[Freeipa-users] (no subject)

Rob Crittenden rcritten at redhat.com
Wed Mar 14 19:09:46 UTC 2012


Jimmy wrote:
> I can set the date to before 3/12(the cert expiry date) and things
> start just fine. The apache logs don't seem to hold much info other
> than "the cert is expired." CA logs have even less info.
>
> I did find a similar issue on the mailing list -
> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/3104 - but I
> don't see a resolution, I don't see how the cert is supposed to get
> renewed.

certmonger is supposed to automatically renew it. It apparently tried 
and failed because the CA was unreachable. If you set the date back 
again and execute this command it will resubmit the request and perhaps 
the logs will contain the details we need.

rob

>
> On Wed, Mar 14, 2012 at 2:22 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>> Jimmy wrote:
>>>
>>> I changed the system date and it's functional now. I ran the command `
>>> certutil -L -d /etc/httpd/alias -n Server-Cert` and see the expired
>>> cert. Looking at `ipa-getcert list` I see this--
>>>
>>> Request ID '20110913154233':
>>>          status: CA_UNREACHABLE
>>>          ca-error: Server failed request, will retry: 4301 (RPC failed
>>> at server.  Certificate operation cannot be completed: Unable to
>>> communicate with CMS (Not Found)).
>>>          stuck: yes
>>>          key pair storage:
>>>
>>> type=NSSDB,location='/etc/dirsrv/slapd-XXXXX',nickname='Server-Cert',token='NSS
>>> Certificate DB',pinfile='/etc/dirsrv/slapdXXXXX//pwdfile.txt'
>>>          certificate:
>>>
>>> type=NSSDB,location='/etc/dirsrv/slapd-XXXXX',nickname='Server-Cert',token='NSS
>>> Certificate DB'
>>>          CA: IPA
>>>          issuer: CN=Certificate Authority,O=XXXXX
>>>          subject: CN=csp-idm.pdh.csp,O=XXXXX
>>>          expires: 2012-03-11 15:42:32 UTC
>>>          eku: id-kp-serverAuth
>>>          track: yes
>>>          auto-renew: yes
>>>
>>> It says "CA_UNREACHABLE", but ipactl status shows the CA running. Any
>>> ideas on why this is occurring?
>>
>>
>> The Apache error log may hold some clues. You might try:
>>
>> # ipa-getcert resubmit -i 20110913154233
>>
>> Then watch the Apache log to see what it is doing. The CA logs are in
>> /var/log/pki-ca and may provide some details as well.
>>
>> rob
>>
>>
>>>
>>> On Wed, Mar 14, 2012 at 1:35 PM, Jimmy <g17jimmy at gmail.com> wrote:
>>>>
>>>> My IPA server just stopped working with this error. I'm looking in to
>>>> it, but if anyone knows what the issue is right off I'd appreciate any
>>>> pointers you have.
>>>>
>>>> (when trying to do service ipa start)
>>>> Starting dirsrv:
>>>>     PDH-CSP...[14/Mar/2012:17:24:34 +0000] - SSL alert:
>>>> CERT_VerifyCertificateNow: verify certificate failed for cert
>>>> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
>>>> Portable Runtime error -8181 - Peer's Certificate has expired.)
>>>>                                                            [  OK  ]
>>>>     PKI-IPA...[14/Mar/2012:17:24:36 +0000] - SSL alert:
>>>> CERT_VerifyCertificateNow: verify certificate failed for cert
>>>> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
>>>> Portable Runtime error -8181 - Peer's Certificate has expired.)
>>>>                                                            [  OK  ]
>>>>
>>>>
>>>> I'm running on Fedora15, running IPA --
>>>> freeipa-server-2.1.1-1.fc15.x86_64.
>>>> Thanks.
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>>
>>
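A small monitoring helper, added here as an example rather than code from the thread or from FreeIPA/certmonger: it parses `ipa-getcert list` output in the format quoted above (Jimmy's request block, plus a second, hypothetical healthy request so the report has a contrast) and flags requests that are stuck, in a non-MONITORING state, carrying a ca-error, or expired / close to expiry, which is the condition that took this server down. Field names are those certmonger prints; the second request ID, its dates and the NOW timestamp (the time of Rob's reply) are constructed values.

```python
"""Parse `ipa-getcert list` output and flag tracking requests that need attention.

Added example, not code from the thread or from FreeIPA/certmonger.  The first
request block is taken from the thread; the second is a hypothetical healthy
request so the report has something to contrast.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout `ipa-getcert list` prints (wrapped lines rejoined).
SAMPLE_OUTPUT = """\
Request ID '20110913154233':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-XXXXX',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapdXXXXX//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-XXXXX',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=XXXXX
        subject: CN=csp-idm.pdh.csp,O=XXXXX
        expires: 2012-03-11 15:42:32 UTC
        eku: id-kp-serverAuth
        track: yes
        auto-renew: yes
Request ID '20110913154300':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=XXXXX
        subject: CN=csp-idm.pdh.csp,O=XXXXX
        expires: 2013-09-13 15:43:00 UTC
        eku: id-kp-serverAuth
        track: yes
        auto-renew: yes
"""

# Time of Rob's reply, so the sample is reproducible; a live check uses datetime.now(timezone.utc).
NOW = datetime(2012, 3, 14, 19, 9, 46, tzinfo=timezone.utc)

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
# Keys may contain spaces and hyphens ("key pair storage", "ca-error"); stop at the first colon.
FIELD_RE = re.compile(r"^\s+([\w -]+?):\s*(.*)$")


def parse_getcert_list(text):
    """Return one dict per 'Request ID' block, keyed by certmonger's own field names."""
    requests = []
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return requests


def parse_expiry(value):
    """certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'; return an aware datetime."""
    if not value.endswith(" UTC"):
        raise ValueError("unexpected expiry format: %r" % value)
    naive = datetime.strptime(value[:-4], "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)


def assess(requests, now, warn_days=30):
    """Collect problems per request: stuck, non-MONITORING status, ca-error,
    expired, or expiring within warn_days.  Returns a list of findings."""
    findings = []
    for req in requests:
        problems = []
        if req.get("stuck") == "yes":
            problems.append("stuck: certmonger will not proceed without intervention (see 'getcert resubmit')")
        status = req.get("status", "")
        if status != "MONITORING":
            problems.append("status is %s" % status)
        if "ca-error" in req:
            problems.append("ca-error: " + req["ca-error"])
        if "expires" in req:
            expiry = parse_expiry(req["expires"])
            if expiry <= now:
                problems.append("EXPIRED %d day(s) ago" % (now - expiry).days)
            elif expiry - now <= timedelta(days=warn_days):
                problems.append("expires in %d day(s)" % (expiry - now).days)
        findings.append({
            "request_id": req["request_id"],
            "subject": req.get("subject", "?"),
            "location": req.get("certificate", "?"),
            "problems": problems,
        })
    return findings


def report(findings):
    """Render findings as text lines; a monitoring job would alert on any ATTENTION entry."""
    lines = []
    for f in findings:
        state = "ATTENTION" if f["problems"] else "OK"
        lines.append("%s  %s  %s" % (state, f["request_id"], f["subject"]))
        for p in f["problems"]:
            lines.append("    - " + p)
    return lines


if __name__ == "__main__":
    # On a live server feed in the real `ipa-getcert list` output (run as root) and NOW = datetime.now(timezone.utc).
    for line in report(assess(parse_getcert_list(SAMPLE_OUTPUT), NOW)):
        print(line)
```

Run periodically (before the expiry date, not after), this turns a silent renewal failure like the CA_UNREACHABLE one above into an alert while there is still time to resubmit the request, instead of a service outage discovered when dirsrv refuses to start.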