[Freeipa-users] ipa 3.0 expired cert renewal
David Fitzgerald
2014-05-28 14:40:00 UTC
Hello,

My FreeIPA server stopped working over the weekend due to what looks like expired certificates. I am running ipa-server 3.0 and thought these certs were automatically renewed. I am no expert at KDC / IPA and any help you can give is greatly appreciated.

When I try to start the ipa service on my server I get:

***@aurora ~]# /sbin/service ipa start
Starting Directory Service
Starting dirsrv:
LINUX-DIRSRV-LOCAL...[28/May/2014:10:23:33 -0400] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
[ OK ]
PKI-IPA...[28/May/2014:10:23:34 -0400] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
[ OK ]
Starting KDC Service
Starting Kerberos 5 KDC: [ OK ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server: [ OK ]
Starting MEMCACHE Service
Starting ipa_memcached: [ OK ]
Starting HTTP Service
Starting httpd: [Wed May 28 10:23:36 2014] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
[FAILED]
Failed to start HTTP Service
Shutting down
Stopping Kerberos 5 KDC: [ OK ]
Stopping Kerberos 5 Admin Server: [ OK ]
Stopping ipa_memcached: [ OK ]
Stopping httpd: [FAILED]
Stopping pki-ca: [ OK ]
Shutting down dirsrv:
LINUX-DIRSRV-LOCAL... [ OK ]
PKI-IPA... [ OK ]
Aborting ipactl

Of course kinit also fails with: kinit: Cannot contact any KDC for realm 'LINUX.DIRSRV.LOCAL' while getting initial credentials

Can someone help me get back on my feet? Luckily there are not many students around in the summer so I just have 20 annoyed faculty instead of 200 annoyed students to placate.

Thanks!



-----------------------------------------------
David Fitzgerald
Adjunct Professor
Department of Earth Sciences
Millersville University
Millersville, PA 17551

E-mail: ***@millersville.edu
PH: 717-871-2394
Dmitri Pal
2014-05-29 00:50:41 UTC
Post by David Fitzgerald
Hello,
My Freeipa server stopped working over the weekend due to what looks
like expired certificates. I am running ipa-server 3.0 and thought
these certs were automatically renewed. I am no expert at KDC / IPA
and any help you can give is greatly appreciated.
[...]
Usually that happens when you do not have the original master any more.
Is this the case for you?
Have you looked at http://www.freeipa.org/page/IPA_2x_Certificate_Renewal ?
_______________________________________________
Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
David Fitzgerald
2014-05-29 18:57:40 UTC
From: freeipa-users-***@redhat.com On Behalf Of Dmitri Pal
Sent: Wednesday, May 28, 2014 8:51 PM
To: freeipa-***@redhat.com
Subject: Re: [Freeipa-users] ipa 3.0 expired cert renewal

Usually that happens when you do not have the original master any more. Is this the case for you?
Have you looked at http://www.freeipa.org/page/IPA_2x_Certificate_Renewal ?


That was the info I needed. Sorry I didn't check the IPA 2x docs. It works just fine again.
Thank You!



-----------------------------------------------
David Fitzgerald
Adjunct Professor
Department of Earth Sciences
Millersville University
Millersville, PA 17551

E-mail: ***@millersville.edu
PH: 717-871-2394

Rob Crittenden
2014-05-29 13:07:36 UTC
Post by David Fitzgerald
Hello,
My Freeipa server stopped working over the weekend due to what looks
like expired certificates. I am running ipa-server 3.0 and thought
these certs were automatically renewed. I am no expert at KDC / IPA and
any help you can give is greatly appreciated.
[...]
Can you show the current state of the tracked certificates?

# getcert list

The CA has a number of certificates that require renewal for the rest to
be successful. Those are the ones we need to get working first.

Do you have multiple IPA Masters? Are they in a similar state?

rob
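The `getcert list` output Rob asks for is the first thing to read on a master in this state, and it is long enough that a small triage script helps. The Python below is an added example for this thread, not code from the thread, from FreeIPA or from certmonger: it parses `getcert list` output, flags every tracked certificate that is expired, stuck or in a status other than MONITORING, and lists the CA's own certificates first, since those have to be renewed before the service certificates can be. It assumes the RHEL 6 / IPA 3.0 layout in which the CA subsystem certificates live in the NSS database /var/lib/pki-ca/alias and the RA agent certificate is the nickname ipaCert in /etc/httpd/alias; the sample output embedded in the block is constructed, with made-up request IDs, dates, hostname and error text, and the script name in the usage comment is mine.

```python
"""Triage `getcert list` output on an IPA master: flag tracked certificates that are
expired, stuck or not MONITORING, CA certificates first. Added example, not FreeIPA code."""
import re
from datetime import datetime, timezone

CA_DB_LOCATIONS = ("/var/lib/pki-ca/alias",)  # assumed: IPA 3.0 CA subsystem NSS DB
CA_AGENT_NICKNAME = "ipaCert"                  # assumed: RA agent cert in /etc/httpd/alias
EXPIRES_FORMAT = "%Y-%m-%d %H:%M:%S UTC"       # timestamp form certmonger prints

# Constructed sample (IDs, dates, host and error text made up): CA subsystem cert and
# RA agent cert both expired (RA renewal stuck), expired dirsrv cert, valid httpd cert.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 4.
Request ID '20130501120000':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2014-05-24 16:00:00 UTC
Request ID '20130501120001':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://aurora.linux.dirsrv.local/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\texpires: 2014-05-24 16:05:00 UTC
Request ID '20130501120002':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-LINUX-DIRSRV-LOCAL',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 2014-05-25 12:00:00 UTC
Request ID '20130501120003':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 2015-05-25 12:00:00 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?):\s?(.*)$")

def _quoted(field, key):
    """Pull key='value' out of a certmonger storage description."""
    m = re.search(key + r"='([^']*)'", field)
    return m.group(1) if m else ""

def parse_getcert_list(text):
    """Split `getcert list` output into one {field: value} dict per tracked request."""
    records, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    for rec in records:  # NSS DB path and nickname live inside the 'certificate:' field
        rec["location"] = _quoted(rec.get("certificate", ""), "location")
        rec["nickname"] = _quoted(rec.get("certificate", ""), "nickname")
    return records

def parse_utc(stamp):
    return datetime.strptime(stamp, EXPIRES_FORMAT).replace(tzinfo=timezone.utc)

def is_ca_certificate(rec):
    """CA subsystem certs and the RA agent cert must be renewed before the rest."""
    return rec["location"] in CA_DB_LOCATIONS or rec["nickname"] == CA_AGENT_NICKNAME

def triage(records, now_utc):
    """Return only the requests needing attention, CA certificates first."""
    now = parse_utc(now_utc)
    findings = []
    for rec in records:
        expires = parse_utc(rec["expires"]) if rec.get("expires") else None
        problems = []
        if expires is not None and expires <= now:
            problems.append("expired " + rec["expires"])
        if rec.get("status") != "MONITORING":
            problems.append("status " + rec.get("status", "unknown"))
        if rec.get("stuck") == "yes":
            problems.append("stuck")
        if rec.get("ca-error"):
            problems.append("ca-error: " + rec["ca-error"])
        if problems:
            findings.append({"nickname": rec["nickname"], "location": rec["location"],
                             "is_ca": is_ca_certificate(rec), "expires": expires, "problems": problems})
    # CA-side certificates first, then soonest expiry within each group
    findings.sort(key=lambda f: (not f["is_ca"], f["expires"] or now))
    return findings

def triage_text(text, now_utc):
    return triage(parse_getcert_list(text), now_utc)

if __name__ == "__main__":  # usage: getcert list | python3 triage_getcert.py
    import sys
    text = (sys.stdin.read() if not sys.stdin.isatty() else "") or SAMPLE_GETCERT_LIST
    for f in triage_text(text, datetime.now(timezone.utc).strftime(EXPIRES_FORMAT)):
        print("[%s] %s: %s" % ("CA" if f["is_ca"] else "service", f["nickname"], "; ".join(f["problems"])))
```

Run with no input it triages the constructed sample; on a master pipe the real `getcert list` into it. A certificate that is expired yet still reported as MONITORING, like the dirsrv Server-Cert in the sample, is the pattern the original post shows, and the script puts the CA-side certificates above it because that is the dependency Rob points at: until those are renewed, renewal of the service certificates cannot succeed.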