[Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

Rob Crittenden rcritten at redhat.com
Thu May 5 21:39:08 UTC 2016


Anthony Cheng wrote:
> More updates: it turns out that there were some duplicate and expired
> certificates as well as incorrect trust attributes (e.g. seeing 2
> instances of Server-Cert from certutil -L -d /etc/httpd/alias).  So I
> deleted the duplicate cert, re-added the certificate w/ a valid date, and
> fixed the cert trust attributes along the way.

You're fixing the wrong place. Apache is up and serving which is how you 
are getting Not Found. It is dogtag that isn't starting for some reason. 
Maybe Endi has some ideas.

rob
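
The triage step discussed in this thread (the CA did not start, so read its debug log) can be automated. The following is an added example, not part of the original message and not FreeIPA or Dogtag code: it reports which subsystem began initialising but never finished, and which signing-unit nickname was never followed by a "Found cert by nickname" line. Function names are hypothetical; the sample lines are copied from the debug log quoted further down in this thread, with the mail wrapping undone.

```python
import re

# One debug-log entry looks like: "[28/Jan/2016:21:09:03][main]: message"
ENTRY_RE = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\]\[([^\]]+)\]: (.*)$")
START_RE = re.compile(r"^CMSEngine: initSubsystem id=(\S+)")
DONE_RE = re.compile(r"^CMSEngine: initialized (\S+)")
UNIT_RE = re.compile(r"^(\S+) Signing Unit nickname (.+)$")
FOUND_RE = re.compile(r"^Found cert by nickname: '(.+)' with serial number")
BOOT_MARKER = "DEBUG SUBSYSTEM INITIALIZED"

# Sample input: lines from the debug log quoted in this thread.
SAMPLE_DEBUG_LOG = """\
[28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=request
[28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=request
[28/Jan/2016:21:09:03][main]: CMSEngine: done init id=request
[28/Jan/2016:21:09:03][main]: CMSEngine: initialized request
[28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=ca
[28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=ca
[28/Jan/2016:21:09:03][main]: CertificateAuthority init
[28/Jan/2016:21:09:03][main]: ca.signing Signing Unit nickname caSigningCert cert-pki-ca
[28/Jan/2016:21:09:03][main]: Got token Internal Key Storage Token by name
[28/Jan/2016:21:09:03][main]: Found cert by nickname: 'caSigningCert cert-pki-ca' with serial number: 1
[28/Jan/2016:21:09:03][main]: CA signing unit inited
[28/Jan/2016:21:09:03][main]: ca.ocsp_signing Signing Unit nickname ca.ocsp_signing.cert
[28/Jan/2016:21:09:03][main]: Got token Internal Key Storage Token by name
[28/Jan/2016:21:09:03][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
[28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException
Certificate object not found
         at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
"""


def parse_entries(text):
    """Return [timestamp, message] pairs. Lines without a timestamp
    (exception text, stack frames) are appended to the entry they follow."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append([m.group(1), m.group(3).strip()])
        elif entries and line.strip():
            entries[-1][1] += "\n" + line.strip()
    return entries


def analyze_startup(text):
    """Summarise the most recent start-up attempt found in a debug log."""
    entries = parse_entries(text)
    boot = 0  # index of the last start-up banner; 0 if the log has none
    for i, (_, msg) in enumerate(entries):
        if BOOT_MARKER in msg:
            boot = i
    started, finished, units, errors = [], set(), [], []
    for ts, msg in entries[boot:]:
        head = msg.split("\n", 1)[0]
        m = START_RE.match(head)
        if m:
            started.append(m.group(1))
            continue
        m = DONE_RE.match(head)
        if m:
            finished.add(m.group(1))
            continue
        m = UNIT_RE.match(head)
        if m:
            units.append({"unit": m.group(1), "nickname": m.group(2), "found": False})
            continue
        m = FOUND_RE.match(head)
        if m and units and units[-1]["nickname"] == m.group(1):
            units[-1]["found"] = True
        if "Exception" in msg:
            errors.append(f"{ts} {msg}")
    return {
        # subsystems that logged initSubsystem but never "initialized"
        "stalled": [s for s in started if s not in finished],
        # signing units whose nickname the log never reports as found
        "missing_certs": [(u["unit"], u["nickname"]) for u in units if not u["found"]],
        "errors": errors,
    }


if __name__ == "__main__":
    report = analyze_startup(SAMPLE_DEBUG_LOG)
    print("stalled subsystems:", report["stalled"])
    print("nicknames not found:", report["missing_certs"])
    for err in report["errors"]:
        print("error:", err.splitlines()[0])
```

A nickname listed as not found only means the log shows no matching "Found cert by nickname" entry for it; whether the certificate is absent from the CA's NSS database or the configured nickname is wrong has to be checked separately.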

>
> So it went from this
>
> [root@test ~]# certutil -L -d /etc/httpd/alias
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> Server-Cert                                                  u,u,u
> ipaCert                                                      u,u,u
> sample.NET IPA CA                                            CT,C,C
> ipaCert                                                      u,u,u
> Signing-Cert                                                 u,u,u
> Server-Cert                                                  u,u,u
>
> to this
>
> [root@test ~]# certutil -L -d /etc/httpd/alias
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> ipaCert                                                      u,u,u
> Server-Cert                                                  u,u,u
> sample.NET IPA CA                                            CT,C,C
> Signing-Cert                                                 u,u,u
>
> I also retried the resubmit/restart processes, but unfortunately the error
> persists (ca-error: Server failed request, will retry: 4301 (RPC
> failed at server.  Certificate operation cannot be completed: Unable
> to communicate with CMS (Not Found)).)
>
> Currently I am in the process of recreating this problem on RHEL 6 to
> try to get RH support on this.
>
> Thanks, Anthony
>
>
> On Wed, May 4, 2016 at 10:34 AM, Anthony Cheng
> <anthony.wan.cheng at gmail.com> wrote:
>> On Wed, May 4, 2016 at 9:07 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>>> Anthony Cheng wrote:
>>>>
>>>> Small update, I found an article on the RH solution library
>>>> (https://access.redhat.com/solutions/2020223) that has the same error
>>>> code that I am getting and I followed the steps with certutil to update
>>>> the cert attributes but it is still not working.  The article is listed
>>>> as "Solution in Progress".
>>>>
>>>> [root@test ~]# getcert list | more
>>>>
>>>> Number of certificates and requests being tracked: 7.
>>>>
>>>> Request ID '20111214223243':
>>>>
>>>> status: CA_UNREACHABLE
>>>>
>>>> ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>>>
>>>
>>> Not Found means the CA didn't start. You need to examine the debug and
>>> selftest logs to determine why.
>>>
>>> rob
>>
>> selftests.log is empty; there are entries for other times but not for
>> the test when I set the clock to renew certs.
>>
>> [root@test pki-ca]# clock
>> Fri 29 Jan 2016 08:19:54 AM UTC  -0.960583 seconds
>> [root@test pki-ca]#
>> [root@test pki-ca]#
>>
>> [root@test pki-ca]# ll * | grep self
>> -rw-r-----. 1 pkiuser pkiuser         0 Nov 23 14:11 selftests.log
>> -rw-r-----. 1 pkiuser pkiuser      1206 Apr  7  2015 selftests.log.20150407143526
>> -rw-r-----. 1 pkiuser pkiuser      3673 Jun 30  2015 selftests.log.20150630163924
>> -rw-r-----. 1 pkiuser pkiuser      1217 Aug 31 20:07 selftests.log.20150831160735
>> -rw-r-----. 1 pkiuser pkiuser      3798 Oct 24 14:12 selftests.log.20151024101159
>>
>> From the debug log I see some error messages:
>>
>> [28/Jan/2016:21:09:03][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
>> [28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException
>> Certificate object not found
>>          at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
>>
>> Full log:
>>
>> [28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=ca
>> [28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=ca
>> [28/Jan/2016:21:09:03][main]: CertificateAuthority init
>> [28/Jan/2016:21:09:03][main]: Cert Repot inited
>> [28/Jan/2016:21:09:03][main]: CRL Repot inited
>> [28/Jan/2016:21:09:03][main]: Replica Repot inited
>> [28/Jan/2016:21:09:03][main]: ca.signing Signing Unit nickname
>> caSigningCert cert-pki-ca
>> [28/Jan/2016:21:09:03][main]: Got token Internal Key Storage Token by name
>> [28/Jan/2016:21:09:03][main]: Found cert by nickname: 'caSigningCert
>> cert-pki-ca' with serial number: 1
>> [28/Jan/2016:21:09:03][main]: converted to x509CertImpl
>> [28/Jan/2016:21:09:03][main]: Got private key from cert
>> [28/Jan/2016:21:09:03][main]: Got public key from cert
>> [28/Jan/2016:21:09:03][main]: got signing algorithm RSASignatureWithSHA256Digest
>> [28/Jan/2016:21:09:03][main]: CA signing unit inited
>> [28/Jan/2016:21:09:03][main]: cachainNum= 0
>> [28/Jan/2016:21:09:03][main]: in init - got CA chain from JSS.
>> [28/Jan/2016:21:09:03][main]: ca.ocsp_signing Signing Unit nickname
>> ca.ocsp_signing.cert
>> [28/Jan/2016:21:09:03][main]: Got token Internal Key Storage Token by name
>> [28/Jan/2016:21:09:03][main]: SigningUnit init: debug
>> org.mozilla.jss.crypto.ObjectNotFoundException
>> [28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException
>> Certificate object not found
>>          at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
>>          at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1204)
>>          at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
>>          at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
>>          at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
>>          at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
>>          at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
>>          at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
>>          at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
>>          at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
>>          at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
>>          at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
>>          at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
>>          at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
>>          at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
>>          at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
>>          at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
>>          at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
>>          at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
>>          at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
>>          at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
>>          at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
>>          at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
>>          at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
>>          at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
>>          at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
>>          at org.apache.catalina.core.StandardService.start(StandardService.java:516)
>>          at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
>>          at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
>>          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>          at java.lang.reflect.Method.invoke(Method.java:616)
>>          at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>>          at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
>> [28/Jan/2016:21:09:03][main]: CMSEngine.shutdown()
>> [28/Jan/2016:21:14:02][Timer-0]: CMSEngine: getPasswordStore():
>> password store initialized before.
>> [28/Jan/2016:21:14:02][Timer-0]: CMSEngine: getPasswordStore():
>> password store initialized.
>> [28/Jan/2016:21:19:02][Timer-0]: CMSEngine: getPasswordStore():
>> password store initialized before.
>> [28/Jan/2016:21:19:02][Timer-0]: CMSEngine: getPasswordStore():
>> password store initialized.
>>
>>
>>
>>
>>>
>>>>
>>>> stuck: yes
>>>>
>>>> key pair storage:
>>>>
>>>> type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-SAMPLE-NET//pwdfile.txt'
>>>>
>>>> certificate:
>>>>
>>>> type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB'
>>>>
>>>> CA: IPA
>>>>
>>>> issuer: CN=Certificate Authority,O=SAMPLE.NET
>>>>
>>>> subject: CN=caer.SAMPLE.net,O=SAMPLE.NET
>>>>
>>>> expires: 2016-01-29 14:09:46 UTC
>>>>
>>>> eku: id-kp-serverAuth
>>>>
>>>> pre-save command:
>>>>
>>>> post-save command:
>>>>
>>>> track: yes
>>>>
>>>> auto-renew: yes
>>>>
>>>>
>>>>
>>>> On Mon, May 2, 2016 at 5:35 PM Anthony Cheng
>>>> <anthony.wan.cheng at gmail.com> wrote:
>>>>
>>>>      On Mon, May 2, 2016 at 9:54 AM Rob Crittenden <rcritten at redhat.com> wrote:
>>>>
>>>>          Anthony Cheng wrote:
>>>>           > On Sat, Apr 30, 2016 at 10:08 AM Rob Crittenden <rcritten at redhat.com> wrote:
>>>>           >
>>>>           >     Anthony Cheng wrote:
>>>>           >      > OK so I made progress on my cert renew issue; I was able to get kinit
>>>>           >      > working so I can follow the rest of the steps here
>>>>           >      > (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
>>>>           >      >
>>>>           >      > However, after using
>>>>           >      >
>>>>           >      > ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
>>>>           >      >
>>>>           >      > and restarting apache (/sbin/service httpd restart), resubmitting 3
>>>>           >      > certs (ipa-getcert resubmit -i <ID>) and restarting IPA (resubmit -i <ID>)
>>>>           >      > (/sbin/service ipa restart), I still see:
>>>>           >      >
>>>>           >      > [root at test ~]# ipa-getcert list | more
>>>>           >      > Number of certificates and requests being tracked: 8.
>>>>           >      > Request ID '20111214223243':
>>>>           >      >          status: CA_UNREACHABLE
>>>>           >      >          ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>>>>           >
>>>>           >     IPA proxies requests to the CA through Apache. This means that while
>>>>           >     tomcat started ok it didn't load the dogtag CA application, hence the
>>>>           >     Not Found.
>>>>           >
>>>>           >     Check the CA debug and selftest logs to see why it failed to start
>>>>           >     properly.
>>>>           >
>>>>           >     [ snip ]
>>>>           >
>>>>           > Actually after a reboot that error went away and I just get this error
>>>>           > instead "ca-error: Server failed request, will retry: -504 (libcurl
>>>>           > failed to execute the HTTP POST transaction. Peer certificate cannot be
>>>>           > authenticated with known CA certificates)." from "getcert list"
>>>>           >
>>>>           > Result of service ipa restart is interesting since it shows today's time
>>>>           > when I already changed date/time/disable NTP so somehow the system still
>>>>           > knows today's time.
>>>>           >
>>>>           > PKI-IPA...[02/May/2016:13:26:10 +0000] - SSL alert:
>>>>           > CERT_VerifyCertificateNow: verify certificate failed for cert
>>>>           > Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
>>>>           > Runtime error -8181 - Peer's Certificate has expired.)
>>>>
>>>>          Hard to say. I'd confirm that there is no time syncing service running,
>>>>          ntp or otherwise.
>>>>
>>>>
>>>>      I found out why the time kept changing; it was due to the fact that
>>>>      it has VM tools installed (I didn't configure this box) so it
>>>>      automatically syncs time during bootup.
>>>>
>>>>      I did still see this error message:
>>>>
>>>>      ca-error: Server failed request, will retry: 4301 (RPC failed at
>>>>      server. Certificate operation cannot be completed: Unable to
>>>>      communicate with CMS (Not Found))
>>>>
>>>>      I tried the step http://www.freeipa.org/page/Troubleshooting with
>>>>
>>>>      certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt
>>>>      openssl x509 -text -in /tmp/ra.crt
>>>>      certutil -A -n ipaCert -d /etc/httpd/alias -t u,u,u -a -i /tmp/ra.crt
>>>>      service httpd restart
>>>>
>>>>      So that I can get rid of one of the CA certs that is expired (kept
>>>>      the 1st one) but still getting same error
>>>>
>>>>      What exactly is CMS and why is it not found?
>>>>
>>>>
>>>>      I did notice that the selftest log is empty with a different time:
>>>>
>>>>      -rw-r-----. 1 pkiuser pkiuser 0 Nov 23 14:11
>>>>      /var/log/pki-ca/selftests.log
>>>>
>>>>      [root at test ~]# clock
>>>>      Wed 27 Jan 2016 03:33:00 PM UTC -0.046800 seconds
>>>>
>>>>
>>>>      Here are some debug log after reboot:
>>>>
>>>>      [root at test pki-ca]# tail -n 100 catalina.out
>>>>
>>>>      INFO: JK: ajp13 listening on /0.0.0.0:9447
>>>>
>>>>      Jan 27, 2016 2:45:31 PM org.apache.jk.server.JkMain start
>>>>
>>>>      INFO: Jk running ID=0 time=1/23config=null
>>>>
>>>>      Jan 27, 2016 2:45:31 PM org.apache.catalina.startup.Catalina start
>>>>
>>>>      INFO: Server startup in 1722 ms
>>>>
>>>>      Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>>>>
>>>>      INFO: Pausing Coyote HTTP/1.1 on http-9180
>>>>
>>>>      Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>>>>
>>>>      INFO: Pausing Coyote HTTP/1.1 on http-9443
>>>>
>>>>      Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>>>>
>>>>      INFO: Pausing Coyote HTTP/1.1 on http-9445
>>>>
>>>>      Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>>>>
>>>>      INFO: Pausing Coyote HTTP/1.1 on http-9444
>>>>
>>>>      Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>>>>
>>>>      INFO: Pausing Coyote HTTP/1.1 on http-9446
>>>>
>>>>      Jan 27, 2016 2:56:22 PM org.apache.catalina.core.StandardService stop
>>>>
>>>>      INFO: Stopping service Catalina
>>>>
>>>>      Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>>>      clearReferencesThreads
>>>>
>>>>      SEVERE: A web application appears to have started a thread named
>>>>      [Timer-0] but has failed to stop it. This is very likely to create a memory leak.
>>>>
>>>>      Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>>>      clearReferencesThreads
>>>>
>>>>      SEVERE: A web application appears to have started a thread named
>>>>      [/var/lib/pki-ca/logs/signedAudit/ca_audit.flush-4] but has failed to stop it. This is very likely to create a memory leak.
>>>>
>>>>      Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>>>      clearReferencesThreads
>>>>
>>>>      SEVERE: A web application appears to have started a thread named
>>>>      [/var/lib/pki-ca/logs/signedAudit/ca_audit.rollover-6] but has failed to stop it. This is very likely to create a memory leak.
>>>>
>>>>      Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>>>      clearReferencesThreads
>>>>
>>>>      SEVERE: A web application appears to have started a thread named
>>>>      [/var/lib/pki-ca/logs/system.flush-6] but has failed to stop it. This is very likely to create a memory leak.
>>>>
>>>>      Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>>>      clearReferencesThreads
>>>>
>>>>      SEVERE: A web application appears to have started a thread named
>>>>      [/var/lib/pki-ca/logs/system.rollover-8] but has failed to stop it. This is very likely to create a memory leak.
>>>>
>>>>      Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>>>      clearReferencesThreads
>>>>
>>>>      SEVERE: A web application appears to have started a thread named
>>>>      [/var/lib/pki-ca/logs/transactions.flush-9] but has failed to stop it. This is very likely to create a memory leak.
>>>>
>>>>      Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>>>      clearReferencesThreads
>>>>
>>>>      SEVERE: A web application appears to have started a thread named
>>>>      [/var/lib/pki-ca/logs/transactions.rollover-10] but has failed to stop it. This is very likely to create a memory leak.
>>>>
>>>>      Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>>>      clearReferencesThreads
>>>>
>>>>      SEVERE: A web application appears to have started a thread named
>>>>      [LDAPConnThread-2 ldap://test.sample.net:7389] but has failed to stop it. This is
>>>>      very likely to create a memory leak.
>>>>
>>>>      Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>>>      clearReferencesThreads
>>>>
>>>>      SEVERE: A web application appears to have started a thread named
>>>>      [LDAPConnThread-3 ldap://test.sample.net:7389] but has failed to stop it. This is
>>>>      very likely to create a memory leak.
>>>>
>>>>      Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>>>      clearReferencesThreads
>>>>
>>>>      SEVERE: A web application appears to have started a thread named
>>>>      [LDAPConnThread-4 ldap://test.sample.net:7389] but has failed to stop it. This is
>>>>      very likely to create a memory leak.
>>>>
>>>>      Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>>>      clearThreadLocalMap
>>>>
>>>>      SEVERE: A web application created a ThreadLocal with key of type
>>>>      [null] (value [com.netscape.cmscore.util.Debug$1 at 228b677f]) and a
>>>>      value of type [java.text.SimpleDateFormat] (value
>>>>      [java.text.SimpleDateFormat at d1b317c9]) but failed to remove it when
>>>>      the web application was stopped. To prevent a memory leak, the
>>>>      ThreadLocal has been forcibly removed.
>>>>
>>>>      Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>>>      clearThreadLocalMap
>>>>
>>>>      SEVERE: A web application created a ThreadLocal with key of type
>>>>      [null] (value [com.netscape.cmscore.util.Debug$1 at 228b677f]) and a
>>>>      value of type [java.text.SimpleDateFormat] (value
>>>>      [java.text.SimpleDateFormat at d1b317c9]) but failed to remove it when
>>>>      the web application was stopped. To prevent a memory leak, the
>>>>      ThreadLocal has been forcibly removed.
>>>>
>>>>      Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
>>>>
>>>>      INFO: Stopping Coyote HTTP/1.1 on http-9180
>>>>
>>>>      Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
>>>>
>>>>      INFO: Stopping Coyote HTTP/1.1 on http-9443
>>>>
>>>>      Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
>>>>
>>>>      INFO: Stopping Coyote HTTP/1.1 on http-9445
>>>>
>>>>      Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
>>>>
>>>>      INFO: Stopping Coyote HTTP/1.1 on http-9444
>>>>
>>>>      Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
>>>>
>>>>      INFO: Stopping Coyote HTTP/1.1 on http-9446
>>>>
>>>>      Jan 27, 2016 2:57:36 PM
>>>>      org.apache.catalina.core.AprLifecycleListener init
>>>>
>>>>      INFO: The APR based Apache Tomcat Native library which allows
>>>>      optimal performance in production environments was not found on the
>>>>      java.library.path:
>>>>
>>>> /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
>>>>
>>>>      Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>>>>
>>>>      INFO: Initializing Coyote HTTP/1.1 on http-9180
>>>>
>>>>      Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
>>>>      unsupported by NSS. This is probably O.K. unless ECC support has
>>>>      been installed.
>>>>
>>>>      Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
>>>>      unsupported by NSS. This is probably O.K. unless ECC support has
>>>>      been installed.
>>>>
>>>>      Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>>>>
>>>>      INFO: Initializing Coyote HTTP/1.1 on http-9443
>>>>
>>>>      Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
>>>>      unsupported by NSS. This is probably O.K. unless ECC support has
>>>>      been installed.
>>>>
>>>>      Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
>>>>      unsupported by NSS. This is probably O.K. unless ECC support has
>>>>      been installed.
>>>>
>>>>      Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>>>>
>>>>      INFO: Initializing Coyote HTTP/1.1 on http-9445
>>>>
>>>>      Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
>>>>      unsupported by NSS. This is probably O.K. unless ECC support has
>>>>      been installed.
>>>>
>>>>      Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
>>>>      unsupported by NSS. This is probably O.K. unless ECC support has
>>>>      been installed.
>>>>
>>>>      Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>>>>
>>>>      INFO: Initializing Coyote HTTP/1.1 on http-9444
>>>>
>>>>      Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
>>>>      unsupported by NSS. This is probably O.K. unless ECC support has
>>>>      been installed.
>>>>
>>>>      Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
>>>>      unsupported by NSS. This is probably O.K. unless ECC support has
>>>>      been installed.
>>>>
>>>>      Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>>>>
>>>>      INFO: Initializing Coyote HTTP/1.1 on http-9446
>>>>
>>>>      Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.Catalina load
>>>>
>>>>      INFO: Initialization processed in 2198 ms
>>>>
>>>>      Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardService start
>>>>
>>>>      INFO: Starting service Catalina
>>>>
>>>>      Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardEngine start
>>>>
>>>>      INFO: Starting Servlet Engine: Apache Tomcat/6.0.24
>>>>
>>>>      Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.HostConfig
>>>>      deployDirectory
>>>>
>>>>      INFO: Deploying web application directory ROOT
>>>>
>>>>      Jan 27, 2016 2:57:38 PM org.apache.catalina.startup.HostConfig
>>>>      deployDirectory
>>>>
>>>>      INFO: Deploying web application directory ca
>>>>
>>>>      64-bit osutil library loaded
>>>>
>>>>      64-bit osutil library loaded
>>>>
>>>>      Certificate object not found
>>>>
>>>>      Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>>>>
>>>>      INFO: Starting Coyote HTTP/1.1 on http-9180
>>>>
>>>>      Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>>>>
>>>>      INFO: Starting Coyote HTTP/1.1 on http-9443
>>>>
>>>>      Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>>>>
>>>>      INFO: Starting Coyote HTTP/1.1 on http-9445
>>>>
>>>>      Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>>>>
>>>>      INFO: Starting Coyote HTTP/1.1 on http-9444
>>>>
>>>>      Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>>>>
>>>>      INFO: Starting Coyote HTTP/1.1 on http-9446
>>>>
>>>>      Jan 27, 2016 2:57:40 PM org.apache.jk.common.ChannelSocket init
>>>>
>>>>      INFO: JK: ajp13 listening on /0.0.0.0:9447
>>>>
>>>>      Jan 27, 2016 2:57:40 PM org.apache.jk.server.JkMain start
>>>>
>>>>      INFO: Jk running ID=0 time=0/40config=null
>>>>
>>>>      Jan 27, 2016 2:57:40 PM org.apache.catalina.startup.Catalina start
>>>>
>>>>      INFO: Server startup in 2592 ms
>>>>
>>>>      [root at test pki-ca]# tail -n 100 debug
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>>      subjectAltNameExtDefaultImpl Subject Alternative Name Extension
>>>>      Default Subject Alternative Name Extension Default
>>>>      com.netscape.cms.profile.def.SubjectAltNameExtDefault
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>>      userValidityDefaultImpl User Supplied Validity Default User Supplied
>>>>      Validity Default com.netscape.cms.profile.def.UserValidityDefault
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>>      userSubjectNameDefaultImpl User Supplied Subject Name Default User
>>>>      Supplied Subject Name Default
>>>>      com.netscape.cms.profile.def.UserSubjectNameDefault
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>>      subjectDirAttributesExtDefaultImpl Subject Directory Attributes
>>>>      Extension Default Subject Directory Attributes Extension Default
>>>>      com.netscape.cms.profile.def.SubjectDirAttributesExtDefault
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>>      certificateVersionDefaultImpl Certificate Version Default
>>>>      Certificate Version Default
>>>>      com.netscape.cms.profile.def.CertificateVersionDefault
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>>      extendedKeyUsageExtDefaultImpl Extended Key Usage Extension Default
>>>>      Extended Key Usage Extension Default
>>>>      com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>>      policyConstraintsExtDefaultImpl Policy Constraints Extension Default
>>>>      Policy Constraints Extension Default
>>>>      com.netscape.cms.profile.def.PolicyConstraintsExtDefault
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>>      crlDistributionPointsExtDefaultImpl CRL Distribution Points
>>>>      Extension Default CRL Distribution Points Extension Default
>>>>      com.netscape.cms.profile.def.CRLDistributionPointsExtDefault
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>>      certificatePoliciesExtDefaultImpl Certificate Policies Extension
>>>>      Default Certificate Policies Extension Default
>>>>      com.netscape.cms.profile.def.CertificatePoliciesExtDefault
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>>      validityDefaultImpl Validity Default Validty Default
>>>>      com.netscape.cms.profile.def.ValidityDefault
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>>      privateKeyPeriodExtDefaultImpl Private Key Period Ext Default
>>>>      Private Key Period Ext Default
>>>>      com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>>      noDefaultImpl No Default No Default
>>>>      com.netscape.cms.profile.def.NoDefault
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>>      imageDefaultImpl Image Default Image Default
>>>>      com.netscape.cms.profile.def.ImageDefault
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>>      subjectInfoAccessExtDefaultImpl Subject Info Access Extension
>>>>      Default Subject Info Access Extension Default
>>>>      com.netscape.cms.profile.def.SubjectInfoAccessExtDefault
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>>      autoAssignDefaultImpl Auto Request Assignment Default Auto Request
>>>>      Assignment Default com.netscape.cms.profile.def.AutoAssignDefault
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>>      policyMappingsExtDefaultImpl Policy Mappings Extension Default
>>>>      Policy Mappings Extension Default
>>>>      com.netscape.cms.profile.def.PolicyMappingsExtDefault
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>>      caValidityDefaultImpl CA Certificate Validity Default CA Certificate
>>>>      Validty Default com.netscape.cms.profile.def.CAValidityDefault
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>>      userExtensionDefaultImpl User Supplied Extension Default User
>>>>      Supplied Extension Default
>>>>      com.netscape.cms.profile.def.UserExtensionDefault
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>>      nsCertTypeExtDefaultImpl Netscape Certificate Type Extension Default
>>>>      Netscape Certificate Type Extension Default
>>>>      com.netscape.cms.profile.def.NSCertTypeExtDefault
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>>      authTokenSubjectNameDefaultImpl Token Supplied Subject Name Default
>>>>      Token Supplied Subject Name Default
>>>>      com.netscape.cms.profile.def.AuthTokenSubjectNameDefault
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>>      subjectNameDefaultImpl Subject Name Default Subject Name Default
>>>>      com.netscape.cms.profile.def.SubjectNameDefault
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>>      userSigningAlgDefaultImpl User Supplied Signing Alg Default User
>>>>      Supplied Signing Alg Default
>>>>      com.netscape.cms.profile.def.UserSigningAlgDefault
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>>      subjectKeyIdentifierExtDefaultImpl Subject Key Identifier Default
>>>>      Subject Key Identifier Default
>>>>      com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>>      inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy Extension Default
>>>>      Inhibit Any-Policy Extension Default
>>>>      com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>>      nsTokenDeviceKeySubjectNameDefaultImpl
>>>>      nsTokenDeviceKeySubjectNameDefault
>>>>      nsTokenDeviceKeySubjectNameDefaultImpl
>>>>      com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>>      nscCommentExtDefaultImpl Netscape Comment Extension Default Netscape
>>>>      Comment Extension Default
>>>>      com.netscape.cms.profile.def.NSCCommentExtDefault
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>>      signingAlgDefaultImpl Signing Algorithm Default Signing Algorithm
>>>>      Default com.netscape.cms.profile.def.SigningAlgDefault
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>>      nameConstraintsExtDefaultImpl Name Constraints Extension Default
>>>>      Name Constraints Extension Default
>>>>      com.netscape.cms.profile.def.NameConstraintsExtDefault
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: added plugin profileUpdater
>>>>      subsystemGroupUpdaterImpl Updater for Subsystem Group Updater for
>>>>      Subsystem Group com.netscape.cms.profile.updater.SubsystemGroupUpdater
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=registry
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: CMSEngine: initialized registry
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=oidmap
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=oidmap
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=oidmap
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: CMSEngine: initialized oidmap
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=X500Name
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=X500Name
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=X500Name
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: CMSEngine: initialized X500Name
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=request
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=request
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=request
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: CMSEngine: initialized request
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=ca
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=ca
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: CertificateAuthority init
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: Cert Repot inited
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: CRL Repot inited
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: Replica Repot inited
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: ca.signing Signing Unit nickname caSigningCert cert-pki-ca
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: Found cert by nickname: 'caSigningCert cert-pki-ca' with serial number: 1
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: converted to x509CertImpl
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: Got private key from cert
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: Got public key from cert
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: got signing algorithm RSASignatureWithSHA256Digest
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: CA signing unit inited
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: cachainNum= 0
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: in init - got CA chain from JSS.
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: ca.ocsp_signing Signing Unit nickname ca.ocsp_signing.cert
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: CMS:Caught EBaseException
>>>>
>>>>      Certificate object not found
>>>>
>>>>      at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
>>>>      at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1204)
>>>>      at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
>>>>      at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
>>>>      at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
>>>>      at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
>>>>      at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
>>>>      at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
>>>>      at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
>>>>      at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
>>>>      at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
>>>>      at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
>>>>      at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
>>>>      at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
>>>>      at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
>>>>      at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
>>>>      at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
>>>>      at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
>>>>      at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
>>>>      at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
>>>>      at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
>>>>      at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
>>>>      at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
>>>>      at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
>>>>      at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
>>>>      at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
>>>>      at org.apache.catalina.core.StandardService.start(StandardService.java:516)
>>>>      at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
>>>>      at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
>>>>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>>      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>      at java.lang.reflect.Method.invoke(Method.java:616)
>>>>      at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>>>>      at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
>>>>
>>>>      [27/Jan/2016:15:30:43][main]: CMSEngine.shutdown()
>>>>
>>>>
>>>>
>>>>
>>>>        >
>>>>
>>>>           >      > Would really greatly appreciate any help on this.
>>>>           >      >
>>>>           >      > Also I noticed after I do ldapmodify of
>>>>          usercertificate binary
>>>>           >     data with
>>>>           >      >
>>>>           >      > add: usercertificate;binary
>>>>           >      > usercertificate;binary: !@#$@!#$#@$
>>>>           >
>>>>           >     You really pasted in binary? Or was this base64-encoded
>>>> data?
>>>>           >
>>>>           >     I wonder if there is a problem in the wiki. If this is
>>>>          really a binary
>>>>           >     value you should start with a DER-encoded cert and load
>>>>          it using
>>>>           >     something like:
>>>>           >
>>>>           >     dn: uid=ipara,ou=people,o=ipaca
>>>>           >     changetype: modify
>>>>           >     add: usercertificate;binary
>>>>           >     usercertificate;binary:< file:///path/to/cert.der
>>>>           >
>>>>           >     You can use something like openssl x509 to switch between
>>>>          PEM and DER
>>>>           >     formats.
>>>>           >
>>>>           >     I have a vague memory that dogtag can deal with a
>>>>          multi-valued
>>>>           >     usercertificate attribute.
>>>>           >
>>>>           >     rob
>>>>           >
>>>>           >
>>>>           > Yes the wiki stated binary, the result of:
>>>>           > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b
>>>>           > uid=ipara,ou=People,o=ipaca -W
>>>>           >
>>>>           > shows userCertificate;binary:: GJ6Q0NBbGVnQXd ...
>>>>           >
>>>>           > But the actual data is from a PEM though.
>>>>
>>>>          Ok. So I looked at my CA data and it doesn't use the binary
>>>>          subtype, so
>>>>          my entries look like:
>>>>
>>>>          userCertificate:: MIID....
>>>>
>>>>          It might make a difference if dogtag is looking for the subtype
>>>>          or not.
>>>>
>>>>          rob
>>>>
>>>>           >
>>>>           >      >
>>>>           >      > Then I re-run
>>>>           >      >
>>>>           >      > ldapsearch -x -h localhost -p 7389 -D 'cn=directory
>>>>          manager' -W
>>>>           >     -b uid=ipara,ou=People,o=ipaca
>>>>           >      >
>>>>           >      > I see 2 entries for usercertificate;binary (before
>>>>          modify there
>>>>           >     was only
>>>>           >      > 1) but they are duplicate and NOT from data that I
>>>>          added.  That seems
>>>>           >      > incorrect to me.
>>>>           >      >
>>>>           >      >
>>>>           >      > On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng
>>>>           >      > <anthony.wan.cheng at gmail.com> wrote:
>>>>           >      >
>>>>           >      >     klist is actually empty; kinit admin fails.  Sounds like then
>>>>           >      >     getcert resubmit has a dependency on Kerberos.  I can get a backup
>>>>           >      >     image that has a valid ticket but it is only good for 1 day (and
>>>>           >      >     dated past the cert expiry).
>>>>           >      >
>>>>           >      >     Also I had asked awhile back about whether there
>>>>          is dependency on
>>>>           >      >     DIRSRV to renew the cert; didn't get any response
>>>>          but I suspect
>>>>           >      >     there is a dependency.
>>>>           >      >
>>>>           >      >     Regarding the clock skew, I found out from
>>>>          /var/log/message that
>>>>           >      >     shows me this so it may be from named:
>>>>           >      >
>>>>           >      >     Jan 28 14:10:42 test named[2911]: Failed to init
>>>>          credentials
>>>>           >     (Clock
>>>>           >      >     skew too great)
>>>>           >      >     Jan 28 14:10:42 test named[2911]: loading
>>>>          configuration: failure
>>>>           >      >     Jan 28 14:10:42 test named[2911]: exiting (due to
>>>>          fatal error)
>>>>           >      >     Jan 28 14:10:44 test ns-slapd: GSSAPI Error:
>>>>          Unspecified GSS
>>>>           >      >     failure.  Minor code may provide more information
>>>>          (Creden
>>>>           >      >     tials cache file '/tmp/krb5cc_496' not found)
>>>>           >      >
>>>>           >      >     I don't have a krb5cc_496 file (since klist is empty), so it sounds
>>>>           >      >     to me like I need to get a Kerberos ticket before going any further.
>>>>           >      >     Also, is the file /etc/krb5.keytab access/modification time
>>>>           >      >     important?  I had changed the time back to before the cert
>>>>           >      >     expiration date, rebooted and tried to renew, but the error message
>>>>           >      >     about clock skew is still there.  That seems strange.
>>>>           >      >
>>>>           >      >     Lastly, as an absolute last resort, can I regenerate a new cert
>>>>           >      >     myself?
>>>>           >      >
>>>>           >
>>>>
>>>> https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
>>>>           >      >
>>>>           >      >     [root at test /]# klist
>>>>           >      >     klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>>>>           >      >     [root at test /]# service ipa start
>>>>           >      >     Starting Directory Service
>>>>           >      >     Starting dirsrv:
>>>>           >      >          PKI-IPA...                     [  OK  ]
>>>>           >      >          sample-NET...                  [  OK  ]
>>>>           >      >     Starting KDC Service
>>>>           >      >     Starting Kerberos 5 KDC:            [  OK  ]
>>>>           >      >     Starting KPASSWD Service
>>>>           >      >     Starting Kerberos 5 Admin Server:   [  OK  ]
>>>>           >      >     Starting DNS Service
>>>>           >      >     Starting named:                     [FAILED]
>>>>           >      >     Failed to start DNS Service
>>>>           >      >     Shutting down
>>>>           >      >     Stopping Kerberos 5 KDC:            [  OK  ]
>>>>           >      >     Stopping Kerberos 5 Admin Server:   [  OK  ]
>>>>           >      >     Stopping named:                     [  OK  ]
>>>>           >      >     Stopping httpd:                     [  OK  ]
>>>>           >      >     Stopping pki-ca:                    [  OK  ]
>>>>           >      >     Shutting down dirsrv:
>>>>           >      >          PKI-IPA...                     [  OK  ]
>>>>           >      >          sample-NET...                  [  OK  ]
>>>>           >      >     Aborting ipactl
>>>>           >      >     [root at test /]# klist
>>>>           >      >     klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>>>>           >      >     [root at test /]# service ipa status
>>>>           >      >     Directory Service: STOPPED
>>>>           >      >     Failed to get list of services to probe status:
>>>>           >      >     Directory Server is stopped
>>>>           >      >
>>>>           >      >     On Thu, Apr 28, 2016 at 3:21 AM David Kupka
>>>>           >      >     <dkupka at redhat.com> wrote:
>>>>           >      >
>>>>           >      >         On 27/04/16 21:54, Anthony Cheng wrote:
>>>>           >      >          > Hi list,
>>>>           >      >          >
>>>>           >      >          > I am trying to renew expired certificates
>>>>          following the
>>>>           >      >         manual renewal procedure
>>>>           >      >          > here
>>>>           >     (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
>>>>           >      >         but even with
>>>>           >      >          > resetting the system/hardware clock to a
>>>>          time before
>>>>           >     expires,
>>>>           >      >         I am getting the
>>>>           >      >          > error "ca-error: Error setting up ccache
>>>>          for local "host"
>>>>           >      >         service using default
>>>>           >      >          > keytab: Clock skew too great."
>>>>           >      >          >
>>>>           >      >          > With NTP disabled and clock reset why would it complain about
>>>>           >      >          > clock skew and how does it even know about the current time?
>>>>           >      >          >
>>>>           >      >          > [root at test certs]# getcert list
>>>>           >      >          > Number of certificates and requests being
>>>>          tracked: 8.
>>>>           >      >          > Request ID '20111214223243':
>>>>           >      >          >          status: MONITORING
>>>>           >      >          >          ca-error: Error setting up ccache
>>>>          for local
>>>>           >     "host"
>>>>           >      >         service using
>>>>           >      >          > default keytab: Clock skew too great.
>>>>           >      >          >          stuck: no
>>>>           >      >          >          key pair storage:
>>>>           >      >          >
>>>>           >      >
>>>>           >
>>>>
>>>> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
>>>>           >      >          > Certificate
>>>>           >      >
>>>>            DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
>>>>           >      >          >          certificate:
>>>>           >      >          >
>>>>           >      >
>>>>           >
>>>>
>>>> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
>>>>           >      >          > Certificate DB'
>>>>           >      >          >          CA: IPA
>>>>           >      >          >          issuer: CN=Certificate
>>>>          Authority,O=sample.NET
>>>>           >      >          >          subject: CN=test.sample.net,O=sample.NET
>>>>           >      >          >          expires: 2016-01-29 14:09:46 UTC
>>>>           >      >          >          eku: id-kp-serverAuth
>>>>           >      >          >          pre-save command:
>>>>           >      >          >          post-save command:
>>>>           >      >          >          track: yes
>>>>           >      >          >          auto-renew: yes
>>>>           >      >          > Request ID '20111214223300':
>>>>           >      >          >          status: MONITORING
>>>>           >      >          >          ca-error: Error setting up ccache
>>>>          for local
>>>>           >     "host"
>>>>           >      >         service using
>>>>           >      >          > default keytab: Clock skew too great.
>>>>           >      >          >          stuck: no
>>>>           >      >          >          key pair storage:
>>>>           >      >          >
>>>>           >      >
>>>>           >
>>>>
>>>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>>>>           >      >         Certificate
>>>>           >      >          >
>>>>          DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>>>>           >      >          >          certificate:
>>>>           >      >          >
>>>>           >      >
>>>>           >
>>>>
>>>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>>>>           >      >         Certificate
>>>>           >      >          > DB'
>>>>           >      >          >          CA: IPA
>>>>           >      >          >          issuer: CN=Certificate
>>>>          Authority,O=sample.NET
>>>>           >      >          >          subject: CN=test.sample.net,O=sample.NET
>>>>           >      >          >          expires: 2016-01-29 14:09:45 UTC
>>>>           >      >          >          eku: id-kp-serverAuth
>>>>           >      >          >          pre-save command:
>>>>           >      >          >          post-save command:
>>>>           >      >          >          track: yes
>>>>           >      >          >          auto-renew: yes
>>>>           >      >          > Request ID '20111214223316':
>>>>           >      >          >          status: MONITORING
>>>>           >      >          >          ca-error: Error setting up ccache
>>>>          for local
>>>>           >     "host"
>>>>           >      >         service using
>>>>           >      >          > default keytab: Clock skew too great.
>>>>           >      >          >          stuck: no
>>>>           >      >          >          key pair storage:
>>>>           >      >          >
>>>>           >      >
>>>>           >
>>>>
>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>>>           >      >          > Certificate
>>>>          DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>           >      >          >          certificate:
>>>>           >      >          >
>>>>           >      >
>>>>           >
>>>>
>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>>>           >      >          > Certificate DB'
>>>>           >      >          >          CA: IPA
>>>>           >      >          >          issuer: CN=Certificate
>>>>          Authority,O=sample.NET
>>>>           >      >          >          subject: CN=test.sample.net,O=sample.NET
>>>>           >      >          >          expires: 2016-01-29 14:09:45 UTC
>>>>           >      >          >          eku: id-kp-serverAuth
>>>>           >      >          >          pre-save command:
>>>>           >      >          >          post-save command:
>>>>           >      >          >          track: yes
>>>>           >      >          >          auto-renew: yes
>>>>           >      >          > Request ID '20130519130741':
>>>>           >      >          >          status: NEED_CSR_GEN_PIN
>>>>           >      >          >          ca-error: Internal error: no
>>>>          response to
>>>>           >      >          >
>>>>           >      >
>>>>           >
>>>>
>>>> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
>>>>           >      >          >          stuck: yes
>>>>           >      >          >          key pair storage:
>>>>           >      >          >
>>>>           >      >
>>>>           >
>>>>
>>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>>>>           >      >          > cert-pki-ca',token='NSS Certificate
>>>>          DB',pin='297100916664
>>>>           >      >          > '
>>>>           >      >          >          certificate:
>>>>           >      >          >
>>>>           >      >
>>>>           >
>>>>
>>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>>>>           >      >          > cert-pki-ca',token='NSS Certificate DB'
>>>>           >      >          >          CA: dogtag-ipa-renew-agent
>>>>           >      >          >          issuer: CN=Certificate
>>>>          Authority,O=sample.NET
>>>>           >      >          >          subject: CN=CA Audit,O=sample.NET
>>>>           >      >          >          expires: 2017-10-13 14:10:49 UTC
>>>>           >      >          >          pre-save command:
>>>>           >     /usr/lib64/ipa/certmonger/stop_pkicad
>>>>           >      >          >          post-save command:
>>>>           >      >         /usr/lib64/ipa/certmonger/renew_ca_cert
>>>>           >      >          > "auditSigningCert cert-pki-ca"
>>>>           >      >          >          track: yes
>>>>           >      >          >          auto-renew: yes
>>>>           >      >          > Request ID '20130519130742':
>>>>           >      >          >          status: NEED_CSR_GEN_PIN
>>>>           >      >          >          ca-error: Internal error: no
>>>>          response to
>>>>           >      >          >
>>>>           >      >
>>>>           >
>>>>
>>>> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>>>>           >      >          >          stuck: yes
>>>>           >      >          >          key pair storage:
>>>>           >      >          >
>>>>           >      >
>>>>           >
>>>>
>>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>>>>           >      >          > cert-pki-ca',token='NSS Certificate
>>>>          DB',pin='297100916664
>>>>           >      >          > '
>>>>           >      >          >          certificate:
>>>>           >      >          >
>>>>           >      >
>>>>           >
>>>>
>>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>>>>           >      >          > cert-pki-ca',token='NSS Certificate DB'
>>>>           >      >          >          CA: dogtag-ipa-renew-agent
>>>>           >      >          >          issuer: CN=Certificate
>>>>          Authority,O=sample.NET
>>>>           >      >          >          subject: CN=OCSP
>>>>          Subsystem,O=sample.NET
>>>>           >      >          >          expires: 2017-10-13 14:09:49 UTC
>>>>           >      >          >          eku: id-kp-OCSPSigning
>>>>           >      >          >          pre-save command:
>>>>           >     /usr/lib64/ipa/certmonger/stop_pkicad
>>>>           >      >          >          post-save command:
>>>>           >      >         /usr/lib64/ipa/certmonger/renew_ca_cert
>>>>           >      >          > "ocspSigningCert cert-pki-ca"
>>>>           >      >          >          track: yes
>>>>           >      >          >          auto-renew: yes
>>>>           >      >          > Request ID '20130519130743':
>>>>           >      >          >          status: NEED_CSR_GEN_PIN
>>>>           >      >          >          ca-error: Internal error: no
>>>>          response to
>>>>           >      >          >
>>>>           >      >
>>>>           >
>>>>
>>>> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>>>>           >      >          >          stuck: yes
>>>>           >      >          >          key pair storage:
>>>>           >      >          >
>>>>           >      >
>>>>           >
>>>>
>>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>>>>           >      >          > cert-pki-ca',token='NSS Certificate
>>>>          DB',pin='297100916664
>>>>           >      >          > '
>>>>           >      >          >          certificate:
>>>>           >      >          >
>>>>           >      >
>>>>           >
>>>>
>>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>>>>           >      >          > cert-pki-ca',token='NSS Certificate DB'
>>>>           >      >          >          CA: dogtag-ipa-renew-agent
>>>>           >      >          >          issuer: CN=Certificate
>>>>          Authority,O=sample.NET
>>>>           >      >          >          subject: CN=CA
>>>> Subsystem,O=sample.NET
>>>>           >      >          >          expires: 2017-10-13 14:09:49 UTC
>>>>           >      >          >          eku:
>>>> id-kp-serverAuth,id-kp-clientAuth
>>>>           >      >          >          pre-save command:
>>>>           >     /usr/lib64/ipa/certmonger/stop_pkicad
>>>>           >      >          >          post-save command:
>>>>           >      >         /usr/lib64/ipa/certmonger/renew_ca_cert
>>>>           >      >          > "subsystemCert cert-pki-ca"
>>>>           >      >          >          track: yes
>>>>           >      >          >          auto-renew: yes
>>>>           >      >          > Request ID '20130519130744':
>>>>           >      >          >          status: MONITORING
>>>>           >      >          >          ca-error: Internal error: no
>>>>          response to
>>>>           >      >          >
>>>>           >      >
>>>>           >
>>>>
>>>> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
>>>>           >      >          >          stuck: no
>>>>           >      >          >          key pair storage:
>>>>           >      >          >
>>>>           >      >
>>>>           >
>>>>
>>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>>>>           >      >         Certificate
>>>>           >      >          > DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>           >      >          >          certificate:
>>>>           >      >          >
>>>>           >      >
>>>>           >
>>>>
>>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>>>>           >      >         Certificate DB'
>>>>           >      >          >          CA: dogtag-ipa-renew-agent
>>>>           >      >          >          issuer: CN=Certificate
>>>>          Authority,O=sample.NET
>>>>           >      >          >          subject: CN=RA
>>>> Subsystem,O=sample.NET
>>>>           >      >          >          expires: 2017-10-13 14:09:49 UTC
>>>>           >      >          >          eku:
>>>> id-kp-serverAuth,id-kp-clientAuth
>>>>           >      >          >          pre-save command:
>>>>           >      >          >          post-save command:
>>>>           >      >         /usr/lib64/ipa/certmonger/renew_ra_cert
>>>>           >      >          >          track: yes
>>>>           >      >          >          auto-renew: yes
>>>>           >      >          > Request ID '20130519130745':
>>>>           >      >          >          status: NEED_CSR_GEN_PIN
>>>>           >      >          >          ca-error: Internal error: no
>>>>          response to
>>>>           >      >          >
>>>>           >      >
>>>>           >
>>>>
>>>> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>>>>           >      >          >          stuck: yes
>>>>           >      >          >          key pair storage:
>>>>           >      >          >
>>>>           >
>>>>
>>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>>>>           >      >          > cert-pki-ca',token='NSS Certificate
>>>>          DB',pin='297100916664
>>>>           >      >          > '
>>>>           >      >          >          certificate:
>>>>           >      >          >
>>>>           >
>>>>
>>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
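
The exchange above turns on whether a userCertificate value in LDAP holds DER bytes or PEM text. The following is an added example, not code from the thread or from the FreeIPA or dogtag projects: it unfolds an ldapsearch-style LDIF dump, classifies each value and recovers the DER bytes. The function names, the filler "certificate" and the sample LDIF are constructed for illustration.

```python
import base64
import binascii


def der_sequence_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE, the outer shape of an X.509 cert."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short form: the length fits in one byte
        header, length = 2, first
    else:
        n = first & 0x7F                  # long form: next n bytes hold the length
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False                  # 0x80 (indefinite length) is not DER
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)


def classify(raw: bytes) -> str:
    """Label a decoded attribute value: der, pem-text, base64-text or unknown."""
    if der_sequence_ok(raw):
        return "der"
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return "unknown"
    if "-----BEGIN CERTIFICATE-----" in text:
        return "pem-text"                 # a whole PEM file was stored as the value
    try:
        inner = base64.b64decode("".join(text.split()), validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    # PEM body without its armor lines: LDAP then shows base64 of base64
    return "base64-text" if der_sequence_ok(inner) else "unknown"


def to_der(raw: bytes) -> bytes:
    """Recover DER bytes from any of the recognised forms."""
    kind = classify(raw)
    if kind == "der":
        return raw
    if kind == "unknown":
        raise ValueError("value is not a recognisable certificate encoding")
    body = [l for l in raw.decode("ascii").splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join("".join(body).split()))


def ldif_values(ldif: str, attr: str):
    """Yield (attribute description, raw bytes) for attr, with or without options."""
    lines = []
    for line in ldif.splitlines():        # RFC 2849: a leading space continues a line
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    for line in lines:
        desc, sep, rest = line.partition(":")
        if not sep or desc.split(";")[0].lower() != attr.lower():
            continue
        if rest.startswith(":"):          # "attr:: <base64>"
            yield desc, base64.b64decode(rest[1:].strip())
        elif not rest.startswith("<"):    # "attr:< url" has no inline value
            yield desc, rest.strip().encode()


def audit(ldif: str, attr: str = "userCertificate"):
    return [(desc, classify(raw)) for desc, raw in ldif_values(ldif, attr)]


def fold(line: str, width: int = 76) -> str:
    """Fold one LDIF line the way ldapsearch prints long values."""
    rest = range(width, len(line), width - 1)
    return "\n".join([line[:width]] + [" " + line[i:i + width - 1] for i in rest])


# Constructed sample: a DER SEQUENCE header plus filler, NOT a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(SAMPLE_B64[i:i + 64] for i in range(0, len(SAMPLE_B64), 64))
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_LDIF = "\n".join([
    "dn: uid=ipara,ou=people,o=ipaca",
    fold("userCertificate:: " + SAMPLE_B64),
    fold("userCertificate;binary:: " + base64.b64encode(SAMPLE_PEM.encode()).decode()),
    fold("userCertificate;binary:: " + base64.b64encode(SAMPLE_B64.encode()).decode()),
])

if __name__ == "__main__":
    for desc, kind in audit(SAMPLE_LDIF):
        print(f"{desc:26} {kind}")
```

Bytes returned by `to_der` can be written to a file and loaded with the `usercertificate;binary:< file:///path/to/cert.der` form quoted in the thread.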



