[Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:

Rob Crittenden rcritten at redhat.com
Thu May 4 13:24:40 UTC 2017


Michael Plemmons wrote:
> I realized that I was not very clear in my statement about testing with
> ldapsearch.  I had initially run it without logging in with a DN.  I was
> just running the local ldapsearch -x command.  I then tested on
> ipa12.mgmt and ipa11.mgmt logging in with a full DN for the admin and
> "cn=Directory Manager" from ipa12.mgmt (broken server) and ipa11.mgmt
> and both ldapsearch commands succeeded.
> 
> I ran the following from ipa12.mgmt and ipa11.mgmt as a non root user. 
> I also ran the command showing a line count for the output and the line
> counts for each were the same when run from ipa12.mgmt and ipa11.mgmt.
> 
> ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "DN" -w PASSWORD -b
> "cn=users,cn=accounts,dc=mgmt,dc=crosschx,dc=com" dn
> 
> ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "cn=directory manager" -w PASSWORD dn

The CA has its own suffix and replication agreements. Given the auth
error and recent (5 months) renewal of CA credentials I'd check that the
CA agent authentication entries are correct.

Against each master with a CA run:

$ ldapsearch -LLL -x -D 'cn=directory manager' -W -b uid=ipara,ou=people,o=ipaca description

The format is 2;serial#,subject,issuer

Then on each run:

# certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial

The serial # should match that in the description everywhere.

rob
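The comparison Rob describes, written out as an added POSIX shell example; it is not from this thread and not FreeIPA's own tooling. It assumes the two commands above produce their usual output (an LDIF line starting "description: 2;<serial>" and a certutil "Serial Number: N (0x...)" line). The field separator after the serial is assumed to be either ";" or ","; the parser accepts both because the rest of the value holds DNs that themselves contain commas, so only the serial immediately after "2;" is relied on. The sample outputs are constructed, not captured from the poster's servers; live_check() is an assumed wrapper showing how to feed the real commands in and is not run here.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): confirm that the CA agent
# entry uid=ipara,ou=people,o=ipaca still references the current ipaCert
# serial after an RA certificate renewal.
#
# Real commands on each CA master (assumed usage, as quoted in the reply):
#   ldapsearch -LLL -x -D 'cn=directory manager' -W -b uid=ipara,ou=people,o=ipaca description
#   certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial

# Extract the decimal serial from "description: 2;<serial>;<subject>;<issuer>"
# (";" or "," after the serial both accepted). Prints nothing if the value does
# not start with "2;" followed by a number.
agent_serial_from_description() {
    printf '%s\n' "$1" \
      | sed -n 's/^description: *2;\([0-9][0-9]*\)[;,].*/\1/p' \
      | head -n 1
}

# Extract the decimal serial from certutil -L output, e.g.
# "        Serial Number: 7 (0x7)".
ipacert_serial_from_certutil() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*Serial Number: *\([0-9][0-9]*\).*/\1/p' \
      | head -n 1
}

# Returns 0 when both serials parse and match, 1 otherwise.
check_ra_agent() {
    ldap_out=$1
    certutil_out=$2
    agent=$(agent_serial_from_description "$ldap_out")
    cert=$(ipacert_serial_from_certutil "$certutil_out")
    if [ -z "$agent" ] || [ -z "$cert" ]; then
        echo "could not parse a serial (agent='$agent' ipaCert='$cert')" >&2
        return 1
    fi
    if [ "$agent" != "$cert" ]; then
        echo "MISMATCH: uid=ipara description has serial $agent, ipaCert is serial $cert" >&2
        return 1
    fi
    echo "OK: agent entry and ipaCert both use serial $agent"
    return 0
}

# Assumed wrapper for a live run as root on a CA master; prompts for the
# Directory Manager password via -W. Not executed in this example.
live_check() {
    ldap_out=$(ldapsearch -LLL -x -D 'cn=directory manager' -W \
        -b uid=ipara,ou=people,o=ipaca description)
    certutil_out=$(certutil -L -d /etc/httpd/alias -n ipaCert)
    check_ra_agent "$ldap_out" "$certutil_out"
}

# Constructed sample outputs (not captured from the poster's systems).
SAMPLE_LDAP='dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=IPA RA,O=MGMT.CROSSCHX.COM;CN=Certificate Authority,O=MGMT.CROSSCHX.COM
'
SAMPLE_CERTUTIL_OK='        Serial Number: 7 (0x7)'
SAMPLE_CERTUTIL_STALE='        Serial Number: 268369927 (0xffe0007)'

check_ra_agent "$SAMPLE_LDAP" "$SAMPLE_CERTUTIL_OK"
check_ra_agent "$SAMPLE_LDAP" "$SAMPLE_CERTUTIL_STALE" || true
```

Run the live version on every master that carries a CA. Since o=ipaca has its own replication agreements, the agent entry can be correct on one CA master and stale on another, which is why the reply says to compare on each.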

> 
> 
> 
> 
> 
> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
> 614.427.2411
> mike.plemmons at crosschx.com
> www.crosschx.com
> 
> On Wed, May 3, 2017 at 5:28 PM, Michael Plemmons
> <michael.plemmons at crosschx.com> wrote:
> 
>     I have a three node IPA cluster.
> 
>     ipa11.mgmt - was a master over 6 months ago
>     ipa13.mgmt - current master
>     ipa12.mgmt
> 
>     ipa13 has agreements with ipa11 and ipa12.  ipa11 and ipa12 do not
>     have agreements between each other.
> 
>     It appears that either ipa12.mgmt lost some level of its replication
>     agreement with ipa13.  I say some level because users / hosts were
>     replicated between all systems but we started seeing DNS was not
>     resolving properly from ipa12.  I do not know when this started.
> 
>     When looking at replication agreements on ipa12 I did not see any
>     agreement with ipa13.
> 
>     When I run ipa-replica-manage list all three hosts show as master.
> 
>     When I run ipa-replica-manage ipa11.mgmt I see ipa13.mgmt is a replica.
> 
>     When I run ipa-replica-manage ipa12.mgmt nothing returned.
> 
>     I ran ipa-replica-manage connect --cacert=/etc/ipa/ca.crt
>     ipa12.mgmt.crosschx.com ipa13.mgmt.crosschx.com on ipa12.mgmt
> 
>     I then ran the following
> 
>     ipa-replica-manage force-sync --from ipa13.mgmt.crosschx.com
> 
>     ipa-replica-manage re-initialize --from ipa13.mgmt.crosschx.com
> 
>     I was still seeing bad DNS returns when dig'ing against ipa12.mgmt. 
>     I was able to create user and DNS records and see the information
>     replicated properly across all three nodes.
> 
>     I then ran ipactl stop on ipa12.mgmt and then ipactl start on
>     ipa12.mgmt because I wanted to make sure everything was running
>     fresh after the changes above.  While IPA was starting up (DNS
>     started) we were able to see valid DNS queries returned but
>     pki-tomcat would not start.
> 
>     I am not sure what I need to do in order to get this working.  I
>     have included the output of certutil and getcert below from all
>     three servers as well as the debug output for pki.
> 
> 
>     While the IPA system is coming up I am able to successfully run
>     ldapsearch -x as the root user and see results.  I am also able to
>     login with the "cn=Directory Manager" account and see results.
> 
> 
>     The debug log shows the following error.
> 
> 
>     [03/May/2017:21:22:01][localhost-startStop-1]:
>     ============================================
>     [03/May/2017:21:22:01][localhost-startStop-1]: =====  DEBUG
>     SUBSYSTEM INITIALIZED   =======
>     [03/May/2017:21:22:01][localhost-startStop-1]:
>     ============================================
>     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at
>     autoShutdown? false
>     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
>     autoShutdown crumb file path?
>     /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to
>     look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found
>     cert:auditSigningCert cert-pki-ca
>     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init
>     id=debug
>     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
>     initialized debug
>     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
>     initSubsystem id=log
>     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to
>     init id=log
>     [03/May/2017:21:22:01][localhost-startStop-1]: Creating
>     RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
>     [03/May/2017:21:22:01][localhost-startStop-1]: Creating
>     RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
>     [03/May/2017:21:22:01][localhost-startStop-1]: Creating
>     RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)
>     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at
>     autoShutdown? false
>     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
>     autoShutdown crumb file path?
>     /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to
>     look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found
>     cert:auditSigningCert cert-pki-ca
>     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init
>     id=log
>     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
>     initialized log
>     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
>     initSubsystem id=jss
>     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to
>     init id=jss
>     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at
>     autoShutdown? false
>     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
>     autoShutdown crumb file path?
>     /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to
>     look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found
>     cert:auditSigningCert cert-pki-ca
>     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init
>     id=jss
>     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
>     initialized jss
>     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine:
>     initSubsystem id=dbs
>     [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to
>     init id=dbs
>     [03/May/2017:21:22:01][localhost-startStop-1]: DBSubsystem: init()
>      mEnableSerialMgmt=true
>     [03/May/2017:21:22:01][localhost-startStop-1]: Creating
>     LdapBoundConnFactor(DBSubsystem)
>     [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory:
>     init
>     [03/May/2017:21:22:01][localhost-startStop-1]:
>     LdapBoundConnFactory:doCloning true
>     [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init()
>     [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init begins
>     [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init ends
>     [03/May/2017:21:22:01][localhost-startStop-1]: init: before
>     makeConnection errorIfDown is true
>     [03/May/2017:21:22:01][localhost-startStop-1]: makeConnection:
>     errorIfDown true
>     [03/May/2017:21:22:02][localhost-startStop-1]:
>     SSLClientCertificateSelectionCB: Setting desired cert nickname to:
>     subsystemCert cert-pki-ca
>     [03/May/2017:21:22:02][localhost-startStop-1]: LdapJssSSLSocket: set
>     client auth cert nickname subsystemCert cert-pki-ca
>     [03/May/2017:21:22:02][localhost-startStop-1]:
>     SSLClientCertificatSelectionCB: Entering!
>     [03/May/2017:21:22:02][localhost-startStop-1]:
>     SSLClientCertificateSelectionCB: returning: null
>     [03/May/2017:21:22:02][localhost-startStop-1]: SSL handshake happened
>     Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 Error
>     netscape.ldap.LDAPException: Authentication failed (48)
>       at
>     com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
>       at
>     com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
>       at
>     com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
>       at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
>       at
>     com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
>       at
>     com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
>       at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
>       at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>       at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
>       at
>     com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>       at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>       at
>     sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>       at
>     sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>       at java.lang.reflect.Method.invoke(Method.java:498)
>       at
>     org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>       at
>     org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>       at java.security.AccessController.doPrivileged(Native Method)
>       at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>       at
>     org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
>       at
>     org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
>       at
>     org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
>       at
>     org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
>       at
>     org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
>       at
>     org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
>       at
>     org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
>       at
>     org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
>       at
>     org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>       at
>     org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
>       at
>     org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>       at
>     org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>       at
>     org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>       at java.security.AccessController.doPrivileged(Native Method)
>       at
>     org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
>       at
>     org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>       at
>     org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
>       at
>     org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
>       at
>     java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>       at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>       at
>     java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>       at
>     java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>       at java.lang.Thread.run(Thread.java:745)
>     Internal Database Error encountered: Could not connect to LDAP
>     server host ipa12.mgmt.crosschx.com port 636 Error
>     netscape.ldap.LDAPException: Authentication failed (48)
>       at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
>       at
>     com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
>       at
>     com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
>       at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
>       at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>       at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
>       at
>     com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>       at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>       at
>     sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>       at
>     sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>       at java.lang.reflect.Method.invoke(Method.java:498)
>       at
>     org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>       at
>     org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>       at java.security.AccessController.doPrivileged(Native Method)
>       at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>       at
>     org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
>       at
>     org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
>       at
>     org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
>       at
>     org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
>       at
>     org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
>       at
>     org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
>       at
>     org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
>       at
>     org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
>       at
>     org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>       at
>     org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
>       at
>     org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>       at
>     org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>       at
>     org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>       at java.security.AccessController.doPrivileged(Native Method)
>       at
>     org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
>       at
>     org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>       at
>     org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
>       at
>     org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
>       at
>     java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>       at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>       at
>     java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>       at
>     java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>       at java.lang.Thread.run(Thread.java:745)
>     [03/May/2017:21:22:02][localhost-startStop-1]: CMSEngine.shutdown()
> 
> 
>     =============================
> 
> 
>     IPA11.MGMT
> 
>     (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
>     Certificate Nickname                         Trust Attributes
>                                                  SSL,S/MIME,JAR/XPI
>     Server-Cert                                  u,u,u
>     MGMT.CROSSCHX.COM IPA CA                     CT,C,C
> 
>     (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
>     Certificate Nickname                         Trust Attributes
>                                                  SSL,S/MIME,JAR/XPI
>     caSigningCert cert-pki-ca                    CTu,Cu,Cu
>     auditSigningCert cert-pki-ca                 u,u,Pu
>     ocspSigningCert cert-pki-ca                  u,u,u
>     subsystemCert cert-pki-ca                    u,u,u
>     Server-Cert cert-pki-ca                      u,u,u
> 
>     IPA13.MGMT
> 
>     (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
>     Certificate Nickname                         Trust Attributes
>                                                  SSL,S/MIME,JAR/XPI
>     Server-Cert                                  u,u,u
>     MGMT.CROSSCHX.COM IPA CA                     CT,C,C
> 
>     (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
>     Certificate Nickname                         Trust Attributes
>                                                  SSL,S/MIME,JAR/XPI
>     caSigningCert cert-pki-ca                    CTu,Cu,Cu
>     auditSigningCert cert-pki-ca                 u,u,Pu
>     ocspSigningCert cert-pki-ca                  u,u,u
>     subsystemCert cert-pki-ca                    u,u,u
>     Server-Cert cert-pki-ca                      u,u,u
> 
>     IPA12.MGMT
> 
>     (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
>     Certificate Nickname                         Trust Attributes
>                                                  SSL,S/MIME,JAR/XPI
>     Server-Cert                                  u,u,u
>     MGMT.CROSSCHX.COM IPA CA                     C,,
> 
>     (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
>     Certificate Nickname                         Trust Attributes
>                                                  SSL,S/MIME,JAR/XPI
>     caSigningCert cert-pki-ca                    CTu,Cu,Cu
>     auditSigningCert cert-pki-ca                 u,u,Pu
>     ocspSigningCert cert-pki-ca                  u,u,u
>     subsystemCert cert-pki-ca                    u,u,u
>     Server-Cert cert-pki-ca                      u,u,u
>     =================================================
> 
>     IPA11.MGMT
> 
>     (root)>getcert list
>     Number of certificates and requests being tracked: 8.
>     Request ID '20161229155314':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>         subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>         expires: 2018-12-30 15:52:43 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM
>         track: yes
>         auto-renew: yes
>     Request ID '20161229155652':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>         subject: CN=CA Audit,O=MGMT.CROSSCHX.COM
>         expires: 2018-11-12 13:00:29 UTC
>         key usage: digitalSignature,nonRepudiation
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
>     Request ID '20161229155654':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>         subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM
>         expires: 2018-11-12 13:00:26 UTC
>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>         eku: id-kp-OCSPSigning
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
>     Request ID '20161229155655':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>         subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM
>         expires: 2018-11-12 13:00:28 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
>     Request ID '20161229155657':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>         subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>         expires: 2036-11-22 13:00:25 UTC
>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
>     Request ID '20161229155659':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>         subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>         expires: 2018-12-19 15:56:20 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>         track: yes
>         auto-renew: yes
>     Request ID '20161229155921':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>         subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>         expires: 2018-12-30 15:52:46 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>         track: yes
>         auto-renew: yes
>     Request ID '20161229160009':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>         subject: CN=IPA RA,O=MGMT.CROSSCHX.COM
>         expires: 2018-11-12 13:01:34 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>         post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>         track: yes
>         auto-renew: yes
> 
>     ==================================
> 
>     IPA13.MGMT
> 
>     (root)>getcert list
>     Number of certificates and requests being tracked: 8.
>     Request ID '20161229143449':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>         subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>         expires: 2018-12-30 14:34:20 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM
>         track: yes
>         auto-renew: yes
>     Request ID '20161229143826':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>         subject: CN=CA Audit,O=MGMT.CROSSCHX.COM
>         expires: 2018-11-12 13:00:29 UTC
>         key usage: digitalSignature,nonRepudiation
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
>     Request ID '20161229143828':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>         subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM
>         expires: 2018-11-12 13:00:26 UTC
>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>         eku: id-kp-OCSPSigning
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
>     Request ID '20161229143831':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>         subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM
>         expires: 2018-11-12 13:00:28 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
>     Request ID '20161229143833':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>         subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>         expires: 2036-11-22 13:00:25 UTC
>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
>     Request ID '20161229143835':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>         subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>         expires: 2018-12-19 14:37:54 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>         track: yes
>         auto-renew: yes
>     Request ID '20161229144057':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>         subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>         expires: 2018-12-30 14:34:23 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>         track: yes
>         auto-renew: yes
>     Request ID '20161229144146':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>         subject: CN=IPA RA,O=MGMT.CROSSCHX.COM
>         expires: 2018-11-12 13:01:34 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>         post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>         track: yes
>         auto-renew: yes
> 
>     ===========================
> 
>     IPA12.MGMT
> 
>     (root)>getcert list
>     Number of certificates and requests being tracked: 8.
>     Request ID '20161229151518':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>         subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>         expires: 2018-12-30 15:14:51 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM
>         track: yes
>         auto-renew: yes
>     Request ID '20161229151850':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate
>     Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM> subject:
>     CN=CA Audit,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM> expires:
>     2018-11-12 13:00:29 UTC key usage: digitalSignature,nonRepudiation
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save
>     command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert
>     cert-pki-ca" track: yes auto-renew: yes Request ID '20161229151852':
>     status: MONITORING stuck: no key pair storage:
>     type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>     cert-pki-ca',token='NSS Certificate DB',pin set certificate:
>     type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>     cert-pki-ca',token='NSS Certificate DB' CA:
>     dogtag-ipa-ca-renew-agent issuer: CN=Certificate
>     Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM> subject:
>     CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
>     expires: 2018-11-12 13:00:26 UTC key usage:
>     digitalSignature,nonRepudiation,keyCertSign,cRLSign eku:
>     id-kp-OCSPSigning pre-save command:
>     /usr/libexec/ipa/certmonger/stop_pkicad post-save command:
>     /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert
>     cert-pki-ca" track: yes auto-renew: yes Request ID '20161229151854':
>     status: MONITORING stuck: no key pair storage:
>     type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>     cert-pki-ca',token='NSS Certificate DB',pin set certificate:
>     type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>     cert-pki-ca',token='NSS Certificate DB' CA:
>     dogtag-ipa-ca-renew-agent issuer: CN=Certificate
>     Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM> subject:
>     CN=CA Subsystem,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
>     expires: 2018-11-12 13:00:28 UTC key usage:
>     digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth pre-save command:
>     /usr/libexec/ipa/certmonger/stop_pkicad post-save command:
>     /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert
>     cert-pki-ca" track: yes auto-renew: yes Request ID '20161229151856':
>     status: MONITORING stuck: no key pair storage:
>     type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
>     cert-pki-ca',token='NSS Certificate DB',pin set certificate:
>     type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
>     cert-pki-ca',token='NSS Certificate DB' CA:
>     dogtag-ipa-ca-renew-agent issuer: CN=Certificate
>     Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM> subject:
>     CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>     <http://MGMT.CROSSCHX.COM> expires: 2036-11-22 13:00:25 UTC key
>     usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign pre-save
>     command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command:
>     /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert
>     cert-pki-ca" track: yes auto-renew: yes Request ID '20161229151858':
>     status: MONITORING stuck: no key pair storage:
>     type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS
>     Certificate DB',pin set certificate:
>     type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS
>     Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate
>     Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM> subject:
>     CN=ipa12.mgmt.crosschx.com
>     <http://ipa12.mgmt.crosschx.com>,O=MGMT.CROSSCHX.COM
>     <http://MGMT.CROSSCHX.COM> expires: 2018-12-19 15:18:16 UTC key
>     usage:
>     digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save
>     command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert
>     cert-pki-ca" track: yes auto-renew: yes Request ID '20161229152115':
>     status: MONITORING stuck: no key pair storage:
>     type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>     Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate:
>     type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>     Certificate DB' CA: IPA issuer: CN=Certificate
>     Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM> subject:
>     CN=ipa12.mgmt.crosschx.com
>     <http://ipa12.mgmt.crosschx.com>,O=MGMT.CROSSCHX.COM
>     <http://MGMT.CROSSCHX.COM> expires: 2018-12-30 15:14:54 UTC key
>     usage:
>     digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save
>     command: /usr/libexec/ipa/certmonger/restart_httpd track: yes
>     auto-renew: yes Request ID '20161229152204': status: MONITORING
>     stuck: no key pair storage:
>     type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>     Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate:
>     type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>     Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate
>     Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM> subject:
>     CN=IPA RA,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM> expires:
>     2018-11-12 13:01:34 UTC key usage:
>     digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth pre-save command:
>     /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save command:
>     /usr/libexec/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes
> 
> 
>     Mike Plemmons | Senior DevOps Engineer | CROSSCHX
>     614.427.2411
>     mike.plemmons at crosschx.com
>     www.crosschx.com
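The `getcert list` dumps quoted above are long enough that comparing masters by eye is error-prone, which is how a diverged RA agent certificate or a quietly stuck request gets missed. The following is an added example, not code from this thread or from the FreeIPA or certmonger projects: a small parser for `getcert list` output that flags requests not in MONITORING, stuck requests, near-expiry certificates, and an `ipaCert` (the IPA RA agent certificate, which every CA master must hold the same copy of) whose expiry differs between masters. Since `getcert list` does not print the serial number, the expiry timestamp is used as the proxy for "same certificate". The sample output, hostnames, request IDs, dates and the `NOW` timestamp are all constructed for the example.

```python
"""Consistency checks over `getcert list` output gathered from several IPA masters.

Added example; the sample output below is constructed, modelled on certmonger's
field layout (hostnames, request IDs and dates are placeholders, not real data).
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: master-b's ipaCert was renewed separately from master-a's
# (different expiry), master-b's httpd cert request is stuck, and master-a's
# httpd cert is about to expire. Real output indents fields with a tab.
SAMPLE = {
    "master-a.example.test": """\
Number of certificates and requests being tracked: 2.
Request ID '20161229144146':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=IPA RA,O=EXAMPLE.TEST
    expires: 2018-11-12 13:01:34 UTC
Request ID '20161229144057':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=master-a.example.test,O=EXAMPLE.TEST
    expires: 2017-05-20 14:34:23 UTC
""",
    "master-b.example.test": """\
Number of certificates and requests being tracked: 2.
Request ID '20161229152204':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=IPA RA,O=EXAMPLE.TEST
    expires: 2019-01-05 10:00:00 UTC
Request ID '20161229152115':
    status: CA_UNREACHABLE
    stuck: yes
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=master-b.example.test,O=EXAMPLE.TEST
    expires: 2018-12-30 15:14:54 UTC
""",
}

# Constructed "current time" so the example is reproducible offline.
NOW = datetime(2017, 5, 4, 13, 24, 40, tzinfo=timezone.utc)

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
NICK_RE = re.compile(r"nickname='([^']+)'")


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by certmonger's field names."""
    entries, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
            continue
        if current is None or ":" not in line:
            continue  # header line or blank line before the first request
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    for e in entries:  # pull the NSS nickname out of the certificate spec
        m = NICK_RE.search(e.get("certificate", ""))
        e["nickname"] = m.group(1) if m else None
    return entries


def parse_expiry(value):
    """certmonger prints 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)


def find_problems(outputs, now, warn_days=30):
    """outputs: {hostname: getcert list text}. Returns (host, request_id, message) tuples."""
    problems, ra_expiry = [], {}
    for host, text in outputs.items():
        for e in parse_getcert_list(text):
            rid = e["request_id"]
            if e.get("status") != "MONITORING":
                problems.append((host, rid, f"status is {e.get('status')}"))
            if e.get("stuck") == "yes":
                problems.append((host, rid, "request is stuck"))
            if e.get("expires"):
                remaining = parse_expiry(e["expires"]) - now
                if remaining < timedelta(days=warn_days):
                    problems.append((host, rid, f"expires in {remaining.days} days"))
            if e.get("nickname") == "ipaCert":
                ra_expiry[host] = e.get("expires")
    # The RA agent cert is shared by all CA masters; differing expiries mean
    # the copies diverged (expiry stands in for the serial, which getcert omits).
    if len(set(ra_expiry.values())) > 1:
        detail = ", ".join(f"{h}={v}" for h, v in sorted(ra_expiry.items()))
        problems.append(("*", "ipaCert", "RA agent certificate differs between masters: " + detail))
    return problems


if __name__ == "__main__":
    for host, rid, msg in find_problems(SAMPLE, NOW):
        print(f"{host}\t{rid}\t{msg}")
```

To use it on real masters, collect `getcert list` from each host into the `outputs` mapping and pass `datetime.now(timezone.utc)`; an `ipaCert` mismatch reported here is the cue to run the `uid=ipara` description versus `certutil` serial comparison, since a master whose RA certificate does not match the agent entry in the CA's LDAP suffix is exactly the one that fails CA authentication.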