[Freeipa-users] regenerate certificate
Rob Crittenden
rcritten at redhat.com
Thu Jul 21 15:38:20 UTC 2016
mohammad sereshki wrote:
> dear
> thanks, but would you please check below and let me know what is your
> idea? I checked your command but it did not work.
The Not Found suggests that the CA is not up. I'd try restarting the
pki-cad process to see if that helps.
A simple test that communication is working is: ipa cert-show 1
The output isn't important as long as it isn't an error.
rob
>
> Number of certificates and requests being tracked: 8.
> Request ID '20140817123525':
> status: MONITORING
> ca-error: Unable to determine principal name for signing request.
> stuck: no
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=IPA RA,O=EXAMPLE.COM
> expires: 2018-06-30 07:56:06 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> track: yes
> auto-renew: yes
> Request ID '20140817123534':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
> stuck: yes
> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
> expires: 2016-08-17 12:35:34 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
> track: yes
> auto-renew: yes
> Request ID '20140817123602':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
> stuck: yes
> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
> expires: 2016-08-17 12:36:02 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
> track: yes
> auto-renew: yes
> Request ID '20140817123752':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
> stuck: yes
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
> expires: 2016-08-17 12:37:51 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
> You have new mail in /var/spool/mail/root
>
> ------------------------------------------------------------------------
> *From:* Florence Blanc-Renaud <flo at redhat.com>
> *To:* mohammad sereshki <mohammadsereshki at yahoo.com>; Freeipa-users
> <freeipa-users at redhat.com>
> *Sent:* Thursday, July 21, 2016 11:30 AM
> *Subject:* Re: [Freeipa-users] regenerate certificate
>
> On 07/20/2016 10:04 PM, mohammad sereshki wrote:
> > hi
> > I checked my IPA server, which is version ipa-server-3.0.0-25. The command
> > "ipa-getcert list" shows my certificates will expire in the next 20 days,
> > and I do not know how to regenerate them,
> > but the command "getcert list" shows the expiring certificates are related just
> > to "CA: IPA", and the certificate with "CA: dogtag-ipa-renew-agent" has enough
> > time.
> > Would you please help me to know how to regenerate the CA: IPA certificates?
> >
>
> Hi Mohammad,
>
> The certificates issued by the IPA CA are normally tracked by certmonger and
> automatically renewed when they are near their expiration date. To make
> sure that your certificates are tracked, you can issue
>
> $ ipa-getcert list
>
> and check the "status:" field for each certificate. It should display
> "MONITORING".
>
> If you want to manually renew them, you must note their request ID and
> use the command
> $ ipa-getcert resubmit -i $REQUEST_ID
>
> Hope this helps,
> Flo.
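As an added example (not from the thread or from FreeIPA itself), a small Python audit of `ipa-getcert list` output that applies the reasoning in the replies above: a request stuck behind an unreachable CA needs the CA fixed (and `ipa cert-show 1` answering) before any `ipa-getcert resubmit` can succeed, while a MONITORING request only warrants action near expiry. The sample listing is constructed to mirror the one quoted above; `parse_getcert_list`, `audit` and `THREAD_DATE` are names chosen here.

```python
"""Audit `ipa-getcert list` output: flag stuck and soon-expiring tracked certs."""
import re
from datetime import datetime, timezone
# Constructed sample shaped like the listing quoted in the thread: one healthy
# request and one stuck behind a CA that answers "Not Found".
SAMPLE = """\
Request ID '20140817123525':
\tstatus: MONITORING
\tstuck: no
\texpires: 2018-06-30 07:56:06 UTC
Request ID '20140817123752':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
\tstuck: yes
\texpires: 2016-08-17 12:37:51 UTC
"""
THREAD_DATE = datetime(2016, 7, 21, 15, 38, 20, tzinfo=timezone.utc)  # "now" for the sample

def parse_getcert_list(text):
    """Return {request_id: {field: value}} from certmonger's list output."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")  # split on the first colon only
            current[key] = value.strip()
    return requests

def audit(text, now, warn_days=30):
    """Map request id -> (state, days_left, next step), following the thread's advice."""
    findings = {}
    for rid, f in parse_getcert_list(text).items():
        exp = datetime.strptime(f["expires"].replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
        days_left = (exp.replace(tzinfo=timezone.utc) - now).days
        status = f.get("status")
        if status == "CA_UNREACHABLE" or f.get("stuck") == "yes":
            # certmonger cannot renew anything until the CA answers again
            state, step = "ca_unreachable", f"restore the CA, check 'ipa cert-show 1', then 'ipa-getcert resubmit -i {rid}'"
        elif days_left <= warn_days:
            # near or past expiry: MONITORING should renew on its own, otherwise resubmit
            state, step = "renew_now", f"ipa-getcert resubmit -i {rid}"
        else:
            state, step = ("ok" if status == "MONITORING" else "check"), "none"
        findings[rid] = (state, days_left, step)
    return findings

if __name__ == "__main__":
    for rid, (state, days, step) in audit(SAMPLE, THREAD_DATE).items():
        print(f"{rid}: {state} ({days} days left) -> {step}")
```

Feed it the real listing with `audit(open("list.txt").read(), datetime.now(timezone.utc))` after saving `ipa-getcert list` to a file.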