On Thu, May 02, 2013 at 01:23:04PM -0500, Toasted Penguin wrote:
> /etc/ipa/ca.crt was issued by O=CTIDATA.NET, CN=Certificate Authority
>
> All the certs monitored by Certmonger show the same issuer.

Ok, good. (If that hadn't been the case, I wouldn't have had an explanation to offer.)

> Wasn't getting anything back when running the ipahost script you provided,
> ran ipahost=`grep ^host= /etc/ipa/default.conf | cut -f2- -d=` and echo
> $ipahost shows nothing so I just ran the openssl section manually:

Hmm. Curious. That might be a leftover from having different releases installed at various times on my test box. Thanks for continuing on.

> openssl s_client -CAfile /etc/ipa/ca.crt -connect ipa01.ctidata.net:https
> -showcerts < /dev/null
>
> Results:
> CONNECTED(00000003)
> depth=1 O = CTIDATA.NET, CN = Certificate Authority
> verify return:1
> depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
> verify error:num=10:certificate has expired
> notAfter=Mar 24 19:56:36 2013 GMT
> verify return:1
> depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
> notAfter=Mar 24 19:56:36 2013 GMT
> verify return:1
> ---
> Certificate chain
> 0 s:/O=CTIDATA.NET/CN=ipa01.ctidata.net
> i:/O=CTIDATA.NET/CN=Certificate Authority
> -----BEGIN CERTIFICATE-----
> #####
> -----END CERTIFICATE-----
> 1 s:/O=CTIDATA.NET/CN=Certificate Authority
> i:/O=CTIDATA.NET/CN=Certificate Authority
> -----BEGIN CERTIFICATE-----
> ####
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=/O=CTIDATA.NET/CN=ipa01.ctidata.net
> issuer=/O=CTIDATA.NET/CN=Certificate Authority
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1959 bytes and written 463 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1
> Cipher : AES256-SHA
> Session-ID: #####
> Session-ID-ctx:
> Master-Key: ####
> Key-Arg : None
> Krb5 Principal: None
> PSK identity: None
> PSK identity hint: None
> Start Time: 1367518514
> Timeout : 300 (sec)
> Verify return code: 10 (certificate has expired)
> ---
> DONE

Yup, that's the problem: the IPA server's certificate wasn't able to be replaced while it was still valid, and now it can no longer ask itself for a new one.

With 2.1.4, I think the simplest way to sort this is to stop the services (ipactl stop; service certmonger stop), roll the system date back, start the services up again, possibly use 'ipa-getcert resubmit' to force updating (it should happen automatically, but forcing it to happen a second time won't hurt). Then shut things down, set the correct time on the clock, and bring everything back up again.

Hopefully there's a smarter way to do it, but I'm blanking on it if there is one.

HTH,

Nalin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
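The failure above only becomes unrecoverable once the certificate has actually expired, so the practical defence is to notice it beforehand. The following shell script is an added example, not code from the thread or from FreeIPA: it checks a PEM certificate file (or a server's leaf certificate fetched with the same openssl s_client call used above) against a warning window using openssl's -checkend, so an expiring IPA service certificate shows up while it can still be renewed. It assumes openssl is installed; the EXAMPLE.TEST names in the self-signed sample certificate are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): warn before a certificate expires,
# so renewal can still happen while the cert is valid. Requires openssl.

# Return 0 if FILE's certificate is still valid WARN_DAYS from now,
# 1 if it will have expired by then (or already has), 2 if it cannot be parsed.
cert_ok_for_days() {
    file=$1
    days=${2:-30}
    secs=$((days * 86400))
    openssl x509 -in "$file" -noout >/dev/null 2>&1 || return 2
    # -checkend succeeds only when notAfter is later than now + secs
    openssl x509 -in "$file" -noout -checkend "$secs" >/dev/null 2>&1
}

# Human-readable report for one file: subject, notAfter and status.
report_cert() {
    file=$1
    days=${2:-30}
    subject=$(openssl x509 -in "$file" -noout -subject 2>/dev/null)
    enddate=$(openssl x509 -in "$file" -noout -enddate 2>/dev/null)
    if cert_ok_for_days "$file" "$days"; then
        status="OK (valid for more than $days days)"
    else
        status="WARNING: expires within $days days or already expired"
    fi
    printf '%s\n  %s\n  %s\n  %s\n' "$file" "$subject" "$enddate" "$status"
}

# Fetch a server's leaf certificate over TLS (the same s_client call as in
# the thread) and store it as PEM in OUT so it can be checked the same way.
fetch_server_cert() {
    hostport=$1
    out=$2
    openssl s_client -connect "$hostport" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$out"
}

# Constructed sample: a throw-away self-signed certificate valid for only
# one day, which is enough to trip the default 30-day warning.
make_short_lived_cert() {
    out=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out" \
        -days 1 -subj "/O=EXAMPLE.TEST/CN=ipa.example.test" >/dev/null 2>&1
}
```

Run report_cert over /etc/ipa/ca.crt and each certificate certmonger tracks (or the file produced by fetch_server_cert) from cron and alert on any WARNING line.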