[Freeipa-users] IPA certificates expired, please help!
Linov Suresh
linov.suresh at gmail.com
Thu Jul 21 15:14:55 UTC 2016
I set debug=true in /etc/ipa/default.conf
Here are my logs,
*[root at caer ~]# tail -f /var/log/httpd/error_log*
[Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: WSGI
WSGIExecutioner.__call__:
[Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: raw: user_show(u'admin',
rights=False, all=False, raw=False, version=u'2.46')
[Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: user_show(u'admin',
rights=False, all=False, raw=False, version=u'2.46')
[Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: get_memberof:
entry_dn=uid=admin,cn=users,cn=accounts,dc=teloip,dc=net
memberof=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=teloip,dc=net'),
ipapython.dn.DN('cn=replication
administrators,cn=privileges,cn=pbac,dc=teloip,dc=net'),
ipapython.dn.DN('cn=add replication
agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'),
ipapython.dn.DN('cn=modify replication
agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'),
ipapython.dn.DN('cn=remove replication
agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'),
ipapython.dn.DN('cn=unlock user
accounts,cn=permissions,cn=pbac,dc=teloip,dc=net'),
ipapython.dn.DN('cn=manage service
keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=trust
admins,cn=groups,cn=accounts,dc=teloip,dc=net'), ipapython.dn.DN('cn=host
enrollment,cn=privileges,cn=pbac,dc=teloip,dc=net'),
ipapython.dn.DN('cn=manage host
keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'),
ipapython.dn.DN('cn=enroll a
host,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add
host password,cn=permissions,cn=pbac,dc=teloip,dc=net'),
ipapython.dn.DN('cn=add krbprincipalname to a
host,cn=permissions,cn=pbac,dc=teloip,dc=net')]
[Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: get_memberof: result
direct=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=teloip,dc=net'),
ipapython.dn.DN('cn=trust admins,cn=groups,cn=accounts,dc=teloip,dc=net')]
indirect=[ipapython.dn.DN('cn=replication
administrators,cn=privileges,cn=pbac,dc=teloip,dc=net'),
ipapython.dn.DN('cn=add replication
agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'),
ipapython.dn.DN('cn=modify replication
agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'),
ipapython.dn.DN('cn=remove replication
agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'),
ipapython.dn.DN('cn=unlock user
accounts,cn=permissions,cn=pbac,dc=teloip,dc=net'),
ipapython.dn.DN('cn=manage service
keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=host
enrollment,cn=privileges,cn=pbac,dc=teloip,dc=net'),
ipapython.dn.DN('cn=manage host
keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'),
ipapython.dn.DN('cn=enroll a
host,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add
host password,cn=permissions,cn=pbac,dc=teloip,dc=net'),
ipapython.dn.DN('cn=add krbprincipalname to a
host,cn=permissions,cn=pbac,dc=teloip,dc=net')]
[Thu Jul 21 11:00:38 2016] [error] ipa: INFO: admin at TELOIP.NET:
user_show(u'admin', rights=False, all=False, raw=False, version=u'2.46'):
SUCCESS
[Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: response: entries returned 1
[Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: Destroyed connection
context.ldap2
[Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: reading ccache data from
file "/var/run/ipa_memcached/krbcc_13554"
[Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: store session:
session_id=10c5de02f8ae0f3969b96ef0f2e3a96d
start_timestamp=2016-07-21T10:43:26 access_timestamp=2016-07-21T11:00:38
expiration_timestamp=2016-07-21T11:20:38
*[root at caer ~]# tail -f /var/log/pki-ca/debug*
[21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: curReqId:
9990001
[21/Jul/2016:11:08:29][CertStatusUpdateThread]: getElementAt: 1 mTop 107
[21/Jul/2016:11:08:29][CertStatusUpdateThread]: reverse direction getting
index 4
[21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: curReqId: 112
[21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue:
getLastRequestId : returning value 112
[21/Jul/2016:11:08:29][CertStatusUpdateThread]: Repository: mLastSerialNo:
112
[21/Jul/2016:11:08:29][CertStatusUpdateThread]: Serial numbers left in
range: 9989888
[21/Jul/2016:11:08:29][CertStatusUpdateThread]: Last Serial Number: 112
[21/Jul/2016:11:08:29][CertStatusUpdateThread]: Serial Numbers available:
9989888
[21/Jul/2016:11:08:29][CertStatusUpdateThread]: request checkRanges done
*[root at caer ~]# tail -f /var/log/pki-ca/transactions*
6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:17:00:00 EDT] [20] [1] CRL
Update completed. CRL ID: MasterCRL CRL Number: 8,912 last update time:
7/20/16 5:00 PM next update time: 7/20/16 9:00 PM Number of entries in the
CRL: 11 time: 25 CRL time: 25 delta CRL time: 0
(0,0,0,0,0,0,0,8,17,0,0,25,25)
6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:21:00:00 EDT] [20] [1] CRL
update started. CRL ID: MasterCRL CRL Number: 8,913 Delta CRL Enabled:
false CRL Cache Enabled: true Cache Recovery Enabled: true Cache
Cleared: false Cache: 11,0,0,0
6563.CRLIssuingPoint-MasterCRL - [20/Jul/2016:21:00:00 EDT] [20] [1] CRL
Update completed. CRL ID: MasterCRL CRL Number: 8,913 last update time:
7/20/16 9:00 PM next update time: 7/21/16 1:00 AM Number of entries in the
CRL: 11 time: 11 CRL time: 11 delta CRL time: 0
(0,0,0,0,0,0,0,6,5,0,0,11,11)
6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:01:00:00 EDT] [20] [1] CRL
update started. CRL ID: MasterCRL CRL Number: 8,914 Delta CRL Enabled:
false CRL Cache Enabled: true Cache Recovery Enabled: true Cache
Cleared: false Cache: 11,0,0,0
6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:01:00:00 EDT] [20] [1] CRL
Update completed. CRL ID: MasterCRL CRL Number: 8,914 last update time:
7/21/16 1:00 AM next update time: 7/21/16 5:00 AM Number of entries in the
CRL: 11 time: 13 CRL time: 13 delta CRL time: 0
(0,0,0,0,0,0,0,6,7,0,0,13,13)
6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:05:00:00 EDT] [20] [1] CRL
update started. CRL ID: MasterCRL CRL Number: 8,915 Delta CRL Enabled:
false CRL Cache Enabled: true Cache Recovery Enabled: true Cache
Cleared: false Cache: 11,0,0,0
6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:05:00:00 EDT] [20] [1] CRL
Update completed. CRL ID: MasterCRL CRL Number: 8,915 last update time:
7/21/16 5:00 AM next update time: 7/21/16 9:00 AM Number of entries in the
CRL: 11 time: 16 CRL time: 16 delta CRL time: 0
(0,0,0,0,0,0,0,8,8,0,0,16,16)
6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:09:00:00 EDT] [20] [1] CRL
update started. CRL ID: MasterCRL CRL Number: 8,916 Delta CRL Enabled:
false CRL Cache Enabled: true Cache Recovery Enabled: true Cache
Cleared: false Cache: 11,0,0,0
6563.CRLIssuingPoint-MasterCRL - [21/Jul/2016:09:00:00 EDT] [20] [1] CRL
Update completed. CRL ID: MasterCRL CRL Number: 8,916 last update time:
7/21/16 9:00 AM next update time: 7/21/16 1:00 PM Number of entries in the
CRL: 11 time: 13 CRL time: 13 delta CRL time: 0
(0,0,0,0,0,0,0,6,7,0,0,13,13)
10657.http-9443-2 - [21/Jul/2016:10:28:19 EDT] [20] [1] renewal reqID 112
fromAgent userID: ipara authenticated by certUserDBAuthMgr is completed DN
requested: CN=CA Audit,O=TELOIP.NET cert issued serial number: 0x47 time: 39
*[root at caer ~]# tail -f /var/log/pki-ca/selftests.log*
14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem:
loading all self test plugin logger parameters
14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem:
loading all self test plugin instances
14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem:
loading all self test plugin instance parameters
14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem:
loading self test plugins in on-demand order
14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem:
loading self test plugins in startup order
14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1] SelfTestSubsystem: Self
test plugins have been successfully loaded!
14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SelfTestSubsystem: Running
self test plugins specified to be executed at startup:
14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] CAPresence: CA is present
14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SystemCertsVerification:
system certs verification failure
14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1] SelfTestSubsystem: The
CRITICAL self test plugin called
selftests.container.instance.SystemCertsVerification running at startup
FAILED!
But interestingly, [root at caer ~]# ipa cert-show 1 returns "*ipa: ERROR:
Certificate operation cannot be completed: Unable to communicate with CMS
(Not Found)*"
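The two outputs this thread keeps coming back to, the NSS trust attributes from `certutil -L -d /var/lib/pki-ca/alias` and the tracking state from `getcert list`, are what an operator ends up reading by eye when the CA stops answering. The Python below is an added example, not code from the thread or from the FreeIPA project: it parses both outputs and reports nicknames whose trust flags differ from an assumed stock IPA/Dogtag layout, nicknames listed more than once, and tracking requests that are expired, stuck, not in MONITORING, or carrying a ca-error. The sample listings are constructed to mirror the thread, the EXPECTED_TRUST table and the fixed NOW timestamp are assumptions, and the pin value is a placeholder.

```python
"""Triage of certutil -L trust flags and getcert list state (added example)."""
import re
from datetime import datetime, timezone

# Assumption: trust flags a stock pki-ca NSS database is expected to carry
# (columns are SSL, S/MIME, JAR/XPI). Adjust to your own deployment.
EXPECTED_TRUST = {
    "caSigningCert cert-pki-ca": "CTu,Cu,Cu",
    "ocspSigningCert cert-pki-ca": "u,u,u",
    "subsystemCert cert-pki-ca": "u,u,u",
    "Server-Cert cert-pki-ca": "u,u,u",
    "auditSigningCert cert-pki-ca": "u,u,Pu",
}

# Constructed sample, modelled on the certutil -L listing quoted in the thread.
SAMPLE_CERTUTIL = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,Pu
subsystemCert cert-pki-ca                                    u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
subsystemCert cert-pki-ca                                    u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
"""

# Constructed sample: three of the eight tracked requests, pin masked.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 3.
Request ID '20111214223243':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2016-07-18 15:54:36 UTC
        track: yes
        auto-renew: yes
Request ID '20130519130741':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='XXXXXXXX'
        subject: CN=CA Audit,O=TELOIP.NET
        expires: 2017-10-13 14:10:49 UTC
        track: yes
        auto-renew: yes
Request ID '20130519130744':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        subject: CN=RA Subsystem,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        track: yes
        auto-renew: yes
"""

# Assumed "now": the time of the post, so the expired server certs are flagged.
NOW = datetime(2016, 7, 21, 15, 14, tzinfo=timezone.utc)

# A certutil row: nickname, two or more spaces, then three comma-separated flag groups.
TRUST_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<flags>[CTPcpu]*,[CTPcpu]*,[CTPcpu]*)\s*$")


def parse_certutil(text):
    """Return [(nickname, trust_flags), ...] in listing order; duplicates are kept."""
    return [(m.group("nick"), m.group("flags"))
            for m in map(TRUST_RE.match, text.splitlines()) if m]


def check_trust(entries, expected=EXPECTED_TRUST):
    """Findings for flags that differ from the expected table, plus duplicated nicknames."""
    findings, seen = [], {}
    for nick, flags in entries:
        seen[nick] = seen.get(nick, 0) + 1
        want = expected.get(nick)
        if want is None:
            findings.append(f"{nick}: unexpected nickname (flags {flags})")
        elif flags != want:
            findings.append(f"{nick}: trust flags {flags}, expected {want}")
    findings += [f"{n}: listed {c} times (duplicate nickname, check which one is current)"
                 for n, c in seen.items() if c > 1]
    return findings


def parse_getcert(text):
    """Split getcert list output into one {field: value} dict per Request ID."""
    requests, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1)}
            requests.append(cur)
        elif cur is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            cur[key.strip()] = value.strip()
    return requests


def triage_getcert(requests, now=NOW):
    """Findings for requests that are expired, not MONITORING, stuck, or carry a ca-error."""
    findings = []
    for r in requests:
        nick = re.search(r"nickname='([^']*)'", r.get("key pair storage", ""))
        label = f"{r['id']} ({nick.group(1) if nick else '?'})"
        if "expires" in r:
            when = datetime.strptime(re.sub(r"\s+UTC$", "", r["expires"]),
                                     "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            if when <= now:
                findings.append(f"{label}: expired at {r['expires']}")
        if r.get("status") != "MONITORING":
            findings.append(f"{label}: status {r.get('status')}")
        if r.get("stuck") == "yes":
            findings.append(f"{label}: stuck")
        if r.get("ca-error"):
            findings.append(f"{label}: ca-error: {r['ca-error']}")
    return findings


if __name__ == "__main__":
    for line in check_trust(parse_certutil(SAMPLE_CERTUTIL)) + triage_getcert(parse_getcert(SAMPLE_GETCERT)):
        print(line)
```

Against the constructed samples this reports the two `u,u,Pu` entries that differ from the assumed table, the twice-listed `subsystemCert cert-pki-ca`, the expired and stuck directory-server certificate, and the audit certificate whose renewal got no response from the CA. On a live host, capture `certutil -L -d /var/lib/pki-ca/alias` and `getcert list` to files and pass their text to the two parsers with the real current time.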
On Thu, Jul 21, 2016 at 10:04 AM, Linov Suresh <linov.suresh at gmail.com>
wrote:
> This could be because of incorrect trust attributes on the
> certificates, the current attributes are,
>
> [root at caer ~]# certutil -L -d /var/lib/pki-ca/alias
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> ocspSigningCert cert-pki-ca                                  u,u,Pu
> subsystemCert cert-pki-ca                                    u,u,Pu
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> subsystemCert cert-pki-ca                                    u,u,Pu
> Server-Cert cert-pki-ca                                      u,u,u
> auditSigningCert cert-pki-ca                                 u,u,Pu
>
> I'm going to fix the trust attributes and try.
>
> On Thu, Jul 21, 2016 at 9:45 AM, Petr Vobornik <pvoborni at redhat.com>
> wrote:
>
>> On 07/20/2016 09:41 PM, Linov Suresh wrote:
>> > I have restarted the pki-cad and checked if communication with the CA is working, but no luck,
>> >
>> > Debug logs in /var/log/pki-ca do not have anything unusual. Can you think of anything other than this?
>>
>> /var/log/httpd/error_log when /etc/ipa.conf is set to debug=true
>>
>> https://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data
>>
>> /var/log/pki-ca/debug
>> /var/log/pki-ca/transactions
>> /var/log/pki-ca/selftest.log
>>
>> >
>> > [root at caer ~]# ipa cert-show 1
>> >   Certificate: MIIDizCCAnOgAwIBAgIBATANBgkqhkiG9w0BAQsFADA1MRMwEQYDVQQKEwpURUxP
>> > SVAuTkVUMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTExMjE0
>> > MjIyOTU2WhcNMTkxMjE0MjIyOTU2WjA1MRMwEQYDVQQKEwpURUxPSVAuTkVUMR4w
>> > HAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUA
>> > A4IBDwAwggEKAoIBAQDegJ5XVR0JSc76s9FPkkkuug3PtZi5Ysad0Dr1I5ngjTOV
>> > ctm/P7buk2g8LxBSXLO+7Rq7PTtTD5AJ7vQjrv2RtoYTPdRebAuukTKd6RhtYa5e
>> > tX7z0DBjQ8g9Erqf9GzLxlQqim8ZvscATBhf6MLb5cXA/pWHYuE2j0OlnrSNWqsb
>> > UgwMsM73RlsNACsvLUk4iJY0wuxj4L/0EBQWUPGr8qBk3QBST4LDnInuvvGsAFNe
>> > tyebENMRWnEaDFYKPapACrtKAl3hQNDB7dVGk64Dd7paXss9F8vgVnofgFpjiJs7
>> > 5DNtKhKxzFQyanINU+uuIVs/CNIO3jV9I26ems2zAgMBAAGjgaUwgaIwHwYDVR0j
>> > BBgwFoAUx5/ZpwOfXZQ5KNwC42cBW+Y+bGIwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
>> > HQ8BAf8EBAMCAcYwHQYDVR0OBBYEFMef2acDn12UOSjcAuNnAVvmPmxiMD8GCCsG
>> > AQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2NhZXIudGVsb2lwLm5ldDo5
>> > MTgwL2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAHGElN0OcepokvNIN8f4mvTj
>> > kL9wcuZwbbX9gZGdKSZf5Redp4tsJW8EJCy8yu9F5U+Ym3RcvJBiby9gHCVVbW+y
>> > 5IgziiJ3kd4UlVJCDVKtbdq62bODcatFsMH8wJSMW6Cw096RyfGgu2qSyXzdZ2xV
>> > nMovO3+Eaz2n0x4ZvaEj9Ixym/KI+QPCAL7gPkK36X4JYgM3CXUCYCN/QJY/psFt
>> > e+121ubSZX5u3Yntux4KziJ3cx9wZ74iKff1BOVxOCi0JyLn2k15bvBXGvxxgmhK
>> > b8YUVbDJDb9oWSbixl/TQI9PZysXYIvBNJM8h+HRKIJksKGQhKOERzrYoqABt30=
>> >   Subject: CN=Certificate Authority,O=TELOIP.NET
>> >   Issuer: CN=Certificate Authority,O=TELOIP.NET
>> >   Not Before: Wed Dec 14 22:29:56 2011 UTC
>> >   Not After: Sat Dec 14 22:29:56 2019 UTC
>> >   Fingerprint (MD5): c9:27:1d:84:4c:2c:97:38:a4:7b:9a:c0:78:3e:7f:7a
>> >   Fingerprint (SHA1): ce:d7:11:84:70:dd:cb:4e:e2:08:f5:c0:ac:ff:b3:c5:bb:81:77:7e
>> >   Serial number (hex): 0x1
>> >   Serial number: 1
>> > [root at caer ~]#
>> >
>> > *ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".*
>> >
>> >
>> >
>> > On Wed, Jul 20, 2016 at 2:22 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>> >
>> > Linov Suresh wrote:
>> >
>> > Thanks for your help Rob, I will create a separate thread for IPA replication issue. But we are still getting
>> >
>> > *ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".*
>> >
>> > Could you please help us to fix this?
>> >
>> >
>> > I think your CA isn't quite fixed yet. I'd restart pki-cad then do something like: ipa cert-show 1
>> >
>> > You should get back a cert (doesn't really matter what cert).
>> >
>> > Otherwise I'd check the CA debug log somewhere in /var/log/pki
>> >
>> > rob
>> >
>> >
>> >
>> > On Wed, Jul 20, 2016 at 10:08 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>> >
>> > Glad you got the certificates successfully renewed.
>> >
>> > Can you open a new e-mail thread on this new problem so we can keep the issues separated?
>> >
>> > IPA gets little information back when dogtag fails to install. You need to look in /var/log/<something>/debug for more information. The exact location depends on the version of IPA.
>> >
>> > rob
>> >
>> > Linov Suresh wrote:
>> >
>> > Great! That worked, and I successfully renewed the certificates on the IPA server. I was trying to create an IPA replica server and got an error,
>> >
>> > [root at neit-lab ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders --skip-conncheck /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg
>> > Directory Manager (existing master) password:
>> > Configuring NTP daemon (ntpd)
>> >   [1/4]: stopping ntpd
>> >   [2/4]: writing configuration
>> >   [3/4]: configuring ntpd to start on boot
>> >   [4/4]: starting ntpd
>> > Done configuring NTP daemon (ntpd).
>> > Configuring directory server for the CA (pkids): Estimated time 30 seconds
>> >   [1/3]: creating directory server user
>> >   [2/3]: creating directory server instance
>> >   [3/3]: restarting directory server
>> > Done configuring directory server for the CA (pkids).
>> > Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>> >   [1/17]: creating certificate server user
>> >   [2/17]: creating pki-ca instance
>> >   [3/17]: configuring certificate server instance
>> > ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname neit-lab.teloip.net -cs_port 9445 -client_certdb_dir /tmp/tmp-QAXI9A -client_certdb_pwd XXXXXXXX -preop_pin UpMxkDYjV90WLL041tDU -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET -ldap_host neit-lab.teloip.net -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TELOIP.NET -ca_server_cert_subject_name CN=neit-lab.teloip.net,O=TELOIP.NET -ca_audit_signing_cert_subject_name CN=CA Audit,O=TELOIP.NET -ca_sign_cert_subject_name CN=Certificate Authority,O=TELOIP.NET -external false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX -sd_hostname caer.teloip.net -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri https://caer.teloip.net:443' returned non-zero exit status 255
>> > Your system may be partly configured.
>> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
>> > Configuration of CA failed
>> > [root at neit-lab ~]#
>> >
>> > I did a clean up using /usr/sbin/ipa-server-install --uninstall but it wasn't helpful. Wondering if you can help us on this,
>> >
>> >
>> >
>> > On Tue, Jul 19, 2016 at 10:50 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>> >
>> > Linov Suresh wrote:
>> >
>> > I have followed Redhat official documentation, https://access.redhat.com/solutions/643753 for certificate renewal, which says *add: usercertificate. (step 12)*
>> >
>> > While on the other hand FreeIPA official documentation http://www.freeipa.org/page/IPA_2x_Certificate_Renewal says to *add: usercertificate;binary*
>> >
>> > Just wondering if we need to *add* the certificate? or *replace* the existing certificate and which format do we need to use? *pem* or *der*.
>> >
>> > We already successfully renewed the certificates about months back, but they were expired about 6 months back and we were not able to renew till now, and it is affecting our production environment.
>> >
>> > Please help us.
>> >
>> >
>> > You shouldn't have to mess with these values at all. In 3.0 this is handled somewhat automatically.
>> >
>> > I'd restart the CA, then certmonger and see if the communication error goes away for the CA subservice certificates (the internal error).
>> >
>> > # service pki-cad restart
>> > <pause a bit>
>> > # service certmonger restart
>> >
>> > I find it very strange that the certificates were set to expire yesterday but it isn't a show-stopper necessarily assuming you can get the CA back up.
>> >
>> > Assuming you can, then go back in time again, this time just a few days and try renewing the LDAP and Apache server certs again.
>> >
>> > rob
>> >
>> >
>> > On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh <linov.suresh at gmail.com> wrote:
>> >
>> > We have cloned and created another virtual server from the template. Surprisingly this server's certificates were also expired at the same time as the previous, just lasted for a day. This issue has something to do with the kerberos tickets?
>> >
>> > I am new to IPA and your help is highly appreciated.
>> >
>> > On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh <linov.suresh at gmail.com> wrote:
>> >
>> > *Update: my webserver and LDAP certificates were expired at 2016-07-18 15:54:36 UTC and the certificates are in CA_UNREACHABLE state.*
>> >
>> > *Could you please help us?*
>> >
>> > [root at caer tmp]# getcert list
>> > Number of certificates and requests being tracked: 8.
>> > Request ID '20111214223243':
>> >         status: CA_UNREACHABLE
>> >         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>> >         stuck: yes
>> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
>> >         CA: IPA
>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>> >         subject: CN=caer.teloip.net,O=TELOIP.NET
>> >         *expires: 2016-07-18 15:54:36 UTC*
>> >         eku: id-kp-serverAuth
>> >         pre-save command:
>> >         post-save command:
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20111214223300':
>> >         status: CA_UNREACHABLE
>> >         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>> >         stuck: yes
>> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>> >         CA: IPA
>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>> >         subject: CN=caer.teloip.net,O=TELOIP.NET
>> >         *expires: 2016-07-18 15:54:52 UTC*
>> >         eku: id-kp-serverAuth
>> >         pre-save command:
>> >         post-save command:
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20111214223316':
>> >         status: CA_UNREACHABLE
>> >         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>> >         stuck: yes
>> >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> >         CA: IPA
>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>> >         subject: CN=caer.teloip.net,O=TELOIP.NET
>> >         *expires: 2016-07-18 15:55:04 UTC*
>> >         eku: id-kp-serverAuth
>> >         pre-save command:
>> >         post-save command:
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20130519130741':
>> >         status: MONITORING
>> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>> >         CA: dogtag-ipa-renew-agent
>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>> >         subject: CN=CA Audit,O=TELOIP.NET
>> >         expires: 2017-10-13 14:10:49 UTC
>> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20130519130742':
>> >         status: MONITORING
>> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>> >         CA: dogtag-ipa-renew-agent
>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>> >         subject: CN=OCSP Subsystem,O=TELOIP.NET
>> >         expires: 2017-10-13 14:09:49 UTC
>> >         eku: id-kp-OCSPSigning
>> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20130519130743':
>> >         status: MONITORING
>> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>> >         CA: dogtag-ipa-renew-agent
>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>> >         subject: CN=CA Subsystem,O=TELOIP.NET
>> >         expires: 2017-10-13 14:09:49 UTC
>> >         eku: id-kp-serverAuth,id-kp-clientAuth
>> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20130519130744':
>> >         status: MONITORING
>> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>> >         CA: dogtag-ipa-renew-agent
>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>> >         subject: CN=RA Subsystem,O=TELOIP.NET
>> >         expires: 2017-10-13 14:09:49 UTC
>> >         eku: id-kp-serverAuth,id-kp-clientAuth
>> >         pre-save command:
>> >         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20130519130745':
>> >         status: MONITORING
>> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>> >         CA: dogtag-ipa-renew-agent
>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>> >         subject: CN=caer.teloip.net,O=TELOIP.NET
>> >         expires: 2017-10-13 14:09:49 UTC
>> >         eku: id-kp-serverAuth,id-kp-clientAuth
>> >         pre-save command:
>> >         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
>> >         track: yes
>> >         auto-renew: yes
>> >
>> > On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh <linov.suresh at gmail.com> wrote:
>> >
>> > Yes, PKI is running and I don't see any errors in selftests,
>> > I have followed https://access.redhat.com/solutions/643753 and restarted the PKI in step 10.
>> >
>> > The only change which I made was clean up userCertificate;binary before adding new userCertificate in LDAP, which is step 12.
>> >
>> >
>> > [root at caer ~]#
>> /etc/init.d/pki-cad status
>> > pki-ca (pid 8634) is running...
>> > [
>> > OK ]
>> > Unsecure Port =
>> > http://caer.teloip.net:9180/ca/ee/ca
>> > Secure Agent Port =
>> > https://caer.teloip.net:9443/ca/agent/ca
>> > Secure EE Port =
>> > https://caer.teloip.net:9444/ca/ee/ca
>> > Secure Admin Port =
>> > https://caer.teloip.net:9445/ca/services
>> > EE Client Auth Port =
>> > https://caer.teloip.net:9446/ca/eeca/ca
>> > PKI Console Port =
>> pkiconsole
>> > https://caer.teloip.net:9445/ca
>> > Tomcat Port = 9701
>> (for
>> > shutdown)
>> >
>> > PKI Instance Name: pki-ca
>> >
>> > PKI Subsystem Type: Root CA
>> > (Security Domain)
>> >
>> > Registered PKI Security
>> Domain
>> > Information:
>> >
>> >
>> >
>> >
>> >
>> ==========================================================================
>> > Name: IPA
>> > URL:
>> https://caer.teloip.net:9445
>> >
>> >
>> >
>> >
>> >
>> ==========================================================================
>> > [root at caer ~]#
>> > [root at caer ~]# tail -f
>> > /var/log/pki-ca/selftests.log
>> > 8634.main -
>> [18/Jul/2016:11:46:20 EDT]
>> > [20] [1]
>> > SelfTestSubsystem: loading all
>> self test
>> > plugin logger
>> > parameters
>> > 8634.main -
>> [18/Jul/2016:11:46:20 EDT]
>> > [20] [1]
>> > SelfTestSubsystem: loading all
>> self test
>> > plugin
>> > instances
>> > 8634.main -
>> [18/Jul/2016:11:46:20 EDT]
>> > [20] [1]
>> > SelfTestSubsystem: loading all
>> self test
>> > plugin
>> > instance
>> > parameters
>> > 8634.main -
>> [18/Jul/2016:11:46:20 EDT]
>> > [20] [1]
>> > SelfTestSubsystem: loading self
>> test
>> > plugins in
>> > on-demand order
>> > 8634.main -
>> [18/Jul/2016:11:46:20 EDT]
>> > [20] [1]
>> > SelfTestSubsystem: loading self
>> test
>> > plugins in
>> > startup order
>> > 8634.main -
>> [18/Jul/2016:11:46:20 EDT]
>> > [20] [1]
>> > SelfTestSubsystem: Self test
>> plugins have
>> > been
>> > successfully
>> > loaded!
>> > 8634.main -
>> [18/Jul/2016:11:46:21 EDT]
>> > [20] [1]
>> > SelfTestSubsystem: Running self
>> test plugins
>> > specified to be
>> > executed at startup:
>> > 8634.main -
>> [18/Jul/2016:11:46:21 EDT]
>> > [20] [1]
>> > CAPresence:
>> > CA is present
>> > 8634.main -
>> [18/Jul/2016:11:46:21 EDT]
>> > [20] [1]
>> > SystemCertsVerification: system
>> certs
>> > verification
>> > success
>> > 8634.main -
>> [18/Jul/2016:11:46:21 EDT]
>> > [20] [1]
>> > SelfTestSubsystem: All CRITICAL
>> self test
>> > plugins ran
>> > SUCCESSFULLY at startup!
>> >
>> > Your help is highly appreciated!
>> >
>> > Linov Suresh
>> >
>> > 70 Forest Manor Rd.
>> > Toronto
>> > ON M2J 0A9
>> > Mobile: +1 647 406 9438
>> > <tel:%2B1%20647%20406%209438>
>> > <tel:%2B1%20647%20406%209438>
>> > <tel:%2B1%20647%20406%209438>
>> > <tel:%2B1%20647%20406%209438>
>> > Linkedin:
>> ca.linkedin.com/in/linov/
>> > <http://ca.linkedin.com/in/linov/>
>> > <http://ca.linkedin.com/in/linov/>
>> > <http://ca.linkedin.com/in/linov/>
>> > <
>> http://ca.linkedin.com/in/linov/>
>> > Website:
>> > http://mylinuxthoughts.blogspot.com
>> >
>> >
>> > On Mon, Jul 18, 2016 at 10:50
>> AM, Petr
>> > Vobornik
>> > <pvoborni at redhat.com
>> > <mailto:pvoborni at redhat.com>
>> > <mailto:pvoborni at redhat.com <mailto:
>> pvoborni at redhat.com>>
>> > <mailto:pvoborni at redhat.com <mailto:pvoborni at redhat.com>
>> > <mailto:pvoborni at redhat.com <mailto:
>> pvoborni at redhat.com>>>
>> > <mailto:pvoborni at redhat.com <mailto:
>> pvoborni at redhat.com>
>> > <mailto:pvoborni at redhat.com <mailto:
>> pvoborni at redhat.com>>
>> > <mailto:pvoborni at redhat.com <mailto:pvoborni at redhat.com>
>> > <mailto:pvoborni at redhat.com <mailto:
>> pvoborni at redhat.com>>>>> wrote:
>> >
>> > On 07/18/2016 05:45 AM,
>> Linov Suresh
>> > wrote:
>> > > Thanks for the update Rob.
>> I went
>> > back to Jan
>> > 20, 2016, restarted CA and
>> > > certmonger. Look like
>> certificates were
>> > renewed. But I'm getting a different
>> > > error now,
>> > >
>> > > *ca-error: Internal
>> error: no
>> > response to
>> > >
>> >
>> >
>> >
>> > "
>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true
>> ".*
>> >
>> > Is PKI running? When you
>> change the
>> > time, does
>> > restart
>> > of IPA help?
>> >
>> > >
>> > > [root at caer ~]# getcert
>> list
>> > > Number of certificates and
>> requests
>> > being
>> > tracked: 8.
>> > > Request ID
>> '20111214223243':
>> > > status: MONITORING
>> > > stuck: no
>> > > key pair storage:
>> > >
>> >
>> >
>> >
>> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
>> > > Certificate
>> >
>> DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>> > > certificate:
>> > >
>> >
>> >
>> >
>> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
>> > > Certificate DB'
>> > > CA: IPA
>> > > issuer:
>> CN=Certificate
>> > Authority,O=TELOIP.NET
>> > <http://TELOIP.NET>
>> > <http://TELOIP.NET> <http://TELOIP.NET>
>> > <http://TELOIP.NET>
>> > <http://TELOIP.NET>
>> > > subject:
>> > CN=caer.teloip.net <http://caer.teloip.net>
>> > <http://caer.teloip.net>
>> >
>> >
>>
>>
>> --
>> Petr Vobornik
>>
>
>
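As an added example (not code from the thread or from FreeIPA), here is a small Python triage script that parses `getcert list` output like the one quoted above and flags tracked certificates that are already expired, expire within a warning window, or carry a certmonger `ca-error` / non-MONITORING status. The sample output is constructed; the second request ID and its expiry date are invented for illustration.

```python
"""Triage 'getcert list' output, flagging certificates that are expired,
expiring soon, or whose certmonger renewal is failing (ca-error / stuck).
Added example, not code from the thread; the sample below is constructed."""
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the getcert list output quoted in the thread.
SAMPLE = """Number of certificates and requests being tracked: 2.
Request ID '20111214223243':
\tstatus: MONITORING
\tstuck: no
\tsubject: CN=caer.teloip.net,O=TELOIP.NET
\texpires: 2017-10-13 14:09:49 UTC
Request ID '20111214223300':
\tstatus: CA_UNREACHABLE
\tca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
\tstuck: yes
\tsubject: CN=caer.teloip.net,O=TELOIP.NET
\texpires: 2016-07-20 12:00:00 UTC
"""

def parse_ts(s):
    """getcert prints timestamps as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S %Z")

def parse_getcert(text):
    """Split output into one dict per 'Request ID' block (first ':' splits key/value)."""
    entries, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1)}
            entries.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.strip().partition(":")
            cur[key.strip()] = val.strip()
    return entries

def triage(text, now_str, warn_days=30):
    """Return (request_id, reason) tuples for every entry needing attention."""
    now, problems = parse_ts(now_str), []
    for e in parse_getcert(text):
        if e.get("ca-error"):                      # last renewal attempt failed
            problems.append((e["id"], "renewal failing: " + e["ca-error"]))
        elif e.get("stuck") == "yes" or e.get("status") != "MONITORING":
            problems.append((e["id"], "status " + e.get("status", "?")))
        exp = parse_ts(e["expires"])
        if exp <= now:                             # already expired
            problems.append((e["id"], "EXPIRED " + e["expires"]))
        elif exp - now <= timedelta(days=warn_days):
            problems.append((e["id"], "expires within %d days" % warn_days))
    return problems
```

Run it against real output with `triage(subprocess.check_output(["getcert", "list"], text=True), "<current UTC time>")`; a `ca-error` entry is the signal to check that the CA is up and reachable on the port in the URL before touching clocks or LDAP entries.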