Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread bahan w
Here is what I found :

In the catalina.out :
###
May 27, 2016 10:51:35 AM org.apache.catalina.core.StandardWrapperValve
invoke
SEVERE: Servlet.service() for servlet caDisplayBySerial-agent threw
exception
java.io.IOException: CS server is not ready to serve.
at
com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:441)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
com.netscape.cms.servlet.filter.AgentRequestFilter.doFilter(AgentRequestFilter.java:124)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at
org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
at
org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769)
at
org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698)
at
org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891)
at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
at java.lang.Thread.run(Thread.java:722)
###

In the selftests.log in /var/log/pki-ca :
###
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem:
Initializing self test plugins:
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem:
loading all self test plugin logger parameters
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem:
loading all self test plugin instances
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem:
loading all self test plugin instance parameters
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem:
loading self test plugins in on-demand order
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem:
loading self test plugins in startup order
24196.main - [27/May/2016:10:50:27 CEST] [20] [1] SelfTestSubsystem: Self
test plugins have been successfully loaded!
24196.main - [27/May/2016:10:50:28 CEST] [20] [1] SelfTestSubsystem:
Running self test plugins specified to be executed at startup:
24196.main - [27/May/2016:10:50:28 CEST] [20] [1] CAPresence:  CA is present
24196.main - [27/May/2016:10:50:28 CEST] [20] [1] SystemCertsVerification:
system certs verification failure
24196.main - [27/May/2016:10:50:28 CEST] [20] [1] SelfTestSubsystem: The
CRITICAL self test plugin called selftests.container.instance.SystemC
ertsVerification running at startup FAILED!
###

But nothing else.

Best regards.

Bahan

On Wed, Sep 14, 2016 at 7:27 PM, bahan w  wrote:

> I tried also the following commands :
> ###
> # ipa cert-show 1
> ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (Not Found)
>
> # service ipa status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
> ###
>
> I'm checking the /var/log/pki-ca logs to see if I find something.
>
> Best regards.
>
> Bahan
>
> On Wed, Sep 14, 2016 at 7:02 PM, bahan w  wrote:
>
>> Sorry Martin,
>>
>> This is not the first time I forgot to add back freeipa users.
>> I have problems with gmail, again sorry.
>>
>> Indeed I figured out that I had to restart the ipa server.
>> So I tried to restart ipa server.
>> But it was not working yet.
>>
>> So I thought it was maybe due to the configuration I performed in the
>> nss.conf.
>> So I rolled back this conf and restarted ipa-server.
>> Then I retried your commands but it is still the same error.
>>
>> ###
>> Request ID '20140528064145':
>> status: CA_UNREACHABLE
>> ca-error: Server failed request, will retry: 4301 (RPC failed at
>> server.  Certificate operation cannot be completed: Unable to communicate
>> with CMS (Not Found)).
>> stuck: yes
>> key pair storage: type=NSSDB,location='/etc/http
>> d/alias',nickname='Server-Cert',token='NSS Certificate
>> DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate: 

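The two log excerpts above can be checked mechanically. The block below is an added example, not code from this thread or from Dogtag/FreeIPA; it parses constructed sample lines in the selftests.log format quoted here, extracts the CRITICAL plugin the SelfTestSubsystem reported as FAILED, and counts the "CS server is not ready to serve" servlet errors in catalina.out:

```python
"""Scan pki-ca selftests.log and Tomcat catalina.out for the CA start-up
self-test failure shown in this thread."""
import re

# Constructed sample lines modelled on the excerpts quoted above (pid, times
# and the servlet name follow the quoted format; they are not live data).
SELFTESTS_LOG = """\
24196.main - [27/May/2016:10:50:28 CEST] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
24196.main - [27/May/2016:10:50:28 CEST] [20] [1] CAPresence:  CA is present
24196.main - [27/May/2016:10:50:28 CEST] [20] [1] SystemCertsVerification: system certs verification failure
24196.main - [27/May/2016:10:50:28 CEST] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
"""
CATALINA_OUT = """\
May 27, 2016 10:51:35 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet caDisplayBySerial-agent threw exception
java.io.IOException: CS server is not ready to serve.
\tat com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:441)
"""

# "<pid>.<thread> - [<timestamp>] [<level>] [<n>] <Component>: <message>"
SELFTEST_LINE = re.compile(
    r"^(?P<pid>\d+)\.(?P<thread>\S+) - \[(?P<ts>[^\]]+)\] \[\d+\] \[\d+\] "
    r"(?P<component>[^:]+):\s+(?P<message>.*)$")
CRITICAL_FAILED = re.compile(
    r"The CRITICAL self test plugin called (?P<plugin>\S+) running at "
    r"(?P<phase>\S+) FAILED!")
NOT_READY = re.compile(r"CS server is not ready to serve")


def parse_selftests(text):
    """(timestamp, component, message) for every well-formed selftests.log line."""
    records = []
    for line in text.splitlines():
        m = SELFTEST_LINE.match(line)
        if m:
            records.append((m.group("ts"), m.group("component"), m.group("message")))
    return records


def failed_critical_plugins(records):
    """CRITICAL plugins the SelfTestSubsystem reported as FAILED, with phase and time."""
    failures = []
    for ts, component, message in records:
        m = CRITICAL_FAILED.search(message)
        if component == "SelfTestSubsystem" and m:
            failures.append({"plugin": m.group("plugin"),
                             "phase": m.group("phase"), "time": ts})
    return failures


def failing_components(records):
    """Plugins that logged a failure themselves (the SelfTestSubsystem summary
    line is excluded so the list names the plugin, not the reporter)."""
    hits = {c for _, c, msg in records if "fail" in msg.lower()}
    return sorted(hits - {"SelfTestSubsystem"})


def not_ready_errors(catalina_text):
    """Servlet exceptions saying the CA (the CS/CMS server) refused to serve."""
    return sum(1 for line in catalina_text.splitlines() if NOT_READY.search(line))


def diagnose(selftests_text, catalina_text):
    """Correlate the two logs into one finding."""
    records = parse_selftests(selftests_text)
    failures = failed_critical_plugins(records)
    refused = not_ready_errors(catalina_text)
    return {
        "critical_failures": failures,
        "failing_components": failing_components(records),
        "cs_not_ready_errors": refused,
        # Either symptom matches the "Unable to communicate with CMS" error
        # that certmonger reported in this thread.
        "ca_unavailable": bool(failures) or refused > 0,
    }
```
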
Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread bahan w
I tried also the following commands :
###
# ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)

# service ipa status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
###

I'm checking the /var/log/pki-ca logs to see if I find something.

Best regards.

Bahan

On Wed, Sep 14, 2016 at 7:02 PM, bahan w  wrote:

> Sorry Martin,
>
> This is not the first time I forgot to add back freeipa users.
> I have problems with gmail, again sorry.
>
> Indeed I figured out that I had to restart the ipa server.
> So I tried to restart ipa server.
> But it was not working yet.
>
> So I thought it was maybe due to the configuration I performed in the
> nss.conf.
> So I rolled back this conf and restarted ipa-server.
> Then I retried your commands but it is still the same error.
>
> ###
> Request ID '20140528064145':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: 4301 (RPC failed at
> server.  Certificate operation cannot be completed: Unable to communicate
> with CMS (Not Found)).
> stuck: yes
> key pair storage: type=NSSDB,location='/etc/
> httpd/alias',nickname='Server-Cert',token='NSS Certificate
> DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/
> httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=
> subject: CN=,O=
> expires: 2016-05-28 06:41:44 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
> ###
>
> Do you know what the CMS is?
> ###
> (RPC failed at server.  Certificate operation cannot be completed: Unable
> to communicate with CMS (Not Found)).
> ###
>
> Best regards.
>
> Bahan
>
>
>
>
>
> On Wed, Sep 14, 2016 at 6:46 PM, Martin Basti  wrote:
>
>> Did you restart IPA when you moved the time? Is there a more detailed error
>> description in the output of getcert list?
>>
>> On 14.09.2016 18:45, bahan w wrote:
>>
>> I set the date-time when the certificates were valid :
>> ###
>> # date -s '2016-05-27 10:00:00'
>> Fri May 27 10:00:00 CEST 2016
>>
>> # date
>> Fri May 27 10:00:02 CEST 2016
>> ###
>>
>> Then I try to renew them :
>> ###
>> # getcert resubmit -i 20140528063919
>> Resubmitting "20140528063919" to "IPA".
>>
>> # getcert resubmit -i 20140528064145
>> Resubmitting "20140528064145" to "IPA".
>>
>> # getcert resubmit -i 20140528063953
>> Resubmitting "20140528063953" to "IPA".
>> ###
>>
>> But when I do the getcert list after, the result is the same.
>>
>> I guess it is because of this ?
>> CA_UNREACHABLE
>>
>> Any idea ?
>>
>> Best regards.
>>
>> Bahan
>>
>> On Wed, Sep 14, 2016 at 6:38 PM, bahan w  wrote:
>>
>>> Ok, I managed to restart the IPA service by adding this line in the file
>>> /etc/httpd/conf.d/nss.conf :
>>> ###
>>> NSSEnforceValidCerts off
>>> ###
>>>
>>> But when I do the getcert now I got the following result :
>>>
>>> ###
>>> # getcert list
>>> Number of certificates and requests being tracked: 8.
>>> Request ID '20140528063903':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/var/lib/
>>> pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
>>> Certificate DB',pin='159203530658'
>>> certificate: type=NSSDB,location='/var/lib/
>>> pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
>>> Certificate DB'
>>> CA: dogtag-ipa-renew-agent
>>> issuer: CN=Certificate Authority,O=
>>> subject: CN=CA Audit,O=
>>> expires: 2018-04-09 11:39:16 UTC
>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>> "auditSigningCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20140528063904':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/var/lib/
>>> pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
>>> Certificate DB',pin='159203530658'
>>> certificate: type=NSSDB,location='/var/lib/
>>> pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
>>> Certificate DB'
>>> CA: dogtag-ipa-renew-agent
>>> issuer: CN=Certificate Authority,O=
>>> subject: CN=OCSP Subsystem,O=
>>> expires: 2018-04-09 11:38:16 UTC
>>> eku: id-kp-OCSPSigning
>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>> "ocspSigningCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20140528063905':
>>> status: 

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread bahan w
Sorry Martin,

This is not the first time I forgot to add back freeipa users.
I have problems with gmail, again sorry.

Indeed I figured out that I had to restart the ipa server.
So I tried to restart ipa server.
But it was not working yet.

So I thought it was maybe due to the configuration I performed in the
nss.conf.
So I rolled back this conf and restarted ipa-server.
Then I retried your commands but it is still the same error.

###
Request ID '20140528064145':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at
server.  Certificate operation cannot be completed: Unable to communicate
with CMS (Not Found)).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=
subject: CN=,O=
expires: 2016-05-28 06:41:44 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
###

Do you know what the CMS is?
###
(RPC failed at server.  Certificate operation cannot be completed: Unable
to communicate with CMS (Not Found)).
###

Best regards.

Bahan





On Wed, Sep 14, 2016 at 6:46 PM, Martin Basti  wrote:

> Did you restart IPA when you moved the time? Is there a more detailed error
> description in the output of getcert list?
>
> On 14.09.2016 18:45, bahan w wrote:
>
> I set the date-time when the certificates were valid :
> ###
> # date -s '2016-05-27 10:00:00'
> Fri May 27 10:00:00 CEST 2016
>
> # date
> Fri May 27 10:00:02 CEST 2016
> ###
>
> Then I try to renew them :
> ###
> # getcert resubmit -i 20140528063919
> Resubmitting "20140528063919" to "IPA".
>
> # getcert resubmit -i 20140528064145
> Resubmitting "20140528064145" to "IPA".
>
> # getcert resubmit -i 20140528063953
> Resubmitting "20140528063953" to "IPA".
> ###
>
> But when I do the getcert list after, the result is the same.
>
> I guess it is because of this ?
> CA_UNREACHABLE
>
> Any idea ?
>
> Best regards.
>
> Bahan
>
> On Wed, Sep 14, 2016 at 6:38 PM, bahan w  wrote:
>
>> Ok, I managed to restart the IPA service by adding this line in the file
>> /etc/httpd/conf.d/nss.conf :
>> ###
>> NSSEnforceValidCerts off
>> ###
>>
>> But when I do the getcert now I got the following result :
>>
>> ###
>> # getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20140528063903':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
>> Certificate DB',pin='159203530658'
>> certificate: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
>> Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=
>> subject: CN=CA Audit,O=
>> expires: 2018-04-09 11:39:16 UTC
>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> "auditSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20140528063904':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
>> Certificate DB',pin='159203530658'
>> certificate: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
>> Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=
>> subject: CN=OCSP Subsystem,O=
>> expires: 2018-04-09 11:38:16 UTC
>> eku: id-kp-OCSPSigning
>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> "ocspSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20140528063905':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS
>> Certificate DB',pin='159203530658'
>> certificate: type=NSSDB,location='/var/lib/
>> pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS
>> Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=
>> subject: CN=CA Subsystem,O=
>> expires: 2018-04-09 11:38:16 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> post-save command: 

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread Martin Basti

Please keep freeipa-users in CC, I'm quite lost here

ca-error: Server failed request, will retry: -504 (libcurl failed to 
execute the HTTP POST transaction.  Peer certificate cannot be 
authenticated with known CA certificates).


I'm not sure what this means, but if this is caused by an invalid httpd 
certificate, the solution might be to set the time to a week before 2016-05-28, 
restart IPA and try to renew the certs again



Martin^2


On 14.09.2016 18:38, bahan w wrote:
Ok, I managed to restart the IPA service by adding this line in the 
file /etc/httpd/conf.d/nss.conf :

###
NSSEnforceValidCerts off
###

But when I do the getcert now I got the following result :
###
# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20140528063903':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
certificate: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB'

CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=
subject: CN=CA Audit,O=
expires: 2018-04-09 11:39:16 UTC
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert 
"auditSigningCert cert-pki-ca"

track: yes
auto-renew: yes
Request ID '20140528063904':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
certificate: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert 
cert-pki-ca',token='NSS Certificate DB'

CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=
subject: CN=OCSP Subsystem,O=
expires: 2018-04-09 11:38:16 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert 
"ocspSigningCert cert-pki-ca"

track: yes
auto-renew: yes
Request ID '20140528063905':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
certificate: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB'

CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=
subject: CN=CA Subsystem,O=
expires: 2018-04-09 11:38:16 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert 
"subsystemCert cert-pki-ca"

track: yes
auto-renew: yes
Request ID '20140528063906':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
Certificate DB'

CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=
subject: CN=IPA RA,O=
expires: 2018-04-09 11:38:16 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20140528063907':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert 
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
certificate: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert 
cert-pki-ca',token='NSS Certificate DB'

CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=
subject: CN=,O=
expires: 2018-04-09 11:38:16 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20140528063919':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl 
failed to execute the HTTP POST transaction. Peer certificate cannot 
be authenticated with known CA certificates).

stuck: yes
key pair storage: 
type=NSSDB,location='/etc/dirsrv/slapd-',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/dirsrv/slapd-/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/dirsrv/slapd-',nickname='Server-Cert',token='NSS 
Certificate DB'

CA: IPA
issuer: CN=Certificate Authority,O=
subject: CN=,O=
expires: 2016-05-28 06:39:18 UTC
eku: 

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread Martin Basti
Did you restart IPA when you moved the time? Is there a more detailed 
error description in the output of getcert list?



On 14.09.2016 18:45, bahan w wrote:

I set the date-time when the certificates were valid :
###
# date -s '2016-05-27 10:00:00'
Fri May 27 10:00:00 CEST 2016

# date
Fri May 27 10:00:02 CEST 2016
###

Then I try to renew them :
###
# getcert resubmit -i 20140528063919
Resubmitting "20140528063919" to "IPA".

# getcert resubmit -i 20140528064145
Resubmitting "20140528064145" to "IPA".

# getcert resubmit -i 20140528063953
Resubmitting "20140528063953" to "IPA".
###

But when I do the getcert list after, the result is the same.

I guess it is because of this ?
CA_UNREACHABLE

Any idea ?

Best regards.

Bahan

On Wed, Sep 14, 2016 at 6:38 PM, bahan w wrote:


Ok, I managed to restart the IPA service by adding this line in
the file /etc/httpd/conf.d/nss.conf :
###
NSSEnforceValidCerts off
###

But when I do the getcert now I got the following result :

###
# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20140528063903':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=
subject: CN=CA Audit,O=
expires: 2018-04-09 11:39:16 UTC
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20140528063904':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=
subject: CN=OCSP Subsystem,O=
expires: 2018-04-09 11:38:16 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20140528063905':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=
subject: CN=CA Subsystem,O=
expires: 2018-04-09 11:38:16 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20140528063906':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=
subject: CN=IPA RA,O=
expires: 2018-04-09 11:38:16 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20140528063907':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=
subject: CN=,O=
expires: 2018-04-09 11:38:16 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
  

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread bahan w
I set the date-time when the certificates were valid :
###
# date -s '2016-05-27 10:00:00'
Fri May 27 10:00:00 CEST 2016

# date
Fri May 27 10:00:02 CEST 2016
###

Then I try to renew them :
###
# getcert resubmit -i 20140528063919
Resubmitting "20140528063919" to "IPA".

# getcert resubmit -i 20140528064145
Resubmitting "20140528064145" to "IPA".

# getcert resubmit -i 20140528063953
Resubmitting "20140528063953" to "IPA".
###

But when I do the getcert list after, the result is the same.

I guess it is because of this ?
CA_UNREACHABLE

Any idea ?

Best regards.

Bahan

On Wed, Sep 14, 2016 at 6:38 PM, bahan w  wrote:

> Ok, I managed to restart the IPA service by adding this line in the file
> /etc/httpd/conf.d/nss.conf :
> ###
> NSSEnforceValidCerts off
> ###
>
> But when I do the getcert now I got the following result :
>
> ###
> # getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20140528063903':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
> Certificate DB',pin='159203530658'
> certificate: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS
> Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=
> subject: CN=CA Audit,O=
> expires: 2018-04-09 11:39:16 UTC
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20140528063904':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
> Certificate DB',pin='159203530658'
> certificate: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS
> Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=
> subject: CN=OCSP Subsystem,O=
> expires: 2018-04-09 11:38:16 UTC
> eku: id-kp-OCSPSigning
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "ocspSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20140528063905':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate
> DB',pin='159203530658'
> certificate: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate
> DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=
> subject: CN=CA Subsystem,O=
> expires: 2018-04-09 11:38:16 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "subsystemCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20140528063906':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/
> httpd/alias',nickname='ipaCert',token='NSS Certificate
> DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: 
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=
> subject: CN=IPA RA,O=
> expires: 2018-04-09 11:38:16 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> track: yes
> auto-renew: yes
> Request ID '20140528063907':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate
> DB',pin='159203530658'
> certificate: type=NSSDB,location='/var/lib/
> pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate
> DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=
> subject: CN=,O=
> expires: 2018-04-09 11:38:16 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20140528063919':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: -504 (libcurl failed
> to execute the HTTP POST transaction.  Peer certificate cannot be
> authenticated with known CA certificates).
> stuck: yes
> key pair storage: type=NSSDB,location='/etc/

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread Martin Basti


Please keep freeipa-users in CC, there is no sensitive information in 
getcert list output (you sanitized it)



Following certificates are expired, please try to resubmit them. I'm 
also worried about this error message: ca-error: Error setting up ccache 
for local "host" service using default keytab: Cannot contact any KDC 
for realm ''.


is KDC running?



Request ID '20140528063919':
status: MONITORING
ca-error: Error setting up ccache for local "host" service 
using default keytab: Cannot contact any KDC for realm ''.

stuck: no
key pair storage: 
type=NSSDB,location='/etc/dirsrv/slapd-',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/dirsrv/slapd-/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/dirsrv/slapd-',nickname='Server-Cert',token='NSS 
Certificate DB'

CA: IPA
issuer: CN=Certificate Authority,O=
subject: CN=,O=
expires: 2016-05-28 06:39:18 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv 


track: yes
auto-renew: yes
Request ID '20140528063953':
status: MONITORING
ca-error: Error setting up ccache for local "host" service 
using default keytab: Cannot contact any KDC for realm ''.

stuck: no
key pair storage: 
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS 
Certificate DB'

CA: IPA
issuer: CN=Certificate Authority,O=
subject: CN=,O=
expires: 2016-05-28 06:39:52 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv 
PKI-IPA

track: yes
auto-renew: yes
Request ID '20140528064145':
status: MONITORING
ca-error: Error setting up ccache for local "host" service 
using default keytab: Cannot contact any KDC for realm ''.

stuck: no
key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB'

CA: IPA
issuer: CN=Certificate Authority,O=
subject: CN=,O=
expires: 2016-05-28 06:41:44 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread Martin Basti


Then you have to start services manually, I don't know if the same steps 
will work with IPA 3.0.0, I don't remember, but you can try :)



On 14.09.2016 18:18, bahan w wrote:

Oh I forgot to add that my version of ipa is quite old :
###
# rpm -qa | grep ipa-server
ipa-server-3.0.0-25.el6.x86_64
###

When I try the command you gave me I got the following error :
###
# ipactl start --force
Usage: ipactl start|stop|restart|status


ipactl: error: no such option: --force
###

Best regards.

Bahan

On Wed, Sep 14, 2016 at 6:14 PM, Martin Basti wrote:




On 14.09.2016 17:59, bahan w wrote:

Hello !

I am sending you this mail because I cannot restart my test IPA server.

When I try to start it with service ipa start, I got the
following error message :
###
# service ipa start
Starting Directory Service
Starting dirsrv:
...[14/Sep/2016:17:57:23 +0200] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert
Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
Portable Runtime error -8181 - Peer's Certificate has expired.)
[  OK  ]
PKI-IPA...[14/Sep/2016:17:57:33 +0200] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert
Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
Portable Runtime error -8181 - Peer's Certificate has expired.)
[  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:  [ OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:[  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached: [  OK  ]
Starting HTTP Service
Starting httpd: [FAILED]
Failed to start HTTP Service
Shutting down
Stopping Kerberos 5 KDC:  [ OK  ]
Stopping Kerberos 5 Admin Server:[  OK  ]
Stopping ipa_memcached: [  OK  ]
Stopping httpd: [FAILED]
Stopping pki-ca: [  OK  ]
Shutting down dirsrv:
... [  OK  ]
PKI-IPA... [  OK  ]
Aborting ipactl

# service ipa status
Directory Service: STOPPED
Failed to get list of services to probe status:
Directory Server is stopped
###

Do you know how to renew the SSL certificate used for the IPA
Server?

Best regards.

Bahan






Hello,

please run

# ipactl start --force
# getcert list (to detect which certificate is outdated, I suspect
DS cert (or to get more info why it has not been renewed))

If getcert does work (I'm not sure if it is able to work without
httpd), you probably need to move time back to the past where the cert is
valid, start IPA and try again.

Please find the ID of the outdated certificate and try to resubmit it (CA and DS
must be running)

# getcert resubmit -i 20160914122036 (use your ID :) )

This should renew cert, check status with getcert list

Move time back to future (if needed)

Try to restart IPA

Martin^2





Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread bahan w
Oh, I forgot to add that my version of ipa is quite old:
###
# rpm -qa | grep ipa-server
ipa-server-3.0.0-25.el6.x86_64
###

When I try the command you gave me, I get the following error:
###
# ipactl start --force
Usage: ipactl start|stop|restart|status


ipactl: error: no such option: --force
###

Best regards.

Bahan

On Wed, Sep 14, 2016 at 6:14 PM, Martin Basti wrote:

>
>
> On 14.09.2016 17:59, bahan w wrote:
>
> Hello!
>
> I send you this mail because I cannot restart my test IPA server.
>
> When I try to start it with service ipa start, I get the following error
> message:
> ###
> # service ipa start
> Starting Directory Service
> Starting dirsrv:
> ...[14/Sep/2016:17:57:23 +0200] - SSL alert:
> CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
> of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
> -8181 - Peer's Certificate has expired.)
>[  OK  ]
> PKI-IPA...[14/Sep/2016:17:57:33 +0200] - SSL alert:
> CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
> of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
> -8181 - Peer's Certificate has expired.)
>[  OK  ]
> Starting KDC Service
> Starting Kerberos 5 KDC:   [  OK  ]
> Starting KPASSWD Service
> Starting Kerberos 5 Admin Server:  [  OK  ]
> Starting MEMCACHE Service
> Starting ipa_memcached:[  OK  ]
> Starting HTTP Service
> Starting httpd:[FAILED]
> Failed to start HTTP Service
> Shutting down
> Stopping Kerberos 5 KDC:   [  OK  ]
> Stopping Kerberos 5 Admin Server:  [  OK  ]
> Stopping ipa_memcached:[  OK  ]
> Stopping httpd:[FAILED]
> Stopping pki-ca:   [  OK  ]
> Shutting down dirsrv:
> ...[  OK  ]
> PKI-IPA... [  OK  ]
> Aborting ipactl
>
> # service ipa status
> Directory Service: STOPPED
> Failed to get list of services to probe status:
> Directory Server is stopped
> ###
>
> Do you know how to renew the SSL certificate used for the IPA Server?
>
> Best regards.
>
> Bahan
>
>
>
>
>
> Hello,
>
> please run
>
> # ipactl start --force
> # getcert list (to detect which certificate is outdated, I suspect DS cert
> (or to get more info why it has not been renewed))
>
> If getcert does work (I'm not sure if it is able to work without httpd),
> you probably need to move time back to the past where the cert is valid, start IPA
> and try again.
>
> Please find the ID of the outdated certificate and try to resubmit it (CA and DS must be
> running)
>
> # getcert resubmit -i 20160914122036 (use your ID :) )
>
> This should renew cert, check status with getcert list
>
> Move time back to future (if needed)
>
> Try to restart IPA
>
> Martin^2
>

Re: [Freeipa-users] SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family

2016-09-14 Thread Martin Basti



On 14.09.2016 17:59, bahan w wrote:

Hello!

I send you this mail because I cannot restart my test IPA server.

When I try to start it with service ipa start, I get the following 
error message:

###
# service ipa start
Starting Directory Service
Starting dirsrv:
...[14/Sep/2016:17:57:23 +0200] - SSL alert: 
CERT_VerifyCertificateNow: verify certificate failed for cert 
Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape 
Portable Runtime error -8181 - Peer's Certificate has expired.)

[  OK  ]
PKI-IPA...[14/Sep/2016:17:57:33 +0200] - SSL alert: 
CERT_VerifyCertificateNow: verify certificate failed for cert 
Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape 
Portable Runtime error -8181 - Peer's Certificate has expired.)

[  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC: [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server: [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached: [  OK  ]
Starting HTTP Service
Starting httpd: [FAILED]
Failed to start HTTP Service
Shutting down
Stopping Kerberos 5 KDC: [  OK  ]
Stopping Kerberos 5 Admin Server: [  OK  ]
Stopping ipa_memcached: [  OK  ]
Stopping httpd: [FAILED]
Stopping pki-ca: [  OK  ]
Shutting down dirsrv:
...[ OK  ]
PKI-IPA... [  OK  ]
Aborting ipactl

# service ipa status
Directory Service: STOPPED
Failed to get list of services to probe status:
Directory Server is stopped
###

Do you know how to renew the SSL certificate used for the IPA Server?

Best regards.

Bahan






Hello,

please run

# ipactl start --force
# getcert list (to detect which certificate is outdated, I suspect DS 
cert (or to get more info why it has not been renewed))


If getcert does work (I'm not sure if it is able to work without httpd), 
you probably need to move time back to the past where the cert is valid, start 
IPA and try again.


Please find the ID of the outdated certificate and try to resubmit it (CA and DS must 
be running)


# getcert resubmit -i 20160914122036 (use your ID :) )

This should renew cert, check status with getcert list

Move time back to future (if needed)

Try to restart IPA

Martin^2
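A defender-side check for the step Martin describes (finding which tracked certificate is outdated and why certmonger did not renew it), added here as an example that is not code from the thread, FreeIPA or certmonger: it parses `getcert list` output from stdin and reports every tracking request whose certificate is already expired, or expires on or before a cutoff, together with its certmonger status and any ca-error line. The sample `getcert list` text, request IDs, paths and hostnames below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not FreeIPA/certmonger code): list certmonger tracking
# requests whose certificate is expired as of a cutoff timestamp.
# getcert prints expiry as "YYYY-MM-DD HH:MM:SS UTC", so plain string
# comparison orders timestamps correctly and no GNU date parsing is needed.
# Output columns: request-id, expiry, status, ca-error (or "-").
expiring_cert_ids() {
  cutoff="$1"   # "YYYY-MM-DD HH:MM:SS", compared as UTC
  awk -v cutoff="$cutoff" '
    function flush() {
      if (id != "" && expires <= cutoff)
        print id, expires, status, (caerr == "" ? "-" : caerr)
      id = ""; status = ""; expires = ""; caerr = ""
    }
    # "Request ID '"'"'<id>'"'"':" starts a new block; strip quotes and colon
    /^Request ID/      { flush(); id = $3; gsub("[\047:]", "", id); next }
    /^[ \t]*status:/   { status = $2 }
    /^[ \t]*expires:/  { expires = $2 " " $3 }
    /^[ \t]*ca-error:/ { sub(/^[ \t]*ca-error:[ \t]*/, ""); caerr = $0 }
    END                { flush() }
  '
}

# Constructed sample in the layout getcert list uses (IDs/names made up).
sample_getcert_list() {
  cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20160101000001':
    status: MONITORING
    stuck: yes
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    expires: 2016-05-28 06:41:44 UTC
    ca-error: Server at https://ipa.example.com/ipa/xml failed request, will retry: 4301 (CS server is not ready to serve).
    track: yes
    auto-renew: yes
Request ID '20160101000002':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    expires: 2018-01-01 00:00:00 UTC
    track: yes
    auto-renew: yes
EOF
}

# As of the thread's date (2016-09-14) only the DS cert is expired.
expired_on_thread_date() {
  sample_getcert_list | expiring_cert_ids "2016-09-14 16:00:00"
}
```

The ca-error column is what tells you why auto-renewal failed; a cert that is expired while the CA it renews against is also down (as in this thread, where pki-ca's own Server-Cert had expired) will keep failing until the CA is brought up first.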