<div dir="ltr"><div class="gmail_extra"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div dir="ltr"><div style="background-color:rgb(255,255,255)"><div><div>   </div><div>I set debug=true in /etc/ipa/default.conf</div><div><br></div><div>Here are my logs,</div><div><br></div><div><b>[root@caer ~]# tail -f /var/log/httpd/error_log</b></div><div>[Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: WSGI WSGIExecutioner.__call__:</div><div>[Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: raw: user_show(u'admin', rights=False, all=False, raw=False, version=u'2.46')</div><div>[Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: user_show(u'admin', rights=False, all=False, raw=False, version=u'2.46')</div><div>[Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: get_memberof: entry_dn=uid=admin,cn=users,cn=accounts,dc=teloip,dc=net memberof=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=teloip,dc=net'), ipapython.dn.DN('cn=replication administrators,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=modify replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=remove replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=unlock user accounts,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage service keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=trust admins,cn=groups,cn=accounts,dc=teloip,dc=net'), ipapython.dn.DN('cn=host enrollment,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage host keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=enroll a host,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add host password,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=teloip,dc=net')]</div><div>[Thu Jul 21 11:00:38 2016] [error] 
ipa: DEBUG: get_memberof: result direct=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=teloip,dc=net'), ipapython.dn.DN('cn=trust admins,cn=groups,cn=accounts,dc=teloip,dc=net')] indirect=[ipapython.dn.DN('cn=replication administrators,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=modify replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=remove replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=unlock user accounts,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage service keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=host enrollment,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage host keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=enroll a host,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add host password,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=teloip,dc=net')]</div><div>[Thu Jul 21 11:00:38 2016] [error] ipa: INFO: <a href="mailto:admin@TELOIP.NET">admin@TELOIP.NET</a>: user_show(u'admin', rights=False, all=False, raw=False, version=u'2.46'): SUCCESS</div><div>[Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: response: entries returned 1</div><div>[Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: Destroyed connection context.ldap2</div><div>[Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: reading ccache data from file "/var/run/ipa_memcached/krbcc_13554"</div><div>[Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: store session: session_id=10c5de02f8ae0f3969b96ef0f2e3a96d start_timestamp=2016-07-21T10:43:26 access_timestamp=2016-07-21T11:00:38 expiration_timestamp=2016-07-21T11:20:38</div><div><br></div><div><b>[root@caer ~]# tail -f 
/var/log/pki-ca/debug</b></div><div>[21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: curReqId: 9990001</div><div>[21/Jul/2016:11:08:29][CertStatusUpdateThread]: getElementAt: 1 mTop 107</div><div>[21/Jul/2016:11:08:29][CertStatusUpdateThread]: reverse direction getting index 4</div><div>[21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: curReqId: 112</div><div>[21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: getLastRequestId : returning value 112</div><div>[21/Jul/2016:11:08:29][CertStatusUpdateThread]: Repository:  mLastSerialNo: 112</div><div>[21/Jul/2016:11:08:29][CertStatusUpdateThread]: Serial numbers left in range: 9989888</div><div>[21/Jul/2016:11:08:29][CertStatusUpdateThread]: Last Serial Number: 112</div><div>[21/Jul/2016:11:08:29][CertStatusUpdateThread]: Serial Numbers available: 9989888</div><div>[21/Jul/2016:11:08:29][CertStatusUpdateThread]: request checkRanges done</div><div><br></div><div><b>[root@caer ~]# tail -f /var/log/pki-ca/transactions</b></div><div>6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:17:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,912 last update time: 7/20/16 5:00 PM next update time: 7/20/16 9:00 PM Number of entries in the CRL: 11 time: 25  CRL time: 25  delta CRL time: 0  (0,0,0,0,0,0,0,8,17,0,0,25,25)</div><div>6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:21:00:00 EDT] [20] [1] CRL update started.  CRL ID: MasterCRL  CRL Number: 8,913  Delta CRL Enabled: false  CRL Cache Enabled: true  Cache Recovery Enabled: true  Cache Cleared: false  Cache: 11,0,0,0</div><div>6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:21:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,913 last update time: 7/20/16 9:00 PM next update time: 7/21/16 1:00 AM Number of entries in the CRL: 11 time: 11  CRL time: 11  delta CRL time: 0  (0,0,0,0,0,0,0,6,5,0,0,11,11)</div><div>6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:01:00:00 EDT] [20] [1] CRL update started.  
CRL ID: MasterCRL  CRL Number: 8,914  Delta CRL Enabled: false  CRL Cache Enabled: true  Cache Recovery Enabled: true  Cache Cleared: false  Cache: 11,0,0,0</div><div>6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:01:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,914 last update time: 7/21/16 1:00 AM next update time: 7/21/16 5:00 AM Number of entries in the CRL: 11 time: 13  CRL time: 13  delta CRL time: 0  (0,0,0,0,0,0,0,6,7,0,0,13,13)</div><div>6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:05:00:00 EDT] [20] [1] CRL update started.  CRL ID: MasterCRL  CRL Number: 8,915  Delta CRL Enabled: false  CRL Cache Enabled: true  Cache Recovery Enabled: true  Cache Cleared: false  Cache: 11,0,0,0</div><div>6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:05:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,915 last update time: 7/21/16 5:00 AM next update time: 7/21/16 9:00 AM Number of entries in the CRL: 11 time: 16  CRL time: 16  delta CRL time: 0  (0,0,0,0,0,0,0,8,8,0,0,16,16)</div><div>6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:09:00:00 EDT] [20] [1] CRL update started.  CRL ID: MasterCRL  CRL Number: 8,916  Delta CRL Enabled: false  CRL Cache Enabled: true  Cache Recovery Enabled: true  Cache Cleared: false  Cache: 11,0,0,0</div><div>6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:09:00:00 EDT] [20] [1] CRL Update completed. 
CRL ID: MasterCRL CRL Number: 8,916 last update time: 7/21/16 9:00 AM next update time: 7/21/16 1:00 PM Number of entries in the CRL: 11 time: 13  CRL time: 13  delta CRL time: 0  (0,0,0,0,0,0,0,6,7,0,0,13,13)</div><div>10657.http-9443-2 - [21/Jul/2016:10:28:19 EDT] [20] [1] renewal reqID 112 fromAgent userID: ipara authenticated by certUserDBAuthMgr is completed DN requested: CN=CA Audit,O=<a href="http://TELOIP.NET">TELOIP.NET</a> cert issued serial number: 0x47 time: 39</div><div><br></div><div><b>[root@caer ~]# tail -f /var/log/pki-ca/selftests.log</b></div><div>14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem:  loading all self test plugin logger parameters</div><div>14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem:  loading all self test plugin instances</div><div>14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem:  loading all self test plugin instance parameters</div><div>14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem:  loading self test plugins in on-demand order</div><div>14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem:  loading self test plugins in startup order</div><div>14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!</div><div>14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:</div><div>14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] CAPresence:  CA is present</div><div>14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SystemCertsVerification: system certs verification failure</div><div>14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!</div><div><br></div><div>But interestingly, [root@caer ~]# ipa cert-show 1 returns "<b>ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)</b>"</div></div></div></div></div></div></div>
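<div>Added example, not part of the original messages and not FreeIPA or Dogtag code: a Python check over the certutil -L listing and the selftests.log lines posted in this thread. It reports nicknames that are listed more than once, trust flags that differ from a baseline, and self-test plugins that failed. The EXPECTED_TRUST values are an assumption (the thread does not state the correct flags), and all function names are illustrative.</div>

```python
import re
from collections import Counter

# ASSUMED baseline for the Dogtag CA NSS database; the thread does not state
# the correct values. Confirm against the documentation for your IPA version.
EXPECTED_TRUST = {
    "caSigningCert cert-pki-ca": "CTu,Cu,Cu",
    "ocspSigningCert cert-pki-ca": "u,u,u",
    "subsystemCert cert-pki-ca": "u,u,u",
    "Server-Cert cert-pki-ca": "u,u,u",
    "auditSigningCert cert-pki-ca": "u,u,Pu",
}

# `certutil -L -d /var/lib/pki-ca/alias` listing as posted in the thread.
CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                   u,u,Pu
subsystemCert cert-pki-ca                                     u,u,Pu
caSigningCert cert-pki-ca                                       CTu,Cu,Cu
subsystemCert cert-pki-ca                                     u,u,Pu
Server-Cert cert-pki-ca                                          u,u,u
auditSigningCert cert-pki-ca                                   u,u,Pu
"""

# Lines from the /var/log/pki-ca/selftests.log excerpt posted in the thread.
SELFTEST_LOG = """\
14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] CAPresence:  CA is present
14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SystemCertsVerification: system certs verification failure
14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
"""

# A nickname, at least two spaces, then three comma-separated flag fields.
ENTRY_RE = re.compile(r"^(\S.*?)\s{2,}([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")
FAILED_RE = re.compile(
    r"The (\w+) self test plugin called (\S+) running at (\w+) FAILED!")


def parse_certutil_listing(text):
    """Return [(nickname, trust)] in listing order, skipping header lines."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def _flags(trust):
    # Compare each field (SSL, S/MIME, JAR/XPI) as a set of flag letters so
    # that the order of letters inside a field does not matter.
    return tuple(frozenset(field) for field in trust.split(","))


def audit_trust(entries, expected=EXPECTED_TRUST):
    """Return (kind, nickname, detail) findings for a parsed listing."""
    findings = []
    counts = Counter(nick for nick, _ in entries)
    # certutil prints a nickname once per certificate stored under it.
    for nick, count in counts.items():
        if count > 1:
            findings.append(
                ("duplicate", nick, "%d certificates under one nickname" % count))
    # dict.fromkeys() drops repeated (nickname, trust) pairs and keeps order.
    for nick, trust in dict.fromkeys(entries):
        if nick not in expected:
            findings.append(("unexpected", nick, trust))
        elif _flags(trust) != _flags(expected[nick]):
            findings.append(
                ("mismatch", nick, "found %s, baseline %s" % (trust, expected[nick])))
    for nick in expected:
        if nick not in counts:
            findings.append(("missing", nick, "baseline %s" % expected[nick]))
    return findings


def failed_selftests(log_text):
    """Return [(severity, plugin, phase)] for self tests logged as FAILED."""
    return FAILED_RE.findall(log_text)


if __name__ == "__main__":
    for severity, plugin, phase in failed_selftests(SELFTEST_LOG):
        print("selftest %s failed at %s (%s)" % (plugin, phase, severity))
    for kind, nick, detail in audit_trust(parse_certutil_listing(CERTUTIL_OUTPUT)):
        print("%-10s %-30s %s" % (kind, nick, detail))
```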
<br><div class="gmail_quote">On Thu, Jul 21, 2016 at 10:04 AM, Linov Suresh <span dir="ltr"><<a href="mailto:linov.suresh@gmail.com" target="_blank">linov.suresh@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div><div data-smartmail="gmail_signature"><div dir="ltr"><div dir="ltr"><div style="background-color:rgb(255,255,255)">This could be because of incorrect trust attributes on the certificates, the current attributes are, </div><div style="background-color:rgb(255,255,255)"><br></div><div style="background-color:rgb(255,255,255)"><div>[root@caer ~]#  certutil -L -d /var/lib/pki-ca/alias</div><div><br></div><div>Certificate Nickname                                         Trust Attributes</div><div>                                                             SSL,S/MIME,JAR/XPI</div><div><br></div><div>ocspSigningCert cert-pki-ca                                   u,u,Pu</div><div>subsystemCert cert-pki-ca                                     u,u,Pu</div><div>caSigningCert cert-pki-ca                                       CTu,Cu,Cu</div><div>subsystemCert cert-pki-ca                                     u,u,Pu</div><div>Server-Cert cert-pki-ca                                          u,u,u</div><div>auditSigningCert cert-pki-ca                                   u,u,Pu</div><div><br></div><div>I'm going to fix the trust attributes and try.</div></div></div></div></div></div><div><div class="h5">
<br><div class="gmail_quote">On Thu, Jul 21, 2016 at 9:45 AM, Petr Vobornik <span dir="ltr"><<a href="mailto:pvoborni@redhat.com" target="_blank">pvoborni@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><span>On 07/20/2016 09:41 PM, Linov Suresh wrote:<br>
> I have restarted the pki-cad and checked if communication with the CA is<br>
> working, but no luck,<br>
><br>
> Debug logs in /var/log/pki-ca do not have anything unusual. Can you think of<br>
> anything other than  this?<br>
<br>
</span>/var/log/httpd/error_log when /etc/ipa.conf is set to debug=true<br>
<a href="https://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data" rel="noreferrer" target="_blank">https://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data</a><br>
<br>
/var/log/pki-ca/debug<br>
/var/log/pki-ca/transactions<br>
/var/log/pki-ca/selftest.log<br>
<span><br>
><br>
> [root@caer ~]# ipa cert-show 1<br>
</span>>    Subject: CN=Certificate Authority,O=TELOIP.NET<br>
>    Issuer: CN=Certificate Authority,O=TELOIP.NET<br>
<span>>    Not Before: Wed Dec 14 22:29:56 2011 UTC<br>
>    Not After: Sat Dec 14 22:29:56 2019 UTC<br>
>    Fingerprint (MD5): c9:27:1d:84:4c:2c:97:38:a4:7b:9a:c0:78:3e:7f:7a<br>
>    Fingerprint (SHA1): ce:d7:11:84:70:dd:cb:4e:e2:08:f5:c0:ac:ff:b3:c5:bb:81:77:7e<br>
>    Serial number (hex): 0x1<br>
>    Serial number: 1<br>
> [root@caer ~]#<br>
><br>
</span><span>> *ca-error: Internal error: no response to<br>
</span>> "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true</a>".<br>
> *<br>
<span>><br>
><br>
><br>
</span><span>> On Wed, Jul 20, 2016 at 2:22 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>> wrote:<br>
><br>
>     Linov Suresh wrote:<br>
><br>
</span><span>>         Thanks for your help Rob, I will create a separate thread for IPA<br>
>         replication issue. But we are still getting<br>
>         *<br>
>         *<br>
>         *ca-error: Internal error: no response to<br>
>         "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true</a>".*<br>
><br>
>              Could you please help us to fix this?<br>
><br>
><br>
>     I think your CA isn't quite fixed yet. I'd restart pki-cad then do something<br>
>     like: ipa cert-show 1<br>
><br>
>     You should get back a cert (doesn't really matter what cert).<br>
><br>
>     Otherwise I'd check the CA debug log somewhere in /var/log/pki<br>
><br>
>     rob<br>
><br>
><br>
><br>
</span><span>>         On Wed, Jul 20, 2016 at 10:08 AM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>> wrote:<br>
><br>
</span><div><div>>              Glad you got the certificates successfully renewed.<br>
><br>
>              Can you open a new e-mail thread on this new problem so we can keep<br>
>              the issues separated?<br>
><br>
>              IPA gets little information back when dogtag fails to install. You<br>
>              need to look in /var/log/<something>/debug for more information. The<br>
>              exact location depends on the version of IPA.<br>
><br>
>              rob<br>
><br>
>              Linov Suresh wrote:<br>
><br>
>                  Great! That worked, and I successfully renewed the<br>
>                  certificates on the IPA server and I was trying to create<br>
>                  an IPA replica server and got an error,<br>
><br>
>                  [root@neit-lab ~]# ipa-replica-install --setup-ca --setup-dns<br>
>                  --no-forwarders --skip-conncheck<br>
>                  /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg<br>
>                  Directory Manager (existing master) password:<br>
>                  Configuring NTP daemon (ntpd)<br>
>                  [1/4]: stopping ntpd<br>
>                  [2/4]: writing configuration<br>
>                  [3/4]: configuring ntpd to start on boot<br>
>                  [4/4]: starting ntpd<br>
>                  Done configuring NTP daemon (ntpd).<br>
>                  Configuring directory server for the CA (pkids): Estimated time 30 seconds<br>
>                  [1/3]: creating directory server user<br>
>                  [2/3]: creating directory server instance<br>
>                  [3/3]: restarting directory server<br>
>                  Done configuring directory server for the CA (pkids).<br>
>                  Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds<br>
>                  [1/17]: creating certificate server user<br>
>                  [2/17]: creating pki-ca instance<br>
>                  [3/17]: configuring certificate server instance<br>
>                  ipa : CRITICAL failed to configure ca instance Command<br>
>                  '/usr/bin/perl /usr/bin/pkisilent ConfigureCA<br>
>                  -cs_hostname neit-lab.teloip.net -cs_port 9445<br>
>                  -client_certdb_dir /tmp/tmp-QAXI9A -client_certdb_pwd XXXXXXXX<br>
>                  -preop_pin UpMxkDYjV90WLL041tDU -domain_name IPA<br>
>                  -admin_user admin -admin_email root@localhost<br>
>                  -admin_password XXXXXXXX<br>
>                  -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa<br>
>                  -agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET<br>
>                  -ldap_host neit-lab.teloip.net -ldap_port 7389<br>
>                  -bind_dn cn=Directory Manager -bind_password XXXXXXXX<br>
>                  -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa<br>
>                  -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX<br>
>                  -subsystem_name pki-cad -token_name internal<br>
>                  -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET<br>
>                  -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET<br>
>                  -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TELOIP.NET<br>
>                  -ca_server_cert_subject_name CN=neit-lab.teloip.net,O=TELOIP.NET<br>
>                  -ca_audit_signing_cert_subject_name CN=CA Audit,O=TELOIP.NET<br>
>                  -ca_sign_cert_subject_name CN=Certificate Authority,O=TELOIP.NET<br>
>                  -external false -clone true -clone_p12_file ca.p12<br>
>                  -clone_p12_password XXXXXXXX<br>
>                  -sd_hostname caer.teloip.net -sd_admin_port 443<br>
>                  -sd_admin_name admin -sd_admin_password XXXXXXXX<br>
>                  -clone_start_tls true<br>
>                  -clone_uri https://caer.teloip.net:443'<br>
>                  returned non-zero exit status 255<br>
>                  Your system may be partly configured. Run<br>
>                  /usr/sbin/ipa-server-install --uninstall to clean up.<br>
>                  Configuration of CA failed<br>
>                  [root@neit-lab ~]#<br>
><br>
>                  I did a clean up using /usr/sbin/ipa-server-install --uninstall<br>
>                  but it<br>
>                  wasn't helpful. Wondering if you can help us on this,<br>
><br>
><br>
><br>
>                  On Tue, Jul 19, 2016 at 10:50 AM, Rob Crittenden<br>
>                  <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>> wrote:<br>
><br>
>                       Linov Suresh wrote:<br>
><br>
>                           I have followed Redhat official documentation,<br>
>         <a href="https://access.redhat.com/solutions/643753" rel="noreferrer" target="_blank">https://access.redhat.com/solutions/643753</a> for certificate renewal,<br>
>                           which says *add: usercertificate. (step 12)*<br>
>                           *<br>
>                           *<br>
>                           While on the other hand FreeIPA official documentation<br>
>         <a href="http://www.freeipa.org/page/IPA_2x_Certificate_Renewal" rel="noreferrer" target="_blank">http://www.freeipa.org/page/IPA_2x_Certificate_Renewal</a>, says to<br>
>                           *add:<br>
>                           usercertificate;binary*<br>
><br>
>                           Just wondering if we need to *add* the certificate?<br>
>                  or *replace* the<br>
>                           existing certificate and which format do we need to<br>
>                  use? *pem*<br>
>                           or *der*.<br>
><br>
>                           We already successfully renewed the certificates about<br>
>                  months<br>
>                           back, but<br>
>                           they were expired about 6 months back and we were not<br>
>                  able to<br>
>                           renew till<br>
>                           now, and it has affected our production environment.<br>
><br>
>                           Please help us.<br>
><br>
><br>
>                       You shouldn't have to mess with these values at all. In 3.0<br>
>                  this is<br>
>                       handled somewhat automatically.<br>
><br>
>                       I'd restart the CA, then certmonger and see if the<br>
>                  communication<br>
>                       error goes away for the CA subservice certificates (the<br>
>                  internal error).<br>
><br>
>                       # service pki-cad restart<br>
>                       <pause a bit><br>
>                       # service certmonger restart<br>
><br>
>                       I find it very strange that the certificates were set to<br>
>         expire<br>
>                       yesterday but it isn't a show-stopper necessarily assuming<br>
>                  you can<br>
>                       get the CA back up.<br>
><br>
>                       Assuming you can, then go back in time again, this time<br>
>                  just a few<br>
>                       days and try renewing the LDAP and Apache server certs again.<br>
><br>
>                       rob<br>
><br>
><br>
>                           On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh<br>
</div></div><span>>                           <<a href="mailto:linov.suresh@gmail.com" target="_blank">linov.suresh@gmail.com</a>> wrote:<br>
><br>
>                                We have cloned and created another virtual server<br>
>                  from the<br>
>                           template.<br>
>                                Surprisingly this server certificates were also<br>
>                  expired at<br>
>                           the same<br>
>                                time as the previous, just lasted for a day.<br>
>                                This issue has something to do with the kerberos<br>
>                  tickets?<br>
><br>
>                                I am new to IPA and your help is highly appreciated.<br>
><br>
>                                On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh<br>
</span><div><div>>                                <<a href="mailto:linov.suresh@gmail.com" target="_blank">linov.suresh@gmail.com</a>> wrote:<br>
><br>
>                                    *Update: my webserver and LDAP certificates expired at 2016-07-18 15:54:36 UTC and the certificates are in CA_UNREACHABLE state.*<br>
><br>
>                                    *Could you please help us?*<br>
><br>
>                                    [root@caer tmp]# getcert list<br>
>                                    Number of certificates and requests being tracked: 8.<br>
>                                    Request ID '20111214223243':<br>
>                                             status: CA_UNREACHABLE<br>
>                                             ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).<br>
>                                             stuck: yes<br>
>                                             key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'<br>
>                                             certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'<br>
>                                             CA: IPA<br>
>                                             issuer: CN=Certificate Authority,O=TELOIP.NET<br>
>                                             subject: CN=caer.teloip.net,O=TELOIP.NET<br>
>                                    *expires: 2016-07-18 15:54:36 UTC*<br>
>                                             eku: id-kp-serverAuth<br>
>                                             pre-save command:<br>
>                                             post-save command:<br>
>                                             track: yes<br>
>                                             auto-renew: yes<br>
>                                    Request ID '20111214223300':<br>
>                                             status: CA_UNREACHABLE<br>
>                                             ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).<br>
>                                             stuck: yes<br>
>                                             key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'<br>
>                                             certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'<br>
>                                             CA: IPA<br>
>                                             issuer: CN=Certificate Authority,O=TELOIP.NET<br>
>                                             subject: CN=caer.teloip.net,O=TELOIP.NET<br>
</div></div><div><div>>                                    *expires: 2016-07-18 15:54:52 UTC*<br>
>                                             eku: id-kp-serverAuth<br>
>                                             pre-save command:<br>
>                                             post-save command:<br>
>                                             track: yes<br>
>                                             auto-renew: yes<br>
>                                    Request ID '20111214223316':<br>
>                                             status: CA_UNREACHABLE<br>
>                                             ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).<br>
>                                             stuck: yes<br>
>                                             key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
>                                             certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'<br>
>                                             CA: IPA<br>
>                                             issuer: CN=Certificate Authority,O=TELOIP.NET<br>
</div></div><span>>                                             subject: CN=caer.teloip.net,O=TELOIP.NET<br>
</span><div><div>>                                    *expires: 2016-07-18 15:55:04 UTC*<br>
>                                             eku: id-kp-serverAuth<br>
>                                             pre-save command:<br>
>                                             post-save command:<br>
>                                             track: yes<br>
>                                             auto-renew: yes<br>
>                                    Request ID '20130519130741':<br>
>                                             status: MONITORING<br>
>                                             ca-error: Internal error: no response to "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true</a>".<br>
>                                             stuck: no<br>
>                                             key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'<br>
>                                             certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'<br>
>                                             CA: dogtag-ipa-renew-agent<br>
>                                             issuer: CN=Certificate Authority,O=TELOIP.NET<br>
>                                             subject: CN=CA Audit,O=TELOIP.NET<br>
>                                             expires: 2017-10-13 14:10:49 UTC<br>
>                                             pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br>
>                                             post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"<br>
>                                             track: yes<br>
>                                             auto-renew: yes<br>
>                                    Request ID '20130519130742':<br>
>                                             status: MONITORING<br>
>                                             ca-error: Internal error: no response to "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true</a>".<br>
>                                             stuck: no<br>
>                                             key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'<br>
>                                             certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'<br>
>                                             CA: dogtag-ipa-renew-agent<br>
>                                             issuer: CN=Certificate Authority,O=TELOIP.NET<br>
>                                             subject: CN=OCSP Subsystem,O=TELOIP.NET<br>
>                                             expires: 2017-10-13 14:09:49 UTC<br>
>                                             eku: id-kp-OCSPSigning<br>
>                                             pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br>
>                                             post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"<br>
>                                             track: yes<br>
>                                             auto-renew: yes<br>
>                                    Request ID '20130519130743':<br>
>                                             status: MONITORING<br>
>                                             ca-error: Internal error: no response to "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true</a>".<br>
>                                             stuck: no<br>
>                                             key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'<br>
>                                             certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'<br>
>                                             CA: dogtag-ipa-renew-agent<br>
>                                             issuer: CN=Certificate Authority,O=TELOIP.NET<br>
>                                             subject: CN=CA Subsystem,O=TELOIP.NET<br>
>                                             expires: 2017-10-13 14:09:49 UTC<br>
>                                             eku: id-kp-serverAuth,id-kp-clientAuth<br>
>                                             pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br>
>                                             post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"<br>
>                                             track: yes<br>
>                                             auto-renew: yes<br>
>                                    Request ID '20130519130744':<br>
>                                             status: MONITORING<br>
>                                             ca-error: Internal error: no response to "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true</a>".<br>
>                                             stuck: no<br>
>                                             key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
>                                             certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'<br>
>                                             CA: dogtag-ipa-renew-agent<br>
>                                             issuer: CN=Certificate Authority,O=TELOIP.NET<br>
>                                             subject: CN=RA Subsystem,O=TELOIP.NET<br>
>                                             expires: 2017-10-13 14:09:49 UTC<br>
>                                             eku: id-kp-serverAuth,id-kp-clientAuth<br>
>                                             pre-save command:<br>
>                                             post-save command: /usr/lib64/ipa/certmonger/restart_httpd<br>
>                                             track: yes<br>
>                                             auto-renew: yes<br>
>                                    Request ID '20130519130745':<br>
>                                             status: MONITORING<br>
>                                             ca-error: Internal error: no response to "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true</a>".<br>
>                                             stuck: no<br>
>                                             key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'<br>
>                                             certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'<br>
>                                             CA: dogtag-ipa-renew-agent<br>
>                                             issuer: CN=Certificate Authority,O=TELOIP.NET<br>
</div></div><span>>                                             subject: CN=caer.teloip.net,O=TELOIP.NET<br>
</span><span>>                                             expires: 2017-10-13 14:09:49 UTC<br>
>                                             eku: id-kp-serverAuth,id-kp-clientAuth<br>
>                                             pre-save command:<br>
>                                             post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"<br>
>                                             track: yes<br>
>                                             auto-renew: yes<br>
><br>
>                                    On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh<br>
>                                    <<a href="mailto:linov.suresh@gmail.com" target="_blank">linov.suresh@gmail.com</a>><br>
</span>
<div><div>>                           wrote:<br>
><br>
>                                        Yes, PKI is running and I don't see any errors in selftests.<br>
>                                        I have followed <a href="https://access.redhat.com/solutions/643753" rel="noreferrer" target="_blank">https://access.redhat.com/solutions/643753</a> and restarted the PKI in step 10.<br>
><br>
>                                        The only change which I made was to clean up userCertificate;binary before adding the new userCertificate in LDAP, which is step 12.<br>
><br>
><br>
>                                        [root@caer ~]# /etc/init.d/pki-cad status<br>
>                                        pki-ca (pid 8634) is running...                         [  OK  ]<br>
>                                             Unsecure Port       = <a href="http://caer.teloip.net:9180/ca/ee/ca" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca</a><br>
>                                             Secure Agent Port   = <a href="https://caer.teloip.net:9443/ca/agent/ca" rel="noreferrer" target="_blank">https://caer.teloip.net:9443/ca/agent/ca</a><br>
>                                             Secure EE Port      = <a href="https://caer.teloip.net:9444/ca/ee/ca" rel="noreferrer" target="_blank">https://caer.teloip.net:9444/ca/ee/ca</a><br>
>                                             Secure Admin Port   = <a href="https://caer.teloip.net:9445/ca/services" rel="noreferrer" target="_blank">https://caer.teloip.net:9445/ca/services</a><br>
>                                             EE Client Auth Port = <a href="https://caer.teloip.net:9446/ca/eeca/ca" rel="noreferrer" target="_blank">https://caer.teloip.net:9446/ca/eeca/ca</a><br>
>                                             PKI Console Port    = pkiconsole <a href="https://caer.teloip.net:9445/ca" rel="noreferrer" target="_blank">https://caer.teloip.net:9445/ca</a><br>
>                                             Tomcat Port         = 9701 (for shutdown)<br>
><br>
>                                             PKI Instance Name:   pki-ca<br>
><br>
>                                             PKI Subsystem Type:  Root CA (Security Domain)<br>
><br>
>                                             Registered PKI Security Domain Information:<br>
>                                             ==========================================================================<br>
>                                             Name:  IPA<br>
>                                             URL: <a href="https://caer.teloip.net:9445" rel="noreferrer" target="_blank">https://caer.teloip.net:9445</a><br>
>                                             ==========================================================================<br>
>                                        [root@caer ~]#<br>
>                                        [root@caer ~]# tail -f /var/log/pki-ca/selftests.log<br>
>                                        8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading all self test plugin logger parameters<br>
>                                        8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading all self test plugin instances<br>
>                                        8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading all self test plugin instance parameters<br>
>                                        8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading self test plugins in on-demand order<br>
>                                        8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading self test plugins in startup order<br>
>                                        8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!<br>
>                                        8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:<br>
>                                        8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence:  CA is present<br>
>                                        8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification: system certs verification success<br>
>                                        8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!<br>
><br>
>                                        Your help is highly appreciated!<br>
><br>
>                                            Linov Suresh<br>
><br>
>                                            70 Forest Manor Rd.<br>
>                                            Toronto<br>
>                                            ON M2J 0A9<br>
>                                            Mobile: <a href="tel:%2B1%20647%20406%209438" value="+16474069438" target="_blank">+1 647 406 9438</a><br>
>                                            Linkedin: <a href="http://ca.linkedin.com/in/linov/" rel="noreferrer" target="_blank">ca.linkedin.com/in/linov/</a><br>
>                                            Website: <a href="http://mylinuxthoughts.blogspot.com" rel="noreferrer" target="_blank">http://mylinuxthoughts.blogspot.com</a><br>
><br>
><br>
>                                        On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik <<a href="mailto:pvoborni@redhat.com" target="_blank">pvoborni@redhat.com</a>> wrote:<br>
</div></div><div><div>
><br>
>                                            On 07/18/2016 05:45 AM, Linov Suresh wrote:<br>
>                                            > Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and<br>
>                                            > certmonger. Looks like certificates were renewed. But I'm getting a different<br>
>                                            > error now,<br>
>                                            ><br>
>                                            > *ca-error: Internal error: no response to<br>
>                                            > "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true</a>".*<br>
><br>
>                                            Is PKI running? When you change the time, does restart of IPA help?<br>
><br>
>                                            ><br>
>                                            > [root@caer ~]# getcert list<br>
>                                            > Number of certificates and requests being tracked: 8.<br>
>                                            > Request ID '20111214223243':<br>
>                                            >          status: MONITORING<br>
>                                            >          stuck: no<br>
>                                            >          key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'<br>
>                                            >          certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'<br>
>                                            >          CA: IPA<br>
>                                            >          issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
</div></div><div><div>>                                            >          subject: CN=<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a><br>
><br>
><br>
<br>
<br>
</div></div><span><font color="#888888">--<br>
Petr Vobornik<br>
</font></span></blockquote></div><br></div></div></div></div>
</blockquote></div><br></div></div>