Hi,

Checked AVCs first. SELinux is always a burden on our Fedora Clients.

Certmonger is still trying.

Does it make sense to make some time travel for certificate renewal with the Renewal master, even if the renewal didn't work when the certificates were still valid?




On 30.01.2018 16:42, Rob Crittenden via FreeIPA-users wrote:
Christof Schulze via FreeIPA-users wrote:
Hi,

Here may be the problem, all are masters, the idm1 I am working on is
the CA renewal master (checked ldap and config-show).

IPA masters: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
IPA CA servers: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
IPA NTP servers: idm1.ww8kd.fau.de, idm2.ww8kd.fau.de, idm3.ww8kd.fau.de
IPA CA renewal master: idm1.ww8kd.fau.de

But when checking the different points on the site linked by you, I can
see:
All of them have
         ca.crl.MasterCRL.enableCRLUpdates=false
         ca.crl.MasterCRL.enableCRLCache=false

And all of them have the RewriteRule in the
/etc/httpd/conf.d/ipa-pki-proxy.conf.

I remember years ago the original idm1 got roasted by some electrical
surge. And I think it got cloned by one of the others (documentation
would be king).

So all of them are clones and we don't have a CRL generation master.

The renewed "auditSigningCert cert-pki-ca" on the master didn't get
replicated to the others.

Can I just promote idm1 to become CRL generation master by setting
         ca.crl.MasterCRL.enableCRLUpdates=true
         ca.crl.MasterCRL.enableCRLCache=true

Yes but that won't affect renewal.

And how to get new certificates?

As Flo suggested, check syslog for certmonger messages. Look for AVCs.

Look at the output of getcert list to see what the status and errors are.

rob



And Thanks for your patience.


On 30.01.2018 14:26, Florence Blanc-Renaud wrote:
On 01/30/2018 02:02 PM, Christof Schulze via FreeIPA-users wrote:
Hi,

Now the roof is on fire, all certificates are synced on all masters
since a long time ago.

The not renewing certificates in /etc/pki/pki-tomcat/alias have now
expired
       "subsystemCert cert-pki-ca" , "ocspSigningCert cert-pki-ca" ,
       "/var/lib/ipa/ra-agent.pem"

The "auditSigningCert cert-pki-ca" certificate is the only one which
has been renewed. (Old Serial Number: 5 (0x5), New Serial Number:
536739845 (0x1ffe0005) valid till 2020)

The userCertificate in (uid=ipara,ou=people,o=ipaca) and the IPA RA
certificate in /var/lib/ipa/ra-agent.pem are matching and expired.


pki-tomcat can no longer access the ldap.

      slapi_ldap_bind - Error: could not send startTLS request: error
-1 (Can't contact LDAP server) errno 107 (Transport endpoint is not
connected)


Is there some way this situation can be solved?
Hi,

you need first to identify who is your renewal master and start
repairing this machine. You can use ipa config-show or a direct
ldapsearch as described here
(https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Identifying_current_first_master)
to find the renewal master.

On the renewal master, check if the certificates have been properly
renewed. If it is not the case, you will need to chase the failure by
checking SE linux AVCs or errors in the journal produced by certmonger.
The renewal master really needs to be repaired first, as it is the
source containing some certs that will later be downloaded by the
other masters.

Flo


Thanks

Christof Schulze



Request ID '20171206120336':
      status: MONITORING
      stuck: no
      key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
      certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
      CA: dogtag-ipa-ca-renew-agent
      issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some
Institute (XXX) - FAU,C=DE,E=g...@example.com,L=FUERTH
      subject: CN=CA Audit,O=XXXKD.FAU.DE,OU=Some Institute (XXX) -
FAU,C=DE,E=g...@example.com,L=FUERTH
      expires: 2020-01-19 13:22:53 UTC
      key usage: digitalSignature,nonRepudiation
      pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
      post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
      track: yes
      auto-renew: yes
Request ID '20171206120337':
      status: MONITORING
      stuck: no
      key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
      certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
      CA: dogtag-ipa-ca-renew-agent
      issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some
Institute (XXX) - FAU,C=DE,E=g...@example.com,L=FUERTH
      subject: CN=OCSP Subsystem,O=XXXKD.FAU.DE,OU=Some Institute
(XXX) - FAU,C=DE,E=g...@example.com,L=FUERTH
      expires: 2018-01-29 12:00:44 UTC
      key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
      eku: id-kp-OCSPSigning
      pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
      post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
      track: yes
      auto-renew: yes
Request ID '20171206120338':
      status: MONITORING
      stuck: no
      key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
      certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
      CA: dogtag-ipa-ca-renew-agent
      issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some
Institute (XXX) - FAU,C=DE,E=g...@example.com,L=FUERTH
      subject: CN=CA Subsystem,O=XXXKD.FAU.DE,OU=Some Institute (XXX)
- FAU,C=DE,E=g...@example.com,L=FUERTH
      expires: 2018-01-29 12:00:44 UTC
      key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
      eku: id-kp-serverAuth,id-kp-clientAuth
      pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
      post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
      track: yes
      auto-renew: yes
Request ID '20171206120340':
      status: MONITORING
      stuck: no
      key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
      certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
      CA: dogtag-ipa-ca-renew-agent
      issuer: CN=Certificate Authority,O=XXXKD.FAU.DE,OU=Some
Institute (XXX) - FAU,C=DE,E=g...@example.com,L=FUERTH
      subject: CN=IPA RA,O=XXXKD.FAU.DE,OU=Some Institute (XXX) -
FAU,C=DE,E=g...@example.com,L=FUERTH
      expires: 2018-01-29 12:01:11 UTC
      key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
      eku: id-kp-serverAuth,id-kp-clientAuth
      pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
      post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
      track: yes
      auto-renew: yes


On 30.01.2018 00:40, Fraser Tweedale via FreeIPA-users wrote:
On Mon, Jan 29, 2018 at 03:55:07PM +0100, Christof Schulze via
FreeIPA-users wrote:
Hi,

some certificates on our freeipa-cluster (3 servers) have not been
renewed till now, 2 hours before expiring. Can this be a problem?

Some of the certificates, the ones expiring, show
"ca-error: Invalid cookie: ''" in the "getcert list" output, which
makes me nervous.

We also have the problem when certmonger can not reach the CA
(CA_UNREACHABLE) after restarting a freeipa-server. But when we restart
the certmonger.server after everything being up again everything looks
good.

Maybe you can give me some advice what to check and which logs else
you would need.


Thanks

Christof Schulze

Hi Christof,

Yes, it is a problem.  They should have been renewed before now.
The errors in `getcert list` output show that there has been a
problem.

First, check that all certificates are valid, all certificates have
been synced across all masters using `ipa-certupdate` on each
master.  You should also check that the userCertificate attribute in
entry:

    uid=ipara,ou=people,o=ipaca

matches the actual IPA RA certificate in /var/lib/ipa/ra-agent.pem

Also check that your topology has correct renewal master
configuration.  ldapsearch cn=masters,cn=ipa,cn=etc,dc=ipa,dc=local
with filter (&(cn=CA)(ipaConfigString=caRenewalMaster)).  It should
return exactly one entry and it must be a valid, active master.

HTH,
Fraser




_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org



--
Christof Schulze

Institute of Materials Simulation (WW8)
Department of Materials Science
Friedrich-Alexander-University Erlangen-Nürnberg
Dr.-Mack-Str. 77,
90762 Fürth, Germany

Tel: 0911/65078-65069
Email: christof.schu...@ww.uni-erlangen.de
journalctl -u certmonger.service

Jan 29 20:43:46 idm1.ww8kd.fau.de certmonger[13223]: Certificate in file "/var/lib/ipa/ra-agent.pem" is no longer valid.
Jan 29 20:43:49 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13225]: Forwarding request to dogtag-ipa-renew-agent
Jan 29 20:43:49 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13225]: dogtag-ipa-renew-agent returned 2

.... repeating till...

Jan 29 20:45:10 idm1.ww8kd.fau.de certmonger[13328]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 29 20:45:13 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13330]: Forwarding request to dogtag-ipa-renew-agent

.... repeating till...

Jan 29 20:53:36 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13943]: dogtag-ipa-renew-agent returned 2
Jan 29 20:53:47 idm1.ww8kd.fau.de certmonger[13954]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 29 20:53:49 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13956]: Forwarding request to dogtag-ipa-renew-agent
Jan 29 20:53:49 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[13956]: dogtag-ipa-renew-agent returned 2

.... repeating till...

Jan 29 20:55:57 idm1.ww8kd.fau.de certmonger[14110]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 29 20:55:59 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[14112]: Forwarding request to dogtag-ipa-renew-agent
Jan 29 20:55:59 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[14112]: dogtag-ipa-renew-agent returned 2

.... repeating

Then suddenly:

Jan 30 16:09:31 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[27370]: Traceback (most recent call last):
                                                                             File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 540, in <module>
                                                                               sys.exit(main())
                                                                             File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 514, in main
                                                                               kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
                                                                             File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 43, in kinit_keytab
                                                                               cred = gssapi.Credentials(name=name, store=store, usage='initiate')
                                                                             File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
                                                                               store=store)
                                                                             File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
                                                                               usage)
                                                                             File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred_store.c:1732)
                                                                           GSSError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'WW8KD.FAU.DE'
Jan 30 16:09:31 idm1.ww8kd.fau.de certmonger[15905]: 2018-01-30 16:09:31 [15905] Internal error
Jan 30 16:09:50 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[27500]: Traceback (most recent call last):
                                                                             File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 540, in <module>
                                                                               sys.exit(main())
                                                                             File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 514, in main
                                                                               kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
                                                                             File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 43, in kinit_keytab
                                                                               cred = gssapi.Credentials(name=name, store=store, usage='initiate')
                                                                             File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
                                                                               store=store)
                                                                             File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
                                                                               usage)
                                                                             File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred_store.c:1732)
                                                                           GSSError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'WW8KD.FAU.DE'
Jan 30 16:09:50 idm1.ww8kd.fau.de certmonger[15905]: 2018-01-30 16:09:50 [15905] Internal error
Jan 30 16:09:51 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[27509]: Traceback (most recent call last):
                                                                             File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 540, in <module>
                                                                               sys.exit(main())
                                                                             File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 514, in main
                                                                               kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
                                                                             File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 43, in kinit_keytab
                                                                               cred = gssapi.Credentials(name=name, store=store, usage='initiate')
                                                                             File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
                                                                               store=store)
                                                                             File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
                                                                               usage)
                                                                             File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred_store.c:1732)
                                                                           GSSError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'WW8KD.FAU.DE'
Jan 30 16:09:51 idm1.ww8kd.fau.de certmonger[15905]: 2018-01-30 16:09:51 [15905] Internal error
Jan 30 16:15:03 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[28056]: Forwarding request to dogtag-ipa-renew-agent
Jan 30 16:15:03 idm1.ww8kd.fau.de dogtag-ipa-ca-renew-agent-submit[28056]: dogtag-ipa-renew-agent returned 2

.... repeating till end...
Jan 30 17:10:18 idm1 certmonger: Certificate named "subsystemCert cert-pki-ca"
in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no 
longer valid.
Jan 30 17:10:20 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to 
dogtag-ipa-renew-agent
Jan 30 17:10:20 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent 
returned 2
Jan 30 17:10:24 idm1 server: Jan 30, 2018 5:10:24 PM 
org.apache.catalina.core.ContainerBase backgroundProcess
Jan 30 17:10:24 idm1 server: WARNING: Exception processing realm 
com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 30 17:10:24 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem 
unavailable
Jan 30 17:10:24 idm1 server: at 
com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 30 17:10:24 idm1 server: at 
org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 30 17:10:24 idm1 server: at 
org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 30 17:10:24 idm1 server: at 
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 30 17:10:24 idm1 server: at 
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:24 idm1 server: at 
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:24 idm1 server: at 
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 30 17:10:24 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 30 17:10:26 idm1 certmonger: Certificate in file 
"/var/lib/ipa/ra-agent.pem" is no longer valid.
Jan 30 17:10:28 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to 
dogtag-ipa-renew-agent
Jan 30 17:10:28 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent 
returned 2
Jan 30 17:10:34 idm1 server: Jan 30, 2018 5:10:34 PM 
org.apache.catalina.core.ContainerBase backgroundProcess
Jan 30 17:10:34 idm1 server: WARNING: Exception processing realm 
com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 30 17:10:34 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem 
unavailable
Jan 30 17:10:34 idm1 server: at 
com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 30 17:10:34 idm1 server: at 
org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 30 17:10:34 idm1 server: at 
org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 30 17:10:34 idm1 server: at 
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 30 17:10:34 idm1 server: at 
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:34 idm1 server: at 
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:34 idm1 server: at 
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 30 17:10:34 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 30 17:10:44 idm1 server: Jan 30, 2018 5:10:44 PM 
org.apache.catalina.core.ContainerBase backgroundProcess
Jan 30 17:10:44 idm1 server: WARNING: Exception processing realm 
com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 30 17:10:44 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem 
unavailable
Jan 30 17:10:44 idm1 server: at 
com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 30 17:10:44 idm1 server: at 
org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 30 17:10:44 idm1 server: at 
org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 30 17:10:44 idm1 server: at 
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 30 17:10:44 idm1 server: at 
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:44 idm1 server: at 
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:44 idm1 server: at 
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 30 17:10:44 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 30 17:10:44 idm1 certmonger: Certificate named "ocspSigningCert 
cert-pki-ca" in token "NSS Certificate DB" in database 
"/etc/pki/pki-tomcat/alias" is no longer valid.
Jan 30 17:10:46 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to 
dogtag-ipa-renew-agent
Jan 30 17:10:46 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent 
returned 2
Jan 30 17:10:50 idm1 certmonger: Certificate named "subsystemCert cert-pki-ca" 
in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" is no 
longer valid.
Jan 30 17:10:53 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to 
dogtag-ipa-renew-agent
Jan 30 17:10:53 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent 
returned 2
Jan 30 17:10:54 idm1 server: Jan 30, 2018 5:10:54 PM 
org.apache.catalina.core.ContainerBase backgroundProcess
Jan 30 17:10:54 idm1 server: WARNING: Exception processing realm 
com.netscape.cms.tomcat.ProxyRealm@3a9d3f72 background process
Jan 30 17:10:54 idm1 server: javax.ws.rs.ServiceUnavailableException: Subsystem 
unavailable
Jan 30 17:10:54 idm1 server: at 
com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
Jan 30 17:10:54 idm1 server: at 
org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
Jan 30 17:10:54 idm1 server: at 
org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
Jan 30 17:10:54 idm1 server: at 
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
Jan 30 17:10:54 idm1 server: at 
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:54 idm1 server: at 
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
Jan 30 17:10:54 idm1 server: at 
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
Jan 30 17:10:54 idm1 server: at java.lang.Thread.run(Thread.java:748)
Jan 30 17:10:58 idm1 certmonger: Certificate in file 
"/var/lib/ipa/ra-agent.pem" is no longer valid.
Jan 30 17:11:01 idm1 dogtag-ipa-ca-renew-agent-submit: Forwarding request to 
dogtag-ipa-renew-agent
Jan 30 17:11:01 idm1 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent 
returned 2
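
A triage sketch for the `getcert list` output posted in this thread, added here as an example (not code from FreeIPA, certmonger or any poster): it re-joins mail-wrapped values and classifies each tracked certificate by its own expiry date rather than by the `status` field, since the requests above read `MONITORING` and `stuck: no` while already expired. The sample text, the 28-day warning window and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the `getcert list` output in this thread.
# The second request keeps the mail-style wrap; its ca-error line is the
# message quoted in the first post, placed here as an assumption.
SAMPLE = """\
Request ID '20171206120336':
      status: MONITORING
      stuck: no
      certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
      expires: 2020-01-19 13:22:53 UTC
Request ID '20171206120337':
      status: MONITORING
      ca-error: Invalid cookie: ''
      stuck: no
      certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
      expires: 2018-01-29 12:00:44 UTC
Request ID '20171206120340':
      status: MONITORING
      stuck: no
      certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
      expires: 2018-01-29 12:01:11 UTC
"""

REQUEST = re.compile(r"^Request ID '([^']+)':")
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?):\s*(.*)$")


def parse_getcert_list(text):
    """Split the output into one dict per request, re-joining wrapped values."""
    requests, current, last_key = [], None, None
    for line in text.splitlines():
        m = REQUEST.match(line)
        if m:
            current, last_key = {"id": m.group(1)}, None
            requests.append(current)
        elif current is None or not line.strip():
            continue
        elif (m := FIELD.match(line)):
            last_key = m.group(1)
            current[last_key] = m.group(2)
        elif last_key:
            # Unindented line: continuation of the previous field's value.
            current[last_key] = f"{current[last_key]} {line.strip()}".strip()
    return requests


def triage(text, now, warn=timedelta(days=28)):
    """Return (name, state, status, ca_error) for every tracked request.

    state comes from the expiry date alone; `status` is reported, not trusted.
    """
    rows = []
    for req in parse_getcert_list(text):
        cert = req.get("certificate", "")
        m = re.search(r"nickname='([^']+)'", cert) or re.search(r"location='([^']+)'", cert)
        name = m.group(1) if m else req["id"]
        try:
            expires = datetime.strptime(req.get("expires", ""), "%Y-%m-%d %H:%M:%S UTC")
            expires = expires.replace(tzinfo=timezone.utc)
            state = ("EXPIRED" if expires <= now
                     else "EXPIRING" if expires - now <= warn else "OK")
        except ValueError:
            state = "UNKNOWN"  # missing or non-UTC expiry string
        rows.append((name, state, req.get("status"), req.get("ca-error")))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE, datetime(2018, 1, 30, 16, 0, tzinfo=timezone.utc)):
        print(row)
```

Fed the real output on each master, the same rows make it easy to see which host still holds the old certificates after the renewal master has been repaired.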