ketan mehta wrote:
> Hi All,
>
> I'm facing a strange problem: my IPA master server's HTTP Server-Cert
> got expired and I'm not able to renew it. Would you please help me
> resolve it.
>
> [root@ipa01 ~]# getcert list
> Number of certificates and requests being tracked: 9.
> Request ID '20120731123222':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. couldn't connect to host).
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-BIGDATA-BSKYB-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-BIGDATA-BSKYB-COM/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-BIGDATA-BSKYB-COM',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=ipa01.EXAMPLE.COM,O=EXAMPLE.COM
>         expires: 2014-08-01 12:32:21 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv BIGDATA-BSKYB-COM
>         track: yes
>         auto-renew: yes
> Request ID '20120731123240':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. couldn't connect to host).
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=ipa01.EXAMPLE.COM,O=EXAMPLE.COM
>         expires: 2014-08-01 12:32:40 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20120731123255':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. couldn't connect to host).
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=ipa01.EXAMPLE.COM,O=EXAMPLE.COM
>         expires: 2014-08-01 12:32:55 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>         track: yes
>         auto-renew: yes
> Request ID '20130315142330':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='625466584922'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=CA Audit,O=EXAMPLE.COM
>         expires: 2016-06-12 15:06:33 UTC
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20130315142331':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='625466584922'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>         expires: 2016-06-12 15:05:33 UTC
>         eku: id-kp-OCSPSigning
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20130315142332':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='625466584922'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=CA Subsystem,O=EXAMPLE.COM
>         expires: 2016-06-12 15:05:33 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20130315142333':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=IPA RA,O=EXAMPLE.COM
>         expires: 2016-06-12 15:05:33 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>         track: yes
>         auto-renew: yes
> Request ID '20130315142334':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='625466584922'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=ipa01.EXAMPLE.COM,O=EXAMPLE.COM
>         expires: 2016-06-12 15:05:33 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20140805110726':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. couldn't connect to host).
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
>         certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
>         CA: IPA
>         issuer:
>         subject:
>         expires: unknown
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
>
> [root@ipa01 ~]# ipactl start
> Starting Directory Service
> Starting dirsrv:
>     EXAMPLE-COM...[06/Aug/2014:09:39:50 +0100] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
>                                                            [  OK  ]
>     PKI-IPA...[06/Aug/2014:09:39:52 +0100] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
>                                                            [  OK  ]
> Starting KDC Service
> Starting Kerberos 5 KDC:                                   [  OK  ]
> Starting KPASSWD Service
> Starting Kerberos 5 Admin Server:                          [  OK  ]
> Starting DNS Service
> Starting named:                                            [  OK  ]
> Starting MEMCACHE Service
> Starting ipa_memcached:                                    [  OK  ]
> Starting HTTP Service
> Starting httpd:                                            [FAILED]
> Failed to start HTTP Service
> Shutting down
> Stopping Kerberos 5 KDC:                                   [  OK  ]
> Stopping Kerberos 5 Admin Server:                          [  OK  ]
> Stopping named: .                                          [  OK  ]
> Stopping ipa_memcached:                                    [  OK  ]
> Stopping httpd:                                            [FAILED]
> Stopping pki-ca:                                           [  OK  ]
> Shutting down dirsrv:
>     EXAMPLE-COM...                                         [  OK  ]
>     PKI-IPA...                                             [  OK  ]
> Aborting ipactl
>
> I'm running ipa-server-3.0.0-26.el6_4.2.x86_64
>
> Let me know if you need any further information.
The easiest thing to do would be to roll back time to 7/31 and restart certmonger. It's hard to say why they didn't renew already, as the CA subsystem certificates appear to have renewed ok.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
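An added example, not part of the thread and not FreeIPA or certmonger code: a shell script that reduces `getcert list` output of the kind Ketan posted to one line per tracking request and reports which requests are stuck and which certificates are expired as of a chosen date. The function names (`summarize_requests`, `stuck_requests`, `expired_requests`) are chosen here, and the sample listing is constructed to match the shape of the post (three of the nine requests, with the pin values left out).

```shell
#!/bin/sh
# Added example, not part of the thread or of FreeIPA/certmonger: reduce
# `getcert list` output to one line per tracking request and flag requests
# that are stuck or expired. Function names are chosen here; the sample
# below is constructed to match the shape of the listing in the post.

# Constructed sample: three of the requests from the post, trimmed to the
# fields this script reads (pin/pinfile values left out on purpose).
sample_getcert_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20120731123255':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. couldn't connect to host).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=ipa01.EXAMPLE.COM,O=EXAMPLE.COM
        expires: 2014-08-01 12:32:55 UTC
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20130315142333':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        subject: CN=IPA RA,O=EXAMPLE.COM
        expires: 2016-06-12 15:05:33 UTC
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20140805110726':
        status: CA_UNREACHABLE
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        track: yes
        auto-renew: yes
EOF
}

# One line per request: ID STATUS STUCK EXPIRY_DATE EXPIRY_TIME NICKNAME.
# A request whose certificate has never been issued gets "unknown -".
summarize_requests() {
    awk -v q="'" '
        function emit() {
            if (id != "")
                printf "%s %s %s %s %s %s\n", id, status, stuck, exp_date, exp_time, nick
            id = ""; status = "?"; stuck = "?"; exp_date = "unknown"; exp_time = "-"; nick = "?"
        }
        /^Request ID /         { emit(); id = $3; gsub(/[^0-9]/, "", id); next }
        /^[ \t]*status: /      { status = $2; next }
        /^[ \t]*stuck: /       { stuck = $2; next }
        /^[ \t]*certificate: / {
            # the nickname sits inside the NSS location string: nickname='...'
            if (split($0, a, "nickname=") > 1) {
                split(a[2], b, q); nick = b[2]; gsub(/ /, "_", nick)
            }
            next
        }
        /^[ \t]*expires: /     { if ($2 != "unknown") { exp_date = $2; exp_time = $3 }; next }
        END                    { emit() }
    '
}

# Requests certmonger has stopped retrying (stuck: yes) or that are not in
# the steady MONITORING state.
stuck_requests() {
    summarize_requests | awk '$3 == "yes" || $2 != "MONITORING" { print $1 }'
}

# Requests whose certificate is expired as of "YYYY-MM-DD HH:MM:SS" UTC
# (default: now). Zero-padded timestamps compare correctly as strings.
# A request with no certificate at all is reported as well.
expired_requests() {
    now="${1:-$(date -u '+%Y-%m-%d %H:%M:%S')}"
    summarize_requests | awk -v now="$now" '$4 == "unknown" || ($4 " " $5) < now { print $1 }'
}

# Stand-alone run on the constructed sample; on a live host pipe the real
# listing instead, e.g.:  getcert list | stuck_requests
sample_getcert_output | summarize_requests
echo "stuck:   $(sample_getcert_output | stuck_requests | tr '\n' ' ')"
echo "expired: $(sample_getcert_output | expired_requests '2014-08-06 09:39:50' | tr '\n' ' ')"
```

Run against the sample with the date of Ketan's `ipactl` output, both the httpd Server-Cert request and the request with no certificate come back from `expired_requests`; run with a 7/31 timestamp, the date Rob suggests rolling the clock back to, only the certificate-less request does. On a live host, compare `stuck_requests` before and after restarting certmonger to see which request IDs still need attention.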
