Having Cert issues on a CentOS 6 IPA 3 server

ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)

ipa config-mod --enable-migration=TRUE
ipa: ERROR: cannot connect to u'https://lax4ipa01.mia.bill1st.local/ipa/xml': (SSL_ERROR_BAD_CERT_DOMAIN) Unable to communicate securely with peer: requested domain name does not match the server's certificate.

Old server, pretty much can't register any new clients to it. Willing to pay for support for migration help.

Version/Release/Distribution

ipa-server-3.0.0-47.el6.centos.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-3.0.0-47.el6.centos.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-admintools-3.0.0-47.el6.centos.x86_64
ipa-server-selinux-3.0.0-47.el6.centos.x86_64
device-mapper-multipath-0.4.9-87.el6.x86_64
libipa_hbac-1.12.4-47.el6.x86_64
libipa_hbac-python-1.12.4-47.el6.x86_64
device-mapper-multipath-libs-0.4.9-87.el6.x86_64
sssd-ipa-1.12.4-47.el6.x86_64
ipa-client-3.0.0-47.el6.centos.x86_64

root@lax4ipa01.mia.bill1st:~$ cat /etc/ipa/ca.crt
root@lax4ipa01.mia.bill1st:~$ certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
ipaCert                                                      u,u,u
MIA.BILL1ST.LOCAL IPA CA                                     CT,C,C

getcert list
Number of certificates and requests being tracked: 8.
Request ID '20141125183905':
    status: MONITORING
    ca-error: Internal error: no response to "http://lax4ipa01.mia.bill1st.local:9180/ca/ee/ca/profileSubmit?profileId=caS...".
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
    subject: CN=CA Audit,O=MIA.BILL1ST.LOCAL
    expires: 2018-10-08 17:15:13 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20141125183906':
    status: MONITORING
    ca-error: Internal error: no response to "http://lax4ipa01.mia.bill1st.local:9180/ca/ee/ca/profileSubmit?profileId=caS...".
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
    subject: CN=OCSP Subsystem,O=MIA.BILL1ST.LOCAL
    expires: 2018-10-08 17:14:13 UTC
    eku: id-kp-OCSPSigning
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20141125183907':
    status: MONITORING
    ca-error: Internal error: no response to "http://lax4ipa01.mia.bill1st.local:9180/ca/ee/ca/profileSubmit?profileId=caS...".
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
    subject: CN=CA Subsystem,O=MIA.BILL1ST.LOCAL
    expires: 2018-10-08 17:14:13 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20141125183908':
    status: MONITORING
    ca-error: Internal error: no response to "http://lax4ipa01.mia.bill1st.local:9180/ca/ee/ca/profileSubmit?profileId=caS...".
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
    subject: CN=IPA RA,O=MIA.BILL1ST.LOCAL
    expires: 2018-10-08 17:14:13 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20141125183909':
    status: MONITORING
    ca-error: Internal error: no response to "http://lax4ipa01.mia.bill1st.local:9180/ca/ee/ca/profileSubmit?profileId=caS...".
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
    subject: CN=lax4ipa01.mia.bill1st.local,O=MIA.BILL1ST.LOCAL
    expires: 2018-10-08 17:14:13 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20141125183922':
    status: CA_UNREACHABLE
    ca-error: Server at https://lax4ipa01.mia.bill1st.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MIA-BILL1ST-LOCAL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MIA-BILL1ST-LOCAL/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-MIA-BILL1ST-LOCAL',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
    subject: CN=lax4ipa01.mia.bill1st.local,O=MIA.BILL1ST.LOCAL
    expires: 2018-10-30 17:14:19 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv MIA-BILL1ST-LOCAL
    track: yes
    auto-renew: yes
Request ID '20141125183953':
    status: CA_UNREACHABLE
    ca-error: Server at https://lax4ipa01.mia.bill1st.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
    subject: CN=lax4ipa01.mia.bill1st.local,O=MIA.BILL1ST.LOCAL
    expires: 2018-10-30 17:14:22 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
    track: yes
    auto-renew: yes
Request ID '20141125184220':
    status: CA_UNREACHABLE
    ca-error: Server at https://lax4ipa01.mia.bill1st.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
    subject: CN=lax4ipa01.lax.bill1st.local,O=MIA.BILL1ST.LOCAL
    expires: 2019-05-03 14:41:19 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
root@lax4ipa01.mia.bill1st:~$
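
One way to triage `getcert list` output like the listing above, as an added example that is not part of the original post: it parses each tracked request and reports a status other than MONITORING, a ca-error, an expiry in the past, and a host certificate whose subject CN differs from the server name. The function names, the `host` and `now` parameters and the abridged sample are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample: two records abridged from the `getcert list` output above.
SAMPLE = """\
Request ID '20141125183905':
    status: MONITORING
    ca-error: Internal error: no response to CA request.
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    subject: CN=CA Audit,O=MIA.BILL1ST.LOCAL
    expires: 2018-10-08 17:15:13 UTC
Request ID '20141125184220':
    status: CA_UNREACHABLE
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    subject: CN=lax4ipa01.lax.bill1st.local,O=MIA.BILL1ST.LOCAL
    expires: 2019-05-03 14:41:19 UTC
"""

def parse_getcert(text):
    """Return one dict per 'Request ID' block, keyed by field name."""
    records = []
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"Request ID '([^']+)':$", line)
        if m:
            records.append({"id": m.group(1)})
        elif records and ":" in line:
            key, _, value = line.partition(":")
            records[-1][key.strip()] = value.strip()
    return records

def audit(text, host, now):
    """Map request ID -> list of problems; host and now are caller-supplied."""
    report = {}
    for rec in parse_getcert(text):
        problems = []
        if rec.get("status") != "MONITORING":
            problems.append("status=" + rec.get("status", "?"))
        if rec.get("ca-error"):
            problems.append("ca-error")
        exp = rec.get("expires")
        if exp and datetime.strptime(exp, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc) <= now:
            problems.append("expired")
        # Only host certificates (nickname starting 'Server-Cert') carry the FQDN as CN.
        nick = re.search(r"nickname='([^']+)'", rec.get("certificate", ""))
        cn = re.match(r"CN=([^,]+)", rec.get("subject", ""))
        if nick and cn and nick.group(1).startswith("Server-Cert") and cn.group(1).lower() != host.lower():
            problems.append("cn-mismatch:" + cn.group(1))
        report[rec["id"]] = problems
    return report
```

The check compares only the subject CN, because the `getcert list` output above shows no subjectAltName entries to compare against.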