On Tue, Jan 28, 2014 at 01:25:56PM -0500, Rob Crittenden wrote:
> craig.free...@noboost.org wrote:
> >On Thu, Jan 23, 2014 at 09:21:54AM -0500, Rob Crittenden wrote:
> >>Alexander Bokovoy wrote:
> >>>On Thu, 23 Jan 2014, craig.free...@noboost.org wrote:
> >>>>Hi Guys,
> >>>>
> >>>>I'm sure this is an easy issue to fix!
> >>>>
> >>>>First the specs;
> >>>>Red Hat Enterprise Linux Server release 6.3 (Santiago)
> >>>>ipa-client-2.2.0-16.el6.x86_64
> >>>>ipa-server-2.2.0-16.el6.x86_64
> >>>>
> >>>>
> >>>>Issue:
> >>>>When I click on the hosts TAB from inside the Identity Management GUI, I
> >>>>get the following error;
> >>>>* Certificate format error: [Errno -8018] None (repeated many times)
> >>>>
> >>>>* Cannot connect to
> >>>>'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':
> >>>>
> >>>>[Errno -8018] None
> >>>>
> >>>>Also seen this error;
> >>>>cannot connect to
> >>>>'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial':
> >>>>[Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
> >>>>certificate as expired.
> >>>>
> >>>>
> >>>>Any advice would be greatly appreciated!
> >>>http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
> >>>
> >>>Since you have FreeIPA before 3.4, you need to follow manual procedure
> >>>outlined on that page. 2.2 might also be a bit different than 3.x but
> >>>this is a starting point.
> >>>
> >>>
> >>
> >>For 2.x you want http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
> >>
> >>rob
> >>
> >Just running into a couple of issues with the manual SSL cert process;
> >
> >1) ERROR when telling certmonger about all the CA certificates
> >
> >#Command:
> >for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" \
> >"subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
> >do
> >     echo $nickname
> >     certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
> >done
> >
> >
> >#Result:
> >auditSigningCert cert-pki-ca
> >             Not After : Tue Jan 14 06:45:05 2014
> >ocspSigningCert cert-pki-ca
> >             Not After : Tue Jan 14 06:45:05 2014
> >subsystemCert cert-pki-ca
> >             Not After : Tue Jan 14 06:45:05 2014
> >Server-Cert cert-pki-ca
> >             Not After : Tue Jan 14 06:45:05 2014
> >
> >#Command:
> >for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" \
> >"subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
> >do
> >     /usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n \
> > "${nickname}" -c dogtag-ipa-renew-agent -P 705114231111
> >done
> >
> >#Result:
> >No CA with name "dogtag-ipa-renew-agent" found.
> >No CA with name "dogtag-ipa-renew-agent" found.
> >No CA with name "dogtag-ipa-renew-agent" found.
> >No CA with name "dogtag-ipa-renew-agent" found.
> >
> >
> >2)Upgrade instead?
> >I could potentially upgrade the ipa-server to "3.0.0-37.el6", would this 
> >version be able to automatically update the certificates?
> >
> >cya
> >
> >Craig
> >
> 
> You need certmonger-0.58-1 or higher to get the
> dogtag-ipa-renew-agent CA and other fixes. I'll update the wiki with
> that, sorry for the oversight.
> 
> You could try updating to 3.0. If you do decide to try upgrading I
> think I'd go back in time when all the certs are valid first as some
> services will be restarted during the upgrade and we don't want the
> upgrade blowing up in the middle because of expired certs.
> 
> rob
I'll give the upgrade a go, say I go back to the older date and IPA 
starts fine. Won't the certs still have a hard expiry date on them, so 
I'll need to follow the
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal procedure?

cya

Craig
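A pre-flight check for the renewal procedure discussed in this thread, written as an added example for this page (it is not code from the thread, the wiki page, or the FreeIPA project). It pulls the "Not After" date out of `certutil -L` output for the same four CA nicknames and NSS database the poster used, computes days to expiry, and separately checks whether certmonger knows the `dogtag-ipa-renew-agent` CA, which is the failure the poster hit with `getcert start-tracking`. Assumptions: GNU `date -d`, `certutil` from nss-tools, and that `getcert list-cas` prints each CA as a line of the form `CA 'name':`. The embedded certutil output is constructed for the offline demonstration, not captured from the poster's server.

```bash
#!/bin/bash
# Added example, not from the thread or the FreeIPA project.
# Assumes GNU date (-d), certutil (nss-tools) and getcert (certmonger).

# Print the "Not After" date from `certutil -L -d <db> -n <nick>` output read
# on stdin, e.g. "Tue Jan 14 06:45:05 2014".
not_after_from_certutil() {
    sed -n 's/^[[:space:]]*Not After[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# Days until the given date string, measured from the epoch seconds in $2
# (defaults to now). Negative means the certificate has already expired.
days_until() {
    local notafter=$1 now=${2:-$(date +%s)} exp
    exp=$(date -d "$notafter" +%s) || return 2
    echo $(( (exp - now) / 86400 ))
}

# Classify a day count: "expired", "expiring" (inside the window in $2,
# default 28 days, certmonger's usual renewal window) or "ok".
classify() {
    local days=$1 window=${2:-28}
    if [ "$days" -lt 0 ]; then echo expired
    elif [ "$days" -le "$window" ]; then echo expiring
    else echo ok; fi
}

# Check the four CA subsystem certificates in the live Dogtag NSS database.
check_ca_certs() {
    local db=${1:-/var/lib/pki-ca/alias} nick na days
    for nick in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" \
                "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"; do
        na=$(certutil -L -d "$db" -n "$nick" | not_after_from_certutil)
        days=$(days_until "$na")
        printf '%-30s %s (%s days)\n' "$nick" "$(classify "$days")" "$days"
    done
}

# certmonger must know the dogtag-ipa-renew-agent CA (certmonger >= 0.58)
# before `getcert start-tracking -c dogtag-ipa-renew-agent` can succeed.
# Assumed output format of `getcert list-cas`: one "CA 'name':" line per CA.
renew_agent_ca_known() {
    getcert list-cas 2>/dev/null | grep -q "^CA 'dogtag-ipa-renew-agent':"
}

# Constructed sample of certutil -L output carrying the expiry seen in the
# thread (not real output from the poster's server).
SAMPLE_CERTUTIL='Certificate:
    Data:
        Validity:
            Not Before: Mon Jan 16 06:45:05 2012
            Not After : Tue Jan 14 06:45:05 2014'

# Offline demonstration: classify the sample as of the thread's date
# (28 Jan 2014) instead of running certutil.
demo_classify() {
    local na now days
    na=$(printf '%s\n' "$SAMPLE_CERTUTIL" | not_after_from_certutil)
    now=$(date -d "Tue Jan 28 13:25:56 2014" +%s)
    days=$(days_until "$na" "$now")
    classify "$days"
}

# Run against the real server only when asked: ./check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_ca_certs
    if renew_agent_ca_known; then
        echo "certmonger CA dogtag-ipa-renew-agent: present"
    else
        echo "certmonger CA dogtag-ipa-renew-agent: missing (need certmonger 0.58 or later)"
    fi
fi
```

Run it with `--live` on the IPA server before touching anything: any certificate reported as `expired` is why the GUI and the `displayBySerial` call fail, and a missing `dogtag-ipa-renew-agent` CA means certmonger is too old for the wiki's tracking commands, whichever way (manual renewal or upgrade) you go next.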

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users