<div dir="ltr"><div class="gmail_extra"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div dir="ltr"><div style="background-color:rgb(255,255,255)"><div><span style="font-size:13px">Thank you very much Rob. </span></div><div><span style="font-size:13px">Let me remove the duplicate certificates and try to renew the certificates again to see if "</span><b>ca-error: Internal error: no response to "<a href="http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true">http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true</a>"</b>." goes away? <br></div><div><br></div></div></div></div></div></div>
<br><div class="gmail_quote">On Fri, Jul 22, 2016 at 2:45 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">Linov Suresh wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
Could you please verify, if we have set correct trust attributes on the<br>
certificates<br>
<br>
*[root@caer ~]# certutil -d /var/lib/pki-ca/alias/ -L*<br>
<br>
Certificate Nickname                                         Trust Attributes<br>
                                                             SSL,S/MIME,JAR/XPI<br>
<br>
subsystemCert cert-pki-ca                                    u,u,Pu<br>
ocspSigningCert cert-pki-ca                                  u,u,u<br>
caSigningCert cert-pki-ca                                    CTu,Cu,Cu<br>
subsystemCert cert-pki-ca                                    u,u,Pu<br>
Server-Cert cert-pki-ca                                      u,u,u<br>
auditSigningCert cert-pki-ca                                 u,u,Pu<br>
*[root@caer ~]# certutil -d /etc/httpd/alias/ -L*<br>
<br>
Certificate Nickname                                         Trust Attributes<br>
                                                             SSL,S/MIME,JAR/XPI<br>
<br>
ipaCert                                                      u,u,u<br>
Server-Cert                                                  u,u,u<br>
TELOIP.NET IPA CA                                            CT,C,C<br>
ipaCert                                                      u,u,u<br>
Signing-Cert                                                 u,u,u<br>
Server-Cert                                                  u,u,u<br>
<br>
*[root@caer ~]# certutil -d /etc/dirsrv/slapd-TELOIP-NET/ -L*<br>
<br>
Certificate Nickname                                         Trust Attributes<br>
                                                             SSL,S/MIME,JAR/XPI<br>
<br>
Server-Cert                                                  u,u,u<br>
TELOIP.NET IPA CA                                            CT,,C<br>
Server-Cert                                                  u,u,u<br>
[root@caer ~]#<br>
<br>
*Please note, there are duplicate certificates in CA, HTTP and LDAP<br>
directory, subsystemCert cert-pki-ca, ipaCert and Server-Cert. I was<br>
wondering if we need to remove these duplicate certificates? *<br>
</blockquote>
<br>
Yeah you should remove the duplicate certs, they seem to cause problems with dogtag at least (certmonger _should_ handle this automatically, we'll be looking into it soonish).<br>
<br>
To remove the duplicate cert:<br>
<br>
1. Shutdown the service<br>
2. Back up the NSS database<br>
3. certutil -L -d /path/to/db -n <nickname> -a > somefile<br>
4. split somefile into separate files so each file has one BEGIN/END certificate<br>
5. openssl x509 -text -noout -in somefile1..n<br>
6. Pick the one with the most recent issuance date<br>
7. You backed up the NSS database, right?<br>
8. certutil -D -d /path/to/db -n <nickname><br>
9. certutil -A -d /path/to/db -n <nickname> -t u,u,u -a -i somefilex<br>
10. Start the service, watch logs for errors<br>
<br>
For the trust use whatever the original trust value was.<br>
<br>
You don't need the P trust flag on the subsystemCert in the CA, only the auditSigningCert.<br>
<br>
I doubt the duplicated Server-Cert will be a problem. NSS is supposed to deal with this automatically, picking the "most correct" cert to use based on the validity period.<br>
<br>
rob<br>
<br>
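Rob's ten steps, scripted as an added example (this is not code from the thread, from FreeIPA or from Dogtag). It assumes certutil from nss-tools, openssl and GNU date are on PATH, that you have already stopped the service that owns the database (pki-cad, httpd or dirsrv in this thread) and that the database has no password; the function and file names are mine. It also adds a check for the duplicate-nickname condition itself, run over a `certutil -L` listing, and treats `certutil -D` as removing a single entry per call, so it repeats the delete until the nickname is gone.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/Dogtag: a script
# version of Rob's duplicate-certificate clean-up for one NSS nickname.
# Assumes certutil (nss-tools), openssl and GNU date on PATH; the caller
# stops the owning service before running it and restarts it afterwards.
set -eu

# Print nicknames that occur more than once in `certutil -L` output (read
# from stdin) as "<count> <nickname>", one per line.
duplicate_nicknames() {
    awk '
        match($0, /[ ]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[ ]*$/) && RSTART > 1 {
            nick = substr($0, 1, RSTART - 1); count[nick]++
        }
        END { for (n in count) if (count[n] > 1) printf "%d %s\n", count[n], n }
    ' | sort
}

# Split a PEM bundle ($1) into $2/cert-NN.pem, one certificate per file,
# and print how many were written (Rob's step 4).
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
        n > 0 { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
        END { print n + 0 }
    ' "$1"
}

# Epoch seconds of a certificate's notBefore (-startdate) or notAfter (-enddate).
cert_epoch() {
    date -u -d "$(openssl x509 -noout "$1" -in "$2" | cut -d= -f2-)" +%s
}

# Of the PEM files given, print the one issued most recently (latest
# notBefore; ties broken by latest notAfter): Rob's steps 5 and 6.
newest_cert() {
    best=""; best_nb=0; best_na=0
    for f in "$@"; do
        nb=$(cert_epoch -startdate "$f"); na=$(cert_epoch -enddate "$f")
        if [ -z "$best" ] || [ "$nb" -gt "$best_nb" ] ||
           { [ "$nb" -eq "$best_nb" ] && [ "$na" -gt "$best_na" ]; }; then
            best="$f"; best_nb="$nb"; best_na="$na"
        fi
    done
    printf '%s\n' "$best"
}

# Steps 2 to 9 for one nickname: $1 = NSS db dir, $2 = nickname,
# $3 = trust flags to restore (copy them from `certutil -L` before you start).
dedupe_nss_nickname() {
    db="$1"; nick="$2"; trust="$3"
    work=$(mktemp -d)
    backup="${db%/}.bak-$(date +%Y%m%d%H%M%S)"
    cp -a "$db" "$backup"                                   # step 2: back it up first
    certutil -L -d "$db" -n "$nick" -a > "$work/bundle.pem"  # step 3: every cert under the nickname
    count=$(split_pem_bundle "$work/bundle.pem" "$work")
    if [ "$count" -lt 2 ]; then
        echo "'$nick' in $db has $count certificate, nothing to do" >&2
        return 0
    fi
    keep=$(newest_cert "$work"/cert-*.pem)
    openssl x509 -noout -subject -serial -startdate -in "$keep" >&2
    # Step 8: assume certutil -D drops one entry per call, so repeat until the
    # nickname is gone (bounded by the number of certs we exported).
    i=0
    while [ "$i" -lt "$count" ] && certutil -L -d "$db" -n "$nick" >/dev/null 2>&1; do
        certutil -D -d "$db" -n "$nick"; i=$((i + 1))
    done
    certutil -A -d "$db" -n "$nick" -t "$trust" -a -i "$keep"   # step 9: the private key is still in the key db
    echo "re-added '$nick' to $db; backup in $backup" >&2
}

# Usage (hypothetical values for this thread's CA database):
#   certutil -L -d /var/lib/pki-ca/alias | duplicate_nicknames
#   dedupe_nss_nickname /var/lib/pki-ca/alias 'subsystemCert cert-pki-ca' u,u,u
```

Pass the trust flags that `certutil -L` showed before you started; for the subsystemCert, u,u,u is fine per Rob's note that it does not need the P flag. If the database is password-protected, add `-f /path/to/pwdfile` to each certutil call. Then start the service and watch its logs, as in step 10.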
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
<br>
<br>
On Fri, Jul 22, 2016 at 9:36 AM, Linov Suresh <<a href="mailto:linov.suresh@gmail.com" target="_blank">linov.suresh@gmail.com</a>> wrote:<br>
<br>
I'm facing another issue now, my kerberos tickets are not renewing,<br>
<br>
*[root@caer ~]# ipa cert-show 1*<br>
ipa: ERROR: Ticket expired<br>
<br>
*[root@caer ~]# klist*<br>
Ticket cache: FILE:/tmp/krb5cc_0<br>
Default principal: admin@TELOIP.NET<br>
<br>
Valid starting     Expires            Service principal<br>
07/20/16 14:42:26  07/21/16 14:42:22  krbtgt/TELOIP.NET@TELOIP.NET<br>
07/20/16 14:42:36  07/21/16 14:42:22  HTTP/caer.teloip.net@TELOIP.NET<br>
07/21/16 11:40:15  07/21/16 14:42:22  ldap/caer.teloip.net@TELOIP.NET<br>
<br>
I need to manually renew the tickets every day,<br>
<br>
*[root@caer ~]# kinit admin*<br>
Password for admin@TELOIP.NET:<br>
Warning: Your password will expire in 6 days on Thu Jul 28 15:20:15 2016<br>
<br>
*[root@caer ~]# klist *<br>
Ticket cache: FILE:/tmp/krb5cc_0<br>
Default principal: admin@TELOIP.NET<br>
<br>
Valid starting     Expires            Service principal<br>
07/22/16 09:34:52  07/23/16 09:34:49  krbtgt/TELOIP.NET@TELOIP.NET<br>
<br>
<br>
On Thu, Jul 21, 2016 at 12:23 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>> wrote:<br>
<br>
Linov Suresh wrote:<br>
<br>
The httpd_error log doesn't contain the part where `ipa<br>
cert-show 1` was<br>
run. If it is from the same time.<br>
<br>
*I am not sure about that, please see httpd_error when `ipa<br>
cert-show 1`<br>
was run*<br>
<br>
<br>
The IPA API log isn't going to show much in this case.<br>
<br>
Requests to the CA are proxied through IPA. The CA WAR is not<br>
running on tomcat so when Apache tries to proxy the request<br>
tomcat returns a 404, Not Found.<br>
<br>
You need to start with the dogtag debug and selftest logs to see<br>
what is going on. The logs are pretty verbose and can be<br>
challenging to read.<br>
<br>
rob<br>
<br>
<br>
[root@caer ~]# *tail -f /var/log/httpd/error_log*<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI<br>
wsgi_dispatch.__call__:<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI<br>
xmlserver_session.__call__:<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session<br>
cookie_id =<br>
bc2c7ed0eccd840dc266efaf9ece913c<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session<br>
data in<br>
cache with id=bc2c7ed0eccd840dc266efaf9ece913c<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:<br>
xmlserver_session.__call__:<br>
session_id=bc2c7ed0eccd840dc266efaf9ece913c<br>
start_timestamp=2016-07-21T11:58:54<br>
access_timestamp=2016-07-21T12:01:21<br>
expiration_timestamp=2016-07-21T12:18:54<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: storing<br>
ccache data into<br>
file "/var/run/ipa_memcached/krbcc_13554"<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: get_credential_times: principal=HTTP/caer.teloip.net@TELOIP.NET, authtime=07/21/16 10:31:46, starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44, renew_till=12/31/69 19:00:00<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: get_credential_times: principal=HTTP/caer.teloip.net@TELOIP.NET, authtime=07/21/16 10:31:46, starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44, renew_till=12/31/69 19:00:00<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: KRB5_CCache<br>
FILE:/var/run/ipa_memcached/krbcc_13554 endtime=1469197904<br>
(07/22/16<br>
10:31:44)<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:<br>
set_session_expiration_time: duration_type=inactivity_timeout<br>
duration=1200 max_age=1469197604 expiration=1469118081.77<br>
(2016-07-21T12:21:21)<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI<br>
xmlserver.__call__:<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Created<br>
connection<br>
context.ldap2<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI<br>
WSGIExecutioner.__call__:<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: raw:<br>
cert_show(u'1')<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert_show(u'1')<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: IPA: virtual<br>
verify<br>
retrieve certificate<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:<br>
ipaserver.plugins.dogtag.ra.get_certificate()<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: https_request<br>
'<a href="https://caer.teloip.net:443/ca/agent/ca/displayBySerial" rel="noreferrer" target="_blank">https://caer.teloip.net:443/ca/agent/ca/displayBySerial</a>'<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: https_request<br>
post<br>
'xml=true&serialNumber=1'<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: NSSConnection init caer.teloip.net<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Connecting: 10.20.0.75:0<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:<br>
auth_certificate_callback: check_sig=True is_server=False<br>
*.*<br>
*.*<br>
*.*<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert valid True for "CN=caer.teloip.net,O=TELOIP.NET"<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: handshake complete, peer = 10.20.0.75:443<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:<br>
auth_certificate_callback: check_sig=True is_server=False<br>
*.*<br>
*.*<br>
*.*<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert valid True for "CN=caer.teloip.net,O=TELOIP.NET"<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: handshake complete, peer = 10.20.0.75:443<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: ERROR:<br>
ipaserver.plugins.dogtag.ra.get_certificate(): Unable to<br>
communicate<br>
with CMS (Not Found)<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: INFO: admin@TELOIP.NET: cert_show(u'1'): CertificateOperationError<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: response:<br>
CertificateOperationError: Certificate operation cannot be<br>
completed:<br>
Unable to communicate with CMS (Not Found)<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Destroyed<br>
connection<br>
context.ldap2<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: reading<br>
ccache data from<br>
file "/var/run/ipa_memcached/krbcc_13554"<br>
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: store session:<br>
session_id=bc2c7ed0eccd840dc266efaf9ece913c<br>
start_timestamp=2016-07-21T11:58:54<br>
access_timestamp=2016-07-21T12:01:21<br>
expiration_timestamp=2016-07-21T12:21:21<br>
<br>
<br>
Does `ipa cert-show` communicate with the same replica? Could be<br>
verified by `ipa -vv cert-show`<br>
<br>
*It's asking for the serial number of the certificate. If I<br>
give 64<br>
(serial number of ipaCert ), I get ipa: ERROR: Certificate<br>
operation<br>
cannot be completed: Unable to communicate with CMS (Not Found)*<br>
<br>
*[root@caer ~]# ipa -vv cert-show*<br>
ipa: DEBUG: importing all plugin modules in<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins'...<br>
*.*<br>
*.*<br>
*.*<br>
ipa: DEBUG: stdout=ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:32 GMT; Secure; HttpOnly<br>
ipa: DEBUG: stderr=<br>
ipa: DEBUG: found session_cookie in persistent storage for principal 'admin@TELOIP.NET', cookie: 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:32 GMT; Secure; HttpOnly'<br>
ipa: DEBUG: setting session_cookie into context<br>
'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;'<br>
ipa: INFO: trying <a href="https://caer.teloip.net/ipa/session/xml" rel="noreferrer" target="_blank">https://caer.teloip.net/ipa/session/xml</a><br>
ipa: DEBUG: Created connection context.xmlclient<br>
Serial number: 64<br>
ipa: DEBUG: raw: cert_show(u'64')<br>
ipa: DEBUG: cert_show(u'64')<br>
ipa: INFO: Forwarding 'cert_show' to server<br>
u'<a href="https://caer.teloip.net/ipa/session/xml" rel="noreferrer" target="_blank">https://caer.teloip.net/ipa/session/xml</a>'<br>
ipa: DEBUG: NSSConnection init caer.teloip.net<br>
ipa: DEBUG: Connecting: 10.20.0.75:0<br>
send: u'POST /ipa/session/xml HTTP/1.0\r\nHost: caer.teloip.net\r\nAccept-Language: en-us\r\nReferer: https://caer.teloip.net/ipa/xml\r\nCookie: ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;\r\nUser-Agent: xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type: text/xml\r\nContent-Length: 268\r\n\r\n'<br>
ipa: DEBUG: auth_certificate_callback: check_sig=True<br>
is_server=False<br>
*.*<br>
*.*<br>
*.*<br>
ipa: DEBUG: approved_usage = SSLServer intended_usage =<br>
SSLServer<br>
ipa: DEBUG: cert valid True for "CN=caer.teloip.net,O=TELOIP.NET"<br>
ipa: DEBUG: handshake complete, peer = 10.20.0.75:443<br>
send: "<?xml version='1.0'<br>
encoding='UTF-8'?>\n<methodCall>\n<methodName>cert_show</methodName>\n<params>\n<param>\n<value><array><data>\n<value><string>64</string></value>\n</data></array></value>\n</param>\n<param>\n<value><struct>\n</struct></value>\n</param>\n</params>\n</methodCall>\n"<br>
reply: 'HTTP/1.1 200 Success\r\n'<br>
header: Date: Thu, 21 Jul 2016 16:05:40 GMT<br>
header: Server: Apache/2.2.15 (CentOS)<br>
header: Set-Cookie: ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:40 GMT; Secure; HttpOnly<br>
header: Connection: close<br>
header: Content-Type: text/xml; charset=utf-8<br>
ipa: DEBUG: received Set-Cookie 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:40 GMT; Secure; HttpOnly'<br>
ipa: DEBUG: storing cookie 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:40 GMT; Secure; HttpOnly' for principal admin@TELOIP.NET<br>
ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:admin@TELOIP.NET<br>
ipa: DEBUG: stdout=457971704<br>
<br>
ipa: DEBUG: stderr=<br>
ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:admin@TELOIP.NET<br>
ipa: DEBUG: stdout=457971704<br>
<br>
ipa: DEBUG: stderr=<br>
ipa: DEBUG: args=keyctl pupdate 457971704<br>
ipa: DEBUG: stdout=<br>
ipa: DEBUG: stderr=<br>
body: "<?xml version='1.0'<br>
encoding='UTF-8'?>\n<methodResponse>\n<fault>\n<value><struct>\n<member>\n<name>faultCode</name>\n<value><int>4301</int></value>\n</member>\n<member>\n<name>faultString</name>\n<value><string>Certificate<br>
operation cannot be completed: Unable to communicate with<br>
CMS (Not<br>
Found)</string></value>\n</member>\n</struct></value>\n</fault>\n</methodResponse>\n"<br>
ipa: DEBUG: Caught fault 4301 from server<br>
<a href="https://caer.teloip.net/ipa/session/xml" rel="noreferrer" target="_blank">https://caer.teloip.net/ipa/session/xml</a>: Certificate<br>
operation cannot be<br>
completed: Unable to communicate with CMS (Not Found)<br>
ipa: DEBUG: Destroyed connection context.xmlclient<br>
ipa: ERROR: Certificate operation cannot be completed: Unable to<br>
communicate with CMS (Not Found)<br>
[root@caer ~]#<br>
<br>
<br>
But more interesting is: SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!<br>
<br>
Are you sure that CA is running?<br>
# ipactl status<br>
*Yes, CA is running,*<br>
<br>
*[root@caer ~]# ipactl status*<br>
Directory Service: RUNNING<br>
KDC Service: RUNNING<br>
KPASSWD Service: RUNNING<br>
DNS Service: RUNNING<br>
MEMCACHE Service: RUNNING<br>
HTTP Service: RUNNING<br>
CA Service: RUNNING<br>
<br>
This looks like the self test failed and therefore the CA shouldn't start. It also says that some of the CA certs are not valid. Which one might be seen in /var/log/pki-ca/debug, but a bigger chunk would be needed.<br>
<br>
*[root@caer ~]# tail -100 /var/log/pki-ca/debug *<br>
<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: getConn: conn is<br>
connected true<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: getConn:<br>
mNumConns now 1<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: In<br>
findCertRecordsInListRawJumpto with Jumpto 20160721114829Z<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: In<br>
DBVirtualList filter<br>
attrs startFrom sortKey pageSize filter:<br>
(certStatus=REVOKED) attrs:<br>
[objectclass, certRevokedOn, certRecordId, certRevoInfo,<br>
notAfter,<br>
x509cert] pageSize -200 startFrom 20160721114829Z<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: returnConn:<br>
mNumConns now 2<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: returnConn:<br>
mNumConns now 3<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: getEntries<br>
returning 0<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: mTop 0<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: Getting<br>
Virtual List size: 0<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: index may be<br>
empty<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]:<br>
updateCertStatus done<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: Starting<br>
cert checkRanges<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial<br>
numbers left in<br>
range: 268369849<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: Last Serial<br>
Number: 71<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial Numbers<br>
available: 268369849<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: cert<br>
checkRanges done<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: Starting<br>
request checkRanges<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial<br>
numbers left in<br>
range: 9989888<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: Last Serial<br>
Number: 112<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial Numbers<br>
available: 9989888<br>
[21/Jul/2016:11:48:29][CertStatusUpdateThread]: request<br>
checkRanges done<br>
[21/Jul/2016:11:53:28][Timer-0]: CMSEngine:<br>
getPasswordStore(): password<br>
store initialized before.<br>
[21/Jul/2016:11:53:28][Timer-0]: CMSEngine:<br>
getPasswordStore(): password<br>
store initialized.<br>
[21/Jul/2016:11:58:28][Timer-0]: CMSEngine:<br>
getPasswordStore(): password<br>
store initialized before.<br>
[21/Jul/2016:11:58:28][Timer-0]: CMSEngine:<br>
getPasswordStore(): password<br>
store initialized.<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: About to start<br>
updateCertStatus<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting<br>
updateCertStatus (entered lock)<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In<br>
updateCertStatus()<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In<br>
LdapBoundConnFactory::getConn()<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn<br>
is connected:<br>
true<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is<br>
connected true<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn:<br>
mNumConns now 2<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]:<br>
getInvalidCertificatesByNotBeforeDate filter<br>
(certStatus=INVALID)<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]:<br>
getInvalidCertificatesByNotBeforeDate: about to call<br>
findCertRecordsInList<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In<br>
LdapBoundConnFactory::getConn()<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn<br>
is connected:<br>
true<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is<br>
connected true<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn:<br>
mNumConns now 1<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In<br>
findCertRecordsInListRawJumpto with Jumpto 20160721115829Z<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In<br>
DBVirtualList filter<br>
attrs startFrom sortKey pageSize filter:<br>
(certStatus=INVALID) attrs:<br>
[objectclass, certRecordId, x509cert] pageSize -200 startFrom<br>
20160721115829Z<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn:<br>
mNumConns now 2<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In<br>
getInvalidCertsByNotBeforeDate finally.<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn:<br>
mNumConns now 3<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries<br>
returning 0<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting Virtual List size: 0<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: index may be empty<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In LdapBoundConnFactory::getConn()<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: true<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is connected true<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 2<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getValidCertsByNotAfterDate filter (certStatus=VALID)<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In LdapBoundConnFactory::getConn()<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: true<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is connected true<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 1<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In findCertRecordsInListRawJumpto with Jumpto 20160721115829Z<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In DBVirtualList filter attrs startFrom sortKey pageSize filter: (certStatus=VALID) attrs: [objectclass, certRecordId, x509cert] pageSize -200 startFrom 20160721115829Z<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 2<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 3<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries returning 1<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting Virtual List size: 14<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: transidValidCertificates: list size: 14<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: transitValidCertificates: ltSize 1<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getElementAt: 0 mTop 0<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: reverse direction getting index 0<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Record does not qualify,notAfter Thu Jan 12 09:11:48 EST 2017 date Thu Jul 21 11:58:29 EDT 2016<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: transitCertList EXPIRED<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In LdapBoundConnFactory::getConn()<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: true<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is connected true<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 2<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getRevokedCertificatesByNotAfterDate filter (certStatus=REVOKED)<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getRevokedCertificatesByNotAfterDate: about to call findCertRecordsInList<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In LdapBoundConnFactory::getConn()<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected: true<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is connected true<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 1<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In findCertRecordsInListRawJumpto with Jumpto 20160721115829Z<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In DBVirtualList filter attrs startFrom sortKey pageSize filter: (certStatus=REVOKED) attrs: [objectclass, certRevokedOn, certRecordId, certRevoInfo, notAfter, x509cert] pageSize -200 startFrom 20160721115829Z<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 2<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 3<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries returning 0<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting Virtual List size: 0<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: index may be empty<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: updateCertStatus done<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting cert checkRanges<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial numbers left in range: 268369849<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Last Serial Number: 71<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial Numbers available: 268369849<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: cert checkRanges done<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting request checkRanges<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial numbers left in range: 9989888<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Last Serial Number: 112<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial Numbers available: 9989888<br>
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: request checkRanges done<br>
[21/Jul/2016:12:03:28][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.<br>
[21/Jul/2016:12:03:28][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.<br>
<br>
On Thu, Jul 21, 2016 at 11:46 AM, Petr Vobornik <<a href="mailto:pvoborni@redhat.com" target="_blank">pvoborni@redhat.com</a>> wrote:<br>
<br>
On 07/21/2016 05:14 PM, Linov Suresh wrote:<br>
> I set debug=true in /etc/ipa/default.conf<br>
><br>
> Here are my logs,<br>
<br>
The httpd error_log doesn't contain the part where `ipa cert-show 1` was run, if it is from the same time. Does `ipa cert-show` communicate with the same replica? This could be verified with `ipa -vv cert-show`.<br>
<br>
But more interesting is:<br>
<br>
SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!<br>
<br>
Are you sure that the CA is running?<br>
# ipactl status<br>
<br>
This looks like the self test fails and therefore the CA shouldn't start. It also says that some CA cert is not valid. Which one might be seen in /var/log/pki-ca/debug, but a bigger chunk would be needed.<br>
<br>
><br>
> *[root@caer ~]# tail -f /var/log/httpd/error_log*<br>
> [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: WSGI WSGIExecutioner.__call__:<br>
> [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: raw: user_show(u'admin', rights=False, all=False, raw=False, version=u'2.46')<br>
> [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: user_show(u'admin', rights=False, all=False, raw=False, version=u'2.46')<br>
> [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: get_memberof: entry_dn=uid=admin,cn=users,cn=accounts,dc=teloip,dc=net memberof=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=teloip,dc=net'), ipapython.dn.DN('cn=replication administrators,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=modify replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=remove replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=unlock user accounts,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage service keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=trust admins,cn=groups,cn=accounts,dc=teloip,dc=net'), ipapython.dn.DN('cn=host enrollment,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage host keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=enroll a host,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add host password,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=teloip,dc=net')]<br>
> [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: get_memberof: result direct=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=teloip,dc=net'), ipapython.dn.DN('cn=trust admins,cn=groups,cn=accounts,dc=teloip,dc=net')] indirect=[ipapython.dn.DN('cn=replication administrators,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=modify replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=remove replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=unlock user accounts,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage service keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=host enrollment,cn=privileges,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=manage host keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=enroll a host,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add host password,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=teloip,dc=net')]<br>
> [Thu Jul 21 11:00:38 2016] [error] ipa: INFO: <a href="mailto:admin@TELOIP.NET" target="_blank">admin@TELOIP.NET</a>: user_show(u'admin', rights=False, all=False, raw=False, version=u'2.46'): SUCCESS<br>
> [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: response: entries returned 1<br>
> [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: Destroyed connection context.ldap2<br>
> [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: reading ccache data from file "/var/run/ipa_memcached/krbcc_13554"<br>
> [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: store session: session_id=10c5de02f8ae0f3969b96ef0f2e3a96d start_timestamp=2016-07-21T10:43:26 access_timestamp=2016-07-21T11:00:38 expiration_timestamp=2016-07-21T11:20:38<br>
><br>
> *[root@caer ~]# tail -f /var/log/pki-ca/debug*<br>
> [21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: curReqId: 9990001<br>
> [21/Jul/2016:11:08:29][CertStatusUpdateThread]: getElementAt: 1 mTop 107<br>
> [21/Jul/2016:11:08:29][CertStatusUpdateThread]: reverse direction getting index 4<br>
> [21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: curReqId: 112<br>
> [21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: getLastRequestId : returning value 112<br>
> [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Repository: mLastSerialNo: 112<br>
> [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Serial numbers left in range: 9989888<br>
> [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Last Serial Number: 112<br>
> [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Serial Numbers available: 9989888<br>
> [21/Jul/2016:11:08:29][CertStatusUpdateThread]: request checkRanges done<br>
><br>
> *[root@caer ~]# tail -f /var/log/pki-ca/transactions*<br>
> 6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:17:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,912 last update time: 7/20/16 5:00 PM next update time: 7/20/16 9:00 PM Number of entries in the CRL: 11 time: 25 CRL time: 25 delta CRL time: 0 (0,0,0,0,0,0,0,8,17,0,0,25,25)<br>
> 6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:21:00:00 EDT] [20] [1] CRL update started. CRL ID: MasterCRL CRL Number: 8,913 Delta CRL Enabled: false CRL Cache Enabled: true Cache Recovery Enabled: true Cache Cleared: false Cache: 11,0,0,0<br>
> 6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:21:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,913 last update time: 7/20/16 9:00 PM next update time: 7/21/16 1:00 AM Number of entries in the CRL: 11 time: 11 CRL time: 11 delta CRL time: 0 (0,0,0,0,0,0,0,6,5,0,0,11,11)<br>
> 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:01:00:00 EDT] [20] [1] CRL update started. CRL ID: MasterCRL CRL Number: 8,914 Delta CRL Enabled: false CRL Cache Enabled: true Cache Recovery Enabled: true Cache Cleared: false Cache: 11,0,0,0<br>
> 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:01:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,914 last update time: 7/21/16 1:00 AM next update time: 7/21/16 5:00 AM Number of entries in the CRL: 11 time: 13 CRL time: 13 delta CRL time: 0 (0,0,0,0,0,0,0,6,7,0,0,13,13)<br>
> 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:05:00:00 EDT] [20] [1] CRL update started. CRL ID: MasterCRL CRL Number: 8,915 Delta CRL Enabled: false CRL Cache Enabled: true Cache Recovery Enabled: true Cache Cleared: false Cache: 11,0,0,0<br>
> 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:05:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,915 last update time: 7/21/16 5:00 AM next update time: 7/21/16 9:00 AM Number of entries in the CRL: 11 time: 16 CRL time: 16 delta CRL time: 0 (0,0,0,0,0,0,0,8,8,0,0,16,16)<br>
> 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:09:00:00 EDT] [20] [1] CRL update started. CRL ID: MasterCRL CRL Number: 8,916 Delta CRL Enabled: false CRL Cache Enabled: true Cache Recovery Enabled: true Cache Cleared: false Cache: 11,0,0,0<br>
> 6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:09:00:00 EDT] [20] [1] CRL Update completed. CRL ID: MasterCRL CRL Number: 8,916 last update time: 7/21/16 9:00 AM next update time: 7/21/16 1:00 PM Number of entries in the CRL: 11 time: 13 CRL time: 13 delta CRL time: 0 (0,0,0,0,0,0,0,6,7,0,0,13,13)<br>
> 10657.http-9443-2 - [21/Jul/2016:10:28:19 EDT] [20] [1] renewal reqID 112 fromAgent userID: ipara authenticated by certUserDBAuthMgr is completed DN requested: CN=CA Audit,O=<a href="http://TELOIP.NET" rel="noreferrer" target="_blank">TELOIP.NET</a> cert issued serial number: 0x47 time: 39<br>
><br>
> *[root@caer ~]# tail -f /var/log/pki-ca/selftests.log*<br>
> 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters<br>
> 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances<br>
> 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters<br>
> 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order<br>
> 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order<br>
> 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!<br>
> 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:<br>
> 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] CAPresence: CA is present<br>
> 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SystemCertsVerification: system certs verification failure<br>
> 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!<br>
><br>
> But interestingly, [root@caer ~]# ipa cert-show 1 returns "*ipa: ERROR: Certificate operation cannot be completed: Unable to</blockquote>
</blockquote></div><br></div></div>
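An added example, not FreeIPA or Dogtag code and not from anyone in this thread, of the check Petr's reply points at: run the same per-certificate validation that the SystemCertsVerification self-test performs, see which CA system certificate fails and why, and confirm from selftests.log whether a CRITICAL startup failure is what keeps the CA down. The NSS database path and the nickname-to-usage mapping are assumptions that match a Dogtag 9 / FreeIPA 3.x CA instance; the selftests.log lines and certutil outputs embedded below are constructed for offline use, not taken from this thread.

```python
import re
import subprocess

NSS_DB = "/var/lib/pki-ca/alias"  # CA NSS database on a Dogtag 9 / FreeIPA 3.x CA (assumed)

# Nickname -> certutil -u usage letter (assumed mapping, matching what each
# cert is used for: L = SSL CA, O = OCSP responder, V = SSL server,
# C = SSL client, J = object signer).
SYSTEM_CERTS = {
    "caSigningCert cert-pki-ca": "L",
    "ocspSigningCert cert-pki-ca": "O",
    "Server-Cert cert-pki-ca": "V",
    "subsystemCert cert-pki-ca": "C",
    "auditSigningCert cert-pki-ca": "J",
}


def certutil_verify_cmd(nickname, usage, db=NSS_DB):
    """argv for `certutil -V`, which applies the NSS validity checks
    (chain, expiry, usage) that the Dogtag self-test relies on."""
    return ["certutil", "-V", "-d", db, "-n", nickname, "-u", usage]


def parse_certutil_verify(output):
    """certutil -V prints 'certutil: certificate is valid.' or
    'certutil: certificate is invalid: <reason>'. Return (ok, reason)."""
    m = re.search(r"certificate is (valid|invalid)\.?(?::\s*(.*))?", output)
    if not m:
        return False, "unrecognised certutil output: " + output.strip()
    return m.group(1) == "valid", (m.group(2) or "").strip()


def run_certutil(argv):
    """Real runner. certutil exits non-zero for an invalid cert, so the
    exit status is deliberately not treated as an error here."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def verify_system_certs(run=run_certutil, certs=SYSTEM_CERTS, db=NSS_DB):
    """Verify every system cert; return {nickname: (ok, reason)}."""
    return {nick: parse_certutil_verify(run(certutil_verify_cmd(nick, usage, db)))
            for nick, usage in certs.items()}


# One line per failed plugin, as SelfTestSubsystem writes it to selftests.log.
SELFTEST_FAIL = re.compile(
    r"SelfTestSubsystem: The (\S+) self test plugin called (\S+) "
    r"running at (\S+) FAILED!")


def failed_selftests(selftests_log):
    """(severity, plugin, phase) for every failed plugin in the log text."""
    return [m.groups() for m in SELFTEST_FAIL.finditer(selftests_log)]


def ca_blocked_by_selftest(selftests_log):
    """Dogtag aborts CA startup when a CRITICAL startup self test fails."""
    return any(sev == "CRITICAL" and phase == "startup"
               for sev, _plugin, phase in failed_selftests(selftests_log))


def triage(selftests_log, run=run_certutil):
    """Which system certs fail verification, and whether the CA is blocked."""
    invalid = {nick: reason
               for nick, (ok, reason) in verify_system_certs(run).items() if not ok}
    return {"blocked": ca_blocked_by_selftest(selftests_log),
            "invalid_certs": invalid}


# Constructed samples (not captured from any real host) so the example runs
# offline; use run_certutil instead of fake_certutil on the CA host itself.
SAMPLE_SELFTESTS_LOG = """\
1234.main - [01/Jan/2016:00:00:00 EST] [20] [1] CAPresence: CA is present
1234.main - [01/Jan/2016:00:00:00 EST] [20] [1] SystemCertsVerification: system certs verification failure
1234.main - [01/Jan/2016:00:00:00 EST] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
"""

SAMPLE_CERTUTIL_OUTPUT = {
    "caSigningCert cert-pki-ca": "certutil: certificate is valid.\n",
    "ocspSigningCert cert-pki-ca": "certutil: certificate is valid.\n",
    "Server-Cert cert-pki-ca": "certutil: certificate is valid.\n",
    "subsystemCert cert-pki-ca": "certutil: certificate is invalid: Peer's Certificate has expired.\n",
    "auditSigningCert cert-pki-ca": "certutil: certificate is valid.\n",
}


def fake_certutil(argv):
    """Offline stand-in for run_certutil, keyed on the -n nickname argument."""
    return SAMPLE_CERTUTIL_OUTPUT[argv[argv.index("-n") + 1]]


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_SELFTESTS_LOG, run=fake_certutil), indent=2))
```

On the CA host, call `triage(open("/var/log/pki-ca/selftests.log").read())` with the default runner. Note that `certutil -V` validates against the trust stored in that NSS database, so a missing or wrongly trusted CA certificate shows up as a chain error rather than an expiry, and a duplicate nickname makes certutil pick one of the copies, which is a reason to clean duplicates out before trusting the result.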