[Freeipa-users] renewing cert and migrating free-ipa 3.1
Umarzuki Mochlis
2017-03-03 05:20:57 UTC
httpd failed to start even with "NSSEnforceValidCerts off" in
/etc/httpd/conf.d/nss.conf. It used to work for a while, since we use this
only for Zimbra, but today it won't start anymore.

We are not using commercial certs, so which steps should I follow to
renew the certs?

It seems the CA has expired more than 2 weeks ago.

# ipa-getcert list
Number of certificates and requests being tracked: 7.
Request ID '20130112120232':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
stuck: yes
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DOMAIN-COM-MY/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DOMAIN.COM.MY
subject: CN=ipa.domain.com.my,O=DOMAIN.COM.MY
expires: 2016-12-16 16:18:27 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DOMAIN-COM-MY
track: yes
auto-renew: yes
Request ID '20130112120734':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
stuck: yes
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DOMAIN.COM.MY
subject: CN=ipa.domain.com.my,O=DOMAIN.COM.MY
expires: 2016-12-16 16:18:27 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes

# rpm -qa | grep ipa
freeipa-admintools-3.1.0-2.fc18.x86_64
freeipa-server-3.1.0-2.fc18.x86_64
libipa_hbac-python-1.9.3-1.fc18.x86_64
python-iniparse-0.4-6.fc18.noarch
freeipa-client-3.1.0-2.fc18.x86_64
freeipa-server-selinux-3.1.0-2.fc18.x86_64
freeipa-python-3.1.0-2.fc18.x86_64
libipa_hbac-1.9.3-1.fc18.x86_64
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Umarzuki Mochlis
2017-03-03 13:20:41 UTC
At first ipa-getcert list shows a certificate error

ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).

but after I changed the ipa server's date to before the expiry date, it shows

ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: couldn't connect to host).

When I tried to start ipa with "service ipa start", all services would
fail, so I needed to start them one by one:

systemctl start ***@DOMAIN-COM-MY.service
systemctl status ***@DOMAIN-COM-MY.service
systemctl start krb5kdc.service
systemctl status krb5kdc.service
systemctl start kadmin.service
systemctl status kadmin.service
systemctl start ipa_memcached.service
systemctl status ipa_memcached.service
systemctl start pki-***@pki-tomcat.service
systemctl status pki-***@pki-tomcat.service


# tail /var/log/messages
Jan 3 17:32:26 ipa systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Jan 3 17:32:29 ipa systemd[1]: Started PKI Tomcat Server pki-tomcat.
Jan 3 17:33:08 ipa certmonger[476]: 2016-01-03 17:33:08 [476] Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: couldn't connect to host).
Jan 3 17:33:12 ipa certmonger[476]: 2016-01-03 17:33:12 [476] Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: couldn't connect to host).
Rob Crittenden
2017-03-03 14:55:56 UTC
You want to use the getcert command, not ipa-getcert, to see the CA
subsystem certificates.

What you should do is: getcert list |grep expires

Find a date/time that fits into a period where all certs are valid and
go back in time to then (after stopping ntpd).

That will hopefully fix the ipactl start issue.

Once IPA is restarted, restart certmonger.

rob
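As an added example that is not from the thread: a small Python parser for `getcert list` output that pulls out the stuck requests and the earliest expiry, then derives the clock value Rob describes, kept just before the first expiry rather than months earlier (the sample input is constructed from the request blocks quoted in this thread, with a placeholder realm).

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the thread's getcert output (placeholder
# realm). Real getcert indents the fields with a tab; the parser strips it.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 3.
Request ID '20130112120229':
\tstatus: MONITORING
\tstuck: no
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=IPA RA,O=EXAMPLE.TEST
\texpires: 2016-11-24 16:18:25 UTC
Request ID '20130112120232':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
\tstuck: yes
\tCA: IPA
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2016-12-16 16:18:27 UTC
Request ID '20130112120734':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tCA: IPA
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2016-12-16 16:18:27 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")


def parse_utc(value):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' stamp into an aware datetime."""
    if value.endswith(" UTC"):
        value = value[:-4]
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Split `getcert list` output into [{'id': ..., 'fields': {...}}, ...]."""
    requests = []
    for raw in text.splitlines():
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m:
            requests.append({"id": m.group(1), "fields": {}})
            continue
        if not requests or ":" not in line:
            continue  # header line, or not a 'key: value' field
        key, _, value = line.partition(":")
        requests[-1]["fields"][key.strip()] = value.strip()
    return requests


def stuck_requests(requests):
    """IDs certmonger has stopped retrying ('stuck: yes')."""
    return [r["id"] for r in requests if r["fields"].get("stuck") == "yes"]


def earliest_expiry(requests):
    """The first 'expires' stamp across all tracked certs; in this thread the
    CA subsystem certs expire before the server certs they issued."""
    return min(parse_utc(r["fields"]["expires"]) for r in requests)


def rollback_target(requests, now, margin=timedelta(days=1)):
    """Clock value at which every tracked cert is still valid, or None when
    the clock is already inside that window. Kept just before the first
    expiry: the rolled-back date becomes notBefore of the renewed certs, so
    going back further than needed shortens their useful lifetime."""
    first = earliest_expiry(requests)
    if now < first:
        return None
    return first - margin


def report(text, now):
    """Summary a practitioner would want before touching the clock."""
    reqs = parse_getcert_list(text)
    target = rollback_target(reqs, now)
    return {
        "tracked": len(reqs),
        "stuck": stuck_requests(reqs),
        "earliest_expiry": earliest_expiry(reqs).isoformat(),
        "rollback_to": target.isoformat() if target else None,
    }


if __name__ == "__main__":
    print(report(SAMPLE_GETCERT, parse_utc("2017-03-03 05:20:57 UTC")))
```

On a live server feed it the output of `getcert list` (not `ipa-getcert list`) so the CA subsystem certs are included in the minimum.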
Umarzuki Mochlis
2017-04-18 08:36:24 UTC
Now users are complaining that passwords that have been reset cannot be
used to log in.

I also tried resubmitting with getcert, but 2 resubmits failed:
[***@ipa ~]# getcert list
Number of certificates and requests being tracked: 7.
Request ID '20130112120226':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='932018712055'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=DOA.GOV.MY
subject: CN=CA Audit,O=DOA.GOV.MY
expires: 2016-11-24 16:19:25 UTC
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20130112120227':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='932018712055'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=DOA.GOV.MY
subject: CN=OCSP Subsystem,O=DOA.GOV.MY
expires: 2016-11-24 16:18:25 UTC
eku: id-kp-OCSPSigning
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20130112120228':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='932018712055'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=DOA.GOV.MY
subject: CN=CA Subsystem,O=DOA.GOV.MY
expires: 2016-11-24 16:18:25 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20130112120229':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=DOA.GOV.MY
subject: CN=IPA RA,O=DOA.GOV.MY
expires: 2016-11-24 16:18:25 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20130112120230':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='932018712055'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=DOA.GOV.MY
subject: CN=ipa.domain.com.my,O=DOA.GOV.MY
expires: 2016-11-24 16:18:25 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20130112120232':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)).
stuck: yes
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DOMAIN-COM-MY/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM-MY',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DOA.GOV.MY
subject: CN=ipa.domain.com.my,O=DOA.GOV.MY
expires: 2016-12-16 16:18:27 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DOMAIN-COM-MY
track: yes
auto-renew: yes
Request ID '20130112120734':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)).
stuck: yes
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DOA.GOV.MY
subject: CN=ipa.domain.com.my,O=DOA.GOV.MY
expires: 2016-12-16 16:18:27 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes

What are my options?
Umarzuki Mochlis
2017-04-18 08:38:25 UTC
Please ignore that domain, because I did not mask it properly.
Umarzuki Mochlis
2017-04-18 08:46:18 UTC
Below are lines from the httpd error log:

[Thu Feb 18 16:28:06.351007 2016] [:error] [pid 310] ipa: INFO: ***@DOMAIN.COM.MY: user_find(u'yusma', sizelimit=0, pkey_only=True): SUCCESS
[Thu Feb 18 16:28:06.400453 2016] [:error] [pid 311] ipa: INFO: ***@DOMAIN.COM.MY: batch: user_show(u'nisa', all=True): SUCCESS
[Thu Feb 18 16:28:06.412753 2016] [:error] [pid 311] ipa: INFO: ***@DOMAIN.COM.MY: batch: user_show(u'noryusmaniza', all=True): SUCCESS
[Thu Feb 18 16:28:06.428103 2016] [:error] [pid 311] ipa: INFO: ***@DOMAIN.COM.MY: batch: user_show(u'yusmayusof', all=True): SUCCESS
[Thu Feb 18 16:28:06.428335 2016] [:error] [pid 311] ipa: INFO: ***@DOMAIN.COM.MY: batch(({u'params': [[u'nisa'], {u'all': True}], u'method': u'user_show'}, {u'params': [[u'noryusmaniza'], {u'all': True}], u'method': u'user_show'}, {u'params': [[u'yusmayusof'], {u'all': True}], u'method': u'user_show'})): SUCCESS
[Thu Feb 18 16:28:09.254484 2016] [:error] [pid 310] ipa: INFO: ***@DOMAIN.COM.MY: batch: user_show(u'yusmayusof', rights=True, all=True): SUCCESS
[Thu Feb 18 16:28:09.308107 2016] [:error] [pid 310] ipa: INFO: ***@DOMAIN.COM.MY: batch: pwpolicy_show(None, rights=True, user=u'yusmayusof', all=True): SUCCESS
[Thu Feb 18 16:28:09.416227 2016] [:error] [pid 310] ipa: INFO: ***@DOMAIN.COM.MY: batch: krbtpolicy_show(u'yusmayusof', rights=True, all=True): SUCCESS
[Thu Feb 18 16:28:09.416483 2016] [:error] [pid 310] ipa: INFO: ***@DOMAIN.COM.MY: batch(({u'params': [[u'yusmayusof'], {u'all': True, u'rights': True}], u'method': u'user_show'}, {u'params': [[], {u'all': True, u'user': u'yusmayusof', u'rights': True}], u'method': u'pwpolicy_show'}, {u'params': [[u'yusmayusof'], {u'all': True, u'rights': True}], u'method': u'krbtpolicy_show'})): SUCCESS
[Thu Feb 18 16:28:09.921130 2016] [:error] [pid 311] ipa: INFO: ***@DOMAIN.COM.MY: user_find(None): SUCCESS
[Thu Feb 18 16:28:27.176668 2016] [:error] [pid 310] ipa: INFO: ***@DOMAIN.COM.MY: passwd(u'yusmayusof', u'********', None): SUCCESS
[Thu Feb 18 16:28:27.331989 2016] [:error] [pid 311] ipa: INFO: ***@DOMAIN.COM.MY: batch: user_show(u'yusmayusof', rights=True, all=True): SUCCESS
[Thu Feb 18 16:28:27.382532 2016] [:error] [pid 311] ipa: INFO: ***@DOMAIN.COM.MY: batch: pwpolicy_show(None, rights=True, user=u'yusmayusof', all=True): SUCCESS
[Thu Feb 18 16:28:27.486929 2016] [:error] [pid 311] ipa: INFO: ***@DOMAIN.COM.MY: batch: krbtpolicy_show(u'yusmayusof', rights=True, all=True): SUCCESS
[Thu Feb 18 16:28:27.487178 2016] [:error] [pid 311] ipa: INFO: ***@DOMAIN.COM.MY: batch(({u'params': [[u'yusmayusof'], {u'all': True, u'rights': True}], u'method': u'user_show'}, {u'params': [[], {u'all': True, u'user': u'yusmayusof', u'rights': True}], u'method': u'pwpolicy_show'}, {u'params': [[u'yusmayusof'], {u'all': True, u'rights': True}], u'method': u'krbtpolicy_show'})): SUCCESS
[Thu Feb 18 16:28:27.969435 2016] [:error] [pid 310] ipa: INFO: ***@DOMAIN.COM.MY: user_find(None): SUCCESS
[Thu Feb 18 16:29:22.017394 2016] [:error] [pid 311] ipa: INFO: ***@DOMAIN.COM.MY: passwd(u'yusmayusof', u'********', None): SUCCESS
[Thu Feb 18 16:29:22.169817 2016] [:error] [pid 310] ipa: INFO: ***@DOMAIN.COM.MY: batch: user_show(u'yusmayusof', rights=True, all=True): SUCCESS
[Thu Feb 18 16:29:22.221379 2016] [:error] [pid 310] ipa: INFO: ***@DOMAIN.COM.MY: batch: pwpolicy_show(None, rights=True, user=u'yusmayusof', all=True): SUCCESS
[Thu Feb 18 16:29:22.325846 2016] [:error] [pid 310] ipa: INFO: ***@DOMAIN.COM.MY: batch: krbtpolicy_show(u'yusmayusof', rights=True, all=True): SUCCESS
[Thu Feb 18 16:29:22.326098 2016] [:error] [pid 310] ipa: INFO: ***@DOMAIN.COM.MY: batch(({u'params': [[u'yusmayusof'], {u'all': True, u'rights': True}], u'method': u'user_show'}, {u'params': [[], {u'all': True, u'user': u'yusmayusof', u'rights': True}], u'method': u'pwpolicy_show'}, {u'params': [[u'yusmayusof'], {u'all': True, u'rights': True}], u'method': u'krbtpolicy_show'})): SUCCESS
[Thu Feb 18 16:29:22.801354 2016] [:error] [pid 311] ipa: INFO: ***@DOMAIN.COM.MY: user_find(None): SUCCESS
[Thu Feb 18 16:31:55.029022 2016] [:error] [pid 310] ipa: ERROR: AuthManager.logout.xmlserver_session: session_data does not contain ccache_data
[Thu Feb 18 16:31:55.029222 2016] [:error] [pid 310] ipa: INFO: ***@DOMAIN.COM.MY: session_logout(): SUCCESS
[Thu Feb 18 16:35:35.585717 2016] [:error] [pid 377] SSL Library Error: -12195 Peer does not recognize and trust the CA that issued your certificate
[Thu Feb 18 16:36:59.015795 2016] [auth_kerb:error] [pid 377] [client 10.19.82.43:54553] gss_accept_sec_context() failed: No credentials were supplied, or the credentials were unavailable or inaccessible (, Unknown error), referer: https://ipa.domain.com.my/ipa/ui/
[***@ipa ~]# date
Thu Feb 18 16:37:19 MYT 2016
Rob Crittenden
2017-04-18 14:07:20 UTC
Post by Umarzuki Mochlis
Now users are complaining that passwords that have been reset cannot be
used to log in.
Passwords are completely unrelated to expired certificates.

Wow, this is really quite an old install.

The error message about communicating with CMS suggests that the CA
isn't really up. The dogtag debug log may contain more details on that.

What is the output when you use ipactl to restart the services? I have
the feeling it is catching an error that your manual restart is not.

I'd also not set the date back so far. It won't hurt but it will be the
starting date for new certificates so you'd be cheating yourself out of
8 or so months.

I'd also look at the RA agent cert to be sure it is currently correct:

$ ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca description

$ certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial

The description field from the ldapsearch has the format:

2;<serial number>;<issuer subject>;<subject>

The serial numbers should match. Don't do anything if they don't, just
report back the result.

rob
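An added example (not Rob's code) that implements the comparison he describes: it parses the uid=ipara description field and the certutil serial line and reports whether the two serials agree. The two sample outputs are constructed with a placeholder realm; the parser also handles certutil's multi-line colon-separated hex form, which NSS prints for large serials.

```python
import re

# Constructed sample outputs for the two commands in Rob's reply, using a
# placeholder realm rather than the thread's domain.
SAMPLE_LDAP_DESCRIPTION = (
    "2;7;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE.TEST"
)
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=EXAMPLE.TEST"
"""

SERIAL_LINE_RE = re.compile(r"^\s*Serial Number:\s*(.*)$")
SHORT_SERIAL_RE = re.compile(r"^(\d+)\s*\((0x[0-9a-fA-F]+)\)$")
HEX_BYTES_RE = re.compile(r"^\s*(?:[0-9a-fA-F]{2}:?)+\s*$")


def parse_ra_description(desc):
    """Split the uid=ipara description '2;<serial>;<issuer>;<subject>'.
    Assumes the two DNs contain no ';', so a 4-way split is enough."""
    parts = desc.strip().split(";", 3)
    if len(parts) != 4 or parts[0] != "2":
        raise ValueError("unexpected ipara description: %r" % desc)
    return {"serial": int(parts[1]), "issuer": parts[2], "subject": parts[3]}


def parse_certutil_serial(text):
    """Return the serial printed by `certutil -L -d <db> -n <nick>` as an int.
    Small serials appear as 'Serial Number: 7 (0x7)'; large ones as a bare
    'Serial Number:' line followed by colon-separated hex byte lines."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = SERIAL_LINE_RE.match(line)
        if not m:
            continue
        rest = m.group(1).strip()
        if rest:
            short = SHORT_SERIAL_RE.match(rest)
            if not short:
                raise ValueError("unrecognised serial line: %r" % line)
            dec, hx = int(short.group(1)), int(short.group(2), 16)
            if dec != hx:
                raise ValueError("decimal and hex serial disagree: %r" % line)
            return dec
        hex_bytes = []
        for cont in lines[i + 1:]:
            if not HEX_BYTES_RE.match(cont):
                break
            hex_bytes.append(cont.strip().replace(":", ""))
        if not hex_bytes:
            raise ValueError("empty Serial Number block")
        return int("".join(hex_bytes), 16)
    raise ValueError("no Serial Number line in certutil output")


def ra_cert_matches(ldap_description, certutil_text):
    """Rob's check: the serial LDAP records for the RA agent must equal the
    serial of ipaCert in /etc/httpd/alias. Returns (ok, detail)."""
    ra = parse_ra_description(ldap_description)
    nss_serial = parse_certutil_serial(certutil_text)
    detail = {
        "ldap_serial": ra["serial"],
        "nss_serial": nss_serial,
        "ra_subject": ra["subject"],
    }
    return ra["serial"] == nss_serial, detail


if __name__ == "__main__":
    print(ra_cert_matches(SAMPLE_LDAP_DESCRIPTION, SAMPLE_CERTUTIL_OUTPUT))
```

A mismatch is the finding to report back, as Rob asks; the script changes nothing on the server.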