<div dir="ltr">Great! That worked, and I successfully renewed the certificates on the IPA server. Then I was trying to create an IPA replica server and got an error,<span style="color:rgb(51,51,51);font-family:monospace;font-size:11.375px;line-height:19.6px;white-space:pre-wrap">

[</span><a target="_blank" href="mailto:root@neit-lab" style="color:rgb(0,136,206);text-decoration:none;font-family:monospace;font-size:11.375px;line-height:19.6px;white-space:pre-wrap">root@neit-lab</a><span style="color:rgb(51,51,51);font-family:monospace;font-size:11.375px;line-height:19.6px;white-space:pre-wrap"> ~]# ipa-replica-install  --setup-ca --setup-dns --no-forwarders  --skip-conncheck /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg
Directory Manager (existing master) password: 

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname <a href="http://neit-lab.teloip.net">neit-lab.teloip.net</a> -cs_port 9445 -client_certdb_dir /tmp/tmp-QAXI9A -client_certdb_pwd XXXXXXXX -preop_pin UpMxkDYjV90WLL041tDU -domain_name IPA -admin_user admin -admin_email </span><a target="_blank" href="mailto:root@localhost" style="color:rgb(0,136,206);text-decoration:none;font-family:monospace;font-size:11.375px;line-height:19.6px;white-space:pre-wrap">root@localhost</a><span style="color:rgb(51,51,51);font-family:monospace;font-size:11.375px;line-height:19.6px;white-space:pre-wrap"> -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=<a href="http://TELOIP.NET">TELOIP.NET</a> -ldap_host <a href="http://neit-lab.teloip.net">neit-lab.teloip.net</a> -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=<a href="http://TELOIP.NET">TELOIP.NET</a> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=<a href="http://TELOIP.NET">TELOIP.NET</a> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=<a href="http://TELOIP.NET">TELOIP.NET</a> -ca_server_cert_subject_name CN=<a href="http://neit-lab.teloip.net">neit-lab.teloip.net</a>,O=<a href="http://TELOIP.NET">TELOIP.NET</a> -ca_audit_signing_cert_subject_name CN=CA Audit,O=<a href="http://TELOIP.NET">TELOIP.NET</a> -ca_sign_cert_subject_name CN=Certificate Authority,O=<a href="http://TELOIP.NET">TELOIP.NET</a> -external false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX -sd_hostname <a href="http://caer.teloip.net">caer.teloip.net</a> -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri 
</span><a target="_blank" href="https://caer.teloip.net:443'/" style="color:rgb(0,136,206);text-decoration:none;font-family:monospace;font-size:11.375px;line-height:19.6px;white-space:pre-wrap">https://caer.teloip.net:443'</a><span style="color:rgb(51,51,51);font-family:monospace;font-size:11.375px;line-height:19.6px;white-space:pre-wrap"> returned non-zero exit status 255

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed
[</span><a target="_blank" href="mailto:root@neit-lab" style="color:rgb(0,136,206);text-decoration:none;font-family:monospace;font-size:11.375px;line-height:19.6px;white-space:pre-wrap">root@neit-lab</a><span style="color:rgb(51,51,51);font-family:monospace;font-size:11.375px;line-height:19.6px;white-space:pre-wrap"> ~]# </span><div><span style="color:rgb(51,51,51);font-family:monospace;font-size:11.375px;line-height:19.6px;white-space:pre-wrap"><br></span></div><div>I did a cleanup using /usr/sbin/ipa-server-install --uninstall, but it wasn't helpful.<span style="color:rgb(51,51,51);font-family:monospace;font-size:11.375px;line-height:19.6px;white-space:pre-wrap"> </span><span style="color:rgb(51,51,51);font-family:monospace;font-size:11.375px;line-height:19.6px;white-space:pre-wrap">

</span>Wondering if you can help us with this.</div><div class="gmail_extra"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div dir="ltr"><div style="background-color:rgb(255,255,255)"><ul style="margin:0px;padding:0px 0px 8px;border:0px;outline:0px;font-size:12px;font-family:Helvetica,FreeSans,'Liberation Sans',Helmet,Arial,sans-serif;vertical-align:baseline;list-style:none;line-height:17px;display:table-cell;width:504px;color:rgb(51,51,51)"><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;line-height:normal"><br></div></ul></div></div></div></div></div>
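Rob's advice quoted further down (restart pki-cad, then certmonger, and step the clock back to just before the LDAP and Apache server certificates expired) is a manual procedure that is easy to get wrong under pressure: pick a date after the earliest expiry and the renewal still fails, forget to stop ntpd and the clock snaps straight back. The script below is an added example, not code from this thread or from FreeIPA/certmonger. It parses `getcert list` output (the sample inside it is constructed to resemble the listing quoted below), finds the stuck requests and the earliest expiry, and prints, without running, the recovery commands in the right order. It assumes GNU date and awk, as on the RHEL-family hosts in this thread; the helper names are my own.

```shell
#!/bin/sh
# Added example (not FreeIPA or certmonger code): triage `getcert list` output
# and print a dry-run plan for the "go back in time and renew" recovery.
# Assumes GNU date (-d/-s) and awk, as on the RHEL/CentOS hosts in this thread.

# One line per tracked request: "<request-id> <status> <stuck> <YYYY-MM-DD> <HH:MM:SS>"
# Reads getcert output on stdin; the expiry keeps ISO order so a plain sort is chronological.
summarize_requests() {
    awk '
        function emit() { if (id != "") print id, status, stuck, expires_at }
        /^[ \t]*Request ID/ {
            emit()
            id = $3; gsub(/[^0-9]/, "", id)        # strip the quotes and colon
            status = "?"; stuck = "?"; expires_at = "?"
        }
        /^[ \t]*status:/  { status = $2 }
        /^[ \t]*stuck:/   { stuck  = $2 }
        /^[ \t]*expires:/ { expires_at = $2 " " $3 }   # e.g. "2016-07-18 15:54:36"
        END { emit() }
    '
}

# Request IDs certmonger has given up on (stuck: yes); these need `getcert resubmit`.
stuck_requests() {
    summarize_requests | awk '$3 == "yes" { print $1 }'
}

# Earliest expiry among all tracked certificates, as "YYYY-MM-DD HH:MM:SS" (UTC).
earliest_expiry() {
    summarize_requests | awk '$4 != "?" { print $4, $5 }' | sort | head -n 1
}

# $1 = "YYYY-MM-DD HH:MM:SS" (UTC), $2 = days to step back (default 3).
# Prints the time to set the clock to so that every tracked certificate is still valid.
clock_target() {
    secs=$(date -u -d "$1 UTC" +%s) || return 1
    secs=$((secs - ${2:-3} * 86400))
    date -u -d "@$secs" '+%Y-%m-%d %H:%M:%S'
}

# Reads getcert output on stdin and prints the recovery commands without running them,
# so the privileged steps can be reviewed before anyone touches the clock.
plan_recovery() {
    input=$(cat)
    first=$(printf '%s\n' "$input" | earliest_expiry)
    [ -n "$first" ] || { echo "no expiry dates found in getcert output" >&2; return 1; }
    target=$(clock_target "$first" 3) || return 1
    echo "# earliest tracked expiry: $first UTC"
    echo "# 1. stop NTP first or it will step the clock straight back, then rewind:"
    echo "service ntpd stop"
    echo "date -u -s '$target'"
    echo "# 2. restart the CA, give it time to come up, then restart certmonger:"
    echo "service pki-cad restart"
    echo "sleep 60"
    echo "service certmonger restart"
    echo "# 3. resubmit each stuck request and watch it leave CA_UNREACHABLE:"
    printf '%s\n' "$input" | stuck_requests | while read -r id; do
        echo "getcert resubmit -i $id"
    done
    echo "getcert list"
    echo "# 4. once every request shows 'status: MONITORING' with a new expiry, restore real time:"
    echo "service ntpd start"
}

# Constructed sample, modelled on the getcert output quoted in this thread (not a real capture).
sample_getcert_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20111214223243':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        expires: 2016-07-18 15:54:36 UTC
        track: yes
Request ID '20111214223316':
        status: CA_UNREACHABLE
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        expires: 2016-07-18 15:55:04 UTC
        track: yes
Request ID '20130519130741':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        expires: 2017-10-13 14:10:49 UTC
        track: yes
EOF
}

# Real use on the IPA master: getcert list | plan_recovery
sample_getcert_output | plan_recovery
```

The plan deliberately rewinds to three days before the earliest expiry rather than to an arbitrary date: certmonger only renews certificates that are still valid, and the CA's own subsystem certificates must be valid too, so the target has to precede every expiry in the listing. Stopping ntpd first matters because the replica install output shows ntpd configured to start on boot; a running ntpd would correct the clock within minutes and leave the renewal half done.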
<br><div class="gmail_quote">On Tue, Jul 19, 2016 at 10:50 AM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Linov Suresh wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
I have followed Redhat official documentation,<br>
<a href="https://access.redhat.com/solutions/643753" rel="noreferrer" target="_blank">https://access.redhat.com/solutions/643753</a> for certificate renewal,<br></span>
which says *add: usercertificate* (step 12)<br>
<br>
<span class=""><br>
While on the other hand FreeIPA official documentaion<br>
</span><a href="http://www.freeipa.org/page/IPA_2x_Certificate_Renewal" rel="noreferrer" target="_blank">http://www.freeipa.org/page/IPA_2x_Certificate_Renewal</a> , say to *add:<br>
usercertificate;binary*<br>
<br>
Just wondering if we need to *add* the certificate or *replace* the<br>
existing certificate, and which format do we need to use? *pem* or *der*.<span class=""><br>
<br>
We already successfully renewed the certificates some months back, but<br>
they expired about 6 months back and we were not able to renew them until<br>
now, and this is affecting our production environment.<br>
<br>
Please help us.<br>
</span></blockquote>
<br>
You shouldn't have to mess with these values at all. In 3.0 this is handled somewhat automatically.<br>
<br>
I'd restart the CA, then certmonger and see if the communication error goes away for the CA subservice certificates (the internal error).<br>
<br>
# service pki-cad restart<br>
<pause a bit><br>
# service certmonger restart<br>
<br>
I find it very strange that the certificates were set to expire yesterday but it isn't a show-stopper necessarily assuming you can get the CA back up.<br>
<br>
Assuming you can, then go back in time again, this time just a few days and try renewing the LDAP and Apache server certs again.<br>
<br>
rob<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
<br>
On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh <<a href="mailto:linov.suresh@gmail.com" target="_blank">linov.suresh@gmail.com</a><br></span><span class="">
<mailto:<a href="mailto:linov.suresh@gmail.com" target="_blank">linov.suresh@gmail.com</a>>> wrote:<br>
<br>
    We have cloned and created another virtual server from the template.<br>
    Surprisingly, this server's certificates also expired at the same<br>
    time as the previous one's; they just lasted for a day.<br>
    Does this issue have something to do with the Kerberos tickets?<br>
<br>
    I am new to IPA and your help is highly appreciated.<br>
<br>
    On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh<br></span>
    <<a href="mailto:linov.suresh@gmail.com" target="_blank">linov.suresh@gmail.com</a> <mailto:<a href="mailto:linov.suresh@gmail.com" target="_blank">linov.suresh@gmail.com</a>>> wrote:<br>
<br>
        *Update: my webserver and LDAP certificates expired at<span class=""><br>
        2016-07-18 15:54:36 UTC and the certificates are in<br></span>
        CA_UNREACHABLE state.*<br>
        <br>
        *Could you please help us?*<span class=""><br>
<br>
        [root@caer tmp]# getcert list<br>
        Number of certificates and requests being tracked: 8.<br>
        Request ID '20111214223243':<br>
                 status: CA_UNREACHABLE<br>
                 ca-error: Server failed request, will retry: -504<br>
        (libcurl failed to execute the HTTP POST transaction.  Peer<br>
        certificate cannot be authenticated with known CA certificates).<br>
                 stuck: yes<br>
                 key pair storage:<br>
        type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS<br>
        Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'<br>
                 certificate:<br>
        type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS<br>
        Certificate DB'<br>
                 CA: IPA<br>
                 issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br></span><span class="">
        <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
                 subject: CN=<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a><br>
        <<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>>,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br></span>
        *expires: 2016-07-18 15:54:36 UTC*<span class=""><br>
                 eku: id-kp-serverAuth<br>
                 pre-save command:<br>
                 post-save command:<br>
                 track: yes<br>
                 auto-renew: yes<br>
        Request ID '20111214223300':<br>
                 status: CA_UNREACHABLE<br>
                 ca-error: Server failed request, will retry: -504<br>
        (libcurl failed to execute the HTTP POST transaction.  Peer<br>
        certificate cannot be authenticated with known CA certificates).<br>
                 stuck: yes<br>
                 key pair storage:<br>
        type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>
        Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'<br>
                 certificate:<br>
        type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>
        Certificate DB'<br>
                 CA: IPA<br>
                 issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br></span><span class="">
        <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
                 subject: CN=<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a><br>
        <<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>>,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br></span>
        *expires: 2016-07-18 15:54:52 UTC*<span class=""><br>
                 eku: id-kp-serverAuth<br>
                 pre-save command:<br>
                 post-save command:<br>
                 track: yes<br>
                 auto-renew: yes<br>
        Request ID '20111214223316':<br>
                 status: CA_UNREACHABLE<br>
                 ca-error: Server failed request, will retry: -504<br>
        (libcurl failed to execute the HTTP POST transaction.  Peer<br>
        certificate cannot be authenticated with known CA certificates).<br>
                 stuck: yes<br>
                 key pair storage:<br>
        type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>
        Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
                 certificate:<br>
        type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>
        Certificate DB'<br>
                 CA: IPA<br>
                 issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br></span><span class="">
        <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
                 subject: CN=<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a><br>
        <<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>>,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br></span>
        *expires: 2016-07-18 15:55:04 UTC*<div><div class="h5"><br>
                 eku: id-kp-serverAuth<br>
                 pre-save command:<br>
                 post-save command:<br>
                 track: yes<br>
                 auto-renew: yes<br>
        Request ID '20130519130741':<br>
                 status: MONITORING<br>
                 ca-error: Internal error: no response to<br>
        "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true</a>".<br>
                 stuck: no<br>
                 key pair storage:<br>
        type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert<br>
        cert-pki-ca',token='NSS Certificate DB',pin='297100916664'<br>
                 certificate:<br>
        type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert<br>
        cert-pki-ca',token='NSS Certificate DB'<br>
                 CA: dogtag-ipa-renew-agent<br>
                 issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
        <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
                 subject: CN=CA Audit,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
                 expires: 2017-10-13 14:10:49 UTC<br>
                 pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br>
                 post-save command:<br>
        /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert<br>
        cert-pki-ca"<br>
                 track: yes<br>
                 auto-renew: yes<br>
        Request ID '20130519130742':<br>
                 status: MONITORING<br>
                 ca-error: Internal error: no response to<br>
        "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true</a>".<br>
                 stuck: no<br>
                 key pair storage:<br>
        type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert<br>
        cert-pki-ca',token='NSS Certificate DB',pin='297100916664'<br>
                 certificate:<br>
        type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert<br>
        cert-pki-ca',token='NSS Certificate DB'<br>
                 CA: dogtag-ipa-renew-agent<br>
                 issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
        <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
                 subject: CN=OCSP Subsystem,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
                 expires: 2017-10-13 14:09:49 UTC<br>
                 eku: id-kp-OCSPSigning<br>
                 pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br>
                 post-save command:<br>
        /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert<br>
        cert-pki-ca"<br>
                 track: yes<br>
                 auto-renew: yes<br>
        Request ID '20130519130743':<br>
                 status: MONITORING<br>
                 ca-error: Internal error: no response to<br>
        "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true</a>".<br>
                 stuck: no<br>
                 key pair storage:<br>
        type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert<br>
        cert-pki-ca',token='NSS Certificate DB',pin='297100916664'<br>
                 certificate:<br>
        type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert<br>
        cert-pki-ca',token='NSS Certificate DB'<br>
                 CA: dogtag-ipa-renew-agent<br>
                 issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
        <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
                 subject: CN=CA Subsystem,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
                 expires: 2017-10-13 14:09:49 UTC<br>
                 eku: id-kp-serverAuth,id-kp-clientAuth<br>
                 pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br>
                 post-save command:<br>
        /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"<br>
                 track: yes<br>
                 auto-renew: yes<br>
        Request ID '20130519130744':<br>
                 status: MONITORING<br>
                 ca-error: Internal error: no response to<br>
        "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true</a>".<br>
                 stuck: no<br>
                 key pair storage:<br>
        type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS<br>
        Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
                 certificate:<br>
        type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS<br>
        Certificate DB'<br>
                 CA: dogtag-ipa-renew-agent<br>
                 issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
        <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
                 subject: CN=RA Subsystem,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
                 expires: 2017-10-13 14:09:49 UTC<br>
                 eku: id-kp-serverAuth,id-kp-clientAuth<br>
                 pre-save command:<br>
                 post-save command: /usr/lib64/ipa/certmonger/restart_httpd<br>
                 track: yes<br>
                 auto-renew: yes<br>
        Request ID '20130519130745':<br>
                 status: MONITORING<br>
                 ca-error: Internal error: no response to<br>
        "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true</a>".<br>
                 stuck: no<br>
                 key pair storage:<br>
        type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS<br>
        Certificate DB',pin='297100916664'<br>
                 certificate:<br>
        type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS<br>
        Certificate DB'<br>
                 CA: dogtag-ipa-renew-agent<br>
                 issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
        <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
                 subject: CN=<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a><br>
        <<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>>,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
                 expires: 2017-10-13 14:09:49 UTC<br>
                 eku: id-kp-serverAuth,id-kp-clientAuth<br>
                 pre-save command:<br>
                 post-save command:<br>
        /usr/lib64/ipa/certmonger/restart_dirsrv "<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
        <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>>"<br>
                 track: yes<br>
                 auto-renew: yes<br>
<br></div></div><span class="">
        On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh<br></span><span class="">
        <<a href="mailto:linov.suresh@gmail.com" target="_blank">linov.suresh@gmail.com</a> <mailto:<a href="mailto:linov.suresh@gmail.com" target="_blank">linov.suresh@gmail.com</a>>> wrote:<br>
<br>
            Yes, PKI is running and I don't see any errors in selftests.<br>
            I have followed <a href="https://access.redhat.com/solutions/643753" rel="noreferrer" target="_blank">https://access.redhat.com/solutions/643753</a><br>
            and restarted the PKI in step 10.<br>
<br>
            The only change I made was cleaning<br>
            up userCertificate;binary before adding the new<br></span>
            userCertificate in LDAP, which is step 12.<div><div class="h5"><br>
<br>
            [root@caer ~]# /etc/init.d/pki-cad status<br>
            pki-ca (pid 8634) is running...                            [<br>
              OK  ]<br>
                 Unsecure Port       = <a href="http://caer.teloip.net:9180/ca/ee/ca" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca</a><br>
                 Secure Agent Port   =<br>
            <a href="https://caer.teloip.net:9443/ca/agent/ca" rel="noreferrer" target="_blank">https://caer.teloip.net:9443/ca/agent/ca</a><br>
                 Secure EE Port      = <a href="https://caer.teloip.net:9444/ca/ee/ca" rel="noreferrer" target="_blank">https://caer.teloip.net:9444/ca/ee/ca</a><br>
                 Secure Admin Port   =<br>
            <a href="https://caer.teloip.net:9445/ca/services" rel="noreferrer" target="_blank">https://caer.teloip.net:9445/ca/services</a><br>
                 EE Client Auth Port =<br>
            <a href="https://caer.teloip.net:9446/ca/eeca/ca" rel="noreferrer" target="_blank">https://caer.teloip.net:9446/ca/eeca/ca</a><br>
                 PKI Console Port    = pkiconsole<br>
            <a href="https://caer.teloip.net:9445/ca" rel="noreferrer" target="_blank">https://caer.teloip.net:9445/ca</a><br>
                 Tomcat Port         = 9701 (for shutdown)<br>
<br>
                 PKI Instance Name:   pki-ca<br>
<br>
                 PKI Subsystem Type:  Root CA (Security Domain)<br>
<br>
                 Registered PKI Security Domain Information:<br>
<br>
            ==========================================================================<br>
                 Name:  IPA<br>
                 URL: <a href="https://caer.teloip.net:9445" rel="noreferrer" target="_blank">https://caer.teloip.net:9445</a><br>
<br>
            ==========================================================================<br>
            [root@caer ~]#<br>
            [root@caer ~]# tail -f /var/log/pki-ca/selftests.log<br>
            8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1]<br>
            SelfTestSubsystem:  loading all self test plugin logger<br>
            parameters<br>
            8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1]<br>
            SelfTestSubsystem:  loading all self test plugin instances<br>
            8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1]<br>
            SelfTestSubsystem:  loading all self test plugin instance<br>
            parameters<br>
            8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1]<br>
            SelfTestSubsystem:  loading self test plugins in on-demand order<br>
            8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1]<br>
            SelfTestSubsystem:  loading self test plugins in startup order<br>
            8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1]<br>
            SelfTestSubsystem: Self test plugins have been successfully<br>
            loaded!<br>
            8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1]<br>
            SelfTestSubsystem: Running self test plugins specified to be<br>
            executed at startup:<br>
            8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence:<br>
              CA is present<br>
            8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1]<br>
            SystemCertsVerification: system certs verification success<br>
            8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1]<br>
            SelfTestSubsystem: All CRITICAL self test plugins ran<br>
            SUCCESSFULLY at startup!<br>
<br>
            Your help is highly appreciated!<br>
<br>
                Linov Suresh<br>
<br>
                70 Forest Manor Rd.<br>
                Toronto<br>
                ON M2J 0A9<br></div></div>
                Mobile: <a href="tel:%2B1%20647%20406%209438" value="+16474069438" target="_blank">+1 647 406 9438</a> <tel:%2B1%20647%20406%209438><br>
                Linkedin: <a href="http://ca.linkedin.com/in/linov/" rel="noreferrer" target="_blank">ca.linkedin.com/in/linov/</a><br>
                <<a href="http://ca.linkedin.com/in/linov/" rel="noreferrer" target="_blank">http://ca.linkedin.com/in/linov/</a>><span class=""><br>
                Website: <a href="http://mylinuxthoughts.blogspot.com" rel="noreferrer" target="_blank">http://mylinuxthoughts.blogspot.com</a><br>
<br>
<br>
            On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik<br></span><div><div class="h5">
            <<a href="mailto:pvoborni@redhat.com" target="_blank">pvoborni@redhat.com</a> <mailto:<a href="mailto:pvoborni@redhat.com" target="_blank">pvoborni@redhat.com</a>>> wrote:<br>
<br>
                On 07/18/2016 05:45 AM, Linov Suresh wrote:<br>
                > Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and<br>
                > certmonger. Looks like the certificates were renewed. But I'm getting a different<br>
                > error now,<br>
                ><br>
                 > *ca-error: Internal error: no response to<br>
                 ><br>
                "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true</a>".*<br>
<br>
                Is PKI running? When you change the time, does restart<br>
                of IPA help?<br>
<br>
                ><br>
                > [root@caer ~]# getcert list<br>
                > Number of certificates and requests being tracked: 8.<br>
                > Request ID '20111214223243':<br>
                >          status: MONITORING<br>
                >          stuck: no<br>
                >          key pair storage:<br>
                > type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS<br>
                > Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'<br>
                >          certificate:<br>
                > type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS<br>
                > Certificate DB'<br>
                >          CA: IPA<br>
                 >          issuer: CN=Certificate<br>
                Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
                <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
                 >          subject: CN=<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a><br>
                <<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>><br>
                <<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>>,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
                 > <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
                >          expires: 2016-07-18 15:54:36 UTC<br>
                >          eku: id-kp-serverAuth<br>
                >          pre-save command:<br>
                >          post-save command:<br>
                >          track: yes<br>
                >          auto-renew: yes<br>
                > Request ID '20111214223300':<br>
                >          status: MONITORING<br>
                >          stuck: no<br>
                >          key pair storage:<br>
                > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate<br>
                > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'<br>
                >          certificate:<br>
                > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate<br>
                > DB'<br>
                >          CA: IPA<br>
                 >          issuer: CN=Certificate<br>
                Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
                <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
                 >          subject: CN=<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a><br>
                <<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>><br>
                <<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>>,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br></div></div><span class="">
                 > <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
                >          expires: 2016-07-18 15:54:52 UTC<br>
                >          eku: id-kp-serverAuth<br>
                >          pre-save command:<br>
                >          post-save command:<br>
                >          track: yes<br>
                >          auto-renew: yes<br>
                > Request ID '20111214223316':<br>
                >          status: MONITORING<br>
                >          stuck: no<br>
                >          key pair storage:<br>
                > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>
                > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
                >          certificate:<br>
                > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>
                > Certificate DB'<br>
                >          CA: IPA<br>
                 >          issuer: CN=Certificate Authority,O=TELOIP.NET<br></span><span class="">
                 >          subject: CN=caer.teloip.net,O=TELOIP.NET<br></span><span class="">
                >          expires: 2016-07-18 15:55:04 UTC<br>
                >          eku: id-kp-serverAuth<br>
                >          pre-save command:<br>
                >          post-save command:<br>
                >          track: yes<br>
                >          auto-renew: yes<br>
                > Request ID '20130519130741':<br>
                >          status: MONITORING<br>
                >          ca-error: Internal error: no response to<br>
                > "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true</a>".<br>
                >          stuck: no<br>
                >          key pair storage:<br>
                > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert<br>
                > cert-pki-ca',token='NSS Certificate DB',pin='297100916664'<br>
                >          certificate:<br>
                > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert<br>
                > cert-pki-ca',token='NSS Certificate DB'<br>
                >          CA: dogtag-ipa-renew-agent<br>
                 >          issuer: CN=Certificate Authority,O=TELOIP.NET<br>
                 >          subject: CN=CA Audit,O=TELOIP.NET</span><span class=""><br>
                >          expires: 2017-10-13 14:10:49 UTC<br>
                >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br>
                >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert<br>
                > "auditSigningCert cert-pki-ca"<br>
                >          track: yes<br>
                >          auto-renew: yes<br>
                > Request ID '20130519130742':<br>
                >          status: MONITORING<br>
                >          ca-error: Internal error: no response to<br>
                > "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true</a>".<br>
                >          stuck: no<br>
                >          key pair storage:<br>
                > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert<br>
                > cert-pki-ca',token='NSS Certificate DB',pin='297100916664'<br>
                >          certificate:<br>
                > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert<br>
                > cert-pki-ca',token='NSS Certificate DB'<br>
                >          CA: dogtag-ipa-renew-agent<br>
                 >          issuer: CN=Certificate Authority,O=TELOIP.NET<br>
                 >          subject: CN=OCSP Subsystem,O=TELOIP.NET</span><span class=""><br>
                >          expires: 2017-10-13 14:09:49 UTC<br>
                >          eku: id-kp-OCSPSigning<br>
                >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br>
                >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert<br>
                > "ocspSigningCert cert-pki-ca"<br>
                >          track: yes<br>
                >          auto-renew: yes<br>
                > Request ID '20130519130743':<br>
                >          status: MONITORING<br>
                >          ca-error: Internal error: no response to<br>
                > "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true</a>".<br>
                >          stuck: no<br>
                >          key pair storage:<br>
                > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert<br>
                > cert-pki-ca',token='NSS Certificate DB',pin='297100916664'<br>
                >          certificate:<br>
                > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert<br>
                > cert-pki-ca',token='NSS Certificate DB'<br>
                >          CA: dogtag-ipa-renew-agent<br>
                 >          issuer: CN=Certificate Authority,O=TELOIP.NET<br>
                 >          subject: CN=CA Subsystem,O=TELOIP.NET</span><span class=""><br>
                >          expires: 2017-10-13 14:09:49 UTC<br>
                >          eku: id-kp-serverAuth,id-kp-clientAuth<br>
                >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br>
                >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert<br>
                > "subsystemCert cert-pki-ca"<br>
                >          track: yes<br>
                >          auto-renew: yes<br>
                > Request ID '20130519130744':<br>
                >          status: MONITORING<br>
                >          ca-error: Internal error: no response to<br>
                > "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true</a>".<br>
                >          stuck: no<br>
                >          key pair storage:<br>
                > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate<br>
                > DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
                >          certificate:<br>
                > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'<br>
                >          CA: dogtag-ipa-renew-agent<br>
                 >          issuer: CN=Certificate Authority,O=TELOIP.NET<br>
                 >          subject: CN=RA Subsystem,O=TELOIP.NET</span><span class=""><br>
                >          expires: 2017-10-13 14:09:49 UTC<br>
                >          eku: id-kp-serverAuth,id-kp-clientAuth<br>
                >          pre-save command:<br>
                >          post-save command: /usr/lib64/ipa/certmonger/restart_httpd<br>
                >          track: yes<br>
                >          auto-renew: yes<br>
                > Request ID '20130519130745':<br>
                >          status: MONITORING<br>
                >          ca-error: Internal error: no response to<br>
                > "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true</a>".<br>
                >          stuck: no<br>
                >          key pair storage:<br>
                > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert<br>
                > cert-pki-ca',token='NSS Certificate DB',pin='297100916664'<br>
                >          certificate:<br>
                > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert<br>
                > cert-pki-ca',token='NSS Certificate DB'<br>
                >          CA: dogtag-ipa-renew-agent<br>
                 >          issuer: CN=Certificate Authority,O=TELOIP.NET<br></span><span class="">
                 >          subject: CN=caer.teloip.net,O=TELOIP.NET<br></span><span class="">
                >          expires: 2017-10-13 14:09:49 UTC<br>
                >          eku: id-kp-serverAuth,id-kp-clientAuth<br>
                >          pre-save command:<br>
                >          post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"<br>
                >          track: yes<br>
                >          auto-renew: yes<br>
                > [root@caer ~]#<br>
                ><br>
                > Your help is highly appreciated!<br>
                ><br>
                ><br>
                ><br>
                > On Fri, Jul 15, 2016 at 5:08 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>> wrote:<br></span>
                 <div><div class="h5"><br>
                 ><br>
                 >     Linov Suresh wrote:<br>
                 ><br>
                 >         I logged into my IPA master, and found that the cert had expired again,<br>
                 >         we renewed these certificates about 18 months ago.<br>
                 ><br>
                 >         Our environment is CentOS 6.4 and IPA 3.0.0-26.<br>
                 ><br>
                 ><br>
                 >            I followed the Redhat documentation, "How do I manually renew Identity<br>
                 >            Management (IPA) certificates after they have expired? (Master IPA Server)",<br>
                 >            <a href="https://access.redhat.com/solutions/643753" rel="noreferrer" target="_blank">https://access.redhat.com/solutions/643753</a> but no luck.<br>
                 ><br>
                 ><br>
                 >         I have also changed the directive "NSSEnforceValidCerts off" in<br>
                 >         /etc/httpd/conf.d/nss.conf and the value of nsslapd-validate-cert is warn.<br>
                 ><br>
                 >         ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w *******<br>
                 >         -b  cn=config | grep  nsslapd-validate-cert<br>
                 ><br>
                 >         nsslapd-validate-cert: warn<br>
                 ><br>
                 >         Here is my getcert list,<br>
                 ><br>
                 >         [root@caer ~]# getcert list<br>
                 ><br>
                 ><br>
                 >     It looks like your CA subsystem certificates all renewed successfully; it is<br>
                 >     just the webserver and LDAP certificates that need renewing, so that's good.<br>
                 ><br>
                 >     What I'd do is go back in time again to say Jan 20, 2016 and restart<br>
                 >     certmonger. That should make it retry the renewals.<br>
                 ><br>
                 >     rob<br>
                 ><br>
                 ><br>
                 ><br>
                 ><br>
                --<br>
                Petr Vobornik<br>
</div></div></blockquote>
<br>
</blockquote></div><br></div></div>
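The `getcert list` output quoted in the thread is long enough that the single `ca-error` line per request, and the expiry dates that matter, are easy to miss by eye. As an added example (not part of the thread, and not FreeIPA or certmonger code), the Python below parses that output format and reports, for a chosen reference date, which tracked certificates are expired, about to expire, or carry a `ca-error` the renewal helper could not clear; the reference-date parameter mirrors Rob's suggestion of checking what certmonger sees at a particular date. The sample input is constructed from the thread's output, with the token PIN omitted.

```python
import re
from datetime import datetime, timedelta

# Constructed sample shaped like the thread's `getcert list` output: one healthy request, one with a ca-error.
SAMPLE = """\
Request ID '20111214223316':
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=caer.teloip.net,O=TELOIP.NET
\texpires: 2016-07-18 15:55:04 UTC
\tauto-renew: yes
Request ID '20130519130741':
\tca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=CA Audit,O=TELOIP.NET
\texpires: 2017-10-13 14:10:49 UTC
\tauto-renew: yes
"""

def parse_utc(stamp):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' timestamps (kept naive; everything is UTC)."""
    return datetime.strptime(stamp.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")

def parse_getcert_list(text):
    """Return one dict per 'Request ID' block; keys are the field names certmonger prints."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ":" in line:
            key, _, value = line.strip().partition(":")   # split on the first colon only
            requests[-1][key.strip()] = value.strip()
    return requests

def check_renewals(text, now, warn_days=30):
    """List (request id, NSS nickname, problems) for certs that are expired or expiring at `now`,
    or whose CA helper reported a ca-error: the ones certmonger will not fix on its own."""
    now = parse_utc(now)
    findings = []
    for req in parse_getcert_list(text):
        nick = re.search(r"nickname='([^']*)'", req.get("key pair storage", ""))
        name = nick.group(1) if nick else req["id"]
        expires = parse_utc(req["expires"])
        problems = []
        if expires <= now:
            problems.append("expired")
        elif expires - now <= timedelta(days=warn_days):
            problems.append("expires within %d days" % warn_days)
        if "ca-error" in req:
            problems.append("ca-error: " + req["ca-error"])
        if problems:
            findings.append((req["id"], name, problems))
    return findings
```

Feed it the real output with `check_renewals(open("getcert.txt").read(), "2016-07-15 00:00:00 UTC")` and every request the renewal loop is silently failing on comes back in one list.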