<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 04/10/2015 03:58 PM, John Williams
wrote:<br>
</div>
<blockquote
cite="mid:299477201.646416.1428695890225.JavaMail.yahoo@mail.yahoo.com"
type="cite">
<div style="color:#000; background-color:#fff;
font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial,
Lucida Grande, sans-serif;font-size:16px">
<div dir="ltr" id="yui_3_16_0_1_1428694803812_8168">I've
inherited an IPA infrastructure for a group in my
organization. So I've got a RHEL instance with an IPA 3.0.0
server with expired certs.</div>
<div dir="ltr" id="yui_3_16_0_1_1428694803812_8166"><br>
</div>
<div dir="ltr" class="" style=""
id="yui_3_16_0_1_1428694803812_8485">[root@ipa ~]# rpm -qa |
grep ipa-server</div>
<div dir="ltr" class="" style=""
id="yui_3_16_0_1_1428694803812_8193">ipa-server-selinux-3.0.0-26.el6_4.2.x86_64</div>
<div dir="ltr" class="" style=""
id="yui_3_16_0_1_1428694803812_8194">ipa-server-3.0.0-26.el6_4.2.x86_64</div>
<div dir="ltr" class="" style=""
id="yui_3_16_0_1_1428694803812_8195">[root@ipa ~]# </div>
<div dir="ltr" class="" style=""
id="yui_3_16_0_1_1428694803812_8195"><br>
</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8195"
style=""><br>
</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style="">[root@ipa ~]# getcert list</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style="">Number of certificates and requests being tracked: 8.</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style="">Request ID '20130404232110':</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>status:
CA_UNREACHABLE</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>ca-error:
Error 7 connecting to
<a class="moz-txt-link-freetext" href="http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit">http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit</a>: Couldn't
connect to server.</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>stuck:
no</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>key
pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='242557339296'</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>CA:
dogtag-ipa-renew-agent</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>issuer:
CN=Certificate Authority,O=IDEF</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>subject:
CN=CA Audit,O=IDEF</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>expires:
2017-02-15 19:26:38 UTC</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>key
usage: digitalSignature,nonRepudiation</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>pre-save
command: </div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>post-save
command: </div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>track:
yes</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>auto-renew:
yes</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style="">Request ID '20130404232111':</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>status:
CA_UNREACHABLE</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>ca-error:
Error 7 connecting to
<a class="moz-txt-link-freetext" href="http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit">http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit</a>: Couldn't
connect to server.</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>stuck:
no</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>key
pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='242557339296'</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>CA:
dogtag-ipa-renew-agent</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>issuer:
CN=Certificate Authority,O=IDEF</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>subject:
CN=OCSP Subsystem,O=IDEF</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>expires:
2017-02-15 19:25:38 UTC</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>eku:
id-kp-OCSPSigning</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>pre-save
command: </div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>post-save
command: </div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>track:
yes</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>auto-renew:
yes</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style="">Request ID '20130404232112':</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>status:
CA_UNREACHABLE</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>ca-error:
Error 7 connecting to
<a class="moz-txt-link-freetext" href="http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit">http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit</a>: Couldn't
connect to server.</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>stuck:
no</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>key
pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='242557339296'</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>CA:
dogtag-ipa-renew-agent</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>issuer:
CN=Certificate Authority,O=IDEF</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>subject:
CN=CA Subsystem,O=IDEF</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>expires:
2017-02-15 19:25:38 UTC</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>key
usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>eku:
id-kp-serverAuth,id-kp-clientAuth</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>pre-save
command: </div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>post-save
command: </div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>track:
yes</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>auto-renew:
yes</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style="">Request ID '20130404232113':</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>status:
CA_UNREACHABLE</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>ca-error:
Error 7 connecting to
<a class="moz-txt-link-freetext" href="http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit">http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit</a>: Couldn't
connect to server.</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>stuck:
no</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>key
pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>CA:
dogtag-ipa-renew-agent</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>issuer:
CN=Certificate Authority,O=IDEF</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>subject:
CN=IPA RA,O=IDEF</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>expires:
2017-02-15 19:25:38 UTC</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>key
usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>eku:
id-kp-serverAuth,id-kp-clientAuth</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>pre-save
command: </div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>post-save
command: </div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>track:
yes</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>auto-renew:
yes</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style="">Request ID '20130404232114':</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>status:
CA_UNREACHABLE</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>ca-error:
Error 7 connecting to
<a class="moz-txt-link-freetext" href="http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit">http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit</a>: Couldn't
connect to server.</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>stuck:
no</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>key
pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='242557339296'</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>CA:
dogtag-ipa-renew-agent</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>issuer:
CN=Certificate Authority,O=IDEF</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>subject:
CN=ipa.infra.idef,O=IDEF</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>expires:
2017-02-15 19:25:38 UTC</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>key
usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>eku:
id-kp-serverAuth,id-kp-clientAuth</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>pre-save
command: </div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>post-save
command: </div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>track:
yes</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>auto-renew:
yes</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style="">Request ID '20130404232127':</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>status:
CA_UNREACHABLE</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>ca-error:
Error setting up ccache for "host" service on client using
default keytab: Cannot contact any KDC for realm 'IDEF'.</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>stuck:
no</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>key
pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-IDEF',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-IDEF/pwdfile.txt'</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>certificate:
type=NSSDB,location='/etc/dirsrv/slapd-IDEF',nickname='Server-Cert',token='NSS
Certificate DB'</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>CA:
IPA</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>issuer:
CN=Certificate Authority,O=IDEF</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>subject:
CN=ipa.infra.idef,O=IDEF</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>expires:
2015-04-05 23:21:26 UTC</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>key
usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>eku:
id-kp-serverAuth,id-kp-clientAuth</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>pre-save
command: </div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>post-save
command: </div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>track:
yes</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>auto-renew:
yes</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style="">Request ID '20130404232155':</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>status:
CA_UNREACHABLE</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>ca-error:
Error setting up ccache for "host" service on client using
default keytab: Cannot contact any KDC for realm 'IDEF'.</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>stuck:
no</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>key
pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate
DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>CA:
IPA</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>issuer:
CN=Certificate Authority,O=IDEF</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>subject:
CN=ipa.infra.idef,O=IDEF</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>expires:
2015-04-05 23:21:54 UTC</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>key
usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>eku:
id-kp-serverAuth,id-kp-clientAuth</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>pre-save
command: </div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>post-save
command: </div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>track:
yes</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>auto-renew:
yes</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style="">Request ID '20130404232517':</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>status:
CA_UNREACHABLE</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>ca-error:
Error setting up ccache for "host" service on client using
default keytab: Cannot contact any KDC for realm 'IDEF'.</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>stuck:
no</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>key
pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>CA:
IPA</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>issuer:
CN=Certificate Authority,O=IDEF</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>subject:
CN=ipa.infra.idef,O=IDEF</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>expires:
2015-04-05 23:25:17 UTC</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>key
usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>eku:
id-kp-serverAuth,id-kp-clientAuth</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>pre-save
command: </div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>post-save
command: </div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>track:
yes</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><span class="" style="white-space:pre"> </span>auto-renew:
yes</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><br>
</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style="">Now, I've tried following the instructions under the
following link for fixing expired certs:</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><br>
</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><a moz-do-not-send="true"
href="https://www.freeipa.org/page/Howto/CA_Certificate_Renewal"
id="yui_3_16_0_1_1428694803812_8774">https://www.freeipa.org/page/Howto/CA_Certificate_Renewal</a><br>
</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><br>
</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style="">However, I run into many issues; first, I don't know
what the &lt;pin&gt; referenced very early in the
instruction set is.</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><br>
</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style="">I Googled a bit and saw some advice about rolling the
clock back, then restarting certmonger to renew the certs.
Here is the output of that process.</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><br>
</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style="">[root@ipa ~]# date</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style="">Thu Apr 10 00:13:51 EDT 2014</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style="">[root@ipa ~]# /etc/init.d/certmonger restart</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style="">Stopping certmonger:
[ OK ]</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style="">Starting certmonger:
[ OK ]</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style="">[root@ipa ~]# </div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><br class="" style="">
</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style="">That did not work.</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><br>
</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><br>
</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style="">Here are some errors from syslog</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><br class="" style="">
</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style="">Apr 10 00:13:57 ipa certmonger: Error setting up
ccache for "host" service on client using default keytab:
Cannot contact any KDC for realm ‘MyORG’.</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style="">Apr 10 00:13:57 ipa certmonger: Error 7 connecting to
<a class="moz-txt-link-freetext" href="http://myhost.mydomain.com:9180/ca/ee/ca/profileSubmit">http://myhost.mydomain.com:9180/ca/ee/ca/profileSubmit</a>:
Couldn't connect to server.</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style="">Apr 10 00:13:57 ipa certmonger: Error setting up
ccache for "host" service on client using default keytab:
Cannot contact any KDC for realm 'MyORG'.</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style="">Apr 10 00:13:57 ipa certmonger: Error setting up
ccache for "host" service on client using default keytab:
Cannot contact any KDC for realm 'MyORG'.</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><br>
</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style="">Any ideas would greatly be appreciated.</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style=""><br>
</div>
<div dir="ltr" class="" id="yui_3_16_0_1_1428694803812_8173"
style="">Thanks.</div>
<div dir="ltr" class="" style=""
id="yui_3_16_0_1_1428694803812_8173"><br class="" style="">
</div>
</div>
</blockquote>
Check if your KDC started OK.<br>
Check krb5kdc.log<br>
<br>
More troubleshooting tips here:
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/Troubleshooting">http://www.freeipa.org/page/Troubleshooting</a><br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
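<p>Added example, not part of the original thread and not FreeIPA or certmonger code: a small triage script for <code>getcert list</code> output in the layout quoted above. It orders tracked requests by expiry, separates the "Cannot contact any KDC" failures from the "Couldn't connect to server" ones, and masks the inline <code>pin='...'</code> field before a listing is shared. The function names and the sample listing (host, realm, request IDs, pin) are constructed placeholders.</p>

```python
import re
from datetime import datetime, timezone

# Constructed sample shaped like `getcert list` output; host, realm, request
# IDs and pin are placeholders, not values from a real system.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20200101000001':
\tstatus: CA_UNREACHABLE
\tca-error: Error 7 connecting to http://ipa.example.test:9180/ca/ee/ca/profileSubmit: Couldn't connect to server.
\tstuck: no
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='000000000000'
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\texpires: 2017-02-15 19:25:38 UTC
\tpre-save command:
Request ID '20200101000002':
\tstatus: CA_UNREACHABLE
\tca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'EXAMPLE.TEST'.
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\texpires: 2015-04-05 23:21:26 UTC
Request ID '20200101000003':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\texpires: 2017-03-01 00:00:00 UTC
"""

REQ_RE = re.compile(r"^Request ID '([^']+)':\s*$")
LOC_RE = re.compile(r"location='([^']*)',nickname='([^']*)'")
PIN_RE = re.compile(r"\bpin='[^']*'")  # does not match pinfile='...'


def redact(text):
    """Mask inline NSS database pins so the listing can be shared."""
    return PIN_RE.sub("pin='REDACTED'", text)


def parse(text):
    """Split the listing into one dict per tracked request."""
    records, cur = [], None
    for line in text.splitlines():
        m = REQ_RE.match(line.strip())
        if m:
            cur = {"id": m.group(1)}
            records.append(cur)
        elif cur is not None and ":" in line:
            # Field names contain no colon, so split on the first one only.
            key, _, value = line.strip().partition(":")
            cur[key.strip()] = value.strip()
    return records


def classify(ca_error):
    """Bucket the ca-error text into the two failure kinds seen in the thread."""
    if not ca_error:
        return "none"
    if "Cannot contact any KDC" in ca_error:
        return "kdc-unreachable"
    if "Couldn't connect to server" in ca_error:
        return "ca-endpoint-unreachable"
    return "other"


def triage(text, now):
    """Return one row per request, earliest expiry first, judged against `now`."""
    rows = []
    for rec in parse(text):
        m = LOC_RE.search(rec.get("certificate", ""))
        exp = rec.get("expires")
        not_after = None
        if exp:
            not_after = datetime.strptime(exp, "%Y-%m-%d %H:%M:%S UTC")
            not_after = not_after.replace(tzinfo=timezone.utc)
        rows.append({
            "id": rec["id"],
            "store": m.group(1) if m else None,
            "nickname": m.group(2) if m else None,
            "helper": rec.get("CA"),
            "error_class": classify(rec.get("ca-error")),
            "not_after": not_after,
            "expired": not_after is not None and not_after <= now,
        })
    return sorted(rows, key=lambda r: (r["not_after"] is None, r["not_after"] or now))


if __name__ == "__main__":
    for row in triage(redact(SAMPLE), datetime.now(timezone.utc)):
        print(row["not_after"], row["expired"], row["error_class"], row["helper"], row["store"], row["nickname"])
```

<p>Pass the system's current time as <code>now</code>, or a rolled-back time to see which certificates would count as unexpired at that moment.</p>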
</body>
</html>