<html><head></head><body><div style="color:#000; background-color:#fff; font-family:verdana, helvetica, sans-serif;font-size:24px"><div id="yui_3_16_0_ym19_1_1469042370452_24542">dear <br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1469042370452_24544">thanks, but would you please check below and let me know what is your idea?I checked your command but it did not work.</div><div id="yui_3_16_0_ym19_1_1469042370452_24565" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1469042370452_24567" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1469042370452_24541"><br></div><div id="yui_3_16_0_ym19_1_1469042370452_24539" dir="ltr">Number of certificates and requests being tracked: 8.<br id="yui_3_16_0_ym19_1_1469042370452_24474">Request ID '20140817123525':<br id="yui_3_16_0_ym19_1_1469042370452_24475"> status: MONITORING<br id="yui_3_16_0_ym19_1_1469042370452_24476"> ca-error: Unable to determine principal name for signing request.<br id="yui_3_16_0_ym19_1_1469042370452_24477"> stuck: no<br id="yui_3_16_0_ym19_1_1469042370452_24478"> key paCOM storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br id="yui_3_16_0_ym19_1_1469042370452_24479"> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'<br id="yui_3_16_0_ym19_1_1469042370452_24480"> CA: IPA<br id="yui_3_16_0_ym19_1_1469042370452_24481"> issuer: CN=Certificate Authority,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469042370452_24482"> subject: CN=IPA RA,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469042370452_24483"> expCOMes: 2018-06-30 07:56:06 UTC<br id="yui_3_16_0_ym19_1_1469042370452_24484"> eku: id-kp-serverAuth,id-kp-clientAuth<br id="yui_3_16_0_ym19_1_1469042370452_24485"> pre-save command:<br id="yui_3_16_0_ym19_1_1469042370452_24486"> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert<br id="yui_3_16_0_ym19_1_1469042370452_24487"> track: yes<br id="yui_3_16_0_ym19_1_1469042370452_24488"> auto-renew: yes<br id="yui_3_16_0_ym19_1_1469042370452_24489">Request ID '20140817123534':<br id="yui_3_16_0_ym19_1_1469042370452_24490"> status: CA_UNREACHABLE<br id="yui_3_16_0_ym19_1_1469042370452_24491"> ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).<br id="yui_3_16_0_ym19_1_1469042370452_24492"> stuck: yes<br id="yui_3_16_0_ym19_1_1469042370452_24493"> key paCOM storage: type=NSSDB,location='/etc/dCOMsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dCOMsrv/slapd-EXAMPLE.-COM/pwdfile.txt'<br id="yui_3_16_0_ym19_1_1469042370452_24494"> certificate: type=NSSDB,location='/etc/dCOMsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS Certificate DB'<br id="yui_3_16_0_ym19_1_1469042370452_24495"> CA: IPA<br id="yui_3_16_0_ym19_1_1469042370452_24496"> issuer: CN=Certificate Authority,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469042370452_24497"> subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469042370452_24498"> expCOMes: 2016-08-17 12:35:34 UTC<br id="yui_3_16_0_ym19_1_1469042370452_24499"> eku: id-kp-serverAuth,id-kp-clientAuth<br id="yui_3_16_0_ym19_1_1469042370452_24500"> pre-save command:<br id="yui_3_16_0_ym19_1_1469042370452_24501"> post-save command: /usr/lib64/ipa/certmonger/restart_dCOMsrv EXAMPLE.-COM<br id="yui_3_16_0_ym19_1_1469042370452_24502"> track: yes<br id="yui_3_16_0_ym19_1_1469042370452_24503"> auto-renew: yes<br id="yui_3_16_0_ym19_1_1469042370452_24504">Request ID '20140817123602':<br id="yui_3_16_0_ym19_1_1469042370452_24505"> status: CA_UNREACHABLE<br id="yui_3_16_0_ym19_1_1469042370452_24506"> ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).<br id="yui_3_16_0_ym19_1_1469042370452_24507"> stuck: yes<br id="yui_3_16_0_ym19_1_1469042370452_24508"> key paCOM storage: type=NSSDB,location='/etc/dCOMsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dCOMsrv/slapd-PKI-IPA/pwdfile.txt'<br id="yui_3_16_0_ym19_1_1469042370452_24509"> certificate: type=NSSDB,location='/etc/dCOMsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'<br id="yui_3_16_0_ym19_1_1469042370452_24510"> CA: IPA<br id="yui_3_16_0_ym19_1_1469042370452_24511"> issuer: CN=Certificate Authority,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469042370452_24512"> subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469042370452_24513"> expCOMes: 2016-08-17 12:36:02 UTC<br id="yui_3_16_0_ym19_1_1469042370452_24514"> eku: id-kp-serverAuth,id-kp-clientAuth<br id="yui_3_16_0_ym19_1_1469042370452_24515"> pre-save command:<br id="yui_3_16_0_ym19_1_1469042370452_24516"> post-save command: /usr/lib64/ipa/certmonger/restart_dCOMsrv PKI-IPA<br id="yui_3_16_0_ym19_1_1469042370452_24517"> track: yes<br id="yui_3_16_0_ym19_1_1469042370452_24518"> auto-renew: yes<br id="yui_3_16_0_ym19_1_1469042370452_24519">Request ID '20140817123752':<br id="yui_3_16_0_ym19_1_1469042370452_24520"> status: CA_UNREACHABLE<br id="yui_3_16_0_ym19_1_1469042370452_24521"> ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).<br id="yui_3_16_0_ym19_1_1469042370452_24522"> stuck: yes<br id="yui_3_16_0_ym19_1_1469042370452_24523"> key paCOM storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br id="yui_3_16_0_ym19_1_1469042370452_24524"> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'<br id="yui_3_16_0_ym19_1_1469042370452_24525"> CA: IPA<br id="yui_3_16_0_ym19_1_1469042370452_24526"> issuer: CN=Certificate Authority,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469042370452_24527"> subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469042370452_24528"> expCOMes: 2016-08-17 12:37:51 UTC<br id="yui_3_16_0_ym19_1_1469042370452_24529"> eku: id-kp-serverAuth,id-kp-clientAuth<br id="yui_3_16_0_ym19_1_1469042370452_24530"> pre-save command:<br id="yui_3_16_0_ym19_1_1469042370452_24531"> post-save command: /usr/lib64/ipa/certmonger/restart_httpd<br id="yui_3_16_0_ym19_1_1469042370452_24532"> track: yes<br id="yui_3_16_0_ym19_1_1469042370452_24533"> auto-renew: yes<br id="yui_3_16_0_ym19_1_1469042370452_24534">You have new mail in /var/spool/mail/root<br></div><div><span></span></div><div class="qtdSeparateBR"><br><br></div><div style="display: block;" class="yahoo_quoted"> <div style="font-family: verdana, helvetica, sans-serif; font-size: 24px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div dir="ltr"> <font face="Arial" size="2"> <hr size="1"> <b><span style="font-weight:bold;">From:</span></b> Florence Blanc-Renaud <flo@redhat.com><br> <b><span style="font-weight: bold;">To:</span></b> mohammad sereshki <mohammadsereshki@yahoo.com>; Freeipa-users <freeipa-users@redhat.com> <br> <b><span style="font-weight: bold;">Sent:</span></b> Thursday, July 21, 2016 11:30 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [Freeipa-users] regenerate certificate<br> </font> </div> <div class="y_msg_container"><br>On 07/20/2016 10:04 PM, mohammad sereshki wrote:<br clear="none">> hi<br clear="none">> I check my IPA server which is version ipa-server-3.0.0-25 , command<br clear="none">> "ipa-get-cert list" show, my certificate will be expired in next 20 days,<br clear="none">> I do not know how to regenerate them<br clear="none">> but command "getcert list" shows epirtion certificates are related just<br clear="none">> to "CA:IPA" and certificate " CA: dogtag-ipa-renew-agent" , has enough<br clear="none">> time .<br clear="none">> would you please help me to know how to regenerate CA:IPA certificates?<br clear="none">><br clear="none">> Best Regards<br clear="none">><br clear="none">><br clear="none">><br clear="none"><br clear="none">Hi Mohammad,<br clear="none"><br clear="none">the certificates issued by IPA CA are normally tracked by certmonger and <br clear="none">automatically renewed when they are near their expiration date. To make <br clear="none">sure that your certificates are tracked, you can issue<div class="yqt0157115984" id="yqtfd29169"><br clear="none">$ ipa-getcert list</div><br clear="none">and check the "status:" field for each certificate. It should display <br clear="none">"MONITORING".<br clear="none"><br clear="none">If you want to manually renew them, you must note their request ID and <br clear="none">use the command<br clear="none">$ ipa-getcert resubmit -i $REQUEST_ID<br clear="none"><br clear="none">Hope this helps,<br clear="none">Flo.<div class="yqt0157115984" id="yqtfd96957"><br clear="none"></div><br><br></div> </div> </div> </div></div></body></html>