[Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:

Michael Plemmons michael.plemmons at crosschx.com
Thu May 4 02:16:24 UTC 2017


I realized that I was not very clear in my statement about testing with
ldapsearch.  I had initially run it without logging in with a DN.  I was
just running the local ldapsearch -x command.  I then tested on ipa12.mgmt
and ipa11.mgmt logging in with a full DN for the admin and "cn=Directory
Manager" from ipa12.mgmt (broken server) and ipa11.mgmt, and both ldapsearch
commands succeeded.

I ran the following from ipa12.mgmt and ipa11.mgmt as a non root user.  I
also ran the command showing a line count for the output and the line
counts for each were the same when run from ipa12.mgmt and ipa11.mgmt.

ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "DN" -w PASSWORD -b "cn=users,cn=accounts,dc=mgmt,dc=crosschx,dc=com" dn

ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "cn=directory manager" -w PASSWORD dn

*Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
614.427.2411
mike.plemmons at crosschx.com
www.crosschx.com

On Wed, May 3, 2017 at 5:28 PM, Michael Plemmons <
michael.plemmons at crosschx.com> wrote:

> I have a three node IPA cluster.
>
> ipa11.mgmt - was a master over 6 months ago
> ipa13.mgmt - current master
> ipa12.mgmt
>
> ipa13 has agreements with ipa11 and ipa12.  ipa11 and ipa12 do not have
> agreements between each other.
>
> It appears that either ipa12.mgmt lost some level of its replication
> agreement with ipa13.  I say some level because users / hosts were
> replicated between all systems but we started seeing DNS was not resolving
> properly from ipa12.  I do not know when this started.
>
> When looking at replication agreements on ipa12 I did not see any
> agreement with ipa13.
>
> When I run ipa-replica-manage list all three hosts show as master.
>
> When I run ipa-replica-manage ipa11.mgmt I see ipa13.mgmt is a replica.
>
> When I run ipa-replica-manage ipa12.mgmt nothing is returned.
>
> I ran ipa-replica-manage connect --cacert=/etc/ipa/ca.crt
> ipa12.mgmt.crosschx.com ipa13.mgmt.crosschx.com on ipa12.mgmt
>
> I then ran the following
>
> ipa-replica-manage force-sync --from ipa13.mgmt.crosschx.com
>
> ipa-replica-manage re-initialize --from ipa13.mgmt.crosschx.com
>
> I was still seeing bad DNS returns when dig'ing against ipa12.mgmt.  I was
> able to create user and DNS records and see the information replicated
> properly across all three nodes.
>
> I then ran ipactl stop on ipa12.mgmt and then ipactl start on ipa12.mgmt
> because I wanted to make sure everything was running fresh after the
> changes above.  While IPA was starting up (DNS started) we were able to see
> valid DNS queries returned but pki-tomcat would not start.
>
> I am not sure what I need to do in order to get this working.  I have
> included the output of certutil and getcert below from all three servers as
> well as the debug output for pki.
>
>
> While the IPA system is coming up I am able to successfully run ldapsearch
> -x as the root user and see results.  I am also able to login with the
> "cn=Directory Manager" account and see results.
>
>
> The debug log shows the following error.
>
>
> [03/May/2017:21:22:01][localhost-startStop-1]:
> ============================================
> [03/May/2017:21:22:01][localhost-startStop-1]: =====  DEBUG SUBSYSTEM
> INITIALIZED   =======
> [03/May/2017:21:22:01][localhost-startStop-1]:
> ============================================
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at
> autoShutdown? false
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown
> crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look
> for cert for auto-shutdown support:auditSigningCert cert-pki-ca
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found
> cert:auditSigningCert cert-pki-ca
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init
> id=debug
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized
> debug
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem
> id=log
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init
> id=log
> [03/May/2017:21:22:01][localhost-startStop-1]: Creating
> RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
> [03/May/2017:21:22:01][localhost-startStop-1]: Creating
> RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
> [03/May/2017:21:22:01][localhost-startStop-1]: Creating
> RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at
> autoShutdown? false
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown
> crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look
> for cert for auto-shutdown support:auditSigningCert cert-pki-ca
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found
> cert:auditSigningCert cert-pki-ca
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=log
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized log
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem
> id=jss
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init
> id=jss
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at
> autoShutdown? false
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown
> crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look
> for cert for auto-shutdown support:auditSigningCert cert-pki-ca
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found
> cert:auditSigningCert cert-pki-ca
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=jss
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized jss
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem
> id=dbs
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init
> id=dbs
> [03/May/2017:21:22:01][localhost-startStop-1]: DBSubsystem: init()
>  mEnableSerialMgmt=true
> [03/May/2017:21:22:01][localhost-startStop-1]: Creating
> LdapBoundConnFactor(DBSubsystem)
> [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory: init
> [03/May/2017:21:22:01][localhost-startStop-1]:
> LdapBoundConnFactory:doCloning true
> [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init()
> [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init begins
> [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init ends
> [03/May/2017:21:22:01][localhost-startStop-1]: init: before
> makeConnection errorIfDown is true
> [03/May/2017:21:22:01][localhost-startStop-1]: makeConnection:
> errorIfDown true
> [03/May/2017:21:22:02][localhost-startStop-1]:
> SSLClientCertificateSelectionCB: Setting desired cert nickname to:
> subsystemCert cert-pki-ca
> [03/May/2017:21:22:02][localhost-startStop-1]: LdapJssSSLSocket: set
> client auth cert nickname subsystemCert cert-pki-ca
> [03/May/2017:21:22:02][localhost-startStop-1]:
> SSLClientCertificatSelectionCB: Entering!
> [03/May/2017:21:22:02][localhost-startStop-1]:
> SSLClientCertificateSelectionCB: returning: null
> [03/May/2017:21:22:02][localhost-startStop-1]: SSL handshake happened
> Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636
> Error netscape.ldap.LDAPException: Authentication failed (48)
>   at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(
> LdapBoundConnFactory.java:205)
>   at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(
> LdapBoundConnFactory.java:166)
>   at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(
> LdapBoundConnFactory.java:130)
>   at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
>   at com.netscape.cmscore.apps.CMSEngine.initSubsystem(
> CMSEngine.java:1169)
>   at com.netscape.cmscore.apps.CMSEngine.initSubsystems(
> CMSEngine.java:1075)
>   at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
>   at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>   at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
>   at com.netscape.cms.servlet.base.CMSStartServlet.init(
> CMSStartServlet.java:114)
>   at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>   at sun.reflect.NativeMethodAccessorImpl.invoke(
> NativeMethodAccessorImpl.java:62)
>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(
> DelegatingMethodAccessorImpl.java:43)
>   at java.lang.reflect.Method.invoke(Method.java:498)
>   at org.apache.catalina.security.SecurityUtil$1.run(
> SecurityUtil.java:288)
>   at org.apache.catalina.security.SecurityUtil$1.run(
> SecurityUtil.java:285)
>   at java.security.AccessController.doPrivileged(Native Method)
>   at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>   at org.apache.catalina.security.SecurityUtil.execute(
> SecurityUtil.java:320)
>   at org.apache.catalina.security.SecurityUtil.doAsPrivilege(
> SecurityUtil.java:175)
>   at org.apache.catalina.security.SecurityUtil.doAsPrivilege(
> SecurityUtil.java:124)
>   at org.apache.catalina.core.StandardWrapper.initServlet(
> StandardWrapper.java:1270)
>   at org.apache.catalina.core.StandardWrapper.loadServlet(
> StandardWrapper.java:1195)
>   at org.apache.catalina.core.StandardWrapper.load(
> StandardWrapper.java:1085)
>   at org.apache.catalina.core.StandardContext.loadOnStartup(
> StandardContext.java:5318)
>   at org.apache.catalina.core.StandardContext.startInternal(
> StandardContext.java:5610)
>   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>   at org.apache.catalina.core.ContainerBase.addChildInternal(
> ContainerBase.java:899)
>   at org.apache.catalina.core.ContainerBase.access$000(
> ContainerBase.java:133)
>   at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(
> ContainerBase.java:156)
>   at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(
> ContainerBase.java:145)
>   at java.security.AccessController.doPrivileged(Native Method)
>   at org.apache.catalina.core.ContainerBase.addChild(
> ContainerBase.java:873)
>   at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>   at org.apache.catalina.startup.HostConfig.deployDescriptor(
> HostConfig.java:679)
>   at org.apache.catalina.startup.HostConfig$DeployDescriptor.
> run(HostConfig.java:1966)
>   at java.util.concurrent.Executors$RunnableAdapter.
> call(Executors.java:511)
>   at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>   at java.util.concurrent.ThreadPoolExecutor.runWorker(
> ThreadPoolExecutor.java:1142)
>   at java.util.concurrent.ThreadPoolExecutor$Worker.run(
> ThreadPoolExecutor.java:617)
>   at java.lang.Thread.run(Thread.java:745)
> Internal Database Error encountered: Could not connect to LDAP server host
> ipa12.mgmt.crosschx.com port 636 Error netscape.ldap.LDAPException:
> Authentication failed (48)
>   at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
>   at com.netscape.cmscore.apps.CMSEngine.initSubsystem(
> CMSEngine.java:1169)
>   at com.netscape.cmscore.apps.CMSEngine.initSubsystems(
> CMSEngine.java:1075)
>   at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
>   at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>   at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
>   at com.netscape.cms.servlet.base.CMSStartServlet.init(
> CMSStartServlet.java:114)
>   at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>   at sun.reflect.NativeMethodAccessorImpl.invoke(
> NativeMethodAccessorImpl.java:62)
>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(
> DelegatingMethodAccessorImpl.java:43)
>   at java.lang.reflect.Method.invoke(Method.java:498)
>   at org.apache.catalina.security.SecurityUtil$1.run(
> SecurityUtil.java:288)
>   at org.apache.catalina.security.SecurityUtil$1.run(
> SecurityUtil.java:285)
>   at java.security.AccessController.doPrivileged(Native Method)
>   at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>   at org.apache.catalina.security.SecurityUtil.execute(
> SecurityUtil.java:320)
>   at org.apache.catalina.security.SecurityUtil.doAsPrivilege(
> SecurityUtil.java:175)
>   at org.apache.catalina.security.SecurityUtil.doAsPrivilege(
> SecurityUtil.java:124)
>   at org.apache.catalina.core.StandardWrapper.initServlet(
> StandardWrapper.java:1270)
>   at org.apache.catalina.core.StandardWrapper.loadServlet(
> StandardWrapper.java:1195)
>   at org.apache.catalina.core.StandardWrapper.load(
> StandardWrapper.java:1085)
>   at org.apache.catalina.core.StandardContext.loadOnStartup(
> StandardContext.java:5318)
>   at org.apache.catalina.core.StandardContext.startInternal(
> StandardContext.java:5610)
>   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>   at org.apache.catalina.core.ContainerBase.addChildInternal(
> ContainerBase.java:899)
>   at org.apache.catalina.core.ContainerBase.access$000(
> ContainerBase.java:133)
>   at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(
> ContainerBase.java:156)
>   at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(
> ContainerBase.java:145)
>   at java.security.AccessController.doPrivileged(Native Method)
>   at org.apache.catalina.core.ContainerBase.addChild(
> ContainerBase.java:873)
>   at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>   at org.apache.catalina.startup.HostConfig.deployDescriptor(
> HostConfig.java:679)
>   at org.apache.catalina.startup.HostConfig$DeployDescriptor.
> run(HostConfig.java:1966)
>   at java.util.concurrent.Executors$RunnableAdapter.
> call(Executors.java:511)
>   at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>   at java.util.concurrent.ThreadPoolExecutor.runWorker(
> ThreadPoolExecutor.java:1142)
>   at java.util.concurrent.ThreadPoolExecutor$Worker.run(
> ThreadPoolExecutor.java:617)
>   at java.lang.Thread.run(Thread.java:745)
> [03/May/2017:21:22:02][localhost-startStop-1]: CMSEngine.shutdown()
>
>
> =============================
>
>
> IPA11.MGMT
>
>
> (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> Server-Cert                                                  u,u,u
> MGMT.CROSSCHX.COM IPA CA                                     CT,C,C
>
> (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> auditSigningCert cert-pki-ca                                 u,u,Pu
> ocspSigningCert cert-pki-ca                                  u,u,u
> subsystemCert cert-pki-ca                                    u,u,u
> Server-Cert cert-pki-ca                                      u,u,u
>
>
>
>
>
> IPA13.MGMT
> (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> Server-Cert                                                  u,u,u
> MGMT.CROSSCHX.COM IPA CA                                     CT,C,C
>
> (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> auditSigningCert cert-pki-ca                                 u,u,Pu
> ocspSigningCert cert-pki-ca                                  u,u,u
> subsystemCert cert-pki-ca                                    u,u,u
> Server-Cert cert-pki-ca                                      u,u,u
>
>
>
>
> IPA12.MGMT
> (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> Server-Cert                                                  u,u,u
> MGMT.CROSSCHX.COM IPA CA                                     C,,
>
> (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> auditSigningCert cert-pki-ca                                 u,u,Pu
> ocspSigningCert cert-pki-ca                                  u,u,u
> subsystemCert cert-pki-ca                                    u,u,u
> Server-Cert cert-pki-ca                                      u,u,u
>
> =================================================
>
> IPA11.MGMT
> (root)>getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20161229155314':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'
>   certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB'
>   CA: IPA
>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>   subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>   expires: 2018-12-30 15:52:43 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command:
>   post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM
>   track: yes
>   auto-renew: yes
> Request ID '20161229155652':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>   subject: CN=CA Audit,O=MGMT.CROSSCHX.COM
>   expires: 2018-11-12 13:00:29 UTC
>   key usage: digitalSignature,nonRepudiation
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20161229155654':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>   subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM
>   expires: 2018-11-12 13:00:26 UTC
>   key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>   eku: id-kp-OCSPSigning
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20161229155655':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>   subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM
>   expires: 2018-11-12 13:00:28 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20161229155657':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>   subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>   expires: 2036-11-22 13:00:25 UTC
>   key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20161229155659':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-renew-agent
>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>   subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>   expires: 2018-12-19 15:56:20 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20161229155921':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>   CA: IPA
>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>   subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>   expires: 2018-12-30 15:52:46 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command:
>   post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>   track: yes
>   auto-renew: yes
> Request ID '20161229160009':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>   subject: CN=IPA RA,O=MGMT.CROSSCHX.COM
>   expires: 2018-11-12 13:01:34 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>   post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>   track: yes
>   auto-renew: yes
>
>
>
>
>   ==================================
>
> IPA13.MGMT
>
> (root)>getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20161229143449':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'
>   certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB'
>   CA: IPA
>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>   subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>   expires: 2018-12-30 14:34:20 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command:
>   post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM
>   track: yes
>   auto-renew: yes
> Request ID '20161229143826':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>   subject: CN=CA Audit,O=MGMT.CROSSCHX.COM
>   expires: 2018-11-12 13:00:29 UTC
>   key usage: digitalSignature,nonRepudiation
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20161229143828':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>   subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM
>   expires: 2018-11-12 13:00:26 UTC
>   key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>   eku: id-kp-OCSPSigning
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20161229143831':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>   subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM
>   expires: 2018-11-12 13:00:28 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20161229143833':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>   subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>   expires: 2036-11-22 13:00:25 UTC
>   key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20161229143835':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-renew-agent
>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>   subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>   expires: 2018-12-19 14:37:54 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20161229144057':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>   CA: IPA
>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>   subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>   expires: 2018-12-30 14:34:23 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command:
>   post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>   track: yes
>   auto-renew: yes
> Request ID '20161229144146':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>   subject: CN=IPA RA,O=MGMT.CROSSCHX.COM
>   expires: 2018-11-12 13:01:34 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>   post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>   track: yes
>   auto-renew: yes
>
>
>
> ===========================
>
> IPA12.MGMT
>
> (root)>getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20161229151518':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'
>   certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB'
>   CA: IPA
>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>   subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>   expires: 2018-12-30 15:14:51 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command:
>   post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM
>   track: yes
>   auto-renew: yes
> Request ID '20161229151850':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>   subject: CN=CA Audit,O=MGMT.CROSSCHX.COM
>   expires: 2018-11-12 13:00:29 UTC
>   key usage: digitalSignature,nonRepudiation
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20161229151852':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>   subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM
>   expires: 2018-11-12 13:00:26 UTC
>   key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>   eku: id-kp-OCSPSigning
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20161229151854':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>   subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM
>   expires: 2018-11-12 13:00:28 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20161229151856':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>   subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>   expires: 2036-11-22 13:00:25 UTC
>   key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20161229151858':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-renew-agent
>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>   subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>   expires: 2018-12-19 15:18:16 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20161229152115':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>   CA: IPA
>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>   subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>   expires: 2018-12-30 15:14:54 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command:
>   post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>   track: yes
>   auto-renew: yes
> Request ID '20161229152204':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>   subject: CN=IPA RA,O=MGMT.CROSSCHX.COM
>   expires: 2018-11-12 13:01:34 UTC
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>   post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>   track: yes
>   auto-renew: yes
>
>
>
>
> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
> 614.427.2411
> mike.plemmons at crosschx.com
> www.crosschx.com
>
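An added check, not from the thread, for reading `getcert list` output like the listing above and flagging requests that are not in MONITORING, are stuck, or expire within a warning window. The sample input is constructed: the first record is modelled on the page's ipaCert entry, the second request ID and its CA_UNREACHABLE state are invented.

```python
import re
from datetime import datetime
# Constructed sample in the `getcert list` format: the first record is modelled
# on the page's ipaCert entry; the second request ID and its state are invented.
SAMPLE = """Number of certificates and requests being tracked: 2.
Request ID '20161229152204':
  status: MONITORING
  stuck: no
  certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
  subject: CN=IPA RA,O=MGMT.CROSSCHX.COM
  expires: 2018-11-12 13:01:34 UTC
  pre-save command:
Request ID 'constructed-0001':
  status: CA_UNREACHABLE
  stuck: yes
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
  subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM
  expires: 2017-05-20 00:00:00 UTC
"""
PAGE_DATE = datetime(2017, 5, 4)  # date of the thread, used as "now" below

def parse_getcert(text):
    """Split `getcert list` output into one dict of field -> value per request."""
    records, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"request_id": m.group(1)}
            records.append(cur)
        elif cur is not None and line.startswith("  "):
            key, _, value = line.strip().partition(":")
            cur[key] = value.strip()  # empty string for a bare "pre-save command:"
    return records

def check_tracking(records, now=PAGE_DATE, warn_days=30):
    """Return (request_id, nickname, reason) for each request needing attention."""
    findings = []
    for r in records:
        m = re.search(r"nickname='([^']*)'", r.get("certificate", ""))
        nick = m.group(1) if m else "?"
        if r.get("status") != "MONITORING":
            findings.append((r["request_id"], nick, "status " + r.get("status", "?")))
        if r.get("stuck") == "yes":
            findings.append((r["request_id"], nick, "stuck"))
        if r.get("expires"):
            days = (datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S %Z") - now).days
            if days <= warn_days:
                findings.append((r["request_id"], nick, "expired" if days < 0 else "expires in %d days" % days))
    return findings
```

Run against real output with `check_tracking(parse_getcert(open("getcert.txt").read()), datetime.utcnow())`; an empty result for every server is what a healthy IPA CA looks like.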