Hi Rob,

Added the directive "NSSEnforceValidCerts off" in /etc/httpd/conf.d/nss.conf and restarted httpd. Please find the /var/log/httpd/error_log:

[Fri Jan 06 01:06:29 2012] [error] Exception KeyError: KeyError(-1215723696,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored
[Fri Jan 06 01:06:29 2012] [error] Exception KeyError: KeyError(-1215723696,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored
[Fri Jan 06 01:06:29 2012] [error] Exception KeyError: KeyError(-1215723696,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored
[Fri Jan 06 01:06:29 2012] [error] Exception KeyError: KeyError(-1215723696,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored
[Fri Jan 06 01:06:29 2012] [error] Exception KeyError: KeyError(-1215723696,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored
[Fri Jan 06 01:06:29 2012] [error] Exception KeyError: KeyError(-1215723696,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored
[Fri Jan 06 01:06:29 2012] [error] Exception KeyError: KeyError(-1215723696,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored
[Fri Jan 06 01:06:29 2012] [error] Exception KeyError: KeyError(-1215723696,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored
[Fri Jan 06 01:06:29 2012] [error] Exception KeyError: KeyError(-1215723696,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored
[Fri Jan 06 01:06:29 2012] [error] Exception KeyError: KeyError(-1215723696,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored
[Fri Jan 06 01:06:29 2012] [notice] caught SIGTERM, shutting down
[Fri Jan 06 01:06:29 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired
[Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'
[Fri Jan 06 01:06:30 2012] [notice] Digest: generating secret for digest authentication ...
[Fri Jan 06 01:06:30 2012] [notice] Digest: done
[Fri Jan 06 01:06:30 2012] [warn] mod_wsgi: Compiled for Python/2.6.2.
[Fri Jan 06 01:06:30 2012] [warn] mod_wsgi: Runtime using Python/2.6.6.
[Fri Jan 06 01:06:30 2012] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations
[Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired
[Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired
[Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired
[Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired
[Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired
[Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired
[Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired
[Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] Certificate not verified: 'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] SSL Library Error: -8181 Certificate has expired
[Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'
[Fri Jan 06 01:06:30 2012] [error] Server certificate is expired: 'Server-Cert'
[Fri Jan 06 01:06:32 2012] [error] ipa: INFO: *** PROCESS START ***
[Fri Jan 06 01:06:32 2012] [error] ipa: INFO: *** PROCESS START ***

# ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20110619112648':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-HUGAYET-COM//pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=HUGAYET.COM
    subject: CN=openipa.hugayet.com,O=HUGAYET.COM
    expires: 20111216112647
    eku: id-kp-serverAuth
    track: yes
    auto-renew: yes
Request ID '20110619112705':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=HUGAYET.COM
    subject: CN=openipa.hugayet.com,O=HUGAYET.COM
    expires: 20111216112704
    eku: id-kp-serverAuth
    track: yes
    auto-renew: yes
Request ID '20110619112721':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=HUGAYET.COM
    subject: CN=openipa.hugayet.com,O=HUGAYET.COM
    expires: 20111216112720
    eku: id-kp-serverAuth
    track: yes
    auto-renew: yes

Do we need to restart the /etc/init.d/ipa service for all this to take effect?

Nidal.
--- On Thu, 1/5/12, Rob Crittenden <[email protected]> wrote:

From: Rob Crittenden <[email protected]>
Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
To: "nasir nasir" <[email protected]>
Cc: [email protected], [email protected]
Date: Thursday, January 5, 2012, 8:59 AM

nasir nasir wrote:
> Thanks for the input Rob,
>
> Please find below the /var/log/httpd/error_log
>
> [Thu Jan 05 19:50:46 2012] [error] Certificate not verified: 'Server-Cert'
> [Thu Jan 05 19:50:46 2012] [error] SSL Library Error: -8181 Certificate has expired
> [Thu Jan 05 19:50:46 2012] [error] Certificate not verified: 'Server-Cert'
> [Thu Jan 05 19:50:46 2012] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
>
> Do I need to add "NSSEnforceValidCerts off" in /etc/httpd/conf.d/nss.conf? Please advise.
>

That explains why certmonger can't connect. Yes, for now add that directive and restart httpd. Then try the start-tracking again and see if it renews the cert.

rob

> Nidal.
>
>
> --- On Thu, 1/5/12, Rob Crittenden <[email protected]> wrote:
>
>
> From: Rob Crittenden <[email protected]>
> Subject: Re: [Freeipa-users] Expired SSL certificate issue with IPA
> To: "nasir nasir" <[email protected]>
> Cc: [email protected], [email protected]
> Date: Thursday, January 5, 2012, 7:38 AM
>
> nasir nasir wrote:
> > Thanks for the reply Rob.
> >
> > Please find below the output of your guidelines.
> >
> > # ipa-getkeytab -s xxxxxxx.xxxxxxx.com -p host/xxxxxx.xxxxxx.com -k /etc/krb5.keytab
> > (the command was successful; it didn't show any errors in the krb5kdc.log or audit.log)
> >
> > # kinit -kt /etc/krb5.keytab host/xxxxxx.xxxxxx.com
> >
> > krb5kdc.log
> > -----------------
> > Jan 05 15:20:32 xxxxxx.xxxxxx.com krb5kdc[2431](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
> > Jan 05 15:20:32 xxxxxx.xxxxxx.com krb5kdc[2427](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.10: ISSUE: authtime 1325766032, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
> >
> > # ipa-getcert list
> > Number of certificates and requests being tracked: 3.
> > Request ID '20110619112648':
> >     status: CA_UNREACHABLE
> >     ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
> >     stuck: yes
> >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-xxxxxx-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-xxxxxx-COM//pwdfile.txt'
> >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-xxxxxx-COM',nickname='Server-Cert',token='NSS Certificate DB'
> >     CA: IPA
> >     issuer: CN=Certificate Authority,O=xxxxxx.COM
> >     subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
> >     expires: 20111216112647
> >     eku: id-kp-serverAuth
> >     track: yes
> >     auto-renew: yes
> > Request ID '20110619112705':
> >     status: CA_UNREACHABLE
> >     ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
> >     stuck: yes
> >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> >     CA: IPA
> >     issuer: CN=Certificate Authority,O=xxxxxx.COM
> >     subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
> >     expires: 20111216112704
> >     eku: id-kp-serverAuth
> >     track: yes
> >     auto-renew: yes
> > Request ID '20110619112721':
> >     status: CA_UNREACHABLE
> >     ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
> >     stuck: yes
> >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> >     CA: IPA
> >     issuer: CN=Certificate Authority,O=xxxxxx.COM
> >     subject: CN=xxxxxx.xxxxxx.com,O=xxxxxx.COM
> >     expires: 20111216112720
> >     eku: id-kp-serverAuth
> >     track: yes
> >     auto-renew: yes
> >
> > # ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert
> > Request "20110619112721" modified.
> >
> > # ipa-getcert list
> > Number of certificates and requests being tracked: 3.
> > Request ID '20110619112648':
> >     status: CA_UNREACHABLE
> >     ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
> >     stuck: yes
> >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-HUGAYET-COM//pwdfile.txt'
> >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-HUGAYET-COM',nickname='Server-Cert',token='NSS Certificate DB'
> >     CA: IPA
> >     issuer: CN=Certificate Authority,O=HUGAYET.COM
> >     subject: CN=openipa.hugayet.com,O=HUGAYET.COM
> >     expires: 20111216112647
> >     eku: id-kp-serverAuth
> >     track: yes
> >     auto-renew: yes
> > Request ID '20110619112705':
> >     status: CA_UNREACHABLE
> >     ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
> >     stuck: yes
> >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> >     CA: IPA
> >     issuer: CN=Certificate Authority,O=HUGAYET.COM
> >     subject: CN=openipa.hugayet.com,O=HUGAYET.COM
> >     expires: 20111216112704
> >     eku: id-kp-serverAuth
> >     track: yes
> >     auto-renew: yes
> > Request ID '20110619112721':
> >     status: SUBMITTING
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> >     CA: IPA
> >     issuer: CN=Certificate Authority,O=HUGAYET.COM
> >     subject: CN=openipa.hugayet.com,O=HUGAYET.COM
> >     expires: 20111216112720
> >     eku: id-kp-serverAuth
> >     track: yes
> >     auto-renew: yes
> >
> > and after a few minutes, the status 'SUBMITTING' changes to 'CA_UNREACHABLE'.
> > Do we need to restart the /etc/init.d/ipa service for this? I am working remotely.
>
> It isn't logging enough information to know why it failed. Can you look in the Apache error log to see why the request failed?
>
> My first thought was that there was a CA trust issue. I believe that certmonger uses the NSS database where the certificate is stored so since it is also doing this against Apache (which in theory trust is ok for it to start at all) so I'm baffled. Hopefully the httpd logs will be enlightening.
>
> > I need to upgrade my IPA version. Before going for this I need to have a replica of the existing one. Is it okay to have the replica while all these issues exist?
>
> Yes, you should be able to create a replica, this shouldn't affect it.
>
> rob
>
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
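A defender-side check that follows from the `ipa-getcert list` output exchanged in this thread: an added example, not code from the thread, from FreeIPA or from certmonger. It parses the listing and flags certificates that are already expired or inside a renewal window, plus requests certmonger marks as stuck, so the situation above (a Server-Cert that expired on 20111216 with renewal stuck in CA_UNREACHABLE) is caught before httpd refuses to start. The sample listing is constructed; its request IDs, paths and names are placeholders.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the `ipa-getcert list` output quoted in the
# thread; request IDs, paths and names are placeholders, not the poster's values.
SAMPLE_GETCERT = """Number of certificates and requests being tracked: 2.
Request ID '20110619112648':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 20111216112647
Request ID '20110619112721':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 20120120000000
"""

def parse_getcert(text):
    """Turn `ipa-getcert list` output into one dict per Request ID."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '(\d+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            # split on the first colon only: values such as ca-error contain more
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return requests

def check_requests(requests, now, warn_days=28):
    """Flag expired or soon-expiring certs and renewals certmonger cannot complete."""
    findings = []
    for r in requests:
        exp = datetime.strptime(r["expires"], "%Y%m%d%H%M%S")  # certmonger's format
        if exp <= now:
            findings.append((r["id"], "expired"))
        elif (exp - now).days < warn_days:
            findings.append((r["id"], "expires soon"))
        if r.get("stuck") == "yes":
            findings.append((r["id"], "stuck: " + r.get("status", "?")))
    return findings

def audit(text, now_str):
    """Run the check against a YYYYMMDDHHMMSS reference time (same format as expires:)."""
    return check_requests(parse_getcert(text), datetime.strptime(now_str, "%Y%m%d%H%M%S"))
```

On a live server feed it the real listing, e.g. `audit(subprocess.check_output(["ipa-getcert", "list"]).decode(), datetime.now().strftime("%Y%m%d%H%M%S"))`, and alert on any non-empty result; a "stuck" finding on the httpd NSS database is exactly the state that eventually produces the `SSL Library Error: -8181` lines in error_log.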
