Hi,

On Tue, May 31, 2022 at 1:20 PM rui liang via FreeIPA-users <[email protected]> wrote:

> Hello, thank you very much for your reply. My situation is as follows:
>
> 1. root@fs-hiido-kerberos-server02:/home/liangrui# ipa config-show | grep CA
> ipa: ERROR: cannot connect to 'https://fs-hiido-kerberos-server02.hiido.host.yydevops.com/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1108)
>
> 1. root@fs-hiido-kerberos-server02:/home/liangrui# getcert list | grep -B 1 -C 3 status
> Request ID '20200528083036':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-YYDEVOPS-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-YYDEVOPS-COM/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-YYDEVOPS-COM',nickname='Server-Cert'
> --
> Request ID '20200528083056':
> status: CA_UNREACHABLE
> ca-error: Server at https://fs-hiido-kerberos-server02.hiido.host.yydevops.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: SSL certificate problem: certificate has expired).
> stuck: no
> key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/fs-hiido-kerberos-server02.hiido.host.yydevops.com-443-RSA'
> --
> Request ID '20200528083117':
> status: CA_WORKING
>

This status means that the RA cert stored in /var/lib/ipa/ra-agent.pem has expired and the machine is waiting for it to be available. During normal operations, the cert is the same on all the IPA servers. When it nears expiration, it gets renewed on the CA renewal master and then is put into LDAP, so that the other servers can download it from LDAP (in the entry cn=ipaCert,cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX).

How many servers do you have in your topology and which ones provide the CA service? Is the ipa config-show command working on at least one of them?

flo

> stuck: no
> key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
> certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
> --
> Request ID '20200528083123':
> status: MONITORING
> stuck: no
> key pair storage: type=FILE,location='/var/lib/ipa/certs/kdc.key'
> certificate: type=FILE,location='/var/lib/ipa/certs/kdc.crt'
>
> How can I fix the expired Request ID 20200528083056
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
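Added example, not part of the original thread or of FreeIPA's code: a small Python parser for `getcert list` output like that quoted above, listing the tracking requests that are not in MONITORING together with the file each one tracks. The sample is constructed from the thread's output with a placeholder hostname, and `parse_getcert` and `needs_attention` are hypothetical names.

```python
import re

# Constructed sample: grep-filtered `getcert list` output based on the thread,
# with mail line wraps undone, pinfile fields dropped and a placeholder hostname.
SAMPLE = """\
Request ID '20200528083056':
    status: CA_UNREACHABLE
    ca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: -504 (SSL certificate problem: certificate has expired).
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
--
Request ID '20200528083117':
    status: CA_WORKING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
--
Request ID '20200528083123':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/certs/kdc.key'
    certificate: type=FILE,location='/var/lib/ipa/certs/kdc.crt'
"""

REQ = re.compile(r"^Request ID '([^']+)':")
FIELD = re.compile(r"^\s*([A-Za-z][\w -]*?):\s*(.*)$")

def parse_getcert(text):
    """Split getcert output into one dict per tracking request."""
    records, cur = [], None
    for line in text.splitlines():
        if (m := REQ.match(line)):
            cur = {"id": m.group(1)}          # a new request starts here
            records.append(cur)
        elif cur is not None and (m := FIELD.match(line)):
            cur[m.group(1)] = m.group(2)      # "key: value" line of that request
    return records

def needs_attention(records):
    """Return (id, status, path, ca-error) for requests not in MONITORING."""
    out = []
    for r in records:
        if r.get("status") != "MONITORING" or r.get("stuck") == "yes":
            # grep context may cut off the certificate line; fall back to the key
            src = r.get("certificate") or r.get("key pair storage", "")
            loc = re.search(r"location='([^']+)'", src)
            out.append((r["id"], r.get("status"), loc and loc.group(1), r.get("ca-error")))
    return out

if __name__ == "__main__":
    print(needs_attention(parse_getcert(SAMPLE)))
```

The parser keys on the `Request ID` line, so it accepts both the full `getcert list` output and the grep-filtered form with `--` separators.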
