[Freeipa-users] Make Gpg replica fail, where cert store I should update new?
Rob Crittenden
rcritten at redhat.com
Tue Mar 7 14:17:04 UTC 2017
barrykfl at gmail.com wrote:
> I think I already input all ca cert and server cert
man ipa-replica-prepare
rob
>
>
> certutil -d /etc/dirsrv/slapd-PKI-IPA/ -L
>
> Certificate Nickname        Trust Attributes
>                             SSL,S/MIME,JAR/XPI
>
> *.wisers.com                           <- it is the server wild card cert already
> EXT-CA                      CT,C,C     <- is the combo cert CA
> ABC.COM IPA CA              CT,,C
> Server-Cert                 u,u,u
>
>
> When I make the replica it comes out with an error from the master server
> central.ABC.com .. anything I am missing?
>
> Creating SSL certificate for the dogtag Directory Server
> ipa : ERROR cert validation failed for "CN=central.ABC.com,O=ABC.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
> preparation of replica failed: cannot connect to 'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
> cannot connect to 'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>   File "/usr/sbin/ipa-replica-prepare", line 490, in <module>
>
> 2017-03-07 21:51 GMT+08:00 Rob Crittenden <rcritten at redhat.com>:
>
> barrykfl at gmail.com wrote:
> > same as replica gpg making... Found this cert 2015 expired only? but I follow the manual here:
> >
> > https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1
>
> If you are using 3rd party certs elsewhere then why not provide 3rd
> party certs for this replica as well?
>
> It seems like you aren't using the IPA-provided CA at all given its
> certs expired in 2015.
>
> rob
>
> >
> > It imported as EXT-CA as alias rather than server cert by default... Is
> > there anything pointing wrong?
> >
> > Certificate Nickname        Trust Attributes
> >                             SSL,S/MIME,JAR/XPI
> >
> > *.ABC.com                   ,,
> > EXT-CA                      CT,C,C
> > ABC.COM IPA CA              CT,,C
> > Server-Cert                 u,u,u
> >
> >
> > Request ID '20160516111257':
> >         status: CA_UNREACHABLE
> >         ca-error: Server at https://central.ABC.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://central.ABC.com:443/ca/agent/ca/displayBySerial': (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.).
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=ABC.COM
> >         subject: CN=central.ABC.com,O=ABC.COM
> >         expires: 2015-11-23 08:42:52 UTC
> >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
> >         track: yes
> >         auto-renew: yes
> >
> > 2017-03-07 19:24 GMT+08:00 Barry <kliu at alumni.warwick.ac.uk>:
> >
> > Same as before, I already followed part < 4.1 as below:
> >
> > https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1
> >
> > The Comodo cert is a new cert.
> > It seems I am nearly right... the HTTP server side can read the trust cert
> > BUT it seems dirsrv is still lacking a CA cert to verify it...
> > but ca.crt was changed to the new one already and imported
> >
> > ABC-COM...[07/Mar/2017:19:17:22 +0800] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert *.ABC.com - COMODO CA Limited of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)
> >
> >
> > 2017-03-07 17:16 GMT+08:00 Florence Blanc-Renaud <flo at redhat.com>:
> >
> > Hi,
> >
> > In IPA < 4.5, ipa-replica-prepare was using /etc/ipa/ca.crt as
> > Certificate Authority, and this file may be outdated. Running
> > ipa-certupdate may fix your issue. See [1]
> >
> > If it doesn't, you can start by identifying which certificate
> > expired with
> > $ sudo getcert list | egrep -e 'expires|Request ID|subject'
> >
> > HTH,
> > Flo
> >
> > [1] https://pagure.io/freeipa/issue/6375
> >
> > On 03/07/2017 04:14 AM, barrykfl at gmail.com wrote:
> >
> > gpg
> >
> > Creating SSL certificate for the Directory Server
> > ipa : ERROR cert validation failed for "CN=central.ABC.com,O=ABC.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
> > preparation of replica failed: cannot connect to 'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
> > cannot connect to 'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
> >   File "/usr/sbin/ipa-replica-prepare", line 490, in <module>
> >     main()
> >
> >   File "/usr/sbin/ipa-replica-prepare", line 361, in main
> >     export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert", replica_fqdn, subject_base)
> >
> >   File "/usr/sbin/ipa-replica-prepare", line 150, in export_certdb
> >     raise e
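Flo's advice in the thread is to find out which tracked certificate has expired from `getcert list`. The script below is an added example, not code from the thread or from FreeIPA: it parses the `Request ID '...':` blocks certmonger prints (the format shown in Barry's message) and reports requests whose `expires:` timestamp is already past or falls within a warning window. The sample text is constructed from the output Barry posted; `--sample` reads it instead of running `getcert list`.

```python
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the output Barry posted (not a real capture).
SAMPLE = """\
Request ID '20160516111257':
    status: CA_UNREACHABLE
    subject: CN=central.ABC.com,O=ABC.COM
    expires: 2015-11-23 08:42:52 UTC
Request ID '20170201000000':
    status: MONITORING
    subject: CN=central.ABC.com,O=ABC.COM
    expires: 2017-03-20 00:00:00 UTC
"""
REQ_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?):\s?(.*)$")

def parse_getcert(text):
    """Split `getcert list` text into one dict per tracking request."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
        elif current is not None and (m := FIELD_RE.match(line)):
            current[m.group(1)] = m.group(2).strip()
    return requests

def check_expiry(text, now=None, warn_days=30):
    """Return (expired, expiring_soon): lists of (request_id, status, subject, expires)."""
    now = now or datetime.now(timezone.utc)
    expired, soon = [], []
    for req in parse_getcert(text):
        if "expires" not in req:  # a request still waiting on the CA has no cert yet
            continue
        # certmonger prints the expiry as e.g. '2015-11-23 08:42:52 UTC'
        exp = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
        entry = (req["request_id"], req.get("status", "?"), req.get("subject", "?"), req["expires"])
        if exp <= now:
            expired.append(entry)
        elif exp - now <= timedelta(days=warn_days):
            soon.append(entry)
    return expired, soon

if __name__ == "__main__":
    # --sample uses the constructed text above; otherwise read the live certmonger tracker.
    text = SAMPLE if "--sample" in sys.argv else subprocess.check_output(["getcert", "list"], text=True)
    expired, soon = check_expiry(text)
    for label, items in (("EXPIRED", expired), ("EXPIRING SOON", soon)):
        for rid, status, subj, exp in items:
            print(f"{label}: request {rid} ({status}) {subj} expires {exp}")
    sys.exit(1 if expired else 0)
```

A non-zero exit when anything has expired makes the script usable from cron or a monitoring check; on this thread's master it would have flagged the 2015 Server-Cert before ipa-replica-prepare tripped over it.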