[Freeipa-users] IPA certificates expired, please help!

Linov Suresh Fri, 15 Jul 2016 13:58:23 -0700

I logged into my IPA master, and found that the cert had expired again, we
renewed these certificates about 18 months ago.




Our environment is CentOS 6.4 and IPA 3.0.0-26.


I followed the Redhat documentation, How do I manually renew Identity
Management (IPA) certificates after they have expired? (Master IPA Server),
https://access.redhat.com/solutions/643753 but no luck.

I have also changed the directive "NSSEnforceValidCerts off" in
/etc/httpd/conf.d/nss.conf and the value of nsslapd-validate-cert is
warn.



ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w
******* -b  cn=config | grep  nsslapd-validate-cert

nsslapd-validate-cert: warn



Here is my getcert list,



[root@caer ~]# getcert list

Number of certificates and requests being tracked: 8.

Request ID '20111214223243':

        status: CA_UNREACHABLE

        ca-error: Server failed request, will retry: -504 (libcurl
failed to execute the HTTP POST transaction.  Peer certificate cannot
be authenticated with known CA certificates).

        stuck: yes

        key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'

        certificate:
type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
Certificate DB'

        CA: IPA

        issuer: CN=Certificate Authority,O=TELOIP.NET

        subject: CN=caer.teloip.net,O=TELOIP.NET

        expires: 2016-01-29 14:09:46 UTC

        eku: id-kp-serverAuth

        pre-save command:

        post-save command:

        track: yes

        auto-renew: yes

Request ID '20111214223300':

        status: CA_UNREACHABLE

        ca-error: Server failed request, will retry: -504 (libcurl
failed to execute the HTTP POST transaction.  Peer certificate cannot
be authenticated with known CA certificates).

        stuck: yes

        key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'

        certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'

        CA: IPA

        issuer: CN=Certificate Authority,O=TELOIP.NET

        subject: CN=caer.teloip.net,O=TELOIP.NET

        expires: 2016-01-29 14:09:45 UTC

        eku: id-kp-serverAuth

        pre-save command:

        post-save command:

        track: yes

        auto-renew: yes

Request ID '20111214223316':

        status: CA_UNREACHABLE

        ca-error: Server failed request, will retry: -504 (libcurl
failed to execute the HTTP POST transaction.  Peer certificate cannot
be authenticated with known CA certificates).

        stuck: yes

        key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'

        certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'

        CA: IPA

        issuer: CN=Certificate Authority,O=TELOIP.NET

        subject: CN=caer.teloip.net,O=TELOIP.NET

        expires: 2016-01-29 14:09:45 UTC

        eku: id-kp-serverAuth

        pre-save command:

        post-save command:

        track: yes

        auto-renew: yes

Request ID '20130519130741':

        status: MONITORING

        stuck: no

        key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664'

        certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'

        CA: dogtag-ipa-renew-agent

        issuer: CN=Certificate Authority,O=TELOIP.NET

        subject: CN=CA Audit,O=TELOIP.NET

        expires: 2017-10-13 14:10:49 UTC

        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad

        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"

        track: yes

        auto-renew: yes

Request ID '20130519130742':

        status: MONITORING

        stuck: no

        key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664'

        certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'

        CA: dogtag-ipa-renew-agent

        issuer: CN=Certificate Authority,O=TELOIP.NET

        subject: CN=OCSP Subsystem,O=TELOIP.NET

        expires: 2017-10-13 14:09:49 UTC

        eku: id-kp-OCSPSigning

        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad

        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"

        track: yes

        auto-renew: yes

Request ID '20130519130743':

        status: MONITORING

        stuck: no

        key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664'

        certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'

        CA: dogtag-ipa-renew-agent

        issuer: CN=Certificate Authority,O=TELOIP.NET

        subject: CN=CA Subsystem,O=TELOIP.NET

        expires: 2017-10-13 14:09:49 UTC

        eku: id-kp-serverAuth,id-kp-clientAuth

        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad

        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"

        track: yes

        auto-renew: yes

Request ID '20130519130744':

        status: MONITORING

        stuck: no

        key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'

        certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'

        CA: dogtag-ipa-renew-agent

        issuer: CN=Certificate Authority,O=TELOIP.NET

        subject: CN=RA Subsystem,O=TELOIP.NET

        expires: 2017-10-13 14:09:49 UTC

        eku: id-kp-serverAuth,id-kp-clientAuth

        pre-save command:

        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert

        track: yes

        auto-renew: yes

Request ID '20130519130745':

        status: MONITORING

        stuck: no

        key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664'

        certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'

        CA: dogtag-ipa-renew-agent

        issuer: CN=Certificate Authority,O=TELOIP.NET

        subject: CN=caer.teloip.net,O=TELOIP.NET

        expires: 2017-10-13 14:09:49 UTC

        eku: id-kp-serverAuth,id-kp-clientAuth

        pre-save command:

        post-save command:

        track: yes

        auto-renew: yes

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] IPA certificates expired, please help!

Reply via email to