[Freeipa-users] IPA certificates expired, please help!
Rob Crittenden
rcritten at redhat.com
Wed Jul 20 14:08:34 UTC 2016
Glad you got the certificates successfully renewed.
Can you open a new e-mail thread on this new problem so we can keep the
issues separated?
IPA gets little information back when dogtag fails to install. You need
to look in /var/log/<something>/debug for more information. The exact
location depends on the version of IPA.
rob
Linov Suresh wrote:
> Great! That worked, and I successfully renewed the certificates on
> the IPA server. I was then trying to create an IPA replica server and got
> an error:
>
> [root at neit-lab ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders --skip-conncheck /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg
> Directory Manager (existing master) password:
> Configuring NTP daemon (ntpd)
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server for the CA (pkids): Estimated time 30 seconds
>   [1/3]: creating directory server user
>   [2/3]: creating directory server instance
>   [3/3]: restarting directory server
> Done configuring directory server for the CA (pkids).
> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>   [1/17]: creating certificate server user
>   [2/17]: creating pki-ca instance
>   [3/17]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent
> ConfigureCA -cs_hostname neit-lab.teloip.net -cs_port 9445 -client_certdb_dir
> /tmp/tmp-QAXI9A -client_certdb_pwd XXXXXXXX -preop_pin UpMxkDYjV90WLL041tDU
> -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX
> -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
> -agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET -ldap_host neit-lab.teloip.net -ldap_port 7389
> -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca
> -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX
> -subsystem_name pki-cad -token_name internal
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET
> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET
> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TELOIP.NET
> -ca_server_cert_subject_name CN=neit-lab.teloip.net,O=TELOIP.NET
> -ca_audit_signing_cert_subject_name CN=CA Audit,O=TELOIP.NET
> -ca_sign_cert_subject_name CN=Certificate Authority,O=TELOIP.NET
> -external false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX
> -sd_hostname caer.teloip.net -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX
> -clone_start_tls true -clone_uri https://caer.teloip.net:443' returned non-zero exit status 255
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> Configuration of CA failed
> [root at neit-lab ~]#
>
> I did a clean up using /usr/sbin/ipa-server-install --uninstall but it
> wasn't helpful. Wondering if you can help us on this,
>
>
>
> On Tue, Jul 19, 2016 at 10:50 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Linov Suresh wrote:
>
> I have followed Redhat official documentation,
> https://access.redhat.com/solutions/643753 for certificate renewal,
> which says "add: usercertificate" (step 12).
>
> While on the other hand the FreeIPA official documentation,
> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal , says to
> "add: usercertificate;binary".
>
> Just wondering if we need to "add" the certificate or "replace" the
> existing certificate, and which format do we need to use, PEM or DER?
>
> We already successfully renewed the certificates about months
> back, but they expired about 6 months back and we were not able to
> renew till now, and this is affecting our production environment.
>
> Please help us.
>
>
> You shouldn't have to mess with these values at all. In 3.0 this is
> handled somewhat automatically.
>
> I'd restart the CA, then certmonger and see if the communication
> error goes away for the CA subservice certificates (the internal error).
>
> # service pki-cad restart
> <pause a bit>
> # service certmonger restart
>
> I find it very strange that the certificates were set to expire
> yesterday but it isn't a show-stopper necessarily assuming you can
> get the CA back up.
>
> Assuming you can, then go back in time again, this time just a few
> days and try renewing the LDAP and Apache server certs again.
>
> rob
>
>
> On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh <linov.suresh at gmail.com> wrote:
>
> We have cloned and created another virtual server from the template.
> Surprisingly, this server's certificates also expired at the same
> time as the previous one's; they just lasted for a day.
> Does this issue have something to do with the Kerberos tickets?
>
> I am new to IPA and your help is highly appreciated.
>
> On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh <linov.suresh at gmail.com> wrote:
>
> Update: my webserver and LDAP certificates expired at
> 2016-07-18 15:54:36 UTC and the certificates are in
> CA_UNREACHABLE state.
>
> Could you please help us?
>
> [root at caer tmp]# getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20111214223243':
>   status: CA_UNREACHABLE
>   ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>   stuck: yes
>   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>   certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
>   CA: IPA
>   issuer: CN=Certificate Authority,O=TELOIP.NET
>   subject: CN=caer.teloip.net,O=TELOIP.NET
>   expires: 2016-07-18 15:54:36 UTC
>   eku: id-kp-serverAuth
>   pre-save command:
>   post-save command:
>   track: yes
>   auto-renew: yes
> Request ID '20111214223300':
>   status: CA_UNREACHABLE
>   ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>   stuck: yes
>   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>   certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>   CA: IPA
>   issuer: CN=Certificate Authority,O=TELOIP.NET
>   subject: CN=caer.teloip.net,O=TELOIP.NET
>   expires: 2016-07-18 15:54:52 UTC
>   eku: id-kp-serverAuth
>   pre-save command:
>   post-save command:
>   track: yes
>   auto-renew: yes
> Request ID '20111214223316':
>   status: CA_UNREACHABLE
>   ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>   stuck: yes
>   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>   CA: IPA
>   issuer: CN=Certificate Authority,O=TELOIP.NET
>   subject: CN=caer.teloip.net,O=TELOIP.NET
>   expires: 2016-07-18 15:55:04 UTC
>   eku: id-kp-serverAuth
>   pre-save command:
>   post-save command:
>   track: yes
>   auto-renew: yes
> Request ID '20130519130741':
>   status: MONITORING
>   ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
>   stuck: no
>   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-renew-agent
>   issuer: CN=Certificate Authority,O=TELOIP.NET
>   subject: CN=CA Audit,O=TELOIP.NET
>   expires: 2017-10-13 14:10:49 UTC
>   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20130519130742':
>   status: MONITORING
>   ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>   stuck: no
>   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-renew-agent
>   issuer: CN=Certificate Authority,O=TELOIP.NET
>   subject: CN=OCSP Subsystem,O=TELOIP.NET
>   expires: 2017-10-13 14:09:49 UTC
>   eku: id-kp-OCSPSigning
>   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20130519130743':
>   status: MONITORING
>   ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>   stuck: no
>   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-renew-agent
>   issuer: CN=Certificate Authority,O=TELOIP.NET
>   subject: CN=CA Subsystem,O=TELOIP.NET
>   expires: 2017-10-13 14:09:49 UTC
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20130519130744':
>   status: MONITORING
>   ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>   CA: dogtag-ipa-renew-agent
>   issuer: CN=Certificate Authority,O=TELOIP.NET
>   subject: CN=RA Subsystem,O=TELOIP.NET
>   expires: 2017-10-13 14:09:49 UTC
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command:
>   post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>   track: yes
>   auto-renew: yes
> Request ID '20130519130745':
>   status: MONITORING
>   ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>   stuck: no
>   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-renew-agent
>   issuer: CN=Certificate Authority,O=TELOIP.NET
>   subject: CN=caer.teloip.net,O=TELOIP.NET
>   expires: 2017-10-13 14:09:49 UTC
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command:
>   post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
>   track: yes
>   auto-renew: yes
>
> On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh <linov.suresh at gmail.com> wrote:
>
> Yes, PKI is running and I don't see any errors in selftests.
> I have followed https://access.redhat.com/solutions/643753
> and restarted the PKI in step 10.
>
> The only change which I made was to clean up userCertificate;binary
> before adding the new userCertificate in LDAP, which is step 12.
>
>
> [root at caer ~]# /etc/init.d/pki-cad status
> pki-ca (pid 8634) is running...                            [  OK  ]
>     Unsecure Port       = http://caer.teloip.net:9180/ca/ee/ca
>     Secure Agent Port   = https://caer.teloip.net:9443/ca/agent/ca
>     Secure EE Port      = https://caer.teloip.net:9444/ca/ee/ca
>     Secure Admin Port   = https://caer.teloip.net:9445/ca/services
>     EE Client Auth Port = https://caer.teloip.net:9446/ca/eeca/ca
>     PKI Console Port    = pkiconsole https://caer.teloip.net:9445/ca
>     Tomcat Port         = 9701 (for shutdown)
>
>     PKI Instance Name:   pki-ca
>
>     PKI Subsystem Type:  Root CA (Security Domain)
>
>     Registered PKI Security Domain Information:
>     ==========================================================================
>     Name:  IPA
>     URL:   https://caer.teloip.net:9445
>     ==========================================================================
> [root at caer ~]#
> [root at caer ~]# tail -f /var/log/pki-ca/selftests.log
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence: CA is present
> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification: system certs verification success
> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!
>
> Your help is highly appreciated!
>
> Linov Suresh
>
> 70 Forest Manor Rd.
> Toronto
> ON M2J 0A9
> Mobile: +1 647 406 9438
> Linkedin: ca.linkedin.com/in/linov/
> Website: http://mylinuxthoughts.blogspot.com
>
>
> On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik <pvoborni at redhat.com> wrote:
>
> On 07/18/2016 05:45 AM, Linov Suresh wrote:
> > Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and
> > certmonger. Looks like certificates were renewed. But I'm getting a different
> > error now,
> >
> > ca-error: Internal error: no response to
> > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>
> Is PKI running? When you change the time, does a restart of IPA help?
>
> >
> > [root at caer ~]# getcert list
> > Number of certificates and requests being tracked: 8.
> > Request ID '20111214223243':
> >   status: MONITORING
> >   stuck: no
> >   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
> >   certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
> >   CA: IPA
> >   issuer: CN=Certificate Authority,O=TELOIP.NET
> >   subject: CN=caer.teloip.net,O=TELOIP.NET
> >   expires: 2016-07-18 15:54:36 UTC
> >   eku: id-kp-serverAuth
> >   pre-save command:
> >   post-save command:
> >   track: yes
> >   auto-renew: yes
> > Request ID '20111214223300':
> >   status: MONITORING
> >   stuck: no
> >   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> >   certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> >   CA: IPA
> >   issuer: CN=Certificate Authority,O=TELOIP.NET
> >   subject: CN=caer.teloip.net,O=TELOIP.NET
> >   expires: 2016-07-18 15:54:52 UTC
> >   eku: id-kp-serverAuth
> >   pre-save command:
> >   post-save command:
> >   track: yes
> >   auto-renew: yes
> > Request ID '20111214223316':
> >   status: MONITORING
> >   stuck: no
> >   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> >   CA: IPA
> >   issuer: CN=Certificate Authority,O=TELOIP.NET
> >   subject: CN=caer.teloip.net,O=TELOIP.NET
> >   expires: 2016-07-18 15:55:04 UTC
> >   eku: id-kp-serverAuth
> >   pre-save command:
> >   post-save command:
> >   track: yes
> >   auto-renew: yes
> > Request ID '20130519130741':
> >   status: MONITORING
> >   ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
> >   stuck: no
> >   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> >   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> >   CA: dogtag-ipa-renew-agent
> >   issuer: CN=Certificate Authority,O=TELOIP.NET
> >   subject: CN=CA Audit,O=TELOIP.NET
> >   expires: 2017-10-13 14:10:49 UTC
> >   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
> >   track: yes
> >   auto-renew: yes
> > Request ID '20130519130742':
> >   status: MONITORING
> >   ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
> >   stuck: no
> >   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> >   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> >   CA: dogtag-ipa-renew-agent
> >   issuer: CN=Certificate Authority,O=TELOIP.NET
> >   subject: CN=OCSP Subsystem,O=TELOIP.NET
> >   expires: 2017-10-13 14:09:49 UTC
> >   eku: id-kp-OCSPSigning
> >   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
> >   track: yes
> >   auto-renew: yes
> > Request ID '20130519130743':
> >   status: MONITORING
> >   ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
> >   stuck: no
> >   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> >   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> >   CA: dogtag-ipa-renew-agent
> >   issuer: CN=Certificate Authority,O=TELOIP.NET
> >   subject: CN=CA Subsystem,O=TELOIP.NET
> >   expires: 2017-10-13 14:09:49 UTC
> >   eku: id-kp-serverAuth,id-kp-clientAuth
> >   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> >   track: yes
> >   auto-renew: yes
> > Request ID '20130519130744':
> >   status: MONITORING
> >   ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
> >   stuck: no
> >   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> >   CA: dogtag-ipa-renew-agent
> >   issuer: CN=Certificate Authority,O=TELOIP.NET
> >   subject: CN=RA Subsystem,O=TELOIP.NET
> >   expires: 2017-10-13 14:09:49 UTC
> >   eku: id-kp-serverAuth,id-kp-clientAuth
> >   pre-save command:
> >   post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> >   track: yes
> >   auto-renew: yes
> > Request ID '20130519130745':
> >   status: MONITORING
> >   ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
> >   stuck: no
> >   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> >   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> >   CA: dogtag-ipa-renew-agent
> >   issuer: CN=Certificate Authority,O=TELOIP.NET
> >   subject: CN=caer.teloip.net,O=TELOIP.NET
> >   expires: 2017-10-13 14:09:49 UTC
> >   eku: id-kp-serverAuth,id-kp-clientAuth
> >   pre-save command:
> >   post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
> >   track: yes
> >   auto-renew: yes
> > [root at caer ~]#
> >
> > Your help is highly appreciated!
> >
> > On Fri, Jul 15, 2016 at 5:08 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> >
> >
> > Linov Suresh wrote:
> >
> > I logged into my IPA master, and found that the cert had expired again,
> > we renewed these certificates about 18 months ago.
> >
> > Our environment is CentOS 6.4 and IPA 3.0.0-26.
> >
> > I followed the Redhat documentation, "How do I manually renew Identity
> > Management (IPA) certificates after they have expired? (Master IPA
> > Server)", https://access.redhat.com/solutions/643753 but no luck.
> >
> > I have also changed the directive "NSSEnforceValidCerts off" in
> > /etc/httpd/conf.d/nss.conf and the value of nsslapd-validate-cert is warn.
> >
> > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w ******* -b cn=config | grep nsslapd-validate-cert
> >
> > nsslapd-validate-cert: warn
> >
> > Here is my getcert list,
> >
> > [root at caer ~]# getcert list
> >
> >
> > It looks like your CA subsystem certificates all renewed successfully, it is
> > just the webserver and LDAP certificates that need renewing, so that's good.
> >
> > What I'd do is go back in time again to say Jan 20, 2016 and restart
> > certmonger. That should make it retry the renewals.
> >
> > rob
> >
>
> --
> Petr Vobornik
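The thread's diagnosis hinges on reading `getcert list` by eye: an `expires:` timestamp in the past, `status: CA_UNREACHABLE`, `stuck: yes`, or a `ca-error:` line saying the CA gave no response. The script below is an added example (written for this page; it is not from the thread, certmonger or FreeIPA) that parses that output into records and flags exactly those conditions, so the check can run from cron or a monitoring agent instead of being noticed after the certificates have already lapsed. It assumes the text layout `getcert list` prints (a `Request ID '...':` header followed by indented `key: value` lines), as shown in the thread; the sample input, host names and pin values are constructed, not copied from the list.

```python
"""Audit `getcert list` output for expired, stuck or erroring certificates.

Added example, not from the thread or from certmonger/FreeIPA. It assumes the
text layout `getcert list` prints (a "Request ID '...':" header followed by
indented "key: value" lines), as seen in the thread.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the thread's output; names and values are made up.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20111214223243':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
    stuck: yes
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.TEST
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2016-07-18 15:54:36 UTC
    eku: id-kp-serverAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20130519130741':
    status: MONITORING
    ca-error: Internal error: no response to "http://ipa.example.test:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
    stuck: no
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    subject: CN=CA Audit,O=EXAMPLE.TEST
    expires: 2017-10-13 14:10:49 UTC
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20130519130744':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    subject: CN=RA Subsystem,O=EXAMPLE.TEST
    expires: 2016-08-10 10:00:00 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':$")
NICK_RE = re.compile(r"nickname='(?P<nick>[^']*)'")
TIME_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_utc(text):
    """Parse a timestamp in the 'YYYY-MM-DD HH:MM:SS UTC' form getcert prints."""
    return datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Split `getcert list` output into one dict of key/value fields per request."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group("id")}
            records.append(current)
            continue
        if current is None or ":" not in line:
            continue  # preamble ("Number of certificates ...") or blank line
        key, _, value = line.partition(":")  # first colon separates key from value
        current[key.strip()] = value.strip()
    return records


def assess(record, now, warn_days=28):
    """Return the findings for one tracked request, in a fixed order."""
    findings = []
    if "expires" in record:
        exp = parse_utc(record["expires"])
        if exp <= now:
            findings.append("EXPIRED")
        elif exp - now <= timedelta(days=warn_days):
            findings.append("EXPIRES_SOON")
    if record.get("status") != "MONITORING":
        findings.append("STATUS_" + record.get("status", "UNKNOWN"))
    if record.get("stuck") == "yes":
        findings.append("STUCK")
    if record.get("ca-error"):  # renewal was attempted but the CA did not answer
        findings.append("CA_ERROR")
    if record.get("auto-renew") != "yes":
        findings.append("NO_AUTO_RENEW")
    return findings


def audit(text, now_text):
    """Audit a full `getcert list` dump against a reference time (same format)."""
    now = parse_utc(now_text)
    out = []
    for rec in parse_getcert_list(text):
        nick = NICK_RE.search(rec.get("certificate", ""))
        out.append((rec["request_id"], nick.group("nick") if nick else "?", assess(rec, now)))
    return out


if __name__ == "__main__":
    # Reference time fixed to the day after the thread's expiry so the run is reproducible.
    for request_id, nick, findings in audit(SAMPLE, "2016-07-19 12:00:00 UTC"):
        print(f"{request_id}  {nick:32}  {', '.join(findings) or 'ok'}")
```

In production the reference time would be `datetime.now(timezone.utc)` and the input would be the live output of `getcert list`; the point of the design is that a `MONITORING` status alone is not a healthy signal, since the thread shows MONITORING entries that still carry a `ca-error`, so the checker reports every condition independently rather than collapsing them into one status.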