[Freeipa-users] Freeipa-users Digest, Vol 96, Issue 125

mohammad sereshki mohammadsereshki at yahoo.com
Thu Jul 21 20:03:26 UTC 2016 

hiI did some changes not I get below werror when I open HTTP service in web interface

Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0x276 not found)

      From: "freeipa-users-request at redhat.com" <freeipa-users-request at redhat.com>
 To: freeipa-users at redhat.com 
 Sent: Thursday, July 21, 2016 11:38 PM
 Subject: Freeipa-users Digest, Vol 96, Issue 125
   
Send Freeipa-users mailing list submissions to
    freeipa-users at redhat.com

To subscribe or unsubscribe via the World Wide Web, visit
    https://www.redhat.com/mailman/listinfo/freeipa-users
or, via email, send a message with subject or body 'help' to
    freeipa-users-request at redhat.com

You can reach the person managing the list at
    freeipa-users-owner at redhat.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeipa-users digest..."


Today's Topics:

  1. Re: regenerate certificate (mohammad sereshki)


----------------------------------------------------------------------

Message: 1
Date: Thu, 21 Jul 2016 19:08:16 +0000 (UTC)
From: mohammad sereshki <mohammadsereshki at yahoo.com>
To: Rob Crittenden <rcritten at redhat.com>,    Florence Blanc-Renaud
    <flo at redhat.com>,    Freeipa-users <freeipa-users at redhat.com>
Subject: Re: [Freeipa-users] regenerate certificate
Message-ID:
    <1119368990.3296955.1469128096522.JavaMail.yahoo at mail.yahoo.com>
Content-Type: text/plain; charset="utf-8"

and this is for catalina.out

SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1 at 39139da8]) and a
value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat at d1b317c9]) but failed to remove it when the web appli
cation was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
Jul 21, 2016 11:10:10 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1 at 39139da8]) and a
value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat at d1b317c9]) but failed to remove it when the web appli
cation was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9180
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9443
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9445
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9444
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9446
Exception in thread "Timer-0" java.lang.NullPointerException
??????? at com.netscape.certsrv.apps.CMS.getConfigStore(CMS.java:771)
??????? at com.netscape.cms.servlet.csadmin.LDAPSecurityDomainSessionTable.getSessionIds(LDAPSecurityDomainSessionTable.java:156)
??????? at com.netscape.cms.servlet.csadmin.SessionTimer.run(SessionTimer.java:33)
??????? at java.util.TimerThread.mainLoop(Timer.java:555)
??????? at java.util.TimerThread.run(Timer.java:505)
Jul 21, 2016 11:10:43 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
Jul 21, 2016 11:10:43 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9180
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
:



      From: mohammad sereshki <mohammadsereshki at yahoo.com>
 To: Rob Crittenden <rcritten at redhat.com>; Florence Blanc-Renaud <flo at redhat.com>; Freeipa-users <freeipa-users at redhat.com> 
 Sent: Thursday, July 21, 2016 11:36 PM
 Subject: Re: [Freeipa-users] regenerate certificate
  
and below is for selftests.log

3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] CAPresence:? CA is present
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SystemCertsVerification: system certs verification failure
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: Initializing self test plugins:
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:? loading all self test plugin logger parameters
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:? loading all self test plugin instances
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:? loading all self test plugin instance parameters
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:? loading self test plugins in on-demand order
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:? loading self test plugins in startup order
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] CAPresence:? CA is present
1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SystemCertsVerification: system certs verification failure
1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
(END)



      From: mohammad sereshki <mohammadsereshki at yahoo.com>
 To: Rob Crittenden <rcritten at redhat.com>; Florence Blanc-Renaud <flo at redhat.com>; Freeipa-users <freeipa-users at redhat.com> 
 Sent: Thursday, July 21, 2016 11:34 PM
 Subject: Re: [Freeipa-users] regenerate certificate
  
hiI find below in debug file under /var/log/pki-cawhat is your comment?

21/Jul/2016:23:13:42][TP-Processor3]: according to ccMode, authorization for servlet: caDisplayBySerial is LD
AP based, not XML {1}, use default authz mgr: {2}.
[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
[21/Jul/2016:23:20:45][CertStatusUpdateThread]: About to start updateCertStatus
[21/Jul/2016:23:20:45][CertStatusUpdateThread]: Starting updateCertStatus (entered lock)



      From: Rob Crittenden <rcritten at redhat.com>
 To: mohammad sereshki <mohammadsereshki at yahoo.com>; Florence Blanc-Renaud <flo at redhat.com>; Freeipa-users <freeipa-users at redhat.com> 
 Sent: Thursday, July 21, 2016 11:21 PM
 Subject: Re: [Freeipa-users] regenerate certificate
  
mohammad sereshki wrote:
> hi
> would you please explain more
> ?

Your CA (dogtag) is not running. The CA is written in java and deployed 
as a WAR in tomcat. If something goes wrong during initialization the CA 
will exit but tomcat will not.

Requests to the CA are returning 404 Not Found because the application 
is not running in dogtag.

You need to look at the logs in /var/log/pki-ca to see what is going on.

I'd start with selftests.log then move onto catalina.out and debug.

rob

>
>
> ------------------------------------------------------------------------
> *From:* Rob Crittenden <rcritten at redhat.com>
> *To:* mohammad sereshki <mohammadsereshki at yahoo.com>; Florence
> Blanc-Renaud <flo at redhat.com>; Freeipa-users <freeipa-users at redhat.com>
> *Sent:* Thursday, July 21, 2016 11:09 PM
> *Subject:* Re: [Freeipa-users] regenerate certificate
>
> mohammad sereshki wrote:
>? > hi
>? > it is result of command, seems issue is another thing
>? >
>? >
>? >? ipa cert-show 1
>? > ipa: ERROR: Certificate operation cannot be completed: Unable to
>? > communicate with CMS (Not Found)
>
> Which means that the CA still isn't up. You're going to need to look at
> the dogtag logs in /var/log/pki*. debug is probably the place to start.
>
> rob
>
>? >
>? >
>? >
>? > ------------------------------------------------------------------------
>? > *From:* Rob Crittenden <rcritten at redhat.com <mailto:rcritten at redhat.com>>
>? > *To:* mohammad sereshki <mohammadsereshki at yahoo.com
> <mailto:mohammadsereshki at yahoo.com>>; Florence
>? > Blanc-Renaud <flo at redhat.com <mailto:flo at redhat.com>>; Freeipa-users
> <freeipa-users at redhat.com <mailto:freeipa-users at redhat.com>>
>? > *Sent:* Thursday, July 21, 2016 8:08 PM
>? > *Subject:* Re: [Freeipa-users] regenerate certificate
>? >
>? > mohammad sereshki wrote:
>? >? > dear
>? >? > thanks, but would you please check below and let me know what is your
>? >? > idea?I checked your command but it did not work.
>? >
>? > The Not Found suggests that the CA is not up. I'd try restarting the
>? > pki-cad process to see if that helps.
>? >
>? > A simple test that communication is working is: ipa cert-show 1
>? >
>? > The output isn't important as long as it isn't an error.
>? >
>? > rob
>? >
>? >
>? >? >
>? >? >
>? >? >
>? >? > Number of certificates and requests being tracked: 8.
>? >? > Request ID '20140817123525':
>? >? >? ? ? ? ? status: MONITORING
>? >? >? ? ? ? ? ca-error: Unable to determine principal name for signing
>? > request.
>? >? >? ? ? ? ? stuck: no
>? >? >? ? ? ? ? key paCOM storage:
>? >? > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>? >? > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>? >? >? ? ? ? ? certificate:
>? >? > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>? >? > Certificate DB'
>? >? >? ? ? ? ? CA: IPA
>? >? >? ? ? ? ? issuer: CN=Certificate Authority,O=EXAMPLE.COM
>? >? >? ? ? ? ? subject: CN=IPA RA,O=EXAMPLE.COM
>? >? >? ? ? ? ? expCOMes: 2018-06-30 07:56:06 UTC
>? >? >? ? ? ? ? eku: id-kp-serverAuth,id-kp-clientAuth
>? >? >? ? ? ? ? pre-save command:
>? >? >? ? ? ? ? post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>? >? >? ? ? ? ? track: yes
>? >? >? ? ? ? ? auto-renew: yes
>? >? > Request ID '20140817123534':
>? >? >? ? ? ? ? status: CA_UNREACHABLE
>? >? >? ? ? ? ? ca-error: Server failed request, will retry: 4301 (RPC failed
>? >? > at server.? Certificate operation cannot be completed: Unable to
>? >? > communicate with CMS (Not Found)).
>? >? >? ? ? ? ? stuck: yes
>? >? >? ? ? ? ? key paCOM storage:
>? >? >
>? >
> type=NSSDB,location='/etc/dCOMsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS
>? >? > Certificate DB',pinfile='/etc/dCOMsrv/slapd-EXAMPLE.-COM/pwdfile.txt'
>? >? >? ? ? ? ? certificate:
>? >? >
>? >
> type=NSSDB,location='/etc/dCOMsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS
>? >? > Certificate DB'
>? >? >? ? ? ? ? CA: IPA
>? >? >? ? ? ? ? issuer: CN=Certificate Authority,O=EXAMPLE.COM
>? >? >? ? ? ? ? subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
>? >? >? ? ? ? ? expCOMes: 2016-08-17 12:35:34 UTC
>? >? >? ? ? ? ? eku: id-kp-serverAuth,id-kp-clientAuth
>? >? >? ? ? ? ? pre-save command:
>? >? >? ? ? ? ? post-save command: /usr/lib64/ipa/certmonger/restart_dCOMsrv
>? >? > EXAMPLE.-COM
>? >? >? ? ? ? ? track: yes
>? >? >? ? ? ? ? auto-renew: yes
>? >? > Request ID '20140817123602':
>? >? >? ? ? ? ? status: CA_UNREACHABLE
>? >? >? ? ? ? ? ca-error: Server failed request, will retry: 4301 (RPC failed
>? >? > at server.? Certificate operation cannot be completed: Unable to
>? >? > communicate with CMS (Not Found)).
>? >? >? ? ? ? ? stuck: yes
>? >? >? ? ? ? ? key paCOM storage:
>? >? >
>? >
> type=NSSDB,location='/etc/dCOMsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>? >? > Certificate DB',pinfile='/etc/dCOMsrv/slapd-PKI-IPA/pwdfile.txt'
>? >? >? ? ? ? ? certificate:
>? >? >
>? >
> type=NSSDB,location='/etc/dCOMsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>? >? > Certificate DB'
>? >? >? ? ? ? ? CA: IPA
>? >? >? ? ? ? ? issuer: CN=Certificate Authority,O=EXAMPLE.COM
>? >? >? ? ? ? ? subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
>? >? >? ? ? ? ? expCOMes: 2016-08-17 12:36:02 UTC
>? >? >? ? ? ? ? eku: id-kp-serverAuth,id-kp-clientAuth
>? >? >? ? ? ? ? pre-save command:
>? >? >? ? ? ? ? post-save command: /usr/lib64/ipa/certmonger/restart_dCOMsrv
>? >? > PKI-IPA
>? >? >? ? ? ? ? track: yes
>? >? >? ? ? ? ? auto-renew: yes
>? >? > Request ID '20140817123752':
>? >? >? ? ? ? ? status: CA_UNREACHABLE
>? >? >? ? ? ? ? ca-error: Server failed request, will retry: 4301 (RPC failed
>? >? > at server.? Certificate operation cannot be completed: Unable to
>? >? > communicate with CMS (Not Found)).
>? >? >? ? ? ? ? stuck: yes
>? >? >? ? ? ? ? key paCOM storage:
>? >? >
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>? >? > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>? >? >? ? ? ? ? certificate:
>? >? >
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>? >? > Certificate DB'
>? >? >? ? ? ? ? CA: IPA
>? >? >? ? ? ? ? issuer: CN=Certificate Authority,O=EXAMPLE.COM
>? >? >? ? ? ? ? subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
>? >? >? ? ? ? ? expCOMes: 2016-08-17 12:37:51 UTC
>? >? >? ? ? ? ? eku: id-kp-serverAuth,id-kp-clientAuth
>? >? >? ? ? ? ? pre-save command:
>? >? >? ? ? ? ? post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>? >? >? ? ? ? ? track: yes
>? >? >? ? ? ? ? auto-renew: yes
>? >? > You have new mail in /var/spool/mail/root
>? >? >
>? >? >
>? >? >
> ------------------------------------------------------------------------
>? >? > *From:* Florence Blanc-Renaud <flo at redhat.com
> <mailto:flo at redhat.com> <mailto:flo at redhat.com <mailto:flo at redhat.com>>>
>? >? > *To:* mohammad sereshki <mohammadsereshki at yahoo.com
> <mailto:mohammadsereshki at yahoo.com>
>? > <mailto:mohammadsereshki at yahoo.com
> <mailto:mohammadsereshki at yahoo.com>>>; Freeipa-users
>? >? > <freeipa-users at redhat.com <mailto:freeipa-users at redhat.com>
> <mailto:freeipa-users at redhat.com <mailto:freeipa-users at redhat.com>>>
>
>? >? > *Sent:* Thursday, July 21, 2016 11:30 AM
>? >? > *Subject:* Re: [Freeipa-users] regenerate certificate
>? >? >
>? >? > On 07/20/2016 10:04 PM, mohammad sereshki wrote:
>? >? >? > hi
>? >? >? > I check my IPA server which is version ipa-server-3.0.0-25 ,
> command
>? >? >? > "ipa-get-cert list" show, my certificate will be expired in next
>? > 20 days,
>? >? >? > I do not know how to regenerate them
>? >? >? > but command "getcert list" shows epirtion certificates are related
>? > just
>? >? >? > to "CA:IPA" and certificate " CA: dogtag-ipa-renew-agent" ,? has
>? > enough
>? >? >? > time .
>? >? >? > would you please help me to know how to regenerate CA:IPA
>? > certificates?
>? >? >? >
>? >? >? > Best Regards
>? >? >? >
>? >? >? >
>? >? >? >
>? >? >
>? >? > Hi Mohammad,
>? >? >
>? >? > the certificates issued by IPA CA are normally tracked by
> certmonger and
>? >? > automatically renewed when they are near their expiration date. To
> make
>? >? > sure that your certificates are tracked, you can issue
>? >? >
>? >? > $ ipa-getcert list
>? >? >
>? >? > and check the "status:" field for each certificate. It should display
>? >? > "MONITORING".
>? >? >
>? >? > If you want to manually renew them, you must note their request ID and
>? >? > use the command
>? >? > $ ipa-getcert resubmit -i $REQUEST_ID
>? >? >
>? >? > Hope this helps,
>? >? > Flo.
>? >? >
>? >? >
>? >? >
>? >? >
>? >? >
>? >
>? >
>? >
>
>
>



  

  

  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.redhat.com/archives/freeipa-users/attachments/20160721/ef74f106/attachment.html>

------------------------------

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

End of Freeipa-users Digest, Vol 96, Issue 125
**********************************************


  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160721/77c59670/attachment.htm>

More information about the Freeipa-users mailing list