<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body text="#000000" bgcolor="#FFFFFF"> <div class="moz-cite-prefix">On 04/10/2015 03:58 PM, John Williams wrote:<br> </div> <blockquote cite="mid:299477201.646416.1428695890225.JavaMail.yahoo@mail.yahoo.com" type="cite"> <div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"> <div dir="ltr" id="yui_3_16_0_1_1428694803812_8168">I've inhereted an IPA infrastructure for a group in my organization. So I've got a RHEL instance with a IPA 3.0.0 server with expired certs.</div> <div dir="ltr" id="yui_3_16_0_1_1428694803812_8166"><br> </div> <div dir="ltr" class="" style="" id="yui_3_16_0_1_1428694803812_8485">[root@ipa ~]# rpm -qa | grep ipa-server</div> <div dir="ltr" class="" style="" id="yui_3_16_0_1_1428694803812_8193">ipa-server-selinux-3.0.0-26.el6_4.2.x86_64</div> <div dir="ltr" class="" style="" id="yui_3_16_0_1_1428694803812_8194">ipa-server-3.0.0-26.el6_4.2.x86_64</div> <div dir="ltr" class="" style="" id="yui_3_16_0_1_1428694803812_8195">[root@ipa ~]# </div> <div dir="ltr" class="" style="" id="yui_3_16_0_1_1428694803812_8195"><br> </div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8195" style=""><br> </div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style="">[root@ipa ~]# getcert list</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style="">Number of certificates and requests being tracked: 8.</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style="">Request ID '20130404232110':</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>status: CA_UNREACHABLE</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>ca-error: Error 7 connecting to <a class="moz-txt-link-freetext" href="http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit">http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit</a>: Couldn't connect to server.</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>stuck: no</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='242557339296'</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>CA: dogtag-ipa-renew-agent</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>issuer: CN=Certificate Authority,O=IDEF</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>subject: CN=CA Audit,O=IDEF</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>expires: 2017-02-15 19:26:38 UTC</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>key usage: digitalSignature,nonRepudiation</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>pre-save command: </div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>post-save command: </div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>track: yes</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>auto-renew: yes</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style="">Request ID '20130404232111':</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>status: CA_UNREACHABLE</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>ca-error: Error 7 connecting to <a class="moz-txt-link-freetext" href="http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit">http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit</a>: Couldn't connect to server.</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>stuck: no</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='242557339296'</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>CA: dogtag-ipa-renew-agent</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>issuer: CN=Certificate Authority,O=IDEF</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>subject: CN=OCSP Subsystem,O=IDEF</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>expires: 2017-02-15 19:25:38 UTC</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>eku: id-kp-OCSPSigning</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>pre-save command: </div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>post-save command: </div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>track: yes</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>auto-renew: yes</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style="">Request ID '20130404232112':</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>status: CA_UNREACHABLE</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>ca-error: Error 7 connecting to <a class="moz-txt-link-freetext" href="http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit">http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit</a>: Couldn't connect to server.</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>stuck: no</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='242557339296'</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>CA: dogtag-ipa-renew-agent</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>issuer: CN=Certificate Authority,O=IDEF</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>subject: CN=CA Subsystem,O=IDEF</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>expires: 2017-02-15 19:25:38 UTC</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>eku: id-kp-serverAuth,id-kp-clientAuth</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>pre-save command: </div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>post-save command: </div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>track: yes</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>auto-renew: yes</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style="">Request ID '20130404232113':</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>status: CA_UNREACHABLE</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>ca-error: Error 7 connecting to <a class="moz-txt-link-freetext" href="http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit">http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit</a>: Couldn't connect to server.</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>stuck: no</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>CA: dogtag-ipa-renew-agent</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>issuer: CN=Certificate Authority,O=IDEF</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>subject: CN=IPA RA,O=IDEF</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>expires: 2017-02-15 19:25:38 UTC</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>eku: id-kp-serverAuth,id-kp-clientAuth</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>pre-save command: </div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>post-save command: </div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>track: yes</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>auto-renew: yes</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style="">Request ID '20130404232114':</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>status: CA_UNREACHABLE</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>ca-error: Error 7 connecting to <a class="moz-txt-link-freetext" href="http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit">http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit</a>: Couldn't connect to server.</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>stuck: no</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='242557339296'</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>CA: dogtag-ipa-renew-agent</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>issuer: CN=Certificate Authority,O=IDEF</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>subject: CN=ipa.infra.idef,O=IDEF</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>expires: 2017-02-15 19:25:38 UTC</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>eku: id-kp-serverAuth,id-kp-clientAuth</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>pre-save command: </div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>post-save command: </div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>track: yes</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>auto-renew: yes</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style="">Request ID '20130404232127':</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>status: CA_UNREACHABLE</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>ca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'IDEF'.</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>stuck: no</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IDEF',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IDEF/pwdfile.txt'</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>certificate: type=NSSDB,location='/etc/dirsrv/slapd-IDEF',nickname='Server-Cert',token='NSS Certificate DB'</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>CA: IPA</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>issuer: CN=Certificate Authority,O=IDEF</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>subject: CN=ipa.infra.idef,O=IDEF</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>expires: 2015-04-05 23:21:26 UTC</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>eku: id-kp-serverAuth,id-kp-clientAuth</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>pre-save command: </div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>post-save command: </div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>track: yes</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>auto-renew: yes</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style="">Request ID '20130404232155':</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>status: CA_UNREACHABLE</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>ca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'IDEF'.</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>stuck: no</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>CA: IPA</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>issuer: CN=Certificate Authority,O=IDEF</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>subject: CN=ipa.infra.idef,O=IDEF</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>expires: 2015-04-05 23:21:54 UTC</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>eku: id-kp-serverAuth,id-kp-clientAuth</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>pre-save command: </div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>post-save command: </div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>track: yes</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>auto-renew: yes</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style="">Request ID '20130404232517':</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>status: CA_UNREACHABLE</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>ca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'IDEF'.</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>stuck: no</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>CA: IPA</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>issuer: CN=Certificate Authority,O=IDEF</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>subject: CN=ipa.infra.idef,O=IDEF</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>expires: 2015-04-05 23:25:17 UTC</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>eku: id-kp-serverAuth,id-kp-clientAuth</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>pre-save command: </div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>post-save command: </div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>track: yes</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><span class="" style="white-space:pre"> </span>auto-renew: yes</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><br> </div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style="">Now, I've tried following the instructions under the following link for fixing expired certs:</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><br> </div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><a moz-do-not-send="true" href="https://www.freeipa.org/page/Howto/CA_Certificate_Renewal" id="yui_3_16_0_1_1428694803812_8774">https://www.freeipa.org/page/Howto/CA_Certificate_Renewal</a><br> </div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><br> </div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style="">However, I run into a many issues, first I don't know what the <pin> is referenced very early on the instruction set.</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><br> </div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style="">I Googled a bit an saw some advice about rolling the clock back, then restarting certmonger to renew the certs. Here is the output of that process.</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><br> </div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style="">[root@ipa ~]# date</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style="">Thu Apr 10 00:13:51 EDT 2014</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style="">[root@ipa ~]# /etc/init.d/certmonger restart</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style="">Stopping certmonger: [ OK ]</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style="">Starting certmonger: [ OK ]</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style="">[root@ipa ~]# </div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><br class="" style=""> </div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style="">That did not work.</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><br> </div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><br> </div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style="">Here are some errors from syslog</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><br class="" style=""> </div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style="">Apr 10 00:13:57 ipa certmonger: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm ‘MyORG’.</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style="">Apr 10 00:13:57 ipa certmonger: Error 7 connecting to <a class="moz-txt-link-freetext" href="http://myhost.mydomain.com:9180/ca/ee/ca/profileSubmit">http://myhost.mydomain.com:9180/ca/ee/ca/profileSubmit</a>: Couldn't connect to server.</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style="">Apr 10 00:13:57 ipa certmonger: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'MyORG'.</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style="">Apr 10 00:13:57 ipa certmonger: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'MyORG'.</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><br> </div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style="">Any ideas would greatly be appreciated.</div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style=""><br> </div> <div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173" style="">Thanks.</div> <div dir="ltr" class="" style="" id="yui_3_16_0_1_1428694803812_8173"><br class="" style=""> </div> </div> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> </blockquote> Check if your KDC started OK.<br> Check krb5kdc.log<br> <br> More troubleshooting tips here: <a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/Troubleshooting">http://www.freeipa.org/page/Troubleshooting</a><br> <pre class="moz-signature" cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.</pre> </body> </html>