[Freeipa-users] Expired SSL certificate issue with IPA
Rob Crittenden
rcritten at redhat.com
Thu Jan 5 16:59:19 UTC 2012
nasir nasir wrote:
> Thanks for the input Rob,
>
> Please find below the /var/log/httpd/error_log
>
> [Thu Jan 05 19:50:46 2012] [error] Certificate not verified: 'Server-Cert'
> [Thu Jan 05 19:50:46 2012] [error] SSL Library Error: -8181 Certificate has expired
> [Thu Jan 05 19:50:46 2012] [error] Certificate not verified: 'Server-Cert'
> [Thu Jan 05 19:50:46 2012] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
>
> Do I need to add "NSSEnforceValidCerts off" in
> /etc/httpd/conf.d/nss.conf? Please advise.
>
That explains why certmonger can't connect. Yes, for now add that
directive and restart httpd. Then try the start-tracking again and see
if it renews the cert.
rob
> Nidal.
>
>
> --- On Thu, 1/5/12, Rob Crittenden <rcritten at redhat.com> wrote:
>
>
> From: Rob Crittenden <rcritten at redhat.com>
> Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
> To: "nasir nasir" <kollathodi at yahoo.com>
> Cc: freeipa-users at redhat.com, fasilkaks at gmail.com
> Date: Thursday, January 5, 2012, 7:38 AM
>
> nasir nasir wrote:
> > Thanks for the reply Rob.
> >
> > Please find below the output of your guidelines.
> >
> > # ipa-getkeytab -s xxxxxxx.xxxxxxx.com -p host/xxxxxx.xxxxxx.com -k /etc/krb5.keytab
> > (the command was successful; it didn't show any errors in the krb5kdc.log or audit.log)
> >
> > # kinit -kt /etc/krb5.keytab host/xxxxxx.xxxxxx.com
> >
> > krb5kdc.log
> > -----------------
> > Jan 05 15:20:32 xxxxxx.xxxxxx.com krb5kdc[2431](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH: host/xxxxxx.xxxxxx.com at xxxxxx.COM for krbtgt/xxxxxx.COM at xxxxxx.COM, Additional pre-authentication required
> > Jan 05 15:20:32 xxxxxx.xxxxxx.com krb5kdc[2427](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: ISSUE: authtime 1325766032, etypes {rep=18 tkt=18 ses=18}, host/xxxxxx.xxxxxx.com at xxxxxx.COM for krbtgt/xxxxxx.COM at xxxxxx.COM
> >
> > # ipa-getcert list
> > Number of certificates and requests being tracked: 3.
> > Request ID '20110619112648':
> > status: CA_UNREACHABLE
> > ca-error: Server failed request, will retry: -504 (libcurl failed to
> > execute the HTTP POST transaction. SSL connect error).
> > stuck: yes
> > key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-xxxxxx-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-xxxxxx-COM//pwdfile.txt'
> > certificate: type=NSSDB,location='/etc/dirsrv/slapd-xxxxxx-COM',nickname='Server-Cert',token='NSS Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=xxxxxx.COM
> > subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
> > expires: 20111216112647
> > eku: id-kp-serverAuth
> > track: yes
> > auto-renew: yes
> > Request ID '20110619112705':
> > status: CA_UNREACHABLE
> > ca-error: Server failed request, will retry: -504 (libcurl failed to
> > execute the HTTP POST transaction. SSL connect error).
> > stuck: yes
> > key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> > certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=xxxxxx.COM
> > subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
> > expires: 20111216112704
> > eku: id-kp-serverAuth
> > track: yes
> > auto-renew: yes
> > Request ID '20110619112721':
> > status: CA_UNREACHABLE
> > ca-error: Server failed request, will retry: -504 (libcurl failed to
> > execute the HTTP POST transaction. SSL connect error).
> > stuck: yes
> > key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=xxxxxx.COM
> > subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
> > expires: 20111216112720
> > eku: id-kp-serverAuth
> > track: yes
> > auto-renew: yes
> >
> > # ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert
> > Request "20110619112721" modified.
> >
> > # ipa-getcert list
> > Number of certificates and requests being tracked: 3.
> > Request ID '20110619112648':
> > status: CA_UNREACHABLE
> > ca-error: Server failed request, will retry: -504 (libcurl failed to
> > execute the HTTP POST transaction. SSL connect error).
> > stuck: yes
> > key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-HUGAYET-COM//pwdfile.txt'
> > certificate: type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=HUGAYET.COM
> > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
> > expires: 20111216112647
> > eku: id-kp-serverAuth
> > track: yes
> > auto-renew: yes
> > Request ID '20110619112705':
> > status: CA_UNREACHABLE
> > ca-error: Server failed request, will retry: -504 (libcurl failed to
> > execute the HTTP POST transaction. SSL connect error).
> > stuck: yes
> > key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> > certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=HUGAYET.COM
> > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
> > expires: 20111216112704
> > eku: id-kp-serverAuth
> > track: yes
> > auto-renew: yes
> > Request ID '20110619112721':
> > status: SUBMITTING
> > stuck: no
> > key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=HUGAYET.COM
> > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
> > expires: 20111216112720
> > eku: id-kp-serverAuth
> > track: yes
> > auto-renew: yes
> >
> > and after a few minutes, the status 'SUBMITTING' will be changed to
> > 'CA_UNREACHABLE'.
> > Do we need to restart the /etc/init.d/ipa service for this? I am
> > working remotely.
>
> It isn't logging enough information to know why it failed. Can you look
> in the Apache error log to see why the request failed?
>
> My first thought was that there was a CA trust issue. I believe that
> certmonger uses the NSS database where the certificate is stored, and
> since it is also doing this against Apache (which in theory must trust
> it, or it would not start at all), I'm baffled. Hopefully the httpd
> logs will be enlightening.
>
> >
> > I need to upgrade my IPA version. Before going for this I need to
> have a
> > replica of the existing one. Is it okay to have the replica while all
> > these issues exist?
>
>
> Yes, you should be able to create a replica, this shouldn't affect it.
>
> rob
>
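As an added example that is not part of this thread, of certmonger or of FreeIPA: a small parser for the `ipa-getcert list` output quoted above that separates the three things visible in that listing (certificates that have already expired, ones about to expire, and requests certmonger has marked stuck). The listing embedded below is constructed in the thread's format with invented hostnames, and the code assumes the `expires:` stamp is YYYYMMDDHHMMSS in UTC, as it appears above.

```python
"""Triage `ipa-getcert list` output: flag expired, expiring and stuck requests.

Added example for this thread, not certmonger or FreeIPA code. Assumes the
`expires:` field is YYYYMMDDHHMMSS in UTC; the sample listing is constructed.
"""
from datetime import datetime
import re

# Constructed sample in the format quoted in the thread (hostnames invented).
# Fields not needed for triage (eku, track, auto-renew, issuer) are left out.
SAMPLE_LISTING = """\
Number of certificates and requests being tracked: 3.
Request ID '20110619112648':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  SSL connect error).
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 20111216112647
Request ID '20110619112705':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 20120120112704
Request ID '20110619112721':
\tstatus: SUBMITTING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 20111216112720
"""

REQUEST_HEADER = re.compile(r"Request ID '([^']+)':")
LOCATION = re.compile(r"location='([^']+)'")


def parse_getcert_list(text):
    """Return one dict per request: its ID plus every 'key: value' line under it."""
    requests = []
    current = None
    for line in text.splitlines():
        header = REQUEST_HEADER.match(line)
        if header:
            current = {"request_id": header.group(1)}
            requests.append(current)
            continue
        if current is None or ": " not in line:
            continue  # the "Number of certificates ..." banner and blank lines
        # Split on the first ': ' only; ca-error values contain further colons.
        key, _, value = line.strip().partition(": ")
        current[key] = value
    return requests


def parse_stamp(stamp):
    """certmonger's expiry stamp is YYYYMMDDHHMMSS; treated as UTC here (assumption)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S")


def nssdb_location(request):
    """The NSS database the certificate lives in, falling back to the request ID."""
    match = LOCATION.search(request.get("certificate", ""))
    return match.group(1) if match else request["request_id"]


def triage(requests, now, warn_days=30):
    """Bucket requests by what an operator has to act on.

    expired:  validity already ended, so mod_nss/dirsrv will refuse the cert
    expiring: ends within warn_days, renewal should already be under way
    stuck:    certmonger will not retry on its own; needs start-tracking or
              `getcert resubmit` as in the thread
    """
    report = {"expired": [], "expiring": [], "stuck": []}
    for request in requests:
        where = nssdb_location(request)
        if "expires" in request:
            remaining = parse_stamp(request["expires"]) - now
            if remaining.total_seconds() <= 0:
                report["expired"].append(where)
            elif remaining.days < warn_days:
                report["expiring"].append(where)
        if request.get("stuck") == "yes":
            report["stuck"].append(where)
    return report


def triage_listing(text, now_stamp, warn_days=30):
    """Convenience wrapper: raw `ipa-getcert list` text plus a YYYYMMDDHHMMSS 'now'."""
    return triage(parse_getcert_list(text), parse_stamp(now_stamp), warn_days)


if __name__ == "__main__":
    # The reply in the thread is dated 2012-01-05 16:59:19 UTC; use that as "now".
    findings = triage_listing(SAMPLE_LISTING, "20120105165919")
    for bucket, locations in findings.items():
        print(f"{bucket:9s} {', '.join(locations) or '-'}")
```

Feeding the real command's output to `triage_listing` gives the same three buckets for a live server. On the workaround itself: `NSSEnforceValidCerts off` lets httpd start with an invalid Server-Cert, which is what lets certmonger reach the CA again; once the renewal has gone through, remove the directive so mod_nss again refuses to start on an expired or unverifiable certificate.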