<div dir="ltr">Thanks for your help Rob, I will create a separate thread for IPA replication issue. But we are still getting <div><b><br></b></div><div><b>ca-error: Internal error: no response to "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true</a>".</b><br></div><div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div dir="ltr"><div style="background-color:rgb(255,255,255)"><div></div><ul style="margin:0px;padding:0px 0px 8px;border:0px;outline:0px;font-size:12px;font-family:Helvetica,FreeSans,"Liberation Sans",Helmet,Arial,sans-serif;vertical-align:baseline;list-style:none;line-height:17px;display:table-cell;width:504px;color:rgb(51,51,51)"><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;line-height:normal">Could you please help us to fix this? </div></ul></div></div></div></div></div>
<br><div class="gmail_quote">On Wed, Jul 20, 2016 at 10:08 AM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">Glad you got the certificates successfully renewed.<br>
<br>
Can you open a new e-mail thread on this new problem so we can keep the issues separated?<br>
<br>
IPA gets little information back when dogtag fails to install. You need to look in /var/log/<something>/debug for more information. The exact location depends on the version of IPA.<br>
<br>
rob<br>
<br>
Linov Suresh wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
Great! That worked, and I was successfully renewed the certificates on<br>
the IPA server and I was trying to create a IPA replica server and got<br>
an error,[root@neit-lab <mailto:<a href="mailto:root@neit-lab" target="_blank">root@neit-lab</a>>~]# ipa-replica-install<br>
--setup-ca --setup-dns --no-forwarders --skip-conncheck<br>
/var/lib/ipa/replica-info-neit-lab.teloip.net.gpg Directory Manager<br>
(existing master) password: Configuring NTP daemon (ntpd) [1/4]:<br>
stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to<br>
start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd).<br>
Configuring directory server for the CA (pkids): Estimated time 30<br>
seconds [1/3]: creating directory server user [2/3]: creating directory<br>
server instance [3/3]: restarting directory server Done configuring<br>
directory server for the CA (pkids). Configuring certificate server<br>
(pki-cad): Estimated time 3 minutes 30 seconds [1/17]: creating<br>
certificate server user [2/17]: creating pki-ca instance [3/17]:<br>
configuring certificate server instance ipa : CRITICAL failed to<br>
configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent<br>
ConfigureCA -cs_hostname <a href="http://neit-lab.teloip.net" rel="noreferrer" target="_blank">neit-lab.teloip.net</a><br>
<<a href="http://neit-lab.teloip.net" rel="noreferrer" target="_blank">http://neit-lab.teloip.net</a>> -cs_port 9445 -client_certdb_dir<br>
/tmp/tmp-QAXI9A -client_certdb_pwd XXXXXXXX -preop_pin<br>
UpMxkDYjV90WLL041tDU -domain_name IPA -admin_user admin -admin_email<br>
root@localhost <mailto:<a href="mailto:root@localhost" target="_blank">root@localhost</a>>-admin_password XXXXXXXX<br>
-agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa<br>
-agent_cert_subject CN=ipa-ca-agent,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
-ldap_host <a href="http://neit-lab.teloip.net" rel="noreferrer" target="_blank">neit-lab.teloip.net</a> <<a href="http://neit-lab.teloip.net" rel="noreferrer" target="_blank">http://neit-lab.teloip.net</a>> -ldap_port<br>
7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn<br>
o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm<br>
SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name<br>
pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA<br>
Subsystem,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>> -ca_ocsp_cert_subject_name CN=OCSP<br>
Subsystem,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>> -ca_server_cert_subject_name<br>
CN=<a href="http://neit-lab.teloip.net" rel="noreferrer" target="_blank">neit-lab.teloip.net</a> <<a href="http://neit-lab.teloip.net" rel="noreferrer" target="_blank">http://neit-lab.teloip.net</a>>,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>> -ca_audit_signing_cert_subject_name CN=CA<br>
Audit,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>> -ca_sign_cert_subject_name<br>
CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>> -external<br>
false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX<br>
-sd_hostname <a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a> <<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>> -sd_admin_port 443<br>
-sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true<br>
-clone_uri <a href="https://caer.teloip.net:443" rel="noreferrer" target="_blank">https://caer.teloip.net:443</a>'<br>
<https://caer.teloip.net:443'/>returned non-zero exit status 255 Your<br>
system may be partly configured. Run /usr/sbin/ipa-server-install<br>
--uninstall to clean up. Configuration of CA failed [root@neit-lab<br>
<mailto:<a href="mailto:root@neit-lab" target="_blank">root@neit-lab</a>>~]#<br>
<br>
I did a clean up using /usr/sbin/ipa-server-install --uninstall but it<br>
wasn't helpful.Wondering if you can help us on this,<br>
<br>
<br>
<br>
On Tue, Jul 19, 2016 at 10:50 AM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a><br>
<mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>>> wrote:<br>
<br>
Linov Suresh wrote:<br>
<br>
I have followed Redhat official documentation,<br>
<a href="https://access.redhat.com/solutions/643753" rel="noreferrer" target="_blank">https://access.redhat.com/solutions/643753</a> for certificate renewal,<br>
which says *add: usercertificate. (step 12)*<br>
*<br>
*<br>
While on the other hand FreeIPA official documentaion<br>
<a href="http://www.freeipa.org/page/IPA_2x_Certificate_Renewal" rel="noreferrer" target="_blank">http://www.freeipa.org/page/IPA_2x_Certificate_Renewal</a> , say to<br>
*add:<br>
usercertificate;binary*<br>
<br>
Just wondering if we need to*add *the certificate? or*replace* the<br>
existing certificate and which format do we need to use? *pem*<br>
or *der*.<br>
<br>
We already successfully renewed the certificates about months<br>
back, but<br>
they were expired about 6 months back and we were not able to<br>
renew till<br>
now, and is affected our production environment.<br>
<br>
Pleas help us.<br>
<br>
<br>
You shouldn't have to mess with these values at all. In 3.0 this is<br>
handled somewhat automatically.<br>
<br>
I'd restart the CA, then certmonger and see if the communication<br>
error goes away for the CA subservice certificates (the internal error).<br>
<br>
# service pki-cad restart<br>
<pause a bit><br>
# service certmonger restart<br>
<br>
I find it very strange that the certificates were set to expire<br>
yesterday but it isn't a show-stopper necessarily assuming you can<br>
get the CA back up.<br>
<br>
Assuming you can, then go back in time again, this time just a few<br>
days and try renewing the LDAP and Apache server certs again.<br>
<br>
rob<br>
<br>
<br>
On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh<br>
<<a href="mailto:linov.suresh@gmail.com" target="_blank">linov.suresh@gmail.com</a> <mailto:<a href="mailto:linov.suresh@gmail.com" target="_blank">linov.suresh@gmail.com</a>><br>
<mailto:<a href="mailto:linov.suresh@gmail.com" target="_blank">linov.suresh@gmail.com</a> <mailto:<a href="mailto:linov.suresh@gmail.com" target="_blank">linov.suresh@gmail.com</a>>>><br>
wrote:<br>
<br>
We have cloned and created another virtual server from the<br>
template.<br>
Surprisingly this server certificates were also expired at<br>
the same<br>
time as the previous, just lasted for a day.<br>
This issue has something to do with the kerberos tickets?<br>
<br>
I am new to IPA and your help is highly appreciated.<br>
<br>
On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh<br>
<<a href="mailto:linov.suresh@gmail.com" target="_blank">linov.suresh@gmail.com</a> <mailto:<a href="mailto:linov.suresh@gmail.com" target="_blank">linov.suresh@gmail.com</a>><br>
<mailto:<a href="mailto:linov.suresh@gmail.com" target="_blank">linov.suresh@gmail.com</a> <mailto:<a href="mailto:linov.suresh@gmail.com" target="_blank">linov.suresh@gmail.com</a>>>><br>
wrote:<br>
<br>
*Update: my webserver and LDAP certificates were expired at<br>
2016-07-18 15:54:36 UTC and the certificates are in<br>
CA_UNREACHABLE state.*<br>
*<br>
*<br>
*Could you please help us?<br>
*<br>
<br>
[root@caer tmp]# getcert list<br>
Number of certificates and requests being tracked: 8.<br>
Request ID '20111214223243':<br>
status: CA_UNREACHABLE<br>
ca-error: Server failed request, will retry: -504<br>
(libcurl failed to execute the HTTP POST transaction. Peer<br>
certificate cannot be authenticated with known CA<br>
certificates).<br>
stuck: yes<br>
key pair storage:<br>
<br>
type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS<br>
Certificate<br>
DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'<br>
certificate:<br>
<br>
type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS<br>
Certificate DB'<br>
CA: IPA<br>
issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
subject: CN=<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a><br>
<<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>><br>
<<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>>,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
*expires: 2016-07-18 15:54:36 UTC*<br>
eku: id-kp-serverAuth<br>
pre-save command:<br>
post-save command:<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20111214223300':<br>
status: CA_UNREACHABLE<br>
ca-error: Server failed request, will retry: -504<br>
(libcurl failed to execute the HTTP POST transaction. Peer<br>
certificate cannot be authenticated with known CA<br>
certificates).<br>
stuck: yes<br>
key pair storage:<br>
<br>
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>
Certificate<br>
DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'<br>
certificate:<br>
<br>
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>
Certificate DB'<br>
CA: IPA<br>
issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
subject: CN=<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a><br>
<<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>><br>
<<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>>,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
*expires: 2016-07-18 15:54:52 UTC*<br>
eku: id-kp-serverAuth<br>
pre-save command:<br>
post-save command:<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20111214223316':<br>
status: CA_UNREACHABLE<br>
ca-error: Server failed request, will retry: -504<br>
(libcurl failed to execute the HTTP POST transaction. Peer<br>
certificate cannot be authenticated with known CA<br>
certificates).<br>
stuck: yes<br>
key pair storage:<br>
<br>
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
certificate:<br>
<br>
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>
Certificate DB'<br>
CA: IPA<br>
issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
subject: CN=<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a><br>
<<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>><br>
<<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>>,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
*expires: 2016-07-18 15:55:04 UTC*<br>
<br>
eku: id-kp-serverAuth<br>
pre-save command:<br>
post-save command:<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20130519130741':<br>
status: MONITORING<br>
ca-error: Internal error: no response to<br>
<br>
"<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true</a>".<br>
stuck: no<br>
key pair storage:<br>
<br>
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert<br>
cert-pki-ca',token='NSS Certificate DB',pin='297100916664'<br>
certificate:<br>
<br>
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert<br>
cert-pki-ca',token='NSS Certificate DB'<br>
CA: dogtag-ipa-renew-agent<br>
issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
subject: CN=CA Audit,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
expires: 2017-10-13 14:10:49 UTC<br>
pre-save command:<br>
/usr/lib64/ipa/certmonger/stop_pkicad<br>
post-save command:<br>
/usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert<br>
cert-pki-ca"<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20130519130742':<br>
status: MONITORING<br>
ca-error: Internal error: no response to<br>
<br>
"<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true</a>".<br>
stuck: no<br>
key pair storage:<br>
<br>
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert<br>
cert-pki-ca',token='NSS Certificate DB',pin='297100916664'<br>
certificate:<br>
<br>
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert<br>
cert-pki-ca',token='NSS Certificate DB'<br>
CA: dogtag-ipa-renew-agent<br>
issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
subject: CN=OCSP Subsystem,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
expires: 2017-10-13 14:09:49 UTC<br>
eku: id-kp-OCSPSigning<br>
pre-save command:<br>
/usr/lib64/ipa/certmonger/stop_pkicad<br>
post-save command:<br>
/usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert<br>
cert-pki-ca"<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20130519130743':<br>
status: MONITORING<br>
ca-error: Internal error: no response to<br>
<br>
"<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true</a>".<br>
stuck: no<br>
key pair storage:<br>
<br>
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert<br>
cert-pki-ca',token='NSS Certificate DB',pin='297100916664'<br>
certificate:<br>
<br>
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert<br>
cert-pki-ca',token='NSS Certificate DB'<br>
CA: dogtag-ipa-renew-agent<br>
issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
subject: CN=CA Subsystem,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
expires: 2017-10-13 14:09:49 UTC<br>
eku: id-kp-serverAuth,id-kp-clientAuth<br>
pre-save command:<br>
/usr/lib64/ipa/certmonger/stop_pkicad<br>
post-save command:<br>
/usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert<br>
cert-pki-ca"<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20130519130744':<br>
status: MONITORING<br>
ca-error: Internal error: no response to<br>
<br>
"<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true</a>".<br>
stuck: no<br>
key pair storage:<br>
<br>
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS<br>
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
certificate:<br>
<br>
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS<br>
Certificate DB'<br>
CA: dogtag-ipa-renew-agent<br>
issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
subject: CN=RA Subsystem,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
expires: 2017-10-13 14:09:49 UTC<br>
eku: id-kp-serverAuth,id-kp-clientAuth<br>
pre-save command:<br>
post-save command:<br>
/usr/lib64/ipa/certmonger/restart_httpd<br>
track: yes<br>
auto-renew: yes<br>
Request ID '20130519130745':<br>
status: MONITORING<br>
ca-error: Internal error: no response to<br>
<br>
"<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true</a>".<br>
stuck: no<br>
key pair storage:<br>
<br>
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS<br>
Certificate DB',pin='297100916664'<br>
certificate:<br>
<br>
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS<br>
Certificate DB'<br>
CA: dogtag-ipa-renew-agent<br>
issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
subject: CN=<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a><br>
<<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>><br>
<<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>>,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
expires: 2017-10-13 14:09:49 UTC<br>
eku: id-kp-serverAuth,id-kp-clientAuth<br>
pre-save command:<br>
post-save command:<br>
/usr/lib64/ipa/certmonger/restart_dirsrv "<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>>"<br>
track: yes<br>
auto-renew: yes<br>
<br>
On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh<br>
<<a href="mailto:linov.suresh@gmail.com" target="_blank">linov.suresh@gmail.com</a> <mailto:<a href="mailto:linov.suresh@gmail.com" target="_blank">linov.suresh@gmail.com</a>><br>
<mailto:<a href="mailto:linov.suresh@gmail.com" target="_blank">linov.suresh@gmail.com</a> <mailto:<a href="mailto:linov.suresh@gmail.com" target="_blank">linov.suresh@gmail.com</a>>>><br>
wrote:<br>
<br>
Yes, PKI is running and I don't see any errors in<br>
selftests,<br>
I have followed<br>
<a href="https://access.redhat.com/solutions/643753" rel="noreferrer" target="_blank">https://access.redhat.com/solutions/643753</a><br>
and restarted the PKI in step 10.<br>
<br>
The only change which I made was clean<br>
up userCertificate;binary before adding new<br>
userCertificatein LDAP, which is step 12.<br>
<br>
<br>
[root@caer ~]# /etc/init.d/pki-cad status<br>
pki-ca (pid 8634) is running...<br>
[<br>
OK ]<br>
Unsecure Port =<br>
<a href="http://caer.teloip.net:9180/ca/ee/ca" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca</a><br>
Secure Agent Port =<br>
<a href="https://caer.teloip.net:9443/ca/agent/ca" rel="noreferrer" target="_blank">https://caer.teloip.net:9443/ca/agent/ca</a><br>
Secure EE Port =<br>
<a href="https://caer.teloip.net:9444/ca/ee/ca" rel="noreferrer" target="_blank">https://caer.teloip.net:9444/ca/ee/ca</a><br>
Secure Admin Port =<br>
<a href="https://caer.teloip.net:9445/ca/services" rel="noreferrer" target="_blank">https://caer.teloip.net:9445/ca/services</a><br>
EE Client Auth Port =<br>
<a href="https://caer.teloip.net:9446/ca/eeca/ca" rel="noreferrer" target="_blank">https://caer.teloip.net:9446/ca/eeca/ca</a><br>
PKI Console Port = pkiconsole<br>
<a href="https://caer.teloip.net:9445/ca" rel="noreferrer" target="_blank">https://caer.teloip.net:9445/ca</a><br>
Tomcat Port = 9701 (for shutdown)<br>
<br>
PKI Instance Name: pki-ca<br>
<br>
PKI Subsystem Type: Root CA (Security Domain)<br>
<br>
Registered PKI Security Domain Information:<br>
<br>
<br>
==========================================================================<br>
Name: IPA<br>
URL: <a href="https://caer.teloip.net:9445" rel="noreferrer" target="_blank">https://caer.teloip.net:9445</a><br>
<br>
<br>
==========================================================================<br>
[root@caer ~]#<br>
[root@caer ~]# tail -f /var/log/pki-ca/selftests.log<br>
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1]<br>
SelfTestSubsystem: loading all self test plugin logger<br>
parameters<br>
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1]<br>
SelfTestSubsystem: loading all self test plugin<br>
instances<br>
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1]<br>
SelfTestSubsystem: loading all self test plugin<br>
instance<br>
parameters<br>
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1]<br>
SelfTestSubsystem: loading self test plugins in<br>
on-demand order<br>
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1]<br>
SelfTestSubsystem: loading self test plugins in<br>
startup order<br>
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1]<br>
SelfTestSubsystem: Self test plugins have been<br>
successfully<br>
loaded!<br>
8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1]<br>
SelfTestSubsystem: Running self test plugins<br>
specified to be<br>
executed at startup:<br>
8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1]<br>
CAPresence:<br>
CA is present<br>
8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1]<br>
SystemCertsVerification: system certs verification<br>
success<br>
8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1]<br>
SelfTestSubsystem: All CRITICAL self test plugins ran<br>
SUCCESSFULLY at startup!<br>
<br>
Your help is highly appreciated!<br>
<br>
Linov Suresh<br>
<br>
70 Forest Manor Rd.<br>
Toronto<br>
ON M2J 0A9<br>
Mobile: <a href="tel:%2B1%20647%20406%209438" value="+16474069438" target="_blank">+1 647 406 9438</a><br>
<tel:%2B1%20647%20406%209438> <tel:%2B1%20647%20406%209438><br>
Linkedin: <a href="http://ca.linkedin.com/in/linov/" rel="noreferrer" target="_blank">ca.linkedin.com/in/linov/</a><br>
<<a href="http://ca.linkedin.com/in/linov/" rel="noreferrer" target="_blank">http://ca.linkedin.com/in/linov/</a>><br>
<<a href="http://ca.linkedin.com/in/linov/" rel="noreferrer" target="_blank">http://ca.linkedin.com/in/linov/</a>><br>
Website: <a href="http://mylinuxthoughts.blogspot.com" rel="noreferrer" target="_blank">http://mylinuxthoughts.blogspot.com</a><br>
<br>
<br>
On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik<br>
<<a href="mailto:pvoborni@redhat.com" target="_blank">pvoborni@redhat.com</a> <mailto:<a href="mailto:pvoborni@redhat.com" target="_blank">pvoborni@redhat.com</a>><br>
<mailto:<a href="mailto:pvoborni@redhat.com" target="_blank">pvoborni@redhat.com</a> <mailto:<a href="mailto:pvoborni@redhat.com" target="_blank">pvoborni@redhat.com</a>>>> wrote:<br>
<br>
On 07/18/2016 05:45 AM, Linov Suresh wrote:<br>
> Thanks for the update Rob. I went back to Jan<br>
20, 2016, restarted CA and<br>
> certmonger. Look like certificates were<br>
renewed. But I'm getting a different<br>
> error now,<br>
><br>
> *ca-error: Internal error: no response to<br>
><br>
<br>
"<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true</a>".*<br>
<br>
Is PKI running? When you change the time, does<br>
restart<br>
of IPA help?<br>
<br>
><br>
> [root@caer ~]# getcert list<br>
> Number of certificates and requests being<br>
tracked: 8.<br>
> Request ID '20111214223243':<br>
> status: MONITORING<br>
> stuck: no<br>
> key pair storage:<br>
><br>
type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS<br>
> Certificate<br>
DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'<br>
> certificate:<br>
><br>
type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS<br>
> Certificate DB'<br>
> CA: IPA<br>
> issuer: CN=Certificate<br>
Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
> subject: CN=<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a><br>
<<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>><br>
<<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>><br>
<<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>>,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
> expires: 2016-07-18 15:54:36 UTC<br>
> eku: id-kp-serverAuth<br>
> pre-save command:<br>
> post-save command:<br>
> track: yes<br>
> auto-renew: yes<br>
> Request ID '20111214223300':<br>
> status: MONITORING<br>
> stuck: no<br>
> key pair storage:<br>
><br>
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>
Certificate<br>
><br>
DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'<br>
> certificate:<br>
><br>
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>
Certificate<br>
> DB'<br>
> CA: IPA<br>
> issuer: CN=Certificate<br>
Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
> subject: CN=<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a><br>
<<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>><br>
<<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>><br>
<<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>>,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
> expires: 2016-07-18 15:54:52 UTC<br>
> eku: id-kp-serverAuth<br>
> pre-save command:<br>
> post-save command:<br>
> track: yes<br>
> auto-renew: yes<br>
> Request ID '20111214223316':<br>
> status: MONITORING<br>
> stuck: no<br>
> key pair storage:<br>
><br>
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>
> Certificate<br>
DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
> certificate:<br>
><br>
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>
> Certificate DB'<br>
> CA: IPA<br>
> issuer: CN=Certificate<br>
Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
> subject: CN=<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a><br>
<<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>><br>
<<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>><br>
<<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>>,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
> expires: 2016-07-18 15:55:04 UTC<br>
> eku: id-kp-serverAuth<br>
> pre-save command:<br>
> post-save command:<br>
> track: yes<br>
> auto-renew: yes<br>
> Request ID '20130519130741':<br>
> status: MONITORING<br>
> ca-error: Internal error: no response to<br>
><br>
"<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true</a>".<br>
> stuck: no<br>
> key pair storage:<br>
><br>
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert<br>
> cert-pki-ca',token='NSS Certificate<br>
DB',pin='297100916664'<br>
> certificate:<br>
><br>
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert<br>
> cert-pki-ca',token='NSS Certificate DB'<br>
> CA: dogtag-ipa-renew-agent<br>
> issuer: CN=Certificate<br>
Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
> subject: CN=CA Audit,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
> expires: 2017-10-13 14:10:49 UTC<br>
> pre-save command:<br>
/usr/lib64/ipa/certmonger/stop_pkicad<br>
> post-save command:<br>
/usr/lib64/ipa/certmonger/renew_ca_cert<br>
> "auditSigningCert cert-pki-ca"<br>
> track: yes<br>
> auto-renew: yes<br>
> Request ID '20130519130742':<br>
> status: MONITORING<br>
> ca-error: Internal error: no response to<br>
><br>
"<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true</a>".<br>
> stuck: no<br>
> key pair storage:<br>
><br>
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert<br>
> cert-pki-ca',token='NSS Certificate<br>
DB',pin='297100916664'<br>
> certificate:<br>
><br>
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert<br>
> cert-pki-ca',token='NSS Certificate DB'<br>
> CA: dogtag-ipa-renew-agent<br>
> issuer: CN=Certificate<br>
Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
> subject: CN=OCSP<br>
Subsystem,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>><br>
> expires: 2017-10-13 14:09:49 UTC<br>
> eku: id-kp-OCSPSigning<br>
> pre-save command:<br>
/usr/lib64/ipa/certmonger/stop_pkicad<br>
> post-save command:<br>
/usr/lib64/ipa/certmonger/renew_ca_cert<br>
> "ocspSigningCert cert-pki-ca"<br>
> track: yes<br>
> auto-renew: yes<br>
> Request ID '20130519130743':</blockquote>
</blockquote></div><br></div></div></div>