Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family
Here is what I found :

In the catalina.out :
###
May 27, 2016 10:51:35 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet caDisplayBySerial-agent threw exception
java.io.IOException: CS server is not ready to serve.
    at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:441)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.netscape.cms.servlet.filter.AgentRequestFilter.doFilter(AgentRequestFilter.java:124)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
    at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
    at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769)
    at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698)
    at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
    at java.lang.Thread.run(Thread.java:722)
###

In the selftests.log in /var/log/pki-ca :
###
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem: Initializing self test plugins:
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem: loading all self test plugin instances
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
24196.main - [27/May/2016:10:50:28 CEST] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
24196.main - [27/May/2016:10:50:28 CEST] [20] [1] CAPresence: CA is present
24196.main - [27/May/2016:10:50:28 CEST] [20] [1] SystemCertsVerification: system certs verification failure
24196.main - [27/May/2016:10:50:28 CEST] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
###

But nothing else.

Best regards.

Bahan

On Wed, Sep 14, 2016 at 7:27 PM, bahan w wrote:
> I tried also the following commands :
> ###
> # ipa cert-show 1
> ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
>
> # service ipa status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
> ###
>
> I'm checking the /var/log/pki-ca logs to see if I find something.
>
> Best regards.
>
> Bahan
>
> On Wed, Sep 14, 2016 at 7:02 PM, bahan w wrote:
>
>> Sorry Martin,
>>
>> This is not the first time I forgot to add back freeipa users.
>> I have problems with gmail, again sorry.
>>
>> Indeed I figured out that I had to restart the ipa server.
>> So I tried to restart ipa server.
>> But it was not working yet.
>>
>> So I thought it was maybe due to the configuration I performed in the nss.conf.
>> So I rollbacked this conf and restarted ipa-server.
>> Then I retried your commands but it is still the same error.
>>
>> ###
>> Request ID '20140528064145':
>>     status: CA_UNREACHABLE
>>     ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>>     stuck: yes
>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>     certificate:
Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family
I tried also the following commands :
###
# ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

# service ipa status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
###

I'm checking the /var/log/pki-ca logs to see if I find something.

Best regards.

Bahan

On Wed, Sep 14, 2016 at 7:02 PM, bahan w wrote:
> Sorry Martin,
>
> This is not the first time I forgot to add back freeipa users.
> I have problems with gmail, again sorry.
>
> Indeed I figured out that I had to restart the ipa server.
> So I tried to restart ipa server.
> But it was not working yet.
>
> So I thought it was maybe due to the configuration I performed in the nss.conf.
> So I rollbacked this conf and restarted ipa-server.
> Then I retried your commands but it is still the same error.
>
> ###
> Request ID '20140528064145':
>     status: CA_UNREACHABLE
>     ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>     stuck: yes
>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=
>     subject: CN=,O=
>     expires: 2016-05-28 06:41:44 UTC
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>     track: yes
>     auto-renew: yes
> ###
>
> Do you know what is the CMS ?
> ###
> (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
> ###
>
> Best regards.
>
> Bahan
>
> On Wed, Sep 14, 2016 at 6:46 PM, Martin Basti wrote:
>
>> did you restart IPA when you moved time? Is there a more detailed error description in output of getcert list?
>>
>> On 14.09.2016 18:45, bahan w wrote:
>>
>> I set the date-time when the certificates were valid :
>> ###
>> # date -s '2016-05-27 10:00:00'
>> Fri May 27 10:00:00 CEST 2016
>>
>> # date
>> Fri May 27 10:00:02 CEST 2016
>> ###
>>
>> Then I try to renew them :
>> ###
>> # getcert resubmit -i 20140528063919
>> Resubmitting "20140528063919" to "IPA".
>>
>> # getcert resubmit -i 20140528064145
>> Resubmitting "20140528064145" to "IPA".
>>
>> # getcert resubmit -i 20140528063953
>> Resubmitting "20140528063953" to "IPA".
>> ###
>>
>> But when I do the getcert list after, the result is the same.
>>
>> I guess it is because of this ?
>> CA_UNREACHABLE
>>
>> Any idea ?
>>
>> Best regards.
>>
>> Bahan
>>
>> On Wed, Sep 14, 2016 at 6:38 PM, bahan w wrote:
>>
>>> Ok, I managed to restart the IPA service by adding this line in the file /etc/httpd/conf.d/nss.conf :
>>> ###
>>> NSSEnforceValidCerts off
>>> ###
>>>
>>> But when I do the getcert now I got the following result :
>>>
>>> ###
>>> # getcert list
>>> Number of certificates and requests being tracked: 8.
>>> Request ID '20140528063903':
>>>     status: MONITORING
>>>     stuck: no
>>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>     CA: dogtag-ipa-renew-agent
>>>     issuer: CN=Certificate Authority,O=
>>>     subject: CN=CA Audit,O=
>>>     expires: 2018-04-09 11:39:16 UTC
>>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>>     track: yes
>>>     auto-renew: yes
>>> Request ID '20140528063904':
>>>     status: MONITORING
>>>     stuck: no
>>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>     CA: dogtag-ipa-renew-agent
>>>     issuer: CN=Certificate Authority,O=
>>>     subject: CN=OCSP Subsystem,O=
>>>     expires: 2018-04-09 11:38:16 UTC
>>>     eku: id-kp-OCSPSigning
>>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>>     track: yes
>>>     auto-renew: yes
>>> Request ID '20140528063905':
>>>     status:
Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family
Sorry Martin,

This is not the first time I forgot to add back freeipa users.
I have problems with gmail, again sorry.

Indeed I figured out that I had to restart the ipa server.
So I tried to restart ipa server.
But it was not working yet.

So I thought it was maybe due to the configuration I performed in the nss.conf.
So I rollbacked this conf and restarted ipa-server.
Then I retried your commands but it is still the same error.

###
Request ID '20140528064145':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=
    subject: CN=,O=
    expires: 2016-05-28 06:41:44 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
###

Do you know what is the CMS ?
###
(RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
###

Best regards.

Bahan

On Wed, Sep 14, 2016 at 6:46 PM, Martin Basti wrote:
> did you restart IPA when you moved time? Is there a more detailed error description in output of getcert list?
>
> On 14.09.2016 18:45, bahan w wrote:
>
> I set the date-time when the certificates were valid :
> ###
> # date -s '2016-05-27 10:00:00'
> Fri May 27 10:00:00 CEST 2016
>
> # date
> Fri May 27 10:00:02 CEST 2016
> ###
>
> Then I try to renew them :
> ###
> # getcert resubmit -i 20140528063919
> Resubmitting "20140528063919" to "IPA".
>
> # getcert resubmit -i 20140528064145
> Resubmitting "20140528064145" to "IPA".
>
> # getcert resubmit -i 20140528063953
> Resubmitting "20140528063953" to "IPA".
> ###
>
> But when I do the getcert list after, the result is the same.
>
> I guess it is because of this ?
> CA_UNREACHABLE
>
> Any idea ?
>
> Best regards.
>
> Bahan
>
> On Wed, Sep 14, 2016 at 6:38 PM, bahan w wrote:
>
>> Ok, I managed to restart the IPA service by adding this line in the file /etc/httpd/conf.d/nss.conf :
>> ###
>> NSSEnforceValidCerts off
>> ###
>>
>> But when I do the getcert now I got the following result :
>>
>> ###
>> # getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20140528063903':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=
>>     subject: CN=CA Audit,O=
>>     expires: 2018-04-09 11:39:16 UTC
>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>     track: yes
>>     auto-renew: yes
>> Request ID '20140528063904':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=
>>     subject: CN=OCSP Subsystem,O=
>>     expires: 2018-04-09 11:38:16 UTC
>>     eku: id-kp-OCSPSigning
>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>     track: yes
>>     auto-renew: yes
>> Request ID '20140528063905':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=
>>     subject: CN=CA Subsystem,O=
>>     expires: 2018-04-09 11:38:16 UTC
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>     post-save command:
Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family
Please keep freeipa-users in CC, I'm quite lost here

ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).

I'm not sure what this does mean, but if this is caused by invalid httpd certificate, solution might be to set time a week before 2016-05-28, restart IPA and try to renew certs again

Martin^2

On 14.09.2016 18:38, bahan w wrote:
Ok, I managed to restart the IPA service by adding this line in the file /etc/httpd/conf.d/nss.conf :
###
NSSEnforceValidCerts off
###

But when I do the getcert now I got the following result :

###
# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20140528063903':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=
    subject: CN=CA Audit,O=
    expires: 2018-04-09 11:39:16 UTC
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20140528063904':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=
    subject: CN=OCSP Subsystem,O=
    expires: 2018-04-09 11:38:16 UTC
    eku: id-kp-OCSPSigning
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20140528063905':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=
    subject: CN=CA Subsystem,O=
    expires: 2018-04-09 11:38:16 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20140528063906':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=
    subject: CN=IPA RA,O=
    expires: 2018-04-09 11:38:16 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20140528063907':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=
    subject: CN=,O=
    expires: 2018-04-09 11:38:16 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20140528063919':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=
    subject: CN=,O=
    expires: 2016-05-28 06:39:18 UTC
    eku:
Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family
did you restart IPA when you moved time? Is there a more detailed error description in output of getcert list?

On 14.09.2016 18:45, bahan w wrote:
I set the date-time when the certificates were valid :
###
# date -s '2016-05-27 10:00:00'
Fri May 27 10:00:00 CEST 2016

# date
Fri May 27 10:00:02 CEST 2016
###

Then I try to renew them :
###
# getcert resubmit -i 20140528063919
Resubmitting "20140528063919" to "IPA".

# getcert resubmit -i 20140528064145
Resubmitting "20140528064145" to "IPA".

# getcert resubmit -i 20140528063953
Resubmitting "20140528063953" to "IPA".
###

But when I do the getcert list after, the result is the same.

I guess it is because of this ?
CA_UNREACHABLE

Any idea ?

Best regards.

Bahan

On Wed, Sep 14, 2016 at 6:38 PM, bahan w wrote:
Ok, I managed to restart the IPA service by adding this line in the file /etc/httpd/conf.d/nss.conf :
###
NSSEnforceValidCerts off
###

But when I do the getcert now I got the following result :

###
# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20140528063903':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=
    subject: CN=CA Audit,O=
    expires: 2018-04-09 11:39:16 UTC
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20140528063904':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=
    subject: CN=OCSP Subsystem,O=
    expires: 2018-04-09 11:38:16 UTC
    eku: id-kp-OCSPSigning
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20140528063905':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=
    subject: CN=CA Subsystem,O=
    expires: 2018-04-09 11:38:16 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20140528063906':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=
    subject: CN=IPA RA,O=
    expires: 2018-04-09 11:38:16 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20140528063907':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=
    subject: CN=,O=
    expires: 2018-04-09 11:38:16 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family
I set the date-time when the certificates were valid :
###
# date -s '2016-05-27 10:00:00'
Fri May 27 10:00:00 CEST 2016

# date
Fri May 27 10:00:02 CEST 2016
###

Then I try to renew them :
###
# getcert resubmit -i 20140528063919
Resubmitting "20140528063919" to "IPA".

# getcert resubmit -i 20140528064145
Resubmitting "20140528064145" to "IPA".

# getcert resubmit -i 20140528063953
Resubmitting "20140528063953" to "IPA".
###

But when I do the getcert list after, the result is the same.

I guess it is because of this ?
CA_UNREACHABLE

Any idea ?

Best regards.

Bahan

On Wed, Sep 14, 2016 at 6:38 PM, bahan w wrote:
> Ok, I managed to restart the IPA service by adding this line in the file /etc/httpd/conf.d/nss.conf :
> ###
> NSSEnforceValidCerts off
> ###
>
> But when I do the getcert now I got the following result :
>
> ###
> # getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20140528063903':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent
>     issuer: CN=Certificate Authority,O=
>     subject: CN=CA Audit,O=
>     expires: 2018-04-09 11:39:16 UTC
>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20140528063904':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent
>     issuer: CN=Certificate Authority,O=
>     subject: CN=OCSP Subsystem,O=
>     expires: 2018-04-09 11:38:16 UTC
>     eku: id-kp-OCSPSigning
>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20140528063905':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent
>     issuer: CN=Certificate Authority,O=
>     subject: CN=CA Subsystem,O=
>     expires: 2018-04-09 11:38:16 UTC
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20140528063906':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent
>     issuer: CN=Certificate Authority,O=
>     subject: CN=IPA RA,O=
>     expires: 2018-04-09 11:38:16 UTC
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>     track: yes
>     auto-renew: yes
> Request ID '20140528063907':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent
>     issuer: CN=Certificate Authority,O=
>     subject: CN=,O=
>     expires: 2018-04-09 11:38:16 UTC
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command:
>     track: yes
>     auto-renew: yes
> Request ID '20140528063919':
>     status: CA_UNREACHABLE
>     ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>     stuck: yes
>     key pair storage: type=NSSDB,location='/etc/
Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family
Please keep freeipa-users in CC, there is no sensitive information in getcert list output (you sanitized it)

Following certificates are expired, please try to resubmit them.

I'm also worried about this error message:
ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm ''.
is KDC running?

Request ID '20140528063919':
    status: MONITORING
    ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm ''.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=
    subject: CN=,O=
    expires: 2016-05-28 06:39:18 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
    track: yes
    auto-renew: yes
Request ID '20140528063953':
    status: MONITORING
    ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm ''.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=
    subject: CN=,O=
    expires: 2016-05-28 06:39:52 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
    track: yes
    auto-renew: yes
Request ID '20140528064145':
    status: MONITORING
    ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm ''.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=
    subject: CN=,O=
    expires: 2016-05-28 06:41:44 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family
Then you have to start services manually, I don't know if the same steps will work with IPA 3.0.0, I don't remember, but you can try :)

On 14.09.2016 18:18, bahan w wrote:
> Oh I forgot to add that my version of ipa is quite old:
> ###
> # rpm -qa | grep ipa-server
> ipa-server-3.0.0-25.el6.x86_64
> ###
> When I try the command you gave me I got the following error:
> ###
> # ipactl start --force
> Usage: ipactl start|stop|restart|status
> ipactl: error: no such option: --force
> ###
> Best regards.
> Bahan
>
> On Wed, Sep 14, 2016 at 6:14 PM, Martin Basti wrote:
>> On 14.09.2016 17:59, bahan w wrote:
>>> Hello !
>>> I send you this mail because I cannot restart my test IPA server.
>>> When I try to start it with service ipa start, I got the following error message:
>>> ###
>>> # service ipa start
>>> Starting Directory Service
>>> Starting dirsrv:
>>>     ...[14/Sep/2016:17:57:23 +0200] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.) [ OK ]
>>>     PKI-IPA...[14/Sep/2016:17:57:33 +0200] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.) [ OK ]
>>> Starting KDC Service
>>> Starting Kerberos 5 KDC: [ OK ]
>>> Starting KPASSWD Service
>>> Starting Kerberos 5 Admin Server: [ OK ]
>>> Starting MEMCACHE Service
>>> Starting ipa_memcached: [ OK ]
>>> Starting HTTP Service
>>> Starting httpd: [FAILED]
>>> Failed to start HTTP Service
>>> Shutting down
>>> Stopping Kerberos 5 KDC: [ OK ]
>>> Stopping Kerberos 5 Admin Server: [ OK ]
>>> Stopping ipa_memcached: [ OK ]
>>> Stopping httpd: [FAILED]
>>> Stopping pki-ca: [ OK ]
>>> Shutting down dirsrv:
>>>     ... [ OK ]
>>>     PKI-IPA... [ OK ]
>>> Aborting ipactl
>>>
>>> # service ipa status
>>> Directory Service: STOPPED
>>> Failed to get list of services to probe status:
>>> Directory Server is stopped
>>> ###
>>>
>>> Do you know how to renew the SSL certificate used for the IPA Server?
>>>
>>> Best regards.
>>> Bahan
>>
>> Hello,
>>
>> please run
>>
>> # ipactl start --force
>> # getcert list (to detect which certificate is outdated, I suspect the DS cert (or to get more info why it has not been renewed))
>>
>> If getcert does work (I'm not sure if it is able to work without httpd), you probably need to move time back to the past where the cert is valid, start IPA and try again.
>>
>> Please find the ID of the outdated certificate and try to resubmit it (CA and DS must be running)
>>
>> # getcert resubmit -i 20160914122036 (use your ID :) )
>>
>> This should renew the cert, check status with getcert list
>>
>> Move time back to the future (if needed)
>>
>> Try to restart IPA
>>
>> Martin^2

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
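The renewal steps in Martin's reply hinge on first finding which tracked certificate has already expired. As an added example (not code from the thread or from the FreeIPA project), the POSIX shell function below scans `getcert list` output for certificates whose "expires:" date lies before a given reference time and reports their Request IDs; the sample output is constructed, the paths are shortened, and the reference time is passed in explicitly so the check runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project: report tracked
# certificates whose "expires:" date lies before a reference time, so an
# expired Server-Cert is caught before dirsrv/httpd refuse to start.
# Times are compared as "YYYY-MM-DD HH:MM:SS" UTC strings, which sort
# correctly as text, so no GNU `date -d` is required.

# Usage: find_expired_certs "YYYY-MM-DD HH:MM:SS" < getcert-list-output
# Prints one line per expired cert: "<request id> <nickname> <expiry> stuck=<yes|no>"
find_expired_certs() {
    awk -v now="$1" -v q="'" '
        /^Request ID/ {
            # Request ID line: keep only the digits of the quoted ID
            id = $3; gsub(/[^0-9]/, "", id); nick = "?"; stuck = "?"; next
        }
        /^[ \t]*stuck:/ { stuck = $2; next }
        /^[ \t]*certificate:/ {
            # pull nickname=... out of the comma-separated storage spec
            if (match($0, /nickname=[^,]*/)) {
                nick = substr($0, RSTART + 9, RLENGTH - 9); gsub(q, "", nick)
            }
            next
        }
        /^[ \t]*expires:/ {
            expiry = $2 " " $3
            if (expiry < now) print id, nick, expiry, "stuck=" stuck
        }
    '
}

# Constructed sample in the format getcert prints (paths shortened, fields
# omitted); the first entry reuses the Request ID Martin used as an example.
SAMPLE_GETCERT_OUTPUT="Number of certificates and requests being tracked: 2.
Request ID '20160914122036':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    expires: 2016-09-10 12:20:36 UTC
Request ID '20160914122102':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    expires: 2018-09-14 12:21:02 UTC"

# On a real server: getcert list | find_expired_certs "$(date -u '+%Y-%m-%d %H:%M:%S')"
printf '%s\n' "$SAMPLE_GETCERT_OUTPUT" | find_expired_certs "2016-09-14 17:57:23"
```

Run against the sample at the time of the failed start, only the directory server's Server-Cert is reported, which is the request ID to pass to `getcert resubmit -i`.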