Anthony Cheng wrote:
Small update, I found an article on the RH solution library
(https://access.redhat.com/solutions/2020223) that has the same error
code that I am getting and I followed the steps with certutil to update
the cert attributes but it is still not working.  The article is listed
as "Solution in Progress".

[root@test ~]# getcert list | more
Number of certificates and requests being tracked: 7.
Request ID '20111214223243':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).

Not Found means the CA didn't start. You need to examine the debug and selftest logs to determine why.

rob


        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-SAMPLE-NET//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=SAMPLE.NET
        subject: CN=caer.SAMPLE.net,O=SAMPLE.NET
        expires: 2016-01-29 14:09:46 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes



On Mon, May 2, 2016 at 5:35 PM Anthony Cheng <anthony.wan.ch...@gmail.com> wrote:

    On Mon, May 2, 2016 at 9:54 AM Rob Crittenden <rcrit...@redhat.com> wrote:

        Anthony Cheng wrote:
         > On Sat, Apr 30, 2016 at 10:08 AM Rob Crittenden <rcrit...@redhat.com> wrote:
         >
         >     Anthony Cheng wrote:
         >      > OK so I made progress on my cert renew issue; I was able to get kinit
         >      > working so I can follow the rest of the steps here
         >      > (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
         >      >
         >      > However, after using
         >      >
         >      > ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
         >      >
         >      > and restarting apache (/sbin/service httpd restart), resubmitting 3
         >      > certs (ipa-getcert resubmit -i <ID>) and restarting IPA (resubmit -i <ID>)
         >      > (/sbin/service ipa restart), I still see:
         >      >
         >      > [root@test ~]# ipa-getcert list | more
         >      > Number of certificates and requests being tracked: 8.
         >      > Request ID '20111214223243':
         >      >          status: CA_UNREACHABLE
         >      >          ca-error: Server failed request, will retry: 4301 (RPC failed
         >      > at server.  Certificate operation cannot be completed: Unable to
         >      > communicate with CMS (Not Found)).
         >
         >     IPA proxies requests to the CA through Apache. This means that while
         >     tomcat started ok it didn't load the dogtag CA application, hence the
         >     Not Found.
         >
         >     Check the CA debug and selftest logs to see why it failed to start
         >     properly.
         >
         >     [ snip ]
         >
         > Actually after a reboot that error went away and I just get this error
         > instead "ca-error: Server failed request, will retry: -504 (libcurl
         > failed to execute the HTTP POST transaction. Peer certificate cannot be
         > authenticated with known CA certificates)." from "getcert list"
         >
         > Result of service ipa restart is interesting since it shows today's time
         > when I already changed date/time/disabled NTP, so somehow the system still
         > knows today's time.
         >
         > PKI-IPA...[02/May/2016:13:26:10 +0000] - SSL alert:
         > CERT_VerifyCertificateNow: verify certificate failed for cert
         > Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
         > Runtime error -8181 - Peer's Certificate has expired.)

        Hard to say. I'd confirm that there is no time syncing service running,
        ntp or otherwise.


    I found out why the time kept changing; it was due to the fact that
    it has VM tools installed (I didn't configure this box), so it
    automatically syncs time during bootup.

    I did still see this error message:

    ca-error: Server failed request, will retry: 4301 (RPC failed at
    server. Certificate operation cannot be completed: Unable to
    communicate with CMS (Not Found))

    I tried the step http://www.freeipa.org/page/Troubleshooting with

    certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt
    openssl x509 -text -in /tmp/ra.crt
    certutil -A -n ipaCert -d /etc/httpd/alias -t u,u,u -a -i /tmp/ra.crt
    service httpd restart

    so that I can get rid of one of the CA certs that is expired (kept
    the 1st one), but I am still getting the same error.

    What exactly is CMS and why is it not found?


    I did notice that the selftest log is empty with a different time:

    -rw-r-----. 1 pkiuser pkiuser 0 Nov 23 14:11
    /var/log/pki-ca/selftests.log

    [root@test ~]# clock
    Wed 27 Jan 2016 03:33:00 PM UTC  -0.046800 seconds


    Here are some debug log after reboot:

    [root@test pki-ca]# tail -n 100 catalina.out
    INFO: JK: ajp13 listening on /0.0.0.0:9447
    Jan 27, 2016 2:45:31 PM org.apache.jk.server.JkMain start
    INFO: Jk running ID=0 time=1/23config=null
    Jan 27, 2016 2:45:31 PM org.apache.catalina.startup.Catalina start
    INFO: Server startup in 1722 ms
    Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
    INFO: Pausing Coyote HTTP/1.1 on http-9180
    Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
    INFO: Pausing Coyote HTTP/1.1 on http-9443
    Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
    INFO: Pausing Coyote HTTP/1.1 on http-9445
    Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
    INFO: Pausing Coyote HTTP/1.1 on http-9444
    Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
    INFO: Pausing Coyote HTTP/1.1 on http-9446
    Jan 27, 2016 2:56:22 PM org.apache.catalina.core.StandardService stop
    INFO: Stopping service Catalina
    Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
    SEVERE: A web application appears to have started a thread named [Timer-0] but has failed to stop it. This is very likely to create a memory leak.
    Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
    SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.flush-4] but has failed to stop it. This is very likely to create a memory leak.
    Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
    SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.rollover-6] but has failed to stop it. This is very likely to create a memory leak.
    Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
    SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.flush-6] but has failed to stop it. This is very likely to create a memory leak.
    Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
    SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.rollover-8] but has failed to stop it. This is very likely to create a memory leak.
    Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
    SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.flush-9] but has failed to stop it. This is very likely to create a memory leak.
    Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
    SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.rollover-10] but has failed to stop it. This is very likely to create a memory leak.
    Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
    SEVERE: A web application appears to have started a thread named [LDAPConnThread-2 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
    Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
    SEVERE: A web application appears to have started a thread named [LDAPConnThread-3 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
    Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
    SEVERE: A web application appears to have started a thread named [LDAPConnThread-4 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
    Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
    SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1@228b677f]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
    Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
    SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1@228b677f]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
    Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
    INFO: Stopping Coyote HTTP/1.1 on http-9180
    Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
    INFO: Stopping Coyote HTTP/1.1 on http-9443
    Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
    INFO: Stopping Coyote HTTP/1.1 on http-9445
    Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
    INFO: Stopping Coyote HTTP/1.1 on http-9444
    Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
    INFO: Stopping Coyote HTTP/1.1 on http-9446
    Jan 27, 2016 2:57:36 PM org.apache.catalina.core.AprLifecycleListener init
    INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
    Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
    INFO: Initializing Coyote HTTP/1.1 on http-9180
    Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
    Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
    Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
    INFO: Initializing Coyote HTTP/1.1 on http-9443
    Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
    Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
    Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
    INFO: Initializing Coyote HTTP/1.1 on http-9445
    Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
    Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
    Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
    INFO: Initializing Coyote HTTP/1.1 on http-9444
    Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
    Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
    Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
    INFO: Initializing Coyote HTTP/1.1 on http-9446
    Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.Catalina load
    INFO: Initialization processed in 2198 ms
    Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardService start
    INFO: Starting service Catalina
    Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardEngine start
    INFO: Starting Servlet Engine: Apache Tomcat/6.0.24
    Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.HostConfig deployDirectory
    INFO: Deploying web application directory ROOT
    Jan 27, 2016 2:57:38 PM org.apache.catalina.startup.HostConfig deployDirectory
    INFO: Deploying web application directory ca
    64-bit osutil library loaded
    64-bit osutil library loaded
    Certificate object not found
    Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
    INFO: Starting Coyote HTTP/1.1 on http-9180
    Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
    INFO: Starting Coyote HTTP/1.1 on http-9443
    Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
    INFO: Starting Coyote HTTP/1.1 on http-9445
    Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
    INFO: Starting Coyote HTTP/1.1 on http-9444
    Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
    INFO: Starting Coyote HTTP/1.1 on http-9446
    Jan 27, 2016 2:57:40 PM org.apache.jk.common.ChannelSocket init
    INFO: JK: ajp13 listening on /0.0.0.0:9447
    Jan 27, 2016 2:57:40 PM org.apache.jk.server.JkMain start
    INFO: Jk running ID=0 time=0/40config=null
    Jan 27, 2016 2:57:40 PM org.apache.catalina.startup.Catalina start
    INFO: Server startup in 2592 ms

    [root@test pki-ca]# tail -n 100 debug
    [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectAltNameExtDefaultImpl Subject Alternative Name Extension Default Subject Alternative Name Extension Default com.netscape.cms.profile.def.SubjectAltNameExtDefault
    [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userValidityDefaultImpl User Supplied Validity Default User Supplied Validity Default com.netscape.cms.profile.def.UserValidityDefault
    [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userSubjectNameDefaultImpl User Supplied Subject Name Default User Supplied Subject Name Default com.netscape.cms.profile.def.UserSubjectNameDefault
    [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectDirAttributesExtDefaultImpl Subject Directory Attributes Extension Default Subject Directory Attributes Extension Default com.netscape.cms.profile.def.SubjectDirAttributesExtDefault
    [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy certificateVersionDefaultImpl Certificate Version Default Certificate Version Default com.netscape.cms.profile.def.CertificateVersionDefault
    [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy extendedKeyUsageExtDefaultImpl Extended Key Usage Extension Default Extended Key Usage Extension Default com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
    [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy policyConstraintsExtDefaultImpl Policy Constraints Extension Default Policy Constraints Extension Default com.netscape.cms.profile.def.PolicyConstraintsExtDefault
    [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy crlDistributionPointsExtDefaultImpl CRL Distribution Points Extension Default CRL Distribution Points Extension Default com.netscape.cms.profile.def.CRLDistributionPointsExtDefault
    [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy certificatePoliciesExtDefaultImpl Certificate Policies Extension Default Certificate Policies Extension Default com.netscape.cms.profile.def.CertificatePoliciesExtDefault
    [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy validityDefaultImpl Validity Default Validty Default com.netscape.cms.profile.def.ValidityDefault
    [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy privateKeyPeriodExtDefaultImpl Private Key Period Ext Default Private Key Period Ext Default com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault
    [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy noDefaultImpl No Default No Default com.netscape.cms.profile.def.NoDefault
    [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy imageDefaultImpl Image Default Image Default com.netscape.cms.profile.def.ImageDefault
    [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectInfoAccessExtDefaultImpl Subject Info Access Extension Default Subject Info Access Extension Default com.netscape.cms.profile.def.SubjectInfoAccessExtDefault
    [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy autoAssignDefaultImpl Auto Request Assignment Default Auto Request Assignment Default com.netscape.cms.profile.def.AutoAssignDefault
    [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy policyMappingsExtDefaultImpl Policy Mappings Extension Default Policy Mappings Extension Default com.netscape.cms.profile.def.PolicyMappingsExtDefault
    [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy caValidityDefaultImpl CA Certificate Validity Default CA Certificate Validty Default com.netscape.cms.profile.def.CAValidityDefault
    [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userExtensionDefaultImpl User Supplied Extension Default User Supplied Extension Default com.netscape.cms.profile.def.UserExtensionDefault
    [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nsCertTypeExtDefaultImpl Netscape Certificate Type Extension Default Netscape Certificate Type Extension Default com.netscape.cms.profile.def.NSCertTypeExtDefault
    [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy authTokenSubjectNameDefaultImpl Token Supplied Subject Name Default Token Supplied Subject Name Default com.netscape.cms.profile.def.AuthTokenSubjectNameDefault
    [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectNameDefaultImpl Subject Name Default Subject Name Default com.netscape.cms.profile.def.SubjectNameDefault
    [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userSigningAlgDefaultImpl User Supplied Signing Alg Default User Supplied Signing Alg Default com.netscape.cms.profile.def.UserSigningAlgDefault
    [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectKeyIdentifierExtDefaultImpl Subject Key Identifier Default Subject Key Identifier Default com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
    [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy Extension Default Inhibit Any-Policy Extension Default com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault
    [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nsTokenDeviceKeySubjectNameDefaultImpl nsTokenDeviceKeySubjectNameDefault nsTokenDeviceKeySubjectNameDefaultImpl com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault
    [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nscCommentExtDefaultImpl Netscape Comment Extension Default Netscape Comment Extension Default com.netscape.cms.profile.def.NSCCommentExtDefault
    [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy signingAlgDefaultImpl Signing Algorithm Default Signing Algorithm Default com.netscape.cms.profile.def.SigningAlgDefault
    [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nameConstraintsExtDefaultImpl Name Constraints Extension Default Name Constraints Extension Default com.netscape.cms.profile.def.NameConstraintsExtDefault
    [27/Jan/2016:15:30:43][main]: added plugin profileUpdater subsystemGroupUpdaterImpl Updater for Subsystem Group Updater for Subsystem Group com.netscape.cms.profile.updater.SubsystemGroupUpdater
    [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=registry
    [27/Jan/2016:15:30:43][main]: CMSEngine: initialized registry
    [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=oidmap
    [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=oidmap
    [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=oidmap
    [27/Jan/2016:15:30:43][main]: CMSEngine: initialized oidmap
    [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=X500Name
    [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=X500Name
    [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=X500Name
    [27/Jan/2016:15:30:43][main]: CMSEngine: initialized X500Name
    [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=request
    [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=request
    [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=request
    [27/Jan/2016:15:30:43][main]: CMSEngine: initialized request
    [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=ca
    [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=ca
    [27/Jan/2016:15:30:43][main]: CertificateAuthority init
    [27/Jan/2016:15:30:43][main]: Cert Repot inited
    [27/Jan/2016:15:30:43][main]: CRL Repot inited
    [27/Jan/2016:15:30:43][main]: Replica Repot inited
    [27/Jan/2016:15:30:43][main]: ca.signing Signing Unit nickname caSigningCert cert-pki-ca
    [27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name
    [27/Jan/2016:15:30:43][main]: Found cert by nickname: 'caSigningCert cert-pki-ca' with serial number: 1
    [27/Jan/2016:15:30:43][main]: converted to x509CertImpl
    [27/Jan/2016:15:30:43][main]: Got private key from cert
    [27/Jan/2016:15:30:43][main]: Got public key from cert
    [27/Jan/2016:15:30:43][main]: got signing algorithm RSASignatureWithSHA256Digest
    [27/Jan/2016:15:30:43][main]: CA signing unit inited
    [27/Jan/2016:15:30:43][main]: cachainNum= 0
    [27/Jan/2016:15:30:43][main]: in init - got CA chain from JSS.
    [27/Jan/2016:15:30:43][main]: ca.ocsp_signing Signing Unit nickname ca.ocsp_signing.cert
    [27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name
    [27/Jan/2016:15:30:43][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
    [27/Jan/2016:15:30:43][main]: CMS:Caught EBaseException
    Certificate object not found
        at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
        at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1204)
        at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
        at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
        at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
        at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
        at org.apache.catalina.core.StandardService.start(StandardService.java:516)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
    [27/Jan/2016:15:30:43][main]: CMSEngine.shutdown()




         >
         >      > Would really greatly appreciate any help on this.
         >      >
         >      > Also I noticed after I do ldapmodify of usercertificate binary data with
         >      >
         >      > add: usercertificate;binary
         >      > usercertificate;binary: !@#$@!#$#@$
         >
         >     You really pasted in binary? Or was this base64-encoded data?
         >
         >     I wonder if there is a problem in the wiki. If this is really a binary
         >     value you should start with a DER-encoded cert and load it using
         >     something like:
         >
         >     dn: uid=ipara,ou=people,o=ipaca
         >     changetype: modify
         >     add: usercertificate;binary
         >     usercertificate;binary:< file:///path/to/cert.der
         >
         >     You can use something like openssl x509 to switch between PEM and DER
         >     formats.
         >
         >     I have a vague memory that dogtag can deal with a multi-valued
         >     usercertificate attribute.
         >
         >     rob
         >
         >
         > Yes the wiki stated binary, the result of:
         > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b
         > uid=ipara,ou=People,o=ipaca -W
         >
         > shows userCertificate;binary:: GJ6Q0NBbGVnQXd ...
         >
         > But the actual data is from a PEM though.

        Ok. So I looked at my CA data and it doesn't use the binary subtype, so
        my entries look like:

        userCertificate:: MIID....

        It might make a difference if dogtag is looking for the subtype or not.

        rob

         >
         >      >
         >      > Then I re-run
         >      >
         >      > ldapsearch -x -h localhost -p 7389 -D 'cn=directory
        manager' -W
         >     -b uid=ipara,ou=People,o=ipaca
         >      >
         >      > I see 2 entries for usercertificate;binary (before
        modify there
         >     was only
         >      > 1) but they are duplicate and NOT from data that I
        added.  That seems
         >      > incorrect to me.
         >      >
         >      >
         >      > On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng
         >      > <anthony.wan.ch...@gmail.com
        <mailto:anthony.wan.ch...@gmail.com>
        <mailto:anthony.wan.ch...@gmail.com
        <mailto:anthony.wan.ch...@gmail.com>>
         >     <mailto:anthony.wan.ch...@gmail.com
        <mailto:anthony.wan.ch...@gmail.com>
         >     <mailto:anthony.wan.ch...@gmail.com
        <mailto:anthony.wan.ch...@gmail.com>>>> wrote:
         >      >
         >      >     klist is actually empty; kinit admin fails.
        Sounds like then
         >      >     getcert resubmit has a dependency on kerberoes.  I
        can get a
         >     backup
         >      >     image that has a valid ticket, but it is only good for 1 day (and dated past the cert expiry).
         >      >
         >      >     Also, I had asked a while back about whether there is a dependency on DIRSRV to renew the cert; I didn't get any response, but I suspect there is a dependency.
         >      >
         >      >     Regarding the clock skew, I found that /var/log/message shows me this, so it may be from named:
         >      >
         >      >     Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great)
         >      >     Jan 28 14:10:42 test named[2911]: loading configuration: failure
         >      >     Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
         >      >     Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)
         >      >
         >      >     I don't have a krb5cc_496 file (since klist is empty), so it sounds to me like I need to get a Kerberos ticket before going any further.  Also, is the access/modification time of the file /etc/krb5.keytab important?  I had changed the time back to before the cert expiration date, rebooted and tried to renew, but the error message about clock skew is still there.  That seems strange.
         >      >
         >      >     Lastly, as an absolute last resort, can I regenerate a new cert myself?
         >      >     https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
         >      >
         >      >     [root@test /]# klist
         >      >     klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
         >      >     [root@test /]# service ipa start
         >      >     Starting Directory Service
         >      >     Starting dirsrv:
         >      >         PKI-IPA...                                              [  OK  ]
         >      >         sample-NET...                                           [  OK  ]
         >      >     Starting KDC Service
         >      >     Starting Kerberos 5 KDC:                                    [  OK  ]
         >      >     Starting KPASSWD Service
         >      >     Starting Kerberos 5 Admin Server:                           [  OK  ]
         >      >     Starting DNS Service
         >      >     Starting named:                                             [FAILED]
         >      >     Failed to start DNS Service
         >      >     Shutting down
         >      >     Stopping Kerberos 5 KDC:                                    [  OK  ]
         >      >     Stopping Kerberos 5 Admin Server:                           [  OK  ]
         >      >     Stopping named:                                             [  OK  ]
         >      >     Stopping httpd:                                             [  OK  ]
         >      >     Stopping pki-ca:                                            [  OK  ]
         >      >     Shutting down dirsrv:
         >      >         PKI-IPA...                                              [  OK  ]
         >      >         sample-NET...                                           [  OK  ]
         >      >     Aborting ipactl
         >      >     [root@test /]# klist
         >      >     klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
         >      >     [root@test /]# service ipa status
         >      >     Directory Service: STOPPED
         >      >     Failed to get list of services to probe status:
         >      >     Directory Server is stopped
         >      >
         >      >     On Thu, Apr 28, 2016 at 3:21 AM David Kupka <dku...@redhat.com> wrote:
         >      >
         >      >         On 27/04/16 21:54, Anthony Cheng wrote:
         >      >          > Hi list,
         >      >          >
         >      >          > I am trying to renew expired certificates following the manual renewal procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal), but even with resetting the system/hardware clock to a time before the expiry, I am getting the error "ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great."
         >      >          >
         >      >          > With NTP disabled and the clock reset, why would it complain about clock skew, and how does it even know about the current time?
         >      >          >
         >      >          > [root@test certs]# getcert list
         >      >          > Number of certificates and requests being tracked: 8.
         >      >          > Request ID '20111214223243':
         >      >          >          status: MONITORING
         >      >          >          ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
         >      >          >          stuck: no
         >      >          >          key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
         >      >          >          certificate: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
         >      >          >          CA: IPA
         >      >          >          issuer: CN=Certificate Authority,O=sample.NET
         >      >          >          subject: CN=test.sample.net,O=sample.NET
         >      >          >          expires: 2016-01-29 14:09:46 UTC
         >      >          >          eku: id-kp-serverAuth
         >      >          >          pre-save command:
         >      >          >          post-save command:
         >      >          >          track: yes
         >      >          >          auto-renew: yes
         >      >          > Request ID '20111214223300':
         >      >          >          status: MONITORING
         >      >          >          ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
         >      >          >          stuck: no
         >      >          >          key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
         >      >          >          certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
         >      >          >          CA: IPA
         >      >          >          issuer: CN=Certificate Authority,O=sample.NET
         >      >          >          subject: CN=test.sample.net,O=sample.NET
         >      >          >          expires: 2016-01-29 14:09:45 UTC
         >      >          >          eku: id-kp-serverAuth
         >      >          >          pre-save command:
         >      >          >          post-save command:
         >      >          >          track: yes
         >      >          >          auto-renew: yes
         >      >          > Request ID '20111214223316':
         >      >          >          status: MONITORING
         >      >          >          ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
         >      >          >          stuck: no
         >      >          >          key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
         >      >          >          certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
         >      >          >          CA: IPA
         >      >          >          issuer: CN=Certificate Authority,O=sample.NET
         >      >          >          subject: CN=test.sample.net,O=sample.NET
         >      >          >          expires: 2016-01-29 14:09:45 UTC
         >      >          >          eku: id-kp-serverAuth
         >      >          >          pre-save command:
         >      >          >          post-save command:
         >      >          >          track: yes
         >      >          >          auto-renew: yes
         >      >          > Request ID '20130519130741':
         >      >          >          status: NEED_CSR_GEN_PIN
         >      >          >          ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
         >      >          >          stuck: yes
         >      >          >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
         >      >          > '
         >      >          >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
         >      >          >          CA: dogtag-ipa-renew-agent
         >      >          >          issuer: CN=Certificate Authority,O=sample.NET
         >      >          >          subject: CN=CA Audit,O=sample.NET
         >      >          >          expires: 2017-10-13 14:10:49 UTC
         >      >          >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
         >      >          >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
         >      >          >          track: yes
         >      >          >          auto-renew: yes
         >      >          > Request ID '20130519130742':
         >      >          >          status: NEED_CSR_GEN_PIN
         >      >          >          ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
         >      >          >          stuck: yes
         >      >          >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
         >      >          > '
         >      >          >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
         >      >          >          CA: dogtag-ipa-renew-agent
         >      >          >          issuer: CN=Certificate Authority,O=sample.NET
         >      >          >          subject: CN=OCSP Subsystem,O=sample.NET
         >      >          >          expires: 2017-10-13 14:09:49 UTC
         >      >          >          eku: id-kp-OCSPSigning
         >      >          >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
         >      >          >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
         >      >          >          track: yes
         >      >          >          auto-renew: yes
         >      >          > Request ID '20130519130743':
         >      >          >          status: NEED_CSR_GEN_PIN
         >      >          >          ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
         >      >          >          stuck: yes
         >      >          >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
         >      >          > '
         >      >          >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
         >      >          >          CA: dogtag-ipa-renew-agent
         >      >          >          issuer: CN=Certificate Authority,O=sample.NET
         >      >          >          subject: CN=CA Subsystem,O=sample.NET
         >      >          >          expires: 2017-10-13 14:09:49 UTC
         >      >          >          eku: id-kp-serverAuth,id-kp-clientAuth
         >      >          >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
         >      >          >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
         >      >          >          track: yes
         >      >          >          auto-renew: yes
         >      >          > Request ID '20130519130744':
         >      >          >          status: MONITORING
         >      >          >          ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
         >      >          >          stuck: no
         >      >          >          key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
         >      >          >          certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
         >      >          >          CA: dogtag-ipa-renew-agent
         >      >          >          issuer: CN=Certificate Authority,O=sample.NET
         >      >          >          subject: CN=RA Subsystem,O=sample.NET
         >      >          >          expires: 2017-10-13 14:09:49 UTC
         >      >          >          eku: id-kp-serverAuth,id-kp-clientAuth
         >      >          >          pre-save command:
         >      >          >          post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
         >      >          >          track: yes
         >      >          >          auto-renew: yes
         >      >          > Request ID '20130519130745':
         >      >          >          status: NEED_CSR_GEN_PIN
         >      >          >          ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
         >      >          >          stuck: yes
         >      >          >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
         >      >          > '
         >      >          >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
         >      >          >          CA: dogtag-ipa-renew-agent
         >      >          >          issuer: CN=Certificate Authority,O=sample.NET
         >      >          >          subject: CN=test.sample.net,O=sample.NET
         >      >          >          expires: 2017-10-13 14:09:49 UTC
         >      >          >          eku: id-kp-serverAuth,id-kp-clientAuth
         >      >          >          pre-save command:
         >      >          >          post-save command:
         >      >          >          track: yes
         >      >          >          auto-renew: yes
         >      >          > --
         >      >          >
         >      >          > Thanks, Anthony
         >      >          >
         >      >          >
         >      >          >
         >      >
         >      >         Hello Anthony!
         >      >
         >      >         After stopping NTP (or another time-synchronizing service) and setting the time manually, the server really doesn't have a way to determine that its time differs from the real one.
         >      >
         >      >         I think this might be an issue with the Kerberos ticket. You can show the content of root's ticket cache using klist. If there is anything, clean it with kdestroy and try to resubmit the request again.
         >      >
         >      >         --
         >      >         David Kupka
         >      >
--

Thanks, Anthony
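The getcert listings quoted in this thread have to be read through by hand to see which requests are blocked on Kerberos, which cannot reach the CA, and which certificates are already past their expiry. As an added example (not code from the thread, from certmonger or from FreeIPA), here is a small Python parser for `getcert list` output that flags each tracked request along the lines the replies diagnose; the sample listing is constructed from the quoted output (same request IDs, paths, error strings and dates, trimmed to three requests, with the PIN value left out), and the thread date stands in for "now".

```python
"""Parse `getcert list` output and flag tracked requests that need attention.
Added example; SAMPLE_OUTPUT is constructed from the thread's quoted listing."""
import re
from datetime import datetime, timezone

SAMPLE_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20111214223243':
        status: MONITORING
        ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
        CA: IPA
        subject: CN=test.sample.net,O=sample.NET
        expires: 2016-01-29 14:09:46 UTC
        pre-save command:
        post-save command:
        auto-renew: yes
Request ID '20130519130741':
        status: NEED_CSR_GEN_PIN
        ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        subject: CN=CA Audit,O=sample.NET
        expires: 2017-10-13 14:10:49 UTC
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        auto-renew: yes
Request ID '20130519130744':
        status: MONITORING
        ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        CA: dogtag-ipa-renew-agent
        subject: CN=RA Subsystem,O=sample.NET
        expires: 2017-10-13 14:09:49 UTC
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        auto-renew: yes
"""

# Date of the last message in the thread, used as "now" for the expiry check.
THREAD_DATE = datetime(2016, 5, 2, tzinfo=timezone.utc)
REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")


def parse_getcert_list(text):
    """Return {request_id: {field: value}} from `getcert list` output.
    Values are split off at the first colon, so a ca-error that itself
    contains colons (as the clock-skew message does) stays intact."""
    requests = {}
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m:
            fields = requests.setdefault(m.group(1), {})
            continue
        if fields is None or ":" not in line:
            continue  # header line before the first request, or noise
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return requests


def triage(requests, now):
    """Map each request ID to the problems the thread's replies point at:
    kerberos        helper could not set up a ccache from the host keytab
                    (clock skew / missing ticket: fix Kerberos first)
    ca-unreachable  no answer from the CA endpoint (check CA debug/selftest logs)
    stuck           certmonger stopped retrying; needs a manual resubmit
    expired         the certificate's expiry is already in the past"""
    findings = {}
    for request_id, f in requests.items():
        problems = []
        err = f.get("ca-error", "")
        if "ccache" in err or "Clock skew" in err:
            problems.append("kerberos")
        if "no response to" in err or "Unable to communicate with CMS" in err:
            problems.append("ca-unreachable")
        if f.get("stuck") == "yes":
            problems.append("stuck")
        expires = f.get("expires")
        if expires:
            exp = datetime.strptime(expires, "%Y-%m-%d %H:%M:%S UTC")
            if exp.replace(tzinfo=timezone.utc) <= now:
                problems.append("expired")
        findings[request_id] = problems
    return findings


def triage_sample():
    """Run the parser and triage over the constructed sample at THREAD_DATE."""
    return triage(parse_getcert_list(SAMPLE_OUTPUT), THREAD_DATE)
```

On a live host, feed the real output in with `parse_getcert_list(subprocess.check_output(["getcert", "list"], text=True))` and `datetime.now(timezone.utc)`; a request flagged only as `kerberos` is the case the thread ends up in, where the clock and the host ticket have to be right before any resubmit can succeed.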


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
