Yes, that helped fix 2012092520027 (thank you!!). But I am still seeing an error with:
Request ID '20120615190133':
	status: CA_UNCONFIGURED
	ca-error: Error setting up ccache for local "host" service using default keytab.
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
	certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
	CA: IPA
	issuer:
	subject:
	expires: unknown
	track: yes
	auto-renew: yes

I noticed that the request ID doesn't show up in /var/lib/certmonger/requests/, does that make a difference?

David

On Thu, May 2, 2013 at 2:35 PM, Nalin Dahyabhai <na...@redhat.com> wrote:
> On Thu, May 02, 2013 at 01:23:04PM -0500, Toasted Penguin wrote:
> > /etc/ipa/ca.crt was issued by O=CTIDATA.NET, CN=Certificate Authority
> >
> > All the certs monitored by Certmonger show the same issuer.
>
> Ok, good. (If that hadn't been the case, I wouldn't have had an
> explanation to offer.)
>
> > Wasn't getting anything back when running the ipahost script you provided,
> > ran ipahost=`grep ^host= /etc/ipa/default.conf | cut -f2- -d=` and echo
> > $ipahost shows nothing so I just ran the openssl section manually:
>
> Hmm. Curious. That might be a leftover from having different releases
> installed at various times on my test box. Thanks for continuing on.
>
> > openssl s_client -CAfile /etc/ipa/ca.crt -connect ipa01.ctidata.net:https -showcerts < /dev/null
> >
> > Results:
> > CONNECTED(00000003)
> > depth=1 O = CTIDATA.NET, CN = Certificate Authority
> > verify return:1
> > depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
> > verify error:num=10:certificate has expired
> > notAfter=Mar 24 19:56:36 2013 GMT
> > verify return:1
> > depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
> > notAfter=Mar 24 19:56:36 2013 GMT
> > verify return:1
> > ---
> > Certificate chain
> >  0 s:/O=CTIDATA.NET/CN=ipa01.ctidata.net
> >    i:/O=CTIDATA.NET/CN=Certificate Authority
> > -----BEGIN CERTIFICATE-----
> > #####
> > -----END CERTIFICATE-----
> >  1 s:/O=CTIDATA.NET/CN=Certificate Authority
> >    i:/O=CTIDATA.NET/CN=Certificate Authority
> > -----BEGIN CERTIFICATE-----
> > ####
> > -----END CERTIFICATE-----
> > ---
> > Server certificate
> > subject=/O=CTIDATA.NET/CN=ipa01.ctidata.net
> > issuer=/O=CTIDATA.NET/CN=Certificate Authority
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 1959 bytes and written 463 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is AES256-SHA
> > Server public key is 2048 bit
> > Secure Renegotiation IS supported
> > Compression: NONE
> > Expansion: NONE
> > SSL-Session:
> >     Protocol  : TLSv1
> >     Cipher    : AES256-SHA
> >     Session-ID: #####
> >     Session-ID-ctx:
> >     Master-Key: ####
> >     Key-Arg   : None
> >     Krb5 Principal: None
> >     PSK identity: None
> >     PSK identity hint: None
> >     Start Time: 1367518514
> >     Timeout   : 300 (sec)
> >     Verify return code: 10 (certificate has expired)
> > ---
> > DONE
>
> Yup, that's the problem: the IPA server's certificate wasn't able to be
> replaced while it was still valid, and now it can no longer ask itself
> for a new one.
>
> With 2.1.4, I think the simplest way to sort this is to stop the
> services (ipactl stop; service certmonger stop), roll the system date
> back, start the services up again, possibly use 'ipa-getcert resubmit'
> to force updating (it should happen automatically, but forcing it to
> happen a second time won't hurt). Then shut things down, set the
> correct time on the clock, and bring everything back up again.
>
> Hopefully there's a smarter way to do it, but I'm blanking on it if
> there is one.
>
> HTH,
>
> Nalin
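The situation in this thread (a tracked certificate that expired before certmonger could renew it, leaving the request stuck with an unknown expiry) is the kind of thing a periodic check should catch well before the clock-rollback recovery becomes necessary. As an added example, not code from the thread or from FreeIPA/certmonger, here is a small Python checker that parses `getcert list` output like the record David pasted and flags requests that are stuck or not in MONITORING, whose expiry is unknown, or whose certificate is expired or expiring soon; it also extracts the notAfter line from `openssl s_client` output like the one quoted above. Both sample outputs are constructed, the second request ID and the EXAMPLE.TEST names are invented, and the `expires: YYYY-MM-DD HH:MM:SS UTC` date layout is an assumption about certmonger's output format.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `getcert list` output. The first record mirrors the one
# pasted in the thread; the second (request ID, EXAMPLE.TEST names, dates) is
# invented to show a tracked certificate that has simply expired.
SAMPLE_GETCERT = (
    "Number of certificates and requests being tracked: 2.\n"
    "Request ID '20120615190133':\n"
    "\tstatus: CA_UNCONFIGURED\n"
    "\tca-error: Error setting up ccache for local \"host\" service using default keytab.\n"
    "\tstuck: yes\n"
    "\tkey pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'\n"
    "\tcertificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'\n"
    "\tCA: IPA\n"
    "\tissuer: \n"
    "\tsubject: \n"
    "\texpires: unknown\n"
    "\ttrack: yes\n"
    "\tauto-renew: yes\n"
    "Request ID '20130101000000':\n"
    "\tstatus: MONITORING\n"
    "\tstuck: no\n"
    "\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'\n"
    "\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'\n"
    "\tCA: IPA\n"
    "\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST\n"
    "\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST\n"
    "\texpires: 2013-03-24 19:56:36 UTC\n"
    "\ttrack: yes\n"
    "\tauto-renew: yes\n"
)

# Constructed excerpt of `openssl s_client` output for an expired leaf
# certificate, in the shape quoted in the thread.
SAMPLE_S_CLIENT = (
    "depth=0 O = EXAMPLE.TEST, CN = ipa.example.test\n"
    "verify error:num=10:certificate has expired\n"
    "notAfter=Mar 24 19:56:36 2013 GMT\n"
    "verify return:1\n"
)

# Point in time the checks are evaluated against (the thread's date).
REFERENCE_NOW = datetime(2013, 5, 2, 19, 35, 0, tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per 'Request ID' block.

    Indented 'key: value' lines belong to the most recent request; the
    summary line before the first request is ignored.
    """
    requests = []
    current = None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is not None and ":" in line and line[:1].isspace():
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """Assumed certmonger layout: 'YYYY-MM-DD HH:MM:SS UTC', or 'unknown'."""
    if value in ("", "unknown"):
        return None
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def parse_openssl_not_after(s_client_output):
    """Pull the notAfter= line openssl s_client prints for an expired leaf."""
    m = re.search(r"^notAfter=(.+ GMT)$", s_client_output, re.MULTILINE)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def find_problems(requests, now, warn_days=30):
    """Return (request id, finding) pairs that need an operator's attention.

    A request showing 'expires: unknown', as the one in the thread does,
    carries no date to check, so it is reported on its own.
    """
    problems = []
    for r in requests:
        rid = r["id"]
        if r.get("stuck") == "yes":
            problems.append((rid, "stuck: " + r.get("ca-error", r.get("status", "?"))))
        elif r.get("status") != "MONITORING":
            problems.append((rid, "status " + r.get("status", "?")))
        exp = parse_expiry(r.get("expires", ""))
        if exp is None:
            problems.append((rid, "expiry unknown"))
        elif exp <= now:
            problems.append((rid, "expired " + exp.isoformat()))
        elif (exp - now).days < warn_days:
            problems.append((rid, "expires within %d days" % warn_days))
    return problems


def report(text, now=REFERENCE_NOW):
    """One line per finding, suitable for a cron job that mails its output."""
    return ["%s: %s" % p for p in find_problems(parse_getcert_list(text), now)]


if __name__ == "__main__":
    for line in report(SAMPLE_GETCERT):
        print(line)
    print("openssl notAfter:", parse_openssl_not_after(SAMPLE_S_CLIENT))
```

In production the input would come from `getcert list` (or `ipa-getcert list`) and `now` from `datetime.now(timezone.utc)`; the warning window exists so that a renewal that is failing quietly is noticed while the old certificate is still valid, which is exactly the window that had closed in this thread.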
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users