More updates; it turns out that there were some duplicate and expired
certificates as well as incorrect trust attributes; (e.g. seeing 2
instances of Server-Cert from certutil -L -d /etc/httpd/alias).  So I
deleted the duplicate cert and re-add certificate w/ valid date and
fix cert trust attributes along the way.

So it went from this

[root@test ~]# certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes

SSL,S/MIME,JAR/XPI

Server-Cert                                                     u,u,u
ipaCert                                                           u,u,u
sample.NET IPA CA                                          CT,C,C
ipaCert                                                           u,u,u
Signing-Cert                                                    u,u,u
Server-Cert                                                     u,u,u

to this

[root@test ~]# certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes

SSL,S/MIME,JAR/XPI

ipaCert                                                            u,u,u
Server-Cert                                                     u,u,u
sample.NET IPA CA                                          CT,C,C
Signing-Cert                                                    u,u,u

And also re-try resubmit/restart processes but unfortunately error
persists ( ca-error: Server failed request, will retry: 4301 (RPC
failed at server.  Certificate operation cannot be completed : Unable
to communicate with CMS (Not Found)).)

Currently I am on the process to recreate this problem on RHEL 6 to
try to get RH support on this.

Thanks, Anthony


On Wed, May 4, 2016 at 10:34 AM, Anthony Cheng
<anthony.wan.ch...@gmail.com> wrote:
> On Wed, May 4, 2016 at 9:07 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
>> Anthony Cheng wrote:
>>>
>>> Small update, I found an article on the RH solution library
>>> (https://access.redhat.com/solutions/2020223) that has the same error
>>> code that I am getting and I followed the steps with certutil to update
>>> the cert attributes but it is still not working.  The article is listed
>>> as "Solution in Progress".
>>>
>>> [root@test ~]# getcert list | more
>>>
>>> Number of certificates and requests being tracked: 7.
>>>
>>> Request ID '20111214223243':
>>>
>>> status: CA_UNREACHABLE
>>>
>>> ca-error: Server failed request, will retry: 4301 (RPC failed at
>>> server.Certificate operation cannot be comp
>>>
>>> leted: Unable to communicate with CMS (Not Found)).
>>
>>
>> Not Found means the CA didn't start. You need to examine the debug and
>> selftest logs to determine why.
>>
>> rob
>
> selftests.log is empty; there are entries for other time but not for
> the test to when I set the clock to renew certs.
>
> [root@test pki-ca]# clock
> Fri 29 Jan 2016 08:19:54 AM UTC  -0.960583 seconds
> [root@test pki-ca]#
> [root@test pki-ca]#
>
> [root@test pki-ca]# ll * | grep self
> -rw-r-----. 1 pkiuser pkiuser         0 Nov 23 14:11 selftests.log
> -rw-r-----. 1 pkiuser pkiuser      1206 Apr  7  2015
> selftests.log.20150407143526
> -rw-r-----. 1 pkiuser pkiuser      3673 Jun 30  2015
> selftests.log.20150630163924
> -rw-r-----. 1 pkiuser pkiuser      1217 Aug 31 20:07
> selftests.log.20150831160735
> -rw-r-----. 1 pkiuser pkiuser      3798 Oct 24 14:12
> selftests.log.20151024101159
>
> From debug log I see some error messages:
>
> [28/Jan/2016:21:09:03][main]: SigningUnit init: debug
> org.mozilla.jss.crypto.ObjectNotFoundException
> [28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException
> Certificate object not found
>         at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
>
> Full log:
>
> [28/Jan/2016:21:07:30][main]: CMSEngine.shutdown()
> [28/Jan/2016:21:09:02][main]: ============================================
> [28/Jan/2016:21:09:02][main]: =====  DEBUG SUBSYSTEM INITIALIZED   =======
> [28/Jan/2016:21:09:02][main]: ============================================
> [28/Jan/2016:21:09:02][main]: CMSEngine: done init id=debug
> [28/Jan/2016:21:09:02][main]: CMSEngine: initialized debug
> [28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=log
> [28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=log
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> AUDIT_LOG_STARTUP
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> AUDIT_LOG_SHUTDOWN
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: ROLE_ASSUME
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> CONFIG_CERT_POLICY
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> CONFIG_CERT_PROFILE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> CONFIG_CRL_PROFILE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> CONFIG_OCSP_PROFILE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_AUTH
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_ROLE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_ACL
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> CONFIG_SIGNED_AUDIT
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> CONFIG_ENCRYPTION
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> CONFIG_TRUSTED_PUBLIC_KEY
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_DRM
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> SELFTESTS_EXECUTION
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: 
> AUDIT_LOG_DELETE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: 
> LOG_PATH_CHANGE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> PRIVATE_KEY_ARCHIVE_REQUEST
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> KEY_RECOVERY_REQUEST
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> KEY_RECOVERY_REQUEST_ASYNC
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> KEY_RECOVERY_AGENT_LOGIN
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> KEY_RECOVERY_REQUEST_PROCESSED
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> KEY_RECOVERY_REQUEST_PROCESSED_ASYNC
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> KEY_GEN_ASYMMETRIC
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> NON_PROFILE_CERT_REQUEST
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> PROFILE_CERT_REQUEST
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> CERT_REQUEST_PROCESSED
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> CERT_STATUS_CHANGE_REQUEST
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> CERT_STATUS_CHANGE_REQUEST_PROCESSED
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUTHZ_SUCCESS
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUTHZ_FAIL
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: INTER_BOUNDARY
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUTH_FAIL
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUTH_SUCCESS
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> CERT_PROFILE_APPROVAL
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> PROOF_OF_POSSESSION
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CRL_RETRIEVAL
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CRL_VALIDATION
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> CMC_SIGNED_REQUEST_SIG_VERIFY
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> SERVER_SIDE_KEYGEN_REQUEST
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> COMPUTE_SESSION_KEY_REQUEST
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> DIVERSIFY_KEY_REQUEST
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> ENCRYPT_DATA_REQUEST
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> OCSP_ADD_CA_REQUEST
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> OCSP_ADD_CA_REQUEST_PROCESSED
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> OCSP_REMOVE_CA_REQUEST
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> COMPUTE_RANDOM_DATA_REQUEST
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected:
> CIMC_CERT_VERIFICATION
> [28/Jan/2016:21:09:02][main]: CMSEngine: done init id=log
> [28/Jan/2016:21:09:02][main]: CMSEngine: initialized log
> [28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=os
> [28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=os
> [28/Jan/2016:21:09:02][main]: CMSEngine: done init id=os
> [28/Jan/2016:21:09:02][main]: CMSEngine: initialized os
> [28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=jss
> [28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=jss
> [28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl
> cipher rsa_rc4_40_md5
> [28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl
> cipher rsa_rc2_40_md5
> [28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl
> cipher rsa_des_sha
> [28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl
> cipher rsa_rc4_128_md5
> [28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl
> cipher rsa_3des_sha
> [28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl
> cipher rsa_fips_des_sha
> [28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl
> cipher rsa_fips_3des_sha
> [28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl
> cipher fortezza
> [28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl
> cipher fortezza_rc4_128_sha
> [28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl
> cipher rsa_null_md5
> [28/Jan/2016:21:09:02][main]: CMSEngine: done init id=jss
> [28/Jan/2016:21:09:02][main]: CMSEngine: initialized jss
> [28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=dbs
> [28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=dbs
> [28/Jan/2016:21:09:02][main]: LdapBoundConnFactory: init
> [28/Jan/2016:21:09:02][main]: LdapBoundConnFactory:doCloning true
> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init()
> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init begins
> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: prompt is Internal
> LDAP Database
> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: try getting from memory 
> cache
> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: password not in memory
> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: getPasswordFromStore: try
> to get it from password store
> [28/Jan/2016:21:09:02][main]: CMSEngine: getPasswordStore(): password
> store initialized before.
> [28/Jan/2016:21:09:02][main]: CMSEngine: getPasswordStore(): password
> store initialized.
> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: getPasswordFromStore:
> about to get from passwored store: Internal LDAP Da
> tabase
> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: getPasswordFromStore:
> password store available
> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: getPasswordFromStore:
> password for Internal LDAP Database not found, tryi
> ng internaldb
> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: password ok: store in memory cache
> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init ends
> [28/Jan/2016:21:09:02][main]: init: before makeConnection errorIfDown is true
> [28/Jan/2016:21:09:02][main]: makeConnection: errorIfDown true
> [28/Jan/2016:21:09:02][main]: Established LDAP connection using basic
> authentication to host test.sample.net port 738
> 9 as cn=Directory Manager
> [28/Jan/2016:21:09:02][main]: initializing with mininum 3 and maximum
> 15 connections to host test.sample.net port 738
> 9, secure connection, false, authentication type 1
> [28/Jan/2016:21:09:02][main]: increasing minimum connections by 3
> [28/Jan/2016:21:09:02][main]: new total available connections 3
> [28/Jan/2016:21:09:02][main]: new number of connections 3
> [28/Jan/2016:21:09:02][main]: CMSEngine: done init id=dbs
> [28/Jan/2016:21:09:02][main]: CMSEngine: initialized dbs
> [28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=usrgrp
> [28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=usrgrp
> [28/Jan/2016:21:09:02][main]: LdapBoundConnFactory: init
> [28/Jan/2016:21:09:02][main]: LdapBoundConnFactory:doCloning true
> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init()
> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init begins
> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: prompt is Internal
> LDAP Database
> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: try getting from memory 
> cache
> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: got password from memory
> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: password found for prompt.
> [28/Jan/2016:21:09:03][main]: LdapAuthInfo: password ok: store in memory cache
> [28/Jan/2016:21:09:03][main]: LdapAuthInfo: init ends
> [28/Jan/2016:21:09:03][main]: init: before makeConnection errorIfDown is false
> [28/Jan/2016:21:09:03][main]: makeConnection: errorIfDown false
> [28/Jan/2016:21:09:03][main]: Established LDAP connection using basic
> authentication to host test.sample.net port 738
> 9 as cn=Directory Manager
> [28/Jan/2016:21:09:03][main]: initializing with mininum 3 and maximum
> 15 connections to host test.sample.net port 738
> 9, secure connection, false, authentication type 1
> [28/Jan/2016:21:09:03][main]: increasing minimum connections by 3
> [28/Jan/2016:21:09:03][main]: new total available connections 3
> [28/Jan/2016:21:09:03][main]: new number of connections 3
> [28/Jan/2016:21:09:03][main]: CMSEngine: done init id=usrgrp
> [28/Jan/2016:21:09:03][main]: CMSEngine: initialized usrgrp
> [28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=registry
> [28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=registry
> [28/Jan/2016:21:09:03][main]: RegistrySubsystem: start init
> [28/Jan/2016:21:09:03][main]: added plugin profileOutput
> pkcs7OutputImpl PKCS7 Output PKCS7 Output com.netscape.cms.p
> rofile.output.PKCS7Output
> [28/Jan/2016:21:09:03][main]: added plugin profileOutput
> cmmfOutputImpl CMMF Response Output CMMF Response Output com
> .netscape.cms.profile.output.CMMFOutput
> [28/Jan/2016:21:09:03][main]: added plugin profileOutput
> certOutputImpl Certificate Output Certificate Output com.net
> scape.cms.profile.output.CertOutput
> [28/Jan/2016:21:09:03][main]: added plugin profileOutput
> nsNKeyOutputImpl nsNKeyOutputImpl nsNKeyOutputImpl com.netsc
> ape.cms.profile.output.nsNKeyOutput
> [28/Jan/2016:21:09:03][main]: added plugin profileInput
> submitterInfoInputImpl Submitter Information Input Submitter
> Information Input com.netscape.cms.profile.input.SubmitterInfoInput
> [28/Jan/2016:21:09:03][main]: added plugin profileInput
> serialNumRenewInputImpl Certificate Renewal Request Serial Nu
> mber Input Certificate Renewal Request Serial Number Input
> com.netscape.cms.profile.input.SerialNumRenewInput
> [28/Jan/2016:21:09:03][main]: added plugin profileInput
> dualKeyGenInputImpl Dual Key Generation Input Dual Key Genera
> tion Input com.netscape.cms.profile.input.DualKeyGenInput
> [28/Jan/2016:21:09:03][main]: added plugin profileInput
> nsNKeyCertReqInputImpl nsNKeyCertReqInputImpl nsNKeyCertReqIn
> putImpl com.netscape.cms.profile.input.nsNKeyCertReqInput
> [28/Jan/2016:21:09:03][main]: added plugin profileInput
> fileSigningInputImpl File Signing Input File Signing Input co
> m.netscape.cms.profile.input.FileSigningInput
> [28/Jan/2016:21:09:03][main]: added plugin profileInput
> certReqInputImpl Certificate Request Input Certificate Reques
> t Input com.netscape.cms.profile.input.CertReqInput
> [28/Jan/2016:21:09:03][main]: added plugin profileInput
> cmcCertReqInputImpl CMC Certificate Request Input CMC Certifi
> cate Request Input com.netscape.cms.profile.input.CMCCertReqInput
> [28/Jan/2016:21:09:03][main]: added plugin profileInput
> nsHKeyCertReqInputImpl nsHKeyCertReqInputImpl nsHKeyCertReqIn
> putImpl com.netscape.cms.profile.input.nsHKeyCertReqInput
> [28/Jan/2016:21:09:03][main]: added plugin profileInput
> subjectDNInputImpl Subject DN Input Subject DN Input com.nets
> cape.cms.profile.input.SubjectDNInput
> [28/Jan/2016:21:09:03][main]: added plugin profileInput
> keyGenInputImpl Key Generation Input Key Generation Input com
> .netscape.cms.profile.input.KeyGenInput
> [28/Jan/2016:21:09:03][main]: added plugin profileInput
> genericInputImpl Generic Input Generic Input com.netscape.cms
> .profile.input.GenericInput
> [28/Jan/2016:21:09:03][main]: added plugin profileInput imageInputImpl
> Image Input Image Input com.netscape.cms.profi
> le.input.ImageInput
> [28/Jan/2016:21:09:03][main]: added plugin profileInput
> subjectNameInputImpl Subject Name Input Subject Name Input co
> m.netscape.cms.profile.input.SubjectNameInput
> [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy
> basicConstraintsExtConstraintImpl Basic Constraints Exten
> sion Constraint Basic Constraints Extension Constraint
> com.netscape.cms.profile.constraint.BasicConstraintsExtConstra
> int
> [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy
> noConstraintImpl No Constraint No Constraint com.netscape
> .cms.profile.constraint.NoConstraint
> [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy
> signingAlgConstraintImpl Signing Algorithm Constraint Sig
> ning Algorithm Constraint
> com.netscape.cms.profile.constraint.SigningAlgConstraint
> [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy
> extendedKeyUsageExtConstraintImpl Extended Key Usage Exte
> nsion Constraint Extended Key Usage Extension Constraint
> com.netscape.cms.profile.constraint.ExtendedKeyUsageExtConst
> raint
> [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy
> extensionConstraintImpl Extension Constraint Extension Co
> nstraint com.netscape.cms.profile.constraint.ExtensionConstraint
> [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy
> subjectNameConstraintImpl Subject Name Constraint Subject
>  Name Constraint com.netscape.cms.profile.constraint.SubjectNameConstraint
> [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy
> uniqueSubjectNameConstraintImpl Unique Subject Name Const
> raint Unique Subject Name Constraint
> com.netscape.cms.profile.constraint.UniqueSubjectNameConstraint
> [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy
> keyUsageExtConstraintImpl Key Usage Extension Constraint
> Key Usage Extension Constraint
> com.netscape.cms.profile.constraint.KeyUsageExtConstraint
> [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy
> renewGracePeriodConstraintImpl Renewal Grace Period Const
> raint Renewal Grace Period Constraint
> com.netscape.cms.profile.constraint.RenewGracePeriodConstraint
> [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy
> keyConstraintImpl Key Constraint Key Constraint com.netsc
> ape.cms.profile.constraint.KeyConstraint
> [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy
> nsCertTypeExtConstraintImpl Netscape Certificate Type Ext
> ension Constraint Netscape Certificate Type Extension Constraint
> com.netscape.cms.profile.constraint.NSCertTypeExtCon
> straint
> [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy
> validityConstraintImpl Validity Constraint Validity Const
> raint com.netscape.cms.profile.constraint.ValidityConstraint
> [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy
> uniqueKeyConstraintImpl Unique Public Key Constraint Uniq
> ue Public Key Constraint 
> com.netscape.cms.profile.constraint.UniqueKeyConstraint
> [28/Jan/2016:21:09:03][main]: added plugin profile caEnrollImpl
> Generic Certificate Enrollment Profile Certificate Au
> thority Generic Certificate Enrollment Profile
> com.netscape.cms.profile.common.CAEnrollProfile
> [28/Jan/2016:21:09:03][main]: added plugin profile
> caUserCertEnrollImpl User Certificate Enrollment Profile Certifica
> te Authority User Certificate Enrollment Profile
> com.netscape.cms.profile.common.UserCertCAEnrollProfile
> [28/Jan/2016:21:09:03][main]: added plugin profile
> caServerCertEnrollImpl Server Certificate Enrollment Profile Certi
> ficate Authority Server Certificate Enrollment Profile
> com.netscape.cms.profile.common.ServerCertCAEnrollProfile
> [28/Jan/2016:21:09:03][main]: added plugin profile caCACertEnrollImpl
> CA Certificate Enrollment Profile Certificate A
> uthority CA Certificate Enrollment Profile
> com.netscape.cms.profile.common.CACertCAEnrollProfile
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> userKeyDefaultImpl User Supplied Key Default User Supplied K
> ey Default com.netscape.cms.profile.def.UserKeyDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> freshestCRLExtDefaultImpl Freshest CRL Extension Default Fre
> shest CRL Extension Default com.netscape.cms.profile.def.FreshestCRLExtDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> authInfoAccessExtDefaultImpl Authority Info Access Extension
>  Default Authority Info Access Extension Default
> com.netscape.cms.profile.def.AuthInfoAccessExtDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> nsTokenUserKeySubjectNameDefaultImpl nsTokenUserKeySubjectNa
> meDefault nsTokenUserKeySubjectNameDefaultImpl
> com.netscape.cms.profile.def.nsTokenUserKeySubjectNameDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> genericExtDefaultImpl Generic Extension Generic Extension co
> m.netscape.cms.profile.def.GenericExtDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> authorityKeyIdentifierExtDefaultImpl Authority Key Identifie
> r Extension Default Authority Key Identifier Extension Default
> com.netscape.cms.profile.def.AuthorityKeyIdentifierExt
> Default
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> issuerAltNameExtDefaultImpl Issuer Alternative Name Extensio
> n Default Issuer Alternative Name Extension Default
> com.netscape.cms.profile.def.IssuerAltNameExtDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> basicConstraintsExtDefaultImpl Basic Constraints Extension D
> efault Basic Constraints Extension Default
> com.netscape.cms.profile.def.BasicConstraintsExtDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> keyUsageExtDefaultImpl Key Usage Extension Default Key Usage
>  Extension Default com.netscape.cms.profile.def.KeyUsageExtDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> ocspNoCheckExtDefaultImpl OCSP No Check Extension Default OC
> SP No Check Extension Default 
> com.netscape.cms.profile.def.OCSPNoCheckExtDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> subjectAltNameExtDefaultImpl Subject Alternative Name Extens
> ion Default Subject Alternative Name Extension Default
> com.netscape.cms.profile.def.SubjectAltNameExtDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> userValidityDefaultImpl User Supplied Validity Default User
> Supplied Validity Default com.netscape.cms.profile.def.UserValidityDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> userSubjectNameDefaultImpl User Supplied Subject Name Defaul
> t User Supplied Subject Name Default
> com.netscape.cms.profile.def.UserSubjectNameDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> subjectDirAttributesExtDefaultImpl Subject Directory Attribu
> tes Extension Default Subject Directory Attributes Extension Default
> com.netscape.cms.profile.def.SubjectDirAttribute
> sExtDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> certificateVersionDefaultImpl Certificate Version Default Ce
> rtificate Version Default 
> com.netscape.cms.profile.def.CertificateVersionDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> extendedKeyUsageExtDefaultImpl Extended Key Usage Extension
> Default Extended Key Usage Extension Default
> com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> policyConstraintsExtDefaultImpl Policy Constraints Extension
>  Default Policy Constraints Extension Default
> com.netscape.cms.profile.def.PolicyConstraintsExtDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> crlDistributionPointsExtDefaultImpl CRL Distribution Points
> Extension Default CRL Distribution Points Extension Default
> com.netscape.cms.profile.def.CRLDistributionPointsExtDefa
> ult
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> certificatePoliciesExtDefaultImpl Certificate Policies Exten
> sion Default Certificate Policies Extension Default
> com.netscape.cms.profile.def.CertificatePoliciesExtDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> validityDefaultImpl Validity Default Validty Default com.net
> scape.cms.profile.def.ValidityDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> privateKeyPeriodExtDefaultImpl Private Key Period Ext Defaul
> t Private Key Period Ext Default
> com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy noDefaultImpl
> No Default No Default com.netscape.cms.profile
> .def.NoDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> imageDefaultImpl Image Default Image Default com.netscape.cm
> s.profile.def.ImageDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> subjectInfoAccessExtDefaultImpl Subject Info Access Extensio
> n Default Subject Info Access Extension Default
> com.netscape.cms.profile.def.SubjectInfoAccessExtDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> autoAssignDefaultImpl Auto Request Assignment Default Auto R
> equest Assignment Default com.netscape.cms.profile.def.AutoAssignDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> policyMappingsExtDefaultImpl Policy Mappings Extension Defau
> lt Policy Mappings Extension Default
> com.netscape.cms.profile.def.PolicyMappingsExtDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> caValidityDefaultImpl CA Certificate Validity Default CA Cer
> tificate Validty Default com.netscape.cms.profile.def.CAValidityDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> userExtensionDefaultImpl User Supplied Extension Default Use
> r Supplied Extension Default com.netscape.cms.profile.def.UserExtensionDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> nsCertTypeExtDefaultImpl Netscape Certificate Type Extension
>  Default Netscape Certificate Type Extension Default
> com.netscape.cms.profile.def.NSCertTypeExtDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> authTokenSubjectNameDefaultImpl Token Supplied Subject Name
> Default Token Supplied Subject Name Default
> com.netscape.cms.profile.def.AuthTokenSubjectNameDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> subjectNameDefaultImpl Subject Name Default Subject Name Def
> ault com.netscape.cms.profile.def.SubjectNameDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> userSigningAlgDefaultImpl User Supplied Signing Alg Default
> User Supplied Signing Alg Default
> com.netscape.cms.profile.def.UserSigningAlgDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> subjectKeyIdentifierExtDefaultImpl Subject Key Identifier De
> fault Subject Key Identifier Default
> com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy Extension
> Default Inhibit Any-Policy Extension Default
> com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> nsTokenDeviceKeySubjectNameDefaultImpl nsTokenDeviceKeySubje
> ctNameDefault nsTokenDeviceKeySubjectNameDefaultImpl
> com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> nscCommentExtDefaultImpl Netscape Comment Extension Default
> Netscape Comment Extension Default
> com.netscape.cms.profile.def.NSCCommentExtDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> signingAlgDefaultImpl Signing Algorithm Default Signing Algo
> rithm Default com.netscape.cms.profile.def.SigningAlgDefault
> [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
> nameConstraintsExtDefaultImpl Name Constraints Extension Def
> ault Name Constraints Extension Default
> com.netscape.cms.profile.def.NameConstraintsExtDefault
> [28/Jan/2016:21:09:03][main]: added plugin profileUpdater
> subsystemGroupUpdaterImpl Updater for Subsystem Group Updat
> er for Subsystem Group com.netscape.cms.profile.updater.SubsystemGroupUpdater
> [28/Jan/2016:21:09:03][main]: CMSEngine: done init id=registry
> [28/Jan/2016:21:09:03][main]: CMSEngine: initialized registry
> [28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=oidmap
> [28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=oidmap
> [28/Jan/2016:21:09:03][main]: CMSEngine: done init id=oidmap
> [28/Jan/2016:21:09:03][main]: CMSEngine: initialized oidmap
> [28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=X500Name
> [28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=X500Name
> [28/Jan/2016:21:09:03][main]: CMSEngine: done init id=X500Name
> [28/Jan/2016:21:09:03][main]: CMSEngine: initialized X500Name
> [28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=request
> [28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=request
> [28/Jan/2016:21:09:03][main]: CMSEngine: done init id=request
> [28/Jan/2016:21:09:03][main]: CMSEngine: initialized request
> [28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=ca
> [28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=ca
> [28/Jan/2016:21:09:03][main]: CertificateAuthority init
> [28/Jan/2016:21:09:03][main]: Cert Repot inited
> [28/Jan/2016:21:09:03][main]: CRL Repot inited
> [28/Jan/2016:21:09:03][main]: Replica Repot inited
> [28/Jan/2016:21:09:03][main]: ca.signing Signing Unit nickname
> caSigningCert cert-pki-ca
> [28/Jan/2016:21:09:03][main]: Got token Internal Key Storage Token by name
> [28/Jan/2016:21:09:03][main]: Found cert by nickname: 'caSigningCert
> cert-pki-ca' with serial number: 1
> [28/Jan/2016:21:09:03][main]: converted to x509CertImpl
> [28/Jan/2016:21:09:03][main]: Got private key from cert
> [28/Jan/2016:21:09:03][main]: Got public key from cert
> [28/Jan/2016:21:09:03][main]: got signing algorithm 
> RSASignatureWithSHA256Digest
> [28/Jan/2016:21:09:03][main]: CA signing unit inited
> [28/Jan/2016:21:09:03][main]: cachainNum= 0
> [28/Jan/2016:21:09:03][main]: in init - got CA chain from JSS.
> [28/Jan/2016:21:09:03][main]: ca.ocsp_signing Signing Unit nickname
> ca.ocsp_signing.cert
> [28/Jan/2016:21:09:03][main]: Got token Internal Key Storage Token by name
> [28/Jan/2016:21:09:03][main]: SigningUnit init: debug
> org.mozilla.jss.crypto.ObjectNotFoundException
> [28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException
> Certificate object not found
>         at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
>         at 
> com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1204)
>         at 
> com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
>         at 
> com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
>         at 
> com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
>         at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
>         at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
>         at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
>         at 
> com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
>         at 
> org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
>         at 
> org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
>         at 
> org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
>         at 
> org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
>         at 
> org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
>         at 
> org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
>         at 
> org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
>         at 
> org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
>         at 
> org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
>         at 
> org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
>         at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
>         at 
> org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
>         at 
> org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
>         at 
> org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
>         at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
>         at 
> org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
>         at 
> org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
>         at 
> org.apache.catalina.core.StandardService.start(StandardService.java:516)
>         at 
> org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
>         at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:616)
>         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
> [28/Jan/2016:21:09:03][main]: CMSEngine.shutdown()
> [28/Jan/2016:21:14:02][Timer-0]: CMSEngine: getPasswordStore():
> password store initialized before.
> [28/Jan/2016:21:14:02][Timer-0]: CMSEngine: getPasswordStore():
> password store initialized.
> [28/Jan/2016:21:19:02][Timer-0]: CMSEngine: getPasswordStore():
> password store initialized before.
> [28/Jan/2016:21:19:02][Timer-0]: CMSEngine: getPasswordStore():
> password store initialized.
>
>
>
>
>>
>>>
>>> stuck: yes
>>>
>>> key pair storage:
>>>
>>> type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS
>>> Certifi
>>>
>>> cate DB',pinfile='/etc/dirsrv/slapd-SAMPLE-NET//pwdfile.txt'
>>>
>>> certificate:
>>>
>>> type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS
>>> Certificate
>>>
>>> DB'
>>>
>>> CA: IPA
>>>
>>> issuer: CN=Certificate Authority,O=SAMPLE.NET <http://SAMPLE.NET>
>>>
>>> subject: CN=caer.SAMPLE.net <http://caer.SAMPLE.net>,O=SAMPLE.NET
>>> <http://SAMPLE.NET>
>>>
>>> expires: 2016-01-29 14:09:46 UTC
>>>
>>> eku: id-kp-serverAuth
>>>
>>> pre-save command:
>>>
>>> post-save command:
>>>
>>> track: yes
>>>
>>> auto-renew: yes
>>>
>>>
>>>
>>> On Mon, May 2, 2016 at 5:35 PM Anthony Cheng
>>> <anthony.wan.ch...@gmail.com <mailto:anthony.wan.ch...@gmail.com>> wrote:
>>>
>>>     On Mon, May 2, 2016 at 9:54 AM Rob Crittenden <rcrit...@redhat.com
>>>     <mailto:rcrit...@redhat.com>> wrote:
>>>
>>>         Anthony Cheng wrote:
>>>          > On Sat, Apr 30, 2016 at 10:08 AM Rob Crittenden
>>>         <rcrit...@redhat.com <mailto:rcrit...@redhat.com>
>>>          > <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>>>
>>> wrote:
>>>          >
>>>          >     Anthony Cheng wrote:
>>>          >      > OK so I made process on my cert renew issue; I was
>>>         able to get kinit
>>>          >      > working so I can follow the rest of the steps here
>>>          >      > (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
>>>          >      >
>>>          >      > However, after using
>>>          >      >
>>>          >      > ldapmodify -x -h localhost -p 7389 -D 'cn=directory
>>>         manager' -w
>>>          >     password
>>>          >      >
>>>          >      > and restarting apache (/sbin/service httpd restart),
>>>         resubmitting 3
>>>          >      > certs (ipa-getcert resubmit -i <ID>) and restarting
>>>         IPA (resubmit
>>>          >     -i <ID>)
>>>          >      > (/sbin/service ipa restart), I still see:
>>>          >      >
>>>          >      > [root@test ~]# ipa-getcert list | more
>>>          >      > Number of certificates and requests being tracked: 8.
>>>          >      > Request ID '20111214223243':
>>>          >      >          status: CA_UNREACHABLE
>>>          >      >          ca-error: Server failed request, will retry:
>>>         4301 (RPC
>>>          >     failed
>>>          >      > at server.  Certificate operation cannot be compl
>>>          >      > eted: Unable to communicate with CMS (Not Found)).
>>>          >
>>>          >     IPA proxies requests to the CA through Apache. This means
>>>         that while
>>>          >     tomcat started ok it didn't load the dogtag CA
>>>         application, hence the
>>>          >     Not Found.
>>>          >
>>>          >     Check the CA debug and selftest logs to see why it failed
>>>         to start
>>>          >     properly.
>>>          >
>>>          >     [ snip ]
>>>          >
>>>          > Actually after a reboot that error went away and I just get
>>>         this error
>>>          > instead "ca-error: Server failed request, will retry: -504
>>>         (libcurl
>>>          > failed to execute the HTTP POST transaction. Peer certificate
>>>         cannot be
>>>          > auth enticated with known CA certificates)." from "getcert
>>> list"
>>>          >
>>>          > Result of service ipa restart is interesting since it shows
>>>         today's time
>>>          > when I already changed date/time/disable NTP so somehow the
>>>         system still
>>>          > know today's time.
>>>          >
>>>          > PKI-IPA...[02/May/2016:13:26:10 +0000] - SSL alert:
>>>          > CERT_VerifyCertificateNow: verify certificate failed for cert
>>>          > Server-Cert of family cn=RSA,cn=encryption,cn=config
>>>         (Netscape Portable
>>>          > Runtime error -8181 - Peer's Certificate has expired.)
>>>
>>>         Hard to say. I'd confirm that there is no time syncing service
>>>         running,
>>>         ntp or otherwise.
>>>
>>>
>>>     I found out why the time kept changing; it was due to the fact that
>>>     it has VM tools installed (i didn't configure this box) so it
>>>     automatically sync time during bootup.
>>>
>>>     I did still see this error message:
>>>
>>>     ca-error: Server failed request, will retry: 4301 (RPC failed at
>>>     server. Certificate operation cannot be completed: Unable to
>>>     communicate with CMS (Not Found))
>>>
>>>     I tried the step http://www.freeipa.org/page/Troubleshooting with
>>>
>>>     certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt
>>>     openssl x509 -text -in /tmp/ra.crt
>>>     certutil -A -n ipaCert -d /etc/httpd/alias -t u,u,u -a -i /tmp/ra.crt
>>>     service httpd restart
>>>
>>>     So that I can get rid of one of the CA cert that is expired (kept
>>>     the 1st one) but still getting same error
>>>
>>>     What exactly is CMS and why is it not found?
>>>
>>>
>>>     I did notice that the selftest log is empty with a different time:
>>>
>>>     -rw-r-----. 1 pkiuser pkiuser 0 Nov 23 14:11
>>>     /var/log/pki-ca/selftests.log
>>>
>>>     [root@test ~]# clock Wed 27 Jan 2016 03:33:00 PM UTC -0.046800 seconds
>>>
>>>
>>>     Here are some debug log after reboot:
>>>
>>>     [root@test pki-ca]# tail -n 100 catalina.out
>>>
>>>     INFO: JK: ajp13 listening on /0.0.0.0:9447 <http://0.0.0.0:9447>
>>>
>>>     Jan 27, 2016 2:45:31 PM org.apache.jk.server.JkMain start
>>>
>>>     INFO: Jk running ID=0 time=1/23config=null
>>>
>>>     Jan 27, 2016 2:45:31 PM org.apache.catalina.startup.Catalina start
>>>
>>>     INFO: Server startup in 1722 ms
>>>
>>>     Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>>>
>>>     INFO: Pausing Coyote HTTP/1.1 on http-9180
>>>
>>>     Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>>>
>>>     INFO: Pausing Coyote HTTP/1.1 on http-9443
>>>
>>>     Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>>>
>>>     INFO: Pausing Coyote HTTP/1.1 on http-9445
>>>
>>>     Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>>>
>>>     INFO: Pausing Coyote HTTP/1.1 on http-9444
>>>
>>>     Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>>>
>>>     INFO: Pausing Coyote HTTP/1.1 on http-9446
>>>
>>>     Jan 27, 2016 2:56:22 PM org.apache.catalina.core.StandardService stop
>>>
>>>     INFO: Stopping service Catalina
>>>
>>>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>>     clearReferencesThreads
>>>
>>>     SEVERE: A web application appears to have started a thread named
>>>     [Timer-0] but has failed to stop it. This is very like
>>>
>>>     ly to create a memory leak.
>>>
>>>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>>     clearReferencesThreads
>>>
>>>     SEVERE: A web application appears to have started a thread named
>>>     [/var/lib/pki-ca/logs/signedAudit/ca_audit.flush-4] bu
>>>
>>>     t has failed to stop it. This is very likely to create a memory leak.
>>>
>>>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>>     clearReferencesThreads
>>>
>>>     SEVERE: A web application appears to have started a thread named
>>>     [/var/lib/pki-ca/logs/signedAudit/ca_audit.rollover-6]
>>>
>>>     but has failed to stop it. This is very likely to create a memory
>>> leak.
>>>
>>>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>>     clearReferencesThreads
>>>
>>>     SEVERE: A web application appears to have started a thread named
>>>     [/var/lib/pki-ca/logs/system.flush-6] but has failed t
>>>
>>>     o stop it. This is very likely to create a memory leak.
>>>
>>>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>>     clearReferencesThreads
>>>
>>>     SEVERE: A web application appears to have started a thread named
>>>     [/var/lib/pki-ca/logs/system.rollover-8] but has faile
>>>
>>>     d to stop it. This is very likely to create a memory leak.
>>>
>>>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>>     clearReferencesThreads
>>>
>>>     SEVERE: A web application appears to have started a thread named
>>>     [/var/lib/pki-ca/logs/transactions.flush-9] but has fa
>>>
>>>     iled to stop it. This is very likely to create a memory leak.
>>>
>>>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>>     clearReferencesThreads
>>>
>>>     SEVERE: A web application appears to have started a thread named
>>>     [/var/lib/pki-ca/logs/transactions.rollover-10] but ha
>>>
>>>     s failed to stop it. This is very likely to create a memory leak.
>>>
>>>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>>     clearReferencesThreads
>>>
>>>     SEVERE: A web application appears to have started a thread named
>>>     [LDAPConnThread-2 ldap://test.sample.net:7389
>>>     <http://test.sample.net:7389>] but has failed to stop it. This is
>>>     very likely to create a memory leak.
>>>
>>>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>>     clearReferencesThreads
>>>
>>>     SEVERE: A web application appears to have started a thread named
>>>     [LDAPConnThread-3 ldap://test.sample.net:7389
>>>     <http://test.sample.net:7389>] but has failed to stop it. This is
>>>     very likely to create a memory leak.
>>>
>>>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>>     clearReferencesThreads
>>>
>>>     SEVERE: A web application appears to have started a thread named
>>>     [LDAPConnThread-4 ldap://test.sample.net:7389
>>>     <http://test.sample.net:7389>] but has failed to stop it. This is
>>>     very likely to create a memory leak.
>>>
>>>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>>     clearThreadLocalMap
>>>
>>>     SEVERE: A web application created a ThreadLocal with key of type
>>>     [null] (value [com.netscape.cmscore.util.Debug$1@228b677f]) and a
>>>     value of type [java.text.SimpleDateFormat] (value
>>>     [java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when
>>>     the web application was stopped. To prevent a memory leak, the
>>>     ThreadLocal has been forcibly removed.
>>>
>>>     Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
>>>     clearThreadLocalMap
>>>
>>>     SEVERE: A web application created a ThreadLocal with key of type
>>>     [null] (value [com.netscape.cmscore.util.Debug$1@228b677f]) and a
>>>     value of type [java.text.SimpleDateFormat] (value
>>>     [java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when
>>>     the web application was stopped. To prevent a memory leak, the
>>>     ThreadLocal has been forcibly removed.
>>>
>>>     Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol
>>> destroy
>>>
>>>     INFO: Stopping Coyote HTTP/1.1 on http-9180
>>>
>>>     Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol
>>> destroy
>>>
>>>     INFO: Stopping Coyote HTTP/1.1 on http-9443
>>>
>>>     Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol
>>> destroy
>>>
>>>     INFO: Stopping Coyote HTTP/1.1 on http-9445
>>>
>>>     Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol
>>> destroy
>>>
>>>     INFO: Stopping Coyote HTTP/1.1 on http-9444
>>>
>>>     Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol
>>> destroy
>>>
>>>     INFO: Stopping Coyote HTTP/1.1 on http-9446
>>>
>>>     Jan 27, 2016 2:57:36 PM
>>>     org.apache.catalina.core.AprLifecycleListener init
>>>
>>>     INFO: The APR based Apache Tomcat Native library which allows
>>>     optimal performance in production environments was not found on the
>>>     java.library.path:
>>>
>>> /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
>>>
>>>     Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>>>
>>>     INFO: Initializing Coyote HTTP/1.1 on http-9180
>>>
>>>     Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
>>>     unsupported by NSS. This is probably O.K. unless ECC support has
>>>     been installed.
>>>
>>>     Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
>>>     unsupported by NSS. This is probably O.K. unless ECC support has
>>>     been installed.
>>>
>>>     Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>>>
>>>     INFO: Initializing Coyote HTTP/1.1 on http-9443
>>>
>>>     Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
>>>     unsupported by NSS. This is probably O.K. unless ECC support has
>>>     been installed.
>>>
>>>     Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
>>>     unsupported by NSS. This is probably O.K. unless ECC support has
>>>     been installed.
>>>
>>>     Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>>>
>>>     INFO: Initializing Coyote HTTP/1.1 on http-9445
>>>
>>>     Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
>>>     unsupported by NSS. This is probably O.K. unless ECC support has
>>>     been installed.
>>>
>>>     Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
>>>     unsupported by NSS. This is probably O.K. unless ECC support has
>>>     been installed.
>>>
>>>     Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>>>
>>>     INFO: Initializing Coyote HTTP/1.1 on http-9444
>>>
>>>     Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
>>>     unsupported by NSS. This is probably O.K. unless ECC support has
>>>     been installed.
>>>
>>>     Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
>>>     unsupported by NSS. This is probably O.K. unless ECC support has
>>>     been installed.
>>>
>>>     Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>>>
>>>     INFO: Initializing Coyote HTTP/1.1 on http-9446
>>>
>>>     Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.Catalina load
>>>
>>>     INFO: Initialization processed in 2198 ms
>>>
>>>     Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardService start
>>>
>>>     INFO: Starting service Catalina
>>>
>>>     Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardEngine start
>>>
>>>     INFO: Starting Servlet Engine: Apache Tomcat/6.0.24
>>>
>>>     Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.HostConfig
>>>     deployDirectory
>>>
>>>     INFO: Deploying web application directory ROOT
>>>
>>>     Jan 27, 2016 2:57:38 PM org.apache.catalina.startup.HostConfig
>>>     deployDirectory
>>>
>>>     INFO: Deploying web application directory ca
>>>
>>>     64-bit osutil library loaded
>>>
>>>     64-bit osutil library loaded
>>>
>>>     Certificate object not found
>>>
>>>     Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>>>
>>>     INFO: Starting Coyote HTTP/1.1 on http-9180
>>>
>>>     Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>>>
>>>     INFO: Starting Coyote HTTP/1.1 on http-9443
>>>
>>>     Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>>>
>>>     INFO: Starting Coyote HTTP/1.1 on http-9445
>>>
>>>     Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>>>
>>>     INFO: Starting Coyote HTTP/1.1 on http-9444
>>>
>>>     Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>>>
>>>     INFO: Starting Coyote HTTP/1.1 on http-9446
>>>
>>>     Jan 27, 2016 2:57:40 PM org.apache.jk.common.ChannelSocket init
>>>
>>>     INFO: JK: ajp13 listening on /0.0.0.0:9447 <http://0.0.0.0:9447>
>>>
>>>     Jan 27, 2016 2:57:40 PM org.apache.jk.server.JkMain start
>>>
>>>     INFO: Jk running ID=0 time=0/40config=null
>>>
>>>     Jan 27, 2016 2:57:40 PM org.apache.catalina.startup.Catalina start
>>>
>>>     INFO: Server startup in 2592 ms
>>>
>>>     [root@test pki-ca]# tail -n 100 debug
>>>
>>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>     subjectAltNameExtDefaultImpl Subject Alternative Name Extension
>>>     Default Subject Alternative Name Extension Default
>>>     com.netscape.cms.profile.def.SubjectAltNameExtDefault
>>>
>>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>     userValidityDefaultImpl User Supplied Validity Default User Supplied
>>>     Validity Default com.netscape.cms.profile.def.UserValidityDefault
>>>
>>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>     userSubjectNameDefaultImpl User Supplied Subject Name Default User
>>>     Supplied Subject Name Default
>>>     com.netscape.cms.profile.def.UserSubjectNameDefault
>>>
>>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>     subjectDirAttributesExtDefaultImpl Subject Directory Attributes
>>>     Extension Default Subject Directory Attributes Extension Default
>>>     com.netscape.cms.profile.def.SubjectDirAttributesExtDefault
>>>
>>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>     certificateVersionDefaultImpl Certificate Version Default
>>>     Certificate Version Default
>>>     com.netscape.cms.profile.def.CertificateVersionDefault
>>>
>>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>     extendedKeyUsageExtDefaultImpl Extended Key Usage Extension Default
>>>     Extended Key Usage Extension Default
>>>     com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
>>>
>>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>     policyConstraintsExtDefaultImpl Policy Constraints Extension Default
>>>     Policy Constraints Extension Default
>>>     com.netscape.cms.profile.def.PolicyConstraintsExtDefault
>>>
>>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>     crlDistributionPointsExtDefaultImpl CRL Distribution Points
>>>     Extension Default CRL Distribution Points Extension Default
>>>     com.netscape.cms.profile.def.CRLDistributionPointsExtDefault
>>>
>>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>     certificatePoliciesExtDefaultImpl Certificate Policies Extension
>>>     Default Certificate Policies Extension Default
>>>     com.netscape.cms.profile.def.CertificatePoliciesExtDefault
>>>
>>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>     validityDefaultImpl Validity Default Validty Default
>>>     com.netscape.cms.profile.def.ValidityDefault
>>>
>>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>     privateKeyPeriodExtDefaultImpl Private Key Period Ext Default
>>>     Private Key Period Ext Default
>>>     com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault
>>>
>>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>     noDefaultImpl No Default No Default
>>>     com.netscape.cms.profile.def.NoDefault
>>>
>>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>     imageDefaultImpl Image Default Image Default
>>>     com.netscape.cms.profile.def.ImageDefault
>>>
>>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>     subjectInfoAccessExtDefaultImpl Subject Info Access Extension
>>>     Default Subject Info Access Extension Default
>>>     com.netscape.cms.profile.def.SubjectInfoAccessExtDefault
>>>
>>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>     autoAssignDefaultImpl Auto Request Assignment Default Auto Request
>>>     Assignment Default com.netscape.cms.profile.def.AutoAssignDefault
>>>
>>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>     policyMappingsExtDefaultImpl Policy Mappings Extension Default
>>>     Policy Mappings Extension Default
>>>     com.netscape.cms.profile.def.PolicyMappingsExtDefault
>>>
>>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>     caValidityDefaultImpl CA Certificate Validity Default CA Certificate
>>>     Validty Default com.netscape.cms.profile.def.CAValidityDefault
>>>
>>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>     userExtensionDefaultImpl User Supplied Extension Default User
>>>     Supplied Extension Default
>>>     com.netscape.cms.profile.def.UserExtensionDefault
>>>
>>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>     nsCertTypeExtDefaultImpl Netscape Certificate Type Extension Default
>>>     Netscape Certificate Type Extension Default
>>>     com.netscape.cms.profile.def.NSCertTypeExtDefault
>>>
>>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>     authTokenSubjectNameDefaultImpl Token Supplied Subject Name Default
>>>     Token Supplied Subject Name Default
>>>     com.netscape.cms.profile.def.AuthTokenSubjectNameDefault
>>>
>>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>     subjectNameDefaultImpl Subject Name Default Subject Name Default
>>>     com.netscape.cms.profile.def.SubjectNameDefault
>>>
>>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>     userSigningAlgDefaultImpl User Supplied Signing Alg Default User
>>>     Supplied Signing Alg Default
>>>     com.netscape.cms.profile.def.UserSigningAlgDefault
>>>
>>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>     subjectKeyIdentifierExtDefaultImpl Subject Key Identifier Default
>>>     Subject Key Identifier Default
>>>     com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
>>>
>>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>     inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy Extension Default
>>>     Inhibit Any-Policy Extension Default
>>>     com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault
>>>
>>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>     nsTokenDeviceKeySubjectNameDefaultImpl
>>>     nsTokenDeviceKeySubjectNameDefault
>>>     nsTokenDeviceKeySubjectNameDefaultImpl
>>>     com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault
>>>
>>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>     nscCommentExtDefaultImpl Netscape Comment Extension Default Netscape
>>>     Comment Extension Default
>>>     com.netscape.cms.profile.def.NSCCommentExtDefault
>>>
>>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>     signingAlgDefaultImpl Signing Algorithm Default Signing Algorithm
>>>     Default com.netscape.cms.profile.def.SigningAlgDefault
>>>
>>>     [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
>>>     nameConstraintsExtDefaultImpl Name Constraints Extension Default
>>>     Name Constraints Extension Default
>>>     com.netscape.cms.profile.def.NameConstraintsExtDefault
>>>
>>>     [27/Jan/2016:15:30:43][main]: added plugin profileUpdater
>>>     subsystemGroupUpdaterImpl Updater for Subsystem Group Updater for
>>>     Subsystem Group com.netscape.cms.profile.updater.SubsystemGroupUpdater
>>>
>>>     [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=registry
>>>
>>>     [27/Jan/2016:15:30:43][main]: CMSEngine: initialized registry
>>>
>>>     [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=oidmap
>>>
>>>     [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=oidmap
>>>
>>>     [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=oidmap
>>>
>>>     [27/Jan/2016:15:30:43][main]: CMSEngine: initialized oidmap
>>>
>>>     [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=X500Name
>>>
>>>     [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=X500Name
>>>
>>>     [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=X500Name
>>>
>>>     [27/Jan/2016:15:30:43][main]: CMSEngine: initialized X500Name
>>>
>>>     [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=request
>>>
>>>     [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=request
>>>
>>>     [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=request
>>>
>>>     [27/Jan/2016:15:30:43][main]: CMSEngine: initialized request
>>>
>>>     [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=ca
>>>
>>>     [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=ca
>>>
>>>     [27/Jan/2016:15:30:43][main]: CertificateAuthority init
>>>
>>>     [27/Jan/2016:15:30:43][main]: Cert Repot inited
>>>
>>>     [27/Jan/2016:15:30:43][main]: CRL Repot inited
>>>
>>>     [27/Jan/2016:15:30:43][main]: Replica Repot inited
>>>
>>>     [27/Jan/2016:15:30:43][main]: ca.signing Signing Unit nickname
>>>     caSigningCert cert-pki-ca
>>>
>>>     [27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token
>>>     by name
>>>
>>>     [27/Jan/2016:15:30:43][main]: Found cert by nickname: 'caSigningCert
>>>     cert-pki-ca' with serial number: 1
>>>
>>>     [27/Jan/2016:15:30:43][main]: converted to x509CertImpl
>>>
>>>     [27/Jan/2016:15:30:43][main]: Got private key from cert
>>>
>>>     [27/Jan/2016:15:30:43][main]: Got public key from cert
>>>
>>>     [27/Jan/2016:15:30:43][main]: got signing algorithm
>>>     RSASignatureWithSHA256Digest
>>>
>>>     [27/Jan/2016:15:30:43][main]: CA signing unit inited
>>>
>>>     [27/Jan/2016:15:30:43][main]: cachainNum= 0
>>>
>>>     [27/Jan/2016:15:30:43][main]: in init - got CA chain from JSS.
>>>
>>>     [27/Jan/2016:15:30:43][main]: ca.ocsp_signing Signing Unit nickname
>>>     ca.ocsp_signing.cert
>>>
>>>     [27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token
>>>     by name
>>>
>>>     [27/Jan/2016:15:30:43][main]: SigningUnit init: debug
>>>     org.mozilla.jss.crypto.ObjectNotFoundException
>>>
>>>     [27/Jan/2016:15:30:43][main]: CMS:Caught EBaseException
>>>
>>>     Certificate object not found
>>>
>>>     at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
>>>
>>>     at
>>>
>>> com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1204)
>>>
>>>     at
>>>
>>> com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
>>>
>>>     at
>>> com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
>>>
>>>     at
>>>     com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
>>>
>>>     at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
>>>
>>>     at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
>>>
>>>     at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
>>>
>>>     at
>>>
>>> com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
>>>
>>>     at
>>>
>>> org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
>>>
>>>     at
>>>
>>> org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
>>>
>>>     at
>>>
>>> org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
>>>
>>>     at
>>>
>>> org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
>>>
>>>     at
>>>
>>> org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
>>>
>>>     at
>>>
>>> org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
>>>
>>>     at
>>> org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
>>>
>>>     at
>>>
>>> org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
>>>
>>>     at
>>>
>>> org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
>>>
>>>     at
>>>     org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
>>>
>>>     at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
>>>
>>>     at
>>>
>>> org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
>>>
>>>     at
>>>
>>> org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
>>>
>>>     at
>>> org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
>>>
>>>     at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
>>>
>>>     at
>>> org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
>>>
>>>     at
>>>     org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
>>>
>>>     at
>>>
>>> org.apache.catalina.core.StandardService.start(StandardService.java:516)
>>>
>>>     at
>>>     org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
>>>
>>>     at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
>>>
>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>
>>>     at
>>>
>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>
>>>     at
>>>
>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>
>>>     at java.lang.reflect.Method.invoke(Method.java:616)
>>>
>>>     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>>>
>>>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
>>>
>>>     [27/Jan/2016:15:30:43][main]: CMSEngine.shutdown()
>>>
>>>
>>>
>>>
>>>       >
>>>
>>>          >      > Would really greatly appreciate any help on this.
>>>          >      >
>>>          >      > Also I noticed after I do ldapmodify of
>>>         usercertificate binary
>>>          >     data with
>>>          >      >
>>>          >      > add: usercertificate;binary
>>>          >      > usercertificate;binary: !@#$@!#$#@$
>>>          >
>>>          >     You really pasted in binary? Or was this base64-encoded
>>> data?
>>>          >
>>>          >     I wonder if there is a problem in the wiki. If this is
>>>         really a binary
>>>          >     value you should start with a DER-encoded cert and load
>>>         it using
>>>          >     something like:
>>>          >
>>>          >     dn: uid=ipara,ou=people,o=ipaca
>>>          >     changetype: modify
>>>          >     add: usercertificate;binary
>>>          >     usercertificate;binary:< file:///path/to/cert.der
>>>          >
>>>          >     You can use something like openssl x509 to switch between
>>>         PEM and DER
>>>          >     formats.
>>>          >
>>>          >     I have a vague memory that dogtag can deal with a
>>>         multi-valued
>>>          >     usercertificate attribute.
>>>          >
>>>          >     rob
>>>          >
>>>          >
>>>          > Yes the wiki stated binary, the result of:
>>>          > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b
>>>          > uid=ipara,ou=People,o=ipaca -W
>>>          >
>>>          > shows userCertificate;binary:: GJ6Q0NBbGVnQXd ...
>>>          >
>>>          > But the actual data is from a PEM though.
>>>
>>>         Ok. So I looked at my CA data and it doesn't use the binary
>>>         subtype, so
>>>         my entries look like:
>>>
>>>         userCertificate:: MIID....
>>>
>>>         It might make a difference if dogtag is looking for the subtype
>>>         or not.
>>>
>>>         rob
>>>
>>>          >
>>>          >      >
>>>          >      > Then I re-run
>>>          >      >
>>>          >      > ldapsearch -x -h localhost -p 7389 -D 'cn=directory
>>>         manager' -W
>>>          >     -b uid=ipara,ou=People,o=ipaca
>>>          >      >
>>>          >      > I see 2 entries for usercertificate;binary (before
>>>         modify there
>>>          >     was only
>>>          >      > 1) but they are duplicate and NOT from data that I
>>>         added.  That seems
>>>          >      > incorrect to me.
>>>          >      >
>>>          >      >
>>>          >      > On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng
>>>          >      > <anthony.wan.ch...@gmail.com
>>>         <mailto:anthony.wan.ch...@gmail.com>
>>>         <mailto:anthony.wan.ch...@gmail.com
>>>         <mailto:anthony.wan.ch...@gmail.com>>
>>>          >     <mailto:anthony.wan.ch...@gmail.com
>>>         <mailto:anthony.wan.ch...@gmail.com>
>>>          >     <mailto:anthony.wan.ch...@gmail.com
>>>         <mailto:anthony.wan.ch...@gmail.com>>>> wrote:
>>>          >      >
>>>          >      >     klist is actually empty; kinit admin fails.
>>>         Sounds like then
>>>          >      >     getcert resubmit has a dependency on kerberoes.  I
>>>         can get a
>>>          >     backup
>>>          >      >     image that has a valid ticket but it is only good
>>>         for 1 day (and
>>>          >      >     dated pasted the cert expire).
>>>          >      >
>>>          >      >     Also I had asked awhile back about whether there
>>>         is dependency on
>>>          >      >     DIRSRV to renew the cert; didn't get any response
>>>         but I suspect
>>>          >      >     there is a dependency.
>>>          >      >
>>>          >      >     Regarding the clock skew, I found out from
>>>         /var/log/message that
>>>          >      >     shows me this so it may be from named:
>>>          >      >
>>>          >      >     Jan 28 14:10:42 test named[2911]: Failed to init
>>>         credentials
>>>          >     (Clock
>>>          >      >     skew too great)
>>>          >      >     Jan 28 14:10:42 test named[2911]: loading
>>>         configuration: failure
>>>          >      >     Jan 28 14:10:42 test named[2911]: exiting (due to
>>>         fatal error)
>>>          >      >     Jan 28 14:10:44 test ns-slapd: GSSAPI Error:
>>>         Unspecified GSS
>>>          >      >     failure.  Minor code may provide more information
>>>         (Creden
>>>          >      >     tials cache file '/tmp/krb5cc_496' not found)
>>>          >      >
>>>          >      >     I don't have a krb5cc_496 file (since klist is
>>>         empty), so
>>>          >     sounds to
>>>          >      >     me I need to get a kerberoes ticket before going any
>>>          >     further.  Also
>>>          >      >     is the file /etc/krb5.keytab access/modification
>>> time
>>>          >     important?  I
>>>          >      >     had changed time back to before the cert
>>>         expiration date and
>>>          >     reboot
>>>          >      >     and try renew but the error message about clock
>>>         skew is still
>>>          >      >     there.  That seems strange.
>>>          >      >
>>>          >      >     Lastly, as a absolute last resort, can I
>>>         regenerate a new cert
>>>          >      >     myself?
>>>          >      >
>>>          >
>>>
>>> https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
>>>          >      >
>>>          >      >     [root@test /]# klist
>>>          >      >     klist: No credentials cache found (ticket cache
>>>          >     FILE:/tmp/krb5cc_0)
>>>          >      >     [root@test /]# service ipa start
>>>          >      >     Starting Directory Service
>>>          >      >     Starting dirsrv:
>>>          >      >          PKI-IPA...
>>>          >       [  OK  ]
>>>          >      >          sample-NET...
>>>          >     [  OK  ]
>>>          >      >     Starting KDC Service
>>>          >      >     Starting Kerberos 5 KDC:
>>>                   [
>>>          >     OK  ]
>>>          >      >     Starting KPASSWD Service
>>>          >      >     Starting Kerberos 5 Admin Server:
>>>                  [
>>>          >     OK  ]
>>>          >      >     Starting DNS Service
>>>          >      >     Starting named:
>>>          >     [FAILED]
>>>          >      >     Failed to start DNS Service
>>>          >      >     Shutting down
>>>          >      >     Stopping Kerberos 5 KDC:
>>>                   [
>>>          >     OK  ]
>>>          >      >     Stopping Kerberos 5 Admin Server:
>>>                  [
>>>          >     OK  ]
>>>          >      >     Stopping named:
>>>                  [
>>>          >     OK  ]
>>>          >      >     Stopping httpd:
>>>                  [
>>>          >     OK  ]
>>>          >      >     Stopping pki-ca:
>>>                   [
>>>          >     OK  ]
>>>          >      >     Shutting down dirsrv:
>>>          >      >          PKI-IPA...
>>>          >       [  OK  ]
>>>          >      >          sample-NET...
>>>          >     [  OK  ]
>>>          >      >     Aborting ipactl
>>>          >      >     [root@test /]# klist
>>>          >      >     klist: No credentials cache found (ticket cache
>>>          >     FILE:/tmp/krb5cc_0)
>>>          >      >     [root@test /]# service ipa status
>>>          >      >     Directory Service: STOPPED
>>>          >      >     Failed to get list of services to probe status:
>>>          >      >     Directory Server is stopped
>>>          >      >
>>>          >      >     On Thu, Apr 28, 2016 at 3:21 AM David Kupka
>>>          >     <dku...@redhat.com <mailto:dku...@redhat.com>
>>>         <mailto:dku...@redhat.com <mailto:dku...@redhat.com>>
>>>          >      >     <mailto:dku...@redhat.com
>>>         <mailto:dku...@redhat.com> <mailto:dku...@redhat.com
>>>         <mailto:dku...@redhat.com>>>> wrote:
>>>          >      >
>>>          >      >         On 27/04/16 21:54, Anthony Cheng wrote:
>>>          >      >          > Hi list,
>>>          >      >          >
>>>          >      >          > I am trying to renew expired certificates
>>>         following the
>>>          >      >         manual renewal procedure
>>>          >      >          > here
>>>          >     (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
>>>          >      >         but even with
>>>          >      >          > resetting the system/hardware clock to a
>>>         time before
>>>          >     expires,
>>>          >      >         I am getting the
>>>          >      >          > error "ca-error: Error setting up ccache
>>>         for local "host"
>>>          >      >         service using default
>>>          >      >          > keytab: Clock skew too great."
>>>          >      >          >
>>>          >      >          > With NTP disable and clock reset why would
>>>         it complain
>>>          >     about
>>>          >      >         clock skew and how
>>>          >      >          > does it even know about the current time?
>>>          >      >          >
>>>          >      >          > [root@test certs]# getcert list
>>>          >      >          > Number of certificates and requests being
>>>         tracked: 8.
>>>          >      >          > Request ID '20111214223243':
>>>          >      >          >          status: MONITORING
>>>          >      >          >          ca-error: Error setting up ccache
>>>         for local
>>>          >     "host"
>>>          >      >         service using
>>>          >      >          > default keytab: Clock skew too great.
>>>          >      >          >          stuck: no
>>>          >      >          >          key pair storage:
>>>          >      >          >
>>>          >      >
>>>          >
>>>
>>> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
>>>          >      >          > Certificate
>>>          >      >
>>>           DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
>>>          >      >          >          certificate:
>>>          >      >          >
>>>          >      >
>>>          >
>>>
>>> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
>>>          >      >          > Certificate DB'
>>>          >      >          >          CA: IPA
>>>          >      >          >          issuer: CN=Certificate
>>>         Authority,O=sample.NET
>>>          >      >          >          subject: CN=test.sample.net
>>>         <http://test.sample.net>
>>>          >     <http://test.sample.net> <http://test.sample.net>
>>>          >      >         <http://test.sample.net>,O=sample.NET
>>>          >      >          >          expires: 2016-01-29 14:09:46 UTC
>>>          >      >          >          eku: id-kp-serverAuth
>>>          >      >          >          pre-save command:
>>>          >      >          >          post-save command:
>>>          >      >          >          track: yes
>>>          >      >          >          auto-renew: yes
>>>          >      >          > Request ID '20111214223300':
>>>          >      >          >          status: MONITORING
>>>          >      >          >          ca-error: Error setting up ccache
>>>         for local
>>>          >     "host"
>>>          >      >         service using
>>>          >      >          > default keytab: Clock skew too great.
>>>          >      >          >          stuck: no
>>>          >      >          >          key pair storage:
>>>          >      >          >
>>>          >      >
>>>          >
>>>
>>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>>>          >      >         Certificate
>>>          >      >          >
>>>         DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>>>          >      >          >          certificate:
>>>          >      >          >
>>>          >      >
>>>          >
>>>
>>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>>>          >      >         Certificate
>>>          >      >          > DB'
>>>          >      >          >          CA: IPA
>>>          >      >          >          issuer: CN=Certificate
>>>         Authority,O=sample.NET
>>>          >      >          >          subject: CN=test.sample.net
>>>         <http://test.sample.net>
>>>          >     <http://test.sample.net> <http://test.sample.net>
>>>          >      >         <http://test.sample.net>,O=sample.NET
>>>          >      >          >          expires: 2016-01-29 14:09:45 UTC
>>>          >      >          >          eku: id-kp-serverAuth
>>>          >      >          >          pre-save command:
>>>          >      >          >          post-save command:
>>>          >      >          >          track: yes
>>>          >      >          >          auto-renew: yes
>>>          >      >          > Request ID '20111214223316':
>>>          >      >          >          status: MONITORING
>>>          >      >          >          ca-error: Error setting up ccache
>>>         for local
>>>          >     "host"
>>>          >      >         service using
>>>          >      >          > default keytab: Clock skew too great.
>>>          >      >          >          stuck: no
>>>          >      >          >          key pair storage:
>>>          >      >          >
>>>          >      >
>>>          >
>>>
>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>>          >      >          > Certificate
>>>         DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>          >      >          >          certificate:
>>>          >      >          >
>>>          >      >
>>>          >
>>>
>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>>          >      >          > Certificate DB'
>>>          >      >          >          CA: IPA
>>>          >      >          >          issuer: CN=Certificate
>>>         Authority,O=sample.NET
>>>          >      >          >          subject: CN=test.sample.net
>>>         <http://test.sample.net>
>>>          >     <http://test.sample.net> <http://test.sample.net>
>>>          >      >         <http://test.sample.net>,O=sample.NET
>>>          >      >          >          expires: 2016-01-29 14:09:45 UTC
>>>          >      >          >          eku: id-kp-serverAuth
>>>          >      >          >          pre-save command:
>>>          >      >          >          post-save command:
>>>          >      >          >          track: yes
>>>          >      >          >          auto-renew: yes
>>>          >      >          > Request ID '20130519130741':
>>>          >      >          >          status: NEED_CSR_GEN_PIN
>>>          >      >          >          ca-error: Internal error: no
>>>         response to
>>>          >      >          >
>>>          >      >
>>>          >
>>>
>>> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true";.
>>>          >      >          >          stuck: yes
>>>          >      >          >          key pair storage:
>>>          >      >          >
>>>          >      >
>>>          >
>>>
>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>>>          >      >          > cert-pki-ca',token='NSS Certificate
>>>         DB',pin='297100916664
>>>          >      >          > '
>>>          >      >          >          certificate:
>>>          >      >          >
>>>          >      >
>>>          >
>>>
>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>>>          >      >          > cert-pki-ca',token='NSS Certificate DB'
>>>          >      >          >          CA: dogtag-ipa-renew-agent
>>>          >      >          >          issuer: CN=Certificate
>>>         Authority,O=sample.NET
>>>          >      >          >          subject: CN=CA Audit,O=sample.NET
>>>          >      >          >          expires: 2017-10-13 14:10:49 UTC
>>>          >      >          >          pre-save command:
>>>          >     /usr/lib64/ipa/certmonger/stop_pkicad
>>>          >      >          >          post-save command:
>>>          >      >         /usr/lib64/ipa/certmonger/renew_ca_cert
>>>          >      >          > "auditSigningCert cert-pki-ca"
>>>          >      >          >          track: yes
>>>          >      >          >          auto-renew: yes
>>>          >      >          > Request ID '20130519130742':
>>>          >      >          >          status: NEED_CSR_GEN_PIN
>>>          >      >          >          ca-error: Internal error: no
>>>         response to
>>>          >      >          >
>>>          >      >
>>>          >
>>>
>>> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true";.
>>>          >      >          >          stuck: yes
>>>          >      >          >          key pair storage:
>>>          >      >          >
>>>          >      >
>>>          >
>>>
>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>>>          >      >          > cert-pki-ca',token='NSS Certificate
>>>         DB',pin='297100916664
>>>          >      >          > '
>>>          >      >          >          certificate:
>>>          >      >          >
>>>          >      >
>>>          >
>>>
>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>>>          >      >          > cert-pki-ca',token='NSS Certificate DB'
>>>          >      >          >          CA: dogtag-ipa-renew-agent
>>>          >      >          >          issuer: CN=Certificate
>>>         Authority,O=sample.NET
>>>          >      >          >          subject: CN=OCSP
>>>         Subsystem,O=sample.NET
>>>          >      >          >          expires: 2017-10-13 14:09:49 UTC
>>>          >      >          >          eku: id-kp-OCSPSigning
>>>          >      >          >          pre-save command:
>>>          >     /usr/lib64/ipa/certmonger/stop_pkicad
>>>          >      >          >          post-save command:
>>>          >      >         /usr/lib64/ipa/certmonger/renew_ca_cert
>>>          >      >          > "ocspSigningCert cert-pki-ca"
>>>          >      >          >          track: yes
>>>          >      >          >          auto-renew: yes
>>>          >      >          > Request ID '20130519130743':
>>>          >      >          >          status: NEED_CSR_GEN_PIN
>>>          >      >          >          ca-error: Internal error: no
>>>         response to
>>>          >      >          >
>>>          >      >
>>>          >
>>>
>>> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true";.
>>>          >      >          >          stuck: yes
>>>          >      >          >          key pair storage:
>>>          >      >          >
>>>          >      >
>>>          >
>>>
>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>>>          >      >          > cert-pki-ca',token='NSS Certificate
>>>         DB',pin='297100916664
>>>          >      >          > '
>>>          >      >          >          certificate:
>>>          >      >          >
>>>          >      >
>>>          >
>>>
>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>>>          >      >          > cert-pki-ca',token='NSS Certificate DB'
>>>          >      >          >          CA: dogtag-ipa-renew-agent
>>>          >      >          >          issuer: CN=Certificate
>>>         Authority,O=sample.NET
>>>          >      >          >          subject: CN=CA
>>> Subsystem,O=sample.NET
>>>          >      >          >          expires: 2017-10-13 14:09:49 UTC
>>>          >      >          >          eku:
>>> id-kp-serverAuth,id-kp-clientAuth
>>>          >      >          >          pre-save command:
>>>          >     /usr/lib64/ipa/certmonger/stop_pkicad
>>>          >      >          >          post-save command:
>>>          >      >         /usr/lib64/ipa/certmonger/renew_ca_cert
>>>          >      >          > "subsystemCert cert-pki-ca"
>>>          >      >          >          track: yes
>>>          >      >          >          auto-renew: yes
>>>          >      >          > Request ID '20130519130744':
>>>          >      >          >          status: MONITORING
>>>          >      >          >          ca-error: Internal error: no
>>>         response to
>>>          >      >          >
>>>          >      >
>>>          >
>>>
>>> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true";.
>>>          >      >          >          stuck: no
>>>          >      >          >          key pair storage:
>>>          >      >          >
>>>          >      >
>>>          >
>>>
>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>>>          >      >         Certificate
>>>          >      >          > DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>          >      >          >          certificate:
>>>          >      >          >
>>>          >      >
>>>          >
>>>
>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>>>          >      >         Certificate DB'
>>>          >      >          >          CA: dogtag-ipa-renew-agent
>>>          >      >          >          issuer: CN=Certificate
>>>         Authority,O=sample.NET
>>>          >      >          >          subject: CN=RA
>>> Subsystem,O=sample.NET
>>>          >      >          >          expires: 2017-10-13 14:09:49 UTC
>>>          >      >          >          eku:
>>> id-kp-serverAuth,id-kp-clientAuth
>>>          >      >          >          pre-save command:
>>>          >      >          >          post-save command:
>>>          >      >         /usr/lib64/ipa/certmonger/renew_ra_cert
>>>          >      >          >          track: yes
>>>          >      >          >          auto-renew: yes
>>>          >      >          > Request ID '20130519130745':
>>>          >      >          >          status: NEED_CSR_GEN_PIN
>>>          >      >          >          ca-error: Internal error: no
>>>         response to
>>>          >      >          >
>>>          >      >
>>>          >
>>>
>>> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true";.
>>>          >      >          >          stuck: yes
>>>          >      >          >          key pair storage:
>>>          >      >          >
>>>          >
>>>
>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>>>          >      >          > cert-pki-ca',token='NSS Certificate
>>>         DB',pin='297100916664
>>>          >      >          > '
>>>          >      >          >          certificate:
>>>          >      >          >
>>>          >
>>>
>>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to