Toasted Penguin wrote:
Yes that helped fix 2012092520027 (thank you!!)
But I am still seeing an error with:
Request ID '20120615190133':
status: CA_UNCONFIGURED
ca-error: Error setting up ccache for local "host" service using default keytab.
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
CA: IPA
issuer:
subject:
expires: unknown
track: yes
auto-renew: yes
I noticed that the request ID doesn't show up
in /var/lib/certmonger/requests/, does that make a difference?
The request ID usually, but not always, matches the name of the request
files.
We don't usually issue a Server-Cert for an IPA server. Could this be a
remnant of an older client install?
Is there a Server-Cert in /etc/pki/nssdb? certutil -L -d /etc/pki/nssdb
rob
David
On Thu, May 2, 2013 at 2:35 PM, Nalin Dahyabhai <na...@redhat.com> wrote:
On Thu, May 02, 2013 at 01:23:04PM -0500, Toasted Penguin wrote:
> /etc/ipa/ca.crt was issued by O=CTIDATA.NET, CN=Certificate Authority
>
> All the certs monitored by Certmonger show the same issuer.
Ok, good. (If that hadn't been the case, I wouldn't have had an
explanation to offer.)
> Wasn't getting anything back when running the ipahost script you provided,
> ran ipahost=`grep ^host= /etc/ipa/default.conf | cut -f2- -d=` and echo
> $ipahost shows nothing so I just ran the openssl section manually:
Hmm. Curious. That might be a leftover from having different releases
installed at various times on my test box. Thanks for continuing on.
> openssl s_client -CAfile /etc/ipa/ca.crt -connect ipa01.ctidata.net:https
> -showcerts < /dev/null
>
> Results:
> CONNECTED(00000003)
> depth=1 O = CTIDATA.NET, CN = Certificate Authority
> verify return:1
> depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
> verify error:num=10:certificate has expired
> notAfter=Mar 24 19:56:36 2013 GMT
> verify return:1
> depth=0 O = CTIDATA.NET, CN = ipa01.ctidata.net
> notAfter=Mar 24 19:56:36 2013 GMT
> verify return:1
> ---
> Certificate chain
> 0 s:/O=CTIDATA.NET/CN=ipa01.ctidata.net
> i:/O=CTIDATA.NET/CN=Certificate Authority
> -----BEGIN CERTIFICATE-----
> #####
> -----END CERTIFICATE-----
> 1 s:/O=CTIDATA.NET/CN=Certificate Authority
> i:/O=CTIDATA.NET/CN=Certificate Authority
> -----BEGIN CERTIFICATE-----
> ####
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=/O=CTIDATA.NET/CN=ipa01.ctidata.net
> issuer=/O=CTIDATA.NET/CN=Certificate Authority
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1959 bytes and written 463 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1
> Cipher : AES256-SHA
> Session-ID: #####
> Session-ID-ctx:
> Master-Key: ####
> Key-Arg : None
> Krb5 Principal: None
> PSK identity: None
> PSK identity hint: None
> Start Time: 1367518514
> Timeout : 300 (sec)
> Verify return code: 10 (certificate has expired)
> ---
> DONE
Yup, that's the problem: the IPA server's certificate wasn't able to be
replaced while it was still valid, and now it can no longer ask itself
for a new one.
With 2.1.4, I think the simplest way to sort this is to stop the
services (ipactl stop; service certmonger stop), roll the system date
back, start the services up again, possibly use 'ipa-getcert resubmit'
to force updating (it should happen automatically, but forcing it to
happen a second time won't hurt). Then shut things down, set the
correct time on the clock, and bring everything back up again.
Hopefully there's a smarter way to do it, but I'm blanking on it if
there is one.
HTH,
Nalin
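The failure mode Nalin describes (the server certificate expired before certmonger managed to renew it, so the server can no longer authenticate to itself to request a replacement) is much cheaper to catch before expiry than after. The following is an added example, not code from the thread or from the FreeIPA or certmonger projects: a small checker that parses the block format of `ipa-getcert list` (as shown earlier in this thread) and flags requests that are stuck, not in MONITORING, already expired, or expiring within a warning window. The sample output is constructed; the healthy and expired request IDs, the `/etc/httpd/alias` storage location and the `expires:` field format `YYYY-MM-DD HH:MM:SS UTC` are assumptions (older certmonger releases print the date differently).

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `ipa-getcert list` output. The first two
# requests (IDs, dates, /etc/httpd/alias location) are made up; the third block
# is the stuck request quoted in the thread.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20130101120000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=CTIDATA.NET
\tsubject: CN=ipa01.ctidata.net,O=CTIDATA.NET
\texpires: 2013-05-20 19:56:36 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20120324195636':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Old-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Old-Cert'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=CTIDATA.NET
\tsubject: CN=ipa01.ctidata.net,O=CTIDATA.NET
\texpires: 2013-03-24 19:56:36 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20120615190133':
\tstatus: CA_UNCONFIGURED
\tca-error: Error setting up ccache for local "host" service using default keytab.
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
\tCA: IPA
\tissuer:
\tsubject:
\texpires: unknown
\ttrack: yes
\tauto-renew: yes
"""

# Reference "now" for the sample: the Start Time epoch from the s_client output
# in the thread (1367518514 = 2013-05-02 18:15:14 UTC).
NOW = datetime(2013, 5, 2, 18, 15, 14, tzinfo=timezone.utc)

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\s*([A-Za-z][\w -]*?):\s?(.*)$")


def parse_getcert_list(text):
    """Split `getcert list` output into one dict of fields per request."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is None:          # header line before the first request
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    return requests


def check_requests(requests, now, warn_days=30):
    """Return (request_id, kind, detail) findings for anything needing attention."""
    findings = []
    for r in requests:
        rid = r["id"]
        if r.get("stuck") == "yes":
            findings.append((rid, "stuck",
                             f"status {r.get('status')}: {r.get('ca-error', 'no ca-error')}"))
        elif r.get("status") != "MONITORING":
            findings.append((rid, "not-monitoring", f"status {r.get('status')}"))

        expires = r.get("expires", "unknown")
        if expires == "unknown":
            findings.append((rid, "expiry-unknown", "no certificate expiry recorded"))
            continue
        # Assumed format: "YYYY-MM-DD HH:MM:SS UTC"; strptime returns a naive value.
        exp_dt = datetime.strptime(expires, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
        remaining = exp_dt - now
        if remaining <= timedelta(0):
            findings.append((rid, "expired", f"expired {expires}"))
        elif remaining <= timedelta(days=warn_days):
            findings.append((rid, "expiring", f"{remaining.days} days left (expires {expires})"))
    return findings


def findings_for_sample():
    return check_requests(parse_getcert_list(SAMPLE_GETCERT_LIST), NOW)


if __name__ == "__main__":
    for rid, kind, detail in findings_for_sample():
        print(f"{rid}\t{kind}\t{detail}")
```

Run it against real output with `ipa-getcert list | python3 check_getcert.py`-style piping by reading `sys.stdin` instead of the constructed sample, and treat any `expired`, `stuck` or `expiry-unknown` finding as a page-worthy alert: once the server's own certificate has lapsed, the clock-rollback procedure above is the remaining option, whereas an `expiring` warning still leaves time for `ipa-getcert resubmit` to work normally.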
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users