<div dir="ltr">We have cloned and created another virtual server from the template. Surprisingly, this server's certificates also expired at the same time as the previous one's; they lasted for just a day. <div>Does this issue have something to do with the Kerberos tickets? <div class="gmail_extra"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div dir="ltr"><div style="background-color:rgb(255,255,255)"><br></div><div style="background-color:rgb(255,255,255)">I'm new to IPA and your help is highly appreciated. </div></div></div></div></div>
<br><div class="gmail_quote">On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh <span dir="ltr"><<a href="mailto:linov.suresh@gmail.com" target="_blank">linov.suresh@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><b>Update: my webserver and LDAP certificates expired at 2016-07-18 15:54:36 UTC and the certificates are in CA_UNREACHABLE state.</b><div><b><br></b></div><div><b>Could you please help us? <br></b><div></div><div class="gmail_extra"><div><div data-smartmail="gmail_signature"><div dir="ltr"><div dir="ltr"><div style="background-color:rgb(255,255,255)"><div><br></div><div><div>[root@caer tmp]# getcert list</div><span class=""><div>Number of certificates and requests being tracked: 8.</div><div>Request ID '20111214223243':</div></span><span class=""><div>        status: CA_UNREACHABLE</div><div>        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  
Peer certificate cannot be authenticated with known CA certificates).</div><div>        stuck: yes</div></span><span class=""><div>        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'</div><div>        certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'</div><div>        CA: IPA</div><div>        issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" target="_blank">TELOIP.NET</a></div></span><div>        subject: CN=<a href="http://caer.teloip.net" target="_blank">caer.teloip.net</a>,O=<a href="http://TELOIP.NET" target="_blank">TELOIP.NET</a></div><span class=""><div>       <b> expires: 2016-07-18 15:54:36 UTC</b></div><div>        eku: id-kp-serverAuth</div><div>        pre-save command: </div><div>        post-save command: </div><div>        track: yes</div><div>        auto-renew: yes</div><div>Request ID '20111214223300':</div></span><span class=""><div>        status: CA_UNREACHABLE</div><div>        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  
Peer certificate cannot be authenticated with known CA certificates).</div><div>        stuck: yes</div></span><span class=""><div>        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'</div><div>        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'</div><div>        CA: IPA</div><div>        issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" target="_blank">TELOIP.NET</a></div></span><div>        subject: CN=<a href="http://caer.teloip.net" target="_blank">caer.teloip.net</a>,O=<a href="http://TELOIP.NET" target="_blank">TELOIP.NET</a></div><span class=""><div>       <b> expires: 2016-07-18 15:54:52 UTC</b></div><div>        eku: id-kp-serverAuth</div><div>        pre-save command: </div><div>        post-save command: </div><div>        track: yes</div><div>        auto-renew: yes</div><div>Request ID '20111214223316':</div></span><span class=""><div>        status: CA_UNREACHABLE</div><div>        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  
Peer certificate cannot be authenticated with known CA certificates).</div><div>        stuck: yes</div></span><span class=""><div>        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'</div><div>        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'</div><div>        CA: IPA</div><div>        issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" target="_blank">TELOIP.NET</a></div></span><div>        subject: CN=<a href="http://caer.teloip.net" target="_blank">caer.teloip.net</a>,O=<a href="http://TELOIP.NET" target="_blank">TELOIP.NET</a></div><span class=""><div>        <b>expires: 2016-07-18 15:55:04 UTC</b></div><div>        eku: id-kp-serverAuth</div><div>        pre-save command: </div><div>        post-save command: </div><div>        track: yes</div><div>        auto-renew: yes</div><div>Request ID '20130519130741':</div><div>        status: MONITORING</div><div>        ca-error: Internal error: no response to "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true</a>".</div><div>        stuck: no</div><div>        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'</div><div>        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'</div><div>        CA: dogtag-ipa-renew-agent</div><div>        issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" target="_blank">TELOIP.NET</a></div></span><div>        subject: CN=CA Audit,O=<a href="http://TELOIP.NET" target="_blank">TELOIP.NET</a></div><span class=""><div>        expires: 
2017-10-13 14:10:49 UTC</div><div>        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad</div><div>        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"</div><div>        track: yes</div><div>        auto-renew: yes</div><div>Request ID '20130519130742':</div><div>        status: MONITORING</div><div>        ca-error: Internal error: no response to "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true</a>".</div><div>        stuck: no</div><div>        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'</div><div>        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'</div><div>        CA: dogtag-ipa-renew-agent</div><div>        issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" target="_blank">TELOIP.NET</a></div></span><div>        subject: CN=OCSP Subsystem,O=<a href="http://TELOIP.NET" target="_blank">TELOIP.NET</a></div><span class=""><div>        expires: 2017-10-13 14:09:49 UTC</div><div>        eku: id-kp-OCSPSigning</div><div>        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad</div><div>        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"</div><div>        track: yes</div><div>        auto-renew: yes</div><div>Request ID '20130519130743':</div><div>        status: MONITORING</div><div>        ca-error: Internal error: no response to "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true" 
target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true</a>".</div><div>        stuck: no</div><div>        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'</div><div>        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'</div><div>        CA: dogtag-ipa-renew-agent</div><div>        issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" target="_blank">TELOIP.NET</a></div></span><div>        subject: CN=CA Subsystem,O=<a href="http://TELOIP.NET" target="_blank">TELOIP.NET</a></div><span class=""><div>        expires: 2017-10-13 14:09:49 UTC</div><div>        eku: id-kp-serverAuth,id-kp-clientAuth</div><div>        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad</div><div>        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"</div><div>        track: yes</div><div>        auto-renew: yes</div><div>Request ID '20130519130744':</div><div>        status: MONITORING</div><div>        ca-error: Internal error: no response to "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true</a>".</div><div>        stuck: no</div><div>        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'</div><div>        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'</div><div>        CA: dogtag-ipa-renew-agent</div><div>        issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" target="_blank">TELOIP.NET</a></div></span><div>        subject: CN=RA Subsystem,O=<a 
href="http://TELOIP.NET" target="_blank">TELOIP.NET</a></div><span class=""><div>        expires: 2017-10-13 14:09:49 UTC</div><div>        eku: id-kp-serverAuth,id-kp-clientAuth</div><div>        pre-save command: </div><div>        post-save command: /usr/lib64/ipa/certmonger/restart_httpd</div><div>        track: yes</div><div>        auto-renew: yes</div><div>Request ID '20130519130745':</div><div>        status: MONITORING</div><div>        ca-error: Internal error: no response to "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true</a>".</div><div>        stuck: no</div><div>        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'</div><div>        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'</div><div>        CA: dogtag-ipa-renew-agent</div><div>        issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" target="_blank">TELOIP.NET</a></div></span><div>        subject: CN=<a href="http://caer.teloip.net" target="_blank">caer.teloip.net</a>,O=<a href="http://TELOIP.NET" target="_blank">TELOIP.NET</a></div><span class=""><div>        expires: 2017-10-13 14:09:49 UTC</div><div>        eku: id-kp-serverAuth,id-kp-clientAuth</div><div>        pre-save command: </div><div>        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "<a href="http://TELOIP.NET" target="_blank">TELOIP.NET</a>"</div></span><div>        track: yes</div><div>        auto-renew: yes</div></div></div></div></div></div></div><div><div class="h5">
<br><div class="gmail_quote">On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh <span dir="ltr"><<a href="mailto:linov.suresh@gmail.com" target="_blank">linov.suresh@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr">Yes, PKI is running and I don't see any errors in selftests. I have followed <a href="https://access.redhat.com/solutions/643753" target="_blank">https://access.redhat.com/solutions/643753</a> and restarted the PKI in step 10. <div><br></div><div>The only change I made was cleaning up userCertificate;binary before adding the new userCertificate in LDAP, which is step 12. <div><br></div><div><div>[root@caer ~]# /etc/init.d/pki-cad status</div><div>pki-ca (pid 8634) is running...                            
[  OK  ]</div><div>    Unsecure Port       = <a href="http://caer.teloip.net:9180/ca/ee/ca" target="_blank">http://caer.teloip.net:9180/ca/ee/ca</a></div><div>    Secure Agent Port   = <a href="https://caer.teloip.net:9443/ca/agent/ca" target="_blank">https://caer.teloip.net:9443/ca/agent/ca</a></div><div>    Secure EE Port      = <a href="https://caer.teloip.net:9444/ca/ee/ca" target="_blank">https://caer.teloip.net:9444/ca/ee/ca</a></div><div>    Secure Admin Port   = <a href="https://caer.teloip.net:9445/ca/services" target="_blank">https://caer.teloip.net:9445/ca/services</a></div><div>    EE Client Auth Port = <a href="https://caer.teloip.net:9446/ca/eeca/ca" target="_blank">https://caer.teloip.net:9446/ca/eeca/ca</a></div><div>    PKI Console Port    = pkiconsole <a href="https://caer.teloip.net:9445/ca" target="_blank">https://caer.teloip.net:9445/ca</a></div><div>    Tomcat Port         = 9701 (for shutdown)</div><div><br></div><div>    PKI Instance Name:   pki-ca</div><div><br></div><div>    PKI Subsystem Type:  Root CA (Security Domain)</div><div><br></div><div>    Registered PKI Security Domain Information:</div><div>    ==========================================================================</div><div>    Name:  IPA</div><div>    URL:   <a href="https://caer.teloip.net:9445" target="_blank">https://caer.teloip.net:9445</a></div><div>    ==========================================================================</div><div>[root@caer ~]# </div><div>[root@caer ~]# tail -f /var/log/pki-ca/selftests.log</div><div>8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading all self test plugin logger parameters</div><div>8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading all self test plugin instances</div><div>8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading all self test plugin instance parameters</div><div>8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading self 
test plugins in on-demand order</div><div>8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading self test plugins in startup order</div><div>8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!</div><div>8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:</div><div>8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence:  CA is present</div><div>8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification: system certs verification success</div><div>8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!</div><span><div><br></div><div>Your help is highly appreciated!</div></span></div></div></div><div class="gmail_extra"><br clear="all"><div><div data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div style="background-color:rgb(255,255,255)"><div></div><ul style="margin:0px;padding:0px 0px 8px;border:0px;outline:0px;font-size:12px;font-family:Helvetica,FreeSans,"Liberation Sans",Helmet,Arial,sans-serif;vertical-align:baseline;list-style:none;line-height:17px;display:table-cell;width:504px;color:rgb(51,51,51)"><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;line-height:normal">Linov Suresh</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;line-height:normal"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;line-height:normal">70 Forest Manor Rd.</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;line-height:normal">Toronto</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;line-height:normal">ON M2J 0A9<br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;line-height:normal">Mobile: <a href="tel:%2B1%20647%20406%209438" 
value="+16474069438" target="_blank">+1 647 406 9438</a></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;line-height:normal">Linkedin: <a href="http://ca.linkedin.com/in/linov/" target="_blank">ca.linkedin.com/in/linov/</a></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;line-height:normal">Website: <a href="http://mylinuxthoughts.blogspot.com" target="_blank">http://mylinuxthoughts.blogspot.com</a></div></ul></div></div></div></div></div></div><div><div>
<br><div class="gmail_quote">On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik <span dir="ltr"><<a href="mailto:pvoborni@redhat.com" target="_blank">pvoborni@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><span>On 07/18/2016 05:45 AM, Linov Suresh wrote:<br>
> Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and<br>
> certmonger. Looks like certificates were renewed. But I'm getting a different<br>
> error now,<br>
><br>
</span>> *ca-error: Internal error: no response to<br>
> "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true</a>".*<br>
<br>
Is PKI running? When you change the time, does a restart of IPA help?<br>
<span><br>
><br>
> [root@caer ~]# getcert list<br>
> Number of certificates and requests being tracked: 8.<br>
> Request ID '20111214223243':<br>
>          status: MONITORING<br>
>          stuck: no<br>
>          key pair storage:<br>
> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS<br>
> Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'<br>
>          certificate:<br>
> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS<br>
> Certificate DB'<br>
>          CA: IPA<br>
</span>>          issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
>          subject: CN=<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a> <<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>>,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
<span>>          expires: 2016-07-18 15:54:36 UTC<br>
>          eku: id-kp-serverAuth<br>
>          pre-save command:<br>
>          post-save command:<br>
>          track: yes<br>
>          auto-renew: yes<br>
> Request ID '20111214223300':<br>
>          status: MONITORING<br>
>          stuck: no<br>
>          key pair storage:<br>
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate<br>
> DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'<br>
>          certificate:<br>
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate<br>
> DB'<br>
>          CA: IPA<br>
</span>>          issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
>          subject: CN=<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a> <<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>>,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
<span>>          expires: 2016-07-18 15:54:52 UTC<br>
>          eku: id-kp-serverAuth<br>
>          pre-save command:<br>
>          post-save command:<br>
>          track: yes<br>
>          auto-renew: yes<br>
> Request ID '20111214223316':<br>
>          status: MONITORING<br>
>          stuck: no<br>
>          key pair storage:<br>
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
>          certificate:<br>
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>
> Certificate DB'<br>
>          CA: IPA<br>
</span>>          issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
>          subject: CN=<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a> <<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>>,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
<span>>          expires: 2016-07-18 15:55:04 UTC<br>
>          eku: id-kp-serverAuth<br>
>          pre-save command:<br>
>          post-save command:<br>
>          track: yes<br>
>          auto-renew: yes<br>
> Request ID '20130519130741':<br>
>          status: MONITORING<br>
>          ca-error: Internal error: no response to<br>
> "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true</a>".<br>
>          stuck: no<br>
>          key pair storage:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert<br>
> cert-pki-ca',token='NSS Certificate DB',pin='297100916664'<br>
>          certificate:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert<br>
> cert-pki-ca',token='NSS Certificate DB'<br>
>          CA: dogtag-ipa-renew-agent<br>
</span>>          issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
>          subject: CN=CA Audit,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
<span>>          expires: 2017-10-13 14:10:49 UTC<br>
>          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br>
>          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert<br>
> "auditSigningCert cert-pki-ca"<br>
>          track: yes<br>
>          auto-renew: yes<br>
> Request ID '20130519130742':<br>
>          status: MONITORING<br>
>          ca-error: Internal error: no response to<br>
> "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true</a>".<br>
>          stuck: no<br>
>          key pair storage:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert<br>
> cert-pki-ca',token='NSS Certificate DB',pin='297100916664'<br>
>          certificate:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert<br>
> cert-pki-ca',token='NSS Certificate DB'<br>
>          CA: dogtag-ipa-renew-agent<br>
</span>>          issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
>          subject: CN=OCSP Subsystem,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
<span>>          expires: 2017-10-13 14:09:49 UTC<br>
>          eku: id-kp-OCSPSigning<br>
>          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br>
>          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert<br>
> "ocspSigningCert cert-pki-ca"<br>
>          track: yes<br>
>          auto-renew: yes<br>
> Request ID '20130519130743':<br>
>          status: MONITORING<br>
>          ca-error: Internal error: no response to<br>
> "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true</a>".<br>
>          stuck: no<br>
>          key pair storage:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert<br>
> cert-pki-ca',token='NSS Certificate DB',pin='297100916664'<br>
>          certificate:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert<br>
> cert-pki-ca',token='NSS Certificate DB'<br>
>          CA: dogtag-ipa-renew-agent<br>
</span>>          issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
>          subject: CN=CA Subsystem,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
<span>>          expires: 2017-10-13 14:09:49 UTC<br>
>          eku: id-kp-serverAuth,id-kp-clientAuth<br>
>          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br>
>          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert<br>
> "subsystemCert cert-pki-ca"<br>
>          track: yes<br>
>          auto-renew: yes<br>
> Request ID '20130519130744':<br>
>          status: MONITORING<br>
>          ca-error: Internal error: no response to<br>
> "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true</a>".<br>
>          stuck: no<br>
>          key pair storage:<br>
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate<br>
> DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
>          certificate:<br>
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'<br>
>          CA: dogtag-ipa-renew-agent<br>
</span>>          issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
>          subject: CN=RA Subsystem,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
<span>>          expires: 2017-10-13 14:09:49 UTC<br>
>          eku: id-kp-serverAuth,id-kp-clientAuth<br>
>          pre-save command:<br>
>          post-save command: /usr/lib64/ipa/certmonger/restart_httpd<br>
>          track: yes<br>
>          auto-renew: yes<br>
> Request ID '20130519130745':<br>
>          status: MONITORING<br>
>          ca-error: Internal error: no response to<br>
> "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true</a>".<br>
>          stuck: no<br>
>          key pair storage:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert<br>
> cert-pki-ca',token='NSS Certificate DB',pin='297100916664'<br>
>          certificate:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert<br>
> cert-pki-ca',token='NSS Certificate DB'<br>
>          CA: dogtag-ipa-renew-agent<br>
</span>>          issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
>          subject: CN=<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a> <<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>>,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
<span>>          expires: 2017-10-13 14:09:49 UTC<br>
>          eku: id-kp-serverAuth,id-kp-clientAuth<br>
>          pre-save command:<br>
>          post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
</span>> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>>"<br>
<span>>          track: yes<br>
>          auto-renew: yes<br>
> [root@caer ~]#<br>
><br>
> Your help is highly appreciated!<br>
><br>
><br>
><br>
> On Fri, Jul 15, 2016 at 5:08 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a><br>
</span><div><div>> <mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>>> wrote:<br>
><br>
>     Linov Suresh wrote:<br>
><br>
>         I logged into my IPA master and found that the cert had expired again;<br>
>         we renewed these certificates about 18 months ago.<br>
><br>
>         Our environment is CentOS 6.4 and IPA 3.0.0-26.<br>
><br>
><br>
>            I followed the Red Hat documentation, "How do I manually renew Identity<br>
>            Management (IPA) certificates after they have expired? (Master IPA<br>
>            Server)", <a href="https://access.redhat.com/solutions/643753" rel="noreferrer" target="_blank">https://access.redhat.com/solutions/643753</a>, but no luck.<br>
><br>
><br>
>         I have also changed the directive "NSSEnforceValidCerts off" in<br>
>         /etc/httpd/conf.d/nss.conf and the value of nsslapd-validate-cert is warn.<br>
><br>
>         ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w *******<br>
>         -b  cn=config | grep  nsslapd-validate-cert<br>
><br>
>         nsslapd-validate-cert: warn<br>
><br>
>         Here is my getcert list,<br>
><br>
>         [root@caer ~]# getcert list<br>
><br>
><br>
>     It looks like your CA subsystem certificates all renewed successfully; it is<br>
>     just the webserver and LDAP certificates that need renewing, so that's good.<br>
><br>
>     What I'd do is go back in time again to say Jan 20, 2016 and restart<br>
>     certmonger. That should make it retry the renewals.<br>
><br>
>     rob<br>
><br>
</div></div><span><font color="#888888">--<br>
Petr Vobornik<br>
</font></span></blockquote></div><br></div></div></div>
</blockquote></div><br></div></div></div></div></div>
</blockquote></div><br></div></div></div>
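A way to check a server's certmonger state for the conditions this thread turns on (an expired certificate, a request in CA_UNREACHABLE, `stuck: yes`, a `ca-error` line), as an added example that is not part of the thread and not FreeIPA or certmonger code: it parses `getcert list` output in the format quoted above and reports every request that needs attention, including a warning window before expiry so the next renewal is caught while the CA is still reachable. The sample output, hostname, realm and nicknames are constructed placeholders modelled on the records in the thread; the function names and regular expressions are this example's own.

```python
"""Triage `getcert list` output for expired or stuck certmonger requests.

Added example, not code from the thread or from FreeIPA/certmonger. It parses
the text `getcert list` prints and flags what the thread shows going wrong:
a certificate past its 'expires' date, a status other than MONITORING (such as
CA_UNREACHABLE), 'stuck: yes', a 'ca-error' line, or auto-renew switched off.
SAMPLE_OUTPUT is constructed; names are placeholders modelled on the thread.
"""
import re
from datetime import datetime, timedelta, timezone

SAMPLE_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20111214223243':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
        subject: CN=ipa.example.test,O=EXAMPLE.TEST
        expires: 2016-07-18 15:54:36 UTC
        auto-renew: yes
Request ID '20130519130741':
        status: MONITORING
        ca-error: Internal error: no response to "http://ipa.example.test:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
        stuck: no
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        subject: CN=CA Audit,O=EXAMPLE.TEST
        expires: 2017-10-13 14:10:49 UTC
        auto-renew: yes
Request ID '20130519130745':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        subject: CN=ipa.example.test,O=EXAMPLE.TEST
        expires: 2017-10-13 14:09:49 UTC
        auto-renew: yes
"""

RECORD_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\s+([A-Za-z -]+?):\s?(.*)$")  # indented "key: value" line


def parse_getcert_list(text):
    """Split getcert output into one dict per 'Request ID' block."""
    records, current = [], None
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            records.append(current)
            continue
        if current is None:  # header line before the first record
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    return records


def parse_utc(value):
    """getcert prints 'YYYY-MM-DD HH:MM:SS UTC'; return an aware datetime or None."""
    try:
        return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None


def triage(records, now, warn_within=timedelta(days=30)):
    """Return (request_id, nickname, reason) for every record that needs attention."""
    findings = []
    for r in records:
        rid = r["request_id"]
        m = re.search(r"nickname='([^']*)'", r.get("certificate", ""))
        name = m.group(1) if m else "?"
        exp = parse_utc(r.get("expires"))
        if exp is not None and exp <= now:
            findings.append((rid, name, f"expired at {r['expires']}"))
        elif exp is not None and exp - now <= warn_within:
            findings.append((rid, name, f"expires in {(exp - now).days} days"))
        if r.get("status") != "MONITORING":
            findings.append((rid, name, f"status is {r.get('status')}, not MONITORING"))
        if r.get("stuck") == "yes":
            findings.append((rid, name, "stuck: yes"))
        if r.get("ca-error"):
            findings.append((rid, name, "ca-error: " + r["ca-error"]))
        if r.get("auto-renew") != "yes":
            findings.append((rid, name, "auto-renew is off"))
    return findings


def triage_output(text, now_utc):
    """Wrapper taking both inputs as text, e.g. now_utc='2016-07-18 16:30:00 UTC'."""
    return triage(parse_getcert_list(text), parse_utc(now_utc))


if __name__ == "__main__":
    import sys
    if sys.stdin.isatty():  # no piped input: demo on the constructed sample
        hits = triage_output(SAMPLE_OUTPUT, "2016-07-18 16:30:00 UTC")
    else:                   # getcert list | python3 getcert_triage.py
        hits = triage(parse_getcert_list(sys.stdin.read()), datetime.now(timezone.utc))
    for rid, name, reason in hits:
        print(f"{rid}  {name:<32} {reason}")
```

Run without input it reports the sample as of shortly after the expiry time seen in the thread: the dirsrv Server-Cert is listed four times (expired, CA_UNREACHABLE, stuck, ca-error) and the audit signing certificate once for its ca-error, while the healthy record produces nothing. Piped real output is judged against the current clock, so the same script doubles as a cron or monitoring check that fires before the 30-day window closes rather than after the certificates have already lapsed.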