<div dir="ltr"><div>I have a three-node IPA cluster.</div><div><br></div><div>ipa11.mgmt - was a master over 6 months ago</div><div>ipa13.mgmt - current master</div><div>ipa12.mgmt</div><div><br></div><div>ipa13 has agreements with ipa11 and ipa12.  ipa11 and ipa12 do not have agreements between each other.</div><div><br></div><div>It appears that ipa12.mgmt lost some level of its replication agreement with ipa13.  I say some level because users / hosts were replicated between all systems but we started seeing DNS was not resolving properly from ipa12.  I do not know when this started.</div><div><br></div><div>When looking at replication agreements on ipa12 I did not see any agreement with ipa13.</div><div><br></div><div>When I run ipa-replica-manage list all three hosts show as master.</div><div><br></div><div>When I run ipa-replica-manage ipa11.mgmt I see ipa13.mgmt is a replica.</div><div><br></div><div>When I run ipa-replica-manage ipa12.mgmt nothing is returned.</div><div><br></div><div>I ran ipa-replica-manage connect --cacert=/etc/ipa/ca.crt <a href="http://ipa12.mgmt.crosschx.com">ipa12.mgmt.crosschx.com</a> <a href="http://ipa13.mgmt.crosschx.com">ipa13.mgmt.crosschx.com</a> on ipa12.mgmt.</div><div><br></div><div>I then ran the following:</div><div><br></div><div>ipa-replica-manage force-sync --from <a href="http://ipa13.mgmt.crosschx.com">ipa13.mgmt.crosschx.com</a></div><div><br></div><div>ipa-replica-manage re-initialize --from <a href="http://ipa13.mgmt.crosschx.com">ipa13.mgmt.crosschx.com</a></div><div><br></div><div>I was still seeing bad DNS returns when dig'ing against ipa12.mgmt.  I was able to create user and DNS records and see the information replicated properly across all three nodes.</div><div><br></div><div>I then ran ipactl stop on ipa12.mgmt and then ipactl start on ipa12.mgmt because I wanted to make sure everything was running fresh after the changes above.  
While IPA was starting up (DNS started) we were able to see valid DNS queries returned but pki-tomcat would not start.</div><div><br></div><div><div>I am not sure what I need to do in order to get this working.  I have included the output of certutil and getcert below from all three servers as well as the debug output for pki.</div><div><br></div><div><br></div><div>While the IPA system is coming up I am able to successfully run ldapsearch -x as the root user and see results.  I am also able to log in with the "cn=Directory Manager" account and see results.</div></div><div><br></div><div><br></div><div>The debug log shows the following error.</div><div><br></div><div><br></div><div><div>[03/May/2017:21:22:01][localhost-startStop-1]: ============================================</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: =====  DEBUG SUBSYSTEM INITIALIZED   =======</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: ============================================</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? 
/var/lib/pki/pki-tomcat/logs/autoShutdown.crumb</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=debug</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized debug</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=log</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=log</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=log</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized log</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=jss</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=jss</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? 
false</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=jss</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized jss</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=dbs</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: DBSubsystem: init()  mEnableSerialMgmt=true</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem)</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory: init</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory:doCloning true</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init()</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init begins</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init ends</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: init: before makeConnection errorIfDown is true</div><div>[03/May/2017:21:22:01][localhost-startStop-1]: makeConnection: errorIfDown true</div><div>[03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca</div><div>[03/May/2017:21:22:02][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca</div><div>[03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificatSelectionCB: 
Entering!</div><div>[03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null</div><div>[03/May/2017:21:22:02][localhost-startStop-1]: SSL handshake happened</div><div>Could not connect to LDAP server host <a href="http://ipa12.mgmt.crosschx.com">ipa12.mgmt.crosschx.com</a> port 636 Error netscape.ldap.LDAPException: Authentication failed (48)</div><div>  at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)</div><div>  at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)</div><div>  at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)</div><div>  at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)</div><div>  at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)</div><div>  at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)</div><div>  at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)</div><div>  at com.netscape.certsrv.apps.CMS.init(CMS.java:187)</div><div>  at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)</div><div>  at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)</div><div>  at javax.servlet.GenericServlet.init(GenericServlet.java:158)</div><div>  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)</div><div>  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)</div><div>  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)</div><div>  at java.lang.reflect.Method.invoke(Method.java:498)</div><div>  at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)</div><div>  at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)</div><div>  at java.security.AccessController.doPrivileged(Native Method)</div><div>  at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)</div><div>  at 
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)</div><div>  at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)</div><div>  at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)</div><div>  at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)</div><div>  at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)</div><div>  at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)</div><div>  at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)</div><div>  at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)</div><div>  at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)</div><div>  at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)</div><div>  at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)</div><div>  at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)</div><div>  at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)</div><div>  at java.security.AccessController.doPrivileged(Native Method)</div><div>  at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)</div><div>  at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)</div><div>  at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)</div><div>  at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)</div><div>  at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)</div><div>  at java.util.concurrent.FutureTask.run(FutureTask.java:266)</div><div>  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)</div><div>  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)</div><div>  
at java.lang.Thread.run(Thread.java:745)</div><div>Internal Database Error encountered: Could not connect to LDAP server host <a href="http://ipa12.mgmt.crosschx.com">ipa12.mgmt.crosschx.com</a> port 636 Error netscape.ldap.LDAPException: Authentication failed (48)</div><div>  at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)</div><div>  at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)</div><div>  at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)</div><div>  at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)</div><div>  at com.netscape.certsrv.apps.CMS.init(CMS.java:187)</div><div>  at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)</div><div>  at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)</div><div>  at javax.servlet.GenericServlet.init(GenericServlet.java:158)</div><div>  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)</div><div>  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)</div><div>  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)</div><div>  at java.lang.reflect.Method.invoke(Method.java:498)</div><div>  at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)</div><div>  at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)</div><div>  at java.security.AccessController.doPrivileged(Native Method)</div><div>  at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)</div><div>  at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)</div><div>  at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)</div><div>  at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)</div><div>  at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)</div><div>  at 
org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)</div><div>  at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)</div><div>  at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)</div><div>  at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)</div><div>  at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)</div><div>  at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)</div><div>  at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)</div><div>  at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)</div><div>  at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)</div><div>  at java.security.AccessController.doPrivileged(Native Method)</div><div>  at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)</div><div>  at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)</div><div>  at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)</div><div>  at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)</div><div>  at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)</div><div>  at java.util.concurrent.FutureTask.run(FutureTask.java:266)</div><div>  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)</div><div>  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)</div><div>  at java.lang.Thread.run(Thread.java:745)</div><div>[03/May/2017:21:22:02][localhost-startStop-1]: CMSEngine.shutdown()</div></div><div><br></div><div><br></div><div><div class="gmail_signature"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><pre 
style="color:rgb(0,0,0);margin:0em">=============================</pre><pre style="color:rgb(0,0,0);margin:0em"><br></pre><pre style="margin:0em"><font color="#000000">IPA11.MGMT</font></pre><pre style="margin:0em"><font color="#000000">
(root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a> IPA CA                                     CT,C,C

(root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u





IPA13.MGMT
(root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a> IPA CA                                     CT,C,C

(root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u




IPA12.MGMT
(root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a> IPA CA                                     C,,

(root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u

=================================================

IPA11.MGMT
(root)>getcert list
Number of certificates and requests being tracked: 8.
Request ID '20161229155314':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  subject: CN=<a href="http://ipa11.mgmt.crosschx.com">ipa11.mgmt.crosschx.com</a>,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  expires: 2018-12-30 15:52:43 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command:
  post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM
  track: yes
  auto-renew: yes
Request ID '20161229155652':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  subject: CN=CA Audit,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  expires: 2018-11-12 13:00:29 UTC
  key usage: digitalSignature,nonRepudiation
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20161229155654':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  subject: CN=OCSP Subsystem,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  expires: 2018-11-12 13:00:26 UTC
  key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
  eku: id-kp-OCSPSigning
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20161229155655':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  subject: CN=CA Subsystem,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  expires: 2018-11-12 13:00:28 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20161229155657':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  subject: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  expires: 2036-11-22 13:00:25 UTC
  key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20161229155659':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  subject: CN=<a href="http://ipa11.mgmt.crosschx.com">ipa11.mgmt.crosschx.com</a>,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  expires: 2018-12-19 15:56:20 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20161229155921':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  subject: CN=<a href="http://ipa11.mgmt.crosschx.com">ipa11.mgmt.crosschx.com</a>,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  expires: 2018-12-30 15:52:46 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command:
  post-save command: /usr/libexec/ipa/certmonger/restart_httpd
  track: yes
  auto-renew: yes
Request ID '20161229160009':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  subject: CN=IPA RA,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  expires: 2018-11-12 13:01:34 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
  post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
  track: yes
  auto-renew: yes




  ==================================

IPA13.MGMT

(root)>getcert list
Number of certificates and requests being tracked: 8.
Request ID '20161229143449':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  subject: CN=<a href="http://ipa13.mgmt.crosschx.com">ipa13.mgmt.crosschx.com</a>,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  expires: 2018-12-30 14:34:20 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command:
  post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM
  track: yes
  auto-renew: yes
Request ID '20161229143826':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  subject: CN=CA Audit,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  expires: 2018-11-12 13:00:29 UTC
  key usage: digitalSignature,nonRepudiation
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20161229143828':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  subject: CN=OCSP Subsystem,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  expires: 2018-11-12 13:00:26 UTC
  key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
  eku: id-kp-OCSPSigning
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20161229143831':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  subject: CN=CA Subsystem,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  expires: 2018-11-12 13:00:28 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20161229143833':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  subject: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  expires: 2036-11-22 13:00:25 UTC
  key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20161229143835':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  subject: CN=<a href="http://ipa13.mgmt.crosschx.com">ipa13.mgmt.crosschx.com</a>,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  expires: 2018-12-19 14:37:54 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20161229144057':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  subject: CN=<a href="http://ipa13.mgmt.crosschx.com">ipa13.mgmt.crosschx.com</a>,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  expires: 2018-12-30 14:34:23 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command:
  post-save command: /usr/libexec/ipa/certmonger/restart_httpd
  track: yes
  auto-renew: yes
Request ID '20161229144146':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  subject: CN=IPA RA,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  expires: 2018-11-12 13:01:34 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
  post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
  track: yes
  auto-renew: yes



===========================

IPA12.MGMT

(root)>getcert list
Number of certificates and requests being tracked: 8.
Request ID '20161229151518':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  subject: CN=<a href="http://ipa12.mgmt.crosschx.com">ipa12.mgmt.crosschx.com</a>,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  expires: 2018-12-30 15:14:51 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command:
  post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM
  track: yes
  auto-renew: yes
Request ID '20161229151850':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  subject: CN=CA Audit,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  expires: 2018-11-12 13:00:29 UTC
  key usage: digitalSignature,nonRepudiation
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20161229151852':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  subject: CN=OCSP Subsystem,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  expires: 2018-11-12 13:00:26 UTC
  key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
  eku: id-kp-OCSPSigning
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20161229151854':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  subject: CN=CA Subsystem,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  expires: 2018-11-12 13:00:28 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20161229151856':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  subject: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  expires: 2036-11-22 13:00:25 UTC
  key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20161229151858':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  subject: CN=<a href="http://ipa12.mgmt.crosschx.com">ipa12.mgmt.crosschx.com</a>,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  expires: 2018-12-19 15:18:16 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20161229152115':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  subject: CN=<a href="http://ipa12.mgmt.crosschx.com">ipa12.mgmt.crosschx.com</a>,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  expires: 2018-12-30 15:14:54 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command:
  post-save command: /usr/libexec/ipa/certmonger/restart_httpd
  track: yes
  auto-renew: yes
Request ID '20161229152204':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  subject: CN=IPA RA,O=<a href="http://MGMT.CROSSCHX.COM">MGMT.CROSSCHX.COM</a>
  expires: 2018-11-12 13:01:34 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
  post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
  track: yes
  auto-renew: yes

</font><span style="color:rgb(0,0,0)">
</span></pre></div><div dir="ltr"><div dir="ltr" style="font-size:12.8px"><br></div><div dir="ltr"><b style="font-size:12.8px"><font size="2">Mike Plemmons | Senior DevOps Engineer | CROSSCHX<br></font></b><div>614.427.2411</div><div><a href="mailto:mike.plemmons@crosschx.com" style="font-size:12.8px" target="_blank">mike.plemmons@crosschx.com</a><br></div><div style="font-size:12.8px"><a href="http://www.crosschx.com/" target="_blank">www.crosschx.com</a></div></div></div></div></div></div></div></div></div></div></div></div>
</div>
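The `getcert list` dumps in this message are meant to be compared between replicas. As an added example (not part of the original post and not FreeIPA code), the parser below diffs two such listings by expiry and status. It assumes that entries whose `CA:` helper is `dogtag-ipa-ca-renew-agent` are the certificates shared between CA replicas; `parse_getcert`, `compare_shared` and the sample data are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed `getcert list` excerpts (made-up IDs and dates), trimmed to the fields read below.
REPLICA_A = """\
Number of certificates and requests being tracked: 2.
Request ID '20170101000001':
  status: MONITORING
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  expires: 2018-11-12 13:00:28 UTC
Request ID '20170101000002':
  status: MONITORING
  certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
  CA: IPA
  expires: 2018-12-30 14:34:23 UTC
"""
# Replica B: stale shared cert, plus a host cert whose different expiry is expected.
REPLICA_B = (REPLICA_A.replace("MONITORING", "CA_UNREACHABLE", 1)
             .replace("2018-11-12", "2016-11-12").replace("14:34:23", "15:14:54"))

def parse_getcert(text):
    """Map (NSS db location, nickname) -> fields of each tracked request."""
    certs = {}
    for block in re.split(r"(?m)^(?=Request ID ')", text):
        if not block.startswith("Request ID"):
            continue  # preamble: the "Number of certificates..." line
        f = dict(re.findall(r"(?m)^[ \t]+([^:\n]+):[ \t]*(.*)$", block))
        where = re.search(r"location='([^']*)',nickname='([^']*)'", f.get("certificate", ""))
        if where and "expires" in f:  # requests with no issued cert are skipped
            f["expires"] = datetime.strptime(f["expires"], "%Y-%m-%d %H:%M:%S UTC")
            certs[where.groups()] = f
    return certs

def compare_shared(a, b, now):
    """Findings for certs both replicas track via the shared-cert renewal helper."""
    out = []
    for key in sorted(a.keys() & b.keys()):
        if a[key].get("CA") != "dogtag-ipa-ca-renew-agent":
            continue  # host-specific certs legitimately differ per replica
        for host, c in (("A", a[key]), ("B", b[key])):
            if c.get("status") != "MONITORING":
                out.append((key[1], host, "status " + c.get("status", "?")))
            if c["expires"] < now:
                out.append((key[1], host, "expired"))
        if a[key]["expires"] != b[key]["expires"]:
            out.append((key[1], "A/B", "expiry differs"))
    return out
```

To use it on real data, save each server's `getcert list` output to a file and pass the file contents to `parse_getcert`.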