Sina Owolabi wrote:
> Hi Rob
> There are some logs in /var/log/pki-ca/catalina.out that appear to
> indicate a problem:
> [SNIP]

These are mostly white noise from tomcat and can be ignored.

> Also running "getcert list" tells me there are two expired certs:
> Request ID '20130524104636':
> status: CA_UNREACHABLE
> ca-error: Server at https://dc.ourdom.com/ipa/xml failed
> request, will retry: 907 (RPC failed at server. cannot connect to
> 'https://dc.ourdom.com:443/ca/agent/ca/displayBySerial': [Errno
> -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
> certificate as expired.).
> stuck: no
> Request ID '20130524104828':
> status: CA_UNREACHABLE
> ca-error: Server at https://dc.ourdom.com/ipa/xml failed
> request, will retry: 907 (RPC failed at server. cannot connect to
> 'https://dc.ourdom.com:443/ca/agent/ca/displayBySerial': [Errno
> -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
> certificate as expired.).
> stuck: no
> I'd be grateful to know what to do.

Your CA subsystem certificates are expired so while the process is up
the CA won't serve requests. See
http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
rob
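
An added example, not part of the original messages: a small parser for `getcert list` text that reports the tracking requests in the state quoted above (`CA_UNREACHABLE` with an expired-certificate alert in `ca-error`). The sample input is constructed from the first record in the thread plus a made-up healthy record, and the function names are this example's own.

```python
import re

# Constructed sample: the first record quoted in the thread (mail line
# wrapping left in place) plus a made-up record in the MONITORING state.
SAMPLE = """\
Request ID '20130524104636':
status: CA_UNREACHABLE
ca-error: Server at https://dc.ourdom.com/ipa/xml failed
request, will retry: 907 (RPC failed at server. cannot connect to
'https://dc.ourdom.com:443/ca/agent/ca/displayBySerial': [Errno
-12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
certificate as expired.).
stuck: no
Request ID '20130524104828':
status: MONITORING
stuck: no
"""

REQ = re.compile(r"^Request ID '([^']+)':\s*$")
# Heuristic (an assumption of this example): a field line is "name: value"
# where the name holds only letters, spaces and hyphens.
FIELD = re.compile(r"^([A-Za-z][A-Za-z -]*): ?(.*)$")

def parse_getcert(text):
    """Return {request_id: {field: value}}, folding wrapped lines into the previous field."""
    records, cur, last = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REQ.match(line)
        if m:
            cur, last = records.setdefault(m.group(1), {}), None
        elif cur is not None:          # skip anything before the first record
            f = FIELD.match(line)
            if f:
                last = f.group(1)
                cur[last] = f.group(2)
            elif last:                 # continuation of a wrapped value
                cur[last] += " " + line
    return records

def expired_ca_requests(records):
    """Request IDs whose renewal fails because the CA connection hit an expired certificate."""
    return [rid for rid, r in records.items()
            if r.get("status") == "CA_UNREACHABLE"
            and "SSL_ERROR_EXPIRED_CERT_ALERT" in r.get("ca-error", "")]

if __name__ == "__main__":
    for rid in expired_ca_requests(parse_getcert(SAMPLE)):
        print(f"{rid}: CA unreachable, certificate rejected as expired")
```
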