<div dir="ltr"><div>Small update, I found an article on the RH solution library (<a href="https://access.redhat.com/solutions/2020223">https://access.redhat.com/solutions/2020223</a>) that has the same error code that I am getting and I followed the steps with certutil to update the cert attributes but it is still not working.  The article is listed as "Solution in Progress".<br><br></div><div>

<pre>[root@test ~]# getcert list | more
Number of certificates and requests being tracked: 7.
Request ID '20111214223243':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-SAMPLE-NET//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=SAMPLE.NET
        subject: CN=caer.SAMPLE.net,O=SAMPLE.NET
        expires: 2016-01-29 14:09:46 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
</pre>
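<p>Added example, not part of the original message and not FreeIPA or certmonger code: a small parser that triages <code>getcert list</code> output like the listing above against a chosen reference time, so the same request can be evaluated under the rolled-back clock (27 Jan 2016) and the real date of this thread (2 May 2016). The function names, the 28-day warning threshold, the second request in the sample, and the rule that un-indented lines are hard terminal wraps joined without a separator are assumptions.</p>

```python
"""Triage `getcert list` output: flag requests that are stuck, in an error
state, or near/past expiry relative to a caller-supplied reference time."""
import re
from datetime import datetime, timezone

# Constructed sample modelled on the listing quoted in the message, including
# the hard terminal wrap in the middle of the ca-error value. The second
# request is invented for contrast.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20111214223243':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be comp
leted: Unable to communicate with CMS (Not Found)).
\tstuck: yes
\tCA: IPA
\tsubject: CN=caer.SAMPLE.net,O=SAMPLE.NET
\texpires: 2016-01-29 14:09:46 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20990101000000':
\tstatus: MONITORING
\tstuck: no
\tCA: IPA
\tsubject: CN=example.SAMPLE.net,O=SAMPLE.NET
\texpires: 2017-06-30 00:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")
# Field lines are indented; the key runs up to the first colon.
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?):\s*(.*)$")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"  # format shown in the listing


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the field names."""
    requests, current, last_key = [], None, None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            last_key = None
            continue
        if current is None:
            continue  # summary line before the first request
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group(1)
            current[last_key] = m.group(2)
        elif line.strip() and last_key:
            # Assumption: an un-indented line is the tail of a value that the
            # terminal wrapped mid-word, so it is appended with no separator.
            current[last_key] += line
    return requests


def triage(requests, now, warn_days=28):
    """Map request ID -> list of findings; healthy requests are omitted."""
    report = {}
    for req in requests:
        findings = []
        status = req.get("status", "unknown")
        if status != "MONITORING":
            findings.append("status=" + status)
        if req.get("stuck") == "yes":
            findings.append("stuck")
        if req.get("ca-error"):
            findings.append("ca-error")
        try:
            expires = datetime.strptime(req.get("expires", ""), EXPIRES_FMT)
            expires = expires.replace(tzinfo=timezone.utc)
        except ValueError:
            findings.append("expiry-unparseable")
        else:
            if expires <= now:
                findings.append("expired")
            elif (expires - now).days < warn_days:
                findings.append("expires-in-%dd" % (expires - now).days)
        if findings:
            report[req["id"]] = findings
    return report


if __name__ == "__main__":
    reqs = parse_getcert_list(SAMPLE)
    clocks = {
        "rolled-back clock": datetime(2016, 1, 27, 15, 33, tzinfo=timezone.utc),
        "real date": datetime(2016, 5, 2, 17, 35, tzinfo=timezone.utc),
    }
    for label, now in clocks.items():
        print(label, triage(reqs, now))
```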

<br></div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, May 2, 2016 at 5:35 PM Anthony Cheng <<a href="mailto:anthony.wan.cheng@gmail.com">anthony.wan.cheng@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><div dir="ltr">On Mon, May 2, 2016 at 9:54 AM Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Anthony Cheng wrote:<br>
> On Sat, Apr 30, 2016 at 10:08 AM Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a><br>
> <mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>>> wrote:<br>
><br>
>     Anthony Cheng wrote:<br>
>      > OK so I made progress on my cert renew issue; I was able to get kinit<br>
>      > working so I can follow the rest of the steps here<br>
>      > (<a href="http://www.freeipa.org/page/IPA_2x_Certificate_Renewal" rel="noreferrer" target="_blank">http://www.freeipa.org/page/IPA_2x_Certificate_Renewal</a>)<br>
>      ><br>
>      > However, after using<br>
>      ><br>
>      > ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w<br>
>     password<br>
>      ><br>
>      > and restarting apache (/sbin/service httpd restart), resubmitting 3<br>
>      > certs (ipa-getcert resubmit -i <ID>) and restarting IPA (resubmit<br>
>     -i <ID>)<br>
>      > (/sbin/service ipa restart), I still see:<br>
>      ><br>
>      > [root@test ~]# ipa-getcert list | more<br>
>      > Number of certificates and requests being tracked: 8.<br>
>      > Request ID '20111214223243':<br>
>      >          status: CA_UNREACHABLE<br>
>      >          ca-error: Server failed request, will retry: 4301 (RPC<br>
>     failed<br>
>      > at server.  Certificate operation cannot be compl<br>
>      > eted: Unable to communicate with CMS (Not Found)).<br>
><br>
>     IPA proxies requests to the CA through Apache. This means that while<br>
>     tomcat started ok it didn't load the dogtag CA application, hence the<br>
>     Not Found.<br>
><br>
>     Check the CA debug and selftest logs to see why it failed to start<br>
>     properly.<br>
><br>
>     [ snip ]<br>
><br>
> Actually after a reboot that error went away and I just get this error<br>
> instead "ca-error: Server failed request, will retry: -504 (libcurl<br>
> failed to execute the HTTP POST transaction. Peer certificate cannot be<br>
> authenticated with known CA certificates)." from "getcert list"<br>
><br>
> Result of service ipa restart is interesting since it shows today's time<br>
> when I already changed date/time/disable NTP so somehow the system still<br>
> knows today's time.<br>
><br>
> PKI-IPA...[02/May/2016:13:26:10 +0000] - SSL alert:<br>
> CERT_VerifyCertificateNow: verify certificate failed for cert<br>
> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable<br>
> Runtime error -8181 - Peer's Certificate has expired.)<br>
<br>
Hard to say. I'd confirm that there is no time syncing service running,<br>
ntp or otherwise.<br>
<br></blockquote><div><br></div></div></div><div dir="ltr"><div class="gmail_quote"><div>I found out why the time kept changing; it was due to the fact that it has VM tools installed (I didn't configure this box) so it automatically syncs time during bootup.<br> <br></div><div>I did still see this error message:<br><br>ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found))<br></div><div><br></div><div>I tried the step <a href="http://www.freeipa.org/page/Troubleshooting" target="_blank">http://www.freeipa.org/page/Troubleshooting</a> with<br><pre>certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt<br>openssl x509 -text -in /tmp/ra.crt<br>certutil -A -n ipaCert -d /etc/httpd/alias -t u,u,u -a -i /tmp/ra.crt<br>service httpd restart<br></pre>So that I can get rid of one of the CA certs that is expired (kept the 1st one) but I am still getting the same error<br></div>

<p>What exactly is CMS and why is it not found?<br></p><p><br></p><p>I did notice that the selftest log is empty with a different time:</p><p>-rw-r-----. 1 pkiuser pkiuser 0 Nov 23 14:11 /var/log/pki-ca/selftests.log <br></p><p>[root@test ~]# clock
Wed 27 Jan 2016 03:33:00 PM UTC  -0.046800 seconds
<br></p><p><br></p><p>Here are some debug logs after reboot:<br></p><p>[root@test pki-ca]# tail -n 100 catalina.out</p>

<p>INFO: JK: ajp13 listening on /<a href="http://0.0.0.0:9447" target="_blank">0.0.0.0:9447</a></p>

<p>Jan 27, 2016 2:45:31 PM org.apache.jk.server.JkMain start</p>

<p>INFO: Jk running ID=0 time=1/23<span>  </span>config=null</p>

<p>Jan 27, 2016 2:45:31 PM
org.apache.catalina.startup.Catalina start</p>

<p>INFO: Server startup in 1722 ms</p>

<p>Jan 27, 2016 2:56:21 PM
org.apache.coyote.http11.Http11Protocol pause</p>

<p>INFO: Pausing Coyote HTTP/1.1 on http-9180</p>

<p>Jan 27, 2016 2:56:21 PM
org.apache.coyote.http11.Http11Protocol pause</p>

<p>INFO: Pausing Coyote HTTP/1.1 on http-9443</p>

<p>Jan 27, 2016 2:56:21 PM
org.apache.coyote.http11.Http11Protocol pause</p>

<p>INFO: Pausing Coyote HTTP/1.1 on http-9445</p>

<p>Jan 27, 2016 2:56:21 PM
org.apache.coyote.http11.Http11Protocol pause</p>

<p>INFO: Pausing Coyote HTTP/1.1 on http-9444</p>

<p>Jan 27, 2016 2:56:21 PM
org.apache.coyote.http11.Http11Protocol pause</p>

<p>INFO: Pausing Coyote HTTP/1.1 on http-9446</p>

<p>Jan 27, 2016 2:56:22 PM
org.apache.catalina.core.StandardService stop</p>

<p>INFO: Stopping service Catalina</p>

<p>Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads</p>

<p>SEVERE: A web application appears to have started a thread named [Timer-0] but has failed to stop it. This is very likely to create a memory leak.</p>

<p>Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads</p>

<p>SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.flush-4] but has failed to stop it. This is very likely to create a memory leak.</p>

<p>Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
clearReferencesThreads</p>

<p>SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.rollover-6] but has failed to stop it. This is very likely to create a memory leak.</p>

<p>Jan 27, 2016 2:56:22 PM
org.apache.catalina.loader.WebappClassLoader clearReferencesThreads</p>

<p>SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.flush-6] but has failed to stop it. This is very likely to create a memory leak.</p>

<p>Jan 27, 2016 2:56:22 PM
org.apache.catalina.loader.WebappClassLoader clearReferencesThreads</p>

<p>SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.rollover-8] but has failed to stop it. This is very likely to create a memory leak.</p>

<p>Jan 27, 2016 2:56:22 PM
org.apache.catalina.loader.WebappClassLoader clearReferencesThreads</p>

<p>SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.flush-9] but has failed to stop it. This is very likely to create a memory leak.</p>

<p>Jan 27, 2016 2:56:22 PM
org.apache.catalina.loader.WebappClassLoader clearReferencesThreads</p>

<p>SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.rollover-10] but has failed to stop it. This is very likely to create a memory leak.</p>

<p>Jan 27, 2016 2:56:22 PM
org.apache.catalina.loader.WebappClassLoader clearReferencesThreads</p>

<p>SEVERE: A web application appears to have started a
thread named [LDAPConnThread-2 ldap://<a href="http://test.sample.net:7389" target="_blank">test.sample.net:7389</a>] but has failed to
stop it. This is very likely to create a memory leak.</p>

<p>Jan 27, 2016 2:56:22 PM
org.apache.catalina.loader.WebappClassLoader clearReferencesThreads</p>

<p>SEVERE: A web application appears to have started a
thread named [LDAPConnThread-3 ldap://<a href="http://test.sample.net:7389" target="_blank">test.sample.net:7389</a>] but has failed to
stop it. This is very likely to create a memory leak.</p>

<p>Jan 27, 2016 2:56:22 PM
org.apache.catalina.loader.WebappClassLoader clearReferencesThreads</p>

<p>SEVERE: A web application appears to have started a
thread named [LDAPConnThread-4 ldap://<a href="http://test.sample.net:7389" target="_blank">test.sample.net:7389</a>] but has failed to
stop it. This is very likely to create a memory leak.</p>

<p>Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
clearThreadLocalMap</p>

<p>SEVERE: A web application created a ThreadLocal with key
of type [null] (value [com.netscape.cmscore.util.Debug$1@228b677f]) and a value
of type [java.text.SimpleDateFormat] (value
[java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web
application was stopped. To prevent a memory leak, the ThreadLocal has been
forcibly removed.</p>

<p>Jan 27, 2016 2:56:22 PM
org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap</p>

<p>SEVERE: A web application created a ThreadLocal with key
of type [null] (value [com.netscape.cmscore.util.Debug$1@228b677f]) and a value
of type [java.text.SimpleDateFormat] (value
[java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web
application was stopped. To prevent a memory leak, the ThreadLocal has been
forcibly removed.</p>

<p>Jan 27, 2016 2:56:22 PM
org.apache.coyote.http11.Http11Protocol destroy</p>

<p>INFO: Stopping Coyote HTTP/1.1 on http-9180</p>

<p>Jan 27, 2016 2:56:22 PM
org.apache.coyote.http11.Http11Protocol destroy</p>

<p>INFO: Stopping Coyote HTTP/1.1 on http-9443</p>

<p>Jan 27, 2016 2:56:22 PM
org.apache.coyote.http11.Http11Protocol destroy</p>

<p>INFO: Stopping Coyote HTTP/1.1 on http-9445</p>

<p>Jan 27, 2016 2:56:22 PM
org.apache.coyote.http11.Http11Protocol destroy</p>

<p>INFO: Stopping Coyote HTTP/1.1 on http-9444</p>

<p>Jan 27, 2016 2:56:22 PM
org.apache.coyote.http11.Http11Protocol destroy</p>

<p>INFO: Stopping Coyote HTTP/1.1 on http-9446</p>

<p>Jan 27, 2016 2:57:36 PM
org.apache.catalina.core.AprLifecycleListener init</p>

<p>INFO: The APR based Apache Tomcat Native library which
allows optimal performance in production environments was not found on the
java.library.path:
/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib</p>

<p>Jan 27, 2016 2:57:37 PM
org.apache.coyote.http11.Http11Protocol init</p>

<p>INFO: Initializing Coyote HTTP/1.1 on http-9180</p>

<p>Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
unsupported by NSS. This is probably O.K. unless ECC support has been
installed.</p>

<p>Warning: SSL ECC cipher
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is
probably O.K. unless ECC support has been installed.</p>

<p>Jan 27, 2016 2:57:37 PM
org.apache.coyote.http11.Http11Protocol init</p>

<p>INFO: Initializing Coyote HTTP/1.1 on http-9443</p>

<p>Warning: SSL ECC cipher
"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is
probably O.K. unless ECC support has been installed.</p>

<p>Warning: SSL ECC cipher
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is
probably O.K. unless ECC support has been installed.</p>

<p>Jan 27, 2016 2:57:37 PM
org.apache.coyote.http11.Http11Protocol init</p>

<p>INFO: Initializing Coyote HTTP/1.1 on http-9445</p>

<p>Warning: SSL ECC cipher
"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is
probably O.K. unless ECC support has been installed.</p>

<p>Warning: SSL ECC cipher
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is
probably O.K. unless ECC support has been installed.</p>

<p>Jan 27, 2016 2:57:37 PM
org.apache.coyote.http11.Http11Protocol init</p>

<p>INFO: Initializing Coyote HTTP/1.1 on http-9444</p>

<p>Warning: SSL ECC cipher
"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is
probably O.K. unless ECC support has been installed.</p>

<p>Warning: SSL ECC cipher
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is
probably O.K. unless ECC support has been installed.</p>

<p>Jan 27, 2016 2:57:37 PM
org.apache.coyote.http11.Http11Protocol init</p>

<p>INFO: Initializing Coyote HTTP/1.1 on http-9446</p>

<p>Jan 27, 2016 2:57:37 PM
org.apache.catalina.startup.Catalina load</p>

<p>INFO: Initialization processed in 2198 ms</p>

<p>Jan 27, 2016 2:57:37 PM
org.apache.catalina.core.StandardService start</p>

<p>INFO: Starting service Catalina</p>

<p>Jan 27, 2016 2:57:37 PM
org.apache.catalina.core.StandardEngine start</p>

<p>INFO: Starting Servlet Engine: Apache Tomcat/6.0.24</p>

<p>Jan 27, 2016 2:57:37 PM
org.apache.catalina.startup.HostConfig deployDirectory</p>

<p>INFO: Deploying web application directory ROOT</p>

<p>Jan 27, 2016 2:57:38 PM
org.apache.catalina.startup.HostConfig deployDirectory</p>

<p>INFO: Deploying web application directory ca</p>

<p>64-bit osutil library loaded</p>

<p>64-bit osutil library loaded</p>

<p>Certificate object not found</p>

<p>Jan 27, 2016 2:57:40 PM
org.apache.coyote.http11.Http11Protocol start</p>

<p>INFO: Starting Coyote HTTP/1.1 on http-9180</p>

<p>Jan 27, 2016 2:57:40 PM
org.apache.coyote.http11.Http11Protocol start</p>

<p>INFO: Starting Coyote HTTP/1.1 on http-9443</p>

<p>Jan 27, 2016 2:57:40 PM
org.apache.coyote.http11.Http11Protocol start</p>

<p>INFO: Starting Coyote HTTP/1.1 on http-9445</p>

<p>Jan 27, 2016 2:57:40 PM
org.apache.coyote.http11.Http11Protocol start</p>

<p>INFO: Starting Coyote HTTP/1.1 on http-9444</p>

<p>Jan 27, 2016 2:57:40 PM
org.apache.coyote.http11.Http11Protocol start</p>

<p>INFO: Starting Coyote HTTP/1.1 on http-9446</p>

<p>Jan 27, 2016 2:57:40 PM
org.apache.jk.common.ChannelSocket init</p>

<p>INFO: JK: ajp13 listening on /<a href="http://0.0.0.0:9447" target="_blank">0.0.0.0:9447</a></p>

<p>Jan 27, 2016 2:57:40 PM org.apache.jk.server.JkMain start</p>

<p>INFO: Jk running ID=0 time=0/40<span>  </span>config=null</p>

<p>Jan 27, 2016 2:57:40 PM org.apache.catalina.startup.Catalina
start</p>

<p>INFO: Server startup in 2592 ms</p>



<p>[root@test pki-ca]# tail -n 100 debug</p>

<p>[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
subjectAltNameExtDefaultImpl Subject Alternative Name Extension Default Subject
Alternative Name Extension Default
com.netscape.cms.profile.def.SubjectAltNameExtDefault</p>

<p>[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
userValidityDefaultImpl User Supplied Validity Default User Supplied Validity
Default com.netscape.cms.profile.def.UserValidityDefault</p>

<p>[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
userSubjectNameDefaultImpl User Supplied Subject Name Default User Supplied
Subject Name Default com.netscape.cms.profile.def.UserSubjectNameDefault</p>

<p>[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
subjectDirAttributesExtDefaultImpl Subject Directory Attributes Extension
Default Subject Directory Attributes Extension Default
com.netscape.cms.profile.def.SubjectDirAttributesExtDefault</p>

<p>[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
certificateVersionDefaultImpl Certificate Version Default Certificate Version
Default com.netscape.cms.profile.def.CertificateVersionDefault</p>

<p>[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
extendedKeyUsageExtDefaultImpl Extended Key Usage Extension Default Extended
Key Usage Extension Default
com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault</p>

<p>[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
policyConstraintsExtDefaultImpl Policy Constraints Extension Default Policy
Constraints Extension Default
com.netscape.cms.profile.def.PolicyConstraintsExtDefault</p>

<p>[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
crlDistributionPointsExtDefaultImpl CRL Distribution Points Extension Default
CRL Distribution Points Extension Default com.netscape.cms.profile.def.CRLDistributionPointsExtDefault</p>

<p>[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
certificatePoliciesExtDefaultImpl Certificate Policies Extension Default
Certificate Policies Extension Default
com.netscape.cms.profile.def.CertificatePoliciesExtDefault</p>

<p>[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
validityDefaultImpl Validity Default Validty Default
com.netscape.cms.profile.def.ValidityDefault</p>

<p>[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
privateKeyPeriodExtDefaultImpl Private Key Period Ext Default Private Key
Period Ext Default com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault</p>

<p>[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
noDefaultImpl No Default No Default com.netscape.cms.profile.def.NoDefault</p>

<p>[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
imageDefaultImpl Image Default Image Default
com.netscape.cms.profile.def.ImageDefault</p>

<p>[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
subjectInfoAccessExtDefaultImpl Subject Info Access Extension Default Subject
Info Access Extension Default
com.netscape.cms.profile.def.SubjectInfoAccessExtDefault</p>

<p>[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
autoAssignDefaultImpl Auto Request Assignment Default Auto Request Assignment
Default com.netscape.cms.profile.def.AutoAssignDefault</p>

<p>[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
policyMappingsExtDefaultImpl Policy Mappings Extension Default Policy Mappings
Extension Default com.netscape.cms.profile.def.PolicyMappingsExtDefault</p>

<p>[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
caValidityDefaultImpl CA Certificate Validity Default CA Certificate Validty
Default com.netscape.cms.profile.def.CAValidityDefault</p>

<p>[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
userExtensionDefaultImpl User Supplied Extension Default User Supplied
Extension Default com.netscape.cms.profile.def.UserExtensionDefault</p>

<p>[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
nsCertTypeExtDefaultImpl Netscape Certificate Type Extension Default Netscape
Certificate Type Extension Default
com.netscape.cms.profile.def.NSCertTypeExtDefault</p>

<p>[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
authTokenSubjectNameDefaultImpl Token Supplied Subject Name Default Token
Supplied Subject Name Default com.netscape.cms.profile.def.AuthTokenSubjectNameDefault</p>

<p>[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
subjectNameDefaultImpl Subject Name Default Subject Name Default
com.netscape.cms.profile.def.SubjectNameDefault</p>

<p>[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
userSigningAlgDefaultImpl User Supplied Signing Alg Default User Supplied
Signing Alg Default com.netscape.cms.profile.def.UserSigningAlgDefault</p>

<p>[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
subjectKeyIdentifierExtDefaultImpl Subject Key Identifier Default Subject Key
Identifier Default com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault</p>

<p>[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy Extension Default Inhibit
Any-Policy Extension Default
com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault</p>

<p>[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
nsTokenDeviceKeySubjectNameDefaultImpl nsTokenDeviceKeySubjectNameDefault nsTokenDeviceKeySubjectNameDefaultImpl
com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault</p>

<p>[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
nscCommentExtDefaultImpl Netscape Comment Extension Default Netscape Comment
Extension Default com.netscape.cms.profile.def.NSCCommentExtDefault</p>

<p>[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
signingAlgDefaultImpl Signing Algorithm Default Signing Algorithm Default
com.netscape.cms.profile.def.SigningAlgDefault</p>

<p>[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
nameConstraintsExtDefaultImpl Name Constraints Extension Default Name
Constraints Extension Default
com.netscape.cms.profile.def.NameConstraintsExtDefault</p>

<p>[27/Jan/2016:15:30:43][main]: added plugin profileUpdater
subsystemGroupUpdaterImpl Updater for Subsystem Group Updater for Subsystem
Group com.netscape.cms.profile.updater.SubsystemGroupUpdater</p>

<p>[27/Jan/2016:15:30:43][main]: CMSEngine: done init
id=registry</p>

<p>[27/Jan/2016:15:30:43][main]: CMSEngine: initialized
registry</p>

<p>[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem
id=oidmap</p>

<p>[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init
id=oidmap</p>

<p>[27/Jan/2016:15:30:43][main]: CMSEngine: done init
id=oidmap</p>

<p>[27/Jan/2016:15:30:43][main]: CMSEngine: initialized
oidmap</p>

<p>[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem
id=X500Name</p>

<p>[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init
id=X500Name</p>

<p>[27/Jan/2016:15:30:43][main]: CMSEngine: done init
id=X500Name</p>

<p>[27/Jan/2016:15:30:43][main]: CMSEngine: initialized
X500Name</p>

<p>[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem
id=request</p>

<p>[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init
id=request</p>

<p>[27/Jan/2016:15:30:43][main]: CMSEngine: done init
id=request</p>

<p>[27/Jan/2016:15:30:43][main]: CMSEngine: initialized
request</p>

<p>[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem
id=ca</p>

<p>[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init
id=ca</p>

<p>[27/Jan/2016:15:30:43][main]: CertificateAuthority init</p>

<p>[27/Jan/2016:15:30:43][main]: Cert Repot inited</p>

<p>[27/Jan/2016:15:30:43][main]: CRL Repot inited</p>

<p>[27/Jan/2016:15:30:43][main]: Replica Repot inited</p>

<p>[27/Jan/2016:15:30:43][main]: ca.signing Signing Unit
nickname caSigningCert cert-pki-ca</p>

<p>[27/Jan/2016:15:30:43][main]: Got token Internal Key
Storage Token by name</p>

<p>[27/Jan/2016:15:30:43][main]: Found cert by nickname:
'caSigningCert cert-pki-ca' with serial number: 1</p>

<p>[27/Jan/2016:15:30:43][main]: converted to x509CertImpl</p>

<p>[27/Jan/2016:15:30:43][main]: Got private key from cert</p>

<p>[27/Jan/2016:15:30:43][main]: Got public key from cert</p>

<p>[27/Jan/2016:15:30:43][main]: got signing algorithm
RSASignatureWithSHA256Digest</p>

<p>[27/Jan/2016:15:30:43][main]: CA signing unit inited</p>

<p>[27/Jan/2016:15:30:43][main]: cachainNum= 0</p>

<p>[27/Jan/2016:15:30:43][main]: in init - got CA chain from
JSS.</p>

<p>[27/Jan/2016:15:30:43][main]: ca.ocsp_signing Signing
Unit nickname ca.ocsp_signing.cert</p>

<p>[27/Jan/2016:15:30:43][main]: Got token Internal Key
Storage Token by name</p>

<p>[27/Jan/2016:15:30:43][main]: SigningUnit init: debug
org.mozilla.jss.crypto.ObjectNotFoundException</p>

<p>[27/Jan/2016:15:30:43][main]: CMS:Caught EBaseException</p>

<p>Certificate object not found</p>

<p><span>        </span>at
com.netscape.ca.SigningUnit.init(SigningUnit.java:190)</p>

<p><span>        </span>at
com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1204)</p>

<p><span>    </span><span>    </span>at
com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)</p>

<p><span>        </span>at
com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)</p>

<p><span>        </span>at
com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)</p>

<p><span>        </span>at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)</p>

<p><span>        </span>at
com.netscape.certsrv.apps.CMS.init(CMS.java:153)</p>

<p><span>        </span>at
com.netscape.certsrv.apps.CMS.start(CMS.java:1530)</p>

<p><span>        </span>at
com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)</p>

<p><span>        </span>at
org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)</p>

<p><span>        </span>at
org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)</p>

<p><span>        </span>at
org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)</p>

<p><span>        </span>at
org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)</p>

<p><span>        </span>at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)</p>

<p><span>        </span>at
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)</p>

<p><span>        </span>at
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)</p>

<p><span>        </span>at
org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)</p>

<p><span>    </span><span>    </span>at
org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)</p>

<p><span>        </span>at
org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)</p>

<p><span>        </span>at
org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)</p>

<p><span>        </span>at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)</p>

<p><span>        </span>at
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)</p>

<p><span>        </span>at
org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)</p>

<p><span> </span><span>       </span>at
org.apache.catalina.core.StandardHost.start(StandardHost.java:722)</p>

<p><span>        </span>at
org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)</p>

<p><span>        </span>at
org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)</p>

<p><span>        </span>at org.apache.catalina.core.StandardService.start(StandardService.java:516)</p>

<p><span>        </span>at
org.apache.catalina.core.StandardServer.start(StandardServer.java:710)</p>

<p><span>        </span>at
org.apache.catalina.startup.Catalina.start(Catalina.java:593)</p>

<p><span>        </span>at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)</p>

<p><span>        </span>at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)</p>

<p><span>        </span>at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)</p>

<p><span>        </span>at
java.lang.reflect.Method.invoke(Method.java:616)</p>

<p><span>        </span>at
org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)</p>

<p><span>        </span>at
org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)</p>

<p>[27/Jan/2016:15:30:43][main]: CMSEngine.shutdown()</p></div></div><div dir="ltr"><div class="gmail_quote">

<br><br><br> ><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
>      > Would really greatly appreciate any help on this.<br>
>      ><br>
>      > Also I noticed after I do ldapmodify of usercertificate binary<br>
>     data with<br>
>      ><br>
>      > add: usercertificate;binary<br>
>      > usercertificate;binary: !@#$@!#$#@$<br>
><br>
>     You really pasted in binary? Or was this base64-encoded data?<br>
><br>
>     I wonder if there is a problem in the wiki. If this is really a binary<br>
>     value you should start with a DER-encoded cert and load it using<br>
>     something like:<br>
><br>
>     dn: uid=ipara,ou=people,o=ipaca<br>
>     changetype: modify<br>
>     add: usercertificate;binary<br>
>     usercertificate;binary:< file:///path/to/cert.der<br>
><br>
>     You can use something like openssl x509 to switch between PEM and DER<br>
>     formats.<br>
><br>
>     I have a vague memory that dogtag can deal with a multi-valued<br>
>     usercertificate attribute.<br>
><br>
>     rob<br>
><br>
><br>
> Yes the wiki stated binary, the result of:<br>
> ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b<br>
> uid=ipara,ou=People,o=ipaca -W<br>
><br>
> shows userCertificate;binary:: GJ6Q0NBbGVnQXd ...<br>
><br>
> But the actual data is from a PEM though.<br>
<br>
Ok. So I looked at my CA data and it doesn't use the binary subtype, so<br>
my entries look like:<br>
<br>
userCertificate:: MIID....<br>
<br>
It might make a difference if dogtag is looking for the subtype or not.<br>
<br>
rob<br>
<br>
><br>
>      ><br>
>      > Then I re-run<br>
>      ><br>
>      > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W<br>
>     -b uid=ipara,ou=People,o=ipaca<br>
>      ><br>
>      > I see 2 entries for usercertificate;binary (before modify there<br>
>     was only<br>
>      > 1) but they are duplicate and NOT from data that I added.  That seems<br>
>      > incorrect to me.<br>
>      ><br>
>      ><br>
>      > On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng<br>
>      > <<a href="mailto:anthony.wan.cheng@gmail.com" target="_blank">anthony.wan.cheng@gmail.com</a>> wrote:<br>
>      ><br>
>      >     klist is actually empty; kinit admin fails.  Sounds like then<br>
>      >     getcert resubmit has a dependency on Kerberos.  I can get a backup<br>
>      >     image that has a valid ticket but it is only good for 1 day (and<br>
>      >     dated past the cert expiration).<br>
>      ><br>
>      >     Also I had asked awhile back about whether there is dependency on<br>
>      >     DIRSRV to renew the cert; didn't get any response but I suspect<br>
>      >     there is a dependency.<br>
>      ><br>
>      >     Regarding the clock skew, I found out from /var/log/message that<br>
>      >     shows me this so it may be from named:<br>
>      ><br>
>      >     Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great)<br>
>      >     Jan 28 14:10:42 test named[2911]: loading configuration: failure<br>
>      >     Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)<br>
>      >     Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)<br>
>      ><br>
>      >     I don't have a krb5cc_496 file (since klist is empty), so sounds to<br>
>      >     me I need to get a Kerberos ticket before going any further.  Also<br>
>      >     is the file /etc/krb5.keytab access/modification time important?  I<br>
>      >     had changed time back to before the cert expiration date and rebooted<br>
>      >     and tried to renew but the error message about clock skew is still<br>
>      >     there.  That seems strange.<br>
>      ><br>
>      >     Lastly, as an absolute last resort, can I regenerate a new cert<br>
>      >     myself?<br>
>      ><br>
>      >     <a href="https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html" rel="noreferrer" target="_blank">https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html</a><br>
>      ><br>
>      >     [root@test /]# klist<br>
>      >     klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)<br>
>      >     [root@test /]# service ipa start<br>
>      >     Starting Directory Service<br>
>      >     Starting dirsrv:<br>
>      >          PKI-IPA...                                            [  OK  ]<br>
>      >          sample-NET...                                         [  OK  ]<br>
>      >     Starting KDC Service<br>
>      >     Starting Kerberos 5 KDC:                                   [  OK  ]<br>
>      >     Starting KPASSWD Service<br>
>      >     Starting Kerberos 5 Admin Server:                          [  OK  ]<br>
>      >     Starting DNS Service<br>
>      >     Starting named:                                            [FAILED]<br>
>      >     Failed to start DNS Service<br>
>      >     Shutting down<br>
>      >     Stopping Kerberos 5 KDC:                                   [  OK  ]<br>
>      >     Stopping Kerberos 5 Admin Server:                          [  OK  ]<br>
>      >     Stopping named:                                            [  OK  ]<br>
>      >     Stopping httpd:                                            [  OK  ]<br>
>      >     Stopping pki-ca:                                           [  OK  ]<br>
>      >     Shutting down dirsrv:<br>
>      >          PKI-IPA...                                            [  OK  ]<br>
>      >          sample-NET...                                         [  OK  ]<br>
>      >     Aborting ipactl<br>
>      >     [root@test /]# klist<br>
>      >     klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)<br>
>      >     [root@test /]# service ipa status<br>
>      >     Directory Service: STOPPED<br>
>      >     Failed to get list of services to probe status:<br>
>      >     Directory Server is stopped<br>
>      ><br>
>      >     On Thu, Apr 28, 2016 at 3:21 AM David Kupka <<a href="mailto:dkupka@redhat.com" target="_blank">dkupka@redhat.com</a>> wrote:<br>
>      ><br>
>      >         On 27/04/16 21:54, Anthony Cheng wrote:<br>
>      >          > Hi list,<br>
>      >          ><br>
>      >          > I am trying to renew expired certificates following the manual renewal procedure<br>
>      >          > here (<a href="http://www.freeipa.org/page/IPA_2x_Certificate_Renewal" rel="noreferrer" target="_blank">http://www.freeipa.org/page/IPA_2x_Certificate_Renewal</a>) but even with<br>
>      >          > resetting the system/hardware clock to a time before expires, I am getting the<br>
>      >          > error "ca-error: Error setting up ccache for local "host" service using default<br>
>      >          > keytab: Clock skew too great."<br>
>      >          ><br>
>      >          > With NTP disabled and clock reset why would it complain about clock skew and how<br>
>      >          > does it even know about the current time?<br>
>      >          ><br>
>      >          > [root@test certs]# getcert list<br>
>      >          > Number of certificates and requests being tracked: 8.<br>
>      >          > Request ID '20111214223243':<br>
>      >          >          status: MONITORING<br>
>      >          >          ca-error: Error setting up ccache for local<br>
>     "host"<br>
>      >         service using<br>
>      >          > default keytab: Clock skew too great.<br>
>      >          >          stuck: no<br>
>      >          >          key pair storage:<br>
>      >          ><br>
>      ><br>
>       type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS<br>
>      >          > Certificate<br>
>      >         DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'<br>
>      >          >          certificate:<br>
>      >          ><br>
>      ><br>
>       type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS<br>
>      >          > Certificate DB'<br>
>      >          >          CA: IPA<br>
>      >          >          issuer: CN=Certificate Authority,O=sample.NET<br>
>      >          >          subject: CN=<a href="http://test.sample.net" rel="noreferrer" target="_blank">test.sample.net</a>,O=sample.NET<br>
>      >          >          expires: 2016-01-29 14:09:46 UTC<br>
>      >          >          eku: id-kp-serverAuth<br>
>      >          >          pre-save command:<br>
>      >          >          post-save command:<br>
>      >          >          track: yes<br>
>      >          >          auto-renew: yes<br>
>      >          > Request ID '20111214223300':<br>
>      >          >          status: MONITORING<br>
>      >          >          ca-error: Error setting up ccache for local<br>
>     "host"<br>
>      >         service using<br>
>      >          > default keytab: Clock skew too great.<br>
>      >          >          stuck: no<br>
>      >          >          key pair storage:<br>
>      >          ><br>
>      ><br>
>       type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>
>      >         Certificate<br>
>      >          > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'<br>
>      >          >          certificate:<br>
>      >          ><br>
>      ><br>
>       type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>
>      >         Certificate<br>
>      >          > DB'<br>
>      >          >          CA: IPA<br>
>      >          >          issuer: CN=Certificate Authority,O=sample.NET<br>
>      >          >          subject: CN=<a href="http://test.sample.net" rel="noreferrer" target="_blank">test.sample.net</a>,O=sample.NET<br>
>      >          >          expires: 2016-01-29 14:09:45 UTC<br>
>      >          >          eku: id-kp-serverAuth<br>
>      >          >          pre-save command:<br>
>      >          >          post-save command:<br>
>      >          >          track: yes<br>
>      >          >          auto-renew: yes<br>
>      >          > Request ID '20111214223316':<br>
>      >          >          status: MONITORING<br>
>      >          >          ca-error: Error setting up ccache for local<br>
>     "host"<br>
>      >         service using<br>
>      >          > default keytab: Clock skew too great.<br>
>      >          >          stuck: no<br>
>      >          >          key pair storage:<br>
>      >          ><br>
>      ><br>
>       type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>
>      >          > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
>      >          >          certificate:<br>
>      >          ><br>
>      ><br>
>       type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>
>      >          > Certificate DB'<br>
>      >          >          CA: IPA<br>
>      >          >          issuer: CN=Certificate Authority,O=sample.NET<br>
>      >          >          subject: CN=<a href="http://test.sample.net" rel="noreferrer" target="_blank">test.sample.net</a>,O=sample.NET<br>
>      >          >          expires: 2016-01-29 14:09:45 UTC<br>
>      >          >          eku: id-kp-serverAuth<br>
>      >          >          pre-save command:<br>
>      >          >          post-save command:<br>
>      >          >          track: yes<br>
>      >          >          auto-renew: yes<br>
>      >          > Request ID '20130519130741':<br>
>      >          >          status: NEED_CSR_GEN_PIN<br>
>      >          >          ca-error: Internal error: no response to<br>
>      >          ><br>
>      ><br>
>       "<a href="http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true" rel="noreferrer" target="_blank">http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true</a>".<br>
>      >          >          stuck: yes<br>
>      >          >          key pair storage:<br>
>      >          ><br>
>      ><br>
>       type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert<br>
>      >          > cert-pki-ca',token='NSS Certificate DB',pin='297100916664<br>
>      >          > '<br>
>      >          >          certificate:<br>
>      >          ><br>
>      ><br>
>       type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert<br>
>      >          > cert-pki-ca',token='NSS Certificate DB'<br>
>      >          >          CA: dogtag-ipa-renew-agent<br>
>      >          >          issuer: CN=Certificate Authority,O=sample.NET<br>
>      >          >          subject: CN=CA Audit,O=sample.NET<br>
>      >          >          expires: 2017-10-13 14:10:49 UTC<br>
>      >          >          pre-save command:<br>
>     /usr/lib64/ipa/certmonger/stop_pkicad<br>
>      >          >          post-save command:<br>
>      >         /usr/lib64/ipa/certmonger/renew_ca_cert<br>
>      >          > "auditSigningCert cert-pki-ca"<br>
>      >          >          track: yes<br>
>      >          >          auto-renew: yes<br>
>      >          > Request ID '20130519130742':<br>
>      >          >          status: NEED_CSR_GEN_PIN<br>
>      >          >          ca-error: Internal error: no response to<br>
>      >          ><br>
>      ><br>
>       "<a href="http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true" rel="noreferrer" target="_blank">http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true</a>".<br>
>      >          >          stuck: yes<br>
>      >          >          key pair storage:<br>
>      >          ><br>
>      ><br>
>       type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert<br>
>      >          > cert-pki-ca',token='NSS Certificate DB',pin='297100916664<br>
>      >          > '<br>
>      >          >          certificate:<br>
>      >          ><br>
>      ><br>
>       type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert<br>
>      >          > cert-pki-ca',token='NSS Certificate DB'<br>
>      >          >          CA: dogtag-ipa-renew-agent<br>
>      >          >          issuer: CN=Certificate Authority,O=sample.NET<br>
>      >          >          subject: CN=OCSP Subsystem,O=sample.NET<br>
>      >          >          expires: 2017-10-13 14:09:49 UTC<br>
>      >          >          eku: id-kp-OCSPSigning<br>
>      >          >          pre-save command:<br>
>     /usr/lib64/ipa/certmonger/stop_pkicad<br>
>      >          >          post-save command:<br>
>      >         /usr/lib64/ipa/certmonger/renew_ca_cert<br>
>      >          > "ocspSigningCert cert-pki-ca"<br>
>      >          >          track: yes<br>
>      >          >          auto-renew: yes<br>
>      >          > Request ID '20130519130743':<br>
>      >          >          status: NEED_CSR_GEN_PIN<br>
>      >          >          ca-error: Internal error: no response to<br>
>      >          ><br>
>      ><br>
>       "<a href="http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true" rel="noreferrer" target="_blank">http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true</a>".<br>
>      >          >          stuck: yes<br>
>      >          >          key pair storage:<br>
>      >          ><br>
>      ><br>
>       type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert<br>
>      >          > cert-pki-ca',token='NSS Certificate DB',pin='297100916664<br>
>      >          > '<br>
>      >          >          certificate:<br>
>      >          ><br>
>      ><br>
>       type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert<br>
>      >          > cert-pki-ca',token='NSS Certificate DB'<br>
>      >          >          CA: dogtag-ipa-renew-agent<br>
>      >          >          issuer: CN=Certificate Authority,O=sample.NET<br>
>      >          >          subject: CN=CA Subsystem,O=sample.NET<br>
>      >          >          expires: 2017-10-13 14:09:49 UTC<br>
>      >          >          eku: id-kp-serverAuth,id-kp-clientAuth<br>
>      >          >          pre-save command:<br>
>     /usr/lib64/ipa/certmonger/stop_pkicad<br>
>      >          >          post-save command:<br>
>      >         /usr/lib64/ipa/certmonger/renew_ca_cert<br>
>      >          > "subsystemCert cert-pki-ca"<br>
>      >          >          track: yes<br>
>      >          >          auto-renew: yes<br>
>      >          > Request ID '20130519130744':<br>
>      >          >          status: MONITORING<br>
>      >          >          ca-error: Internal error: no response to<br>
>      >          ><br>
>      ><br>
>       "<a href="http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true" rel="noreferrer" target="_blank">http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true</a>".<br>
>      >          >          stuck: no<br>
>      >          >          key pair storage:<br>
>      >          ><br>
>      ><br>
>       type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS<br>
>      >         Certificate<br>
>      >          > DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
>      >          >          certificate:<br>
>      >          ><br>
>      ><br>
>       type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS<br>
>      >         Certificate DB'<br>
>      >          >          CA: dogtag-ipa-renew-agent<br>
>      >          >          issuer: CN=Certificate Authority,O=sample.NET<br>
>      >          >          subject: CN=RA Subsystem,O=sample.NET<br>
>      >          >          expires: 2017-10-13 14:09:49 UTC<br>
>      >          >          eku: id-kp-serverAuth,id-kp-clientAuth<br>
>      >          >          pre-save command:<br>
>      >          >          post-save command:<br>
>      >         /usr/lib64/ipa/certmonger/renew_ra_cert<br>
>      >          >          track: yes<br>
>      >          >          auto-renew: yes<br>
>      >          > Request ID '20130519130745':<br>
>      >          >          status: NEED_CSR_GEN_PIN<br>
>      >          >          ca-error: Internal error: no response to<br>
>      >          ><br>
>      ><br>
>       "<a href="http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true" rel="noreferrer" target="_blank">http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true</a>".<br>
>      >          >          stuck: yes<br>
>      >          >          key pair storage:<br>
>      >          ><br>
>     type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert<br>
>      >          > cert-pki-ca',token='NSS Certificate DB',pin='297100916664<br>
>      >          > '<br>
>      >          >          certificate:<br>
>      >          ><br>
>     type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert<br>
>      >          > cert-pki-ca',token='NSS Certificate DB'<br>
>      >          >          CA: dogtag-ipa-renew-agent<br>
>      >          >          issuer: CN=Certificate Authority,O=sample.NET<br>
>      >          >          subject: CN=<a href="http://test.sample.net" rel="noreferrer" target="_blank">test.sample.net</a>,O=sample.NET<br>
>      >          >          expires: 2017-10-13 14:09:49 UTC<br>
>      >          >          eku: id-kp-serverAuth,id-kp-clientAuth<br>
>      >          >          pre-save command:<br>
>      >          >          post-save command:<br>
>      >          >          track: yes<br>
>      >          >          auto-renew: yes[root@test certs]# getcert list<br>
>      >          > Number of certificates and requests being tracked: 8.<br>
>      >          > Request ID '20111214223243':<br>
>      >          >          status: MONITORING<br>
>      >          >          ca-error: Error setting up ccache for local<br>
>     "host"<br>
>      >         service using<br>
>      >          > default keytab: Clock skew too great.<br>
>      >          >          stuck: no<br>
>      >          >          key pair storage:<br>
>      >          ><br>
>      ><br>
>       type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS<br>
>      >          > Certificate<br>
>      >         DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'<br>
>      >          >          certificate:<br>
>      >          ><br>
>      ><br>
>       type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS<br>
>      >          > Certificate DB'<br>
>      >          >          CA: IPA<br>
>      >          >          issuer: CN=Certificate Authority,O=sample.NET<br>
>      >          >          subject: CN=<a href="http://test.sample.net" rel="noreferrer" target="_blank">test.sample.net</a><br>
>     <<a href="http://test.sample.net" rel="noreferrer" target="_blank">http://test.sample.net</a>> <<a href="http://test.sample.net" rel="noreferrer" target="_blank">http://test.sample.net</a>><br>
>      >         <<a href="http://test.sample.net" rel="noreferrer" target="_blank">http://test.sample.net</a>>,O=sample.NET<br>
>      >          >          expires: 2016-01-29 14:09:46 UTC<br>
>      >          >          eku: id-kp-serverAuth<br>
>      >          >          pre-save command:<br>
>      >          >          post-save command:<br>
>      >          >          track: yes<br>
>      >          >          auto-renew: yes<br>
>      >          > Request ID '20111214223300':<br>
>      >          >          status: MONITORING<br>
>      >          >          ca-error: Error setting up ccache for local<br>
>     "host"<br>
>      >         service using<br>
>      >          > default keytab: Clock skew too great.<br>
>      >          >          stuck: no<br>
>      >          >          key pair storage:<br>
>      >          ><br>
>      ><br>
>       type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>
>      >         Certificate<br>
>      >          > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'<br>
>      >          >          certificate:<br>
>      >          ><br>
>      ><br>
>       type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>
>      >         Certificate<br>
>      >          > DB'<br>
>      >          >          CA: IPA<br>
>      >          >          issuer: CN=Certificate Authority,O=sample.NET<br>
>      >          >          subject: CN=<a href="http://test.sample.net" rel="noreferrer" target="_blank">test.sample.net</a><br>
>     <<a href="http://test.sample.net" rel="noreferrer" target="_blank">http://test.sample.net</a>> <<a href="http://test.sample.net" rel="noreferrer" target="_blank">http://test.sample.net</a>><br>
>      >         <<a href="http://test.sample.net" rel="noreferrer" target="_blank">http://test.sample.net</a>>,O=sample.NET<br>
>      >          >          expires: 2016-01-29 14:09:45 UTC<br>
>      >          >          eku: id-kp-serverAuth<br>
>      >          >          pre-save command:<br>
>      >          >          post-save command:<br>
>      >          >          track: yes<br>
>      >          >          auto-renew: yes<br>
>      >          > Request ID '20111214223316':<br>
>      >          >          status: MONITORING<br>
>      >          >          ca-error: Error setting up ccache for local<br>
>     "host"<br>
>      >         service using<br>
>      >          > default keytab: Clock skew too great.<br>
>      >          >          stuck: no<br>
>      >          >          key pair storage:<br>
>      >          ><br>
>      ><br>
>       type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>
>      >          > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
>      >          >          certificate:<br>
>      >          ><br>
>      ><br>
>       type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>
>      >          > Certificate DB'<br>
>      >          >          CA: IPA<br>
>      >          >          issuer: CN=Certificate Authority,O=sample.NET<br>
>      >          >          subject: CN=<a href="http://test.sample.net" rel="noreferrer" target="_blank">test.sample.net</a><br>
>     <<a href="http://test.sample.net" rel="noreferrer" target="_blank">http://test.sample.net</a>> <<a href="http://test.sample.net" rel="noreferrer" target="_blank">http://test.sample.net</a>><br>
>      >         <<a href="http://test.sample.net" rel="noreferrer" target="_blank">http://test.sample.net</a>>,O=sample.NET<br>
>      >          >          expires: 2016-01-29 14:09:45 UTC<br>
>      >          >          eku: id-kp-serverAuth<br>
>      >          >          pre-save command:<br>
>      >          >          post-save command:<br>
>      >          >          track: yes<br>
>      >          >          auto-renew: yes<br>
>      >          > Request ID '20130519130741':<br>
>      >          >          status: NEED_CSR_GEN_PIN<br>
>      >          >          ca-error: Internal error: no response to<br>
>      >          ><br>
>      ><br>
>       "<a href="http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true" rel="noreferrer" target="_blank">http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true</a>".<br>
>      >          >          stuck: yes<br>
>      >          >          key pair storage:<br>
>      >          ><br>
>      ><br>
>       type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert<br>
>      >          > cert-pki-ca',token='NSS Certificate DB',pin='297100916664<br>
>      >          > '<br>
>      >          >          certificate:<br>
>      >          ><br>
>      ><br>
>       type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert<br>
>      >          > cert-pki-ca',token='NSS Certificate DB'<br>
>      >          >          CA: dogtag-ipa-renew-agent<br>
>      >          >          issuer: CN=Certificate Authority,O=sample.NET<br>
>      >          >          subject: CN=CA Audit,O=sample.NET<br>
>      >          >          expires: 2017-10-13 14:10:49 UTC<br>
>      >          >          pre-save command:<br>
>     /usr/lib64/ipa/certmonger/stop_pkicad<br>
>      >          >          post-save command:<br>
>      >         /usr/lib64/ipa/certmonger/renew_ca_cert<br>
>      >          > "auditSigningCert cert-pki-ca"<br>
>      >          >          track: yes<br>
>      >          >          auto-renew: yes<br>
>      >          > Request ID '20130519130742':<br>
>      >          >          status: NEED_CSR_GEN_PIN<br>
>      >          >          ca-error: Internal error: no response to<br>
>      >          ><br>
>      ><br>
>       "<a href="http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true" rel="noreferrer" target="_blank">http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true</a>".<br>
>      >          >          stuck: yes<br>
>      >          >          key pair storage:<br>
>      >          ><br>
>      ><br>
>       type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert<br>
>      >          > cert-pki-ca',token='NSS Certificate DB',pin='297100916664<br>
>      >          > '<br>
>      >          >          certificate:<br>
>      >          ><br>
>      ><br>
>       type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert<br>
>      >          > cert-pki-ca',token='NSS Certificate DB'<br>
>      >          >          CA: dogtag-ipa-renew-agent<br>
>      >          >          issuer: CN=Certificate Authority,O=sample.NET<br>
>      >          >          subject: CN=OCSP Subsystem,O=sample.NET<br>
>      >          >          expires: 2017-10-13 14:09:49 UTC<br>
>      >          >          eku: id-kp-OCSPSigning<br>
>      >          >          pre-save command:<br>
>     /usr/lib64/ipa/certmonger/stop_pkicad<br>
>      >          >          post-save command:<br>
>      >         /usr/lib64/ipa/certmonger/renew_ca_cert<br>
>      >          > "ocspSigningCert cert-pki-ca"<br>
>      >          >          track: yes<br>
>      >          >          auto-renew: yes<br>
>      >          > Request ID '20130519130743':<br>
>      >          >          status: NEED_CSR_GEN_PIN<br>
>      >          >          ca-error: Internal error: no response to<br>
>      >          ><br>
>      ><br>
>       "<a href="http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true" rel="noreferrer" target="_blank">http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true</a>".<br>
>      >          >          stuck: yes<br>
>      >          >          key pair storage:<br>
>      >          ><br>
>      ><br>
>       type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert<br>
>      >          > cert-pki-ca',token='NSS Certificate DB',pin='297100916664<br>
>      >          > '<br>
>      >          >          certificate:<br>
>      >          ><br>
>      ><br>
>       type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert<br>
>      >          > cert-pki-ca',token='NSS Certificate DB'<br>
>      >          >          CA: dogtag-ipa-renew-agent<br>
>      >          >          issuer: CN=Certificate Authority,O=sample.NET<br>
>      >          >          subject: CN=CA Subsystem,O=sample.NET<br>
>      >          >          expires: 2017-10-13 14:09:49 UTC<br>
>      >          >          eku: id-kp-serverAuth,id-kp-clientAuth<br>
>      >          >          pre-save command:<br>
>     /usr/lib64/ipa/certmonger/stop_pkicad<br>
>      >          >          post-save command:<br>
>      >         /usr/lib64/ipa/certmonger/renew_ca_cert<br>
>      >          > "subsystemCert cert-pki-ca"<br>
>      >          >          track: yes<br>
>      >          >          auto-renew: yes<br>
>      >          > Request ID '20130519130744':<br>
>      >          >          status: MONITORING<br>
>      >          >          ca-error: Internal error: no response to<br>
>      >          ><br>
>      ><br>
>       "<a href="http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true" rel="noreferrer" target="_blank">http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true</a>".<br>
>      >          >          stuck: no<br>
>      >          >          key pair storage:<br>
>      >          ><br>
>      ><br>
>       type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS<br>
>      >         Certificate<br>
>      >          > DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
>      >          >          certificate:<br>
>      >          ><br>
>      ><br>
>       type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS<br>
>      >         Certificate DB'<br>
>      >          >          CA: dogtag-ipa-renew-agent<br>
>      >          >          issuer: CN=Certificate Authority,O=sample.NET<br>
>      >          >          subject: CN=RA Subsystem,O=sample.NET<br>
>      >          >          expires: 2017-10-13 14:09:49 UTC<br>
>      >          >          eku: id-kp-serverAuth,id-kp-clientAuth<br>
>      >          >          pre-save command:<br>
>      >          >          post-save command:<br>
>      >         /usr/lib64/ipa/certmonger/renew_ra_cert<br>
>      >          >          track: yes<br>
>      >          >          auto-renew: yes<br>
>      >          > Request ID '20130519130745':<br>
>      >          >          status: NEED_CSR_GEN_PIN<br>
>      >          >          ca-error: Internal error: no response to<br>
>      >          ><br>
>      ><br>
>       "<a href="http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true" rel="noreferrer" target="_blank">http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true</a>".<br>
>      >          >          stuck: yes<br>
>      >          >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664<br>
>      >          > '<br>
>      >          >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'<br>
>      >          >          CA: dogtag-ipa-renew-agent<br>
>      >          >          issuer: CN=Certificate Authority,O=sample.NET<br>
>      >          >          subject: CN=<a href="http://test.sample.net" rel="noreferrer" target="_blank">test.sample.net</a>,O=sample.NET<br>
>      >          >          expires: 2017-10-13 14:09:49 UTC<br>
>      >          >          eku: id-kp-serverAuth,id-kp-clientAuth<br>
>      >          >          pre-save command:<br>
>      >          >          post-save command:<br>
>      >          >          track: yes<br>
>      >          >          auto-renew: yes<br>
>      >          > --<br>
>      >          ><br>
>      >          > Thanks, Anthony<br>
>      >          ><br>
>      >          ><br>
>      >          ><br>
>      ><br>
>      >         Hello Anthony!<br>
>      ><br>
>      >         After stopping NTP (or another time-synchronizing service) and setting the<br>
>      >         time manually, the server really doesn't have a way to determine that its<br>
>      >         time differs from the real one.<br>
>      ><br>
>      >         I think this might be an issue with the Kerberos ticket. You can show the<br>
>      >         content of root's ticket cache using klist. If there is anything, clean it<br>
>      >         with kdestroy and try to resubmit the request again.<br>
>      ><br>
>      >         --<br>
>      >         David Kupka<br>
>      ><br>
<br>
</blockquote></div></div><div dir="ltr">-- <br></div><p dir="ltr">Thanks, Anthony</p>
</blockquote></div><div dir="ltr">-- <br></div><p dir="ltr">Thanks, Anthony</p>
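The thread above works from pasted `getcert list` output to find which tracked requests are stuck. The following is an added example, not part of the original messages or of certmonger: it parses that listing and reports each request that is not in MONITORING state, is marked stuck, or is close to expiry relative to a supplied clock. The host names, the first request ID, the function names and the 28-day threshold are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

FMT = "%Y-%m-%d %H:%M:%S UTC"  # timestamp format of the "expires:" field
# Constructed sample in the shape of `getcert list` output (not from a real host).
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20990101000000':
\tstatus: MONITORING
\tstuck: no
\tsubject: CN=RA Subsystem,O=EXAMPLE.TEST
\texpires: 2017-10-13 14:09:49 UTC
Request ID '20130519130745':
\tstatus: NEED_CSR_GEN_PIN
\tca-error: Internal error: no response to "http://ca.example.test:9180/ca/ee/ca/profileSubmit".
\tstuck: yes
\tsubject: CN=ca.example.test,O=EXAMPLE.TEST
\texpires: 2017-10-13 14:09:49 UTC
"""

def parse_getcert(text):
    """Split the listing into one dict per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def triage(text, now, warn_days=28):  # warn_days is an assumed threshold
    """Return (id, reasons) for every request that needs operator attention."""
    findings = []
    for req in parse_getcert(text):
        reasons = []
        if req.get("status") != "MONITORING":
            reasons.append("status=" + req.get("status", "?"))
        if req.get("stuck") == "yes":
            reasons.append("stuck")
        if "expires" in req:
            exp = datetime.strptime(req["expires"], FMT).replace(tzinfo=timezone.utc)
            days = (exp - now).days
            if days < warn_days:
                reasons.append("expired" if days < 0 else f"expires in {days}d")
        if reasons:
            findings.append((req["id"], reasons))
    return findings
```

Passing `now` explicitly matters in a situation like this thread's, where the system clock has been set manually: the expiry check then states which clock it was evaluated against.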