<div dir="ltr">I have restarted the pki-cad and checked if communication with the CA is working, but no luck,<div><br></div><div>Debug logs in /var/log/pki-ca do not have anything unusual. Can you think of anything other than  this? <br><div><br></div><div><div>[root@caer ~]# ipa cert-show 1</div><div>  Certificate:</div><div>  Subject: CN=Certificate Authority,O=<a href="http://TELOIP.NET">TELOIP.NET</a></div><div>  Issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET">TELOIP.NET</a></div><div>  Not Before: Wed Dec 14 22:29:56 2011 UTC</div><div>  Not After: Sat Dec 
14 22:29:56 2019 UTC</div><div>  Fingerprint (MD5): c9:27:1d:84:4c:2c:97:38:a4:7b:9a:c0:78:3e:7f:7a</div><div>  Fingerprint (SHA1): ce:d7:11:84:70:dd:cb:4e:e2:08:f5:c0:ac:ff:b3:c5:bb:81:77:7e</div><div>  Serial number (hex): 0x1</div><div>  Serial number: 1</div><div>[root@caer ~]#</div><div><br></div><div><b>ca-error: Internal error: no response to "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true</a>".<br></b></div><div><br></div><div></div><div><div class="gmail_extra">
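Added example (not part of the original message, and not certmonger or IPA code): a Python triage of `getcert list` output like the listing quoted further down in this thread, separating expired certificates, the -504 libcurl trust failure and the CA "no response" internal error. The sample input is constructed; its request IDs and the host ca.example.test are placeholders, and the reason labels are this example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample: field names follow the `getcert list` output in this
# thread; request IDs and the host ca.example.test are placeholders. The first
# ca-error is wrapped the way e-mail clients wrap pasted output.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20000101000001':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will
        retry: -504 (libcurl failed to execute the HTTP POST transaction.
        Peer certificate cannot be authenticated with known CA certificates).
    stuck: yes
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    expires: 2016-07-18 15:55:04 UTC
Request ID '20000101000002':
    status: MONITORING
    ca-error: Internal error: no response to "http://ca.example.test:9180/ca/ee/ca/profileSubmit?profileId=caServerCert".
    stuck: no
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    expires: 2017-10-13 14:09:49 UTC
Request ID '20000101000003':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    expires: 2017-10-13 14:09:49 UTC
"""

REQ_RE = re.compile(r"^Request ID '([^']+)':\s*$")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?):\s*(.*)$")
NICK_RE = re.compile(r"nickname='([^']+)'")

# Field names that start a new value; anything else is a wrapped continuation.
KNOWN = {"status", "ca-error", "stuck", "key pair storage", "certificate",
         "CA", "issuer", "subject", "expires", "eku", "pre-save command",
         "post-save command", "track", "auto-renew"}


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracked request."""
    requests, current, last_key = [], None, None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            last_key = None
            continue
        if current is None or not line.strip():
            continue
        f = FIELD_RE.match(line)
        if f and f.group(1) in KNOWN:
            last_key = f.group(1)
            current[last_key] = f.group(2).strip()
        elif last_key:
            # Wrapped value: append it to the field it belongs to.
            current[last_key] = (current[last_key] + " " + line.strip()).strip()
    return requests


def triage(requests, now):
    """Return {request id: (nickname, [reasons])} for requests needing attention."""
    findings = {}
    for req in requests:
        reasons = []
        if "expires" in req:
            expires = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC")
            if now >= expires.replace(tzinfo=timezone.utc):
                reasons.append("expired")
        err = req.get("ca-error", "")
        if "Peer certificate cannot be authenticated" in err:
            # libcurl could not validate the certificate of the CA endpoint.
            reasons.append("tls-trust-failure")
        elif "no response to" in err:
            # certmonger got no reply from the CA's profileSubmit URL.
            reasons.append("ca-no-response")
        if req.get("stuck") == "yes":
            reasons.append("stuck")
        if reasons:
            nick = NICK_RE.search(req.get("certificate", ""))
            findings[req["id"]] = (nick.group(1) if nick else None, reasons)
    return findings


if __name__ == "__main__":
    now = datetime(2016, 7, 20, tzinfo=timezone.utc)  # assumed evaluation time
    for rid, (nick, reasons) in triage(parse_getcert_list(SAMPLE), now).items():
        print(rid, nick, ", ".join(reasons))
```
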
<br><div class="gmail_quote">On Wed, Jul 20, 2016 at 2:22 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">Linov Suresh wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
Thanks for your help Rob, I will create a separate thread for IPA<br>
replication issue. But we are still getting<br>
<br>
*ca-error: Internal error: no response to<br>
"<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true</a>".*<br>
<br>
    Could you please help us to fix this?<br>
</blockquote>
<br>
I think your CA isn't quite fixed yet. I'd restart pki-cad then do something like: ipa cert-show 1<br>
<br>
You should get back a cert (doesn't really matter what cert).<br>
<br>
Otherwise I'd check the CA debug log somewhere in /var/log/pki<br>
<br>
rob<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<br>
<br>
On Wed, Jul 20, 2016 at 10:08 AM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>> wrote:<br>
<br>
    Glad you got the certificates successfully renewed.<br>
<br>
    Can you open a new e-mail thread on this new problem so we can keep<br>
    the issues separated?<br>
<br>
    IPA gets little information back when dogtag fails to install. You<br>
    need to look in /var/log/<something>/debug for more information. The<br>
    exact location depends on the version of IPA.<br>
<br>
    rob<br>
<br>
    Linov Suresh wrote:<br>
<br>
        Great! That worked, and I successfully renewed the<br>
        certificates on<br>
        the IPA server and I was trying to create an IPA replica server<br>
        and got<br>
        an error,<br>
        [root@neit-lab ~]# ipa-replica-install
        --setup-ca --setup-dns --no-forwarders --skip-conncheck
        /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg<br>
        Directory Manager (existing master) password:<br>
        Configuring NTP daemon (ntpd)<br>
        [1/4]: stopping ntpd<br>
        [2/4]: writing configuration<br>
        [3/4]: configuring ntpd to start on boot<br>
        [4/4]: starting ntpd<br>
        Done configuring NTP daemon (ntpd).<br>
        Configuring directory server for the CA (pkids): Estimated time 30 seconds<br>
        [1/3]: creating directory server user<br>
        [2/3]: creating directory server instance<br>
        [3/3]: restarting directory server<br>
        Done configuring directory server for the CA (pkids).<br>
        Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds<br>
        [1/17]: creating certificate server user<br>
        [2/17]: creating pki-ca instance<br>
        [3/17]: configuring certificate server instance<br>
        ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent
        ConfigureCA -cs_hostname <a href="http://neit-lab.teloip.net" rel="noreferrer" target="_blank">neit-lab.teloip.net</a>
        -cs_port 9445 -client_certdb_dir
        /tmp/tmp-QAXI9A -client_certdb_pwd XXXXXXXX -preop_pin
        UpMxkDYjV90WLL041tDU -domain_name IPA -admin_user admin -admin_email
        <a href="mailto:root@localhost" target="_blank">root@localhost</a> -admin_password XXXXXXXX
        -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
        -agent_cert_subject CN=ipa-ca-agent,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a>
        -ldap_host <a href="http://neit-lab.teloip.net" rel="noreferrer" target="_blank">neit-lab.teloip.net</a> -ldap_port
        7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn
        o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm
        SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name
        pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA
        Subsystem,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a>
        -ca_subsystem_cert_subject_name CN=CA Subsystem,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a>
        -ca_ocsp_cert_subject_name CN=OCSP
        Subsystem,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a>
        -ca_server_cert_subject_name
        CN=<a href="http://neit-lab.teloip.net" rel="noreferrer" target="_blank">neit-lab.teloip.net</a>,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a>
        -ca_audit_signing_cert_subject_name CN=CA
        Audit,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a>
        -ca_sign_cert_subject_name
        CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a>
        -external
        false -clone true -clone_p12_file ca.p12 -clone_p12_password
        XXXXXXXX
        -sd_hostname <a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a>
        -sd_admin_port 443
        -sd_admin_name admin -sd_admin_password XXXXXXXX
        -clone_start_tls true
        -clone_uri <a href="https://caer.teloip.net:443" rel="noreferrer" target="_blank">https://caer.teloip.net:443</a>'
        returned non-zero exit status 255<br>
        Your system may be partly configured. Run /usr/sbin/ipa-server-install
        --uninstall to clean up.<br>
        Configuration of CA failed<br>
        [root@neit-lab ~]#<br>
<br>
        I did a clean up using /usr/sbin/ipa-server-install --uninstall<br>
        but it<br>
        wasn't helpful. Wondering if you can help us on this,<br>
<br>
<br>
<br>
        On Tue, Jul 19, 2016 at 10:50 AM, Rob Crittenden<br>
        <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>> wrote:<br>
<br>
             Linov Suresh wrote:<br>
<br>
                 I have followed Red Hat official documentation,<br>
        <a href="https://access.redhat.com/solutions/643753" rel="noreferrer" target="_blank">https://access.redhat.com/solutions/643753</a> for certificate renewal,<br>
                 which says *add: usercertificate. (step 12)*<br>
                 <br>
                 While on the other hand FreeIPA official documentation<br>
        <a href="http://www.freeipa.org/page/IPA_2x_Certificate_Renewal" rel="noreferrer" target="_blank">http://www.freeipa.org/page/IPA_2x_Certificate_Renewal</a>, says to<br>
                 *add: usercertificate;binary*<br>
<br>
                 Just wondering if we need to *add* the certificate<br>
        or *replace* the<br>
                 existing certificate, and which format do we need to<br>
        use? *pem*<br>
                 or *der*.<br>
<br>
                 We already successfully renewed the certificates about<br>
        months<br>
                 back, but<br>
                 they expired about 6 months back and we were not<br>
        able to<br>
                 renew till<br>
                 now, and it has affected our production environment.<br>
<br>
                 Please help us.<br>
<br>
<br>
             You shouldn't have to mess with these values at all. In 3.0<br>
        this is<br>
             handled somewhat automatically.<br>
<br>
             I'd restart the CA, then certmonger and see if the<br>
        communication<br>
             error goes away for the CA subservice certificates (the<br>
        internal error).<br>
<br>
             # service pki-cad restart<br>
             <pause a bit><br>
             # service certmonger restart<br>
<br>
             I find it very strange that the certificates were set to expire<br>
             yesterday but it isn't a show-stopper necessarily assuming<br>
        you can<br>
             get the CA back up.<br>
<br>
             Assuming you can, then go back in time again, this time<br>
        just a few<br>
             days and try renewing the LDAP and Apache server certs again.<br>
<br>
             rob<br>
<br>
<br>
                 On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh<br>
                 <<a href="mailto:linov.suresh@gmail.com" target="_blank">linov.suresh@gmail.com</a>><br>
                 wrote:<br>
<br>
                      We have cloned and created another virtual server<br>
        from the<br>
                 template.<br>
                      Surprisingly, this server's certificates also<br>
        expired at<br>
                 the same<br>
                      time as the previous, just lasted for a day.<br>
                      Does this issue have something to do with the Kerberos<br>
        tickets?<br>
<br>
                      I am new to IPA and your help is highly appreciated.<br>
<br>
                      On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh<br>
                      <<a href="mailto:linov.suresh@gmail.com" target="_blank">linov.suresh@gmail.com</a>><br>
                 wrote:<br>
<br>
                          *Update: my webserver and LDAP certificates<br>
        expired at<br>
                          2016-07-18 15:54:36 UTC and the certificates<br>
        are in<br>
                          CA_UNREACHABLE state.*<br>
                          <br>
                          *Could you please help us?*<br>
<br>
                          [root@caer tmp]# getcert list<br>
                          Number of certificates and requests being tracked: 8.<br>
                          Request ID '20111214223243':<br>
                                   status: CA_UNREACHABLE<br>
                                   ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).<br>
                                   stuck: yes<br>
                                   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'<br>
                                   certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'<br>
                                   CA: IPA<br>
                                   issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
                                   subject: CN=<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a>,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
                                   *expires: 2016-07-18 15:54:36 UTC*<br>
                                   eku: id-kp-serverAuth<br>
                                   pre-save command:<br>
                                   post-save command:<br>
                                   track: yes<br>
                                   auto-renew: yes<br>
                          Request ID '20111214223300':<br>
                                   status: CA_UNREACHABLE<br>
                                   ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).<br>
                                   stuck: yes<br>
                                   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'<br>
                                   certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'<br>
                                   CA: IPA<br>
                                   issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
                                   subject: CN=<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a>,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
                                   *expires: 2016-07-18 15:54:52 UTC*<br>
                                   eku: id-kp-serverAuth<br>
                                   pre-save command:<br>
                                   post-save command:<br>
                                   track: yes<br>
                                   auto-renew: yes<br>
                          Request ID '20111214223316':<br>
                                   status: CA_UNREACHABLE<br>
                                   ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).<br>
                                   stuck: yes<br>
                                   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
                                   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'<br>
                                   CA: IPA<br>
                                   issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
                                   subject: CN=<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a>,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
                                   *expires: 2016-07-18 15:55:04 UTC*<br>
                                   eku: id-kp-serverAuth<br>
                                   pre-save command:<br>
                                   post-save command:<br>
                                   track: yes<br>
                                   auto-renew: yes<br>
                          Request ID '20130519130741':<br>
                                   status: MONITORING<br>
                                   ca-error: Internal error: no response to "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true</a>".<br>
                                   stuck: no<br>
                                   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'<br>
                                   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'<br>
                                   CA: dogtag-ipa-renew-agent<br>
                                   issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
                                   subject: CN=CA Audit,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
                                   expires: 2017-10-13 14:10:49 UTC<br>
                                   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br>
                                   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"<br>
                                   track: yes<br>
                                   auto-renew: yes<br>
                          Request ID '20130519130742':<br>
                                   status: MONITORING<br>
                                   ca-error: Internal error: no response to "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true</a>".<br>
                                   stuck: no<br>
                                   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'<br>
                                   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'<br>
                                   CA: dogtag-ipa-renew-agent<br>
                                   issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
                                   subject: CN=OCSP Subsystem,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
                                   expires: 2017-10-13 14:09:49 UTC<br>
                                   eku: id-kp-OCSPSigning<br>
                                   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br>
                                   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"<br>
                                   track: yes<br>
                                   auto-renew: yes<br>
                          Request ID '20130519130743':<br>
                                   status: MONITORING<br>
                                   ca-error: Internal error: no response to "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true</a>".<br>
                                   stuck: no<br>
                                   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'<br>
                                   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'<br>
                                   CA: dogtag-ipa-renew-agent<br>
                                   issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
                                   subject: CN=CA Subsystem,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
                                   expires: 2017-10-13 14:09:49 UTC<br>
                                   eku: id-kp-serverAuth,id-kp-clientAuth<br>
                                   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br>
                                   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"<br>
                                   track: yes<br>
                                   auto-renew: yes<br>
                          Request ID '20130519130744':<br>
                                   status: MONITORING<br>
                                   ca-error: Internal error: no response to "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true</a>".<br>
                                   stuck: no<br>
                                   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
                                   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'<br>
                                   CA: dogtag-ipa-renew-agent<br>
                                   issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
                                   subject: CN=RA Subsystem,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
                                   expires: 2017-10-13 14:09:49 UTC<br>
                                   eku: id-kp-serverAuth,id-kp-clientAuth<br>
                                   pre-save command:<br>
                                   post-save command: /usr/lib64/ipa/certmonger/restart_httpd<br>
                                   track: yes<br>
                                   auto-renew: yes<br>
                          Request ID '20130519130745':<br>
                                   status: MONITORING<br>
                                   ca-error: Internal error: no response to "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true</a>".<br>
                                   stuck: no<br>
                                   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'<br>
                                   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'<br>
                                   CA: dogtag-ipa-renew-agent<br>
                                   issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
                                   subject: CN=<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a>,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
                                   expires: 2017-10-13 14:09:49 UTC<br>
                                   eku: id-kp-serverAuth,id-kp-clientAuth<br>
                                   pre-save command:<br>
                                   post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a>"<br>
                                   track: yes<br>
                                   auto-renew: yes<br>
<br>
                          On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh <<a href="mailto:linov.suresh@gmail.com" target="_blank">linov.suresh@gmail.com</a>> wrote:<br>
<br>
                              Yes, PKI is running and I don't see any errors in selftests,<br>
                              I have followed <a href="https://access.redhat.com/solutions/643753" rel="noreferrer" target="_blank">https://access.redhat.com/solutions/643753</a><br>
                              and restarted the PKI in step 10.<br>
<br>
                              The only change which I made was clean up userCertificate;binary before adding new<br>
                              userCertificate in LDAP, which is step 12.<br>
<br>
<br>
                              [root@caer ~]# /etc/init.d/pki-cad status<br>
                              pki-ca (pid 8634) is running... [  OK  ]<br>
                                   Unsecure Port       = <a href="http://caer.teloip.net:9180/ca/ee/ca" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca</a><br>
                                   Secure Agent Port   = <a href="https://caer.teloip.net:9443/ca/agent/ca" rel="noreferrer" target="_blank">https://caer.teloip.net:9443/ca/agent/ca</a><br>
                                   Secure EE Port      = <a href="https://caer.teloip.net:9444/ca/ee/ca" rel="noreferrer" target="_blank">https://caer.teloip.net:9444/ca/ee/ca</a><br>
                                   Secure Admin Port   = <a href="https://caer.teloip.net:9445/ca/services" rel="noreferrer" target="_blank">https://caer.teloip.net:9445/ca/services</a><br>
                                   EE Client Auth Port = <a href="https://caer.teloip.net:9446/ca/eeca/ca" rel="noreferrer" target="_blank">https://caer.teloip.net:9446/ca/eeca/ca</a><br>
                                   PKI Console Port    = pkiconsole <a href="https://caer.teloip.net:9445/ca" rel="noreferrer" target="_blank">https://caer.teloip.net:9445/ca</a><br>
                                   Tomcat Port         = 9701 (for shutdown)<br>
<br>
                                   PKI Instance Name:   pki-ca<br>
<br>
                                   PKI Subsystem Type:  Root CA (Security Domain)<br>
<br>
                                   Registered PKI Security Domain Information:<br>
                                   ==========================================================================<br>
                                   Name:  IPA<br>
                                   URL: <a href="https://caer.teloip.net:9445" rel="noreferrer" target="_blank">https://caer.teloip.net:9445</a><br>
                                   ==========================================================================<br>
                              [root@caer ~]#<br>
                              [root@caer ~]# tail -f /var/log/pki-ca/selftests.log<br>
                              8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading all self test plugin logger parameters<br>
                              8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading all self test plugin instances<br>
                              8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading all self test plugin instance parameters<br>
                              8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading self test plugins in on-demand order<br>
                              8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading self test plugins in startup order<br>
                              8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!<br>
                              8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:<br>
                              8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence:  CA is present<br>
                              8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification: system certs verification success<br>
                              8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!<br>
<br>
                              Your help is highly appreciated!<br>
<br>
                                  Linov Suresh<br>
<br>
                                  70 Forest Manor Rd.<br>
                                  Toronto<br>
                                  ON M2J 0A9<br>
                                  Mobile: <a href="tel:%2B1%20647%20406%209438" value="+16474069438" target="_blank">+1 647 406 9438</a><br>
                                  Linkedin: <a href="http://ca.linkedin.com/in/linov/" rel="noreferrer" target="_blank">ca.linkedin.com/in/linov/</a><br>
                                  Website: <a href="http://mylinuxthoughts.blogspot.com" rel="noreferrer" target="_blank">http://mylinuxthoughts.blogspot.com</a><br>
<br>
<br>
                              On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik <<a href="mailto:pvoborni@redhat.com" target="_blank">pvoborni@redhat.com</a>> wrote:<br>
<br>
                                  On 07/18/2016 05:45 AM, Linov Suresh wrote:<br>
                                  > Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and<br>
                                  > certmonger. Looks like certificates were renewed. But I'm getting a different<br>
                                  > error now,<br>
                                  ><br>
                                  > *ca-error: Internal error: no response to<br>
                                  > "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true</a>".*<br>
<br>
                                  Is PKI running? When you change the time, does restart of IPA help?<br>
<br>
                                  ><br>
                                  > [root@caer ~]# getcert list<br>
                                  > Number of certificates and requests being tracked: 8.<br>
                                  > Request ID '20111214223243':<br>
                                  >          status: MONITORING<br>
                                  >          stuck: no<br>
                                  >          key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'<br>
                                  >          certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'<br>
                                  >          CA: IPA<br>
                                  >          issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
                                  >          subject: CN=<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a></blockquote>
</blockquote></div><br></div></div></div></div></div>