Not being able to log in to the admin console, I checked the httpd log and found the following errors:
[Wed Jun 07 12:50:59.352022 2017] [:error] [pid 10240] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
[Wed Jun 07 12:50:59.353372 2017] [:error] [pid 10237] SSL Library Error: -8181 Certificate has expired
[Wed Jun 07 12:50:59.353395 2017] [:error] [pid 10237] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
[Wed Jun 07 12:50:59.986025 2017] [core:error] [pid 11522] AH00546: no record of generation 47 of exiting child 10203
I also get an error during enrollment of a new client (which seems to retrieve a valid certificate anyway):
Password for admin@HQ.SPINQUE.COM:
Successfully retrieved CA cert
    Subject: CN=Certificate Authority,O=HQ.SPINQUE.COM
    Issuer: CN=Certificate Authority,O=HQ.SPINQUE.COM
    Valid From: Mon Mar 16 18:44:35 2015 UTC
    Valid Until: Fri Mar 16 18:44:35 2035 UTC
Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining: TCP connection reset by peer
Services are up:
$ ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
Certificate monitoring seems ok:
$ getcert list -d /etc/httpd/alias -n ipaCert
Number of certificates and requests being tracked: 8.
Request ID '20160501114633':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=HQ.SPINQUE.COM
    subject: CN=IPA RA,O=HQ.SPINQUE.COM
    expires: 2019-01-26 19:41:51 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Version:
$ ipa --version
VERSION: 4.4.3, API_VERSION: 2.215
Could you please point me at what else to check?
freeipa-users@lists.fedorahosted.org