[Freeipa-users] IPA certificates expired, please help!
Linov Suresh
linov.suresh at gmail.com
Fri Jul 22 19:36:44 UTC 2016
Thank you very much Rob.
Let me remove the duplicate certificates and try to renew the certificates
again to see if "*ca-error: Internal error: no response to
"http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true
<http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true>"*."
goes away?
On Fri, Jul 22, 2016 at 2:45 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Linov Suresh wrote:
>
>> Could you please verify, if we have set correct trust attributes on the
>> certificates
>>
>> *root at caer ~]# certutil -d /var/lib/pki-ca/alias/ -L*
>>
>> Certificate Nickname Trust
>> Attributes
>>
>> SSL,S/MIME,JAR/XPI
>>
>> subsystemCert cert-pki-ca u,u,Pu
>> ocspSigningCert cert-pki-ca u,u,u
>> caSigningCert cert-pki-ca CTu,Cu,Cu
>> subsystemCert cert-pki-ca u,u,Pu
>> Server-Cert cert-pki-ca u,u,u
>> auditSigningCert cert-pki-ca u,u,Pu
>> *
>> *
>> *[root at caer ~]# certutil -d /etc/httpd/alias/ -L*
>>
>> Certificate Nickname Trust
>> Attributes
>>
>> SSL,S/MIME,JAR/XPI
>>
>> ipaCert u,u,u
>> Server-Cert u,u,u
>> TELOIP.NET <http://TELOIP.NET> IPA CA
>> CT,C,C
>> ipaCert u,u,u
>> Signing-Cert u,u,u
>> Server-Cert u,u,u
>>
>> *[root at caer ~]# certutil -d /etc/dirsrv/slapd-TELOIP-NET/ -L*
>>
>> Certificate Nickname Trust
>> Attributes
>>
>> SSL,S/MIME,JAR/XPI
>>
>> Server-Cert u,u,u
>> TELOIP.NET <http://TELOIP.NET> IPA CA
>> CT,,C
>> Server-Cert u,u,u
>> [root at caer ~]#
>>
>> *Please note, there are duplicate certificates in CA, HTTP and LDAP
>> directory, subsystemCert cert-pki-ca, ipaCert and Server-Cert. I was
>> wondering if we need to remove these duplicate certificates? *
>>
>
> Yeah you should remove the duplicate certs, they seem to cause problems
> with dogtag at least (certmonger _should_ handle this automatically, we'll
> be looking into it soonish).
>
> To remove the duplicate cert:
>
> 1. Shutdown the service
> 2. Back up the NSS database
> 3. certutil -L -d /path/to/db -n <nickname> -a > somefile
> 4. split somefile into separate files so each file as a BEGIN/END
> certificate
> 5. openssl x509 -text -in -infile somefile1..n
> 6. Pick the one with the most recent issuance date
> 7. You backed up the NSS database, right?
> 8. certutil -D -d /path/to/db -n <nickname>
> 9. certutil -A -d /path/to/db -n <nickname> -t u,u,u -a -i somefilex
> 10. Start the service, watch logs for errors
>
> For the trust use whatever the original trust value was.
>
> You don't need the P trust flag on the subsystemCert in the CA, only the
> auditSigningCert.
>
> I doubt the duplicated Server-Cert will be a problem. NSS is supposed to
> deal with this automatically, picking the "most correct" cert to use based
> on the validity period.
>
> rob
>
>
>>
>> On Fri, Jul 22, 2016 at 9:36 AM, Linov Suresh <linov.suresh at gmail.com
>> <mailto:linov.suresh at gmail.com>> wrote:
>>
>> I'm facing another issue now, my kerberos tickets are not renewing,
>>
>> *[root at caer ~]# ipa cert-show 1*
>> ipa: ERROR: Ticket expired
>>
>> *[root at caer ~]# klist*
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: admin at TELOIP.NET <mailto:admin at TELOIP.NET>
>>
>> Valid starting Expires Service principal
>> 07/20/16 14:42:26 07/21/16 14:42:22 krbtgt/TELOIP.NET at TELOIP.NET
>> <mailto:TELOIP.NET at TELOIP.NET>
>> 07/20/16 14:42:36 07/21/16 14:42:22
>> HTTP/caer.teloip.net at TELOIP.NET <mailto:caer.teloip.net at TELOIP.NET>
>> 07/21/16 11:40:15 07/21/16 14:42:22
>> ldap/caer.teloip.net at TELOIP.NET <mailto:caer.teloip.net at TELOIP.NET>
>>
>> I need to manually renew the tickets every day,
>>
>> *[root at caer ~]# kinit admin*
>> Password for admin at TELOIP.NET <mailto:admin at TELOIP.NET>:
>> Warning: Your password will expire in 6 days on Thu Jul 28 15:20:15
>> 2016
>>
>> *[root at caer ~]# klist *
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: admin at TELOIP.NET <mailto:admin at TELOIP.NET>
>>
>> Valid starting Expires Service principal
>> 07/22/16 09:34:52 07/23/16 09:34:49 krbtgt/TELOIP.NET at TELOIP.NET
>> <mailto:TELOIP.NET at TELOIP.NET>
>>
>>
>> On Thu, Jul 21, 2016 at 12:23 PM, Rob Crittenden
>> <rcritten at redhat.com <mailto:rcritten at redhat.com>> wrote:
>>
>> Linov Suresh wrote:
>>
>> The httpd_error log doesn't contain the part where `ipa
>> cert-show 1` was
>> run. If it is from the same time.
>>
>> *I am not sure about that, please see httpd_error when `ipa
>> cert-show 1`
>> was run*
>>
>>
>> The IPA API log isn't going to show much in this case.
>>
>> Requests to the CA are proxied through IPA. The CA WAR is not
>> running on tomcat so when Apache tries to proxy the request
>> tomcat returns a 404, Not Found.
>>
>> You need to start with the dogtag debug and selftest logs to see
>> what is going on. The logs are pretty verbose and can be
>> challenging to read.
>>
>> rob
>>
>>
>> [root at caer ~]# *tail -f /var/log/httpd/error_log*
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI
>> wsgi_dispatch.__call__:
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI
>> xmlserver_session.__call__:
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session
>> cookie_id =
>> bc2c7ed0eccd840dc266efaf9ece913c
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session
>> data in
>> cache with id=bc2c7ed0eccd840dc266efaf9ece913c
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:
>> xmlserver_session.__call__:
>> session_id=bc2c7ed0eccd840dc266efaf9ece913c
>> start_timestamp=2016-07-21T11:58:54
>> access_timestamp=2016-07-21T12:01:21
>> expiration_timestamp=2016-07-21T12:18:54
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: storing
>> ccache data into
>> file "/var/run/ipa_memcached/krbcc_13554"
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:
>> get_credential_times:
>> principal=HTTP/caer.teloip.net at TELOIP.NET
>> <mailto:caer.teloip.net at TELOIP.NET>
>> <mailto:caer.teloip.net at TELOIP.NET
>> <mailto:caer.teloip.net at TELOIP.NET>>, authtime=07/21/16
>> 10:31:46,
>> starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44,
>> renew_till=12/31/69 19:00:00
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:
>> get_credential_times:
>> principal=HTTP/caer.teloip.net at TELOIP.NET
>> <mailto:caer.teloip.net at TELOIP.NET>
>> <mailto:caer.teloip.net at TELOIP.NET
>> <mailto:caer.teloip.net at TELOIP.NET>>, authtime=07/21/16
>> 10:31:46,
>>
>> starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44,
>> renew_till=12/31/69 19:00:00
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: KRB5_CCache
>> FILE:/var/run/ipa_memcached/krbcc_13554 endtime=1469197904
>> (07/22/16
>> 10:31:44)
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:
>> set_session_expiration_time: duration_type=inactivity_timeout
>> duration=1200 max_age=1469197604 expiration=1469118081.77
>> (2016-07-21T12:21:21)
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI
>> xmlserver.__call__:
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Created
>> connection
>> context.ldap2
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI
>> WSGIExecutioner.__call__:
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: raw:
>> cert_show(u'1')
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert_show(u'1')
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: IPA: virtual
>> verify
>> retrieve certificate
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:
>> ipaserver.plugins.dogtag.ra.get_certificate()
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: https_request
>> 'https://caer.teloip.net:443/ca/agent/ca/displayBySerial'
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: https_request
>> post
>> 'xml=true&serialNumber=1'
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: NSSConnection
>> init
>> caer.teloip.net <http://caer.teloip.net>
>> <http://caer.teloip.net>
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Connecting:
>> 10.20.0.75:0 <http://10.20.0.75:0>
>> <http://10.20.0.75:0>
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:
>> auth_certificate_callback: check_sig=True is_server=False
>> *.*
>> *.*
>> *.*
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: approved_usage
>> =
>> SSLServer intended_usage = SSLServer
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert valid
>> True for
>> "CN=caer.teloip.net <http://caer.teloip.net>
>> <http://caer.teloip.net>,O=TELOIP.NET <http://TELOIP.NET>
>> <http://TELOIP.NET>"
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: handshake
>> complete, peer
>> = 10.20.0.75:443 <http://10.20.0.75:443> <
>> http://10.20.0.75:443>
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:
>> auth_certificate_callback: check_sig=True is_server=False
>> *.*
>> *.*
>> *.*
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: approved_usage
>> =
>> SSLServer intended_usage = SSLServer
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert valid
>> True for
>> "CN=caer.teloip.net <http://caer.teloip.net>
>> <http://caer.teloip.net>,O=TELOIP.NET <http://TELOIP.NET>
>> <http://TELOIP.NET>"
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: handshake
>> complete, peer
>> = 10.20.0.75:443 <http://10.20.0.75:443> <
>> http://10.20.0.75:443>
>> [Thu Jul 21 12:01:21 2016] [error] ipa: ERROR:
>> ipaserver.plugins.dogtag.ra.get_certificate(): Unable to
>> communicate
>> with CMS (Not Found)
>> [Thu Jul 21 12:01:21 2016] [error] ipa: INFO:
>> admin at TELOIP.NET <mailto:admin at TELOIP.NET>
>> <mailto:admin at TELOIP.NET <mailto:admin at TELOIP.NET>>:
>> cert_show(u'1'): CertificateOperationError
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: response:
>> CertificateOperationError: Certificate operation cannot be
>> completed:
>> Unable to communicate with CMS (Not Found)
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Destroyed
>> connection
>> context.ldap2
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: reading
>> ccache data from
>> file "/var/run/ipa_memcached/krbcc_13554"
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: store session:
>> session_id=bc2c7ed0eccd840dc266efaf9ece913c
>> start_timestamp=2016-07-21T11:58:54
>> access_timestamp=2016-07-21T12:01:21
>> expiration_timestamp=2016-07-21T12:21:21
>>
>>
>> Does `ipa cert-show` communicate with the same replica? Could
>> be
>> verified by `ipa -vv cert-show`
>>
>> *It's asking for the serial number of the certificate. If I
>> give 64
>> (serial number of ipaCert ), I get ipa: ERROR: Certificate
>> operation
>> cannot be completed: Unable to communicate with CMS (Not
>> Found)*
>>
>> *[root at caer ~]# ipa -vv cert-show*
>> ipa: DEBUG: importing all plugin modules in
>> '/usr/lib/python2.6/site-packages/ipalib/plugins'...
>> *.*
>> *.*
>> *.*
>> ipa: DEBUG:
>> stdout=ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;
>> Domain=caer.teloip.net <http://caer.teloip.net>
>> <http://caer.teloip.net>; Path=/ipa; Expires=Thu,
>> 21 Jul 2016 16:25:32 GMT; Secure; HttpOnly
>> ipa: DEBUG: stderr=
>> ipa: DEBUG: found session_cookie in persistent storage for
>> principal
>> 'admin at TELOIP.NET <mailto:admin at TELOIP.NET>
>> <mailto:admin at TELOIP.NET <mailto:admin at TELOIP.NET>>', cookie:
>> 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;
>> Domain=caer.teloip.net <http://caer.teloip.net>
>> <http://caer.teloip.net>; Path=/ipa; Expires=Thu, 21 Jul
>> 2016 16:25:32
>> GMT; Secure; HttpOnly'
>> ipa: DEBUG: setting session_cookie into context
>> 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;'
>> ipa: INFO: trying https://caer.teloip.net/ipa/session/xml
>> ipa: DEBUG: Created connection context.xmlclient
>> Serial number: 64
>> ipa: DEBUG: raw: cert_show(u'64')
>> ipa: DEBUG: cert_show(u'64')
>> ipa: INFO: Forwarding 'cert_show' to server
>> u'https://caer.teloip.net/ipa/session/xml'
>> ipa: DEBUG: NSSConnection init caer.teloip.net
>> <http://caer.teloip.net> <http://caer.teloip.net>
>> ipa: DEBUG: Connecting: 10.20.0.75:0 <http://10.20.0.75:0>
>> <http://10.20.0.75:0>
>> send: u'POST /ipa/session/xml HTTP/1.0\r\nHost:
>> caer.teloip.net <http://caer.teloip.net>
>> <http://caer.teloip.net>\r\nAccept-Language:
>> en-us\r\nReferer:
>> https://caer.teloip.net/ipa/xml\r\nCookie
>> <https://caer.teloip.net/ipa/xml%5Cr%5CnCookie>:
>> ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;\r\nUser-Agent:
>> xmlrpclib.py/1.0.1 <http://xmlrpclib.py/1.0.1>
>> <http://xmlrpclib.py/1.0.1> (by www.pythonware.com
>> <http://www.pythonware.com>
>> <http://www.pythonware.com>)\r\nContent-Type:
>> text/xml\r\nContent-Length: 268\r\n\r\n'
>> ipa: DEBUG: auth_certificate_callback: check_sig=True
>> is_server=False
>> *.*
>> *.*
>> *.*
>> ipa: DEBUG: approved_usage = SSLServer intended_usage =
>> SSLServer
>> ipa: DEBUG: cert valid True for "CN=caer.teloip.net
>> <http://caer.teloip.net>
>> <http://caer.teloip.net>,O=TELOIP.NET <http://TELOIP.NET>
>> <http://TELOIP.NET>"
>> ipa: DEBUG: handshake complete, peer = 10.20.0.75:443
>> <http://10.20.0.75:443>
>> <http://10.20.0.75:443>
>> send: "<?xml version='1.0'
>>
>> encoding='UTF-8'?>\n<methodCall>\n<methodName>cert_show</methodName>\n<params>\n<param>\n<value><array><data>\n<value><string>64</string></value>\n</data></array></value>\n</param>\n<param>\n<value><struct>\n</struct></value>\n</param>\n</params>\n</methodCall>\n"
>> reply: 'HTTP/1.1 200 Success\r\n'
>> header: Date: Thu, 21 Jul 2016 16:05:40 GMT
>> header: Server: Apache/2.2.15 (CentOS)
>> header: Set-Cookie:
>> ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;
>> Domain=caer.teloip.net <http://caer.teloip.net>
>> <http://caer.teloip.net>; Path=/ipa; Expires=Thu,
>> 21 Jul 2016 16:25:40 GMT; Secure; HttpOnly
>> header: Connection: close
>> header: Content-Type: text/xml; charset=utf-8
>> ipa: DEBUG: received Set-Cookie
>> 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;
>> Domain=caer.teloip.net <http://caer.teloip.net>
>> <http://caer.teloip.net>; Path=/ipa; Expires=Thu, 21 Jul
>> 2016 16:25:40
>> GMT; Secure; HttpOnly'
>> ipa: DEBUG: storing cookie
>> 'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;
>> Domain=caer.teloip.net <http://caer.teloip.net>
>> <http://caer.teloip.net>; Path=/ipa; Expires=Thu, 21 Jul
>> 2016 16:25:40
>> GMT; Secure; HttpOnly' for principal admin at TELOIP.NET
>> <mailto:admin at TELOIP.NET>
>> <mailto:admin at TELOIP.NET <mailto:admin at TELOIP.NET>>
>> ipa: DEBUG: args=keyctl search @s user
>> ipa_session_cookie:admin at TELOIP.NET
>> <mailto:ipa_session_cookie%3Aadmin at TELOIP.NET>
>> <mailto:ipa_session_cookie%3Aadmin at TELOIP.NET
>> <mailto:ipa_session_cookie%253Aadmin at TELOIP.NET>>
>> ipa: DEBUG: stdout=457971704
>>
>> ipa: DEBUG: stderr=
>> ipa: DEBUG: args=keyctl search @s user
>> ipa_session_cookie:admin at TELOIP.NET
>> <mailto:ipa_session_cookie%3Aadmin at TELOIP.NET>
>> <mailto:ipa_session_cookie%3Aadmin at TELOIP.NET
>> <mailto:ipa_session_cookie%253Aadmin at TELOIP.NET>>
>> ipa: DEBUG: stdout=457971704
>>
>> ipa: DEBUG: stderr=
>> ipa: DEBUG: args=keyctl pupdate 457971704
>> ipa: DEBUG: stdout=
>> ipa: DEBUG: stderr=
>> body: "<?xml version='1.0'
>>
>> encoding='UTF-8'?>\n<methodResponse>\n<fault>\n<value><struct>\n<member>\n<name>faultCode</name>\n<value><int>4301</int></value>\n</member>\n<member>\n<name>faultString</name>\n<value><string>Certificate
>> operation cannot be completed: Unable to communicate with
>> CMS (Not
>>
>> Found)</string></value>\n</member>\n</struct></value>\n</fault>\n</methodResponse>\n"
>> ipa: DEBUG: Caught fault 4301 from server
>> https://caer.teloip.net/ipa/session/xml: Certificate
>> operation cannot be
>> completed: Unable to communicate with CMS (Not Found)
>> ipa: DEBUG: Destroyed connection context.xmlclient
>> ipa: ERROR: Certificate operation cannot be completed: Unable
>> to
>> communicate with CMS (Not Found)
>> [root at caer ~]#
>>
>>
>> But more interesting is: SelfTestSubsystem: The CRITICAL
>> self test
>> plugin called
>> selftests.container.instance.SystemCertsVerification
>> running at startup FAILED!
>>
>> Are you sure that CA is running?
>> # ipactl status
>> *Yes, CA is runnig, *
>>
>> *[root at caer ~]# ipactl status*
>> Directory Service: RUNNING
>> KDC Service: RUNNING
>> KPASSWD Service: RUNNING
>> DNS Service: RUNNING
>> MEMCACHE Service: RUNNING
>> HTTP Service: RUNNING
>> CA Service: RUNNING
>>
>> This looks like that self test fail and therefore CA
>> shouldn't start. It
>> also says that some of CA cert is not valid. Which one might
>> be seen in
>> /var/log/pki-ca/debug but a bigger chunk would be needed.
>>
>> *[root at caer ~]# tail -100 /var/log/pki-ca/debug *
>>
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: getConn: conn
>> is
>> connected true
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: getConn:
>> mNumConns now 1
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: In
>> findCertRecordsInListRawJumpto with Jumpto 20160721114829Z
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: In
>> DBVirtualList filter
>> attrs startFrom sortKey pageSize filter:
>> (certStatus=REVOKED) attrs:
>> [objectclass, certRevokedOn, certRecordId, certRevoInfo,
>> notAfter,
>> x509cert] pageSize -200 startFrom 20160721114829Z
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: returnConn:
>> mNumConns now 2
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: returnConn:
>> mNumConns now 3
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: getEntries
>> returning 0
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: mTop 0
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Getting
>> Virtual List size: 0
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: index may be
>> empty
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]:
>> updateCertStatus done
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Starting
>> cert checkRanges
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial
>> numbers left in
>> range: 268369849
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Last Serial
>> Number: 71
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial Numbers
>> available: 268369849
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: cert
>> checkRanges done
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Starting
>> request checkRanges
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial
>> numbers left in
>> range: 9989888
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Last Serial
>> Number: 112
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial Numbers
>> available: 9989888
>> [21/Jul/2016:11:48:29][CertStatusUpdateThread]: request
>> checkRanges done
>> [21/Jul/2016:11:53:28][Timer-0]: CMSEngine:
>> getPasswordStore(): password
>> store initialized before.
>> [21/Jul/2016:11:53:28][Timer-0]: CMSEngine:
>> getPasswordStore(): password
>> store initialized.
>> [21/Jul/2016:11:58:28][Timer-0]: CMSEngine:
>> getPasswordStore(): password
>> store initialized before.
>> [21/Jul/2016:11:58:28][Timer-0]: CMSEngine:
>> getPasswordStore(): password
>> store initialized.
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: About to start
>> updateCertStatus
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting
>> updateCertStatus (entered lock)
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In
>> updateCertStatus()
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In
>> LdapBoundConnFactory::getConn()
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn
>> is connected:
>> true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn
>> is
>> connected true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn:
>> mNumConns now 2
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]:
>> getInvalidCertificatesByNotBeforeDate filter
>> (certStatus=INVALID)
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]:
>> getInvalidCertificatesByNotBeforeDate: about to call
>> findCertRecordsInList
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In
>> LdapBoundConnFactory::getConn()
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn
>> is connected:
>> true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn
>> is
>> connected true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn:
>> mNumConns now 1
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In
>> findCertRecordsInListRawJumpto with Jumpto 20160721115829Z
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In
>> DBVirtualList filter
>> attrs startFrom sortKey pageSize filter:
>> (certStatus=INVALID) attrs:
>> [objectclass, certRecordId, x509cert] pageSize -200 startFrom
>> 20160721115829Z
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn:
>> mNumConns now 2
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In
>> getInvalidCertsByNotBeforeDate finally.
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn:
>> mNumConns now 3
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries
>> returning 0
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting
>> Virtual List size: 0
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: index may be
>> empty
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In
>> LdapBoundConnFactory::getConn()
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn
>> is connected:
>> true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn
>> is
>> connected true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn:
>> mNumConns now 2
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]:
>> getValidCertsByNotAfterDate filter (certStatus=VALID)
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In
>> LdapBoundConnFactory::getConn()
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn
>> is connected:
>> true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn
>> is
>> connected true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn:
>> mNumConns now 1
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In
>> findCertRecordsInListRawJumpto with Jumpto 20160721115829Z
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In
>> DBVirtualList filter
>> attrs startFrom sortKey pageSize filter: (certStatus=VALID)
>> attrs:
>> [objectclass, certRecordId, x509cert] pageSize -200 startFrom
>> 20160721115829Z
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn:
>> mNumConns now 2
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn:
>> mNumConns now 3
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries
>> returning 1
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting
>> Virtual List
>> size: 14
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]:
>> transidValidCertificates: list size: 14
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]:
>> transitValidCertificates: ltSize 1
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]:
>> getElementAt: 0 mTop 0
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: reverse
>> direction
>> getting index 0
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Record does
>> not
>> qualify,notAfter Thu Jan 12 09:11:48 EST 2017 date Thu Jul
>> 21 11:58:29
>> EDT 2016
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]:
>> transitCertList EXPIRED
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In
>> LdapBoundConnFactory::getConn()
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn
>> is connected:
>> true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn
>> is
>> connected true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn:
>> mNumConns now 2
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]:
>> getRevokedCertificatesByNotAfterDate filter
>> (certStatus=REVOKED)
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]:
>> getRevokedCertificatesByNotAfterDate: about to call
>> findCertRecordsInList
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In
>> LdapBoundConnFactory::getConn()
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn
>> is connected:
>> true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn
>> is
>> connected true
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn:
>> mNumConns now 1
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In
>> findCertRecordsInListRawJumpto with Jumpto 20160721115829Z
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In
>> DBVirtualList filter
>> attrs startFrom sortKey pageSize filter:
>> (certStatus=REVOKED) attrs:
>> [objectclass, certRevokedOn, certRecordId, certRevoInfo,
>> notAfter,
>> x509cert] pageSize -200 startFrom 20160721115829Z
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn:
>> mNumConns now 2
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn:
>> mNumConns now 3
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries
>> returning 0
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting
>> Virtual List size: 0
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: index may be
>> empty
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]:
>> updateCertStatus done
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting
>> cert checkRanges
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial
>> numbers left in
>> range: 268369849
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Last Serial
>> Number: 71
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial Numbers
>> available: 268369849
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: cert
>> checkRanges done
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting
>> request checkRanges
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial
>> numbers left in
>> range: 9989888
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Last Serial
>> Number: 112
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial Numbers
>> available: 9989888
>> [21/Jul/2016:11:58:29][CertStatusUpdateThread]: request
>> checkRanges done
>> [21/Jul/2016:12:03:28][Timer-0]: CMSEngine:
>> getPasswordStore(): password
>> store initialized before.
>> [21/Jul/2016:12:03:28][Timer-0]: CMSEngine:
>> getPasswordStore(): password
>> store initialized.
>>
>> On Thu, Jul 21, 2016 at 11:46 AM, Petr Vobornik
>> <pvoborni at redhat.com <mailto:pvoborni at redhat.com>
>> <mailto:pvoborni at redhat.com <mailto:pvoborni at redhat.com>>>
>> wrote:
>>
>> On 07/21/2016 05:14 PM, Linov Suresh wrote:
>> > I set debug=true in /etc/ipa/default.conf
>> >
>> > Here are my logs,
>>
>> The httpd_error log doesn't contain the part where `ipa
>> cert-show 1` was
>> run. If it is from the same time. Does `ipa cert-show`
>> communicate with
>> the same replica? Could be verified by `ipa -vv
>> cert-show`
>>
>> But more interesting is:
>>
>> SelfTestSubsystem: The CRITICAL self test plugin called
>> selftests.container.instance.SystemCertsVerification
>> running at startup
>> FAILED!
>>
>> Are you sure that CA is running?
>> # ipactl status
>>
>> This looks like that self test fail and therefore CA
>> shouldn't start. It
>> also says that some of CA cert is not valid. Which one
>> might be seen in
>> /var/log/pki-ca/debug but a bigger chunk would be needed.
>>
>> >
>> > *[root at caer ~]# tail -f /var/log/httpd/error_log*
>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: WSGI
>> WSGIExecutioner.__call__:
>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: raw:
>> user_show(u'admin',
>> > rights=False, all=False, raw=False, version=u'2.46')
>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG:
>> user_show(u'admin', rights=False,
>> > all=False, raw=False, version=u'2.46')
>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG:
>> get_memberof:
>> >
>> entry_dn=uid=admin,cn=users,cn=accounts,dc=teloip,dc=net
>> >
>>
>>
>> memberof=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=teloip,dc=net'),
>> > ipapython.dn.DN('cn=replication
>> >
>> administrators,cn=privileges,cn=pbac,dc=teloip,dc=net'),
>> ipapython.dn.DN('cn=add
>> > replication
>> agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>> > ipapython.dn.DN('cn=modify replication
>> > agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>> ipapython.dn.DN('cn=remove
>> > replication
>> agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>> > ipapython.dn.DN('cn=unlock user
>> > accounts,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>> ipapython.dn.DN('cn=manage
>> > service
>> keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>> > ipapython.dn.DN('cn=trust
>> admins,cn=groups,cn=accounts,dc=teloip,dc=net'),
>> > ipapython.dn.DN('cn=host
>> enrollment,cn=privileges,cn=pbac,dc=teloip,dc=net'),
>> > ipapython.dn.DN('cn=manage host
>> > keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>> ipapython.dn.DN('cn=enroll a
>> > host,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>> ipapython.dn.DN('cn=add host
>> > password,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>> ipapython.dn.DN('cn=add
>> > krbprincipalname to a
>> host,cn=permissions,cn=pbac,dc=teloip,dc=net')]
>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG:
>> get_memberof: result
>> >
>>
>>
>> direct=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=teloip,dc=net'),
>> > ipapython.dn.DN('cn=trust
>> admins,cn=groups,cn=accounts,dc=teloip,dc=net')]
>> > indirect=[ipapython.dn.DN('cn=replication
>> >
>> administrators,cn=privileges,cn=pbac,dc=teloip,dc=net'),
>> ipapython.dn.DN('cn=add
>> > replication
>> agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>> > ipapython.dn.DN('cn=modify replication
>> > agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>> ipapython.dn.DN('cn=remove
>> > replication
>> agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>> > ipapython.dn.DN('cn=unlock user
>> > accounts,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>> ipapython.dn.DN('cn=manage
>> > service
>> keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>> > ipapython.dn.DN('cn=host
>> enrollment,cn=privileges,cn=pbac,dc=teloip,dc=net'),
>> > ipapython.dn.DN('cn=manage host
>> > keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>> ipapython.dn.DN('cn=enroll a
>> > host,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>> ipapython.dn.DN('cn=add host
>> > password,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>> ipapython.dn.DN('cn=add
>> > krbprincipalname to a
>> host,cn=permissions,cn=pbac,dc=teloip,dc=net')]
>> > [Thu Jul 21 11:00:38 2016] [error] ipa: INFO:
>> admin at TELOIP.NET <mailto:admin at TELOIP.NET>
>> <mailto:admin at TELOIP.NET <mailto:admin at TELOIP.NET>>
>> > <mailto:admin at TELOIP.NET <mailto:admin at TELOIP.NET>
>> <mailto:admin at TELOIP.NET <mailto:admin at TELOIP.NET>>>:
>>
>> user_show(u'admin', rights=False, all=False,
>> > raw=False, version=u'2.46'): SUCCESS
>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG:
>> response: entries returned 1
>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG:
>> Destroyed connection context.ldap2
>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG:
>> reading ccache data from file
>> > "/var/run/ipa_memcached/krbcc_13554"
>> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: store
>> session:
>> > session_id=10c5de02f8ae0f3969b96ef0f2e3a96d
>> start_timestamp=2016-07-21T10:43:26
>> > access_timestamp=2016-07-21T11:00:38
>> expiration_timestamp=2016-07-21T11:20:38
>> >
>> > *[root at caer ~]# tail -f /var/log/pki-ca/debug*
>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]:
>> RequestQueue: curReqId: 9990001
>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]:
>> getElementAt: 1 mTop 107
>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]:
>> reverse direction getting index 4
>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]:
>> RequestQueue: curReqId: 112
>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]:
>> RequestQueue: getLastRequestId :
>> > returning value 112
>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]:
>> Repository: mLastSerialNo: 112
>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]:
>> Serial numbers left in range:
>> > 9989888
>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Last
>> Serial Number: 112
>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]:
>> Serial Numbers available: 9989888
>> > [21/Jul/2016:11:08:29][CertStatusUpdateThread]:
>> request checkRanges done
>> >
>> > *[root at caer ~]# tail -f /var/log/pki-ca/transactions*
>> > 6563.CRLIssuingPoint-MasterCRL -
>> [20/Jul/2016:17:00:00 EDT] [20]
>> [1] CRL Update
>> > completed. CRL ID: MasterCRL CRL Number: 8,912 last
>> update time:
>> 7/20/16 5:00 PM
>> > next update time: 7/20/16 9:00 PM Number of entries
>> in the CRL:
>> 11 time: 25 CRL
>> > time: 25 delta CRL time: 0
>> (0,0,0,0,0,0,0,8,17,0,0,25,25)
>> > 6563.CRLIssuingPoint-MasterCRL -
>> [20/Jul/2016:21:00:00 EDT] [20]
>> [1] CRL update
>> > started. CRL ID: MasterCRL CRL Number: 8,913
>> Delta CRL
>> Enabled: false CRL
>> > Cache Enabled: true Cache Recovery Enabled: true
>> Cache Cleared:
>> false Cache:
>> > 11,0,0,0
>> > 6563.CRLIssuingPoint-MasterCRL -
>> [20/Jul/2016:21:00:00 EDT] [20]
>> [1] CRL Update
>> > completed. CRL ID: MasterCRL CRL Number: 8,913 last
>> update time:
>> 7/20/16 9:00 PM
>> > next update time: 7/21/16 1:00 AM Number of entries
>> in the CRL:
>> 11 time: 11 CRL
>> > time: 11 delta CRL time: 0
>> (0,0,0,0,0,0,0,6,5,0,0,11,11)
>> > 6563.CRLIssuingPoint-MasterCRL -
>> [21/Jul/2016:01:00:00 EDT] [20]
>> [1] CRL update
>> > started. CRL ID: MasterCRL CRL Number: 8,914
>> Delta CRL
>> Enabled: false CRL
>> > Cache Enabled: true Cache Recovery Enabled: true
>> Cache Cleared:
>> false Cache:
>> > 11,0,0,0
>> > 6563.CRLIssuingPoint-MasterCRL -
>> [21/Jul/2016:01:00:00 EDT] [20]
>> [1] CRL Update
>> > completed. CRL ID: MasterCRL CRL Number: 8,914 last
>> update time:
>> 7/21/16 1:00 AM
>> > next update time: 7/21/16 5:00 AM Number of entries
>> in the CRL:
>> 11 time: 13 CRL
>> > time: 13 delta CRL time: 0
>> (0,0,0,0,0,0,0,6,7,0,0,13,13)
>> > 6563.CRLIssuingPoint-MasterCRL -
>> [21/Jul/2016:05:00:00 EDT] [20]
>> [1] CRL update
>> > started. CRL ID: MasterCRL CRL Number: 8,915
>> Delta CRL
>> Enabled: false CRL
>> > Cache Enabled: true Cache Recovery Enabled: true
>> Cache Cleared:
>> false Cache:
>> > 11,0,0,0
>> > 6563.CRLIssuingPoint-MasterCRL -
>> [21/Jul/2016:05:00:00 EDT] [20]
>> [1] CRL Update
>> > completed. CRL ID: MasterCRL CRL Number: 8,915 last
>> update time:
>> 7/21/16 5:00 AM
>> > next update time: 7/21/16 9:00 AM Number of entries
>> in the CRL:
>> 11 time: 16 CRL
>> > time: 16 delta CRL time: 0
>> (0,0,0,0,0,0,0,8,8,0,0,16,16)
>> > 6563.CRLIssuingPoint-MasterCRL -
>> [21/Jul/2016:09:00:00 EDT] [20]
>> [1] CRL update
>> > started. CRL ID: MasterCRL CRL Number: 8,916
>> Delta CRL
>> Enabled: false CRL
>> > Cache Enabled: true Cache Recovery Enabled: true
>> Cache Cleared:
>> false Cache:
>> > 11,0,0,0
>> > 6563.CRLIssuingPoint-MasterCRL -
>> [21/Jul/2016:09:00:00 EDT] [20]
>> [1] CRL Update
>> > completed. CRL ID: MasterCRL CRL Number: 8,916 last
>> update time:
>> 7/21/16 9:00 AM
>> > next update time: 7/21/16 1:00 PM Number of entries
>> in the CRL:
>> 11 time: 13 CRL
>> > time: 13 delta CRL time: 0
>> (0,0,0,0,0,0,0,6,7,0,0,13,13)
>> > 10657.http-9443-2 - [21/Jul/2016:10:28:19 EDT] [20]
>> [1] renewal
>> reqID 112
>> > fromAgent userID: ipara authenticated by
>> certUserDBAuthMgr is
>> completed DN
>> > requested: CN=CA Audit,O=TELOIP.NET
>> <http://TELOIP.NET> <http://TELOIP.NET>
>> <http://TELOIP.NET> cert issued serial
>> > number: 0x47 time: 39
>> >
>> > *[root at caer ~]# tail -f
>> /var/log/pki-ca/selftests.log*
>> > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1]
>> SelfTestSubsystem: loading all
>> > self test plugin logger parameters
>> > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1]
>> SelfTestSubsystem: loading all
>> > self test plugin instances
>> > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1]
>> SelfTestSubsystem: loading all
>> > self test plugin instance parameters
>> > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1]
>> SelfTestSubsystem: loading
>> > self test plugins in on-demand order
>> > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1]
>> SelfTestSubsystem: loading
>> > self test plugins in startup order
>> > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1]
>> SelfTestSubsystem: Self test
>> > plugins have been successfully loaded!
>> > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1]
>> SelfTestSubsystem: Running self
>> > test plugins specified to be executed at startup:
>> > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1]
>> CAPresence: CA is present
>> > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1]
>> SystemCertsVerification: system
>> > certs verification failure
>> > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1]
>> SelfTestSubsystem: The CRITICAL
>> > self test plugin called
>> selftests.container.instance.SystemCertsVerification
>> > running at startup FAILED!
>> >
>> > But intrestingly, [root at caer ~]# ipa cert-show 1
>> returns "*ipa:
>> ERROR:
>> > Certificate operation cannot be completed: Unable to
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160722/d592b5c2/attachment.htm>
More information about the Freeipa-users
mailing list