[Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:
Michael Plemmons
michael.plemmons at crosschx.com
Fri May 5 19:33:35 UTC 2017
I think I found the email thread. Asking for help with crashed freeIPA
istance. That email pointed to this link,
https://www.redhat.com/archives/freeipa-users/2017-January/msg00215.html.
That link talked about changing the CS.cfg file to use port 389 for PKI to
auth to LDAP. I made the necessary changes and PKI came up successfully.
*Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
614.427.2411
mike.plemmons at crosschx.com
www.crosschx.com
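
Added example (not part of the original emails): the serial comparison Rob describes in the quoted thread below, scripted so it can be repeated for each master. The sample ldapsearch and certutil outputs and the host labels are constructed, and accepting either ';' or ',' after the serial field is an assumption.

```bash
#!/usr/bin/env bash
# Added example: compare the serial stored in the description attribute of
# uid=ipara,ou=people,o=ipaca with the serial of ipaCert in /etc/httpd/alias.
# All sample outputs below are constructed for illustration.

# Read LDIF on stdin, print the serial from "description: 2;<serial>...".
# Assumption: the serial is the field right after "2;" and is followed by
# ';' or ','; nothing after it is parsed.
ldap_serial() {
    sed -n 's/^description: *2;\([0-9][0-9]*\)[;,].*$/\1/p' | head -n 1
}

# Read `certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial` output on
# stdin, print the decimal serial from a line like "Serial Number: 7 (0x7)".
# Prints nothing if the line is not in that form.
nss_serial() {
    sed -n 's/^[[:space:]]*Serial Number:[[:space:]]*\([0-9][0-9]*\)[[:space:]].*$/\1/p' | head -n 1
}

# compare_serials LABEL LDIF_TEXT CERTUTIL_TEXT
# Returns 0 on match, 1 on mismatch, 2 if either value could not be parsed.
compare_serials() {
    local from_ldap from_nss
    from_ldap=$(printf '%s\n' "$2" | ldap_serial)
    from_nss=$(printf '%s\n' "$3" | nss_serial)
    if [ -z "$from_ldap" ] || [ -z "$from_nss" ]; then
        echo "$1: UNPARSED (ldap='$from_ldap' nss='$from_nss')"
        return 2
    fi
    if [ "$from_ldap" = "$from_nss" ]; then
        echo "$1: OK (serial $from_ldap)"
        return 0
    fi
    echo "$1: MISMATCH (ldap=$from_ldap nss=$from_nss)"
    return 1
}

# --- constructed sample data (not from the thread) ---
SAMPLE_LDIF='dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE.TEST'
SAMPLE_NSS_CURRENT='        Serial Number: 7 (0x7)'
SAMPLE_NSS_STALE='        Serial Number: 3 (0x3)'
SAMPLE_NSS_ODD='        Serial Number:'

# One line per master; "|| true" keeps the demo running past a mismatch.
compare_serials master-a "$SAMPLE_LDIF" "$SAMPLE_NSS_CURRENT" || true
compare_serials master-b "$SAMPLE_LDIF" "$SAMPLE_NSS_STALE" || true
compare_serials master-c "$SAMPLE_LDIF" "$SAMPLE_NSS_ODD" || true
```

On a live server, pass the output of the two commands from Rob's message in place of the sample strings.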
On Fri, May 5, 2017 at 3:19 PM, Michael Plemmons <
michael.plemmons at crosschx.com> wrote:
>
> On Fri, May 5, 2017 at 3:15 PM, Rob Crittenden <rcritten at redhat.com>
> wrote:
>
>> Michael Plemmons wrote:
>> > I just realized that I sent the reply directly to Rob and not to the
>> > list. My response is inline
>>
>> Ok, this is actually good news.
>>
>> I made a similar proposal in another case and I was completely wrong.
>> Flo had the user do something and it totally fixed their auth error, I
>> just can't remember what it was or find the e-mail thread. I'm pretty
>> sure it was this calendar year though.
>>
>> rob
>>
>>
> Do you or Flo know what I could search for in the past emails to find the
> answer to the problem?
>
>
>
>> > On Thu, May 4, 2017 at 9:39 AM, Michael Plemmons
>> > <michael.plemmons at crosschx.com> wrote:
>> >
>> > On Thu, May 4, 2017 at 9:24 AM, Rob Crittenden <rcritten at redhat.com>
>> > wrote:
>> >
>> > Michael Plemmons wrote:
>> > > I realized that I was not very clear in my statement about testing with
>> > > ldapsearch. I had initially run it without logging in with a DN. I was
>> > > just running the local ldapsearch -x command. I then tested on
>> > > ipa12.mgmt and ipa11.mgmt logging in with a full DN for the admin and
>> > > "cn=Directory Manager" from ipa12.mgmt (broken server) and ipa11.mgmt
>> > > and both ldapsearch commands succeeded.
>> > >
>> > > I ran the following from ipa12.mgmt and ipa11.mgmt as a non root user.
>> > > I also ran the command showing a line count for the output and the line
>> > > counts for each were the same when run from ipa12.mgmt and ipa11.mgmt.
>> > >
>> > > ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "DN" -w PASSWORD -b "cn=users,cn=accounts,dc=mgmt,dc=crosschx,dc=com" dn
>> > >
>> > > ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "cn=directory manager" -w PASSWORD dn
>> >
>> > The CA has its own suffix and replication agreements. Given the auth
>> > error and recent (5 months) renewal of CA credentials I'd check that the
>> > CA agent authentication entries are correct.
>> >
>> > Against each master with a CA run:
>> >
>> > $ ldapsearch -LLL -x -D 'cn=directory manager' -W -b uid=ipara,ou=people,o=ipaca description
>> >
>> > The format is 2;serial#,subject,issuer
>> >
>> > Then on each run:
>> >
>> > # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial
>> >
>> > The serial # should match that in the description everywhere.
>> >
>> > rob
>> >
>> >
>> >
>> > On the CA (IPA13.MGMT) I ran the ldapsearch command and see that the
>> > serial number is 7. I then ran the certutil command on all three
>> > servers and the serial number is 7 as well.
>> >
>> >
>> > I also ran the ldapsearch command against the other two servers and
>> > they also showed a serial number of 7.
>> >
>> >
>> >
>> >
>> > > On Wed, May 3, 2017 at 5:28 PM, Michael Plemmons
>> > > <michael.plemmons at crosschx.com> wrote:
>> > >
>> > > I have a three node IPA cluster.
>> > >
>> > > ipa11.mgmt - was a master over 6 months ago
>> > > ipa13.mgmt - current master
>> > > ipa12.mgmt
>> > >
>> > > ipa13 has agreements with ipa11 and ipa12. ipa11 and ipa12 do not
>> > > have agreements between each other.
>> > >
>> > > It appears that either ipa12.mgmt lost some level of its replication
>> > > agreement with ipa13. I saw some level because users / hosts were
>> > > replicated between all systems but we started seeing DNS was not
>> > > resolving properly from ipa12. I do not know when this started.
>> > >
>> > > When looking at replication agreements on ipa12 I did not see any
>> > > agreement with ipa13.
>> > >
>> > > When I run ipa-replica-manage list all three hosts show has master.
>> > >
>> > > When I run ipa-replica-manage ipa11.mgmt I see ipa13.mgmt is a replica.
>> > >
>> > > When I run ipa-replica-manage ipa12.mgmt nothing returned.
>> > >
>> > > I ran ipa-replica-manage connect --cacert=/etc/ipa/ca.crt
>> > > ipa12.mgmt.crosschx.com ipa13.mgmt.crosschx.com on ipa12.mgmt
>> > >
>> > > I then ran the following
>> > >
>> > > ipa-replica-manage force-sync --from ipa13.mgmt.crosschx.com
>> > >
>> > > ipa-replica-manage re-initialize --from ipa13.mgmt.crosschx.com
>> > >
>> > > I was still seeing bad DNS returns when dig'ing against ipa12.mgmt.
>> > > I was able to create user and DNS records and see the information
>> > > replicated properly across all three nodes.
>> > >
>> > > I then ran ipactl stop on ipa12.mgmt and then ipactl start on
>> > > ipa12.mgmt because I wanted to make sure everything was running
>> > > fresh after the changes above. While IPA was starting up (DNS
>> > > started) we were able to see valid DNS queries returned but
>> > > pki-tomcat would not start.
>> > >
>> > > I am not sure what I need to do in order to get this working. I
>> > > have included the output of certutil and getcert below from all
>> > > three servers as well as the debug output for pki.
>> > >
>> > >
>> > > While the IPA system is coming up I am able to successfully run
>> > > ldapsearch -x as the root user and see results. I am also able to
>> > > login with the "cn=Directory Manager" account and see results.
>> > >
>> > >
>> > > The debug log shows the following error.
>> > >
>> > >
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: ============================================
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED =======
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: ============================================
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=debug
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized debug
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=log
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=log
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=log
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized log
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=jss
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=jss
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized jss
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=dbs
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem)
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory: init
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init()
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init begins
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init ends
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: init: before makeConnection errorIfDown is true
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: makeConnection: errorIfDown true
>> > > [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
>> > > [03/May/2017:21:22:02][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
>> > > [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
>> > > [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
>> > > [03/May/2017:21:22:02][localhost-startStop-1]: SSL handshake happened
>> > > Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
>> > >     at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
>> > >     at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
>> > >     at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
>> > >     at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
>> > >     at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
>> > >     at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
>> > >     at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
>> > >     at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>> > >     at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
>> > >     at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>> > >     at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>> > >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> > >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> > >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> > >     at java.lang.reflect.Method.invoke(Method.java:498)
>> > >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>> > >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>> > >     at java.security.AccessController.doPrivileged(Native Method)
>> > >     at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>> > >     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
>> > >     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
>> > >     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
>> > >     at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
>> > >     at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
>> > >     at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
>> > >     at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
>> > >     at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
>> > >     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>> > >     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
>> > >     at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>> > >     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>> > >     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>> > >     at java.security.AccessController.doPrivileged(Native Method)
>> > >     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
>> > >     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>> > >     at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
>> > >     at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
>> > >     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>> > >     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>> > >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>> > >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> > >     at java.lang.Thread.run(Thread.java:745)
>> > > Internal Database Error encountered: Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
>> > >     at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
>> > >     at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
>> > >     at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
>> > >     at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
>> > >     at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>> > >     at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
>> > >     at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>> > >     at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>> > >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> > >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> > >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> > >     at java.lang.reflect.Method.invoke(Method.java:498)
>> > >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>> > >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>> > >     at java.security.AccessController.doPrivileged(Native Method)
>> > >     at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>> > >     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
>> > >     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
>> > >     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
>> > >     at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
>> > >     at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
>> > >     at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
>> > >     at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
>> > >     at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
>> > >     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>> > >     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
>> > >     at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>> > >     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>> > >     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>> > >     at java.security.AccessController.doPrivileged(Native Method)
>> > >     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
>> > >     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>> > >     at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
>> > >     at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
>> > >     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>> > >     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>> > >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>> > >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> > >     at java.lang.Thread.run(Thread.java:745)
>> > > [03/May/2017:21:22:02][localhost-startStop-1]: CMSEngine.shutdown()
>> > >
>> > >
>> > > =============================
>> > >
>> > >
>> > > IPA11.MGMT
>> > >
>> > > (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
>> > >
>> > > Certificate Nickname            Trust Attributes
>> > >                                 SSL,S/MIME,JAR/XPI
>> > >
>> > > Server-Cert                     u,u,u
>> > > MGMT.CROSSCHX.COM IPA CA        CT,C,C
>> > >
>> > > (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
>> > >
>> > > Certificate Nickname            Trust Attributes
>> > >                                 SSL,S/MIME,JAR/XPI
>> > >
>> > > caSigningCert cert-pki-ca       CTu,Cu,Cu
>> > > auditSigningCert cert-pki-ca    u,u,Pu
>> > > ocspSigningCert cert-pki-ca     u,u,u
>> > > subsystemCert cert-pki-ca       u,u,u
>> > > Server-Cert cert-pki-ca         u,u,u
>> > >
>> > > IPA13.MGMT
>> > >
>> > > (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
>> > >
>> > > Certificate Nickname            Trust Attributes
>> > >                                 SSL,S/MIME,JAR/XPI
>> > >
>> > > Server-Cert                     u,u,u
>> > > MGMT.CROSSCHX.COM IPA CA        CT,C,C
>> > >
>> > > (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
>> > >
>> > > Certificate Nickname            Trust Attributes
>> > >                                 SSL,S/MIME,JAR/XPI
>> > >
>> > > caSigningCert cert-pki-ca       CTu,Cu,Cu
>> > > auditSigningCert cert-pki-ca    u,u,Pu
>> > > ocspSigningCert cert-pki-ca     u,u,u
>> > > subsystemCert cert-pki-ca       u,u,u
>> > > Server-Cert cert-pki-ca         u,u,u
>> > >
>> > > IPA12.MGMT
>> > >
>> > > (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
>> > >
>> > > Certificate Nickname            Trust Attributes
>> > >                                 SSL,S/MIME,JAR/XPI
>> > >
>> > > Server-Cert                     u,u,u
>> > > MGMT.CROSSCHX.COM IPA CA        C,,
>> > >
>> > > (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
>> > >
>> > > Certificate Nickname            Trust Attributes
>> > >                                 SSL,S/MIME,JAR/XPI
>> > >
>> > > caSigningCert cert-pki-ca       CTu,Cu,Cu
>> > > auditSigningCert cert-pki-ca    u,u,Pu
>> > > ocspSigningCert cert-pki-ca     u,u,u
>> > > subsystemCert cert-pki-ca       u,u,u
>> > > Server-Cert cert-pki-ca         u,u,u
>> > >
>> > > =================================================
>> IPA11.MGMT
>> > > (root)>getcert list Number of certificates and requests
>> being
>> > > tracked: 8. Request ID '20161229155314': status:
>> > MONITORING stuck:
>> > > no key pair storage:
>> > >
>> > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',
>> nickname='Server-Cert',token='NSS
>> > > Certificate
>> > > DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.
>> txt'
>> > > certificate:
>> > >
>> > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',
>> nickname='Server-Cert',token='NSS
>> > > Certificate DB' CA: IPA issuer: CN=Certificate
>> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
>> > <http://MGMT.CROSSCHX.COM> subject:
>> > > CN=ipa11.mgmt.crosschx.com <http://ipa11.mgmt.crosschx.co
>> m>
>> > > <http://ipa11.mgmt.crosschx.com
>> > <http://ipa11.mgmt.crosschx.com>>,O=MGMT.CROSSCHX.COM
>> > <http://MGMT.CROSSCHX.COM>
>> > > <http://MGMT.CROSSCHX.COM> expires: 2018-12-30 15:52:43
>> > UTC key
>> > > usage:
>> > >
>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipher
>> ment
>> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command:
>> > post-save
>> > > command: /usr/libexec/ipa/certmonger/restart_dirsrv
>> > > MGMT-CROSSCHX-COM track: yes auto-renew: yes Request ID
>> > > '20161229155652': status: MONITORING stuck: no key pair
>> > storage:
>> > >
>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='au
>> ditSigningCert
>> > > cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate:
>> > >
>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='au
>> ditSigningCert
>> > > cert-pki-ca',token='NSS Certificate DB' CA:
>> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate
>> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
>> > <http://MGMT.CROSSCHX.COM> subject:
>> > > CN=CA Audit,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM
>> >
>> > <http://MGMT.CROSSCHX.COM> expires:
>> > > 2018-11-12 13:00:29 UTC key usage:
>> > digitalSignature,nonRepudiation
>> > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> > post-save
>> > > command: /usr/libexec/ipa/certmonger/renew_ca_cert
>> > "auditSigningCert
>> > > cert-pki-ca" track: yes auto-renew: yes Request ID
>> > '20161229155654':
>> > > status: MONITORING stuck: no key pair storage:
>> > >
>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='oc
>> spSigningCert
>> > > cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate:
>> > >
>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='oc
>> spSigningCert
>> > > cert-pki-ca',token='NSS Certificate DB' CA:
>> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate
>> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
>> > <http://MGMT.CROSSCHX.COM> subject:
>> > > CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM
>> > <http://MGMT.CROSSCHX.COM> <http://MGMT.CROSSCHX.COM>
>> > > expires: 2018-11-12 13:00:26 UTC key usage:
>> > > digitalSignature,nonRepudiation,keyCertSign,cRLSign eku:
>> > > id-kp-OCSPSigning pre-save command:
>> > > /usr/libexec/ipa/certmonger/stop_pkicad post-save
>> command:
>> > > /usr/libexec/ipa/certmonger/renew_ca_cert
>> "ocspSigningCert
>> > > cert-pki-ca" track: yes auto-renew: yes Request ID
>> > '20161229155655':
>> > > status: MONITORING stuck: no key pair storage:
>> > >
>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='su
>> bsystemCert
>> > > cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate:
>> > >
>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='su
>> bsystemCert
>> > > cert-pki-ca',token='NSS Certificate DB' CA:
>> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate
>> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
>> > <http://MGMT.CROSSCHX.COM> subject:
>> > > CN=CA Subsystem,O=MGMT.CROSSCHX.COM
>> > <http://MGMT.CROSSCHX.COM> <http://MGMT.CROSSCHX.COM>
>> > > expires: 2018-11-12 13:00:28 UTC key usage:
>> > >
>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipher
>> ment
>> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command:
>> > > /usr/libexec/ipa/certmonger/stop_pkicad post-save
>> command:
>> > > /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert
>> > > cert-pki-ca" track: yes auto-renew: yes Request ID
>> > '20161229155657':
>> > > status: MONITORING stuck: no key pair storage:
>> > >
>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ca
>> SigningCert
>> > > cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate:
>> > >
>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ca
>> SigningCert
>> > > cert-pki-ca',token='NSS Certificate DB' CA:
>> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate
>> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
>> > <http://MGMT.CROSSCHX.COM> subject:
>> > > CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > <http://MGMT.CROSSCHX.COM>
>> > > <http://MGMT.CROSSCHX.COM> expires: 2036-11-22 13:00:25
>> > UTC key
>> > > usage: digitalSignature,nonRepudiatio
>> n,keyCertSign,cRLSign
>> > pre-save
>> > > command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save
>> > command:
>> > > /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert
>> > > cert-pki-ca" track: yes auto-renew: yes Request ID
>> > '20161229155659':
>> > > status: MONITORING stuck: no key pair storage:
>> > >
>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Se
>> rver-Cert
>> > cert-pki-ca',token='NSS
>> > > Certificate DB',pin set certificate:
>> > >
>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Se
>> rver-Cert
>> > cert-pki-ca',token='NSS
>> > > Certificate DB' CA: dogtag-ipa-renew-agent issuer:
>> > CN=Certificate
>> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
>> > <http://MGMT.CROSSCHX.COM> subject:
>> > > CN=ipa11.mgmt.crosschx.com <http://ipa11.mgmt.crosschx.co
>> m>
>> > > <http://ipa11.mgmt.crosschx.com
>> > <http://ipa11.mgmt.crosschx.com>>,O=MGMT.CROSSCHX.COM
>> > <http://MGMT.CROSSCHX.COM>
>> > > <http://MGMT.CROSSCHX.COM> expires: 2018-12-19 15:56:20
>> > UTC key
>> > > usage:
>> > >
>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipher
>> ment
>> > > eku: id-kp-serverAuth,id-kp-clientA
>> uth,id-kp-emailProtection
>> > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> > post-save
>> > > command: /usr/libexec/ipa/certmonger/renew_ca_cert
>> > "Server-Cert
>> > > cert-pki-ca" track: yes auto-renew: yes Request ID
>> > '20161229155921':
>> > > status: MONITORING stuck: no key pair storage:
>> > >
>> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert
>> ',token='NSS
>> > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> > certificate:
>> > >
>> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert
>> ',token='NSS
>> > > Certificate DB' CA: IPA issuer: CN=Certificate
>> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
>> > <http://MGMT.CROSSCHX.COM> subject:
>> > > CN=ipa11.mgmt.crosschx.com <http://ipa11.mgmt.crosschx.co
>> m>
>> > > <http://ipa11.mgmt.crosschx.com
>> > <http://ipa11.mgmt.crosschx.com>>,O=MGMT.CROSSCHX.COM
>> > <http://MGMT.CROSSCHX.COM>
>> > > <http://MGMT.CROSSCHX.COM> expires: 2018-12-30 15:52:46
>> > UTC key
>> > > usage:
>> > >
>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipher
>> ment
>> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command:
>> > post-save
>> > > command: /usr/libexec/ipa/certmonger/restart_httpd
>> track: yes
>> > > auto-renew: yes Request ID '20161229160009': status:
>> > MONITORING
>> > > stuck: no key pair storage:
>> > >
>> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',
>> token='NSS
>> > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> > certificate:
>> > >
>> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',
>> token='NSS
>> > > Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer:
>> > CN=Certificate
>> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
>> > <http://MGMT.CROSSCHX.COM> subject:
>> > > CN=IPA RA,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM>
>> > <http://MGMT.CROSSCHX.COM> expires:
>> > > 2018-11-12 13:01:34 UTC key usage:
>> > >
>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipher
>> ment
>> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command:
>> > > /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save
>> > command:
>> > > /usr/libexec/ipa/certmonger/renew_ra_cert track: yes
>> > auto-renew: yes
>> > > ==================================
>> > > IPA13.MGMT (root)>getcert list
>> > > Number of certificates and requests being tracked: 8.
>> > > Request ID '20161229143449':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'
>> > >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB'
>> > >     CA: IPA
>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>> > >     expires: 2018-12-30 14:34:20 UTC
>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>> > >     pre-save command:
>> > >     post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM
>> > >     track: yes
>> > >     auto-renew: yes
>> > > Request ID '20161229143826':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>> > >     CA: dogtag-ipa-ca-renew-agent
>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     subject: CN=CA Audit,O=MGMT.CROSSCHX.COM
>> > >     expires: 2018-11-12 13:00:29 UTC
>> > >     key usage: digitalSignature,nonRepudiation
>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>> > >     track: yes
>> > >     auto-renew: yes
>> > > Request ID '20161229143828':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>> > >     CA: dogtag-ipa-ca-renew-agent
>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM
>> > >     expires: 2018-11-12 13:00:26 UTC
>> > >     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>> > >     eku: id-kp-OCSPSigning
>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>> > >     track: yes
>> > >     auto-renew: yes
>> > > Request ID '20161229143831':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>> > >     CA: dogtag-ipa-ca-renew-agent
>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM
>> > >     expires: 2018-11-12 13:00:28 UTC
>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>> > >     track: yes
>> > >     auto-renew: yes
>> > > Request ID '20161229143833':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>> > >     CA: dogtag-ipa-ca-renew-agent
>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     expires: 2036-11-22 13:00:25 UTC
>> > >     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>> > >     track: yes
>> > >     auto-renew: yes
>> > > Request ID '20161229143835':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>> > >     CA: dogtag-ipa-renew-agent
>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>> > >     expires: 2018-12-19 14:37:54 UTC
>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> > >     eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>> > >     track: yes
>> > >     auto-renew: yes
>> > > Request ID '20161229144057':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> > >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> > >     CA: IPA
>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>> > >     expires: 2018-12-30 14:34:23 UTC
>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>> > >     pre-save command:
>> > >     post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>> > >     track: yes
>> > >     auto-renew: yes
>> > > Request ID '20161229144146':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> > >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>> > >     CA: dogtag-ipa-ca-renew-agent
>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     subject: CN=IPA RA,O=MGMT.CROSSCHX.COM
>> > >     expires: 2018-11-12 13:01:34 UTC
>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>> > >     pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>> > >     track: yes
>> > >     auto-renew: yes
>> > > ===========================
>> > > IPA12.MGMT (root)>getcert list
>> > > Number of certificates and requests being tracked: 8.
>> > > Request ID '20161229151518':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'
>> > >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB'
>> > >     CA: IPA
>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>> > >     expires: 2018-12-30 15:14:51 UTC
>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>> > >     pre-save command:
>> > >     post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM
>> > >     track: yes
>> > >     auto-renew: yes
>> > > Request ID '20161229151850':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>> > >     CA: dogtag-ipa-ca-renew-agent
>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     subject: CN=CA Audit,O=MGMT.CROSSCHX.COM
>> > >     expires: 2018-11-12 13:00:29 UTC
>> > >     key usage: digitalSignature,nonRepudiation
>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>> > >     track: yes
>> > >     auto-renew: yes
>> > > Request ID '20161229151852':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>> > >     CA: dogtag-ipa-ca-renew-agent
>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM
>> > >     expires: 2018-11-12 13:00:26 UTC
>> > >     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>> > >     eku: id-kp-OCSPSigning
>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>> > >     track: yes
>> > >     auto-renew: yes
>> > > Request ID '20161229151854':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>> > >     CA: dogtag-ipa-ca-renew-agent
>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM
>> > >     expires: 2018-11-12 13:00:28 UTC
>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>> > >     track: yes
>> > >     auto-renew: yes
>> > > Request ID '20161229151856':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>> > >     CA: dogtag-ipa-ca-renew-agent
>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     expires: 2036-11-22 13:00:25 UTC
>> > >     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>> > >     track: yes
>> > >     auto-renew: yes
>> > > Request ID '20161229151858':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>> > >     CA: dogtag-ipa-renew-agent
>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>> > >     expires: 2018-12-19 15:18:16 UTC
>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> > >     eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>> > >     track: yes
>> > >     auto-renew: yes
>> > > Request ID '20161229152115':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> > >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> > >     CA: IPA
>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>> > >     expires: 2018-12-30 15:14:54 UTC
>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>> > >     pre-save command:
>> > >     post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>> > >     track: yes
>> > >     auto-renew: yes
>> > > Request ID '20161229152204':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> > >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>> > >     CA: dogtag-ipa-ca-renew-agent
>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     subject: CN=IPA RA,O=MGMT.CROSSCHX.COM
>> > >     expires: 2018-11-12 13:01:34 UTC
>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>> > >     pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>> > >     track: yes
>> > >     auto-renew: yes