[Freeipa-users] IPA certificates expired, please help!

Linov Suresh linov.suresh at gmail.com
Wed Jul 20 19:41:49 UTC 2016


I have restarted pki-cad and checked whether communication with the CA is
working, but no luck.

Debug logs in /var/log/pki-ca do not have anything unusual. Can you think
of anything other than this?

[root at caer ~]# ipa cert-show 1
  Certificate: [base64 certificate body omitted]
  Subject: CN=Certificate Authority,O=TELOIP.NET
  Issuer: CN=Certificate Authority,O=TELOIP.NET
  Not Before: Wed Dec 14 22:29:56 2011 UTC
  Not After: Sat Dec 14 22:29:56 2019 UTC
  Fingerprint (MD5): c9:27:1d:84:4c:2c:97:38:a4:7b:9a:c0:78:3e:7f:7a
  Fingerprint (SHA1): ce:d7:11:84:70:dd:cb:4e:e2:08:f5:c0:ac:ff:b3:c5:bb:81:77:7e
  Serial number (hex): 0x1
  Serial number: 1
[root at caer ~]#


ca-error: Internal error: no response to
"http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".





On Wed, Jul 20, 2016 at 2:22 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Linov Suresh wrote:
>
>> Thanks for your help Rob, I will create a separate thread for the IPA
>> replication issue. But we are still getting
>>
>> ca-error: Internal error: no response to
>> "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>>
>> Could you please help us to fix this?
>>
>
> I think your CA isn't quite fixed yet. I'd restart pki-cad then do
> something like: ipa cert-show 1
>
> You should get back a cert (doesn't really matter what cert).
>
> Otherwise I'd check the CA debug log somewhere in /var/log/pki
>
> rob
>
>
>>
>> On Wed, Jul 20, 2016 at 10:08 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>>     Glad you got the certificates successfully renewed.
>>
>>     Can you open a new e-mail thread on this new problem so we can keep
>>     the issues separated?
>>
>>     IPA gets little information back when dogtag fails to install. You
>>     need to look in /var/log/<something>/debug for more information. The
>>     exact location depends on the version of IPA.
>>
>>     rob
>>
>>     Linov Suresh wrote:
>>
>>         Great! That worked, and I successfully renewed the certificates on
>>         the IPA server. I was then trying to create an IPA replica server
>>         and got an error:
>>
>>         [root at neit-lab ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders --skip-conncheck /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg
>>         Directory Manager (existing master) password:
>>         Configuring NTP daemon (ntpd)
>>           [1/4]: stopping ntpd
>>           [2/4]: writing configuration
>>           [3/4]: configuring ntpd to start on boot
>>           [4/4]: starting ntpd
>>         Done configuring NTP daemon (ntpd).
>>         Configuring directory server for the CA (pkids): Estimated time 30 seconds
>>           [1/3]: creating directory server user
>>           [2/3]: creating directory server instance
>>           [3/3]: restarting directory server
>>         Done configuring directory server for the CA (pkids).
>>         Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>>           [1/17]: creating certificate server user
>>           [2/17]: creating pki-ca instance
>>           [3/17]: configuring certificate server instance
>>         ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname neit-lab.teloip.net -cs_port 9445 -client_certdb_dir /tmp/tmp-QAXI9A -client_certdb_pwd XXXXXXXX -preop_pin UpMxkDYjV90WLL041tDU -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET -ldap_host neit-lab.teloip.net -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TELOIP.NET -ca_server_cert_subject_name CN=neit-lab.teloip.net,O=TELOIP.NET -ca_audit_signing_cert_subject_name CN=CA Audit,O=TELOIP.NET -ca_sign_cert_subject_name CN=Certificate Authority,O=TELOIP.NET -external false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX -sd_hostname caer.teloip.net -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri https://caer.teloip.net:443' returned non-zero exit status 255
>>         Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>         Configuration of CA failed
>>         [root at neit-lab ~]#
>>
>>         I did a clean up using /usr/sbin/ipa-server-install --uninstall
>>         but it wasn't helpful. Wondering if you can help us on this,
>>
>>
>>
>>         On Tue, Jul 19, 2016 at 10:50 AM, Rob Crittenden
>>         <rcritten at redhat.com> wrote:
>>
>>              Linov Suresh wrote:
>>
>>                  I have followed the Red Hat official documentation,
>>                  https://access.redhat.com/solutions/643753 for certificate
>>                  renewal, which says add: usercertificate (step 12).
>>
>>                  While on the other hand the FreeIPA official documentation
>>                  http://www.freeipa.org/page/IPA_2x_Certificate_Renewal says to
>>                  add: usercertificate;binary
>>
>>                  Just wondering if we need to add the certificate, or replace
>>                  the existing certificate, and which format do we need to
>>                  use? pem or der.
>>
>>                  We already successfully renewed the certificates about months
>>                  back, but they expired about 6 months back and we were not
>>                  able to renew till now, and it is affecting our production
>>                  environment.
>>
>>                  Please help us.
>>
>>
>>              You shouldn't have to mess with these values at all. In 3.0
>>              this is handled somewhat automatically.
>>
>>              I'd restart the CA, then certmonger and see if the communication
>>              error goes away for the CA subservice certificates (the
>>              internal error).
>>
>>              # service pki-cad restart
>>              <pause a bit>
>>              # service certmonger restart
>>
>>              I find it very strange that the certificates were set to expire
>>              yesterday but it isn't a show-stopper necessarily assuming you
>>              can get the CA back up.
>>
>>              Assuming you can, then go back in time again, this time just a
>>              few days and try renewing the LDAP and Apache server certs again.
>>
>>              rob
>>
>>
>>                  On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh
>>                  <linov.suresh at gmail.com> wrote:
>>
>>                       We have cloned and created another virtual server
>>                       from the template. Surprisingly this server's
>>                       certificates also expired at the same time as the
>>                       previous one, just lasted for a day. Does this issue
>>                       have something to do with the Kerberos tickets?
>>
>>                       I am new to IPA and your help is highly appreciated.
>>
>>                       On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh
>>                       <linov.suresh at gmail.com> wrote:
>>
>>                           Update: my webserver and LDAP certificates expired
>>                           at 2016-07-18 15:54:36 UTC and the certificates are
>>                           in CA_UNREACHABLE state.
>>
>>                           Could you please help us?
>>
>>                           [root at caer tmp]# getcert list
>>                           Number of certificates and requests being tracked: 8.
>>                           Request ID '20111214223243':
>>                                   status: CA_UNREACHABLE
>>                                   ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
>>                                   stuck: yes
>>                                   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>>                                   certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
>>                                   CA: IPA
>>                                   issuer: CN=Certificate Authority,O=TELOIP.NET
>>                                   subject: CN=caer.teloip.net,O=TELOIP.NET
>>                                   expires: 2016-07-18 15:54:36 UTC
>>                                   eku: id-kp-serverAuth
>>                                   pre-save command:
>>                                   post-save command:
>>                                   track: yes
>>                                   auto-renew: yes
>>                           Request ID '20111214223300':
>>                                   status: CA_UNREACHABLE
>>                                   ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
>>                                   stuck: yes
>>                                   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>>                                   certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>                                   CA: IPA
>>                                   issuer: CN=Certificate Authority,O=TELOIP.NET
>>                                   subject: CN=caer.teloip.net,O=TELOIP.NET
>>                                   expires: 2016-07-18 15:54:52 UTC
>>                                   eku: id-kp-serverAuth
>>                                   pre-save command:
>>                                   post-save command:
>>                                   track: yes
>>                                   auto-renew: yes
>>                           Request ID '20111214223316':
>>                                   status: CA_UNREACHABLE
>>                                   ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
>>                                   stuck: yes
>>                                   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>                                   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>                                   CA: IPA
>>                                   issuer: CN=Certificate Authority,O=TELOIP.NET
>>                                   subject: CN=caer.teloip.net,O=TELOIP.NET
>>                                   expires: 2016-07-18 15:55:04 UTC
>>                                   eku: id-kp-serverAuth
>>                                   pre-save command:
>>                                   post-save command:
>>                                   track: yes
>>                                   auto-renew: yes
>>                           Request ID '20130519130741':
>>                                   status: MONITORING
>>                                   ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
>>                                   stuck: no
>>                                   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>                                   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>                                   CA: dogtag-ipa-renew-agent
>>                                   issuer: CN=Certificate Authority,O=TELOIP.NET
>>                                   subject: CN=CA Audit,O=TELOIP.NET
>>                                   expires: 2017-10-13 14:10:49 UTC
>>                                   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>                                   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>                                   track: yes
>>                                   auto-renew: yes
>>                           Request ID '20130519130742':
>>                                   status: MONITORING
>>                                   ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>>                                   stuck: no
>>                                   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>                                   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>                                   CA: dogtag-ipa-renew-agent
>>                                   issuer: CN=Certificate Authority,O=TELOIP.NET
>>                                   subject: CN=OCSP Subsystem,O=TELOIP.NET
>>                                   expires: 2017-10-13 14:09:49 UTC
>>                                   eku: id-kp-OCSPSigning
>>                                   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>                                   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>                                   track: yes
>>                                   auto-renew: yes
>>                           Request ID '20130519130743':
>>                                   status: MONITORING
>>                                   ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>>                                   stuck: no
>>                                   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>                                   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>                                   CA: dogtag-ipa-renew-agent
>>                                   issuer: CN=Certificate Authority,O=TELOIP.NET
>>                                   subject: CN=CA Subsystem,O=TELOIP.NET
>>                                   expires: 2017-10-13 14:09:49 UTC
>>                                   eku: id-kp-serverAuth,id-kp-clientAuth
>>                                   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>                                   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>                                   track: yes
>>                                   auto-renew: yes
>>                           Request ID '20130519130744':
>>                                   status: MONITORING
>>                                   ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
>>                                   stuck: no
>>                                   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>                                   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>                                   CA: dogtag-ipa-renew-agent
>>                                   issuer: CN=Certificate Authority,O=TELOIP.NET
>>                                   subject: CN=RA Subsystem,O=TELOIP.NET
>>                                   expires: 2017-10-13 14:09:49 UTC
>>                                   eku: id-kp-serverAuth,id-kp-clientAuth
>>                                   pre-save command:
>>                                   post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>                                   track: yes
>>                                   auto-renew: yes
>>                           Request ID '20130519130745':
>>                                   status: MONITORING
>>                                   ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>>                                   stuck: no
>>                                   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>                                   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>                                   CA: dogtag-ipa-renew-agent
>>                                   issuer: CN=Certificate Authority,O=TELOIP.NET
>>                                   subject: CN=caer.teloip.net,O=TELOIP.NET
>>                                   expires: 2017-10-13 14:09:49 UTC
>>                                   eku: id-kp-serverAuth,id-kp-clientAuth
>>                                   pre-save command:
>>                                   post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
>>                                   track: yes
>>                                   auto-renew: yes
>>
>>                           On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh
>>                           <linov.suresh at gmail.com> wrote:
>>
>>                               Yes, PKI is running and I don't see any errors
>>                               in selftests. I have followed
>>                               https://access.redhat.com/solutions/643753
>>                               and restarted the PKI in step 10.
>>
>>                               The only change which I made was to clean
>>                               up userCertificate;binary before adding the new
>>                               userCertificate in LDAP, which is step 12.
>>
>>
>>                               [root at caer ~]# /etc/init.d/pki-cad status
>>                               pki-ca (pid 8634) is running...                            [  OK  ]
>>                                   Unsecure Port       = http://caer.teloip.net:9180/ca/ee/ca
>>                                   Secure Agent Port   = https://caer.teloip.net:9443/ca/agent/ca
>>                                   Secure EE Port      = https://caer.teloip.net:9444/ca/ee/ca
>>                                   Secure Admin Port   = https://caer.teloip.net:9445/ca/services
>>                                   EE Client Auth Port = https://caer.teloip.net:9446/ca/eeca/ca
>>                                   PKI Console Port    = pkiconsole https://caer.teloip.net:9445/ca
>>                                   Tomcat Port         = 9701 (for shutdown)
>>
>>                                   PKI Instance Name:   pki-ca
>>
>>                                   PKI Subsystem Type:  Root CA (Security Domain)
>>
>>                                   Registered PKI Security Domain Information:
>>
>>                                   ==========================================================================
>>                                   Name:  IPA
>>                                   URL:   https://caer.teloip.net:9445
>>                                   ==========================================================================
>>                               [root at caer ~]#
>>                               [root at caer ~]# tail -f /var/log/pki-ca/selftests.log
>>                               8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading all self test plugin logger parameters
>>                               8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading all self test plugin instances
>>                               8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading all self test plugin instance parameters
>>                               8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading self test plugins in on-demand order
>>                               8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading self test plugins in startup order
>>                               8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
>>                               8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
>>                               8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence: CA is present
>>                               8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification: system certs verification success
>>                               8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!
>>                               Your help is highly appreciated!
>>
>>                                   Linov Suresh
>>
>>                                   70 Forest Manor Rd.
>>                                   Toronto
>>                                   ON M2J 0A9
>>                                   Mobile: +1 647 406 9438
>>                                   Linkedin: ca.linkedin.com/in/linov/
>>                                   Website: http://mylinuxthoughts.blogspot.com
>>
>>
>>                               On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik
>>                               <pvoborni at redhat.com> wrote:
>>
>>                                   On 07/18/2016 05:45 AM, Linov Suresh wrote:
>>                                   > Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and
>>                                   > certmonger. Looks like certificates were renewed. But I'm getting a different
>>                                   > error now,
>>                                   >
>>                                   > ca-error: Internal error: no response to
>>                                   > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>>
>>                                   Is PKI running? When you change the time, does restart of IPA help?
>>
>>                                   >
>>                                   > [root at caer ~]# getcert list
>>                                   > Number of certificates and requests being tracked: 8.
>>                                   > Request ID '20111214223243':
>>                                   >          status: MONITORING
>>                                   >          stuck: no
>>                                   >          key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>>                                   >          certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
>>                                   >          CA: IPA
>>                                   >          issuer: CN=Certificate Authority,O=TELOIP.NET
>>                                   >          subject: CN=caer.teloip.net
>
>
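The getcert list output quoted in this thread is what an administrator reads to decide which tracked certificates are blocked and in what order to recover them. The Python below is an added example, not code from the thread, from FreeIPA or from certmonger: it parses that output format, flags the conditions seen above (expired certificates, CA_UNREACHABLE and stuck requests, the "Internal error: no response" renewal failure) and extracts the serial number from the failed profileSubmit URL so it can be checked with ipa cert-show. The sample output is constructed in the same format; the hostnames, realm and NSS pin in it are placeholders.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the format of `getcert list` (hostnames, realm and
# NSS pin are placeholders, not values from the thread).
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20111214223243':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-TEST//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.TEST
        subject: CN=ipa.example.test,O=EXAMPLE.TEST
        expires: 2016-07-18 15:54:36 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
Request ID '20130519130743':
        status: MONITORING
        ca-error: Internal error: no response to "http://ipa.example.test:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='XXXXXXXX'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.TEST
        subject: CN=CA Subsystem,O=EXAMPLE.TEST
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
SERIAL_RE = re.compile(r"[?&]serial_num=(\d+)")


def parse_getcert_list(text):
    """One dict per tracked request; each indented 'key: value' line is split
    on its first colon only, so URLs and timestamps in values stay intact."""
    requests, current = [], None
    for raw in text.splitlines():
        m = REQUEST_RE.match(raw)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in raw:
            continue
        key, _, value = raw.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def parse_utc(value):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' timestamp into an aware datetime."""
    naive = datetime.strptime(value.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)


def renewal_serial(req):
    """Serial number certmonger tried to renew, read from the failed profileSubmit URL."""
    m = SERIAL_RE.search(req.get("ca-error", ""))
    return int(m.group(1)) if m else None


def triage(requests, now_utc):
    """Map request id -> problems found (requests without problems are omitted)."""
    now = parse_utc(now_utc)
    findings = {}
    for req in requests:
        problems = []
        if "expires" in req and parse_utc(req["expires"]) <= now:
            problems.append("expired")
        if req.get("status") == "CA_UNREACHABLE":
            problems.append("ca-unreachable")
        if req.get("stuck") == "yes":
            problems.append("stuck")
        if "Internal error: no response" in req.get("ca-error", ""):
            problems.append("ca-no-response")
        if problems:
            findings[req["request_id"]] = problems
    return findings


def renewal_order(requests):
    """Put the requests renewed through dogtag-ipa-renew-agent (CA subsystem and
    RA agent certs) first: the thread's advice is to get the CA back up before
    retrying the LDAP and Apache server certs that the IPA CA issues."""
    first = [r for r in requests if r.get("CA") == "dogtag-ipa-renew-agent"]
    rest = [r for r in requests if r.get("CA") != "dogtag-ipa-renew-agent"]
    return first + rest


if __name__ == "__main__":
    reqs = parse_getcert_list(SAMPLE_GETCERT_OUTPUT)
    for rid, problems in triage(reqs, "2016-07-20 19:41:49 UTC").items():
        print(rid, ", ".join(problems))
    for r in renewal_order(reqs):
        print(r["request_id"], r.get("subject"), "serial:", renewal_serial(r))
```

To run it against a live host, replace SAMPLE_GETCERT_OUTPUT with the captured output of `getcert list` and pass the current UTC time.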