<html><head></head><body>
<div style="font-family:verdana, helvetica, sans-serif;">
<p>hi</p>
<p>would you please explain more?</p>
<hr>
<p><b>From:</b> Rob Crittenden &lt;rcritten@redhat.com&gt;<br>
<b>To:</b> mohammad sereshki &lt;mohammadsereshki@yahoo.com&gt;; Florence Blanc-Renaud &lt;flo@redhat.com&gt;; Freeipa-users &lt;freeipa-users@redhat.com&gt;<br>
<b>Sent:</b> Thursday, July 21, 2016 11:09 PM<br>
<b>Subject:</b> Re: [Freeipa-users] regenerate certificate</p>
<p>mohammad sereshki wrote:</p>
<blockquote>
<p>hi<br>
it is the result of the command; seems the issue is another thing</p>
<pre>ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)</pre>
</blockquote>
<p>Which means that the CA still isn't up. You're going to need to look at the dogtag logs in /var/log/pki*. debug is probably the place to start.</p>
<p>rob</p>
<blockquote>
<hr>
<p><b>From:</b> Rob Crittenden &lt;rcritten@redhat.com&gt;<br>
<b>To:</b> mohammad sereshki &lt;mohammadsereshki@yahoo.com&gt;; Florence Blanc-Renaud &lt;flo@redhat.com&gt;; Freeipa-users &lt;freeipa-users@redhat.com&gt;<br>
<b>Sent:</b> Thursday, July 21, 2016 8:08 PM<br>
<b>Subject:</b> Re: [Freeipa-users] regenerate certificate</p>
<p>mohammad sereshki wrote:</p>
<blockquote>
<p>dear<br>
thanks, but would you please check below and let me know what your idea is? I checked your command but it did not work.</p>
</blockquote>
<p>The Not Found suggests that the CA is not up. I'd try restarting the pki-cad process to see if that helps.</p>
<p>A simple test that communication is working is: ipa cert-show 1</p>
<p>The output isn't important as long as it isn't an error.</p>
<p>rob</p>
<blockquote>
<pre>Number of certificates and requests being tracked: 8.
Request ID '20140817123525':
    status: MONITORING
    ca-error: Unable to determine principal name for signing request.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=IPA RA,O=EXAMPLE.COM
    expires: 2018-06-30 07:56:06 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20140817123534':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE.-COM/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
    expires: 2016-08-17 12:35:34 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE.-COM
    track: yes
    auto-renew: yes
Request ID '20140817123602':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
    expires: 2016-08-17 12:36:02 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
    track: yes
    auto-renew: yes
Request ID '20140817123752':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
    expires: 2016-08-17 12:37:51 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
You have new mail in /var/spool/mail/root</pre>
<hr>
<p><b>From:</b> Florence Blanc-Renaud &lt;flo@redhat.com&gt;<br>
<b>To:</b> mohammad sereshki &lt;mohammadsereshki@yahoo.com&gt;; Freeipa-users &lt;freeipa-users@redhat.com&gt;<br>
<b>Sent:</b> Thursday, July 21, 2016 11:30 AM<br>
<b>Subject:</b> Re: [Freeipa-users] regenerate certificate</p>
<p>On 07/20/2016 10:04 PM, mohammad sereshki wrote:</p>
<blockquote>
<p>hi<br>
I checked my IPA server, which is version ipa-server-3.0.0-25; the command "ipa-get-cert list" shows my certificates will expire in the next 20 days, and I do not know how to regenerate them.<br>
But the command "getcert list" shows the expiring certificates are related just to "CA: IPA", and the certificate with "CA: dogtag-ipa-renew-agent" has enough time.<br>
Would you please help me to know how to regenerate the CA: IPA certificates?</p>
<p>Best Regards</p>
</blockquote>
<p>Hi Mohammad,</p>
<p>the certificates issued by IPA CA are normally tracked by certmonger and automatically renewed when they are near their expiration date. To make sure that your certificates are tracked, you can issue</p>
<pre>$ ipa-getcert list</pre>
<p>and check the "status:" field for each certificate. It should display "MONITORING".</p>
<p>If you want to manually renew them, you must note their request ID and use the command</p>
<pre>$ ipa-getcert resubmit -i $REQUEST_ID</pre>
<p>Hope this helps,<br>
Flo.</p>
</blockquote>
</blockquote>
</blockquote>
</div>
</body></html>
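<p>Flo's reply describes the check (every request's <code>status:</code> should read <code>MONITORING</code>) and the manual renewal (<code>ipa-getcert resubmit -i $REQUEST_ID</code>), and the output mohammad pasted shows what the failure looks like: <code>CA_UNREACHABLE</code>, <code>stuck: yes</code>, and an expiry a few weeks out. The script below is an added example written for this thread, not FreeIPA or certmonger code: it parses <code>getcert list</code> output into one record per request, flags anything that is not healthy, and prints the resubmit commands without running them. The <code>SAMPLE</code> text is constructed to mirror the thread's output, <code>THREAD_DATE</code> is the thread's date used as "now", and the function names and the 30-day <code>within_days</code> window are this example's own choices.</p>

```python
"""Parse `getcert list` output and flag tracking requests that need attention.

Added example for this thread; not FreeIPA or certmonger code. The field
layout ("Request ID '...':" followed by indented "field: value" lines) is
what certmonger prints; the sample text itself is constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the getcert output quoted in the thread:
# one healthy request and one that certmonger cannot get past the CA.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20140817123525':
    status: MONITORING
    ca-error: Unable to determine principal name for signing request.
    stuck: no
    CA: IPA
    subject: CN=IPA RA,O=EXAMPLE.COM
    expires: 2018-06-30 07:56:06 UTC
    post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
Request ID '20140817123752':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: yes
    CA: IPA
    subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
    expires: 2016-08-17 12:37:51 UTC
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
"""

# Date the thread was posted; used as "now" so the example is reproducible.
THREAD_DATE = datetime(2016, 7, 21, tzinfo=timezone.utc)

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the field names certmonger prints."""
    requests = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if match:
            requests.append({"id": match.group(1)})
        elif requests and line[:1] in (" ", "\t") and ":" in line:
            # Split on the first colon only: values such as the ca-error
            # text and NSSDB locations contain colons themselves.
            key, _, value = line.strip().partition(":")
            requests[-1][key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def needs_attention(requests, now=THREAD_DATE, within_days=30):
    """Return (request_id, reasons) for every request that is not simply healthy.

    Flagged: status other than MONITORING, certmonger reports it stuck, or
    the certificate expires within `within_days` of `now`.
    """
    horizon = now + timedelta(days=within_days)
    flagged = []
    for req in requests:
        reasons = []
        if req.get("status") != "MONITORING":
            reasons.append("status=%s" % req.get("status"))
        if req.get("stuck") == "yes":
            reasons.append("stuck")
        expires = req.get("expires")
        if expires and parse_expiry(expires) <= horizon:
            reasons.append("expires %s" % expires)
        if reasons:
            flagged.append((req["id"], reasons))
    return flagged


def resubmit_commands(flagged):
    """Build the manual-renewal commands from Flo's reply; nothing is executed."""
    return ["ipa-getcert resubmit -i %s" % req_id for req_id, _ in flagged]


if __name__ == "__main__":
    tracked = parse_getcert_list(SAMPLE)
    problems = needs_attention(tracked)
    for req_id, reasons in problems:
        print("%s: %s" % (req_id, ", ".join(reasons)))
    for command in resubmit_commands(problems):
        print(command)
```

<p>On a real server you would feed it <code>getcert list</code> output instead of <code>SAMPLE</code> and today's date instead of <code>THREAD_DATE</code>. As Rob's replies make clear, resubmitting is only useful once the CA answers: a request stuck in <code>CA_UNREACHABLE</code> will fail again until <code>ipa cert-show 1</code> returns without an error, so check that first and read the dogtag logs under <code>/var/log/pki*</code> if it does not.</p>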