<div dir="ltr">Thank you, John. I had tried that but you did give me some things to look at.<div><br></div><div>I was able to get 2 of the certificates to renew by setting the date back in time, a services restart, and issuing 'ipa-getcert resubmit -i &lt;request id&gt;'. This renewed the following: 'Server-Cert' and 'ipaCert', but did not renew 'auditSigningCert cert-pki-ca', 'ocspSigningCert cert-pki-ca' or 'subsystemCert cert-pki-ca'.</div><div><br></div><div>The admin web interface now gives 'ipa error 4301: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)'.</div><div><br></div><div>Listing the certs shows an error along the lines of</div><div><br></div><div>Internal error: no response to "<a href="http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true">http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true</a>".</div><div><br></div><div>If any of these are useful. 
</div><div><br></div><div>messages:</div><div><div>Jun 5 15:38:05 spider01o certmonger: Internal error: no response to "<a href="http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true">http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true</a>".</div></div><div><br></div><div>httpd/error:</div><div>[Fri Jun 05 14:32:26 2015] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with CMS (Not Found)<br></div><div><br></div><div>selftests.log:</div><div><div>8371.main - [05/Jun/2015:15:19:17 EDT] [20] [1] SystemCertsVerification: system certs verification failure</div><div>8371.main - [05/Jun/2015:15:19:17 EDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!</div></div><div><br></div><div><div>$ ipactl status</div><div>Directory Service: RUNNING</div><div>KDC Service: RUNNING</div><div>KPASSWD Service: RUNNING</div><div>DNS Service: RUNNING</div><div>MEMCACHE Service: RUNNING</div><div>HTTP Service: RUNNING</div><div>CA Service: RUNNING</div><div><br></div><div>$ certutil -L -d /var/lib/pki-ca/alias</div><div><br></div><div>Certificate Nickname Trust Attributes</div><div> SSL,S/MIME,JAR/XPI</div><div><br></div><div>ocspSigningCert cert-pki-ca u,u,u</div><div>subsystemCert cert-pki-ca u,u,u</div><div>Server-Cert cert-pki-ca u,u,u</div><div>caSigningCert cert-pki-ca CTu,u,u</div><div>auditSigningCert cert-pki-ca u,u,Pu</div></div><div><br></div><div><div>$ getcert list</div><div>Number of certificates and requests being tracked: 9.</div><div>Request ID '20131204194012':</div><div><span class="" style="white-space:pre"> </span>status: MONITORING</div><div><span class="" style="white-space:pre"> </span>stuck: no</div><div><span class="" style="white-space:pre"> </span>key pair storage: 
type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'</div><div><span class="" style="white-space:pre"> </span>certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'</div><div><span class="" style="white-space:pre"> </span>CA: IPA</div><div><span class="" style="white-space:pre"> </span>issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET">IGLASS.NET</a></div><div><span class="" style="white-space:pre"> </span>subject: CN=spider01o,O=<a href="http://IGLASS.NET">IGLASS.NET</a></div><div><span class="" style="white-space:pre"> </span>expires: 2017-05-28 18:03:59 UTC</div><div><span class="" style="white-space:pre"> </span>key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment</div><div><span class="" style="white-space:pre"> </span>eku: id-kp-serverAuth,id-kp-clientAuth</div><div><span class="" style="white-space:pre"> </span>pre-save command: </div><div><span class="" style="white-space:pre"> </span>post-save command: </div><div><span class="" style="white-space:pre"> </span>track: yes</div><div><span class="" style="white-space:pre"> </span>auto-renew: yes</div><div>Request ID '20141114162346':</div><div><span class="" style="white-space:pre"> </span>status: MONITORING</div><div><span class="" style="white-space:pre"> </span>stuck: no</div><div><span class="" style="white-space:pre"> </span>key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'</div><div><span class="" style="white-space:pre"> </span>certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'</div><div><span class="" style="white-space:pre"> </span>CA: IPA</div><div><span class="" style="white-space:pre"> </span>issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET">IGLASS.NET</a></div><div><span class="" 
style="white-space:pre"> </span>subject: CN=<a href="http://spider01o.iglass.net">spider01o.iglass.net</a>,O=<a href="http://IGLASS.NET">IGLASS.NET</a></div><div><span class="" style="white-space:pre"> </span>expires: 2016-11-14 16:22:37 UTC</div><div><span class="" style="white-space:pre"> </span>key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment</div><div><span class="" style="white-space:pre"> </span>eku: id-kp-serverAuth,id-kp-clientAuth</div><div><span class="" style="white-space:pre"> </span>pre-save command: </div><div><span class="" style="white-space:pre"> </span>post-save command: </div><div><span class="" style="white-space:pre"> </span>track: yes</div><div><span class="" style="white-space:pre"> </span>auto-renew: yes</div><div>Request ID '20141114162434':</div><div><span class="" style="white-space:pre"> </span>status: MONITORING</div><div><span class="" style="white-space:pre"> </span>ca-error: Internal error: no response to "<a href="http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true">http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true</a>".</div><div><span class="" style="white-space:pre"> </span>stuck: no</div><div><span class="" style="white-space:pre"> </span>key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='x'</div><div><span class="" style="white-space:pre"> </span>certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'</div><div><span class="" style="white-space:pre"> </span>CA: dogtag-ipa-renew-agent</div><div><span class="" style="white-space:pre"> </span>issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET">IGLASS.NET</a></div><div><span class="" style="white-space:pre"> </span>subject: CN=<a 
href="http://spider01o.iglass.net">spider01o.iglass.net</a>,O=<a href="http://IGLASS.NET">IGLASS.NET</a></div><div><span class="" style="white-space:pre"> </span>expires: 2016-11-03 16:24:27 UTC</div><div><span class="" style="white-space:pre"> </span>key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment</div><div><span class="" style="white-space:pre"> </span>eku: id-kp-serverAuth</div><div><span class="" style="white-space:pre"> </span>pre-save command: </div><div><span class="" style="white-space:pre"> </span>post-save command: </div><div><span class="" style="white-space:pre"> </span>track: yes</div><div><span class="" style="white-space:pre"> </span>auto-renew: yes</div><div>Request ID '20141114162522':</div><div><span class="" style="white-space:pre"> </span>status: MONITORING</div><div><span class="" style="white-space:pre"> </span>stuck: no</div><div><span class="" style="white-space:pre"> </span>key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt'</div><div><span class="" style="white-space:pre"> </span>certificate: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB'</div><div><span class="" style="white-space:pre"> </span>CA: IPA</div><div><span class="" style="white-space:pre"> </span>issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET">IGLASS.NET</a></div><div><span class="" style="white-space:pre"> </span>subject: CN=<a href="http://spider01o.iglass.net">spider01o.iglass.net</a>,O=<a href="http://IGLASS.NET">IGLASS.NET</a></div><div><span class="" style="white-space:pre"> </span>expires: 2016-11-14 16:22:36 UTC</div><div><span class="" style="white-space:pre"> </span>key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment</div><div><span class="" style="white-space:pre"> </span>eku: id-kp-serverAuth,id-kp-clientAuth</div><div><span 
class="" style="white-space:pre"> </span>pre-save command: </div><div><span class="" style="white-space:pre"> </span>post-save command: </div><div><span class="" style="white-space:pre"> </span>track: yes</div><div><span class="" style="white-space:pre"> </span>auto-renew: yes</div><div>Request ID '20141114162610':</div><div><span class="" style="white-space:pre"> </span>status: MONITORING</div><div><span class="" style="white-space:pre"> </span>stuck: no</div><div><span class="" style="white-space:pre"> </span>key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'</div><div><span class="" style="white-space:pre"> </span>certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'</div><div><span class="" style="white-space:pre"> </span>CA: IPA</div><div><span class="" style="white-space:pre"> </span>issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET">IGLASS.NET</a></div><div><span class="" style="white-space:pre"> </span>subject: CN=<a href="http://spider01o.iglass.net">spider01o.iglass.net</a>,O=<a href="http://IGLASS.NET">IGLASS.NET</a></div><div><span class="" style="white-space:pre"> </span>expires: 2016-11-14 16:22:42 UTC</div><div><span class="" style="white-space:pre"> </span>key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment</div><div><span class="" style="white-space:pre"> </span>eku: id-kp-serverAuth,id-kp-clientAuth</div><div><span class="" style="white-space:pre"> </span>pre-save command: </div><div><span class="" style="white-space:pre"> </span>post-save command: </div><div><span class="" style="white-space:pre"> </span>track: yes</div><div><span class="" style="white-space:pre"> </span>auto-renew: yes</div><div>Request ID '20150604181945':</div><div><span class="" style="white-space:pre"> </span>status: MONITORING</div><div><span class="" style="white-space:pre"> </span>ca-error: 
Internal error: no response to "<a href="http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true">http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true</a>".</div><div><span class="" style="white-space:pre"> </span>stuck: no</div><div><span class="" style="white-space:pre"> </span>key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='x'</div><div><span class="" style="white-space:pre"> </span>certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'</div><div><span class="" style="white-space:pre"> </span>CA: dogtag-ipa-renew-agent</div><div><span class="" style="white-space:pre"> </span>issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET">IGLASS.NET</a></div><div><span class="" style="white-space:pre"> </span>subject: CN=CA Audit,O=<a href="http://IGLASS.NET">IGLASS.NET</a></div><div><span class="" style="white-space:pre"> </span>expires: 2015-05-31 18:48:55 UTC</div><div><span class="" style="white-space:pre"> </span>key usage: digitalSignature,nonRepudiation</div><div><span class="" style="white-space:pre"> </span>pre-save command: </div><div><span class="" style="white-space:pre"> </span>post-save command: </div><div><span class="" style="white-space:pre"> </span>track: yes</div><div><span class="" style="white-space:pre"> </span>auto-renew: yes</div><div>Request ID '20150604181956':</div><div><span class="" style="white-space:pre"> </span>status: MONITORING</div><div><span class="" style="white-space:pre"> </span>ca-error: Internal error: no response to "<a 
href="http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=2&renewal=true&xml=true">http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=2&renewal=true&xml=true</a>".</div><div><span class="" style="white-space:pre"> </span>stuck: no</div><div><span class="" style="white-space:pre"> </span>key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='x'</div><div><span class="" style="white-space:pre"> </span>certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'</div><div><span class="" style="white-space:pre"> </span>CA: dogtag-ipa-renew-agent</div><div><span class="" style="white-space:pre"> </span>issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET">IGLASS.NET</a></div><div><span class="" style="white-space:pre"> </span>subject: CN=OCSP Subsystem,O=<a href="http://IGLASS.NET">IGLASS.NET</a></div><div><span class="" style="white-space:pre"> </span>expires: 2015-05-31 18:48:54 UTC</div><div><span class="" style="white-space:pre"> </span>key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign</div><div><span class="" style="white-space:pre"> </span>eku: id-kp-OCSPSigning</div><div><span class="" style="white-space:pre"> </span>pre-save command: </div><div><span class="" style="white-space:pre"> </span>post-save command: </div><div><span class="" style="white-space:pre"> </span>track: yes</div><div><span class="" style="white-space:pre"> </span>auto-renew: yes</div><div>Request ID '20150604182006':</div><div><span class="" style="white-space:pre"> </span>status: MONITORING</div><div><span class="" style="white-space:pre"> </span>ca-error: Internal error: no response to "<a 
href="http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=4&renewal=true&xml=true">http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=4&renewal=true&xml=true</a>".</div><div><span class="" style="white-space:pre"> </span>stuck: no</div><div><span class="" style="white-space:pre"> </span>key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='x'</div><div><span class="" style="white-space:pre"> </span>certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'</div><div><span class="" style="white-space:pre"> </span>CA: dogtag-ipa-renew-agent</div><div><span class="" style="white-space:pre"> </span>issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET">IGLASS.NET</a></div><div><span class="" style="white-space:pre"> </span>subject: CN=CA Subsystem,O=<a href="http://IGLASS.NET">IGLASS.NET</a></div><div><span class="" style="white-space:pre"> </span>expires: 2015-05-31 18:48:54 UTC</div><div><span class="" style="white-space:pre"> </span>key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment</div><div><span class="" style="white-space:pre"> </span>eku: id-kp-serverAuth,id-kp-clientAuth</div><div><span class="" style="white-space:pre"> </span>pre-save command: </div><div><span class="" style="white-space:pre"> </span>post-save command: </div><div><span class="" style="white-space:pre"> </span>track: yes</div><div><span class="" style="white-space:pre"> </span>auto-renew: yes</div><div>Request ID '20150604182012':</div><div><span class="" style="white-space:pre"> </span>status: MONITORING</div><div><span class="" style="white-space:pre"> </span>stuck: no</div><div><span class="" style="white-space:pre"> </span>key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate 
DB',pinfile='/etc/httpd/alias/pwdfile.txt'</div><div><span class="" style="white-space:pre"> </span>certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'</div><div><span class="" style="white-space:pre"> </span>CA: dogtag-ipa-renew-agent</div><div><span class="" style="white-space:pre"> </span>issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET">IGLASS.NET</a></div><div><span class="" style="white-space:pre"> </span>subject: CN=IPA RA,O=<a href="http://IGLASS.NET">IGLASS.NET</a></div><div><span class="" style="white-space:pre"> </span>expires: 2017-05-25 13:58:36 UTC</div><div><span class="" style="white-space:pre"> </span>key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment</div><div><span class="" style="white-space:pre"> </span>eku: id-kp-serverAuth,id-kp-clientAuth</div><div><span class="" style="white-space:pre"> </span>pre-save command: </div><div><span class="" style="white-space:pre"> </span>post-save command: </div><div><span class="" style="white-space:pre"> </span>track: yes</div><div><span class="" style="white-space:pre"> </span>auto-renew: yes</div></div><div><br></div><div>thanks again. -Marc</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jun 5, 2015 at 1:03 PM, John Desantis <span dir="ltr"><<a href="mailto:desantis@mail.usf.edu" target="_blank">desantis@mail.usf.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Marc,<br>
<br>
I experienced a similar issue earlier this year.<br>
<br>
Try restarting certmonger after temporarily changing the date back on<br>
the master. In our case that service had failed miserably and it<br>
didn't allow FreeIPA to renew the certificates properly.<br>
<br>
Our replicas however were hit with a bug [1] during this process. We<br>
applied the patched code and followed the same process and all was<br>
well.<br>
<br>
John DeSantis<br>
<br>
[1] <a href="https://fedorahosted.org/freeipa/ticket/4064" target="_blank">https://fedorahosted.org/freeipa/ticket/4064</a><br>
<div class="HOEnZb"><div class="h5"><br>
<br>
2015-06-05 11:12 GMT-04:00 Marc Wiatrowski <<a href="mailto:wia@iglass.net">wia@iglass.net</a>>:<br>
> hello,<br>
><br>
> I've got a problem with expired certificates in my ipa/IdM setup. I believe<br>
> the root issue to be from the fact that everything was first set up<br>
> about a year ago and everything was replicated from a first ipa server which<br>
> no longer exists. There are currently 3 ipa servers but none of them are<br>
> the original.<br>
><br>
> Couple days ago I started getting errors similar to<br>
> '(SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your<br>
> certificate as expired' through the web management interface. After<br>
> investigating with 'getcert list' I found that several certificates expired<br>
> at 2015-05-31 18:48:55 UTC.<br>
><br>
> I found<br>
> <a href="http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master" target="_blank">http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master</a> and<br>
> followed the procedure for ipa <4.0 and everything seemed to go as expected.<br>
> However this did not fix my issue.<br>
><br>
> With more searching it looked like once the certificates are expired the<br>
> auto renew will not work. Finding<br>
> <a href="https://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Procedure_in_IPA_.3C_4.0" target="_blank">https://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Procedure_in_IPA_.3C_4.0</a><br>
> to try to manually renew I am stuck at the beginning with 'Give the CSR<br>
> to your external CA.' I don't believe we had our certificates externally<br>
> signed. They are whatever the original install put in place. Setting the<br>
> date back in time wreaks havoc on our environment so I'm reluctant to leave<br>
> it for too long. I can get what I believe is the original CSR from<br>
> /etc/pki-ca/CS.cfg but unsure what to do next or if this is even the road I<br>
> should be going down.<br>
><br>
> Things seem to be working for the most part except trying to make updates.<br>
> Any help on what to do next, somewhere else to look, or if I'm going in the<br>
> right direction would be greatly appreciated.<br>
><br>
> thanks,<br>
> Marc<br>
><br>
> Info:<br>
> CentOS 6.5 with some current updates including<br>
> ipa-server-3.0.0-42.el6.centos.i686<br>
> certmonger-0.75.13-1.el6.i686<br>
><br>
> $ getcert list-cas<br>
> CA 'SelfSign':<br>
> is-default: no<br>
> ca-type: INTERNAL:SELF<br>
> next-serial-number: 01<br>
> CA 'IPA':<br>
> is-default: no<br>
> ca-type: EXTERNAL<br>
> helper-location: /usr/libexec/certmonger/ipa-submit<br>
> CA 'certmaster':<br>
> is-default: no<br>
> ca-type: EXTERNAL<br>
> helper-location: /usr/libexec/certmonger/certmaster-submit<br>
> CA 'dogtag-ipa-renew-agent':<br>
> is-default: no<br>
> ca-type: EXTERNAL<br>
> helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit<br>
> CA 'local':<br>
> is-default: no<br>
> ca-type: EXTERNAL<br>
> helper-location: /usr/libexec/certmonger/local-submit<br>
> CA 'dogtag-ipa-retrieve-agent-submit':<br>
> is-default: no<br>
> ca-type: EXTERNAL<br>
> helper-location: /usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit<br>
><br>
> $ getcert list<br>
> Number of certificates and requests being tracked: 9.<br>
> Request ID '20131204194012':<br>
> status: MONITORING<br>
> stuck: no<br>
> key pair storage:<br>
> type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS<br>
> Certificate DB'<br>
> certificate:<br>
> type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS<br>
> Certificate DB'<br>
> CA: IPA<br>
> issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> subject: CN=spider01o,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> expires: 2015-12-05 19:40:13 UTC<br>
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
> eku: id-kp-serverAuth,id-kp-clientAuth<br>
> pre-save command:<br>
> post-save command:<br>
> track: yes<br>
> auto-renew: yes<br>
> Request ID '20141114162346':<br>
> status: MONITORING<br>
> stuck: no<br>
> key pair storage:<br>
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>
> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'<br>
> certificate:<br>
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>
> Certificate DB'<br>
> CA: IPA<br>
> issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> subject: CN=<a href="http://spider01o.iglass.net" target="_blank">spider01o.iglass.net</a>,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> expires: 2016-11-14 16:22:37 UTC<br>
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
> eku: id-kp-serverAuth,id-kp-clientAuth<br>
> pre-save command:<br>
> post-save command:<br>
> track: yes<br>
> auto-renew: yes<br>
> Request ID '20141114162434':<br>
> status: MONITORING<br>
> ca-error: Internal error: no response to<br>
> "<a href="http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true" target="_blank">http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true</a>".<br>
> stuck: no<br>
> key pair storage:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert<br>
> cert-pki-ca',token='NSS Certificate DB',pin='x'<br>
> certificate:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert<br>
> cert-pki-ca',token='NSS Certificate DB'<br>
> CA: dogtag-ipa-renew-agent<br>
> issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> subject: CN=<a href="http://spider01o.iglass.net" target="_blank">spider01o.iglass.net</a>,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> expires: 2016-11-03 16:24:27 UTC<br>
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
> eku: id-kp-serverAuth<br>
> pre-save command:<br>
> post-save command:<br>
> track: yes<br>
> auto-renew: yes<br>
> Request ID '20141114162522':<br>
> status: MONITORING<br>
> stuck: no<br>
> key pair storage:<br>
> type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS<br>
> Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt'<br>
> certificate:<br>
> type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS<br>
> Certificate DB'<br>
> CA: IPA<br>
> issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> subject: CN=<a href="http://spider01o.iglass.net" target="_blank">spider01o.iglass.net</a>,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> expires: 2016-11-14 16:22:36 UTC<br>
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
> eku: id-kp-serverAuth,id-kp-clientAuth<br>
> pre-save command:<br>
> post-save command:<br>
> track: yes<br>
> auto-renew: yes<br>
> Request ID '20141114162610':<br>
> status: MONITORING<br>
> stuck: no<br>
> key pair storage:<br>
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
> certificate:<br>
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>
> Certificate DB'<br>
> CA: IPA<br>
> issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> subject: CN=<a href="http://spider01o.iglass.net" target="_blank">spider01o.iglass.net</a>,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> expires: 2016-11-14 16:22:42 UTC<br>
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
> eku: id-kp-serverAuth,id-kp-clientAuth<br>
> pre-save command:<br>
> post-save command:<br>
> track: yes<br>
> auto-renew: yes<br>
> Request ID '20150604181945':<br>
> status: CA_UNREACHABLE<br>
> ca-error: Error 35 connecting to<br>
> <a href="https://spider01o.iglass.net:9443/ca/agent/ca/profileReview" target="_blank">https://spider01o.iglass.net:9443/ca/agent/ca/profileReview</a>: SSL connect<br>
> error.<br>
> stuck: no<br>
> key pair storage:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert<br>
> cert-pki-ca',token='NSS Certificate DB',pin='x'<br>
> certificate:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert<br>
> cert-pki-ca',token='NSS Certificate DB'<br>
> CA: dogtag-ipa-renew-agent<br>
> issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> subject: CN=CA Audit,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> expires: 2015-05-31 18:48:55 UTC<br>
> key usage: digitalSignature,nonRepudiation<br>
> pre-save command:<br>
> post-save command:<br>
> track: yes<br>
> auto-renew: yes<br>
> Request ID '20150604181956':<br>
> status: CA_UNREACHABLE<br>
> ca-error: Error 35 connecting to<br>
> <a href="https://spider01o.iglass.net:9443/ca/agent/ca/profileReview" target="_blank">https://spider01o.iglass.net:9443/ca/agent/ca/profileReview</a>: SSL connect<br>
> error.<br>
> stuck: no<br>
> key pair storage:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert<br>
> cert-pki-ca',token='NSS Certificate DB',pin='x'<br>
> certificate:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert<br>
> cert-pki-ca',token='NSS Certificate DB'<br>
> CA: dogtag-ipa-renew-agent<br>
> issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> subject: CN=OCSP Subsystem,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> expires: 2015-05-31 18:48:54 UTC<br>
> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign<br>
> eku: id-kp-OCSPSigning<br>
> pre-save command:<br>
> post-save command:<br>
> track: yes<br>
> auto-renew: yes<br>
> Request ID '20150604182006':<br>
> status: CA_UNREACHABLE<br>
> ca-error: Error 35 connecting to<br>
> <a href="https://spider01o.iglass.net:9443/ca/agent/ca/profileReview" target="_blank">https://spider01o.iglass.net:9443/ca/agent/ca/profileReview</a>: SSL connect<br>
> error.<br>
> stuck: no<br>
> key pair storage:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert<br>
> cert-pki-ca',token='NSS Certificate DB',pin='x'<br>
> certificate:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert<br>
> cert-pki-ca',token='NSS Certificate DB'<br>
> CA: dogtag-ipa-renew-agent<br>
> issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> subject: CN=CA Subsystem,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> expires: 2015-05-31 18:48:54 UTC<br>
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
> eku: id-kp-serverAuth,id-kp-clientAuth<br>
> pre-save command:<br>
> post-save command:<br>
> track: yes<br>
> auto-renew: yes<br>
> Request ID '20150604182012':<br>
> status: CA_UNREACHABLE<br>
> ca-error: Error 35 connecting to<br>
> <a href="https://spider01o.iglass.net:9443/ca/agent/ca/profileReview" target="_blank">https://spider01o.iglass.net:9443/ca/agent/ca/profileReview</a>: SSL connect<br>
> error.<br>
> stuck: no<br>
> key pair storage:<br>
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS<br>
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
> certificate:<br>
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS<br>
> Certificate DB'<br>
> CA: dogtag-ipa-renew-agent<br>
> issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> subject: CN=IPA RA,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> expires: 2015-05-31 18:49:37 UTC<br>
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
> eku: id-kp-serverAuth,id-kp-clientAuth<br>
> pre-save command:<br>
> post-save command:<br>
> track: yes<br>
> auto-renew: yes<br>
><br>
><br>
</div></div><span class="HOEnZb"><font color="#888888">
</font></span></blockquote></div><br></div>
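A triage helper for the `getcert list` output posted in this thread, added here as an example (not part of the original messages and not FreeIPA or certmonger code): it parses the listing, including mail-quoted and line-wrapped copies, flags expired or failing requests, and reports the earliest expiry, which bounds the temporary clock rollback discussed above. The sample input is constructed, `ipa.example.test` is a placeholder host, and all function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the `getcert list` output in this thread.
# The host name is a placeholder; the second entry is mail-quoted and wrapped.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20150604181945':
\tstatus: MONITORING
\tca-error: Internal error: no response to "http://ipa.example.test:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true".
\tstuck: no
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\texpires: 2015-05-31 18:48:55 UTC
> Request ID '20150604182006':
> status: CA_UNREACHABLE
> ca-error: Error 35 connecting to
> https://ipa.example.test:9443/ca/agent/ca/profileReview: SSL connect
> error.
> certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> expires: 2015-05-31 18:48:54 UTC
Request ID '20141114162610':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\texpires: 2016-11-14 16:22:42 UTC
"""

HEADER = re.compile(r"^Request ID '([^']+)':$")
# A field is "name:" followed by whitespace or end of line, so a wrapped
# "https://..." continuation line is not mistaken for a new field.
FIELD = re.compile(r"^([A-Za-z][A-Za-z -]*):(?:\s+(.*))?$")


def _summarise(rec):
    """Reduce one raw request record to the fields needed for triage."""
    cert = rec.get("certificate", "")
    nick = re.search(r"nickname='([^']*)'", cert)
    loc = re.search(r"location='([^']*)'", cert)
    exp = rec.get("expires")
    return {
        "id": rec["id"],
        "status": rec.get("status", ""),
        "ca": rec.get("CA", ""),
        "ca_error": rec.get("ca-error") or None,
        "nickname": nick.group(1) if nick else None,
        "location": loc.group(1) if loc else None,
        "expires": datetime.strptime(exp, "%Y-%m-%d %H:%M:%S UTC")
        .replace(tzinfo=timezone.utc) if exp else None,
    }


def parse_getcert_list(text):
    """Parse `getcert list` output, tolerating '> ' quoting and line wraps."""
    records, cur, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.lstrip("> \t").rstrip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            cur, last_key = {"id": m.group(1)}, None
            records.append(cur)
            continue
        if cur is None:
            continue  # preamble such as the "Number of certificates" line
        m = FIELD.match(line)
        if m:
            last_key = m.group(1)
            cur[last_key] = m.group(2) or ""
        elif last_key:  # wrapped continuation of the previous field
            cur[last_key] = (cur[last_key] + " " + line).strip()
    return [_summarise(r) for r in records]


def triage(requests, now):
    """Return (nickname, problems) for every request that needs attention."""
    findings = []
    for r in requests:
        problems = []
        if r["expires"] and r["expires"] <= now:
            problems.append("expired")
        if r["status"] != "MONITORING":
            problems.append("status=" + r["status"])
        if r["ca_error"]:
            problems.append("ca-error")
        if problems:
            findings.append((r["nickname"], problems))
    return findings


def clock_ceiling(requests, now):
    """Earliest expiry among expired certs. A rolled-back clock must be
    earlier than this, and also later than each certificate's notBefore,
    which `getcert list` does not print."""
    expired = [r["expires"] for r in requests
               if r["expires"] and r["expires"] <= now]
    return min(expired) if expired else None


if __name__ == "__main__":
    now = datetime(2015, 6, 5, 19, 0, tzinfo=timezone.utc)
    reqs = parse_getcert_list(SAMPLE)
    for nickname, problems in triage(reqs, now):
        print(nickname, problems)
    print("set clock before:", clock_ceiling(reqs, now))
```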