Mm. Actually, I'm not so sure. Am I not interpreting the "getcert list"
results correctly? When it says CA_UNREACHABLE because the cert expired, isn't
that the CA Cert?
Number of certificates and requests being tracked: 9.
Request ID '20201114211025':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=IPA RA,O=[domain.com]
expires: 2022-11-04 14:10:27 MDT
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20201114211106':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=localhost
expires: 2022-11-11 14:11:49 MST
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20201114211107':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=localhost
expires: 2022-11-11 14:11:53 MST
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20201114211108':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=localhost
expires: 2022-11-04 14:11:32 MDT
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "subsystemCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20201114211109':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=localhost
expires: 2022-11-11 14:11:50 MST
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "caSigningCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20201114211110':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=localhost
expires: 2022-11-04 14:11:40 MDT
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "Server-Cert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20201114211316':
status: CA_UNREACHABLE
ca-error: Server at https://ipa01.[domain.com]/ipa/xml failed request,
will retry: -504 (libcurl failed to execute the HTTP POST transaction,
explaining: SSL certificate problem: certificate has expired).
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-SIMPLYWS-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-SIMPLYWS-COM/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-SIMPLYWS-COM',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=ipa01.[domain.com],O=[domain.com]
expires: 2022-11-15 14:13:16 MST
dns: ipa01.[domain.com]
principal name: ldap/ipa01.[domain.com]@[domain.com]
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib/ipa/certmonger/restart_dirsrv SIMPLYWS-COM
track: yes
auto-renew: yes
Request ID '20201114211418':
status: CA_UNREACHABLE
ca-error: Server at https://ipa01.[domain.com]/ipa/xml failed request,
will retry: -504 (libcurl failed to execute the HTTP POST transaction,
explaining: SSL certificate problem: certificate has expired).
stuck: no
key pair storage:
type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/ipa01.[domain.com]-443-RSA'
certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
CA: IPA
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=ipa01.[domain.com],O=[domain.com]
expires: 2022-11-15 14:14:22 MST
dns: ipa01.[domain.com]
principal name: HTTP/ipa01.[domain.com]@[domain.com]
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Request ID '20201114211427':
status: CA_UNREACHABLE
ca-error: Server at https://ipa01.[domain.com]/ipa/xml failed request,
will retry: -504 (libcurl failed to execute the HTTP POST transaction,
explaining: SSL certificate problem: certificate has expired).
stuck: no
key pair storage: type=FILE,location='/var/lib/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/lib/krb5kdc/kdc.crt'
CA: IPA
issuer: CN=Certificate Authority,O=[domain.com]
subject: CN=ipa01.[domain.com],O=[domain.com]
expires: 2022-11-15 14:14:27 MST
principal name: krbtgt/[domain.com]@[domain.com]
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
pre-save command:
post-save command: /usr/lib/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
