[Freeipa-users] regenerate certificate
Rob Crittenden
rcritten at redhat.com
Thu Jul 21 18:51:13 UTC 2016
mohammad sereshki wrote:
> hi
> would you please explain more
> ?
Your CA (dogtag) is not running. The CA is written in java and deployed
as a WAR in tomcat. If something goes wrong during initialization the CA
will exit but tomcat will not.
Requests to the CA are returning 404 Not Found because the application
is not running in dogtag.
You need to look at the logs in /var/log/pki-ca to see what is going on.
I'd start with selftests.log then move onto catalina.out and debug.
rob
>
>
> ------------------------------------------------------------------------
> *From:* Rob Crittenden <rcritten at redhat.com>
> *To:* mohammad sereshki <mohammadsereshki at yahoo.com>; Florence
> Blanc-Renaud <flo at redhat.com>; Freeipa-users <freeipa-users at redhat.com>
> *Sent:* Thursday, July 21, 2016 11:09 PM
> *Subject:* Re: [Freeipa-users] regenerate certificate
>
> mohammad sereshki wrote:
> > hi
> > it is result of command, seems issue is another thing
> >
> >
> > ipa cert-show 1
> > ipa: ERROR: Certificate operation cannot be completed: Unable to
> > communicate with CMS (Not Found)
>
> Which means that the CA still isn't up. You're going to need to look at
> the dogtag logs in /var/log/pki*. debug is probably the place to start.
>
> rob
>
> >
> >
> >
> > ------------------------------------------------------------------------
> > *From:* Rob Crittenden <rcritten at redhat.com <mailto:rcritten at redhat.com>>
> > *To:* mohammad sereshki <mohammadsereshki at yahoo.com
> <mailto:mohammadsereshki at yahoo.com>>; Florence
> > Blanc-Renaud <flo at redhat.com <mailto:flo at redhat.com>>; Freeipa-users
> <freeipa-users at redhat.com <mailto:freeipa-users at redhat.com>>
> > *Sent:* Thursday, July 21, 2016 8:08 PM
> > *Subject:* Re: [Freeipa-users] regenerate certificate
> >
> > mohammad sereshki wrote:
> > > dear
> > > thanks, but would you please check below and let me know what is your
> > > idea?I checked your command but it did not work.
> >
> > The Not Found suggests that the CA is not up. I'd try restarting the
> > pki-cad process to see if that helps.
> >
> > A simple test that communication is working is: ipa cert-show 1
> >
> > The output isn't important as long as it isn't an error.
> >
> > rob
> >
> >
> > >
> > >
> > >
> > > Number of certificates and requests being tracked: 8.
> > > Request ID '20140817123525':
> > > status: MONITORING
> > > ca-error: Unable to determine principal name for signing
> > request.
> > > stuck: no
> > > key paCOM storage:
> > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > certificate:
> > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> > > Certificate DB'
> > > CA: IPA
> > > issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > > subject: CN=IPA RA,O=EXAMPLE.COM
> > > expCOMes: 2018-06-30 07:56:06 UTC
> > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > pre-save command:
> > > post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20140817123534':
> > > status: CA_UNREACHABLE
> > > ca-error: Server failed request, will retry: 4301 (RPC failed
> > > at server. Certificate operation cannot be completed: Unable to
> > > communicate with CMS (Not Found)).
> > > stuck: yes
> > > key paCOM storage:
> > >
> >
> type=NSSDB,location='/etc/dCOMsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS
> > > Certificate DB',pinfile='/etc/dCOMsrv/slapd-EXAMPLE.-COM/pwdfile.txt'
> > > certificate:
> > >
> >
> type=NSSDB,location='/etc/dCOMsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS
> > > Certificate DB'
> > > CA: IPA
> > > issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > > subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
> > > expCOMes: 2016-08-17 12:35:34 UTC
> > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > pre-save command:
> > > post-save command: /usr/lib64/ipa/certmonger/restart_dCOMsrv
> > > EXAMPLE.-COM
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20140817123602':
> > > status: CA_UNREACHABLE
> > > ca-error: Server failed request, will retry: 4301 (RPC failed
> > > at server. Certificate operation cannot be completed: Unable to
> > > communicate with CMS (Not Found)).
> > > stuck: yes
> > > key paCOM storage:
> > >
> >
> type=NSSDB,location='/etc/dCOMsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> > > Certificate DB',pinfile='/etc/dCOMsrv/slapd-PKI-IPA/pwdfile.txt'
> > > certificate:
> > >
> >
> type=NSSDB,location='/etc/dCOMsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> > > Certificate DB'
> > > CA: IPA
> > > issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > > subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
> > > expCOMes: 2016-08-17 12:36:02 UTC
> > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > pre-save command:
> > > post-save command: /usr/lib64/ipa/certmonger/restart_dCOMsrv
> > > PKI-IPA
> > > track: yes
> > > auto-renew: yes
> > > Request ID '20140817123752':
> > > status: CA_UNREACHABLE
> > > ca-error: Server failed request, will retry: 4301 (RPC failed
> > > at server. Certificate operation cannot be completed: Unable to
> > > communicate with CMS (Not Found)).
> > > stuck: yes
> > > key paCOM storage:
> > >
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > certificate:
> > >
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > > Certificate DB'
> > > CA: IPA
> > > issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > > subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
> > > expCOMes: 2016-08-17 12:37:51 UTC
> > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > pre-save command:
> > > post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> > > track: yes
> > > auto-renew: yes
> > > You have new mail in /var/spool/mail/root
> > >
> > >
> > >
> ------------------------------------------------------------------------
> > > *From:* Florence Blanc-Renaud <flo at redhat.com
> <mailto:flo at redhat.com> <mailto:flo at redhat.com <mailto:flo at redhat.com>>>
> > > *To:* mohammad sereshki <mohammadsereshki at yahoo.com
> <mailto:mohammadsereshki at yahoo.com>
> > <mailto:mohammadsereshki at yahoo.com
> <mailto:mohammadsereshki at yahoo.com>>>; Freeipa-users
> > > <freeipa-users at redhat.com <mailto:freeipa-users at redhat.com>
> <mailto:freeipa-users at redhat.com <mailto:freeipa-users at redhat.com>>>
>
> > > *Sent:* Thursday, July 21, 2016 11:30 AM
> > > *Subject:* Re: [Freeipa-users] regenerate certificate
> > >
> > > On 07/20/2016 10:04 PM, mohammad sereshki wrote:
> > > > hi
> > > > I check my IPA server which is version ipa-server-3.0.0-25 ,
> command
> > > > "ipa-get-cert list" show, my certificate will be expired in next
> > 20 days,
> > > > I do not know how to regenerate them
> > > > but command "getcert list" shows epirtion certificates are related
> > just
> > > > to "CA:IPA" and certificate " CA: dogtag-ipa-renew-agent" , has
> > enough
> > > > time .
> > > > would you please help me to know how to regenerate CA:IPA
> > certificates?
> > > >
> > > > Best Regards
> > > >
> > > >
> > > >
> > >
> > > Hi Mohammad,
> > >
> > > the certificates issued by IPA CA are normally tracked by
> certmonger and
> > > automatically renewed when they are near their expiration date. To
> make
> > > sure that your certificates are tracked, you can issue
> > >
> > > $ ipa-getcert list
> > >
> > > and check the "status:" field for each certificate. It should display
> > > "MONITORING".
> > >
> > > If you want to manually renew them, you must note their request ID and
> > > use the command
> > > $ ipa-getcert resubmit -i $REQUEST_ID
> > >
> > > Hope this helps,
> > > Flo.
> > >
> > >
> > >
> > >
> > >
> >
> >
> >
>
>
>
More information about the Freeipa-users
mailing list