[Freeipa-users] IPA v3 Certificate not renewed

Junhe Jian jian at traffics.de
Thu Jun 4 14:57:48 UTC 2015


Hi Rob,

I set the date into the past ("26 MAY 2015"),
added "NSSEnforceValidCerts off" to nss.conf,

and resubmitted the 3 IDs:
[root at be-ipasrv httpd]# getcert resubmit -i 20130528090822
Resubmitting "20130528090822" to "IPA".
[root at be-ipasrv httpd]# getcert resubmit -i 20130528090849
Resubmitting "20130528090849" to "IPA".
[root at be-ipasrv httpd]# getcert resubmit -i 20130528090923
Resubmitting "20130528090923" to "IPA".

Then I restarted ipa and certmonger.

Now I get these errors in the httpd error log:

[Tue May 26 10:00:30 2015] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Tue May 26 10:00:30 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue May 26 10:00:31 2015] [notice] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured.
[Tue May 26 10:00:31 2015] [notice] ModSecurity: APR compiled version="1.3.9"; loaded version="1.3.9"
[Tue May 26 10:00:31 2015] [notice] ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
[Tue May 26 10:00:31 2015] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Tue May 26 10:00:31 2015] [notice] ModSecurity: LIBXML compiled version="2.7.6"
[Tue May 26 10:00:31 2015] [notice] Digest: generating secret for digest authentication ...
[Tue May 26 10:00:31 2015] [notice] Digest: done
[Tue May 26 10:00:32 2015] [notice] Apache/2.2.15 (Unix) mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.14.0.0 Basic ECC PHP/5.3.25 mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations
[Tue May 26 10:00:33 2015] [error] ipa: INFO: *** PROCESS START ***
[Tue May 26 10:00:33 2015] [error] ipa: INFO: *** PROCESS START ***
[Tue May 26 10:01:23 2015] [warn] proxy: No protocol handler was valid for the URL /ca/agent/ca/displayBySerial. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Tue May 26 10:01:23 2015] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with CMS (Internal Server Error)
[Tue May 26 10:01:23 2015] [error] ipa: INFO: host/example.de at EXAMPLE.DE: cert_request(u'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', principal=u'ldap/example.de at EXAMPLE.DE', add=True): CertificateOperationError
[Tue May 26 10:01:29 2015] [warn] proxy: No protocol handler was valid for the URL /ca/agent/ca/displayBySerial. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Tue May 26 10:01:29 2015] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with CMS (Internal Server Error)
[Tue May 26 10:01:29 2015] [error] ipa: INFO: host/example.de at EXAMPLE.DE: cert_request(u'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', principal=u'dogtagldap/example.de at EXAMPLE.DE', add=True): CertificateOperationError
[Tue May 26 10:01:34 2015] [warn] proxy: No protocol handler was valid for the URL /ca/agent/ca/displayBySerial. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Tue May 26 10:01:34 2015] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with CMS (Internal Server Error)
[Tue May 26 10:01:34 2015] [error] ipa: INFO: host/example.de at EXAMPLE.DE: cert_request(u'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', principal=u'HTTP/example.de at EXAMPLE.DE', add=True): CertificateOperationError

_____________________________________________
Best regards
Junhe Jian

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Thursday, 4 June 2015 16:38
To: Junhe Jian; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA v3 Certificate not renewed

Junhe Jian wrote:
> Hello everyone,
>
> I'm new here and have a problem with our IPA Server.
>
> On our single IPA Server all certificates have expired.
>
> Autorenewal did not work, so I read the docs at
> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal and did it manually.
>
> My server is CentOS 6.4.
>
>   [root at be-ipasrv ~]# rpm -qa | grep ipa
>
> ipa-client-3.0.0-26.el6_4.4.x86_64
>
> ipa-server-3.0.0-26.el6_4.4.x86_64
>
> python-iniparse-0.3.1-2.1.el6.noarch
>
> ipa-python-3.0.0-26.el6_4.4.x86_64
>
> libipa_hbac-1.9.2-82.7.el6_4.x86_64
>
> libipa_hbac-python-1.9.2-82.7.el6_4.x86_64
>
> ipa-pki-common-theme-9.0.3-7.el6.noarch
>
> ipa-admintools-3.0.0-26.el6_4.4.x86_64
>
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>
> ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
>
> I changed the domain name to EXAMPLE.
>
> The 5 with CA: dogtag-ipa-renew-agent got new certificates and have status
> MONITORING.
>
> Only the last 3 with CA: IPA (dirsrv slapd-PKI-IPA, dirsrv slapd-EXAMPLE,
> /etc/httpd/alias) were not renewed; they have status CA_UNREACHABLE.
>
> Number of certificates and requests being tracked: 8.
>
> Request ID '20130528090810':
>
>          status: MONITORING
>
>          stuck: no
>
>          key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin='379816045864'
>
>          certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>
>          CA: dogtag-ipa-renew-agent
>
>          issuer: CN=Certificate Authority,O= EXAMPLE.DE
>
>          subject: CN=CA Audit,O= EXAMPLE.DE
>
>          expires: 2017-04-29 08:14:24 UTC
>
>          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>
>          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
>
>          track: yes
>
>          auto-renew: yes
>
> Request ID '20130528090811':
>
>          status: MONITORING
>
>          stuck: no
>
>         key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin='379816045864'
>
>          certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>
>          CA: dogtag-ipa-renew-agent
>
>          issuer: CN=Certificate Authority,O= EXAMPLE.DE
>
>          subject: CN=OCSP Subsystem,O= EXAMPLE.DE
>
>          expires: 2017-04-29 08:13:24 UTC
>
>          eku: id-kp-OCSPSigning
>
>          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>
>          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "ocspSigningCert cert-pki-ca"
>
>          track: yes
>
>          auto-renew: yes
>
> Request ID '20130528090812':
>
>          status: MONITORING
>
>          stuck: no
>
>          key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB',pin='379816045864'
>
>          certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB'
>
>          CA: dogtag-ipa-renew-agent
>
>          issuer: CN=Certificate Authority,O= EXAMPLE.DE
>
>          subject: CN=CA Subsystem,O= EXAMPLE.DE
>
>          expires: 2017-04-29 08:13:24 UTC
>
>          eku: id-kp-serverAuth,id-kp-clientAuth
>
>          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>
>          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "subsystemCert cert-pki-ca"
>
>          track: yes
>
>          auto-renew: yes
>
> Request ID '20130528090813':
>
>          status: MONITORING
>
>          stuck: no
>
>          key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>
>          certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB'
>
>          CA: dogtag-ipa-renew-agent
>
>          issuer: CN=Certificate Authority,O= EXAMPLE.DE
>
>          subject: CN=IPA RA,O= EXAMPLE.DE
>
>          expires: 2017-04-29 08:13:24 UTC
>
>          eku: id-kp-serverAuth,id-kp-clientAuth
>
>          pre-save command:
>
>          post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>
>          track: yes
>
>          auto-renew: yes
>
> Request ID '20130528090814':
>
>          status: MONITORING
>
>          stuck: no
>
>          key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB',pin='379816045864'
>
>          certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB'
>
>          CA: dogtag-ipa-renew-agent
>
>          issuer: CN=Certificate Authority,O= EXAMPLE.DE
>
>          subject: CN= EXAMPLE.de,O= EXAMPLE.DE
>
>          expires: 2017-04-29 08:13:24 UTC
>
>          eku: id-kp-serverAuth,id-kp-clientAuth
>
>          pre-save command:
>
>          post-save command:
>
>          track: yes
>
>          auto-renew: yes
>
> Request ID '20130528090822':
>
>          status: CA_UNREACHABLE
>
>          ca-error: Server failed request, will retry: 4301 (RPC failed
> at server.  Certificate operation cannot be completed: Unable to
> communicate with CMS (Internal Server Error)).
>
>          stuck: yes
>
>          key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-
> EXAMPLE -DE',nickname='Server-Cert',token='NSS Certificate
> DB',pinfile='/etc/dirsrv/slapd- EXAMPLE -DE/pwdfile.txt'
>
>          certificate: type=NSSDB,location='/etc/dirsrv/slapd- EXAMPLE
> -DE',nickname='Server-Cert',token='NSS Certificate DB'
>
>          CA: IPA
>
>          issuer: CN=Certificate Authority,O= EXAMPLE.DE
>
>          subject: CN=example.de,O= EXAMPLE.DE
>
>          expires: 2015-05-29 09:08:22 UTC
>
>          eku: id-kp-serverAuth,id-kp-clientAuth
>
>          pre-save command:
>
>          post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
> EXAMPLE -DE
>
>          track: yes
>
>          auto-renew: yes
>
> Request ID '20130528090849':
>
>          status: CA_UNREACHABLE
>
>          ca-error: Server failed request, will retry: 4301 (RPC failed
> at server.  Certificate operation cannot be completed: Unable to
> communicate with CMS (Internal Server Error)).
>
>          stuck: yes
>
>          key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert'
> ,token='NSS Certificate
> DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>
>          certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert'
> ,token='NSS
> Certificate DB'
>
>          CA: IPA
>
>          issuer: CN=Certificate Authority,O= EXAMPLE.DE
>
>          subject: CN=example.de,O= EXAMPLE.DE
>
>          expires: 2015-05-29 09:08:49 UTC
>
>          eku: id-kp-serverAuth,id-kp-clientAuth
>
>          pre-save command:
>
>          post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
> PKI-IPA
>
>          track: yes
>
>          auto-renew: yes
>
> Request ID '20130528090923':
>
>          status: CA_UNREACHABLE
>
>          ca-error: Server failed request, will retry: 4301 (RPC failed
> at server.  Certificate operation cannot be completed: Unable to
> communicate with CMS (Internal Server Error)).
>
>          stuck: yes
>
>          key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='N
> SS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>
>          certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='N
> SS
> Certificate DB'
>
>          CA: IPA
>
>          issuer: CN=Certificate Authority,O= EXAMPLE.DE
>
>          subject: CN=example.de,O= EXAMPLE.DE
>
>          expires: 2015-05-29 09:09:23 UTC
>
>          eku: id-kp-serverAuth,id-kp-clientAuth
>
>          pre-save command:
>
>          post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>
>          track: yes
>
>          auto-renew: yes
>
> Later I updated the OS to CentOS 6.6.
>
> [root at be-ipasrv]# rpm -qa | grep ipa
>
> sssd-ipa-1.11.6-30.el6_6.4.x86_64
>
> ipa-admintools-3.0.0-42.el6.centos.x86_64
>
> ipa-python-3.0.0-42.el6.centos.x86_64
>
> python-iniparse-0.3.1-2.1.el6.noarch
>
> libipa_hbac-python-1.11.6-30.el6_6.4.x86_64
>
> ipa-pki-common-theme-9.0.3-7.el6.noarch
>
> ipa-server-3.0.0-42.el6.centos.x86_64
>
> ipa-client-3.0.0-42.el6.centos.x86_64
>
> ipa-server-selinux-3.0.0-42.el6.centos.x86_64
>
> libipa_hbac-1.11.6-30.el6_6.4.x86_64
>
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>
> I get the same status for the last 3.
>
> Request ID '20130528090822':
>
>          status: CA_UNREACHABLE
>
>          ca-error: Server at https://example.de/ipa/xml
> <https://example.de/ipa/xml> failed request,
> will retry: 4301 (RPC failed at server.  Certificate operation cannot
> be
> completed: Failure decoding Certificate Signing Request).
>
>          stuck: no
>
>          key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-DE',nickname='Server-Ce
> rt',token='NSS Certificate
> DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-DE/pwdfile.txt'
>
>          certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-DE',nickname='Server-Ce
> rt',token='NSS
> Certificate DB'
>
>          CA: IPA
>
>          issuer: CN=Certificate Authority,O=EXAMPLE.DE
>
>          subject: CN=example.de,O=EXAMPLE.DE
>
>          expires: 2015-05-29 09:08:22 UTC
>
>          key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>
>          eku: id-kp-serverAuth,id-kp-clientAuth
>
>          pre-save command:
>
>          post-save command:
>
>          track: yes
>
>          auto-renew: yes
>
> Request ID '20130528090849':
>
>          status: CA_UNREACHABLE
>
>          ca-error: Server at https://example.de/ipa/xml
> <https://example.de/ipa/xml> failed request,
> will retry: 4301 (RPC failed at server.  Certificate operation cannot
> be
> completed: Failure decoding Certificate Signing Request).
>
>          stuck: no
>
>          key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert'
> ,token='NSS Certificate
> DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>
>          certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert'
> ,token='NSS
> Certificate DB'
>
>          CA: IPA
>
>          issuer: CN=Certificate Authority,O=EXAMPLE.DE
>
>          subject: CN=example.de,O=EXAMPLE.DE
>
>          expires: 2015-05-29 09:08:49 UTC
>
>          key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>
>          eku: id-kp-serverAuth,id-kp-clientAuth
>
>          pre-save command:
>
>          post-save command:
>
>          track: yes
>
>          auto-renew: yes
>
> Request ID '20130528090923':
>
>          status: CA_UNREACHABLE
>
>          ca-error: Server at https://example.de/ipa/xml
> <https://example.de/ipa/xml> failed request,
> will retry: 4301 (RPC failed at server.  Certificate operation cannot
> be
> completed: Failure decoding Certificate Signing Request).
>
>          stuck: no
>
>          key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='N
> SS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>
>          certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='N
> SS
> Certificate DB'
>
>          CA: IPA
>
>          issuer: CN=Certificate Authority,O=EXAMPLE.DE
>
>          subject: CN=example.de,O=EXAMPLE.DE
>
>          expires: 2015-05-29 09:09:23 UTC
>
>          key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>
>          eku: id-kp-serverAuth,id-kp-clientAuth
>
>          pre-save command:
>
>          post-save command:
>
>          track: yes
>
>          auto-renew: yes
>
> I read all the posts on the Red Hat archive and Google. I cannot find a solution.
>
> Does anybody know the issue?

I'd suggest starting with the apache error log, /var/log/httpd/errors.
That should tell you what the Internal Error is.

rob
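The thread turns on spotting which certmonger requests have gone bad (status CA_UNREACHABLE, stuck, a ca-error, or an expiry date that has already passed) before the services that depend on them stop working. The following checker is an added example and is not code from the thread or from FreeIPA/certmonger: it parses the text format of `getcert list` as shown above, flags requests that are not in MONITORING, are stuck, carry a ca-error, or expire within a configurable number of days, and offers a helper that redacts the cleartext NSS token `pin=` values that `getcert list` prints, so the output can be shared on a list like this one without leaking the PIN. The sample output, the reference date and the PIN in the redaction example are constructed for the demonstration.

```python
"""Check `getcert list` output for certificate requests that need attention.

Added example, not part of the mailing-list thread or of FreeIPA/certmonger.
The sample below is constructed from the field layout quoted in the thread.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: one healthy request and one in the failed state seen in the thread.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20130528090813':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        CA: dogtag-ipa-renew-agent
        subject: CN=IPA RA,O=EXAMPLE.DE
        expires: 2017-04-29 08:13:24 UTC
        track: yes
        auto-renew: yes
Request ID '20130528090923':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        CA: IPA
        subject: CN=example.de,O=EXAMPLE.DE
        expires: 2015-05-29 09:09:23 UTC
        track: yes
        auto-renew: yes
"""

# Constructed reference time (the date the thread's httpd log entries carry).
REFERENCE_NOW = datetime(2015, 5, 26, 10, 0, 0, tzinfo=timezone.utc)

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':\s*$")
NICKNAME_RE = re.compile(r"nickname='([^']*)'")
PIN_RE = re.compile(r"pin='[^']*'")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_getcert_list(text):
    """Turn `getcert list` output into a list of dicts, one per tracked request."""
    requests = []
    current = None
    for raw in text.splitlines():
        match = REQUEST_RE.match(raw)
        if match:
            current = {"request_id": match.group("id")}
            requests.append(current)
            continue
        # Field lines are indented; anything else (the header line) is skipped.
        if current is None or not raw.startswith((" ", "\t")):
            continue
        # Split on the first colon only: ca-error and storage values contain colons.
        key, sep, value = raw.strip().partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return requests


def nickname_of(request):
    """Extract the NSS nickname from the 'key pair storage' field."""
    match = NICKNAME_RE.search(request.get("key pair storage", ""))
    return match.group(1) if match else "?"


def find_problems(requests, now=REFERENCE_NOW, warn_days=30):
    """Return the requests that are unhealthy or close to expiry, with the reasons."""
    horizon = now + timedelta(days=warn_days)
    problems = []
    for request in requests:
        reasons = []
        status = request.get("status", "")
        if status != "MONITORING":
            reasons.append("status " + status)
        if request.get("stuck", "no") == "yes":
            reasons.append("stuck")
        if request.get("ca-error"):
            reasons.append("ca-error: " + request["ca-error"])
        expires = request.get("expires")
        if expires:
            exp = datetime.strptime(expires, EXPIRES_FMT).replace(tzinfo=timezone.utc)
            if exp <= now:
                reasons.append("expired " + expires)
            elif exp <= horizon:
                reasons.append("expires within %d days (%s)" % (warn_days, expires))
        if reasons:
            problems.append({"request_id": request["request_id"],
                             "nickname": nickname_of(request),
                             "reasons": reasons})
    return problems


def redact_pins(text):
    """Blank the cleartext NSS token PINs that `getcert list` prints inline."""
    return PIN_RE.sub("pin='<redacted>'", text)


if __name__ == "__main__":
    for problem in find_problems(parse_getcert_list(SAMPLE_GETCERT_LIST)):
        print("%s (%s):" % (problem["request_id"], problem["nickname"]))
        for reason in problem["reasons"]:
            print("    " + reason)
```

On a live server the same functions would be fed `subprocess.check_output(["getcert", "list"])` and the current UTC time instead of the constructed sample and reference date; the `redact_pins` pass is worth applying to anything pasted into a ticket or a public list, since the `pin=` value unlocks the CA's NSS database.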