On Wed, May 4, 2016 at 9:07 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Anthony Cheng wrote:
>>
>> Small update, I found an article on the RH solution library
>> (https://access.redhat.com/solutions/2020223) that has the same error
>> code that I am getting and I followed the steps with certutil to update
>> the cert attributes but it is still not working.  The article is listed
>> as "Solution in Progress".
>>
>> [root@test ~]# getcert list | more
>>
>> Number of certificates and requests being tracked: 7.
>>
>> Request ID '20111214223243':
>>
>> status: CA_UNREACHABLE
>>
>> ca-error: Server failed request, will retry: 4301 (RPC failed at
>> server.Certificate operation cannot be comp
>>
>> leted: Unable to communicate with CMS (Not Found)).
>
>
> Not Found means the CA didn't start. You need to examine the debug and
> selftest logs to determine why.
>
> rob

selftests.log is empty; there are entries for other time but not for
the test to when I set the clock to renew certs.

[root@test pki-ca]# clock
Fri 29 Jan 2016 08:19:54 AM UTC  -0.960583 seconds
[root@test pki-ca]#
[root@test pki-ca]#

[root@test pki-ca]# ll * | grep self
-rw-r-----. 1 pkiuser pkiuser         0 Nov 23 14:11 selftests.log
-rw-r-----. 1 pkiuser pkiuser      1206 Apr  7  2015
selftests.log.20150407143526
-rw-r-----. 1 pkiuser pkiuser      3673 Jun 30  2015
selftests.log.20150630163924
-rw-r-----. 1 pkiuser pkiuser      1217 Aug 31 20:07
selftests.log.20150831160735
-rw-r-----. 1 pkiuser pkiuser      3798 Oct 24 14:12
selftests.log.20151024101159

>From debug log I see some error messages:

[28/Jan/2016:21:09:03][main]: SigningUnit init: debug
org.mozilla.jss.crypto.ObjectNotFoundException
[28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException
Certificate object not found
        at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)

Full log:

[28/Jan/2016:21:07:30][main]: CMSEngine.shutdown()
[28/Jan/2016:21:09:02][main]: ============================================
[28/Jan/2016:21:09:02][main]: =====  DEBUG SUBSYSTEM INITIALIZED   =======
[28/Jan/2016:21:09:02][main]: ============================================
[28/Jan/2016:21:09:02][main]: CMSEngine: done init id=debug
[28/Jan/2016:21:09:02][main]: CMSEngine: initialized debug
[28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=log
[28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=log
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
AUDIT_LOG_STARTUP
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
AUDIT_LOG_SHUTDOWN
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: ROLE_ASSUME
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
CONFIG_CERT_POLICY
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
CONFIG_CERT_PROFILE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
CONFIG_CRL_PROFILE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
CONFIG_OCSP_PROFILE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_AUTH
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_ROLE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_ACL
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
CONFIG_SIGNED_AUDIT
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
CONFIG_ENCRYPTION
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
CONFIG_TRUSTED_PUBLIC_KEY
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_DRM
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
SELFTESTS_EXECUTION
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_DELETE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: LOG_PATH_CHANGE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
PRIVATE_KEY_ARCHIVE_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
KEY_RECOVERY_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
KEY_RECOVERY_REQUEST_ASYNC
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
KEY_RECOVERY_AGENT_LOGIN
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
KEY_RECOVERY_REQUEST_PROCESSED
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
KEY_RECOVERY_REQUEST_PROCESSED_ASYNC
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
KEY_GEN_ASYMMETRIC
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
NON_PROFILE_CERT_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
PROFILE_CERT_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
CERT_REQUEST_PROCESSED
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
CERT_STATUS_CHANGE_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
CERT_STATUS_CHANGE_REQUEST_PROCESSED
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUTHZ_SUCCESS
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUTHZ_FAIL
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: INTER_BOUNDARY
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUTH_FAIL
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUTH_SUCCESS
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
CERT_PROFILE_APPROVAL
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
PROOF_OF_POSSESSION
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CRL_RETRIEVAL
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CRL_VALIDATION
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
CMC_SIGNED_REQUEST_SIG_VERIFY
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
SERVER_SIDE_KEYGEN_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
COMPUTE_SESSION_KEY_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
DIVERSIFY_KEY_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
ENCRYPT_DATA_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
OCSP_ADD_CA_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
OCSP_ADD_CA_REQUEST_PROCESSED
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
OCSP_REMOVE_CA_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
COMPUTE_RANDOM_DATA_REQUEST
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
CIMC_CERT_VERIFICATION
[28/Jan/2016:21:09:02][main]: CMSEngine: done init id=log
[28/Jan/2016:21:09:02][main]: CMSEngine: initialized log
[28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=os
[28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=os
[28/Jan/2016:21:09:02][main]: CMSEngine: done init id=os
[28/Jan/2016:21:09:02][main]: CMSEngine: initialized os
[28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=jss
[28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=jss
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl
cipher rsa_rc4_40_md5
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl
cipher rsa_rc2_40_md5
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl
cipher rsa_des_sha
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl
cipher rsa_rc4_128_md5
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl
cipher rsa_3des_sha
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl
cipher rsa_fips_des_sha
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl
cipher rsa_fips_3des_sha
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl
cipher fortezza
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl
cipher fortezza_rc4_128_sha
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl
cipher rsa_null_md5
[28/Jan/2016:21:09:02][main]: CMSEngine: done init id=jss
[28/Jan/2016:21:09:02][main]: CMSEngine: initialized jss
[28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=dbs
[28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=dbs
[28/Jan/2016:21:09:02][main]: LdapBoundConnFactory: init
[28/Jan/2016:21:09:02][main]: LdapBoundConnFactory:doCloning true
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init()
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init begins
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: prompt is Internal
LDAP Database
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: try getting from memory cache
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: password not in memory
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: getPasswordFromStore: try
to get it from password store
[28/Jan/2016:21:09:02][main]: CMSEngine: getPasswordStore(): password
store initialized before.
[28/Jan/2016:21:09:02][main]: CMSEngine: getPasswordStore(): password
store initialized.
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: getPasswordFromStore:
about to get from passwored store: Internal LDAP Da
tabase
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: getPasswordFromStore:
password store available
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: getPasswordFromStore:
password for Internal LDAP Database not found, tryi
ng internaldb
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: password ok: store in memory cache
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init ends
[28/Jan/2016:21:09:02][main]: init: before makeConnection errorIfDown is true
[28/Jan/2016:21:09:02][main]: makeConnection: errorIfDown true
[28/Jan/2016:21:09:02][main]: Established LDAP connection using basic
authentication to host test.sample.net port 738
9 as cn=Directory Manager
[28/Jan/2016:21:09:02][main]: initializing with mininum 3 and maximum
15 connections to host test.sample.net port 738
9, secure connection, false, authentication type 1
[28/Jan/2016:21:09:02][main]: increasing minimum connections by 3
[28/Jan/2016:21:09:02][main]: new total available connections 3
[28/Jan/2016:21:09:02][main]: new number of connections 3
[28/Jan/2016:21:09:02][main]: CMSEngine: done init id=dbs
[28/Jan/2016:21:09:02][main]: CMSEngine: initialized dbs
[28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=usrgrp
[28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=usrgrp
[28/Jan/2016:21:09:02][main]: LdapBoundConnFactory: init
[28/Jan/2016:21:09:02][main]: LdapBoundConnFactory:doCloning true
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init()
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init begins
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: prompt is Internal
LDAP Database
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: try getting from memory cache
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: got password from memory
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: password found for prompt.
[28/Jan/2016:21:09:03][main]: LdapAuthInfo: password ok: store in memory cache
[28/Jan/2016:21:09:03][main]: LdapAuthInfo: init ends
[28/Jan/2016:21:09:03][main]: init: before makeConnection errorIfDown is false
[28/Jan/2016:21:09:03][main]: makeConnection: errorIfDown false
[28/Jan/2016:21:09:03][main]: Established LDAP connection using basic
authentication to host test.sample.net port 738
9 as cn=Directory Manager
[28/Jan/2016:21:09:03][main]: initializing with mininum 3 and maximum
15 connections to host test.sample.net port 738
9, secure connection, false, authentication type 1
[28/Jan/2016:21:09:03][main]: increasing minimum connections by 3
[28/Jan/2016:21:09:03][main]: new total available connections 3
[28/Jan/2016:21:09:03][main]: new number of connections 3
[28/Jan/2016:21:09:03][main]: CMSEngine: done init id=usrgrp
[28/Jan/2016:21:09:03][main]: CMSEngine: initialized usrgrp
[28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=registry
[28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=registry
[28/Jan/2016:21:09:03][main]: RegistrySubsystem: start init
[28/Jan/2016:21:09:03][main]: added plugin profileOutput
pkcs7OutputImpl PKCS7 Output PKCS7 Output com.netscape.cms.p
rofile.output.PKCS7Output
[28/Jan/2016:21:09:03][main]: added plugin profileOutput
cmmfOutputImpl CMMF Response Output CMMF Response Output com
.netscape.cms.profile.output.CMMFOutput
[28/Jan/2016:21:09:03][main]: added plugin profileOutput
certOutputImpl Certificate Output Certificate Output com.net
scape.cms.profile.output.CertOutput
[28/Jan/2016:21:09:03][main]: added plugin profileOutput
nsNKeyOutputImpl nsNKeyOutputImpl nsNKeyOutputImpl com.netsc
ape.cms.profile.output.nsNKeyOutput
[28/Jan/2016:21:09:03][main]: added plugin profileInput
submitterInfoInputImpl Submitter Information Input Submitter
Information Input com.netscape.cms.profile.input.SubmitterInfoInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput
serialNumRenewInputImpl Certificate Renewal Request Serial Nu
mber Input Certificate Renewal Request Serial Number Input
com.netscape.cms.profile.input.SerialNumRenewInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput
dualKeyGenInputImpl Dual Key Generation Input Dual Key Genera
tion Input com.netscape.cms.profile.input.DualKeyGenInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput
nsNKeyCertReqInputImpl nsNKeyCertReqInputImpl nsNKeyCertReqIn
putImpl com.netscape.cms.profile.input.nsNKeyCertReqInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput
fileSigningInputImpl File Signing Input File Signing Input co
m.netscape.cms.profile.input.FileSigningInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput
certReqInputImpl Certificate Request Input Certificate Reques
t Input com.netscape.cms.profile.input.CertReqInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput
cmcCertReqInputImpl CMC Certificate Request Input CMC Certifi
cate Request Input com.netscape.cms.profile.input.CMCCertReqInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput
nsHKeyCertReqInputImpl nsHKeyCertReqInputImpl nsHKeyCertReqIn
putImpl com.netscape.cms.profile.input.nsHKeyCertReqInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput
subjectDNInputImpl Subject DN Input Subject DN Input com.nets
cape.cms.profile.input.SubjectDNInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput
keyGenInputImpl Key Generation Input Key Generation Input com
.netscape.cms.profile.input.KeyGenInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput
genericInputImpl Generic Input Generic Input com.netscape.cms
.profile.input.GenericInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput imageInputImpl
Image Input Image Input com.netscape.cms.profi
le.input.ImageInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput
subjectNameInputImpl Subject Name Input Subject Name Input co
m.netscape.cms.profile.input.SubjectNameInput
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy
basicConstraintsExtConstraintImpl Basic Constraints Exten
sion Constraint Basic Constraints Extension Constraint
com.netscape.cms.profile.constraint.BasicConstraintsExtConstra
int
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy
noConstraintImpl No Constraint No Constraint com.netscape
.cms.profile.constraint.NoConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy
signingAlgConstraintImpl Signing Algorithm Constraint Sig
ning Algorithm Constraint
com.netscape.cms.profile.constraint.SigningAlgConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy
extendedKeyUsageExtConstraintImpl Extended Key Usage Exte
nsion Constraint Extended Key Usage Extension Constraint
com.netscape.cms.profile.constraint.ExtendedKeyUsageExtConst
raint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy
extensionConstraintImpl Extension Constraint Extension Co
nstraint com.netscape.cms.profile.constraint.ExtensionConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy
subjectNameConstraintImpl Subject Name Constraint Subject
 Name Constraint com.netscape.cms.profile.constraint.SubjectNameConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy
uniqueSubjectNameConstraintImpl Unique Subject Name Const
raint Unique Subject Name Constraint
com.netscape.cms.profile.constraint.UniqueSubjectNameConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy
keyUsageExtConstraintImpl Key Usage Extension Constraint
Key Usage Extension Constraint
com.netscape.cms.profile.constraint.KeyUsageExtConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy
renewGracePeriodConstraintImpl Renewal Grace Period Const
raint Renewal Grace Period Constraint
com.netscape.cms.profile.constraint.RenewGracePeriodConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy
keyConstraintImpl Key Constraint Key Constraint com.netsc
ape.cms.profile.constraint.KeyConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy
nsCertTypeExtConstraintImpl Netscape Certificate Type Ext
ension Constraint Netscape Certificate Type Extension Constraint
com.netscape.cms.profile.constraint.NSCertTypeExtCon
straint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy
validityConstraintImpl Validity Constraint Validity Const
raint com.netscape.cms.profile.constraint.ValidityConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy
uniqueKeyConstraintImpl Unique Public Key Constraint Uniq
ue Public Key Constraint com.netscape.cms.profile.constraint.UniqueKeyConstraint
[28/Jan/2016:21:09:03][main]: added plugin profile caEnrollImpl
Generic Certificate Enrollment Profile Certificate Au
thority Generic Certificate Enrollment Profile
com.netscape.cms.profile.common.CAEnrollProfile
[28/Jan/2016:21:09:03][main]: added plugin profile
caUserCertEnrollImpl User Certificate Enrollment Profile Certifica
te Authority User Certificate Enrollment Profile
com.netscape.cms.profile.common.UserCertCAEnrollProfile
[28/Jan/2016:21:09:03][main]: added plugin profile
caServerCertEnrollImpl Server Certificate Enrollment Profile Certi
ficate Authority Server Certificate Enrollment Profile
com.netscape.cms.profile.common.ServerCertCAEnrollProfile
[28/Jan/2016:21:09:03][main]: added plugin profile caCACertEnrollImpl
CA Certificate Enrollment Profile Certificate A
uthority CA Certificate Enrollment Profile
com.netscape.cms.profile.common.CACertCAEnrollProfile
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
userKeyDefaultImpl User Supplied Key Default User Supplied K
ey Default com.netscape.cms.profile.def.UserKeyDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
freshestCRLExtDefaultImpl Freshest CRL Extension Default Fre
shest CRL Extension Default com.netscape.cms.profile.def.FreshestCRLExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
authInfoAccessExtDefaultImpl Authority Info Access Extension
 Default Authority Info Access Extension Default
com.netscape.cms.profile.def.AuthInfoAccessExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
nsTokenUserKeySubjectNameDefaultImpl nsTokenUserKeySubjectNa
meDefault nsTokenUserKeySubjectNameDefaultImpl
com.netscape.cms.profile.def.nsTokenUserKeySubjectNameDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
genericExtDefaultImpl Generic Extension Generic Extension co
m.netscape.cms.profile.def.GenericExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
authorityKeyIdentifierExtDefaultImpl Authority Key Identifie
r Extension Default Authority Key Identifier Extension Default
com.netscape.cms.profile.def.AuthorityKeyIdentifierExt
Default
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
issuerAltNameExtDefaultImpl Issuer Alternative Name Extensio
n Default Issuer Alternative Name Extension Default
com.netscape.cms.profile.def.IssuerAltNameExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
basicConstraintsExtDefaultImpl Basic Constraints Extension D
efault Basic Constraints Extension Default
com.netscape.cms.profile.def.BasicConstraintsExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
keyUsageExtDefaultImpl Key Usage Extension Default Key Usage
 Extension Default com.netscape.cms.profile.def.KeyUsageExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
ocspNoCheckExtDefaultImpl OCSP No Check Extension Default OC
SP No Check Extension Default com.netscape.cms.profile.def.OCSPNoCheckExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
subjectAltNameExtDefaultImpl Subject Alternative Name Extens
ion Default Subject Alternative Name Extension Default
com.netscape.cms.profile.def.SubjectAltNameExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
userValidityDefaultImpl User Supplied Validity Default User
Supplied Validity Default com.netscape.cms.profile.def.UserValidityDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
userSubjectNameDefaultImpl User Supplied Subject Name Defaul
t User Supplied Subject Name Default
com.netscape.cms.profile.def.UserSubjectNameDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
subjectDirAttributesExtDefaultImpl Subject Directory Attribu
tes Extension Default Subject Directory Attributes Extension Default
com.netscape.cms.profile.def.SubjectDirAttribute
sExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
certificateVersionDefaultImpl Certificate Version Default Ce
rtificate Version Default com.netscape.cms.profile.def.CertificateVersionDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
extendedKeyUsageExtDefaultImpl Extended Key Usage Extension
Default Extended Key Usage Extension Default
com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
policyConstraintsExtDefaultImpl Policy Constraints Extension
 Default Policy Constraints Extension Default
com.netscape.cms.profile.def.PolicyConstraintsExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
crlDistributionPointsExtDefaultImpl CRL Distribution Points
Extension Default CRL Distribution Points Extension Default
com.netscape.cms.profile.def.CRLDistributionPointsExtDefa
ult
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
certificatePoliciesExtDefaultImpl Certificate Policies Exten
sion Default Certificate Policies Extension Default
com.netscape.cms.profile.def.CertificatePoliciesExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
validityDefaultImpl Validity Default Validty Default com.net
scape.cms.profile.def.ValidityDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
privateKeyPeriodExtDefaultImpl Private Key Period Ext Defaul
t Private Key Period Ext Default
com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy noDefaultImpl
No Default No Default com.netscape.cms.profile
.def.NoDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
imageDefaultImpl Image Default Image Default com.netscape.cm
s.profile.def.ImageDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
subjectInfoAccessExtDefaultImpl Subject Info Access Extensio
n Default Subject Info Access Extension Default
com.netscape.cms.profile.def.SubjectInfoAccessExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
autoAssignDefaultImpl Auto Request Assignment Default Auto R
equest Assignment Default com.netscape.cms.profile.def.AutoAssignDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
policyMappingsExtDefaultImpl Policy Mappings Extension Defau
lt Policy Mappings Extension Default
com.netscape.cms.profile.def.PolicyMappingsExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
caValidityDefaultImpl CA Certificate Validity Default CA Cer
tificate Validty Default com.netscape.cms.profile.def.CAValidityDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
userExtensionDefaultImpl User Supplied Extension Default Use
r Supplied Extension Default com.netscape.cms.profile.def.UserExtensionDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
nsCertTypeExtDefaultImpl Netscape Certificate Type Extension
 Default Netscape Certificate Type Extension Default
com.netscape.cms.profile.def.NSCertTypeExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
authTokenSubjectNameDefaultImpl Token Supplied Subject Name
Default Token Supplied Subject Name Default
com.netscape.cms.profile.def.AuthTokenSubjectNameDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
subjectNameDefaultImpl Subject Name Default Subject Name Def
ault com.netscape.cms.profile.def.SubjectNameDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
userSigningAlgDefaultImpl User Supplied Signing Alg Default
User Supplied Signing Alg Default
com.netscape.cms.profile.def.UserSigningAlgDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
subjectKeyIdentifierExtDefaultImpl Subject Key Identifier De
fault Subject Key Identifier Default
com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy Extension
Default Inhibit Any-Policy Extension Default
com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
nsTokenDeviceKeySubjectNameDefaultImpl nsTokenDeviceKeySubje
ctNameDefault nsTokenDeviceKeySubjectNameDefaultImpl
com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
nscCommentExtDefaultImpl Netscape Comment Extension Default
Netscape Comment Extension Default
com.netscape.cms.profile.def.NSCCommentExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
signingAlgDefaultImpl Signing Algorithm Default Signing Algo
rithm Default com.netscape.cms.profile.def.SigningAlgDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
nameConstraintsExtDefaultImpl Name Constraints Extension Def
ault Name Constraints Extension Default
com.netscape.cms.profile.def.NameConstraintsExtDefault
[28/Jan/2016:21:09:03][main]: added plugin profileUpdater
subsystemGroupUpdaterImpl Updater for Subsystem Group Updat
er for Subsystem Group com.netscape.cms.profile.updater.SubsystemGroupUpdater
[28/Jan/2016:21:09:03][main]: CMSEngine: done init id=registry
[28/Jan/2016:21:09:03][main]: CMSEngine: initialized registry
[28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=oidmap
[28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=oidmap
[28/Jan/2016:21:09:03][main]: CMSEngine: done init id=oidmap
[28/Jan/2016:21:09:03][main]: CMSEngine: initialized oidmap
[28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=X500Name
[28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=X500Name
[28/Jan/2016:21:09:03][main]: CMSEngine: done init id=X500Name
[28/Jan/2016:21:09:03][main]: CMSEngine: initialized X500Name
[28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=request
[28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=request
[28/Jan/2016:21:09:03][main]: CMSEngine: done init id=request
[28/Jan/2016:21:09:03][main]: CMSEngine: initialized request
[28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=ca
[28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=ca
[28/Jan/2016:21:09:03][main]: CertificateAuthority init
[28/Jan/2016:21:09:03][main]: Cert Repot inited
[28/Jan/2016:21:09:03][main]: CRL Repot inited
[28/Jan/2016:21:09:03][main]: Replica Repot inited
[28/Jan/2016:21:09:03][main]: ca.signing Signing Unit nickname
caSigningCert cert-pki-ca
[28/Jan/2016:21:09:03][main]: Got token Internal Key Storage Token by name
[28/Jan/2016:21:09:03][main]: Found cert by nickname: 'caSigningCert
cert-pki-ca' with serial number: 1
[28/Jan/2016:21:09:03][main]: converted to x509CertImpl
[28/Jan/2016:21:09:03][main]: Got private key from cert
[28/Jan/2016:21:09:03][main]: Got public key from cert
[28/Jan/2016:21:09:03][main]: got signing algorithm RSASignatureWithSHA256Digest
[28/Jan/2016:21:09:03][main]: CA signing unit inited
[28/Jan/2016:21:09:03][main]: cachainNum= 0
[28/Jan/2016:21:09:03][main]: in init - got CA chain from JSS.
[28/Jan/2016:21:09:03][main]: ca.ocsp_signing Signing Unit nickname
ca.ocsp_signing.cert
[28/Jan/2016:21:09:03][main]: Got token Internal Key Storage Token by name
[28/Jan/2016:21:09:03][main]: SigningUnit init: debug
org.mozilla.jss.crypto.ObjectNotFoundException
[28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException
Certificate object not found
        at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
        at 
com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1204)
        at 
com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
        at 
com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
        at 
com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
        at 
org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
        at 
org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
        at 
org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
        at 
org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
        at 
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
        at 
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
        at 
org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
        at 
org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
        at 
org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
        at 
org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
        at 
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
        at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
        at 
org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
        at 
org.apache.catalina.core.StandardService.start(StandardService.java:516)
        at 
org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
[28/Jan/2016:21:09:03][main]: CMSEngine.shutdown()
[28/Jan/2016:21:14:02][Timer-0]: CMSEngine: getPasswordStore():
password store initialized before.
[28/Jan/2016:21:14:02][Timer-0]: CMSEngine: getPasswordStore():
password store initialized.
[28/Jan/2016:21:19:02][Timer-0]: CMSEngine: getPasswordStore():
password store initialized before.
[28/Jan/2016:21:19:02][Timer-0]: CMSEngine: getPasswordStore():
password store initialized.




>
>>
>> stuck: yes
>>
>> key pair storage:
>>
>> type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS
>> Certifi
>>
>> cate DB',pinfile='/etc/dirsrv/slapd-SAMPLE-NET//pwdfile.txt'
>>
>> certificate:
>>
>> type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS
>> Certificate
>>
>> DB'
>>
>> CA: IPA
>>
>> issuer: CN=Certificate Authority,O=SAMPLE.NET <http://SAMPLE.NET>
>>
>> subject: CN=caer.SAMPLE.net <http://caer.SAMPLE.net>,O=SAMPLE.NET
>> <http://SAMPLE.NET>
>>
>> expires: 2016-01-29 14:09:46 UTC
>>
>> eku: id-kp-serverAuth
>>
>> pre-save command:
>>
>> post-save command:
>>
>> track: yes
>>
>> auto-renew: yes
>>
>>
>>
>> On Mon, May 2, 2016 at 5:35 PM Anthony Cheng
>> <anthony.wan.ch...@gmail.com <mailto:anthony.wan.ch...@gmail.com>> wrote:
>>
>>     On Mon, May 2, 2016 at 9:54 AM Rob Crittenden <rcrit...@redhat.com
>>     <mailto:rcrit...@redhat.com>> wrote:
>>
>>         Anthony Cheng wrote:
>>          > On Sat, Apr 30, 2016 at 10:08 AM Rob Crittenden
>>         <rcrit...@redhat.com <mailto:rcrit...@redhat.com>
>>          > <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>>>
>> wrote:
>>          >
>>          >     Anthony Cheng wrote:
>>          >      > OK so I made process on my cert renew issue; I was
>>         able to get kinit
>>          >      > working so I can follow the rest of the steps here
>>          >      > (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
>>          >      >
>>          >      > However, after using
>>          >      >
>>          >      > ldapmodify -x -h localhost -p 7389 -D 'cn=directory
>>         manager' -w
>>          >     password
>>          >      >
>>          >      > and restarting apache (/sbin/service httpd restart),
>>         resubmitting 3
>>          >      > certs (ipa-getcert resubmit -i <ID>) and restarting
>>         IPA (resubmit
>>          >     -i <ID>)
>>          >      > (/sbin/service ipa restart), I still see:
>>          >      >
>>          >      > [root@test ~]# ipa-getcert list | more
>>          >      > Number of certificates and requests being tracked: 8.
>>          >      > Request ID '20111214223243':
>>          >      >          status: CA_UNREACHABLE
>>          >      >          ca-error: Server failed request, will retry:
>>         4301 (RPC
>>          >     failed
>>          >      > at server.  Certificate operation cannot be compl
>>          >      > eted: Unable to communicate with CMS (Not Found)).
>>          >
>>          >     IPA proxies requests to the CA through Apache. This means
>>         that while
>>          >     tomcat started ok it didn't load the dogtag CA
>>         application, hence the
>>          >     Not Found.
>>          >
>>          >     Check the CA debug and selftest logs to see why it failed
>>         to start
>>          >     properly.
>>          >
>>          >     [ snip ]
>>          >
>>          > Actually after a reboot that error went away and I just get
>>         this error
>>          > instead "ca-error: Server failed request, will retry: -504
>>         (libcurl
>>          > failed to execute the HTTP POST transaction. Peer certificate
>>         cannot be
>>          > auth enticated with known CA certificates)." from "getcert
>> list"
>>          >
>>          > Result of service ipa restart is interesting since it shows
>>         today's time
>>          > when I already changed date/time/disable NTP so somehow the
>>         system still
>>          > know today's time.
>>          >
>>          > PKI-IPA...[02/May/2016:13:26:10 +0000] - SSL alert:
>>          > CERT_VerifyCertificateNow: verify certificate failed for cert
>>          > Server-Cert of family cn=RSA,cn=encryption,cn=config
>>         (Netscape Portable
>>          > Runtime error -8181 - Peer's Certificate has expired.)
>>
>>         Hard to say. I'd confirm that there is no time syncing service
>>         running,
>>         ntp or otherwise.
>>
>>
>>     I found out why the time kept changing; it was due to the fact that
>>     it has VM tools installed (i didn't configure this box) so it
>>     automatically sync time during bootup.
>>
>>     I did still see this error message:
>>
>>     ca-error: Server failed request, will retry: 4301 (RPC failed at
>>     server. Certificate operation cannot be completed: Unable to
>>     communicate with CMS (Not Found))
>>
>>     I tried the step http://www.freeipa.org/page/Troubleshooting with
>>
>>     certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt
>>     openssl x509 -text -in /tmp/ra.crt
>>     certutil -A -n ipaCert -d /etc/httpd/alias -t u,u,u -a -i /tmp/ra.crt
>>     service httpd restart
>>
>>     So that I can get rid of one of the CA cert that is expired (kept
>>     the 1st one) but still getting same error
>>
>>     What exactly is CMS and why is it not found?
>>
>>
>>     I did notice that the selftest log is empty with a different time:
>>
>>     -rw-r-----. 1 pkiuser pkiuser 0 Nov 23 14:11
>>     /var/log/pki-ca/selftests.log
>>
>>     [root@test ~]# clock Wed 27 Jan 2016 03:33:00 PM UTC -0.046800 seconds
>>
>>
>>     Here are some debug log after reboot:
>>
>>     [root@test pki-ca]# tail -n 100 catalina.out
>>
>>     INFO: JK: ajp13 listening on /0.0.0.0:9447 <http://0.0.0.0:9447>
>>
>>     Jan 27, 2016 2:45:31 PM org.apache.jk.server.JkMain start
>>
>>     INFO: Jk running ID=0 time=1/23config=null
>>
>>     Jan 27, 2016 2:45:31 PM org.apache.catalina.startup.Catalina start
>>
>>     INFO: Server startup in 1722 ms
>>
>>     Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>>
>>     INFO: Pausing Coyote HTTP/1.1 on http-9180
>>
>>     Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>>
>>     INFO: Pausing Coyote HTTP/1.1 on http-9443
>>
>>     Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>>
>>     INFO: Pausing Coyote HTTP/1.1 on http-9445
>>
>>     Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>>
>>     INFO: Pausing Coyote HTTP/1.1 on http-9444
>>
>>     Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>>
>>     INFO: Pausing Coyote HTTP/1.1 on http-9446
>>
>>     Jan 27, 2016 2:56:22 PM org.apache.catalina.core.StandardService stop
>>
>>     INFO: Stopping service Catalina
>>
>>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>     clearReferencesThreads
>>
>>     SEVERE: A web application appears to have started a thread named
>>     [Timer-0] but has failed to stop it. This is very like
>>
>>     ly to create a memory leak.
>>
>>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>     clearReferencesThreads
>>
>>     SEVERE: A web application appears to have started a thread named
>>     [/var/lib/pki-ca/logs/signedAudit/ca_audit.flush-4] bu
>>
>>     t has failed to stop it. This is very likely to create a memory leak.
>>
>>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>     clearReferencesThreads
>>
>>     SEVERE: A web application appears to have started a thread named
>>     [/var/lib/pki-ca/logs/signedAudit/ca_audit.rollover-6]
>>
>>     but has failed to stop it. This is very likely to create a memory
>> leak.
>>
>>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>     clearReferencesThreads
>>
>>     SEVERE: A web application appears to have started a thread named
>>     [/var/lib/pki-ca/logs/system.flush-6] but has failed t
>>
>>     o stop it. This is very likely to create a memory leak.
>>
>>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>     clearReferencesThreads
>>
>>     SEVERE: A web application appears to have started a thread named
>>     [/var/lib/pki-ca/logs/system.rollover-8] but has faile
>>
>>     d to stop it. This is very likely to create a memory leak.
>>
>>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>     clearReferencesThreads
>>
>>     SEVERE: A web application appears to have started a thread named
>>     [/var/lib/pki-ca/logs/transactions.flush-9] but has fa
>>
>>     iled to stop it. This is very likely to create a memory leak.
>>
>>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>     clearReferencesThreads
>>
>>     SEVERE: A web application appears to have started a thread named
>>     [/var/lib/pki-ca/logs/transactions.rollover-10] but ha
>>
>>     s failed to stop it. This is very likely to create a memory leak.
>>
>>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>     clearReferencesThreads
>>
>>     SEVERE: A web application appears to have started a thread named
>>     [LDAPConnThread-2 ldap://test.sample.net:7389
>>     <http://test.sample.net:7389>] but has failed to stop it. This is
>>     very likely to create a memory leak.
>>
>>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>     clearReferencesThreads
>>
>>     SEVERE: A web application appears to have started a thread named
>>     [LDAPConnThread-3 ldap://test.sample.net:7389
>>     <http://test.sample.net:7389>] but has failed to stop it. This is
>>     very likely to create a memory leak.
>>
>>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>     clearReferencesThreads
>>
>>     SEVERE: A web application appears to have started a thread named
>>     [LDAPConnThread-4 ldap://test.sample.net:7389
>>     <http://test.sample.net:7389>] but has failed to stop it. This is
>>     very likely to create a memory leak.
>>
>>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>     clearThreadLocalMap
>>
>>     SEVERE: A web application created a ThreadLocal with key of type
>>     [null] (value [com.netscape.cmscore.util.Debug$1@228b677f]) and a
>>     value of type [java.text.SimpleDateFormat] (value
>>     [java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when
>>     the web application was stopped. To prevent a memory leak, the
>>     ThreadLocal has been forcibly removed.
>>
>>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>     clearThreadLocalMap
>>
>>     SEVERE: A web application created a ThreadLocal with key of type
>>     [null] (value [com.netscape.cmscore.util.Debug$1@228b677f]) and a
>>     value of type [java.text.SimpleDateFormat] (value
>>     [java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when
>>     the web application was stopped. To prevent a memory leak, the
>>     ThreadLocal has been forcibly removed.
>>
>>     Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol
>> destroy
>>
>>     INFO: Stopping Coyote HTTP/1.1 on http-9180
>>
>>     Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol
>> destroy
>>
>>     INFO: Stopping Coyote HTTP/1.1 on http-9443
>>
>>     Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol
>> destroy
>>
>>     INFO: Stopping Coyote HTTP/1.1 on http-9445
>>
>>     Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol
>> destroy
>>
>>     INFO: Stopping Coyote HTTP/1.1 on http-9444
>>
>>     Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol
>> destroy
>>
>>     INFO: Stopping Coyote HTTP/1.1 on http-9446
>>
>>     Jan 27, 2016 2:57:36 PM
>>     org.apache.catalina.core.AprLifecycleListener init
>>
>>     INFO: The APR based Apache Tomcat Native library which allows
>>     optimal performance in production environments was not found on the
>>     java.library.path:
>>
>> /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
>>
>>     Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>>
>>     INFO: Initializing Coyote HTTP/1.1 on http-9180
>>
>>     Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
>>     unsupported by NSS. This is probably O.K. unless ECC support has
>>     been installed.
>>
>>     Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
>>     unsupported by NSS. This is probably O.K. unless ECC support has
>>     been installed.
>>
>>     Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>>
>>     INFO: Initializing Coyote HTTP/1.1 on http-9443
>>
>>     Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
>>     unsupported by NSS. This is probably O.K. unless ECC support has
>>     been installed.
>>
>>     Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
>>     unsupported by NSS. This is probably O.K. unless ECC support has
>>     been installed.
>>
>>     Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>>
>>     INFO: Initializing Coyote HTTP/1.1 on http-9445
>>
>>     Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
>>     unsupported by NSS. This is probably O.K. unless ECC support has
>>     been installed.
>>
>>     Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
>>     unsupported by NSS. This is probably O.K. unless ECC support has
>>     been installed.
>>
>>     Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>>
>>     INFO: Initializing Coyote HTTP/1.1 on http-9444
>>
>>     Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
>>     unsupported by NSS. This is probably O.K. unless ECC support has
>>     been installed.
>>
>>     Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
>>     unsupported by NSS. This is probably O.K. unless ECC support has
>>     been installed.
>>
>>     Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>>
>>     INFO: Initializing Coyote HTTP/1.1 on http-9446
>>
>>     Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.Catalina load
>>
>>     INFO: Initialization processed in 2198 ms
>>
>>     Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardService start
>>
>>     INFO: Starting service Catalina
>>
>>     Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardEngine start
>>
>>     INFO: Starting Servlet Engine: Apache Tomcat/6.0.24
>>
>>     Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.HostConfig
>>     deployDirectory
>>
>>     INFO: Deploying web application directory ROOT
>>
>>     Jan 27, 2016 2:57:38 PM org.apache.catalina.startup.HostConfig
>>     deployDirectory
>>
>>     INFO: Deploying web application directory ca
>>
>>     64-bit osutil library loaded
>>
>>     64-bit osutil library loaded
>>
>>     Certificate object not found
>>
>>     Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>>
>>     INFO: Starting Coyote HTTP/1.1 on http-9180
>>
>>     Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>>
>>     INFO: Starting Coyote HTTP/1.1 on http-9443
>>
>>     Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>>
>>     INFO: Starting Coyote HTTP/1.1 on http-9445
>>
>>     Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>>
>>     INFO: Starting Coyote HTTP/1.1 on http-9444
>>
>>     Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>>
>>     INFO: Starting Coyote HTTP/1.1 on http-9446
>>
>>     Jan 27, 2016 2:57:40 PM org.apache.jk.common.ChannelSocket init
>>
>>     INFO: JK: ajp13 listening on /0.0.0.0:9447 <http://0.0.0.0:9447>
>>
>>     Jan 27, 2016 2:57:40 PM org.apache.jk.server.JkMain start
>>
>>     INFO: Jk running ID=0 time=0/40config=null
>>
>>     Jan 27, 2016 2:57:40 PM org.apache.catalina.startup.Catalina start
>>
>>     INFO: Server startup in 2592 ms
>>
>>     [root@test pki-ca]# tail -n 100 debug
>>
>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>     subjectAltNameExtDefaultImpl Subject Alternative Name Extension
>>     Default Subject Alternative Name Extension Default
>>     com.netscape.cms.profile.def.SubjectAltNameExtDefault
>>
>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>     userValidityDefaultImpl User Supplied Validity Default User Supplied
>>     Validity Default com.netscape.cms.profile.def.UserValidityDefault
>>
>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>     userSubjectNameDefaultImpl User Supplied Subject Name Default User
>>     Supplied Subject Name Default
>>     com.netscape.cms.profile.def.UserSubjectNameDefault
>>
>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>     subjectDirAttributesExtDefaultImpl Subject Directory Attributes
>>     Extension Default Subject Directory Attributes Extension Default
>>     com.netscape.cms.profile.def.SubjectDirAttributesExtDefault
>>
>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>     certificateVersionDefaultImpl Certificate Version Default
>>     Certificate Version Default
>>     com.netscape.cms.profile.def.CertificateVersionDefault
>>
>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>     extendedKeyUsageExtDefaultImpl Extended Key Usage Extension Default
>>     Extended Key Usage Extension Default
>>     com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
>>
>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>     policyConstraintsExtDefaultImpl Policy Constraints Extension Default
>>     Policy Constraints Extension Default
>>     com.netscape.cms.profile.def.PolicyConstraintsExtDefault
>>
>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>     crlDistributionPointsExtDefaultImpl CRL Distribution Points
>>     Extension Default CRL Distribution Points Extension Default
>>     com.netscape.cms.profile.def.CRLDistributionPointsExtDefault
>>
>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>     certificatePoliciesExtDefaultImpl Certificate Policies Extension
>>     Default Certificate Policies Extension Default
>>     com.netscape.cms.profile.def.CertificatePoliciesExtDefault
>>
>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>     validityDefaultImpl Validity Default Validty Default
>>     com.netscape.cms.profile.def.ValidityDefault
>>
>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>     privateKeyPeriodExtDefaultImpl Private Key Period Ext Default
>>     Private Key Period Ext Default
>>     com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault
>>
>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>     noDefaultImpl No Default No Default
>>     com.netscape.cms.profile.def.NoDefault
>>
>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>     imageDefaultImpl Image Default Image Default
>>     com.netscape.cms.profile.def.ImageDefault
>>
>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>     subjectInfoAccessExtDefaultImpl Subject Info Access Extension
>>     Default Subject Info Access Extension Default
>>     com.netscape.cms.profile.def.SubjectInfoAccessExtDefault
>>
>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>     autoAssignDefaultImpl Auto Request Assignment Default Auto Request
>>     Assignment Default com.netscape.cms.profile.def.AutoAssignDefault
>>
>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>     policyMappingsExtDefaultImpl Policy Mappings Extension Default
>>     Policy Mappings Extension Default
>>     com.netscape.cms.profile.def.PolicyMappingsExtDefault
>>
>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>     caValidityDefaultImpl CA Certificate Validity Default CA Certificate
>>     Validty Default com.netscape.cms.profile.def.CAValidityDefault
>>
>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>     userExtensionDefaultImpl User Supplied Extension Default User
>>     Supplied Extension Default
>>     com.netscape.cms.profile.def.UserExtensionDefault
>>
>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>     nsCertTypeExtDefaultImpl Netscape Certificate Type Extension Default
>>     Netscape Certificate Type Extension Default
>>     com.netscape.cms.profile.def.NSCertTypeExtDefault
>>
>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>     authTokenSubjectNameDefaultImpl Token Supplied Subject Name Default
>>     Token Supplied Subject Name Default
>>     com.netscape.cms.profile.def.AuthTokenSubjectNameDefault
>>
>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>     subjectNameDefaultImpl Subject Name Default Subject Name Default
>>     com.netscape.cms.profile.def.SubjectNameDefault
>>
>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>     userSigningAlgDefaultImpl User Supplied Signing Alg Default User
>>     Supplied Signing Alg Default
>>     com.netscape.cms.profile.def.UserSigningAlgDefault
>>
>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>     subjectKeyIdentifierExtDefaultImpl Subject Key Identifier Default
>>     Subject Key Identifier Default
>>     com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
>>
>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>     inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy Extension Default
>>     Inhibit Any-Policy Extension Default
>>     com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault
>>
>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>     nsTokenDeviceKeySubjectNameDefaultImpl
>>     nsTokenDeviceKeySubjectNameDefault
>>     nsTokenDeviceKeySubjectNameDefaultImpl
>>     com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault
>>
>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>     nscCommentExtDefaultImpl Netscape Comment Extension Default Netscape
>>     Comment Extension Default
>>     com.netscape.cms.profile.def.NSCCommentExtDefault
>>
>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>     signingAlgDefaultImpl Signing Algorithm Default Signing Algorithm
>>     Default com.netscape.cms.profile.def.SigningAlgDefault
>>
>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>     nameConstraintsExtDefaultImpl Name Constraints Extension Default
>>     Name Constraints Extension Default
>>     com.netscape.cms.profile.def.NameConstraintsExtDefault
>>
>>     [27/Jan/2016:15:30:43][main]: added plugin profileUpdater
>>     subsystemGroupUpdaterImpl Updater for Subsystem Group Updater for
>>     Subsystem Group com.netscape.cms.profile.updater.SubsystemGroupUpdater
>>
>>     [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=registry
>>
>>     [27/Jan/2016:15:30:43][main]: CMSEngine: initialized registry
>>
>>     [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=oidmap
>>
>>     [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=oidmap
>>
>>     [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=oidmap
>>
>>     [27/Jan/2016:15:30:43][main]: CMSEngine: initialized oidmap
>>
>>     [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=X500Name
>>
>>     [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=X500Name
>>
>>     [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=X500Name
>>
>>     [27/Jan/2016:15:30:43][main]: CMSEngine: initialized X500Name
>>
>>     [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=request
>>
>>     [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=request
>>
>>     [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=request
>>
>>     [27/Jan/2016:15:30:43][main]: CMSEngine: initialized request
>>
>>     [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=ca
>>
>>     [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=ca
>>
>>     [27/Jan/2016:15:30:43][main]: CertificateAuthority init
>>
>>     [27/Jan/2016:15:30:43][main]: Cert Repot inited
>>
>>     [27/Jan/2016:15:30:43][main]: CRL Repot inited
>>
>>     [27/Jan/2016:15:30:43][main]: Replica Repot inited
>>
>>     [27/Jan/2016:15:30:43][main]: ca.signing Signing Unit nickname
>>     caSigningCert cert-pki-ca
>>
>>     [27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token
>>     by name
>>
>>     [27/Jan/2016:15:30:43][main]: Found cert by nickname: 'caSigningCert
>>     cert-pki-ca' with serial number: 1
>>
>>     [27/Jan/2016:15:30:43][main]: converted to x509CertImpl
>>
>>     [27/Jan/2016:15:30:43][main]: Got private key from cert
>>
>>     [27/Jan/2016:15:30:43][main]: Got public key from cert
>>
>>     [27/Jan/2016:15:30:43][main]: got signing algorithm
>>     RSASignatureWithSHA256Digest
>>
>>     [27/Jan/2016:15:30:43][main]: CA signing unit inited
>>
>>     [27/Jan/2016:15:30:43][main]: cachainNum= 0
>>
>>     [27/Jan/2016:15:30:43][main]: in init - got CA chain from JSS.
>>
>>     [27/Jan/2016:15:30:43][main]: ca.ocsp_signing Signing Unit nickname
>>     ca.ocsp_signing.cert
>>
>>     [27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token
>>     by name
>>
>>     [27/Jan/2016:15:30:43][main]: SigningUnit init: debug
>>     org.mozilla.jss.crypto.ObjectNotFoundException
>>
>>     [27/Jan/2016:15:30:43][main]: CMS:Caught EBaseException
>>
>>     Certificate object not found
>>
>>     at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
>>
>>     at
>>
>> com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1204)
>>
>>     at
>>
>> com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
>>
>>     at
>> com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
>>
>>     at
>>     com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
>>
>>     at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
>>
>>     at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
>>
>>     at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
>>
>>     at
>>
>> com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
>>
>>     at
>>
>> org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
>>
>>     at
>>
>> org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
>>
>>     at
>>
>> org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
>>
>>     at
>>
>> org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
>>
>>     at
>>
>> org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
>>
>>     at
>>
>> org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
>>
>>     at
>> org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
>>
>>     at
>>
>> org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
>>
>>     at
>>
>> org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
>>
>>     at
>>     org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
>>
>>     at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
>>
>>     at
>>
>> org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
>>
>>     at
>>
>> org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
>>
>>     at
>> org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
>>
>>     at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
>>
>>     at
>> org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
>>
>>     at
>>     org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
>>
>>     at
>>
>> org.apache.catalina.core.StandardService.start(StandardService.java:516)
>>
>>     at
>>     org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
>>
>>     at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
>>
>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>
>>     at
>>
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>
>>     at
>>
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>
>>     at java.lang.reflect.Method.invoke(Method.java:616)
>>
>>     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>>
>>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
>>
>>     [27/Jan/2016:15:30:43][main]: CMSEngine.shutdown()
>>
>>
>>
>>
>>       >
>>
>>          >      > Would really greatly appreciate any help on this.
>>          >      >
>>          >      > Also I noticed after I do ldapmodify of
>>         usercertificate binary
>>          >     data with
>>          >      >
>>          >      > add: usercertificate;binary
>>          >      > usercertificate;binary: !@#$@!#$#@$
>>          >
>>          >     You really pasted in binary? Or was this base64-encoded
>> data?
>>          >
>>          >     I wonder if there is a problem in the wiki. If this is
>>         really a binary
>>          >     value you should start with a DER-encoded cert and load
>>         it using
>>          >     something like:
>>          >
>>          >     dn: uid=ipara,ou=people,o=ipaca
>>          >     changetype: modify
>>          >     add: usercertificate;binary
>>          >     usercertificate;binary:< file:///path/to/cert.der
>>          >
>>          >     You can use something like openssl x509 to switch between
>>         PEM and DER
>>          >     formats.
>>          >
>>          >     I have a vague memory that dogtag can deal with a
>>         multi-valued
>>          >     usercertificate attribute.
>>          >
>>          >     rob
>>          >
>>          >
>>          > Yes the wiki stated binary, the result of:
>>          > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b
>>          > uid=ipara,ou=People,o=ipaca -W
>>          >
>>          > shows userCertificate;binary:: GJ6Q0NBbGVnQXd ...
>>          >
>>          > But the actual data is from a PEM though.
>>
>>         Ok. So I looked at my CA data and it doesn't use the binary
>>         subtype, so
>>         my entries look like:
>>
>>         userCertificate:: MIID....
>>
>>         It might make a difference if dogtag is looking for the subtype
>>         or not.
>>
>>         rob
>>
>>          >
>>          >      >
>>          >      > Then I re-run
>>          >      >
>>          >      > ldapsearch -x -h localhost -p 7389 -D 'cn=directory
>>         manager' -W
>>          >     -b uid=ipara,ou=People,o=ipaca
>>          >      >
>>          >      > I see 2 entries for usercertificate;binary (before
>>         modify there
>>          >     was only
>>          >      > 1) but they are duplicate and NOT from data that I
>>         added.  That seems
>>          >      > incorrect to me.
>>          >      >
>>          >      >
>>          >      > On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng
>>          >      > <anthony.wan.ch...@gmail.com
>>         <mailto:anthony.wan.ch...@gmail.com>
>>         <mailto:anthony.wan.ch...@gmail.com
>>         <mailto:anthony.wan.ch...@gmail.com>>
>>          >     <mailto:anthony.wan.ch...@gmail.com
>>         <mailto:anthony.wan.ch...@gmail.com>
>>          >     <mailto:anthony.wan.ch...@gmail.com
>>         <mailto:anthony.wan.ch...@gmail.com>>>> wrote:
>>          >      >
>>          >      >     klist is actually empty; kinit admin fails.
>>         Sounds like then
>>          >      >     getcert resubmit has a dependency on kerberoes.  I
>>         can get a
>>          >     backup
>>          >      >     image that has a valid ticket but it is only good
>>         for 1 day (and
>>          >      >     dated pasted the cert expire).
>>          >      >
>>          >      >     Also I had asked awhile back about whether there
>>         is dependency on
>>          >      >     DIRSRV to renew the cert; didn't get any response
>>         but I suspect
>>          >      >     there is a dependency.
>>          >      >
>>          >      >     Regarding the clock skew, I found out from
>>         /var/log/message that
>>          >      >     shows me this so it may be from named:
>>          >      >
>>          >      >     Jan 28 14:10:42 test named[2911]: Failed to init
>>         credentials
>>          >     (Clock
>>          >      >     skew too great)
>>          >      >     Jan 28 14:10:42 test named[2911]: loading
>>         configuration: failure
>>          >      >     Jan 28 14:10:42 test named[2911]: exiting (due to
>>         fatal error)
>>          >      >     Jan 28 14:10:44 test ns-slapd: GSSAPI Error:
>>         Unspecified GSS
>>          >      >     failure.  Minor code may provide more information
>>         (Creden
>>          >      >     tials cache file '/tmp/krb5cc_496' not found)
>>          >      >
>>          >      >     I don't have a krb5cc_496 file (since klist is
>>         empty), so
>>          >     sounds to
>>          >      >     me I need to get a kerberoes ticket before going any
>>          >     further.  Also
>>          >      >     is the file /etc/krb5.keytab access/modification
>> time
>>          >     important?  I
>>          >      >     had changed time back to before the cert
>>         expiration date and
>>          >     reboot
>>          >      >     and try renew but the error message about clock
>>         skew is still
>>          >      >     there.  That seems strange.
>>          >      >
>>          >      >     Lastly, as a absolute last resort, can I
>>         regenerate a new cert
>>          >      >     myself?
>>          >      >
>>          >
>>
>> https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
>>          >      >
>>          >      >     [root@test /]# klist
>>          >      >     klist: No credentials cache found (ticket cache
>>          >     FILE:/tmp/krb5cc_0)
>>          >      >     [root@test /]# service ipa start
>>          >      >     Starting Directory Service
>>          >      >     Starting dirsrv:
>>          >      >          PKI-IPA...
>>          >       [  OK  ]
>>          >      >          sample-NET...
>>          >     [  OK  ]
>>          >      >     Starting KDC Service
>>          >      >     Starting Kerberos 5 KDC:
>>                   [
>>          >     OK  ]
>>          >      >     Starting KPASSWD Service
>>          >      >     Starting Kerberos 5 Admin Server:
>>                  [
>>          >     OK  ]
>>          >      >     Starting DNS Service
>>          >      >     Starting named:
>>          >     [FAILED]
>>          >      >     Failed to start DNS Service
>>          >      >     Shutting down
>>          >      >     Stopping Kerberos 5 KDC:
>>                   [
>>          >     OK  ]
>>          >      >     Stopping Kerberos 5 Admin Server:
>>                  [
>>          >     OK  ]
>>          >      >     Stopping named:
>>                  [
>>          >     OK  ]
>>          >      >     Stopping httpd:
>>                  [
>>          >     OK  ]
>>          >      >     Stopping pki-ca:
>>                   [
>>          >     OK  ]
>>          >      >     Shutting down dirsrv:
>>          >      >          PKI-IPA...
>>          >       [  OK  ]
>>          >      >          sample-NET...
>>          >     [  OK  ]
>>          >      >     Aborting ipactl
>>          >      >     [root@test /]# klist
>>          >      >     klist: No credentials cache found (ticket cache
>>          >     FILE:/tmp/krb5cc_0)
>>          >      >     [root@test /]# service ipa status
>>          >      >     Directory Service: STOPPED
>>          >      >     Failed to get list of services to probe status:
>>          >      >     Directory Server is stopped
>>          >      >
>>          >      >     On Thu, Apr 28, 2016 at 3:21 AM David Kupka
>>          >     <dku...@redhat.com <mailto:dku...@redhat.com>
>>         <mailto:dku...@redhat.com <mailto:dku...@redhat.com>>
>>          >      >     <mailto:dku...@redhat.com
>>         <mailto:dku...@redhat.com> <mailto:dku...@redhat.com
>>         <mailto:dku...@redhat.com>>>> wrote:
>>          >      >
>>          >      >         On 27/04/16 21:54, Anthony Cheng wrote:
>>          >      >          > Hi list,
>>          >      >          >
>>          >      >          > I am trying to renew expired certificates
>>         following the
>>          >      >         manual renewal procedure
>>          >      >          > here
>>          >     (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
>>          >      >         but even with
>>          >      >          > resetting the system/hardware clock to a
>>         time before
>>          >     expires,
>>          >      >         I am getting the
>>          >      >          > error "ca-error: Error setting up ccache
>>         for local "host"
>>          >      >         service using default
>>          >      >          > keytab: Clock skew too great."
>>          >      >          >
>>          >      >          > With NTP disable and clock reset why would
>>         it complain
>>          >     about
>>          >      >         clock skew and how
>>          >      >          > does it even know about the current time?
>>          >      >          >
>>          >      >          > [root@test certs]# getcert list
>>          >      >          > Number of certificates and requests being
>>         tracked: 8.
>>          >      >          > Request ID '20111214223243':
>>          >      >          >          status: MONITORING
>>          >      >          >          ca-error: Error setting up ccache
>>         for local
>>          >     "host"
>>          >      >         service using
>>          >      >          > default keytab: Clock skew too great.
>>          >      >          >          stuck: no
>>          >      >          >          key pair storage:
>>          >      >          >
>>          >      >
>>          >
>>
>> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
>>          >      >          > Certificate
>>          >      >
>>           DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
>>          >      >          >          certificate:
>>          >      >          >
>>          >      >
>>          >
>>
>> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
>>          >      >          > Certificate DB'
>>          >      >          >          CA: IPA
>>          >      >          >          issuer: CN=Certificate
>>         Authority,O=sample.NET
>>          >      >          >          subject: CN=test.sample.net
>>         <http://test.sample.net>
>>          >     <http://test.sample.net> <http://test.sample.net>
>>          >      >         <http://test.sample.net>,O=sample.NET
>>          >      >          >          expires: 2016-01-29 14:09:46 UTC
>>          >      >          >          eku: id-kp-serverAuth
>>          >      >          >          pre-save command:
>>          >      >          >          post-save command:
>>          >      >          >          track: yes
>>          >      >          >          auto-renew: yes
>>          >      >          > Request ID '20111214223300':
>>          >      >          >          status: MONITORING
>>          >      >          >          ca-error: Error setting up ccache
>>         for local
>>          >     "host"
>>          >      >         service using
>>          >      >          > default keytab: Clock skew too great.
>>          >      >          >          stuck: no
>>          >      >          >          key pair storage:
>>          >      >          >
>>          >      >
>>          >
>>
>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>>          >      >         Certificate
>>          >      >          >
>>         DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>>          >      >          >          certificate:
>>          >      >          >
>>          >      >
>>          >
>>
>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>>          >      >         Certificate
>>          >      >          > DB'
>>          >      >          >          CA: IPA
>>          >      >          >          issuer: CN=Certificate
>>         Authority,O=sample.NET
>>          >      >          >          subject: CN=test.sample.net
>>         <http://test.sample.net>
>>          >     <http://test.sample.net> <http://test.sample.net>
>>          >      >         <http://test.sample.net>,O=sample.NET
>>          >      >          >          expires: 2016-01-29 14:09:45 UTC
>>          >      >          >          eku: id-kp-serverAuth
>>          >      >          >          pre-save command:
>>          >      >          >          post-save command:
>>          >      >          >          track: yes
>>          >      >          >          auto-renew: yes
>>          >      >          > Request ID '20111214223316':
>>          >      >          >          status: MONITORING
>>          >      >          >          ca-error: Error setting up ccache
>>         for local
>>          >     "host"
>>          >      >         service using
>>          >      >          > default keytab: Clock skew too great.
>>          >      >          >          stuck: no
>>          >      >          >          key pair storage:
>>          >      >          >
>>          >      >
>>          >
>>
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>          >      >          > Certificate
>>         DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>          >      >          >          certificate:
>>          >      >          >
>>          >      >
>>          >
>>
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>          >      >          > Certificate DB'
>>          >      >          >          CA: IPA
>>          >      >          >          issuer: CN=Certificate
>>         Authority,O=sample.NET
>>          >      >          >          subject: CN=test.sample.net
>>         <http://test.sample.net>
>>          >     <http://test.sample.net> <http://test.sample.net>
>>          >      >         <http://test.sample.net>,O=sample.NET
>>          >      >          >          expires: 2016-01-29 14:09:45 UTC
>>          >      >          >          eku: id-kp-serverAuth
>>          >      >          >          pre-save command:
>>          >      >          >          post-save command:
>>          >      >          >          track: yes
>>          >      >          >          auto-renew: yes
>>          >      >          > Request ID '20130519130741':
>>          >      >          >          status: NEED_CSR_GEN_PIN
>>          >      >          >          ca-error: Internal error: no
>>         response to
>>          >      >          >
>>          >      >
>>          >
>>
>> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true";.
>>          >      >          >          stuck: yes
>>          >      >          >          key pair storage:
>>          >      >          >
>>          >      >
>>          >
>>
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>>          >      >          > cert-pki-ca',token='NSS Certificate
>>         DB',pin='297100916664
>>          >      >          > '
>>          >      >          >          certificate:
>>          >      >          >
>>          >      >
>>          >
>>
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>>          >      >          > cert-pki-ca',token='NSS Certificate DB'
>>          >      >          >          CA: dogtag-ipa-renew-agent
>>          >      >          >          issuer: CN=Certificate
>>         Authority,O=sample.NET
>>          >      >          >          subject: CN=CA Audit,O=sample.NET
>>          >      >          >          expires: 2017-10-13 14:10:49 UTC
>>          >      >          >          pre-save command:
>>          >     /usr/lib64/ipa/certmonger/stop_pkicad
>>          >      >          >          post-save command:
>>          >      >         /usr/lib64/ipa/certmonger/renew_ca_cert
>>          >      >          > "auditSigningCert cert-pki-ca"
>>          >      >          >          track: yes
>>          >      >          >          auto-renew: yes
>>          >      >          > Request ID '20130519130742':
>>          >      >          >          status: NEED_CSR_GEN_PIN
>>          >      >          >          ca-error: Internal error: no
>>         response to
>>          >      >          >
>>          >      >
>>          >
>>
>> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true";.
>>          >      >          >          stuck: yes
>>          >      >          >          key pair storage:
>>          >      >          >
>>          >      >
>>          >
>>
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>>          >      >          > cert-pki-ca',token='NSS Certificate
>>         DB',pin='297100916664
>>          >      >          > '
>>          >      >          >          certificate:
>>          >      >          >
>>          >      >
>>          >
>>
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>>          >      >          > cert-pki-ca',token='NSS Certificate DB'
>>          >      >          >          CA: dogtag-ipa-renew-agent
>>          >      >          >          issuer: CN=Certificate
>>         Authority,O=sample.NET
>>          >      >          >          subject: CN=OCSP
>>         Subsystem,O=sample.NET
>>          >      >          >          expires: 2017-10-13 14:09:49 UTC
>>          >      >          >          eku: id-kp-OCSPSigning
>>          >      >          >          pre-save command:
>>          >     /usr/lib64/ipa/certmonger/stop_pkicad
>>          >      >          >          post-save command:
>>          >      >         /usr/lib64/ipa/certmonger/renew_ca_cert
>>          >      >          > "ocspSigningCert cert-pki-ca"
>>          >      >          >          track: yes
>>          >      >          >          auto-renew: yes
>>          >      >          > Request ID '20130519130743':
>>          >      >          >          status: NEED_CSR_GEN_PIN
>>          >      >          >          ca-error: Internal error: no
>>         response to
>>          >      >          >
>>          >      >
>>          >
>>
>> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true";.
>>          >      >          >          stuck: yes
>>          >      >          >          key pair storage:
>>          >      >          >
>>          >      >
>>          >
>>
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>>          >      >          > cert-pki-ca',token='NSS Certificate
>>         DB',pin='297100916664
>>          >      >          > '
>>          >      >          >          certificate:
>>          >      >          >
>>          >      >
>>          >
>>
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>>          >      >          > cert-pki-ca',token='NSS Certificate DB'
>>          >      >          >          CA: dogtag-ipa-renew-agent
>>          >      >          >          issuer: CN=Certificate
>>         Authority,O=sample.NET
>>          >      >          >          subject: CN=CA
>> Subsystem,O=sample.NET
>>          >      >          >          expires: 2017-10-13 14:09:49 UTC
>>          >      >          >          eku:
>> id-kp-serverAuth,id-kp-clientAuth
>>          >      >          >          pre-save command:
>>          >     /usr/lib64/ipa/certmonger/stop_pkicad
>>          >      >          >          post-save command:
>>          >      >         /usr/lib64/ipa/certmonger/renew_ca_cert
>>          >      >          > "subsystemCert cert-pki-ca"
>>          >      >          >          track: yes
>>          >      >          >          auto-renew: yes
>>          >      >          > Request ID '20130519130744':
>>          >      >          >          status: MONITORING
>>          >      >          >          ca-error: Internal error: no
>>         response to
>>          >      >          >
>>          >      >
>>          >
>>
>> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true";.
>>          >      >          >          stuck: no
>>          >      >          >          key pair storage:
>>          >      >          >
>>          >      >
>>          >
>>
>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>>          >      >         Certificate
>>          >      >          > DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>          >      >          >          certificate:
>>          >      >          >
>>          >      >
>>          >
>>
>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>>          >      >         Certificate DB'
>>          >      >          >          CA: dogtag-ipa-renew-agent
>>          >      >          >          issuer: CN=Certificate
>>         Authority,O=sample.NET
>>          >      >          >          subject: CN=RA
>> Subsystem,O=sample.NET
>>          >      >          >          expires: 2017-10-13 14:09:49 UTC
>>          >      >          >          eku:
>> id-kp-serverAuth,id-kp-clientAuth
>>          >      >          >          pre-save command:
>>          >      >          >          post-save command:
>>          >      >         /usr/lib64/ipa/certmonger/renew_ra_cert
>>          >      >          >          track: yes
>>          >      >          >          auto-renew: yes
>>          >      >          > Request ID '20130519130745':
>>          >      >          >          status: NEED_CSR_GEN_PIN
>>          >      >          >          ca-error: Internal error: no
>>         response to
>>          >      >          >
>>          >      >
>>          >
>>
>> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true";.
>>          >      >          >          stuck: yes
>>          >      >          >          key pair storage:
>>          >      >          >
>>          >
>>
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>>          >      >          > cert-pki-ca',token='NSS Certificate
>>         DB',pin='297100916664
>>          >      >          > '
>>          >      >          >          certificate:
>>          >      >          >
>>          >
>>
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to