Looks to me like Apache isn’t using the correct certificate, or the correct certificate was never installed. But I don’t know enough about FreeIPA’s certificate replacement process to know which one it is. Aside from digging deeper and checking to see where Apache is looking for certificates and maybe manually refreshing it to see if the certificate gets replaced correctly this time, I’m afraid someone else is going to have to jump in here.
John

> On 7 Jun 2017, at 15:03, Roberto Cornacchia via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
>
> OK, I did so and httpd restarts.
>
> $ openssl s_client -connect 127.0.0.1:443 -showcerts
> CONNECTED(00000003)
> depth=1 O = HQ.SPINQUE.COM, CN = Certificate Authority
> verify return:1
> depth=0 O = HQ.SPINQUE.COM, CN = spinque04.hq.spinque.com
> verify error:num=10:certificate has expired
> notAfter=Mar 16 18:45:29 2017 GMT
> verify return:1
> depth=0 O = HQ.SPINQUE.COM, CN = spinque04.hq.spinque.com
> notAfter=Mar 16 18:45:29 2017 GMT
> verify return:1
> ---
> Certificate chain
>  0 s:/O=HQ.SPINQUE.COM/CN=spinque04.hq.spinque.com
>    i:/O=HQ.SPINQUE.COM/CN=Certificate Authority
> ...
>
> Fair enough, but why does this say it expires in 2019? Are they two different
> certificates?
>
> $ getcert list -d /etc/httpd/alias -n ipaCert
> Number of certificates and requests being tracked: 8.
> Request ID '20160501114633':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=HQ.SPINQUE.COM
>         subject: CN=IPA RA,O=HQ.SPINQUE.COM
>         expires: 2019-01-26 19:41:51 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
>         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>         track: yes
>         auto-renew: yes
>
> What's the right way to solve this?
>
>
> On Wed, 7 Jun 2017 at 14:52 John Keates via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
> I would suggest doing what the last line says:
>
> Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the
> problem can be resolved.
>
> Then, you can check the certificates and maybe refresh it if it is actually
> expired.
>
> John
>
>
>> On 7 Jun 2017, at 14:39, Roberto Cornacchia via FreeIPA-users
>> <freeipa-users@lists.fedorahosted.org> wrote:
>>
>> Things are getting worse.
>>
>> First, the version I reported before was incorrect (taken from a client).
>> Here's the server one.
>>
>> $ ipa --version
>> VERSION: 4.2.4, API_VERSION: 2.156
>>
>> I did a dnf update (Fedora 23). The IPA upgrade failed.
>> I tried running it again, manually, after a reboot:
>>
>> $ ipa-server-upgrade
>> session memcached servers not running
>> Upgrading IPA:
>>   [1/8]: saving configuration
>>   [2/8]: disabling listeners
>>   [3/8]: enabling DS global lock
>>   [4/8]: starting directory server
>>   [5/8]: updating schema
>>   [6/8]: upgrading server
>> Add failure attribute "cn" not allowed
>>   [7/8]: stopping directory server
>>   [8/8]: restoring configuration
>> Done.
>> Update complete
>> Upgrading IPA services
>> Upgrading the configuration of the IPA services
>> [Verifying that root certificate is published]
>> [Migrate CRL publish directory]
>> CRL tree already moved
>> [Verifying that CA proxy configuration is correct]
>> [Verifying that KDC configuration is using ipa-kdb backend]
>> [Fix DS schema file syntax]
>> Syntax already fixed
>> [Removing RA cert from DS NSS database]
>> RA cert already removed
>> [Enable sidgen and extdom plugins by default]
>> [Updating mod_nss protocol versions]
>> Protocol versions already updated
>> [Fixing trust flags in /etc/httpd/alias]
>> Trust flags already processed
>> [Exporting KRA agent PEM file]
>> KRA is not enabled
>> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command
>> ipa-server-upgrade manually.
>> Unexpected error - see /var/log/ipaupgrade.log for details:
>> CalledProcessError: Command ''/bin/systemctl' 'start' 'httpd.service''
>> returned non-zero exit status 1
>>
>> The ipaupgrade log only says that starting httpd failed.
>>
>> HTTPD log says:
>>
>> [Wed Jun 07 14:32:26.822478 2017] [core:notice] [pid 3182] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
>> [Wed Jun 07 14:32:26.823122 2017] [suexec:notice] [pid 3182] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
>> [Wed Jun 07 14:32:26.823467 2017] [:warn] [pid 3182] NSSSessionCacheTimeout is deprecated. Ignoring.
>> [Wed Jun 07 14:32:26.913923 2017] [:error] [pid 3182] SSL Library Error: -8181 Certificate has expired
>> [Wed Jun 07 14:32:26.913942 2017] [:error] [pid 3182] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
>>
>> Any suggestion?
>>
>> On Wed, 7 Jun 2017 at 13:17 Roberto Cornacchia <roberto.cornacc...@gmail.com> wrote:
>> Not being able to login to the admin console, I checked the httpd log and
>> found the following errors:
>>
>> [Wed Jun 07 12:50:59.352022 2017] [:error] [pid 10240] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
>> [Wed Jun 07 12:50:59.353372 2017] [:error] [pid 10237] SSL Library Error: -8181 Certificate has expired
>> [Wed Jun 07 12:50:59.353395 2017] [:error] [pid 10237] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
>> [Wed Jun 07 12:50:59.986025 2017] [core:error] [pid 11522] AH00546: no record of generation 47 of exiting child 10203
>>
>> I also get an error during enrollment of a new client (which seems to
>> retrieve a valid certificate anyway):
>>
>> Password for ad...@hq.spinque.com:
>> Successfully retrieved CA cert
>>     Subject:     CN=Certificate Authority,O=HQ.SPINQUE.COM
>>     Issuer:      CN=Certificate Authority,O=HQ.SPINQUE.COM
>>     Valid From:  Mon Mar 16 18:44:35 2015 UTC
>>     Valid Until: Fri Mar 16 18:44:35 2035 UTC
>>
>> Joining realm failed: libcurl failed to execute the HTTP POST transaction,
>> explaining: TCP connection reset by peer
>>
>> Services are up:
>>
>> $ ipactl status
>> Directory Service: RUNNING
>> krb5kdc Service: RUNNING
>> kadmin Service: RUNNING
>> named Service: RUNNING
>> ipa_memcached Service: RUNNING
>> httpd Service: RUNNING
>> pki-tomcatd Service: RUNNING
>> ipa-otpd Service: RUNNING
>> ipa-dnskeysyncd Service: RUNNING
>> ipa: INFO: The ipactl command was successful
>>
>>
>> Certificate monitoring seems ok:
>>
>> $ getcert list -d /etc/httpd/alias -n ipaCert
>> Number of certificates and requests being tracked: 8.
>> Request ID '20160501114633':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer: CN=Certificate Authority,O=HQ.SPINQUE.COM
>>         subject: CN=IPA RA,O=HQ.SPINQUE.COM
>>         expires: 2019-01-26 19:41:51 UTC
>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
>>         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>         track: yes
>>         auto-renew: yes
>>
>> Version:
>>
>> $ ipa --version
>> VERSION: 4.4.3, API_VERSION: 2.215
>>
>> Could you please point me at what else to check?
>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
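Added example, not from the thread: a small Python checker that parses condensed copies of the two outputs Roberto posted (constructed here as sample text) and shows why "expires 2019" and "certificate has expired" are both true: the nickname inspected with `getcert list -n ipaCert` is the IPA RA certificate, while mod_nss is failing on the separately tracked Server-Cert that `openssl s_client` returns. `LOG_TIME` is taken from the httpd log timestamp and used as "now" (an assumption for the offline run).

```python
"""Compare the cert Apache serves (openssl s_client) with the one getcert -n shows."""
import re
from datetime import datetime, timezone

# Constructed sample, condensed from the thread's `openssl s_client -showcerts` output.
S_CLIENT_OUTPUT = """\
depth=1 O = HQ.SPINQUE.COM, CN = Certificate Authority
verify return:1
depth=0 O = HQ.SPINQUE.COM, CN = spinque04.hq.spinque.com
verify error:num=10:certificate has expired
notAfter=Mar 16 18:45:29 2017 GMT
"""

# Constructed sample, condensed from `getcert list -d /etc/httpd/alias -n ipaCert`.
GETCERT_OUTPUT = """\
Request ID '20160501114633':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert'
        subject: CN=IPA RA,O=HQ.SPINQUE.COM
        expires: 2019-01-26 19:41:51 UTC
"""

# Timestamp of the httpd error in the thread, used as "now" (assumption).
LOG_TIME = datetime(2017, 6, 7, 14, 32, 26, tzinfo=timezone.utc)

def served_cert(text):
    """(CN, notAfter) of the leaf (depth=0) certificate in s_client output."""
    cn = re.search(r"^depth=0 .*CN = ([^,\n]+)", text, re.M).group(1).strip()
    exp = re.search(r"^notAfter=(.+) GMT$", text, re.M).group(1)
    return cn, datetime.strptime(exp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def tracked_cert(text):
    """(nickname, CN, expires) from one certmonger request block."""
    nick = re.search(r"nickname='([^']+)'", text).group(1)
    cn = re.search(r"^\s*subject: CN=([^,\n]+)", text, re.M).group(1).strip()
    exp = re.search(r"^\s*expires: (.+) UTC$", text, re.M).group(1)
    return nick, cn, datetime.strptime(exp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def diagnose(s_client_text, getcert_text, now):
    """Return findings explaining why 'expires 2019' and 'has expired' both hold."""
    served_cn, served_exp = served_cert(s_client_text)
    nick, tracked_cn, tracked_exp = tracked_cert(getcert_text)
    findings = []
    if served_exp < now:  # the cert on the wire is what mod_nss rejects
        findings.append(f"served cert CN={served_cn} expired on {served_exp:%Y-%m-%d}")
    if served_cn != tracked_cn:  # wrong nickname was inspected
        findings.append(f"'{nick}' is CN={tracked_cn} (valid to {tracked_exp:%Y-%m-%d}), "
                        "not the served cert; inspect the Server-Cert nickname instead")
    return findings
```

Run `diagnose(S_CLIENT_OUTPUT, GETCERT_OUTPUT, LOG_TIME)` to get both findings; on a live host the same functions can be fed the real command output.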