Hi Flo,
Thank you for your reply; this is what happened:
<pre>Last login: Tue Oct  8 20:49:14 2024 from 10.10.1.5
[root@ipa1 ~]# ipa-cert-fix

                          WARNING

ipa-cert-fix is intended for recovery when expired certificates
prevent the normal operation of IPA.  It should ONLY be used
in such scenarios, and backup of the system, especially certificates
and keys, is STRONGLY RECOMMENDED.


The following certificates will be renewed:

Dogtag subsystem certificate:
  Subject: CN=CA Subsystem,O=LOCAL.LESBG.COM
  Serial:  10468392990
  Expires: 2024-10-02 10:19:00+00:00

Dogtag ca_ocsp_signing certificate:
  Subject: CN=OCSP Subsystem,O=LOCAL.LESBG.COM
  Serial:  10468392980
  Expires: 2024-10-02 10:19:00+00:00

Dogtag ca_audit_signing certificate:
  Subject: CN=CA Audit,O=LOCAL.LESBG.COM
  Serial:  10468392992
  Expires: 2024-10-02 10:19:00+00:00

IPA IPA RA certificate:
  Subject: CN=IPA RA,O=LOCAL.LESBG.COM
  Serial:  10468392987
  Expires: 2024-10-02 10:19:00+00:00

IPA Apache HTTPS certificate:
  Subject: CN=ipa1.lesbg.com,O=LOCAL.LESBG.COM
  Serial:  95866352280
  Expires: 2024-10-02 10:19:00+00:00

IPA LDAP certificate:
  Subject: CN=ipa1.lesbg.com,O=LOCAL.LESBG.COM
  Serial:  95866352279
  Expires: 2024-10-02 10:19:00+00:00

IPA KDC certificate:
  Subject: CN=ipa1.lesbg.com,O=LOCAL.LESBG.COM
  Serial:  95866352277
  Expires: 2024-10-02 10:19:00+00:00

Enter "yes" to proceed: yes
Proceeding.
CalledProcessError(Command ['pki-server', 'cert-fix', 
'--ldapi-socket', '/run/slapd-LOCAL-LESBG-COM.socket', 
'--agent-uid', 'ipara', '--cert', 
'subsystem', '--cert', 'ca_ocsp_signing', 
'--cert', 'ca_audit_signing', '--extra-cert', 
'10468392987', '--extra-cert', '95866352280', 
'--extra-cert', '95866352279', '--extra-cert', 
'95866352277'] returned non-zero exit status 1: 'INFO: Loading 
instance type: pki-tomcatd\nINFO: Loading instance: pki-tomcat\nINFO: Loading 
global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: 
/usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: 
/etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: 
/etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: 
/etc/pki/pki-tomcat/ca/CS.cfg\nINFO: Loading subsystem registry: 
/etc/pki/pki-tomcat/ca/registry.cfg\nINFO: Loading instance registry: 
/etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: Fixing the following 
system certs: [\'subsystem\', \'ca_ocsp_signing\', 
\'ca_audit_signing\']\nINFO: Renewing the following additional certs: 
[\'10468392987\', \'95866352280\', 
\'95866352279\', \'95866352277\']\nINFO: Stopping the 
instance to proceed with system cert renewal\nINFO: Configuring LDAP connection 
for CA\nINFO: Setting pkidbuser password via ldappasswd\nSASL/EXTERNAL 
authentication started\nSASL username: 
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nINFO: 
Storing subsystem config: /etc/pki/pki-tomcat/ca/CS.cfg\nINFO: Storing registry 
config: /etc/pki/pki-tomcat/ca/registry.cfg\nINFO: Storing subsystem config: 
/etc/pki/pki-tomcat/ca/CS.cfg\nINFO: Storing registry config: 
/etc/pki/pki-tomcat/ca/registry.cfg\nINFO: Selftests disabled for subsystems: 
ca\nSASL/EXTERNAL authentication started\nSASL username: 
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nINFO: 
Resetting password for uid=ipara,ou=people,o=ipaca\nSASL/EXTERNAL 
authentication started\nSASL username: 
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nINFO: 
Starting the instance\nINFO: Sleeping for 10 seconds to allow server time to 
start...\nINFO: Requesting new cert for subsystem\nINFO: Getting subsystem cert 
info from CS.cfg\nINFO: Getting subsystem cert info from NSS database\nINFO: 
Trying to setup a secure connection to CA subsystem.\nINFO: Stopping the 
instance\nINFO: Storing subsystem config: /etc/pki/pki-tomcat/ca/CS.cfg\nINFO: 
Storing registry config: /etc/pki/pki-tomcat/ca/registry.cfg\nINFO: Selftests 
enabled for subsystems: ca\nINFO: Restoring LDAP connection for CA\nINFO: 
Storing subsystem config: /etc/pki/pki-tomcat/ca/CS.cfg\nINFO: Storing registry 
config: /etc/pki/pki-tomcat/ca/registry.cfg\nERROR: 
HTTPSConnectionPool(host=\'ipa1.lesbg.com\', port=8443): Max retries 
exceeded with url: /ca/rest/account/login (Caused by 
SSLError(SSLCertVerificationError(1, \'[SSL: CERTIFICATE_VERIFY_FAILED] 
certificate verify failed: certificate has expired 
(_ssl.c:1129)\')))\nTraceback (most recent call last):\n  File 
"/usr/lib/python3.9/site-packages/urllib3/connectionpool.py", line 
700, in urlopen\n    httplib_response = self._make_request(\n  File 
"/usr/lib/python3.9/site-packages/urllib3/connectionpool.py", line 
383, in _make_request\n    self._validate_conn(conn)\n  File 
"/usr/lib/python3.9/site-packages/urllib3/connectionpool.py", line 
1015, in _validate_conn\n    conn.connect()\n  File 
"/usr/lib/python3.9/site-packages/urllib3/connection.py", line 411, 
in connect\n    self.sock = ssl_wrap_socket(\n  File 
"/usr/lib/python3.9/site-packages/urllib3/util/ssl_.py", line 449, in 
ssl_wrap_socket\n    ssl_sock = _ssl_wrap_socket_impl(\n  File 
"/usr/lib/python3.9/site-packages/urllib3/util/ssl_.py", line 493, in 
_ssl_wrap_socket_impl\n    return ssl_context.wrap_socket(sock, 
server_hostname=server_hostname)\n  File 
"/usr/lib64/python3.9/ssl.py", line 501, in wrap_socket\n    return 
self.sslsocket_class._create(\n  File "/usr/lib64/python3.9/ssl.py", 
line 1074, in _create\n    self.do_handshake()\n  File 
"/usr/lib64/python3.9/ssl.py", line 1343, in do_handshake\n    
self._sslobj.do_handshake()\nssl.SSLCertVerificationError: [SSL: 
CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired 
(_ssl.c:1129)\n\nDuring handling of the above exception, another exception 
occurred:\n\nTraceback (most recent call last):\n  File 
"/usr/lib/python3.9/site-packages/requests/adapters.py", line 439, in 
send\n    resp = conn.urlopen(\n  File 
"/usr/lib/python3.9/site-packages/urllib3/connectionpool.py", line 
756, in urlopen\n    retries = retries.increment(\n  File 
"/usr/lib/python3.9/site-packages/urllib3/util/retry.py", line 576, 
in increment\n    raise MaxRetryError(_pool, url, error or 
ResponseError(cause))\nurllib3.exceptions.MaxRetryError: 
HTTPSConnectionPool(host=\'ipa1.lesbg.com\', port=8443): Max retries 
exceeded with url: /ca/rest/account/login (Caused by 
SSLError(SSLCertVerificationError(1, \'[SSL: CERTIFICATE_VERIFY_FAILED] 
certificate verify failed: certificate has expired 
(_ssl.c:1129)\')))\n\nDuring handling of the above exception, another 
exception occurred:\n\nTraceback (most recent call last):\n  File 
"/usr/lib/python3.9/site-packages/pki/server/pkiserver.py", line 41, 
in &lt;module&gt;\n    cli.execute(sys.argv)\n  File 
"/usr/lib/python3.9/site-packages/pki/server/cli/__init__.py", line 
144, in execute\n    super().execute(args)\n  File 
"/usr/lib/python3.9/site-packages/pki/cli/__init__.py", line 217, in 
execute\n    module.execute(module_args)\n  File 
"/usr/lib/python3.9/site-packages/pki/cli/__init__.py", line 217, in 
execute\n    module.execute(module_args)\n  File 
"/usr/lib/python3.9/site-packages/pki/server/cli/cert.py", line 1467, 
in execute\n    instance.cert_create(\n  File 
"/usr/lib/python3.9/site-packages/pki/server/instance.py", line 980, 
in cert_create\n    connection = 
pki.server.PKIServer.setup_password_authentication(\n  File 
"/usr/lib/python3.9/site-packages/pki/server/__init__.py", line 1420, 
in setup_password_authentication\n    account_client.login()\n  File 
"/usr/lib/python3.9/site-packages/pki/__init__.py", line 432, in 
handler\n    return fn_call(inst, *args, **kwargs)\n  File 
"/usr/lib/python3.9/site-packages/pki/account.py", line 68, in 
login\n    self.connection.get(self.login_url)\n  File 
"/usr/lib/python3.9/site-packages/pki/client.py", line 56, in 
wrapper\n    return func(self, *args, **kwargs)\n  File 
"/usr/lib/python3.9/site-packages/pki/client.py", line 263, in get\n  
  r = self.session.get(\n  File 
"/usr/lib/python3.9/site-packages/requests/sessions.py", line 557, in 
get\n    return self.request(\'GET\', url, **kwargs)\n  File 
"/usr/lib/python3.9/site-packages/requests/sessions.py", line 544, in 
request\n    resp = self.send(prep, **send_kwargs)\n  File 
"/usr/lib/python3.9/site-packages/requests/sessions.py", line 657, in 
send\n    r = adapter.send(request, **kwargs)\n  File 
"/usr/lib/python3.9/site-packages/requests/adapters.py", line 514, in 
send\n    raise SSLError(e, request=request)\nrequests.exceptions.SSLError: 
HTTPSConnectionPool(host=\'ipa1.lesbg.com\', port=8443): Max retries 
exceeded with url: /ca/rest/account/login (Caused by 
SSLError(SSLCertVerificationError(1, \'[SSL: CERTIFICATE_VERIFY_FAILED] 
certificate verify failed: certificate has expired 
(_ssl.c:1129)\')))\n')
The ipa-cert-fix command failed.
</pre>

<pre>[root@ipa1 ~]# curl -k http://ipa1.lesbg.com:8080/ca/admin/ca/getStatus
curl: (7) Failed to connect to ipa1.lesbg.com port 8080: Connection refused
</pre>
-- 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
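As an added triage example (not code from the post, nor from the FreeIPA or Dogtag projects), the script below parses the certificate listing and the final ERROR line of an ipa-cert-fix run like the one quoted above, reports which listed certificates were already expired at the session's "Last login" time, and pulls out the CA REST endpoint whose TLS verification failed (the /ca/rest/account/login call on port 8443 that pki-server cert-fix makes). The sample output is constructed from values quoted in the post; the cause labels are the script's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample trimmed from the ipa-cert-fix output quoted in the post above:
# two of the listed certificates plus the final ERROR line of the traceback.
SAMPLE_OUTPUT = """\
Dogtag subsystem certificate:
  Subject: CN=CA Subsystem,O=LOCAL.LESBG.COM
  Serial:  10468392990
  Expires: 2024-10-02 10:19:00+00:00

IPA Apache HTTPS certificate:
  Subject: CN=ipa1.lesbg.com,O=LOCAL.LESBG.COM
  Serial:  95866352280
  Expires: 2024-10-02 10:19:00+00:00

ERROR: HTTPSConnectionPool(host='ipa1.lesbg.com', port=8443): Max retries exceeded with url: /ca/rest/account/login (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)')))
"""
LOGIN_TIME = datetime(2024, 10, 8, 20, 49, 14, tzinfo=timezone.utc)  # "Last login" time in the pasted session

# One record per "<name> certificate:" block with its indented Subject/Serial/Expires lines.
CERT_RE = re.compile(
    r"^(?P<name>[^\n:]+ certificate):\n  Subject: (?P<subject>.+)\n"
    r"  Serial:  (?P<serial>\d+)\n  Expires: (?P<expires>.+)$", re.MULTILINE)
# Accepts plain quotes and the \' form that appears inside the nested repr in the post.
ENDPOINT_RE = re.compile(r"HTTPSConnectionPool\(host=\\?'([^'\\]+)\\?', port=(\d+)\)")
URL_RE = re.compile(r"exceeded with url: (\S+)")

def parse_certs(output):
    """Certificates ipa-cert-fix listed, with Expires parsed into an aware datetime."""
    certs = []
    for m in CERT_RE.finditer(output):
        rec = m.groupdict()
        rec["expires"] = datetime.fromisoformat(rec["expires"].strip())
        certs.append(rec)
    return certs

def diagnose(output, now):
    """Listed certs already expired at `now`, the endpoint the renewal hit, and why TLS failed."""
    result = {"cause": "unknown",
              "expired_serials": [c["serial"] for c in parse_certs(output) if c["expires"] <= now]}
    ep, url = ENDPOINT_RE.search(output), URL_RE.search(output)
    if ep and url and "CERTIFICATE_VERIFY_FAILED" in output:
        result["endpoint"] = f"https://{ep.group(1)}:{ep.group(2)}{url.group(1)}"
        result["cause"] = ("ca-endpoint-cert-expired" if "certificate has expired" in output
                           else "ca-endpoint-cert-verify-failed")
    return result

def diagnose_sample():
    return diagnose(SAMPLE_OUTPUT, LOGIN_TIME)
```

Calling diagnose_sample() on the constructed output returns both serials as expired and the cause as an expired certificate on the 8443 endpoint. The traceback in the post also shows pki-server stopping the instance before the error, which is consistent with the later "Connection refused" on port 8080.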