<html><head></head><body><div style="color:#000; background-color:#fff; font-family:verdana, helvetica, sans-serif;font-size:24px"><div dir="ltr" id="yui_3_16_0_ym19_1_1469042370452_68066">and this is for catalina.out<br></div><div id="yui_3_16_0_ym19_1_1469042370452_68065"><br></div><div id="yui_3_16_0_ym19_1_1469042370452_68063" dir="ltr">SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1@39139da8]) and a<br id="yui_3_16_0_ym19_1_1469042370452_68013">value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web appli<br id="yui_3_16_0_ym19_1_1469042370452_68014">cation was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.<br id="yui_3_16_0_ym19_1_1469042370452_68015">Jul 21, 2016 11:10:10 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap<br id="yui_3_16_0_ym19_1_1469042370452_68016">SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1@39139da8]) and a<br id="yui_3_16_0_ym19_1_1469042370452_68017">value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web appli<br id="yui_3_16_0_ym19_1_1469042370452_68018">cation was stopped. 
To prevent a memory leak, the ThreadLocal has been forcibly removed.<br id="yui_3_16_0_ym19_1_1469042370452_68019">Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy<br id="yui_3_16_0_ym19_1_1469042370452_68020">INFO: Stopping Coyote HTTP/1.1 on http-9180<br id="yui_3_16_0_ym19_1_1469042370452_68021">Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy<br id="yui_3_16_0_ym19_1_1469042370452_68022">INFO: Stopping Coyote HTTP/1.1 on http-9443<br id="yui_3_16_0_ym19_1_1469042370452_68023">Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy<br id="yui_3_16_0_ym19_1_1469042370452_68024">INFO: Stopping Coyote HTTP/1.1 on http-9445<br id="yui_3_16_0_ym19_1_1469042370452_68025">Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy<br id="yui_3_16_0_ym19_1_1469042370452_68026">INFO: Stopping Coyote HTTP/1.1 on http-9444<br id="yui_3_16_0_ym19_1_1469042370452_68027">Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy<br id="yui_3_16_0_ym19_1_1469042370452_68028">INFO: Stopping Coyote HTTP/1.1 on http-9446<br id="yui_3_16_0_ym19_1_1469042370452_68029">Exception in thread "Timer-0" java.lang.NullPointerException<br id="yui_3_16_0_ym19_1_1469042370452_68030">        at com.netscape.certsrv.apps.CMS.getConfigStore(CMS.java:771)<br id="yui_3_16_0_ym19_1_1469042370452_68031">        at com.netscape.cms.servlet.csadmin.LDAPSecurityDomainSessionTable.getSessionIds(LDAPSecurityDomainSessionTable.java:156)<br id="yui_3_16_0_ym19_1_1469042370452_68032">        at com.netscape.cms.servlet.csadmin.SessionTimer.run(SessionTimer.java:33)<br id="yui_3_16_0_ym19_1_1469042370452_68033">        at java.util.TimerThread.mainLoop(Timer.java:555)<br id="yui_3_16_0_ym19_1_1469042370452_68034">        at java.util.TimerThread.run(Timer.java:505)<br id="yui_3_16_0_ym19_1_1469042370452_68035">Jul 21, 2016 11:10:43 PM org.apache.catalina.core.AprLifecycleListener init<br 
id="yui_3_16_0_ym19_1_1469042370452_68036">INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib<br id="yui_3_16_0_ym19_1_1469042370452_68037">Jul 21, 2016 11:10:43 PM org.apache.coyote.http11.Http11Protocol init<br id="yui_3_16_0_ym19_1_1469042370452_68038">INFO: Initializing Coyote HTTP/1.1 on http-9180<br id="yui_3_16_0_ym19_1_1469042370452_68039">Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.<br id="yui_3_16_0_ym19_1_1469042370452_68040">Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.<br id="yui_3_16_0_ym19_1_1469042370452_68041">:<br id="yui_3_16_0_ym19_1_1469042370452_68042"><br></div><div><span></span></div><div class="qtdSeparateBR"><br><br></div><div style="display: block;" class="yahoo_quoted">  <div style="font-family: verdana, helvetica, sans-serif; font-size: 24px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div dir="ltr"> <font face="Arial" size="2"> <hr size="1"> <b><span style="font-weight:bold;">From:</span></b> mohammad sereshki <mohammadsereshki@yahoo.com><br> <b><span style="font-weight: bold;">To:</span></b> Rob Crittenden <rcritten@redhat.com>; Florence Blanc-Renaud <flo@redhat.com>; Freeipa-users <freeipa-users@redhat.com> <br> <b><span style="font-weight: bold;">Sent:</span></b> Thursday, July 21, 2016 11:36 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [Freeipa-users] regenerate certificate<br> </font> </div> <div class="y_msg_container"><br><div id="yiv3214049085"><div><div style="color:#000;background-color:#fff;font-family:verdana, helvetica, sans-serif;font-size:24px;"><div dir="ltr" 
id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_65026">and below is for selftests.log<br clear="none"></div><div id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_65025"><br clear="none"></div><div dir="ltr" id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_65023">3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:<br id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_65006" clear="none">3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] CAPresence:  CA is present<br id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_65007" clear="none">3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SystemCertsVerification: system certs verification failure<br id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_65008" clear="none">3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!<br id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_65009" clear="none">1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: Initializing self test plugins:<br id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_65010" clear="none">1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:  loading all self test plugin logger parameters<br id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_65011" clear="none">1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:  loading all self test plugin instances<br id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_65012" clear="none">1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:  loading all self test plugin instance parameters<br id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_65013" clear="none">1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:  loading self test plugins in on-demand order<br id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_65014" clear="none">1523.main - 
[21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:  loading self test plugins in startup order<br id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_65015" clear="none">1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!<br id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_65016" clear="none">1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:<br id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_65017" clear="none">1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] CAPresence:  CA is present<br id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_65018" clear="none">1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SystemCertsVerification: system certs verification failure<br id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_65019" clear="none">1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!<br id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_65020" clear="none">(END)<br id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_65021" clear="none"><br clear="none"></div><div><span></span></div><div class="yiv3214049085qtdSeparateBR"><br clear="none"><br clear="none"></div><div class="yiv3214049085yqt0018292263" id="yiv3214049085yqt87612"><div class="yiv3214049085yahoo_quoted" style="display:block;">  <div style="font-family:verdana, helvetica, sans-serif;font-size:24px;"> <div style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;"> <div dir="ltr"> <font face="Arial" size="2"> </font><hr size="1"> <b><span style="font-weight:bold;">From:</span></b> mohammad sereshki <mohammadsereshki@yahoo.com><br clear="none"> <b><span style="font-weight:bold;">To:</span></b> Rob Crittenden <rcritten@redhat.com>; Florence Blanc-Renaud <flo@redhat.com>; Freeipa-users 
<freeipa-users@redhat.com> <br clear="none"> <b><span style="font-weight:bold;">Sent:</span></b> Thursday, July 21, 2016 11:34 PM<br clear="none"> <b><span style="font-weight:bold;">Subject:</span></b> Re: [Freeipa-users] regenerate certificate<br clear="none">  </div> <div class="yiv3214049085y_msg_container"><br clear="none"><div id="yiv3214049085"><div><div style="color:#000;background-color:#fff;font-family:verdana, helvetica, sans-serif;font-size:24px;"><div id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_62183">hi</div><div dir="ltr" id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_62182">I find below in debug file under /var/log/pki-ca</div><div dir="ltr" id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_62222">what is your comment?<br clear="none"></div><div id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_62181"><br clear="none"></div><div dir="ltr" id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_62179">21/Jul/2016:23:13:42][TP-Processor3]: according to ccMode, authorization for servlet: caDisplayBySerial is LD<br id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_62141" clear="none">AP based, not XML {1}, use default authz mgr: {2}.<br id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_62142" clear="none">[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.<br id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_62143" clear="none">[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.<br id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_62144" clear="none">[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.<br id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_62145" clear="none">[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.<br id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_62146" clear="none">[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized 
before.<br id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_62147" clear="none">[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.<br id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_62148" clear="none">[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.<br id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_62149" clear="none">[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.<br id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_62150" clear="none">[21/Jul/2016:23:20:45][CertStatusUpdateThread]: About to start updateCertStatus<br id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_62151" clear="none">[21/Jul/2016:23:20:45][CertStatusUpdateThread]: Starting updateCertStatus (entered lock)<br id="yiv3214049085yui_3_16_0_ym19_1_1469042370452_62152" clear="none"><br clear="none"></div><div><span></span></div><div class="yiv3214049085qtdSeparateBR"><br clear="none"><br clear="none"></div><div class="yiv3214049085yqt6687153831" id="yiv3214049085yqt34072"><div class="yiv3214049085yahoo_quoted" style="display:block;">  <div style="font-family:verdana, helvetica, sans-serif;font-size:24px;"> <div style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;"> <div dir="ltr"> <font face="Arial" size="2"> </font><hr size="1"> <b><span style="font-weight:bold;">From:</span></b> Rob Crittenden <rcritten@redhat.com><br clear="none"> <b><span style="font-weight:bold;">To:</span></b> mohammad sereshki <mohammadsereshki@yahoo.com>; Florence Blanc-Renaud <flo@redhat.com>; Freeipa-users <freeipa-users@redhat.com> <br clear="none"> <b><span style="font-weight:bold;">Sent:</span></b> Thursday, July 21, 2016 11:21 PM<br clear="none"> <b><span style="font-weight:bold;">Subject:</span></b> Re: [Freeipa-users] regenerate certificate<br clear="none">  </div> <div class="yiv3214049085y_msg_container"><br 
clear="none">mohammad sereshki wrote:<br clear="none">> hi<br clear="none">> would you please explain more<br clear="none">> ?<br clear="none"><br clear="none">Your CA (dogtag) is not running. The CA is written in java and deployed <br clear="none">as a WAR in tomcat. If something goes wrong during initialization the CA <br clear="none">will exit but tomcat will not.<br clear="none"><br clear="none">Requests to the CA are returning 404 Not Found because the application <br clear="none">is not running in dogtag.<br clear="none"><br clear="none">You need to look at the logs in /var/log/pki-ca to see what is going on.<br clear="none"><br clear="none">I'd start with selftests.log then move onto catalina.out and debug.<br clear="none"><br clear="none">rob<br clear="none"><br clear="none">><br clear="none">><br clear="none">> ------------------------------------------------------------------------<br clear="none">> *From:* Rob Crittenden <<a rel="nofollow" shape="rect" ymailto="mailto:rcritten@redhat.com" target="_blank" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>><br clear="none">> *To:* mohammad sereshki <<a rel="nofollow" shape="rect" ymailto="mailto:mohammadsereshki@yahoo.com" target="_blank" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a>>; Florence<br clear="none">> Blanc-Renaud <<a rel="nofollow" shape="rect" ymailto="mailto:flo@redhat.com" target="_blank" href="mailto:flo@redhat.com">flo@redhat.com</a>>; Freeipa-users <<a rel="nofollow" shape="rect" ymailto="mailto:freeipa-users@redhat.com" target="_blank" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>><br clear="none">> *Sent:* Thursday, July 21, 2016 11:09 PM<br clear="none">> *Subject:* Re: [Freeipa-users] regenerate certificate<br clear="none">><br clear="none">> mohammad sereshki wrote:<br clear="none">>  > hi<br clear="none">>  > it is result of command, seems issue is another thing<br clear="none">>  ><br clear="none">>  ><br clear="none">>  >  ipa 
cert-show 1<br clear="none">>  > ipa: ERROR: Certificate operation cannot be completed: Unable to<br clear="none">>  > communicate with CMS (Not Found)<br clear="none">><br clear="none">> Which means that the CA still isn't up. You're going to need to look at<br clear="none">> the dogtag logs in /var/log/pki*. debug is probably the place to start.<br clear="none">><br clear="none">> rob<br clear="none">><br clear="none">>  ><br clear="none">>  ><br clear="none">>  ><br clear="none">>  > ------------------------------------------------------------------------<br clear="none">>  > *From:* Rob Crittenden <<a rel="nofollow" shape="rect" ymailto="mailto:rcritten@redhat.com" target="_blank" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a rel="nofollow" shape="rect" ymailto="mailto:rcritten@redhat.com" target="_blank" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>><br clear="none">>  > *To:* mohammad sereshki <<a rel="nofollow" shape="rect" ymailto="mailto:mohammadsereshki@yahoo.com" target="_blank" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a><br clear="none">> <mailto:<a rel="nofollow" shape="rect" ymailto="mailto:mohammadsereshki@yahoo.com" target="_blank" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a>>>; Florence<br clear="none">>  > Blanc-Renaud <<a rel="nofollow" shape="rect" ymailto="mailto:flo@redhat.com" target="_blank" href="mailto:flo@redhat.com">flo@redhat.com</a> <mailto:<a rel="nofollow" shape="rect" ymailto="mailto:flo@redhat.com" target="_blank" href="mailto:flo@redhat.com">flo@redhat.com</a>>>; Freeipa-users<br clear="none">> <<a rel="nofollow" shape="rect" ymailto="mailto:freeipa-users@redhat.com" target="_blank" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> <mailto:<a rel="nofollow" shape="rect" ymailto="mailto:freeipa-users@redhat.com" target="_blank" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>>><br clear="none">>  > *Sent:* 
Thursday, July 21, 2016 8:08 PM<br clear="none">>  > *Subject:* Re: [Freeipa-users] regenerate certificate<br clear="none">>  ><br clear="none">>  > mohammad sereshki wrote:<br clear="none">>  >  > dear<br clear="none">>  >  > thanks, but would you please check below and let me know what is your<br clear="none">>  >  > idea? I checked your command but it did not work.<br clear="none">>  ><br clear="none">>  > The Not Found suggests that the CA is not up. I'd try restarting the<br clear="none">>  > pki-cad process to see if that helps.<br clear="none">>  ><br clear="none">>  > A simple test that communication is working is: ipa cert-show 1<br clear="none">>  ><br clear="none">>  > The output isn't important as long as it isn't an error.<br clear="none">>  ><br clear="none">>  > rob<br clear="none">>  ><br clear="none">>  ><br clear="none">>  >  ><br clear="none">>  >  ><br clear="none">>  >  ><br clear="none">>  >  > Number of certificates and requests being tracked: 8.<br clear="none">>  >  > Request ID '20140817123525':<br clear="none">>  >  >          status: MONITORING<br clear="none">>  >  >          ca-error: Unable to determine principal name for signing<br clear="none">>  > request.<br clear="none">>  >  >          stuck: no<br clear="none">>  >  >          key paCOM storage:<br clear="none">>  >  > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS<br clear="none">>  >  > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br clear="none">>  >  >          certificate:<br clear="none">>  >  > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS<br clear="none">>  >  > Certificate DB'<br clear="none">>  >  >          CA: IPA<br clear="none">>  >  >          issuer: CN=Certificate Authority,O=EXAMPLE.COM<br clear="none">>  >  >          subject: CN=IPA RA,O=EXAMPLE.COM<br clear="none">>  >  >          expCOMes: 2018-06-30 07:56:06 UTC<br clear="none">>  >  >          eku: id-kp-serverAuth,id-kp-clientAuth<br clear="none">>  
>  >          pre-save command:<br clear="none">>  >  >          post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert<br clear="none">>  >  >          track: yes<br clear="none">>  >  >          auto-renew: yes<br clear="none">>  >  > Request ID '20140817123534':<br clear="none">>  >  >          status: CA_UNREACHABLE<br clear="none">>  >  >          ca-error: Server failed request, will retry: 4301 (RPC failed<br clear="none">>  >  > at server.  Certificate operation cannot be completed: Unable to<br clear="none">>  >  > communicate with CMS (Not Found)).<br clear="none">>  >  >          stuck: yes<br clear="none">>  >  >          key paCOM storage:<br clear="none">>  >  ><br clear="none">>  ><br clear="none">> type=NSSDB,location='/etc/dCOMsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS<br clear="none">>  >  > Certificate DB',pinfile='/etc/dCOMsrv/slapd-EXAMPLE.-COM/pwdfile.txt'<br clear="none">>  >  >          certificate:<br clear="none">>  >  ><br clear="none">>  ><br clear="none">> type=NSSDB,location='/etc/dCOMsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS<br clear="none">>  >  > Certificate DB'<br clear="none">>  >  >          CA: IPA<br clear="none">>  >  >          issuer: CN=Certificate Authority,O=EXAMPLE.COM<br clear="none">>  >  >          subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM<br clear="none">>  >  >          expCOMes: 2016-08-17 12:35:34 UTC<br clear="none">>  >  >          eku: id-kp-serverAuth,id-kp-clientAuth<br clear="none">>  >  >          pre-save command:<br clear="none">>  >  >          post-save command: /usr/lib64/ipa/certmonger/restart_dCOMsrv<br clear="none">>  >  > EXAMPLE.-COM<br clear="none">>  >  >          track: yes<br clear="none">>  >  >          auto-renew: yes<br clear="none">>  >  > Request ID '20140817123602':<br clear="none">>  >  >          status: CA_UNREACHABLE<br clear="none">>  >  >          ca-error: Server failed request, will retry: 4301 (RPC failed<br clear="none">>  >  > at 
server.  Certificate operation cannot be completed: Unable to<br clear="none">>  >  > communicate with CMS (Not Found)).<br clear="none">>  >  >          stuck: yes<br clear="none">>  >  >          key paCOM storage:<br clear="none">>  >  ><br clear="none">>  ><br clear="none">> type=NSSDB,location='/etc/dCOMsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br clear="none">>  >  > Certificate DB',pinfile='/etc/dCOMsrv/slapd-PKI-IPA/pwdfile.txt'<br clear="none">>  >  >          certificate:<br clear="none">>  >  ><br clear="none">>  ><br clear="none">> type=NSSDB,location='/etc/dCOMsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br clear="none">>  >  > Certificate DB'<br clear="none">>  >  >          CA: IPA<br clear="none">>  >  >          issuer: CN=Certificate Authority,O=EXAMPLE.COM<br clear="none">>  >  >          subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM<br clear="none">>  >  >          expCOMes: 2016-08-17 12:36:02 UTC<br clear="none">>  >  >          eku: id-kp-serverAuth,id-kp-clientAuth<br clear="none">>  >  >          pre-save command:<br clear="none">>  >  >          post-save command: /usr/lib64/ipa/certmonger/restart_dCOMsrv<br clear="none">>  >  > PKI-IPA<br clear="none">>  >  >          track: yes<br clear="none">>  >  >          auto-renew: yes<br clear="none">>  >  > Request ID '20140817123752':<br clear="none">>  >  >          status: CA_UNREACHABLE<br clear="none">>  >  >          ca-error: Server failed request, will retry: 4301 (RPC failed<br clear="none">>  >  > at server.  
Certificate operation cannot be completed: Unable to<br clear="none">>  >  > communicate with CMS (Not Found)).<br clear="none">>  >  >          stuck: yes<br clear="none">>  >  >          key paCOM storage:<br clear="none">>  >  ><br clear="none">> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br clear="none">>  >  > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br clear="none">>  >  >          certificate:<br clear="none">>  >  ><br clear="none">> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br clear="none">>  >  > Certificate DB'<br clear="none">>  >  >          CA: IPA<br clear="none">>  >  >          issuer: CN=Certificate Authority,O=EXAMPLE.COM<br clear="none">>  >  >          subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM<br clear="none">>  >  >          expCOMes: 2016-08-17 12:37:51 UTC<br clear="none">>  >  >          eku: id-kp-serverAuth,id-kp-clientAuth<br clear="none">>  >  >          pre-save command:<br clear="none">>  >  >          post-save command: /usr/lib64/ipa/certmonger/restart_httpd<br clear="none">>  >  >          track: yes<br clear="none">>  >  >          auto-renew: yes<br clear="none">>  >  > You have new mail in /var/spool/mail/root<br clear="none">>  >  ><br clear="none">>  >  ><br clear="none">>  >  ><br clear="none">> ------------------------------------------------------------------------<br clear="none">>  >  > *From:* Florence Blanc-Renaud <<a rel="nofollow" shape="rect" ymailto="mailto:flo@redhat.com" target="_blank" href="mailto:flo@redhat.com">flo@redhat.com</a><br clear="none">> <mailto:<a rel="nofollow" shape="rect" ymailto="mailto:flo@redhat.com" target="_blank" href="mailto:flo@redhat.com">flo@redhat.com</a>> <mailto:<a rel="nofollow" shape="rect" ymailto="mailto:flo@redhat.com" target="_blank" href="mailto:flo@redhat.com">flo@redhat.com</a> <mailto:<a rel="nofollow" shape="rect" ymailto="mailto:flo@redhat.com" target="_blank" 
href="mailto:flo@redhat.com">flo@redhat.com</a>>>><br clear="none">>  >  > *To:* mohammad sereshki <<a rel="nofollow" shape="rect" ymailto="mailto:mohammadsereshki@yahoo.com" target="_blank" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a><br clear="none">> <mailto:<a rel="nofollow" shape="rect" ymailto="mailto:mohammadsereshki@yahoo.com" target="_blank" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a>><br clear="none">>  > <mailto:<a rel="nofollow" shape="rect" ymailto="mailto:mohammadsereshki@yahoo.com" target="_blank" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a><br clear="none">> <mailto:<a rel="nofollow" shape="rect" ymailto="mailto:mohammadsereshki@yahoo.com" target="_blank" href="mailto:mohammadsereshki@yahoo.com">mohammadsereshki@yahoo.com</a>>>>; Freeipa-users<br clear="none">>  >  > <<a rel="nofollow" shape="rect" ymailto="mailto:freeipa-users@redhat.com" target="_blank" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> <mailto:<a rel="nofollow" shape="rect" ymailto="mailto:freeipa-users@redhat.com" target="_blank" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>><div class="yiv3214049085yqt5676748100" id="yiv3214049085yqtfd25211"><br clear="none">> <mailto:<a rel="nofollow" shape="rect" ymailto="mailto:freeipa-users@redhat.com" target="_blank" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> <mailto:<a rel="nofollow" shape="rect" ymailto="mailto:freeipa-users@redhat.com" target="_blank" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>>>><br clear="none">><br clear="none">>  >  > *Sent:* Thursday, July 21, 2016 11:30 AM<br clear="none">>  >  > *Subject:* Re: [Freeipa-users] regenerate certificate<br clear="none">>  >  ><br clear="none">>  >  > On 07/20/2016 10:04 PM, mohammad sereshki wrote:<br clear="none">>  >  >  > hi<br clear="none">>  >  >  > I check my IPA server which is version ipa-server-3.0.0-25 ,<br 
clear="none">> command<br clear="none">>  >  >  > "ipa-get-cert list" show, my certificate will be expired in next<br clear="none">>  > 20 days,<br clear="none">>  >  >  > I do not know how to regenerate them<br clear="none">>  >  >  > but command "getcert list" shows expiration certificates are related<br clear="none">>  > just<br clear="none">>  >  >  > to "CA:IPA" and certificate " CA: dogtag-ipa-renew-agent" ,  has<br clear="none">>  > enough<br clear="none">>  >  >  > time .<br clear="none">>  >  >  > would you please help me to know how to regenerate CA:IPA<br clear="none">>  > certificates?<br clear="none">>  >  >  ><br clear="none">>  >  >  > Best Regards<br clear="none">>  >  >  ><br clear="none">>  >  >  ><br clear="none">>  >  >  ><br clear="none">>  >  ><br clear="none">>  >  > Hi Mohammad,<br clear="none">>  >  ><br clear="none">>  >  > the certificates issued by IPA CA are normally tracked by<br clear="none">> certmonger and<br clear="none">>  >  > automatically renewed when they are near their expiration date. To<br clear="none">> make<br clear="none">>  >  > sure that your certificates are tracked, you can issue<br clear="none">>  >  ><br clear="none">>  >  > $ ipa-getcert list<br clear="none">>  >  ><br clear="none">>  >  > and check the "status:" field for each certificate. 
It should display<br clear="none">>  >  > "MONITORING".<br clear="none">>  >  ><br clear="none">>  >  > If you want to manually renew them, you must note their request ID and<br clear="none">>  >  > use the command<br clear="none">>  >  > $ ipa-getcert resubmit -i $REQUEST_ID<br clear="none">>  >  ><br clear="none">>  >  > Hope this helps,<br clear="none">>  >  > Flo.<br clear="none">>  >  ><br clear="none">>  >  ><br clear="none">>  >  ><br clear="none">>  >  ><br clear="none">>  >  ><br clear="none">>  ><br clear="none">>  ><br clear="none">>  ><br clear="none">><br clear="none">><br clear="none">><br clear="none"><br clear="none"></div><br clear="none"><br clear="none"></div> </div> </div>  </div></div></div></div></div><br clear="none"><br clear="none"></div> </div> </div>  </div></div></div></div></div><br><br></div> </div> </div>  </div></div></body></html>