<html><head></head><body><div style="color:#000; background-color:#fff; font-family:verdana, helvetica, sans-serif;font-size:24px"><div id="yui_3_16_0_ym19_1_1469042370452_90656">hi</div><div id="yui_3_16_0_ym19_1_1469042370452_90654" dir="ltr">ignore my last email,I ran list of certs, you can see I have 2 of auditSigningCert, what is this , do you know it? </div><div id="yui_3_16_0_ym19_1_1469042370452_90653" dir="ltr"> </div><div id="yui_3_16_0_ym19_1_1469042370452_90652" dir="ltr"> </div><div id="yui_3_16_0_ym19_1_1469042370452_90614" dir="ltr">certutil -L -d /var/lib/pki-ca/alias Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI subsystemCert cert-pki-ca u,u,Pu Server-Cert cert-pki-ca u,u,u auditSigningCert cert-pki-ca u,u,u caSigningCert cert-pki-ca CTu,Cu,Cu Server-Cert cert-pki-ca u,u,u auditSigningCert cert-pki-ca u,u,Pu ocspSigningCert cert-pki-ca u,u,Pu </div><div></div><div id="yui_3_16_0_ym19_1_1469042370452_90598" class="qtdSeparateBR"> </div><div style="display: block;" id="yui_3_16_0_ym19_1_1469042370452_90602" class="yahoo_quoted"> <div id="yui_3_16_0_ym19_1_1469042370452_90601" style="font-family: verdana, helvetica, sans-serif; font-size: 24px;"> <div id="yui_3_16_0_ym19_1_1469042370452_90600" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yui_3_16_0_ym19_1_1469042370452_90599" dir="ltr"> <hr size="1"> From: Rob Crittenden <rcritten@redhat.com> To: mohammad sereshki <mohammadsereshki@yahoo.com>; "freeipa-users@redhat.com" <freeipa-users@redhat.com> Sent: Friday, July 22, 2016 12:45 AM Subject: Re: [Freeipa-users] Freeipa-users Digest, Vol 96, Issue 125 </div> <div id="yui_3_16_0_ym19_1_1469042370452_90610" class="y_msg_container"> mohammad sereshki wrote: > hi > I did some changes not I get below werror when I open HTTP service in > web interface What changes did you do? From a previous e-mail the problem is that the CA couldn't validate its own certificates. This is sometimes an issue with certificate trust. To look at it run: # certutil -L -d /var/lib/pki-ca/alias The auditSigningCert should have a trust of u,u,Pu. If it doesn't you can fix it with: # certutil -M -d /var/lib/pki-ca/alias -n 'auditSigningCert cert-pki-ca' -t u,u,Pu > Certificate operation cannot be completed: EXCEPTION (Certificate serial > number 0x276 not found) Do you have other CA masters (if not you should, but do that once things are stable)? rob > > > ------------------------------------------------------------------------ > *From:* "<a ymailto="mailto:freeipa-users-request@redhat.com" href="mailto:freeipa-users-request@redhat.com">freeipa-users-request@redhat.com</a>" > <<a ymailto="mailto:freeipa-users-request@redhat.com" href="mailto:freeipa-users-request@redhat.com">freeipa-users-request@redhat.com</a>> > *To:* <a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> > *Sent:* Thursday, July 21, 2016 11:38 PM > *Subject:* Freeipa-users Digest, Vol 96, Issue 125 > > Send Freeipa-users mailing list submissions to > <a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>> > > To subscribe or unsubscribe via the World Wide Web, visit > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > or, via email, send a message with subject or body 'help' to > <a ymailto="mailto:freeipa-users-request@redhat.com" href="mailto:freeipa-users-request@redhat.com">freeipa-users-request@redhat.com</a> <mailto:<a ymailto="mailto:freeipa-users-request@redhat.com" href="mailto:freeipa-users-request@redhat.com">freeipa-users-request@redhat.com</a>> > > You can reach the person managing the list at > <a ymailto="mailto:freeipa-users-owner@redhat.com" href="mailto:freeipa-users-owner@redhat.com">freeipa-users-owner@redhat.com</a> <mailto:<a ymailto="mailto:freeipa-users-owner@redhat.com" href="mailto:freeipa-users-owner@redhat.com">freeipa-users-owner@redhat.com</a>> > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Freeipa-users digest..." > > > Today's Topics: > > 1. Re: regenerate certificate (mohammad sereshki) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Thu, 21 Jul 2016 19:08:16 +0000 (UTC) > From: mohammad sereshki <<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a> > <mailto:<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a>>> > To: Rob Crittenden <<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> > <mailto:<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>>, Florence Blanc-Renaud > <<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a> <mailto:<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a>>>, Freeipa-users > <<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>>> > Subject: Re: [Freeipa-users] regenerate certificate > Message-ID: > <<a ymailto="mailto:1119368990.3296955.1469128096522.JavaMail.yahoo@mail.yahoo.com" href="mailto:1119368990.3296955.1469128096522.JavaMail.yahoo@mail.yahoo.com">1119368990.3296955.1469128096522.JavaMail.yahoo@mail.yahoo.com</a> > <mailto:<a ymailto="mailto:1119368990.3296955.1469128096522.JavaMail.yahoo@mail.yahoo.com" href="mailto:1119368990.3296955.1469128096522.JavaMail.yahoo@mail.yahoo.com">1119368990.3296955.1469128096522.JavaMail.yahoo@mail.yahoo.com</a>>> > Content-Type: text/plain; charset="utf-8" > > and this is for catalina.out > > SEVERE: A web application created a ThreadLocal with key of type [null] > (value [com.netscape.cmscore.util.Debug$<a ymailto="mailto:1@39139da8" href="mailto:1@39139da8">1@39139da8</a> <mailto:<a ymailto="mailto:1@39139da8" href="mailto:1@39139da8">1@39139da8</a>>]) > and a > value of type [java.text.SimpleDateFormat] (value > [<a ymailto="mailto:java.text.SimpleDateFormat@d1b317c9" href="mailto:java.text.SimpleDateFormat@d1b317c9">java.text.SimpleDateFormat@d1b317c9</a> > <mailto:<a ymailto="mailto:java.text.SimpleDateFormat@d1b317c9" href="mailto:java.text.SimpleDateFormat@d1b317c9">java.text.SimpleDateFormat@d1b317c9</a>>]) but failed to remove it > when the web appli > cation was stopped. To prevent a memory leak, the ThreadLocal has been > forcibly removed. > Jul 21, 2016 11:10:10 PM org.apache.catalina.loader.WebappClassLoader > clearThreadLocalMap > SEVERE: A web application created a ThreadLocal with key of type [null] > (value [com.netscape.cmscore.util.Debug$<a ymailto="mailto:1@39139da8" href="mailto:1@39139da8">1@39139da8</a> <mailto:<a ymailto="mailto:1@39139da8" href="mailto:1@39139da8">1@39139da8</a>>]) > and a > value of type [java.text.SimpleDateFormat] (value > [<a ymailto="mailto:java.text.SimpleDateFormat@d1b317c9" href="mailto:java.text.SimpleDateFormat@d1b317c9">java.text.SimpleDateFormat@d1b317c9</a> > <mailto:<a ymailto="mailto:java.text.SimpleDateFormat@d1b317c9" href="mailto:java.text.SimpleDateFormat@d1b317c9">java.text.SimpleDateFormat@d1b317c9</a>>]) but failed to remove it > when the web appli > cation was stopped. To prevent a memory leak, the ThreadLocal has been > forcibly removed. > Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy > INFO: Stopping Coyote HTTP/1.1 on http-9180 > Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy > INFO: Stopping Coyote HTTP/1.1 on http-9443 > Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy > INFO: Stopping Coyote HTTP/1.1 on http-9445 > Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy > INFO: Stopping Coyote HTTP/1.1 on http-9444 > Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy > INFO: Stopping Coyote HTTP/1.1 on http-9446 > Exception in thread "Timer-0" java.lang.NullPointerException > ??????? at com.netscape.certsrv.apps.CMS.getConfigStore(CMS.java:771) > ??????? at > com.netscape.cms.servlet.csadmin.LDAPSecurityDomainSessionTable.getSessionIds(LDAPSecurityDomainSessionTable.java:156) > ??????? at > com.netscape.cms.servlet.csadmin.SessionTimer.run(SessionTimer.java:33) > ??????? at java.util.TimerThread.mainLoop(Timer.java:555) > ??????? at java.util.TimerThread.run(Timer.java:505) > Jul 21, 2016 11:10:43 PM org.apache.catalina.core.AprLifecycleListener init > INFO: The APR based Apache Tomcat Native library which allows optimal > performance in production environments was not found on the > java.library.path: > /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib > Jul 21, 2016 11:10:43 PM org.apache.coyote.http11.Http11Protocol init > INFO: Initializing Coyote HTTP/1.1 on http-9180 > Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" > unsupported by NSS. This is probably O.K. unless ECC support has been > installed. > Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" > unsupported by NSS. This is probably O.K. unless ECC support has been > installed. > : > > > > From: mohammad sereshki <<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a> > <mailto:<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a>>> > To: Rob Crittenden <<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>>; > Florence Blanc-Renaud <<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a> <mailto:<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a>>>; > Freeipa-users <<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>>> > Sent: Thursday, July 21, 2016 11:36 PM > Subject: Re: [Freeipa-users] regenerate certificate > > and below is for selftests.log > > 3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SelfTestSubsystem: > Running self test plugins specified to be executed at startup: > 3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] CAPresence:? CA is present > 3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] > SystemCertsVerification: system certs verification failure > 3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SelfTestSubsystem: The > CRITICAL self test plugin called > selftests.container.instance.SystemCertsVerification running at startup > FAILED! > 1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: > Initializing self test plugins: > 1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:? > loading all self test plugin logger parameters > 1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:? > loading all self test plugin instances > 1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:? > loading all self test plugin instance parameters > 1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:? > loading self test plugins in on-demand order > 1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:? > loading self test plugins in startup order > 1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: Self > test plugins have been successfully loaded! > 1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SelfTestSubsystem: > Running self test plugins specified to be executed at startup: > 1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] CAPresence:? CA is present > 1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] > SystemCertsVerification: system certs verification failure > 1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SelfTestSubsystem: The > CRITICAL self test plugin called > selftests.container.instance.SystemCertsVerification running at startup > FAILED! > (END) > > > > From: mohammad sereshki <<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a> > <mailto:<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a>>> > To: Rob Crittenden <<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>>; > Florence Blanc-Renaud <<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a> <mailto:<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a>>>; > Freeipa-users <<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>>> > Sent: Thursday, July 21, 2016 11:34 PM > Subject: Re: [Freeipa-users] regenerate certificate > > hiI find below in debug file under /var/log/pki-cawhat is your comment? > > 21/Jul/2016:23:13:42][TP-Processor3]: according to ccMode, authorization > for servlet: caDisplayBySerial is LD > AP based, not XML {1}, use default authz mgr: {2}. > [21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password > store initialized before. > [21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password > store initialized. > [21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password > store initialized before. > [21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password > store initialized. > [21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password > store initialized before. > [21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password > store initialized. > [21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password > store initialized before. > [21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password > store initialized. > [21/Jul/2016:23:20:45][CertStatusUpdateThread]: About to start > updateCertStatus > [21/Jul/2016:23:20:45][CertStatusUpdateThread]: Starting > updateCertStatus (entered lock) > > > > From: Rob Crittenden <<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> > <mailto:<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>> > To: mohammad sereshki <<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a> > <mailto:<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a>>>; Florence Blanc-Renaud > <<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a> <mailto:<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a>>>; Freeipa-users > <<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>>> > Sent: Thursday, July 21, 2016 11:21 PM > Subject: Re: [Freeipa-users] regenerate certificate > > mohammad sereshki wrote: > > hi > > would you please explain more > > ? > > Your CA (dogtag) is not running. The CA is written in java and deployed > as a WAR in tomcat. If something goes wrong during initialization the CA > will exit but tomcat will not. > > Requests to the CA are returning 404 Not Found because the application > is not running in dogtag. > > You need to look at the logs in /var/log/pki-ca to see what is going on. > > I'd start with selftests.log then move onto catalina.out and debug. > > rob > > > > > > > ------------------------------------------------------------------------ > > *From:* Rob Crittenden <<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>> > > *To:* mohammad sereshki <<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a> > <mailto:<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a>>>; Florence > > Blanc-Renaud <<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a> <mailto:<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a>>>; Freeipa-users > <<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>>> > > *Sent:* Thursday, July 21, 2016 11:09 PM > > *Subject:* Re: [Freeipa-users] regenerate certificate > > > > mohammad sereshki wrote: > >? > hi > >? > it is result of command, seems issue is another thing > >? > > >? > > >? >? ipa cert-show 1 > >? > ipa: ERROR: Certificate operation cannot be completed: Unable to > >? > communicate with CMS (Not Found) > > > > Which means that the CA still isn't up. You're going to need to look at > > the dogtag logs in /var/log/pki*. debug is probably the place to start. > > > > rob > > > >? > > >? > > >? > > >? > > ------------------------------------------------------------------------ > >? > *From:* Rob Crittenden <<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> > <mailto:<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> <mailto:<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> > <mailto:<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>>> > >? > *To:* mohammad sereshki <<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a> > <mailto:<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a>> > > <mailto:<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a> > <mailto:<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a>>>>; Florence > >? > Blanc-Renaud <<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a> <mailto:<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a>> > <mailto:<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a> <mailto:<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a>>>>; Freeipa-users > > <<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>> > <mailto:<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>>>> > >? > *Sent:* Thursday, July 21, 2016 8:08 PM > >? > *Subject:* Re: [Freeipa-users] regenerate certificate > >? > > >? > mohammad sereshki wrote: > >? >? > dear > >? >? > thanks, but would you please check below and let me know what > is your > >? >? > idea?I checked your command but it did not work. > >? > > >? > The Not Found suggests that the CA is not up. I'd try restarting the > >? > pki-cad process to see if that helps. > >? > > >? > A simple test that communication is working is: ipa cert-show 1 > >? > > >? > The output isn't important as long as it isn't an error. > >? > > >? > rob > >? > > >? > > >? >? > > >? >? > > >? >? > > >? >? > Number of certificates and requests being tracked: 8. > >? >? > Request ID '20140817123525': > >? >? >? ? ? ? ? status: MONITORING > >? >? >? ? ? ? ? ca-error: Unable to determine principal name for signing > >? > request. > >? >? >? ? ? ? ? stuck: no > >? >? >? ? ? ? ? key paCOM storage: > >? >? > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > >? >? > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > >? >? >? ? ? ? ? certificate: > >? >? > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > >? >? > Certificate DB' > >? >? >? ? ? ? ? CA: IPA > >? >? >? ? ? ? ? issuer: CN=Certificate Authority,O=EXAMPLE.COM > >? >? >? ? ? ? ? subject: CN=IPA RA,O=EXAMPLE.COM > >? >? >? ? ? ? ? expCOMes: 2018-06-30 07:56:06 UTC > >? >? >? ? ? ? ? eku: id-kp-serverAuth,id-kp-clientAuth > >? >? >? ? ? ? ? pre-save command: > >? >? >? ? ? ? ? post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert > >? >? >? ? ? ? ? track: yes > >? >? >? ? ? ? ? auto-renew: yes > >? >? > Request ID '20140817123534': > >? >? >? ? ? ? ? status: CA_UNREACHABLE > >? >? >? ? ? ? ? ca-error: Server failed request, will retry: 4301 (RPC > failed > >? >? > at server.? Certificate operation cannot be completed: Unable to > >? >? > communicate with CMS (Not Found)). > >? >? >? ? ? ? ? stuck: yes > >? >? >? ? ? ? ? key paCOM storage: > >? >? > > >? > > > > type=NSSDB,location='/etc/dCOMsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS > >? >? > Certificate > DB',pinfile='/etc/dCOMsrv/slapd-EXAMPLE.-COM/pwdfile.txt' > >? >? >? ? ? ? ? certificate: > >? >? > > >? > > > > type=NSSDB,location='/etc/dCOMsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS > >? >? > Certificate DB' > >? >? >? ? ? ? ? CA: IPA > >? >? >? ? ? ? ? issuer: CN=Certificate Authority,O=EXAMPLE.COM > >? >? >? ? ? ? ? subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM > >? >? >? ? ? ? ? expCOMes: 2016-08-17 12:35:34 UTC > >? >? >? ? ? ? ? eku: id-kp-serverAuth,id-kp-clientAuth > >? >? >? ? ? ? ? pre-save command: > >? >? >? ? ? ? ? post-save command: > /usr/lib64/ipa/certmonger/restart_dCOMsrv > >? >? > EXAMPLE.-COM > >? >? >? ? ? ? ? track: yes > >? >? >? ? ? ? ? auto-renew: yes > >? >? > Request ID '20140817123602': > >? >? >? ? ? ? ? status: CA_UNREACHABLE > >? >? >? ? ? ? ? ca-error: Server failed request, will retry: 4301 (RPC > failed > >? >? > at server.? Certificate operation cannot be completed: Unable to > >? >? > communicate with CMS (Not Found)). > >? >? >? ? ? ? ? stuck: yes > >? >? >? ? ? ? ? key paCOM storage: > >? >? > > >? > > > > type=NSSDB,location='/etc/dCOMsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > >? >? > Certificate DB',pinfile='/etc/dCOMsrv/slapd-PKI-IPA/pwdfile.txt' > >? >? >? ? ? ? ? certificate: > >? >? > > >? > > > > type=NSSDB,location='/etc/dCOMsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > >? >? > Certificate DB' > >? >? >? ? ? ? ? CA: IPA > >? >? >? ? ? ? ? issuer: CN=Certificate Authority,O=EXAMPLE.COM > >? >? >? ? ? ? ? subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM > >? >? >? ? ? ? ? expCOMes: 2016-08-17 12:36:02 UTC > >? >? >? ? ? ? ? eku: id-kp-serverAuth,id-kp-clientAuth > >? >? >? ? ? ? ? pre-save command: > >? >? >? ? ? ? ? post-save command: > /usr/lib64/ipa/certmonger/restart_dCOMsrv > >? >? > PKI-IPA > >? >? >? ? ? ? ? track: yes > >? >? >? ? ? ? ? auto-renew: yes > >? >? > Request ID '20140817123752': > >? >? >? ? ? ? ? status: CA_UNREACHABLE > >? >? >? ? ? ? ? ca-error: Server failed request, will retry: 4301 (RPC > failed > >? >? > at server.? Certificate operation cannot be completed: Unable to > >? >? > communicate with CMS (Not Found)). > >? >? >? ? ? ? ? stuck: yes > >? >? >? ? ? ? ? key paCOM storage: > >? >? > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > >? >? > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > >? >? >? ? ? ? ? certificate: > >? >? > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > >? >? > Certificate DB' > >? >? >? ? ? ? ? CA: IPA > >? >? >? ? ? ? ? issuer: CN=Certificate Authority,O=EXAMPLE.COM > >? >? >? ? ? ? ? subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM > >? >? >? ? ? ? ? expCOMes: 2016-08-17 12:37:51 UTC > >? >? >? ? ? ? ? eku: id-kp-serverAuth,id-kp-clientAuth > >? >? >? ? ? ? ? pre-save command: > >? >? >? ? ? ? ? post-save command: /usr/lib64/ipa/certmonger/restart_httpd > >? >? >? ? ? ? ? track: yes > >? >? >? ? ? ? ? auto-renew: yes > >? >? > You have new mail in /var/spool/mail/root > >? >? > > >? >? > > >? >? > > > ------------------------------------------------------------------------ > >? >? > *From:* Florence Blanc-Renaud <<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a> > <mailto:<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a>> > > <mailto:<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a> <mailto:<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a>>> > <mailto:<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a> <mailto:<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a>> <mailto:<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a> > <mailto:<a ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a>>>>> > >? >? > *To:* mohammad sereshki <<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a> > <mailto:<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a>> > > <mailto:<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a> <mailto:<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a>>> > >? > <mailto:<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a> <mailto:<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a>> > > <mailto:<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a> > <mailto:<a ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a>>>>>; Freeipa-users > >? >? > <<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>> > <mailto:<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>>> > > <mailto:<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>> > <mailto:<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>>>>> > > > >? >? > *Sent:* Thursday, July 21, 2016 11:30 AM > >? >? > *Subject:* Re: [Freeipa-users] regenerate certificate > >? >? > > >? >? > On 07/20/2016 10:04 PM, mohammad sereshki wrote: > >? >? >? > hi > >? >? >? > I check my IPA server which is version ipa-server-3.0.0-25 , > > command > >? >? >? > "ipa-get-cert list" show, my certificate will be expired in next > >? > 20 days, > >? >? >? > I do not know how to regenerate them > >? >? >? > but command "getcert list" shows epirtion certificates are > related > >? > just > >? >? >? > to "CA:IPA" and certificate " CA: dogtag-ipa-renew-agent" ,? has > >? > enough > >? >? >? > time . > >? >? >? > would you please help me to know how to regenerate CA:IPA > >? > certificates? > >? >? >? > > >? >? >? > Best Regards > >? >? >? > > >? >? >? > > >? >? >? > > >? >? > > >? >? > Hi Mohammad, > >? >? > > >? >? > the certificates issued by IPA CA are normally tracked by > > certmonger and > >? >? > automatically renewed when they are near their expiration date. To > > make > >? >? > sure that your certificates are tracked, you can issue > >? >? > > >? >? > $ ipa-getcert list > >? >? > > >? >? > and check the "status:" field for each certificate. It should > display > >? >? > "MONITORING". > >? >? > > >? >? > If you want to manually renew them, you must note their request > ID and > >? >? > use the command > >? >? > $ ipa-getcert resubmit -i $REQUEST_ID > >? >? > > >? >? > Hope this helps, > >? >? > Flo. > >? >? > > >? >? > > >? >? > > >? >? > > >? >? > > >? > > >? > > >? > > > > > > > > > > > > > > > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > <<a href="https://www.redhat.com/archives/freeipa-users/attachments/20160721/ef74f106/attachment.html" target="_blank">https://www.redhat.com/archives/freeipa-users/attachments/20160721/ef74f106/attachment.html</a>> > > ------------------------------ > > _______________________________________________ > Freeipa-users mailing list > <a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>> > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > > End of Freeipa-users Digest, Vol 96, Issue 125 > ********************************************** > > > > </div> </div> </div> </div></div></body></html>