Hello,
[root@srv01 lib]# certutil -L -d /etc/pki/pki-tomcat/alias
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Server-Cert cert-pki-ca u,u,u
auditSigningCert cert-pki-ca u,u,Pu
subsystemCert cert-pki-ca u,u,u
Certificate Authority - EXAMPLE.COM CTu,Cu,Cu
ocspSigningCert cert-pki-ca u,u,u
caSigningCert cert-pki-ca CTu,Cu,Cu
[root@ds01 lib]# certutil -L -d /etc/pki/pki-tomcat/alias -n 'Certificate Authority - EXAMPLE.COM' | grep -i after
Not After : Thu Aug 03 19:28:18 2034
Is "Certificate Authority - EXAMPLE.COM" a valid entry here? This Not After date
is from our older CA certificate, which was replaced a couple of years ago.
Can this entry be deleted?
The "caSigningCert cert-pki-ca" is the current CA with valid dates.
Thank you for your help.
Regards,
Bhavin
________________________________
From: Bhavin Vaidya via FreeIPA-users <[email protected]>
Sent: Monday, March 23, 2020 1:28 PM
To: Florence Blanc-Renaud <[email protected]>; FreeIPA users list
<[email protected]>
Cc: Bhavin Vaidya <[email protected]>
Subject: [Freeipa-users] Re: Expired Certificates, rolling back time didn't help
Hello,
We carried out the following steps, but the certificates still will not renew.
stop ntpd
fall back to 2018-05-11 (Mar 11th, 2018)
ipactl stop
started all but the ntpd service manually
systemctl restart certmonger
Waited for more than an hour, but the certificates still didn't get updated. Now
some certificates on our other IPA server have also expired.
I'm seeing 2 IPA certificates in the following output; earlier we had an issue with
losing the master CA server, and it seems we retained the older certificate.
Can this be an issue?
[root@srv01 log]# /usr/bin/certutil -d /etc/httpd/alias/ -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Server-Cert u,u,u
EXAMPLE.COM IPA CA-0 CT,C,C
EXAMPLE.COM IPA CA CT,C,C
[root@srv01 log]#
[root@srv01 ~]# certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Server-Cert CTu,Cu,Cu
EXAMPLE.COM IPA CA CT,C,C
[root@srv01 ~]#
thank you for your support.
regards,
Bhavin
________________________________
From: Florence Blanc-Renaud <[email protected]>
Sent: Tuesday, March 17, 2020 4:26 AM
To: FreeIPA users list <[email protected]>
Cc: Bhavin Vaidya <[email protected]>
Subject: Re: [Freeipa-users] Re: Expired Certificates, rolling back time didn't help
On 3/17/20 11:44 AM, Bhavin Vaidya via FreeIPA-users wrote:
> Hello Flo,
>
> thank you for your response.
>
> [root@srv01 ~]# ipa config-show | grep renewal
> IPA CA renewal master: srv01.arteris.com
>
> We followed the following steps, but the certificates will not renew.
>
> Stopped NTP and went back to 2018-05-11
> systemctl restart certmonger.service
>
> no luck, so we did
>
> Stopped NTP and went back to 2018-05-11
> systemctl restart certmonger.service
> stopped FreeIPA - ipactl stop
> Started services manually as per this RedHat doc
> <https://access.redhat.com/solutions/3146271>.
> getcert list ---- shows either SUBMITTING, CA_UNREACHABLE or
> NEED_TO_SUBMIT
>
Hi,
you need to wait a while for certmonger to renew all the certs. As the
new output shows, some progress was made: the LDAP certificate was renewed.
You can try:
getcert resubmit -i 20180315021503
then wait for the RA cert to move to MONITORING and do the same for each
cert that needs to be renewed (resubmit, wait for the cert to move to
MONITORING, etc...).
flo
> [root@srv01 ~]# getcert list
>
> Number of certificates and requests being tracked: 8.
>
> Request ID '20180228053337':
>
> status: MONITORING
>
> stuck: no
>
> key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
>
> certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
>
> CA: SelfSign
>
> issuer: CN=srv01.example.com,O=EXAMPLE.COM
>
> subject: CN=srv01.example.com,O=EXAMPLE.COM
>
> expires: 2021-01-11 21:56:57 UTC
>
> principal name: krbtgt/[email protected]
> <mailto:krbtgt/[email protected]>
>
> certificate template/profile: KDCs_PKINIT_Certs
>
> pre-save command:
>
> post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
>
> track: yes
>
> auto-renew: yes
>
> Request ID '20180315021457':
>
> status: SUBMITTING
>
> stuck: no
>
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>
> CA: dogtag-ipa-ca-renew-agent
>
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>
> subject: CN=CA Audit,O=EXAMPLE.COM
>
> expires: 2020-02-25 04:27:49 UTC
>
> key usage: digitalSignature,nonRepudiation
>
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
>
> track: yes
>
> auto-renew: yes
>
> Request ID '20180315021500':
>
> status: SUBMITTING
>
> stuck: no
>
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS
> Certificate DB',pin set
>
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS
> Certificate DB'
>
> CA: dogtag-ipa-ca-renew-agent
>
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>
> subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>
> expires: 2020-02-25 04:28:38 UTC
>
> eku: id-kp-OCSPSigning
>
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "ocspSigningCert cert-pki-ca"
>
> track: yes
>
> auto-renew: yes
>
> Request ID '20180315021501':
>
> status: SUBMITTING
>
> stuck: no
>
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB'
>
> CA: dogtag-ipa-ca-renew-agent
>
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>
> subject: CN=CA Subsystem,O=EXAMPLE.COM
>
> expires: 2020-02-25 04:31:47 UTC
>
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>
> eku: id-kp-serverAuth,id-kp-clientAuth
>
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "subsystemCert cert-pki-ca"
>
> track: yes
>
> auto-renew: yes
>
> Request ID '20180315021502':
>
> status: MONITORING
>
> stuck: no
>
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>
> CA: dogtag-ipa-ca-renew-agent-reuse
>
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>
> subject: CN=Certificate Authority,O=EXAMPLE.COM
>
> expires: 2038-03-07 03:47:46 UTC
>
> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "caSigningCert cert-pki-ca"
>
> track: yes
>
> auto-renew: yes
>
> Request ID '20180315021503':
>
> status: CA_UNREACHABLE
>
> ca-error: Error 28 connecting to
> https://srv01.example.com:8443/ca/agent/ca/profileReview: Timeout was
> reached.
>
> stuck: no
>
> key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>
> certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>
> CA: dogtag-ipa-ca-renew-agent
>
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>
> subject: CN=IPA RA,O=EXAMPLE.COM
>
> expires: 2018-06-15 23:15:23 UTC
>
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>
> eku: id-kp-serverAuth,id-kp-clientAuth
>
> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>
> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>
> track: yes
>
> auto-renew: yes
>
> Request ID '20180315021505':
>
> status: MONITORING
>
> stuck: no
>
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
>
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
> Certificate DB'
>
> CA: IPA
>
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>
> subject: CN=srv01.example.com,O=EXAMPLE.COM
>
> expires: 2020-05-12 01:41:53 UTC
>
> principal name: ldap/[email protected]
> <mailto:ldap/[email protected]>
>
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>
> eku: id-kp-serverAuth,id-kp-clientAuth
>
> pre-save command:
>
> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
>
> track: yes
>
> auto-renew: yes
>
> Request ID '20180315021510':
>
> status: NEED_TO_SUBMIT
>
> ca-error: Server at https://srv01.example.com/ipa/xml failed request,
> will retry: -504 (libcurl failed to execute the HTTP POST transaction,
> explaining: Peer's Certificate has expired.).
>
> stuck: no
>
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
>
> CA: IPA
>
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>
> subject: CN=srv01.example.com,O=EXAMPLE.COM
>
> expires: 2020-03-07 08:49:51 UTC
>
> principal name: HTTP/[email protected]
> <mailto:HTTP/[email protected]>
>
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>
> eku: id-kp-serverAuth,id-kp-clientAuth
>
> pre-save command:
>
> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>
> track: yes
>
> auto-renew: yes
>
>
>
> Thank you and with regards,
> Bhavin
>
>
>
> ------------------------------------------------------------------------
> *From:* Florence Blanc-Renaud <[email protected]>
> *Sent:* Tuesday, March 17, 2020 1:17 AM
> *To:* FreeIPA users list <[email protected]>
> *Cc:* Bhavin Vaidya <[email protected]>
> *Subject:* Re: [Freeipa-users] Expired Certificates, rolling back time
> didn't help
> On 3/16/20 11:44 PM, Bhavin Vaidya via FreeIPA-users wrote:
>> Hello,
>>
>> We had a similar issue 2 yrs back, and it has resurfaced as it didn't auto-renew.
>> Went back in time to 2016-06-11 as well as 2020-02-20, restarted
>> "certmonger", it didn't update.
>>
> Hi,
>
> you need to check first which server is your renewal master:
>
> $ kinit admin
>
> $ ipa config-show | grep renewal
>
>
> The output should display the name of the renewal master. This host is
> the first server that needs to be fixed.
>
>
> In the getcert list output that you provided, we can see that:
>
> - the PKI certificates shared between the servers expired on 2020-02-25
> (auditSigningCert cert-pki-ca, ocspSigningCert cert-pki-ca,
> subsystemCert cert-pki-ca)
>
> - the CA cert is still valid
>
> - the RA cert expired on 2018-06-15
>
> - the HTTP and LDAP server certs expired on 2020-03-07
>
>
> You need to carefully pick the date you go back in time: at that given
> date, all the certs must be valid (not expired yet but *already valid*).
> From your output, the date needs to be before 2018-06-15 but after
> 2018-03-08 (=the validFrom date for the PKI certs).
>
>
> HTH,
>
> flo
>
>> FreeIPA Master: CentOS 7.4.1708, FreeIPA Version: 4.5.0,
>> API_VERSION: 2.228
>>
>> While running ipactl start, it will not start pki-tomcat, with the
>> message "pki-tomcatd Service: STOPPED".
>>
>> Referring to Rob's blog
>> <https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-authenticated-with-given-ca-certificates/>
>>
>> [root@srv01 ~]# curl --cacert /etc/ipa/ca.crt -v https://`hostname`:8443/ca/ww/ca/getCertChain
>>
>> * About to connect() to srv01.example.com port 8443 (#0)
>>
>> * Trying 192.168.10.146...
>>
>> * Connected to srv01.example.com (192.168.10.146) port 8443 (#0)
>>
>> * Initializing NSS with certpath: sql:/etc/pki/nssdb
>>
>> * CAfile: /etc/ipa/ca.crt
>>
>> CApath: none
>>
>> * Server certificate:
>>
>> * subject: CN=srv01.example.com,O=EXAMPLE.COM
>>
>> * start date: Dec 26 21:02:44 2016 GMT
>>
>> * expire date: Dec 16 21:02:44 2018 GMT
>>
>> * common name: srv01.example.com
>>
>> * issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>
>> * NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
>>
>> * Peer's certificate issuer has been marked as not trusted by the user.
>>
>> * Closing connection 0
>>
>> curl: (60) Peer's certificate issuer has been marked as not trusted by
>> the user.
>>
>> More details here: http://curl.haxx.se/docs/sslcerts.html
>>
>> curl performs SSL certificate verification by default, using a "bundle"
>> of Certificate Authority (CA) public keys (CA certs). If the
>> default bundle file isn't adequate, you can specify an alternate
>> file using the --cacert option.
>>
>> If this HTTPS server uses a certificate signed by a CA represented
>> in the bundle, the certificate verification probably failed due to
>> a problem with the certificate (it might be expired, or the name
>> might not match the domain name in the URL).
>>
>> If you'd like to turn off curl's verification of the certificate,
>> use the -k (or --insecure) option.
>>
>>
>> Meanwhile, the CA cert check as per
>> <https://www.freeipa.org/page/V4/CA_certificate_renewal>:
>>
>> [root@srv01 ~]# getcert list -d /etc/pki/pki-tomcat/alias -n
>> 'caSigningCert cert-pki-ca'
>>
>> Number of certificates and requests being tracked: 8.
>>
>> Request ID '20180315021502':
>>
>> status: MONITORING
>>
>> stuck: no
>>
>> key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
>> cert-pki-ca',token='NSS
>> Certificate DB',pin set
>>
>> certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
>> cert-pki-ca',token='NSS
>> Certificate DB'
>>
>> CA: dogtag-ipa-ca-renew-agent
>>
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>
>> subject: CN=Certificate Authority,O=EXAMPLE.COM
>>
>> expires: 2038-03-07 03:47:46 UTC
>>
>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>> "caSigningCert cert-pki-ca"
>>
>> track: yes
>>
>> auto-renew: yes
>>
>> We also have few others certificates, which are not renewed.
>>
>>
>> [root@srv01 ~]# getcert list
>>
>> Number of certificates and requests being tracked: 8.
>>
>> Request ID '20180228053337':
>>
>> status: MONITORING
>>
>> stuck: no
>>
>> key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
>>
>> certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
>>
>> CA: SelfSign
>>
>> issuer: CN=srv01.example.com,O=EXAMPLE.COM
>>
>> subject: CN=srv01.example.com,O=EXAMPLE.COM
>>
>> expires: 2021-01-11 21:56:57 UTC
>>
>> principal name: krbtgt/[email protected]
>> <mailto:krbtgt/[email protected]>
>>
>> certificate template/profile: KDCs_PKINIT_Certs
>>
>> pre-save command:
>>
>> post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
>>
>> track: yes
>>
>> auto-renew: yes
>>
>> Request ID '20180315021457':
>>
>> status: MONITORING
>>
>> stuck: no
>>
>> key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>>
>> certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>>
>> CA: dogtag-ipa-ca-renew-agent
>>
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>
>> subject: CN=CA Audit,O=EXAMPLE.COM
>>
>> expires: 2020-02-25 04:27:49 UTC
>>
>> key usage: digitalSignature,nonRepudiation
>>
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>> "auditSigningCert cert-pki-ca"
>>
>> track: yes
>>
>> auto-renew: yes
>>
>> Request ID '20180315021500':
>>
>> status: MONITORING
>>
>> stuck: no
>>
>> key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>>
>> certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>>
>> CA: dogtag-ipa-ca-renew-agent
>>
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>
>> subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>>
>> expires: 2020-02-25 04:28:38 UTC
>>
>> eku: id-kp-OCSPSigning
>>
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>> "ocspSigningCert cert-pki-ca"
>>
>> track: yes
>>
>> auto-renew: yes
>>
>> Request ID '20180315021501':
>>
>> status: MONITORING
>>
>> stuck: no
>>
>> key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>> cert-pki-ca',token='NSS
>> Certificate DB',pin set
>>
>> certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>> cert-pki-ca',token='NSS
>> Certificate DB'
>>
>> CA: dogtag-ipa-ca-renew-agent
>>
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>
>> subject: CN=CA Subsystem,O=EXAMPLE.COM
>>
>> expires: 2020-02-25 04:31:47 UTC
>>
>> key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>
>> eku: id-kp-serverAuth,id-kp-clientAuth
>>
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>> "subsystemCert cert-pki-ca"
>>
>> track: yes
>>
>> auto-renew: yes
>>
>> Request ID '20180315021502':
>>
>> status: MONITORING
>>
>> stuck: no
>>
>> key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
>> cert-pki-ca',token='NSS
>> Certificate DB',pin set
>>
>> certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
>> cert-pki-ca',token='NSS
>> Certificate DB'
>>
>> CA: dogtag-ipa-ca-renew-agent
>>
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>
>> subject: CN=Certificate Authority,O=EXAMPLE.COM
>>
>> expires: 2038-03-07 03:47:46 UTC
>>
>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>> "caSigningCert cert-pki-ca"
>>
>> track: yes
>>
>> auto-renew: yes
>>
>> Request ID '20180315021503':
>>
>> status: CA_UNREACHABLE
>>
>> ca-error: Error 60 connecting
>> to https://srv01.example.com:8443/ca/agent/ca/profileReview: Peer
>> certificate cannot be authenticated with given CA certificates.
>>
>> stuck: no
>>
>> key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>>
>> certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>>
>> CA: dogtag-ipa-ca-renew-agent
>>
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>
>> subject: CN=IPA RA,O=EXAMPLE.COM
>>
>> expires: 2018-06-15 23:15:23 UTC
>>
>> key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>
>> eku: id-kp-serverAuth,id-kp-clientAuth
>>
>> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>
>> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>
>> track: yes
>>
>> auto-renew: yes
>>
>> Request ID '20180315021505':
>>
>> status: CA_UNREACHABLE
>>
>> ca-error: Server at https://srv01.example.com/ipa/xml failed request,
>> will retry: 4016 (RPC failed at server. Failed to authenticate to CA
>> REST API).
>>
>> stuck: no
>>
>> key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
>>
>> certificate:
>> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
>> Certificate DB'
>>
>> CA: IPA
>>
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>
>> subject: CN=srv01.example.com,O=EXAMPLE.COM
>>
>> expires: 2020-03-07 08:49:36 UTC
>>
>> principal name: ldap/[email protected]
>> <mailto:ldap/[email protected]>
>>
>> key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>
>> eku: id-kp-serverAuth,id-kp-clientAuth
>>
>> pre-save command:
>>
>> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
>>
>> track: yes
>>
>> auto-renew: yes
>>
>> Request ID '20180315021510':
>>
>> status: CA_UNREACHABLE
>>
>> ca-error: Server at https://srv01.example.com/ipa/xml failed request,
>> will retry: 4016 (RPC failed at server. Failed to authenticate to CA
>> REST API).
>>
>> stuck: no
>>
>> key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>
>> certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB'
>>
>> CA: IPA
>>
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>
>> subject: CN=srv01.example.com,O=EXAMPLE.COM
>>
>> expires: 2020-03-07 08:49:51 UTC
>>
>> principal name: HTTP/[email protected]
>> <mailto:HTTP/[email protected]>
>>
>> key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>
>> eku: id-kp-serverAuth,id-kp-clientAuth
>>
>> pre-save command:
>>
>> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>>
>> track: yes
>>
>> auto-renew: yes
>>
>>
>> thank you for your help.
>> Bhavin
>>
>>
>>
>
>
>
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
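Florence's advice in this thread comes down to one calculation: the date the clock is rolled back to must lie after the latest "Not Before" and before the earliest "Not After" of every certificate certmonger has to renew, otherwise at least one of them is either not yet valid or already expired at that instant. The script below is an added example, not code from the thread or from FreeIPA or certmonger. It parses the validity block that `certutil -L -d <nssdb> -n '<nickname>'` prints, computes the intersection of all validity windows, and reports which certificate pins each end of the window. The sample validity blocks are constructed: the Not After dates follow the getcert output quoted above, the Not Before dates are assumptions consistent with Florence's remark that the PKI certs became valid on 2018-03-08, and the RA certificate's Not Before is invented.

```python
"""Compute the window into which a FreeIPA server's clock can be rolled back so
that every tracked certificate is valid at the same instant: already issued
(Not Before in the past) and not yet expired (Not After in the future).

Input is the validity block that `certutil -L -d <nssdb> -n '<nickname>'`
prints.  A constructed sample is embedded so the script runs offline.
"""
import re
from datetime import datetime

# Constructed sample, one certutil-style validity block per certificate.
# Not After values follow the thread (RA 2018-06-15, PKI subsystem certs
# 2020-02-25, HTTP/LDAP 2020-03-07, CA 2038-03-07); the Not Before values are
# assumptions, chosen to agree with the statement that the PKI certs became
# valid on 2018-03-08.  certutil prints local time without a zone, so naive
# datetimes are used throughout.
SAMPLE_CERTUTIL_OUTPUT = {
    "caSigningCert cert-pki-ca": (
        "    Not Before: Thu Mar 08 03:47:46 2018\n"
        "    Not After : Sun Mar 07 03:47:46 2038\n"),
    "auditSigningCert cert-pki-ca": (
        "    Not Before: Thu Mar 08 04:27:49 2018\n"
        "    Not After : Tue Feb 25 04:27:49 2020\n"),
    "ocspSigningCert cert-pki-ca": (
        "    Not Before: Thu Mar 08 04:28:38 2018\n"
        "    Not After : Tue Feb 25 04:28:38 2020\n"),
    "subsystemCert cert-pki-ca": (
        "    Not Before: Thu Mar 08 04:31:47 2018\n"
        "    Not After : Tue Feb 25 04:31:47 2020\n"),
    "IPA RA": (
        "    Not Before: Wed Jun 15 23:15:23 2016\n"
        "    Not After : Fri Jun 15 23:15:23 2018\n"),
    "Server-Cert (httpd)": (
        "    Not Before: Wed Mar 07 08:49:51 2018\n"
        "    Not After : Sat Mar 07 08:49:51 2020\n"),
    "Server-Cert (dirsrv)": (
        "    Not Before: Wed Mar 07 08:49:36 2018\n"
        "    Not After : Sat Mar 07 08:49:36 2020\n"),
}

# "Not Before: Thu Mar 08 03:47:46 2018" -> the weekday is skipped, the rest parsed.
_VALIDITY_RE = re.compile(
    r"Not (Before|After)\s*:\s*[A-Za-z]{3}\s+(\w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})")


def parse_validity(certutil_text):
    """Return (not_before, not_after) from the output of certutil -L -n."""
    found = {}
    for match in _VALIDITY_RE.finditer(certutil_text):
        found[match.group(1)] = datetime.strptime(match.group(2), "%b %d %H:%M:%S %Y")
    if "Before" not in found or "After" not in found:
        raise ValueError("no Not Before / Not After pair found in certutil output")
    return found["Before"], found["After"]


def rollback_window(certs):
    """certs maps nickname -> certutil text.  Returns
    (start, start_nick, end, end_nick): the latest Not Before and the earliest
    Not After, each with the certificate that imposes it, or None when the
    windows do not overlap and no single rollback date can work."""
    start = start_nick = end = end_nick = None
    for nick, text in certs.items():
        not_before, not_after = parse_validity(text)
        if start is None or not_before > start:
            start, start_nick = not_before, nick
        if end is None or not_after < end:
            end, end_nick = not_after, nick
    if start is None or start >= end:
        return None
    return start, start_nick, end, end_nick


def date_is_usable(window, when):
    """True when `when` (datetime or ISO-8601 string) lies strictly inside the window."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    start, _, end, _ = window
    return start < when < end


def suggest_date(window):
    """Middle of the window, keeping clear of both edges (clock drift, the
    local time zone of certutil output versus UTC in getcert output)."""
    start, _, end, _ = window
    return start + (end - start) / 2


if __name__ == "__main__":
    window = rollback_window(SAMPLE_CERTUTIL_OUTPUT)
    if window is None:
        print("No date satisfies every certificate; renew the blocking ones individually.")
    else:
        start, start_nick, end, end_nick = window
        print(f"Earliest usable date : {start}  (set by {start_nick})")
        print(f"Latest usable date   : {end}  (set by {end_nick})")
        print(f"Suggested date       : {suggest_date(window)}")
        for candidate in ("2016-06-11", "2020-02-20", "2018-05-11"):
            print(f"  {candidate}: {'usable' if date_is_usable(window, candidate) else 'outside window'}")
```

Run against the sample, the window is 2018-03-08 04:31:47 (set by subsystemCert cert-pki-ca) to 2018-06-15 23:15:23 (set by the IPA RA certificate), which is the same interval Florence derives by hand: the two dates first tried in this thread, 2016-06-11 and 2020-02-20, fall outside it, and 2018-05-11 falls inside. On a real server, replace the sample dictionary with the output of one `certutil -L -d <db> -n '<nickname>'` call per tracked certificate (the RA certificate in `/var/lib/ipa/ra-agent.pem` is a PEM file, so its dates come from `openssl x509 -noout -dates` instead and need reformatting before parsing).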