[Freeipa-users] regenerate certificate
mohammad sereshki
mohammadsereshki at yahoo.com
Thu Jul 21 18:42:12 UTC 2016
hi
would you please explain more?
From: Rob Crittenden <rcritten at redhat.com>
To: mohammad sereshki <mohammadsereshki at yahoo.com>; Florence Blanc-Renaud <flo at redhat.com>; Freeipa-users <freeipa-users at redhat.com>
Sent: Thursday, July 21, 2016 11:09 PM
Subject: Re: [Freeipa-users] regenerate certificate
mohammad sereshki wrote:
> hi
> it is the result of the command; it seems the issue is something else
>
> ipa cert-show 1
> ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
Which means that the CA still isn't up. You're going to need to look at
the dogtag logs in /var/log/pki*. debug is probably the place to start.
rob
>
> ------------------------------------------------------------------------
> *From:* Rob Crittenden <rcritten at redhat.com>
> *To:* mohammad sereshki <mohammadsereshki at yahoo.com>; Florence
> Blanc-Renaud <flo at redhat.com>; Freeipa-users <freeipa-users at redhat.com>
> *Sent:* Thursday, July 21, 2016 8:08 PM
> *Subject:* Re: [Freeipa-users] regenerate certificate
>
> mohammad sereshki wrote:
> > dear
> > thanks, but would you please check below and let me know what is your idea? I checked your command but it did not work.
>
> The Not Found suggests that the CA is not up. I'd try restarting the
> pki-cad process to see if that helps.
>
> A simple test that communication is working is: ipa cert-show 1
>
> The output isn't important as long as it isn't an error.
>
> rob
>
> >
> > Number of certificates and requests being tracked: 8.
> > Request ID '20140817123525':
> > status: MONITORING
> > ca-error: Unable to determine principal name for signing request.
> > stuck: no
> > key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > subject: CN=IPA RA,O=EXAMPLE.COM
> > expires: 2018-06-30 07:56:06 UTC
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> > post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> > track: yes
> > auto-renew: yes
> > Request ID '20140817123534':
> > status: CA_UNREACHABLE
> > ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
> > stuck: yes
> > key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE.-COM/pwdfile.txt'
> > certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
> > expires: 2016-08-17 12:35:34 UTC
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> > post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE.-COM
> > track: yes
> > auto-renew: yes
> > Request ID '20140817123602':
> > status: CA_UNREACHABLE
> > ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
> > stuck: yes
> > key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
> > certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
> > expires: 2016-08-17 12:36:02 UTC
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> > post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
> > track: yes
> > auto-renew: yes
> > Request ID '20140817123752':
> > status: CA_UNREACHABLE
> > ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
> > stuck: yes
> > key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
> > expires: 2016-08-17 12:37:51 UTC
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> > post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> > track: yes
> > auto-renew: yes
> > You have new mail in /var/spool/mail/root
> >
> > ------------------------------------------------------------------------
> > *From:* Florence Blanc-Renaud <flo at redhat.com>
> > *To:* mohammad sereshki <mohammadsereshki at yahoo.com>; Freeipa-users <freeipa-users at redhat.com>
> > *Sent:* Thursday, July 21, 2016 11:30 AM
> > *Subject:* Re: [Freeipa-users] regenerate certificate
> >
> > On 07/20/2016 10:04 PM, mohammad sereshki wrote:
> > > hi
> > > I checked my IPA server, which is version ipa-server-3.0.0-25; the command
> > > "ipa-get-cert list" shows my certificates will expire in the next 20 days,
> > > and I do not know how to regenerate them.
> > > But the command "getcert list" shows the expiring certificates are related just
> > > to "CA:IPA", and the certificate with " CA: dogtag-ipa-renew-agent" has enough
> > > time.
> > > Would you please help me to know how to regenerate the CA:IPA certificates?
> > >
> > > Best Regards
> > >
> >
> > Hi Mohammad,
> >
> > the certificates issued by IPA CA are normally tracked by certmonger and
> > automatically renewed when they are near their expiration date. To make
> > sure that your certificates are tracked, you can issue
> >
> > $ ipa-getcert list
> >
> > and check the "status:" field for each certificate. It should display
> > "MONITORING".
> >
> > If you want to manually renew them, you must note their request ID and
> > use the command
> > $ ipa-getcert resubmit -i $REQUEST_ID
> >
> > Hope this helps,
> > Flo.