Sorry Martin, this is not the first time I forgot to add back freeipa-users. I have problems with gmail, again sorry.

Indeed I figured out that I had to restart the IPA server. So I tried to restart the IPA server, but it was not working yet. So I thought it was maybe due to the configuration I performed in the nss.conf. So I rolled back this conf and restarted ipa-server. Then I retried your commands but it is still the same error.
###
Request ID '20140528064145':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=<MYREALM>
    subject: CN=<IPA SERVER HOST>,O=<MYREALM>
    expires: 2016-05-28 06:41:44 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
###

Do you know what the CMS is?
###
(RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
###

Best regards.

Bahan

On Wed, Sep 14, 2016 at 6:46 PM, Martin Basti <mba...@redhat.com> wrote:
> did you restart IPA when you moved time? Is there a more detailed error
> description in output of getcert list?
>
> On 14.09.2016 18:45, bahan w wrote:
>
> I set the date-time when the certificates were valid :
> ###
> # date -s '2016-05-27 10:00:00'
> Fri May 27 10:00:00 CEST 2016
>
> # date
> Fri May 27 10:00:02 CEST 2016
> ###
>
> Then I try to renew them :
> ###
> # getcert resubmit -i 20140528063919
> Resubmitting "20140528063919" to "IPA".
>
> # getcert resubmit -i 20140528064145
> Resubmitting "20140528064145" to "IPA".
>
> # getcert resubmit -i 20140528063953
> Resubmitting "20140528063953" to "IPA".
> ###
>
> But when I do the getcert list after, the result is the same.
>
> I guess it is because of this ?
> CA_UNREACHABLE
>
> Any idea ?
>
> Best regards.
>
> Bahan
>
> On Wed, Sep 14, 2016 at 6:38 PM, bahan w <bahanw042...@gmail.com> wrote:
>
>> Ok, I managed to restart the IPA service by adding this line in the file
>> /etc/httpd/conf.d/nss.conf :
>> ###
>> NSSEnforceValidCerts off
>> ###
>>
>> But when I do the getcert now I got the following result :
>>
>> ###
>> # getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20140528063903':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=<MYREALM>
>>     subject: CN=CA Audit,O=<MYREALM>
>>     expires: 2018-04-09 11:39:16 UTC
>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>     track: yes
>>     auto-renew: yes
>> Request ID '20140528063904':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=<MYREALM>
>>     subject: CN=OCSP Subsystem,O=<MYREALM>
>>     expires: 2018-04-09 11:38:16 UTC
>>     eku: id-kp-OCSPSigning
>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>     track: yes
>>     auto-renew: yes
>> Request ID '20140528063905':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=<MYREALM>
>>     subject: CN=CA Subsystem,O=<MYREALM>
>>     expires: 2018-04-09 11:38:16 UTC
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>     track: yes
>>     auto-renew: yes
>> Request ID '20140528063906':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=<MYREALM>
>>     subject: CN=IPA RA,O=<MYREALM>
>>     expires: 2018-04-09 11:38:16 UTC
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>     track: yes
>>     auto-renew: yes
>> Request ID '20140528063907':
>>     status: MONITORING
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=<MYREALM>
>>     subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>     expires: 2018-04-09 11:38:16 UTC
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command:
>>     track: yes
>>     auto-renew: yes
>> Request ID '20140528063919':
>>     status: CA_UNREACHABLE
>>     ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>>     stuck: yes
>>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate DB'
>>     CA: IPA
>>     issuer: CN=Certificate Authority,O=<MYREALM>
>>     subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>     expires: 2016-05-28 06:39:18 UTC
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv <MYREALM>
>>     track: yes
>>     auto-renew: yes
>> Request ID '20140528063953':
>>     status: CA_UNREACHABLE
>>     ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>>     stuck: yes
>>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>     CA: IPA
>>     issuer: CN=Certificate Authority,O=<MYREALM>
>>     subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>     expires: 2016-05-28 06:39:52 UTC
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
>>     track: yes
>>     auto-renew: yes
>> Request ID '20140528064145':
>>     status: CA_UNREACHABLE
>>     ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>>     stuck: yes
>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>     CA: IPA
>>     issuer: CN=Certificate Authority,O=<MYREALM>
>>     subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>     expires: 2016-05-28 06:41:44 UTC
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>     track: yes
>>     auto-renew: yes
>> ###
>>
>> Indeed, the outdated entries are the following :
>> - for /etc/dirsrv/slapd-<MYREALM> : 20140528063919
>> - for /etc/dirsrv/slapd-PKI-IPA : 20140528063953
>> - for httpd ? : 20140528064145
>>
>> Best regards.
>>
>> Bahan
>>
>> On Wed, Sep 14, 2016 at 6:28 PM, bahan w <bahanw042...@gmail.com> wrote:
>>
>>> Ok :D
>>>
>>> Because to perform the getcert list command, I need to have all the ipa
>>> services running, right ?
>>>
>>> Here is the result of the command with the ipa services down.
>>> ###
>>> # getcert list
>>> Number of certificates and requests being tracked: 8.
>>> Request ID '20140528063903':
>>>     status: MONITORING
>>>     stuck: no
>>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>     CA: dogtag-ipa-renew-agent
>>>     issuer: CN=Certificate Authority,O=<MYREALM>
>>>     subject: CN=CA Audit,O=<MYREALM>
>>>     expires: 2018-04-09 11:39:16 UTC
>>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>>     track: yes
>>>     auto-renew: yes
>>> Request ID '20140528063904':
>>>     status: MONITORING
>>>     stuck: no
>>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>     CA: dogtag-ipa-renew-agent
>>>     issuer: CN=Certificate Authority,O=<MYREALM>
>>>     subject: CN=OCSP Subsystem,O=<MYREALM>
>>>     expires: 2018-04-09 11:38:16 UTC
>>>     eku: id-kp-OCSPSigning
>>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>>     track: yes
>>>     auto-renew: yes
>>> Request ID '20140528063905':
>>>     status: MONITORING
>>>     stuck: no
>>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>     CA: dogtag-ipa-renew-agent
>>>     issuer: CN=Certificate Authority,O=<MYREALM>
>>>     subject: CN=CA Subsystem,O=<MYREALM>
>>>     expires: 2018-04-09 11:38:16 UTC
>>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>>     track: yes
>>>     auto-renew: yes
>>> Request ID '20140528063906':
>>>     status: MONITORING
>>>     stuck: no
>>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>     CA: dogtag-ipa-renew-agent
>>>     issuer: CN=Certificate Authority,O=<MYREALM>
>>>     subject: CN=IPA RA,O=<MYREALM>
>>>     expires: 2018-04-09 11:38:16 UTC
>>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>>     pre-save command:
>>>     post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>>     track: yes
>>>     auto-renew: yes
>>> Request ID '20140528063907':
>>>     status: MONITORING
>>>     stuck: no
>>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
>>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>>     CA: dogtag-ipa-renew-agent
>>>     issuer: CN=Certificate Authority,O=<MYREALM>
>>>     subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>     expires: 2018-04-09 11:38:16 UTC
>>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>>     pre-save command:
>>>     post-save command:
>>>     track: yes
>>>     auto-renew: yes
>>> Request ID '20140528063919':
>>>     status: MONITORING
>>>     ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm '<MYREALM>'.
>>>     stuck: no
>>>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'
>>>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS Certificate DB'
>>>     CA: IPA
>>>     issuer: CN=Certificate Authority,O=<MYREALM>
>>>     subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>     expires: 2016-05-28 06:39:18 UTC
>>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>>     pre-save command:
>>>     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv <MYREALM>
>>>     track: yes
>>>     auto-renew: yes
>>> Request ID '20140528063953':
>>>     status: MONITORING
>>>     ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm '<MYREALM>'.
>>>     stuck: no
>>>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>>     CA: IPA
>>>     issuer: CN=Certificate Authority,O=<MYREALM>
>>>     subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>     expires: 2016-05-28 06:39:52 UTC
>>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>>     pre-save command:
>>>     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
>>>     track: yes
>>>     auto-renew: yes
>>> Request ID '20140528064145':
>>>     status: MONITORING
>>>     ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm '<MYREALM>'.
>>>     stuck: no
>>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>     CA: IPA
>>>     issuer: CN=Certificate Authority,O=<MYREALM>
>>>     subject: CN=<IPA SERVER HOST>,O=<MYREALM>
>>>     expires: 2016-05-28 06:41:44 UTC
>>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>>     pre-save command:
>>>     post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>     track: yes
>>>     auto-renew: yes
>>> ###
>>>
>>> Best regards.
>>>
>>> Bahan
>>>
>>> On Wed, Sep 14, 2016 at 6:21 PM, Martin Basti <mba...@redhat.com> wrote:
>>>
>>>> Then you have to start services manually, I don't know if the same
>>>> steps will work with IPA 3.0.0, I don't remember, but you can try :)
>>>>
>>>> On 14.09.2016 18:18, bahan w wrote:
>>>>
>>>> Oh I forgot to add that my version of ipa is quite old :
>>>> ###
>>>> # rpm -qa | grep ipa-server
>>>> ipa-server-3.0.0-25.el6.x86_64
>>>> ###
>>>>
>>>> When I try the command you gave me I got the following error :
>>>> ###
>>>> # ipactl start --force
>>>> Usage: ipactl start|stop|restart|status
>>>>
>>>> ipactl: error: no such option: --force
>>>> ###
>>>>
>>>> Best regards.
>>>>
>>>> Bahan
>>>>
>>>> On Wed, Sep 14, 2016 at 6:14 PM, Martin Basti <mba...@redhat.com> wrote:
>>>>
>>>>> On 14.09.2016 17:59, bahan w wrote:
>>>>>
>>>>> Hello !
>>>>>
>>>>> I send you this mail because I cannot restart my test IPA server.
>>>>>
>>>>> When I try to start it with service ipa start, I got the following
>>>>> error message :
>>>>> ###
>>>>> # service ipa start
>>>>> Starting Directory Service
>>>>> Starting dirsrv:
>>>>>     <MYREALM>...[14/Sep/2016:17:57:23 +0200] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
>>>>>                                   [ OK ]
>>>>>     PKI-IPA...[14/Sep/2016:17:57:33 +0200] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
>>>>>                                   [ OK ]
>>>>> Starting KDC Service
>>>>> Starting Kerberos 5 KDC:          [ OK ]
>>>>> Starting KPASSWD Service
>>>>> Starting Kerberos 5 Admin Server: [ OK ]
>>>>> Starting MEMCACHE Service
>>>>> Starting ipa_memcached:           [ OK ]
>>>>> Starting HTTP Service
>>>>> Starting httpd:                   [FAILED]
>>>>> Failed to start HTTP Service
>>>>> Shutting down
>>>>> Stopping Kerberos 5 KDC:          [ OK ]
>>>>> Stopping Kerberos 5 Admin Server: [ OK ]
>>>>> Stopping ipa_memcached:           [ OK ]
>>>>> Stopping httpd:                   [FAILED]
>>>>> Stopping pki-ca:                  [ OK ]
>>>>> Shutting down dirsrv:
>>>>>     <MYREALM>...                  [ OK ]
>>>>>     PKI-IPA...                    [ OK ]
>>>>> Aborting ipactl
>>>>>
>>>>> # service ipa status
>>>>> Directory Service: STOPPED
>>>>> Failed to get list of services to probe status:
>>>>> Directory Server is stopped
>>>>> ###
>>>>>
>>>>> Do you know how to renew the SSL certificate used for the IPA Server ?
>>>>>
>>>>> Best regards.
>>>>>
>>>>> Bahan
>>>>>
>>>>> Hello,
>>>>>
>>>>> please run
>>>>>
>>>>> # ipactl start --force
>>>>> # getcert list (to detect which certificate is outdated, I suspect DS
>>>>> cert (or to get more info why it has not been renewed))
>>>>>
>>>>> If getcert does work (I'm not sure if it is able to work without
>>>>> httpd), you probably need to move time back to past where cert is valid,
>>>>> start IPA and try again.
>>>>>
>>>>> Please find ID of outdated certificate and try to resubmit it (CA and DS
>>>>> must be running)
>>>>>
>>>>> # getcert resubmit -i 20160914122036 (use your ID :) )
>>>>>
>>>>> This should renew cert, check status with getcert list
>>>>>
>>>>> Move time back to future (if needed)
>>>>>
>>>>> Try to restart IPA
>>>>>
>>>>> Martin^2
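The thread above is a textbook case of an outage that `getcert list` announces long before it happens: the three certificates with `CA: IPA` were tracked and auto-renew was on, yet they passed their `expires:` date while nobody was watching the status. As an added example (not code from the thread, from FreeIPA or from certmonger), the Python script below parses `getcert list` output in the layout quoted above, classifies every tracked request as ok, expiring, stuck or expired, and for the expired ones prints the two things Martin's recovery procedure needs: the `getcert resubmit -i <id>` command for each request and a clock value one day before the earliest expiry at which all of them are valid again. The sample output, the host `ipa.example.test`, the realm `EXAMPLE.TEST`, the `PLACEHOLDER` pin and all function names are my own constructions; only the field labels are the ones getcert prints.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the `getcert list` output quoted in the
# thread (realm, host and pin are placeholders, not real data). Three of the
# tracked requests are kept: one healthy, one expired and stuck, one close to expiry.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20140528063907':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2018-04-09 11:38:16 UTC
    post-save command:
    auto-renew: yes
Request ID '20140528063919':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
    stuck: yes
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2016-05-28 06:39:18 UTC
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-TEST
    auto-renew: yes
Request ID '20140528064145':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2016-10-01 00:00:00 UTC
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
    auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\s+([^:]+):\s*(.*)$")   # label up to the first colon, rest is the value
NICK_RE = re.compile(r"nickname='([^']*)'")
TIME_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_utc(text):
    """Parse getcert's 'YYYY-MM-DD HH:MM:SS UTC' timestamps into a naive UTC datetime."""
    return datetime.strptime(text, TIME_FMT)


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracked request, keyed by the
    labels getcert prints ('status', 'ca-error', 'expires', ...)."""
    entries, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            entries.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return entries


def assess(entries, now, warn_days=30):
    """Classify each request relative to `now`. 'expired' wins because that is what
    stops dirsrv and httpd from starting; a status other than MONITORING or
    stuck=yes means certmonger cannot renew on its own and needs a human."""
    report = []
    for e in entries:
        expires = parse_utc(e["expires"])
        if expires <= now:
            state = "expired"
        elif e.get("stuck") == "yes" or e.get("status") != "MONITORING":
            state = "stuck"
        elif expires - now <= timedelta(days=warn_days):
            state = "expiring"
        else:
            state = "ok"
        nick = NICK_RE.search(e.get("certificate", ""))
        report.append({"id": e["id"], "nickname": nick.group(1) if nick else None,
                       "ca": e.get("CA"), "expires": expires, "state": state})
    return report


def renewal_plan(report):
    """The recovery steps from the thread for the expired entries: a clock value one
    day before the earliest expiry (every expired cert is valid again at that time)
    and one `getcert resubmit` per expired request id."""
    expired = [r for r in report if r["state"] == "expired"]
    if not expired:
        return {"clock_target": None, "resubmit": []}
    target = min(r["expires"] for r in expired) - timedelta(days=1)
    return {"clock_target": target.strftime("%Y-%m-%d %H:%M:%S"),
            "resubmit": ["getcert resubmit -i %s" % r["id"] for r in expired]}


if __name__ == "__main__":
    now = parse_utc("2016-09-14 16:00:00 UTC")   # constructed 'now' on the thread's date
    rep = assess(parse_getcert_list(SAMPLE_GETCERT_LIST), now)
    for r in rep:
        print("%-16s %-24s %-22s %s  %s" % (r["id"], r["nickname"], r["ca"], r["expires"], r["state"].upper()))
    print(renewal_plan(rep))
```

Fed real output (`getcert list | python3 this_script.py` with `SAMPLE_GETCERT_LIST` swapped for `sys.stdin.read()`) from a daily cron job, the `expiring` state is the alert that would have surfaced these three certificates weeks before the server refused to start; the `stuck` state catches the other failure mode in the thread, where the clock is right but certmonger cannot reach the CA.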
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project