<html><head></head><body><div style="color:#000; background-color:#fff; font-family:verdana, helvetica, sans-serif;font-size:24px"><div id="yui_3_16_0_ym19_1_1469042370452_54319">hi</div><div>would you please explain more</div><div>?<br></div><div><span></span></div><div id="yui_3_16_0_ym19_1_1469042370452_54320" class="qtdSeparateBR"><br><br></div><div style="display: block;" id="yui_3_16_0_ym19_1_1469042370452_54325" class="yahoo_quoted">  <div id="yui_3_16_0_ym19_1_1469042370452_54324" style="font-family: verdana, helvetica, sans-serif; font-size: 24px;"> <div id="yui_3_16_0_ym19_1_1469042370452_54323" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yui_3_16_0_ym19_1_1469042370452_54322" dir="ltr"> <font id="yui_3_16_0_ym19_1_1469042370452_54321" face="Arial" size="2"> <hr size="1"> <b><span style="font-weight:bold;">From:</span></b> Rob Crittenden <rcritten@redhat.com><br> <b><span style="font-weight: bold;">To:</span></b> mohammad sereshki <mohammadsereshki@yahoo.com>; Florence Blanc-Renaud <flo@redhat.com>; Freeipa-users <freeipa-users@redhat.com> <br> <b><span style="font-weight: bold;">Sent:</span></b> Thursday, July 21, 2016 11:09 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [Freeipa-users] regenerate certificate<br> </font> </div> <div id="yui_3_16_0_ym19_1_1469042370452_54326" class="y_msg_container"><br>mohammad sereshki wrote:<br clear="none">> hi<br clear="none">> it is result of command, seems issue is another thing<br clear="none">><br clear="none">><br clear="none">>   ipa cert-show 1<br clear="none">> ipa: ERROR: Certificate operation cannot be completed: Unable to<br clear="none">> communicate with CMS (Not Found)<br clear="none"><br clear="none">Which means that the CA still isn't up. You're going to need to look at <br clear="none">the dogtag logs in /var/log/pki*. debug is probably the place to start.<br clear="none"><br clear="none">rob<br clear="none"><br clear="none">><br clear="none">><br clear="none">><br clear="none">> ------------------------------------------------------------------------<br clear="none">> *From:* Rob Crittenden <<a shape="rect" ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>><br clear="none">> *To:* mohammad sereshki <<a shape="rect" ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a>>; Florence<br clear="none">> Blanc-Renaud <<a shape="rect" ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a>>; Freeipa-users <<a shape="rect" ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>><br clear="none">> *Sent:* Thursday, July 21, 2016 8:08 PM<br clear="none">> *Subject:* Re: [Freeipa-users] regenerate certificate<br clear="none">><br clear="none">> mohammad sereshki wrote:<br clear="none">>  > dear<br clear="none">>  > thanks, but would you please check below and let me know what is your<br clear="none">>  > idea?I checked your command but it did not work.<br clear="none">><br clear="none">> The Not Found suggests that the CA is not up. I'd try restarting the<br clear="none">> pki-cad process to see if that helps.<br clear="none">><br clear="none">> A simple test that communication is working is: ipa cert-show 1<br clear="none">><br clear="none">> The output isn't important as long as it isn't an error.<br clear="none">><br clear="none">> rob<br clear="none">><br clear="none">><br clear="none">>  ><br clear="none">>  ><br clear="none">>  ><br clear="none">>  > Number of certificates and requests being tracked: 8.<br clear="none">>  > Request ID '20140817123525':<br clear="none">>  >          status: MONITORING<br clear="none">>  >          ca-error: Unable to determine principal name for signing<br clear="none">> request.<br clear="none">>  >          stuck: no<br clear="none">>  >          key paCOM storage:<br clear="none">>  > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS<br clear="none">>  > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br clear="none">>  >          certificate:<br clear="none">>  > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS<br clear="none">>  > Certificate DB'<br clear="none">>  >          CA: IPA<br clear="none">>  >          issuer: CN=Certificate Authority,O=EXAMPLE.COM<br clear="none">>  >          subject: CN=IPA RA,O=EXAMPLE.COM<br clear="none">>  >          expCOMes: 2018-06-30 07:56:06 UTC<br clear="none">>  >          eku: id-kp-serverAuth,id-kp-clientAuth<br clear="none">>  >          pre-save command:<br clear="none">>  >          post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert<br clear="none">>  >          track: yes<br clear="none">>  >          auto-renew: yes<br clear="none">>  > Request ID '20140817123534':<br clear="none">>  >          status: CA_UNREACHABLE<br clear="none">>  >          ca-error: Server failed request, will retry: 4301 (RPC failed<br clear="none">>  > at server.  Certificate operation cannot be completed: Unable to<br clear="none">>  > communicate with CMS (Not Found)).<br clear="none">>  >          stuck: yes<br clear="none">>  >          key paCOM storage:<br clear="none">>  ><br clear="none">> type=NSSDB,location='/etc/dCOMsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS<br clear="none">>  > Certificate DB',pinfile='/etc/dCOMsrv/slapd-EXAMPLE.-COM/pwdfile.txt'<br clear="none">>  >          certificate:<br clear="none">>  ><br clear="none">> type=NSSDB,location='/etc/dCOMsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS<br clear="none">>  > Certificate DB'<br clear="none">>  >          CA: IPA<br clear="none">>  >          issuer: CN=Certificate Authority,O=EXAMPLE.COM<br clear="none">>  >          subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM<br clear="none">>  >          expCOMes: 2016-08-17 12:35:34 UTC<br clear="none">>  >          eku: id-kp-serverAuth,id-kp-clientAuth<br clear="none">>  >          pre-save command:<br clear="none">>  >          post-save command: /usr/lib64/ipa/certmonger/restart_dCOMsrv<br clear="none">>  > EXAMPLE.-COM<br clear="none">>  >          track: yes<br clear="none">>  >          auto-renew: yes<br clear="none">>  > Request ID '20140817123602':<br clear="none">>  >          status: CA_UNREACHABLE<br clear="none">>  >          ca-error: Server failed request, will retry: 4301 (RPC failed<br clear="none">>  > at server.  Certificate operation cannot be completed: Unable to<br clear="none">>  > communicate with CMS (Not Found)).<br clear="none">>  >          stuck: yes<br clear="none">>  >          key paCOM storage:<br clear="none">>  ><br clear="none">> type=NSSDB,location='/etc/dCOMsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br clear="none">>  > Certificate DB',pinfile='/etc/dCOMsrv/slapd-PKI-IPA/pwdfile.txt'<br clear="none">>  >          certificate:<br clear="none">>  ><br clear="none">> type=NSSDB,location='/etc/dCOMsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br clear="none">>  > Certificate DB'<br clear="none">>  >          CA: IPA<br clear="none">>  >          issuer: CN=Certificate Authority,O=EXAMPLE.COM<br clear="none">>  >          subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM<br clear="none">>  >          expCOMes: 2016-08-17 12:36:02 UTC<br clear="none">>  >          eku: id-kp-serverAuth,id-kp-clientAuth<br clear="none">>  >          pre-save command:<br clear="none">>  >          post-save command: /usr/lib64/ipa/certmonger/restart_dCOMsrv<br clear="none">>  > PKI-IPA<br clear="none">>  >          track: yes<br clear="none">>  >          auto-renew: yes<br clear="none">>  > Request ID '20140817123752':<br clear="none">>  >          status: CA_UNREACHABLE<br clear="none">>  >          ca-error: Server failed request, will retry: 4301 (RPC failed<br clear="none">>  > at server.  Certificate operation cannot be completed: Unable to<br clear="none">>  > communicate with CMS (Not Found)).<br clear="none">>  >          stuck: yes<br clear="none">>  >          key paCOM storage:<br clear="none">>  > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br clear="none">>  > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br clear="none">>  >          certificate:<br clear="none">>  > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br clear="none">>  > Certificate DB'<br clear="none">>  >          CA: IPA<br clear="none">>  >          issuer: CN=Certificate Authority,O=EXAMPLE.COM<br clear="none">>  >          subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM<br clear="none">>  >          expCOMes: 2016-08-17 12:37:51 UTC<br clear="none">>  >          eku: id-kp-serverAuth,id-kp-clientAuth<br clear="none">>  >          pre-save command:<br clear="none">>  >          post-save command: /usr/lib64/ipa/certmonger/restart_httpd<br clear="none">>  >          track: yes<br clear="none">>  >          auto-renew: yes<br clear="none">>  > You have new mail in /var/spool/mail/root<br clear="none">>  ><br clear="none">>  ><br clear="none">>  > ------------------------------------------------------------------------<br clear="none">>  > *From:* Florence Blanc-Renaud <<a shape="rect" ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a> <mailto:<a shape="rect" ymailto="mailto:flo@redhat.com" href="mailto:flo@redhat.com">flo@redhat.com</a>>><br clear="none">>  > *To:* mohammad sereshki <<a shape="rect" ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a><br clear="none">> <mailto:<a shape="rect" ymailto="mailto:mohammadsereshki@yahoo.com" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a>>>; Freeipa-users<br clear="none">>  > <<a shape="rect" ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> <mailto:<a shape="rect" ymailto="mailto:freeipa-users@redhat.com" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>>><div class="yqt4794781726" id="yqtfd01549"><br clear="none">>  > *Sent:* Thursday, July 21, 2016 11:30 AM<br clear="none">>  > *Subject:* Re: [Freeipa-users] regenerate certificate<br clear="none">>  ><br clear="none">>  > On 07/20/2016 10:04 PM, mohammad sereshki wrote:<br clear="none">>  >  > hi<br clear="none">>  >  > I check my IPA server which is version ipa-server-3.0.0-25 , command<br clear="none">>  >  > "ipa-get-cert list" show, my certificate will be expired in next<br clear="none">> 20 days,<br clear="none">>  >  > I do not know how to regenerate them<br clear="none">>  >  > but command "getcert list" shows epirtion certificates are related<br clear="none">> just<br clear="none">>  >  > to "CA:IPA" and certificate " CA: dogtag-ipa-renew-agent" ,  has<br clear="none">> enough<br clear="none">>  >  > time .<br clear="none">>  >  > would you please help me to know how to regenerate CA:IPA<br clear="none">> certificates?<br clear="none">>  >  ><br clear="none">>  >  > Best Regards<br clear="none">>  >  ><br clear="none">>  >  ><br clear="none">>  >  ><br clear="none">>  ><br clear="none">>  > Hi Mohammad,<br clear="none">>  ><br clear="none">>  > the certificates issued by IPA CA are normally tracked by certmonger and<br clear="none">>  > automatically renewed when they are near their expiration date. To make<br clear="none">>  > sure that your certificates are tracked, you can issue<br clear="none">>  ><br clear="none">>  > $ ipa-getcert list<br clear="none">>  ><br clear="none">>  > and check the "status:" field for each certificate. It should display<br clear="none">>  > "MONITORING".<br clear="none">>  ><br clear="none">>  > If you want to manually renew them, you must note their request ID and<br clear="none">>  > use the command<br clear="none">>  > $ ipa-getcert resubmit -i $REQUEST_ID<br clear="none">>  ><br clear="none">>  > Hope this helps,<br clear="none">>  > Flo.<br clear="none">>  ><br clear="none">>  ><br clear="none">>  ><br clear="none">>  ><br clear="none">>  ><br clear="none">><br clear="none">><br clear="none">><br clear="none"><br clear="none"></div><br><br></div> </div> </div>  </div></div></body></html>