[Freeipa-users] Expired certs not auto renewed by Certmonger
Toasted Penguin
toastedpenguininfo at gmail.com
Thu May 2 18:23:04 UTC 2013
/etc/ipa/ca.crt was issued by O=CTIDATA.NET, CN=Certificate Authority
All the certs monitored by Certmonger show the same issuer.
Wasn't getting anything back when running the ipahost script you provided; running
ipahost=`grep ^host= /etc/ipa/default.conf | cut -f2- -d=` and echo $ipahost
shows nothing, so I just ran the openssl section manually:
openssl s_client -CAfile /etc/ipa/ca.crt -connect ipa01.ctidata.net:https -showcerts < /dev/null
Results:
CONNECTED(00000003)
depth=1 O = CTIDATA.NET, CN = Certificate Authority
verify return:1
depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
verify error:num=10:certificate has expired
notAfter=Mar 24 19:56:36 2013 GMT
verify return:1
depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
notAfter=Mar 24 19:56:36 2013 GMT
verify return:1
---
Certificate chain
0 s:/O=CTIDATA.NET/CN=ipa01.ctidata.net
i:/O=CTIDATA.NET/CN=Certificate Authority
-----BEGIN CERTIFICATE-----
#####
-----END CERTIFICATE-----
1 s:/O=CTIDATA.NET/CN=Certificate Authority
i:/O=CTIDATA.NET/CN=Certificate Authority
-----BEGIN CERTIFICATE-----
####
-----END CERTIFICATE-----
---
Server certificate
subject=/O=CTIDATA.NET/CN=ipa01.ctidata.net
issuer=/O=CTIDATA.NET/CN=Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 1959 bytes and written 463 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: #####
Session-ID-ctx:
Master-Key: ####
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1367518514
Timeout : 300 (sec)
Verify return code: 10 (certificate has expired)
---
DONE
On Thu, May 2, 2013 at 12:53 PM, Nalin Dahyabhai <nalin at redhat.com> wrote:
> On Thu, May 02, 2013 at 12:45:34PM -0500, Toasted Penguin wrote:
> > Here is the output from the submit:
> >
> > /usr/libexec/certmonger/ipa-submit -P bogus/`hostname` ~/req.csr
> > Submitting request to "https://ipa01.ctidata.net/ipa/xml".
> > Fault -504: (libcurl failed to execute the HTTP POST transaction,
> > explaining: Peer certificate cannot be authenticated with known CA
> > certificates).
> > Server failed request, will retry: -504 (libcurl failed to execute the
> > HTTP POST transaction, explaining: Peer certificate cannot be authenticated
> > with known CA certificates).
> >
> > Regarding /etc/ipa/ca.crt, it isn't expired; it shows it's valid until
> > July 6, 2019.
>
> Hmm, so for both cases, you're seeing errors verifying the IPA server's
> certificate. Can you double-check the certificates and that the
> server's looks like it was issued by the CA?
>
> This should more or less repeat the part of the process that's giving
> libcurl trouble, and show us the certificates, too:
>
> ipahost=`grep ^host= /etc/ipa/default.conf | cut -f2- -d=`
> openssl s_client -CAfile /etc/ipa/ca.crt \
> -connect $ipahost:https -showcerts < /dev/null
>
> Nalin
>
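The manual check Nalin describes (pull the server name out of /etc/ipa/default.conf, connect with openssl s_client against /etc/ipa/ca.crt, read the verify return code) can be scripted so it is repeatable across hosts. The script below is an added example, not code from the thread, from FreeIPA or from certmonger. Two things in it go beyond the thread: the host parser accepts whitespace around `=` (the `host = value` form ipa-client-install writes), which is one reason a grep for the exact string `host=` can return nothing, and the verdict function maps the verify return code to a word a monitoring job can act on. The hostnames and the s_client transcript are constructed sample data, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the original thread, FreeIPA or certmonger):
# script the check from the thread, find the IPA server named in
# /etc/ipa/default.conf, connect with openssl s_client using /etc/ipa/ca.crt,
# and report whether the server certificate verifies and, if not, why.

# Read a default.conf-style file on stdin and print the value of "host".
# Accepts both "host=value" and "host = value".
ipa_host_from_conf() {
    sed -n 's/^host[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Read openssl s_client output on stdin; print the numeric verify return code
# (empty if no "Verify return code" line was printed, i.e. no handshake).
verify_code() {
    sed -n 's/^Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Read openssl s_client output on stdin; print the notAfter date openssl
# prints next to an expiry error, or nothing if no such line appeared.
expired_not_after() {
    sed -n 's/^notAfter=//p' | head -n 1
}

# Map a verify return code to a one-word verdict for scripting.
# 0 is success, 10 is X509_V_ERR_CERT_HAS_EXPIRED, anything else is some
# other chain failure (wrong issuer, self-signed leaf, ...).
verdict() {
    case "$1" in
        0)  echo ok ;;
        10) echo expired ;;
        "") echo no-handshake ;;
        *)  echo chain-error ;;
    esac
}

# Live check against the configured server. Returns 0 only when the chain
# verifies; prints the verdict and, for an expired leaf, its notAfter date.
# Usage: check_ipa_server [default.conf] [ca.crt]
check_ipa_server() {
    conf=${1:-/etc/ipa/default.conf}
    ca=${2:-/etc/ipa/ca.crt}
    host=$(ipa_host_from_conf < "$conf")
    [ -n "$host" ] || { echo "no host setting in $conf" >&2; return 2; }
    out=$(openssl s_client -CAfile "$ca" -connect "$host:443" -showcerts </dev/null 2>&1)
    code=$(printf '%s\n' "$out" | verify_code)
    v=$(verdict "$code")
    echo "$host: $v (verify return code: ${code:-none})"
    if [ "$v" = expired ]; then
        echo "server certificate notAfter: $(printf '%s\n' "$out" | expired_not_after)"
    fi
    [ "$v" = ok ]
}

# Constructed sample input (not captured from a real system), shaped like the
# thread's config and s_client output, so the parsers can be exercised offline.
SAMPLE_CONF='[global]
realm = EXAMPLE.TEST
host = ipa01.example.test
xmlrpc_uri = https://ipa01.example.test/ipa/xml'

SAMPLE_SCLIENT='CONNECTED(00000003)
depth=1 O = EXAMPLE.TEST, CN = Certificate Authority
verify return:1
depth=0 O = EXAMPLE.TEST, CN = ipa01.example.test
verify error:num=10:certificate has expired
notAfter=Mar 24 19:56:36 2013 GMT
verify return:1
---
Verify return code: 10 (certificate has expired)
---
DONE'

# Offline demo: parse the constructed data and print "host verdict notAfter".
demo() {
    code=$(printf '%s\n' "$SAMPLE_SCLIENT" | verify_code)
    printf '%s %s %s\n' "$(printf '%s\n' "$SAMPLE_CONF" | ipa_host_from_conf)" \
        "$(verdict "$code")" "$(printf '%s\n' "$SAMPLE_SCLIENT" | expired_not_after)"
}

demo
# Against a real client, run: check_ipa_server   (or pass conf and CA paths)
```

Run against a real IPA client, `check_ipa_server` exits non-zero with the verdict `expired` in the situation in this thread, which is the same condition that makes ipa-submit fail with "Peer certificate cannot be authenticated with known CA certificates": certmonger's renewal request goes over HTTPS to the server whose certificate has already expired, so the chain check that protects the renewal channel is what blocks the renewal.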