[Freeipa-users] Expired SSL certificate issue with IPA

Rob Crittenden rcritten at redhat.com
Thu Jan 5 22:21:40 UTC 2012


nasir nasir wrote:
> Hi Rob,
>
> Added the directive "NSSEnforceValidCerts off" in
> /etc/httpd/conf.d/nss.conf and restarted httpd. Please find the
> /var/log/httpd/error_log
>
> [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
> KeyError(-1215723696,) in <module 'threading' from
> '/usr/lib/python2.6/threading.pyc'> ignored
> [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
> KeyError(-1215723696,) in <module 'threading' from
> '/usr/lib/python2.6/threading.pyc'> ignored
> [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
> KeyError(-1215723696,) in <module 'threading' from
> '/usr/lib/python2.6/threading.pyc'> ignored
> [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
> KeyError(-1215723696,) in <module 'threading' from
> '/usr/lib/python2.6/threading.pyc'> ignored
> [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
> KeyError(-1215723696,) in <module 'threading' from
> '/usr/lib/python2.6/threading.pyc'> ignored
> [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
> KeyError(-1215723696,) in <module 'threading' from
> '/usr/lib/python2.6/threading.pyc'> ignored
> [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
> KeyError(-1215723696,) in <module 'threading' from
> '/usr/lib/python2.6/threading.pyc'> ignored
> [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
> KeyError(-1215723696,) in <module 'threading' from
> '/usr/lib/python2.6/threading.pyc'> ignored
> [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
> KeyError(-1215723696,) in <module 'threading' from
> '/usr/lib/python2.6/threading.pyc'> ignored
> [Fri Jan 06 01:06:29 2012] [error] Exception KeyError:
> KeyError(-1215723696,) in <module 'threading' from
> '/usr/lib/python2.6/threading.pyc'> ignored
> [Fri Jan 06 01:06:29 2012] [notice] caught SIGTERM, shutting down
> [Fri Jan 06 01:06:29 2012] [notice] suEXEC mechanism enabled (wrapper:
> /usr/sbin/suexec)
> [Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
> [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate
> has expired
> [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired:
> 'Server-Cert'
> [Fri Jan 06 01:06:30 2012] [notice] Digest: generating secret for digest
> authentication ...
> [Fri Jan 06 01:06:30 2012] [notice] Digest: done
> [Fri Jan 06 01:06:30 2012] [warn] mod_wsgi: Compiled for Python/2.6.2.
> [Fri Jan 06 01:06:30 2012] [warn] mod_wsgi: Runtime using Python/2.6.6.
> [Fri Jan 06 01:06:30 2012] [notice] Apache/2.2.15 (Unix) DAV/2
> mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.6.6
> configured -- resuming normal operations
> [Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
> [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate
> has expired
> [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired:
> 'Server-Cert'
> [Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
> [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate
> has expired
> [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired:
> 'Server-Cert'
> [Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
> [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate
> has expired
> [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired:
> 'Server-Cert'
> [Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
> [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate
> has expired
> [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired:
> 'Server-Cert'
> [Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
> [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate
> has expired
> [Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
> [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate
> has expired
> [Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
> [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate
> has expired
> [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired:
> 'Server-Cert'
> [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired:
> 'Server-Cert'
> [Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
> [Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate
> has expired
> [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired:
> 'Server-Cert'
> [Fri Jan 06 01:06:30 2012] [error] Server certificate is expired:
> 'Server-Cert'
> [Fri Jan 06 01:06:32 2012] [error] ipa: INFO: *** PROCESS START ***
> [Fri Jan 06 01:06:32 2012] [error] ipa: INFO: *** PROCESS START ***
>
> # ipa-getcert list
> Number of certificates and requests being tracked: 3.
> Request ID '20110619112648':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: -504 (libcurl failed to
> execute the HTTP POST transaction. SSL connect error).
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-HUGAYET-COM//pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=HUGAYET.COM
> subject: CN=openipa.hugayet.com,O=HUGAYET.COM
> expires: 20111216112647
> eku: id-kp-serverAuth
> track: yes
> auto-renew: yes
> Request ID '20110619112705':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: -504 (libcurl failed to
> execute the HTTP POST transaction. SSL connect error).
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=HUGAYET.COM
> subject: CN=openipa.hugayet.com,O=HUGAYET.COM
> expires: 20111216112704
> eku: id-kp-serverAuth
> track: yes
> auto-renew: yes
> Request ID '20110619112721':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: -504 (libcurl failed to
> execute the HTTP POST transaction. Peer certificate cannot be
> authenticated with known CA certificates).
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=HUGAYET.COM
> subject: CN=openipa.hugayet.com,O=HUGAYET.COM
> expires: 20111216112720
> eku: id-kp-serverAuth
> track: yes
> auto-renew: yes
>
> Do we need to restart /etc/init.d/ipa service for all this to take effect?

No, and be very careful if your 389-ds cert is also expired.

This error really does mean that certmonger doesn't trust the SSL cert 
of your web server. Have you replaced your certs with something else?

Does a simple command like: ipa user-show admin work?

It may fail too due to the expired cert. You may have to turn time back
on this machine, but that won't affect the untrusted CA. From what Nalin
said, certmonger uses /etc/ipa/ca.crt. This needs to match the CA that
issued your Apache cert.

rob

>
> Nidal.
>
>
> --- On *Thu, 1/5/12, Rob Crittenden /<rcritten at redhat.com>/* wrote:
>
>
>     From: Rob Crittenden <rcritten at redhat.com>
>     Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
>     To: "nasir nasir" <kollathodi at yahoo.com>
>     Cc: freeipa-users at redhat.com, fasilkaks at gmail.com
>     Date: Thursday, January 5, 2012, 8:59 AM
>
>     nasir nasir wrote:
>      > Thanks for the input Rob,
>      >
>      > Please find below the /var/log/httpd/error_log
>      >
>      > [Thu Jan 05 19:50:46 2012] [error] Certificate not verified: 'Server-Cert'
>      > [Thu Jan 05 19:50:46 2012] [error] SSL Library Error: -8181 Certificate has expired
>      > [Thu Jan 05 19:50:46 2012] [error] Certificate not verified: 'Server-Cert'
>      > [Thu Jan 05 19:50:46 2012] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
>      >
>      > Do I need to add "NSSEnforceValidCerts off" in
>      > /etc/httpd/conf.d/nss.conf? Please advise.
>      >
>
>     That explains why certmonger can't connect. Yes, for now add that
>     directive and restart httpd. Then try the start-tracking again and see
>     if it renews the cert.
>
>     rob
>
>      > Nidal.
>      >
>      >
>      > --- On *Thu, 1/5/12, Rob Crittenden /<rcritten at redhat.com>/* wrote:
>      >
>      >
>      > From: Rob Crittenden <rcritten at redhat.com>
>      > Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
>      > To: "nasir nasir" <kollathodi at yahoo.com>
>      > Cc: freeipa-users at redhat.com, fasilkaks at gmail.com
>      > Date: Thursday, January 5, 2012, 7:38 AM
>      >
>      > nasir nasir wrote:
>      > > Thanks for the reply Rob.
>      > >
>      > > Please find below the output of your guidelines.
>      > >
>      > > # ipa-getkeytab -s xxxxxxx.xxxxxxx.com -p host/xxxxxx.xxxxxx.com -k
>      > > /etc/krb5.keytab
>      > > (the command was successful; it didn't show any errors in the
>      > > krb5kdc.log or audit.log)
>      > >
>      > > # kinit -kt /etc/krb5.keytab host/xxxxxx.xxxxxx.com
>      > >
>      > > krb5kdc.log
>      > > -----------------
>      > > Jan 05 15:20:32 xxxxxx.xxxxxx.com krb5kdc[2431](info): AS_REQ (4 etypes
>      > > {18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH: host/xxxxxx.xxxxxx.com at xxxxxx.COM
>      > > for krbtgt/xxxxxx.COM at xxxxxx.COM, Additional pre-authentication required
>      > > Jan 05 15:20:32 xxxxxx.xxxxxx.com krb5kdc[2427](info): AS_REQ (4 etypes
>      > > {18 17 16 23}) 192.168.1.10: ISSUE: authtime 1325766032, etypes {rep=18
>      > > tkt=18 ses=18}, host/xxxxxx.xxxxxx.com at xxxxxx.COM for
>      > > krbtgt/xxxxxx.COM at xxxxxx.COM
>      > >
>      > > # ipa-getcert list
>      > > Number of certificates and requests being tracked: 3.
>      > > Request ID '20110619112648':
>      > > status: CA_UNREACHABLE
>      > > ca-error: Server failed request, will retry: -504 (libcurl failed to
>      > > execute the HTTP POST transaction. SSL connect error).
>      > > stuck: yes
>      > > key pair storage:
>      > > type=NSSDB,location='/etc/dirsrv/slapd-xxxxxx-COM',nickname='Server-Cert',token='NSS
>      > > Certificate DB',pinfile='/etc/dirsrv/slapd-xxxxxx-COM//pwdfile.txt'
>      > > certificate:
>      > > type=NSSDB,location='/etc/dirsrv/slapd-xxxxxx-COM',nickname='Server-Cert',token='NSS
>      > > Certificate DB'
>      > > CA: IPA
>      > > issuer: CN=Certificate Authority,O=xxxxxx.COM
>      > > subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
>      > > expires: 20111216112647
>      > > eku: id-kp-serverAuth
>      > > track: yes
>      > > auto-renew: yes
>      > > Request ID '20110619112705':
>      > > status: CA_UNREACHABLE
>      > > ca-error: Server failed request, will retry: -504 (libcurl failed to
>      > > execute the HTTP POST transaction. SSL connect error).
>      > > stuck: yes
>      > > key pair storage:
>      > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>      > > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>      > > certificate:
>      > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>      > > Certificate DB'
>      > > CA: IPA
>      > > issuer: CN=Certificate Authority,O=xxxxxx.COM
>      > > subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
>      > > expires: 20111216112704
>      > > eku: id-kp-serverAuth
>      > > track: yes
>      > > auto-renew: yes
>      > > Request ID '20110619112721':
>      > > status: CA_UNREACHABLE
>      > > ca-error: Server failed request, will retry: -504 (libcurl failed to
>      > > execute the HTTP POST transaction. SSL connect error).
>      > > stuck: yes
>      > > key pair storage:
>      > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>      > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>      > > certificate:
>      > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>      > > Certificate DB'
>      > > CA: IPA
>      > > issuer: CN=Certificate Authority,O=xxxxxx.COM
>      > > subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
>      > > expires: 20111216112720
>      > > eku: id-kp-serverAuth
>      > > track: yes
>      > > auto-renew: yes
>      > >
>      > > # ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert
>      > > Request "20110619112721" modified.
>      > >
>      > > # ipa-getcert list
>      > > Number of certificates and requests being tracked: 3.
>      > > Request ID '20110619112648':
>      > > status: CA_UNREACHABLE
>      > > ca-error: Server failed request, will retry: -504 (libcurl failed to
>      > > execute the HTTP POST transaction. SSL connect error).
>      > > stuck: yes
>      > > key pair storage:
>      > > type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS
>      > > Certificate DB',pinfile='/etc/dirsrv/slapd-HUGAYET-COM//pwdfile.txt'
>      > > certificate:
>      > > type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS
>      > > Certificate DB'
>      > > CA: IPA
>      > > issuer: CN=Certificate Authority,O=HUGAYET.COM
>      > > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
>      > > expires: 20111216112647
>      > > eku: id-kp-serverAuth
>      > > track: yes
>      > > auto-renew: yes
>      > > Request ID '20110619112705':
>      > > status: CA_UNREACHABLE
>      > > ca-error: Server failed request, will retry: -504 (libcurl failed to
>      > > execute the HTTP POST transaction. SSL connect error).
>      > > stuck: yes
>      > > key pair storage:
>      > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>      > > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>      > > certificate:
>      > > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>      > > Certificate DB'
>      > > CA: IPA
>      > > issuer: CN=Certificate Authority,O=HUGAYET.COM
>      > > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
>      > > expires: 20111216112704
>      > > eku: id-kp-serverAuth
>      > > track: yes
>      > > auto-renew: yes
>      > > Request ID '20110619112721':
>      > > status: SUBMITTING
>      > > stuck: no
>      > > key pair storage:
>      > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>      > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>      > > certificate:
>      > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>      > > Certificate DB'
>      > > CA: IPA
>      > > issuer: CN=Certificate Authority,O=HUGAYET.COM
>      > > subject: CN=openipa.hugayet.com,O=HUGAYET.COM
>      > > expires: 20111216112720
>      > > eku: id-kp-serverAuth
>      > > track: yes
>      > > auto-renew: yes
>      > >
>      > > and after few minutes, the status 'SUBMITTING' will be changed as
>      > > 'CA_UNREACHABLE'
>      > > Do we need to restart the /etc/init.d/ipa service for this? I am
>      > > working remotely.
>      >
>      > It isn't logging enough information to know why it failed. Can you look
>      > in the Apache error log to see why the request failed?
>      >
>      > My first thought was that there was a CA trust issue. I believe that
>      > certmonger uses the NSS database where the certificate is stored so
>      > since it is also doing this against Apache (which in theory trust is ok
>      > for it to start at all) so I'm baffled. Hopefully the httpd logs will be
>      > enlightening.
>      >
>      > >
>      > > I need to upgrade my IPA version. Before going for this I need to have a
>      > > replica of the existing one. Is it okay to have the replica while all
>      > > these issues exist?
>      >
>      >
>      > Yes, you should be able to create a replica, this shouldn't affect it.
>      >
>      > rob
>      >
>
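The diagnosis in this thread comes down to reading `ipa-getcert list` for three signals: an `expires:` stamp already in the past, `stuck: yes`, and a `ca-error` saying certmonger could not trust the server it renews through. The script below is an added example, not code from this thread, FreeIPA or certmonger; it parses that listing format as shown above into one record per request and flags the entries an operator should look at, assuming the `expires:` value is UTC and using a constructed sample with a placeholder domain.

```python
# Added example (not from the thread, FreeIPA or certmonger): flag `ipa-getcert list`
# entries that are expired, stuck or reporting a CA error. SAMPLE is constructed.
import re
from datetime import datetime, timezone

REQUEST_RE = re.compile(r"^\s*Request ID '(?P<id>[^']+)':")
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z -]*?):\s*(?P<val>.*)$")

SAMPLE = """Number of certificates and requests being tracked: 2.
Request ID '20110619112721':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to
execute the HTTP POST transaction. Peer certificate cannot be
authenticated with known CA certificates).
        stuck: yes
        expires: 20111216112720
Request ID '20120101000000':
        status: MONITORING
        expires: 20991231235959
"""

def parse_ts(s):
    # certmonger prints YYYYMMDDHHMMSS; assumed to be UTC here
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_getcert_list(text):
    """One dict per tracked request; values wrapped onto later lines are rejoined."""
    requests, current, last_key = [], None, None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current, last_key = {"id": m.group("id")}, None
            requests.append(current)
        elif current is not None and line.strip():
            f = FIELD_RE.match(line)
            if f:
                last_key = f.group("key")
                current[last_key] = f.group("val")
            elif last_key:  # continuation line of the previous field's value
                current[last_key] += " " + line.strip()
    return requests

def needs_attention(req, now):
    """Reasons an operator should look at this request; an empty list means healthy."""
    checks = [
        ("expires" in req and parse_ts(req["expires"]) <= now, "expired at " + req.get("expires", "")),
        (req.get("stuck") == "yes", "renewal stuck in state " + req.get("status", "?")),
        ("ca-error" in req, "CA error: " + req.get("ca-error", "")),
    ]
    return [msg for ok, msg in checks if ok]

def report(text, now_ts):
    # map request id -> reasons, for every request that is not healthy at now_ts
    now = parse_ts(now_ts)
    flagged = {r["id"]: needs_attention(r, now) for r in parse_getcert_list(text)}
    return {rid: why for rid, why in flagged.items() if why}
```

Run it against the real listing with `report(open("list.txt").read(), "20120106010630")` or pipe the command's output in; a request that is not flagged at all is one certmonger is still renewing normally.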



