Hi Rob and guys,

I deleted the server with CentOS 6.6 and gave the IPA server (CentOS 6.4) with the new certificate the same IP in my network. Then I got a lot of "unknown option no_members" errors in the IPA web GUI. After I upgraded the IPA server from CentOS 6.4 to CentOS 6.6 (because all other clients run CentOS 6.6), now everything works fine in my network.

Thank you Rob :)

_____________________________________________
Best regards
Junhe Jian

-----Original Message-----
From: Junhe Jian
Sent: Thursday, 4 June 2015 17:25
To: 'Rob Crittenden'; [email protected]
Subject: RE: RE: [Freeipa-users] IPA v3 Certificate not renewed

Hi Rob,

I have only added "NSSEnforceValidCerts off" to nss.conf. IPA ran for the last 2 years without a problem since the certificate expired.

I loaded all the proxy modules in Apache and restarted httpd and certmonger.

Yeah, the certificates are renewed:

[root@be-ipasrv httpd]# getcert list | grep status
	status: MONITORING
	status: MONITORING
	status: MONITORING
	status: MONITORING
	status: MONITORING
	status: MONITORING
	status: MONITORING
	status: MONITORING
[root@be-ipasrv httpd]# getcert list | grep expir
	expires: 2017-04-29 08:14:24 UTC
	expires: 2017-04-29 08:13:24 UTC
	expires: 2017-04-29 08:13:24 UTC
	expires: 2017-04-29 08:13:24 UTC
	expires: 2017-04-29 08:13:24 UTC
	expires: 2017-05-26 08:21:01 UTC
	expires: 2017-05-26 08:20:43 UTC
	expires: 2017-05-26 08:21:08 UTC

On the other server with CentOS 6.6 and ipa-server-3.0.0-42.el6.centos.x86_64 I get this error:

Request ID '20130528090822':
	status: CA_UNREACHABLE
	ca-error: Server at https://EXAMPLE.de/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://EXAMPLE.de:443/ca/agent/ca/displayBySerial': [Errno -8053] (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLEDE',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLEDE/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLEDE',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.DE
	subject: CN=EXAMPLE.de,O=EXAMPLE.DE
	expires: 2015-05-29 09:08:22 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20130528090849':
	status: CA_UNREACHABLE
	ca-error: Server at https://EXAMPLE.de/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.DE
	subject: CN=EXAMPLE.de,O=EXAMPLE.DE
	expires: 2015-05-29 09:08:49 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20130528090923':
	status: CA_UNREACHABLE
	ca-error: Server at https://EXAMPLE.de/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.DE
	subject: CN=EXAMPLE.de,O=EXAMPLE.DE
	expires: 2015-05-29 09:09:23 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes

And the httpd error log if I resubmit the ID:

[Tue May 26 10:01:31 2015] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Tue May 26 10:01:31 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue May 26 10:01:32 2015] [notice] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured.
[Tue May 26 10:01:32 2015] [notice] ModSecurity: APR compiled version="1.3.9"; loaded version="1.3.9"
[Tue May 26 10:01:32 2015] [notice] ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
[Tue May 26 10:01:32 2015] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Tue May 26 10:01:32 2015] [notice] ModSecurity: LIBXML compiled version="2.7.6"
[Tue May 26 10:01:32 2015] [notice] Digest: generating secret for digest authentication ...
[Tue May 26 10:01:32 2015] [notice] Digest: done
[Tue May 26 10:01:33 2015] [notice] Apache/2.2.15 (Unix) mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.16.1 Basic ECC PHP/5.3.25 mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations
[Tue May 26 10:01:34 2015] [error] ipa: INFO: *** PROCESS START ***
[Tue May 26 10:01:34 2015] [error] ipa: INFO: *** PROCESS START ***
[Tue May 26 10:02:36 2015] [error] Bad remote server certificate: -8181
[Tue May 26 10:02:36 2015] [error] SSL Library Error: -8181 Certificate has expired
[Tue May 26 10:02:36 2015] [error] Re-negotiation handshake failed: Not accepted by client!?
[Tue May 26 10:02:36 2015] [error] ipa: INFO: host/[email protected] CH.DE: cert_request(u'MIID+zCCAuMCAQAwUDEhMB8GA1UEChMYVElCRVQuVFJBRkZJQ1MtU1dJVENILkRFMSswKQYDVQQDEyJiZS1 pcGFzcnYudGliZXQudHJhZmZpY3Mtc3dpdGNoLmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAshxjlzWHlUYC262eB9BK IYu5mwTM2ncvHIibZwD+wrCp879Z+o6FRuV4jIg8iWo0gHqusuVSpRaGtHpKIXCwYcWU+ESY IYu5mwTM2ncvHIibZwD+wrCp879Z+o6FRuV4jIg8iWo0gHqusuVSpRaGtHpKIXCwYcWU+FZs IYu5mwTM2ncvHIibZwD+wrCp879Z+o6FRuV4jIg8iWo0gHqusuVSpRaGtHpKIXCwYcWU+Piu IYu5mwTM2ncvHIibZwD+wrCp879Z+o6FRuV4jIg8iWo0gHqusuVSpRaGtHpKIXCwYcWU+SXj IYu5mwTM2ncvHIibZwD+wrCp879Z+o6FRuV4jIg8iWo0gHqusuVSpRaGtHpKIXCwYcWU+js9 IYu5mwTM2ncvHIibZwD+wrCp879Z+o6FRuV4jIg8iWo0gHqusuVSpRaGtHpKIXCwYcWU+Vmb IYu5mwTM2ncvHIibZwD+wrCp879Z+o6FRuV4jIg8iWo0gHqusuVSpRaGtHpKIXCwYcWU+gEm IYu5mwTM2ncvHIibZwD+wrCp879Z+o6FRuV4jIg8iWo0gHqusuVSpRaGtHpKIXCwYcWU+uM9 IYu5mwTM2ncvHIibZwD+wrCp879Z+o6FRuV4jIg8iWo0gHqusuVSpRaGtHpKIXCwYcWU+Dz/ IYu5mwTM2ncvHIibZwD+wrCp879Z+o6FRuV4jIg8iWo0gHqusuVSpRaGtHpKIXCwYcWU+4jI IYu5mwTM2ncvHIibZwD+wrCp879Z+o6FRuV4jIg8iWo0gHqusuVSpRaGtHpKIXCwYcWU+fVQ IYu5mwTM2ncvHIibZwD+wrCp879Z+o6FRuV4jIg8iWo0gHqusuVSpRaGtHpKIXCwYcWU+XDA ecGfcpDfLQxkMcRhaVaOHXwEGeM19xUig6s2kWa81T+TNwEKItNXmovQSpE+6cxpcT3rH00b ecGfcpDfLQxkMcRhaVaOHXwEGeM19xUig6s2kWa81T+TNwEKItNXmovQSpE+89F/Z2vUIXag ecGfcpDfLQxkMcRhaVaOHXwEGeM19xUig6s2kWa81T+TNwEKItNXmovQSpE+EJnJMuXEdqz3 ecGfcpDfLQxkMcRhaVaOHXwEGeM19xUig6s2kWa81T+TNwEKItNXmovQSpE+XpaXr6ahc YXgCSDq7L8VSd7zbguEpWZmD0lZ8857+tVXz6LBHryko3n5qyTpwFJ5M/hd6FoJyWTDulCKa YXgCSDq7L8VSd7zbguEpWZmD0lZ8857+F20sHsOBp+P18YcLUmR8pHjA9LQ4m/4dd 5cG9yBwIDAQABoIIBZDAlBgkqhkiG9w0BCRQxGB4WAFMAZQByAHYAZQByAC0AQwBlAHIAdDCCATkGCSqGSIb3DQEJDjGCASowggEmMA4G A1UdDwEBAAQEAwIE8DCBwQYDVR0RAQEABIG2MIGzoFAGCisGAQQBgjcUAgOgQgxAbGRhcC9iZS1pcGFzcnYudGliZXQudHJhZmZpY3Mtc 3dpdGNoLmRlQFRJQkVULlRSQUZGSUNTLVNXSVRDSC5ERaBfBgYrBgEFAgKgVTBToBobGFRJQkVULlRSQUZGSUNTLVNXSVRDSC5ERaE1MD OgAwIBAaEsMCobBGxkYXAbImJlLWlwYXNydi50aWJldC50cmFmZmljcy1zd2l0Y2guZGUwIAYDVR0lAQEABBYwFAYIKwYBBQUHAwEGCCs GAQUFBwMCMAwGA1UdEwEB/wQCMAAwIAYDVR0OAQEABBYEFCvM2eOn/UvY2d4fFKR23C+YMyfrMA0GCSqGSIb3DQEBCwUAA4IBAQCDXHV+ c7ygZRTJrXFbDrhR/Mgz/CpX2HxtDTL9q2qUNjL73oDdHUAEF1i9MP/URw6ZUltA4FD5rXAT5K8t/MRnEHR7YLRCNMyM0SIb6HXC7Bo5Q vA/kTPbJdwshjc52rMgOMf+Pa/ztUUBD+zH+8xsJKPRktQb/Ku3fbWZ/b2g5VpQj6jcjCKSKI/IF4C1r0Vl1Dz6P4v4zN3D0sjt/g57Zi AzxwGmLUt4e3/KFKvi4o7UTgZam24pZqwqilAwYw4DRuYCg0wdhty8qBLVKyzxUG1IYkuXQUGOhWTlQwzyWEaCv6BR1N78egX5xpkP9hH zxGJxVhsgrexerEL5sxTk', principal=u'ldap/[email protected]', add=True): NetworkError
[Tue May 26 10:02:38 2015] [error] Bad remote server certificate: -8181
[Tue May 26 10:02:38 2015] [error] SSL Library Error: -8181 Certificate has expired

Do you have an idea? Thank you!

_____________________________________________
Best regards
Junhe Jian

-----Original Message-----
From: Rob Crittenden [mailto:[email protected]]
Sent: Thursday, 4 June 2015 17:04
To: Junhe Jian; [email protected]
Subject: Re: RE: [Freeipa-users] IPA v3 Certificate not renewed

Junhe Jian wrote:
> Hi Rob,
>
> I set the date in the past ("26 MAY 2015")
> and added "NSSEnforceValidCerts off" to nss.conf
>
> and resubmitted the 3 IDs
> [root@be-ipasrv httpd]# getcert resubmit -i 20130528090822
> Resubmitting "20130528090822" to "IPA".
> [root@be-ipasrv httpd]# getcert resubmit -i 20130528090849
> Resubmitting "20130528090849" to "IPA".
> [root@be-ipasrv httpd]# getcert resubmit -i 20130528090923
> Resubmitting "20130528090923" to "IPA".
>
> Restarted IPA and certmonger
>
> now I get this error in http_error
>
> [Tue May 26 10:00:30 2015] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
> [Tue May 26 10:00:30 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Tue May 26 10:00:31 2015] [notice] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured.
> [Tue May 26 10:00:31 2015] [notice] ModSecurity: APR compiled version="1.3.9"; loaded version="1.3.9"
> [Tue May 26 10:00:31 2015] [notice] ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
> [Tue May 26 10:00:31 2015] [notice] ModSecurity: LUA compiled version="Lua 5.1"
> [Tue May 26 10:00:31 2015] [notice] ModSecurity: LIBXML compiled version="2.7.6"
> [Tue May 26 10:00:31 2015] [notice] Digest: generating secret for digest authentication ...
> [Tue May 26 10:00:31 2015] [notice] Digest: done
> [Tue May 26 10:00:32 2015] [notice] Apache/2.2.15 (Unix) mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.14.0.0 Basic ECC PHP/5.3.25 mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations
> [Tue May 26 10:00:33 2015] [error] ipa: INFO: *** PROCESS START ***
> [Tue May 26 10:00:33 2015] [error] ipa: INFO: *** PROCESS START ***
> [Tue May 26 10:01:23 2015] [warn] proxy: No protocol handler was valid for the URL /ca/agent/ca/displayBySerial. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
> [Tue May 26 10:01:23 2015] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with CMS (Internal Server Error)

Have you changed your apache configuration? It looks that way. You need the proxy modules loaded.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
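The thread above turns on reading `getcert list` by eye: the three Server-Cert requests sat in CA_UNREACHABLE until the certificates expired, and only then did the web GUI and the `-8181 Certificate has expired` errors surface. The script below is an added example, not code from the thread, from Rob, or from FreeIPA/certmonger: it parses `getcert list`-style text and flags every tracked request whose status is not MONITORING, that certmonger reports as stuck, or whose expiry has passed or is within a warning window, so a broken renewal is noticed before the clock runs out. It assumes GNU `date` (as on CentOS) for `date -u -d ... +%s`; the sample input is constructed from the output shapes quoted in the thread, and the request IDs `20150604000001` and `20150604000002` are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): report tracked
# certmonger requests that need attention. Assumes GNU date.
# Real usage on an IPA server:   getcert list | report_certmonger 30

# classify_request STATUS STUCK EXPIRES_EPOCH NOW_EPOCH WARN_DAYS
# Prints a comma-separated list of findings, or OK when nothing is wrong.
classify_request() {
  local status="$1" stuck="$2" exp_epoch="$3" now_epoch="$4" warn_days="$5"
  local flags=""
  # Anything other than MONITORING (CA_UNREACHABLE in the thread) means
  # certmonger is not in its normal waiting state and renewal may never run.
  if [ "$status" != "MONITORING" ]; then flags="${flags}NOT_MONITORING,"; fi
  if [ "$stuck" = "yes" ]; then flags="${flags}STUCK,"; fi
  if [ -z "$exp_epoch" ]; then
    flags="${flags}NO_EXPIRY,"
  elif [ "$exp_epoch" -le "$now_epoch" ]; then
    flags="${flags}EXPIRED,"
  elif [ $(( (exp_epoch - now_epoch) / 86400 )) -lt "$warn_days" ]; then
    flags="${flags}EXPIRING,"
  fi
  if [ -z "$flags" ]; then echo OK; else echo "${flags%,}"; fi
}

# print_request ID STATUS STUCK EXPIRES NOW_EPOCH WARN_DAYS
# Emits one tab-separated line: request id, status, expiry, findings.
print_request() {
  local id="$1" status="$2" stuck="$3" expires="$4" now_epoch="$5" warn_days="$6"
  local exp_epoch=""
  if [ -n "$expires" ]; then
    exp_epoch=$(date -u -d "$expires" +%s)   # e.g. "2015-05-29 09:08:22 UTC"
  fi
  printf '%s\t%s\t%s\t%s\n' "$id" "${status:-?}" "${expires:-?}" \
    "$(classify_request "$status" "$stuck" "$exp_epoch" "$now_epoch" "$warn_days")"
}

# report_certmonger [WARN_DAYS] [NOW_EPOCH]  -- reads `getcert list` text on stdin.
# NOW_EPOCH is only there to make runs reproducible; omit it in real use.
report_certmonger() {
  local warn_days="${1:-30}" now_epoch="${2:-$(date -u +%s)}"
  local id="" status="" stuck="" expires="" line
  # plain `read` (no IFS=) strips the leading tab that getcert prints.
  while read -r line; do
    case "$line" in
      "Request ID "*)
        if [ -n "$id" ]; then
          print_request "$id" "$status" "$stuck" "$expires" "$now_epoch" "$warn_days"
        fi
        id=${line#"Request ID "}; id=${id%:}
        id=$(printf '%s' "$id" | tr -d "'")
        status="" stuck="" expires=""
        ;;
      "status: "*)  status=${line#"status: "} ;;
      "stuck: "*)   stuck=${line#"stuck: "} ;;
      "expires: "*) expires=${line#"expires: "} ;;
    esac
  done
  if [ -n "$id" ]; then
    print_request "$id" "$status" "$stuck" "$expires" "$now_epoch" "$warn_days"
  fi
}

# Constructed sample in the shape of the thread's output: the three real
# request IDs with their quoted status and expiry, plus two made-up entries
# (20150604000001 expiring soon, 20150604000002 healthy).
SAMPLE_GETCERT=$(cat <<'EOF'
Number of certificates and requests being tracked: 5.
Request ID '20130528090822':
    status: CA_UNREACHABLE
    ca-error: Server at https://EXAMPLE.de/ipa/xml failed request, will retry: 907 (RPC failed at server.).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLEDE',nickname='Server-Cert',token='NSS Certificate DB'
    subject: CN=EXAMPLE.de,O=EXAMPLE.DE
    expires: 2015-05-29 09:08:22 UTC
    track: yes
    auto-renew: yes
Request ID '20130528090849':
    status: CA_UNREACHABLE
    stuck: no
    expires: 2015-05-29 09:08:49 UTC
Request ID '20130528090923':
    status: CA_UNREACHABLE
    stuck: no
    expires: 2015-05-29 09:09:23 UTC
Request ID '20150604000001':
    status: MONITORING
    stuck: no
    expires: 2015-06-20 00:00:00 UTC
Request ID '20150604000002':
    status: MONITORING
    stuck: no
    expires: 2017-04-29 08:14:24 UTC
EOF
)

# Evaluate the sample as of the thread's date, 2015-06-04 17:25 UTC
# (epoch 1433438700), with a 30-day warning window.
printf '%s\n' "$SAMPLE_GETCERT" | report_certmonger 30 1433438700
```

Run against the sample, the three thread requests come out as `NOT_MONITORING,EXPIRED`, the constructed `20150604000001` as `EXPIRING` and `20150604000002` as `OK`. Scheduled from cron with the real `getcert list` and a window longer than the CA's retry cycle, the `NOT_MONITORING` finding alone would have shown the renewal failure weeks before the expiry that forced the `NSSEnforceValidCerts off` and date-rollback workaround in the thread.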
