<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>I'm afraid that because you moved time back, the dogtag
certificates are before their VALIDITY time now.</p>
<p>Can you find the CA debug log, /var/log/pki/pki-tomcat/ca/debug.log
(not sure about the path)? There should be the exact certificate and
the reason why cert validation failed.</p>
<p><br>
</p>
<br>
<div class="moz-cite-prefix">On 14.09.2016 19:42, bahan w wrote:<br>
</div>
<blockquote
cite="mid:CAMJtubK6jPUWpJtY1cvL25mvGq_aDoYAUJiCqnJHNZze+u6qJg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Here is what I found:<br>
<br>
</div>
<div>In the catalina.out:<br>
###<br>
May 27, 2016 10:51:35 AM
org.apache.catalina.core.StandardWrapperValve invoke<br>
SEVERE: Servlet.service() for servlet caDisplayBySerial-agent
threw exception<br>
java.io.IOException: CS server is not ready to serve.<br>
at
com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:441)<br>
at
javax.servlet.http.HttpServlet.service(HttpServlet.java:717)<br>
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)<br>
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)<br>
at
com.netscape.cms.servlet.filter.AgentRequestFilter.doFilter(AgentRequestFilter.java:124)<br>
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)<br>
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)<br>
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)<br>
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)<br>
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)<br>
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)<br>
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)<br>
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)<br>
at
org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)<br>
at
org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)<br>
at
org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769)<br>
at
org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698)<br>
at
org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891)<br>
at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)<br>
at java.lang.Thread.run(Thread.java:722)<br>
###<br>
</div>
<div><br>
</div>
In the selftests.log in /var/log/pki-ca:<br>
<div>###<br>
24196.main - [27/May/2016:10:50:27 CEST] [20] [1]
SelfTestSubsystem: Initializing self test plugins:<br>
24196.main - [27/May/2016:10:50:27 CEST] [20] [1]
SelfTestSubsystem: loading all self test plugin logger
parameters<br>
24196.main - [27/May/2016:10:50:27 CEST] [20] [1]
SelfTestSubsystem: loading all self test plugin instances<br>
24196.main - [27/May/2016:10:50:27 CEST] [20] [1]
SelfTestSubsystem: loading all self test plugin instance
parameters<br>
24196.main - [27/May/2016:10:50:27 CEST] [20] [1]
SelfTestSubsystem: loading self test plugins in on-demand
order<br>
24196.main - [27/May/2016:10:50:27 CEST] [20] [1]
SelfTestSubsystem: loading self test plugins in startup order<br>
24196.main - [27/May/2016:10:50:27 CEST] [20] [1]
SelfTestSubsystem: Self test plugins have been successfully
loaded!<br>
24196.main - [27/May/2016:10:50:28 CEST] [20] [1]
SelfTestSubsystem: Running self test plugins specified to be
executed at startup:<br>
24196.main - [27/May/2016:10:50:28 CEST] [20] [1] CAPresence:
CA is present<br>
24196.main - [27/May/2016:10:50:28 CEST] [20] [1]
SystemCertsVerification: system certs verification failure<br>
24196.main - [27/May/2016:10:50:28 CEST] [20] [1]
SelfTestSubsystem: The CRITICAL self test plugin called
selftests.container.instance.SystemCertsVerification running at startup FAILED!<br>
###<br>
<br>
</div>
<div>But nothing else.<br>
<br>
</div>
<div>Best regards.<br>
<br>
</div>
<div>Bahan<br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Sep 14, 2016 at 7:27 PM, bahan
w <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:bahanw042014@gmail.com" target="_blank">bahanw042014@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>
<div>I also tried the following commands:<br>
###<br>
# ipa cert-show 1<br>
ipa: ERROR: Certificate operation cannot be
completed: Unable to communicate with CMS (Not
Found)<br>
<br>
# service ipa status<br>
Directory Service: RUNNING<br>
KDC Service: RUNNING<br>
KPASSWD Service: RUNNING<br>
MEMCACHE Service: RUNNING<br>
HTTP Service: RUNNING<br>
CA Service: RUNNING<br>
###<br>
<br>
</div>
I'm checking the /var/log/pki-ca logs to see if I find
something.<br>
<br>
</div>
Best regards.<span class="HOEnZb"><font color="#888888"><br>
<br>
</font></span></div>
<span class="HOEnZb"><font color="#888888">Bahan<br>
</font></span></div>
<div class="HOEnZb">
<div class="h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Sep 14, 2016 at 7:02
PM, bahan w <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:bahanw042014@gmail.com"
target="_blank">bahanw042014@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>Sorry Martin,<br>
<br>
</div>
This is not the first time I
forgot to add back freeipa
users.<br>
</div>
I have problems with gmail; sorry again.<br>
<br>
</div>
Indeed I figured out that I had to
restart the ipa server.<br>
</div>
So I tried to restart the ipa server.<br>
</div>
But it still was not working.<br>
<br>
</div>
So I thought it was maybe due to the
configuration I performed in the
nss.conf.<br>
</div>
So I rolled back this conf and restarted
ipa-server.<br>
</div>
Then I retried your commands but it is still
the same error.<br>
<br>
###<span><br>
Request ID '20140528064145':<br>
status: CA_UNREACHABLE<br>
</span> ca-error: Server failed
request, will retry: 4301 (RPC failed at
server. Certificate operation cannot be
completed: Unable to communicate with CMS
(Not Found)).<span><br>
stuck: yes<br>
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'<br>
CA: IPA<br>
issuer: CN=Certificate
Authority,O=<MYREALM><br>
subject: CN=<IPA SERVER
HOST>,O=<MYREALM><br>
expires: 2016-05-28 06:41:44 UTC<br>
eku:
id-kp-serverAuth,id-kp-clientAuth<br>
pre-save command:<br>
post-save command:
/usr/lib64/ipa/certmonger/restart_httpd<br>
track: yes<br>
auto-renew: yes<br>
###<br>
<br>
</span></div>
<div>Do you know what the CMS is?<br>
###<br>
(RPC failed at server. Certificate
operation cannot be completed: Unable to
communicate with CMS (Not Found)).<br>
###<br>
</div>
<div><br>
</div>
Best regards.<span><font color="#888888"><br>
<br>
</font></span></div>
<span><font color="#888888">Bahan<br>
<div>
<div><br>
<br>
<div>
<div>
<div>
<div><br>
<div><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</font></span></div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Sep 14,
2016 at 6:46 PM, Martin Basti <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:mbasti@redhat.com"
target="_blank">mbasti@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>did you restart IPA when you moved
time? Is there are more detailed
error description in output of
getcert list?<br>
</p>
<div>
<div> <br>
<div>On 14.09.2016 18:45, bahan w
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>I set the date-time to when the certificates were valid:<br>
###<br>
# date -s
'2016-05-27
10:00:00'<br>
Fri May 27 10:00:00
CEST 2016<br>
<br>
# date<br>
Fri May 27 10:00:02
CEST 2016<br>
###<br>
<br>
</div>
Then I tried to renew them:<br>
###<br>
# getcert resubmit -i
20140528063919<br>
Resubmitting
"20140528063919" to
"IPA".<br>
<br>
# getcert resubmit -i
20140528064145<br>
Resubmitting
"20140528064145" to
"IPA".<br>
<br>
# getcert resubmit -i
20140528063953<br>
Resubmitting
"20140528063953" to
"IPA".<br>
###<br>
<br>
</div>
But when I run getcert list afterwards, the result is the same.<br>
<br>
</div>
<div>I guess it is because of this?<br>
CA_UNREACHABLE<br>
</div>
<div><br>
</div>
Any idea?<br>
<br>
</div>
Best regards.<br>
<br>
</div>
Bahan<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Wed, Sep 14, 2016 at 6:38
PM, bahan w <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:bahanw042014@gmail.com"
target="_blank">bahanw042014@gmail.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>
<div>
<div>Ok, I managed to restart the IPA service by adding this line in the file /etc/httpd/conf.d/nss.conf:<br>
###<br>
NSSEnforceValidCerts off<br>
###<br>
<br>
</div>
But when I run getcert now I get the following result:
<div>
<div><br>
###<br>
# getcert list<br>
Number of
certificates
and requests
being tracked:
8.<br>
Request ID
'20140528063903':<br>
status:
MONITORING<br>
stuck:
no<br>
key
pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'<br>
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'<br>
CA:
dogtag-ipa-renew-agent<br>
issuer:
CN=Certificate
Authority,O=<MYREALM><br>
subject: CN=CA
Audit,O=<MYREALM><br>
expires:
2018-04-09
11:39:16 UTC<br>
pre-save
command:
/usr/lib64/ipa/certmonger/stop_pkicad<br>
post-save
command:
/usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"<br>
track:
yes<br>
auto-renew:
yes<br>
Request ID
'20140528063904':<br>
status:
MONITORING<br>
stuck:
no<br>
key
pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'<br>
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'<br>
CA:
dogtag-ipa-renew-agent<br>
issuer:
CN=Certificate
Authority,O=<MYREALM><br>
subject:
CN=OCSP
Subsystem,O=<MYREALM><br>
expires:
2018-04-09
11:38:16 UTC<br>
eku:
id-kp-OCSPSigning<br>
pre-save
command:
/usr/lib64/ipa/certmonger/stop_pkicad<br>
post-save
command:
/usr/lib64/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"<br>
track:
yes<br>
auto-renew:
yes<br>
Request ID
'20140528063905':<br>
status:
MONITORING<br>
stuck:
no<br>
key
pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'<br>
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'<br>
CA:
dogtag-ipa-renew-agent<br>
issuer:
CN=Certificate
Authority,O=<MYREALM><br>
subject: CN=CA
Subsystem,O=<MYREALM><br>
expires:
2018-04-09
11:38:16 UTC<br>
eku:
id-kp-serverAuth,id-kp-clientAuth<br>
pre-save
command:
/usr/lib64/ipa/certmonger/stop_pkicad<br>
post-save
command:
/usr/lib64/ipa/certmonger/renew_ca_cert
"subsystemCert
cert-pki-ca"<br>
track:
yes<br>
auto-renew:
yes<br>
Request ID
'20140528063906':<br>
status:
MONITORING<br>
stuck:
no<br>
key
pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate
DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate
DB'<br>
CA:
dogtag-ipa-renew-agent<br>
issuer:
CN=Certificate
Authority,O=<MYREALM><br>
subject:
CN=IPA
RA,O=<MYREALM><br>
expires:
2018-04-09
11:38:16 UTC<br>
eku:
id-kp-serverAuth,id-kp-clientAuth<br>
pre-save
command:<br>
post-save
command:
/usr/lib64/ipa/certmonger/renew_ra_cert<br>
track:
yes<br>
auto-renew:
yes<br>
Request ID
'20140528063907':<br>
status:
MONITORING<br>
stuck:
no<br>
key
pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'<br>
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'<br>
CA:
dogtag-ipa-renew-agent<br>
issuer:
CN=Certificate
Authority,O=<MYREALM><br>
subject:
CN=<IPA
SERVER
HOST>,O=<MYREALM><br>
expires:
2018-04-09
11:38:16 UTC<br>
eku:
id-kp-serverAuth,id-kp-clientAuth<br>
pre-save
command:<br>
post-save
command:<br>
track:
yes<br>
auto-renew:
yes<br>
Request ID
'20140528063919':<br>
</div>
</div>
status:
CA_UNREACHABLE<br>
ca-error:
Server failed
request, will
retry: -504
(libcurl failed to
execute the HTTP
POST transaction.
Peer certificate
cannot be
authenticated with
known CA
certificates).<br>
stuck: yes<span><br>
key pair
storage:
type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS
Certificate
DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'<br>
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS
Certificate DB'<br>
CA: IPA<br>
issuer:
CN=Certificate
Authority,O=<MYREALM><br>
subject:
CN=<IPA
SERVER
HOST>,O=<MYREALM><br>
expires:
2016-05-28
06:39:18 UTC<br>
eku:
id-kp-serverAuth,id-kp-clientAuth<br>
pre-save
command:<br>
post-save
command:
/usr/lib64/ipa/certmonger/restart_dirsrv
<MYREALM><br>
track:
yes<br>
auto-renew: yes<br>
Request ID
'20140528063953':<br>
</span>
status:
CA_UNREACHABLE<br>
ca-error:
Server failed
request, will
retry: -504
(libcurl failed to
execute the HTTP
POST transaction.
Peer certificate
cannot be
authenticated with
known CA
certificates).<br>
stuck: yes<span><br>
key pair
storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate
DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'<br>
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'<br>
CA: IPA<br>
issuer:
CN=Certificate
Authority,O=<MYREALM><br>
subject:
CN=<IPA
SERVER
HOST>,O=<MYREALM><br>
expires:
2016-05-28
06:39:52 UTC<br>
eku:
id-kp-serverAuth,id-kp-clientAuth<br>
pre-save
command:<br>
post-save
command:
/usr/lib64/ipa/certmonger/restart_dirsrv
PKI-IPA<br>
track:
yes<br>
auto-renew: yes<br>
Request ID
'20140528064145':<br>
</span>
status:
CA_UNREACHABLE<br>
ca-error:
Server failed
request, will
retry: -504
(libcurl failed to
execute the HTTP
POST transaction.
Peer certificate
cannot be
authenticated with
known CA
certificates).<br>
stuck: yes<span><br>
key pair
storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate
DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'<br>
CA: IPA<br>
issuer:
CN=Certificate
Authority,O=<MYREALM><br>
subject:
CN=<IPA
SERVER
HOST>,O=<MYREALM><br>
expires:
2016-05-28
06:41:44 UTC<br>
eku:
id-kp-serverAuth,id-kp-clientAuth<br>
pre-save
command:<br>
post-save
command:
/usr/lib64/ipa/certmonger/restart_httpd<br>
track:
yes<br>
auto-renew: yes<br>
###<br>
<br>
</span></div>
Indeed, the outdated entries are the following:<br>
</div>
- for /etc/dirsrv/slapd-<MYREALM>: 20140528063919<br>
- for /etc/dirsrv/slapd-PKI-IPA: 20140528063953<br>
</div>
- for httpd?: 20140528064145<br>
<br>
<div>
<div>
<div>
<div>Best regards.<span><font
color="#888888"><br>
<br>
</font></span></div>
<span><font
color="#888888">
<div>Bahan<br>
</div>
</font></span></div>
</div>
</div>
</div>
<div>
<div>
<div
class="gmail_extra"><br>
<div
class="gmail_quote">On
Wed, Sep 14, 2016
at 6:28 PM, bahan
w <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:bahanw042014@gmail.com"
target="_blank">bahanw042014@gmail.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0
0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>Ok :D <br>
<br>
Because to perform the getcert list command, I need to have all the ipa services running, right?<br>
<br>
</div>
<div>Here is
the result of
the command
with the ipa
services down.<br>
</div>
<div>###<br>
# getcert
list<br>
Number of
certificates
and requests
being tracked:
8.<br>
Request ID
'20140528063903':<br>
status:
MONITORING<br>
stuck:
no<br>
key
pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'<br>
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'<br>
CA:
dogtag-ipa-renew-agent<br>
issuer:
CN=Certificate
Authority,O=<MYREALM><br>
subject: CN=CA
Audit,O=<MYREALM><br>
expires:
2018-04-09
11:39:16 UTC<br>
pre-save
command:
/usr/lib64/ipa/certmonger/stop_pkicad<br>
post-save
command:
/usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"<br>
track:
yes<br>
auto-renew:
yes<br>
Request ID
'20140528063904':<br>
status:
MONITORING<br>
stuck:
no<br>
key
pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'<br>
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'<br>
CA:
dogtag-ipa-renew-agent<br>
issuer:
CN=Certificate
Authority,O=<MYREALM><br>
subject:
CN=OCSP
Subsystem,O=<MYREALM><br>
expires:
2018-04-09
11:38:16 UTC<br>
eku:
id-kp-OCSPSigning<br>
pre-save
command:
/usr/lib64/ipa/certmonger/stop_pkicad<br>
post-save
command:
/usr/lib64/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"<br>
track:
yes<br>
auto-renew:
yes<br>
Request ID
'20140528063905':<br>
status:
MONITORING<br>
stuck:
no<br>
key
pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'<br>
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'<br>
CA:
dogtag-ipa-renew-agent<br>
issuer:
CN=Certificate
Authority,O=<MYREALM><br>
subject: CN=CA
Subsystem,O=<MYREALM><br>
expires:
2018-04-09
11:38:16 UTC<br>
eku:
id-kp-serverAuth,id-kp-clientAuth<br>
pre-save
command:
/usr/lib64/ipa/certmonger/stop_pkicad<br>
post-save
command:
/usr/lib64/ipa/certmonger/renew_ca_cert
"subsystemCert
cert-pki-ca"<br>
track:
yes<br>
auto-renew:
yes<br>
Request ID
'20140528063906':<br>
status:
MONITORING<br>
stuck:
no<br>
key
pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate
DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate
DB'<br>
CA:
dogtag-ipa-renew-agent<br>
issuer:
CN=Certificate
Authority,O=<MYREALM><br>
subject:
CN=IPA
RA,O=<MYREALM><br>
expires:
2018-04-09
11:38:16 UTC<br>
eku:
id-kp-serverAuth,id-kp-clientAuth<br>
pre-save
command:<br>
post-save
command:
/usr/lib64/ipa/certmonger/renew_ra_cert<br>
track:
yes<br>
auto-renew:
yes<br>
Request ID
'20140528063907':<br>
status:
MONITORING<br>
stuck:
no<br>
key
pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'<br>
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'<br>
CA:
dogtag-ipa-renew-agent<br>
issuer:
CN=Certificate
Authority,O=<MYREALM><br>
subject:
CN=<IPA
SERVER
HOST>,O=<MYREALM><br>
expires:
2018-04-09
11:38:16 UTC<br>
eku:
id-kp-serverAuth,id-kp-clientAuth<br>
pre-save
command:<br>
post-save
command:<br>
track:
yes<br>
auto-renew:
yes<br>
Request ID
'20140528063919':<br>
status:
MONITORING<br>
ca-error:
Error setting
up ccache for
local "host"
service using
default
keytab: Cannot
contact any
KDC for realm
'<MYREALM>'.<br>
stuck:
no<br>
key
pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS
Certificate
DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'<br>
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS
Certificate
DB'<br>
CA:
IPA<br>
issuer:
CN=Certificate
Authority,O=<MYREALM><br>
subject:
CN=<IPA
SERVER
HOST>,O=<MYREALM><br>
expires:
2016-05-28
06:39:18 UTC<br>
eku:
id-kp-serverAuth,id-kp-clientAuth<br>
pre-save
command:<br>
post-save
command:
/usr/lib64/ipa/certmonger/restart_dirsrv
<MYREALM><br>
track:
yes<br>
auto-renew:
yes<br>
Request ID
'20140528063953':<br>
status:
MONITORING<br>
ca-error:
Error setting
up ccache for
local "host"
service using
default
keytab: Cannot
contact any
KDC for realm
'<MYREALM>'.<br>
stuck:
no<br>
key
pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate
DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'<br>
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate
DB'<br>
CA:
IPA<br>
issuer:
CN=Certificate
Authority,O=<MYREALM><br>
subject:
CN=<IPA
SERVER
HOST>,O=<MYREALM><br>
expires:
2016-05-28
06:39:52 UTC<br>
eku:
id-kp-serverAuth,id-kp-clientAuth<br>
pre-save
command:<br>
post-save
command:
/usr/lib64/ipa/certmonger/restart_dirsrv
PKI-IPA<br>
track:
yes<br>
auto-renew:
yes<br>
Request ID
'20140528064145':<br>
status:
MONITORING<br>
ca-error:
Error setting
up ccache for
local "host"
service using
default
keytab: Cannot
contact any
KDC for realm
'<MYREALM>'.<br>
stuck:
no<br>
key
pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate
DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate
DB'<br>
CA:
IPA<br>
issuer:
CN=Certificate
Authority,O=<MYREALM><br>
subject:
CN=<IPA
SERVER
HOST>,O=<MYREALM><br>
expires:
2016-05-28
06:41:44 UTC<br>
eku:
id-kp-serverAuth,id-kp-clientAuth<br>
pre-save
command:<br>
post-save
command:
/usr/lib64/ipa/certmonger/restart_httpd<br>
track:
yes<br>
auto-renew:
yes<br>
###<br>
<br>
</div>
Best regards.<span><font
color="#888888"><br>
<br>
</font></span></div>
<span><font
color="#888888">
<div>Bahan<br>
</div>
</font></span></div>
<div>
<div>
<div
class="gmail_extra"><br>
<div
class="gmail_quote">On
Wed, Sep 14,
2016 at 6:21
PM, Martin
Basti <span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div
bgcolor="#FFFFFF"
text="#000000">
<p><br>
</p>
<p>Then you have to start the services manually. I don't know if the same steps will work with IPA 3.0.0, I don't remember, but you can try :)<br>
</p>
<div>
<div> <br>
<div>On
14.09.2016
18:18, bahan w
wrote:<br>
</div>
<blockquote
type="cite">
<div dir="ltr">
<div>Oh, I forgot to add that my version of ipa is quite old:<br>
###<br>
# rpm -qa |
grep
ipa-server<br>
ipa-server-3.0.0-25.el6.x86_64<br>
###<br>
<br>
</div>
When I try the command you gave me I get the following error:<br>
###<br>
<div># ipactl
start --force<br>
Usage: ipactl
start|stop|restart|status<br>
<br>
<br>
ipactl: error:
no such
option:
--force<br>
###<br>
<br>
</div>
<div>Best
regards.<br>
<br>
</div>
<div>Bahan<br>
</div>
</div>
</blockquote>
<blockquote
type="cite">
<div
class="gmail_extra"><br>
<div
class="gmail_quote">On
Wed, Sep 14,
2016 at 6:14
PM, Martin
Basti <span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div
bgcolor="#FFFFFF"
text="#000000">
<div>
<div>
<p><br>
</p>
<br>
<div>On
14.09.2016
17:59, bahan w
wrote:<br>
</div>
<blockquote
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>Hello!<br>
<br>
</div>
I am sending you this mail because I cannot restart my test IPA server.<br>
<br>
</div>
When I try to start it with service ipa start, I get the following error message:<br>
###<br>
# service ipa
start<br>
Starting
Directory
Service<br>
Starting
dirsrv:<br>
<MYREALM>...[14/Sep/2016:17:57:23
+0200] - SSL
alert:
CERT_VerifyCertificateNow:
verify
certificate
failed for
cert
Server-Cert of
family
cn=RSA,cn=encryption,cn=config
(Netscape
Portable
Runtime error
-8181 - Peer's
Certificate
has expired.)<br>
[ OK ]<br>
PKI-IPA...[14/Sep/2016:17:57:33
+0200] - SSL
alert:
CERT_VerifyCertificateNow:
verify
certificate
failed for
cert
Server-Cert of
family
cn=RSA,cn=encryption,cn=config
(Netscape
Portable
Runtime error
-8181 - Peer's
Certificate
has expired.)<br>
[ OK ]<br>
Starting KDC
Service<br>
Starting
Kerberos 5
KDC:
[ OK ]<br>
Starting
KPASSWD
Service<br>
Starting
Kerberos 5
Admin
Server:
[ OK ]<br>
Starting
MEMCACHE
Service<br>
Starting
ipa_memcached:
[ OK ]<br>
Starting HTTP
Service<br>
Starting
httpd:
[FAILED]<br>
Failed to
start HTTP
Service<br>
Shutting down<br>
Stopping
Kerberos 5
KDC:
[ OK ]<br>
Stopping
Kerberos 5
Admin
Server:
[ OK ]<br>
Stopping
ipa_memcached:
[ OK ]<br>
Stopping
httpd:
[FAILED]<br>
Stopping
pki-ca:
[ OK ]<br>
Shutting down
dirsrv:<br>
<MYREALM>...
[ OK ]<br>
PKI-IPA...
[ OK ]<br>
Aborting
ipactl<br>
<br>
# service ipa
status<br>
Directory
Service:
STOPPED<br>
Failed to get
list of
services to
probe status:<br>
Directory
Server is
stopped<br>
###<br>
<br>
</div>
<div>Do you know how to renew the SSL certificate used for the IPA Server?<br>
<br>
</div>
<div>Best
regards.<br>
<br>
</div>
<div>Bahan<br>
</div>
<br>
</div>
</div>
<br>
<br>
</blockquote>
<br>
<br>
</div>
</div>
Hello,<br>
<br>
please run<br>
<br>
# ipactl start --force<br>
# getcert list (to detect which certificate is outdated; I suspect the DS cert (or to get more info on why it has not been renewed))<br>
<br>
If getcert does work (I'm not sure if it is able to work without httpd), you probably need to move time back to the past where the cert is valid, start IPA and try again.<br>
<br>
Please find the ID of the outdated certificate and try to resubmit it (CA and DS must be running)<br>
<br>
# getcert resubmit -i 20160914122036 (use your ID :) )<br>
<br>
This should renew the cert; check the status with getcert list<br>
<br>
Move time back to the future (if needed)<br>
<br>
Try to restart IPA<br>
<br>
Martin^2<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
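<p>A small parser for the <code>getcert list</code> output pasted in this thread, doing mechanically what the thread does by eye: list the tracked certificates that are past their expiry date, list the requests certmonger has marked stuck (with their ca-error), and compute the latest clock reading at which every tracked certificate is still valid. This is an added example, not code from FreeIPA, certmonger or any poster; the sample output, realm and host name are constructed, and the deadline helper only bounds the clock from above because <code>getcert list</code> does not print a certificate's start of validity (the point raised in the top reply).</p>

```python
"""Report expired and stuck certmonger requests from `getcert list` output.

Added example for this thread; not FreeIPA, certmonger or the posters' code.
"""
from datetime import datetime, timezone

# Constructed sample in the shape of the thread's output; realm, host name and
# request IDs are placeholders and the key-storage lines are left out.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20140528063906':
    status: MONITORING
    stuck: no
    subject: CN=IPA RA,O=EXAMPLE.TEST
    expires: 2018-04-09 11:38:16 UTC
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
Request ID '20140528063919':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
    stuck: yes
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2016-05-28 06:39:18 UTC
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE.TEST
Request ID '20140528064145':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: yes
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2016-05-28 06:41:44 UTC
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
"""


def parse_getcert_list(text):
    """One dict per 'Request ID' block, keyed by the field names getcert prints."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Request ID '"):
            current = {"request_id": line[len("Request ID '"):].rstrip("':")}
            requests.append(current)
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)  # ca-error values contain ':' too
            current[key] = value
        elif current is not None and line.endswith(":"):
            current[line[:-1]] = ""  # e.g. "pre-save command:" with no value
    return requests


def parse_expiry(value):
    """'2016-05-28 06:41:44 UTC' -> aware datetime; None if absent or unparseable."""
    try:
        stamp = datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC")
    except (TypeError, ValueError):
        return None
    return stamp.replace(tzinfo=timezone.utc)


def outdated_requests(requests, now):
    """IDs whose certificate has expired as of `now` (an aware datetime)."""
    out = []
    for r in requests:
        exp = parse_expiry(r.get("expires"))
        if exp is not None and exp <= now:
            out.append(r["request_id"])
    return out


def stuck_requests(requests):
    """(id, status, ca-error) for requests certmonger has stopped retrying."""
    return [(r["request_id"], r.get("status"), r.get("ca-error", ""))
            for r in requests if r.get("stuck") == "yes"]


def clock_deadline(requests):
    """Earliest expiry among tracked certs: the clock must read before it for
    every cert to be valid. getcert does not print notBefore, so the lower
    bound (not before the CA's own certs were issued) must come from the certs."""
    expiries = [e for e in (parse_expiry(r.get("expires")) for r in requests) if e]
    return min(expiries) if expiries else None
```

Feed real output with `getcert list | python3 -c 'import sys, this_module; ...'` or call `parse_getcert_list(open(path).read())`; the sample reproduces the thread's situation, where the three IPA-issued certs are expired on 2016-09-14 but valid at the 2016-05-27 date the clock was moved back to.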
<br>
</body>
</html>