<div dir="ltr">I found from [root@host pki-ca]# tail -n 100 /var/log/pki-ca/system that CA chain is missing; so I am thinking I may have to use <code class="">ipa-server-certinstall</code> to reinstall the two certs. 5135.main - [27/Jan/2016:14:10:14 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException 2003.main - [27/Jan/2016:14:35:33 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException 2003.TP-Processor3 - [27/Jan/2016:14:35:40 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registr ation Manager. The remote server could be down. 2003.TP-Processor2 - [27/Jan/2016:14:35:40 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registr ation Manager. The remote server could be down. 2000.main - [28/Jan/2016:07:43:00 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException 2000.TP-Processor2 - [28/Jan/2016:07:43:07 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registr ation Manager. The remote server could be down. 2000.TP-Processor3 - [28/Jan/2016:07:43:07 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registr ation Manager. The remote server could be down. 2085.main - [03/Feb/2016:08:57:05 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException 2085.TP-Processor2 - [27/Jan/2016:14:05:03 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registr ation Manager. The remote server could be down. <div class="gmail_extra"> <div class="gmail_quote">On Mon, May 16, 2016 at 11:45 AM, Adam Kaczka <<a href="mailto:akaczka86@gmail.com" target="_blank">akaczka86@gmail.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Certmonger cannot communicate with CA; the result of getlist cert shows: RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found) </div>After setting time back, from /var/log/pki-ca/debug I get: [30/Dec/2015:08:10:25][main]: CMS:Caught EBaseException Certificate object not found at com.netscape.ca.SigningUnit.init(SigningUnit.java:190) at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1205) at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260) at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866) at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795) at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316) at com.netscape.certsrv.apps.CMS.init(CMS.java:153) at com.netscape.certsrv.apps.CMS.start(CMS.java:1530) at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173) at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993) at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4425) at org.apache.catalina.core.StandardContext.start(StandardContext.java:4738) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526) at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041) at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964) at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502) at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277) at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321) at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053) at org.apache.catalina.core.StandardHost.start(StandardHost.java:722) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045) at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443) at org.apache.catalina.core.StandardService.start(StandardService.java:516) at org.apache.catalina.core.StandardServer.start(StandardServer.java:710) at org.apache.catalina.startup.Catalina.start(Catalina.java:593) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) [30/Dec/2015:08:10:25][main]: CMSEngine.shutdown() [30/Dec/2015:08:10:32][http-9180-1]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}. [30/Dec/2015:08:10:32][http-9180-1]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}. [30/Dec/2015:08:10:33][TP-Processor2]: according to ccMode, authorization for servlet: caDisplayBySerial is LDAP based, not XML {1}, use default authz mgr: {2}. [30/Dec/2015:08:10:33][TP-Processor3]: according to ccMode, authorization for servlet: caDisplayBySerial is LDAP based, not XML {1}, use default authz mgr: {2}. </div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"> <div class="gmail_quote">On Mon, May 16, 2016 at 6:28 AM, Petr Vobornik <<a href="mailto:pvoborni@redhat.com" target="_blank">pvoborni@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 05/14/2016 12:01 AM, Adam Kaczka wrote: > Hi all, > > I have inherited a IPA system that has an expired cert and the old admins have > left; I followed (<a href="http://www.freeipa.org/page/IPA_2x_Certificate_Renewal" rel="noreferrer" target="_blank">http://www.freeipa.org/page/IPA_2x_Certificate_Renewal</a>) but > running into errors when I try to renew the CA certs even after time is reset. > Also tried the troubleshooting under > (<a href="http://www.freeipa.org/page/Troubleshooting#Authentication_Errors" rel="noreferrer" target="_blank">http://www.freeipa.org/page/Troubleshooting#Authentication_Errors</a>); > specifically using "certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt" > to add the cert in the database. > > From the output of getcert list, I see both CA_UNREACHABLE and > NEED_CSR_GEN_PIN. I followed redhat article here > (<a href="https://access.redhat.com/solutions/1142913" rel="noreferrer" target="_blank">https://access.redhat.com/solutions/1142913</a>) which verified key file password > is correct and I have reset time. However the NEED_CSR_GEN_PIN status remains. > My company actually has redhat support but when they built this IPA whoever > built it was using Centos 6 so I am out of luck here. > > Would really appreciate any help since I am stuck at this point? What else I > can do at this point? e.g. Is generate a new CA cert necessary, etc.? Hi, you don't need to renew CA cert, it seems to be valid. But your server cert is expired. It expired on 2016-03-29. 1. Move date back before this date, e.g., 2016-03-27. 2. Verify that IPA is running `ipactl status`. Maybe restart will be needed. 3. run `getcert list` to see if certmonger can communicate with CA 4. if certmonger doesn't renew the certs automatically, run `getcert resubmit -i $certid` for the expired cert. <div><div> > > Version: > ipa-pki-ca-theme.noarch 9.0.3-7.el6 @base > ipa-pki-common-theme.noarch 9.0.3-7.el6 @base > ipa-pmincho-fonts.noarch 003.02-3.1.el6 @base > ipa-python.x86_64 3.0.0-47.el6.centos.2 @updates > ipa-server.x86_64 3.0.0-47.el6.centos.2 @updates > ipa-server-selinux.x86_64 3.0.0-47.el6.centos.2 @updates > > Part of error logs from /var/log/pki-ca/debug after I reset clock; I see these > errors which I think is relevlant?: > [27/Dec/2015:14:12:01][main]: SigningUnit init: debug > org.mozilla.jss.crypto.ObjectNotFoundException > Certificate object not found > [27/Dec/2015:14:12:01][main]: CMS:Caught EBaseException > Certificate object not found > [27/Dec/2015:14:12:01][main]: CMSEngine.shutdown() > > Result seems to show key file password is correct: > certutil -K -d /etc/dirsrv/slapd-REALM-NET/ -f > /etc/dirsrv/slapd-REALM-NET/pwdfile.txt > certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and > Certificate Services" > < 0> rsa ############################ NSS Certificate DB:Server-Cert > > > certutil -L -d /var/lib/pki-ca/alias > > Certificate Nickname Trust Attributes > SSL,S/MIME,JAR/XPI > > ocspSigningCert cert-pki-ca u,u,u > subsystemCert cert-pki-ca u,u,u > Server-Cert cert-pki-ca u,u,u > auditSigningCert cert-pki-ca u,u,Pu > caSigningCert cert-pki-ca CTu,Cu,Cu > > > certutil -L -d /etc/httpd/alias > > Certificate Nickname Trust Attributes > SSL,S/MIME,JAR/XPI > > Server-Cert u,u,u > ipaCert u,u,u </div></div>> <a href="http://REALM.COM" rel="noreferrer" target="_blank">REALM.COM</a> <<a href="http://REALM.COM" rel="noreferrer" target="_blank">http://REALM.COM</a>> IPA CA CT,C, > > > certutil -L -d /etc/dirsrv/slapd-REALM-COM > > Certificate Nickname Trust Attributes > SSL,S/MIME,JAR/XPI > > Server-Cert u,u,u > <a href="http://REALM.COM" rel="noreferrer" target="_blank">REALM.COM</a> <<a href="http://REALM.COM" rel="noreferrer" target="_blank">http://REALM.COM</a>> IPA CA CT,C,C > > > Output of getcert list: > > Number of certificates and requests being tracked: 7. > Request ID '21135214223243': > status: CA_UNREACHABLE > ca-error: Server at <a href="https://host.example.net/ipa/xml" rel="noreferrer" target="_blank">https://host.example.net/ipa/xml</a> failed request, > will retry: 4301 (RPC failed at server. Certificate oper > ation cannot be completed: Unable to communicate with CMS (Not Found)). > stuck: no > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS > Certificate DB',pinfil > e='/etc/dirsrv/slapd-example-NET//pwdfile.txt' > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=example.NET > subject: CN=<a href="http://host.example.net" rel="noreferrer" target="_blank">host.example.net</a> <<a href="http://host.example.net" rel="noreferrer" target="_blank">http://host.example.net</a>>,O=example.NET > expires: 2016-03-29 14:09:46 UTC > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '21135214223300': > status: CA_UNREACHABLE > ca-error: Server at <a href="https://host.example.net/ipa/xml" rel="noreferrer" target="_blank">https://host.example.net/ipa/xml</a> failed request, > will retry: 4301 (RPC failed at server. Certificate oper > ation cannot be completed: Unable to communicate with CMS (Not Found)). > stuck: no > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate > DB',pinfile=' > /etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate > DB' > CA: IPA > issuer: CN=Certificate Authority,O=example.NET > subject: CN=<a href="http://host.example.net" rel="noreferrer" target="_blank">host.example.net</a> <<a href="http://host.example.net" rel="noreferrer" target="_blank">http://host.example.net</a>>,O=example.NET <div><div>> expires: 2016-03-29 14:09:45 UTC > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20130519130741': > status: NEED_CSR_GEN_PIN > ca-error: Internal error: no response to > "<a href="http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=auditSigningCert+cert-" rel="noreferrer" target="_blank">http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=auditSigningCert+cert-</a> > pki-ca&serial_num=61&renewal=true&xml=true". > stuck: yes > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate > DB',pin set > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=example.NET > subject: CN=CA Audit,O=example.NET > expires: 2017-10-13 14:10:49 UTC > key usage: digitalSignature,nonRepudiation > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "auditSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20130519130742': > status: NEED_CSR_GEN_PIN > ca-error: Internal error: no response to > "<a href="http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu" rel="noreferrer" target="_blank">http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu</a> > m=60&renewal=true&xml=true". > stuck: yes > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate D > B',pin set > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=example.NET > subject: CN=OCSP Subsystem,O=example.NET > expires: 2017-10-13 14:09:49 UTC > eku: id-kp-OCSPSigning > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "ocspSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20130519130743': > status: NEED_CSR_GEN_PIN > ca-error: Internal error: no response to > "<a href="http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu" rel="noreferrer" target="_blank">http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu</a> > m=62&renewal=true&xml=true". > stuck: yes > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB' > ,pin set > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=example.NET > subject: CN=CA Subsystem,O=example.NET > expires: 2017-10-13 14:09:49 UTC > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert > "subsystemCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20130519130744': > status: MONITORING > ca-error: Internal error: no response to > "<a href="http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu" rel="noreferrer" target="_blank">http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu</a> > m=64&renewal=true&xml=true". > stuck: no > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate > DB',pinfile='/etc/httpd/al > ias/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=example.NET > subject: CN=RA Subsystem,O=example.NET > expires: 2017-10-13 14:09:49 UTC > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert > track: yes > auto-renew: yes > Request ID '20130519130745': > status: NEED_CSR_GEN_PIN > ca-error: Internal error: no response to > "<a href="http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu" rel="noreferrer" target="_blank">http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu</a> > m=63&renewal=true&xml=true". > stuck: yes > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB',p > in set > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=example.NET </div></div>> subject: CN=<a href="http://host.example.net" rel="noreferrer" target="_blank">host.example.net</a> <<a href="http://host.example.net" rel="noreferrer" target="_blank">http://host.example.net</a>>,O=example.NET <div><div>> expires: 2017-10-13 14:09:49 UTC > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > > > Regards, Adam > > > </div></div>-- Petr Vobornik </blockquote></div> </div> </div></div></blockquote></div> </div></div>