<div dir="ltr">I also looked at RUVs and here is what I found.  I do not know if anything here is helpful.<div><br></div><div><div>ldapsearch -ZZ -h <a href="http://ipa11.mgmt.crosschx.com">ipa11.mgmt.crosschx.com</a> -D "cn=Directory Manager" -W -b "o=ipaca" "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))" | grep "nsds50ruv\|nsDS5ReplicaId"</div><div>nsDS5ReplicaId: 1095</div><div>nsds50ruv: {replicageneration} 58344598000000600000</div><div>nsds50ruv: {replica 1095 ldap://<a href="http://ipa11.mgmt.crosschx.com:389">ipa11.mgmt.crosschx.com:389</a>} 5865323f000004470</div><div>nsds50ruv: {replica 86 ldap://<a href="http://ipa13.mgmt.crosschx.com:389">ipa13.mgmt.crosschx.com:389</a>} 58651fdb00000056000</div><div>nsds50ruv: {replica 96 ldap://<a href="http://ipa11.mgmt.crosschx.com:389">ipa11.mgmt.crosschx.com:389</a>} 5834459c00000060000</div><div>nsds50ruv: {replica 91 ldap://<a href="http://ipa13.mgmt.crosschx.com:389">ipa13.mgmt.crosschx.com:389</a>} 583449970000005b000</div><div>nsds50ruv: {replica 97 ldap://<a href="http://ipa12.mgmt.crosschx.com:389">ipa12.mgmt.crosschx.com:389</a>} 583445c300000061000</div><div>nsds50ruv: {replica 81 ldap://<a href="http://ipa12.mgmt.crosschx.com:389">ipa12.mgmt.crosschx.com:389</a>} 5865295600000051000</div><div><br></div><div>IPA12 - this is the problem node.</div><div>ldapsearch -ZZ -h <a href="http://ipa12.mgmt.crosschx.com">ipa12.mgmt.crosschx.com</a> -D "cn=Directory Manager" -W -b "o=ipaca" "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))" | grep "nsds50ruv\|nsDS5ReplicaId"</div><div>nsDS5ReplicaId: 81</div><div>nsds50ruv: {replicageneration} 58344598000000600000</div><div>nsds50ruv: {replica 81 ldap://<a href="http://ipa12.mgmt.crosschx.com:389">ipa12.mgmt.crosschx.com:389</a>} 5865295600000051000</div><div>nsds50ruv: {replica 96 ldap://<a href="http://ipa11.mgmt.crosschx.com:389">ipa11.mgmt.crosschx.com:389</a>} 5834459c00000060000</div><div>nsds50ruv: 
{replica 86 ldap://<a href="http://ipa13.mgmt.crosschx.com:389">ipa13.mgmt.crosschx.com:389</a>} 58651fdb00000056000</div><div>nsds50ruv: {replica 91 ldap://<a href="http://ipa13.mgmt.crosschx.com:389">ipa13.mgmt.crosschx.com:389</a>} 583449970000005b000</div><div>nsds50ruv: {replica 97 ldap://<a href="http://ipa12.mgmt.crosschx.com:389">ipa12.mgmt.crosschx.com:389</a>} 583445c300000061000</div><div><br></div><div>ldapsearch -ZZ -h <a href="http://ipa13.mgmt.crosschx.com">ipa13.mgmt.crosschx.com</a> -D "cn=Directory Manager" -W -b "o=ipaca" "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))" | grep "nsds50ruv\|nsDS5ReplicaId"</div><div>nsDS5ReplicaId: 86</div><div>nsds50ruv: {replicageneration} 58344598000000600000</div><div>nsds50ruv: {replica 86 ldap://<a href="http://ipa13.mgmt.crosschx.com:389">ipa13.mgmt.crosschx.com:389</a>} 58651fdb00000056000</div><div>nsds50ruv: {replica 1095 ldap://<a href="http://ipa11.mgmt.crosschx.com:389">ipa11.mgmt.crosschx.com:389</a>} 5865323f000004470</div><div>nsds50ruv: {replica 96 ldap://<a href="http://ipa11.mgmt.crosschx.com:389">ipa11.mgmt.crosschx.com:389</a>} 5834459c00000060000</div><div>nsds50ruv: {replica 91 ldap://<a href="http://ipa13.mgmt.crosschx.com:389">ipa13.mgmt.crosschx.com:389</a>} 583449970000005b000</div><div>nsds50ruv: {replica 97 ldap://<a href="http://ipa12.mgmt.crosschx.com:389">ipa12.mgmt.crosschx.com:389</a>} 583445c300000061000</div><div>nsds50ruv: {replica 81 ldap://<a href="http://ipa12.mgmt.crosschx.com:389">ipa12.mgmt.crosschx.com:389</a>} 5865295600000051000</div></div><div><br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><br></div><div dir="ltr"><div dir="ltr" style="font-size:12.8px"><br></div><div dir="ltr"><b style="font-size:12.8px"><font size="2">Mike Plemmons | 
Senior DevOps Engineer | CROSSCHX<br></font></b><div>614.427.2411</div><div><a href="mailto:mike.plemmons@crosschx.com" style="font-size:12.8px" target="_blank">mike.plemmons@crosschx.com</a><br></div><div style="font-size:12.8px"><a href="http://www.crosschx.com/" target="_blank">www.crosschx.com</a></div></div></div></div></div></div></div></div></div></div></div></div></div>
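<div>Added example, not part of the original message: a Python script that parses the three <code>ldapsearch</code> RUV outputs posted above and reports, per server, which replica IDs are absent from its RUV, whether a replica ID carries different CSN text on different servers, and which host URLs appear under more than one replica ID. The short server keys, the function names and the folded-line handling are assumptions of this example.</div>
<pre>
```python
import re

# RUV lines as posted in the message above, keyed by the server queried.
RUV_OUTPUT = {
    "ipa11": """\
nsDS5ReplicaId: 1095
nsds50ruv: {replicageneration} 58344598000000600000
nsds50ruv: {replica 1095 ldap://ipa11.mgmt.crosschx.com:389} 5865323f000004470
nsds50ruv: {replica 86 ldap://ipa13.mgmt.crosschx.com:389} 58651fdb00000056000
nsds50ruv: {replica 96 ldap://ipa11.mgmt.crosschx.com:389} 5834459c00000060000
nsds50ruv: {replica 91 ldap://ipa13.mgmt.crosschx.com:389} 583449970000005b000
nsds50ruv: {replica 97 ldap://ipa12.mgmt.crosschx.com:389} 583445c300000061000
nsds50ruv: {replica 81 ldap://ipa12.mgmt.crosschx.com:389} 5865295600000051000
""",
    "ipa12": """\
nsDS5ReplicaId: 81
nsds50ruv: {replicageneration} 58344598000000600000
nsds50ruv: {replica 81 ldap://ipa12.mgmt.crosschx.com:389} 5865295600000051000
nsds50ruv: {replica 96 ldap://ipa11.mgmt.crosschx.com:389} 5834459c00000060000
nsds50ruv: {replica 86 ldap://ipa13.mgmt.crosschx.com:389} 58651fdb00000056000
nsds50ruv: {replica 91 ldap://ipa13.mgmt.crosschx.com:389} 583449970000005b000
nsds50ruv: {replica 97 ldap://ipa12.mgmt.crosschx.com:389} 583445c300000061000
""",
    "ipa13": """\
nsDS5ReplicaId: 86
nsds50ruv: {replicageneration} 58344598000000600000
nsds50ruv: {replica 86 ldap://ipa13.mgmt.crosschx.com:389} 58651fdb00000056000
nsds50ruv: {replica 1095 ldap://ipa11.mgmt.crosschx.com:389} 5865323f000004470
nsds50ruv: {replica 96 ldap://ipa11.mgmt.crosschx.com:389} 5834459c00000060000
nsds50ruv: {replica 91 ldap://ipa13.mgmt.crosschx.com:389} 583449970000005b000
nsds50ruv: {replica 97 ldap://ipa12.mgmt.crosschx.com:389} 583445c300000061000
nsds50ruv: {replica 81 ldap://ipa12.mgmt.crosschx.com:389} 5865295600000051000
""",
}

ID_RE = re.compile(r"^nsDS5ReplicaId:\s*(\d+)", re.IGNORECASE)
GEN_RE = re.compile(r"^nsds50ruv:\s*\{replicageneration\}\s*(\S+)", re.IGNORECASE)
RUV_RE = re.compile(r"^nsds50ruv:\s*\{replica\s+(\d+)\s+(\S+?)\}\s*(.*)$", re.IGNORECASE)


def parse_ruv(text):
    """Parse ldapsearch output into the server's own ID, generation and RUV elements."""
    # LDIF folds long lines: a continuation starts with one space. Unfold first,
    # otherwise a wrapped nsds50ruv value is silently cut short.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    parsed = {"own_id": None, "generation": None, "elements": {}}
    for line in text.splitlines():
        line = line.strip()
        m = ID_RE.match(line)
        if m:
            parsed["own_id"] = int(m.group(1))
            continue
        m = GEN_RE.match(line)
        if m:
            parsed["generation"] = m.group(1)
            continue
        m = RUV_RE.match(line)
        if m:
            # Keep the CSN text raw; the example does not interpret it.
            parsed["elements"][int(m.group(1))] = (m.group(2), m.group(3).strip())
    return parsed


def compare(ruvs):
    """Compare parsed RUVs from several servers and return the differences."""
    all_ids = set()
    for r in ruvs.values():
        all_ids.update(r["elements"])
    missing = {srv: sorted(all_ids - set(r["elements"])) for srv, r in ruvs.items()}

    diverging = {}
    for rid in sorted(all_ids):
        seen = {srv: r["elements"][rid][1]
                for srv, r in ruvs.items() if rid in r["elements"]}
        if len(set(seen.values())) > 1:
            diverging[rid] = seen

    by_url = {}
    for r in ruvs.values():
        for rid, (url, _csn) in r["elements"].items():
            by_url.setdefault(url, set()).add(rid)
    multi = {url: sorted(ids) for url, ids in by_url.items() if len(ids) > 1}

    generations = {r["generation"] for r in ruvs.values()}
    return {"missing": missing, "diverging": diverging,
            "multi_id_urls": multi, "same_generation": len(generations) == 1}


if __name__ == "__main__":
    findings = compare({srv: parse_ruv(t) for srv, t in RUV_OUTPUT.items()})
    for srv, ids in findings["missing"].items():
        print(srv, "RUV lacks replica IDs:", ids or "none")
    print("same replica generation:", findings["same_generation"])
    print("replica IDs with differing CSN text:", findings["diverging"] or "none")
    for url, ids in sorted(findings["multi_id_urls"].items()):
        print(url, "is listed under replica IDs", ids)
```
</pre>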
<br><div class="gmail_quote">On Wed, May 3, 2017 at 10:52 PM, Michael Plemmons <span dir="ltr">&lt;<a href="mailto:michael.plemmons@crosschx.com" target="_blank">michael.plemmons@crosschx.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I ran another test.  I started IPA with the ignore service failure option and I tried doing ldap searches like this.<div><br></div><div>ldapsearch -H ldaps://<a href="http://ipa12.mgmt.crosschx.com" target="_blank">ipa12.mgmt.crosschx.<wbr>com</a></div><div><br></div><div>from both my laptop and from ipa11.mgmt and I get successful returns when logging in as the admin user and as the directory manager.</div><div><br></div><div>I then looked closer at the LDAP access logs for the last time I tried to start up PKI and got the auth failure and I see this.</div><div><br></div><div><br></div><div><div>[04/May/2017:02:22:45.<wbr>859021005 +0000] conn=12 fd=101 slot=101 SSL connection from 10.71.100.92 to 10.71.100.92</div><div>[04/May/2017:02:22:45.<wbr>875672450 +0000] conn=12 TLS1.2 256-bit AES</div><div>[04/May/2017:02:22:45.<wbr>940908536 +0000] conn=12 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL</div><div>[04/May/2017:02:22:45.<wbr>942441120 +0000] conn=12 op=0 RESULT err=48 tag=97 nentries=0 etime=0</div></div><div><br></div><div>Is dn="" supposed to be empty?</div><div><br></div><div><br></div></div><div class="gmail_extra"><br clear="all">
<br><div class="gmail_quote">On Wed, May 3, 2017 at 10:16 PM, Michael Plemmons <span dir="ltr">&lt;<a href="mailto:michael.plemmons@crosschx.com" target="_blank">michael.plemmons@crosschx.com</a><wbr>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I realized that I was not very clear in my statement about testing with ldapsearch.  I had initially run it without logging in with a DN.  I was just running the local ldapsearch -x command.  I then tested on ipa12.mgmt and ipa11.mgmt logging in with a full DN for the admin and "cn=Directory Manager" from ipa12.mgmt (broken server) and ipa11.mgmt and both ldapsearch commands succeeded. <div><br></div><div>I ran the following from ipa12.mgmt and ipa11.mgmt as a non root user.  I also ran the command showing a line count for the output and the line counts for each were the same when run from ipa12.mgmt and ipa11.mgmt.</div><div><br></div><div><div>ldapsearch -LLL -h <a href="http://ipa12.mgmt.crosschx.com" target="_blank">ipa12.mgmt.crosschx.com</a> -D "DN" -w PASSWORD -b "cn=users,cn=accounts,dc=mgmt,<wbr>dc=crosschx,dc=com" dn</div><div><br></div><div>ldapsearch -LLL -h <a href="http://ipa12.mgmt.crosschx.com" target="_blank">ipa12.mgmt.crosschx.com</a> -D "cn=directory manager" -w PASSWORD dn</div></div><div><br></div><div><br></div></div><div class="gmail_extra"><br clear="all">
<br><div class="gmail_quote">On Wed, May 3, 2017 at 5:28 PM, Michael Plemmons <span dir="ltr">&lt;<a href="mailto:michael.plemmons@crosschx.com" target="_blank">michael.plemmons@crosschx.com</a><wbr>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>I have a three node IPA cluster.</div><div><br></div><div>ipa11.mgmt - was a master over 6 months ago</div><div>ipa13.mgmt - current master</div><div>ipa12.mgmt</div><div><br></div><div>ipa13 has agreements with ipa11 and ipa12.  ipa11 and ipa12 do not have agreements between each other.</div><div><br></div><div>It appears that either ipa12.mgmt lost some level of its replication agreement with ipa13.  I saw some level because users / hosts were replicated between all systems but we started seeing DNS was not resolving properly from ipa12.  I do not know when this started.</div><div><br></div><div>When looking at replication agreements on ipa12 I did not see any agreement with ipa13.</div><div><br></div><div>When I run ipa-replica-manage list all three hosts show as master.</div><div><br></div><div>When I run ipa-replica-manage ipa11.mgmt I see ipa13.mgmt is a replica.</div><div><br></div><div>When I run ipa-replica-manage ipa12.mgmt nothing returned.</div><div><br></div><div>I ran ipa-replica-manage connect --cacert=/etc/ipa/ca.crt <a href="http://ipa12.mgmt.crosschx.com" target="_blank">ipa12.mgmt.crosschx.com</a> <a href="http://ipa13.mgmt.crosschx.com" target="_blank">ipa13.mgmt.crosschx.com</a> on ipa12.mgmt</div><div><br></div><div>I then ran the following</div><div><br></div><div>ipa-replica-manage force-sync --from <a href="http://ipa13.mgmt.crosschx.com" target="_blank">ipa13.mgmt.crosschx.com</a></div><div><br></div><div>ipa-replica-manage re-initialize --from <a href="http://ipa13.mgmt.crosschx.com" target="_blank">ipa13.mgmt.crosschx.com</a></div><div><br></div><div>I was still seeing bad DNS returns when dig'ing against 
ipa12.mgmt.  I was able to create user and DNS records and see the information replicated properly across all three nodes.</div><div><br></div><div>I then ran ipactl stop on ipa12.mgmt and then ipactl start on ipa12.mgmt because I wanted to make sure everything was running fresh after the changes above.  While IPA was starting up (DNS started) we were able to see valid DNS queries returned but pki-tomcat would not start.</div><div><br></div><div><div>I am not sure what I need to do in order to get this working.  I have included the output of certutil and getcert below from all three servers as well as the debug output for pki.</div><div><br></div><div><br></div><div>While the IPA system is coming up I am able to successfully run ldapsearch -x as the root user and see results.  I am also able to login with the "cn=Directory Manager" account and see results.</div></div><div><br></div><div><br></div><div>The debug log shows the following error.</div><div><br></div><div><br></div><div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: ==============================<wbr>==============</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: =====  DEBUG SUBSYSTEM INITIALIZED   =======</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: ==============================<wbr>==============</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: CMSEngine: restart at autoShutdown? false</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: CMSEngine: autoShutdown crumb file path? 
/var/lib/pki/pki-tomcat/logs/a<wbr>utoShutdown.crumb</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: CMSEngine: done init id=debug</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: CMSEngine: initialized debug</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: CMSEngine: initSubsystem id=log</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: CMSEngine: ready to init id=log</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: Creating RollingLogFile(/var/lib/pki/pk<wbr>i-tomcat/logs/ca/signedAudit/c<wbr>a_audit)</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: Creating RollingLogFile(/var/lib/pki/pk<wbr>i-tomcat/logs/ca/system)</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: Creating RollingLogFile(/var/lib/pki/pk<wbr>i-tomcat/logs/ca/transactions)</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: CMSEngine: restart at autoShutdown? false</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: CMSEngine: autoShutdown crumb file path? 
/var/lib/pki/pki-tomcat/logs/a<wbr>utoShutdown.crumb</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: CMSEngine: done init id=log</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: CMSEngine: initialized log</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: CMSEngine: initSubsystem id=jss</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: CMSEngine: ready to init id=jss</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: CMSEngine: restart at autoShutdown? false</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/a<wbr>utoShutdown.crumb</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: CMSEngine: done init id=jss</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: CMSEngine: initialized jss</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: CMSEngine: initSubsystem id=dbs</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: CMSEngine: ready to init id=dbs</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: DBSubsystem: init()  mEnableSerialMgmt=true</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: Creating LdapBoundConnFactor(DBSubsyste<wbr>m)</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: LdapBoundConnFactory: init</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: LdapBoundConnFactory:doCloning 
true</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: LdapAuthInfo: init()</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: LdapAuthInfo: init begins</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: LdapAuthInfo: init ends</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: init: before makeConnection errorIfDown is true</div><div>[03/May/2017:21:22:01][localho<wbr>st-startStop-1]: makeConnection: errorIfDown true</div><div>[03/May/2017:21:22:02][localho<wbr>st-startStop-1]: SSLClientCertificateSelectionC<wbr>B: Setting desired cert nickname to: subsystemCert cert-pki-ca</div><div>[03/May/2017:21:22:02][localho<wbr>st-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca</div><div>[03/May/2017:21:22:02][localho<wbr>st-startStop-1]: SSLClientCertificatSelectionCB<wbr>: Entering!</div><div>[03/May/2017:21:22:02][localho<wbr>st-startStop-1]: SSLClientCertificateSelectionC<wbr>B: returning: null</div><div>[03/May/2017:21:22:02][localho<wbr>st-startStop-1]: SSL handshake happened</div><div>Could not connect to LDAP server host <a href="http://ipa12.mgmt.crosschx.com" target="_blank">ipa12.mgmt.crosschx.com</a> port 636 Error netscape.ldap.LDAPException: Authentication failed (48)</div><div>  at com.netscape.cmscore.ldapconn.<wbr>LdapBoundConnFactory.makeConne<wbr>ction(LdapBoundConnFactory.jav<wbr>a:205)</div><div>  at com.netscape.cmscore.ldapconn.<wbr>LdapBoundConnFactory.init(Ldap<wbr>BoundConnFactory.java:166)</div><div>  at com.netscape.cmscore.ldapconn.<wbr>LdapBoundConnFactory.init(Ldap<wbr>BoundConnFactory.java:130)</div><div>  at com.netscape.cmscore.dbs.DBSub<wbr>system.init(DBSubsystem.java:6<wbr>54)</div><div>  at com.netscape.cmscore.apps.CMSE<wbr>ngine.initSubsystem(CMSEngine.<wbr>java:1169)</div><div>  at com.netscape.cmscore.apps.CMSE<wbr>ngine.initSubsystems(CMSEngine<wbr>.java:1075)</div><div>  at 
com.netscape.cmscore.apps.CMSE<wbr>ngine.init(CMSEngine.java:571)</div><div>  at com.netscape.certsrv.apps.CMS.<wbr>init(CMS.java:187)</div><div>  at com.netscape.certsrv.apps.CMS.<wbr>start(CMS.java:1616)</div><div>  at com.netscape.cms.servlet.base.<wbr>CMSStartServlet.init(CMSStartS<wbr>ervlet.java:114)</div><div>  at javax.servlet.GenericServlet.i<wbr>nit(GenericServlet.java:158)</div><div>  at sun.reflect.NativeMethodAccess<wbr>orImpl.invoke0(Native Method)</div><div>  at sun.reflect.NativeMethodAccess<wbr>orImpl.invoke(NativeMethodAcce<wbr>ssorImpl.java:62)</div><div>  at sun.reflect.DelegatingMethodAc<wbr>cessorImpl.invoke(DelegatingMe<wbr>thodAccessorImpl.java:43)</div><div>  at java.lang.reflect.Method.invok<wbr>e(Method.java:498)</div><div>  at org.apache.catalina.security.S<wbr>ecurityUtil$1.run(SecurityUtil<wbr>.java:288)</div><div>  at org.apache.catalina.security.S<wbr>ecurityUtil$1.run(SecurityUtil<wbr>.java:285)</div><div>  at java.security.AccessController<wbr>.doPrivileged(Native Method)</div><div>  at <a href="http://javax.security.auth.Subject.do" target="_blank">javax.security.auth.Subject.do</a><wbr>AsPrivileged(Subject.java:549)</div><div>  at org.apache.catalina.security.S<wbr>ecurityUtil.execute(SecurityUt<wbr>il.java:320)</div><div>  at org.apache.catalina.security.S<wbr>ecurityUtil.doAsPrivilege(Secu<wbr>rityUtil.java:175)</div><div>  at org.apache.catalina.security.S<wbr>ecurityUtil.doAsPrivilege(Secu<wbr>rityUtil.java:124)</div><div>  at org.apache.catalina.core.Stand<wbr>ardWrapper.initServlet(Standar<wbr>dWrapper.java:1270)</div><div>  at org.apache.catalina.core.Stand<wbr>ardWrapper.loadServlet(Standar<wbr>dWrapper.java:1195)</div><div>  at org.apache.catalina.core.Stand<wbr>ardWrapper.load(StandardWrappe<wbr>r.java:1085)</div><div>  at org.apache.catalina.core.Stand<wbr>ardContext.loadOnStartup(Stand<wbr>ardContext.java:5318)</div><div>  at 
org.apache.catalina.core.Stand<wbr>ardContext.startInternal(Stand<wbr>ardContext.java:5610)</div><div>  at org.apache.catalina.util.Lifec<wbr>ycleBase.start(LifecycleBase.j<wbr>ava:147)</div><div>  at org.apache.catalina.core.Conta<wbr>inerBase.addChildInternal(Cont<wbr>ainerBase.java:899)</div><div>  at org.apache.catalina.core.Conta<wbr>inerBase.access$000(ContainerB<wbr>ase.java:133)</div><div>  at org.apache.catalina.core.Conta<wbr>inerBase$PrivilegedAddChild.ru<wbr>n(ContainerBase.java:156)</div><div>  at org.apache.catalina.core.Conta<wbr>inerBase$PrivilegedAddChild.ru<wbr>n(ContainerBase.java:145)</div><div>  at java.security.AccessController<wbr>.doPrivileged(Native Method)</div><div>  at org.apache.catalina.core.Conta<wbr>inerBase.addChild(ContainerBas<wbr>e.java:873)</div><div>  at org.apache.catalina.core.Stand<wbr>ardHost.addChild(StandardHost.<wbr>java:652)</div><div>  at org.apache.catalina.startup.Ho<wbr>stConfig.deployDescriptor(Host<wbr>Config.java:679)</div><div>  at org.apache.catalina.startup.Ho<wbr>stConfig$DeployDescriptor.run(<wbr>HostConfig.java:1966)</div><div>  at java.util.concurrent.Executors<wbr>$RunnableAdapter.call(Executor<wbr>s.java:511)</div><div>  at java.util.concurrent.FutureTas<wbr>k.run(FutureTask.java:266)</div><div>  at java.util.concurrent.ThreadPoo<wbr>lExecutor.runWorker(ThreadPool<wbr>Executor.java:1142)</div><div>  at java.util.concurrent.ThreadPoo<wbr>lExecutor$Worker.run(ThreadPoo<wbr>lExecutor.java:617)</div><div>  at java.lang.Thread.run(Thread.ja<wbr>va:745)</div><div>Internal Database Error encountered: Could not connect to LDAP server host <a href="http://ipa12.mgmt.crosschx.com" target="_blank">ipa12.mgmt.crosschx.com</a> port 636 Error netscape.ldap.LDAPException: Authentication failed (48)</div><div>  at com.netscape.cmscore.dbs.DBSub<wbr>system.init(DBSubsystem.java:6<wbr>76)</div><div>  at com.netscape.cmscore.apps.CMSE<wbr>ngine.initSubsystem(CMSEngine.<wbr>java:1169)</div><div>  at 
com.netscape.cmscore.apps.CMSE<wbr>ngine.initSubsystems(CMSEngine<wbr>.java:1075)</div><div>  at com.netscape.cmscore.apps.CMSE<wbr>ngine.init(CMSEngine.java:571)</div><div>  at com.netscape.certsrv.apps.CMS.<wbr>init(CMS.java:187)</div><div>  at com.netscape.certsrv.apps.CMS.<wbr>start(CMS.java:1616)</div><div>  at com.netscape.cms.servlet.base.<wbr>CMSStartServlet.init(CMSStartS<wbr>ervlet.java:114)</div><div>  at javax.servlet.GenericServlet.i<wbr>nit(GenericServlet.java:158)</div><div>  at sun.reflect.NativeMethodAccess<wbr>orImpl.invoke0(Native Method)</div><div>  at sun.reflect.NativeMethodAccess<wbr>orImpl.invoke(NativeMethodAcce<wbr>ssorImpl.java:62)</div><div>  at sun.reflect.DelegatingMethodAc<wbr>cessorImpl.invoke(DelegatingMe<wbr>thodAccessorImpl.java:43)</div><div>  at java.lang.reflect.Method.invok<wbr>e(Method.java:498)</div><div>  at org.apache.catalina.security.S<wbr>ecurityUtil$1.run(SecurityUtil<wbr>.java:288)</div><div>  at org.apache.catalina.security.S<wbr>ecurityUtil$1.run(SecurityUtil<wbr>.java:285)</div><div>  at java.security.AccessController<wbr>.doPrivileged(Native Method)</div><div>  at <a href="http://javax.security.auth.Subject.do" target="_blank">javax.security.auth.Subject.do</a><wbr>AsPrivileged(Subject.java:549)</div><div>  at org.apache.catalina.security.S<wbr>ecurityUtil.execute(SecurityUt<wbr>il.java:320)</div><div>  at org.apache.catalina.security.S<wbr>ecurityUtil.doAsPrivilege(Secu<wbr>rityUtil.java:175)</div><div>  at org.apache.catalina.security.S<wbr>ecurityUtil.doAsPrivilege(Secu<wbr>rityUtil.java:124)</div><div>  at org.apache.catalina.core.Stand<wbr>ardWrapper.initServlet(Standar<wbr>dWrapper.java:1270)</div><div>  at org.apache.catalina.core.Stand<wbr>ardWrapper.loadServlet(Standar<wbr>dWrapper.java:1195)</div><div>  at org.apache.catalina.core.Stand<wbr>ardWrapper.load(StandardWrappe<wbr>r.java:1085)</div><div>  at org.apache.catalina.core.Stand<wbr>ardContext.loadOnStartup(Stand<wbr>ardContext.java:5318)</div><div>  
at org.apache.catalina.core.Stand<wbr>ardContext.startInternal(Stand<wbr>ardContext.java:5610)</div><div>  at org.apache.catalina.util.Lifec<wbr>ycleBase.start(LifecycleBase.j<wbr>ava:147)</div><div>  at org.apache.catalina.core.Conta<wbr>inerBase.addChildInternal(Cont<wbr>ainerBase.java:899)</div><div>  at org.apache.catalina.core.Conta<wbr>inerBase.access$000(ContainerB<wbr>ase.java:133)</div><div>  at org.apache.catalina.core.Conta<wbr>inerBase$PrivilegedAddChild.ru<wbr>n(ContainerBase.java:156)</div><div>  at org.apache.catalina.core.Conta<wbr>inerBase$PrivilegedAddChild.ru<wbr>n(ContainerBase.java:145)</div><div>  at java.security.AccessController<wbr>.doPrivileged(Native Method)</div><div>  at org.apache.catalina.core.Conta<wbr>inerBase.addChild(ContainerBas<wbr>e.java:873)</div><div>  at org.apache.catalina.core.Stand<wbr>ardHost.addChild(StandardHost.<wbr>java:652)</div><div>  at org.apache.catalina.startup.Ho<wbr>stConfig.deployDescriptor(Host<wbr>Config.java:679)</div><div>  at org.apache.catalina.startup.Ho<wbr>stConfig$DeployDescriptor.run(<wbr>HostConfig.java:1966)</div><div>  at java.util.concurrent.Executors<wbr>$RunnableAdapter.call(Executor<wbr>s.java:511)</div><div>  at java.util.concurrent.FutureTas<wbr>k.run(FutureTask.java:266)</div><div>  at java.util.concurrent.ThreadPoo<wbr>lExecutor.runWorker(ThreadPool<wbr>Executor.java:1142)</div><div>  at java.util.concurrent.ThreadPoo<wbr>lExecutor$Worker.run(ThreadPoo<wbr>lExecutor.java:617)</div><div>  at java.lang.Thread.run(Thread.ja<wbr>va:745)</div><div>[03/May/2017:21:22:02][localho<wbr>st-startStop-1]: CMSEngine.shutdown()</div></div><div><br></div><div><br></div><div><div class="m_-6633309559365244558m_-5348699649136511951m_1336266395061717507gmail_signature"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><pre style="color:rgb(0,0,0);margin:0em">=============================</pre><pre 
style="color:rgb(0,0,0);margin:0em"><br></pre><pre style="margin:0em"><font color="#000000">IPA11.MGMT</font></pre><pre style="margin:0em"><font color="#000000">
(root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCH<wbr>X-COM/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a> IPA CA                                     CT,C,C

(root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u





IPA13.MGMT
(root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCH<wbr>X-COM/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a> IPA CA                                     CT,C,C

(root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u




IPA12.MGMT
(root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCH<wbr>X-COM/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a> IPA CA                                     C,,

(root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u

==============================<wbr>===================

IPA11.MGMT
(root)>getcert list
Number of certificates and requests being tracked: 8.
Request ID '20161229155314':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/dirs<wbr>rv/slapd-MGMT-CROSSCHX-COM',ni<wbr>ckname='Server-Cert',token='NS<wbr>S Certificate DB',pinfile='/etc/dirsrv/slapd<wbr>-MGMT-CROSSCHX-COM/pwdfile.txt<wbr>'
  certificate: type=NSSDB,location='/etc/dirs<wbr>rv/slapd-MGMT-CROSSCHX-COM',ni<wbr>ckname='Server-Cert',token='NS<wbr>S Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  subject: CN=<a href="http://ipa11.mgmt.crosschx.com" target="_blank">ipa11.mgmt.crosschx.com</a>,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">M<wbr>GMT.CROSSCHX.COM</a>
  expires: 2018-12-30 15:52:43 UTC
  key usage: digitalSignature,nonRepudiatio<wbr>n,keyEncipherment,dataEncipher<wbr>ment
  eku: id-kp-serverAuth,id-kp-clientA<wbr>uth
  pre-save command:
  post-save command: /usr/libexec/ipa/certmonger/re<wbr>start_dirsrv MGMT-CROSSCHX-COM
  track: yes
  auto-renew: yes
Request ID '20161229155652':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='au<wbr>ditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='au<wbr>ditSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  subject: CN=CA Audit,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  expires: 2018-11-12 13:00:29 UTC
  key usage: digitalSignature,nonRepudiatio<wbr>n
  pre-save command: /usr/libexec/ipa/certmonger/st<wbr>op_pkicad
  post-save command: /usr/libexec/ipa/certmonger/re<wbr>new_ca_cert "auditSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20161229155654':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='oc<wbr>spSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='oc<wbr>spSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  subject: CN=OCSP Subsystem,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  expires: 2018-11-12 13:00:26 UTC
  key usage: digitalSignature,nonRepudiatio<wbr>n,keyCertSign,cRLSign
  eku: id-kp-OCSPSigning
  pre-save command: /usr/libexec/ipa/certmonger/st<wbr>op_pkicad
  post-save command: /usr/libexec/ipa/certmonger/re<wbr>new_ca_cert "ocspSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20161229155655':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='su<wbr>bsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='su<wbr>bsystemCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  subject: CN=CA Subsystem,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  expires: 2018-11-12 13:00:28 UTC
  key usage: digitalSignature,nonRepudiatio<wbr>n,keyEncipherment,dataEncipher<wbr>ment
  eku: id-kp-serverAuth,id-kp-clientA<wbr>uth
  pre-save command: /usr/libexec/ipa/certmonger/st<wbr>op_pkicad
  post-save command: /usr/libexec/ipa/certmonger/re<wbr>new_ca_cert "subsystemCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20161229155657':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='ca<wbr>SigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='ca<wbr>SigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  subject: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  expires: 2036-11-22 13:00:25 UTC
  key usage: digitalSignature,nonRepudiatio<wbr>n,keyCertSign,cRLSign
  pre-save command: /usr/libexec/ipa/certmonger/st<wbr>op_pkicad
  post-save command: /usr/libexec/ipa/certmonger/re<wbr>new_ca_cert "caSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20161229155659':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='Se<wbr>rver-Cert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='Se<wbr>rver-Cert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  subject: CN=<a href="http://ipa11.mgmt.crosschx.com" target="_blank">ipa11.mgmt.crosschx.com</a>,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">M<wbr>GMT.CROSSCHX.COM</a>
  expires: 2018-12-19 15:56:20 UTC
  key usage: digitalSignature,nonRepudiatio<wbr>n,keyEncipherment,dataEncipher<wbr>ment
  eku: id-kp-serverAuth,id-kp-clientA<wbr>uth,id-kp-emailProtection
  pre-save command: /usr/libexec/ipa/certmonger/st<wbr>op_pkicad
  post-save command: /usr/libexec/ipa/certmonger/re<wbr>new_ca_cert "Server-Cert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20161229155921':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/http<wbr>d/alias',nickname='Server-Cert<wbr>',token='NSS Certificate DB',pinfile='/etc/httpd/alias/<wbr>pwdfile.txt'
  certificate: type=NSSDB,location='/etc/http<wbr>d/alias',nickname='Server-Cert<wbr>',token='NSS Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  subject: CN=<a href="http://ipa11.mgmt.crosschx.com" target="_blank">ipa11.mgmt.crosschx.com</a>,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">M<wbr>GMT.CROSSCHX.COM</a>
  expires: 2018-12-30 15:52:46 UTC
  key usage: digitalSignature,nonRepudiatio<wbr>n,keyEncipherment,dataEncipher<wbr>ment
  eku: id-kp-serverAuth,id-kp-clientA<wbr>uth
  pre-save command:
  post-save command: /usr/libexec/ipa/certmonger/re<wbr>start_httpd
  track: yes
  auto-renew: yes
Request ID '20161229160009':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/http<wbr>d/alias',nickname='ipaCert',to<wbr>ken='NSS Certificate DB',pinfile='/etc/httpd/alias/<wbr>pwdfile.txt'
  certificate: type=NSSDB,location='/etc/http<wbr>d/alias',nickname='ipaCert',to<wbr>ken='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  subject: CN=IPA RA,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  expires: 2018-11-12 13:01:34 UTC
  key usage: digitalSignature,nonRepudiatio<wbr>n,keyEncipherment,dataEncipher<wbr>ment
  eku: id-kp-serverAuth,id-kp-clientA<wbr>uth
  pre-save command: /usr/libexec/ipa/certmonger/re<wbr>new_ra_cert_pre
  post-save command: /usr/libexec/ipa/certmonger/re<wbr>new_ra_cert
  track: yes
  auto-renew: yes




  ==============================<wbr>====

IPA13.MGMT

(root)>getcert list
Number of certificates and requests being tracked: 8.
Request ID '20161229143449':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/dirs<wbr>rv/slapd-MGMT-CROSSCHX-COM',ni<wbr>ckname='Server-Cert',token='NS<wbr>S Certificate DB',pinfile='/etc/dirsrv/slapd<wbr>-MGMT-CROSSCHX-COM/pwdfile.txt<wbr>'
  certificate: type=NSSDB,location='/etc/dirs<wbr>rv/slapd-MGMT-CROSSCHX-COM',ni<wbr>ckname='Server-Cert',token='NS<wbr>S Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  subject: CN=<a href="http://ipa13.mgmt.crosschx.com" target="_blank">ipa13.mgmt.crosschx.com</a>,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">M<wbr>GMT.CROSSCHX.COM</a>
  expires: 2018-12-30 14:34:20 UTC
  key usage: digitalSignature,nonRepudiatio<wbr>n,keyEncipherment,dataEncipher<wbr>ment
  eku: id-kp-serverAuth,id-kp-clientA<wbr>uth
  pre-save command:
  post-save command: /usr/libexec/ipa/certmonger/re<wbr>start_dirsrv MGMT-CROSSCHX-COM
  track: yes
  auto-renew: yes
Request ID '20161229143826':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='au<wbr>ditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='au<wbr>ditSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  subject: CN=CA Audit,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  expires: 2018-11-12 13:00:29 UTC
  key usage: digitalSignature,nonRepudiatio<wbr>n
  pre-save command: /usr/libexec/ipa/certmonger/st<wbr>op_pkicad
  post-save command: /usr/libexec/ipa/certmonger/re<wbr>new_ca_cert "auditSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20161229143828':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='oc<wbr>spSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='oc<wbr>spSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  subject: CN=OCSP Subsystem,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  expires: 2018-11-12 13:00:26 UTC
  key usage: digitalSignature,nonRepudiatio<wbr>n,keyCertSign,cRLSign
  eku: id-kp-OCSPSigning
  pre-save command: /usr/libexec/ipa/certmonger/st<wbr>op_pkicad
  post-save command: /usr/libexec/ipa/certmonger/re<wbr>new_ca_cert "ocspSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20161229143831':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='su<wbr>bsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='su<wbr>bsystemCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  subject: CN=CA Subsystem,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  expires: 2018-11-12 13:00:28 UTC
  key usage: digitalSignature,nonRepudiatio<wbr>n,keyEncipherment,dataEncipher<wbr>ment
  eku: id-kp-serverAuth,id-kp-clientA<wbr>uth
  pre-save command: /usr/libexec/ipa/certmonger/st<wbr>op_pkicad
  post-save command: /usr/libexec/ipa/certmonger/re<wbr>new_ca_cert "subsystemCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20161229143833':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='ca<wbr>SigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='ca<wbr>SigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  subject: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  expires: 2036-11-22 13:00:25 UTC
  key usage: digitalSignature,nonRepudiatio<wbr>n,keyCertSign,cRLSign
  pre-save command: /usr/libexec/ipa/certmonger/st<wbr>op_pkicad
  post-save command: /usr/libexec/ipa/certmonger/re<wbr>new_ca_cert "caSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20161229143835':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='Se<wbr>rver-Cert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='Se<wbr>rver-Cert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  subject: CN=<a href="http://ipa13.mgmt.crosschx.com" target="_blank">ipa13.mgmt.crosschx.com</a>,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">M<wbr>GMT.CROSSCHX.COM</a>
  expires: 2018-12-19 14:37:54 UTC
  key usage: digitalSignature,nonRepudiatio<wbr>n,keyEncipherment,dataEncipher<wbr>ment
  eku: id-kp-serverAuth,id-kp-clientA<wbr>uth,id-kp-emailProtection
  pre-save command: /usr/libexec/ipa/certmonger/st<wbr>op_pkicad
  post-save command: /usr/libexec/ipa/certmonger/re<wbr>new_ca_cert "Server-Cert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20161229144057':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/http<wbr>d/alias',nickname='Server-Cert<wbr>',token='NSS Certificate DB',pinfile='/etc/httpd/alias/<wbr>pwdfile.txt'
  certificate: type=NSSDB,location='/etc/http<wbr>d/alias',nickname='Server-Cert<wbr>',token='NSS Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  subject: CN=<a href="http://ipa13.mgmt.crosschx.com" target="_blank">ipa13.mgmt.crosschx.com</a>,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">M<wbr>GMT.CROSSCHX.COM</a>
  expires: 2018-12-30 14:34:23 UTC
  key usage: digitalSignature,nonRepudiatio<wbr>n,keyEncipherment,dataEncipher<wbr>ment
  eku: id-kp-serverAuth,id-kp-clientA<wbr>uth
  pre-save command:
  post-save command: /usr/libexec/ipa/certmonger/re<wbr>start_httpd
  track: yes
  auto-renew: yes
Request ID '20161229144146':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/http<wbr>d/alias',nickname='ipaCert',to<wbr>ken='NSS Certificate DB',pinfile='/etc/httpd/alias/<wbr>pwdfile.txt'
  certificate: type=NSSDB,location='/etc/http<wbr>d/alias',nickname='ipaCert',to<wbr>ken='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  subject: CN=IPA RA,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  expires: 2018-11-12 13:01:34 UTC
  key usage: digitalSignature,nonRepudiatio<wbr>n,keyEncipherment,dataEncipher<wbr>ment
  eku: id-kp-serverAuth,id-kp-clientA<wbr>uth
  pre-save command: /usr/libexec/ipa/certmonger/re<wbr>new_ra_cert_pre
  post-save command: /usr/libexec/ipa/certmonger/re<wbr>new_ra_cert
  track: yes
  auto-renew: yes



===========================

IPA12.MGMT

(root)>getcert list
Number of certificates and requests being tracked: 8.
Request ID '20161229151518':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/dirs<wbr>rv/slapd-MGMT-CROSSCHX-COM',ni<wbr>ckname='Server-Cert',token='NS<wbr>S Certificate DB',pinfile='/etc/dirsrv/slapd<wbr>-MGMT-CROSSCHX-COM/pwdfile.txt<wbr>'
  certificate: type=NSSDB,location='/etc/dirs<wbr>rv/slapd-MGMT-CROSSCHX-COM',ni<wbr>ckname='Server-Cert',token='NS<wbr>S Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  subject: CN=<a href="http://ipa12.mgmt.crosschx.com" target="_blank">ipa12.mgmt.crosschx.com</a>,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">M<wbr>GMT.CROSSCHX.COM</a>
  expires: 2018-12-30 15:14:51 UTC
  key usage: digitalSignature,nonRepudiatio<wbr>n,keyEncipherment,dataEncipher<wbr>ment
  eku: id-kp-serverAuth,id-kp-clientA<wbr>uth
  pre-save command:
  post-save command: /usr/libexec/ipa/certmonger/re<wbr>start_dirsrv MGMT-CROSSCHX-COM
  track: yes
  auto-renew: yes
Request ID '20161229151850':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='au<wbr>ditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='au<wbr>ditSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  subject: CN=CA Audit,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  expires: 2018-11-12 13:00:29 UTC
  key usage: digitalSignature,nonRepudiatio<wbr>n
  pre-save command: /usr/libexec/ipa/certmonger/st<wbr>op_pkicad
  post-save command: /usr/libexec/ipa/certmonger/re<wbr>new_ca_cert "auditSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20161229151852':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='oc<wbr>spSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='oc<wbr>spSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  subject: CN=OCSP Subsystem,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  expires: 2018-11-12 13:00:26 UTC
  key usage: digitalSignature,nonRepudiatio<wbr>n,keyCertSign,cRLSign
  eku: id-kp-OCSPSigning
  pre-save command: /usr/libexec/ipa/certmonger/st<wbr>op_pkicad
  post-save command: /usr/libexec/ipa/certmonger/re<wbr>new_ca_cert "ocspSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20161229151854':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='su<wbr>bsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='su<wbr>bsystemCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  subject: CN=CA Subsystem,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  expires: 2018-11-12 13:00:28 UTC
  key usage: digitalSignature,nonRepudiatio<wbr>n,keyEncipherment,dataEncipher<wbr>ment
  eku: id-kp-serverAuth,id-kp-clientA<wbr>uth
  pre-save command: /usr/libexec/ipa/certmonger/st<wbr>op_pkicad
  post-save command: /usr/libexec/ipa/certmonger/re<wbr>new_ca_cert "subsystemCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20161229151856':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='ca<wbr>SigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='ca<wbr>SigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  subject: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  expires: 2036-11-22 13:00:25 UTC
  key usage: digitalSignature,nonRepudiatio<wbr>n,keyCertSign,cRLSign
  pre-save command: /usr/libexec/ipa/certmonger/st<wbr>op_pkicad
  post-save command: /usr/libexec/ipa/certmonger/re<wbr>new_ca_cert "caSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20161229151858':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='Se<wbr>rver-Cert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='Se<wbr>rver-Cert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  subject: CN=<a href="http://ipa12.mgmt.crosschx.com" target="_blank">ipa12.mgmt.crosschx.com</a>,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">M<wbr>GMT.CROSSCHX.COM</a>
  expires: 2018-12-19 15:18:16 UTC
  key usage: digitalSignature,nonRepudiatio<wbr>n,keyEncipherment,dataEncipher<wbr>ment
  eku: id-kp-serverAuth,id-kp-clientA<wbr>uth,id-kp-emailProtection
  pre-save command: /usr/libexec/ipa/certmonger/st<wbr>op_pkicad
  post-save command: /usr/libexec/ipa/certmonger/re<wbr>new_ca_cert "Server-Cert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20161229152115':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/http<wbr>d/alias',nickname='Server-Cert<wbr>',token='NSS Certificate DB',pinfile='/etc/httpd/alias/<wbr>pwdfile.txt'
  certificate: type=NSSDB,location='/etc/http<wbr>d/alias',nickname='Server-Cert<wbr>',token='NSS Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  subject: CN=<a href="http://ipa12.mgmt.crosschx.com" target="_blank">ipa12.mgmt.crosschx.com</a>,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">M<wbr>GMT.CROSSCHX.COM</a>
  expires: 2018-12-30 15:14:54 UTC
  key usage: digitalSignature,nonRepudiatio<wbr>n,keyEncipherment,dataEncipher<wbr>ment
  eku: id-kp-serverAuth,id-kp-clientA<wbr>uth
  pre-save command:
  post-save command: /usr/libexec/ipa/certmonger/re<wbr>start_httpd
  track: yes
  auto-renew: yes
Request ID '20161229152204':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/http<wbr>d/alias',nickname='ipaCert',to<wbr>ken='NSS Certificate DB',pinfile='/etc/httpd/alias/<wbr>pwdfile.txt'
  certificate: type=NSSDB,location='/etc/http<wbr>d/alias',nickname='ipaCert',to<wbr>ken='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  subject: CN=IPA RA,O=<a href="http://MGMT.CROSSCHX.COM" target="_blank">MGMT.CROSSCHX.COM</a>
  expires: 2018-11-12 13:01:34 UTC
  key usage: digitalSignature,nonRepudiatio<wbr>n,keyEncipherment,dataEncipher<wbr>ment
  eku: id-kp-serverAuth,id-kp-clientA<wbr>uth
  pre-save command: /usr/libexec/ipa/certmonger/re<wbr>new_ra_cert_pre
  post-save command: /usr/libexec/ipa/certmonger/re<wbr>new_ra_cert
  track: yes
  auto-renew: yes

</font><span style="color:rgb(0,0,0)">
</span></pre></div></div></div></div></div></div></div></div></div></div></div>
</div>
</blockquote></div><br></div>
</blockquote></div><br></div>
</blockquote></div><br></div>