At first, ipa-getcert list shows the certificate error

ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).

but after I changed the IPA server's date to before the expiration date, it shows

ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: couldn't connect to host).

When I tried to start IPA with "service ipa start", all services would fail, so I need to start them one by one:

systemctl start [email protected]
systemctl status [email protected]
systemctl start krb5kdc.service
systemctl status krb5kdc.service
systemctl start kadmin.service
systemctl status kadmin.service
systemctl start ipa_memcached.service
systemctl status ipa_memcached.service
systemctl start [email protected]
systemctl status [email protected]

# tail /var/log/messages
Jan 3 17:32:26 ipa systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Jan 3 17:32:29 ipa systemd[1]: Started PKI Tomcat Server pki-tomcat.
Jan 3 17:33:08 ipa certmonger[476]: 2016-01-03 17:33:08 [476] Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: couldn't connect to host).
Jan 3 17:33:12 ipa certmonger[476]: 2016-01-03 17:33:12 [476] Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: couldn't connect to host).

2017-03-03 13:20 GMT+08:00 Umarzuki Mochlis <[email protected]>:
> After httpd failed to start even with "NSSEnforceValidCerts off" in
> /etc/httpd/conf.d/nss.conf
> It used to work for a while since we use this only for zimbra but
> today it won't start anymore.
>
> We are not using commercial certs, so which steps should I follow to
> renew certs?
>
> It seems CA has expired more than 2 weeks ago.
>
> # ipa-getcert list
> Number of certificates and requests being tracked: 7.
> Request ID '20130112120232':
>     status: CA_UNREACHABLE
>     ca-error: Server failed request, will retry: -504 (libcurl
> failed to execute the HTTP POST transaction, explaining: Peer's
> Certificate has expired.).
>     stuck: yes
>     key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-DOMAIN-COM-MY/pwdfile.txt'
>     certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS
> Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=DOMAIN.COM.MY
>     subject: CN=ipa.domain.com.my,O=DOMAIN.COM.MY
>     expires: 2016-12-16 16:18:27 UTC
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
> DOMAIN-COM-MY
>     track: yes
>     auto-renew: yes
> Request ID '20130112120734':
>     status: CA_UNREACHABLE
>     ca-error: Server failed request, will retry: -504 (libcurl
> failed to execute the HTTP POST transaction, explaining: Peer's
> Certificate has expired.).
>     stuck: yes
>     key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=DOMAIN.COM.MY
>     subject: CN=ipa.domain.com.my,O=DOMAIN.COM.MY
>     expires: 2016-12-16 16:18:27 UTC
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>     track: yes
>     auto-renew: yes
>
> # rpm -qa | grep ipa
> freeipa-admintools-3.1.0-2.fc18.x86_64
> freeipa-server-3.1.0-2.fc18.x86_64
> libipa_hbac-python-1.9.3-1.fc18.x86_64
> python-iniparse-0.4-6.fc18.noarch
> freeipa-client-3.1.0-2.fc18.x86_64
> freeipa-server-selinux-3.1.0-2.fc18.x86_64
> freeipa-python-3.1.0-2.fc18.x86_64
> libipa_hbac-1.9.3-1.fc18.x86_64
