[Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert
Gronde, Christopher (Contractor)
Christopher.Gronde at fincen.gov
Thu Oct 8 14:49:56 UTC 2015
When I ran "getcert list" rather than "ipa-getcert list" I got the following:
# getcert list
Number of certificates and requests being tracked: 2.
Request ID '20150922143354':
status: NEED_TO_SUBMIT
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-retrieve-agent-submit
issuer: CN=Certificate Authority,O=ITMODEV.GOV
subject: CN=IPA RA,O=ITMODEV.GOV
expires: 2013-10-09 11:45:01 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Request ID '20151007150853':
status: CA_UNREACHABLE
ca-error: Server at https://comipa02.itmodev.gov/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=ITMODEV.GOV
subject: CN=comipa02.itmodev.gov,O=ITMODEV.GOV
expires: 2015-09-23 17:46:26 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Thursday, October 08, 2015 10:33 AM
To: Gronde, Christopher (Contractor) <Christopher.Gronde at fincen.gov>; Alexander Bokovoy <abokovoy at redhat.com>
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert
Gronde, Christopher (Contractor) wrote:
> Currently running ipa-server-3.0.0-47.el6.x86_64
>
> I have stopped ntpd and reset the date to Sept 21st. Yes I agree this has been baffling me for days.
You should be tracking 8 certificates. The output of `getcert list` should look something like:
Number of certificates and requests being tracked: 8.
Request ID '20150102143352':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Audit,O=EXAMPLE.COM
expires: 2016-12-22 14:33:08 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20150102143353':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=OCSP Subsystem,O=EXAMPLE.COM
expires: 2016-12-22 14:33:07 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20150102143354':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Subsystem,O=EXAMPLE.COM
expires: 2016-12-22 14:33:07 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20150102143355':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=IPA RA,O=EXAMPLE.COM
expires: 2016-12-22 14:33:51 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20150102143356':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ipa.example.com,O=EXAMPLE.COM
expires: 2016-12-22 14:33:07 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150102143410':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ipa.example.com,O=EXAMPLE.COM
expires: 2017-01-02 14:34:09 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
EXAMPLE-COM
track: yes
auto-renew: yes
Request ID '20150102143452':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ipa.example.com,O=EXAMPLE.COM
expires: 2017-01-02 14:34:51 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
track: yes
auto-renew: yes
Request ID '20150102143632':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ipa.example.com,O=EXAMPLE.COM
expires: 2017-01-02 14:36:32 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
What is missing are the certs for 389-ds and for the CA itself. I'm guessing those are also expired/expiring.
rob
>
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Thursday, October 08, 2015 9:49 AM
> To: Gronde, Christopher (Contractor) <Christopher.Gronde at fincen.gov>;
> Alexander Bokovoy <abokovoy at redhat.com>
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Certmonger and dogtag not
> working....issues manually renewing Server-Cert
>
> Gronde, Christopher (Contractor) wrote:
>> Now I am getting CA_UNREACHABLE
>>
>> # ipa-getcert resubmit -i 20151007150853 -p
>> /etc/httpd/alias/pwdfile.txt -K HTTP/comipa02.<example>.gov -C
>> /usr/lib64/ipa/certmonger/restart_httpd
>> Resubmitting "20151007150853" to "IPA".
>>
>> # ipa-getcert list
>> Number of certificates and requests being tracked: 2.
>> Request ID '20151007150853':
>> status: CA_UNREACHABLE
>> ca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm '<example>.GOV'.
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=<example>.GOV
>> subject: CN=comipa02.itmodev.gov,O=<example>.GOV
>> expires: 2015-09-23 17:46:26 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>> track: yes
>> auto-renew: yes
>
> What really baffles me is what happened to the original tracking for these certificates. Based on the original e-mail only 2 of the 8 are being tracked at all.
>
> What version of IPA is this? rpm -q ipa-server
>
> I'm guessing that the IPA services aren't running due to the expired certificates. You'll need to roll back the time to before Sept 22, at least, to get things up and running.
>
> rob
>
>>
>>
>> -----Original Message-----
>> From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
>> Sent: Thursday, October 08, 2015 9:00 AM
>> To: Gronde, Christopher (Contractor) <Christopher.Gronde at fincen.gov>
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Certmonger and dogtag not
>> working....issues manually renewing Server-Cert
>>
>> Hi,
>>
>> On Thu, 08 Oct 2015, Gronde, Christopher (Contractor) wrote:
>>> Thank you for your response!
>> Do not respond directly, send your emails to the mailing list, please.
>>
>>> Yes "getent passwd admin" does work
>>>
>>> # getent passwd admin
>>> admin:*:1278200000:1278200000:Administrator:/home/admin:/bin/bash
>>>
>>> The second not returned:
>>>
>>> # ipa-getcert resubmit -i 20151007150853 -p /etc/httpd/alias/pwdfile.txt
>>> Resubmitting "20151007150853" to "IPA".
>>>
>>> ]# ipa-getcert resubmit -i 20151007150853 -p /etc/httpd/alias/pwdfile.txt
>>> Resubmitting "20151007150853" to "IPA".
>>> [root at comipa02 conf.d]# ipa-getcert list
>>> Number of certificates and requests being tracked: 2.
>>> Request ID '20151007150853':
>>> status: MONITORING
>>> ca-error: Unable to determine principal name for signing request.
>> So it doesn't know whom to map the cert to.
>>
>> When re-submitting the request with ipa-getcert, add
>> -K HTTP/comipa02.itmodev.gov
>>
>> While at it, I've looked at my test setup and I can see that your
>> configuration below lacks a restart of httpd after the certificate was
>> rotated:
>> -C /usr/lib64/ipa/certmonger/restart_httpd
>>
>>
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>> CA: IPA
>>> issuer: CN=Certificate Authority,O=<example>.GOV
>>> subject: CN=comipa02.itmodev.gov,O=<example>.GOV
>>> expires: 2015-09-23 17:46:26 UTC
>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command:
>>> post-save command:
>>> track: yes
>>> auto-renew: yes
>>>
>>> This Cert however still shows expired. What do I need to do to go about renewing it?
>>>
>>> # certutil -V -u V -n Server-Cert -d /etc/httpd/alias
>>> certutil: certificate is invalid: Peer's Certificate has expired.
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
>>> Sent: Thursday, October 08, 2015 2:22 AM
>>> To: Gronde, Christopher (Contractor) <Christopher.Gronde at fincen.gov>
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Certmonger and dogtag not
>>> working....issues manually renewing Server-Cert
>>>
>>> On Wed, 07 Oct 2015, Gronde, Christopher (Contractor) wrote:
>>>> I am new to FreeIPA and have inherited two IPA servers, not sure if
>>>> one is a master/slave or how they are different. I will try to
>>>> give some pertinent outputs below of some of the things I am
>>>> seeing. I know the Server-Cert is expired but can't figure out how
>>>> to renew it. There also appears to be Kerberos authentication
>>>> issues going on as I'm trying to fix it.
>>>>
>>>> #getcert list -d /etc/httpd/alias -n ipaCert
>>>> Number of certificates and requests being tracked: 2.
>>>> Request ID '20150922143354':
>>>> status: NEED_TO_SUBMIT
>>>> stuck: no
>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>> CA: dogtag-ipa-retrieve-agent-submit
>>>> issuer: CN=Certificate Authority,O=<example>.GOV
>>>> subject: CN=IPA RA,O=<example>.GOV
>>>> expires: 2013-10-09 11:45:01 UTC
>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>> pre-save command:
>>>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>> track: yes
>>>> auto-renew: yes
>>>>
>>>> #certutil -V -u V -n Server-Cert -d /etc/httpd/alias
>>>> certutil: certificate is invalid: Peer's Certificate has expired.
>>>>
>>>>
>>>> #certutil -L -d /etc/httpd/alias -n Server-Cert
>>>> Certificate:
>>>> Data:
>>>> Version: 3 (0x2)
>>>> Serial Number: 166 (0xa6)
>>>> Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>>>> Issuer: "CN=Certificate Authority,O=<example>.GOV"
>>>> Validity:
>>>> Not Before: Sun Sep 22 17:46:26 2013
>>>> Not After : Wed Sep 23 17:46:26 2015
>>>> Subject: "CN=comipa02.<example>.gov,O=<example>.GOV"
>>>> Subject Public Key Info:
>>>> Public Key Algorithm: PKCS #1 RSA Encryption
>>>> RSA Public Key:
>>>> Modulus:
>>>> Exponent: 65537 (0x10001)
>>>> Signed Extensions:
>>>> Name: Certificate Authority Key Identifier
>>>> Key ID:
>>>> ab:01:f6:f0:b1:f6:58:15:f9:0d:e6:35:83:44:ab:50:
>>>> c3:13:4b:16
>>>>
>>>> Name: Authority Information Access
>>>> Method: PKIX Online Certificate Status Protocol
>>>> Location:
>>>> URI: "http://comipa01.<example>.gov:80/ca/ocsp"
>>>>
>>>> Name: Certificate Key Usage
>>>> Critical: True
>>>> Usages: Digital Signature
>>>> Non-Repudiation
>>>> Key Encipherment
>>>> Data Encipherment
>>>>
>>>> Name: Extended Key Usage
>>>> TLS Web Server Authentication Certificate
>>>> TLS Web Client Authentication Certificate
>>>>
>>>> Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>>>> Signature:
>>>> Fingerprint (SHA-256):
>>>> DD:B0:8E:6B:5F:61:D1:7C:29:ED:CB:8C:8D:7E:9F:94:BE:40:E7:8B:AD:55:ED:14:E9:32:C4:7A:F0:0A:F3:2C
>>>> Fingerprint (SHA1):
>>>> 88:51:F1:8F:3A:BD:7E:24:0D:4D:4A:CE:94:FB:A9:75:14:82:58:FA
>>>>
>>>> Certificate Trust Flags:
>>>> SSL Flags:
>>>> User
>>>> Email Flags:
>>>> User
>>>> Object Signing Flags:
>>>> User
>>>>
>>>> #ipa-getkeytab -s compia02.itmodev.gov -p host/comipa02.itmodev.gov -k /etc/krb5.keytab
>>>> Kerberos User Principal not found. Do you have a valid Credential Cache?
>>> So, let's start here.
>>>
>>> First, above you have a typo: compia02.itmodev.gov versus comipa02.itmodev.gov. However, as this is your IPA master, I'm not sure why you need to re-retrieve its host keytab. Does user name resolution (getent passwd admin) work on the master? If it does, you *don't* need to change the existing keytab.
>>>
>>> Second, in the output below we can see that certmonger needs a PIN for the request to proceed:
>>>> #ipa-getcert list
>>>> Number of certificates and requests being tracked: 2.
>>>> Request ID '20151007150853':
>>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>> 'Newly added request needs a PIN to read the key material'
>>>
>>>> stuck: yes
>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
>>>> CA: IPA
>>>> issuer:
>>>> subject:
>>>> expires: unknown
>>>> pre-save command:
>>>> post-save command:
>>>> track: yes
>>>> auto-renew: yes
>>>
>>> The PIN is in /etc/httpd/alias/pwdfile.txt; to supply it to certmonger, you need to re-submit the request and specify the pin:
>>>
>>> ipa-getcert resubmit -i 20151007150853 -p
>>> /etc/httpd/alias/pwdfile.txt
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>
>> --
>> / Alexander Bokovoy
>>
>>
>
>
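An added example, not part of the thread: a small Python audit of `getcert list` output that flags the conditions raised above (fewer than the eight tracked certs an IPA 3.0 master with a CA should show, a non-MONITORING status, a ca-error, an already-expired certificate, and an httpd Server-Cert with no post-save restart command). The sample output and hostnames are constructed, modelled on the listings in this thread.

```python
"""Audit ``getcert list`` output for the failure signs seen in this thread."""
from datetime import datetime, timezone

# Constructed sample modelled on the thread's output; hostnames are placeholders.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20150922143354':
        status: NEED_TO_SUBMIT
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        expires: 2013-10-09 11:45:01 UTC
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
Request ID '20151007150853':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: -504 (peer certificate cannot be authenticated).
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        expires: 2015-09-23 17:46:26 UTC
        post-save command:
"""
EXPECTED_TRACKED = 8  # an IPA 3.0 master with its own CA tracks eight certs


def parse_ts(text):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def parse_getcert(text):
    """Return (tracked_count, [request dicts]) from getcert list output."""
    tracked, reqs, cur = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Number of certificates"):
            tracked = int(line.rstrip(".").rsplit(" ", 1)[1])
        elif line.startswith("Request ID"):
            cur = {"id": line.split("'")[1]}
            reqs.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.partition(":")  # split on the first colon only
            cur[key.strip()] = val.strip()
    return tracked, reqs


def audit(text, now_utc, expected=EXPECTED_TRACKED):
    """Return (request id, problem) pairs; '*' means the whole tracking set."""
    now = parse_ts(now_utc)
    tracked, reqs = parse_getcert(text)
    problems = []
    if tracked is not None and tracked < expected:
        problems.append(("*", f"only {tracked} of {expected} expected certs tracked"))
    for r in reqs:
        rid = r["id"]
        if r.get("status") != "MONITORING":
            problems.append((rid, f"status {r.get('status')}"))
        if r.get("ca-error"):
            problems.append((rid, "ca-error: " + r["ca-error"]))
        if r.get("expires", "unknown") != "unknown" and parse_ts(r["expires"]) < now:
            problems.append((rid, "expired " + r["expires"]))
        if "/etc/httpd/alias" in r.get("key pair storage", "") and not r.get("post-save command"):
            problems.append((rid, "no post-save command, httpd is not restarted after renewal"))
    return problems
```

Feed it the real output (`getcert list > out.txt`) and the current time to get a checklist of what to fix before resubmitting requests.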