On 08/29/2017 04:09 PM, Julien Honore via FreeIPA-users wrote:
Hi,
I have an issue with my freeipa server.
The certificates expired and I can't resubmit.
I put the date before the expiration of the certs.
The result of ipa-getcert list :
Number of certificates and requests being tracked: 8.
Request ID '20150805183502':
status: MONITORING
ca-error: Error setting up ccache for "host" service on client using
default keytab: Clients credentials have been revoked.
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-VIT-LAN',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-VIT-LAN/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-VIT-LAN',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=VIT.LAN
subject: CN=auth0.vit.lan,O=VIT.LAN
expires: 2017-08-05 18:35:02 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150805183539':
status: MONITORING
ca-error: Error setting up ccache for "host" service on client using
default keytab: Clients credentials have been revoked.
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=VIT.LAN
subject: CN=auth0.vit.lan,O=VIT.LAN
expires: 2017-08-05 18:35:39 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150805183647':
status: MONITORING
ca-error: Error setting up ccache for "host" service on client using
default keytab: Clients credentials have been revoked.
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=VIT.LAN
subject: CN=auth0.vit.lan,O=VIT.LAN
expires: 2017-08-05 18:36:47 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
If someone can help me with this issue, it will be very helpful.
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
ADTRUST Service: RUNNING
EXTID Service: RUNNING
FreeIPA v3.
Thank you
Julien Honore
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Hi,
I have very little experience with IPA v3, but let's try anyway... If
things didn't change too much, certmonger's IPA helper is using
/etc/krb5.keytab to connect to IPA server. Can you check if this keytab
is still valid using
$ sudo kinit -kt /etc/krb5.keytab
If the operation fails, this is probably the root cause of your issue.
The utility ipa-getkeytab will allow you to get the host keytab (with
the --retrieve option and --principal=host/$HOSTNAME@$DOMAINNAME).
HTH,
Flo
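To turn the check Flo describes into something repeatable, here is an added triage script (my own example, not code from the thread or from the FreeIPA project). It reads `ipa-getcert list` output, reports which tracked requests carry the "Error setting up ccache for "host" service" ca-error, then tests the host keytab with `kinit -kt` against a throwaway credential cache so nothing in the user's default cache is touched. The sample listing embedded below is constructed to mirror the poster's output (three requests, two of them failing); the `KEYTAB` path and the `--run` switch are my assumptions, and the closing `ipa-getkeytab` line is printed as a suggestion with placeholders rather than executed.

```shell
#!/bin/sh
# Added example (not from the thread): triage certmonger requests whose IPA
# helper cannot get a ticket because the host keytab no longer works.
# Assumes ipa-getcert, kinit and klist are on PATH when run with --run.

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"   # assumption: default host keytab path

# Constructed sample of `ipa-getcert list` output, reduced to the fields used.
SAMPLE_GETCERT_OUTPUT=$(cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20150805183502':
    status: MONITORING
    ca-error: Error setting up ccache for "host" service on client using default keytab: Clients credentials have been revoked.
    stuck: no
    subject: CN=auth0.vit.lan,O=VIT.LAN
Request ID '20150805183539':
    status: MONITORING
    ca-error: Error setting up ccache for "host" service on client using default keytab: Clients credentials have been revoked.
    stuck: no
    subject: CN=auth0.vit.lan,O=VIT.LAN
Request ID '20150805183647':
    status: MONITORING
    stuck: no
    subject: CN=auth0.vit.lan,O=VIT.LAN
EOF
)

# Print the Request ID of every tracked request whose ca-error shows the
# IPA helper failing to obtain a ticket from the host keytab (stdin -> stdout).
keytab_error_requests() {
    awk '
        /^Request ID/ { gsub(/[^0-9]/, "", $3); id = $3 }
        /ca-error:.*ccache for "host" service/ { print id }
    '
}

# Try to get a ticket from the keytab into a temporary ccache.
# Returns 0 if the keytab works, 1 if the KDC rejects it (e.g. revoked or
# rotated credentials), 2 if the check could not be performed at all.
check_keytab() {
    keytab="$1"
    if ! command -v kinit >/dev/null 2>&1; then
        echo "kinit not found; cannot test $keytab" >&2
        return 2
    fi
    [ -r "$keytab" ] || { echo "$keytab missing or unreadable" >&2; return 2; }
    # First principal listed by klist -k, e.g. host/auth0.vit.lan@VIT.LAN
    princ=$(klist -k "$keytab" | awk '/@/ { print $2; exit }')
    ccache=$(mktemp)
    if KRB5CCNAME="FILE:$ccache" kinit -kt "$keytab" "$princ" 2>"$ccache.err"; then
        rm -f "$ccache" "$ccache.err"
        return 0
    fi
    cat "$ccache.err" >&2
    rm -f "$ccache" "$ccache.err"
    return 1
}

main() {
    ids=$(ipa-getcert list | keytab_error_requests)
    if [ -z "$ids" ]; then
        echo "No tracked request reports a host-keytab ccache error."
        return 0
    fi
    echo "Requests failing on the host keytab:"
    printf '  %s\n' $ids
    if check_keytab "$KEYTAB"; then
        echo "$KEYTAB still obtains a ticket; the keytab is not the root cause."
    else
        echo "$KEYTAB does not obtain a ticket; re-fetch it as suggested in the thread:"
        echo "  ipa-getkeytab --retrieve -s <IPA_SERVER> -p host/$(hostname -f)@<REALM> -k $KEYTAB"
        echo "then run: ipa-getcert resubmit -i <REQUEST_ID> for each request above."
    fi
}

[ "${1:-}" = "--run" ] && main
```

Run it as `sudo sh triage.sh --run` on the IPA server. A return of 1 from `check_keytab` corresponds to the failing `kinit -kt` Flo describes; a return of 2 means the script could not test the keytab (missing file or missing Kerberos tools) and says nothing about its validity.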