<div dir="ltr"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div dir="ltr"><div style="background-color:rgb(255,255,255)"><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;line-height:normal">
<p>I logged into my IPA master and found that the cert had expired again; we renewed these certificates about 18 months ago.</p>

<p>Our environment is CentOS 6.4 and IPA 3.0.0-26.</p>

<p>I followed the Red Hat documentation, "How do I manually renew Identity Management (IPA) certificates after they have expired? (Master IPA Server)", <a href="https://access.redhat.com/solutions/643753">https://access.redhat.com/solutions/643753</a>, but no luck.</p>

<p>I have also changed "NSSEnforceValidCerts off" in /etc/httpd/conf.d/nss.conf and the value of nsslapd-validate-cert is warn.</p>

<pre>ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w ******* -b cn=config | grep nsslapd-validate-cert
nsslapd-validate-cert: warn</pre>

<p>Here is my getcert list,</p>

<pre>[root@caer ~]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20111214223243':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2016-01-29 14:09:46 UTC
        eku: id-kp-serverAuth
        pre-save command: 
        post-save command: 
        track: yes
        auto-renew: yes
Request ID '20111214223300':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2016-01-29 14:09:45 UTC
        eku: id-kp-serverAuth
        pre-save command: 
        post-save command: 
        track: yes
        auto-renew: yes
Request ID '20111214223316':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2016-01-29 14:09:45 UTC
        eku: id-kp-serverAuth
        pre-save command: 
        post-save command: 
        track: yes
        auto-renew: yes
Request ID '20130519130741':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=CA Audit,O=TELOIP.NET
        expires: 2017-10-13 14:10:49 UTC
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130742':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=OCSP Subsystem,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-OCSPSigning
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130743':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=CA Subsystem,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130744':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=RA Subsystem,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: 
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20130519130745':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: 
        post-save command: 
        track: yes
        auto-renew: yes</pre>
</div></div></div></div></div></div></div>
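<p>An added example, not part of the post above and not code from FreeIPA or certmonger: a Python script that parses <code>getcert list</code> output in the layout shown in the post and reports requests that are stuck, not in MONITORING, have auto-renew off, or whose certificate is already expired or inside a warning window. Run as a periodic check, it flags entries like the three CA_UNREACHABLE Server-Cert requests before the expiry date passes. The listing embedded in it is a constructed, trimmed sample (domain changed to EXAMPLE.COM, pin redacted), and the function names <code>parse_getcert_list</code>, <code>storage_field</code>, <code>parse_utc</code> and <code>check_renewals</code> are chosen here.</p>

```python
"""Flag certmonger requests that need attention, from `getcert list` output.

Added example; not code from the mailing-list post or from FreeIPA/certmonger.
Usage:  getcert list | python3 check_certmonger.py      (on the IPA host)
        python3 check_certmonger.py --sample            (embedded sample)
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample of `getcert list` output modelled on the post: one
# stuck and expired request, one healthy one, one nearing expiry.
# Domain and pin are placeholders, not values from the post.
SAMPLE_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20111214223243':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM//pwdfile.txt'
        CA: IPA
        subject: CN=ipa.example.com,O=EXAMPLE.COM
        expires: 2016-01-29 14:09:46 UTC
        track: yes
        auto-renew: yes
Request ID '20130519130741':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='REDACTED'
        CA: dogtag-ipa-renew-agent
        subject: CN=CA Audit,O=EXAMPLE.COM
        expires: 2017-10-13 14:10:49 UTC
        track: yes
        auto-renew: yes
Request ID '20130519130744':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        CA: dogtag-ipa-renew-agent
        subject: CN=RA Subsystem,O=EXAMPLE.COM
        expires: 2016-02-10 14:09:49 UTC
        track: yes
        auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
# Indented "key: value" lines; the non-greedy key stops at the first ": ",
# so "ca-error: ... will retry: -504" keeps its full message as the value.
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?):\s?(.*)$")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_utc(value):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' into an aware datetime."""
    return datetime.strptime(value, EXPIRES_FMT).replace(tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Split `getcert list` output into one {field: value} dict per request."""
    records, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return records


def storage_field(record, name):
    """Pull nickname=/location=/pin= out of the 'key pair storage' line ('' if absent)."""
    m = re.search(r"\b%s='([^']*)'" % re.escape(name), record.get("key pair storage", ""))
    return m.group(1) if m else ""


def check_renewals(records, now, warn_days=30):
    """Return (request_id, nickname, problem) tuples; an empty list means all healthy."""
    findings = []
    for r in records:
        rid, nick = r["request_id"], storage_field(r, "nickname")
        if r.get("stuck") == "yes":
            findings.append((rid, nick, "stuck: " + r.get("ca-error", "no ca-error recorded")))
        elif r.get("status") != "MONITORING":
            findings.append((rid, nick, "status " + r.get("status", "?")))
        if r.get("auto-renew") != "yes":
            findings.append((rid, nick, "auto-renew is off"))
        if "expires" in r:
            expires = parse_utc(r["expires"])
            if expires <= now:
                findings.append((rid, nick, "expired %d days ago (%s)" % ((now - expires).days, r["expires"])))
            elif expires - now <= timedelta(days=warn_days):
                findings.append((rid, nick, "expires in %d days (%s)" % ((expires - now).days, r["expires"])))
    return findings


def main(argv):
    text = SAMPLE_OUTPUT if "--sample" in argv else sys.stdin.read()
    findings = check_renewals(parse_getcert_list(text), datetime.now(timezone.utc))
    for rid, nick, problem in findings:
        print("%s (%s): %s" % (rid, nick, problem))
    return 1 if findings else 0   # non-zero exit so cron/monitoring notices


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

<p>The script exits non-zero whenever it has something to report, so it drops straight into a cron job or a Nagios-style check. The 30-day window is deliberately wider than certmonger's own renewal lead time, because the failure mode in the post is exactly the one where certmonger is trying and failing: the request sits in CA_UNREACHABLE with <code>stuck: yes</code> while the clock runs out, and only a check that looks at both the status and the expiry date catches that early.</p>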