[Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:
Michael Plemmons
michael.plemmons at crosschx.com
Mon May 15 18:33:04 UTC 2017
I have done more searching in my logs and I see the following errors.
This is in the localhost log file /var/lib/pki/pki-tomcat/logs
May 15, 2017 3:08:08 PM org.apache.catalina.core.ApplicationContext log
SEVERE: StandardWrapper.Throwable
java.lang.NullPointerException
May 15, 2017 3:08:08 PM org.apache.catalina.core.StandardContext loadOnStartup
SEVERE: Servlet [castart] in web application [/ca] threw load() exception
java.lang.NullPointerException
May 15, 2017 3:08:09 PM org.apache.catalina.core.StandardHostValve invoke
SEVERE: Exception Processing /ca/admin/ca/getStatus
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Looking at the debug log it says Authentication failed for port 636.
[15/May/2017:17:39:25][localhost-startStop-1]: LdapAuthInfo: init()
[15/May/2017:17:39:25][localhost-startStop-1]: LdapAuthInfo: init begins
[15/May/2017:17:39:25][localhost-startStop-1]: LdapAuthInfo: init ends
[15/May/2017:17:39:25][localhost-startStop-1]: init: before makeConnection errorIfDown is true
[15/May/2017:17:39:25][localhost-startStop-1]: makeConnection: errorIfDown true
[15/May/2017:17:39:25][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
[15/May/2017:17:39:25][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
[15/May/2017:17:39:25][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
[15/May/2017:17:39:25][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
[15/May/2017:17:39:25][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
I looked at the validity of the cert it mentions and it is fine.
(root)>getcert status -v -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'
State MONITORING, stuck: no.
I then looked at the ldap errors around the time of this failure and I am
seeing this log entry.
[15/May/2017:17:38:42.063080758 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa12.mgmt.crosschx.com at MGMT.CROSSCHX.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
When I perform a klist against that keytab nothing appears out of the
ordinary compared to working IPA servers.
I am not sure what to look at next.
*Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
614.427.2411
mike.plemmons at crosschx.com
www.crosschx.com
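
An added illustration, not part of the original message and not Dogtag code: a Python sketch that rejoins wrapped PKI debug-log lines like the ones quoted above and reports each LDAP connection failure together with what the client-certificate selection callback logged just before it. The function names and the fields of each finding are made up for this example; the sample text is the excerpt from the post.

```python
import re

# Constructed sample: the PKI debug-log lines from the post, hard-wrapped the
# way a mail client wraps them, so the parser has to rejoin continuations.
SAMPLE_LOG = """\
[15/May/2017:17:39:25][localhost-startStop-1]: init: before makeConnection
errorIfDown is true
[15/May/2017:17:39:25][localhost-startStop-1]: makeConnection: errorIfDown
true
[15/May/2017:17:39:25][localhost-startStop-1]:
SSLClientCertificateSelectionCB: Setting desired cert nickname to:
subsystemCert cert-pki-ca
[15/May/2017:17:39:25][localhost-startStop-1]: LdapJssSSLSocket: set client
auth cert nickname subsystemCert cert-pki-ca
[15/May/2017:17:39:25][localhost-startStop-1]:
SSLClientCertificatSelectionCB: Entering!
[15/May/2017:17:39:25][localhost-startStop-1]:
SSLClientCertificateSelectionCB: returning: null
[15/May/2017:17:39:25][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636
Error netscape.ldap.LDAPException: Authentication failed (48)
"""

# A record starts with [timestamp][thread]: and anything else continues the
# previous record (wrapped text, the "Could not connect" line, stack frames).
PREFIX = re.compile(
    r"^\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2})\]\[([^\]]+)\]:\s*(.*)$"
)
WANTED = re.compile(r"Setting desired cert nickname to:\s*(.+)$")
# The log spells the class both "Certificate" and "Certificat"; accept either.
RETURNED = re.compile(r"SSLClientCertificate?SelectionCB: returning:\s*(\S.*)$")
FAILED = re.compile(
    r"Could not connect to LDAP server host (\S+) port (\d+)\s+"
    r"Error \S+: (.*?) \((\d+)\)"
)


def parse_records(text):
    """Split the log into records, gluing unprefixed lines onto the last one."""
    records = []
    for line in text.splitlines():
        m = PREFIX.match(line)
        if m:
            records.append(
                {"time": m.group(1), "thread": m.group(2), "msg": m.group(3).strip()}
            )
        elif records and line.strip():
            rec = records[-1]
            rec["msg"] = (rec["msg"] + " " + line.strip()).strip()
    return records


def find_client_auth_failures(text):
    """Return one finding per failed LDAP connection, with the certificate
    nickname that was requested and the value the callback logged."""
    findings = []
    state = {}  # per thread: nickname requested, value the callback returned
    for rec in parse_records(text):
        st = state.setdefault(rec["thread"], {"wanted": None, "returned": None})
        m = WANTED.search(rec["msg"])
        if m:
            st["wanted"], st["returned"] = m.group(1).strip(), None
            continue
        m = RETURNED.search(rec["msg"])
        if m:
            st["returned"] = m.group(1).strip()
        m = FAILED.search(rec["msg"])
        if m:
            findings.append({
                "time": rec["time"],
                "host": m.group(1),
                "port": int(m.group(2)),
                "ldap_message": m.group(3),
                # 48 is the LDAP result code inappropriateAuthentication
                "ldap_code": int(m.group(4)),
                "wanted_nickname": st["wanted"],
                "callback_returned": st["returned"],
                # True when the callback logged "returning: null", i.e. no
                # nickname was handed back for the TLS client authentication
                "no_client_cert_selected": st["returned"] == "null",
            })
            state.pop(rec["thread"])
    return findings


if __name__ == "__main__":
    for finding in find_client_auth_failures(SAMPLE_LOG):
        print(finding)
```
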
On Wed, May 10, 2017 at 3:35 PM, Michael Plemmons <michael.plemmons at crosschx.com> wrote:
> The PKI service came up successfully but only when it uses BasicAuth
> rather than SSL auth. I am not sure about what I need to do in order to
> get the auth working over SSL again.
>
> None of the certs are expired when I run getcert list and ipa-getcert list.
>
> Since the failure is with attempts to log in to LDAP over 636, I have been
> attempting to auth to LDAP via port 636 and the ldapsearch is not
> completing. When looking at packet captures, I see some of the TCP handshake
> and what appears to be the start of an SSL process and then everything hangs.
>
> What is the proper method to test performing a ldapsearch over 636? Also,
> the CS.cfg shows it wants to auth as cn=Directory Manager. I can
> successfully auth with cn=Directory Manager over 389 but I think I am not
> performing ldapsearch over 636 correctly.
>
>
> On Fri, May 5, 2017 at 3:33 PM, Michael Plemmons <michael.plemmons at crosschx.com> wrote:
>
>> I think I found the email thread. Asking for help with crashed freeIPA
>> istance. That email pointed to this link,
>> https://www.redhat.com/archives/freeipa-users/2017-January/msg00215.html.
>> That link talked about changing the CS.cfg file to use port 389 for PKI to
>> auth to LDAP. I made the necessary changes and PKI came up successfully.
>>
>>
>> On Fri, May 5, 2017 at 3:19 PM, Michael Plemmons <michael.plemmons at crosschx.com> wrote:
>>
>>>
>>> On Fri, May 5, 2017 at 3:15 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>
>>>> Michael Plemmons wrote:
>>>> > I just realized that I sent the reply directly to Rob and not to the
>>>> > list. My response is inline
>>>>
>>>> Ok, this is actually good news.
>>>>
>>>> I made a similar proposal in another case and I was completely wrong.
>>>> Flo had the user do something and it totally fixed their auth error, I
>>>> just can't remember what it was or find the e-mail thread. I'm pretty
>>>> sure it was this calendar year though.
>>>>
>>>> rob
>>>>
>>>>
>>> Do you or Flo know what I could search for in the past emails to find
>>> the answer to the problem?
>>>
>>>> > On Thu, May 4, 2017 at 9:39 AM, Michael Plemmons <michael.plemmons at crosschx.com> wrote:
>>>> >
>>>> >
>>>> > On Thu, May 4, 2017 at 9:24 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>> >
>>>> > Michael Plemmons wrote:
>>>> > > I realized that I was not very clear in my statement about testing with
>>>> > > ldapsearch. I had initially run it without logging in with a DN. I was
>>>> > > just running the local ldapsearch -x command. I then tested on
>>>> > > ipa12.mgmt and ipa11.mgmt logging in with a full DN for the admin and
>>>> > > "cn=Directory Manager" from ipa12.mgmt (broken server) and ipa11.mgmt
>>>> > > and both ldapsearch commands succeeded.
>>>> > >
>>>> > > I ran the following from ipa12.mgmt and ipa11.mgmt as a non root user.
>>>> > > I also ran the command showing a line count for the output and the line
>>>> > > counts for each were the same when run from ipa12.mgmt and ipa11.mgmt.
>>>> > >
>>>> > > ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "DN" -w PASSWORD -b "cn=users,cn=accounts,dc=mgmt,dc=crosschx,dc=com" dn
>>>> > >
>>>> > > ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "cn=directory manager" -w PASSWORD dn
>>>> >
>>>> > The CA has its own suffix and replication agreements. Given the auth
>>>> > error and recent (5 months) renewal of CA credentials I'd check that the
>>>> > CA agent authentication entries are correct.
>>>> >
>>>> > Against each master with a CA run:
>>>> >
>>>> > $ ldapsearch -LLL -x -D 'cn=directory manager' -W -b uid=ipara,ou=people,o=ipaca description
>>>> >
>>>> > The format is 2;serial#,subject,issuer
>>>> >
>>>> > Then on each run:
>>>> >
>>>> > # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial
>>>> >
>>>> > The serial # should match that in the description everywhere.
>>>> >
>>>> > rob
>>>> >
>>>> > On the CA (IPA13.MGMT) I ran the ldapsearch command and see that the
>>>> > serial number is 7. I then ran the certutil command on all three
>>>> > servers and the serial number is 7 as well.
>>>> >
>>>> > I also ran the ldapsearch command against the other two servers and
>>>> > they also showed a serial number of 7.
>>>> >
>>>> > > On Wed, May 3, 2017 at 5:28 PM, Michael Plemmons <michael.plemmons at crosschx.com> wrote:
>>>> > >
>>>> > > I have a three node IPA cluster.
>>>> > >
>>>> > > ipa11.mgmt - was a master over 6 months ago
>>>> > > ipa13.mgmt - current master
>>>> > > ipa12.mgmt
>>>> > >
>>>> > > ipa13 has agreements with ipa11 and ipa12. ipa11 and ipa12 do not
>>>> > > have agreements between each other.
>>>> > >
>>>> > > It appears that either ipa12.mgmt lost some level of its replication
>>>> > > agreement with ipa13. I saw some level because users / hosts were
>>>> > > replicated between all systems but we started seeing DNS was not
>>>> > > resolving properly from ipa12. I do not know when this started.
>>>> > >
>>>> > > When looking at replication agreements on ipa12 I did not see any
>>>> > > agreement with ipa13.
>>>> > >
>>>> > > When I run ipa-replica-manage list all three hosts show as master.
>>>> > >
>>>> > > When I run ipa-replica-manage ipa11.mgmt I see ipa13.mgmt is a replica.
>>>> > >
>>>> > > When I run ipa-replica-manage ipa12.mgmt nothing returned.
>>>> > >
>>>> > > I ran ipa-replica-manage connect --cacert=/etc/ipa/ca.crt ipa12.mgmt.crosschx.com ipa13.mgmt.crosschx.com on ipa12.mgmt
>>>> > >
>>>> > > I then ran the following
>>>> > >
>>>> > > ipa-replica-manage force-sync --from ipa13.mgmt.crosschx.com
>>>> > >
>>>> > > ipa-replica-manage re-initialize --from ipa13.mgmt.crosschx.com
>>>> > >
>>>> > > I was still seeing bad DNS returns when dig'ing against ipa12.mgmt.
>>>> > > I was able to create user and DNS records and see the information
>>>> > > replicated properly across all three nodes.
>>>> > >
>>>> > > I then ran ipactl stop on ipa12.mgmt and then ipactl start on
>>>> > > ipa12.mgmt because I wanted to make sure everything was running
>>>> > > fresh after the changes above. While IPA was starting up (DNS
>>>> > > started) we were able to see valid DNS queries returned but
>>>> > > pki-tomcat would not start.
>>>> > >
>>>> > > I am not sure what I need to do in order to get this working. I
>>>> > > have included the output of certutil and getcert below from all
>>>> > > three servers as well as the debug output for pki.
>>>> > >
>>>> > > While the IPA system is coming up I am able to successfully run
>>>> > > ldapsearch -x as the root user and see results. I am also able to
>>>> > > log in with the "cn=Directory Manager" account and see results.
>>>> > >
>>>> > > The debug log shows the following error.
>>>> > >
>>>> > >
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: ============================================
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED =======
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: ============================================
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=debug
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized debug
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=log
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=log
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=log
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized log
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=jss
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=jss
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized jss
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=dbs
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem)
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory: init
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init()
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init begins
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init ends
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: init: before makeConnection errorIfDown is true
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: makeConnection: errorIfDown true
>>>> > > [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
>>>> > > [03/May/2017:21:22:02][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
>>>> > > [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
>>>> > > [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
>>>> > > [03/May/2017:21:22:02][localhost-startStop-1]: SSL handshake happened
>>>> > > Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
>>>> > >     at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
>>>> > >     at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
>>>> > >     at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
>>>> > >     at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
>>>> > >     at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
>>>> > >     at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
>>>> > >     at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
>>>> > >     at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>>>> > >     at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
>>>> > >     at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>>>> > >     at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>>>> > >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>> > >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>> > >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>> > >     at java.lang.reflect.Method.invoke(Method.java:498)
>>>> > >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>>>> > >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>>>> > >     at java.security.AccessController.doPrivileged(Native Method)
>>>> > >     at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>>>> > >     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
>>>> > >     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
>>>> > >     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
>>>> > >     at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
>>>> > >     at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
>>>> > >     at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
>>>> > >     at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
>>>> > >     at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
>>>> > >     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>>>> > >     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
>>>> > >     at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>>>> > >     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>>>> > >     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>>>> > >     at java.security.AccessController.doPrivileged(Native Method)
>>>> > >     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
>>>> > >     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>>>> > >     at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
>>>> > >     at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
>>>> > >     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>>>> > >     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>>> > >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>> > >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>> > >     at java.lang.Thread.run(Thread.java:745)
>>>> > > Internal Database Error encountered: Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
>>>> > >     at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
>>>> > >     at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
>>>> > >     at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
>>>> > >     at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
>>>> > >     at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>>>> > >     at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
>>>> > >     at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>>>> > >     at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>>>> > >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>> > >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>> > >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>> > >     at java.lang.reflect.Method.invoke(Method.java:498)
>>>> > >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>>>> > >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>>>> > >     at java.security.AccessController.doPrivileged(Native Method)
>>>> > >     at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>>>> > >     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
>>>> > >     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
>>>> > >     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
>>>> > >     at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
>>>> > >     at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
>>>> > >     at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
>>>> > >     at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
>>>> > >     at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
>>>> > >     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>>>> > >     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
>>>> > >     at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>>>> > >     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>>>> > >     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>>>> > >     at java.security.AccessController.doPrivileged(Native Method)
>>>> > >     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
>>>> > >     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>>>> > >     at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
>>>> > >     at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
>>>> > >     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>>>> > >     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>>> > >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>> > >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>> > >     at java.lang.Thread.run(Thread.java:745)
>>>> > > [03/May/2017:21:22:02][localhost-startStop-1]: CMSEngine.shutdown()
>>>> > >
>>>> > >
>>>> > > =============================
>>>> > >
>>>> > >
>>>> > > IPA11.MGMT
>>>> > >
>>>> > > (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
>>>> > > Certificate Nickname                  Trust Attributes
>>>> > >                                       SSL,S/MIME,JAR/XPI
>>>> > > Server-Cert                           u,u,u
>>>> > > MGMT.CROSSCHX.COM IPA CA              CT,C,C
>>>> > >
>>>> > > (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
>>>> > > Certificate Nickname                  Trust Attributes
>>>> > >                                       SSL,S/MIME,JAR/XPI
>>>> > > caSigningCert cert-pki-ca             CTu,Cu,Cu
>>>> > > auditSigningCert cert-pki-ca          u,u,Pu
>>>> > > ocspSigningCert cert-pki-ca           u,u,u
>>>> > > subsystemCert cert-pki-ca             u,u,u
>>>> > > Server-Cert cert-pki-ca               u,u,u
>>>> > >
>>>> > > IPA13.MGMT
>>>> > >
>>>> > > (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
>>>> > > Certificate Nickname                  Trust Attributes
>>>> > >                                       SSL,S/MIME,JAR/XPI
>>>> > > Server-Cert                           u,u,u
>>>> > > MGMT.CROSSCHX.COM IPA CA              CT,C,C
>>>> > >
>>>> > > (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
>>>> > > Certificate Nickname                  Trust Attributes
>>>> > >                                       SSL,S/MIME,JAR/XPI
>>>> > > caSigningCert cert-pki-ca             CTu,Cu,Cu
>>>> > > auditSigningCert cert-pki-ca          u,u,Pu
>>>> > > ocspSigningCert cert-pki-ca           u,u,u
>>>> > > subsystemCert cert-pki-ca             u,u,u
>>>> > > Server-Cert cert-pki-ca               u,u,u
>>>> > >
>>>> > > IPA12.MGMT
>>>> > >
>>>> > > (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
>>>> > > Certificate Nickname                  Trust Attributes
>>>> > >                                       SSL,S/MIME,JAR/XPI
>>>> > > Server-Cert                           u,u,u
>>>> > > MGMT.CROSSCHX.COM IPA CA              C,,
>>>> > >
>>>> > > (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
>>>> > > Certificate Nickname                  Trust Attributes
>>>> > >                                       SSL,S/MIME,JAR/XPI
>>>> > > caSigningCert cert-pki-ca             CTu,Cu,Cu
>>>> > > auditSigningCert cert-pki-ca          u,u,Pu
>>>> > > ocspSigningCert cert-pki-ca           u,u,u
>>>> > > subsystemCert cert-pki-ca             u,u,u
>>>> > > Server-Cert cert-pki-ca               u,u,u
>>>> > >
>>>> > > =================================================
>>>> IPA11.MGMT
>>>> > > (root)>getcert list Number of certificates and requests
>>>> being
>>>> > > tracked: 8. Request ID '20161229155314': status:
>>>> > MONITORING stuck:
>>>> > > no key pair storage:
>>>> > >
>>>> > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',ni
>>>> ckname='Server-Cert',token='NSS
>>>> > > Certificate
>>>> > > DB',pinfile='/etc/dirsrv/slap
>>>> d-MGMT-CROSSCHX-COM/pwdfile.txt'
>>>> > > certificate:
>>>> > >
>>>> > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',ni
>>>> ckname='Server-Cert',token='NSS
>>>> > > Certificate DB' CA: IPA issuer: CN=Certificate
>>>> > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM
>>>> >
>>>> > <http://MGMT.CROSSCHX.COM> subject:
>>>> > > CN=ipa11.mgmt.crosschx.com <
>>>> http://ipa11.mgmt.crosschx.com>
>>>> > > <http://ipa11.mgmt.crosschx.com
>>>> > <http://ipa11.mgmt.crosschx.com>>,O=MGMT.CROSSCHX.COM
>>>> > <http://MGMT.CROSSCHX.COM>
>>>> > > <http://MGMT.CROSSCHX.COM> expires: 2018-12-30 15:52:43
>>>> > UTC key
>>>> > > usage:
>>>> > >
>>>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipher
>>>> ment
>>>> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save
>>>> command:
>>>> > post-save
>>>> > > command: /usr/libexec/ipa/certmonger/restart_dirsrv
>>>> > > MGMT-CROSSCHX-COM track: yes auto-renew: yes Request ID
>>>> > > '20161229155652': status: MONITORING stuck: no key pair
>>>> > storage:
>>>> > >
>>>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='au
>>>> ditSigningCert
>>>> > > cert-pki-ca',token='NSS Certificate DB',pin set
>>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>> > >     CA: dogtag-ipa-ca-renew-agent
>>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>>> > >     subject: CN=CA Audit,O=MGMT.CROSSCHX.COM
>>>> > >     expires: 2018-11-12 13:00:29 UTC
>>>> > >     key usage: digitalSignature,nonRepudiation
>>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>>> > >     track: yes
>>>> > >     auto-renew: yes
>>>> > > Request ID '20161229155654':
>>>> > >     status: MONITORING
>>>> > >     stuck: no
>>>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>> > >     CA: dogtag-ipa-ca-renew-agent
>>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>>> > >     subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM
>>>> > >     expires: 2018-11-12 13:00:26 UTC
>>>> > >     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>> > >     eku: id-kp-OCSPSigning
>>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>>> > >     track: yes
>>>> > >     auto-renew: yes
>>>> > > Request ID '20161229155655':
>>>> > >     status: MONITORING
>>>> > >     stuck: no
>>>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>> > >     CA: dogtag-ipa-ca-renew-agent
>>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>>> > >     subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM
>>>> > >     expires: 2018-11-12 13:00:28 UTC
>>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>>> > >     track: yes
>>>> > >     auto-renew: yes
>>>> > > Request ID '20161229155657':
>>>> > >     status: MONITORING
>>>> > >     stuck: no
>>>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>> > >     CA: dogtag-ipa-ca-renew-agent
>>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>>> > >     subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>>> > >     expires: 2036-11-22 13:00:25 UTC
>>>> > >     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>>>> > >     track: yes
>>>> > >     auto-renew: yes
>>>> > > Request ID '20161229155659':
>>>> > >     status: MONITORING
>>>> > >     stuck: no
>>>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>>> > >     CA: dogtag-ipa-renew-agent
>>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>>> > >     subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>>> > >     expires: 2018-12-19 15:56:20 UTC
>>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>>>> > >     track: yes
>>>> > >     auto-renew: yes
>>>> > > Request ID '20161229155921':
>>>> > >     status: MONITORING
>>>> > >     stuck: no
>>>> > >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>> > >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>> > >     CA: IPA
>>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>>> > >     subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>>> > >     expires: 2018-12-30 15:52:46 UTC
>>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>>>> > >     pre-save command:
>>>> > >     post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>>>> > >     track: yes
>>>> > >     auto-renew: yes
>>>> > > Request ID '20161229160009':
>>>> > >     status: MONITORING
>>>> > >     stuck: no
>>>> > >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>> > >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>> > >     CA: dogtag-ipa-ca-renew-agent
>>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>>> > >     subject: CN=IPA RA,O=MGMT.CROSSCHX.COM
>>>> > >     expires: 2018-11-12 13:01:34 UTC
>>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>>>> > >     pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>>> > >     track: yes
>>>> > >     auto-renew: yes
>>>> > > ==================================
>>>> > > IPA13.MGMT (root)>getcert list
>>>> > > Number of certificates and requests being tracked: 8.
>>>> > > Request ID '20161229143449':
>>>> > >     status: MONITORING
>>>> > >     stuck: no
>>>> > >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'
>>>> > >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB'
>>>> > >     CA: IPA
>>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>>> > >     subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>>> > >     expires: 2018-12-30 14:34:20 UTC
>>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>>>> > >     pre-save command:
>>>> > >     post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM
>>>> > >     track: yes
>>>> > >     auto-renew: yes
>>>> > > Request ID '20161229143826':
>>>> > >     status: MONITORING
>>>> > >     stuck: no
>>>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>> > >     CA: dogtag-ipa-ca-renew-agent
>>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>>> > >     subject: CN=CA Audit,O=MGMT.CROSSCHX.COM
>>>> > >     expires: 2018-11-12 13:00:29 UTC
>>>> > >     key usage: digitalSignature,nonRepudiation
>>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>>> > >     track: yes
>>>> > >     auto-renew: yes
>>>> > > Request ID '20161229143828':
>>>> > >     status: MONITORING
>>>> > >     stuck: no
>>>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>> > >     CA: dogtag-ipa-ca-renew-agent
>>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>>> > >     subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM
>>>> > >     expires: 2018-11-12 13:00:26 UTC
>>>> > >     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>> > >     eku: id-kp-OCSPSigning
>>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>>> > >     track: yes
>>>> > >     auto-renew: yes
>>>> > > Request ID '20161229143831':
>>>> > >     status: MONITORING
>>>> > >     stuck: no
>>>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>> > >     CA: dogtag-ipa-ca-renew-agent
>>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>>> > >     subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM
>>>> > >     expires: 2018-11-12 13:00:28 UTC
>>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>>> > >     track: yes
>>>> > >     auto-renew: yes
>>>> > > Request ID '20161229143833':
>>>> > >     status: MONITORING
>>>> > >     stuck: no
>>>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>> > >     CA: dogtag-ipa-ca-renew-agent
>>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>>> > >     subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>>> > >     expires: 2036-11-22 13:00:25 UTC
>>>> > >     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>>>> > >     track: yes
>>>> > >     auto-renew: yes
>>>> > > Request ID '20161229143835':
>>>> > >     status: MONITORING
>>>> > >     stuck: no
>>>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>>> > >     CA: dogtag-ipa-renew-agent
>>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>>> > >     subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>>> > >     expires: 2018-12-19 14:37:54 UTC
>>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>>>> > >     track: yes
>>>> > >     auto-renew: yes
>>>> > > Request ID '20161229144057':
>>>> > >     status: MONITORING
>>>> > >     stuck: no
>>>> > >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>> > >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>> > >     CA: IPA
>>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>>> > >     subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>>> > >     expires: 2018-12-30 14:34:23 UTC
>>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>>>> > >     pre-save command:
>>>> > >     post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>>>> > >     track: yes
>>>> > >     auto-renew: yes
>>>> > > Request ID '20161229144146':
>>>> > >     status: MONITORING
>>>> > >     stuck: no
>>>> > >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>> > >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>> > >     CA: dogtag-ipa-ca-renew-agent
>>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>>> > >     subject: CN=IPA RA,O=MGMT.CROSSCHX.COM
>>>> > >     expires: 2018-11-12 13:01:34 UTC
>>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>>>> > >     pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>>> > >     track: yes
>>>> > >     auto-renew: yes
>>>> > > ===========================
>>>> > > IPA12.MGMT (root)>getcert list
>>>> > > Number of certificates and requests being tracked: 8.
>>>> > > Request ID '20161229151518':
>>>> > >     status: MONITORING
>>>> > >     stuck: no
>>>> > >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'
>>>> > >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB'
>>>> > >     CA: IPA
>>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>>> > >     subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>>> > >     expires: 2018-12-30 15:14:51 UTC
>>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>>>> > >     pre-save command:
>>>> > >     post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM
>>>> > >     track: yes
>>>> > >     auto-renew: yes
>>>> > > Request ID '20161229151850':
>>>> > >     status: MONITORING
>>>> > >     stuck: no
>>>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>> > >     CA: dogtag-ipa-ca-renew-agent
>>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>>> > >     subject: CN=CA Audit,O=MGMT.CROSSCHX.COM
>>>> > >     expires: 2018-11-12 13:00:29 UTC
>>>> > >     key usage: digitalSignature,nonRepudiation
>>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>>> > >     track: yes
>>>> > >     auto-renew: yes
>>>> > > Request ID '20161229151852':
>>>> > >     status: MONITORING
>>>> > >     stuck: no
>>>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>> > >     CA: dogtag-ipa-ca-renew-agent
>>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>>> > >     subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM
>>>> > >     expires: 2018-11-12 13:00:26 UTC
>>>> > >     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>> > >     eku: id-kp-OCSPSigning
>>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>>> > >     track: yes
>>>> > >     auto-renew: yes
>>>> > > Request ID '20161229151854':
>>>> > >     status: MONITORING
>>>> > >     stuck: no
>>>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>> > >     CA: dogtag-ipa-ca-renew-agent
>>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>>> > >     subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM
>>>> > >     expires: 2018-11-12 13:00:28 UTC
>>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>>> > >     track: yes
>>>> > >     auto-renew: yes
>>>> > > Request ID '20161229151856':
>>>> > >     status: MONITORING
>>>> > >     stuck: no
>>>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>> > >     CA: dogtag-ipa-ca-renew-agent
>>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>>> > >     subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>>> > >     expires: 2036-11-22 13:00:25 UTC
>>>> > >     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>>>> > >     track: yes
>>>> > >     auto-renew: yes
>>>> > > Request ID '20161229151858':
>>>> > >     status: MONITORING
>>>> > >     stuck: no
>>>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>>> > >     CA: dogtag-ipa-renew-agent
>>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>>> > >     subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>>> > >     expires: 2018-12-19 15:18:16 UTC
>>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>>>> > >     track: yes
>>>> > >     auto-renew: yes
>>>> > > Request ID '20161229152115':
>>>> > >     status: MONITORING
>>>> > >     stuck: no
>>>> > >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>> > >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>> > >     CA: IPA
>>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>>> > >     subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>>> > >     expires: 2018-12-30 15:14:54 UTC
>>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>>>> > >     pre-save command:
>>>> > >     post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>>>> > >     track: yes
>>>> > >     auto-renew: yes
>>>> > > Request ID '20161229152204':
>>>> > >     status: MONITORING
>>>> > >     stuck: no
>>>> > >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>> > >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>> > >     CA: dogtag-ipa-ca-renew-agent
>>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>>> > >     subject: CN=IPA RA,O=MGMT.CROSSCHX.COM
>>>> > >     expires: 2018-11-12 13:01:34 UTC
>>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>>>> > >     pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>>> > >     track: yes
>>>> > >     auto-renew: yes
>>>> > >
>>>> > >
>>>> > > *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
>>>> > > 614.427.2411
>>>> > > mike.plemmons at crosschx.com
>>>> > > www.crosschx.com <http://www.crosschx.com>