[Freeipa-users] IPA certificates expired, please help!
Linov Suresh
linov.suresh at gmail.com
Thu Jul 21 14:04:51 UTC 2016
This could be because of incorrect trust attributes on the certificates. The
current attributes are:
[root at caer ~]# certutil -L -d /var/lib/pki-ca/alias

Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca          u,u,Pu
subsystemCert cert-pki-ca            u,u,Pu
caSigningCert cert-pki-ca            CTu,Cu,Cu
subsystemCert cert-pki-ca            u,u,Pu
Server-Cert cert-pki-ca              u,u,u
auditSigningCert cert-pki-ca         u,u,Pu
I'm going to fix the trust attributes and try.
On Thu, Jul 21, 2016 at 9:45 AM, Petr Vobornik <pvoborni at redhat.com> wrote:
> On 07/20/2016 09:41 PM, Linov Suresh wrote:
> > I have restarted the pki-cad and checked if communication with the CA is
> > working, but no luck,
> >
> > Debug logs in /var/log/pki-ca do not have anything unusual. Can you
> think of
> > anything other than this?
>
> /var/log/httpd/error_log when /etc/ipa.conf is set to debug=true
>
> https://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data
>
> /var/log/pki-ca/debug
> /var/log/pki-ca/transactions
> /var/log/pki-ca/selftest.log
>
> >
> > [root at caer ~]# ipa cert-show 1
> > Certificate:
> MIIDizCCAnOgAwIBAgIBATANBgkqhkiG9w0BAQsFADA1MRMwEQYDVQQKEwpURUxP
> > SVAuTkVUMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTExMjE0
> > MjIyOTU2WhcNMTkxMjE0MjIyOTU2WjA1MRMwEQYDVQQKEwpURUxPSVAuTkVUMR4w
> > HAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUA
> > A4IBDwAwggEKAoIBAQDegJ5XVR0JSc76s9FPkkkuug3PtZi5Ysad0Dr1I5ngjTOV
> > ctm/P7buk2g8LxBSXLO+7Rq7PTtTD5AJ7vQjrv2RtoYTPdRebAuukTKd6RhtYa5e
> > tX7z0DBjQ8g9Erqf9GzLxlQqim8ZvscATBhf6MLb5cXA/pWHYuE2j0OlnrSNWqsb
> > UgwMsM73RlsNACsvLUk4iJY0wuxj4L/0EBQWUPGr8qBk3QBST4LDnInuvvGsAFNe
> > tyebENMRWnEaDFYKPapACrtKAl3hQNDB7dVGk64Dd7paXss9F8vgVnofgFpjiJs7
> > 5DNtKhKxzFQyanINU+uuIVs/CNIO3jV9I26ems2zAgMBAAGjgaUwgaIwHwYDVR0j
> > BBgwFoAUx5/ZpwOfXZQ5KNwC42cBW+Y+bGIwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
> > HQ8BAf8EBAMCAcYwHQYDVR0OBBYEFMef2acDn12UOSjcAuNnAVvmPmxiMD8GCCsG
> > AQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2NhZXIudGVsb2lwLm5ldDo5
> > MTgwL2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAHGElN0OcepokvNIN8f4mvTj
> > kL9wcuZwbbX9gZGdKSZf5Redp4tsJW8EJCy8yu9F5U+Ym3RcvJBiby9gHCVVbW+y
> > 5IgziiJ3kd4UlVJCDVKtbdq62bODcatFsMH8wJSMW6Cw096RyfGgu2qSyXzdZ2xV
> > nMovO3+Eaz2n0x4ZvaEj9Ixym/KI+QPCAL7gPkK36X4JYgM3CXUCYCN/QJY/psFt
> > e+121ubSZX5u3Yntux4KziJ3cx9wZ74iKff1BOVxOCi0JyLn2k15bvBXGvxxgmhK
> > b8YUVbDJDb9oWSbixl/TQI9PZysXYIvBNJM8h+HRKIJksKGQhKOERzrYoqABt30=
> >   Subject: CN=Certificate Authority,O=TELOIP.NET
> >   Issuer: CN=Certificate Authority,O=TELOIP.NET
> >   Not Before: Wed Dec 14 22:29:56 2011 UTC
> >   Not After: Sat Dec 14 22:29:56 2019 UTC
> >   Fingerprint (MD5): c9:27:1d:84:4c:2c:97:38:a4:7b:9a:c0:78:3e:7f:7a
> >   Fingerprint (SHA1): ce:d7:11:84:70:dd:cb:4e:e2:08:f5:c0:ac:ff:b3:c5:bb:81:77:7e
> >   Serial number (hex): 0x1
> >   Serial number: 1
> > [root at caer ~]#
> >
> > *ca-error: Internal error: no response to
> > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".*
> >
> >
> >
> > On Wed, Jul 20, 2016 at 2:22 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> >
> > Linov Suresh wrote:
> >
> > Thanks for your help Rob, I will create a separate thread for the IPA
> > replication issue. But we are still getting
> >
> > *ca-error: Internal error: no response to
> > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".*
> >
> > Could you please help us to fix this?
> >
> >
> > I think your CA isn't quite fixed yet. I'd restart pki-cad then do
> > something like: ipa cert-show 1
> >
> > You should get back a cert (doesn't really matter what cert).
> >
> > Otherwise I'd check the CA debug log somewhere in /var/log/pki
> >
> > rob
> >
> >
> >
> > On Wed, Jul 20, 2016 at 10:08 AM, Rob Crittenden <rcritten at redhat.com> wrote:
> >
> > Glad you got the certificates successfully renewed.
> >
> > Can you open a new e-mail thread on this new problem so we can keep
> > the issues separated?
> >
> > IPA gets little information back when dogtag fails to install. You
> > need to look in /var/log/<something>/debug for more information. The
> > exact location depends on the version of IPA.
> >
> > rob
> >
> > Linov Suresh wrote:
> >
> > Great! That worked, and I successfully renewed the certificates on
> > the IPA server. Then I was trying to create an IPA replica server
> > and got an error:
> >
> > [root at neit-lab ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders --skip-conncheck /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg
> > Directory Manager (existing master) password:
> > Configuring NTP daemon (ntpd)
> >   [1/4]: stopping ntpd
> >   [2/4]: writing configuration
> >   [3/4]: configuring ntpd to start on boot
> >   [4/4]: starting ntpd
> > Done configuring NTP daemon (ntpd).
> > Configuring directory server for the CA (pkids): Estimated time 30 seconds
> >   [1/3]: creating directory server user
> >   [2/3]: creating directory server instance
> >   [3/3]: restarting directory server
> > Done configuring directory server for the CA (pkids).
> > Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
> >   [1/17]: creating certificate server user
> >   [2/17]: creating pki-ca instance
> >   [3/17]: configuring certificate server instance
> > ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname neit-lab.teloip.net -cs_port 9445 -client_certdb_dir /tmp/tmp-QAXI9A -client_certdb_pwd XXXXXXXX -preop_pin UpMxkDYjV90WLL041tDU -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET -ldap_host neit-lab.teloip.net -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TELOIP.NET -ca_server_cert_subject_name CN=neit-lab.teloip.net,O=TELOIP.NET -ca_audit_signing_cert_subject_name CN=CA Audit,O=TELOIP.NET -ca_sign_cert_subject_name CN=Certificate Authority,O=TELOIP.NET -external false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX -sd_hostname caer.teloip.net -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri https://caer.teloip.net:443' returned non-zero exit status 255
> > Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > Configuration of CA failed
> > [root at neit-lab ~]#
> >
> > I did a clean up using /usr/sbin/ipa-server-install --uninstall but it
> > wasn't helpful. Wondering if you can help us on this,
> >
> >
> >
> > On Tue, Jul 19, 2016 at 10:50 AM, Rob Crittenden <rcritten at redhat.com> wrote:
> >
> > Linov Suresh wrote:
> >
> > I have followed Redhat official documentation,
> > https://access.redhat.com/solutions/643753 for certificate renewal,
> > which says *add: usercertificate* (step 12).
> >
> > While on the other hand FreeIPA official documentation
> > http://www.freeipa.org/page/IPA_2x_Certificate_Renewal says to
> > *add: usercertificate;binary*
> >
> > Just wondering if we need to *add* the certificate, or *replace* the
> > existing certificate, and which format do we need to use? *pem* or *der*.
> >
> > We already successfully renewed the certificates about months back, but
> > they were expired about 6 months back and we were not able to renew till
> > now, and it is affecting our production environment.
> >
> > Please help us.
> >
> >
> > You shouldn't have to mess with these values at all. In 3.0 this is
> > handled somewhat automatically.
> >
> > I'd restart the CA, then certmonger and see if the communication
> > error goes away for the CA subservice certificates (the internal error).
> >
> > # service pki-cad restart
> > <pause a bit>
> > # service certmonger restart
> >
> > I find it very strange that the certificates were set to expire
> > yesterday but it isn't a show-stopper necessarily assuming you can
> > get the CA back up.
> >
> > Assuming you can, then go back in time again, this time just a few
> > days and try renewing the LDAP and Apache server certs again.
> >
> > rob
> >
> >
> > On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh <linov.suresh at gmail.com> wrote:
> >
> > We have cloned and created another virtual server from the template.
> > Surprisingly this server's certificates were also expired at the same
> > time as the previous one; they just lasted for a day. Does this issue
> > have something to do with the kerberos tickets?
> >
> > I am new to IPA and your help is highly appreciated.
> >
> > On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh <linov.suresh at gmail.com> wrote:
> >
> > *Update: my webserver and LDAP certificates were expired at
> > 2016-07-18 15:54:36 UTC and the certificates are in CA_UNREACHABLE state.*
> >
> > *Could you please help us?*
> >
> > [root at caer tmp]# getcert list
> > Number of certificates and requests being tracked: 8.
> > Request ID '20111214223243':
> >         status: CA_UNREACHABLE
> >         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
> >         stuck: yes
> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=TELOIP.NET
> >         subject: CN=caer.teloip.net,O=TELOIP.NET
> >         *expires: 2016-07-18 15:54:36 UTC*
> >         eku: id-kp-serverAuth
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> > Request ID '20111214223300':
> >         status: CA_UNREACHABLE
> >         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
> >         stuck: yes
> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=TELOIP.NET
> >         subject: CN=caer.teloip.net,O=TELOIP.NET
> >         *expires: 2016-07-18 15:54:52 UTC*
> >         eku: id-kp-serverAuth
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> > Request ID '20111214223316':
> >         status: CA_UNREACHABLE
> >         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
> >         stuck: yes
> >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=TELOIP.NET
> >         subject: CN=caer.teloip.net,O=TELOIP.NET
> >         *expires: 2016-07-18 15:55:04 UTC*
> >         eku: id-kp-serverAuth
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> > Request ID '20130519130741':
> >         status: MONITORING
> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=TELOIP.NET
> >         subject: CN=CA Audit,O=TELOIP.NET
> >         expires: 2017-10-13 14:10:49 UTC
> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
> >         track: yes
> >         auto-renew: yes
> > Request ID '20130519130742':
> >         status: MONITORING
> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=TELOIP.NET
> >         subject: CN=OCSP Subsystem,O=TELOIP.NET
> >         expires: 2017-10-13 14:09:49 UTC
> >         eku: id-kp-OCSPSigning
> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
> >         track: yes
> >         auto-renew: yes
> > Request ID '20130519130743':
> >         status: MONITORING
> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=TELOIP.NET
> >         subject: CN=CA Subsystem,O=TELOIP.NET
> >         expires: 2017-10-13 14:09:49 UTC
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> >         track: yes
> >         auto-renew: yes
> > Request ID '20130519130744':
> >         status: MONITORING
> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=TELOIP.NET
> >         subject: CN=RA Subsystem,O=TELOIP.NET
> >         expires: 2017-10-13 14:09:49 UTC
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> >         track: yes
> >         auto-renew: yes
> > Request ID '20130519130745':
> >         status: MONITORING
> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=TELOIP.NET
> >         subject: CN=caer.teloip.net,O=TELOIP.NET
> >         expires: 2017-10-13 14:09:49 UTC
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
> >         track: yes
> >         auto-renew: yes
> >
> > On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh <linov.suresh at gmail.com> wrote:
> >
> > Yes, PKI is running and I don't see any errors in selftests.
> > I have followed https://access.redhat.com/solutions/643753
> > and restarted the PKI in step 10.
> >
> > The only change which I made was cleaning up userCertificate;binary
> > before adding the new userCertificate in LDAP, which is step 12.
> >
> > [root at caer ~]# /etc/init.d/pki-cad status
> > pki-ca (pid 8634) is running...                            [  OK  ]
> >     Unsecure Port       = http://caer.teloip.net:9180/ca/ee/ca
> >     Secure Agent Port   = https://caer.teloip.net:9443/ca/agent/ca
> >     Secure EE Port      = https://caer.teloip.net:9444/ca/ee/ca
> >     Secure Admin Port   = https://caer.teloip.net:9445/ca/services
> >     EE Client Auth Port = https://caer.teloip.net:9446/ca/eeca/ca
> >     PKI Console Port    = pkiconsole https://caer.teloip.net:9445/ca
> >     Tomcat Port         = 9701 (for shutdown)
> >
> >     PKI Instance Name:   pki-ca
> >
> >     PKI Subsystem Type:  Root CA (Security Domain)
> >
> >     Registered PKI Security Domain Information:
> >     ==========================================================================
> >     Name:  IPA
> >     URL:   https://caer.teloip.net:9445
> >     ==========================================================================
> > [root at caer ~]#
> > [root at caer ~]# tail -f /var/log/pki-ca/selftests.log
> > 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
> > 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances
> > 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
> > 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
> > 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
> > 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
> > 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
> > 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence: CA is present
> > 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification: system certs verification success
> > 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!
> >
> > Your help is highly appreciated!
> >
> > Linov Suresh
> >
> > 70 Forest Manor Rd.
> > Toronto
> > ON M2J 0A9
> > Mobile: +1 647 406 9438
> > Linkedin: ca.linkedin.com/in/linov/
> > Website: http://mylinuxthoughts.blogspot.com
> >
> >
> > On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik <pvoborni at redhat.com> wrote:
> >
> > On 07/18/2016 05:45 AM, Linov Suresh wrote:
> > > Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and
> > > certmonger. Looks like the certificates were renewed. But I'm getting a
> > > different error now,
> > >
> > > *ca-error: Internal error: no response to
> > > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".*
> >
> > Is PKI running? When you change the time, does a restart of IPA help?
> >
> > >
> > > [root at caer ~]# getcert list
> > > Number of certificates and requests being tracked: 8.
> > > Request ID '20111214223243':
> > >         status: MONITORING
> > >         stuck: no
> > >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
> > >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
> > >         CA: IPA
> > >         issuer: CN=Certificate Authority,O=TELOIP.NET
> > >         subject: CN=caer.teloip.net
> >
> >
>
> --
> Petr Vobornik
>
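As an added example (not code from this thread, and not part of FreeIPA or certmonger), the script below parses the two diagnostics quoted above: the `certutil -L` trust flags on the Dogtag NSS database, and `getcert list`. It reports nicknames that appear twice in the NSS DB (the thread's output lists subsystemCert cert-pki-ca twice), emits `certutil -M` commands for flags that differ from the values a FreeIPA 3.x Dogtag instance normally carries (the EXPECTED_TRUST table is an assumption to confirm against a healthy master before applying), flags tracked requests that are not MONITORING, are stuck, carry a ca-error or have already expired, and computes a clock date a few days before the earliest expiry for the "go back in time" renewal Rob describes. Both sample inputs are constructed from output in this thread.

```python
# Added example, not code from the thread or from FreeIPA: parse the two
# diagnostics quoted in this thread and report what needs attention.
import re
from datetime import datetime, timedelta, timezone

# Trust flags a FreeIPA 3.x Dogtag NSS DB normally carries (assumption; confirm
# against a healthy master before changing anything).
EXPECTED_TRUST = {
    "caSigningCert cert-pki-ca": "CTu,Cu,Cu",
    "ocspSigningCert cert-pki-ca": "u,u,u",
    "subsystemCert cert-pki-ca": "u,u,u",
    "Server-Cert cert-pki-ca": "u,u,u",
    "auditSigningCert cert-pki-ca": "u,u,Pu",
}
TRUST_RE = re.compile(r"^(?P<nick>.+?)\s+(?P<flags>[CTPcpuw]*,[CTPcpuw]*,[CTPcpuw]*)$")
REQ_RE = re.compile(r"^Request ID '(?P<id>\d+)':$")
TIME_FMT = "%Y-%m-%d %H:%M:%S UTC"
THREAD_START = datetime(2016, 7, 19, tzinfo=timezone.utc)  # the day this thread opened

# Constructed sample: the `certutil -L` output from the top of the thread.
SAMPLE_CERTUTIL = """\
Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI
ocspSigningCert cert-pki-ca          u,u,Pu
subsystemCert cert-pki-ca            u,u,Pu
caSigningCert cert-pki-ca            CTu,Cu,Cu
subsystemCert cert-pki-ca            u,u,Pu
Server-Cert cert-pki-ca              u,u,u
auditSigningCert cert-pki-ca         u,u,Pu
"""
# Constructed sample shaped like `getcert list`: three of the thread's eight requests.
SAMPLE_GETCERT = """\
Request ID '20111214223243':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        expires: 2016-07-18 15:54:36 UTC
Request ID '20111214223316':
        status: CA_UNREACHABLE
        stuck: yes
        expires: 2016-07-18 15:55:04 UTC
Request ID '20130519130741':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
        expires: 2017-10-13 14:10:49 UTC
"""

def parse_certutil(text):
    """Rows (nickname, flags) from `certutil -L`; duplicates are kept on purpose."""
    rows = []
    for line in text.splitlines():
        m = TRUST_RE.match(line.strip())
        if m:
            rows.append((m.group("nick"), m.group("flags")))
    return rows

def audit_trust(rows, expected=EXPECTED_TRUST, nssdb="/var/lib/pki-ca/alias"):
    """Return (certutil -M commands for wrong flags, nicknames listed twice)."""
    count, fixes = {}, {}
    for nick, flags in rows:
        count[nick] = count.get(nick, 0) + 1
        want = expected.get(nick)
        if want and flags != want:
            fixes[nick] = f'certutil -M -d {nssdb} -n "{nick}" -t {want}'
    return list(fixes.values()), sorted(n for n, c in count.items() if c > 1)

def parse_getcert(text):
    """One dict per tracked request, keyed by the field names getcert prints."""
    reqs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQ_RE.match(line)
        if m:
            cur = {"id": m.group("id")}
            reqs.append(cur)
        elif cur is not None and ": " in line:
            key, _, val = line.partition(": ")
            cur[key] = val
    return reqs

def expiry(req):
    return datetime.strptime(req["expires"], TIME_FMT).replace(tzinfo=timezone.utc)

def triage(reqs, now):
    """Map request id -> problems: not MONITORING, stuck, ca-error, or expired."""
    problems = {}
    for r in reqs:
        issues = [f"status {r.get('status')}"] if r.get("status") != "MONITORING" else []
        issues += ["stuck"] * (r.get("stuck") == "yes") + ["ca-error"] * ("ca-error" in r)
        if "expires" in r and expiry(r) <= now:
            issues.append("expired " + r["expires"])
        if issues:
            problems[r["id"]] = issues
    return problems

def clock_target(reqs, margin_days=3):
    """'Go back in time' date: a few days before the earliest tracked expiry."""
    return min(expiry(r) for r in reqs if "expires" in r) - timedelta(days=margin_days)

if __name__ == "__main__":
    print(audit_trust(parse_certutil(SAMPLE_CERTUTIL)))
    reqs = parse_getcert(SAMPLE_GETCERT)
    print(triage(reqs, THREAD_START), clock_target(reqs).strftime(TIME_FMT))
```

Feed it real output with `certutil -L -d /var/lib/pki-ca/alias` and `getcert list` in place of the samples. Resolve a duplicated nickname before running any `certutil -M` it prints, since two certificates under one nickname make every lookup by name ambiguous; and treat the clock date only as a starting point, since the CA's own certificates must also be valid at that date for the renewal requests to succeed.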