Re: [Freeipa-users] renewing cert and migrating free-ipa 3.1

2017-04-18 Thread Rob Crittenden
Umarzuki Mochlis wrote:
> Now users complaining that passwords that have been reset cannot be
> used to log in.

Passwords are completely unrelated to expired certificates.

Wow, this is really quite an old install.

The error message about communicating with CMS suggests that the CA
isn't really up. The dogtag debug log may contain more details on that.

What is the output when you use ipactl to restart the services? I have
the feeling it is catching an error that your manual restart is not.

I'd also not set the date back so far. It won't hurt but it will be the
starting date for new certificates so you'd be cheating yourself out of
8 or so months.

I'd also look at the RA agent cert to be sure it is currently correct:

$ ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca description

$ certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial

The description field from the ldapsearch has the format:

2;;;

The serial numbers should match. Don't do anything if they don't, just
report back the result.

rob

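The RA agent consistency check above can be scripted so the two serials are compared rather than eyeballed. This is an added example, not code from the thread or from FreeIPA: it assumes the ipara description attribute has the form "2;<serial>;<issuer DN>;<subject DN>" and that certutil prints a "Serial Number: N (0xN)" line; the LDAP and certutil output below is constructed, with LDIF line folding included.

```python
import base64
import re

# Constructed sample of what the two commands in the message above print.
# Assumption (not stated in the thread): the description attribute of
# uid=ipara has the form "2;<serial>;<issuer DN>;<subject DN>". ldapsearch
# folds long LDIF lines with a leading space, as reproduced here.
LDAP_OUTPUT = """\
dn: uid=ipara,ou=People,o=ipaca
description: 2;7;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPL
 E.TEST
"""

# Assumed shape of the line that 'certutil -L ... | grep Serial' returns.
CERTUTIL_OUTPUT = "        Serial Number: 7 (0x7)\n"


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space) back onto their line."""
    return re.sub(r"\n ", "", text)


def ra_serial_from_ldap(text):
    """Serial recorded in the ipara description, or None if not parseable.
    Handles both plain and base64 ('description::') attribute values."""
    m = re.search(r"^description(::?) ?(.*)$", unfold_ldif(text), re.MULTILINE)
    if not m:
        return None
    value = m.group(2)
    if m.group(1) == "::":
        value = base64.b64decode(value).decode("utf-8")
    parts = value.split(";")
    if len(parts) < 4 or parts[0] != "2" or not parts[1].isdigit():
        return None
    return int(parts[1])


def serial_from_certutil(text):
    """Serial from certutil's 'Serial Number: N (0xN)' line, or None.
    certutil prints decimal and hex; treat disagreement as a parse problem."""
    m = re.search(r"Serial Number:\s*(\d+)\s*\(0x([0-9a-fA-F]+)\)", text)
    if not m:
        return None
    dec, hx = int(m.group(1)), int(m.group(2), 16)
    return dec if dec == hx else None


def check_ra_agent(ldap_text, certutil_text):
    """Compare the serial IPA has on record for the RA agent with the serial
    of the ipaCert actually in the httpd NSS database. Report only; the
    message above says not to change anything on a mismatch."""
    ldap_serial = ra_serial_from_ldap(ldap_text)
    nss_serial = serial_from_certutil(certutil_text)
    if ldap_serial is None or nss_serial is None:
        return ("UNPARSEABLE", ldap_serial, nss_serial)
    status = "MATCH" if ldap_serial == nss_serial else "MISMATCH"
    return (status, ldap_serial, nss_serial)


if __name__ == "__main__":
    print(check_ra_agent(LDAP_OUTPUT, CERTUTIL_OUTPUT))
```

On a live server, feed the script the real output of the two commands in place of the constructed strings.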

Re: [Freeipa-users] renewing cert and migrating free-ipa 3.1

2017-04-18 Thread Umarzuki Mochlis
Below are lines from the httpd error log:

[Thu Feb 18 16:28:06.351007 2016] [:error] [pid 310] ipa: INFO:
ad...@domain.com.my: user_find(u'yusma', sizelimit=0, pkey_only=True):
SUCCESS
[Thu Feb 18 16:28:06.400453 2016] [:error] [pid 311] ipa: INFO:
ad...@domain.com.my: batch: user_show(u'nisa', all=True): SUCCESS
[Thu Feb 18 16:28:06.412753 2016] [:error] [pid 311] ipa: INFO:
ad...@domain.com.my: batch: user_show(u'noryusmaniza', all=True):
SUCCESS
[Thu Feb 18 16:28:06.428103 2016] [:error] [pid 311] ipa: INFO:
ad...@domain.com.my: batch: user_show(u'yusmayusof', all=True):
SUCCESS
[Thu Feb 18 16:28:06.428335 2016] [:error] [pid 311] ipa: INFO:
ad...@domain.com.my: batch(({u'params': [[u'nisa'], {u'all': True}],
u'method': u'user_show'}, {u'params': [[u'noryusmaniza'], {u'all':
True}], u'method': u'user_show'}, {u'params': [[u'yusmayusof'],
{u'all': True}], u'method': u'user_show'})): SUCCESS
[Thu Feb 18 16:28:09.254484 2016] [:error] [pid 310] ipa: INFO:
ad...@domain.com.my: batch: user_show(u'yusmayusof', rights=True,
all=True): SUCCESS
[Thu Feb 18 16:28:09.308107 2016] [:error] [pid 310] ipa: INFO:
ad...@domain.com.my: batch: pwpolicy_show(None, rights=True,
user=u'yusmayusof', all=True): SUCCESS
[Thu Feb 18 16:28:09.416227 2016] [:error] [pid 310] ipa: INFO:
ad...@domain.com.my: batch: krbtpolicy_show(u'yusmayusof',
rights=True, all=True): SUCCESS
[Thu Feb 18 16:28:09.416483 2016] [:error] [pid 310] ipa: INFO:
ad...@domain.com.my: batch(({u'params': [[u'yusmayusof'], {u'all':
True, u'rights': True}], u'method': u'user_show'}, {u'params': [[],
{u'all': True, u'user': u'yusmayusof', u'rights': True}], u'method':
u'pwpolicy_show'}, {u'params': [[u'yusmayusof'], {u'all': True,
u'rights': True}], u'method': u'krbtpolicy_show'})): SUCCESS
[Thu Feb 18 16:28:09.921130 2016] [:error] [pid 311] ipa: INFO:
ad...@domain.com.my: user_find(None): SUCCESS
[Thu Feb 18 16:28:27.176668 2016] [:error] [pid 310] ipa: INFO:
ad...@domain.com.my: passwd(u'yusmayusof', u'', None): SUCCESS
[Thu Feb 18 16:28:27.331989 2016] [:error] [pid 311] ipa: INFO:
ad...@domain.com.my: batch: user_show(u'yusmayusof', rights=True,
all=True): SUCCESS
[Thu Feb 18 16:28:27.382532 2016] [:error] [pid 311] ipa: INFO:
ad...@domain.com.my: batch: pwpolicy_show(None, rights=True,
user=u'yusmayusof', all=True): SUCCESS
[Thu Feb 18 16:28:27.486929 2016] [:error] [pid 311] ipa: INFO:
ad...@domain.com.my: batch: krbtpolicy_show(u'yusmayusof',
rights=True, all=True): SUCCESS
[Thu Feb 18 16:28:27.487178 2016] [:error] [pid 311] ipa: INFO:
ad...@domain.com.my: batch(({u'params': [[u'yusmayusof'], {u'all':
True, u'rights': True}], u'method': u'user_show'}, {u'params': [[],
{u'all': True, u'user': u'yusmayusof', u'rights': True}], u'method':
u'pwpolicy_show'}, {u'params': [[u'yusmayusof'], {u'all': True,
u'rights': True}], u'method': u'krbtpolicy_show'})): SUCCESS
[Thu Feb 18 16:28:27.969435 2016] [:error] [pid 310] ipa: INFO:
ad...@domain.com.my: user_find(None): SUCCESS
[Thu Feb 18 16:29:22.017394 2016] [:error] [pid 311] ipa: INFO:
ad...@domain.com.my: passwd(u'yusmayusof', u'', None): SUCCESS
[Thu Feb 18 16:29:22.169817 2016] [:error] [pid 310] ipa: INFO:
ad...@domain.com.my: batch: user_show(u'yusmayusof', rights=True,
all=True): SUCCESS
[Thu Feb 18 16:29:22.221379 2016] [:error] [pid 310] ipa: INFO:
ad...@domain.com.my: batch: pwpolicy_show(None, rights=True,
user=u'yusmayusof', all=True): SUCCESS
[Thu Feb 18 16:29:22.325846 2016] [:error] [pid 310] ipa: INFO:
ad...@domain.com.my: batch: krbtpolicy_show(u'yusmayusof',
rights=True, all=True): SUCCESS
[Thu Feb 18 16:29:22.326098 2016] [:error] [pid 310] ipa: INFO:
ad...@domain.com.my: batch(({u'params': [[u'yusmayusof'], {u'all':
True, u'rights': True}], u'method': u'user_show'}, {u'params': [[],
{u'all': True, u'user': u'yusmayusof', u'rights': True}], u'method':
u'pwpolicy_show'}, {u'params': [[u'yusmayusof'], {u'all': True,
u'rights': True}], u'method': u'krbtpolicy_show'})): SUCCESS
[Thu Feb 18 16:29:22.801354 2016] [:error] [pid 311] ipa: INFO:
ad...@domain.com.my: user_find(None): SUCCESS
[Thu Feb 18 16:31:55.029022 2016] [:error] [pid 310] ipa: ERROR:
AuthManager.logout.xmlserver_session: session_data does not contain
ccache_data
[Thu Feb 18 16:31:55.029222 2016] [:error] [pid 310] ipa: INFO:
ad...@domain.com.my: session_logout(): SUCCESS
[Thu Feb 18 16:35:35.585717 2016] [:error] [pid 377] SSL Library
Error: -12195 Peer does not recognize and trust the CA that issued
your certificate
[Thu Feb 18 16:36:59.015795 2016] [auth_kerb:error] [pid 377] [client
10.19.82.43:54553] gss_accept_sec_context() failed: No credentials
were supplied, or the credentials were unavailable or inaccessible (,
Unknown error), referer: https://ipa.domain.com.my/ipa/ui/
[root@ipa ~]# date
Thu Feb 18 16:37:19 MYT 2016

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] renewing cert and migrating free-ipa 3.1

2017-04-18 Thread Umarzuki Mochlis
Please ignore that domain because I did not mask it properly.



Re: [Freeipa-users] renewing cert and migrating free-ipa 3.1

2017-04-18 Thread Umarzuki Mochlis
Now users complaining that passwords that have been reset cannot be
used to log in.

I also tried resubmitting with getcert but 2 resubmits failed.

[root@ipa ~]# getcert list
Number of certificates and requests being tracked: 7.
Request ID '20130112120226':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='932018712055'
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=DOA.GOV.MY
subject: CN=CA Audit,O=DOA.GOV.MY
expires: 2016-11-24 16:19:25 UTC
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20130112120227':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='932018712055'
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=DOA.GOV.MY
subject: CN=OCSP Subsystem,O=DOA.GOV.MY
expires: 2016-11-24 16:18:25 UTC
eku: id-kp-OCSPSigning
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20130112120228':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='932018712055'
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=DOA.GOV.MY
subject: CN=CA Subsystem,O=DOA.GOV.MY
expires: 2016-11-24 16:18:25 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20130112120229':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=DOA.GOV.MY
subject: CN=IPA RA,O=DOA.GOV.MY
expires: 2016-11-24 16:18:25 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20130112120230':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='932018712055'
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=DOA.GOV.MY
subject: CN=ipa.domain.com.my,O=DOA.GOV.MY
expires: 2016-11-24 16:18:25 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_pkicad
"Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20130112120232':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at
server.  Certificate operation cannot be completed: Unable to
communicate with CMS (Internal Server Error)).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-DOMAIN-COM-MY/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DOA.GOV.MY
subject: CN=ipa.domain.com.my,O=DOA.GOV.MY
expires: 2016-12-16 16:18:27 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DOMAIN-COM-MY
track: yes
auto-renew: yes
Request ID '20130112120734':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at
server.  Certificate operation cannot be completed: Unable to
communicate with CMS (Internal Server Error)).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA

Re: [Freeipa-users] renewing cert and migrating free-ipa 3.1

2017-03-03 Thread Rob Crittenden
Umarzuki Mochlis wrote:
> At first ipa-getcert list shows a certificate error
> 
> ca-error: Server failed request, will retry: -504 (libcurl failed to
> execute the HTTP POST transaction, explaining:  Peer's Certificate has
> expired.).
> 
> but after I changed the IPA server's date to before the expiry date, it shows
> 
> ca-error: Server failed request, will retry: -504 (libcurl failed to
> execute the HTTP POST transaction, explaining:  couldn't connect to
> host).
> 
> When I tried to start IPA with "service ipa start", all services would
> fail, so I had to start them one by one:
> 
> systemctl start dirsrv@DOMAIN-COM-MY.service
> systemctl status dirsrv@DOMAIN-COM-MY.service
> systemctl start krb5kdc.service
> systemctl status krb5kdc.service
> systemctl start kadmin.service
> systemctl status kadmin.service
> systemctl start ipa_memcached.service
> systemctl status ipa_memcached.service
> systemctl start pki-tomcatd@pki-tomcat.service
> systemctl status pki-tomcatd@pki-tomcat.service
> 
> 
> # tail /var/log/messages
> Jan  3 17:32:26 ipa systemd[1]: Starting PKI Tomcat Server pki-tomcat...
> Jan  3 17:32:29 ipa systemd[1]: Started PKI Tomcat Server pki-tomcat.
> Jan  3 17:33:08 ipa certmonger[476]: 2016-01-03 17:33:08 [476] Server
> failed request, will retry: -504 (libcurl failed to execute the HTTP
> POST transaction, explaining:  couldn't connect to host).
> Jan  3 17:33:12 ipa certmonger[476]: 2016-01-03 17:33:12 [476] Server
> failed request, will retry: -504 (libcurl failed to execute the HTTP
> POST transaction, explaining:  couldn't connect to host).

You want to use the getcert command, not ipa-getcert, to see the CA
subsystem certificates.

What you should do is: getcert list |grep expires

Find a date/time that fits into a period where all certs are valid and
go back in time to then (after stopping ntpd).

That will hopefully fix the ipactl start issue.

Once IPA is restarted, restart certmonger.

rob
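The "getcert list | grep expires" step above amounts to finding the earliest expiry among all tracked certificates and picking a clock setting just before it. As an added example (not code from the thread or from certmonger), the following parses getcert list output in the layout shown in this thread and computes that window; the sample output, subjects and dates are constructed, and the one-day margin is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed excerpt of 'getcert list' output in the layout shown in this
# thread (three tracked requests; subjects and dates are made up).
GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20130112120226':
        status: MONITORING
        stuck: no
        subject: CN=CA Audit,O=EXAMPLE.TEST
        expires: 2016-11-24 16:19:25 UTC
Request ID '20130112120230':
        status: MONITORING
        stuck: no
        subject: CN=ipa.example.test,O=EXAMPLE.TEST
        expires: 2016-11-24 16:18:25 UTC
Request ID '20130112120232':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining:  Peer's Certificate has expired.).
        stuck: yes
        subject: CN=ipa.example.test,O=EXAMPLE.TEST
        expires: 2016-12-16 16:18:27 UTC
"""


def parse_getcert_list(text):
    """Split getcert list output into one dict of fields per Request ID."""
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
            continue
        if current is None or ":" not in line:
            continue
        # split on the first colon only: values such as ca-error contain more
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return entries


def parse_expires(value):
    """getcert prints 'YYYY-MM-DD HH:MM:SS UTC'; return an aware datetime."""
    stamp = datetime.strptime(value.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
    return stamp.replace(tzinfo=timezone.utc)


def all_valid_until(entries):
    """Earliest expiry across the tracked certs: the last instant at which
    every one of them is still valid."""
    return min(parse_expires(e["expires"]) for e in entries if "expires" in e)


def suggested_clock(entries, margin=timedelta(days=1)):
    """Clock setting a little before the earliest expiry. getcert list does
    not show the start of validity, so the margin is kept small (assumed
    one day); going back further also shortens the life of renewed certs."""
    return all_valid_until(entries) - margin


def stuck_requests(entries):
    """Request IDs certmonger reports as stuck, to watch after the restart."""
    return [e["request_id"] for e in entries if e.get("stuck") == "yes"]


if __name__ == "__main__":
    certs = parse_getcert_list(GETCERT_OUTPUT)
    print("all certs valid until:", all_valid_until(certs))
    print("set clock to about:   ", suggested_clock(certs))
    print("stuck requests:       ", stuck_requests(certs))
```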



Re: [Freeipa-users] renewing cert and migrating free-ipa 3.1

2017-03-03 Thread Umarzuki Mochlis
At first ipa-getcert list shows a certificate error

ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction, explaining:  Peer's Certificate has
expired.).

but after I changed the IPA server's date to before the expiry date, it shows

ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction, explaining:  couldn't connect to
host).

When I tried to start IPA with "service ipa start", all services would
fail, so I had to start them one by one:

systemctl start dirsrv@DOMAIN-COM-MY.service
systemctl status dirsrv@DOMAIN-COM-MY.service
systemctl start krb5kdc.service
systemctl status krb5kdc.service
systemctl start kadmin.service
systemctl status kadmin.service
systemctl start ipa_memcached.service
systemctl status ipa_memcached.service
systemctl start pki-tomcatd@pki-tomcat.service
systemctl status pki-tomcatd@pki-tomcat.service


# tail /var/log/messages
Jan  3 17:32:26 ipa systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Jan  3 17:32:29 ipa systemd[1]: Started PKI Tomcat Server pki-tomcat.
Jan  3 17:33:08 ipa certmonger[476]: 2016-01-03 17:33:08 [476] Server
failed request, will retry: -504 (libcurl failed to execute the HTTP
POST transaction, explaining:  couldn't connect to host).
Jan  3 17:33:12 ipa certmonger[476]: 2016-01-03 17:33:12 [476] Server
failed request, will retry: -504 (libcurl failed to execute the HTTP
POST transaction, explaining:  couldn't connect to host).




[Freeipa-users] renewing cert and migrating free-ipa 3.1

2017-03-02 Thread Umarzuki Mochlis
httpd failed to start even with "NSSEnforceValidCerts off" in
/etc/httpd/conf.d/nss.conf. It used to work for a while, since we use this
only for Zimbra, but today it won't start anymore.

We are not using commercial certs, so which steps should I follow to
renew certs?

It seems the CA expired more than 2 weeks ago.

#  ipa-getcert list
Number of certificates and requests being tracked: 7.
Request ID '20130112120232':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl
failed to execute the HTTP POST transaction, explaining:  Peer's
Certificate has expired.).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-DOMAIN-COM-MY/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DOMAIN.COM.MY
subject: CN=ipa.domain.com.my,O=DOMAIN.COM.MY
expires: 2016-12-16 16:18:27 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
DOMAIN-COM-MY
track: yes
auto-renew: yes
Request ID '20130112120734':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl
failed to execute the HTTP POST transaction, explaining:  Peer's
Certificate has expired.).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DOMAIN.COM.MY
subject: CN=ipa.domain.com.my,O=DOMAIN.COM.MY
expires: 2016-12-16 16:18:27 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes

# rpm -qa | grep ipa
freeipa-admintools-3.1.0-2.fc18.x86_64
freeipa-server-3.1.0-2.fc18.x86_64
libipa_hbac-python-1.9.3-1.fc18.x86_64
python-iniparse-0.4-6.fc18.noarch
freeipa-client-3.1.0-2.fc18.x86_64
freeipa-server-selinux-3.1.0-2.fc18.x86_64
freeipa-python-3.1.0-2.fc18.x86_64
libipa_hbac-1.9.3-1.fc18.x86_64
