Then you have to start the services manually. I don't know if the same steps will work with IPA 3.0.0; I don't remember, but you can try :)


On 14.09.2016 18:18, bahan w wrote:
Oh I forgot to add that my version of ipa is quite old :
###
# rpm -qa | grep ipa-server
ipa-server-3.0.0-25.el6.x86_64
###

When I try the command you gave me I got the following error :
###
# ipactl start --force
Usage: ipactl start|stop|restart|status


ipactl: error: no such option: --force
###

Best regards.

Bahan

On Wed, Sep 14, 2016 at 6:14 PM, Martin Basti <mba...@redhat.com> wrote:



    On 14.09.2016 17:59, bahan w wrote:
    Hello !

    I am sending you this mail because I cannot restart my test IPA server.

    When I try to start it with service ipa start, I got the
    following error message :
    ###
    # service ipa start
    Starting Directory Service
    Starting dirsrv:
        <MYREALM>...[14/Sep/2016:17:57:23 +0200] - SSL alert:
    CERT_VerifyCertificateNow: verify certificate failed for cert
    Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
    Portable Runtime error -8181 - Peer's Certificate has expired.)
    [  OK  ]
        PKI-IPA...[14/Sep/2016:17:57:33 +0200] - SSL alert:
    CERT_VerifyCertificateNow: verify certificate failed for cert
    Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
    Portable Runtime error -8181 - Peer's Certificate has expired.)
    [  OK  ]
    Starting KDC Service
    Starting Kerberos 5 KDC:          [ OK  ]
    Starting KPASSWD Service
    Starting Kerberos 5 Admin Server:    [  OK  ]
    Starting MEMCACHE Service
    Starting ipa_memcached: [  OK  ]
    Starting HTTP Service
    Starting httpd: [FAILED]
    Failed to start HTTP Service
    Shutting down
    Stopping Kerberos 5 KDC:          [ OK  ]
    Stopping Kerberos 5 Admin Server:    [  OK  ]
    Stopping ipa_memcached: [  OK  ]
    Stopping httpd: [FAILED]
    Stopping pki-ca: [  OK  ]
    Shutting down dirsrv:
        <MYREALM>... [  OK  ]
        PKI-IPA... [  OK  ]
    Aborting ipactl

    # service ipa status
    Directory Service: STOPPED
    Failed to get list of services to probe status:
    Directory Server is stopped
    ###

    Do you know how to renew the SSL certificate used for the IPA
    Server ?

    Best regards.

    Bahan





    Hello,

    please run

    # ipactl start --force
    # getcert list (to detect which certificate is outdated, I suspect
    DS cert (or to get more info why it has not been renewed))

    If getcert does work (I'm not sure if it is able to work without
    httpd), you probably need to move time back to the past where the cert is
    valid, start IPA and try again.

    Please find the ID of the outdated certificate and try to resubmit it (CA and DS
    must be running)

    # getcert resubmit -i 20160914122036 (use your ID :) )

    This should renew cert, check status with getcert list

    Move time back to future (if needed)

    Try to restart IPA

    Martin^2



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
