Unfortunately this issue suddenly got much worse. I get this error in the UI
when trying to view hosts on one of my servers:
cannot connect to 'https:/ipa1.example.com:443/ca/agent/ca/displayBySerial':
(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
and this on others:

Some operations failed.
Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key
database is in an old, unsupported format.
(the same line is repeated 16 times in the dialog)

From: sipazzo <[email protected]>
To: "[email protected]" <[email protected]>
Sent: Friday, July 29, 2016 9:06 AM
Subject: certificates expired - won't renew
I have seen many threads on this, so sorry to bring it up again, but I have a
freeipa domain with 4 ipa servers running on redhat 6, version 3.0.0-50. The
certificates are expired/expiring and will not renew, and it is causing many
issues for us. I have tried the many suggestions I have seen in the archives,
such as changing the time to prior to expiration and attempting to renew by
resubmitting the requests, but they never renew. An example of getcert list from
the first server that expired:
Number of certificates and requests being tracked: 8.
Request ID '20140618161026':
status: CA_UNREACHABLE
ca-error: Server at https://ipa1.example.com/ipa/xml failed request, will
retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer
certificate cannot be authenticated with known CA certificates).
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=idm1-io.example.com,O=EXAMPLE.COM
expires: 2016-06-18 00:09:05 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
track: yes
auto-renew: yes
Request ID '20140618161126':
status: MONITORING
ca-error: Internal error: no response to
"http://ipa1-io.example.com:9180/ca/ee/ca/profileSubmit?profileId=auditSigningCert+cert-pki-ca&serial_num=5&renewal=true&xml=true".
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Audit,O=EXAMPLE.COM
expires: 2016-06-06 23:36:29 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/restart_pkicad
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20140618161127':
status: MONITORING
ca-error: Internal error: no response to
"http://ipa1.example.com:9180/ca/ee/ca/profileSubmit?profileId=ocspSigningCert+cert-pki-ca&serial_num=2&renewal=true&xml=true".
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=OCSP Subsystem,O=EXAMPLE.COM
expires: 2016-06-06 23:36:28 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/restart_pkicad
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20140618161128':
status: MONITORING
ca-error: Internal error: no response to
"http://ipa1.example.com:9180/ca/ee/ca/profileSubmit?profileId=subsystemCert+cert-pki-ca&serial_num=4&renewal=true&xml=true".
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Subsystem,O=EXAMPLE.COM
expires: 2016-06-06 23:36:28 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "subsystemCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20140618161129':
status: MONITORING
ca-error: Internal error: no response to
"http://ipa1.example.com:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=268304385&renewal=true&xml=true".
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ipa1.example.com,O=EXAMPLE.COM
expires: 2016-06-07 16:11:22 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20140618161217':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-example-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-example-COM/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-example-COM',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ipa1.example.com,O=EXAMPLE.COM
expires: 2016-06-18 00:09:05 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv example-COM
track: yes
auto-renew: yes
Request ID '20140618161317':
status: CA_UNREACHABLE
ca-error: Server at https://ipa1.example.com/ipa/xml failed request, will
retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer
certificate cannot be authenticated with known CA certificates).
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=idm1-io.example.com,O=EXAMPLE.COM
expires: 2016-06-18 00:09:06 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Request ID '20140618161338':
status: MONITORING
ca-error: Internal error: no response to
"http://ipa1.example.com:9180/ca/ee/ca/profileSubmit?profileId=ipaCert&serial_num=7&renewal=true&xml=true".
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=IPA RA,O=EXAMPLE.COM
expires: 2016-06-06 23:37:09 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
The localhost log in /var/log/pki-ca has errors like:
tail localhost.2016-07-29.log
Jul 29, 2016 8:55:51 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet caProfileSubmit threw exception
java.io.IOException: CS server is not ready to serve.
at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:441)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:723)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.
Debug log in /var/log/pki-cacd
tail debug
[29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password store
initialized before.
[29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password store
initialized.
[29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable getLDAPConn:
netscape.ldap.LDAPException: error result (49)
[29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable: unable to query
sessionIds: java.io.IOException: Failed to connect to the internal database.
[29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable: getSessionIds:
Error in disconnecting from database: java.lang.NullPointerException
[29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password store
initialized before.
[29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password store
initialized.
[29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable getLDAPConn:
netscape.ldap.LDAPException: error result (49)
[29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable: unable to query
sessionIds: java.io.IOException: Failed to connect to the internal database.
[29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable: getSessionIds:
Error in disconnecting from database: java.lang.NullPointerException
Performing most IPA commands results in errors such as:
ipa: ERROR: cert validation failed for "CN=ipa1.example.com,O=EXAMPLE.COM"
((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
Not sure if it is related but we lost our first IPA server some time ago and
had to promote another to the CA master. Also, due to someone leaving the
company at the beginning of the year we had to change the directory manager
password. I followed all the directions to do so but it does not seem like it
was a completely smooth transaction.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
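A defender-side check prompted by the getcert output in the post, added here as an example and not part of the original thread: it parses `getcert list` output and flags requests that are expired, stuck, or carry a ca-error even while their status still reads MONITORING, so a scheduled job can alert well before the lapse described above. The sample output is constructed and abridged from the post; the "key: value" line parsing and the 30-day warning window are my assumptions, not certmonger's.

```python
# Added example, not from the original post: flag getcert-tracked requests that are
# expired, stuck or failing to renew. SAMPLE is constructed, abridged from the post.
import re
from datetime import datetime, timedelta, timezone

SAMPLE = """\
Request ID '20140618161217':
\tstatus: NEED_CSR_GEN_TOKEN
\tstuck: yes
\texpires: 2016-06-18 00:09:05 UTC
Request ID '20140618161338':
\tstatus: MONITORING
\tca-error: Internal error: no response to "http://ipa1.example.com:9180/ca/ee/ca/profileSubmit?profileId=ipaCert&serial_num=7&renewal=true&xml=true".
\texpires: 2016-06-06 23:37:09 UTC
Request ID '20160101000000':
\tstatus: MONITORING
\texpires: 2016-08-15 12:00:00 UTC
"""

def parse_getcert(text):
    # One dict per "Request ID" block, keyed by the getcert field name.
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Request ID '([^']+)':", line):
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and (f := re.match(r"^([A-Za-z][A-Za-z -]*):\s*(.*)$", line)):
            current[f.group(1)] = f.group(2)
    return requests

def assess(req, now, warn_days=30):
    # List problems with one tracked request; an empty list means healthy.
    findings = []
    if req.get("stuck") == "yes":
        findings.append("stuck")
    if req.get("status", "MONITORING") != "MONITORING":
        findings.append("status=" + req["status"])
    if "ca-error" in req:          # MONITORING with a ca-error is still failing
        findings.append("ca-error")
    if "expires" in req:
        when = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
        if when <= now:
            findings.append("expired")
        elif when - now <= timedelta(days=warn_days):
            findings.append("expires-soon")
    return findings

def report(text, now=None, warn_days=30):
    now = now or datetime.now(timezone.utc)
    return {r["id"]: assess(r, now, warn_days) for r in parse_getcert(text)}
```

Run `report(open("/path/to/getcert-output.txt").read())` against real output; any non-empty list is worth an alert.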