<p dir="ltr">Marc,</p>
<p dir="ltr">Unfortunately, I've never had to promote a replica to become the CA master in our environment. </p>
<p dir="ltr">Is the host that's reporting the error the URL of the old master or the replica? Did you check the CS.cfg to see if the replica certificate is present vs. the old master? </p>
<p dir="ltr">John DeSantis <br>
</p>
<div class="gmail_quote">On Jun 5, 2015 3:49 PM, "Marc Wiatrowski" <<a href="mailto:wia@iglass.net">wia@iglass.net</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thank you John. I had tried that but you did give me some things to look at.<div><br></div><div>I was able to get 2 of the certificates to renew by setting the date back in time, a services restart, and issuing 'ipa-getcert resubmit -i &lt;request id&gt;'. This renewed the following 'Server-Cert' and 'ipaCert' but did not 'auditSigningCert cert-pki-ca' 'ocspSigningCert cert-pki-ca' or 'subsystemCert cert-pki-ca'</div><div><br></div><div>The admin web interface now gives 'ipa error 4301: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)'</div><div><br></div><div>listing the certs shows an error along the lines of</div><div><br></div><div>Internal error: no response to "<a href="http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true" target="_blank">http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true</a>".</div><div><br></div><div>If any of these are useful. 
</div><div><br></div><div>messages:</div><div><div>Jun 5 15:38:05 spider01o certmonger: Internal error: no response to "<a href="http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true" target="_blank">http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true</a>".</div></div><div><br></div><div>httpd/error:</div><div>[Fri Jun 05 14:32:26 2015] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with CMS (Not Found)<br></div><div><br></div><div>selftests.log:</div><div><div>8371.main - [05/Jun/2015:15:19:17 EDT] [20] [1] SystemCertsVerification: system certs verification failure</div><div>8371.main - [05/Jun/2015:15:19:17 EDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!</div></div><div><br></div><div><div>$ ipactl status</div><div>Directory Service: RUNNING</div><div>KDC Service: RUNNING</div><div>KPASSWD Service: RUNNING</div><div>DNS Service: RUNNING</div><div>MEMCACHE Service: RUNNING</div><div>HTTP Service: RUNNING</div><div>CA Service: RUNNING</div><div><br></div><div>$ certutil -L -d /var/lib/pki-ca/alias</div><div><br></div><div>Certificate Nickname Trust Attributes</div><div> SSL,S/MIME,JAR/XPI</div><div><br></div><div>ocspSigningCert cert-pki-ca u,u,u</div><div>subsystemCert cert-pki-ca u,u,u</div><div>Server-Cert cert-pki-ca u,u,u</div><div>caSigningCert cert-pki-ca CTu,u,u</div><div>auditSigningCert cert-pki-ca u,u,Pu</div></div><div><br></div><div><div>$ getcert list</div><div>Number of certificates and requests being tracked: 9.</div><div>Request ID '20131204194012':</div><div><span style="white-space:pre-wrap"> </span>status: MONITORING</div><div><span style="white-space:pre-wrap"> </span>stuck: no</div><div><span style="white-space:pre-wrap"> </span>key pair storage: 
type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'</div><div><span style="white-space:pre-wrap"> </span>certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'</div><div><span style="white-space:pre-wrap"> </span>CA: IPA</div><div><span style="white-space:pre-wrap"> </span>issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a></div><div><span style="white-space:pre-wrap"> </span>subject: CN=spider01o,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a></div><div><span style="white-space:pre-wrap"> </span>expires: 2017-05-28 18:03:59 UTC</div><div><span style="white-space:pre-wrap"> </span>key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment</div><div><span style="white-space:pre-wrap"> </span>eku: id-kp-serverAuth,id-kp-clientAuth</div><div><span style="white-space:pre-wrap"> </span>pre-save command: </div><div><span style="white-space:pre-wrap"> </span>post-save command: </div><div><span style="white-space:pre-wrap"> </span>track: yes</div><div><span style="white-space:pre-wrap"> </span>auto-renew: yes</div><div>Request ID '20141114162346':</div><div><span style="white-space:pre-wrap"> </span>status: MONITORING</div><div><span style="white-space:pre-wrap"> </span>stuck: no</div><div><span style="white-space:pre-wrap"> </span>key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'</div><div><span style="white-space:pre-wrap"> </span>certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'</div><div><span style="white-space:pre-wrap"> </span>CA: IPA</div><div><span style="white-space:pre-wrap"> </span>issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a></div><div><span style="white-space:pre-wrap"> </span>subject: CN=<a 
href="http://spider01o.iglass.net" target="_blank">spider01o.iglass.net</a>,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a></div><div><span style="white-space:pre-wrap"> </span>expires: 2016-11-14 16:22:37 UTC</div><div><span style="white-space:pre-wrap"> </span>key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment</div><div><span style="white-space:pre-wrap"> </span>eku: id-kp-serverAuth,id-kp-clientAuth</div><div><span style="white-space:pre-wrap"> </span>pre-save command: </div><div><span style="white-space:pre-wrap"> </span>post-save command: </div><div><span style="white-space:pre-wrap"> </span>track: yes</div><div><span style="white-space:pre-wrap"> </span>auto-renew: yes</div><div>Request ID '20141114162434':</div><div><span style="white-space:pre-wrap"> </span>status: MONITORING</div><div><span style="white-space:pre-wrap"> </span>ca-error: Internal error: no response to "<a href="http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true" target="_blank">http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true</a>".</div><div><span style="white-space:pre-wrap"> </span>stuck: no</div><div><span style="white-space:pre-wrap"> </span>key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='x'</div><div><span style="white-space:pre-wrap"> </span>certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'</div><div><span style="white-space:pre-wrap"> </span>CA: dogtag-ipa-renew-agent</div><div><span style="white-space:pre-wrap"> </span>issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a></div><div><span style="white-space:pre-wrap"> </span>subject: CN=<a href="http://spider01o.iglass.net" 
target="_blank">spider01o.iglass.net</a>,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a></div><div><span style="white-space:pre-wrap"> </span>expires: 2016-11-03 16:24:27 UTC</div><div><span style="white-space:pre-wrap"> </span>key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment</div><div><span style="white-space:pre-wrap"> </span>eku: id-kp-serverAuth</div><div><span style="white-space:pre-wrap"> </span>pre-save command: </div><div><span style="white-space:pre-wrap"> </span>post-save command: </div><div><span style="white-space:pre-wrap"> </span>track: yes</div><div><span style="white-space:pre-wrap"> </span>auto-renew: yes</div><div>Request ID '20141114162522':</div><div><span style="white-space:pre-wrap"> </span>status: MONITORING</div><div><span style="white-space:pre-wrap"> </span>stuck: no</div><div><span style="white-space:pre-wrap"> </span>key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt'</div><div><span style="white-space:pre-wrap"> </span>certificate: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB'</div><div><span style="white-space:pre-wrap"> </span>CA: IPA</div><div><span style="white-space:pre-wrap"> </span>issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a></div><div><span style="white-space:pre-wrap"> </span>subject: CN=<a href="http://spider01o.iglass.net" target="_blank">spider01o.iglass.net</a>,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a></div><div><span style="white-space:pre-wrap"> </span>expires: 2016-11-14 16:22:36 UTC</div><div><span style="white-space:pre-wrap"> </span>key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment</div><div><span style="white-space:pre-wrap"> </span>eku: id-kp-serverAuth,id-kp-clientAuth</div><div><span style="white-space:pre-wrap"> 
</span>pre-save command: </div><div><span style="white-space:pre-wrap"> </span>post-save command: </div><div><span style="white-space:pre-wrap"> </span>track: yes</div><div><span style="white-space:pre-wrap"> </span>auto-renew: yes</div><div>Request ID '20141114162610':</div><div><span style="white-space:pre-wrap"> </span>status: MONITORING</div><div><span style="white-space:pre-wrap"> </span>stuck: no</div><div><span style="white-space:pre-wrap"> </span>key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'</div><div><span style="white-space:pre-wrap"> </span>certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'</div><div><span style="white-space:pre-wrap"> </span>CA: IPA</div><div><span style="white-space:pre-wrap"> </span>issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a></div><div><span style="white-space:pre-wrap"> </span>subject: CN=<a href="http://spider01o.iglass.net" target="_blank">spider01o.iglass.net</a>,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a></div><div><span style="white-space:pre-wrap"> </span>expires: 2016-11-14 16:22:42 UTC</div><div><span style="white-space:pre-wrap"> </span>key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment</div><div><span style="white-space:pre-wrap"> </span>eku: id-kp-serverAuth,id-kp-clientAuth</div><div><span style="white-space:pre-wrap"> </span>pre-save command: </div><div><span style="white-space:pre-wrap"> </span>post-save command: </div><div><span style="white-space:pre-wrap"> </span>track: yes</div><div><span style="white-space:pre-wrap"> </span>auto-renew: yes</div><div>Request ID '20150604181945':</div><div><span style="white-space:pre-wrap"> </span>status: MONITORING</div><div><span style="white-space:pre-wrap"> </span>ca-error: Internal error: no response to "<a 
href="http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true" target="_blank">http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true</a>".</div><div><span style="white-space:pre-wrap"> </span>stuck: no</div><div><span style="white-space:pre-wrap"> </span>key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='x'</div><div><span style="white-space:pre-wrap"> </span>certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'</div><div><span style="white-space:pre-wrap"> </span>CA: dogtag-ipa-renew-agent</div><div><span style="white-space:pre-wrap"> </span>issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a></div><div><span style="white-space:pre-wrap"> </span>subject: CN=CA Audit,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a></div><div><span style="white-space:pre-wrap"> </span>expires: 2015-05-31 18:48:55 UTC</div><div><span style="white-space:pre-wrap"> </span>key usage: digitalSignature,nonRepudiation</div><div><span style="white-space:pre-wrap"> </span>pre-save command: </div><div><span style="white-space:pre-wrap"> </span>post-save command: </div><div><span style="white-space:pre-wrap"> </span>track: yes</div><div><span style="white-space:pre-wrap"> </span>auto-renew: yes</div><div>Request ID '20150604181956':</div><div><span style="white-space:pre-wrap"> </span>status: MONITORING</div><div><span style="white-space:pre-wrap"> </span>ca-error: Internal error: no response to "<a href="http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=2&renewal=true&xml=true" target="_blank">http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=2&renewal=true&xml=true</a>".</div><div><span 
style="white-space:pre-wrap"> </span>stuck: no</div><div><span style="white-space:pre-wrap"> </span>key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='x'</div><div><span style="white-space:pre-wrap"> </span>certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'</div><div><span style="white-space:pre-wrap"> </span>CA: dogtag-ipa-renew-agent</div><div><span style="white-space:pre-wrap"> </span>issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a></div><div><span style="white-space:pre-wrap"> </span>subject: CN=OCSP Subsystem,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a></div><div><span style="white-space:pre-wrap"> </span>expires: 2015-05-31 18:48:54 UTC</div><div><span style="white-space:pre-wrap"> </span>key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign</div><div><span style="white-space:pre-wrap"> </span>eku: id-kp-OCSPSigning</div><div><span style="white-space:pre-wrap"> </span>pre-save command: </div><div><span style="white-space:pre-wrap"> </span>post-save command: </div><div><span style="white-space:pre-wrap"> </span>track: yes</div><div><span style="white-space:pre-wrap"> </span>auto-renew: yes</div><div>Request ID '20150604182006':</div><div><span style="white-space:pre-wrap"> </span>status: MONITORING</div><div><span style="white-space:pre-wrap"> </span>ca-error: Internal error: no response to "<a href="http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=4&renewal=true&xml=true" target="_blank">http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=4&renewal=true&xml=true</a>".</div><div><span style="white-space:pre-wrap"> </span>stuck: no</div><div><span style="white-space:pre-wrap"> </span>key pair storage: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='x'</div><div><span style="white-space:pre-wrap"> </span>certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'</div><div><span style="white-space:pre-wrap"> </span>CA: dogtag-ipa-renew-agent</div><div><span style="white-space:pre-wrap"> </span>issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a></div><div><span style="white-space:pre-wrap"> </span>subject: CN=CA Subsystem,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a></div><div><span style="white-space:pre-wrap"> </span>expires: 2015-05-31 18:48:54 UTC</div><div><span style="white-space:pre-wrap"> </span>key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment</div><div><span style="white-space:pre-wrap"> </span>eku: id-kp-serverAuth,id-kp-clientAuth</div><div><span style="white-space:pre-wrap"> </span>pre-save command: </div><div><span style="white-space:pre-wrap"> </span>post-save command: </div><div><span style="white-space:pre-wrap"> </span>track: yes</div><div><span style="white-space:pre-wrap"> </span>auto-renew: yes</div><div>Request ID '20150604182012':</div><div><span style="white-space:pre-wrap"> </span>status: MONITORING</div><div><span style="white-space:pre-wrap"> </span>stuck: no</div><div><span style="white-space:pre-wrap"> </span>key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'</div><div><span style="white-space:pre-wrap"> </span>certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'</div><div><span style="white-space:pre-wrap"> </span>CA: dogtag-ipa-renew-agent</div><div><span style="white-space:pre-wrap"> </span>issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET" 
target="_blank">IGLASS.NET</a></div><div><span style="white-space:pre-wrap"> </span>subject: CN=IPA RA,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a></div><div><span style="white-space:pre-wrap"> </span>expires: 2017-05-25 13:58:36 UTC</div><div><span style="white-space:pre-wrap"> </span>key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment</div><div><span style="white-space:pre-wrap"> </span>eku: id-kp-serverAuth,id-kp-clientAuth</div><div><span style="white-space:pre-wrap"> </span>pre-save command: </div><div><span style="white-space:pre-wrap"> </span>post-save command: </div><div><span style="white-space:pre-wrap"> </span>track: yes</div><div><span style="white-space:pre-wrap"> </span>auto-renew: yes</div></div><div><br></div><div>thanks again. -Marc</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jun 5, 2015 at 1:03 PM, John Desantis <span dir="ltr"><<a href="mailto:desantis@mail.usf.edu" target="_blank">desantis@mail.usf.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Marc,<br>
<br>
I experienced a similar issue earlier this year.<br>
<br>
Try restarting certmonger after temporarily changing the date back on<br>
the master. In our case that service had failed miserably and it<br>
didn't allow FreeIPA to renew the certificates properly.<br>
<br>
Our replicas however were hit with a bug [1] during this process. We<br>
applied the patched code and followed the same process and all was<br>
well.<br>
<br>
John DeSantis<br>
<br>
[1] <a href="https://fedorahosted.org/freeipa/ticket/4064" target="_blank">https://fedorahosted.org/freeipa/ticket/4064</a><br>
<div><div><br>
<br>
2015-06-05 11:12 GMT-04:00 Marc Wiatrowski <<a href="mailto:wia@iglass.net" target="_blank">wia@iglass.net</a>>:<br>
> hello,<br>
><br>
> I've got a problem with expired certificates in my ipa/IdM setup. I believe<br>
> the root issue to be from the fact that when everything was first set up<br>
> about a year ago, everything was replicated from a first ipa server which<br>
> no longer exists. There are currently 3 ipa servers but none of them are<br>
> the original.<br>
><br>
> A couple of days ago I started getting errors similar to<br>
> '(SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your<br>
> certificate as expired' through the web management interface. After<br>
> investigating with 'getcert list' I found that several certificates expired<br>
> at 2015-05-31 18:48:55 UTC.<br>
><br>
> I found<br>
> <a href="http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master" target="_blank">http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master</a> and<br>
> followed the procedure for ipa <4.0 and everything seemed to go as expected.<br>
> However this did not fix my issue.<br>
><br>
> With more searching it looked like once the certificates are expired the<br>
> auto renew will not work. Finding<br>
> <a href="https://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Procedure_in_IPA_.3C_4.0" target="_blank">https://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Procedure_in_IPA_.3C_4.0</a><br>
> to try to manually renew I am stuck at the beginning with 'Give the CSR<br>
> to your external CA.' I don't believe we had our certificates externally<br>
> signed. They are whatever the original install put in place. Setting the<br>
> date back in time wreaks havoc on our environment so I'm reluctant to leave<br>
> it for too long. I can get what I believe is the original CSR from<br>
> /etc/pki-ca/CS.cfg but unsure what to do next or if this is even the road I<br>
> should be going down.<br>
><br>
> Things seem to be working for the most part except trying to make updates.<br>
> Any help on what to do next, somewhere else to look, or if I'm going in the<br>
> right direction would be greatly appreciated.<br>
><br>
> thanks,<br>
> Marc<br>
><br>
> Info:<br>
> CentOS 6.5 with some current updates including<br>
> ipa-server-3.0.0-42.el6.centos.i686<br>
> certmonger-0.75.13-1.el6.i686<br>
><br>
> $ getcert list-cas<br>
> CA 'SelfSign':<br>
> is-default: no<br>
> ca-type: INTERNAL:SELF<br>
> next-serial-number: 01<br>
> CA 'IPA':<br>
> is-default: no<br>
> ca-type: EXTERNAL<br>
> helper-location: /usr/libexec/certmonger/ipa-submit<br>
> CA 'certmaster':<br>
> is-default: no<br>
> ca-type: EXTERNAL<br>
> helper-location: /usr/libexec/certmonger/certmaster-submit<br>
> CA 'dogtag-ipa-renew-agent':<br>
> is-default: no<br>
> ca-type: EXTERNAL<br>
> helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit<br>
> CA 'local':<br>
> is-default: no<br>
> ca-type: EXTERNAL<br>
> helper-location: /usr/libexec/certmonger/local-submit<br>
> CA 'dogtag-ipa-retrieve-agent-submit':<br>
> is-default: no<br>
> ca-type: EXTERNAL<br>
> helper-location: /usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit<br>
><br>
> $ getcert list<br>
> Number of certificates and requests being tracked: 9.<br>
> Request ID '20131204194012':<br>
> status: MONITORING<br>
> stuck: no<br>
> key pair storage:<br>
> type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS<br>
> Certificate DB'<br>
> certificate:<br>
> type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS<br>
> Certificate DB'<br>
> CA: IPA<br>
> issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> subject: CN=spider01o,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> expires: 2015-12-05 19:40:13 UTC<br>
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
> eku: id-kp-serverAuth,id-kp-clientAuth<br>
> pre-save command:<br>
> post-save command:<br>
> track: yes<br>
> auto-renew: yes<br>
> Request ID '20141114162346':<br>
> status: MONITORING<br>
> stuck: no<br>
> key pair storage:<br>
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>
> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'<br>
> certificate:<br>
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS<br>
> Certificate DB'<br>
> CA: IPA<br>
> issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> subject: CN=<a href="http://spider01o.iglass.net" target="_blank">spider01o.iglass.net</a>,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> expires: 2016-11-14 16:22:37 UTC<br>
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
> eku: id-kp-serverAuth,id-kp-clientAuth<br>
> pre-save command:<br>
> post-save command:<br>
> track: yes<br>
> auto-renew: yes<br>
> Request ID '20141114162434':<br>
> status: MONITORING<br>
> ca-error: Internal error: no response to<br>
> "<a href="http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true" target="_blank">http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true</a>".<br>
> stuck: no<br>
> key pair storage:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert<br>
> cert-pki-ca',token='NSS Certificate DB',pin='x'<br>
> certificate:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert<br>
> cert-pki-ca',token='NSS Certificate DB'<br>
> CA: dogtag-ipa-renew-agent<br>
> issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> subject: CN=<a href="http://spider01o.iglass.net" target="_blank">spider01o.iglass.net</a>,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> expires: 2016-11-03 16:24:27 UTC<br>
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
> eku: id-kp-serverAuth<br>
> pre-save command:<br>
> post-save command:<br>
> track: yes<br>
> auto-renew: yes<br>
> Request ID '20141114162522':<br>
> status: MONITORING<br>
> stuck: no<br>
> key pair storage:<br>
> type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS<br>
> Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt'<br>
> certificate:<br>
> type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS<br>
> Certificate DB'<br>
> CA: IPA<br>
> issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> subject: CN=<a href="http://spider01o.iglass.net" target="_blank">spider01o.iglass.net</a>,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> expires: 2016-11-14 16:22:36 UTC<br>
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
> eku: id-kp-serverAuth,id-kp-clientAuth<br>
> pre-save command:<br>
> post-save command:<br>
> track: yes<br>
> auto-renew: yes<br>
> Request ID '20141114162610':<br>
> status: MONITORING<br>
> stuck: no<br>
> key pair storage:<br>
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
> certificate:<br>
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>
> Certificate DB'<br>
> CA: IPA<br>
> issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> subject: CN=<a href="http://spider01o.iglass.net" target="_blank">spider01o.iglass.net</a>,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> expires: 2016-11-14 16:22:42 UTC<br>
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
> eku: id-kp-serverAuth,id-kp-clientAuth<br>
> pre-save command:<br>
> post-save command:<br>
> track: yes<br>
> auto-renew: yes<br>
> Request ID '20150604181945':<br>
> status: CA_UNREACHABLE<br>
> ca-error: Error 35 connecting to<br>
> <a href="https://spider01o.iglass.net:9443/ca/agent/ca/profileReview" target="_blank">https://spider01o.iglass.net:9443/ca/agent/ca/profileReview</a>: SSL connect<br>
> error.<br>
> stuck: no<br>
> key pair storage:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert<br>
> cert-pki-ca',token='NSS Certificate DB',pin='x'<br>
> certificate:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert<br>
> cert-pki-ca',token='NSS Certificate DB'<br>
> CA: dogtag-ipa-renew-agent<br>
> issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> subject: CN=CA Audit,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> expires: 2015-05-31 18:48:55 UTC<br>
> key usage: digitalSignature,nonRepudiation<br>
> pre-save command:<br>
> post-save command:<br>
> track: yes<br>
> auto-renew: yes<br>
> Request ID '20150604181956':<br>
> status: CA_UNREACHABLE<br>
> ca-error: Error 35 connecting to<br>
> <a href="https://spider01o.iglass.net:9443/ca/agent/ca/profileReview" target="_blank">https://spider01o.iglass.net:9443/ca/agent/ca/profileReview</a>: SSL connect<br>
> error.<br>
> stuck: no<br>
> key pair storage:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert<br>
> cert-pki-ca',token='NSS Certificate DB',pin='x'<br>
> certificate:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert<br>
> cert-pki-ca',token='NSS Certificate DB'<br>
> CA: dogtag-ipa-renew-agent<br>
> issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> subject: CN=OCSP Subsystem,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> expires: 2015-05-31 18:48:54 UTC<br>
> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign<br>
> eku: id-kp-OCSPSigning<br>
> pre-save command:<br>
> post-save command:<br>
> track: yes<br>
> auto-renew: yes<br>
> Request ID '20150604182006':<br>
> status: CA_UNREACHABLE<br>
> ca-error: Error 35 connecting to<br>
> <a href="https://spider01o.iglass.net:9443/ca/agent/ca/profileReview" target="_blank">https://spider01o.iglass.net:9443/ca/agent/ca/profileReview</a>: SSL connect<br>
> error.<br>
> stuck: no<br>
> key pair storage:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert<br>
> cert-pki-ca',token='NSS Certificate DB',pin='x'<br>
> certificate:<br>
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert<br>
> cert-pki-ca',token='NSS Certificate DB'<br>
> CA: dogtag-ipa-renew-agent<br>
> issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> subject: CN=CA Subsystem,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> expires: 2015-05-31 18:48:54 UTC<br>
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
> eku: id-kp-serverAuth,id-kp-clientAuth<br>
> pre-save command:<br>
> post-save command:<br>
> track: yes<br>
> auto-renew: yes<br>
> Request ID '20150604182012':<br>
> status: CA_UNREACHABLE<br>
> ca-error: Error 35 connecting to<br>
> <a href="https://spider01o.iglass.net:9443/ca/agent/ca/profileReview" target="_blank">https://spider01o.iglass.net:9443/ca/agent/ca/profileReview</a>: SSL connect<br>
> error.<br>
> stuck: no<br>
> key pair storage:<br>
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS<br>
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
> certificate:<br>
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS<br>
> Certificate DB'<br>
> CA: dogtag-ipa-renew-agent<br>
> issuer: CN=Certificate Authority,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> subject: CN=IPA RA,O=<a href="http://IGLASS.NET" target="_blank">IGLASS.NET</a><br>
> expires: 2015-05-31 18:49:37 UTC<br>
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
> eku: id-kp-serverAuth,id-kp-clientAuth<br>
> pre-save command:<br>
> post-save command:<br>
> track: yes<br>
> auto-renew: yes<br>
><br>
><br>
</div></div></blockquote></div><br></div>
</blockquote></div>
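<p dir="ltr">Added example, not part of the thread and not FreeIPA or certmonger code: a small triage script for the <code>getcert list</code> output quoted above, which reports each tracked request that is expired, close to expiry, not in MONITORING, or carrying a ca-error. The sample input is abridged from the thread; the function names, the 28-day warning window and the reference times are assumptions made for the example, and the parser expects unwrapped output as <code>getcert</code> prints it, not the line-wrapped e-mail copy.</p>

```python
import re
from datetime import datetime, timedelta, timezone

# Abridged from the `getcert list` output quoted in the thread (selected fields only).
SAMPLE = """\
Number of certificates and requests being tracked: 9.
Request ID '20141114162434':
    status: MONITORING
    ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=1073545218&renewal=true&xml=true".
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    expires: 2016-11-03 16:24:27 UTC
Request ID '20150604181945':
    status: MONITORING
    ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true".
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    expires: 2015-05-31 18:48:55 UTC
Request ID '20150604181956':
    status: MONITORING
    ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=2&renewal=true&xml=true".
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    expires: 2015-05-31 18:48:54 UTC
Request ID '20150604182006':
    status: MONITORING
    ca-error: Internal error: no response to "http://spider01o.iglass.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=4&renewal=true&xml=true".
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    expires: 2015-05-31 18:48:54 UTC
Request ID '20150604182012':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    expires: 2017-05-25 13:58:36 UTC
"""

REQ_RE = re.compile(r"^Request ID '([^']+)':$")
NICK_RE = re.compile(r"nickname='([^']*)'")


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracked request."""
    requests, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQ_RE.match(line)
        if m:
            cur = {"id": m.group(1)}
            requests.append(cur)
            continue
        if cur is None or ":" not in line:
            continue  # summary header or blank line
        # Split on the first colon only: ca-error values contain colons and URLs.
        key, _, value = line.partition(":")
        cur[key.strip()] = value.strip()
    return requests


def triage(requests, now, warn_days=28):
    """Return (request id, nickname, CA helper, problems) for requests needing attention."""
    findings = []
    for r in requests:
        m = NICK_RE.search(r.get("certificate", ""))
        nickname = m.group(1) if m else "?"
        problems = []
        if r.get("expires"):
            not_after = datetime.strptime(
                r["expires"], "%Y-%m-%d %H:%M:%S UTC"
            ).replace(tzinfo=timezone.utc)
            if not_after <= now:
                problems.append("EXPIRED")
            elif not_after - now <= timedelta(days=warn_days):
                problems.append("EXPIRING")
        if r.get("status") != "MONITORING":
            # e.g. CA_UNREACHABLE, as in the first message of the thread
            problems.append("STATUS:" + r.get("status", "?"))
        if "ca-error" in r:
            problems.append("CA-ERROR")
        if problems:
            findings.append((r["id"], nickname, r.get("CA"), problems))
    return findings


if __name__ == "__main__":
    # Reference time is an assumption: the evening (UTC) of the day the output was posted.
    now = datetime(2015, 6, 5, 20, 0, tzinfo=timezone.utc)
    for req_id, nickname, ca, problems in triage(parse_getcert_list(SAMPLE), now):
        print(f"{req_id}  {nickname:<30} {ca:<24} {','.join(problems)}")
```

<p dir="ltr">Run on a schedule against live <code>getcert list</code> output, the EXPIRING state gives warning while certmonger can still renew without the clock being set back.</p>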