I have restarted the pki-cad and checked if communication with the CA is working, but no luck.
Debug logs in /var/log/pki-ca do not have anything unusual. Can you think of anything other than this?

[root@caer ~]# ipa cert-show 1
  Subject: CN=Certificate Authority,O=TELOIP.NET
  Issuer: CN=Certificate Authority,O=TELOIP.NET
  Not Before: Wed Dec 14 22:29:56 2011 UTC
  Not After: Sat Dec 14 22:29:56 2019 UTC
  Fingerprint (MD5): c9:27:1d:84:4c:2c:97:38:a4:7b:9a:c0:78:3e:7f:7a
  Fingerprint (SHA1): ce:d7:11:84:70:dd:cb:4e:e2:08:f5:c0:ac:ff:b3:c5:bb:81:77:7e
  Serial number (hex): 0x1
  Serial number: 1
[root@caer ~]#

*ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".*

On Wed, Jul 20, 2016 at 2:22 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Linov Suresh wrote:
>
>> Thanks for your help Rob, I will create a separate thread for IPA
>> replication issue. But we are still getting
>>
>> *ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".*
>>
>> Could you please help us to fix this?
>
> I think your CA isn't quite fixed yet. I'd restart pki-cad then do
> something like: ipa cert-show 1
>
> You should get back a cert (doesn't really matter what cert).
>
> Otherwise I'd check the CA debug log somewhere in /var/log/pki
>
> rob
>
>> On Wed, Jul 20, 2016 at 10:08 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>
>> Glad you got the certificates successfully renewed.
>>
>> Can you open a new e-mail thread on this new problem so we can keep
>> the issues separated?
>>
>> IPA gets little information back when dogtag fails to install. You
>> need to look in /var/log/<something>/debug for more information. The
>> exact location depends on the version of IPA.
>>
>> rob
>>
>> Linov Suresh wrote:
>>
>> Great! That worked, and I successfully renewed the certificates on
>> the IPA server and I was trying to create an IPA replica server and got
>> an error,
>>
>> [root@neit-lab ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders --skip-conncheck /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg
>> Directory Manager (existing master) password:
>> Configuring NTP daemon (ntpd)
>>   [1/4]: stopping ntpd
>>   [2/4]: writing configuration
>>   [3/4]: configuring ntpd to start on boot
>>   [4/4]: starting ntpd
>> Done configuring NTP daemon (ntpd).
>> Configuring directory server for the CA (pkids): Estimated time 30 seconds
>>   [1/3]: creating directory server user
>>   [2/3]: creating directory server instance
>>   [3/3]: restarting directory server
>> Done configuring directory server for the CA (pkids).
>> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>>   [1/17]: creating certificate server user
>>   [2/17]: creating pki-ca instance
>>   [3/17]: configuring certificate server instance
>> ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname neit-lab.teloip.net -cs_port 9445 -client_certdb_dir /tmp/tmp-QAXI9A -client_certdb_pwd XXXXXXXX -preop_pin UpMxkDYjV90WLL041tDU -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET -ldap_host neit-lab.teloip.net -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TELOIP.NET -ca_server_cert_subject_name CN=neit-lab.teloip.net,O=TELOIP.NET -ca_audit_signing_cert_subject_name CN=CA Audit,O=TELOIP.NET -ca_sign_cert_subject_name CN=Certificate Authority,O=TELOIP.NET -external false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX -sd_hostname caer.teloip.net -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri https://caer.teloip.net:443' returned non-zero exit status 255
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>> Configuration of CA failed
>> [root@neit-lab ~]#
>>
>> I did a clean up using /usr/sbin/ipa-server-install --uninstall but it
>> wasn't helpful. Wondering if you can help us on this,
>>
>> On Tue, Jul 19, 2016 at 10:50 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>
>> Linov Suresh wrote:
>>
>> I have followed Redhat official documentation,
>> https://access.redhat.com/solutions/643753 for certificate renewal,
>> which says *add: usercertificate. (step 12)*
>>
>> While on the other hand FreeIPA official documentation
>> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal , say to
>> *add: usercertificate;binary*
>>
>> Just wondering if we need to *add* the certificate? or *replace* the
>> existing certificate and which format do we need to use? *pem* or *der*.
>>
>> We already successfully renewed the certificates about months back, but
>> they were expired about 6 months back and we were not able to renew till
>> now, and is affected our production environment.
>>
>> Please help us.
>>
>> You shouldn't have to mess with these values at all. In 3.0 this is
>> handled somewhat automatically.
>>
>> I'd restart the CA, then certmonger and see if the communication
>> error goes away for the CA subservice certificates (the internal error).
>>
>> # service pki-cad restart
>> <pause a bit>
>> # service certmonger restart
>>
>> I find it very strange that the certificates were set to expire
>> yesterday but it isn't a show-stopper necessarily assuming you can
>> get the CA back up.
>>
>> Assuming you can, then go back in time again, this time just a few
>> days and try renewing the LDAP and Apache server certs again.
>>
>> rob
>>
>> On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh <linov.sur...@gmail.com> wrote:
>>
>> We have cloned and created another virtual server from the template.
>> Surprisingly this server certificates were also expired at the same
>> time as the previous, just lasted for a day.
>> This issue has something to do with the kerberos tickets?
>>
>> I am new to IPA and your help is highly appreciated.
>>
>> On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh <linov.sur...@gmail.com> wrote:
>>
>> *Update: my webserver and LDAP certificates were expired at
>> 2016-07-18 15:54:36 UTC and the certificates are in
>> CA_UNREACHABLE state.*
>>
>> *Could you please help us?*
>>
>> [root@caer tmp]# getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20111214223243':
>>     status: CA_UNREACHABLE
>>     ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>>     stuck: yes
>>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
>>     CA: IPA
>>     issuer: CN=Certificate Authority,O=TELOIP.NET
>>     subject: CN=caer.teloip.net,O=TELOIP.NET
>>     *expires: 2016-07-18 15:54:36 UTC*
>>     eku: id-kp-serverAuth
>>     pre-save command:
>>     post-save command:
>>     track: yes
>>     auto-renew: yes
>> Request ID '20111214223300':
>>     status: CA_UNREACHABLE
>>     ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>>     stuck: yes
>>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>     CA: IPA
>>     issuer: CN=Certificate Authority,O=TELOIP.NET
>>     subject: CN=caer.teloip.net,O=TELOIP.NET
>>     *expires: 2016-07-18 15:54:52 UTC*
>>     eku: id-kp-serverAuth
>>     pre-save command:
>>     post-save command:
>>     track: yes
>>     auto-renew: yes
>> Request ID '20111214223316':
>>     status: CA_UNREACHABLE
>>     ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
>>     stuck: yes
>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>     CA: IPA
>>     issuer: CN=Certificate Authority,O=TELOIP.NET
>>     subject: CN=caer.teloip.net,O=TELOIP.NET
>>     *expires: 2016-07-18 15:55:04 UTC*
>>     eku: id-kp-serverAuth
>>     pre-save command:
>>     post-save command:
>>     track: yes
>>     auto-renew: yes
>> Request ID '20130519130741':
>>     status: MONITORING
>>     ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=TELOIP.NET
>>     subject: CN=CA Audit,O=TELOIP.NET
>>     expires: 2017-10-13 14:10:49 UTC
>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>     track: yes
>>     auto-renew: yes
>> Request ID '20130519130742':
>>     status: MONITORING
>>     ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=TELOIP.NET
>>     subject: CN=OCSP Subsystem,O=TELOIP.NET
>>     expires: 2017-10-13 14:09:49 UTC
>>     eku: id-kp-OCSPSigning
>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>     track: yes
>>     auto-renew: yes
>> Request ID '20130519130743':
>>     status: MONITORING
>>     ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=TELOIP.NET
>>     subject: CN=CA Subsystem,O=TELOIP.NET
>>     expires: 2017-10-13 14:09:49 UTC
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>     track: yes
>>     auto-renew: yes
>> Request ID '20130519130744':
>>     status: MONITORING
>>     ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=TELOIP.NET
>>     subject: CN=RA Subsystem,O=TELOIP.NET
>>     expires: 2017-10-13 14:09:49 UTC
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>     track: yes
>>     auto-renew: yes
>> Request ID '20130519130745':
>>     status: MONITORING
>>     ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>>     stuck: no
>>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>     CA: dogtag-ipa-renew-agent
>>     issuer: CN=Certificate Authority,O=TELOIP.NET
>>     subject: CN=caer.teloip.net,O=TELOIP.NET
>>     expires: 2017-10-13 14:09:49 UTC
>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>     pre-save command:
>>     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
>>     track: yes
>>     auto-renew: yes
>>
>> On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh <linov.sur...@gmail.com> wrote:
>>
>> Yes, PKI is running and I don't see any errors in selftests,
>> I have followed https://access.redhat.com/solutions/643753
>> and restarted the PKI in step 10.
>>
>> The only change which I made was clean up userCertificate;binary
>> before adding new userCertificate in LDAP, which is step 12.
>>
>> [root@caer ~]# /etc/init.d/pki-cad status
>> pki-ca (pid 8634) is running... [ OK ]
>>     Unsecure Port = http://caer.teloip.net:9180/ca/ee/ca
>>     Secure Agent Port = https://caer.teloip.net:9443/ca/agent/ca
>>     Secure EE Port = https://caer.teloip.net:9444/ca/ee/ca
>>     Secure Admin Port = https://caer.teloip.net:9445/ca/services
>>     EE Client Auth Port = https://caer.teloip.net:9446/ca/eeca/ca
>>     PKI Console Port = pkiconsole https://caer.teloip.net:9445/ca
>>     Tomcat Port = 9701 (for shutdown)
>>
>>     PKI Instance Name: pki-ca
>>
>>     PKI Subsystem Type: Root CA (Security Domain)
>>
>>     Registered PKI Security Domain Information:
>>     ==========================================================================
>>     Name: IPA
>>     URL: https://caer.teloip.net:9445
>>     ==========================================================================
>> [root@caer ~]#
>> [root@caer ~]# tail -f /var/log/pki-ca/selftests.log
>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances
>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence: CA is present
>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification: system certs verification success
>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!
>>
>> Your help is highly appreciated!
>>
>> Linov Suresh
>>
>> 70 Forest Manor Rd.
>> Toronto
>> ON M2J 0A9
>> Mobile: +1 647 406 9438
>> Linkedin: ca.linkedin.com/in/linov/
>> Website: http://mylinuxthoughts.blogspot.com
>>
>> On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik <pvobo...@redhat.com> wrote:
>>
>> On 07/18/2016 05:45 AM, Linov Suresh wrote:
>> > Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and
>> > certmonger. Looks like certificates were renewed.
>> > But I'm getting a different error now,
>> >
>> > *ca-error: Internal error: no response to
>> > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".*
>>
>> Is PKI running? When you change the time, does restart of IPA help?
>>
>> > [root@caer ~]# getcert list
>> > Number of certificates and requests being tracked: 8.
>> > Request ID '20111214223243':
>> >     status: MONITORING
>> >     stuck: no
>> >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>> >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
>> >     CA: IPA
>> >     issuer: CN=Certificate Authority,O=TELOIP.NET
>> >     subject: CN=caer.teloip.net
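One way to triage output like the `getcert list` dumps quoted in this thread, added here as an illustration and not posted by any participant or taken from FreeIPA or certmonger: it buckets tracked requests by the two `ca-error` texts seen above and flags certificates that are past their expiry time. The sample input, hostnames, request IDs and bucket names are constructed for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of the `getcert list` output quoted in the
# thread; hostnames, request IDs and dates are made up for this example.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20200101000001':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
    CA: IPA
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2024-07-18 15:54:36 UTC
Request ID '20200101000002':
    status: MONITORING
    ca-error: Internal error: no response to "http://ipa.example.test:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
    CA: dogtag-ipa-renew-agent
    subject: CN=CA Audit,O=EXAMPLE.TEST
    expires: 2025-10-13 14:10:49 UTC
Request ID '20200101000003':
    status: MONITORING
    CA: IPA
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2026-01-20 10:00:00 UTC
"""

REQUEST = re.compile(r"^Request ID '([^']+)':\s*$")
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?):\s*(.*)$")


def parse_getcert(text):
    """Split `getcert list` output into one dict of fields per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        header = REQUEST.match(line)
        if header:
            current = {"id": header.group(1)}
            requests.append(current)
            continue
        field = FIELD.match(line)
        if field and current is not None:
            current.setdefault(field.group(1), field.group(2).strip())
    return requests


def triage(text, now):
    """Return (request id, bucket, expired?) for each tracked request."""
    results = []
    for req in parse_getcert(text):
        error = req.get("ca-error", "")
        if "cannot be authenticated" in error:
            bucket = "tls-trust-failure"  # libcurl rejected the server's TLS certificate
        elif "no response to" in error:
            bucket = "ca-no-response"     # renewal request got no answer from the CA
        elif error or req.get("status") != "MONITORING":
            bucket = "needs-review"       # any other error text or non-idle status
        else:
            bucket = "ok"
        expired = None                    # stays None when no expiry is listed
        if "expires" in req:
            when = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC")
            expired = when.replace(tzinfo=timezone.utc) < now
        results.append((req["id"], bucket, expired))
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE, datetime.now(timezone.utc)):
        print(row)
```

Feeding it the real output of `getcert list` instead of `SAMPLE` gives a per-request summary that can be checked from cron before any certificate reaches its expiry date.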