On 06/27/2018 07:02 AM, Thomas Letherby via FreeIPA-users wrote:
After some more fiddling with dates I seem to have the HTTPD cert in sync; however, it appears the cert signing cert is expired.
named also says it's starting, but doesn't seem to want to respond.
I don't have time to dig into it more tonight, but let me know what other information or tests I can run and I'll get them posted tomorrow.
Thanks all.
Thomas
On Mon, Jun 25, 2018 at 5:11 PM Thomas Letherby <xrs444(a)xrs444.net> wrote:
Hello,
I think this is everything (domain name changed to protect the guilty!):
https://pastebin.com/bF1KR7VJ
Hi Thomas,
in the provided pastebin, the error 'certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format' can be easily explained: there is a typo in the directory path.
You can try with
certutil -d /etc/pki/pki-tomcat/alias -L -n <nickname>
(note the pki-tomcat instead of pki-tomcat*d*).
You mention that the cert signing cert is expired; can you clarify which certificate this is? Please provide the subject name, certificate nickname and location.
Flo
I pulled the same on the replica, which appears to be playing up too in a similar fashion.
I did just notice the date on the replica is out; I never set it back when I was trying to get the cert to renew.
Let me know if you need anything else.
Thanks,
Thomas
On Sun, Jun 24, 2018 at 8:43 PM Fraser Tweedale <ftweedal(a)redhat.com> wrote:
On Fri, Jun 22, 2018 at 11:16:21PM -0700, Thomas Letherby via FreeIPA-users wrote:
> Hello all,
> I had an issue a short while ago with a replica which turned out to be an expired certificate which I renewed and all seemed good.
>
> Seemed...
>
> It now appears that although the certificate renewed as seen by getcert -list, it didn't update /etc/httpd/alias and so the httpd and tomcat-pki services won't start unless I set the date to before the certificate expired, and even then sometimes the httpd error_log shows:
> Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
> and the service fails to start.
>
Hi Thomas,
Can you please show `getcert list` output on the server in question, as well as the output of
certutil -d /etc/httpd/alias -L Server-Cert
and
certutil -d /etc/pki/pki-tomcatd/alias -L <nickname>
for each nickname in the /etc/pki/pki-tomcatd/alias NSSDB.
And Certmonger journal output. And pki debug log /var/log/pki/pki-tomcat/ca/debug.
It is strange that `getcert list` shows an up to date certificate while the actual certificate that is being tracked is expired...
Thanks,
Fraser
> I've tried resubmitting the certificate, and it doesn't seem to throw an error, but it doesn't update /alias either.
> Trying to access the server via the web page shows the old certificate still in use.
> I see the same certificate error with the replica server, which was freshly rebuilt and added last week.
> I've doubtless dug further into the hole trying to troubleshoot this, so I probably need to start from the beginning again, and a pointer in the right direction would be a great help!
>
> A getcert list shows all the certificates' expiry dates well into the future.
>
> How can I get the certs back in sync? I've found a few guides and most seem to be for earlier versions, and I'm not sure if they're still current.
>
> I can post whatever logs you think will help; I'm afraid I'm not familiar enough with them all to tell which are the most relevant. Is there a guide for the logs?
>
> Thanks for any help you can give,
>
> Thomas
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
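A check for the mismatch Fraser calls strange (certmonger reporting a renewed certificate while the NSS database still holds the expired copy), written as an added example that is not part of this thread: it parses the expiry out of `getcert list` output and the "Not After" out of `certutil -L -n` output and compares the two. The two sample outputs are constructed stand-ins for the real commands, and the script assumes both tools print timestamps in UTC.

```shell
#!/bin/sh
# Added example, not from the thread. Compares the expiry certmonger reports
# for a nickname with the expiry of the certificate actually stored in the
# NSSDB. Real inputs: `getcert list` and `certutil -d /etc/httpd/alias -L -n
# Server-Cert`; the samples below are constructed stand-ins (UTC assumed).
GETCERT_SAMPLE=$(cat <<'EOF'
Request ID '20180622000000':
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
        expires: 2020-06-20 10:00:00 UTC
EOF
)
CERTUTIL_SAMPLE=$(cat <<'EOF'
            Not After : Fri Jun 22 10:00:00 2018
EOF
)
# Normalise "2020-06-20 10:00:00 UTC" (getcert) or "Fri Jun 22 10:00:00 2018"
# (certutil) to a sortable YYYYMMDDHHMMSS string without GNU date.
to_key() {
    s=$1; set -- $s
    case "$s" in
        [0-9][0-9][0-9][0-9]-*) printf '%s%s\n' "$1" "$2" | tr -d ':-' ;;
        *) case "$2" in Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;;
               Jun) m=06;; Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;;
               Nov) m=11;; Dec) m=12;; *) m=00;; esac
           printf '%s%s%02d%s\n' "$5" "$m" "$3" "$(printf %s "$4" | tr -d :)" ;;
    esac
}
# Expiry certmonger reports for nickname $2 in `getcert list` output $1.
getcert_expires() {
    printf '%s\n' "$1" | awk -v nick="nickname='$2'" '
        /^Request ID/ { hit = 0 }
        index($0, nick) { hit = 1 }
        hit && /expires:/ { sub(/^[ \t]*expires: /, ""); print; exit }'
}
# "Not After" of the certificate certutil -L -n actually finds in the NSSDB.
nss_not_after() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Not After *: *//p'
}
# 0 = both agree, 1 = NSSDB copy differs from what certmonger tracks, 2 = unparsable.
check_sync() {
    tracked=$(getcert_expires "$1" "$3"); stored=$(nss_not_after "$2")
    [ -n "$tracked" ] && [ -n "$stored" ] || { echo "cannot parse input" >&2; return 2; }
    [ "$(to_key "$tracked")" = "$(to_key "$stored")" ] && { echo "OK: $3 expiry agrees ($stored)"; return 0; }
    echo "MISMATCH: certmonger says $3 expires $tracked, NSSDB copy expires $stored"; return 1
}
check_sync "$GETCERT_SAMPLE" "$CERTUTIL_SAMPLE" Server-Cert || echo "status: $?"
```

On a live server, pass `"$(getcert list)"` and `"$(certutil -d /etc/httpd/alias -L -n Server-Cert)"` in place of the samples; a status of 1 is the situation described in the thread.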