Here is the output from the submit:

/usr/libexec/certmonger/ipa-submit -P bogus/`hostname` ~/req.csr
Submitting request to "https://ipa01.ctidata.net/ipa/xml".
Fault -504: (libcurl failed to execute the HTTP POST transaction, explaining: Peer certificate cannot be authenticated with known CA certificates).
Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer certificate cannot be authenticated with known CA certificates).
Regarding /etc/ipa/ca.crt, it isn't expired; it shows it's valid until July 6, 2019.

On Thu, May 2, 2013 at 12:30 PM, Nalin Dahyabhai <na...@redhat.com> wrote:
> On Thu, May 02, 2013 at 11:45:51AM -0500, Toasted Penguin wrote:
> > Nalin,
> >
> > Thanks for your response. Running `hostname` does result in
> > ipa01.ctidata.net and kinit -k host/ipa01.ctidata.net does also succeed.
> >
> > I ran ` ipa-getcert resubmit -i 20120925200227 -K HTTP/ipa01.ctidata....@ctidata.net`
> >
> > and it resulted in this:
> >
> > Request ID '20120615190133':
> > status: CA_UNCONFIGURED
> > ca-error: Error setting up ccache for local "host" service using default keytab.
> > stuck: yes
> > key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
> > certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
> > CA: IPA
> > issuer:
> > subject:
> > expires: unknown
> > track: yes
> > auto-renew: yes
>
> Can you retrieve the contents of the request and save it to a temporary
> file, like so:
> reqfile=`grep -l '^id=20120615190133' /var/lib/certmonger/requests/*`
> awk '/BEGIN .*REQ/,/END .*REQ/ {sub("^( |csr=)","");print}' $reqfile > ~/req.csr
>
> And then try to manually submit it to the server for signing, in the way
> that certmonger would, like so:
> /usr/libexec/certmonger/ipa-submit -P bogus/`hostname` ~/req.csr
>
> Hopefully the error output there will give us more information about
> what's going on when the submission helper's failing to set up a ccache.
>
> If it manages to get past that point, I expect it to fail because you
> hopefully don't have a principal named "bogus" defined on the local
> host. But at that point we'll have gotten past errors creating the
> ccache, and we'll have to find another way to figure out why it failed
> here.
>
> As an aside, we provide better information for this error in the
> "ca-error" note with later versions than you appear to have, so tracking
> down this information won't always be this complicated.
>
> > Request ID '20120925200227':
> > status: CA_UNREACHABLE
> > ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer certificate cannot be authenticated with known CA certificates).
> > stuck: yes
> > key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=CTIDATA.NET
> > subject: CN=ipa01.ctidata.net,O=CTIDATA.NET
> > expires: 2013-03-24 19:56:36 UTC
> > eku: id-kp-serverAuth
> > track: yes
> > auto-renew: yes
>
> There's an error verifying the server's certificate using the local copy
> of the CA certificate in /etc/ipa/ca.crt. Is it also expired?
>
> Nalin
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
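The two diagnostics the thread leans on, pulling the PEM request out of a certmonger request file with the awk one-liner and checking whether a certificate has expired or still chains to /etc/ipa/ca.crt, are wrapped below as reusable shell functions. This is an added example, not code from the thread, from certmonger or from FreeIPA; it assumes POSIX sh, awk and the openssl CLI on PATH, and the request file it extracts from is a constructed sample with placeholder base64 text, laid out the way the thread's `grep -l '^id=...'` and `sub("^( |csr=)","")` expect. The function names (`extract_csr`, `cert_expires_within`, `verify_against_ca`, `make_sample_request`) are this example's own. The point it makes is the one behind the thread's "Peer certificate cannot be authenticated with known CA certificates": an expired HTTP server certificate (expires 2013-03-24 in the thread) fails verification even when the CA certificate it was issued under is still valid, so checking the leaf's remaining lifetime, not just the CA's, is what catches a stuck renewal.

```shell
#!/bin/sh
# Added example, not code from the thread or from certmonger/FreeIPA.
# Assumptions: POSIX sh, awk, and the openssl CLI on PATH.

# extract_csr FILE
# certmonger writes the request as "csr=-----BEGIN ...-----" followed by
# continuation lines that begin with one space; print only the BEGIN..END
# range with both prefixes stripped (the awk one-liner from the thread).
extract_csr() {
    awk '/BEGIN .*REQ/,/END .*REQ/ { sub("^( |csr=)", ""); print }' "$1"
}

# cert_expires_within CERT_PEM SECONDS
# Returns 0 (true) if the certificate is already expired or will expire
# within SECONDS, 1 if it stays valid past that window.  openssl's
# -checkend exits 0 while the cert remains valid, so invert it.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# verify_against_ca CA_PEM CERT_PEM
# Returns 0 when CERT_PEM chains to CA_PEM and is inside its validity
# period.  An expired leaf fails here even with a valid CA, which is the
# situation the thread's libcurl error describes.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_sample_request FILE
# Writes a constructed request file in the layout the thread's grep/awk
# expect (id= line, csr= line, space-prefixed continuation lines).  The
# body lines are placeholder text, not a real request.
make_sample_request() {
    cat > "$1" <<'EOF'
id=20120615190133
csr=-----BEGIN NEW CERTIFICATE REQUEST-----
 MIICconstructedPlaceholderLine1NotARealRequest
 MIICconstructedPlaceholderLine2NotARealRequest
 -----END NEW CERTIFICATE REQUEST-----
EOF
}

# Demo: extract the constructed request, then (if openssl is available)
# mint a one-day self-signed certificate and run both checks on it.
demo() {
    work=$(mktemp -d) || return 1
    make_sample_request "$work/request"
    echo "--- extracted CSR ---"
    extract_csr "$work/request"
    if command -v openssl >/dev/null 2>&1; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo.example \
            -keyout "$work/key.pem" -out "$work/cert.pem" >/dev/null 2>&1
        if cert_expires_within "$work/cert.pem" 604800; then
            echo "cert.pem expires within 7 days: renewal should already be running"
        else
            echo "cert.pem valid for more than 7 days"
        fi
        if verify_against_ca "$work/cert.pem" "$work/cert.pem"; then
            echo "cert.pem verifies against its CA"
        else
            echo "cert.pem does NOT verify: expired or wrong CA"
        fi
    fi
    rm -rf "$work"
}

demo
```

On a real IPA host the same functions apply to the tracked server certificate once it is exported from the NSS database (for example with `certutil -L -d /etc/httpd/alias -n Server-Cert -a`) and to /etc/ipa/ca.crt as the CA file; a leaf that fails `verify_against_ca` while the CA passes `cert_expires_within` is the expired-server-cert case from the thread.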