<div dir="ltr"><div class="gmail_extra"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div dir="ltr"><div style="background-color:rgb(255,255,255)"><div>Could you please verify if we have set the correct <span style="font-size:12.8px">trust attributes on the certificates</span>?</div><div><br></div><div><b>[root@caer ~]# certutil -d /var/lib/pki-ca/alias/ -L</b></div><div><br></div><div>Certificate Nickname                                         Trust Attributes</div><div>                                                             SSL,S/MIME,JAR/XPI</div><div><br></div><div>subsystemCert cert-pki-ca                                   u,u,Pu</div><div>ocspSigningCert cert-pki-ca                                 u,u,u</div><div>caSigningCert cert-pki-ca                                     CTu,Cu,Cu</div><div>subsystemCert cert-pki-ca                                   u,u,Pu</div><div>Server-Cert cert-pki-ca                                         u,u,u</div><div>auditSigningCert cert-pki-ca                                  u,u,Pu</div><div><b><br></b></div><div><b>[root@caer ~]# certutil -d /etc/httpd/alias/ -L</b></div><div><br></div><div>Certificate Nickname                                         Trust Attributes</div><div>                                                             SSL,S/MIME,JAR/XPI</div><div><br></div><div>ipaCert                                                      u,u,u</div><div>Server-Cert                                                u,u,u</div><div><a href="http://TELOIP.NET">TELOIP.NET</a> IPA CA                                  CT,C,C</div><div>ipaCert                                                      u,u,u</div><div>Signing-Cert                                               u,u,u</div><div>Server-Cert                                                u,u,u</div><div><br></div><div><b>[root@caer ~]# certutil -d /etc/dirsrv/slapd-TELOIP-NET/ -L</b></div><div><br></div><div>Certificate Nickname
                           Trust Attributes</div><div>                                                             SSL,S/MIME,JAR/XPI</div><div><br></div><div>Server-Cert                                                  u,u,u</div><div><a href="http://TELOIP.NET">TELOIP.NET</a> IPA CA                                    CT,,C</div><div>Server-Cert                                                  u,u,u</div><div>[root@caer ~]# </div></div></div></div></div></div></div>
<div class="gmail_extra"><br></div><div class="gmail_extra"><b>Please note that there are duplicate certificates in the CA, HTTP and LDAP directories: subsystemCert cert-pki-ca, ipaCert and Server-Cert. I was wondering if we need to remove these duplicate certificates? </b></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_quote">On Fri, Jul 22, 2016 at 9:36 AM, Linov Suresh <span dir="ltr"><<a href="mailto:linov.suresh@gmail.com" target="_blank">linov.suresh@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div><div data-smartmail="gmail_signature"><div dir="ltr"><div dir="ltr"><div style="background-color:rgb(255,255,255)"><div>I'm facing another issue now: my Kerberos tickets are not renewing.</div><div><br></div><div><span class=""><div><b>[root@caer ~]# ipa cert-show 1</b></div></span><div>ipa: ERROR: Ticket expired</div></div><div><br></div><div><div><b>[root@caer ~]# klist</b> </div><div>Ticket cache: FILE:/tmp/krb5cc_0</div><div>Default principal: <a href="mailto:admin@TELOIP.NET" target="_blank">admin@TELOIP.NET</a></div><div><br></div><div>Valid starting     Expires            Service principal</div><div>07/20/16 14:42:26  07/21/16 14:42:22  krbtgt/<a href="mailto:TELOIP.NET@TELOIP.NET" target="_blank">TELOIP.NET@TELOIP.NET</a></div><div>07/20/16 14:42:36  07/21/16 14:42:22  HTTP/<a href="mailto:caer.teloip.net@TELOIP.NET" target="_blank">caer.teloip.net@TELOIP.NET</a></div><div>07/21/16 11:40:15  07/21/16 14:42:22  ldap/<a href="mailto:caer.teloip.net@TELOIP.NET" target="_blank">caer.teloip.net@TELOIP.NET</a></div></div><div><br></div><div>I need to manually renew the tickets every day,</div><div><br></div><div><div><b>[root@caer ~]# kinit admin</b></div><div>Password for <a href="mailto:admin@TELOIP.NET" target="_blank">admin@TELOIP.NET</a>: </div><div>Warning: Your password will expire in 6 days on Thu Jul 28 15:20:15 2016</div></div><div><br></div><div><div><b>[root@caer ~]# klist </b></div><div>Ticket cache: FILE:/tmp/krb5cc_0</div><div>Default principal: <a href="mailto:admin@TELOIP.NET" target="_blank">admin@TELOIP.NET</a></div><div><br></div><div>Valid starting     Expires            Service principal</div><div>07/22/16 09:34:52  07/23/16 09:34:49  krbtgt/<a href="mailto:TELOIP.NET@TELOIP.NET" target="_blank">TELOIP.NET@TELOIP.NET</a></div></div><div><br></div></div></div></div></div></div><div><div class="h5">
<br><div class="gmail_quote">On Thu, Jul 21, 2016 at 12:23 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">Linov Suresh wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><span>
The httpd_error log doesn't contain the part where `ipa cert-show 1` was<br>
run, if it is from the same time.<br>
<br></span>
*I am not sure about that, please see httpd_error when `ipa cert-show 1`<br>
was run*<br>
</blockquote>
<br>
The IPA API log isn't going to show much in this case.<br>
<br>
Requests to the CA are proxied through IPA. The CA WAR is not running on tomcat so when Apache tries to proxy the request tomcat returns a 404, Not Found.<br>
<br>
You need to start with the dogtag debug and selftest logs to see what is going on. The logs are pretty verbose and can be challenging to read.<br>
<br>
rob<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<br>
[root@caer ~]# *tail -f /var/log/httpd/error_log*<span><br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI wsgi_dispatch.__call__:<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI<br>
xmlserver_session.__call__:<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session cookie_id =<br>
bc2c7ed0eccd840dc266efaf9ece913c<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session data in<br>
cache with id=bc2c7ed0eccd840dc266efaf9ece913c<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:<br>
xmlserver_session.__call__: session_id=bc2c7ed0eccd840dc266efaf9ece913c<br>
start_timestamp=2016-07-21T11:58:54 access_timestamp=2016-07-21T12:01:21<br>
expiration_timestamp=2016-07-21T12:18:54<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: storing ccache data into<br>
file "/var/run/ipa_memcached/krbcc_13554"<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: get_credential_times:<br>
principal=HTTP/<a href="mailto:caer.teloip.net@TELOIP.NET" target="_blank">caer.teloip.net@TELOIP.NET</a><br></span>
<mailto:<a href="mailto:caer.teloip.net@TELOIP.NET" target="_blank">caer.teloip.net@TELOIP.NET</a>>, authtime=07/21/16 10:31:46,<span><br>
starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44,<br>
renew_till=12/31/69 19:00:00<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: get_credential_times:<br>
principal=HTTP/<a href="mailto:caer.teloip.net@TELOIP.NET" target="_blank">caer.teloip.net@TELOIP.NET</a><br></span>
<mailto:<a href="mailto:caer.teloip.net@TELOIP.NET" target="_blank">caer.teloip.net@TELOIP.NET</a>>, authtime=07/21/16 10:31:46,<div><div><br>
starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44,<br>
renew_till=12/31/69 19:00:00<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: KRB5_CCache<br>
FILE:/var/run/ipa_memcached/krbcc_13554 endtime=1469197904 (07/22/16<br>
10:31:44)<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:<br>
set_session_expiration_time: duration_type=inactivity_timeout<br>
duration=1200 max_age=1469197604 expiration=1469118081.77<br>
(2016-07-21T12:21:21)<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI xmlserver.__call__:<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Created connection<br>
context.ldap2<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI<br>
WSGIExecutioner.__call__:<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: raw: cert_show(u'1')<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert_show(u'1')<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: IPA: virtual verify<br>
retrieve certificate<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:<br>
ipaserver.plugins.dogtag.ra.get_certificate()<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: https_request<br>
'<a href="https://caer.teloip.net:443/ca/agent/ca/displayBySerial" rel="noreferrer" target="_blank">https://caer.teloip.net:443/ca/agent/ca/displayBySerial</a>'<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: https_request post<br>
'xml=true&serialNumber=1'<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: NSSConnection init<br>
</div></div><a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a> <<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>><span><br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Connecting: <a href="http://10.20.0.75:0" rel="noreferrer" target="_blank">10.20.0.75:0</a><br></span>
<<a href="http://10.20.0.75:0" rel="noreferrer" target="_blank">http://10.20.0.75:0</a>><span><br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:<br>
auth_certificate_callback: check_sig=True is_server=False<br></span>
*.*<br>
*.*<br>
*.*<span><br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: approved_usage =<br>
SSLServer intended_usage = SSLServer<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert valid True for<br></span>
"CN=<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a> <<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>>,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>>"<span><br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: handshake complete, peer<br></span>
= <a href="http://10.20.0.75:443" rel="noreferrer" target="_blank">10.20.0.75:443</a> <<a href="http://10.20.0.75:443" rel="noreferrer" target="_blank">http://10.20.0.75:443</a>><span><br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:<br>
auth_certificate_callback: check_sig=True is_server=False<br></span>
*.*<br>
*.*<br>
*.*<span><br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: approved_usage =<br>
SSLServer intended_usage = SSLServer<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert valid True for<br></span>
"CN=<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a> <<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>>,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
<<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>>"<span><br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: handshake complete, peer<br></span>
= <a href="http://10.20.0.75:443" rel="noreferrer" target="_blank">10.20.0.75:443</a> <<a href="http://10.20.0.75:443" rel="noreferrer" target="_blank">http://10.20.0.75:443</a>><span><br>
[Thu Jul 21 12:01:21 2016] [error] ipa: ERROR:<br>
ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate<br>
with CMS (Not Found)<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: INFO: <a href="mailto:admin@TELOIP.NET" target="_blank">admin@TELOIP.NET</a><br></span>
<mailto:<a href="mailto:admin@TELOIP.NET" target="_blank">admin@TELOIP.NET</a>>: cert_show(u'1'): CertificateOperationError<span><br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: response:<br>
CertificateOperationError: Certificate operation cannot be completed:<br>
Unable to communicate with CMS (Not Found)<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Destroyed connection<br>
context.ldap2<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: reading ccache data from<br>
file "/var/run/ipa_memcached/krbcc_13554"<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: store session:<br>
session_id=bc2c7ed0eccd840dc266efaf9ece913c<br>
start_timestamp=2016-07-21T11:58:54 access_timestamp=2016-07-21T12:01:21<br>
expiration_timestamp=2016-07-21T12:21:21<br>
<br>
<br>
Does `ipa cert-show` communicate with the same replica? Could be<br>
verified by `ipa -vv cert-show`<br>
<br></span>
*It's asking for the serial number of the certificate. If I give 64<span><br>
(serial number of ipaCert), I get ipa: ERROR: Certificate operation<br></span>
cannot be completed: Unable to communicate with CMS (Not Found)*<br>
<br>
*[root@caer ~]# ipa -vv cert-show*<span><br>
ipa: DEBUG: importing all plugin modules in<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins'...<br></span>
*.*<br>
*.*<br>
*.*<br>
ipa: DEBUG: stdout=ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;<br>
Domain=<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a> <<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>>; Path=/ipa; Expires=Thu,<span><br>
21 Jul 2016 16:25:32 GMT; Secure; HttpOnly<br>
ipa: DEBUG: stderr=<br>
ipa: DEBUG: found session_cookie in persistent storage for principal<br></span>
'<a href="mailto:admin@TELOIP.NET" target="_blank">admin@TELOIP.NET</a> <mailto:<a href="mailto:admin@TELOIP.NET" target="_blank">admin@TELOIP.NET</a>>', cookie:<br>
'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a><br>
<<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>>; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:32<span><br>
GMT; Secure; HttpOnly'<br>
ipa: DEBUG: setting session_cookie into context<br>
'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;'<br>
ipa: INFO: trying <a href="https://caer.teloip.net/ipa/session/xml" rel="noreferrer" target="_blank">https://caer.teloip.net/ipa/session/xml</a><br>
ipa: DEBUG: Created connection context.xmlclient<br>
Serial number: 64<br>
ipa: DEBUG: raw: cert_show(u'64')<br>
ipa: DEBUG: cert_show(u'64')<br>
ipa: INFO: Forwarding 'cert_show' to server<br>
u'<a href="https://caer.teloip.net/ipa/session/xml" rel="noreferrer" target="_blank">https://caer.teloip.net/ipa/session/xml</a>'<br></span>
ipa: DEBUG: NSSConnection init <a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a> <<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>><br>
ipa: DEBUG: Connecting: <a href="http://10.20.0.75:0" rel="noreferrer" target="_blank">10.20.0.75:0</a> <<a href="http://10.20.0.75:0" rel="noreferrer" target="_blank">http://10.20.0.75:0</a>><span><br>
send: u'POST /ipa/session/xml HTTP/1.0\r\nHost: <a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a><br></span>
<<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>>\r\nAccept-Language: en-us\r\nReferer:<span><br>
<a href="https://caer.teloip.net/ipa/xml%5Cr%5CnCookie" rel="noreferrer" target="_blank">https://caer.teloip.net/ipa/xml\r\nCookie</a>:<br>
ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;\r\nUser-Agent:<br>
</span><a href="http://xmlrpclib.py/1.0.1" rel="noreferrer" target="_blank">xmlrpclib.py/1.0.1</a> <<a href="http://xmlrpclib.py/1.0.1" rel="noreferrer" target="_blank">http://xmlrpclib.py/1.0.1</a>> (by <a href="http://www.pythonware.com" rel="noreferrer" target="_blank">www.pythonware.com</a><br>
<<a href="http://www.pythonware.com" rel="noreferrer" target="_blank">http://www.pythonware.com</a>>)\r\nContent-Type:<span><br>
text/xml\r\nContent-Length: 268\r\n\r\n'<br>
ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False<br></span>
*.*<br>
*.*<br>
*.*<span><br>
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer<br>
ipa: DEBUG: cert valid True for "CN=<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a><br></span><span>
<<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>>,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> <<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">http://TELOIP.NET</a>>"<br></span><span>
ipa: DEBUG: handshake complete, peer = <a href="http://10.20.0.75:443" rel="noreferrer" target="_blank">10.20.0.75:443</a><br></span>
<<a href="http://10.20.0.75:443" rel="noreferrer" target="_blank">http://10.20.0.75:443</a>><span><br>
send: "<?xml version='1.0'<br>
encoding='UTF-8'?>\n<methodCall>\n<methodName>cert_show</methodName>\n<params>\n<param>\n<value><array><data>\n<value><string>64</string></value>\n</data></array></value>\n</param>\n<param>\n<value><struct>\n</struct></value>\n</param>\n</params>\n</methodCall>\n"<br>
reply: 'HTTP/1.1 200 Success\r\n'<br>
header: Date: Thu, 21 Jul 2016 16:05:40 GMT<br>
header: Server: Apache/2.2.15 (CentOS)<br>
header: Set-Cookie: ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;<br></span>
Domain=<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a> <<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>>; Path=/ipa; Expires=Thu,<span><br>
21 Jul 2016 16:25:40 GMT; Secure; HttpOnly<br>
header: Connection: close<br>
header: Content-Type: text/xml; charset=utf-8<br>
ipa: DEBUG: received Set-Cookie<br>
'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a><br></span>
<<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>>; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:40<span><br>
GMT; Secure; HttpOnly'<br>
ipa: DEBUG: storing cookie<br>
'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">caer.teloip.net</a><br></span>
<<a href="http://caer.teloip.net" rel="noreferrer" target="_blank">http://caer.teloip.net</a>>; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:40<span><br>
GMT; Secure; HttpOnly' for principal <a href="mailto:admin@TELOIP.NET" target="_blank">admin@TELOIP.NET</a><br></span>
<mailto:<a href="mailto:admin@TELOIP.NET" target="_blank">admin@TELOIP.NET</a>><span><br>
ipa: DEBUG: args=keyctl search @s user<br>
<a href="mailto:ipa_session_cookie%3Aadmin@TELOIP.NET" target="_blank">ipa_session_cookie:admin@TELOIP.NET</a><br></span>
<mailto:<a href="mailto:ipa_session_cookie%253Aadmin@TELOIP.NET" target="_blank">ipa_session_cookie%3Aadmin@TELOIP.NET</a>><span><br>
ipa: DEBUG: stdout=457971704<br>
<br>
ipa: DEBUG: stderr=<br>
ipa: DEBUG: args=keyctl search @s user<br>
<a href="mailto:ipa_session_cookie%3Aadmin@TELOIP.NET" target="_blank">ipa_session_cookie:admin@TELOIP.NET</a><br></span>
<mailto:<a href="mailto:ipa_session_cookie%253Aadmin@TELOIP.NET" target="_blank">ipa_session_cookie%3Aadmin@TELOIP.NET</a>><span><br>
ipa: DEBUG: stdout=457971704<br>
<br>
ipa: DEBUG: stderr=<br>
ipa: DEBUG: args=keyctl pupdate 457971704<br>
ipa: DEBUG: stdout=<br>
ipa: DEBUG: stderr=<br>
body: "<?xml version='1.0'<br>
encoding='UTF-8'?>\n<methodResponse>\n<fault>\n<value><struct>\n<member>\n<name>faultCode</name>\n<value><int>4301</int></value>\n</member>\n<member>\n<name>faultString</name>\n<value><string>Certificate<br>
operation cannot be completed: Unable to communicate with CMS (Not<br>
Found)</string></value>\n</member>\n</struct></value>\n</fault>\n</methodResponse>\n"<br>
ipa: DEBUG: Caught fault 4301 from server<br>
<a href="https://caer.teloip.net/ipa/session/xml" rel="noreferrer" target="_blank">https://caer.teloip.net/ipa/session/xml</a>: Certificate operation cannot be<br>
completed: Unable to communicate with CMS (Not Found)<br>
ipa: DEBUG: Destroyed connection context.xmlclient<br>
ipa: ERROR: Certificate operation cannot be completed: Unable to<br>
communicate with CMS (Not Found)<br>
[root@caer ~]#<br>
<br>
<br>
But more interesting is: SelfTestSubsystem: The CRITICAL self test<br>
plugin called selftests.container.instance.SystemCertsVerification<br>
running at startup FAILED!<br>
<br>
Are you sure that CA is running?<br>
   # ipactl status<br></span>
*Yes, CA is running,*<br>
<br>
*[root@caer ~]# ipactl status*<span><br>
Directory Service: RUNNING<br>
KDC Service: RUNNING<br>
KPASSWD Service: RUNNING<br>
DNS Service: RUNNING<br>
MEMCACHE Service: RUNNING<br>
HTTP Service: RUNNING<br>
CA Service: RUNNING<br>
<br>
This looks like the self test failed and therefore the CA shouldn't start. It<br>
also says that some CA cert is not valid. Which one might be seen in<br>
/var/log/pki-ca/debug, but a bigger chunk would be needed.<br>
<br></span>
*[root@caer ~]# tail -100 /var/log/pki-ca/debug*<div><div><br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: getConn: conn is<br>
connected true<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: getConn: mNumConns now 1<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: In<br>
findCertRecordsInListRawJumpto with Jumpto 20160721114829Z<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: In DBVirtualList filter<br>
attrs startFrom sortKey pageSize filter: (certStatus=REVOKED) attrs:<br>
[objectclass, certRevokedOn, certRecordId, certRevoInfo, notAfter,<br>
x509cert] pageSize -200 startFrom 20160721114829Z<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: returnConn: mNumConns now 2<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: returnConn: mNumConns now 3<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: getEntries returning 0<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: mTop 0<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: Getting Virtual List size: 0<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: index may be empty<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: updateCertStatus done<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: Starting cert checkRanges<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial numbers left in<br>
range: 268369849<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: Last Serial Number: 71<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial Numbers<br>
available: 268369849<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: cert checkRanges done<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: Starting request checkRanges<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial numbers left in<br>
range: 9989888<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: Last Serial Number: 112<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial Numbers<br>
available: 9989888<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: request checkRanges done<br>
[21/Jul/2016:11:53:28][Timer-0]: CMSEngine: getPasswordStore(): password<br>
store initialized before.<br>
[21/Jul/2016:11:53:28][Timer-0]: CMSEngine: getPasswordStore(): password<br>
store initialized.<br>
[21/Jul/2016:11:58:28][Timer-0]: CMSEngine: getPasswordStore(): password<br>
store initialized before.<br>
[21/Jul/2016:11:58:28][Timer-0]: CMSEngine: getPasswordStore(): password<br>
store initialized.<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: About to start<br>
updateCertStatus<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting<br>
updateCertStatus (entered lock)<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In updateCertStatus()<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In<br>
LdapBoundConnFactory::getConn()<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected:<br>
true<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is<br>
connected true<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 2<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]:<br>
getInvalidCertificatesByNotBeforeDate filter (certStatus=INVALID)<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]:<br>
getInvalidCertificatesByNotBeforeDate: about to call findCertRecordsInList<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In<br>
LdapBoundConnFactory::getConn()<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected:<br>
true<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is<br>
connected true<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 1<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In<br>
findCertRecordsInListRawJumpto with Jumpto 20160721115829Z<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In DBVirtualList filter<br>
attrs startFrom sortKey pageSize filter: (certStatus=INVALID) attrs:<br>
[objectclass, certRecordId, x509cert] pageSize -200 startFrom<br>
20160721115829Z<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 2<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In<br>
getInvalidCertsByNotBeforeDate finally.<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 3<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries returning 0<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting Virtual List size: 0<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: index may be empty<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In<br>
LdapBoundConnFactory::getConn()<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected:<br>
true<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is<br>
connected true<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 2<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]:<br>
getValidCertsByNotAfterDate filter (certStatus=VALID)<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In<br>
LdapBoundConnFactory::getConn()<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected:<br>
true<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is<br>
connected true<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 1<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In<br>
findCertRecordsInListRawJumpto with Jumpto 20160721115829Z<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In DBVirtualList filter<br>
attrs startFrom sortKey pageSize filter: (certStatus=VALID) attrs:<br>
[objectclass, certRecordId, x509cert] pageSize -200 startFrom<br>
20160721115829Z<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 2<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 3<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries returning 1<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting Virtual List<br>
size: 14<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]:<br>
transidValidCertificates: list size: 14<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]:<br>
transitValidCertificates: ltSize 1<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getElementAt: 0 mTop 0<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: reverse direction<br>
getting index 0<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Record does not<br>
qualify,notAfter Thu Jan 12 09:11:48 EST 2017 date Thu Jul 21 11:58:29<br>
EDT 2016<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: transitCertList EXPIRED<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In<br>
LdapBoundConnFactory::getConn()<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected:<br>
true<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is<br>
connected true<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 2<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]:<br>
getRevokedCertificatesByNotAfterDate filter (certStatus=REVOKED)<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]:<br>
getRevokedCertificatesByNotAfterDate: about to call findCertRecordsInList<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In<br>
LdapBoundConnFactory::getConn()<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected:<br>
true<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is<br>
connected true<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 1<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In<br>
findCertRecordsInListRawJumpto with Jumpto 20160721115829Z<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In DBVirtualList filter<br>
attrs startFrom sortKey pageSize filter: (certStatus=REVOKED) attrs:<br>
[objectclass, certRevokedOn, certRecordId, certRevoInfo, notAfter,<br>
x509cert] pageSize -200 startFrom 20160721115829Z<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 2<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 3<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries returning 0<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting Virtual List size: 0<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: index may be empty<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: updateCertStatus done<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting cert checkRanges<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial numbers left in<br>
range: 268369849<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Last Serial Number: 71<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial Numbers<br>
available: 268369849<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: cert checkRanges done<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting request checkRanges<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial numbers left in<br>
range: 9989888<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Last Serial Number: 112<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial Numbers<br>
available: 9989888<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: request checkRanges done<br>
[21/Jul/2016:12:03:28][Timer-0]: CMSEngine: getPasswordStore(): password<br>
store initialized before.<br>
[21/Jul/2016:12:03:28][Timer-0]: CMSEngine: getPasswordStore(): password<br>
store initialized.<br>
<br>
On Thu, Jul 21, 2016 at 11:46 AM, Petr Vobornik <<a href="mailto:pvoborni@redhat.com" target="_blank">pvoborni@redhat.com</a><br></div></div><div><div>
<mailto:<a href="mailto:pvoborni@redhat.com" target="_blank">pvoborni@redhat.com</a>>> wrote:<br>
<br>
    On 07/21/2016 05:14 PM, Linov Suresh wrote:<br>
    > I set debug=true in /etc/ipa/default.conf<br>
    ><br>
    > Here are my logs,<br>
<br>
    The httpd_error log doesn't contain the part where `ipa cert-show 1` was<br>
    run, if it is from the same time. Does `ipa cert-show` communicate with<br>
    the same replica? Could be verified by `ipa -vv cert-show`<br>
<br>
    But more interesting is:<br>
<br>
    SelfTestSubsystem: The CRITICAL self test plugin called<br>
    selftests.container.instance.SystemCertsVerification running at startup<br>
    FAILED!<br>
<br>
    Are you sure that CA is running?<br>
       # ipactl status<br>
<br>
    This looks like the self test failed and therefore the CA shouldn't start. It<br>
    also says that some CA cert is not valid. Which one might be seen in<br>
    /var/log/pki-ca/debug, but a bigger chunk would be needed.<br>
<br>
     ><br>
     > *[root@caer ~]# tail -f /var/log/httpd/error_log*<br>
     > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: WSGI WSGIExecutioner.__call__:<br>
     > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: raw: user_show(u'admin', rights=False, all=False, raw=False, version=u'2.46')<br>
     > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: user_show(u'admin', rights=False, all=False, raw=False, version=u'2.46')<br>
     > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: get_memberof: entry_dn=uid=admin,cn=users,cn=accounts,dc=teloip,dc=net memberof=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=teloip,dc=net'), ipapython.dn.DN('cn=replication administrators,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=modify replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=remove replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=unlock user accounts,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage service keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=trust admins,cn=groups,cn=accounts,dc=teloip,dc=net'), ipapython.dn.DN('cn=host enrollment,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage host keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=enroll a host,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add host password,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=teloip,dc=net')]<br>
     > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: get_memberof: result direct=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=teloip,dc=net'), ipapython.dn.DN('cn=trust admins,cn=groups,cn=accounts,dc=teloip,dc=net')] indirect=[ipapython.dn.DN('cn=replication administrators,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=modify replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=remove replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=unlock user accounts,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage service keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=host enrollment,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage host keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=enroll a host,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add host password,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=teloip,dc=net')]<br>
     > [Thu Jul 21 11:00:38 2016] [error] ipa: INFO: <a href="mailto:admin@TELOIP.NET" target="_blank">admin@TELOIP.NET</a>: user_show(u'admin', rights=False, all=False, raw=False, version=u'2.46'): SUCCESS<br></div></div><div><div>
     > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: response: entries returned 1<br>
     > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: Destroyed connection context.ldap2<br>
     > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: reading ccache data from file "/var/run/ipa_memcached/krbcc_13554"<br>
     > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: store session: session_id=10c5de02f8ae0f3969b96ef0f2e3a96d start_timestamp=2016-07-21T10:43:26 access_timestamp=2016-07-21T11:00:38 expiration_timestamp=2016-07-21T11:20:38<br>
    ><br>
     > *[root@caer ~]# tail -f /var/log/pki-ca/debug*<br>
    > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: curReqId: 9990001<br>
    > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: getElementAt: 1 mTop 107<br>
    > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: reverse direction getting index 4<br>
    > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: curReqId: 112<br>
    > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: getLastRequestId :<br>
    > returning value 112<br>
    > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Repository:  mLastSerialNo: 112<br>
    > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Serial numbers left in range:<br>
    > 9989888<br>
    > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Last Serial Number: 112<br>
    > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Serial Numbers available: 9989888<br>
    > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: request checkRanges done<br>
    ><br>
     > *[root@caer ~]# tail -f /var/log/pki-ca/transactions*<br>
     > 6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:17:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,912 last update time: 7/20/16 5:00 PM next update time: 7/20/16 9:00 PM Number of entries in the CRL: 11 time: 25  CRL time: 25  delta CRL time: 0  (0,0,0,0,0,0,0,8,17,0,0,25,25)<br>
     > 6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:21:00:00 EDT] [20] [1] CRL update started.  CRL ID: MasterCRL  CRL Number: 8,913  Delta CRL Enabled: false  CRL Cache Enabled: true  Cache Recovery Enabled: true  Cache Cleared: false  Cache: 11,0,0,0<br>
     > 6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:21:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,913 last update time: 7/20/16 9:00 PM next update time: 7/21/16 1:00 AM Number of entries in the CRL: 11 time: 11  CRL time: 11  delta CRL time: 0  (0,0,0,0,0,0,0,6,5,0,0,11,11)<br>
     > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:01:00:00 EDT] [20] [1] CRL update started.  CRL ID: MasterCRL  CRL Number: 8,914  Delta CRL Enabled: false  CRL Cache Enabled: true  Cache Recovery Enabled: true  Cache Cleared: false  Cache: 11,0,0,0<br>
     > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:01:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,914 last update time: 7/21/16 1:00 AM next update time: 7/21/16 5:00 AM Number of entries in the CRL: 11 time: 13  CRL time: 13  delta CRL time: 0  (0,0,0,0,0,0,0,6,7,0,0,13,13)<br>
     > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:05:00:00 EDT] [20] [1] CRL update started.  CRL ID: MasterCRL  CRL Number: 8,915  Delta CRL Enabled: false  CRL Cache Enabled: true  Cache Recovery Enabled: true  Cache Cleared: false  Cache: 11,0,0,0<br>
     > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:05:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,915 last update time: 7/21/16 5:00 AM next update time: 7/21/16 9:00 AM Number of entries in the CRL: 11 time: 16  CRL time: 16  delta CRL time: 0  (0,0,0,0,0,0,0,8,8,0,0,16,16)<br>
     > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:09:00:00 EDT] [20] [1] CRL update started.  CRL ID: MasterCRL  CRL Number: 8,916  Delta CRL Enabled: false  CRL Cache Enabled: true  Cache Recovery Enabled: true  Cache Cleared: false  Cache: 11,0,0,0<br>
     > 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:09:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,916 last update time: 7/21/16 9:00 AM next update time: 7/21/16 1:00 PM Number of entries in the CRL: 11 time: 13  CRL time: 13  delta CRL time: 0  (0,0,0,0,0,0,0,6,7,0,0,13,13)<br>
     > 10657.http-9443-2 - [21/Jul/2016:10:28:19 EDT] [20] [1] renewal reqID 112 fromAgent userID: ipara authenticated by certUserDBAuthMgr is completed DN requested: CN=CA Audit,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> cert issued serial number: 0x47 time: 39<br>
     ><br>
     > *[root@caer ~]# tail -f /var/log/pki-ca/selftests.log*<br>
    > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem:  loading all self test plugin logger parameters<br>
    > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem:  loading all self test plugin instances<br>
    > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem:  loading all self test plugin instance parameters<br>
    > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem:  loading self test plugins in on-demand order<br>
    > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem:  loading self test plugins in startup order<br>
    > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!<br>
    > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:<br>
    > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] CAPresence:  CA is present<br>
    > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SystemCertsVerification: system certs verification failure<br>
    > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!<br>
    ><br>
     > But interestingly, [root@caer ~]# ipa cert-show 1 returns "*ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)*"<br>
    ><br>
    > On Thu, Jul 21, 2016 at 10:04 AM, Linov Suresh <<a href="mailto:linov.suresh@gmail.com" target="_blank">linov.suresh@gmail.com</a>> wrote:<br></div></div><span>
    ><br>
    >     This could be because of incorrect trust attributes on the<br>
    >     certificates; the current attributes are:<br>
    ><br>
    >     [root@caer ~]#  certutil -L -d /var/lib/pki-ca/alias<br>
    ><br>
    >     Certificate Nickname                                         Trust Attributes<br>
    >                                                                   SSL,S/MIME,JAR/XPI<br>
    ><br>
    >     ocspSigningCert cert-pki-ca                                   u,u,Pu<br>
    >     subsystemCert cert-pki-ca                                     u,u,Pu<br>
    >     caSigningCert cert-pki-ca                                       CTu,Cu,Cu<br>
    >     subsystemCert cert-pki-ca                                     u,u,Pu<br>
    >     Server-Cert cert-pki-ca                                          u,u,u<br>
    >     auditSigningCert cert-pki-ca                                   u,u,Pu<br>
    ><br>
    >     I'm going to fix the trust attributes and try.<br>
    ><br>
    >     On Thu, Jul 21, 2016 at 9:45 AM, Petr Vobornik <<a href="mailto:pvoborni@redhat.com" target="_blank">pvoborni@redhat.com</a>> wrote:<br></span><div><div>
     ><br>
     >         On 07/20/2016 09:41 PM, Linov Suresh wrote:<br>
     >         > I have restarted the pki-cad and checked if communication with the CA is working, but no luck.<br>
     >         ><br>
     >         > Debug logs in /var/log/pki-ca do not have anything unusual. Can you think of anything other than this?<br>
     ><br>
     >         /var/log/httpd/error_log when /etc/ipa.conf is set to debug=true<br>
     ><br>
    <a href="https://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data" rel="noreferrer" target="_blank">https://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data</a><br>
     ><br>
     >         /var/log/pki-ca/debug<br>
     >         /var/log/pki-ca/transactions<br>
     >         /var/log/pki-ca/selftest.log<br>
     ><br>
     >         ><br>
     >         > [root@caer ~]# ipa cert-show 1<br>
     >         >    Certificate: MIIDizCCAnOgAwIBAgIBATANBgkqhkiG9w0BAQsFADA1MRMwEQYDVQQKEwpURUxP<br>
     >         >    SVAuTkVUMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTExMjE0<br>
     >         >    MjIyOTU2WhcNMTkxMjE0MjIyOTU2WjA1MRMwEQYDVQQKEwpURUxPSVAuTkVUMR4w<br>
     >         >    HAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUA<br>
     >         >    A4IBDwAwggEKAoIBAQDegJ5XVR0JSc76s9FPkkkuug3PtZi5Ysad0Dr1I5ngjTOV<br>
     >         >    ctm/P7buk2g8LxBSXLO+7Rq7PTtTD5AJ7vQjrv2RtoYTPdRebAuukTKd6RhtYa5e<br>
     >         >    tX7z0DBjQ8g9Erqf9GzLxlQqim8ZvscATBhf6MLb5cXA/pWHYuE2j0OlnrSNWqsb<br>
     >         >    UgwMsM73RlsNACsvLUk4iJY0wuxj4L/0EBQWUPGr8qBk3QBST4LDnInuvvGsAFNe<br>
     >         >    tyebENMRWnEaDFYKPapACrtKAl3hQNDB7dVGk64Dd7paXss9F8vgVnofgFpjiJs7<br>
     >         >    5DNtKhKxzFQyanINU+uuIVs/CNIO3jV9I26ems2zAgMBAAGjgaUwgaIwHwYDVR0j<br>
     >         >    BBgwFoAUx5/ZpwOfXZQ5KNwC42cBW+Y+bGIwDwYDVR0TAQH/BAUwAwEB/zAOBgNV<br>
     >         >    HQ8BAf8EBAMCAcYwHQYDVR0OBBYEFMef2acDn12UOSjcAuNnAVvmPmxiMD8GCCsG<br>
     >         >    AQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2NhZXIudGVsb2lwLm5ldDo5<br>
     >         >    MTgwL2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAHGElN0OcepokvNIN8f4mvTj<br>
     >         >    kL9wcuZwbbX9gZGdKSZf5Redp4tsJW8EJCy8yu9F5U+Ym3RcvJBiby9gHCVVbW+y<br>
     >         >    5IgziiJ3kd4UlVJCDVKtbdq62bODcatFsMH8wJSMW6Cw096RyfGgu2qSyXzdZ2xV<br>
     >         >    nMovO3+Eaz2n0x4ZvaEj9Ixym/KI+QPCAL7gPkK36X4JYgM3CXUCYCN/QJY/psFt<br>
     >         >    e+121ubSZX5u3Yntux4KziJ3cx9wZ74iKff1BOVxOCi0JyLn2k15bvBXGvxxgmhK<br>
     >         >    b8YUVbDJDb9oWSbixl/TQI9PZysXYIvBNJM8h+HRKIJksKGQhKOERzrYoqABt30=<br>
     >         >    Subject: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
     >         >    Issuer: CN=Certificate Authority,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a><br>
     >         >    Not Before: Wed Dec 14 22:29:56 2011 UTC<br>
     >         >    Not After: Sat Dec 14 22:29:56 2019 UTC<br>
     >         >    Fingerprint (MD5):<br>
    c9:27:1d:84:4c:2c:97:38:a4:7b:9a:c0:78:3e:7f:7a<br>
     >         >    Fingerprint (SHA1):<br>
    ce:d7:11:84:70:dd:cb:4e:e2:08:f5:c0:ac:ff:b3:c5:bb:81:77:7e<br>
     >         >    Serial number (hex): 0x1<br>
     >         >    Serial number: 1<br>
     >         > [root@caer ~]#<br>
     >         ><br>
     >         > *ca-error: Internal error: no response to "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true</a>".*<br>
     >         ><br>
     >         ><br>
     >         ><br>
     >         > On Wed, Jul 20, 2016 at 2:22 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>> wrote:<br>
    >         ><br>
    >         >     Linov Suresh wrote:<br>
    >         ><br>
     >         >         Thanks for your help Rob, I will create a separate thread for IPA replication issue. But we are still getting<br>
     >         >         *ca-error: Internal error: no response to "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true" rel="noreferrer" target="_blank">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true</a>".*<br>
     >         ><br>
     >         >              Could you please help us to fix this?<br>
     >         ><br>
     >         ><br>
     >         >     I think your CA isn't quite fixed yet. I'd restart pki-cad then do something like: ipa cert-show 1<br>
     >         ><br>
     >         >     You should get back a cert (doesn't really matter what cert).<br>
     >         ><br>
     >         >     Otherwise I'd check the CA debug log somewhere in /var/log/pki<br>
     >         ><br>
     >         >     rob<br>
     >         ><br>
<br>
<br>
    --<br>
    Petr Vobornik<br>
<br>
<br>
</div></div></blockquote>
<br>
</blockquote></div><br></div></div></div></div>
</blockquote></div><br></div></div>
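Added example (editor's note, not code from this thread or from FreeIPA/Dogtag): the question at the top of the thread is whether the trust attributes in the CA's NSS database are the ones the CA expects, and the listing posted shows two things worth flagging automatically: several system certs carry `u,u,Pu`, and `subsystemCert cert-pki-ca` appears twice. The Python below parses `certutil -L` output and reports flag mismatches, duplicate nicknames and missing nicknames, then prints the `certutil -M` command that would correct each mismatch. The expected-flag table is an assumption taken from a default FreeIPA/Dogtag CA install and should be confirmed against a known-good server before any flag is changed; the sample listing is the one quoted in the thread.

```python
import re
import sys
from collections import Counter

# Assumption: trust flags a default FreeIPA/Dogtag CA sets in
# /var/lib/pki-ca/alias. Confirm against a known-good install before
# treating a mismatch as a defect.
EXPECTED_CA_TRUST = {
    "caSigningCert cert-pki-ca": "CTu,Cu,Cu",
    "ocspSigningCert cert-pki-ca": "u,u,u",
    "subsystemCert cert-pki-ca": "u,u,u",
    "Server-Cert cert-pki-ca": "u,u,u",
    "auditSigningCert cert-pki-ca": "u,u,Pu",
}

# Sample `certutil -L -d /var/lib/pki-ca/alias` output as quoted in the thread.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                   u,u,Pu
subsystemCert cert-pki-ca                                     u,u,Pu
caSigningCert cert-pki-ca                                       CTu,Cu,Cu
subsystemCert cert-pki-ca                                     u,u,Pu
Server-Cert cert-pki-ca                                          u,u,u
auditSigningCert cert-pki-ca                                   u,u,Pu
"""

# One entry per line: nickname, two or more spaces, then the three
# comma-separated NSS trust fields (SSL, S/MIME, JAR/XPI); a field may be empty.
_ENTRY = re.compile(
    r"^(?P<nick>\S.*?\S)\s{2,}(?P<flags>[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)\s*$"
)


def parse_certutil_listing(text):
    """Return [(nickname, trust_flags), ...] in listing order; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            entries.append((m.group("nick"), m.group("flags")))
    return entries


def check_trust_flags(entries, expected=EXPECTED_CA_TRUST):
    """Return human-readable findings; an empty list means the DB matches `expected`."""
    findings = []
    seen = Counter(nick for nick, _ in entries)
    # Two entries with one nickname usually means an old and a renewed cert
    # coexist; the CA may pick up the wrong one.
    for nick, count in seen.items():
        if count > 1:
            findings.append(f"{nick}: nickname appears {count} times")
    for nick, flags in entries:
        want = expected.get(nick)
        if want is None:
            findings.append(f"{nick}: not in the expected-nickname table")
        elif flags != want:
            findings.append(f"{nick}: trust flags {flags!r}, expected {want!r}")
    for nick in expected:
        if nick not in seen:
            findings.append(f"{nick}: missing from database")
    return findings


def certutil_fix_command(nick, flags, dbdir="/var/lib/pki-ca/alias"):
    """The certutil invocation that sets `flags` on `nick` (review before running)."""
    return f'certutil -M -d {dbdir} -n "{nick}" -t "{flags}"'


if __name__ == "__main__":
    # Pipe live output in: certutil -L -d /var/lib/pki-ca/alias | python3 this.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    entries = parse_certutil_listing(text)
    for finding in check_trust_flags(entries):
        print(finding)
    for nick, flags in entries:
        want = EXPECTED_CA_TRUST.get(nick)
        if want and flags != want:
            print(certutil_fix_command(nick, want))
```

On the quoted listing this reports the duplicated `subsystemCert cert-pki-ca` and three `u,u,Pu` entries that the table expects as `u,u,u`; the `auditSigningCert` keeps `u,u,Pu`, which is what the table expects for it. Changing flags alone does not remove a duplicate certificate, and whether a duplicate is the cause of the self-test failure is not something the listing can tell you; that is what the `/var/log/pki-ca/debug` excerpt Petr asked for would show.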