Hi,

On Tue, May 31, 2022 at 8:33 AM rui liang via FreeIPA-users <
[email protected]> wrote:

> ### Request for enhancement
> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired
>
>
> At present, it is an online operation, so I dare not change the
> configuration at will. I tried to modify the Linux time on the test
> environment, but there were some unexpected risks. I don't dare change the
> time online like this. Is there a good way to renew it? Thank you very much.
>
> #### Steps to Reproduce
>
> root@fs-ambari-server:~# ipa host-add
> fs-hiido-alluxio-12-65-100.hiido.host.yydevops.com
> ipa: ERROR: cert validation failed for "CN=
> fs-hiido-kerberos-server02.hiido.host.yydevops.com,O=YYDEVOPS.COM"
> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
> ipa: ERROR: cannot connect to '
> https://fs-hiido-kerberos-server02.hiido.host.yydevops.com/ipa/json':
> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
> root@fs-ambari-server:~#
> root@fs-ambari-server:~#
> root@fs-ambari-server:~# cat /tmp/kinit_trace
> [61194] 1653916457.285087: ccselect module realm chose cache
> KEYRING:persistent:0:0 with client principal [email protected] for
> server principal HTTP/
> [email protected]
> [61194] 1653916457.285138: Getting credentials [email protected] -> HTTP/
> [email protected] using
> ccache KEYRING:persistent:0:0
> [61194] 1653916457.285216: Retrieving [email protected] -> HTTP/
> [email protected] from
> KEYRING:persistent:0:0 with result: 0/Success
> [61194] 1653916457.285253: Creating authenticator for [email protected]
> -> HTTP/[email protected],
> seqnum 746871073, subkey aes256-cts/24EC, session key aes256-cts/BFE5
>
>
> ssh [email protected]
> root@fs-hiido-kerberos-server02:/var/log/ipa# ipa-getcert list
> Number of certificates and requests being tracked: 4.
>

Since only 4 certificates are tracked, I assume that this machine is an IPA
server that doesn't have the CA role. I would start by checking if the
server with CA role is fully functional first:
1. identify which machine is the CA renewal master
# kinit admin; ipa config-show | grep CA
This command will print out the CA renewal master and a list of servers
with the CA role.

2. on the CA renewal master, ensure that all the certs are valid
# getcert list | grep -B 1 -C 3 status

If some certs are expired, you will have to repair this machine first.
If all certs are valid, you can focus on the
fs-hiido-kerberos-server02.hiido.host.yydevops.com machine: identify which
certs are expired
# getcert list | grep -B 1 -C 3 status

The renewal may fail if the RA cert hasn't been updated, and the above
command would show it.

We'll be able to guide you depending on the output of the above commands.
flo

> Request ID '20200528083036':
>         status: MONITORING
>         stuck: no
>         key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-YYDEVOPS-COM',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-YYDEVOPS-COM/pwdfile.txt'
>         certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-YYDEVOPS-COM',nickname='Server-Cert'
>         CA: IPA
>         issuer:
>         subject:
>         expires: unknown
>         pre-save command:
>         post-save command: /usr/lib/ipa/certmonger/restart_dirsrv
> YYDEVOPS-COM
>         track: yes
>         auto-renew: yes
> Request ID '20200528083056':
>         status: CA_UNREACHABLE
>         ca-error: Server at
> https://fs-hiido-kerberos-server02.hiido.host.yydevops.com/ipa/xml failed
> request, will retry: -504 (libcurl failed to execute the HTTP POST
> transaction, explaining:  SSL certificate problem: certificate has expired).
>         stuck: no
>         key pair storage:
> type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/fs-hiido-kerberos-server02.hiido.host.yydevops.com-443-RSA'
>         certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=YYDEVOPS.COM
>         subject: CN=fs-hiido-kerberos-server02.hiido.host.yydevops.com,O=
> YYDEVOPS.COM
>         expires: 2022-05-29 16:31:00 CST
>         dns: fs-hiido-kerberos-server02.hiido.host.yydevops.com
>         principal name: HTTP/
> [email protected]
>         key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib/ipa/certmonger/restart_httpd
>         track: yes
>         auto-renew: yes
>
> #### Version/Release/Distribution
> root@fs-hiido-kerberos-server02:/var/log/ipa# ipa --version
> VERSION: 4.8.6, API_VERSION: 2.236
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>
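As an added, offline-runnable example (not code from the thread or from FreeIPA itself): a POSIX shell script that parses the `getcert list` output flo asks for and, per tracked request, flags a status other than MONITORING and an "expires" date already in the past, and separately lists the ca-error lines that explain why a renewal failed. The host names, realm, the third request and its key paths are a constructed sample modelled on the output quoted above, so the script runs without an IPA server; in real use the input is `getcert list` run as root, first on the CA renewal master and then on the affected replica.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: summarise
# `getcert list` output and flag requests that are not MONITORING or whose
# certificate is already past its "expires" date.
# Real use (as root on the CA renewal master, then on the affected replica):
#     getcert list | summarize_getcert "$(date +%F)"
# The sample below is constructed: ipa.example.com, EXAMPLE.COM, the third
# request ID and its paths are assumptions, not data from the thread.

sample_getcert_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20200528083036':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        track: yes
        auto-renew: yes
Request ID '20200528083056':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa.example.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining:  SSL certificate problem: certificate has expired).
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
        certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ipa.example.com,O=EXAMPLE.COM
        expires: 2022-05-29 16:31:00 CST
        track: yes
        auto-renew: yes
Request ID '20200528083112':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ipa.example.com,O=EXAMPLE.COM
        expires: 2024-03-01 09:00:00 CST
        track: yes
        auto-renew: yes
EOF
}

# Reads `getcert list` output on stdin; $1 is the reference date (YYYY-MM-DD).
# Prints one line per request: <request id> <status> <expiry date> <verdict>
# where verdict is "ok" or a ';'-terminated list of problems.
summarize_getcert() {
    awk -v today="$1" '
        function flush(   problems) {
            if (id == "") return
            problems = ""
            if (status != "MONITORING") problems = problems "status=" status ";"
            if (expires == "" || expires == "unknown") problems = problems "expiry-unknown;"
            else if (substr(expires, 1, 10) < today) problems = problems "expired;"
            if (problems == "") problems = "ok"
            printf "%s %s %s %s\n", id, status, (expires == "" ? "-" : expires), problems
            id = ""; status = ""; expires = ""
        }
        /^Request ID /       { flush(); id = $3; gsub(/[\047:]/, "", id); next }
        /^[ \t]+status:/     { status = $2; next }
        /^[ \t]+expires:/    { expires = $2; next }   # date part only (YYYY-MM-DD or "unknown")
        END                  { flush() }
    '
}

# Reads `getcert list` output on stdin and prints "<request id>: <ca-error>"
# for every request that carries a ca-error line (the renewal failure reason).
getcert_ca_errors() {
    awk '
        /^Request ID /       { id = $3; gsub(/[\047:]/, "", id); next }
        /^[ \t]+ca-error:/   { sub(/^[ \t]+ca-error: /, ""); print id ": " $0 }
    '
}

# Offline demonstration on the constructed sample; 2022-05-31 is the date of
# the original report, passed explicitly so the check is reproducible.
sample_getcert_output | summarize_getcert 2022-05-31
sample_getcert_output | getcert_ca_errors
```

The reference date is a parameter rather than `date` inside the script so the same check can be run over `getcert list` output saved from several servers. Note that a request in MONITORING state with `expires: unknown` (the first one above, as in the thread) is still reported, because certmonger cannot tell when it needs renewing.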