Re: [Freeipa-users] KDC returned error string: NOT_ALLOWED_TO_DELEGATE

2016-08-25 Thread Linov Suresh
Great! That worked.
Thank you so much Rob. Your help is highly appreciated.

On Thu, Aug 25, 2016 at 3:49 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Linov Suresh wrote:
>
>> I ran ldapsearch -Y GSSAPI; what we are seeing is that IPA server 2, ipa02,
>> is missing on both the master and the replica servers. Do we need to add
>> IPA server 2, ipa02, on both master and replica?
>>
>
> No, it should replicate. I find it very strange that these are missing. I
> wonder what else wasn't setup when the replica was created.
>
> In any case, this will add the entries:
>
> # ldapmodify -Y GSSAPI
> dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
> changetype: modify
> add: memberPrincipal
> memberPrincipal: HTTP/ipa02.teloip@teloip.net
>
> ^D
>
> # ldapmodify -Y GSSAPI
> dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
> changetype: modify
> add: memberPrincipal
> memberPrincipal: ldap/ipa02.teloip@teloip.net
>
> ^D
>
> rob
>
>>
>> *[root@ipa01 ~]# ldapsearch -Y GSSAPI -H ldap://ipa01.teloip.net
>> -b "cn=s4u2proxy,cn=etc,dc=teloip,dc=net"*
>> SASL/GSSAPI authentication started
>> SASL username: ad...@teloip.net
>> SASL SSF: 56
>> SASL data security layer installed.
>> # extended LDIF
>> #
>> # LDAPv3
>> # base 
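
A consistency check for the s4u2proxy entries discussed in this exchange, as an added example (not FreeIPA's own code and not posted in the thread): it parses the LDIF that `ldapsearch -Y GSSAPI -b cn=s4u2proxy,cn=etc,dc=teloip,dc=net` prints, reports which HTTP/ and ldap/ memberPrincipal values are missing for each IPA server, and builds ldapmodify input in the same shape as the fix above. The server list, the realm TELOIP.NET and the sample LDIF are constructed from names used in the thread.

```python
import base64
from collections import defaultdict

# Constructed inputs (assumptions): the two servers and realm named in the thread.
BASE_DN = "dc=teloip,dc=net"
REALM = "TELOIP.NET"
SERVERS = ["ipa01.teloip.net", "ipa02.teloip.net"]

# Constructed ldapsearch output for -b cn=s4u2proxy,cn=etc,dc=teloip,dc=net:
# the replica ipa02 was never added to either delegation entry, so its HTTP
# service cannot obtain ldap/ tickets on the admin's behalf (NOT_ALLOWED_TO_DELEGATE).
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <cn=s4u2proxy,cn=etc,dc=teloip,dc=net> with scope subtree
#

# ipa-http-delegation, s4u2proxy, etc, teloip.net
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
cn: ipa-http-delegation
memberPrincipal: HTTP/ipa01.teloip.net@TELOIP.NET

# ipa-ldap-delegation-targets, s4u2proxy, etc, teloip.net
dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
cn: ipa-ldap-delegation-targets
memberPrincipal: ldap/ipa01.teloip.net@TELOIP.NET
"""

def parse_ldif(text):
    """Parse LDIF into a list of {attr_lower: [values]}: unfolds continuation
    lines, skips '#' comments, decodes '::' base64 values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # folded continuation line
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded + [""]:             # trailing "" flushes last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(dict(current))
            current = None
            continue
        if current is None:
            current = defaultdict(list)
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current[attr.lower()].append(value)
    return entries

def check_s4u2proxy(ldif_text, servers, realm):
    """Map each delegation entry RDN to the memberPrincipal values it lacks.
    Empty dict: every server's HTTP/ principal may delegate to every ldap/.
    An entry absent altogether is reported with all expected values missing."""
    expected = {
        "cn=ipa-http-delegation": {f"HTTP/{h}@{realm}" for h in servers},
        "cn=ipa-ldap-delegation-targets": {f"ldap/{h}@{realm}" for h in servers},
    }
    by_rdn = {}
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [""])[0]
        by_rdn[dn.split(",", 1)[0].lower()] = entry
    missing = {}
    for rdn, wanted in expected.items():
        present = set(by_rdn.get(rdn, {}).get("memberprincipal", []))
        gap = sorted(wanted - present)
        if gap:
            missing[rdn] = gap
    return missing

def repair_ldif(missing, base_dn):
    """Build ldapmodify input that adds the missing values, one modify per
    entry (the same shape as the fix posted in the thread)."""
    chunks = []
    for rdn, principals in sorted(missing.items()):
        lines = [f"dn: {rdn},cn=s4u2proxy,cn=etc,{base_dn}",
                 "changetype: modify", "add: memberPrincipal"]
        lines += [f"memberPrincipal: {p}" for p in principals]
        chunks.append("\n".join(lines))
    return "\n\n".join(chunks) + ("\n" if chunks else "")

if __name__ == "__main__":
    gaps = check_s4u2proxy(SAMPLE_LDIF, SERVERS, REALM)
    if gaps:
        print("missing memberPrincipal values:", gaps)
        print(repair_ldif(gaps, BASE_DN))   # feed to: ldapmodify -Y GSSAPI
    else:
        print("s4u2proxy entries cover all servers")
```

On a live server the LDIF would come from the ldapsearch above and the server list from the masters registered in the directory; the check should report nothing missing on both master and replica.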

Re: [Freeipa-users] KDC returned error string: NOT_ALLOWED_TO_DELEGATE

2016-08-25 Thread Linov Suresh
I ran ldapsearch -Y GSSAPI; what we are seeing is that IPA server 2, ipa02, is
missing on both the master and the replica servers. Do we need to add IPA
server 2, ipa02, on both master and replica?

*[root@ipa01 ~]# ldapsearch -Y GSSAPI -H ldap://ipa01.teloip.net
 -b "cn=s4u2proxy,cn=etc,dc=teloip,dc=net"*
SASL/GSSAPI authentication started
SASL username: ad...@teloip.net
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] KDC returned error string: NOT_ALLOWED_TO_DELEGATE

2016-08-24 Thread Linov Suresh
Looks like our issue is discussed here, and it *is missing one or more
memberPrincipal*.

https://www.redhat.com/archives/freeipa-users/2013-April/msg00228.html

When I tried to add the principal, I got an error:


[root@ipa01 ~]# kadmin.local
Authenticating as principal admin/ad...@teloip.net with password.
kadmin.local:  addprinc -randkey HTTP/ipa02.teloip@teloip.net
WARNING: no policy specified for HTTP/ipa02.teloip@teloip.net;
defaulting to no policy
add_principal: Principal or policy already exists while creating "HTTP/
ipa02.teloip@teloip.net"

[root@ipa01 ~]# kadmin.local
Authenticating as principal admin/ad...@teloip.net with password.
kadmin.local:  addprinc -randkey ldap/ipa02.teloip@teloip.net
WARNING: no policy specified for ldap/ipa02.teloip@teloip.net;
defaulting to no policy
add_principal: Principal or policy already exists while creating "ldap/
ipa02.teloip@teloip.net".

Could you please help us to fix the "*KDC returned error string:
NOT_ALLOWED_TO_DELEGATE*" error?


[root@caer ~]# kadmin.local
Authenticating as principal admin/ad...@teloip.net with password.
kadmin.local:  addprinc -randkey HTTP/neit.teloip@teloip.net
WARNING: no policy specified for HTTP/neit.teloip@teloip.net;
defaulting to no policy
add_principal: Principal or policy already exists while creating "HTTP/
neit.teloip@teloip.net"

On Tue, Aug 16, 2016 at 7:58 AM, Martin Kosek <mko...@redhat.com> wrote:

> On 08/16/2016 09:25 AM, Petr Spacek wrote:
> > On 15.8.2016 20:18, Linov Suresh wrote:
> >> We have IPA replica set up in RHEL 6.4 and is FreeIPA 3.0.0
> >>
> >>
> >> We can only add the clients from IPA Server 01, not from IPA Server 02.
> >> When I tried to add the client from IPA Server 02, getting the error,
> >>
> >>
> >> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI
> Error:
> >> Unspecified GSS failure.  Minor code may provide more information (KDC
> >> returned error string: NOT_ALLOWED_TO_DELEGATE)
> >>
> >> SASL/GSSAPI authentication started
> >>
> >> SASL username: vp...@example.net
> >>
> >> SASL SSF: 56
> >>
> >> SASL data security layer installed.
> >>
> >> ldap_modify: No such object (32)
> >>
> >> additional info: Range Check error
> >>
> >> modifying entry "fqdn=cpe-5061747522f9.example.net
> >> ,cn=computers,cn=accounts,dc=example,dc=net"
> >>
> >>
> >> Could you please help us to fix this?
> >
> > We need to see exact steps you did before we can give you any meaningful
> advice.
> >
> > Please have a look at
> > http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
> >
> > It is a very nice document which describes general bug reporting
> procedure and
> > best practices.
> >
> > We will certainly have a look but we need first see the information :-)
> >
>
> Also, using IPA on RHEL-6.4 is discouraged. This is a really old release
> and
> there are known issues (in cert renewals for example). Using at least
> RHEL-6.8
> or, even better, RHEL-7.2 is preferred and would help you avoid known
> issues
> and deficiencies (and the newer FreeIPA versions are way cooler anyway).
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] KDC returned error string: NOT_ALLOWED_TO_DELEGATE

2016-08-15 Thread Linov Suresh
We have an IPA replica set up on RHEL 6.4 running FreeIPA 3.0.0.


We can only add clients from IPA Server 01, not from IPA Server 02.
When I tried to add a client from IPA Server 02, I got the error:


ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more information (KDC
returned error string: NOT_ALLOWED_TO_DELEGATE)

SASL/GSSAPI authentication started

SASL username: vp...@example.net

SASL SSF: 56

SASL data security layer installed.

ldap_modify: No such object (32)

additional info: Range Check error

modifying entry "fqdn=cpe-5061747522f9.example.net
,cn=computers,cn=accounts,dc=example,dc=net"


Could you please help us to fix this?


Appreciate your help in advance,


Linov Suresh.

[Freeipa-users] KDC returned error string: NOT_ALLOWED_TO_DELEGATE

2016-08-05 Thread Linov Suresh
We have FreeIPA 3.0.0 running on CentOS 6.4 with master ipa01 (configured
with the --setup-ca option) and replica ipa02 (configured without --setup-ca).

We use a script to add ipa clients to the server; when we tried to add new ipa
clients, we got the error:

*ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more information (KDC
returned error string: NOT_ALLOWED_TO_DELEGATE)*

What we have noticed is that memberPrincipal: HTTP/ipa02.teloip@teloip.net is
missing on both master and replica servers.

IPA Master,

[root@ipa01 ~]# ldapsearch -x -b
cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] Could not find cert: Signing-Cert : File not found

2016-07-26 Thread Linov Suresh
I was following the same documentation as for the IPA master to renew the
replica's certificates, but was unsuccessful.

Should we use "How do I manually renew Identity Management (IPA)
certificates after they have expired? (Replica IPA Server)" -
https://access.redhat.com/solutions/962373 ?

On Mon, Jul 25, 2016 at 6:17 PM, Linov Suresh <linov.sur...@gmail.com>
wrote:

> We were not sure that Signing-Cert was required for LDAP/Apache certificates
> renewal. Thank you very much for your update Rob. We are going to renew the
> certificates without Signing-Cert.
>
> On Mon, Jul 25, 2016 at 6:08 PM, Rob Crittenden <rcrit...@redhat.com>
> wrote:
>
>> Linov Suresh wrote:
>>
>>> We are using CentOS 6.4/FreeIPA 3.0.0
>>>
>>> LDAP/Apache certificates were expired and when we tried to renew, we
>>> found Signing-Cert is missing.
>>>
>>> # certutil -L -d /etc/httpd/alias -n Signing-Cert
>>> certutil: Could not find cert: Signing-Cert : File not found
>>>
>>> How do we recreate Signing-Cert certificate? We use master-master
>>> replica. Please help.
>>>
>>>
>>>
>> Only the initial master got a signing cert IIRC. It was used to sign the
>> Firefox configuration jar. Are you using this? Recent versions of Firefox
>> don't allow this kind of signed jar anymore and it has been dropped
>> upstream.
>>
>> Are you just trying to be thorough or is this causing some real problem?
>>
>> rob
>>
>
>

[Freeipa-users] Replica install fails when using --setup-ca

2016-07-26 Thread Linov Suresh
I tried to create a master replica using the option --setup-ca; it failed
because of "Your system may be partly configured."

Please note we use different ipa packages for the master and the replica.

master:
[root@caer ~]# rpm -q ipa-server
ipa-server-3.0.0-26.el6_4.2.x86_64

replica:

[root@neit-lab01 ~]# rpm -q ipa-server
ipa-server-3.0.0-50.el6.1.x86_64

*Is this because ipa-server-3.0.0-50 has the updated feature "Proxy calls to
/ca/ee/ca/profileSubmit to PKI to enable installation of replicas with
Dogtag 10 PKI (#1083878)"?*

If yes, how do we fix it? Your help is appreciated.


[root@neit-lab01 ipa]#* ipa-replica-install --setup-dns --setup-ca
--no-forwarders /var/lib/ipa/replica-info-neit-lab01.teloip.net.gpg*
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'caer.teloip.net':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@teloip.net password:

Execute check on remote master
Check connection from master to remote replica 'neit-lab01.teloip.net':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30
seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
neit-lab01.teloip.net -cs_port 9445 -client_certdb_dir /tmp/tmp-t5u9YQ
-client_certdb_pwd  -preop_pin BAoCQwvMxnG4xLdxOKln -domain_name
IPA -admin_user admin -admin_email root@localhost -admin_password 
-agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
-agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET -ldap_host
neit-lab01.teloip.net -ldap_port 7389 -bind_dn cn=Directory Manager
-bind_password  -base_dn o=ipaca -db_name ipaca -key_size 2048
-key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd
 -subsystem_name pki-cad -token_name internal
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TELOIP.NET
-ca_server_cert_subject_name CN=neit-lab01.teloip.net,O=TELOIP.NET
-ca_audit_signing_cert_subject_name CN=CA Audit,O=TELOIP.NET
-ca_sign_cert_subject_name CN=Certificate Authority,O=TELOIP.NET -external
false -clone true -clone_p12_file ca.p12 -clone_p12_password 
-sd_hostname caer.teloip.net -sd_admin_port 443 -sd_admin_name admin
-sd_admin_password  -clone_start_tls true -clone_uri
https://caer.teloip.net:443' returned non-zero exit status 255

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-26 Thread Linov Suresh
Removed the duplicate certificates and tried to renew the certificates; we
were able to renew them, and "*ca-error: Internal error: no response to
"http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=63=true=true"*."
is gone this time.

Thanks for your help. We have a master replica also, *how do we renew the
replica server*?

On Fri, Jul 22, 2016 at 3:36 PM, Linov Suresh <linov.sur...@gmail.com>
wrote:

> Thank you very much Rob.
> Let me remove the duplicate certificates and try to renew the certificates
> again to see if "*ca-error: Internal error: no response to
> "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=63=true=true"*."
> goes away?
>
>
> On Fri, Jul 22, 2016 at 2:45 PM, Rob Crittenden <rcrit...@redhat.com>
> wrote:
>
>> Linov Suresh wrote:
>>
>>> Could you please verify, if we have set correct trust attributes on the
>>> certificates
>>>
>>> *[root@caer ~]# certutil -d /var/lib/pki-ca/alias/ -L*
>>>
>>> Certificate Nickname                          Trust Attributes
>>>                                               SSL,S/MIME,JAR/XPI
>>>
>>> subsystemCert cert-pki-ca                     u,u,Pu
>>> ocspSigningCert cert-pki-ca                   u,u,u
>>> caSigningCert cert-pki-ca                     CTu,Cu,Cu
>>> subsystemCert cert-pki-ca                     u,u,Pu
>>> Server-Cert cert-pki-ca                       u,u,u
>>> auditSigningCert cert-pki-ca                  u,u,Pu
>>>
>>> *[root@caer ~]# certutil -d /etc/httpd/alias/ -L*
>>>
>>> Certificate Nickname                          Trust Attributes
>>>                                               SSL,S/MIME,JAR/XPI
>>>
>>> ipaCert                                       u,u,u
>>> Server-Cert                                   u,u,u
>>> TELOIP.NET IPA CA                             CT,C,C
>>> ipaCert                                       u,u,u
>>> Signing-Cert                                  u,u,u
>>> Server-Cert                                   u,u,u
>>>
>>> *[root@caer ~]# certutil -d /etc/dirsrv/slapd-TELOIP-NET/ -L*
>>>
>>> Certificate Nickname                          Trust Attributes
>>>                                               SSL,S/MIME,JAR/XPI
>>>
>>> Server-Cert                                   u,u,u
>>> TELOIP.NET IPA CA                             CT,,C
>>> Server-Cert                                   u,u,u
>>> [root@caer ~]#
>>>
>>> *Please note, there are duplicate certificates in CA, HTTP and LDAP
>>> directory, subsystemCert cert-pki-ca, ipaCert  and Server-Cert. I was
>>> wondering if we need to remove these duplicate certificates? *
>>>
>>
>> Yeah you should remove the duplicate certs, they seem to cause problems
>> with dogtag at least (certmonger _should_ handle this automatically, we'll
>> be looking into it soonish).
>>
>> To remove the duplicate cert:
>>
>> 1. Shutdown the service
>> 2. Back up the NSS database
>> 3. certutil -L -d /path/to/db -n  -a > somefile
>> 4. split somefile into separate files so each file has a BEGIN/END
>> certificate
>> 5. openssl x509 -text -in -infile somefile1..n
>> 6. Pick the one with the most recent issuance date
>> 7. You backed up the NSS database, right?
>> 8. certutil -D -d /path/to/db -n 
>> 9. certutil -A -d /path/to/db -n  -t u,u,u -a -i  somefilex
>> 10. Start the service, watch logs for errors
>>
>> For the trust use whatever the original trust value was.
>>
>> You don't need the P trust flag on the subsystemCert in the CA, only the
>> auditSigningCert.
>>
>> I doubt the duplicated Server-Cert will be a problem. NSS is supposed to
>> deal with this automatically, picking the "most correct" cert to use based
>> on the validity period.
>>
>> rob
>>
>>
>>>
>>> On Fri, Jul 22, 2016 at 9:36 AM, Linov Suresh <linov.sur...@gmail.com> wrote:
>>>
>>>   

Re: [Freeipa-users] Could not find cert: Signing-Cert : File not found

2016-07-25 Thread Linov Suresh
We were not sure that Signing-Cert was required for LDAP/Apache certificates
renewal. Thank you very much for your update Rob. We are going to renew the
certificates without Signing-Cert.

On Mon, Jul 25, 2016 at 6:08 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Linov Suresh wrote:
>
>> We are using CentOS 6.4/FreeIPA 3.0.0
>>
>> LDAP/Apache certificates were expired and when we tried to renew, we
>> found Signing-Cert is missing.
>>
>> # certutil -L -d /etc/httpd/alias -n Signing-Cert
>> certutil: Could not find cert: Signing-Cert : File not found
>>
>> How do we recreate Signing-Cert certificate? We use master-master
>> replica. Please help.
>>
>>
>>
> Only the initial master got a signing cert IIRC. It was used to sign the
> Firefox configuration jar. Are you using this? Recent versions of Firefox
> don't allow this kind of signed jar anymore and it has been dropped
> upstream.
>
> Are you just trying to be thorough or is this causing some real problem?
>
> rob
>

[Freeipa-users] Could not find cert: Signing-Cert : File not found

2016-07-25 Thread Linov Suresh
We are using CentOS 6.4/FreeIPA 3.0.0

LDAP/Apache certificates were expired and when we tried to renew, we found
Signing-Cert is missing.

# certutil -L -d /etc/httpd/alias -n Signing-Cert
certutil: Could not find cert: Signing-Cert : File not found

How do we recreate the Signing-Cert certificate? We use a master-master
replica. Please help.

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-22 Thread Linov Suresh
Thank you very much Rob.
Let me remove the duplicate certificates and try to renew the certificates
again to see if "*ca-error: Internal error: no response to
"http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=63=true=true"*."
goes away?


On Fri, Jul 22, 2016 at 2:45 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Linov Suresh wrote:
>
>> Could you please verify, if we have set correct trust attributes on the
>> certificates
>>
>> *[root@caer ~]# certutil -d /var/lib/pki-ca/alias/ -L*
>>
>> Certificate Nickname                          Trust Attributes
>>                                               SSL,S/MIME,JAR/XPI
>>
>> subsystemCert cert-pki-ca                     u,u,Pu
>> ocspSigningCert cert-pki-ca                   u,u,u
>> caSigningCert cert-pki-ca                     CTu,Cu,Cu
>> subsystemCert cert-pki-ca                     u,u,Pu
>> Server-Cert cert-pki-ca                       u,u,u
>> auditSigningCert cert-pki-ca                  u,u,Pu
>>
>> *[root@caer ~]# certutil -d /etc/httpd/alias/ -L*
>>
>> Certificate Nickname                          Trust Attributes
>>                                               SSL,S/MIME,JAR/XPI
>>
>> ipaCert                                       u,u,u
>> Server-Cert                                   u,u,u
>> TELOIP.NET IPA CA                             CT,C,C
>> ipaCert                                       u,u,u
>> Signing-Cert                                  u,u,u
>> Server-Cert                                   u,u,u
>>
>> *[root@caer ~]# certutil -d /etc/dirsrv/slapd-TELOIP-NET/ -L*
>>
>> Certificate Nickname                          Trust Attributes
>>                                               SSL,S/MIME,JAR/XPI
>>
>> Server-Cert                                   u,u,u
>> TELOIP.NET IPA CA                             CT,,C
>> Server-Cert                                   u,u,u
>> [root@caer ~]#
>>
>> *Please note, there are duplicate certificates in CA, HTTP and LDAP
>> directory, subsystemCert cert-pki-ca, ipaCert  and Server-Cert. I was
>> wondering if we need to remove these duplicate certificates? *
>>
>
> Yeah you should remove the duplicate certs, they seem to cause problems
> with dogtag at least (certmonger _should_ handle this automatically, we'll
> be looking into it soonish).
>
> To remove the duplicate cert:
>
> 1. Shutdown the service
> 2. Back up the NSS database
> 3. certutil -L -d /path/to/db -n  -a > somefile
> 4. split somefile into separate files so each file has a BEGIN/END
> certificate
> 5. openssl x509 -text -in -infile somefile1..n
> 6. Pick the one with the most recent issuance date
> 7. You backed up the NSS database, right?
> 8. certutil -D -d /path/to/db -n 
> 9. certutil -A -d /path/to/db -n  -t u,u,u -a -i  somefilex
> 10. Start the service, watch logs for errors
>
> For the trust use whatever the original trust value was.
>
> You don't need the P trust flag on the subsystemCert in the CA, only the
> auditSigningCert.
>
> I doubt the duplicated Server-Cert will be a problem. NSS is supposed to
> deal with this automatically, picking the "most correct" cert to use based
> on the validity period.
>
> rob
>
>
>>
>> On Fri, Jul 22, 2016 at 9:36 AM, Linov Suresh <linov.sur...@gmail.com> wrote:
>>
>> I'm facing another issue now, my kerberos tickets are not renewing,
>>
>> *[root@caer ~]# ipa cert-show 1*
>> ipa: ERROR: Ticket expired
>>
>> *[root@caer ~]# klist*
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: ad...@teloip.net
>>
>> Valid starting     Expires            Service principal
>> 07/20/16 14:42:26  07/21/16 14:42:22  krbtgt/teloip@teloip.net
>> 07/20/16 14:42:36  07/21/16 14:42:22  HTTP/caer.teloip@teloip.net
>> 07/21/16 11:40:15  07/21/16 14:42:22  ldap/caer.teloip@teloip.net
>>
>> I need to manually renew the tickets every day,
>>
>> *[root@caer ~]# kinit admin*
>> Password for ad..

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-22 Thread Linov Suresh
I agree with you Jakub, I will start a separate thread for separate issues.


On Fri, Jul 22, 2016 at 10:31 AM, Jakub Hrozek <jhro...@redhat.com> wrote:

> On Fri, Jul 22, 2016 at 09:36:27AM -0400, Linov Suresh wrote:
> > I'm facing another issue now, my kerberos tickets are not renewing,
>
> In general I think it's better to start separate threads about separate
> issues. That way people who only scan the subject lines can see if this
> thread is something they can help with :)
>
> >
> > *[root@caer ~]# ipa cert-show 1*
> > ipa: ERROR: Ticket expired
> >
> > *[root@caer ~]# klist*
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: ad...@teloip.net
> >
> > Valid starting     Expires            Service principal
> > 07/20/16 14:42:26  07/21/16 14:42:22  krbtgt/teloip@teloip.net
> > 07/20/16 14:42:36  07/21/16 14:42:22  HTTP/caer.teloip@teloip.net
> > 07/21/16 11:40:15  07/21/16 14:42:22  ldap/caer.teloip@teloip.net
> >
> > I need to manually renew the tickets every day,
> >
> > *[root@caer ~]# kinit admin*
> > Password for ad...@teloip.net:
> > Warning: Your password will expire in 6 days on Thu Jul 28 15:20:15 2016
> >
> > *[root@caer ~]# klist *
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: ad...@teloip.net
> >
> > Valid starting     Expires            Service principal
> > 07/22/16 09:34:52  07/23/16 09:34:49  krbtgt/teloip@teloip.net
>
> The first thing to keep in mind is that SSSD only renews tickets it
> 'knows about', so tickets that were acquired through SSSD, not directly
> with kinit.
>
> For options about renewing SSSD-acquired tickets, see man sssd-krb5 and
> search for renew.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-22 Thread Linov Suresh
Could you please verify if we have set the correct trust attributes on the
certificates?

*[root@caer ~]# certutil -d /var/lib/pki-ca/alias/ -L*

Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

subsystemCert cert-pki-ca                     u,u,Pu
ocspSigningCert cert-pki-ca                   u,u,u
caSigningCert cert-pki-ca                     CTu,Cu,Cu
subsystemCert cert-pki-ca                     u,u,Pu
Server-Cert cert-pki-ca                       u,u,u
auditSigningCert cert-pki-ca                  u,u,Pu

*[root@caer ~]# certutil -d /etc/httpd/alias/ -L*

Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

ipaCert                                       u,u,u
Server-Cert                                   u,u,u
TELOIP.NET IPA CA                             CT,C,C
ipaCert                                       u,u,u
Signing-Cert                                  u,u,u
Server-Cert                                   u,u,u

*[root@caer ~]# certutil -d /etc/dirsrv/slapd-TELOIP-NET/ -L*

Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

Server-Cert                                   u,u,u
TELOIP.NET IPA CA                             CT,,C
Server-Cert                                   u,u,u
[root@caer ~]#

*Please note, there are duplicate certificates in the CA, HTTP and LDAP
directories: subsystemCert cert-pki-ca, ipaCert and Server-Cert. I was
wondering if we need to remove these duplicate certificates?*


On Fri, Jul 22, 2016 at 9:36 AM, Linov Suresh <linov.sur...@gmail.com>
wrote:

> I'm facing another issue now, my kerberos tickets are not renewing,
>
> *[root@caer ~]# ipa cert-show 1*
> ipa: ERROR: Ticket expired
>
> *[root@caer ~]# klist*
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ad...@teloip.net
>
> Valid starting     Expires            Service principal
> 07/20/16 14:42:26  07/21/16 14:42:22  krbtgt/teloip@teloip.net
> 07/20/16 14:42:36  07/21/16 14:42:22  HTTP/caer.teloip@teloip.net
> 07/21/16 11:40:15  07/21/16 14:42:22  ldap/caer.teloip@teloip.net
>
> I need to manually renew the tickets every day,
>
> *[root@caer ~]# kinit admin*
> Password for ad...@teloip.net:
> Warning: Your password will expire in 6 days on Thu Jul 28 15:20:15 2016
>
> *[root@caer ~]# klist *
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ad...@teloip.net
>
> Valid starting     Expires            Service principal
> 07/22/16 09:34:52  07/23/16 09:34:49  krbtgt/teloip@teloip.net
>
>
> On Thu, Jul 21, 2016 at 12:23 PM, Rob Crittenden <rcrit...@redhat.com>
> wrote:
>
>> Linov Suresh wrote:
>>
>>> The httpd_error log doesn't contain the part where `ipa cert-show 1` was
>>> run. If it is from the same time.
>>>
>>> *I am not sure about that, please see httpd_error when `ipa cert-show 1`
>>> was run*
>>>
>>
>> The IPA API log isn't going to show much in this case.
>>
>> Requests to the CA are proxied through IPA. The CA WAR is not running on
>> tomcat so when Apache tries to proxy the request tomcat returns a 404, Not
>> Found.
>>
>> You need to start with the dogtag debug and selftest logs to see what is
>> going on. The logs are pretty verbose and can be challenging to read.
>>
>> rob
>>
>>
>>> [root@caer ~]# *tail -f /var/log/httpd/error_log*
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI
>>> wsgi_dispatch.__call__:
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI
>>> xmlserver_session.__call__:
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session cookie_id =
>>> bc2c7ed0eccd840dc266efaf9ece913c
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session data in
>>> cache with id=bc2c7ed0eccd840dc266efaf9ece913c
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:
>>> xmlserver_session.__call__: session_id=bc2c7ed0eccd840dc266efaf9ece913c
>>> start_timestamp=2016-07-21T11:58:54 access_timestamp=2016-07-21T12:01:21
>>> expiration_timestamp=2016-07-21T12:18:54
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: storing ccache data into
>>> file "/var/run/ipa_memcached/krbcc_13554"
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: get_credential_times:
>>> principal=HTTP/caer.teloip@teloip.net, authtime=07/21/16 10:31:46,
>>> starttime=07/21/16 10:43:26, end

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-22 Thread Linov Suresh
I'm facing another issue now, my kerberos tickets are not renewing,

*[root@caer ~]# ipa cert-show 1*
ipa: ERROR: Ticket expired

*[root@caer ~]# klist*
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@teloip.net

Valid starting     Expires            Service principal
07/20/16 14:42:26  07/21/16 14:42:22  krbtgt/teloip@teloip.net
07/20/16 14:42:36  07/21/16 14:42:22  HTTP/caer.teloip@teloip.net
07/21/16 11:40:15  07/21/16 14:42:22  ldap/caer.teloip@teloip.net

I need to manually renew the tickets every day,

*[root@caer ~]# kinit admin*
Password for ad...@teloip.net:
Warning: Your password will expire in 6 days on Thu Jul 28 15:20:15 2016

*[root@caer ~]# klist *
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@teloip.net

Valid starting     Expires            Service principal
07/22/16 09:34:52  07/23/16 09:34:49  krbtgt/teloip@teloip.net


On Thu, Jul 21, 2016 at 12:23 PM, Rob Crittenden <rcrit...@redhat.com>
wrote:

> Linov Suresh wrote:
>
>> The httpd_error log doesn't contain the part where `ipa cert-show 1` was
>> run. If it is from the same time.
>>
>> *I am not sure about that, please see httpd_error when `ipa cert-show 1`
>> was run*
>>
>
> The IPA API log isn't going to show much in this case.
>
> Requests to the CA are proxied through IPA. The CA WAR is not running on
> tomcat so when Apache tries to proxy the request tomcat returns a 404, Not
> Found.
>
> You need to start with the dogtag debug and selftest logs to see what is
> going on. The logs are pretty verbose and can be challenging to read.
>
> rob
>
>
>> [root@caer ~]# *tail -f /var/log/httpd/error_log*
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI
>> wsgi_dispatch.__call__:
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI
>> xmlserver_session.__call__:
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session cookie_id =
>> bc2c7ed0eccd840dc266efaf9ece913c
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session data in
>> cache with id=bc2c7ed0eccd840dc266efaf9ece913c
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:
>> xmlserver_session.__call__: session_id=bc2c7ed0eccd840dc266efaf9ece913c
>> start_timestamp=2016-07-21T11:58:54 access_timestamp=2016-07-21T12:01:21
>> expiration_timestamp=2016-07-21T12:18:54
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: storing ccache data into
>> file "/var/run/ipa_memcached/krbcc_13554"
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: get_credential_times:
>> principal=HTTP/caer.teloip@teloip.net, authtime=07/21/16 10:31:46,
>> starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44,
>> renew_till=12/31/69 19:00:00
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: get_credential_times:
>> principal=HTTP/caer.teloip@teloip.net, authtime=07/21/16 10:31:46,
>> starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44,
>> renew_till=12/31/69 19:00:00
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: KRB5_CCache
>> FILE:/var/run/ipa_memcached/krbcc_13554 endtime=1469197904 (07/22/16
>> 10:31:44)
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:
>> set_session_expiration_time: duration_type=inactivity_timeout
>> duration=1200 max_age=1469197604 expiration=1469118081.77
>> (2016-07-21T12:21:21)
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI xmlserver.__call__:
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Created connection
>> context.ldap2
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI
>> WSGIExecutioner.__call__:
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: raw: cert_show(u'1')
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert_show(u'1')
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: IPA: virtual verify
>> retrieve certificate
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:
>> ipaserver.plugins.dogtag.ra.get_certificate()
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: https_request
>> 'https://caer.teloip.net:443/ca/agent/ca/displayBySerial'
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: https_request post
>> 'xml=true=1'
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: NSSConnection init
>> caer.teloip.net
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Connecting: 10.20.0.75:0
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:
>> auth_certificate_callback: check_sig=True is_server=False
>> *.*
>> *.*
>> *.*
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: approved_usage =
>> SSLServer intend

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-21 Thread Linov Suresh
ter (certStatus=REVOKED)
[21/Jul/2016:11:58:29][CertStatusUpdateThread]:
getRevokedCertificatesByNotAfterDate: about to call findCertRecordsInList
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In
LdapBoundConnFactory::getConn()
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn is connected:
true
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn is connected
true
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: mNumConns now 1
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In
findCertRecordsInListRawJumpto with Jumpto 20160721115829Z
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: In DBVirtualList filter
attrs startFrom sortKey pageSize filter: (certStatus=REVOKED) attrs:
[objectclass, certRevokedOn, certRecordId, certRevoInfo, notAfter,
x509cert] pageSize -200 startFrom 20160721115829Z
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 2
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn: mNumConns now 3
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries returning 0
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting Virtual List size: 0
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: index may be empty
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: updateCertStatus done
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting cert checkRanges
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial numbers left in
range: 268369849
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Last Serial Number: 71
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial Numbers available:
268369849
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: cert checkRanges done
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting request checkRanges
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial numbers left in
range: 9989888
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Last Serial Number: 112
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial Numbers available:
9989888
[21/Jul/2016:11:58:29][CertStatusUpdateThread]: request checkRanges done
[21/Jul/2016:12:03:28][Timer-0]: CMSEngine: getPasswordStore(): password
store initialized before.
[21/Jul/2016:12:03:28][Timer-0]: CMSEngine: getPasswordStore(): password
store initialized.

On Thu, Jul 21, 2016 at 11:46 AM, Petr Vobornik <pvobo...@redhat.com> wrote:

> On 07/21/2016 05:14 PM, Linov Suresh wrote:
> > I set debug=true in /etc/ipa/default.conf
> >
> > Here are my logs,
>
> The httpd_error log doesn't contain the part where `ipa cert-show 1` was
> run, if it is from the same time. Does `ipa cert-show` communicate with
> the same replica? It could be verified with `ipa -vv cert-show`.
>
> But more interesting is:
>
> SelfTestSubsystem: The CRITICAL self test plugin called
> selftests.container.instance.SystemCertsVerification running at startup
> FAILED!
>
> Are you sure that the CA is running?
>   # ipactl status
>
> This looks like the self test failed and therefore the CA shouldn't start.
> It also says that one of the CA certs is not valid. Which one might be
> seen in /var/log/pki-ca/debug, but a bigger chunk would be needed.
>
> >
> > *[root@caer ~]# tail -f /var/log/httpd/error_log*
> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: WSGI
> WSGIExecutioner.__call__:
> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: raw: user_show(u'admin',
> > rights=False, all=False, raw=False, version=u'2.46')
> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: user_show(u'admin',
> rights=False,
> > all=False, raw=False, version=u'2.46')
> > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: get_memberof:
> > entry_dn=uid=admin,cn=users,cn=accounts,dc=teloip,dc=net
> >
> memberof=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=teloip,dc=net'),
> > ipapython.dn.DN('cn=replication
> > administrators,cn=privileges,cn=pbac,dc=teloip,dc=net'),
> ipapython.dn.DN('cn=add
> > replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'),
> > ipapython.dn.DN('cn=modify replication
> > agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'),
> ipapython.dn.DN('cn=remove
> > replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'),
> > ipapython.dn.DN('cn=unlock user
> > accounts,cn=permissions,cn=pbac,dc=teloip,dc=net'),
> ipapython.dn.DN('cn=manage
> > service keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'),
> > ipapython.dn.DN('cn=trust
> admins,cn=groups,cn=accounts,dc=teloip,dc=net'),
> > ipapython.dn.DN('cn=host
> enrollment,cn=privileges,cn=pbac,dc=teloip,dc=net'),
> > ipapython.dn.DN('cn=manage host
> > keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'),
> ipapython.dn.DN('cn=enroll a
> > host,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add
> host
> > password,cn=permissions,cn=pbac,dc=telo

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-20 Thread Linov Suresh
I have restarted pki-cad and checked whether communication with the CA is
working, but no luck.

The debug logs in /var/log/pki-ca do not have anything unusual. Can you
think of anything other than this?

[root@caer ~]# ipa cert-show 1
  Certificate:
  Subject: CN=Certificate Authority,O=TELOIP.NET
  Issuer: CN=Certificate Authority,O=TELOIP.NET
  Not Before: Wed Dec 14 22:29:56 2011 UTC
  Not After: Sat Dec 14 22:29:56 2019 UTC
  Fingerprint (MD5): c9:27:1d:84:4c:2c:97:38:a4:7b:9a:c0:78:3e:7f:7a
  Fingerprint (SHA1): ce:d7:11:84:70:dd:cb:4e:e2:08:f5:c0:ac:ff:b3:c5:bb:81:77:7e
  Serial number (hex): 0x1
  Serial number: 1
[root@caer ~]#


*ca-error: Internal error: no response to
"http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=63=true=true".*

On Wed, Jul 20, 2016 at 2:22 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Linov Suresh wrote:
>
>> Thanks for your help Rob, I will create a separate thread for the IPA
>> replication issue. But we are still getting
>>
>> *ca-error: Internal error: no response to
>> "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=60=true=true".*
>>
>> Could you please help us to fix this?
>>
>
> I think your CA isn't quite fixed yet. I'd restart pki-cad then do
> something like: ipa cert-show 1
>
> You should get back a cert (doesn't really matter what cert).
>
> Otherwise I'd check the CA debug log somewhere in /var/log/pki
>
> rob
>
>
>>
>> On Wed, Jul 20, 2016 at 10:08 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>
>> Glad you got the certificates successfully renewed.
>>
>> Can you open a new e-mail thread on this new problem so we can keep
>> the issues separated?
>>
>> IPA gets little information back when dogtag fails to install. You
>> need to look in /var/log//debug for more information. The
>> exact location depends on the version of IPA.
>>
>> rob
>>
>> Linov Suresh wrote:
>>
>> Great! That worked, and I successfully renewed the certificates on
>> the IPA server. I was trying to create an IPA replica server and got
>> an error:
>>
>> [root@neit-lab ~]# ipa-replica-install
>> --setup-ca --setup-dns --no-forwarders --skip-conncheck
>> /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg
>> Directory Manager (existing master) password:
>> Configuring NTP daemon (ntpd)
>>   [1/4]: stopping ntpd
>>   [2/4]: writing configuration
>>   [3/4]: configuring ntpd to start on boot
>>   [4/4]: starting ntpd
>> Done configuring NTP daemon (ntpd).
>> Configuring directory server for the CA (pkids): Estimated time 30 seconds
>>   [1/3]: creating directory server user
>>   [2/3]: creating directory server instance
>>   [3/3]: restarting directory server
>> Done configuring directory server for the CA (pkids).
>> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>>   [1/17]: creating certificate server user
>>   [2/17]: creating pki-ca instance
>>   [3/17]: configuring certificate server instance
>> ipa : CRIT

[Freeipa-users] IPA Replication failed: Your system may be partly configured. Run ipa-server-install --uninstall to clean up. Configuration of CA failed

2016-07-20 Thread Linov Suresh
I was trying to replicate our IPA server, which is running on CentOS 6.4 and
FreeIPA 3.0, and I got an error:

*Your system may be partly configured.*
*Run /usr/sbin/ipa-server-install --uninstall to clean up.*

*Configuration of CA failed*

I ran /usr/sbin/ipa-server-install --uninstall a couple of times before
installing the replica, but was unsuccessful in creating the replica
server:

[root@neit-lab ~]# *ipa-replica-install --setup-ca --setup-dns
--no-forwarders --skip-conncheck
/var/lib/ipa/replica-info-neit-lab.teloip.net.gpg*
Directory Manager (existing master) password:

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30
seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
neit-lab.teloip.net -cs_port 9445 -client_certdb_dir /tmp/tmp-QAXI9A
-client_certdb_pwd  -preop_pin UpMxkDYjV90WLL041tDU -domain_name
IPA -admin_user admin -admin_email root@localhost -admin_password 
-agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
-agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET 
 -ldap_host neit-lab.teloip.net -ldap_port 7389 -bind_dn cn=Directory
Manager -bind_password  -base_dn o=ipaca -db_name ipaca -key_size
2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd
 -subsystem_name pki-cad -token_name internal
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET
 -ca_subsystem_cert_subject_name CN=CA Subsystem,O=
TELOIP.NET  -ca_ocsp_cert_subject_name CN=OCSP
Subsystem,O=TELOIP.NET  -ca_server_cert_subject_name CN=
neit-lab.teloip.net,O=TELOIP.NET 
-ca_audit_signing_cert_subject_name
CN=CA Audit,O=TELOIP.NET  -ca_sign_cert_subject_name
CN=Certificate Authority,O=TELOIP.NET  -external false
-clone true -clone_p12_file ca.p12 -clone_p12_password 
-sd_hostname caer.teloip.net -sd_admin_port 443 -sd_admin_name admin
-sd_admin_password  -clone_start_tls true -clone_uri
https://caer.teloip.net:443 ' returned non-zero
exit status 255

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed
[root@neit-lab ~]#

Could you please help me?
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-20 Thread Linov Suresh
Thanks for your help Rob, I will create a separate thread for the IPA
replication issue. But we are still getting

*ca-error: Internal error: no response to
"http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=60=true=true".*

Could you please help us to fix this?


On Wed, Jul 20, 2016 at 10:08 AM, Rob Crittenden <rcrit...@redhat.com>
wrote:

> Glad you got the certificates successfully renewed.
>
> Can you open a new e-mail thread on this new problem so we can keep the
> issues separated?
>
> IPA gets little information back when dogtag fails to install. You need to
> look in /var/log//debug for more information. The exact location
> depends on the version of IPA.
>
> rob
>
> Linov Suresh wrote:
>
>> Great! That worked, and I successfully renewed the certificates on
>> the IPA server. I was trying to create an IPA replica server and got
>> an error:
>>
>> [root@neit-lab ~]# ipa-replica-install --setup-ca --setup-dns
>> --no-forwarders --skip-conncheck
>> /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg
>> Directory Manager (existing master) password:
>> Configuring NTP daemon (ntpd)
>>   [1/4]: stopping ntpd
>>   [2/4]: writing configuration
>>   [3/4]: configuring ntpd to start on boot
>>   [4/4]: starting ntpd
>> Done configuring NTP daemon (ntpd).
>> Configuring directory server for the CA (pkids): Estimated time 30 seconds
>>   [1/3]: creating directory server user
>>   [2/3]: creating directory server instance
>>   [3/3]: restarting directory server
>> Done configuring directory server for the CA (pkids).
>> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>>   [1/17]: creating certificate server user
>>   [2/17]: creating pki-ca instance
>>   [3/17]: configuring certificate server instance
>> ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl
>> /usr/bin/pkisilent ConfigureCA -cs_hostname neit-lab.teloip.net -cs_port
>> 9445 -client_certdb_dir /tmp/tmp-QAXI9A -client_certdb_pwd  -preop_pin
>> UpMxkDYjV90WLL041tDU -domain_name IPA -admin_user admin -admin_email
>> root@localhost -admin_password  -agent_name ipa-ca-agent -agent_key_size
>> 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET
>> -ldap_host neit-lab.teloip.net -ldap_port 7389 -bind_dn cn=Directory
>> Manager -bind_password  -base_dn o=ipaca -db_name ipaca -key_size 2048
>> -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 
>> -subsystem_name pki-cad -token_name internal
>> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET
>> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET
>> -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TELOIP.NET
>> -ca_server_cert_subject_name CN=neit-lab.teloip.net,O=TELOIP.NET
>> -ca_audit_signing_cert_subject_name CN=CA Audit,O=TELOIP.NET
>> -ca_sign_cert_subject_name CN=Certificate Authority,O=TELOIP.NET
>> -external false -clone true -clone_p12_file ca.p12 -clone_p12_password 
>> -sd_hostname caer.teloip.net -sd_admin_port 443 -sd_admin_name admin
>> -sd_admin_password  -clone_start_tls true -clone_uri
>> https://caer.teloip.net:443' returned non-zero exit status 255
>>
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> Configuration of CA failed
>> [root@neit-lab ~]#
>>
>> I did a cleanup using /usr/sbin/ipa-server-install --uninstall but it
>> wasn't helpful. Wondering if you can help us with this,
>>
>>
>>
>> On Tue, Jul 19, 2016 at 10:50 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>
>> Linov Suresh wrote:
>>
>> I have followed Redhat official documentation,
>> https://access.redhat.com/solutions/643753 for certificate
>> renewal,
>> which says *add: usercertificate. (step 12)*
>> *
>> *
>> While on the other hand FreeIPA official documentaion
>> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal , say to
>> *add:

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-19 Thread Linov Suresh
Great! That worked, and I successfully renewed the certificates on the IPA
server. I was trying to create an IPA replica server and got an error:

[root@neit-lab ~]# ipa-replica-install --setup-ca --setup-dns
--no-forwarders --skip-conncheck
/var/lib/ipa/replica-info-neit-lab.teloip.net.gpg
Directory Manager (existing master) password:
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl
/usr/bin/pkisilent ConfigureCA -cs_hostname neit-lab.teloip.net -cs_port
9445 -client_certdb_dir /tmp/tmp-QAXI9A -client_certdb_pwd 
-preop_pin UpMxkDYjV90WLL041tDU -domain_name IPA -admin_user admin
-admin_email root@localhost -admin_password  -agent_name
ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject
CN=ipa-ca-agent,O=TELOIP.NET -ldap_host neit-lab.teloip.net -ldap_port 7389
-bind_dn cn=Directory Manager -bind_password  -base_dn o=ipaca
-db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA
-save_p12 true -backup_pwd  -subsystem_name pki-cad -token_name
internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TELOIP.NET
-ca_server_cert_subject_name CN=neit-lab.teloip.net,O=TELOIP.NET
-ca_audit_signing_cert_subject_name CN=CA Audit,O=TELOIP.NET
-ca_sign_cert_subject_name CN=Certificate Authority,O=TELOIP.NET -external
false -clone true -clone_p12_file ca.p12 -clone_p12_password 
-sd_hostname caer.teloip.net -sd_admin_port 443 -sd_admin_name admin
-sd_admin_password  -clone_start_tls true -clone_uri
https://caer.teloip.net:443' returned non-zero exit status 255

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed
[root@neit-lab ~]#

I did a cleanup using /usr/sbin/ipa-server-install --uninstall but it
wasn't helpful. Wondering if you can help us with this,

On Tue, Jul 19, 2016 at 10:50 AM, Rob Crittenden <rcrit...@redhat.com>
wrote:

> Linov Suresh wrote:
>
>> I have followed the Red Hat official documentation,
>> https://access.redhat.com/solutions/643753 for certificate renewal,
>> which says *add: usercertificate* (step 12).
>>
>> While on the other hand the FreeIPA official documentation
>> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal says to *add:
>> usercertificate;binary*
>>
>> Just wondering if we need to *add* the certificate, or *replace* the
>> existing certificate, and which format do we need to use? *pem* or *der*.
>>
>> We already successfully renewed the certificates about months back, but
>> they expired about 6 months back and we were not able to renew till
>> now, and it is affecting our production environment.
>>
>> Please help us.
>>
>>
>
> You shouldn't have to mess with these values at all. In 3.0 this is
> handled somewhat automatically.
>
> I'd restart the CA, then certmonger and see if the communication error
> goes away for the CA subservice certificates (the internal error).
>
> # service pki-cad restart
> 
> # service certmonger restart
>
> I find it very strange that the certificates were set to expire yesterday
> but it isn't a show-stopper necessarily assuming you can get the CA back up.
>
> Assuming you can, then go back in time again, this time just a few days
> and try renewing the LDAP and Apache server certs again.
>
> rob
>
>
>> On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh <linov.sur...@gmail.com> wrote:
>>
>> We have cloned and created another virtual server from the template.
>> Surprisingly, this server's certificates also expired at the same
>> time as the previous one's; they just lasted for a day.
>> Does this issue have something to do with the Kerberos tickets?
>>
>> I am new to IPA and your help is highly appreciated.
>>
>> On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh <linov.sur...@gmail.com> wrote:
>>
>> *Update: my webserver and LDAP certificates were expired at
>>

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-19 Thread Linov Suresh
I have followed the Red Hat official documentation,
https://access.redhat.com/solutions/643753 for certificate renewal, which
says *add: usercertificate* (step 12).

While on the other hand the FreeIPA official documentation
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal says to *add:
usercertificate;binary*

Just wondering if we need to *add* the certificate, or *replace* the
existing certificate, and which format do we need to use? *pem* or *der*.

We already successfully renewed the certificates about months back, but
they expired about 6 months back and we were not able to renew till
now, and it is affecting our production environment.

Please help us.

On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh <linov.sur...@gmail.com>
wrote:

> We have cloned and created another virtual server from the template.
> Surprisingly, this server's certificates also expired at the same time as
> the previous one's; they just lasted for a day.
> Does this issue have something to do with the Kerberos tickets?
>
> I am new to IPA and your help is highly appreciated.
>
> On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh <linov.sur...@gmail.com>
> wrote:
>
>> *Update: my webserver and LDAP certificates were expired at 2016-07-18
>> 15:54:36 UTC and the certificates are in CA_UNREACHABLE state.*
>>
>>
>> *Could you please help us? *
>>
>> [root@caer tmp]# getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20111214223243':
>> status: CA_UNREACHABLE
>> ca-error: Server failed request, will retry: -504 (libcurl failed
>> to execute the HTTP POST transaction.  Peer certificate cannot be
>> authenticated with known CA certificates).
>> stuck: yes
>> key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=TELOIP.NET
>> subject: CN=caer.teloip.net,O=TELOIP.NET
>> *expires: 2016-07-18 15:54:36 UTC*
>> eku: id-kp-serverAuth
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>> Request ID '20111214223300':
>> status: CA_UNREACHABLE
>> ca-error: Server failed request, will retry: -504 (libcurl failed
>> to execute the HTTP POST transaction.  Peer certificate cannot be
>> authenticated with known CA certificates).
>> stuck: yes
>> key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=TELOIP.NET
>> subject: CN=caer.teloip.net,O=TELOIP.NET
>> *expires: 2016-07-18 15:54:52 UTC*
>> eku: id-kp-serverAuth
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>> Request ID '20111214223316':
>> status: CA_UNREACHABLE
>> ca-error: Server failed request, will retry: -504 (libcurl failed
>> to execute the HTTP POST transaction.  Peer certificate cannot be
>> authenticated with known CA certificates).
>> stuck: yes
>> key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=TELOIP.NET
>> subject: CN=caer.teloip.net,O=TELOIP.NET
>> *expires: 2016-07-18 15:55:04 UTC*
>> eku: id-kp-serverAuth
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>> Request ID '20130519130741':
>> status: MONITORING
>> ca-error: Internal error: no response to "
>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=61=true=true
>> ".
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>> cert-pki-ca',token

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-19 Thread Linov Suresh
We have cloned and created another virtual server from the template.
Surprisingly, this server's certificates also expired at the same time as
the previous one's; they just lasted for a day.
Does this issue have something to do with the Kerberos tickets?

I am new to IPA and your help is highly appreciated.

On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh <linov.sur...@gmail.com>
wrote:

> *Update: my webserver and LDAP certificates were expired at 2016-07-18
> 15:54:36 UTC and the certificates are in CA_UNREACHABLE state.*
>
>
> *Could you please help us? *
>
> [root@caer tmp]# getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20111214223243':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: -504 (libcurl failed
> to execute the HTTP POST transaction.  Peer certificate cannot be
> authenticated with known CA certificates).
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=TELOIP.NET
> subject: CN=caer.teloip.net,O=TELOIP.NET
> *expires: 2016-07-18 15:54:36 UTC*
> eku: id-kp-serverAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20111214223300':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: -504 (libcurl failed
> to execute the HTTP POST transaction.  Peer certificate cannot be
> authenticated with known CA certificates).
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=TELOIP.NET
> subject: CN=caer.teloip.net,O=TELOIP.NET
> *expires: 2016-07-18 15:54:52 UTC*
> eku: id-kp-serverAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20111214223316':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: -504 (libcurl failed
> to execute the HTTP POST transaction.  Peer certificate cannot be
> authenticated with known CA certificates).
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=TELOIP.NET
> subject: CN=caer.teloip.net,O=TELOIP.NET
> *expires: 2016-07-18 15:55:04 UTC*
> eku: id-kp-serverAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20130519130741':
> status: MONITORING
> ca-error: Internal error: no response to "
> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=61=true=true
> ".
> stuck: no
> key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=TELOIP.NET
> subject: CN=CA Audit,O=TELOIP.NET
> expires: 2017-10-13 14:10:49 UTC
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20130519130742':
> status: MONITORING
> ca-error: Internal error: no response to "
> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=60=true=true
> ".
> stuck: no
> key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> certificate:
> type=NSSDB,location='/var/lib/pki-ca/al
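The `getcert list` output quoted in this thread is what has to be read by hand to see which tracking requests are expired, stuck in CA_UNREACHABLE, or still MONITORING but carrying a failed renewal attempt in ca-error. The following is an added example (not code from the thread, FreeIPA or certmonger) that parses that format, re-joins ca-error text wrapped across lines the way it is in mail, and flags those conditions; the SAMPLE in it is constructed with placeholder hostnames, dates and request IDs.

```python
"""Triage `getcert list` output: flag requests that need attention.

Added example, not code from this thread or from FreeIPA/certmonger. SAMPLE
mirrors the format pasted in the thread (certmonger on FreeIPA 3.0); the
hostnames, dates and request IDs in it are constructed, not the thread's.
"""
import re
from datetime import datetime, timedelta, timezone

SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20111214223316':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: -504 (libcurl failed
to execute the HTTP POST transaction.  Peer certificate cannot be
authenticated with known CA certificates).
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2016-07-18 15:55:04 UTC
\tauto-renew: yes
Request ID '20130519130741':
\tstatus: MONITORING
\tca-error: Internal error: no response to "http://ipa.example.test:9180/ca/ee/ca/profileSubmit".
\tstuck: no
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=CA Audit,O=EXAMPLE.TEST
\texpires: 2017-10-13 14:10:49 UTC
\tpost-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
Request ID '20130519130745':
\tstatus: MONITORING
\tstuck: no
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2016-08-10 09:00:00 UTC
"""

ENTRY_RE = re.compile(r"^Request ID '(?P<id>[^']+)':\s*$")
KEYS = ("status", "ca-error", "stuck", "key pair storage", "certificate",
        "CA", "issuer", "subject", "expires", "eku", "pre-save command",
        "post-save command", "track", "auto-renew")
FIELD_RE = re.compile(r"^\s*(?P<key>%s):\s?(?P<value>.*)$"
                      % "|".join(re.escape(k) for k in KEYS))

def parse_getcert(text):
    """One dict per tracked request, keyed by getcert field names; a line
    that is neither a 'Request ID' header nor a known field continues the
    previous field (this is how wrapped ca-error text appears in mail)."""
    entries, last_key = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"id": m.group("id")})
            last_key = None
        elif not entries:
            continue  # preamble such as "Number of certificates ..."
        elif (m := FIELD_RE.match(line)):
            last_key = m.group("key")
            entries[-1][last_key] = m.group("value").strip()
        elif last_key and line.strip():
            entries[-1][last_key] += " " + line.strip()
    return entries

def parse_expiry(value):
    """getcert's 'YYYY-MM-DD HH:MM:SS UTC' as an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)

def find_problems(entries, now, warn_days=28):
    """Map request ID -> findings; healthy requests are left out.
    Covers what the thread shows: serving certs expired and stuck in
    CA_UNREACHABLE, and CA subsystem certs still MONITORING but with a
    failed renewal attempt recorded in ca-error."""
    findings = {}
    for e in entries:
        found = []
        status = e.get("status", "")
        if status != "MONITORING":
            found.append("status " + (status or "unknown"))
        if e.get("stuck") == "yes":
            found.append("renewal stuck")
        if e.get("ca-error"):
            found.append("last CA request failed: " + e["ca-error"][:50])
        if e.get("expires"):
            expiry = parse_expiry(e["expires"])
            if expiry <= now:
                found.append("expired " + e["expires"])
            elif expiry - now <= timedelta(days=warn_days):
                found.append("expires in %d days" % (expiry - now).days)
        if found:
            findings[e["id"]] = found
    return findings

if __name__ == "__main__":
    now = parse_expiry("2016-07-19 12:00:00 UTC")  # the thread's date
    for rid, found in find_problems(parse_getcert(SAMPLE), now).items():
        print(rid, "->", "; ".join(found))
```

Replace SAMPLE with the output of `getcert list` on the IPA master (and pass the current time as `now`) to triage a live system.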

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-18 Thread Linov Suresh
ficate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=CA Subsystem,O=TELOIP.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20130519130744':
status: MONITORING
ca-error: Internal error: no response to "
http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=64=true=true
".
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=RA Subsystem,O=TELOIP.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Request ID '20130519130745':
status: MONITORING
ca-error: Internal error: no response to "
http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=63=true=true
".
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=caer.teloip.net,O=TELOIP.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "
TELOIP.NET"
track: yes
auto-renew: yes

On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh <linov.sur...@gmail.com>
wrote:

> Yes, PKI is running and I don't see any errors in selftests, I have
> followed https://access.redhat.com/solutions/643753 and restarted the PKI
> in step 10.
>
> The only change which I made was to clean up userCertificate;binary before
> adding the new userCertificate in LDAP, which is step 12.
>
> [root@caer ~]# /etc/init.d/pki-cad status
> pki-ca (pid 8634) is running...[  OK  ]
> Unsecure Port   = http://caer.teloip.net:9180/ca/ee/ca
> Secure Agent Port   = https://caer.teloip.net:9443/ca/agent/ca
> Secure EE Port  = https://caer.teloip.net:9444/ca/ee/ca
> Secure Admin Port   = https://caer.teloip.net:9445/ca/services
> EE Client Auth Port = https://caer.teloip.net:9446/ca/eeca/ca
> PKI Console Port= pkiconsole https://caer.teloip.net:9445/ca
> Tomcat Port = 9701 (for shutdown)
>
> PKI Instance Name:   pki-ca
>
> PKI Subsystem Type:  Root CA (Security Domain)
>
> Registered PKI Security Domain Information:
>
> ==
> Name:  IPA
> URL:   https://caer.teloip.net:9445
>
> ==
> [root@caer ~]#
> [root@caer ~]# tail -f /var/log/pki-ca/selftests.log
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:
>  loading all self test plugin logger parameters
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:
>  loading all self test plugin instances
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:
>  loading all self test plugin instance parameters
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:
>  loading self test plugins in on-demand order
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:
>  loading self test plugins in startup order
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: Self
> test plugins have been successfully loaded!
> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: Running
> self test plugins specified to be executed at startup:
> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence:  CA is present
> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification:
> system certs verification success
> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All
> CRITICAL self test plugins ran SUCCESSFULLY at startup!
>
> Your help is high

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-18 Thread Linov Suresh
Yes, PKI is running and I don't see any errors in selftests, I have
followed https://access.redhat.com/solutions/643753 and restarted the PKI
in step 10.

The only change which I made was to clean up userCertificate;binary before
adding the new userCertificate in LDAP, which is step 12.

[root@caer ~]# /etc/init.d/pki-cad status
pki-ca (pid 8634) is running...[  OK  ]
Unsecure Port   = http://caer.teloip.net:9180/ca/ee/ca
Secure Agent Port   = https://caer.teloip.net:9443/ca/agent/ca
Secure EE Port  = https://caer.teloip.net:9444/ca/ee/ca
Secure Admin Port   = https://caer.teloip.net:9445/ca/services
EE Client Auth Port = https://caer.teloip.net:9446/ca/eeca/ca
PKI Console Port= pkiconsole https://caer.teloip.net:9445/ca
Tomcat Port = 9701 (for shutdown)

PKI Instance Name:   pki-ca

PKI Subsystem Type:  Root CA (Security Domain)

Registered PKI Security Domain Information:

==
Name:  IPA
URL:   https://caer.teloip.net:9445

==
[root@caer ~]#
[root@caer ~]# tail -f /var/log/pki-ca/selftests.log
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading
all self test plugin logger parameters
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading
all self test plugin instances
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading
all self test plugin instance parameters
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading
self test plugins in on-demand order
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading
self test plugins in startup order
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: Self
test plugins have been successfully loaded!
8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: Running
self test plugins specified to be executed at startup:
8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence:  CA is present
8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification:
system certs verification success
8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All
CRITICAL self test plugins ran SUCCESSFULLY at startup!

Your help is highly appreciated!


   Linov Suresh

   70 Forest Manor Rd.
   Toronto
   ON M2J 0A9
   Mobile: +1 647 406 9438
   Linkedin: ca.linkedin.com/in/linov/
   Website: http://mylinuxthoughts.blogspot.com


On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik <pvobo...@redhat.com> wrote:

> On 07/18/2016 05:45 AM, Linov Suresh wrote:
> > Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and
> > certmonger. Looks like certificates were renewed. But I'm getting a
> different
> > error now,
> >
> > *ca-error: Internal error: no response to
> > "
> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=62=true=true
> ".*
>
> Is PKI running? When you change the time, does restart of IPA help?
>
> >
> > [root@caer ~]# getcert list
> > Number of certificates and requests being tracked: 8.
> > Request ID '20111214223243':
> >  status: MONITORING
> >  stuck: no
> >  key pair storage:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
> > Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
> >  certificate:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
> > Certificate DB'
> >  CA: IPA
> >  issuer: CN=Certificate Authority,O=TELOIP.NET
> >  subject: CN=caer.teloip.net,O=TELOIP.NET
> >  expires: 2016-07-18 15:54:36 UTC
> >  eku: id-kp-serverAuth
> >  pre-save command:
> >  post-save command:
> >  track: yes
> >  auto-renew: yes
> > Request ID '20111214223300':
> >  status: MONITORING
> >  stuck: no
> >  key pair storage:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate
> > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> >  certificate:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate
> > DB'
> >  CA: IPA
> >  issuer: CN=Certificate Authority,O=TELOIP.NET
> >  subject: CN=caer.teloip.net,O=TELOIP.NET

[Freeipa-users] IPA certificates expired, please help!

2016-07-18 Thread Linov Suresh
mCert 
cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
certificate: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=CA Subsystem,O=TELOIP.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert 
"subsystemCert cert-pki-ca"
   track: yes
auto-renew: yes
Request ID '20130519130744':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=RA Subsystem,O=TELOIP.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20130519130745':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert 
cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
certificate: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert 
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=caer.teloip.net,O=TELOIP.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes

Note:
I'm seeing two blobs in ipaCert, not sure this is because we already renewed 
the certificate about 18 months back.
[root@caer ~]# certutil -L -d /etc/httpd/alias -n ipaCert -a

Your help is highly appreciated.

Regards,
Linov Suresh.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-17 Thread Linov Suresh
-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20130519130744':
status: MONITORING
ca-error: Internal error: no response to "
http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=64=true=true
".
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=RA Subsystem,O=TELOIP.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Request ID '20130519130745':
status: MONITORING
ca-error: Internal error: no response to "
http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=63=true=true
".
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=caer.teloip.net,O=TELOIP.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "
TELOIP.NET"
track: yes
auto-renew: yes
[root@caer ~]#

Your help is highly appreciated!





On Fri, Jul 15, 2016 at 5:08 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Linov Suresh wrote:
>
>> I logged into my IPA master, and found that the cert had expired again,
>> we renewed these certificates about 18 months ago.
>>
>> Our environment is CentOS 6.4 and IPA 3.0.0-26.
>>
>>
>>   I followed the Redhat documentation, How do I manually renew Identity
>>   Management (IPA) certificates after they have expired? (Master IPA
>>   Server), https://access.redhat.com/solutions/643753 but no luck.
>>
>>
>> I have also changed the directive "NSSEnforceValidCerts off" in
>> /etc/httpd/conf.d/nss.conf and the value of nsslapd-validate-cert is warn.
>>
>> ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w ***
>> -b  cn=config | grep  nsslapd-validate-cert
>>
>> nsslapd-validate-cert: warn
>>
>> Here is my getcert list,
>>
>> [root@caer ~]# getcert list
>>
>
> It looks like your CA subsystem certificates all renewed successfully it
> is just the webserver and LDAP certificates that need renewing so that's
> good.
>
> What I'd do is go back in time again to say Jan 20, 2016 and restart
> certmonger. That should make it retry the renewals.
>
> rob
>

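The exchange above comes down to reading `getcert list` output: which tracked certificates have expired or are stuck, which ones still renew, and Rob's suggestion of winding the clock back to a date before the earliest expiry (Jan 20, 2016 against a 2016-01-29 expiry) and restarting certmonger. The following is an added example, not code from the thread or from FreeIPA: it parses constructed output in that format (including values wrapped across lines the way the mailer wrapped them above), flags each certificate's problems, and computes the clock target with a 9-day margin chosen to reproduce Rob's date.

```python
# Added example, not code from the thread or FreeIPA: triage `getcert list`
# output and find how far back the clock must go for every cert to validate.
import re
from datetime import datetime, timedelta
SAMPLE = """\
Request ID '20111214223243':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to
    execute the HTTP POST transaction.  Peer certificate cannot be authenticated).
    stuck: yes
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2016-01-29 14:09:46 UTC
Request ID '20130519130741':
    status: MONITORING
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2017-10-13 14:10:49 UTC
Request ID '20130519130744':
    status: MONITORING
    ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit".
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    expires: 2017-10-13 14:09:49 UTC
"""  # constructed sample: values modelled on the thread, URL shortened, one value mail-wrapped
FIELDS = {"status", "ca-error", "stuck", "key pair storage", "certificate", "CA", "issuer",
          "subject", "expires", "eku", "pre-save command", "post-save command", "track", "auto-renew"}
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z -]*?):\s*(.*)$")
parse_ts = lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M:%S UTC")  # certmonger's timestamp format

def parse_getcert_list(text):
    """One dict per 'Request ID' block; mail-wrapped values are joined back up."""
    reqs, last = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        m = re.match(r"Request ID '(\d+)':", line)
        f = FIELD_RE.match(line)
        if m:
            reqs.append({"id": m.group(1)})
            last = None
        elif reqs and f and f.group(1) in FIELDS:   # a new "key: value" line
            last = f.group(1)
            reqs[-1][last] = f.group(2)
        elif reqs and last:                         # continuation of a wrapped value
            reqs[-1][last] += " " + line
    return reqs

def triage(reqs, now):
    """NSS nickname -> list of problems; an empty list means nothing to do."""
    report = {}
    for r in reqs:
        problems = []
        if parse_ts(r["expires"]) < now:
            problems.append("expired")
        if r.get("stuck") == "yes" or r.get("status") != "MONITORING":
            problems.append("renewal stuck (%s)" % r.get("status"))
        if "ca-error" in r:                         # the last renewal attempt failed
            problems.append("ca-error: " + r["ca-error"])
        report[re.search(r"nickname='([^']+)'", r["certificate"]).group(1)] = problems
    return report

def clock_target(reqs, margin=timedelta(days=9)):
    """Latest moment when every tracked cert was still valid, less a margin."""
    return min(parse_ts(r["expires"]) for r in reqs) - margin
```

The clock target is only useful if time synchronisation (ntpd) is stopped first so the change is not immediately undone, and certmonger and the CA have to be restarted afterwards, as Linov did in the thread.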
[Freeipa-users] IPA certificates expired, please help!

2016-07-15 Thread Linov Suresh
I logged into my IPA master, and found that the cert had expired again,
we renewed these certificates about 18 months ago.

Our environment is CentOS 6.4 and IPA 3.0.0-26.

I followed the Redhat documentation, How do I manually renew Identity
Management (IPA) certificates after they have expired? (Master IPA Server),
https://access.redhat.com/solutions/643753 but no luck.

I have also changed "NSSEnforceValidCerts off" in
/etc/httpd/conf.d/nss.conf and the value of nsslapd-validate-cert is
warn.

ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w
*** -b  cn=config | grep  nsslapd-validate-cert

nsslapd-validate-cert: warn

Here is my getcert list,

[root@caer ~]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20111214223243':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl
failed to execute the HTTP POST transaction.  Peer certificate cannot
be authenticated with known CA certificates).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=caer.teloip.net,O=TELOIP.NET
expires: 2016-01-29 14:09:46 UTC
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20111214223300':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl
failed to execute the HTTP POST transaction.  Peer certificate cannot
be authenticated with known CA certificates).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=caer.teloip.net,O=TELOIP.NET
expires: 2016-01-29 14:09:45 UTC
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20111214223316':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl
failed to execute the HTTP POST transaction.  Peer certificate cannot
be authenticated with known CA certificates).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=caer.teloip.net,O=TELOIP.NET
expires: 2016-01-29 14:09:45 UTC
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20130519130741':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=CA Audit,O=TELOIP.NET
expires: 2017-10-13 14:10:49 UTC
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20130519130742':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=OCSP Subsystem,O=TELOIP.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: