[Freeipa-users] IPA certificates expired, please help!
Petr Vobornik
pvoborni at redhat.com
Thu Jul 21 13:45:03 UTC 2016
On 07/20/2016 09:41 PM, Linov Suresh wrote:
> I have restarted the pki-cad and checked if communication with the CA is
> working, but no luck.
>
> Debug logs in /var/log/pki-ca do not have anything unusual. Can you think of
> anything other than this?
/var/log/httpd/error_log when /etc/ipa.conf is set to debug=true
https://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data
/var/log/pki-ca/debug
/var/log/pki-ca/transactions
/var/log/pki-ca/selftest.log
>
> [root at caer ~]# ipa cert-show 1
> Certificate: MIIDizCCAnOgAwIBAgIBATANBgkqhkiG9w0BAQsFADA1MRMwEQYDVQQKEwpURUxP
> SVAuTkVUMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTExMjE0
> MjIyOTU2WhcNMTkxMjE0MjIyOTU2WjA1MRMwEQYDVQQKEwpURUxPSVAuTkVUMR4w
> HAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUA
> A4IBDwAwggEKAoIBAQDegJ5XVR0JSc76s9FPkkkuug3PtZi5Ysad0Dr1I5ngjTOV
> ctm/P7buk2g8LxBSXLO+7Rq7PTtTD5AJ7vQjrv2RtoYTPdRebAuukTKd6RhtYa5e
> tX7z0DBjQ8g9Erqf9GzLxlQqim8ZvscATBhf6MLb5cXA/pWHYuE2j0OlnrSNWqsb
> UgwMsM73RlsNACsvLUk4iJY0wuxj4L/0EBQWUPGr8qBk3QBST4LDnInuvvGsAFNe
> tyebENMRWnEaDFYKPapACrtKAl3hQNDB7dVGk64Dd7paXss9F8vgVnofgFpjiJs7
> 5DNtKhKxzFQyanINU+uuIVs/CNIO3jV9I26ems2zAgMBAAGjgaUwgaIwHwYDVR0j
> BBgwFoAUx5/ZpwOfXZQ5KNwC42cBW+Y+bGIwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
> HQ8BAf8EBAMCAcYwHQYDVR0OBBYEFMef2acDn12UOSjcAuNnAVvmPmxiMD8GCCsG
> AQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2NhZXIudGVsb2lwLm5ldDo5
> MTgwL2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAHGElN0OcepokvNIN8f4mvTj
> kL9wcuZwbbX9gZGdKSZf5Redp4tsJW8EJCy8yu9F5U+Ym3RcvJBiby9gHCVVbW+y
> 5IgziiJ3kd4UlVJCDVKtbdq62bODcatFsMH8wJSMW6Cw096RyfGgu2qSyXzdZ2xV
> nMovO3+Eaz2n0x4ZvaEj9Ixym/KI+QPCAL7gPkK36X4JYgM3CXUCYCN/QJY/psFt
> e+121ubSZX5u3Yntux4KziJ3cx9wZ74iKff1BOVxOCi0JyLn2k15bvBXGvxxgmhK
> b8YUVbDJDb9oWSbixl/TQI9PZysXYIvBNJM8h+HRKIJksKGQhKOERzrYoqABt30=
> Subject: CN=Certificate Authority,O=TELOIP.NET
> Issuer: CN=Certificate Authority,O=TELOIP.NET
> Not Before: Wed Dec 14 22:29:56 2011 UTC
> Not After: Sat Dec 14 22:29:56 2019 UTC
> Fingerprint (MD5): c9:27:1d:84:4c:2c:97:38:a4:7b:9a:c0:78:3e:7f:7a
> Fingerprint (SHA1): ce:d7:11:84:70:dd:cb:4e:e2:08:f5:c0:ac:ff:b3:c5:bb:81:77:7e
> Serial number (hex): 0x1
> Serial number: 1
> [root at caer ~]#
>
> ca-error: Internal error: no response to
> "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>
> On Wed, Jul 20, 2016 at 2:22 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Linov Suresh wrote:
>
> Thanks for your help Rob, I will create a separate thread for the IPA
> replication issue. But we are still getting
>
> ca-error: Internal error: no response to
> "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>
> Could you please help us to fix this?
>
>
> I think your CA isn't quite fixed yet. I'd restart pki-cad then do something
> like: ipa cert-show 1
>
> You should get back a cert (doesn't really matter what cert).
>
> Otherwise I'd check the CA debug log somewhere in /var/log/pki
>
> rob
>
>
>
> On Wed, Jul 20, 2016 at 10:08 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Glad you got the certificates successfully renewed.
>
> Can you open a new e-mail thread on this new problem so we can keep
> the issues separated?
>
> IPA gets little information back when dogtag fails to install. You
> need to look in /var/log/<something>/debug for more information. The
> exact location depends on the version of IPA.
>
> rob
>
> Linov Suresh wrote:
>
> Great! That worked, and I successfully renewed the certificates on
> the IPA server. I was then trying to create an IPA replica server and
> got an error:
>
> [root at neit-lab ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders --skip-conncheck /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg
> Directory Manager (existing master) password:
> Configuring NTP daemon (ntpd)
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server for the CA (pkids): Estimated time 30 seconds
>   [1/3]: creating directory server user
>   [2/3]: creating directory server instance
>   [3/3]: restarting directory server
> Done configuring directory server for the CA (pkids).
> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>   [1/17]: creating certificate server user
>   [2/17]: creating pki-ca instance
>   [3/17]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA
>   -cs_hostname neit-lab.teloip.net -cs_port 9445
>   -client_certdb_dir /tmp/tmp-QAXI9A -client_certdb_pwd XXXXXXXX
>   -preop_pin UpMxkDYjV90WLL041tDU -domain_name IPA
>   -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX
>   -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
>   -agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET
>   -ldap_host neit-lab.teloip.net -ldap_port 7389
>   -bind_dn cn=Directory Manager -bind_password XXXXXXXX
>   -base_dn o=ipaca -db_name ipaca
>   -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA
>   -save_p12 true -backup_pwd XXXXXXXX
>   -subsystem_name pki-cad -token_name internal
>   -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET
>   -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET
>   -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TELOIP.NET
>   -ca_server_cert_subject_name CN=neit-lab.teloip.net,O=TELOIP.NET
>   -ca_audit_signing_cert_subject_name CN=CA Audit,O=TELOIP.NET
>   -ca_sign_cert_subject_name CN=Certificate Authority,O=TELOIP.NET
>   -external false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX
>   -sd_hostname caer.teloip.net -sd_admin_port 443
>   -sd_admin_name admin -sd_admin_password XXXXXXXX
>   -clone_start_tls true -clone_uri https://caer.teloip.net:443' returned non-zero exit status 255
> Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.
> Configuration of CA failed
> [root at neit-lab ~]#
>
> I did a clean up using /usr/sbin/ipa-server-install --uninstall
> but it wasn't helpful. Wondering if you can help us on this.
>
>
>
> On Tue, Jul 19, 2016 at 10:50 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Linov Suresh wrote:
>
> I have followed the Red Hat official documentation,
> https://access.redhat.com/solutions/643753, for certificate renewal,
> which says "add: usercertificate" (step 12).
>
> While on the other hand the FreeIPA official documentation,
> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal, says to
> "add: usercertificate;binary".
>
> Just wondering if we need to add the certificate or replace the
> existing certificate, and which format do we need to use? PEM or DER?
>
> We already successfully renewed the certificates about months back,
> but they expired about 6 months back and we were not able to renew
> till now, and it is affecting our production environment.
>
> Please help us.
>
>
> You shouldn't have to mess with these values at all. In 3.0 this is
> handled somewhat automatically.
>
> I'd restart the CA, then certmonger and see if the communication
> error goes away for the CA subservice certificates (the internal error).
>
> # service pki-cad restart
> <pause a bit>
> # service certmonger restart
>
> I find it very strange that the certificates were set to expire
> yesterday but it isn't a show-stopper necessarily assuming you can
> get the CA back up.
>
> Assuming you can, then go back in time again, this time just a few
> days and try renewing the LDAP and Apache server certs again.
>
> rob
>
>
> On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh <linov.suresh at gmail.com> wrote:
>
> We have cloned and created another virtual server from the template.
> Surprisingly this server's certificates were also expired at the same
> time as the previous, just lasted for a day.
> Does this issue have something to do with the Kerberos tickets?
>
> I am new to IPA and your help is highly appreciated.
>
> On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh <linov.suresh at gmail.com> wrote:
>
> Update: my webserver and LDAP certificates expired at
> 2016-07-18 15:54:36 UTC and the certificates are in
> CA_UNREACHABLE state.
>
> Could you please help us?
>
> [root at caer tmp]# getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20111214223243':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=TELOIP.NET
>         subject: CN=caer.teloip.net,O=TELOIP.NET
>         expires: 2016-07-18 15:54:36 UTC
>         eku: id-kp-serverAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20111214223300':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=TELOIP.NET
>         subject: CN=caer.teloip.net,O=TELOIP.NET
>         expires: 2016-07-18 15:54:52 UTC
>         eku: id-kp-serverAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20111214223316':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=TELOIP.NET
>         subject: CN=caer.teloip.net,O=TELOIP.NET
>         expires: 2016-07-18 15:55:04 UTC
>         eku: id-kp-serverAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20130519130741':
>         status: MONITORING
>         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=TELOIP.NET
>         subject: CN=CA Audit,O=TELOIP.NET
>         expires: 2017-10-13 14:10:49 UTC
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20130519130742':
>         status: MONITORING
>         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=TELOIP.NET
>         subject: CN=OCSP Subsystem,O=TELOIP.NET
>         expires: 2017-10-13 14:09:49 UTC
>         eku: id-kp-OCSPSigning
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20130519130743':
>         status: MONITORING
>         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=TELOIP.NET
>         subject: CN=CA Subsystem,O=TELOIP.NET
>         expires: 2017-10-13 14:09:49 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20130519130744':
>         status: MONITORING
>         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=TELOIP.NET
>         subject: CN=RA Subsystem,O=TELOIP.NET
>         expires: 2017-10-13 14:09:49 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>         track: yes
>         auto-renew: yes
> Request ID '20130519130745':
>         status: MONITORING
>         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=TELOIP.NET
>         subject: CN=caer.teloip.net,O=TELOIP.NET
>         expires: 2017-10-13 14:09:49 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
>         track: yes
>         auto-renew: yes
>
> On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh <linov.suresh at gmail.com> wrote:
>
> Yes, PKI is running and I don't see any errors in selftests.
> I have followed https://access.redhat.com/solutions/643753
> and restarted the PKI in step 10.
>
> The only change which I made was cleaning up userCertificate;binary
> before adding the new userCertificate in LDAP, which is step 12.
>
>
> [root at caer ~]# /etc/init.d/pki-cad status
> pki-ca (pid 8634) is running...                            [  OK  ]
>     Unsecure Port       = http://caer.teloip.net:9180/ca/ee/ca
>     Secure Agent Port   = https://caer.teloip.net:9443/ca/agent/ca
>     Secure EE Port      = https://caer.teloip.net:9444/ca/ee/ca
>     Secure Admin Port   = https://caer.teloip.net:9445/ca/services
>     EE Client Auth Port = https://caer.teloip.net:9446/ca/eeca/ca
>     PKI Console Port    = pkiconsole https://caer.teloip.net:9445/ca
>     Tomcat Port         = 9701 (for shutdown)
>
>     PKI Instance Name:   pki-ca
>
>     PKI Subsystem Type:  Root CA (Security Domain)
>
>     Registered PKI Security Domain Information:
>     ==========================================================================
>     Name:  IPA
>     URL:   https://caer.teloip.net:9445
>     ==========================================================================
> [root at caer ~]#
> [root at caer ~]# tail -f /var/log/pki-ca/selftests.log
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence: CA is present
> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification: system certs verification success
> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!
>
> Your help is highly appreciated!
>
> Linov Suresh
>
> 70 Forest Manor Rd.
> Toronto
> ON M2J 0A9
> Mobile: +1 647 406 9438
> Linkedin: ca.linkedin.com/in/linov/
> Website: http://mylinuxthoughts.blogspot.com
>
>
> On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik <pvoborni at redhat.com> wrote:
>
> On 07/18/2016 05:45 AM, Linov Suresh wrote:
> > Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and
> > certmonger. Looks like certificates were renewed. But I'm getting a different
> > error now,
> >
> > ca-error: Internal error: no response to
> > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>
> Is PKI running? When you change the time, does restart of IPA help?
>
> > [root at caer ~]# getcert list
> > Number of certificates and requests being tracked: 8.
> > Request ID '20111214223243':
> >         status: MONITORING
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=TELOIP.NET
> >         subject: CN=caer.teloip.net
>
>
--
Petr Vobornik
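The thread above turns on reading `getcert list` by eye: three requests sit in CA_UNREACHABLE with expired certificates, while the CA subsystem certificates report MONITORING yet carry a "no response to .../profileSubmit" ca-error that only shows up when the CA is actually polled. The following is an added example, not code from the thread or from FreeIPA or certmonger: a small Python parser for the `getcert list` layout quoted in the messages that flags every request which is stuck, has a ca-error, or is expired or within a warning window. The sample output is constructed in the same shape as the real command's output; the host names, realm and pin in it are placeholders, and the `check_getcert` helper and the 30-day threshold are choices made here.

```python
"""Flag certmonger requests that need attention, from `getcert list` output (added example, not from the thread)."""
import re
from datetime import datetime, timedelta, timezone

EXPIRES_FORMAT = "%Y-%m-%d %H:%M:%S UTC"   # the form getcert prints for "expires:"
REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")

# Constructed sample in the shape of real getcert output; host, realm and pin are placeholders.
SAMPLE_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20111214223243':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-TEST//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=ipa.example.test,O=EXAMPLE.TEST
        expires: 2016-07-18 15:54:36 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
Request ID '20130519130741':
        status: MONITORING
        ca-error: Internal error: no response to "http://ipa.example.test:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='XXXXXXXX'
        CA: dogtag-ipa-renew-agent
        subject: CN=CA Audit,O=EXAMPLE.TEST
        expires: 2017-10-13 14:10:49 UTC
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
Request ID '20130519130744':
        status: MONITORING
        stuck: no
        CA: dogtag-ipa-renew-agent
        subject: CN=RA Subsystem,O=EXAMPLE.TEST
        expires: 2017-10-13 14:09:49 UTC
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
"""


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the field names getcert prints."""
    requests = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = REQUEST_RE.match(line)
        if match:
            current = {"request_id": match.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue  # the "Number of certificates ..." header line
        # Split on the first colon only: ca-error text and NSSDB locations contain colons too.
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    return datetime.strptime(value, EXPIRES_FORMAT).replace(tzinfo=timezone.utc)


def assess(requests, now, warn_days=30):
    """Return (request_id, subject, [problems]) for every request that is not healthy at `now`."""
    findings = []
    for req in requests:
        problems = []
        status = req.get("status", "")
        if status != "MONITORING":
            problems.append(f"status {status}")
        if req.get("stuck") == "yes":
            problems.append("stuck")
        if req.get("ca-error"):  # MONITORING requests can still fail every renewal attempt
            problems.append("ca-error: " + req["ca-error"])
        if req.get("expires"):
            expires = parse_expiry(req["expires"])
            if expires <= now:
                problems.append(f"expired {req['expires']}")
            elif expires - now < timedelta(days=warn_days):
                problems.append(f"expires within {warn_days} days ({req['expires']})")
        if problems:
            findings.append((req["request_id"], req.get("subject", "?"), problems))
    return findings


def check_getcert(text, now_text):
    """Parse `text` and assess it at `now_text`, given in the same 'YYYY-MM-DD HH:MM:SS UTC' form."""
    return assess(parse_getcert_list(text), parse_expiry(now_text))


if __name__ == "__main__":
    # On a live server, feed in subprocess.check_output(["getcert", "list"], text=True) instead.
    for request_id, subject, problems in check_getcert(SAMPLE_OUTPUT, "2016-07-19 12:00:00 UTC"):
        print(request_id, subject, *("\n    - " + p for p in problems))
```

Run against the sample at a reference time of 2016-07-19, the first request is reported four times over (non-MONITORING status, stuck, ca-error, expired) and the audit-signing certificate is reported once, for its ca-error alone; the third request is silent. That second case is the one worth automating: a certificate that still has a year of validity but cannot be renewed looks fine in `getcert list` until its expiry date arrives.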