<html><head></head><body><div style="color:#000; background-color:#fff; font-family:bookman old style, new york, times, serif;font-size:13px"><div dir="ltr" id="yui_3_16_0_ym19_1_1469814286243_38063"><span id="yui_3_16_0_ym19_1_1469814286243_37984">I set time back on master ca and was able to renew its certs except for one that has yet to expire but should have renewed. I tried to resubmit it but it still does not renew and status says NEED_CSR_GEN_TOKEN. We do have a go daddy cert we use as well but it is valid still. Is it because of the nickname mismatches? I am not sure how to fix that.<br></span></div><div id="yui_3_16_0_ym19_1_1469814286243_39309" dir="ltr"><span id="yui_3_16_0_ym19_1_1469814286243_37984"><br></span></div><div id="yui_3_16_0_ym19_1_1469814286243_38106"><span id="yui_3_16_0_ym19_1_1469814286243_37984">ipa1-example.com</span></div><div id="yui_3_16_0_ym19_1_1469814286243_39003"><span id="yui_3_16_0_ym19_1_1469814286243_37984"><br></span></div><div id="yui_3_16_0_ym19_1_1469814286243_38115" dir="ltr"><span id="yui_3_16_0_ym19_1_1469814286243_38187">Request ID '20140729215756':<br id="yui_3_16_0_ym19_1_1469814286243_38092">    status: NEED_CSR_GEN_TOKEN<br id="yui_3_16_0_ym19_1_1469814286243_38093">    stuck: yes<br id="yui_3_16_0_ym19_1_1469814286243_38094">    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-</span><span id="yui_3_16_0_ym19_1_1469814286243_38196"><span id="yui_3_16_0_ym19_1_1469814286243_38188">EXAMPLE</span>-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-</span><span id="yui_3_16_0_ym19_1_1469814286243_38178"><span id="yui_3_16_0_ym19_1_1469814286243_38197">EXAMPLE</span>-COM/pwdfile.txt'<br id="yui_3_16_0_ym19_1_1469814286243_38095">    certificate: type=NSSDB,location='/etc/dirsrv/slapd-</span><span id="yui_3_16_0_ym19_1_1469814286243_37984"><span id="yui_3_16_0_ym19_1_1469814286243_38179">EXAMPLE</span>-COM',nickname='Server-Cert',token='NSS Certificate DB'<br 
id="yui_3_16_0_ym19_1_1469814286243_38096">    CA: IPA<br id="yui_3_16_0_ym19_1_1469814286243_38097">    issuer: CN=Certificate Authority,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469814286243_38098">    subject: CN=ipa1.example.com,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469814286243_38099">    expires: 2016-07-29 20:39:21 UTC<br id="yui_3_16_0_ym19_1_1469814286243_38100">    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br id="yui_3_16_0_ym19_1_1469814286243_38101">    eku: id-kp-serverAuth,id-kp-clientAuth<br id="yui_3_16_0_ym19_1_1469814286243_38102">    pre-save command: <br id="yui_3_16_0_ym19_1_1469814286243_38103">    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM<br id="yui_3_16_0_ym19_1_1469814286243_38104">    track: yes<br id="yui_3_16_0_ym19_1_1469814286243_38105">    auto-renew: yes</span></div><div id="yui_3_16_0_ym19_1_1469814286243_39004" dir="ltr"><span id="yui_3_16_0_ym19_1_1469814286243_37984"><br></span></div><div id="yui_3_16_0_ym19_1_1469814286243_39094" dir="ltr"><span id="yui_3_16_0_ym19_1_1469814286243_37984">certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM/<br id="yui_3_16_0_ym19_1_1469814286243_39066"><br id="yui_3_16_0_ym19_1_1469814286243_39067">Certificate Nickname                                         Trust Attributes<br id="yui_3_16_0_ym19_1_1469814286243_39068">                                                             SSL,S/MIME,JAR/XPI<br id="yui_3_16_0_ym19_1_1469814286243_39069"><br id="yui_3_16_0_ym19_1_1469814286243_39070">NWF_GD                                                       u,u,u<br id="yui_3_16_0_ym19_1_1469814286243_39071">CN=Certificate Authority,O=EXAMPLE.COM                      CT,,C<br id="yui_3_16_0_ym19_1_1469814286243_39072">OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US CT,,C<br id="yui_3_16_0_ym19_1_1469814286243_39073">GD_CA                                                        CT,,C<br 
id="yui_3_16_0_ym19_1_1469814286243_39074">CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US CT,,C<br id="yui_3_16_0_ym19_1_1469814286243_39075"><br id="yui_3_16_0_ym19_1_1469814286243_39076"><br id="yui_3_16_0_ym19_1_1469814286243_39077">certutil -L -d /etc/dirsrv/slapd-PKI-IPA/<br id="yui_3_16_0_ym19_1_1469814286243_39078"><br id="yui_3_16_0_ym19_1_1469814286243_39079">Certificate Nickname                                         Trust Attributes<br id="yui_3_16_0_ym19_1_1469814286243_39080">                                                             SSL,S/MIME,JAR/XPI<br id="yui_3_16_0_ym19_1_1469814286243_39081"><br id="yui_3_16_0_ym19_1_1469814286243_39082">EXAMPLE.COM IPA CA                                          CT,C,<br id="yui_3_16_0_ym19_1_1469814286243_39083">Server-Cert                                                  u,u,u<br id="yui_3_16_0_ym19_1_1469814286243_39084"><br id="yui_3_16_0_ym19_1_1469814286243_39085"><br id="yui_3_16_0_ym19_1_1469814286243_39086">certutil -L -d /etc/httpd/alias/<br id="yui_3_16_0_ym19_1_1469814286243_39087"><br id="yui_3_16_0_ym19_1_1469814286243_39088">Certificate Nickname                                         Trust Attributes<br id="yui_3_16_0_ym19_1_1469814286243_39089">                                                             SSL,S/MIME,JAR/XPI<br id="yui_3_16_0_ym19_1_1469814286243_39090"><br id="yui_3_16_0_ym19_1_1469814286243_39091">EXAMPLE.COM IPA CA                                           CT,C,<br id="yui_3_16_0_ym19_1_1469814286243_39092">ipaCert                                                      u,u,u<br id="yui_3_16_0_ym19_1_1469814286243_39093">Server-Cert                                                  u,u,u</span><br></div><div id="yui_3_16_0_ym19_1_1469814286243_37980" class="qtdSeparateBR"><br><div id="yui_3_16_0_ym19_1_1469814286243_38332">My other servers had varying degrees of success with their expired certificates: I have one server that would not renew 6 of its certs, 1 that would not renew 2 of its certs and 1 that would not renew 1 of its certs. These are examples of the last two - I will save the one that won't renew 6 as I am hoping I can apply the same steps to those failures.<br></div><div id="yui_3_16_0_ym19_1_1469814286243_38703"><br></div><div id="yui_3_16_0_ym19_1_1469814286243_38749" dir="ltr"><b id="yui_3_16_0_ym19_1_1469814286243_39135">ipa2.example.com - 2 won't renew - one CA_UNREACHABLE even after successful restart of services and one NEED_CSR_GEN_TOKEN</b></div><div id="yui_3_16_0_ym19_1_1469814286243_38750"><br id="yui_3_16_0_ym19_1_1469814286243_38751"></div>Request ID '20140729215756':<br id="yui_3_16_0_ym19_1_1469814286243_38752">    status: NEED_CSR_GEN_TOKEN<br id="yui_3_16_0_ym19_1_1469814286243_38753">    stuck: yes<br id="yui_3_16_0_ym19_1_1469814286243_38754">
 key pair storage: 
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
 Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'<br id="yui_3_16_0_ym19_1_1469814286243_38755">    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'<br id="yui_3_16_0_ym19_1_1469814286243_38756">    CA: IPA<br id="yui_3_16_0_ym19_1_1469814286243_38757">    issuer: CN=Certificate Authority,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469814286243_38758">    subject: CN=ipa2.example.com,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469814286243_38759">    expires: 2016-07-29 20:39:21 UTC<br id="yui_3_16_0_ym19_1_1469814286243_38760">    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br id="yui_3_16_0_ym19_1_1469814286243_38761">    eku: id-kp-serverAuth,id-kp-clientAuth<br id="yui_3_16_0_ym19_1_1469814286243_38762">    pre-save command: <br id="yui_3_16_0_ym19_1_1469814286243_38763">    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM<br id="yui_3_16_0_ym19_1_1469814286243_38764">    track: yes<br id="yui_3_16_0_ym19_1_1469814286243_38765">    auto-renew: yes<br id="yui_3_16_0_ym19_1_1469814286243_38766"><br id="yui_3_16_0_ym19_1_1469814286243_38767">Request ID '20140729215712':<br id="yui_3_16_0_ym19_1_1469814286243_38768">    status: CA_UNREACHABLE<br id="yui_3_16_0_ym19_1_1469814286243_38769">   
 ca-error: Error 60 connecting to 
https://ipa2.example.com:9443/ca/agent/ca/profileReview: Peer 
certificate cannot be authenticated with known CA certificates.<br id="yui_3_16_0_ym19_1_1469814286243_38770">    stuck: no<br id="yui_3_16_0_ym19_1_1469814286243_38771">   
 key pair storage: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert 
cert-pki-ca',token='NSS Certificate DB',pin set<br id="yui_3_16_0_ym19_1_1469814286243_38772">    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'<br id="yui_3_16_0_ym19_1_1469814286243_38773">    CA: dogtag-ipa-renew-agent<br id="yui_3_16_0_ym19_1_1469814286243_38774">    issuer: CN=Certificate Authority,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469814286243_38775">    subject: CN=ipa2.example.com,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469814286243_38776">    expires: 2016-07-18 21:57:06 UTC<br id="yui_3_16_0_ym19_1_1469814286243_38777">    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br id="yui_3_16_0_ym19_1_1469814286243_38778">    eku: id-kp-serverAuth<br id="yui_3_16_0_ym19_1_1469814286243_38779">    pre-save command: <br id="yui_3_16_0_ym19_1_1469814286243_38780">    post-save command: <br id="yui_3_16_0_ym19_1_1469814286243_38781">    track: yes<br id="yui_3_16_0_ym19_1_1469814286243_38782"><div id="yui_3_16_0_ym19_1_1469814286243_38784" dir="ltr">    auto-renew: yes</div><div id="yui_3_16_0_ym19_1_1469814286243_38576"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1469814286243_38577"><b>ipa3 - 1 won't renew NEED_CSR_GEN_TOKEN</b></div><div id="yui_3_16_0_ym19_1_1469814286243_38785" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1469814286243_38619" dir="ltr">Request ID '20140729215511':<br id="yui_3_16_0_ym19_1_1469814286243_38670">    status: NEED_CSR_GEN_TOKEN<br id="yui_3_16_0_ym19_1_1469814286243_38671">    stuck: yes<br id="yui_3_16_0_ym19_1_1469814286243_38672">    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'<br id="yui_3_16_0_ym19_1_1469814286243_38673">    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'<br id="yui_3_16_0_ym19_1_1469814286243_38674">    CA: 
IPA<br id="yui_3_16_0_ym19_1_1469814286243_38675">    issuer: CN=Certificate Authority,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469814286243_38676">    subject: CN=ipa3.example.com,O=EXAMPLE.COM<br id="yui_3_16_0_ym19_1_1469814286243_38677">    expires: 2016-07-29 20:38:41 UTC<br id="yui_3_16_0_ym19_1_1469814286243_38678">    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br id="yui_3_16_0_ym19_1_1469814286243_38679">    eku: id-kp-serverAuth,id-kp-clientAuth<br id="yui_3_16_0_ym19_1_1469814286243_38680">    pre-save command: <br id="yui_3_16_0_ym19_1_1469814286243_38681">    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM<br id="yui_3_16_0_ym19_1_1469814286243_38682">    track: yes<br id="yui_3_16_0_ym19_1_1469814286243_38683">    auto-renew: yes<br id="yui_3_16_0_ym19_1_1469814286243_38684"><br></div><div id="yui_3_16_0_ym19_1_1469814286243_38346"><br></div><br id="yui_3_16_0_ym19_1_1469814286243_38509"><div id="yui_3_16_0_ym19_1_1469814286243_38510" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1469814286243_38349"><br></div></div><div style="display: block;" id="yui_3_16_0_ym19_1_1469814286243_37975" class="yahoo_quoted">  <div id="yui_3_16_0_ym19_1_1469814286243_37974" style="font-family: bookman old style, new york, times, serif; font-size: 13px;"> <div id="yui_3_16_0_ym19_1_1469814286243_37973" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yui_3_16_0_ym19_1_1469814286243_38239" dir="ltr"> <font id="yui_3_16_0_ym19_1_1469814286243_38238" face="Arial" size="2"> <hr size="1"> <b><span style="font-weight:bold;">From:</span></b> sipazzo <sipazzo@yahoo.com><br> <b><span style="font-weight: bold;">To:</span></b> Rob Crittenden <rcritten@redhat.com>; "freeipa-users@redhat.com" <freeipa-users@redhat.com> <br> <b><span style="font-weight: bold;">Sent:</span></b> Friday, July 29, 2016 4:06 PM<br> <b><span style="font-weight: 
bold;">Subject:</span></b> Re: [Freeipa-users] certificates expired - won't renew<br> </font> </div> <div id="yui_3_16_0_ym19_1_1469814286243_37972" class="y_msg_container"><br><div id="yiv9754817306"><div id="yui_3_16_0_ym19_1_1469814286243_37971"><div id="yui_3_16_0_ym19_1_1469814286243_37970" style="color:#000;background-color:#fff;font-family:bookman old style, new york, times, serif;font-size:13px;"><div id="yiv9754817306yui_3_16_0_ym19_1_1469814286243_17234">Rob you are awesome and I don't know what I would do without you. So I have two things going on obviously. Following your instructions it looks like the DM password has correctly been set. I cannot change the admin password as a test because I get the cert errors. I am going to retry setting dates back and requesting new certs again following some of the threads I have seen. Could you please just clarify two points? On my 4 servers all running as CAs do I only need to set the date back to prior to expired certs running ipa-getcert list or the earliest expired date when running getcert list? The getcert list shows certs that have been expired since June but the ipa-getcert shows more recent. Also, does it matter which servers I do first? 
Meaning should I set time back on my "master" CA first.</div><div id="yiv9754817306yui_3_16_0_ym19_1_1469814286243_17248"><br clear="none"></div><div id="yiv9754817306yui_3_16_0_ym19_1_1469814286243_17249">This is the expiration output info from my master:</div><div id="yiv9754817306yui_3_16_0_ym19_1_1469814286243_17251"><br clear="none"></div><div dir="ltr" id="yiv9754817306yui_3_16_0_ym19_1_1469814286243_17271">[root@ipa2 ~]# ipa-getcert list | grep expires<br id="yiv9754817306yui_3_16_0_ym19_1_1469814286243_17296" clear="none">    expires: 2016-08-26 16:41:24 UTC<br id="yiv9754817306yui_3_16_0_ym19_1_1469814286243_17297" clear="none">    expires: 2016-08-26 16:41:23 UTC<br id="yiv9754817306yui_3_16_0_ym19_1_1469814286243_17298" clear="none">    expires: 2016-08-26 16:41:24 UTC<br id="yiv9754817306yui_3_16_0_ym19_1_1469814286243_17299" clear="none">[root@ipa2 ~]# getcert list | grep expires<br id="yiv9754817306yui_3_16_0_ym19_1_1469814286243_17300" clear="none">    expires: 2016-08-26 16:41:24 UTC<br id="yiv9754817306yui_3_16_0_ym19_1_1469814286243_17301" clear="none">    expires: 2016-08-15 16:47:26 UTC<br id="yiv9754817306yui_3_16_0_ym19_1_1469814286243_17302" clear="none">    expires: 2016-08-26 16:41:23 UTC<br id="yiv9754817306yui_3_16_0_ym19_1_1469814286243_17303" clear="none">    expires: 2016-08-26 16:41:24 UTC<br id="yiv9754817306yui_3_16_0_ym19_1_1469814286243_17304" clear="none">    expires: 2016-06-06 23:36:29 UTC<br id="yiv9754817306yui_3_16_0_ym19_1_1469814286243_17305" clear="none">    expires: 2016-06-06 23:36:28 UTC<br id="yiv9754817306yui_3_16_0_ym19_1_1469814286243_17306" clear="none">    expires: 2016-06-06 23:36:28 UTC<br id="yiv9754817306yui_3_16_0_ym19_1_1469814286243_17307" clear="none">    expires: 2016-06-06 23:37:09 UTC<br clear="none"></div><div id="yiv9754817306yui_3_16_0_ym19_1_1469814286243_17113"><span><br clear="none"></span></div><div id="yiv9754817306yui_3_16_0_ym19_1_1469814286243_17324"><span><br clear="none"></span></div><div 
id="yiv9754817306yui_3_16_0_ym19_1_1469814286243_17334"><span>Again thank you, as always.</span></div><div class="yiv9754817306qtdSeparateBR" id="yiv9754817306yui_3_16_0_ym19_1_1469814286243_17071"><br clear="none"><br clear="none"></div><div class="yiv9754817306yqt6900886666" id="yiv9754817306yqt88493"><div class="yiv9754817306yahoo_quoted" id="yiv9754817306yui_3_16_0_ym19_1_1469814286243_17067" style="display:block;">  <div id="yiv9754817306yui_3_16_0_ym19_1_1469814286243_17066" style="font-family:bookman old style, new york, times, serif;font-size:13px;"> <div id="yiv9754817306yui_3_16_0_ym19_1_1469814286243_17065" style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;"> <div dir="ltr" id="yiv9754817306yui_3_16_0_ym19_1_1469814286243_17064"> <font id="yiv9754817306yui_3_16_0_ym19_1_1469814286243_17063" face="Arial" size="2"> </font><hr size="1"> <b><span style="font-weight:bold;">From:</span></b> Rob Crittenden <rcritten@redhat.com><br clear="none"> <b><span style="font-weight:bold;">To:</span></b> sipazzo <sipazzo@yahoo.com>; "freeipa-users@redhat.com" <freeipa-users@redhat.com> <br clear="none"> <b><span style="font-weight:bold;">Sent:</span></b> Friday, July 29, 2016 2:10 PM<br clear="none"> <b><span style="font-weight:bold;">Subject:</span></b> Re: [Freeipa-users] certificates expired - won't renew<br clear="none">  </div> <div class="yiv9754817306y_msg_container" id="yiv9754817306yui_3_16_0_ym19_1_1469814286243_17335"><br clear="none">sipazzo wrote:<br clear="none">> I have seen many threads on this so sorry to bring it up again but I<br clear="none">> have a freeipa domain, with 4 ipa servers running on redhat 6 version<br clear="none">> 3.0.0-50. The certificates are expired/expiring and will not renew and<br clear="none">> it is causing many issues for us. 
I have tried the many suggestions I<br clear="none">> have seen in the archives such as changing the time to prior to<br clear="none">> expiration and attempting renew by resubmitting the requests but they<br clear="none">> never renew. An example of getcert list from the first server that expired:<br clear="none">><br clear="none">> Number of certificates and requests being tracked: 8.<br clear="none"><br clear="none">[snip]<div class="yiv9754817306yqt7837235487" id="yiv9754817306yqtfd80442"><br clear="none"><br clear="none">> localhost log in /var/log/pki-ca have errors like:<br clear="none">> tail localhost.2016-07-29.log<br clear="none">> Jul 29, 2016 8:55:51 AM org.apache.catalina.core.StandardWrapperValve invoke<br clear="none">> SEVERE: Servlet.service() for servlet caProfileSubmit threw exception<br clear="none">> java.io.IOException: CS server is not ready to serve.<br clear="none">>      at<br clear="none">> com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:441)<br clear="none">>      at javax.servlet.http.HttpServlet.service(HttpServlet.java:723)<br clear="none">>      at<br clear="none">> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)<br clear="none">>      at<br clear="none">> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)<br clear="none">>      at<br clear="none">> com.netscape.cms.servlet.filter.EERequestFilter.doFilter(EERequestFilter.java:176)<br clear="none">>      at<br clear="none">> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)<br clear="none">>      at org.<br clear="none">><br clear="none">> Debug log in /var/log/pki-cacd<br clear="none">>   tail debug<br clear="none">> [29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password<br clear="none">> store initialized before.<br clear="none">> [29/Jul/2016:08:49:08][Timer-0]: CMSEngine: getPasswordStore(): password<br clear="none">> store initialized.<br clear="none">> [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable getLDAPConn:<br clear="none">> netscape.ldap.LDAPException: error result (49)<br clear="none">> [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable: unable to<br clear="none">> query sessionIds: java.io.IOException: Failed to connect to the internal<br clear="none">> database.<br clear="none">> [29/Jul/2016:08:49:08][Timer-0]: SecurityDomainSessionTable:<br clear="none">> getSessionIds: Error in disconnecting from database:<br clear="none">> java.lang.NullPointerException<br clear="none">> [29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password<br clear="none">> store initialized before.<br clear="none">> [29/Jul/2016:08:54:08][Timer-0]: CMSEngine: getPasswordStore(): password<br clear="none">> store initialized.<br clear="none">> [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable getLDAPConn:<br clear="none">> netscape.ldap.LDAPException: error result (49)<br clear="none">> [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable: unable to<br clear="none">> query sessionIds: java.io.IOException: Failed to connect to the internal<br clear="none">> database.<br clear="none">> [29/Jul/2016:08:54:08][Timer-0]: SecurityDomainSessionTable:<br clear="none">> getSessionIds: Error in disconnecting from database:<br clear="none">> java.lang.NullPointerException<br clear="none">><br clear="none">><br clear="none">> Performing most IPA commands results in errors such as ipa: ERROR: cert<br clear="none">> validation failed for "CN=ipa1.example.com,O=EXAMPLE.COM"<br clear="none">> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)<br clear="none">><br clear="none">> Not sure if it is related but we lost our first IPA server some time ago<br clear="none">> and had to promote another to the CA master. Also, due to someone<br clear="none">> leaving the company at the beginning of the year we had to change the<br clear="none">> directory manager password. I followed all the directions to do so but<br clear="none">> it does not seem like it was a completely smooth transaction.</div><br clear="none"><br clear="none">It is related. Your CA can't connect to its database. You must have <br clear="none">missed a step when updating the DM password.<br clear="none"><br clear="none">As a goof I just tried it on my RHEL 6 install and it seems to work, <br clear="none">this is what I did:<br clear="none"><br clear="none"># service dirsrv stop<br clear="none"># /usr/bin/pwdhash password<br clear="none"><br clear="none">edit both /etc/dirsrv/slapd-REALM/dse.ldif and <br clear="none">/etc/dirsrv/slapd-PKI-IPA/dse.ldif to set nsslapd-rootpw<br clear="none"><br clear="none"># service dirsrv start<br clear="none"><br clear="none">Check both of the new passwords:<br clear="none"><br clear="none"># ldapsearch -x -D "cn=directory manager" -W -s base -b "" <br clear="none">"objectclass=*"<br clear="none"># ldapsearch -h localhost -p 7389 -x -D "cn=directory manager" -W -s <br clear="none">base -b "" "objectclass=*"<br clear="none"><br clear="none">Update internaldb value in /etc/pki-ca/password.conf with the new password.<br clear="none"><br clear="none">Update and test the admin user password:<br clear="none"><br clear="none"># ldappasswd -h localhost -ZZ -p 7389 -x -D "cn=Directory Manager" -W -S <br clear="none">uid=admin,ou=people,o=ipaca<br clear="none"># ldapsearch -h localhost -ZZ -p 7389 -x -D <br clear="none">"uid=admin,ou=people,o=ipaca" -W -b "" -s base<br clear="none"><br clear="none">Restart the CA<br clear="none"><br clear="none"># service pki-cad restart<br clear="none"><br clear="none">Note that things _still_ aren't going to work so hot with all the <br clear="none">expired certs but if you go back in time you will at least have a chance <br clear="none">of renewing things.<br clear="none"><br clear="none">rob<div class="yiv9754817306yqt7837235487" id="yiv9754817306yqtfd55937"><br clear="none"></div><br clear="none"><br clear="none"></div> </div> </div>  </div></div></div></div></div><br><br></div> </div> </div>  </div></div></body></html>
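An added example, not part of this thread and not FreeIPA or certmonger code: a Python script that parses `getcert list` and `certutil -L` text and reports, per tracking request, a status other than MONITORING, a nickname that the NSS database the request points at does not actually contain (the "nickname mismatch" the question above asks about), and expiry relative to a reference time. The embedded `getcert list` text is constructed to mirror the requests posted above; the slapd-EXAMPLE-COM listing mirrors the posted `certutil -L` output (NWF_GD present, no Server-Cert), while the /var/lib/pki-ca/alias listing and the AUDIT_TIME reference time are assumptions. On a real server, replace the constants with the output of `getcert list` and of `certutil -L -d <location>` for every location the requests reference.

```python
import re
from datetime import datetime, timezone

# Constructed sample output modelled on the thread; not captured from a live host.
GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20140729215756':
    status: NEED_CSR_GEN_TOKEN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
    CA: IPA
    expires: 2016-07-29 20:39:21 UTC
Request ID '20140729215712':
    status: CA_UNREACHABLE
    ca-error: Error 60 connecting to https://ipa2.example.com:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    CA: dogtag-ipa-renew-agent
    expires: 2016-07-18 21:57:06 UTC
"""

# `certutil -L -d <location>` output per NSS DB (constructed). The slapd listing mirrors
# the post: NWF_GD is present but no 'Server-Cert'. The pki-ca listing is an assumption.
CERTUTIL_LISTINGS = {
    "/etc/dirsrv/slapd-EXAMPLE-COM": """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

NWF_GD                                                       u,u,u
CN=Certificate Authority,O=EXAMPLE.COM                       CT,,C
GD_CA                                                        CT,,C
""",
    "/var/lib/pki-ca/alias": """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
""",
}

AUDIT_TIME = datetime(2016, 7, 29, 21, 0, 0, tzinfo=timezone.utc)  # assumed reference "now"
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"
REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\s+([-\w ]+?):\s?(.*)$")             # "key pair storage: ..."
STORAGE_RE = re.compile(r"(\w+)=(?:'([^']*)'|([^,]*))")       # key='quoted value' or key=bare
TRUST_RE = re.compile(r"^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$")  # certutil trust-flag column


def parse_storage(spec):
    """Split "type=NSSDB,location='/x',nickname='Server-Cert',...,pin set" into a dict."""
    return {key: quoted or bare for key, quoted, bare in STORAGE_RE.findall(spec)}


def parse_getcert_list(text):
    """Parse `getcert list` into one dict per request: raw fields plus storage/expires_at/stuck."""
    requests, req = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            req = {"id": m.group(1)}
            requests.append(req)
            continue
        m = FIELD_RE.match(line)
        if req is not None and m:
            req[m.group(1)] = m.group(2).strip()
    for req in requests:
        exp = req.get("expires")
        req["expires_at"] = datetime.strptime(exp, EXPIRES_FMT).replace(tzinfo=timezone.utc) if exp else None
        req["stuck"] = req.get("stuck") == "yes"
        req["storage"] = parse_storage(req.get("key pair storage", ""))
    return requests


def parse_certutil_list(text):
    """Parse `certutil -L` output into {nickname: trust flags}; header lines carry no flag column."""
    certs = {}
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) == 2 and TRUST_RE.match(parts[1]):
            certs[parts[0].rstrip()] = parts[1]
    return certs


def audit(requests, listings, now):
    """Return {request id: [(finding, detail), ...]} for what would block a renewal."""
    findings = {}
    for req in requests:
        problems = []
        if req.get("status") != "MONITORING":
            problems.append(("status", req.get("status", "")))
        if req["stuck"]:
            problems.append(("stuck", "yes"))
        store = req["storage"]
        if store.get("type") == "NSSDB":
            db = parse_certutil_list(listings.get(store.get("location", ""), ""))
            if store.get("nickname") not in db:  # tracked nickname absent from that NSS DB
                problems.append(("nickname-missing", store.get("nickname", "")))
        if req["expires_at"] is not None and req["expires_at"] <= now:
            problems.append(("expired", req["expires"]))
        findings[req["id"]] = problems
    return findings


def earliest_expiry(requests):
    """Earliest 'expires' among tracked certs; a clock rollback has to land before this date."""
    dates = [r["expires_at"] for r in requests if r["expires_at"] is not None]
    return min(dates) if dates else None


if __name__ == "__main__":
    reqs = parse_getcert_list(GETCERT_LIST)
    for req_id, problems in audit(reqs, CERTUTIL_LISTINGS, AUDIT_TIME).items():
        print(req_id, problems or "ok")
    print("earliest tracked expiry:", earliest_expiry(reqs))
```

With the constructed input, request 20140729215756 is reported with status NEED_CSR_GEN_TOKEN, stuck, nickname-missing (Server-Cert is tracked, but the listed database only holds NWF_GD) and expired; request 20140729215712 is reported with status CA_UNREACHABLE and expired, and its nickname is found. The earliest tracked expiry is the date the "set the clock back" workaround has to get behind for every request on that host.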
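Rob's procedure above is three edits that have to agree: the nsslapd-rootpw hash in both dse.ldif files and the internaldb plaintext in /etc/pki-ca/password.conf. The following is an added example, not Rob's code and not 389-ds or Dogtag code, that models those edits on constructed file contents and simulates the CA's Directory Manager bind against each instance, so a skipped file shows up as a failed bind (the LDAP result 49 in the debug log above is invalidCredentials). It uses the {SSHA} construction 389-ds stores, base64 of sha1(password + salt) followed by the 8-byte salt; the file contents, the password values and the function names are assumptions, and editing the real dse.ldif is only valid while dirsrv is stopped, as in Rob's steps.

```python
import base64
import hashlib
import hmac
import os
import re

ROOTPW_RE = re.compile(r"^nsslapd-rootpw: (\S+)$", re.M)
INTERNALDB_RE = re.compile(r"^internaldb=(.*)$", re.M)


def ssha_hash(password, salt=None):
    """{SSHA} as 389-ds stores it: base64(sha1(password + salt) + salt) with an 8-byte salt."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a plaintext against a stored {SSHA} value, as the server does on a simple bind."""
    if not stored or not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)


def get_rootpw(dse_ldif):
    m = ROOTPW_RE.search(dse_ldif)
    return m.group(1) if m else None


def set_rootpw(dse_ldif, new_hash):
    """Replace nsslapd-rootpw in dse.ldif text (the edit made while dirsrv is stopped)."""
    if get_rootpw(dse_ldif) is None:
        raise ValueError("nsslapd-rootpw not present in dse.ldif")
    return ROOTPW_RE.sub(lambda _: "nsslapd-rootpw: " + new_hash, dse_ldif, count=1)


def get_internaldb(password_conf):
    m = INTERNALDB_RE.search(password_conf)
    return m.group(1) if m else None


def set_internaldb(password_conf, new_password):
    """Replace the internaldb= line the CA reads to bind as Directory Manager."""
    if get_internaldb(password_conf) is None:
        raise ValueError("internaldb= not present in password.conf")
    return INTERNALDB_RE.sub(lambda _: "internaldb=" + new_password, password_conf, count=1)


def ca_bind_status(dse_by_instance, password_conf):
    """Simulate the CA binding with the password.conf secret against each instance's rootpw."""
    pw = get_internaldb(password_conf) or ""
    return {name: ssha_verify(pw, get_rootpw(dse)) for name, dse in dse_by_instance.items()}


def rotate_dm_password(dse_by_instance, password_conf, new_password):
    """All three edits from the procedure, applied together so none can be skipped."""
    new_hash = ssha_hash(new_password)
    return ({name: set_rootpw(dse, new_hash) for name, dse in dse_by_instance.items()},
            set_internaldb(password_conf, new_password))


def dse_ldif_with(rootpw):
    """Minimal cn=config entry (constructed); a real dse.ldif carries many more attributes."""
    return "dn: cn=config\nnsslapd-rootdn: cn=Directory Manager\nnsslapd-rootpw: %s\n" % rootpw


# Constructed sample files using the thread's paths; passwords are invented.
DSE_FILES = {
    "/etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif": dse_ldif_with(ssha_hash("OldDMpass")),
    "/etc/dirsrv/slapd-PKI-IPA/dse.ldif": dse_ldif_with(ssha_hash("OldDMpass")),
}
PASSWORD_CONF = "internal=NssTokenPin\ninternaldb=OldDMpass\nreplicationdb=ReplPin\n"


def partial_rotation(dse_by_instance, password_conf, new_password):
    """The failure mode in the thread: the realm instance and password.conf get updated, PKI-IPA does not."""
    realm = "/etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif"
    dse = dict(dse_by_instance)
    dse[realm] = set_rootpw(dse[realm], ssha_hash(new_password))
    return dse, set_internaldb(password_conf, new_password)


if __name__ == "__main__":
    print("before rotation:", ca_bind_status(DSE_FILES, PASSWORD_CONF))
    dse, conf = partial_rotation(DSE_FILES, PASSWORD_CONF, "NewDMpass")
    print("PKI-IPA dse.ldif skipped:", ca_bind_status(dse, conf))  # PKI-IPA bind fails
    dse, conf = rotate_dm_password(DSE_FILES, PASSWORD_CONF, "NewDMpass")
    print("all three edited:", ca_bind_status(dse, conf))
```

The CA binds to the PKI-IPA instance (port 7389 in Rob's ldapsearch), so the partial rotation is exactly the case where the realm directory accepts the new password while the CA's own database returns result 49 and the CA reports "Failed to connect to the internal database". The two `ldapsearch` checks in the procedure are the live equivalent of `ca_bind_status`.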