Because the PKI-tomcat service was not started at the time of the upgrade, it
was ignored and the related certificates could not be automatically renewed.

host                                                    version
fs-hiido-kerberos-server02.hiido.host.yydevops.com      VERSION: 4.8.6, API_VERSION: 2.236
fs-hiido-kerberos-server03.hiido.host.yydevops.com      VERSION: 4.8.6, API_VERSION: 2.236
fs-hiido-kerberos-server04.hiido.host.yydevops.com      VERSION: 4.8.6, API_VERSION: 2.236
fs-hiido-kerberos-21-117-149.hiido.host.yydevops.com    VERSION: 4.3.1, API_VERSION: 2.164
fs-hiido-kerveros-test08.hiido.host.yydevops.com        VERSION: 4.8.6, API_VERSION: 2.236

Version 4.8 is currently in use
ssh fs-hiido-kerberos-server02.hiido.host.yydevops.com
liangrui@fs-hiido-kerberos-server02:~$ cat /etc/ipa/default.conf
[global]
basedn = dc=yydevops,dc=com
host = fs-hiido-kerberos-server02.hiido.host.yydevops.com
realm = YYDEVOPS.COM
domain = yydevops.com
xmlrpc_uri = https://fs-hiido-kerberos-server02.hiido.host.yydevops.com/ipa/xml
ldap_uri = ldapi://%2Fvar%2Frun%2Fslapd-YYDEVOPS-COM.socket
mode = production
enable_ra = True
ra_plugin = dogtag
dogtag_version = 10
ca_host = fs-hiido-kerberos-21-117-149.hiido.host.yydevops.com
ssh fs-hiido-kerberos-21-117-149.hiido.host.yydevops.com
root@fs-hiido-kerberos-21-117-149:/home/liangrui# kinit admin; ipa config-show | grep CA
Password for [email protected]:
root@fs-hiido-kerberos-21-117-149:/home/liangrui# ipa config-show
Maximum username length: 32
Home directory base: /home
Default shell: /bin/sh
Default users group: ipausers
Default e-mail domain: yydevops.com
Search time limit: 2
Search size limit: 100
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: FALSE
Certificate Subject base: O=YYDEVOPS.COM
Password Expiration Notification (days): 4
Password plugin features: AllowNThash
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: unconfined_u:s0-s0:c0.c1023
Default PAC types: nfs:NONE, MS-PAC

Not sure where the CA is now.
What do I need to do to make the previous HTTPD service work?
Can I use this command to fix it? ipa-cert-fix
https://manpages.debian.org/unstable/freeipa-server/ipa-cert-fix.1.en.html