We have cloned and created another virtual server from the template. Surprisingly, this server's certificates also expired at the same time as the previous one's; they lasted just a day. Does this issue have something to do with the Kerberos tickets?
I am new to IPA and your help is highly appreciated.

On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh <linov.sur...@gmail.com> wrote:

> Update: my webserver and LDAP certificates expired at 2016-07-18 15:54:36 UTC and the certificates are in CA_UNREACHABLE state.
>
> Could you please help us?
>
> [root@caer tmp]# getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20111214223243':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=TELOIP.NET
>         subject: CN=caer.teloip.net,O=TELOIP.NET
>         expires: 2016-07-18 15:54:36 UTC
>         eku: id-kp-serverAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20111214223300':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=TELOIP.NET
>         subject: CN=caer.teloip.net,O=TELOIP.NET
>         expires: 2016-07-18 15:54:52 UTC
>         eku: id-kp-serverAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20111214223316':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=TELOIP.NET
>         subject: CN=caer.teloip.net,O=TELOIP.NET
>         expires: 2016-07-18 15:55:04 UTC
>         eku: id-kp-serverAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20130519130741':
>         status: MONITORING
>         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=TELOIP.NET
>         subject: CN=CA Audit,O=TELOIP.NET
>         expires: 2017-10-13 14:10:49 UTC
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20130519130742':
>         status: MONITORING
>         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=TELOIP.NET
>         subject: CN=OCSP Subsystem,O=TELOIP.NET
>         expires: 2017-10-13 14:09:49 UTC
>         eku: id-kp-OCSPSigning
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20130519130743':
>         status: MONITORING
>         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=TELOIP.NET
>         subject: CN=CA Subsystem,O=TELOIP.NET
>         expires: 2017-10-13 14:09:49 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20130519130744':
>         status: MONITORING
>         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=TELOIP.NET
>         subject: CN=RA Subsystem,O=TELOIP.NET
>         expires: 2017-10-13 14:09:49 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>         track: yes
>         auto-renew: yes
> Request ID '20130519130745':
>         status: MONITORING
>         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>         stuck: no
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=TELOIP.NET
>         subject: CN=caer.teloip.net,O=TELOIP.NET
>         expires: 2017-10-13 14:09:49 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
>         track: yes
>         auto-renew: yes
>
> On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh <linov.sur...@gmail.com> wrote:
>
>> Yes, PKI is running and I don't see any errors in selftests. I have followed https://access.redhat.com/solutions/643753 and restarted the PKI in step 10.
>>
>> The only change I made was to clean up userCertificate;binary before adding the new userCertificate in LDAP, which is step 12.
>>
>> [root@caer ~]# /etc/init.d/pki-cad status
>> pki-ca (pid 8634) is running...
>> [ OK ]
>>     Unsecure Port = http://caer.teloip.net:9180/ca/ee/ca
>>     Secure Agent Port = https://caer.teloip.net:9443/ca/agent/ca
>>     Secure EE Port = https://caer.teloip.net:9444/ca/ee/ca
>>     Secure Admin Port = https://caer.teloip.net:9445/ca/services
>>     EE Client Auth Port = https://caer.teloip.net:9446/ca/eeca/ca
>>     PKI Console Port = pkiconsole https://caer.teloip.net:9445/ca
>>     Tomcat Port = 9701 (for shutdown)
>>
>>     PKI Instance Name: pki-ca
>>
>>     PKI Subsystem Type: Root CA (Security Domain)
>>
>>     Registered PKI Security Domain Information:
>>
>>     ==========================================================================
>>     Name: IPA
>>     URL: https://caer.teloip.net:9445
>>
>>     ==========================================================================
>> [root@caer ~]#
>> [root@caer ~]# tail -f /var/log/pki-ca/selftests.log
>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances
>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence: CA is present
>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification: system certs verification success
>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!
>>
>> Your help is highly appreciated!
>>
>> Linov Suresh
>> 70 Forest Manor Rd.
>> Toronto
>> ON M2J 0A9
>> Mobile: +1 647 406 9438
>> Linkedin: ca.linkedin.com/in/linov/
>> Website: http://mylinuxthoughts.blogspot.com
>>
>> On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik <pvobo...@redhat.com> wrote:
>>
>>> On 07/18/2016 05:45 AM, Linov Suresh wrote:
>>> > Thanks for the update, Rob. I went back to Jan 20, 2016, and restarted CA and certmonger. It looks like the certificates were renewed. But I'm getting a different error now:
>>> >
>>> > ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>>>
>>> Is PKI running? When you change the time, does a restart of IPA help?
>>>
>>> > [root@caer ~]# getcert list
>>> > Number of certificates and requests being tracked: 8.
>>> > Request ID '20111214223243':
>>> >         status: MONITORING
>>> >         stuck: no
>>> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>>> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
>>> >         CA: IPA
>>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>>> >         subject: CN=caer.teloip.net,O=TELOIP.NET
>>> >         expires: 2016-07-18 15:54:36 UTC
>>> >         eku: id-kp-serverAuth
>>> >         pre-save command:
>>> >         post-save command:
>>> >         track: yes
>>> >         auto-renew: yes
>>> > Request ID '20111214223300':
>>> >         status: MONITORING
>>> >         stuck: no
>>> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>>> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>> >         CA: IPA
>>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>>> >         subject: CN=caer.teloip.net,O=TELOIP.NET
>>> >         expires: 2016-07-18 15:54:52 UTC
>>> >         eku: id-kp-serverAuth
>>> >         pre-save command:
>>> >         post-save command:
>>> >         track: yes
>>> >         auto-renew: yes
>>> > Request ID '20111214223316':
>>> >         status: MONITORING
>>> >         stuck: no
>>> >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>> >         CA: IPA
>>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>>> >         subject: CN=caer.teloip.net,O=TELOIP.NET
>>> >         expires: 2016-07-18 15:55:04 UTC
>>> >         eku: id-kp-serverAuth
>>> >         pre-save command:
>>> >         post-save command:
>>> >         track: yes
>>> >         auto-renew: yes
>>> > Request ID '20130519130741':
>>> >         status: MONITORING
>>> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
>>> >         stuck: no
>>> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>> >         CA: dogtag-ipa-renew-agent
>>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>>> >         subject: CN=CA Audit,O=TELOIP.NET
>>> >         expires: 2017-10-13 14:10:49 UTC
>>> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>> >         track: yes
>>> >         auto-renew: yes
>>> > Request ID '20130519130742':
>>> >         status: MONITORING
>>> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>>> >         stuck: no
>>> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>> >         CA: dogtag-ipa-renew-agent
>>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>>> >         subject: CN=OCSP Subsystem,O=TELOIP.NET
>>> >         expires: 2017-10-13 14:09:49 UTC
>>> >         eku: id-kp-OCSPSigning
>>> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>> >         track: yes
>>> >         auto-renew: yes
>>> > Request ID '20130519130743':
>>> >         status: MONITORING
>>> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>>> >         stuck: no
>>> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>> >         CA: dogtag-ipa-renew-agent
>>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>>> >         subject: CN=CA Subsystem,O=TELOIP.NET
>>> >         expires: 2017-10-13 14:09:49 UTC
>>> >         eku: id-kp-serverAuth,id-kp-clientAuth
>>> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>> >         track: yes
>>> >         auto-renew: yes
>>> > Request ID '20130519130744':
>>> >         status: MONITORING
>>> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
>>> >         stuck: no
>>> >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>> >         CA: dogtag-ipa-renew-agent
>>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>>> >         subject: CN=RA Subsystem,O=TELOIP.NET
>>> >         expires: 2017-10-13 14:09:49 UTC
>>> >         eku: id-kp-serverAuth,id-kp-clientAuth
>>> >         pre-save command:
>>> >         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>> >         track: yes
>>> >         auto-renew: yes
>>> > Request ID '20130519130745':
>>> >         status: MONITORING
>>> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>>> >         stuck: no
>>> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>> >         CA: dogtag-ipa-renew-agent
>>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>>> >         subject: CN=caer.teloip.net,O=TELOIP.NET
>>> >         expires: 2017-10-13 14:09:49 UTC
>>> >         eku: id-kp-serverAuth,id-kp-clientAuth
>>> >         pre-save command:
>>> >         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
>>> >         track: yes
>>> >         auto-renew: yes
>>> > [root@caer ~]#
>>> >
>>> > Your help is highly appreciated!
>>> >
>>> > On Fri, Jul 15, 2016 at 5:08 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>> >
>>> > > Linov Suresh wrote:
>>> > > > I logged into my IPA master and found that the cert had expired again; we renewed these certificates about 18 months ago.
>>> > > >
>>> > > > Our environment is CentOS 6.4 and IPA 3.0.0-26.
>>> > > >
>>> > > > I followed the Red Hat documentation, "How do I manually renew Identity Management (IPA) certificates after they have expired? (Master IPA Server)", https://access.redhat.com/solutions/643753, but no luck.
>>> > > >
>>> > > > I have also changed the directive "NSSEnforceValidCerts off" in /etc/httpd/conf.d/nss.conf, and the value of nsslapd-validate-cert is warn.
>>> > > >
>>> > > > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w ******* -b cn=config | grep nsslapd-validate-cert
>>> > > >
>>> > > > nsslapd-validate-cert: warn
>>> > > >
>>> > > > Here is my getcert list,
>>> > > >
>>> > > > [root@caer ~]# getcert list
>>> > >
>>> > > It looks like your CA subsystem certificates all renewed successfully; it is just the webserver and LDAP certificates that need renewing, so that's good.
>>> > >
>>> > > What I'd do is go back in time again to, say, Jan 20, 2016, and restart certmonger. That should make it retry the renewals.
>>> > >
>>> > > rob
>>>
>>> --
>>> Petr Vobornik
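An added example, not from this thread and not part of FreeIPA or certmonger: a Python script that parses `getcert list` output of the kind quoted above and flags each tracked certificate as expired, stuck, expiring, or carrying a ca-error, and reports the earliest expiry, which is the date that any clock rollback for a manual renewal of the kind discussed in the thread must precede. The sample listing is constructed from the fields shown in the thread (two of the eight requests, abbreviated); the 30-day warning threshold and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: an abbreviated `getcert list` (two tracked requests,
# modelled on the listing quoted in the thread) so the script runs offline.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20111214223316':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2016-07-18 15:55:04 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130519130744':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=RA Subsystem,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':")
FIELD_RE = re.compile(r"^\s+(?P<key>[^:]+):\s?(?P<value>.*)$")


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracked request.

    Keys are the field names certmonger prints (status, ca-error, stuck,
    expires, ...) plus 'request_id'; values are the raw strings.
    """
    entries = []
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group("id")}
            entries.append(current)
            continue
        if current is None:
            continue  # "Number of certificates ..." header line
        m = FIELD_RE.match(line)
        if m:
            current[m.group("key").strip()] = m.group("value").strip()
    return entries


def parse_expiry(value):
    """certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def classify(entries, now, warn_days=30):
    """Map request ID -> 'expired', 'stuck', 'expiring', 'ca-error' or 'ok'.

    warn_days is an assumed threshold: the lead time a monitoring check
    gives before a certificate reaches its notAfter date.
    """
    report = {}
    for e in entries:
        expires = parse_expiry(e["expires"])
        if expires <= now:
            state = "expired"      # already past notAfter
        elif e.get("stuck") == "yes":
            state = "stuck"        # certmonger has stopped retrying
        elif expires - now <= timedelta(days=warn_days):
            state = "expiring"
        elif e.get("ca-error"):
            state = "ca-error"     # last renewal attempt failed; retry pending
        else:
            state = "ok"
        report[e["request_id"]] = state
    return report


def earliest_expiry(entries):
    """Earliest notAfter among the tracked certs, as an ISO-8601 string.

    For a manual renewal following the Red Hat article cited in the thread,
    the date the clock is set back to must lie before this value so that
    every tracked certificate still validates when certmonger retries.
    """
    return min(parse_expiry(e["expires"]) for e in entries).isoformat()


if __name__ == "__main__":
    tracked = parse_getcert_list(SAMPLE_GETCERT_OUTPUT)
    for rid, state in classify(tracked, datetime.now(timezone.utc)).items():
        print(f"{rid}: {state}")
    print("earliest expiry:", earliest_expiry(tracked))
```

On a real server, feed it the output of `getcert list` instead of the constructed sample; a scheduled run that alerts on anything other than `ok` would have caught the expiry in this thread weeks in advance instead of at the moment the web and LDAP services stopped accepting connections.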
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project