<html><head></head><body><div style="color:#000; background-color:#fff; font-family:verdana, helvetica, sans-serif;font-size:24px"><div id="yui_3_16_0_ym19_1_1469042370452_84546">hi</div><div dir="ltr" id="yui_3_16_0_ym19_1_1469042370452_84556">I did some changes not I get below werror when I open HTTP service in web interface </div><div id="yui_3_16_0_ym19_1_1469042370452_84547"> </div><div id="yui_3_16_0_ym19_1_1469042370452_84758" dir="ltr">Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0x276 not found)</div><div id="yui_3_16_0_ym19_1_1469042370452_84759"></div><div id="yui_3_16_0_ym19_1_1469042370452_84760" class="qtdSeparateBR"> </div><div style="display: block;" id="yui_3_16_0_ym19_1_1469042370452_84764" class="yahoo_quoted"> <div id="yui_3_16_0_ym19_1_1469042370452_84763" style="font-family: verdana, helvetica, sans-serif; font-size: 24px;"> <div id="yui_3_16_0_ym19_1_1469042370452_84762" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yui_3_16_0_ym19_1_1469042370452_84761" dir="ltr"> <hr size="1"> From: "freeipa-users-request@redhat.com" <freeipa-users-request@redhat.com> To: freeipa-users@redhat.com Sent: Thursday, July 21, 2016 11:38 PM Subject: Freeipa-users Digest, Vol 96, Issue 125 </div> <div id="yui_3_16_0_ym19_1_1469042370452_84771" class="y_msg_container"> Send Freeipa-users mailing list submissions to <a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> To subscribe or unsubscribe via the World Wide Web, visit <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> or, via email, send a message with subject or body 'help' to <a ymailto="mailto:freeipa-users-request@redhat.com" href="mailto:freeipa-users-request@redhat.com">freeipa-users-request@redhat.com</a> You can reach the person managing the list at <a ymailto="mailto:freeipa-users-owner@redhat.com" href="mailto:freeipa-users-owner@redhat.com">freeipa-users-owner@redhat.com</a> When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeipa-users digest..." Today's Topics: 1. Re: regenerate certificate (mohammad sereshki) ---------------------------------------------------------------------- Message: 1 Date: Thu, 21 Jul 2016 19:08:16 +0000 (UTC) From: mohammad sereshki <<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a>> To: Rob Crittenden <<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>, Florence Blanc-Renaud <<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a>>, Freeipa-users <<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>> Subject: Re: [Freeipa-users] regenerate certificate Message-ID: <<a ymailto="mailto:1119368990.3296955.1469128096522.JavaMail.yahoo@mail.yahoo.com" href="mailto:1119368990.3296955.1469128096522.JavaMail.yahoo@mail.yahoo.com">1119368990.3296955.1469128096522.JavaMail.yahoo@mail.yahoo.com</a>> Content-Type: text/plain; charset="utf-8" and this is for catalina.out SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$<a ymailto="mailto:1@39139da8" href="mailto:1@39139da8">1@39139da8</a>]) and a value of type [java.text.SimpleDateFormat] (value [<a ymailto="mailto:java.text.SimpleDateFormat@d1b317c9" href="mailto:java.text.SimpleDateFormat@d1b317c9">java.text.SimpleDateFormat@d1b317c9</a>]) but failed to remove it when the web appli cation was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed. Jul 21, 2016 11:10:10 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$<a ymailto="mailto:1@39139da8" href="mailto:1@39139da8">1@39139da8</a>]) and a value of type [java.text.SimpleDateFormat] (value [<a ymailto="mailto:java.text.SimpleDateFormat@d1b317c9" href="mailto:java.text.SimpleDateFormat@d1b317c9">java.text.SimpleDateFormat@d1b317c9</a>]) but failed to remove it when the web appli cation was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed. Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy INFO: Stopping Coyote HTTP/1.1 on http-9180 Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy INFO: Stopping Coyote HTTP/1.1 on http-9443 Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy INFO: Stopping Coyote HTTP/1.1 on http-9445 Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy INFO: Stopping Coyote HTTP/1.1 on http-9444 Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy INFO: Stopping Coyote HTTP/1.1 on http-9446 Exception in thread "Timer-0" java.lang.NullPointerException ??????? at com.netscape.certsrv.apps.CMS.getConfigStore(CMS.java:771) ??????? at com.netscape.cms.servlet.csadmin.LDAPSecurityDomainSessionTable.getSessionIds(LDAPSecurityDomainSessionTable.java:156) ??????? at com.netscape.cms.servlet.csadmin.SessionTimer.run(SessionTimer.java:33) ??????? at java.util.TimerThread.mainLoop(Timer.java:555) ??????? at java.util.TimerThread.run(Timer.java:505) Jul 21, 2016 11:10:43 PM org.apache.catalina.core.AprLifecycleListener init INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib Jul 21, 2016 11:10:43 PM org.apache.coyote.http11.Http11Protocol init INFO: Initializing Coyote HTTP/1.1 on http-9180 Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed. Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed. : From: mohammad sereshki <<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a>> To: Rob Crittenden <<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>; Florence Blanc-Renaud <<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a>>; Freeipa-users <<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>> Sent: Thursday, July 21, 2016 11:36 PM Subject: Re: [Freeipa-users] regenerate certificate and below is for selftests.log 3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup: 3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] CAPresence:? CA is present 3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SystemCertsVerification: system certs verification failure 3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED! 1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: Initializing self test plugins: 1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:? loading all self test plugin logger parameters 1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:? loading all self test plugin instances 1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:? loading all self test plugin instance parameters 1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:? loading self test plugins in on-demand order 1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:? loading self test plugins in startup order 1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded! 1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup: 1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] CAPresence:? CA is present 1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SystemCertsVerification: system certs verification failure 1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED! (END) From: mohammad sereshki <<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a>> To: Rob Crittenden <<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>; Florence Blanc-Renaud <<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a>>; Freeipa-users <<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>> Sent: Thursday, July 21, 2016 11:34 PM Subject: Re: [Freeipa-users] regenerate certificate hiI find below in debug file under /var/log/pki-cawhat is your comment? 21/Jul/2016:23:13:42][TP-Processor3]: according to ccMode, authorization for servlet: caDisplayBySerial is LD AP based, not XML {1}, use default authz mgr: {2}. [21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before. [21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized. [21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before. [21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized. [21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before. [21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized. [21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before. [21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized. [21/Jul/2016:23:20:45][CertStatusUpdateThread]: About to start updateCertStatus [21/Jul/2016:23:20:45][CertStatusUpdateThread]: Starting updateCertStatus (entered lock) From: Rob Crittenden <<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> To: mohammad sereshki <<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a>>; Florence Blanc-Renaud <<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a>>; Freeipa-users <<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>> Sent: Thursday, July 21, 2016 11:21 PM Subject: Re: [Freeipa-users] regenerate certificate mohammad sereshki wrote: > hi > would you please explain more > ? Your CA (dogtag) is not running. The CA is written in java and deployed as a WAR in tomcat. If something goes wrong during initialization the CA will exit but tomcat will not. Requests to the CA are returning 404 Not Found because the application is not running in dogtag. You need to look at the logs in /var/log/pki-ca to see what is going on. I'd start with selftests.log then move onto catalina.out and debug. rob > > > ------------------------------------------------------------------------ > *From:* Rob Crittenden <<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> > *To:* mohammad sereshki <<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a>>; Florence > Blanc-Renaud <<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a>>; Freeipa-users <<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>> > *Sent:* Thursday, July 21, 2016 11:09 PM > *Subject:* Re: [Freeipa-users] regenerate certificate > > mohammad sereshki wrote: >? > hi >? > it is result of command, seems issue is another thing >? > >? > >? >? ipa cert-show 1 >? > ipa: ERROR: Certificate operation cannot be completed: Unable to >? > communicate with CMS (Not Found) > > Which means that the CA still isn't up. You're going to need to look at > the dogtag logs in /var/log/pki*. debug is probably the place to start. > > rob > >? > >? > >? > >? > ------------------------------------------------------------------------ >? > *From:* Rob Crittenden <<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>> >? > *To:* mohammad sereshki <<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a> > <mailto:<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a>>>; Florence >? > Blanc-Renaud <<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a> <mailto:<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a>>>; Freeipa-users > <<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>>> >? > *Sent:* Thursday, July 21, 2016 8:08 PM >? > *Subject:* Re: [Freeipa-users] regenerate certificate >? > >? > mohammad sereshki wrote: >? >? > dear >? >? > thanks, but would you please check below and let me know what is your >? >? > idea?I checked your command but it did not work. >? > >? > The Not Found suggests that the CA is not up. I'd try restarting the >? > pki-cad process to see if that helps. >? > >? > A simple test that communication is working is: ipa cert-show 1 >? > >? > The output isn't important as long as it isn't an error. >? > >? > rob >? > >? > >? >? > >? >? > >? >? > >? >? > Number of certificates and requests being tracked: 8. >? >? > Request ID '20140817123525': >? >? >? ? ? ? ? status: MONITORING >? >? >? ? ? ? ? ca-error: Unable to determine principal name for signing >? > request. >? >? >? ? ? ? ? stuck: no >? >? >? ? ? ? ? key paCOM storage: >? >? > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >? >? > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >? >? >? ? ? ? ? certificate: >? >? > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >? >? > Certificate DB' >? >? >? ? ? ? ? CA: IPA >? >? >? ? ? ? ? issuer: CN=Certificate Authority,O=EXAMPLE.COM >? >? >? ? ? ? ? subject: CN=IPA RA,O=EXAMPLE.COM >? >? >? ? ? ? ? expCOMes: 2018-06-30 07:56:06 UTC >? >? >? ? ? ? ? eku: id-kp-serverAuth,id-kp-clientAuth >? >? >? ? ? ? ? pre-save command: >? >? >? ? ? ? ? post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert >? >? >? ? ? ? ? track: yes >? >? >? ? ? ? ? auto-renew: yes >? >? > Request ID '20140817123534': >? >? >? ? ? ? ? status: CA_UNREACHABLE >? >? >? ? ? ? ? ca-error: Server failed request, will retry: 4301 (RPC failed >? >? > at server.? Certificate operation cannot be completed: Unable to >? >? > communicate with CMS (Not Found)). >? >? >? ? ? ? ? stuck: yes >? >? >? ? ? ? ? key paCOM storage: >? >? > >? > > type=NSSDB,location='/etc/dCOMsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS >? >? > Certificate DB',pinfile='/etc/dCOMsrv/slapd-EXAMPLE.-COM/pwdfile.txt' >? >? >? ? ? ? ? certificate: >? >? > >? > > type=NSSDB,location='/etc/dCOMsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS >? >? > Certificate DB' >? >? >? ? ? ? ? CA: IPA >? >? >? ? ? ? ? issuer: CN=Certificate Authority,O=EXAMPLE.COM >? >? >? ? ? ? ? subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM >? >? >? ? ? ? ? expCOMes: 2016-08-17 12:35:34 UTC >? >? >? ? ? ? ? eku: id-kp-serverAuth,id-kp-clientAuth >? >? >? ? ? ? ? pre-save command: >? >? >? ? ? ? ? post-save command: /usr/lib64/ipa/certmonger/restart_dCOMsrv >? >? > EXAMPLE.-COM >? >? >? ? ? ? ? track: yes >? >? >? ? ? ? ? auto-renew: yes >? >? > Request ID '20140817123602': >? >? >? ? ? ? ? status: CA_UNREACHABLE >? >? >? ? ? ? ? ca-error: Server failed request, will retry: 4301 (RPC failed >? >? > at server.? Certificate operation cannot be completed: Unable to >? >? > communicate with CMS (Not Found)). >? >? >? ? ? ? ? stuck: yes >? >? >? ? ? ? ? key paCOM storage: >? >? > >? > > type=NSSDB,location='/etc/dCOMsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >? >? > Certificate DB',pinfile='/etc/dCOMsrv/slapd-PKI-IPA/pwdfile.txt' >? >? >? ? ? ? ? certificate: >? >? > >? > > type=NSSDB,location='/etc/dCOMsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >? >? > Certificate DB' >? >? >? ? ? ? ? CA: IPA >? >? >? ? ? ? ? issuer: CN=Certificate Authority,O=EXAMPLE.COM >? >? >? ? ? ? ? subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM >? >? >? ? ? ? ? expCOMes: 2016-08-17 12:36:02 UTC >? >? >? ? ? ? ? eku: id-kp-serverAuth,id-kp-clientAuth >? >? >? ? ? ? ? pre-save command: >? >? >? ? ? ? ? post-save command: /usr/lib64/ipa/certmonger/restart_dCOMsrv >? >? > PKI-IPA >? >? >? ? ? ? ? track: yes >? >? >? ? ? ? ? auto-renew: yes >? >? > Request ID '20140817123752': >? >? >? ? ? ? ? status: CA_UNREACHABLE >? >? >? ? ? ? ? ca-error: Server failed request, will retry: 4301 (RPC failed >? >? > at server.? Certificate operation cannot be completed: Unable to >? >? > communicate with CMS (Not Found)). >? >? >? ? ? ? ? stuck: yes >? >? >? ? ? ? ? key paCOM storage: >? >? > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >? >? > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >? >? >? ? ? ? ? certificate: >? >? > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >? >? > Certificate DB' >? >? >? ? ? ? ? CA: IPA >? >? >? ? ? ? ? issuer: CN=Certificate Authority,O=EXAMPLE.COM >? >? >? ? ? ? ? subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM >? >? >? ? ? ? ? expCOMes: 2016-08-17 12:37:51 UTC >? >? >? ? ? ? ? eku: id-kp-serverAuth,id-kp-clientAuth >? >? >? ? ? ? ? pre-save command: >? >? >? ? ? ? ? post-save command: /usr/lib64/ipa/certmonger/restart_httpd >? >? >? ? ? ? ? track: yes >? >? >? ? ? ? ? auto-renew: yes >? >? > You have new mail in /var/spool/mail/root >? >? > >? >? > >? >? > > ------------------------------------------------------------------------ >? >? > *From:* Florence Blanc-Renaud <<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a> > <mailto:<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a>> <mailto:<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a> <mailto:<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a>>>> >? >? > *To:* mohammad sereshki <<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a> > <mailto:<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a>> >? > <mailto:<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a> > <mailto:<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a>>>>; Freeipa-users >? >? > <<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>> > <mailto:<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>>>> > >? >? > *Sent:* Thursday, July 21, 2016 11:30 AM >? >? > *Subject:* Re: [Freeipa-users] regenerate certificate >? >? > >? >? > On 07/20/2016 10:04 PM, mohammad sereshki wrote: >? >? >? > hi >? >? >? > I check my IPA server which is version ipa-server-3.0.0-25 , > command >? >? >? > "ipa-get-cert list" show, my certificate will be expired in next >? > 20 days, >? >? >? > I do not know how to regenerate them >? >? >? > but command "getcert list" shows epirtion certificates are related >? > just >? >? >? > to "CA:IPA" and certificate " CA: dogtag-ipa-renew-agent" ,? has >? > enough >? >? >? > time . >? >? >? > would you please help me to know how to regenerate CA:IPA >? > certificates? >? >? >? > >? >? >? > Best Regards >? >? >? > >? >? >? > >? >? >? > >? >? > >? >? > Hi Mohammad, >? >? > >? >? > the certificates issued by IPA CA are normally tracked by > certmonger and >? >? > automatically renewed when they are near their expiration date. To > make >? >? > sure that your certificates are tracked, you can issue >? >? > >? >? > $ ipa-getcert list >? >? > >? >? > and check the "status:" field for each certificate. It should display >? >? > "MONITORING". >? >? > >? >? > If you want to manually renew them, you must note their request ID and >? >? > use the command >? >? > $ ipa-getcert resubmit -i $REQUEST_ID >? >? > >? >? > Hope this helps, >? >? > Flo. >? >? > >? >? > >? >? > >? >? > >? >? > >? > >? > >? > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: <<a href="https://www.redhat.com/archives/freeipa-users/attachments/20160721/ef74f106/attachment.html" target="_blank">https://www.redhat.com/archives/freeipa-users/attachments/20160721/ef74f106/attachment.html</a>> ------------------------------ _______________________________________________ Freeipa-users mailing list <a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> End of Freeipa-users Digest, Vol 96, Issue 125 ********************************************** </div> </div> </div> </div></div></body></html>