On 06/27/2018 07:02 AM, Thomas Letherby via FreeIPA-users wrote:
> After some fiddling with dates some more I seem to have the HTTPD cert
> in sync; however, it appears the cert signing cert is expired.
>
> named also says it's starting, but doesn't seem to want to respond.
>
> I don't have time to dig into it more tonight, but let me know what
> other information or tests I can run and I'll get them posted tomorrow.
>
> Thanks all.
>
> Thomas
>
> On Mon, Jun 25, 2018 at 5:11 PM Thomas Letherby <xrs444@xrs444.net> wrote:
>
> Hello,
>
> I think this is everything (domain name changed to protect the
> guilty!):
>
> https://pastebin.com/bF1KR7VJ
>
Hi Thomas,
in the provided pastebin, the error 'certutil: function failed:
SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old,
unsupported format' can be easily explained: there is a typo in the
directory path.
You can try with certutil -d /etc/pki/pki-tomcat/alias -L -n <nickname>
(note the pki-tomcat instead of pki-tomcat*d*).
You mention that the cert signing cert is expired; can you clarify which
certificate this is? Please provide the subject name, certificate
nickname and location.
Flo
> I pulled the same on the replica, which appears to be playing up too
> in a similar fashion.
>
> I did just notice the date on the replica is out; I never set it
> back when I was trying to get the cert to renew.
>
> Let me know if you need anything else.
>
> Thanks,
>
> Thomas
>
> On Sun, Jun 24, 2018 at 8:43 PM Fraser Tweedale <ftweedal@redhat.com> wrote:
>
> On Fri, Jun 22, 2018 at 11:16:21PM -0700, Thomas Letherby via FreeIPA-users wrote:
> > Hello all,
> > I had an issue a short while ago with a replica which turned out to be an
> > expired certificate which I renewed and all seemed good.
> >
> > Seemed...
> >
> > It now appears that although the certificate renewed as seen by getcert
> > -list, it didn't update /etc/httpd/alias and so the httpd and tomcat-pki
> > services won't start unless I set the date to before the certificate
> > expired, and even then sometimes the httpd error_log shows:
> > Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off"
> > to nss.conf so the server can start until the problem can be resolved.
> > and the service fails to start.
> >
> >
> Hi Thomas,
>
> Can you please show `getcert list` output on the server in question,
> as well as the output of
>
> certutil -d /etc/httpd/alias -L Server-Cert
>
> and
>
> certutil -d /etc/pki/pki-tomcatd/alias -L <nickname>
>
> for each nickname in the /etc/pki/pki-tomcatd/alias NSSDB.
>
> And Certmonger journal output. And pki debug log
> /var/log/pki/pki-tomcat/ca/debug.
>
> It is strange that `getcert list` shows an up to date certificate
> while the actual certificate that is being tracked is expired...
>
> Thanks,
> Fraser
>
> > I've tried resubmitting the certificate, and it doesn't seem to throw an
> > error, but it doesn't update /alias either.
> > Trying to access the server via the web page shows the old certificate
> > still in use.
> > I see the same certificate error with the replica server, which was freshly
> > rebuilt and added last week.
> > I've doubtless dug further into the hole trying to troubleshoot this, so I
> > probably need to start from the beginning again, and a pointer in the right
> > direction would be a great help!
> >
> > A getcert list shows all the certificates' expiry dates well into the future.
> >
> > How can I get the certs back in sync? I've found a few guides and most seem
> > to be for earlier versions, and I'm not sure if they're still current.
> >
> > I can post whatever logs you think will help; I'm afraid I'm not familiar
> > enough with them all to tell which are the most relevant. Is there a guide
> > for the logs?
> >
> > Thanks for any help you can give,
> >
> > Thomas
>
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/CAXKCVP42DLWJQV2TAJFFCR2NG2CBO27/
>
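The diagnostic Fraser asks for above (compare what `getcert list` reports for a tracked certificate with what `certutil -d <dir> -L -n <nickname>` actually finds in the NSS database) and the path typo Flo points out can both be checked mechanically. The script below is an added example, not code from this thread or from FreeIPA/certmonger. The `getcert` and `certutil` output embedded in it is constructed sample text with made-up hostnames, dates and serial numbers; the function names, the assumption that certutil is on PATH for the live check, and the idea of testing for cert8.db/cert9.db to catch a mistyped directory are mine, not the projects'.

```python
#!/usr/bin/env python3
"""Cross-check certmonger's view of a tracked certificate against the
certificate actually stored in the NSS database it points at.

Added example, not code from the thread or from FreeIPA/certmonger.  The
getcert and certutil output embedded below is constructed sample text."""
import os
import re
import subprocess
from datetime import datetime

GETCERT_EXPIRES_FMT = "%Y-%m-%d %H:%M:%S %Z"  # getcert:  "2020-06-01 12:00:00 UTC"
CERTUTIL_DATE_FMT = "%a %b %d %H:%M:%S %Y"    # certutil: "Sat Jun 01 12:00:00 2019"

# Constructed sample: certmonger believes Server-Cert was renewed until 2020.
GETCERT_SAMPLE = """Number of certificates and requests being tracked: 1.
Request ID '20180604120000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2020-06-01 12:00:00 UTC
"""

# Constructed sample: the NSS database still holds the certificate that
# expired in 2019, i.e. the renewal never reached /etc/httpd/alias.
CERTUTIL_SAMPLE = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
        Issuer: "CN=Certificate Authority,O=EXAMPLE.TEST"
        Validity:
            Not Before: Mon Jun 04 12:00:00 2018
            Not After : Sat Jun 01 12:00:00 2019
        Subject: "CN=ipa.example.test,O=EXAMPLE.TEST"
"""


def nssdb_dir_ok(path):
    """True when PATH really contains an NSS database (cert8.db or cert9.db).
    A mistyped directory such as /etc/pki/pki-tomcatd/alias fails this check,
    which is the situation behind the SEC_ERROR_LEGACY_DATABASE message."""
    return any(os.path.isfile(os.path.join(path, f)) for f in ("cert8.db", "cert9.db"))


def parse_getcert_list(text):
    """Map (location, nickname) -> expiry for every NSSDB request in `getcert list`."""
    tracked = {}
    for block in re.split(r"^Request ID ", text, flags=re.M)[1:]:
        cert = re.search(r"^\s*certificate: type=NSSDB,location='([^']+)',nickname='([^']+)'",
                         block, re.M)
        exp = re.search(r"^\s*expires: (.+)$", block, re.M)
        if cert and exp:
            tracked[(cert.group(1), cert.group(2))] = datetime.strptime(
                exp.group(1).strip(), GETCERT_EXPIRES_FMT)
    return tracked


def parse_certutil_not_after(text):
    """Extract the 'Not After' date from `certutil -d <dir> -L -n <nickname>` output."""
    m = re.search(r"^\s*Not After\s*:\s*(.+)$", text, re.M)
    if not m:
        raise ValueError("no 'Not After' field in certutil output")
    return datetime.strptime(m.group(1).strip(), CERTUTIL_DATE_FMT)


def classify(tracked_expiry, stored_expiry, now):
    """Describe how certmonger's record relates to what is really in the NSS DB."""
    if stored_expiry < now and tracked_expiry > stored_expiry:
        return "stale: certmonger reports a renewal but the NSS DB still holds the expired cert"
    if stored_expiry < now:
        return "expired: certmonger and the NSS DB both show an expired certificate"
    if tracked_expiry != stored_expiry:
        return "mismatch: certmonger and the NSS DB disagree on the expiry date"
    return "in sync"


def live_not_after(location, nickname):
    """Read the real expiry from an NSS DB (needs certutil from nss-tools on PATH)."""
    if not nssdb_dir_ok(location):
        raise FileNotFoundError(f"{location} holds no NSS database (typo in the path?)")
    out = subprocess.run(["certutil", "-d", location, "-L", "-n", nickname],
                         capture_output=True, text=True, check=True).stdout
    return parse_certutil_not_after(out)


def check_samples(now_iso):
    """Run the comparison over the constructed samples as of NOW_ISO."""
    tracked = parse_getcert_list(GETCERT_SAMPLE)[("/etc/httpd/alias", "Server-Cert")]
    stored = parse_certutil_not_after(CERTUTIL_SAMPLE)
    return classify(tracked, stored, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    # The thread's situation, modelled with the sample dates: getcert looks
    # healthy while the database behind httpd still serves an expired cert.
    print(check_samples("2019-06-27T00:00:00"))
```

On a real server, replace the two samples with the output of `getcert list` and of `live_not_after(location, nickname)` for each tracked nickname; a "stale" result is exactly the state described in the thread, where getcert shows a future expiry but the service keeps loading the old certificate from the NSS database. Note that `nssdb_dir_ok` only catches a wrong directory; a database in an unreadable or genuinely legacy format still needs certutil's own error message to diagnose.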