[Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:
Michael Plemmons
michael.plemmons at crosschx.com
Wed May 10 19:35:05 UTC 2017
The PKI service came up successfully but only when it uses BasicAuth rather
than SSL auth. I am not sure about what I need to do in order to get the
auth working over SSL again.

None of the certs are expired when I run getcert list and ipa-getcert list.

Since the failure is with attempts to log in to LDAP over 636, I have been
attempting to auth to LDAP via port 636 and the ldapsearch is not
completing. When looking at packet captures, I see some of the TCP handshake
and what appears to be the start of an SSL process and then everything hangs.

What is the proper method to test performing an ldapsearch over 636? Also,
the CS.cfg shows it wants to auth as cn=Directory Manager. I can
successfully auth with cn=Directory Manager over 389 but I think I am not
performing ldapsearch over 636 correctly.

*Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
614.427.2411
mike.plemmons at crosschx.com
www.crosschx.com
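
Added example, not part of the original message and not FreeIPA's own code: shell helpers for the serial comparison described in the quoted reply below (the serial in the uid=ipara description attribute versus the serial of ipaCert), plus a simple-bind probe over ldaps:// on port 636. The function names and the sample LDIF and certutil text are constructed for illustration; the parser assumes the serial is printed inline in decimal, as with the serial 7 reported in this thread.

```shell
#!/bin/sh
# Added example (hypothetical helper names; sample data is constructed).
# Real input for the comparison would come from the two commands in the thread:
#   ldapsearch -LLL -x -D 'cn=directory manager' -W \
#       -b uid=ipara,ou=people,o=ipaca description
#   certutil -L -d /etc/httpd/alias -n ipaCert

# Constructed LDIF. The long value is folded the way ldapsearch folds it:
# a newline followed by exactly one space.
SAMPLE_LDIF='dn: uid=ipara,ou=people,o=ipaca
description: 2;7,CN=IPA RA,O=EXAMPLE.TEST,CN=Certificate Authority,O=EXAMP
 LE.TEST
'

# Constructed excerpt of certutil -L -n output.
SAMPLE_CERTUTIL='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
'

# Read LDIF on stdin, unfold continuation lines and print the value of the
# first plain-text description attribute. A base64 value ("description::")
# is not decoded and yields no output.
ldif_description() {
    awk '
        /^ / { buf = buf substr($0, 2); next }   # continuation of previous line
             { if (buf != "") print buf; buf = $0 }
        END  { if (buf != "") print buf }
    ' | sed -n 's/^description: //p' | head -n 1
}

# Print the serial from a description value in the format given in the
# thread: 2;serial#,subject,issuer. Either "," or ";" is accepted after
# the serial.
desc_serial() {
    printf '%s\n' "$1" | sed -n 's/^2;\([0-9][0-9]*\)[,;].*$/\1/p'
}

# Read certutil output on stdin and print the decimal serial from a line
# such as "Serial Number: 7 (0x7)". Serials that certutil prints as a hex
# byte string on the following line are not handled.
certutil_serial() {
    sed -n 's/^[[:space:]]*Serial Number:[[:space:]]*\([0-9][0-9]*\)[[:space:]].*$/\1/p' |
        head -n 1
}

# compare_serials LDIF_TEXT CERTUTIL_TEXT
# Returns 0 when both serials parse and match, 1 on mismatch, 2 when either
# side could not be parsed.
compare_serials() {
    _ldap_sn=$(printf '%s' "$1" | ldif_description)
    _ldap_sn=$(desc_serial "$_ldap_sn")
    _nss_sn=$(printf '%s' "$2" | certutil_serial)
    [ -n "$_ldap_sn" ] && [ -n "$_nss_sn" ] || return 2
    [ "$_ldap_sn" = "$_nss_sn" ] || return 1
    return 0
}

# ldaps_probe HOST CA_FILE
# Simple bind as Directory Manager over LDAPS on port 636, reading the root
# DSE. Not called here because it needs a live server. On an IPA host the
# CA file would be /etc/ipa/ca.crt.
ldaps_probe() {
    LDAPTLS_CACERT=$2 ldapsearch -LLL -x -H "ldaps://$1:636" \
        -D 'cn=Directory Manager' -W -s base -b '' namingContexts
}

# Offline demonstration on the constructed samples.
if compare_serials "$SAMPLE_LDIF" "$SAMPLE_CERTUTIL"; then
    echo "description serial matches ipaCert serial"
else
    echo "serials differ or could not be parsed"
fi
```

If ldaps_probe stalls before the password prompt completes, running openssl s_client -connect HOST:636 -CAfile CA_FILE separates a TLS handshake problem from a bind problem.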
On Fri, May 5, 2017 at 3:33 PM, Michael Plemmons <
michael.plemmons at crosschx.com> wrote:
> I think I found the email thread. Asking for help with crashed freeIPA
> instance. That email pointed to this link,
> https://www.redhat.com/archives/freeipa-users/2017-January/msg00215.html.
> That link talked about changing the CS.cfg file to use port 389 for PKI to
> auth to LDAP. I made the necessary changes and PKI came up successfully.
>
> On Fri, May 5, 2017 at 3:19 PM, Michael Plemmons <
> michael.plemmons at crosschx.com> wrote:
>
>>
>> On Fri, May 5, 2017 at 3:15 PM, Rob Crittenden <rcritten at redhat.com>
>> wrote:
>>
>>> Michael Plemmons wrote:
>>> > I just realized that I sent the reply directly to Rob and not to the
>>> > list. My response is inline
>>>
>>> Ok, this is actually good news.
>>>
>>> I made a similar proposal in another case and I was completely wrong.
>>> Flo had the user do something and it totally fixed their auth error, I
>>> just can't remember what it was or find the e-mail thread. I'm pretty
>>> sure it was this calendar year though.
>>>
>>> rob
>>>
>>>
>> Do you or Flo know what I could search for in the past emails to find the
>> answer to the problem?
>>
>>
>>
>>> >
>>> > On Thu, May 4, 2017 at 9:39 AM, Michael Plemmons
>>> > <michael.plemmons at crosschx.com> wrote:
>>> >
>>> >
>>> > On Thu, May 4, 2017 at 9:24 AM, Rob Crittenden
>>> > <rcritten at redhat.com> wrote:
>>> >
>>> > Michael Plemmons wrote:
>>> > > I realized that I was not very clear in my statement about testing with
>>> > > ldapsearch. I had initially run it without logging in with a DN. I was
>>> > > just running the local ldapsearch -x command. I then tested on
>>> > > ipa12.mgmt and ipa11.mgmt logging in with a full DN for the admin and
>>> > > "cn=Directory Manager" from ipa12.mgmt (broken server) and ipa11.mgmt
>>> > > and both ldapsearch commands succeeded.
>>> > >
>>> > > I ran the following from ipa12.mgmt and ipa11.mgmt as a non root user.
>>> > > I also ran the command showing a line count for the output and the line
>>> > > counts for each were the same when run from ipa12.mgmt and ipa11.mgmt.
>>> > >
>>> > > ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "DN" -w PASSWORD -b "cn=users,cn=accounts,dc=mgmt,dc=crosschx,dc=com" dn
>>> > >
>>> > > ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "cn=directory manager" -w PASSWORD dn
>>> >
>>> > The CA has its own suffix and replication agreements. Given the auth
>>> > error and recent (5 months) renewal of CA credentials I'd check that the
>>> > CA agent authentication entries are correct.
>>> >
>>> > Against each master with a CA run:
>>> >
>>> > $ ldapsearch -LLL -x -D 'cn=directory manager' -W -b uid=ipara,ou=people,o=ipaca description
>>> >
>>> > The format is 2;serial#,subject,issuer
>>> >
>>> > Then on each run:
>>> >
>>> > # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial
>>> >
>>> > The serial # should match that in the description everywhere.
>>> >
>>> > rob
>>> >
>>> >
>>> >
>>> > On the CA (IPA13.MGMT) I ran the ldapsearch command and see that the
>>> > serial number is 7. I then ran the certutil command on all three
>>> > servers and the serial number is 7 as well.
>>> >
>>> >
>>> > I also ran the ldapsearch command against the other two servers and
>>> > they also showed a serial number of 7.
>>> >
>>> > >
>>> > > On Wed, May 3, 2017 at 5:28 PM, Michael Plemmons
>>> > > <michael.plemmons at crosschx.com> wrote:
>>> > >
>>> > > I have a three node IPA cluster.
>>> > >
>>> > > ipa11.mgmt - was a master over 6 months ago
>>> > > ipa13.mgmt - current master
>>> > > ipa12.mgmt
>>> > >
>>> > > ipa13 has agreements with ipa11 and ipa12. ipa11 and ipa12 do not
>>> > > have agreements between each other.
>>> > >
>>> > > It appears that either ipa12.mgmt lost some level of its replication
>>> > > agreement with ipa13. I saw some level because users / hosts were
>>> > > replicated between all systems but we started seeing DNS was not
>>> > > resolving properly from ipa12. I do not know when this started.
>>> > >
>>> > > When looking at replication agreements on ipa12 I did not see any
>>> > > agreement with ipa13.
>>> > >
>>> > > When I run ipa-replica-manage list all three hosts show as master.
>>> > >
>>> > > When I run ipa-replica-manage ipa11.mgmt I see ipa13.mgmt is a replica.
>>> > >
>>> > > When I run ipa-replica-manage ipa12.mgmt nothing returned.
>>> > >
>>> > > I ran ipa-replica-manage connect --cacert=/etc/ipa/ca.crt
>>> > > ipa12.mgmt.crosschx.com ipa13.mgmt.crosschx.com on ipa12.mgmt
>>> > >
>>> > > I then ran the following
>>> > >
>>> > > ipa-replica-manage force-sync --from ipa13.mgmt.crosschx.com
>>> > >
>>> > > ipa-replica-manage re-initialize --from ipa13.mgmt.crosschx.com
>>> > >
>>> > > I was still seeing bad DNS returns when dig'ing against ipa12.mgmt.
>>> > > I was able to create user and DNS records and see the information
>>> > > replicated properly across all three nodes.
>>> > >
>>> > > I then ran ipactl stop on ipa12.mgmt and then ipactl start on
>>> > > ipa12.mgmt because I wanted to make sure everything was running
>>> > > fresh after the changes above. While IPA was starting up (DNS
>>> > > started) we were able to see valid DNS queries returned but
>>> > > pki-tomcat would not start.
>>> > >
>>> > > I am not sure what I need to do in order to get this working. I
>>> > > have included the output of certutil and getcert below from all
>>> > > three servers as well as the debug output for pki.
>>> > >
>>> > >
>>> > > While the IPA system is coming up I am able to successfully run
>>> > > ldapsearch -x as the root user and see results. I am also able to
>>> > > login with the "cn=Directory Manager" account and see results.
>>> > >
>>> > >
>>> > > The debug log shows the following error.
>>> > >
>>> > >
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: ============================================
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED =======
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: ============================================
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=debug
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized debug
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=log
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=log
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=log
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized log
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=jss
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=jss
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized jss
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=dbs
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem)
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory: init
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init()
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init begins
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init ends
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: init: before makeConnection errorIfDown is true
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: makeConnection: errorIfDown true
>>> > > [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
>>> > > [03/May/2017:21:22:02][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
>>> > > [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
>>> > > [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
>>> > > [03/May/2017:21:22:02][localhost-startStop-1]: SSL handshake happened
>>> > > Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
>>> > >   at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
>>> > >   at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
>>> > >   at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
>>> > >   at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
>>> > >   at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
>>> > >   at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
>>> > >   at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
>>> > >   at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>>> > >   at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
>>> > >   at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>>> > >   at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>>> > >   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> > >   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>> > >   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> > >   at java.lang.reflect.Method.invoke(Method.java:498)
>>> > >   at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>>> > >   at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>>> > >   at java.security.AccessController.doPrivileged(Native Method)
>>> > >   at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>>> > >   at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
>>> > >   at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
>>> > >   at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
>>> > >   at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
>>> > >   at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
>>> > >   at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
>>> > >   at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
>>> > >   at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
>>> > >   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>>> > >   at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
>>> > >   at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>>> > >   at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>>> > >   at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>>> > >   at java.security.AccessController.doPrivileged(Native Method)
>>> > >   at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
>>> > >   at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>>> > >   at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
>>> > >   at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
>>> > >   at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>>> > >   at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>> > >   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>> > >   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>> > >   at java.lang.Thread.run(Thread.java:745)
>>> > > Internal Database Error encountered: Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
>>> > >   at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
>>> > >   at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
>>> > >   at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
>>> > >   at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
>>> > >   at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>>> > >   at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
>>> > >   at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>>> > >   at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>>> > >   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> > >   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>> > >   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> > >   at java.lang.reflect.Method.invoke(Method.java:498)
>>> > >   at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>>> > >   at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>>> > >   at java.security.AccessController.doPrivileged(Native Method)
>>> > >   at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>>> > >   at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
>>> > >   at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
>>> > >   at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
>>> > >   at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
>>> > >   at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
>>> > >   at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
>>> > >   at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
>>> > >   at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
>>> > >   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>>> > >   at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
>>> > >   at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>>> > >   at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>>> > >   at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>>> > >   at java.security.AccessController.doPrivileged(Native Method)
>>> > >   at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
>>> > >   at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>>> > >   at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
>>> > >   at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
>>> > >   at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>>> > >   at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>> > >   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>> > >   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>> > >   at java.lang.Thread.run(Thread.java:745)
>>> > > [03/May/2017:21:22:02][localhost-startStop-1]: CMSEngine.shutdown()
>>> > >
>>> > >
>>> > > =============================
>>> > >
>>> > >
>>> > > IPA11.MGMT
>>> > >
>>> > > (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
>>> > >
>>> > > Certificate Nickname              Trust Attributes
>>> > >                                   SSL,S/MIME,JAR/XPI
>>> > >
>>> > > Server-Cert                       u,u,u
>>> > > MGMT.CROSSCHX.COM IPA CA          CT,C,C
>>> > >
>>> > > (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
>>> > >
>>> > > Certificate Nickname              Trust Attributes
>>> > >                                   SSL,S/MIME,JAR/XPI
>>> > >
>>> > > caSigningCert cert-pki-ca         CTu,Cu,Cu
>>> > > auditSigningCert cert-pki-ca      u,u,Pu
>>> > > ocspSigningCert cert-pki-ca       u,u,u
>>> > > subsystemCert cert-pki-ca         u,u,u
>>> > > Server-Cert cert-pki-ca           u,u,u
>>> > >
>>> > > IPA13.MGMT
>>> > >
>>> > > (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
>>> > >
>>> > > Certificate Nickname              Trust Attributes
>>> > >                                   SSL,S/MIME,JAR/XPI
>>> > >
>>> > > Server-Cert                       u,u,u
>>> > > MGMT.CROSSCHX.COM IPA CA          CT,C,C
>>> > >
>>> > > (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
>>> > >
>>> > > Certificate Nickname              Trust Attributes
>>> > >                                   SSL,S/MIME,JAR/XPI
>>> > >
>>> > > caSigningCert cert-pki-ca         CTu,Cu,Cu
>>> > > auditSigningCert cert-pki-ca      u,u,Pu
>>> > > ocspSigningCert cert-pki-ca       u,u,u
>>> > > subsystemCert cert-pki-ca         u,u,u
>>> > > Server-Cert cert-pki-ca           u,u,u
>>> > >
>>> > > IPA12.MGMT
>>> > >
>>> > > (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
>>> > >
>>> > > Certificate Nickname              Trust Attributes
>>> > >                                   SSL,S/MIME,JAR/XPI
>>> > >
>>> > > Server-Cert                       u,u,u
>>> > > MGMT.CROSSCHX.COM IPA CA          C,,
>>> > >
>>> > > (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
>>> > >
>>> > > Certificate Nickname              Trust Attributes
>>> > >                                   SSL,S/MIME,JAR/XPI
>>> > >
>>> > > caSigningCert cert-pki-ca         CTu,Cu,Cu
>>> > > auditSigningCert cert-pki-ca      u,u,Pu
>>> > > ocspSigningCert cert-pki-ca       u,u,u
>>> > > subsystemCert cert-pki-ca         u,u,u
>>> > > Server-Cert cert-pki-ca           u,u,u
>>> > >
>>> > > =================================================
>>> > >
>>> > > IPA11.MGMT
>>> > >
>>> > > (root)>getcert list
>>> > > Number of certificates and requests being tracked: 8.
>>> > > Request ID '20161229155314':
>>> > >     status: MONITORING
>>> > >     stuck: no
>>> > >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'
>>> > >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB'
>>> > >     CA: IPA
>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>> > >     expires: 2018-12-30 15:52:43 UTC
>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>>> > >     pre-save command:
>>> > >     post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM
>>> > >     track: yes
>>> > >     auto-renew: yes
>>> > > Request ID '20161229155652':
>>> > >     status: MONITORING
>>> > >     stuck: no
>>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>> > >     CA: dogtag-ipa-ca-renew-agent
>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     subject: CN=CA Audit,O=MGMT.CROSSCHX.COM
>>> > >     expires: 2018-11-12 13:00:29 UTC
>>> > >     key usage: digitalSignature,nonRepudiation
>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>> > >     track: yes
>>> > >     auto-renew: yes
>>> > > Request ID '20161229155654':
>>> > >     status: MONITORING
>>> > >     stuck: no
>>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>> > >     CA: dogtag-ipa-ca-renew-agent
>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM
>>> > >     expires: 2018-11-12 13:00:26 UTC
>>> > >     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>> > >     eku: id-kp-OCSPSigning
>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>> > >     track: yes
>>> > >     auto-renew: yes
>>> > > Request ID '20161229155655':
>>> > >     status: MONITORING
>>> > >     stuck: no
>>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>> > >     CA: dogtag-ipa-ca-renew-agent
>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM
>>> > >     expires: 2018-11-12 13:00:28 UTC
>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>> > >     track: yes
>>> > >     auto-renew: yes
>>> > > Request ID '20161229155657':
>>> > >     status: MONITORING
>>> > >     stuck: no
>>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>> > >     CA: dogtag-ipa-ca-renew-agent
>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     expires: 2036-11-22 13:00:25 UTC
>>> > >     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>>> > >     track: yes
>>> > >     auto-renew: yes
>>> > > Request ID '20161229155659':
>>> > >     status: MONITORING
>>> > >     stuck: no
>>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>> > >     CA: dogtag-ipa-renew-agent
>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>> > >     expires: 2018-12-19 15:56:20 UTC
>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>>> > >     track: yes
>>> > >     auto-renew: yes
>>> > > Request ID '20161229155921':
>>> > >     status: MONITORING
>>> > >     stuck: no
>>> > >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> > >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>> > >     CA: IPA
>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>> > >     expires: 2018-12-30 15:52:46 UTC
>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>>> > >     pre-save command:
>>> > >     post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>>> > >     track: yes
>>> > >     auto-renew: yes
>>> > > Request ID '20161229160009':
>>> > >     status: MONITORING
>>> > >     stuck: no
>>> > >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> > >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>> > >     CA: dogtag-ipa-ca-renew-agent
>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     subject: CN=IPA RA,O=MGMT.CROSSCHX.COM
>>> > >     expires: 2018-11-12 13:01:34 UTC
>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>>> > >     pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>> > >     track: yes
>>> > >     auto-renew: yes
>>> > >
>>> > > ================================== IPA13.MGMT (root)>getcert list
>>> > > Number of certificates and requests being tracked: 8.
>>> > > Request ID '20161229143449':
>>> > >     status: MONITORING
>>> > >     stuck: no
>>> > >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'
>>> > >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB'
>>> > >     CA: IPA
>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>> > >     expires: 2018-12-30 14:34:20 UTC
>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>>> > >     pre-save command:
>>> > >     post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM
>>> > >     track: yes
>>> > >     auto-renew: yes
>>> > > Request ID '20161229143826':
>>> > >     status: MONITORING
>>> > >     stuck: no
>>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>> > >     CA: dogtag-ipa-ca-renew-agent
>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     subject: CN=CA Audit,O=MGMT.CROSSCHX.COM
>>> > >     expires: 2018-11-12 13:00:29 UTC
>>> > >     key usage: digitalSignature,nonRepudiation
>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>> > >     track: yes
>>> > >     auto-renew: yes
>>> > > Request ID '20161229143828':
>>> > >     status: MONITORING
>>> > >     stuck: no
>>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>> > >     CA: dogtag-ipa-ca-renew-agent
>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM
>>> > >     expires: 2018-11-12 13:00:26 UTC
>>> > >     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>> > >     eku: id-kp-OCSPSigning
>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>> > >     track: yes
>>> > >     auto-renew: yes
>>> > > Request ID '20161229143831':
>>> > >     status: MONITORING
>>> > >     stuck: no
>>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>> > >     CA: dogtag-ipa-ca-renew-agent
>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM
>>> > >     expires: 2018-11-12 13:00:28 UTC
>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>> > >     track: yes
>>> > >     auto-renew: yes
>>> > > Request ID '20161229143833':
>>> > >     status: MONITORING
>>> > >     stuck: no
>>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>> > >     CA: dogtag-ipa-ca-renew-agent
>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     expires: 2036-11-22 13:00:25 UTC
>>> > >     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>>> > >     track: yes
>>> > >     auto-renew: yes
>>> > > Request ID '20161229143835':
>>> > >     status: MONITORING
>>> > >     stuck: no
>>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>> > >     CA: dogtag-ipa-renew-agent
>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>> > >     expires: 2018-12-19 14:37:54 UTC
>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>>> > >     track: yes
>>> > >     auto-renew: yes
>>> > > Request ID '20161229144057':
>>> > >     status: MONITORING
>>> > >     stuck: no
>>> > >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> > >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>> > >     CA: IPA
>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>> > >     expires: 2018-12-30 14:34:23 UTC
>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>>> > >     pre-save command:
>>> > >     post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>>> > >     track: yes
>>> > >     auto-renew: yes
>>> > > Request ID '20161229144146':
>>> > >     status: MONITORING
>>> > >     stuck: no
>>> > >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> > >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>> > >     CA: dogtag-ipa-ca-renew-agent
>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     subject: CN=IPA RA,O=MGMT.CROSSCHX.COM
>>> > >     expires: 2018-11-12 13:01:34 UTC
>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>>> > >     pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>> > >     track: yes
>>> > >     auto-renew: yes
>>> > > =========================== IPA12.MGMT (root)>getcert list
>>> > > Number of certificates and requests being tracked: 8.
>>> > > Request ID '20161229151518':
>>> > >     status: MONITORING
>>> > >     stuck: no
>>> > >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'
>>> > >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB'
>>> > >     CA: IPA
>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>> > >     expires: 2018-12-30 15:14:51 UTC
>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>>> > >     pre-save command:
>>> > >     post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM
>>> > >     track: yes
>>> > >     auto-renew: yes
>>> > > Request ID '20161229151850':
>>> > >     status: MONITORING
>>> > >     stuck: no
>>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>> > >     CA: dogtag-ipa-ca-renew-agent
>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     subject: CN=CA Audit,O=MGMT.CROSSCHX.COM
>>> > >     expires: 2018-11-12 13:00:29 UTC
>>> > >     key usage: digitalSignature,nonRepudiation
>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>> > >     track: yes
>>> > >     auto-renew: yes
>>> > > Request ID '20161229151852':
>>> > >     status: MONITORING
>>> > >     stuck: no
>>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>> > >     CA: dogtag-ipa-ca-renew-agent
>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM
>>> > >     expires: 2018-11-12 13:00:26 UTC
>>> > >     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>> > >     eku: id-kp-OCSPSigning
>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>> > >     track: yes
>>> > >     auto-renew: yes
>>> > > Request ID '20161229151854':
>>> > >     status: MONITORING
>>> > >     stuck: no
>>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>> > >     CA: dogtag-ipa-ca-renew-agent
>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM
>>> > >     expires: 2018-11-12 13:00:28 UTC
>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>> > >     track: yes
>>> > >     auto-renew: yes
>>> > > Request ID '20161229151856':
>>> > >     status: MONITORING
>>> > >     stuck: no
>>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>> > >     CA: dogtag-ipa-ca-renew-agent
>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     expires: 2036-11-22 13:00:25 UTC
>>> > >     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>>> > >     track: yes
>>> > >     auto-renew: yes
>>> > > Request ID '20161229151858':
>>> > >     status: MONITORING
>>> > >     stuck: no
>>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>> > >     CA: dogtag-ipa-renew-agent
>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>> > >     expires: 2018-12-19 15:18:16 UTC
>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>>> > >     track: yes
>>> > >     auto-renew: yes
>>> > > Request ID '20161229152115':
>>> > >     status: MONITORING
>>> > >     stuck: no
>>> > >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> > >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>> > >     CA: IPA
>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>> > >     expires: 2018-12-30 15:14:54 UTC
>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>>> > >     pre-save command:
>>> > >     post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>>> > >     track: yes
>>> > >     auto-renew: yes
>>> > > Request ID '20161229152204':
>>> > >     status: MONITORING
>>> > >     stuck: no
>>> > >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> > >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>> > >     CA: dogtag-ipa-ca-renew-agent
>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     subject: CN=IPA RA,O=MGMT.CROSSCHX.COM
>>> > >     expires: 2018-11-12 13:01:34 UTC
>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>>> > >     pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>> > >     track: yes
>>> > >     auto-renew: yes
>>> > >
>>> > >
>>> > > *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
>>> > > 614.427.2411
>>> > > mike.plemmons at crosschx.com
>>> > > www.crosschx.com