On Fri, Jun 22, 2018 at 11:16:21PM -0700, Thomas Letherby via FreeIPA-users wrote:
> Hello all,
> I had an issue a short while ago with a replica which turned out to be an
> expired certificate which I renewed and all seemed good.
> Seemed...
> It now appears that although the certificate renewed as seen by getcert
> -list, it didn't update /etc/httpd/alias and so the httpd and tomcat-pki
> services won't start unless I set the date to before the certificate
> expired, and even then sometimes the httpd error_log shows:
>
> Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off"
> to nss.conf so the server can start until the problem can be resolved.
>
> and the service fails to start.
Hi Thomas,
Can you please show `getcert list` output on the server in question,
as well as the output of
certutil -d /etc/httpd/alias -L Server-Cert
and
certutil -d /etc/pki/pki-tomcatd/alias -L <nickname>
for each nickname in the /etc/pki/pki-tomcatd/alias NSSDB.
And Certmonger journal output. And pki debug log
/var/log/pki/pki-tomcat/ca/debug.
It is strange that `getcert list` shows an up to date certificate
while the actual certificate that is being tracked is expired...
Thanks,
Fraser
> I've tried resubmitting the certificate, and it doesn't seem to throw an
> error, but it doesn't update /alias either.
> Trying to access the server via the web page shows the old certificate
> still in use.
> I see the same certificate error with the replica server, which was freshly
> rebuilt and added last week.
> I've doubtless dug further into the hole trying to troubleshoot this, so I
> probably need to start from the beginning again, and a pointer in the right
> direction would be a great help!
> A getcert list shows all the certificates expiry dates well into the future.
> How can I get the certs back in sync? I've found a few guides and most seem
> to be for earlier versions, and I'm not sure if they're still current.
> I can post whatever logs you think will help, I'm afraid I'm not familiar
> enough with them all to tell which are the most relevant. Is there a guide
> for the logs?
> Thanks for any help you can give,
> Thomas
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
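The comparison Fraser asks for above (what certmonger reports versus what is actually in the NSS database) can be scripted. The following is an added example written for this thread, not code from the FreeIPA project or from either poster. It parses `getcert list` output and the text form of `certutil -d <dir> -L -n <nickname>` (the `-n` form is assumed here), pairs them by NSSDB location and nickname, and flags the symptom described in the thread: certmonger believes the certificate was renewed while the NSSDB still holds the expired one. The sample outputs, host and realm names, dates and the "now" timestamp are all constructed; certutil's validity timestamps are assumed to be UTC.

```python
"""Cross-check certmonger's view of a tracked certificate against the
certificate actually stored in the NSS database it points at."""
import re
from datetime import datetime, timezone

# Constructed sample of `getcert list` output: certmonger believes the
# Server-Cert in /etc/httpd/alias was renewed and expires in 2020.
GETCERT_LIST_SAMPLE = """\
Number of certificates and requests being tracked: 1.
Request ID '20160621100000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2020-06-20 10:00:00 UTC
\tpost-save command: /usr/libexec/ipa/certmonger/restart_httpd
\ttrack: yes
\tauto-renew: yes
"""

# Constructed sample of `certutil -d /etc/httpd/alias -L -n Server-Cert`:
# the NSSDB still holds the certificate that expired in June 2018.
CERTUTIL_SAMPLE = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12 (0xc)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=EXAMPLE.TEST"
        Validity:
            Not Before: Tue Jun 21 10:00:00 2016
            Not After : Fri Jun 22 10:00:00 2018
        Subject: "CN=ipa.example.test,O=EXAMPLE.TEST"
"""

# Map (NSSDB location, nickname) -> certutil output for that nickname.
SAMPLE_NSSDB = {("/etc/httpd/alias", "Server-Cert"): CERTUTIL_SAMPLE}
# Constructed "now": the morning after the thread's first message.
SAMPLE_NOW = datetime(2018, 6, 23, 6, 16, tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Return {(location, nickname): expiry} for each NSSDB entry certmonger tracks."""
    entries = {}
    for block in re.split(r"^Request ID ", text, flags=re.M)[1:]:
        cert = re.search(r"^\tcertificate: type=NSSDB,location='([^']+)',nickname='([^']+)'",
                         block, re.M)
        exp = re.search(r"^\texpires: (\S+ \S+) UTC$", block, re.M)
        if cert and exp:
            when = datetime.strptime(exp.group(1), "%Y-%m-%d %H:%M:%S")
            entries[(cert.group(1), cert.group(2))] = when.replace(tzinfo=timezone.utc)
    return entries


def parse_certutil_not_after(text):
    """Extract the 'Not After' timestamp from `certutil -L -n <nick>` text output.
    certutil prints no zone; it is treated as UTC here (assumption)."""
    m = re.search(r"^\s*Not After\s*:\s*(.+?)\s*$", text, re.M)
    if not m:
        raise ValueError("no 'Not After' field in certutil output")
    when = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
    return when.replace(tzinfo=timezone.utc)


def check_sync(getcert_expiry, nss_not_after, now):
    """Classify one tracked certificate; returns (state, expired_in_nssdb)."""
    if nss_not_after < getcert_expiry:
        state = "OUT_OF_SYNC"   # certmonger renewed, NSSDB still holds the old cert
    elif nss_not_after == getcert_expiry:
        state = "IN_SYNC"
    else:
        state = "NSSDB_NEWER"   # cert was replaced behind certmonger's back
    return state, nss_not_after <= now


def audit(getcert_text, certutil_by_nick, now):
    """Compare every certmonger NSSDB entry against the matching certutil output."""
    report = {}
    for key, expiry in parse_getcert_list(getcert_text).items():
        if key not in certutil_by_nick:
            report[key] = ("MISSING_FROM_NSSDB", True)
            continue
        report[key] = check_sync(expiry, parse_certutil_not_after(certutil_by_nick[key]), now)
    return report


if __name__ == "__main__":
    for (loc, nick), (state, expired) in audit(GETCERT_LIST_SAMPLE, SAMPLE_NSSDB, SAMPLE_NOW).items():
        suffix = " (certificate in NSSDB is expired)" if expired else ""
        print(f"{loc} {nick}: {state}{suffix}")
```

Run against a live server, the two inputs would come from `getcert list` and one `certutil -d <location> -L -n <nickname>` per tracked nickname; an `OUT_OF_SYNC` result with `expired` set is exactly the state in which httpd refuses to start on an expired Server-Cert while `getcert list` still looks healthy.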