Linov Suresh wrote:
Removed the duplicate certificates and tried to renew the
certificates, we were able to renew the certificates and "*ca-error:
Internal error: no response to
"http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=63=true=true"*.;
gone this time.
Removed the duplicate certificates and tried to renew the certificates,
we were able to renew the certificates and "*ca-error: Internal error: no
response to
"http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=63=true=true
Thank you very much Rob.
Let me remove the duplicate certificates and try to renew the certificates
again to see if "*ca-error: Internal error: no response to
"http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=63=true=true
Linov Suresh wrote:
Could you please verify, if we have set correct trust attributes on the
certificates
*root@caer ~]# certutil -d /var/lib/pki-ca/alias/ -L*
Certificate Nickname Trust
Attributes
SSL,S/MIME,JAR/XPI
subsystemCert cert-pki-ca
I agree with you Jakub, I will start separate thread for separate
issues.
On Fri, Jul 22, 2016 at 10:31 AM, Jakub Hrozek wrote:
> On Fri, Jul 22, 2016 at 09:36:27AM -0400, Linov Suresh wrote:
> > I'm facing another issue now, my kerberos tickets are not renewing,
>
>
On Fri, Jul 22, 2016 at 09:36:27AM -0400, Linov Suresh wrote:
> I'm facing another issue now, my kerberos tickets are not renewing,
In general I think it's better to start separate threads about separate
issues. That way people who only scan the subject lines can see if this
thread is something
Could you please verify, if we have set correct trust attributes on the
certificates
*root@caer ~]# certutil -d /var/lib/pki-ca/alias/ -L*
Certificate Nickname Trust
Attributes
SSL,S/MIME,JAR/XPI
subsystemCert cert-pki-ca
I'm facing another issue now, my kerberos tickets are not renewing,
*[root@caer ~]# ipa cert-show 1*
ipa: ERROR: Ticket expired
*[root@caer ~]# klist*
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@teloip.net
Valid starting     Expires            Service principal
07/20/16 14:42:26
Linov Suresh wrote:
The httpd_error log doesn't contain the part where `ipa cert-show 1` was
run. If it is from the same time.
*I am not sure about that, please see httpd_error when `ipa cert-show 1`
was run*
The IPA API log isn't going to show much in this case.
Requests to the CA are
The httpd_error log doesn't contain the part where `ipa cert-show 1` was
run. If it is from the same time.
*I am not sure about that, please see httpd_error when `ipa cert-show 1`
was run*
[root@caer ~]# *tail -f /var/log/httpd/error_log*
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI
On 07/21/2016 05:14 PM, Linov Suresh wrote:
> I set debug=true in /etc/ipa/default.conf
>
> Here are my logs,
The httpd_error log doesn't contain the part where `ipa cert-show 1` was
run. If it is from the same time. Does `ipa cert-show` communicate with
the same replica? Could be verified by
On 07/20/2016 09:41 PM, Linov Suresh wrote:
> I have restarted the pki-cad and checked if communication with the CA is
> working, but no luck,
>
> Debug logs in /var/log/pki-ca do not have anything unusual. Can you think of
> anything other than this?
/var/log/httpd/error_log when
I have restarted the pki-cad and checked if communication with the CA is
working, but no luck,
Debug logs in /var/log/pki-ca do not have anything unusual. Can you think
of anything other than this?
[root@caer ~]# ipa cert-show 1
Certificate:
Linov Suresh wrote:
Thanks for your help Rob, I will create a separate thread for IPA
replication issue. But we are still getting
*ca-error: Internal error: no response to
"http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=60=true=true".*
Could you please
Thanks for your help Rob, I will create a separate thread for IPA
replication issue. But we are still getting
*ca-error: Internal error: no response to
"http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=60=true=true
Glad you got the certificates successfully renewed.
Can you open a new e-mail thread on this new problem so we can keep the
issues separated?
IPA gets little information back when dogtag fails to install. You need
to look in /var/log//debug for more information. The exact
location depends
Great! That worked, and I successfully renewed the certificates on the
IPA server and I was trying to create an IPA replica server and got an error,
[root@neit-lab ~]# ipa-replica-install --setup-ca --setup-dns
--no-forwarders --skip-conncheck
/var/lib/ipa/replica-info-neit-lab.teloip.net.gpg
Linov Suresh wrote:
I have followed Redhat official documentation,
https://access.redhat.com/solutions/643753 for certificate renewal,
which says *add: usercertificate. (step 12)*
While on the other hand FreeIPA official documentation
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal ,
I have followed Redhat official documentation,
https://access.redhat.com/solutions/643753 for certificate renewal, which
says *add: usercertificate. (step 12)*
While on the other hand FreeIPA official documentation
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal , say to *add:
We have cloned and created another virtual server from the template.
Surprisingly this server's certificates were also expired at the same time as
the previous, just lasted for a day.
This issue has something to do with the kerberos tickets?
I am new to IPA and your help is highly appreciated.
On
*Update: my webserver and LDAP certificates were expired at 2016-07-18
15:54:36 UTC and the certificates are in CA_UNREACHABLE state.*
*Could you please help us? *
[root@caer tmp]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20111214223243':
status:
Yes, PKI is running and I don't see any errors in selftests, I have
followed https://access.redhat.com/solutions/643753 and restarted the PKI
in step 10.
The only change which I made was to clean up userCertificate;binary before
adding new userCertificate in LDAP, which is step 12.
[root@caer ~]#
On 07/18/2016 05:45 AM, Linov Suresh wrote:
> Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and
> certmonger. Looks like certificates were renewed. But I'm getting a different
> error now,
>
> *ca-error: Internal error: no response to
>
Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and
certmonger. Looks like certificates were renewed. But I'm getting a
different error now,
*ca-error: Internal error: no response to
"http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=62=true=true
Linov Suresh wrote:
I logged into my IPA master, and found that the cert had expired again,
we renewed these certificates about 18 months ago.
Our environment is CentOS 6.4 and IPA 3.0.0-26.
I followed the Redhat documentation, How do I manually renew Identity
Management (IPA) certificates
25 matches