[Freeipa-users] regenerate certificate

mohammad sereshki mohammadsereshki at yahoo.com
Thu Jul 21 18:42:12 UTC 2016


hi, would you please explain more?


      From: Rob Crittenden <rcritten at redhat.com>
 To: mohammad sereshki <mohammadsereshki at yahoo.com>; Florence Blanc-Renaud <flo at redhat.com>; Freeipa-users <freeipa-users at redhat.com> 
 Sent: Thursday, July 21, 2016 11:09 PM
 Subject: Re: [Freeipa-users] regenerate certificate
   
mohammad sereshki wrote:
> hi
> it is result of command, seems issue is another thing
>
>
>  ipa cert-show 1
> ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (Not Found)

Which means that the CA still isn't up. You're going to need to look at 
the dogtag logs in /var/log/pki*. debug is probably the place to start.

rob

>
>
>
> ------------------------------------------------------------------------
> *From:* Rob Crittenden <rcritten at redhat.com>
> *To:* mohammad sereshki <mohammadsereshki at yahoo.com>; Florence
> Blanc-Renaud <flo at redhat.com>; Freeipa-users <freeipa-users at redhat.com>
> *Sent:* Thursday, July 21, 2016 8:08 PM
> *Subject:* Re: [Freeipa-users] regenerate certificate
>
> mohammad sereshki wrote:
>  > dear
>  > thanks, but would you please check below and let me know what is your
>  > idea?I checked your command but it did not work.
>
> The Not Found suggests that the CA is not up. I'd try restarting the
> pki-cad process to see if that helps.
>
> A simple test that communication is working is: ipa cert-show 1
>
> The output isn't important as long as it isn't an error.
>
> rob
>
>
>  >
>  >
>  >
>  > Number of certificates and requests being tracked: 8.
>  > Request ID '20140817123525':
>  >          status: MONITORING
>  >          ca-error: Unable to determine principal name for signing
> request.
>  >          stuck: no
>  >          key pair storage:
>  > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>  > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>  >          certificate:
>  > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>  > Certificate DB'
>  >          CA: IPA
>  >          issuer: CN=Certificate Authority,O=EXAMPLE.COM
>  >          subject: CN=IPA RA,O=EXAMPLE.COM
>  >          expires: 2018-06-30 07:56:06 UTC
>  >          eku: id-kp-serverAuth,id-kp-clientAuth
>  >          pre-save command:
>  >          post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>  >          track: yes
>  >          auto-renew: yes
>  > Request ID '20140817123534':
>  >          status: CA_UNREACHABLE
>  >          ca-error: Server failed request, will retry: 4301 (RPC failed
>  > at server.  Certificate operation cannot be completed: Unable to
>  > communicate with CMS (Not Found)).
>  >          stuck: yes
>  >          key pair storage:
>  >
> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
>  > Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
>  >          certificate:
>  >
> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
>  > Certificate DB'
>  >          CA: IPA
>  >          issuer: CN=Certificate Authority,O=EXAMPLE.COM
>  >          subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
>  >          expires: 2016-08-17 12:35:34 UTC
>  >          eku: id-kp-serverAuth,id-kp-clientAuth
>  >          pre-save command:
>  >          post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
>  > EXAMPLE-COM
>  >          track: yes
>  >          auto-renew: yes
>  > Request ID '20140817123602':
>  >          status: CA_UNREACHABLE
>  >          ca-error: Server failed request, will retry: 4301 (RPC failed
>  > at server.  Certificate operation cannot be completed: Unable to
>  > communicate with CMS (Not Found)).
>  >          stuck: yes
>  >          key pair storage:
>  >
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>  > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>  >          certificate:
>  >
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>  > Certificate DB'
>  >          CA: IPA
>  >          issuer: CN=Certificate Authority,O=EXAMPLE.COM
>  >          subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
>  >          expires: 2016-08-17 12:36:02 UTC
>  >          eku: id-kp-serverAuth,id-kp-clientAuth
>  >          pre-save command:
>  >          post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
>  > PKI-IPA
>  >          track: yes
>  >          auto-renew: yes
>  > Request ID '20140817123752':
>  >          status: CA_UNREACHABLE
>  >          ca-error: Server failed request, will retry: 4301 (RPC failed
>  > at server.  Certificate operation cannot be completed: Unable to
>  > communicate with CMS (Not Found)).
>  >          stuck: yes
>  >          key pair storage:
>  > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>  > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>  >          certificate:
>  > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>  > Certificate DB'
>  >          CA: IPA
>  >          issuer: CN=Certificate Authority,O=EXAMPLE.COM
>  >          subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
>  >          expires: 2016-08-17 12:37:51 UTC
>  >          eku: id-kp-serverAuth,id-kp-clientAuth
>  >          pre-save command:
>  >          post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>  >          track: yes
>  >          auto-renew: yes
>  > You have new mail in /var/spool/mail/root
>  >
>  >
>  > ------------------------------------------------------------------------
>  > *From:* Florence Blanc-Renaud <flo at redhat.com <mailto:flo at redhat.com>>
>  > *To:* mohammad sereshki <mohammadsereshki at yahoo.com
> <mailto:mohammadsereshki at yahoo.com>>; Freeipa-users
>  > <freeipa-users at redhat.com <mailto:freeipa-users at redhat.com>>
>  > *Sent:* Thursday, July 21, 2016 11:30 AM
>  > *Subject:* Re: [Freeipa-users] regenerate certificate
>  >
>  > On 07/20/2016 10:04 PM, mohammad sereshki wrote:
>  >  > hi
>  >  > I check my IPA server which is version ipa-server-3.0.0-25 , command
>  >  > "ipa-get-cert list" show, my certificate will be expired in next
> 20 days,
>  >  > I do not know how to regenerate them
>  >  > but command "getcert list" shows expiration certificates are related
> just
>  >  > to "CA:IPA" and certificate " CA: dogtag-ipa-renew-agent" ,  has
> enough
>  >  > time .
>  >  > would you please help me to know how to regenerate CA:IPA
> certificates?
>  >  >
>  >  > Best Regards
>  >  >
>  >  >
>  >  >
>  >
>  > Hi Mohammad,
>  >
>  > the certificates issued by IPA CA are normally tracked by certmonger and
>  > automatically renewed when they are near their expiration date. To make
>  > sure that your certificates are tracked, you can issue
>  >
>  > $ ipa-getcert list
>  >
>  > and check the "status:" field for each certificate. It should display
>  > "MONITORING".
>  >
>  > If you want to manually renew them, you must note their request ID and
>  > use the command
>  > $ ipa-getcert resubmit -i $REQUEST_ID
>  >
>  > Hope this helps,
>  > Flo.
>  >
>  >
>  >
>  >
>  >
>
>
>



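As an added example, not part of the thread and not FreeIPA or certmonger code: a small POSIX shell/awk triage of `getcert list` output that applies the advice given above. It reads the request blocks, computes days until each `expires:` date, and classifies every request as `fix-ca` (status other than MONITORING or `stuck: yes`, so resubmitting is pointless until the CA answers `ipa cert-show 1`), `ca-error` (tracked, but the last renewal attempt failed), `resubmit` (expiring within `WARN_DAYS`, default 30, an assumed threshold) or `ok`. The sample input is constructed from the listing in the thread plus one invented MONITORING entry (request ID `20160701000000`) so that the resubmit path is exercised; the reference date 2016-07-21 is the date of the thread.

```shell
#!/bin/sh
# Added example: triage `getcert list` output offline. Not FreeIPA project code.

# triage_getcert YYYY-MM-DD < getcert-list-output
# Prints one line per request: "<request id> <status> <days left> <action>".
triage_getcert() {
  awk -v today="$1" -v warn="${WARN_DAYS:-30}" '
    # Days since 1970-01-01 for a civil date (Howard Hinnant days_from_civil),
    # so the check needs neither gawk mktime nor GNU date.
    function dfc(y, m, d,    era, yoe, doy, doe) {
      if (m <= 2) y--
      era = int(y / 400)
      yoe = y - era * 400
      doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
      doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
      return era * 146097 + doe - 719468
    }
    function ymd(s,    a) { split(s, a, "-"); return dfc(a[1] + 0, a[2] + 0, a[3] + 0) }
    function flush(    left, action) {
      if (id == "") return
      left = ymd(expires) - ymd(today)
      # A stuck or CA_UNREACHABLE request cannot be renewed until the CA is up;
      # a MONITORING request with a ca-error needs the message read first;
      # otherwise resubmit anything inside the warning window (negative = expired).
      if (status != "MONITORING" || stuck == "yes") action = "fix-ca"
      else if (caerr != "")                          action = "ca-error"
      else if (left <= warn)                         action = "resubmit"
      else                                           action = "ok"
      print id, status, left, action
    }
    /^Request ID / { flush(); id = $3; gsub(/[^0-9]/, "", id)
                     status = ""; stuck = ""; expires = ""; caerr = "" }
    $1 == "status:"   { status = $2 }
    $1 == "stuck:"    { stuck = $2 }
    $1 == "expires:"  { expires = $2 }
    $1 == "ca-error:" { caerr = substr($0, index($0, ":") + 1); gsub(/^[ \t]+/, "", caerr) }
    END { flush() }
  '
}

# resubmit_commands YYYY-MM-DD < getcert-list-output
# Emits the manual renewal command from Flo's reply for every "resubmit" row.
resubmit_commands() {
  triage_getcert "$1" | awk '$4 == "resubmit" { print "ipa-getcert resubmit -i " $1 }'
}

# Constructed sample: two entries condensed from the thread, one invented (20160701000000).
SAMPLE=$(cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20140817123525':
        status: MONITORING
        ca-error: Unable to determine principal name for signing request.
        stuck: no
        subject: CN=IPA RA,O=EXAMPLE.COM
        expires: 2018-06-30 07:56:06 UTC
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
Request ID '20140817123534':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: yes
        subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
        expires: 2016-08-17 12:35:34 UTC
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
Request ID '20160701000000':
        status: MONITORING
        stuck: no
        subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
        expires: 2016-07-30 00:00:00 UTC
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
EOF
)

# On a live server replace the sample with: getcert list | triage_getcert "$(date -u +%F)"
printf '%s\n' "$SAMPLE" | triage_getcert 2016-07-21
printf '%s\n' "$SAMPLE" | resubmit_commands 2016-07-21
```

The `fix-ca` rows are the point of Rob's replies: certmonger will keep retrying on its own once the CA responds again, so the useful next step for those is the dogtag debug log under /var/log/pki*, not another resubmit.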