[Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:

Michael Plemmons michael.plemmons at crosschx.com
Thu May 4 02:52:15 UTC 2017


I ran another test.  I started IPA with the ignore service failure option
and I tried doing ldap searches like this.

ldapsearch -H ldaps://ipa12.mgmt.crosschx.com

from both my laptop and from ipa11.mgmt and I get successful returns when
logging in as the admin user and as the directory manager.

I then looked closer at the LDAP access logs for the last time I tried to
start up PKI and got the auth failure and I see this.


[04/May/2017:02:22:45.859021005 +0000] conn=12 fd=101 slot=101 SSL connection from 10.71.100.92 to 10.71.100.92
[04/May/2017:02:22:45.875672450 +0000] conn=12 TLS1.2 256-bit AES
[04/May/2017:02:22:45.940908536 +0000] conn=12 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[04/May/2017:02:22:45.942441120 +0000] conn=12 op=0 RESULT err=48 tag=97 nentries=0 etime=0

Is dn="" supposed to be empty?






*Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
614.427.2411
mike.plemmons at crosschx.com
www.crosschx.com
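The access-log excerpt above is the part of this exchange worth reading closely, so here is a small parser for it, added by the editor and not part of the thread. It groups 389-ds access-log lines by conn=, pairs each BIND with its RESULT, and explains the outcome. In a 389-ds access log a SASL bind's BIND line normally carries dn="" because the client names no DN; for mech=EXTERNAL the identity comes from the TLS client certificate, and when the server does map that certificate the authenticated DN is reported on the RESULT line. err=48 is LDAP inappropriateAuthentication (RFC 4511). The conn=12 lines are the ones quoted above, re-joined onto single lines; conn=13 and conn=14 are constructed for contrast, and the mapped DN on conn=14 is a made-up example value.

```python
import re
from collections import defaultdict

# Sample 389-ds access log lines. conn=12 is the exchange quoted in the mail
# above. conn=13 and conn=14 are constructed: a simple bind as Directory
# Manager, and a SASL/EXTERNAL bind whose client certificate the server did map
# to an entry (the mapped DN is a made-up example value, not from the thread).
SAMPLE_LOG = """\
[04/May/2017:02:22:45.859021005 +0000] conn=12 fd=101 slot=101 SSL connection from 10.71.100.92 to 10.71.100.92
[04/May/2017:02:22:45.875672450 +0000] conn=12 TLS1.2 256-bit AES
[04/May/2017:02:22:45.940908536 +0000] conn=12 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[04/May/2017:02:22:45.942441120 +0000] conn=12 op=0 RESULT err=48 tag=97 nentries=0 etime=0
[04/May/2017:02:25:10.000000000 +0000] conn=13 fd=102 slot=102 SSL connection from 10.71.100.91 to 10.71.100.92
[04/May/2017:02:25:10.010000000 +0000] conn=13 TLS1.2 256-bit AES
[04/May/2017:02:25:10.020000000 +0000] conn=13 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[04/May/2017:02:25:10.030000000 +0000] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[04/May/2017:02:26:00.000000000 +0000] conn=14 fd=103 slot=103 SSL connection from 10.71.100.92 to 10.71.100.92
[04/May/2017:02:26:00.010000000 +0000] conn=14 TLS1.2 256-bit AES
[04/May/2017:02:26:00.020000000 +0000] conn=14 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[04/May/2017:02:26:00.030000000 +0000] conn=14 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=example-subsystem-user,ou=people,o=ipaca"
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
CONN_RE = re.compile(r"connection from (?P<peer>\S+) to (?P<local>\S+)")
BIND_RE = re.compile(
    r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+) version=\d+(?: mech=(?P<mech>\S+))?'
)
RESULT_RE = re.compile(r"^op=(?P<op>\d+) RESULT err=(?P<err>\d+)")
MAPPED_DN_RE = re.compile(r' dn="(?P<dn>[^"]*)"')

# LDAP result codes relevant to bind failures (RFC 4511 names).
LDAP_RESULT = {0: "success", 7: "authMethodNotSupported",
               48: "inappropriateAuthentication", 49: "invalidCredentials"}


def parse_access_log(text):
    """Group access-log lines by conn id and pair each BIND with its RESULT."""
    conns = defaultdict(lambda: {"peer": None, "tls": None, "binds": []})
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entry, rest = conns[int(m["conn"])], m["rest"]
        if (c := CONN_RE.search(rest)):
            entry["peer"] = c["peer"]
        elif rest.startswith("TLS"):
            entry["tls"] = rest
        elif (b := BIND_RE.match(rest)):
            entry["binds"].append({"op": int(b["op"]), "dn": b["dn"], "method": b["method"],
                                   "mech": b["mech"], "err": None, "mapped_dn": None})
        elif (r := RESULT_RE.match(rest)):
            # The RESULT line of a successful SASL bind carries the DN the
            # server mapped the credential to; attach it to the pending BIND.
            for bind in entry["binds"]:
                if bind["op"] == int(r["op"]) and bind["err"] is None:
                    bind["err"] = int(r["err"])
                    d = MAPPED_DN_RE.search(rest)
                    bind["mapped_dn"] = d["dn"] if d else None
                    break
    return dict(conns)


def classify_bind(bind):
    """Return (tag, explanation) for one bind."""
    name = LDAP_RESULT.get(bind["err"], "unknown")
    external = bind["method"] == "sasl" and bind["mech"] == "EXTERNAL"
    if bind["err"] == 0:
        who = bind["mapped_dn"] if external else bind["dn"]
        return "ok", f"{'EXTERNAL' if external else 'simple'} bind authenticated as {who}"
    if external and bind["err"] == 48:
        return "external-no-identity", ("EXTERNAL bind rejected with inappropriateAuthentication: "
                                        "the server had no certificate-derived identity for this "
                                        "connection (no client certificate presented, or it did "
                                        "not map to an entry)")
    return "failed", f"bind as {bind['dn'] or '<sasl>'} failed err={bind['err']} ({name})"


def diagnose(conns):
    """Return a list of (conn, tag, explanation) for every bind in the log."""
    return [(conn, *classify_bind(b))
            for conn, entry in sorted(conns.items()) for b in entry["binds"]]


if __name__ == "__main__":
    for conn, tag, text in diagnose(parse_access_log(SAMPLE_LOG)):
        print(f"conn={conn} [{tag}] {text}")
```

Run against a real /var/log/dirsrv/slapd-*/access file the same way; the useful signal is a SASL/EXTERNAL BIND with an empty dn whose RESULT is err=48 and carries no dn=, which is exactly the shape of conn=12 above.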

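The certutil -L listings quoted further down show the IPA CA in the directory server's NSS database with trust flags CT,C,C on ipa11 and ipa13 but C,, on ipa12. In NSS trust syntax the first column is SSL: C marks a CA trusted to issue server certificates and T marks a CA trusted to issue client certificates, so a directory server that must validate a TLS client certificate (which is what the SASL/EXTERNAL bind in the PKI debug log relies on) needs the issuing CA to carry T. The script below is an addition by the editor, not anything from the thread or from FreeIPA: it parses such listings and reports the host whose trust flags differ and lacks T. The listings are copied from the thread, with the row the mailer ran together ("u,u,uMGMT.CROSSCHX.COM IPA CA") split back into two rows.

```python
import re
from collections import defaultdict

# The dirsrv NSS database listings quoted in the thread for the three servers.
# Spacing is approximate; the parser only relies on runs of two or more spaces
# between nickname and trust flags.
LISTINGS = {
    "ipa11.mgmt": """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
MGMT.CROSSCHX.COM IPA CA                                     CT,C,C
""",
    "ipa13.mgmt": """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
MGMT.CROSSCHX.COM IPA CA                                     CT,C,C
""",
    "ipa12.mgmt": """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
MGMT.CROSSCHX.COM IPA CA                                     C,,
""",
}

# A data row: nickname, two or more spaces, then three comma-separated flag sets.
ROW_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")


def parse_certutil_list(text):
    """Map nickname -> (ssl, smime, jar) trust strings from `certutil -L` output."""
    certs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.rstrip())
        if m:
            certs[m["nick"]] = tuple(m["trust"].split(","))
    return certs


def trusts_ca_for_server_auth(trust):
    """NSS 'C' in the SSL column: trusted CA to issue server certificates."""
    return "C" in trust[0]


def trusts_ca_for_client_auth(trust):
    """NSS 'T' in the SSL column: trusted CA to issue client (TLS client-auth) certificates."""
    return "T" in trust[0]


def compare_trust(listings):
    """Return {nickname: {host: trust}} for nicknames whose trust differs across hosts."""
    by_nick = defaultdict(dict)
    for host, text in listings.items():
        for nick, trust in parse_certutil_list(text).items():
            by_nick[nick][host] = trust
    return {n: h for n, h in by_nick.items() if len(set(h.values())) > 1}


def hosts_missing_client_auth_trust(listings, ca_nick):
    """Hosts whose copy of `ca_nick` lacks T, i.e. will not trust client certs it issued."""
    missing = []
    for host, text in listings.items():
        certs = parse_certutil_list(text)
        if ca_nick in certs and not trusts_ca_for_client_auth(certs[ca_nick]):
            missing.append(host)
    return sorted(missing)


if __name__ == "__main__":
    for nick, per_host in compare_trust(LISTINGS).items():
        print(f"{nick}: trust differs across hosts")
        for host, trust in per_host.items():
            print(f"  {host}: {','.join(trust)}")
    print("lacking T on:", hosts_missing_client_auth_trust(LISTINGS, "MGMT.CROSSCHX.COM IPA CA"))
```

Feeding each host's `certutil -L -d <dbdir>` output into LISTINGS turns this into a quick consistency check across replicas; the same parser works for the /var/lib/pki/pki-tomcat/alias listings in the thread, which are identical on all three hosts and therefore produce no finding.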
On Wed, May 3, 2017 at 10:16 PM, Michael Plemmons <
michael.plemmons at crosschx.com> wrote:

> I realized that I was not very clear in my statement about testing with
> ldapsearch.  I had initially run it without logging in with a DN.  I was
> just running the local ldapsearch -x command.  I then tested on ipa12.mgmt
> and ipa11.mgmt logging in with a full DN for the admin and "cn=Directory
> Manager" from ipa12.mgmt (broken server) and ipa11.mgmt and both ldapsearch
> commands succeeded.
>
> I ran the following from ipa12.mgmt and ipa11.mgmt as a non root user.  I
> also ran the command showing a line count for the output and the line
> counts for each were the same when run from ipa12.mgmt and ipa11.mgmt.
>
> ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "DN" -w PASSWORD -b
> "cn=users,cn=accounts,dc=mgmt,dc=crosschx,dc=com" dn
>
> ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "cn=directory manager" -w
> PASSWORD dn
>
>
>
>
>
>
> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
> 614.427.2411
> mike.plemmons at crosschx.com
> www.crosschx.com
>
> On Wed, May 3, 2017 at 5:28 PM, Michael Plemmons <
> michael.plemmons at crosschx.com> wrote:
>
>> I have a three node IPA cluster.
>>
>> ipa11.mgmt - was a master over 6 months ago
>> ipa13.mgmt - current master
>> ipa12.mgmt
>>
>> ipa13 has agreements with ipa11 and ipa12.  ipa11 and ipa12 do not have
>> agreements between each other.
>>
>> It appears that either ipa12.mgmt lost some level of its replication
>> agreement with ipa13.  I say "some level" because users / hosts were
>> replicated between all systems but we started seeing DNS was not resolving
>> properly from ipa12.  I do not know when this started.
>>
>> When looking at replication agreements on ipa12 I did not see any
>> agreement with ipa13.
>>
>> When I run ipa-replica-manage list all three hosts show as master.
>>
>> When I run ipa-replica-manage ipa11.mgmt I see ipa13.mgmt is a replica.
>>
>> When I run ipa-replica-manage ipa12.mgmt nothing returned.
>>
>> I ran ipa-replica-manage connect --cacert=/etc/ipa/ca.crt
>> ipa12.mgmt.crosschx.com ipa13.mgmt.crosschx.com on ipa12.mgmt
>>
>> I then ran the following
>>
>> ipa-replica-manage force-sync --from ipa13.mgmt.crosschx.com
>>
>> ipa-replica-manage re-initialize --from ipa13.mgmt.crosschx.com
>>
>> I was still seeing bad DNS returns when dig'ing against ipa12.mgmt.  I
>> was able to create user and DNS records and see the information replicated
>> properly across all three nodes.
>>
>> I then ran ipactl stop on ipa12.mgmt and then ipactl start on ipa12.mgmt
>> because I wanted to make sure everything was running fresh after the
>> changes above.  While IPA was starting up (DNS started) we were able to see
>> valid DNS queries returned but pki-tomcat would not start.
>>
>> I am not sure what I need to do in order to get this working.  I have
>> included the output of certutil and getcert below from all three servers as
>> well as the debug output for pki.
>>
>>
>> While the IPA system is coming up I am able to successfully run
>> ldapsearch -x as the root user and see results.  I am also able to login
>> with the "cn=Directory Manager" account and see results.
>>
>>
>> The debug log shows the following error.
>>
>>
>> [03/May/2017:21:22:01][localhost-startStop-1]: ============================================
>> [03/May/2017:21:22:01][localhost-startStop-1]: =====  DEBUG SUBSYSTEM INITIALIZED   =======
>> [03/May/2017:21:22:01][localhost-startStop-1]: ============================================
>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=debug
>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized debug
>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=log
>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=log
>> [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
>> [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
>> [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)
>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=log
>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized log
>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=jss
>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=jss
>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized jss
>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=dbs
>> [03/May/2017:21:22:01][localhost-startStop-1]: DBSubsystem: init()  mEnableSerialMgmt=true
>> [03/May/2017:21:22:01][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem)
>> [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory: init
>> [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
>> [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init()
>> [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init begins
>> [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init ends
>> [03/May/2017:21:22:01][localhost-startStop-1]: init: before makeConnection errorIfDown is true
>> [03/May/2017:21:22:01][localhost-startStop-1]: makeConnection: errorIfDown true
>> [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
>> [03/May/2017:21:22:02][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
>> [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
>> [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
>> [03/May/2017:21:22:02][localhost-startStop-1]: SSL handshake happened
>> Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
>>   at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
>>   at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
>>   at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
>>   at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
>>   at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
>>   at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
>>   at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
>>   at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>>   at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
>>   at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>>   at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>   at java.lang.reflect.Method.invoke(Method.java:498)
>>   at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>>   at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>>   at java.security.AccessController.doPrivileged(Native Method)
>>   at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>>   at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
>>   at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
>>   at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
>>   at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
>>   at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
>>   at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
>>   at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
>>   at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
>>   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>>   at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
>>   at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>>   at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>>   at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>>   at java.security.AccessController.doPrivileged(Native Method)
>>   at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
>>   at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>>   at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
>>   at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
>>   at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>>   at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>   at java.lang.Thread.run(Thread.java:745)
>> Internal Database Error encountered: Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
>>   at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
>>   at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
>>   at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
>>   at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
>>   at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>>   at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
>>   at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>>   at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>   at java.lang.reflect.Method.invoke(Method.java:498)
>>   at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>>   at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>>   at java.security.AccessController.doPrivileged(Native Method)
>>   at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>>   at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
>>   at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
>>   at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
>>   at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
>>   at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
>>   at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
>>   at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
>>   at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
>>   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>>   at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
>>   at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>>   at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>>   at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>>   at java.security.AccessController.doPrivileged(Native Method)
>>   at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
>>   at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>>   at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
>>   at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
>>   at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>>   at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>   at java.lang.Thread.run(Thread.java:745)
>> [03/May/2017:21:22:02][localhost-startStop-1]: CMSEngine.shutdown()
>>
>>
>> =============================
>>
>>
>> IPA11.MGMT
>>
>>
>> (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> Server-Cert                                                  u,u,u
>> MGMT.CROSSCHX.COM IPA CA                                     CT,C,C
>>
>> (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
>> auditSigningCert cert-pki-ca                                 u,u,Pu
>> ocspSigningCert cert-pki-ca                                  u,u,u
>> subsystemCert cert-pki-ca                                    u,u,u
>> Server-Cert cert-pki-ca                                      u,u,u
>>
>>
>>
>>
>>
>> IPA13.MGMT
>> (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> Server-Cert                                                  u,u,u
>> MGMT.CROSSCHX.COM IPA CA                                     CT,C,C
>>
>> (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
>> auditSigningCert cert-pki-ca                                 u,u,Pu
>> ocspSigningCert cert-pki-ca                                  u,u,u
>> subsystemCert cert-pki-ca                                    u,u,u
>> Server-Cert cert-pki-ca                                      u,u,u
>>
>>
>>
>>
>> IPA12.MGMT
>> (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> Server-Cert                                                  u,u,u
>> MGMT.CROSSCHX.COM IPA CA                                     C,,
>>
>> (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
>> auditSigningCert cert-pki-ca                                 u,u,Pu
>> ocspSigningCert cert-pki-ca                                  u,u,u
>> subsystemCert cert-pki-ca                                    u,u,u
>> Server-Cert cert-pki-ca                                      u,u,u
>>
>> =================================================
>>
>> IPA11.MGMT
>> (root)>getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20161229155314':
>>   status: MONITORING
>>   stuck: no
>>   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'
>>   certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB'
>>   CA: IPA
>>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>   subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>   expires: 2018-12-30 15:52:43 UTC
>>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>   eku: id-kp-serverAuth,id-kp-clientAuth
>>   pre-save command:
>>   post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM
>>   track: yes
>>   auto-renew: yes
>> Request ID '20161229155652':
>>   status: MONITORING
>>   stuck: no
>>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>   CA: dogtag-ipa-ca-renew-agent
>>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>   subject: CN=CA Audit,O=MGMT.CROSSCHX.COM
>>   expires: 2018-11-12 13:00:29 UTC
>>   key usage: digitalSignature,nonRepudiation
>>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>   track: yes
>>   auto-renew: yes
>> Request ID '20161229155654':
>>   status: MONITORING
>>   stuck: no
>>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>   CA: dogtag-ipa-ca-renew-agent
>>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>   subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM
>>   expires: 2018-11-12 13:00:26 UTC
>>   key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>   eku: id-kp-OCSPSigning
>>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>   track: yes
>>   auto-renew: yes
>> Request ID '20161229155655':
>>   status: MONITORING
>>   stuck: no
>>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>   CA: dogtag-ipa-ca-renew-agent
>>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>   subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM
>>   expires: 2018-11-12 13:00:28 UTC
>>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>   eku: id-kp-serverAuth,id-kp-clientAuth
>>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>   track: yes
>>   auto-renew: yes
>> Request ID '20161229155657':
>>   status: MONITORING
>>   stuck: no
>>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>   CA: dogtag-ipa-ca-renew-agent
>>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>   subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>   expires: 2036-11-22 13:00:25 UTC
>>   key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>>   track: yes
>>   auto-renew: yes
>> Request ID '20161229155659':
>>   status: MONITORING
>>   stuck: no
>>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>   CA: dogtag-ipa-renew-agent
>>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>   subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>   expires: 2018-12-19 15:56:20 UTC
>>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>   eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>>   track: yes
>>   auto-renew: yes
>> Request ID '20161229155921':
>>   status: MONITORING
>>   stuck: no
>>   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>   CA: IPA
>>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>   subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>   expires: 2018-12-30 15:52:46 UTC
>>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>   eku: id-kp-serverAuth,id-kp-clientAuth
>>   pre-save command:
>>   post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>>   track: yes
>>   auto-renew: yes
>> Request ID '20161229160009':
>>   status: MONITORING
>>   stuck: no
>>   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>   CA: dogtag-ipa-ca-renew-agent
>>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>   subject: CN=IPA RA,O=MGMT.CROSSCHX.COM
>>   expires: 2018-11-12 13:01:34 UTC
>>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>   eku: id-kp-serverAuth,id-kp-clientAuth
>>   pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>   post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>   track: yes
>>   auto-renew: yes
>>
>>
>>
>>
>>   ==================================
>>
>> IPA13.MGMT
>>
>> (root)>getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20161229143449':
>>   status: MONITORING
>>   stuck: no
>>   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'
>>   certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB'
>>   CA: IPA
>>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>   subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>   expires: 2018-12-30 14:34:20 UTC
>>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>   eku: id-kp-serverAuth,id-kp-clientAuth
>>   pre-save command:
>>   post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM
>>   track: yes
>>   auto-renew: yes
>> Request ID '20161229143826':
>>   status: MONITORING
>>   stuck: no
>>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>   CA: dogtag-ipa-ca-renew-agent
>>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>   subject: CN=CA Audit,O=MGMT.CROSSCHX.COM
>>   expires: 2018-11-12 13:00:29 UTC
>>   key usage: digitalSignature,nonRepudiation
>>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>   track: yes
>>   auto-renew: yes
>> Request ID '20161229143828':
>>   status: MONITORING
>>   stuck: no
>>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>   CA: dogtag-ipa-ca-renew-agent
>>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>   subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM
>>   expires: 2018-11-12 13:00:26 UTC
>>   key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>   eku: id-kp-OCSPSigning
>>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>   track: yes
>>   auto-renew: yes
>> Request ID '20161229143831':
>>   status: MONITORING
>>   stuck: no
>>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>   CA: dogtag-ipa-ca-renew-agent
>>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>   subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM
>>   expires: 2018-11-12 13:00:28 UTC
>>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>   eku: id-kp-serverAuth,id-kp-clientAuth
>>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>   track: yes
>>   auto-renew: yes
>> Request ID '20161229143833':
>>   status: MONITORING
>>   stuck: no
>>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>   CA: dogtag-ipa-ca-renew-agent
>>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>   subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>   expires: 2036-11-22 13:00:25 UTC
>>   key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>>   track: yes
>>   auto-renew: yes
>> Request ID '20161229143835':
>>   status: MONITORING
>>   stuck: no
>>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>   CA: dogtag-ipa-renew-agent
>>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>   subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>   expires: 2018-12-19 14:37:54 UTC
>>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>   eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>>   track: yes
>>   auto-renew: yes
>> Request ID '20161229144057':
>>   status: MONITORING
>>   stuck: no
>>   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>   CA: IPA
>>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>   subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>   expires: 2018-12-30 14:34:23 UTC
>>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>   eku: id-kp-serverAuth,id-kp-clientAuth
>>   pre-save command:
>>   post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>>   track: yes
>>   auto-renew: yes
>> Request ID '20161229144146':
>>   status: MONITORING
>>   stuck: no
>>   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>   CA: dogtag-ipa-ca-renew-agent
>>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>   subject: CN=IPA RA,O=MGMT.CROSSCHX.COM
>>   expires: 2018-11-12 13:01:34 UTC
>>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>   eku: id-kp-serverAuth,id-kp-clientAuth
>>   pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>   post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>   track: yes
>>   auto-renew: yes
>>
>>
>>
>> ===========================
>>
>> IPA12.MGMT
>>
>> (root)>getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20161229151518':
>>   status: MONITORING
>>   stuck: no
>>   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'
>>   certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB'
>>   CA: IPA
>>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>   subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>   expires: 2018-12-30 15:14:51 UTC
>>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>   eku: id-kp-serverAuth,id-kp-clientAuth
>>   pre-save command:
>>   post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM
>>   track: yes
>>   auto-renew: yes
>> Request ID '20161229151850':
>>   status: MONITORING
>>   stuck: no
>>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>   CA: dogtag-ipa-ca-renew-agent
>>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>   subject: CN=CA Audit,O=MGMT.CROSSCHX.COM
>>   expires: 2018-11-12 13:00:29 UTC
>>   key usage: digitalSignature,nonRepudiation
>>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>   track: yes
>>   auto-renew: yes
>> Request ID '20161229151852':
>>   status: MONITORING
>>   stuck: no
>>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>   CA: dogtag-ipa-ca-renew-agent
>>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>   subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM
>>   expires: 2018-11-12 13:00:26 UTC
>>   key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>   eku: id-kp-OCSPSigning
>>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>   track: yes
>>   auto-renew: yes
>> Request ID '20161229151854':
>>   status: MONITORING
>>   stuck: no
>>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>   CA: dogtag-ipa-ca-renew-agent
>>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>   subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM
>>   expires: 2018-11-12 13:00:28 UTC
>>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>   eku: id-kp-serverAuth,id-kp-clientAuth
>>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>   track: yes
>>   auto-renew: yes
>> Request ID '20161229151856':
>>   status: MONITORING
>>   stuck: no
>>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>   CA: dogtag-ipa-ca-renew-agent
>>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>   subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>   expires: 2036-11-22 13:00:25 UTC
>>   key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>>   track: yes
>>   auto-renew: yes
>> Request ID '20161229151858':
>>   status: MONITORING
>>   stuck: no
>>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>   CA: dogtag-ipa-renew-agent
>>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>   subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>   expires: 2018-12-19 15:18:16 UTC
>>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>   eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>>   track: yes
>>   auto-renew: yes
>> Request ID '20161229152115':
>>   status: MONITORING
>>   stuck: no
>>   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>   CA: IPA
>>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>   subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>   expires: 2018-12-30 15:14:54 UTC
>>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>   eku: id-kp-serverAuth,id-kp-clientAuth
>>   pre-save command:
>>   post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>>   track: yes
>>   auto-renew: yes
>> Request ID '20161229152204':
>>   status: MONITORING
>>   stuck: no
>>   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>   CA: dogtag-ipa-ca-renew-agent
>>   issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>   subject: CN=IPA RA,O=MGMT.CROSSCHX.COM
>>   expires: 2018-11-12 13:01:34 UTC
>>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>   eku: id-kp-serverAuth,id-kp-clientAuth
>>   pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>   post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>   track: yes
>>   auto-renew: yes
>>
>>
>>
>>
>> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
>> 614.427.2411
>> mike.plemmons at crosschx.com
>> www.crosschx.com
>>
>
>
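Added example (not from the thread, and not FreeIPA or certmonger code): a small Python parser for the `getcert list` format quoted above, plus an audit that flags tracked requests that are not MONITORING, are stuck, or expire soon, which is the kind of check one would run on each replica before comparing them by eye. The sample output, request IDs, statuses and dates are constructed; only the nicknames mirror the real IPA CA layout.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample in the `getcert list` format; the request IDs, status/stuck values and
# dates are made up for this example (the nicknames follow the real IPA CA layout).
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20170101000001':
  status: MONITORING
  stuck: no
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  expires: 2017-05-20 13:00:28 UTC
  pre-save command:
Request ID '20170101000002':
  status: CA_UNREACHABLE
  stuck: yes
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-renew-agent
  expires: 2018-12-19 15:18:16 UTC
"""

def parse_ts(s):
    """Parse getcert's 'YYYY-MM-DD HH:MM:SS UTC' timestamp into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)

def parse_getcert(text):
    """Split `getcert list` output into one dict per Request ID (empty values kept as '')."""
    entries, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"request_id": m.group(1)}
            entries.append(cur)
        elif cur is not None and line.startswith("  ") and ":" in line:
            key, _, value = line.strip().partition(":")
            cur[key] = value.strip()
    for e in entries:
        nick = re.search(r"nickname='([^']*)'", e.get("certificate", ""))
        e["nickname"] = nick.group(1) if nick else None
        e["expires_at"] = parse_ts(e["expires"])
    return entries

def audit(entries, now_str, warn_days=30):
    """Flag entries not MONITORING, stuck, or expiring within warn_days of now_str."""
    now, findings = parse_ts(now_str), []
    for e in entries:
        if e.get("status") != "MONITORING" or e.get("stuck") == "yes":
            findings.append((e["request_id"], e["nickname"], f"status={e.get('status')} stuck={e.get('stuck')}"))
        if e["expires_at"] - now < timedelta(days=warn_days):
            findings.append((e["request_id"], e["nickname"], f"expires {e['expires']}"))
    return findings
```

Run it against the real output of `getcert list` on each replica and diff the results per nickname; a request whose CA or status differs between hosts, or that is stuck, is where to start looking.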