<div dir="ltr">Thanks for the update, Rob. I went back to Jan 20, 2016, restarted CA and certmonger. Looks like certificates were renewed. But I'm getting a different error now,<div><div><br></div><div><b>ca-error: Internal error: no response to "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true</a>".</b><br></div><div><br></div><div><div>[root@caer ~]# getcert list</div><div>Number of certificates and requests being tracked: 8.</div><div>Request ID '20111214223243':</div><div>        status: MONITORING</div><div>        stuck: no</div><div>        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'</div><div>        certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'</div><div>        CA: IPA</div><div>        issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET">TELOIP.NET</a></div><div>        subject: CN=<a href="http://caer.teloip.net">caer.teloip.net</a>,O=<a href="http://TELOIP.NET">TELOIP.NET</a></div><div>        expires: 2016-07-18 15:54:36 UTC</div><div>        eku: id-kp-serverAuth</div><div>        pre-save command:</div><div>        post-save command:</div><div>        track: yes</div><div>        auto-renew: yes</div><div>Request ID '20111214223300':</div><div>        status: MONITORING</div><div>        stuck: no</div><div>        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'</div><div>        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'</div><div>        CA: IPA</div><div>        issuer: CN=Certificate 
Authority,O=<a href="http://TELOIP.NET">TELOIP.NET</a></div><div>        subject: CN=<a href="http://caer.teloip.net">caer.teloip.net</a>,O=<a href="http://TELOIP.NET">TELOIP.NET</a></div><div>        expires: 2016-07-18 15:54:52 UTC</div><div>        eku: id-kp-serverAuth</div><div>        pre-save command:</div><div>        post-save command:</div><div>        track: yes</div><div>        auto-renew: yes</div><div>Request ID '20111214223316':</div><div>        status: MONITORING</div><div>        stuck: no</div><div>        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'</div><div>        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'</div><div>        CA: IPA</div><div>        issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET">TELOIP.NET</a></div><div>        subject: CN=<a href="http://caer.teloip.net">caer.teloip.net</a>,O=<a href="http://TELOIP.NET">TELOIP.NET</a></div><div>        expires: 2016-07-18 15:55:04 UTC</div><div>        eku: id-kp-serverAuth</div><div>        pre-save command:</div><div>        post-save command:</div><div>        track: yes</div><div>        auto-renew: yes</div><div>Request ID '20130519130741':</div><div>        status: MONITORING</div><div>        ca-error: Internal error: no response to "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true</a>".</div><div>        stuck: no</div><div>        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'</div><div>        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'</div><div>       
 CA: dogtag-ipa-renew-agent</div><div>        issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET">TELOIP.NET</a></div><div>        subject: CN=CA Audit,O=<a href="http://TELOIP.NET">TELOIP.NET</a></div><div>        expires: 2017-10-13 14:10:49 UTC</div><div>        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad</div><div>        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"</div><div>        track: yes</div><div>        auto-renew: yes</div><div>Request ID '20130519130742':</div><div>        status: MONITORING</div><div>        ca-error: Internal error: no response to "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true</a>".</div><div>        stuck: no</div><div>        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'</div><div>        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'</div><div>        CA: dogtag-ipa-renew-agent</div><div>        issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET">TELOIP.NET</a></div><div>        subject: CN=OCSP Subsystem,O=<a href="http://TELOIP.NET">TELOIP.NET</a></div><div>        expires: 2017-10-13 14:09:49 UTC</div><div>        eku: id-kp-OCSPSigning</div><div>        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad</div><div>        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"</div><div>        track: yes</div><div>        auto-renew: yes</div><div>Request ID '20130519130743':</div><div>        status: MONITORING</div><div>        ca-error: Internal error: no response to "<a 
href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true</a>".</div><div>        stuck: no</div><div>        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'</div><div>        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'</div><div>        CA: dogtag-ipa-renew-agent</div><div>        issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET">TELOIP.NET</a></div><div>        subject: CN=CA Subsystem,O=<a href="http://TELOIP.NET">TELOIP.NET</a></div><div>        expires: 2017-10-13 14:09:49 UTC</div><div>        eku: id-kp-serverAuth,id-kp-clientAuth</div><div>        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad</div><div>        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"</div><div>        track: yes</div><div>        auto-renew: yes</div><div>Request ID '20130519130744':</div><div>        status: MONITORING</div><div>        ca-error: Internal error: no response to "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true</a>".</div><div>        stuck: no</div><div>        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'</div><div>        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'</div><div>        CA: dogtag-ipa-renew-agent</div><div>        issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET">TELOIP.NET</a></div><div>        subject: CN=RA 
 Subsystem,O=<a href="http://TELOIP.NET">TELOIP.NET</a></div><div>        expires: 2017-10-13 14:09:49 UTC</div><div>        eku: id-kp-serverAuth,id-kp-clientAuth</div><div>        pre-save command:</div><div>        post-save command: /usr/lib64/ipa/certmonger/restart_httpd</div><div>        track: yes</div><div>        auto-renew: yes</div><div>Request ID '20130519130745':</div><div>        status: MONITORING</div><div>        ca-error: Internal error: no response to "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true</a>".</div><div>        stuck: no</div><div>        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'</div><div>        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'</div><div>        CA: dogtag-ipa-renew-agent</div><div>        issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET">TELOIP.NET</a></div><div>        subject: CN=<a href="http://caer.teloip.net">caer.teloip.net</a>,O=<a href="http://TELOIP.NET">TELOIP.NET</a></div><div>        expires: 2017-10-13 14:09:49 UTC</div><div>        eku: id-kp-serverAuth,id-kp-clientAuth</div><div>        pre-save command:</div><div>        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "<a href="http://TELOIP.NET">TELOIP.NET</a>"</div><div>        track: yes</div><div>        auto-renew: yes</div><div>[root@caer ~]#</div></div><div><br></div><div>Your help is highly appreciated!</div><div class="gmail_extra"><br clear="all">
<br><div class="gmail_quote">On Fri, Jul 15, 2016 at 5:08 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">Linov Suresh wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><span class="">
I logged into my IPA master, and found that the cert had expired again,<br>
we renewed these certificates about 18 months ago.<br>
<br>
Our environment is CentOS 6.4 and IPA 3.0.0-26.<br>
<br>
<br></span>
  I followed the Red Hat documentation, "How do I manually renew Identity<span class=""><br>
  Management (IPA) certificates after they have expired? (Master IPA<br>
  Server)", <a href="https://access.redhat.com/solutions/643753" rel="noreferrer" target="_blank">https://access.redhat.com/solutions/643753</a> but no luck.<br>
<br>
<br>
I have also changed the directive "NSSEnforceValidCerts off" in<br>
/etc/httpd/conf.d/nss.conf and the value of nsslapd-validate-cert is warn.<br>
<br>
ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w *******<br>
-b  cn=config | grep  nsslapd-validate-cert<br>
<br>
nsslapd-validate-cert: warn<br>
<br>
Here is my getcert list,<br>
<br>
[root@caer ~]# getcert list<br>
</span></blockquote>
<br>
It looks like your CA subsystem certificates all renewed successfully; it is just the webserver and LDAP certificates that need renewing, so that's good.<br>
<br>
What I'd do is go back in time again to, say, Jan 20, 2016 and restart certmonger. That should make it retry the renewals.<span class=""><font color="#888888"><br>
<br>
rob<br>
</font></span></blockquote></div><br></div></div></div>
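The exchange above turns on reading `getcert list` carefully: which tracked requests still carry a `ca-error` from the last renewal attempt, which are stuck, and which certificates are about to expire or already have. As an added example (not code from this thread, from FreeIPA or from certmonger), the following Python script parses that output into one record per request and triages it. The sample output, the `example.test` hostnames and the request IDs are constructed to mirror the format shown in the thread; the 28-day warning window is an assumed local policy, not a certmonger default.

```python
# Added example (not from the thread, FreeIPA or certmonger): parse `getcert list`
# output and flag the tracked requests an operator must look at.
import re
from datetime import datetime, timedelta, timezone

RECORD_START = re.compile(r"^Request ID '([^']+)':")
COUNT_LINE = re.compile(r"^Number of certificates and requests being tracked: (\d+)\.")
EXPIRES_FORMAT = "%Y-%m-%d %H:%M:%S UTC"

# Constructed sample in the `getcert list` format (example.test names, made-up IDs):
# one near expiry, one whose last renewal failed at the CA, one stuck and already
# expired, and one healthy.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 4.
Request ID '20111214223316':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        CA: IPA
        subject: CN=ipa.example.test,O=EXAMPLE.TEST
        expires: 2016-07-18 15:55:04 UTC
        auto-renew: yes
Request ID '20130519130741':
        status: MONITORING
        ca-error: Internal error: no response to "http://ipa.example.test:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
        stuck: no
        CA: dogtag-ipa-renew-agent
        subject: CN=CA Audit,O=EXAMPLE.TEST
        expires: 2017-10-13 14:10:49 UTC
Request ID '20130519130745':
        status: CA_UNREACHABLE
        stuck: yes
        CA: dogtag-ipa-renew-agent
        subject: CN=ipa.example.test,O=EXAMPLE.TEST
        expires: 2016-06-01 00:00:00 UTC
Request ID '20160120120000':
        status: MONITORING
        stuck: no
        CA: IPA
        subject: CN=ldap.example.test,O=EXAMPLE.TEST
        expires: 2018-01-20 12:00:00 UTC
"""
# Constructed "now" on the thread's date, so the sample triage is reproducible.
SAMPLE_NOW = datetime(2016, 7, 15, 17, 8, tzinfo=timezone.utc)


def tracked_count(text):
    """Count certmonger reports in the header line, or None if the line is missing."""
    for line in text.splitlines():
        m = COUNT_LINE.match(line)
        if m:
            return int(m.group(1))
    return None


def parse_getcert_list(text):
    """One dict per 'Request ID' block; values split on the first colon only,
    so a ca-error like 'Internal error: no response to ...' survives intact."""
    records, current = [], None
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:
            current = {"request_id": m.group(1)}
            records.append(current)
        elif current is not None and line[:1].isspace():
            key, sep, value = line.strip().partition(":")
            if sep:
                current[key.strip()] = value.strip()
    return records


def triage(records, now=SAMPLE_NOW, warn_within=timedelta(days=28)):
    """Requests needing attention and why. warn_within is a local policy
    choice (assumption), not a certmonger default."""
    findings = []
    for rec in records:
        problems = []
        if rec.get("status") != "MONITORING":
            problems.append("status is %s" % rec.get("status", "unknown"))
        if rec.get("stuck") == "yes":
            problems.append("certmonger reports the request as stuck")
        if "ca-error" in rec:
            problems.append("last renewal attempt failed: " + rec["ca-error"])
        if "expires" in rec:
            when = datetime.strptime(rec["expires"], EXPIRES_FORMAT).replace(tzinfo=timezone.utc)
            if when <= now:
                problems.append("certificate expired on " + rec["expires"])
            elif when - now <= warn_within:
                problems.append("certificate expires in %d days" % (when - now).days)
        if problems:
            findings.append({"request_id": rec["request_id"], "subject": rec.get("subject", "?"),
                             "ca": rec.get("CA", "?"), "problems": problems})
    return findings


if __name__ == "__main__":
    recs = parse_getcert_list(SAMPLE_GETCERT_OUTPUT)
    print("tracked: %s, parsed: %d" % (tracked_count(SAMPLE_GETCERT_OUTPUT), len(recs)))
    for f in triage(recs):
        print("%s  %s  (CA helper: %s)" % (f["request_id"], f["subject"], f["ca"]))
        for p in f["problems"]:
            print("    - " + p)
```

On a real master, feed the script live output instead of the sample, for instance `subprocess.run(["getcert", "list"], capture_output=True, text=True).stdout`, and pass `datetime.now(timezone.utc)` as `now`; comparing `tracked_count` with the number of parsed records catches truncated output. Splitting each field on the first colon matters because the `ca-error` text itself contains colons, and keeping the `CA` field lets the report separate certificates renewed through the IPA helper from those that go through `dogtag-ipa-renew-agent`, the distinction Rob draws above.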