On 04/26/2016 03:26 PM, Bret Wortman wrote: > On our non-CA IPA server, this is happening, in case it's related and > illustrative: > > # ipa host-del zw113.private.net > ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The > certificate/key database is in an old, unsupported format. > #
I would start with checking on all IPA servers if and what certificates are expired: # getcert list or short version to check if there are any: # getcert list | grep expires When CA cert is renewed, it is not automatically transfered to clients. There one must run: # ipa-certupdate > > On 04/26/2016 09:24 AM, Bret Wortman wrote: >> I rolled the date on the IPA server in question back to April 1 and ran >> "ipa-cacert-manage renew", which said it completed successfully. I rolled >> the >> date back to current and tried restarting ipa using ipactl stop && ipactl >> start, but no joy. No more ca renewal errors, but right after the pause I >> see >> this in /var/log/messages: >> >> systemd: kadmin.service: main process exited, code=exited, >> status=2/INVALIDARGUMENT >> systemd: Unit kadmin.service entered failed state. >> systemd: kadmin.service failed. >> >> I rebooted the server just in case, and it's still getting stuck at the same >> place. ipa-otpd doesn't get around to starting. >> >> >> Bret >> >> After the several-minutes-long pause after ipactl start outputs "Starting >> pki-tomcatd Service", I get the >> >> On 04/26/2016 08:14 AM, Bret Wortman wrote: >>> I have an IPA server on a private network which has apparently run into >>> certificate issues this morning. It's been running without issue for quite >>> a >>> while, and is on 4.1.4-1 on fedora 21. >>> >>> This morning, the gui started giving: >>> >>> IPA Error 907: NetworkError with description "cannot connect to >>> 'https://zsipa.private.net:443/ca/agent/ca/displayBySerial': >>> (SSL_ERROR_EXPIRED_CERRT_ALERT) SSL peer rejected your certificate as >>> expired." >>> >>> I dug into the logs and after trying to restart ipa using ipactl, there was >>> a >>> length pause, then: >>> >>> dogtag-ipa-ca-renew-agent-submit: Updated certificate not available >>> certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in >>> database "/etc/httpd/alias" is no longer valid. >>> dogtag-ipa-ca-renew-agent-submit: Updated certificate not available >>> certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS >>> Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid. >>> dogtag-ipa-ca-renew-agent-submit: Updated certificate not available. >>> named-pkcs11[3437]: client 192.168.208.205#57832: update >>> '208.168.192.in-addr.arpa/IN' denied >>> >>> and then things start shutting down. I can't start ipa at all using ipactl. >>> >>> So at present, our DNS is down. Authentication should work for a while, but >>> I'd like to get this working again as quickly as possible. Any ideas? I >>> deal >>> with certificates so infrequently (like only when something like this >>> happens) that I'm not sure where to start. >>> >>> Thanks! >>> >>> >>> -- >>> *Bret Wortman* >>> /Coming soon to Kickstarter.../ >>> <http://wrapbuddies.co/> >>> http://wrapbuddies.co/ >>> -- Petr Vobornik -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project