Did you restart IPA when you moved the time? Is there a more detailed error description in the output of getcert list?

On 14.09.2016 18:45, bahan w wrote:
I set the date-time to when the certificates were valid:
###
# date -s '2016-05-27 10:00:00'
Fri May 27 10:00:00 CEST 2016

# date
Fri May 27 10:00:02 CEST 2016
###

Then I try to renew them:
###
# getcert resubmit -i 20140528063919
Resubmitting "20140528063919" to "IPA".

# getcert resubmit -i 20140528064145
Resubmitting "20140528064145" to "IPA".

# getcert resubmit -i 20140528063953
Resubmitting "20140528063953" to "IPA".
###

But when I do the getcert list after, the result is the same.

I guess it is because of this?
CA_UNREACHABLE

Any idea?

Best regards.

Bahan

On Wed, Sep 14, 2016 at 6:38 PM, bahan w <bahanw042...@gmail.com> wrote:

    Ok, I managed to restart the IPA service by adding this line in
    the file /etc/httpd/conf.d/nss.conf :
    ###
    NSSEnforceValidCerts off
    ###

    But when I do the getcert now I get the following result:

    ###
    # getcert list
    Number of certificates and requests being tracked: 8.
    Request ID '20140528063903':
            status: MONITORING
            stuck: no
            key pair storage:
    type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
    cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
            certificate:
    type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
    cert-pki-ca',token='NSS Certificate DB'
            CA: dogtag-ipa-renew-agent
            issuer: CN=Certificate Authority,O=<MYREALM>
            subject: CN=CA Audit,O=<MYREALM>
            expires: 2018-04-09 11:39:16 UTC
            pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
            post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
    "auditSigningCert cert-pki-ca"
            track: yes
            auto-renew: yes
    Request ID '20140528063904':
            status: MONITORING
            stuck: no
            key pair storage:
    type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
    cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
            certificate:
    type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
    cert-pki-ca',token='NSS Certificate DB'
            CA: dogtag-ipa-renew-agent
            issuer: CN=Certificate Authority,O=<MYREALM>
            subject: CN=OCSP Subsystem,O=<MYREALM>
            expires: 2018-04-09 11:38:16 UTC
            eku: id-kp-OCSPSigning
            pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
            post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
    "ocspSigningCert cert-pki-ca"
            track: yes
            auto-renew: yes
    Request ID '20140528063905':
            status: MONITORING
            stuck: no
            key pair storage:
    type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
    cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
            certificate:
    type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
    cert-pki-ca',token='NSS Certificate DB'
            CA: dogtag-ipa-renew-agent
            issuer: CN=Certificate Authority,O=<MYREALM>
            subject: CN=CA Subsystem,O=<MYREALM>
            expires: 2018-04-09 11:38:16 UTC
            eku: id-kp-serverAuth,id-kp-clientAuth
            pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
            post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
    "subsystemCert cert-pki-ca"
            track: yes
            auto-renew: yes
    Request ID '20140528063906':
            status: MONITORING
            stuck: no
            key pair storage:
    type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
    Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
            certificate:
    type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
    Certificate DB'
            CA: dogtag-ipa-renew-agent
            issuer: CN=Certificate Authority,O=<MYREALM>
            subject: CN=IPA RA,O=<MYREALM>
            expires: 2018-04-09 11:38:16 UTC
            eku: id-kp-serverAuth,id-kp-clientAuth
            pre-save command:
            post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
            track: yes
            auto-renew: yes
    Request ID '20140528063907':
            status: MONITORING
            stuck: no
            key pair storage:
    type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
    cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
            certificate:
    type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
    cert-pki-ca',token='NSS Certificate DB'
            CA: dogtag-ipa-renew-agent
            issuer: CN=Certificate Authority,O=<MYREALM>
            subject: CN=<IPA SERVER HOST>,O=<MYREALM>
            expires: 2018-04-09 11:38:16 UTC
            eku: id-kp-serverAuth,id-kp-clientAuth
            pre-save command:
            post-save command:
            track: yes
            auto-renew: yes
    Request ID '20140528063919':
            status: CA_UNREACHABLE
            ca-error: Server failed request, will retry: -504 (libcurl
    failed to execute the HTTP POST transaction.  Peer certificate
    cannot be authenticated with known CA certificates).
            stuck: yes
            key pair storage:
    type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS
    Certificate DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'
            certificate:
    type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS
    Certificate DB'
            CA: IPA
            issuer: CN=Certificate Authority,O=<MYREALM>
            subject: CN=<IPA SERVER HOST>,O=<MYREALM>
            expires: 2016-05-28 06:39:18 UTC
            eku: id-kp-serverAuth,id-kp-clientAuth
            pre-save command:
            post-save command:
    /usr/lib64/ipa/certmonger/restart_dirsrv <MYREALM>
            track: yes
            auto-renew: yes
    Request ID '20140528063953':
            status: CA_UNREACHABLE
            ca-error: Server failed request, will retry: -504 (libcurl
    failed to execute the HTTP POST transaction.  Peer certificate
    cannot be authenticated with known CA certificates).
            stuck: yes
            key pair storage:
    type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
    Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
            certificate:
    type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
    Certificate DB'
            CA: IPA
            issuer: CN=Certificate Authority,O=<MYREALM>
            subject: CN=<IPA SERVER HOST>,O=<MYREALM>
            expires: 2016-05-28 06:39:52 UTC
            eku: id-kp-serverAuth,id-kp-clientAuth
            pre-save command:
            post-save command:
    /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
            track: yes
            auto-renew: yes
    Request ID '20140528064145':
            status: CA_UNREACHABLE
            ca-error: Server failed request, will retry: -504 (libcurl
    failed to execute the HTTP POST transaction.  Peer certificate
    cannot be authenticated with known CA certificates).
            stuck: yes
            key pair storage:
    type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
    Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
            certificate:
    type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
    Certificate DB'
            CA: IPA
            issuer: CN=Certificate Authority,O=<MYREALM>
            subject: CN=<IPA SERVER HOST>,O=<MYREALM>
            expires: 2016-05-28 06:41:44 UTC
            eku: id-kp-serverAuth,id-kp-clientAuth
            pre-save command:
            post-save command: /usr/lib64/ipa/certmonger/restart_httpd
            track: yes
            auto-renew: yes
    ###

    Indeed, the outdated entries are the following:
    - for /etc/dirsrv/slapd-<MYREALM>: 20140528063919
    - for /etc/dirsrv/slapd-PKI-IPA: 20140528063953
    - for httpd?: 20140528064145

    Best regards.

    Bahan

    On Wed, Sep 14, 2016 at 6:28 PM, bahan w <bahanw042...@gmail.com> wrote:

        Ok :D

        Because to perform the getcert list command, I need to have
        all the IPA services running, right?

        Here is the result of the command with the IPA services down.
        ###
        #  getcert list
        Number of certificates and requests being tracked: 8.
        Request ID '20140528063903':
                status: MONITORING
                stuck: no
                key pair storage:
        type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
        cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
                certificate:
        type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
        cert-pki-ca',token='NSS Certificate DB'
                CA: dogtag-ipa-renew-agent
                issuer: CN=Certificate Authority,O=<MYREALM>
                subject: CN=CA Audit,O=<MYREALM>
                expires: 2018-04-09 11:39:16 UTC
                pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
                post-save command:
        /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert
        cert-pki-ca"
                track: yes
                auto-renew: yes
        Request ID '20140528063904':
                status: MONITORING
                stuck: no
                key pair storage:
        type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
        cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
                certificate:
        type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
        cert-pki-ca',token='NSS Certificate DB'
                CA: dogtag-ipa-renew-agent
                issuer: CN=Certificate Authority,O=<MYREALM>
                subject: CN=OCSP Subsystem,O=<MYREALM>
                expires: 2018-04-09 11:38:16 UTC
                eku: id-kp-OCSPSigning
                pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
                post-save command:
        /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert
        cert-pki-ca"
                track: yes
                auto-renew: yes
        Request ID '20140528063905':
                status: MONITORING
                stuck: no
                key pair storage:
        type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
        cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
                certificate:
        type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
        cert-pki-ca',token='NSS Certificate DB'
                CA: dogtag-ipa-renew-agent
                issuer: CN=Certificate Authority,O=<MYREALM>
                subject: CN=CA Subsystem,O=<MYREALM>
                expires: 2018-04-09 11:38:16 UTC
                eku: id-kp-serverAuth,id-kp-clientAuth
                pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
                post-save command:
        /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert
        cert-pki-ca"
                track: yes
                auto-renew: yes
        Request ID '20140528063906':
                status: MONITORING
                stuck: no
                key pair storage:
        type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
        Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
                certificate:
        type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
        Certificate DB'
                CA: dogtag-ipa-renew-agent
                issuer: CN=Certificate Authority,O=<MYREALM>
                subject: CN=IPA RA,O=<MYREALM>
                expires: 2018-04-09 11:38:16 UTC
                eku: id-kp-serverAuth,id-kp-clientAuth
                pre-save command:
                post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
                track: yes
                auto-renew: yes
        Request ID '20140528063907':
                status: MONITORING
                stuck: no
                key pair storage:
        type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
        cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
                certificate:
        type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
        cert-pki-ca',token='NSS Certificate DB'
                CA: dogtag-ipa-renew-agent
                issuer: CN=Certificate Authority,O=<MYREALM>
                subject: CN=<IPA SERVER HOST>,O=<MYREALM>
                expires: 2018-04-09 11:38:16 UTC
                eku: id-kp-serverAuth,id-kp-clientAuth
                pre-save command:
                post-save command:
                track: yes
                auto-renew: yes
        Request ID '20140528063919':
                status: MONITORING
                ca-error: Error setting up ccache for local "host"
        service using default keytab: Cannot contact any KDC for realm
        '<MYREALM>'.
                stuck: no
                key pair storage:
        type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS
        Certificate DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'
                certificate:
        type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS
        Certificate DB'
                CA: IPA
                issuer: CN=Certificate Authority,O=<MYREALM>
                subject: CN=<IPA SERVER HOST>,O=<MYREALM>
                expires: 2016-05-28 06:39:18 UTC
                eku: id-kp-serverAuth,id-kp-clientAuth
                pre-save command:
                post-save command:
        /usr/lib64/ipa/certmonger/restart_dirsrv <MYREALM>
                track: yes
                auto-renew: yes
        Request ID '20140528063953':
                status: MONITORING
                ca-error: Error setting up ccache for local "host"
        service using default keytab: Cannot contact any KDC for realm
        '<MYREALM>'.
                stuck: no
                key pair storage:
        type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
        Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
                certificate:
        type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
        Certificate DB'
                CA: IPA
                issuer: CN=Certificate Authority,O=<MYREALM>
                subject: CN=<IPA SERVER HOST>,O=<MYREALM>
                expires: 2016-05-28 06:39:52 UTC
                eku: id-kp-serverAuth,id-kp-clientAuth
                pre-save command:
                post-save command:
        /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
                track: yes
                auto-renew: yes
        Request ID '20140528064145':
                status: MONITORING
                ca-error: Error setting up ccache for local "host"
        service using default keytab: Cannot contact any KDC for realm
        '<MYREALM>'.
                stuck: no
                key pair storage:
        type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
        Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
                certificate:
        type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
        Certificate DB'
                CA: IPA
                issuer: CN=Certificate Authority,O=<MYREALM>
                subject: CN=<IPA SERVER HOST>,O=<MYREALM>
                expires: 2016-05-28 06:41:44 UTC
                eku: id-kp-serverAuth,id-kp-clientAuth
                pre-save command:
                post-save command: /usr/lib64/ipa/certmonger/restart_httpd
                track: yes
                auto-renew: yes
        ###

        Best regards.

        Bahan

        On Wed, Sep 14, 2016 at 6:21 PM, Martin Basti <mba...@redhat.com> wrote:


            Then you have to start services manually, I don't know if
            the same steps will work with IPA 3.0.0, I don't remember,
            but you can try :)


            On 14.09.2016 18:18, bahan w wrote:
            Oh, I forgot to add that my version of IPA is quite old:
            ###
            # rpm -qa | grep ipa-server
            ipa-server-3.0.0-25.el6.x86_64
            ###

            When I try the command you gave me, I get the following
            error:
            ###
            # ipactl start --force
            Usage: ipactl start|stop|restart|status


            ipactl: error: no such option: --force
            ###

            Best regards.

            Bahan

            On Wed, Sep 14, 2016 at 6:14 PM, Martin Basti <mba...@redhat.com> wrote:

                On 14.09.2016 17:59, bahan w wrote:
                Hello !

                I send you this mail because I cannot restart my
                test IPA server.

                When I try to start it with service ipa start, I get
                the following error message:
                ###
                # service ipa start
                Starting Directory Service
                Starting dirsrv:
                <MYREALM>...[14/Sep/2016:17:57:23 +0200] - SSL
                alert: CERT_VerifyCertificateNow: verify certificate
                failed for cert Server-Cert of family
                cn=RSA,cn=encryption,cn=config (Netscape Portable
                Runtime error -8181 - Peer's Certificate has expired.)
                                             [  OK  ]
                PKI-IPA...[14/Sep/2016:17:57:33 +0200] - SSL alert:
                CERT_VerifyCertificateNow: verify certificate failed
                for cert Server-Cert of family
                cn=RSA,cn=encryption,cn=config (Netscape Portable
                Runtime error -8181 - Peer's Certificate has expired.)
                                             [  OK  ]
                Starting KDC Service
                Starting Kerberos 5 KDC: [  OK  ]
                Starting KPASSWD Service
                Starting Kerberos 5 Admin Server: [  OK  ]
                Starting MEMCACHE Service
                Starting ipa_memcached: [  OK  ]
                Starting HTTP Service
                Starting httpd: [FAILED]
                Failed to start HTTP Service
                Shutting down
                Stopping Kerberos 5 KDC: [  OK  ]
                Stopping Kerberos 5 Admin Server: [  OK  ]
                Stopping ipa_memcached: [  OK  ]
                Stopping httpd: [FAILED]
                Stopping pki-ca: [  OK  ]
                Shutting down dirsrv:
                <MYREALM>... [  OK  ]
                PKI-IPA... [  OK  ]
                Aborting ipactl

                # service ipa status
                Directory Service: STOPPED
                Failed to get list of services to probe status:
                Directory Server is stopped
                ###

                Do you know how to renew the SSL certificate used
                for the IPA server?

                Best regards.

                Bahan

                Hello,

                please run

                # ipactl start --force
                # getcert list (to detect which certificate is
                outdated, I suspect the DS cert (or to get more info on why
                it has not been renewed))

                If getcert does work (I'm not sure if it is able to
                work without httpd), you probably need to move the time
                back to the past where the cert is valid, start IPA and try
                again.

                Please find the ID of the outdated certificate and try to resubmit
                it (CA and DS must be running)

                # getcert resubmit -i 20160914122036 (use your ID :) )

                This should renew the cert; check the status with getcert list

                Move the time back to the future (if needed)

                Try to restart IPA

                Martin^2
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
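The renewal loop in this thread (run `getcert list`, find the expired request IDs, move the clock to a time when the certificates were still valid, `getcert resubmit -i <id>`, check again) is easy to get wrong by hand, and the `getcert list` output itself prints the NSS token PIN of the CA database, as the listing above shows. The following Python script is an added example, not code from the thread, certmonger or FreeIPA. It parses `getcert list` output into one record per request ID, flags entries that are expired, expiring within a warning window, stuck or carrying a `ca-error`, lists the request IDs that need a resubmit, computes the latest clock setting at which every tracked certificate is still valid, and redacts `pin='...'` values before a listing is pasted anywhere. The embedded sample output, the realm `EXAMPLE.TEST`, the host `ipa.example.test` and the PIN `000000` are constructed placeholders; the field names and the -504 error text follow the thread.

```python
"""Audit `getcert list` output for expired, expiring, stuck or errored
tracking entries.  Added example: not code from the thread, certmonger or
FreeIPA.  Sample output, realm, hostname and PIN below are constructed."""
import re
from datetime import datetime, timedelta

# Constructed sample in the layout getcert prints (one field per line, tab-indented).
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20140528063903':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='000000'
\tsubject: CN=CA Audit,O=EXAMPLE.TEST
\texpires: 2018-04-09 11:39:16 UTC
Request ID '20140528063919':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-TEST/pwdfile.txt'
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2016-05-28 06:39:18 UTC
\tpre-save command:
\tpost-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-TEST
Request ID '20140528064145':
\tstatus: MONITORING
\tstuck: no
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2016-05-28 06:41:44 UTC
\tpost-save command: /usr/lib64/ipa/certmonger/restart_httpd
"""

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':")
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z -]*?):(?: (?P<value>.*))?$")
PIN_RE = re.compile(r"pin='[^']*'")

def utc(s):
    """Parse 'YYYY-MM-DD HH:MM:SS' into a naive UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def parse_getcert_list(text):
    """Split getcert list output into one dict per 'Request ID' block."""
    entries, current = [], None
    for line in text.splitlines():
        req = REQUEST_RE.match(line)
        if req:
            current = {"id": req.group("id")}
            entries.append(current)
            continue
        field = FIELD_RE.match(line) if current is not None else None
        if field:  # empty values (e.g. 'pre-save command:') become ""
            current[field.group("key")] = (field.group("value") or "").strip()
    return entries

def parse_expires(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC")

def audit(entries, now, warn_days=30):
    """Map request id -> list of findings; an empty list means healthy."""
    report = {}
    for e in entries:
        problems = []
        if e.get("status") != "MONITORING":
            problems.append("status " + e.get("status", "?"))
        if e.get("stuck") == "yes":
            problems.append("stuck")
        if e.get("ca-error"):
            problems.append("ca-error: " + e["ca-error"])
        if e.get("expires"):
            exp = parse_expires(e["expires"])
            if exp <= now:
                problems.append("expired %d days ago" % (now - exp).days)
            elif exp - now <= timedelta(days=warn_days):
                problems.append("expires in %d days" % (exp - now).days)
        report[e["id"]] = problems
    return report

def expired_ids(text, now):
    """Request IDs already expired at `now`: the ones to `getcert resubmit -i`."""
    return sorted(e["id"] for e in parse_getcert_list(text)
                  if e.get("expires") and parse_expires(e["expires"]) <= now)

def latest_safe_clock(entries, margin=timedelta(days=1)):
    """Latest clock setting at which every tracked cert is still valid: the
    earliest 'expires' minus a margin.  getcert list shows no notBefore, so the
    chosen time must also lie after the newest certificate's issue date."""
    return min(parse_expires(e["expires"]) for e in entries if e.get("expires")) - margin

def redact_pins(text):
    """Mask NSS token PINs (getcert prints them) before sharing the listing."""
    return PIN_RE.sub("pin='<REDACTED>'", text)

if __name__ == "__main__":
    now = utc("2016-09-14 16:00:00")  # constructed: the thread's date
    entries = parse_getcert_list(SAMPLE_GETCERT_LIST)
    for rid, problems in audit(entries, now).items():
        print(rid, "OK" if not problems else "; ".join(problems))
    print("resubmit:", expired_ids(SAMPLE_GETCERT_LIST, now))
    print("latest safe clock:", latest_safe_clock(entries))
```

Run against live output with `getcert list | python3 audit.py` adapted to read stdin, ideally from cron with the 30-day warning, so a tracking entry is noticed while certmonger can still renew it and the clock never has to be moved. `latest_safe_clock` only knows the expiry side: before setting the date, confirm on the certificate itself that the chosen time is after its notBefore, and pass any listing through `redact_pins` before posting it to a list or ticket.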