Re: [Freeipa-users] renewing cert and migrating free-ipa 3.1
Umarzuki Mochlis wrote:
> Now users complaining that passwords that have been reset cannot be
> used to log in.

Passwords are completely unrelated to expired certificates.

Wow, this is really quite an old install.

The error message about communicating with CMS suggests that the CA isn't really up. The dogtag debug log may contain more details on that.

What is the output when you use ipactl to restart the services? I have the feeling it is catching an error that your manual restart is not.

I'd also not set the date back so far. It won't hurt but it will be the starting date for new certificates so you'd be cheating yourself out of 8 or so months.

I'd also look at the RA agent cert to be sure it is currently correct:

$ ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca description
$ certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial

The description field from the ldapsearch has the format:

2;<serial>;<issuer>;<subject>

The serial numbers should match. Don't do anything if they don't, just report back the result.

rob

> I also tried resubmit getcert but 2 resubmit failed
>
> [root@ipa ~]# getcert list
> Number of certificates and requests being tracked: 7.
> Request ID '20130112120226':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='932018712055'
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=DOA.GOV.MY
>         subject: CN=CA Audit,O=DOA.GOV.MY
>         expires: 2016-11-24 16:19:25 UTC
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20130112120227':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='932018712055'
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=DOA.GOV.MY
>         subject: CN=OCSP Subsystem,O=DOA.GOV.MY
>         expires: 2016-11-24 16:18:25 UTC
>         eku: id-kp-OCSPSigning
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20130112120228':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='932018712055'
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=DOA.GOV.MY
>         subject: CN=CA Subsystem,O=DOA.GOV.MY
>         expires: 2016-11-24 16:18:25 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20130112120229':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=DOA.GOV.MY
>         subject: CN=IPA RA,O=DOA.GOV.MY
>         expires: 2016-11-24 16:18:25 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>         track: yes
>         auto-renew: yes
> Request ID '20130112120230':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='932018712055'
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=DOA.GOV.MY
>         subject: CN=ipa.domain.com.my,O=DOA.GOV.MY
>         expires: 2016-11-24 16:18:25 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "Server-Cert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20130112120232':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS
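The two commands in the reply above (ldapsearch for the uid=ipara description, certutil for the ipaCert in /etc/httpd/alias) are meant to be compared by eye. The following is an added example, not code from the thread or from the FreeIPA project, that does the comparison over saved output of those commands. It reads the whole certutil -L output rather than the grep'd Serial line so that issuer and subject can be checked as well. The realm EXAMPLE.TEST, serial number 7 and both sample outputs are constructed; ldapsearch folds long LDIF values across lines, which is why the sample is folded and unfolded here.

```python
"""Added example (not from the thread): compare the RA agent record in the Dogtag
LDAP instance (uid=ipara, description = 2;<serial>;<issuer DN>;<subject DN>) with
the ipaCert that httpd presents, as printed by certutil. It only reports."""
import base64
import re

# Constructed sample of: ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W
#   -b uid=ipara,ou=People,o=ipaca description
# Realm EXAMPLE.TEST and serial 7 are assumptions; the long value is folded the way
# ldapsearch folds LDIF lines, which is why unfold_ldif() below is needed.
SAMPLE_LDAPSEARCH = """\
# ipara, People, ipaca
dn: uid=ipara,ou=People,o=ipaca
description: 2;7;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE.
 TEST

# search result
search: 2
result: 0 Success
"""

# Constructed sample of: certutil -L -d /etc/httpd/alias -n ipaCert  (header part only)
SAMPLE_CERTUTIL = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Issuer: "CN=Certificate Authority,O=EXAMPLE.TEST"
        Validity:
            Not Before: Mon Nov 24 16:18:25 2014
            Not After : Thu Nov 24 16:18:25 2016
        Subject: "CN=IPA RA,O=EXAMPLE.TEST"
"""

HEX_BYTES_RE = re.compile(r"(?:[0-9a-f]{2}:?)+")


def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with one space continues the previous one."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ra_description(ldif):
    """Return (serial, issuer, subject) from the ipara description attribute."""
    for line in unfold_ldif(ldif):
        if line.startswith("description:: "):      # base64-encoded attribute value
            value = base64.b64decode(line[len("description:: "):]).decode()
        elif line.startswith("description: "):
            value = line[len("description: "):]
        else:
            continue
        fields = value.split(";", 3)
        if len(fields) != 4 or fields[0] != "2":
            raise ValueError("unexpected description format: %r" % value)
        return int(fields[1]), fields[2], fields[3]
    raise ValueError("no description attribute in ldapsearch output")


def parse_certutil(text):
    """Extract serial (int), issuer and subject from `certutil -L -n <nick>` output.

    certutil prints small serials inline ("Serial Number: 7 (0x7)") and large ones
    as colon-separated hex bytes on the following line(s); both forms are handled.
    """
    cert = {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("Serial Number:"):
            rest = s[len("Serial Number:"):].strip()
            if rest:
                cert["serial"] = int(rest.split()[0])
            else:
                hexbytes = ""
                for nxt in lines[i + 1:]:
                    if not HEX_BYTES_RE.fullmatch(nxt.strip()):
                        break
                    hexbytes += nxt.strip().replace(":", "")
                cert["serial"] = int(hexbytes, 16)
        elif s.startswith("Issuer:"):
            cert.setdefault("issuer", s[len("Issuer:"):].strip().strip('"'))
        elif s.startswith("Subject:"):
            cert.setdefault("subject", s[len("Subject:"):].strip().strip('"'))
    return cert


def check_ra_agent(ldif, certutil_out):
    """List mismatches between the LDAP record and the ipaCert; an empty list means they agree."""
    serial, issuer, subject = parse_ra_description(ldif)
    cert = parse_certutil(certutil_out)
    problems = []
    for name, ldap_value, cert_value in (("serial", serial, cert.get("serial")),
                                         ("issuer", issuer, cert.get("issuer")),
                                         ("subject", subject, cert.get("subject"))):
        if ldap_value != cert_value:
            problems.append("%s: LDAP has %r, ipaCert has %r" % (name, ldap_value, cert_value))
    return problems
```

Save the output of the two commands to files and call check_ra_agent() on their contents; as the reply says, a non-empty result is something to report, not something to fix by hand, because the RA agent record is what lets IPA authenticate to the CA and a wrong edit locks the CA out for good.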
Re: [Freeipa-users] renewing cert and migrating free-ipa 3.1
below are from httpd error log

[Thu Feb 18 16:28:06.351007 2016] [:error] [pid 310] ipa: INFO: ad...@domain.com.my: user_find(u'yusma', sizelimit=0, pkey_only=True): SUCCESS
[Thu Feb 18 16:28:06.400453 2016] [:error] [pid 311] ipa: INFO: ad...@domain.com.my: batch: user_show(u'nisa', all=True): SUCCESS
[Thu Feb 18 16:28:06.412753 2016] [:error] [pid 311] ipa: INFO: ad...@domain.com.my: batch: user_show(u'noryusmaniza', all=True): SUCCESS
[Thu Feb 18 16:28:06.428103 2016] [:error] [pid 311] ipa: INFO: ad...@domain.com.my: batch: user_show(u'yusmayusof', all=True): SUCCESS
[Thu Feb 18 16:28:06.428335 2016] [:error] [pid 311] ipa: INFO: ad...@domain.com.my: batch(({u'params': [[u'nisa'], {u'all': True}], u'method': u'user_show'}, {u'params': [[u'noryusmaniza'], {u'all': True}], u'method': u'user_show'}, {u'params': [[u'yusmayusof'], {u'all': True}], u'method': u'user_show'})): SUCCESS
[Thu Feb 18 16:28:09.254484 2016] [:error] [pid 310] ipa: INFO: ad...@domain.com.my: batch: user_show(u'yusmayusof', rights=True, all=True): SUCCESS
[Thu Feb 18 16:28:09.308107 2016] [:error] [pid 310] ipa: INFO: ad...@domain.com.my: batch: pwpolicy_show(None, rights=True, user=u'yusmayusof', all=True): SUCCESS
[Thu Feb 18 16:28:09.416227 2016] [:error] [pid 310] ipa: INFO: ad...@domain.com.my: batch: krbtpolicy_show(u'yusmayusof', rights=True, all=True): SUCCESS
[Thu Feb 18 16:28:09.416483 2016] [:error] [pid 310] ipa: INFO: ad...@domain.com.my: batch(({u'params': [[u'yusmayusof'], {u'all': True, u'rights': True}], u'method': u'user_show'}, {u'params': [[], {u'all': True, u'user': u'yusmayusof', u'rights': True}], u'method': u'pwpolicy_show'}, {u'params': [[u'yusmayusof'], {u'all': True, u'rights': True}], u'method': u'krbtpolicy_show'})): SUCCESS
[Thu Feb 18 16:28:09.921130 2016] [:error] [pid 311] ipa: INFO: ad...@domain.com.my: user_find(None): SUCCESS
[Thu Feb 18 16:28:27.176668 2016] [:error] [pid 310] ipa: INFO: ad...@domain.com.my: passwd(u'yusmayusof', u'', None): SUCCESS
[Thu Feb 18 16:28:27.331989 2016] [:error] [pid 311] ipa: INFO: ad...@domain.com.my: batch: user_show(u'yusmayusof', rights=True, all=True): SUCCESS
[Thu Feb 18 16:28:27.382532 2016] [:error] [pid 311] ipa: INFO: ad...@domain.com.my: batch: pwpolicy_show(None, rights=True, user=u'yusmayusof', all=True): SUCCESS
[Thu Feb 18 16:28:27.486929 2016] [:error] [pid 311] ipa: INFO: ad...@domain.com.my: batch: krbtpolicy_show(u'yusmayusof', rights=True, all=True): SUCCESS
[Thu Feb 18 16:28:27.487178 2016] [:error] [pid 311] ipa: INFO: ad...@domain.com.my: batch(({u'params': [[u'yusmayusof'], {u'all': True, u'rights': True}], u'method': u'user_show'}, {u'params': [[], {u'all': True, u'user': u'yusmayusof', u'rights': True}], u'method': u'pwpolicy_show'}, {u'params': [[u'yusmayusof'], {u'all': True, u'rights': True}], u'method': u'krbtpolicy_show'})): SUCCESS
[Thu Feb 18 16:28:27.969435 2016] [:error] [pid 310] ipa: INFO: ad...@domain.com.my: user_find(None): SUCCESS
[Thu Feb 18 16:29:22.017394 2016] [:error] [pid 311] ipa: INFO: ad...@domain.com.my: passwd(u'yusmayusof', u'', None): SUCCESS
[Thu Feb 18 16:29:22.169817 2016] [:error] [pid 310] ipa: INFO: ad...@domain.com.my: batch: user_show(u'yusmayusof', rights=True, all=True): SUCCESS
[Thu Feb 18 16:29:22.221379 2016] [:error] [pid 310] ipa: INFO: ad...@domain.com.my: batch: pwpolicy_show(None, rights=True, user=u'yusmayusof', all=True): SUCCESS
[Thu Feb 18 16:29:22.325846 2016] [:error] [pid 310] ipa: INFO: ad...@domain.com.my: batch: krbtpolicy_show(u'yusmayusof', rights=True, all=True): SUCCESS
[Thu Feb 18 16:29:22.326098 2016] [:error] [pid 310] ipa: INFO: ad...@domain.com.my: batch(({u'params': [[u'yusmayusof'], {u'all': True, u'rights': True}], u'method': u'user_show'}, {u'params': [[], {u'all': True, u'user': u'yusmayusof', u'rights': True}], u'method': u'pwpolicy_show'}, {u'params': [[u'yusmayusof'], {u'all': True, u'rights': True}], u'method': u'krbtpolicy_show'})): SUCCESS
[Thu Feb 18 16:29:22.801354 2016] [:error] [pid 311] ipa: INFO: ad...@domain.com.my: user_find(None): SUCCESS
[Thu Feb 18 16:31:55.029022 2016] [:error] [pid 310] ipa: ERROR: AuthManager.logout.xmlserver_session: session_data does not contain ccache_data
[Thu Feb 18 16:31:55.029222 2016] [:error] [pid 310] ipa: INFO: ad...@domain.com.my: session_logout(): SUCCESS
[Thu Feb 18 16:35:35.585717 2016] [:error] [pid 377] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate
[Thu Feb 18 16:36:59.015795 2016] [auth_kerb:error] [pid 377] [client 10.19.82.43:54553] gss_accept_sec_context() failed: No credentials were supplied, or the credentials were unavailable or inaccessible (, Unknown error), referer: https://ipa.domain.com.my/ipa/ui/

[root@ipa ~]# date
Thu Feb 18 16:37:19 MYT 2016

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] renewing cert and migrating free-ipa 3.1
please ignore that domain because I did not mask it properly
Re: [Freeipa-users] renewing cert and migrating free-ipa 3.1
Now users complaining that passwords that have been reset cannot be used to log in.

I also tried resubmit getcert but 2 resubmit failed

[root@ipa ~]# getcert list
Number of certificates and requests being tracked: 7.
Request ID '20130112120226':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='932018712055'
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DOA.GOV.MY
        subject: CN=CA Audit,O=DOA.GOV.MY
        expires: 2016-11-24 16:19:25 UTC
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130112120227':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='932018712055'
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DOA.GOV.MY
        subject: CN=OCSP Subsystem,O=DOA.GOV.MY
        expires: 2016-11-24 16:18:25 UTC
        eku: id-kp-OCSPSigning
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130112120228':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='932018712055'
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DOA.GOV.MY
        subject: CN=CA Subsystem,O=DOA.GOV.MY
        expires: 2016-11-24 16:18:25 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130112120229':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DOA.GOV.MY
        subject: CN=IPA RA,O=DOA.GOV.MY
        expires: 2016-11-24 16:18:25 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20130112120230':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='932018712055'
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DOA.GOV.MY
        subject: CN=ipa.domain.com.my,O=DOA.GOV.MY
        expires: 2016-11-24 16:18:25 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "Server-Cert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130112120232':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DOMAIN-COM-MY/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=DOA.GOV.MY
        subject: CN=ipa.domain.com.my,O=DOA.GOV.MY
        expires: 2016-12-16 16:18:27 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DOMAIN-COM-MY
        track: yes
        auto-renew: yes
Request ID '20130112120734':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
Re: [Freeipa-users] renewing cert and migrating free-ipa 3.1
Umarzuki Mochlis wrote:
> At first ipa-getcert list shows certificate error
>
> ca-error: Server failed request, will retry: -504 (libcurl failed to
> execute the HTTP POST transaction, explaining: Peer's Certificate has
> expired.).
>
> but after I changed ipa server's date to before expiry date, it shows
>
> ca-error: Server failed request, will retry: -504 (libcurl failed to
> execute the HTTP POST transaction, explaining: couldn't connect to
> host).
>
> when I tried to start ipa with "service ipa start", all services would
> fail, so I need to start one by one
>
> systemctl start dirsrv@DOMAIN-COM-MY.service
> systemctl status dirsrv@DOMAIN-COM-MY.service
> systemctl start krb5kdc.service
> systemctl status krb5kdc.service
> systemctl start kadmin.service
> systemctl status kadmin.service
> systemctl start ipa_memcached.service
> systemctl status ipa_memcached.service
> systemctl start pki-tomcatd@pki-tomcat.service
> systemctl status pki-tomcatd@pki-tomcat.service
>
>
> # tail /var/log/messages
> Jan 3 17:32:26 ipa systemd[1]: Starting PKI Tomcat Server pki-tomcat...
> Jan 3 17:32:29 ipa systemd[1]: Started PKI Tomcat Server pki-tomcat.
> Jan 3 17:33:08 ipa certmonger[476]: 2016-01-03 17:33:08 [476] Server
> failed request, will retry: -504 (libcurl failed to execute the HTTP
> POST transaction, explaining: couldn't connect to host).
> Jan 3 17:33:12 ipa certmonger[476]: 2016-01-03 17:33:12 [476] Server
> failed request, will retry: -504 (libcurl failed to execute the HTTP
> POST transaction, explaining: couldn't connect to host).

You want to use the getcert command, not ipa-getcert, to see the CA subsystem certificates.

What you should do is:

getcert list |grep expires

Find a date/time that fits into a period where all certs are valid and go back in time to then (after stopping ntpd).

That will hopefully fix the ipactl start issue.

Once IPA is restarted, restart certmonger.
rob
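The clock-selection step in the reply above (list expiry dates, pick a time at which every tracked cert is still valid, set the clock there after stopping ntpd) is easy to get wrong by hand when several certs expire on different days. The following is an added example, not code from the thread or from FreeIPA or certmonger, that parses `getcert list` output, lists the requests certmonger has given up on, and proposes the latest usable clock value: the earliest expiry minus a small margin, since going back further than necessary only shortens the validity of the renewed certs. The sample output, the instance name EXAMPLE-TEST and the one-hour margin are constructed assumptions; the expiry dates mirror the ones in this thread.

```python
"""Added example (not from the thread): parse `getcert list`, flag stuck requests,
and propose the latest clock value at which every tracked cert is still valid,
i.e. the least time travel needed before renewal can succeed."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `getcert list` output, cut down to the fields read here.
# Expiry dates mirror the thread (CA subsystem certs 2016-11-24, Server-Certs
# 2016-12-16); the instance name EXAMPLE-TEST is an assumption.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20130112120228':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        expires: 2016-11-24 16:18:25 UTC
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
Request ID '20130112120232':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        expires: 2016-12-16 16:18:27 UTC
Request ID '20130112120734':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        expires: 2016-12-16 16:18:27 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"


def _nss_field(storage, name):
    """Pull nickname='...' or location='...' out of a key pair storage line."""
    m = re.search(r"%s='([^']*)'" % name, storage)
    return m.group(1) if m else None


def parse_getcert_list(text):
    """One dict per tracked request: id, status, stuck, nickname, location, expires, ca_error."""
    records = []
    for raw in text.splitlines():
        m = REQUEST_RE.match(raw)
        if m:
            records.append({"id": m.group(1), "status": None, "stuck": False, "nickname": None,
                            "location": None, "expires": None, "ca_error": None})
            continue
        if not records or ":" not in raw:
            continue                      # header line before the first request
        key, value = (part.strip() for part in raw.split(":", 1))
        rec = records[-1]
        if key == "status":
            rec["status"] = value
        elif key == "stuck":
            rec["stuck"] = value == "yes"
        elif key == "ca-error":
            rec["ca_error"] = value
        elif key == "key pair storage":
            rec["nickname"] = _nss_field(value, "nickname")
            rec["location"] = _nss_field(value, "location")
        elif key == "expires":
            rec["expires"] = datetime.strptime(value, EXPIRES_FMT).replace(tzinfo=timezone.utc)
    return records


def stuck_requests(records):
    """Requests certmonger has stopped retrying or that cannot reach the CA."""
    return [r for r in records if r["stuck"] or r["status"] == "CA_UNREACHABLE"]


def earliest_expiry(records):
    """First 'expires' among tracked certs; the clock has to be set before this."""
    return min(r["expires"] for r in records if r["expires"] is not None)


def safe_clock(records, margin=timedelta(hours=1)):
    """Latest clock value at which all tracked certs are valid, less a margin.

    Going back further than necessary only costs validity time: the renewed
    certs' notBefore will be whatever the clock says when they are issued.
    """
    return earliest_expiry(records) - margin


def date_command(when):
    """GNU date invocation that sets the clock to `when` (UTC); stop ntpd/chronyd first."""
    return "date -u -s '%s'" % when.strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    recs = parse_getcert_list(SAMPLE_GETCERT_LIST)   # or: parse_getcert_list(sys.stdin.read())
    for r in stuck_requests(recs):
        print("stuck %s (%s in %s): %s" % (r["id"], r["nickname"], r["location"], r["ca_error"]))
    print("earliest expiry:", earliest_expiry(recs).isoformat())
    print("suggested:", date_command(safe_clock(recs)))
```

Feed it the real output with `getcert list | python3 pick_clock.py` after swapping in the sys.stdin line. The printed date command moves only this host's clock, so while it is in the past Kerberos clients will fail against the KDC with clock skew until NTP is re-enabled; that is the expected cost of the procedure, not a separate fault.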
Re: [Freeipa-users] renewing cert and migrating free-ipa 3.1
At first ipa-getcert list shows certificate error

ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).

but after I changed ipa server's date to before expiry date, it shows

ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: couldn't connect to host).

when I tried to start ipa with "service ipa start", all services would fail, so I need to start one by one

systemctl start dirsrv@DOMAIN-COM-MY.service
systemctl status dirsrv@DOMAIN-COM-MY.service
systemctl start krb5kdc.service
systemctl status krb5kdc.service
systemctl start kadmin.service
systemctl status kadmin.service
systemctl start ipa_memcached.service
systemctl status ipa_memcached.service
systemctl start pki-tomcatd@pki-tomcat.service
systemctl status pki-tomcatd@pki-tomcat.service

# tail /var/log/messages
Jan 3 17:32:26 ipa systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Jan 3 17:32:29 ipa systemd[1]: Started PKI Tomcat Server pki-tomcat.
Jan 3 17:33:08 ipa certmonger[476]: 2016-01-03 17:33:08 [476] Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: couldn't connect to host).
Jan 3 17:33:12 ipa certmonger[476]: 2016-01-03 17:33:12 [476] Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: couldn't connect to host).

2017-03-03 13:20 GMT+08:00 Umarzuki Mochlis:
> After httpd failed to start even with "NSSEnforceValidCerts off" in
> /etc/httpd/conf.d/nss.conf
> It used to work for a while since we use this only for zimbra but
> today it won't start anymore.
>
> We are not using commercial certs, so which steps should I follow to
> renew certs?
>
> It seems CA has expired more than 2 weeks ago.
>
> # ipa-getcert list
> Number of certificates and requests being tracked: 7.
> Request ID '20130112120232':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DOMAIN-COM-MY/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=DOMAIN.COM.MY
>         subject: CN=ipa.domain.com.my,O=DOMAIN.COM.MY
>         expires: 2016-12-16 16:18:27 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DOMAIN-COM-MY
>         track: yes
>         auto-renew: yes
> Request ID '20130112120734':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=DOMAIN.COM.MY
>         subject: CN=ipa.domain.com.my,O=DOMAIN.COM.MY
>         expires: 2016-12-16 16:18:27 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>         track: yes
>         auto-renew: yes
>
> # rpm -qa | grep ipa
> freeipa-admintools-3.1.0-2.fc18.x86_64
> freeipa-server-3.1.0-2.fc18.x86_64
> libipa_hbac-python-1.9.3-1.fc18.x86_64
> python-iniparse-0.4-6.fc18.noarch
> freeipa-client-3.1.0-2.fc18.x86_64
> freeipa-server-selinux-3.1.0-2.fc18.x86_64
> freeipa-python-3.1.0-2.fc18.x86_64
> libipa_hbac-1.9.3-1.fc18.x86_64
[Freeipa-users] renewing cert and migrating free-ipa 3.1
After httpd failed to start even with "NSSEnforceValidCerts off" in /etc/httpd/conf.d/nss.conf
It used to work for a while since we use this only for zimbra but today it won't start anymore.

We are not using commercial certs, so which steps should I follow to renew certs?

It seems CA has expired more than 2 weeks ago.

# ipa-getcert list
Number of certificates and requests being tracked: 7.
Request ID '20130112120232':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DOMAIN-COM-MY/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=DOMAIN.COM.MY
        subject: CN=ipa.domain.com.my,O=DOMAIN.COM.MY
        expires: 2016-12-16 16:18:27 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DOMAIN-COM-MY
        track: yes
        auto-renew: yes
Request ID '20130112120734':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=DOMAIN.COM.MY
        subject: CN=ipa.domain.com.my,O=DOMAIN.COM.MY
        expires: 2016-12-16 16:18:27 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes

# rpm -qa | grep ipa
freeipa-admintools-3.1.0-2.fc18.x86_64
freeipa-server-3.1.0-2.fc18.x86_64
libipa_hbac-python-1.9.3-1.fc18.x86_64
python-iniparse-0.4-6.fc18.noarch
freeipa-client-3.1.0-2.fc18.x86_64
freeipa-server-selinux-3.1.0-2.fc18.x86_64
freeipa-python-3.1.0-2.fc18.x86_64
libipa_hbac-1.9.3-1.fc18.x86_64