2 06/19/11 14:27:17 host/xx.xx@xx.com
   2 06/19/11 14:27:17 host/xx.xx@xx.com
   2 06/19/11 14:27:17 host/xx.xx@xx.com
   2 06/19/11 14:27:17 host/xx.xx@xx.com
   2 06/20/11 09:07:26 host/test1.xx@xx.com
   2 06/20/11 09:07:26 host/test1.xx@xx.com
   2 06/20/11 09:07:26 host/test1.xx@xx.com
   2 06/20/11 09:07:26 host/test1.xx@xx.com
   6 06/20/11 09:09:12 nfs/nfs.xx@xx.com
   6 06/20/11 09:09:12 nfs/nfs.xx@xx.com
   6 06/20/11 09:09:12 nfs/nfs.xx@xx.com
   6 06/20/11 09:09:12 nfs/nfs.xx@xx.com
   2 06/20/11 09:11:24 nfs/test1.xx@xx.com
   2 06/20/11 09:11:24 nfs/test1.xx@xx.com
   2 06/20/11 09:11:24 nfs/test1.xx@xx.com
   2 06/20/11 09:11:24 nfs/test1.xx@xx.com

# kinit -kt /etc/krb5.keytab host/openipa.hugayet.com
kinit: Password incorrect while getting initial credentials

# kinit admin
(the password is accepted successfully here)

# kinit -kt /etc/krb5.keytab host/openipa.hugayet.com
kinit: Password incorrect while getting initial credentials

What could be the possible issue of the invalid credential error? Please help.

Nidal

--- On Wed, 1/4/12, Rob Crittenden rcrit...@redhat.com wrote:

From: Rob Crittenden rcrit...@redhat.com
Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
To: nasir nasir kollath...@yahoo.com
Cc: Rich Megginson rmegg...@redhat.com, freeipa-users@redhat.com, 
fasilk...@gmail.com
Date: Wednesday, January 4, 2012, 11:52 AM

nasir nasir wrote:
 Thanks for all the replies.

 Rob,
 Please find the output of your guidelines.

Here is the culprit:

ca-error: Error setting up ccache for local host service using default 
keytab.

certmonger authenticates to IPA using the host service principal 
installed on each client (and master). For some reason that can't be used.

Check the keytab:

# klist -kt /etc/krb5.keytab

If there are host entries there, try it:

# kinit -kt /etc/krb5.keytab host/server.example.com

rob


 # ipa-getcert list
 Number of certificates and requests being tracked: 3.
 Request ID '20110619112648':
 status: MONITORING
 ca-error: Error setting up ccache for local host service using default
 keytab.
 stuck: no
 key pair storage:
 type=NSSDB,location='/etc/dirsrv/slapd-x-COM',nickname='Server-Cert',token='NSS
 Certificate DB',pinfile='/etc/dirsrv/slapd-x-COM//pwdfile.txt'
 certificate:
 type=NSSDB,location='/etc/dirsrv/slapd-x-COM',nickname='Server-Cert',token='NSS
 Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=x.COM
 subject: CN=x.x.com,O=x.COM
 expires: 20111216112647
 eku: id-kp-serverAuth
 track: yes
 auto-renew: yes
 Request ID '20110619112705':
 status: MONITORING
 ca-error: Error setting up ccache for local host service using default
 keytab.
 stuck: no
 key pair storage:
 type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
 Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
 certificate:
 type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
 Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=x.COM
 subject: CN=x.x.com,O=x.COM
 expires: 20111216112704
 eku: id-kp-serverAuth
 track: yes
 auto-renew: yes
 Request ID '20110619112721':
 status: MONITORING
 ca-error: Error setting up ccache for local host service using default
 keytab.
 stuck: no
 key pair storage:
 type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
 Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
 certificate:
 type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
 Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=x.COM
 subject: CN=x.x.com,O=x.COM
 expires: 20111216112720
 eku: id-kp-serverAuth
 track: yes
 auto-renew: yes

 # certutil -L -d /etc/httpd/alias
 Certificate Nickname Trust Attributes
 SSL,S/MIME,JAR/XPI
 Server-Cert u,u,u
 HUGAYET.COM IPA CA CT,C,C
 ipaCert u,u,u
 Signing-Cert u,u,u

 Now track it
 # ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert
 Request 20110619112721 modified.

 #ipa-getcert list
 Number of certificates and requests being tracked: 3.
 Request ID '20110619112648':
 status: MONITORING
 ca-error: Error setting up ccache for local host service using default
 keytab.
 stuck: no
 key pair storage:
 type=NSSDB,location='/etc/dirsrv/slapd-x-COM',nickname='Server-Cert',token='NSS
 Certificate DB',pinfile='/etc/dirsrv

Re: [Freeipa-users] Expired SSL certificate issue with IPA

2012-01-04 Thread Rob Crittenden

nasir nasir wrote:

Thanks for the reply Rob,

Indeed there are host entries.
Please find below the output of your below mentioned guidelines.

# klist -kt /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp Principal
 -

2 06/19/11 14:27:17 host/xx.xx@xx.com
2 06/19/11 14:27:17 host/xx.xx@xx.com
2 06/19/11 14:27:17 host/xx.xx@xx.com
2 06/19/11 14:27:17 host/xx.xx@xx.com
2 06/19/11 14:27:17 host/xx.xx@xx.com
2 06/19/11 14:27:17 host/xx.xx@xx.com
2 06/20/11 09:07:26 host/test1.xx@xx.com
2 06/20/11 09:07:26 host/test1.xx@xx.com
2 06/20/11 09:07:26 host/test1.xx@xx.com
2 06/20/11 09:07:26 host/test1.xx@xx.com
6 06/20/11 09:09:12 nfs/nfs.xx@xx.com
6 06/20/11 09:09:12 nfs/nfs.xx@xx.com
6 06/20/11 09:09:12 nfs/nfs.xx@xx.com
6 06/20/11 09:09:12 nfs/nfs.xx@xx.com
2 06/20/11 09:11:24 nfs/test1.xx@xx.com
2 06/20/11 09:11:24 nfs/test1.xx@xx.com
2 06/20/11 09:11:24 nfs/test1.xx@xx.com
2 06/20/11 09:11:24 nfs/test1.xx@xx.com

# kinit -kt /etc/krb5.keytab host/openipa.hugayet.com
kinit: Password incorrect while getting initial credentials

# kinit admin
(the password is accepted successfully here)

# kinit -kt /etc/krb5.keytab host/openipa.hugayet.com
kinit: Password incorrect while getting initial credentials

What could be the possible issue of the invalid credential error? Please
help.


Probably the most expedient fix is to use ipa-getkeytab to get new 
credentials for the host service. Here is an example assuming you need a 
new keytab for your freeIPA server itself:


# ipa-getkeytab -s ipa.example.com -p host/ipa.example.com -k 
/etc/krb5.keytab


rob
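Rob's check above (does /etc/krb5.keytab hold the host principal, and does the KDC accept it?) can be correlated with the krb5kdc.log lines from the original report, where the same host principal fails preauth with "Decrypt integrity check failed". The script below is an added example, not code from this thread or from FreeIPA: it parses `klist -kt` output and krb5kdc.log AS_REQ lines, and reports principals that are present in the keytab but whose key the KDC rejects, which is the case ipa-getkeytab repairs. The keytab listing and log lines are constructed from the formats quoted in the thread, with the hostnames and realm replaced by example.com/EXAMPLE.COM; `ipa.example.com` as the IPA server is an assumption.

```python
import re
from collections import defaultdict

# Constructed samples shaped like the `klist -kt` and krb5kdc.log output quoted
# in this thread (hostnames/realm replaced with example.com); not captured live.
SAMPLE_KLIST = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------------
   2 06/19/11 14:27:17 host/ipa.example.com@EXAMPLE.COM
   2 06/19/11 14:27:17 host/ipa.example.com@EXAMPLE.COM
   2 06/19/11 14:27:17 host/ipa.example.com@EXAMPLE.COM
   6 06/20/11 09:09:12 nfs/nfs.example.com@EXAMPLE.COM
   6 06/20/11 09:09:12 nfs/nfs.example.com@EXAMPLE.COM
"""

SAMPLE_KDC_LOG = """\
Jan 03 10:29:16 ipa.example.com krb5kdc[2426](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Jan 03 10:29:16 ipa.example.com krb5kdc[2426](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: PREAUTH_FAILED: host/ipa.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Jan 03 10:29:16 ipa.example.com krb5kdc[2429](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH: host/ipa.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jan 05 15:20:33 ipa.example.com krb5kdc[2431](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: ISSUE: authtime 1325769633, etypes {rep=18 tkt=18 ses=18}, nfs/nfs.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

KLIST_RE = re.compile(r"^\s*(\d+)\s+\S+ \S+\s+(\S+)\s*$")
AS_REQ_RE = re.compile(r"AS_REQ .*?: (PREAUTH_FAILED|NEEDED_PREAUTH|ISSUE): (.*)$")
STALE_KEY_MARK = "Decrypt integrity check failed"


def parse_klist(text):
    """principal -> set of KVNOs in the keytab (klist prints one line per enctype)."""
    kvnos = defaultdict(set)
    for line in text.splitlines():
        m = KLIST_RE.match(line)
        if m:
            kvnos[m.group(2)].add(int(m.group(1)))
    return dict(kvnos)


def parse_kdc_log(text):
    """(result, client principal, detail) for each AS_REQ line in krb5kdc.log."""
    events = []
    for line in text.splitlines():
        m = AS_REQ_RE.search(line)
        if not m:
            continue
        result, rest = m.groups()
        head, sep, tail = rest.partition(" for krbtgt/")
        if not sep:
            continue
        # The client principal is the last token before " for krbtgt/"; the
        # ISSUE line carries authtime/etypes fields in front of it.
        client = head.split()[-1]
        events.append((result, client, tail.partition(", ")[2]))
    return events


def stale_keytab_principals(klist_text, kdc_log_text):
    """Principals present in the keytab whose AS_REQ fails preauth with a decrypt
    error: the keytab's key no longer matches the KDC's (key or KVNO mismatch).
    NEEDED_PREAUTH on its own is normal, it is the first leg of preauth."""
    in_keytab = parse_klist(klist_text)
    stale = {}
    for result, client, detail in parse_kdc_log(kdc_log_text):
        if result == "PREAUTH_FAILED" and STALE_KEY_MARK in detail and client in in_keytab:
            stale[client] = sorted(in_keytab[client])
    return stale


def repair_command(principal, ipa_server, keytab="/etc/krb5.keytab"):
    """The ipa-getkeytab call Rob suggests. It generates a new key and bumps the
    KVNO, so every other copy of this principal's keytab stops working afterwards."""
    return ["ipa-getkeytab", "-s", ipa_server, "-p", principal.split("@")[0], "-k", keytab]


if __name__ == "__main__":
    for principal, kvnos in stale_keytab_principals(SAMPLE_KLIST, SAMPLE_KDC_LOG).items():
        print(f"{principal}: keytab KVNO {kvnos} rejected by KDC; run:",
              " ".join(repair_command(principal, "ipa.example.com")))
```

On a real server feed it `klist -kt /etc/krb5.keytab` and the tail of /var/log/krb5kdc.log instead of the samples. Because ipa-getkeytab resets the principal's key, run it once with a valid admin ticket (as in the thread, `kinit admin` first) and expect anything else that used the old keytab entry to need the new file.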



Nidal
--- On *Wed, 1/4/12, Rob Crittenden /rcritten@redhat.com/* wrote:


From: Rob Crittenden rcrit...@redhat.com
Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
To: nasir nasir kollath...@yahoo.com
Cc: Rich Megginson rmegg...@redhat.com,
freeipa-users@redhat.com, fasilk...@gmail.com
Date: Wednesday, January 4, 2012, 11:52 AM

nasir nasir wrote:
  Thanks for all the replies.
 
  Rob,
  Please find the output of your guidelines.

Here is the culprit:

ca-error: Error setting up ccache for local host service using
default
keytab.

certmonger authenticates to IPA using the host service principal
installed on each client (and master). For some reason that can't be
used.

Check the keytab:

# klist -kt /etc/krb5.keytab

If there are host entries there, try it:

# kinit -kt /etc/krb5.keytab host/server.example.com

rob

 
  # ipa-getcert list
  Number of certificates and requests being tracked: 3.
  Request ID '20110619112648':
  status: MONITORING
  ca-error: Error setting up ccache for local host service using
default
  keytab.
  stuck: no
  key pair storage:
 

type=NSSDB,location='/etc/dirsrv/slapd-x-COM',nickname='Server-Cert',token='NSS
  Certificate DB',pinfile='/etc/dirsrv/slapd-x-COM//pwdfile.txt'
  certificate:
 

type=NSSDB,location='/etc/dirsrv/slapd-x-COM',nickname='Server-Cert',token='NSS
  Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=x.COM
  subject: CN=x.x.com,O=x.COM
  expires: 20111216112647
  eku: id-kp-serverAuth
  track: yes
  auto-renew: yes
  Request ID '20110619112705':
  status: MONITORING
  ca-error: Error setting up ccache for local host service using
default
  keytab.
  stuck: no
  key pair storage:
 

type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
  Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
  certificate:
 

type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
  Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=x.COM
  subject: CN=x.x.com,O=x.COM
  expires: 20111216112704
  eku: id-kp-serverAuth
  track: yes
  auto-renew: yes
  Request ID '20110619112721':
  status: MONITORING
  ca-error: Error setting up ccache for local host service using
default
  keytab.
  stuck: no
  key pair storage:
 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
  Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
  certificate:
 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
  Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=x.COM
  subject: CN=x.x.com,O=x.COM
  expires: 20111216112720
  eku: id-kp-serverAuth
  track: yes
  auto

Re: [Freeipa-users] Expired SSL certificate issue with IPA

2012-01-03 Thread nasir nasir


--- On Tue, 1/3/12, Rich Megginson rmegg...@redhat.com wrote:

From: Rich Megginson rmegg...@redhat.com
Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
To: nasir nasir kollath...@yahoo.com
Cc: freeipa-users@redhat.com, fasilk...@gmail.com
Date: Tuesday, January 3, 2012, 7:41 AM

On 01/03/2012 12:52 AM, nasir nasir wrote:

Hi,

I am facing a serious issue with my production IPA server. When I try to access IPA web interface using Firefox, it hangs and doesn't allow me to get in. It seems to be due to expired SSL certificate as seen in the apache log file,

[Tue Jan 03 10:34:08 2012] [error] Certificate not verified: 'Server-Cert'
[Tue Jan 03 10:34:08 2012] [error] SSL Library Error: -8181 Certificate has expired
[Tue Jan 03 10:34:08 2012] [error] Unable to verify certificate 'Server-Cert'. Add NSSEnforceValidCerts off to nss.conf so the server can start until the problem can be resolved.
[Tue Jan 03 10:34:08 2012] [error] Certificate not verified: 'Server-Cert'

Also, when I try to use the command line (ipa user-mod or user-show commands) it too just hangs and doesn't give any output or allow me for any input. I can see the following in krb5kdc.log ,

Jan 03 10:29:16 xx.xx.com krb5kdc[2426](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Jan 03 10:29:16 xx.xx.com krb5kdc[2426](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: PREAUTH_FAILED: host/x.x@xx.com for krbtgt/xx@xx.com, Decrypt integrity check failed
Jan 03 10:29:16 xx.xx.com krb5kdc[2429](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH: host/.x@x.com for krbtgt/xx@xx.com, Additional pre-authentication required

The output of certutil -L -d /etc/httpd/alias -n Server-Cert confirms that certificate is expired as given below.

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10 (0xa)
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: CN=Certificate Authority,O=XX.COM
Validity:
Not Before: Sun Jun 19 11:27:20 2011
Not After : Fri Dec 16 11:27:20 2011

Relevant info

OS: RHEL 6.1

Output of rpm -qa | grep ipa

ipa-client-2.0.0-23.el6.i686
ipa-pki-ca-theme-9.0.3-6.el6.noarch
ipa-pki-common-theme-9.0.3-6.el6.noarch
device-mapper-multipath-libs-0.4.9-41.el6.i686
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.0.0-23.el6.i686
ipa-server-selinux-2.0.0-23.el6.i686
ipa-server-2.0.0-23.el6.i686
device-mapper-multipath-0.4.9-41.el6.i686
ipa-admintools-2.0.0-23.el6.i686

I went through the documentations to check how to renew the expired certs but it seems to be confusing and different across versions. Could someone please help me out by suggesting which is the best way to achieve this ? Any help would be greatly appreciated as I am unable to perform any task on the IPA server now because of this.

I suggest following the mod_nss suggestion to allow it to start and use the expired cert while you attempt to figure this out.

Thanks indeed for the suggestion. I will consider this. But can anyone point me the steps to renew certificate from the expired one ?

Thanks and regards,
Nidal


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Expired SSL certificate issue with IPA

2012-01-03 Thread JR Aquino
On Jan 3, 2012, at 8:37 AM, nasir nasir wrote:

 
 
 --- On Tue, 1/3/12, Rich Megginson rmegg...@redhat.com wrote:
 
 From: Rich Megginson rmegg...@redhat.com
 Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
 To: nasir nasir kollath...@yahoo.com
 Cc: freeipa-users@redhat.com, fasilk...@gmail.com
 Date: Tuesday, January 3, 2012, 7:41 AM
 
 On 01/03/2012 12:52 AM, nasir nasir wrote:
 Hi,
 
 I am facing a serious issue with my production IPA server. When I try to 
 access IPA web interface using Firefox, it hangs and doesn't allow me to get 
 in. It seems to be due to expired SSL certificate as seen in the apache log 
 file, 
 
 
 [Tue Jan 03 10:34:08 2012] [error] Certificate not verified: 'Server-Cert'
 [Tue Jan 03 10:34:08 2012] [error] SSL Library Error: -8181 Certificate has 
 expired
 [Tue Jan 03 10:34:08 2012] [error] Unable to verify certificate 
 'Server-Cert'. Add NSSEnforceValidCerts off to nss.conf so the server can 
 start until the problem can be resolved.
 [Tue Jan 03 10:34:08 2012] [error] Certificate not verified: 'Server-Cert'
 
 
 Also, when I try to use the command line (ipa user-mod or user-show 
 commands) it too just hangs and doesn't give any output or allow me for any 
 input. I can see the following in krb5kdc.log ,
 
 Jan 03 10:29:16 xx.xx.com krb5kdc[2426](info): preauth (timestamp) 
 verify failure: Decrypt integrity check failed
 Jan 03 10:29:16 xx.xx.com krb5kdc[2426](info): AS_REQ (4 etypes {18 
 17 16 23}) 192.168.1.10: PREAUTH_FAILED: host/x.x@xx.com for 
 krbtgt/xx@xx.com, Decrypt integrity check failed
 Jan 03 10:29:16 xx.xx.com krb5kdc[2429](info): AS_REQ (4 etypes {18 
 17 16 23}) 192.168.1.10: NEEDED_PREAUTH: host/.x@x.com for 
 krbtgt/xx@xx.com, Additional pre-authentication required
 
 
 The output of certutil -L -d /etc/httpd/alias -n Server-Cert confirms that 
 certificate is expired as given below.
 
 Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number: 10 (0xa)
 Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
 Issuer: CN=Certificate Authority,O=XX.COM
 Validity:
 Not Before: Sun Jun 19 11:27:20 2011
 Not After : Fri Dec 16 11:27:20 2011
 
 
 Relevant info
 
 OS: RHEL 6.1
 
 
 Output of rpm -qa | grep ipa
 
 ipa-client-2.0.0-23.el6.i686
 ipa-pki-ca-theme-9.0.3-6.el6.noarch
 ipa-pki-common-theme-9.0.3-6.el6.noarch
 device-mapper-multipath-libs-0.4.9-41.el6.i686
 python-iniparse-0.3.1-2.1.el6.noarch
 ipa-python-2.0.0-23.el6.i686
 ipa-server-selinux-2.0.0-23.el6.i686
 ipa-server-2.0.0-23.el6.i686
 device-mapper-multipath-0.4.9-41.el6.i686
 ipa-admintools-2.0.0-23.el6.i686
 
 
 I went through the documentations to check how to renew the expired certs 
 but it seems to be confusing and different across versions. Could someone 
 please help me out by suggesting which is the best way to achieve this ? Any 
 help would be greatly appreciated as I am unable to perform any task on the 
 IPA server now because of this.
 I suggest following the mod_nss suggestion to allow it to start and use the 
 expired cert while you attempt to figure this out.
 
 Thanks indeed for the suggestion. I will consider this. But can anyone point 
 me the steps to renew certificate from the expired one ?
 
 Thankds and regards,
 Nidal

wasn't certmonger supposed to be designed to automatically handle this 
situation?

 


Re: [Freeipa-users] Expired SSL certificate issue with IPA

2012-01-03 Thread Rob Crittenden

nasir nasir wrote:



--- On *Tue, 1/3/12, Rich Megginson /rmegg...@redhat.com/*wrote:


From: Rich Megginson rmegg...@redhat.com
Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
To: nasir nasir kollath...@yahoo.com
Cc: freeipa-users@redhat.com, fasilk...@gmail.com
Date: Tuesday, January 3, 2012, 7:41 AM

On 01/03/2012 12:52 AM, nasir nasir wrote:

Hi,

I am facing a serious issue with my production IPA server. When I
try to access IPA web interface using Firefox, it hangs and
doesn't allow me to get in. It seems to be due to expired SSL
certificate as seen in the apache log file,


[Tue Jan 03 10:34:08 2012] [error] Certificate not verified:
'Server-Cert'
[Tue Jan 03 10:34:08 2012] [error] SSL Library Error: -8181
Certificate has expired
[Tue Jan 03 10:34:08 2012] [error] Unable to verify certificate
'Server-Cert'. Add NSSEnforceValidCerts off to nss.conf so the
server can start until the problem can be resolved.
[Tue Jan 03 10:34:08 2012] [error] Certificate not verified:
'Server-Cert'


Also, when I try to use the command line (ipa user-mod or
user-show commands) it too just hangs and doesn't give any output
or allow me for any input. I can see the following in krb5kdc.log ,

Jan 03 10:29:16 xx.xx.com krb5kdc[2426](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Jan 03 10:29:16 xx.xx.com krb5kdc[2426](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: PREAUTH_FAILED: host/x.x@xx.com for krbtgt/xx@xx.com, Decrypt integrity check failed
Jan 03 10:29:16 xx.xx.com krb5kdc[2429](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH: host/.x@x.com for krbtgt/xx@xx.com, Additional pre-authentication required


The output of certutil -L -d /etc/httpd/alias -n Server-Cert
confirms that certificate is expired as given below.

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10 (0xa)
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: CN=Certificate Authority,O=XX.COM
Validity:
Not Before: Sun Jun 19 11:27:20 2011
Not After : Fri Dec 16 11:27:20 2011


Relevant info

OS: RHEL 6.1


Output of rpm -qa | grep ipa

ipa-client-2.0.0-23.el6.i686
ipa-pki-ca-theme-9.0.3-6.el6.noarch
ipa-pki-common-theme-9.0.3-6.el6.noarch
device-mapper-multipath-libs-0.4.9-41.el6.i686
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.0.0-23.el6.i686
ipa-server-selinux-2.0.0-23.el6.i686
ipa-server-2.0.0-23.el6.i686
device-mapper-multipath-0.4.9-41.el6.i686
ipa-admintools-2.0.0-23.el6.i686


I went through the documentations to check how to renew the
expired certs but it seems to be confusing and different across
versions. Could someone please help me out by suggesting which is
the best way to achieve this ? Any help would be greatly
appreciated as I am unable to perform any task on the IPA server
now because of this.


I suggest following the mod_nss suggestion to allow it to start and
use the expired cert while you attempt to figure this out.

Thanks indeed for the suggestion. I will consider this. But can
anyone point me the steps to renew certificate from the expired one ?

Thankds and regards,
Nidal


Lets start with figuring out why certmonger didn't do this for you:

Can you run as root: ipa-getcert list

You should have something like:

Request ID '20111215203350':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB'

CA: IPA
issuer: CN=EXAMPLE.COM Certificate Authority
subject: CN=rawhide.example.com,O=EXAMPLE.COM
expires: 2021-12-15 20:33:50 UTC
track: yes
auto-renew: yes

If you don't have something like this then perhaps the easiest way to 
get it renewed is to tell certmonger to track it. First, look at your 
current database, it should look something like:


# certutil -L -d /etc/httpd/alias

Server-Cert  u,u,u
EXAMPLE.COM IPA CA   CTu,u,Cu
Signing-Cert u,u,u

Now track it

# ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert

Use ipa-getcert list to track the status of the renewal. Once it has 
been completed you can reset the EnforceValidCerts
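The triage Rob walks through above (read `ipa-getcert list`, then check the NSS database with `certutil -L`) is easy to do by eye for three certificates and tedious for a fleet. The script below is an added example, not code from this thread or from FreeIPA: it parses both outputs and, per tracked request, reports whether the certificate is already expired, whether certmonger has recorded a ca-error, whether the request is stuck, and whether tracking plus auto-renew are on; it also checks that the IPA CA entry in the NSS database carries the `C` (trusted CA) flag in the SSL column. It handles both `expires:` stamp formats seen in the thread, the compact `20111216112720` of IPA 2.0 and the `2021-12-15 20:33:50 UTC` form. The sample outputs are constructed from the thread with example.com names, and `THREAD_DATE` (3 January 2012) is used as the reference clock so the result matches what the poster saw; use the current time in practice.

```python
import re
from datetime import datetime, timezone

# Reference clock: the date of this thread (use datetime.now(timezone.utc) live).
THREAD_DATE = datetime(2012, 1, 3, tzinfo=timezone.utc)

# Constructed sample shaped like the `ipa-getcert list` output quoted in this
# thread, wrapped lines included; not captured from a live server.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20110619112721':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction. Peer certificate cannot be
authenticated with known CA certificates).
stuck: yes
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
expires: 20111216112720
track: yes
auto-renew: yes
Request ID '20111215203350':
status: MONITORING
stuck: no
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
Certificate DB'
expires: 2021-12-15 20:33:50 UTC
track: yes
auto-renew: yes
"""

# Constructed sample shaped like `certutil -L -d /etc/httpd/alias`.
SAMPLE_CERTUTIL_LIST = """\
Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

Server-Cert                                     u,u,u
EXAMPLE.COM IPA CA                              CT,C,C
"""

REQ_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z -]*?):\s*(.*)$")
TRUST_RE = re.compile(r"^(.*?)\s+([CTcPpu]*,[CTcPpu]*,[CTcPpu]*)$")


def parse_getcert_list(text):
    """One dict per tracked request; values certmonger wrapped are joined back."""
    requests, cur, key = [], None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = REQ_RE.match(line)
        if m:
            cur, key = {"id": m.group(1)}, None
            requests.append(cur)
            continue
        if cur is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            key = m.group(1)
            cur[key] = m.group(2)
        elif key is not None:
            cur[key] = (cur[key] + " " + line).strip()
    return requests


def parse_expires(value):
    """Accept both stamp formats seen in the thread; returns an aware UTC datetime."""
    for fmt in ("%Y%m%d%H%M%S", "%Y-%m-%d %H:%M:%S UTC"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised expires stamp: {value!r}")


def triage(text, now=THREAD_DATE):
    """Flag each request that is expired, stuck, erroring or not auto-renewing."""
    findings = []
    for req in parse_getcert_list(text):
        nick = re.search(r"location='([^']*)',nickname='([^']*)'", req.get("certificate", ""))
        f = {
            "id": req["id"],
            "where": ":".join(nick.groups()) if nick else "?",
            "expired": parse_expires(req["expires"]) <= now,
            "ca_error": req.get("ca-error"),
            "stuck": req.get("stuck") == "yes",
            "auto_renew": req.get("track") == "yes" and req.get("auto-renew") == "yes",
        }
        f["needs_attention"] = f["expired"] or f["stuck"] or bool(f["ca_error"]) or not f["auto_renew"]
        findings.append(f)
    return findings


def parse_certutil_list(text):
    """Map nickname -> (SSL, S/MIME, JAR/XPI) trust flags from `certutil -L -d <db>`."""
    certs = {}
    for line in text.splitlines():
        m = TRUST_RE.match(line.strip())
        if m:
            certs[m.group(1).strip()] = tuple(m.group(2).split(","))
    return certs


def ca_trusted_for_ssl(certs, ca_nickname):
    """'C' in the SSL column means the entry may issue server certs for SSL."""
    flags = certs.get(ca_nickname)
    return bool(flags) and "C" in flags[0]
```

A request with `ca_error` set and `stuck: yes` (the first sample, mirroring the -504 libcurl error earlier in this thread) will not renew however long you wait; a request that is expired but still `MONITORING` with tracking on is the one `ipa-getcert start-tracking` or a certmonger restart may nudge. An IPA CA entry whose SSL flags lack `C` would explain mod_nss refusing to validate Server-Cert even after a successful renewal.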

Re: [Freeipa-users] Expired SSL certificate issue with IPA

2012-01-03 Thread Tim Niemueller

On 03.01.2012 18:32, JR Aquino wrote:


wasn't certmonger supposed to be designed to automatically handle
this situation?



I ran into the same problem a while ago. Seems that there was a faulty
version at some point which prevented automated updates.

It took me some time to fix it and roughly required setting a date back
in the past when the certificates were still valid and then renewing the
certificates manually. I think ipa cert-request was involved and I
remember that at some point I needed to restart certmonger and then it
immediately worked, but before the restart I had lots of failed tries.

Hope that helps somehow,
Tim

--
KBSG - Knowledge-Based Systems GroupAllemaniACs RoboCup Team

http://robocup.rwth-aachen.de RWTH Aachen University
http://kbsg.rwth-aachen.de   Ahornstrasse 55
http://www.fawkesrobotics.org D-52056 Aachen
