Hi Rob,

1. I have made snapshots of this system for the test, so the NSS databases have been backed up.

2. For the pki-cad service, I can't find it on my system; it says there is no such service. But there is one failed service, as below:

root@ecnshlx3039-test2(SH):requests #systemctl status pki-cad@pki-ca.service
pki-cad@pki-ca.service - PKI Certificate Authority Server pki-ca
          Loaded: loaded (/lib/systemd/system/pki-cad@.service; enabled)
          Active: failed (Result: exit-code) since Wed, 01 Jun 2016 06:28:53 +0200; 23min ago
         Process: 2675 ExecStop=/usr/bin/pkicontrol stop ca %i (code=exited, status=1/FAILURE)
         Process: 2525 ExecStart=/usr/bin/pkicontrol start ca %i (code=exited, status=0/SUCCESS)
        Main PID: 2593 (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/pki-cad@.service/pki-ca

Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]: pam_unix(runuser-l:session): session opened for user pkius...d=0)
Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]: pam_unix(runuser-l:session): session closed for user pkiuser
Jun 01 06:28:52 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]: pam_unix(runuser-l:session): session opened for user pkius...d=0)
Jun 01 06:28:53 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]: pam_unix(runuser-l:session): session closed for user pkiuser

I can't start it normally; the log just says:

Jun 1 06:54:39 ecnshlx3039-test2 systemd[1]: pki-cad@pki-ca.service: control process exited, code=exited status=1
Jun 1 06:54:39 ecnshlx3039-test2 systemd[1]: Unit pki-cad@pki-ca.service entered failed state.

I will google more and try to start it first.

3. About the source of the output for getcert list:

root@ecnshlx3039-test2(SH):requests #ll
total 64
-rw-------. 1 root root 5698 Jun 1 06:06 20120704140859
-rw-------. 1 root root 5695 Jun 1 06:06 20120704140922
-rw-------. 1 root root 5654 Jun 1 06:06 20120704141150
-rw-------. 1 root root 5107 Jun 1 06:39 20140605220249
-rw-------. 1 root root 4982 Jun 1 06:39 20160601043748
-rw-------. 1 root root 5144 Jun 1 06:39 20160601043749
-rw-------. 1 root root 5186 Jun 1 06:39 20160601043750
-rw-------. 1 root root 5126 Jun 1 06:39 20160601043751
root@ecnshlx3039-test2(SH):requests #
root@ecnshlx3039-test2(SH):requests #grep post_certsave_command *
20120704140859:post_certsave_command=/usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
20120704141150:post_certsave_command=/usr/lib64/ipa/certmonger/restart_httpd
root@ecnshlx3039-test2(SH):requests #grep pre_certsave_command *
root@ecnshlx3039-test2(SH):requests #

There are just two statements. And this is the detailed info for ipaCert:

root@ecnshlx3039-test2(SH):requests #cat 20140605220249
id=20140605220249
key_type=RSA
key_gen_type=RSA
key_size=2048
key_gen_size=2048
key_storage_type=NSSDB
key_storage_location=/etc/httpd/alias
key_token=NSS Certificate DB
key_nickname=ipaCert
key_pin_file=/etc/httpd/alias/pwdfile.txt
key_pubkey=[value omitted]
cert_storage_type=NSSDB
cert_storage_location=/etc/httpd/alias
cert_token=NSS Certificate DB
cert_nickname=ipaCert
cert_issuer=CN=Certificate Authority,O=DRUTT.COM
cert_serial=07
cert_subject=CN=IPA RA,O=DRUTT.COM
cert_spki=[value omitted]
cert_not_before=20120704140850
cert_not_after=20140624140850
cert_ku=1111
cert_eku=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
last_need_notify_check=20160601044851
last_need_enroll_check=20160601044851
template_subject=CN=IPA RA,O=DRUTT.COM
template_ku=1111
template_eku=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
csr=-----BEGIN NEW CERTIFICATE REQUEST-----
[base64 CSR body omitted]
-----END NEW CERTIFICATE REQUEST-----
spkac=[value omitted]
state=MONITORING
autorenew=1
monitor=1
ca_name=dogtag-ipa-renew-agent
submitted=20160601044851
cert=-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
==========================================================================================================

4. "getcert list" result:

root@ecnshlx3039-test2(SH):requests #getcert list
Number of certificates and requests being tracked: 8.
Request ID '20120704140859':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DRUTT-COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=ipa1.drutt.com,O=DRUTT.COM
        expires: 2016-06-05 22:03:17 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
        track: yes
        auto-renew: yes
Request ID '20120704140922':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://ipa1.drutt.com:443/ca/agent/ca/displayBySerial': [Errno -8053] (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=ipa1.drutt.com,O=DRUTT.COM
        expires: 2016-06-05 22:03:17 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20120704141150':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=ipa1.drutt.com,O=DRUTT.COM
        expires: 2016-06-05 22:03:17 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20140605220249':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=IPA RA,O=DRUTT.COM
        expires: 2014-06-24 14:08:50 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160601043748':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=CA Audit,O=DRUTT.COM
        expires: 2014-06-24 14:08:42 UTC
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160601043749':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=OCSP Subsystem,O=DRUTT.COM
        expires: 2014-06-24 14:08:41 UTC
        eku: id-kp-OCSPSigning
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160601043750':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=CA Subsystem,O=DRUTT.COM
        expires: 2014-06-24 14:08:41 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160601043751':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=ipa1.drutt.com,O=DRUTT.COM
        expires: 2014-06-24 14:08:41 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

thanks,
BR//Kay

-----Original Message-----
From: Rob Crittenden [mailto:[email protected]]
Sent: Wednesday, June 01, 2016 11:56 AM
To: Kay Zhou Y; [email protected]
Cc: Doris Hongmei; Xionglin Gu
Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue

Kay Zhou Y wrote:
> Hi Rob,
>
> The status for ipaCert is MONITORING no matter whether before or after resubmitting this request ID, as below:
>
> Request ID '20140605220249':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=DRUTT.COM
>         subject: CN=IPA RA,O=DRUTT.COM
>         expires: 2014-06-24 14:08:50 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
>
> I have restarted the ipa service before renewal since there is no pki-cad service in our env.

Oh. So unfortunately the version of certmonger you have has a bug where the pre/post commands weren't displayed (it was only a display issue).

If you look in /var/lib/certmonger/requests/<id> you can find the source for this output. See what the pre/post save command is for any of the CA subsystem certs and I guess perhaps ipaCert. I need to see how they are configured to do the renewal.

Maybe my memory is failing but I'd have sworn the CA process name was pki-cad.

ipactl restart will restart the world. Given that the certs are expired you need to restart things when you go back in time.

I saw that you are tracking the subsystem certs on this master so the CA must be installed.

> I have tried this process so many times, and I even wanted to recreate the ipaCert, but it failed.

Before you go poking too manually into things I'd strongly recommend backing up the NSS databases first. You could easily break something.

> The references I used are as below, but neither of them is applicable to my issue :(
> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
> http://www.freeipa.org/page/PKI
>
> And is it feasible to modify the expiration date for these certs manually, or to recreate them directly?

You can't change any attributes of a certificate without re-issuing it. You can't issue a new cert without the CA up and I suspect it isn't up.

The cert may be in MONITORING when you go back in time because really, it's fine as long as it isn't expired, so MONITORING is a-ok.
rob

>
> Thanks,
> BR//Kay
> -----Original Message-----
> From: Rob Crittenden [mailto:[email protected]]
> Sent: Tuesday, May 31, 2016 11:10 PM
> To: Kay Zhou Y; [email protected]
> Cc: Doris Hongmei; Xionglin Gu
> Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue
>
> Kay Zhou Y wrote:
>> Hi Rob,
>>
>> Thanks for your reply.
>>
>> And about your suggestion, actually I have done it, but it just renews the two 389-ds certs and the Apache cert.
>> Since the ipaCert and subsystem certs expired on 20140624, I must roll the time back to before that and then begin to renew, but after I did this:
>>
>> "Let's force renewal on all of the certificates:
>> # for line in `getcert list | grep Request | cut -d "'" -f2`; do getcert resubmit -i $line; done ..."
>>
>> according to the wiki (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal), the CA subsystem certificates should be renewed. But they were not.
>
> Ok, what state are the certificates in? When you go back in time are you restarting the pki-cad service before attempting to do the renewal?
>
>> Finally, after I finished all the actions mentioned in the wiki page, I still can't renew ipaCert and the other four CA subsystem certificates.
>> And the two 389-ds and Apache certs will still expire after the date 20160623 (expiry date of ipaCert 20140624 + two years).
>>
>> Is there any other guide or doc about the ipaCert and CA subsystem certificates?
>
> Not really for IPA 2.x
>
> rob
>
>> Thanks a lot for your support!
>>
>> Thanks,
>> BR//Kay
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:[email protected]]
>> Sent: Friday, May 27, 2016 11:41 PM
>> To: Kay Zhou Y; [email protected]
>> Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue
>>
>> Kay Zhou Y wrote:
>>> Hi,
>>>
>>> This is Kay.
>>>
>>> I am not sure if the email address is correct, and I would really appreciate any help with my issue. It has been baffling me for a few days, and the expiry date is coming soon.
>>>
>>> There is an IPA 2.2 environment, and three "Server-Cert" certificates (two 389-ds and the Apache cert) will expire at 2016-06-05 22:03:17 UTC.
>>>
>>> Two years ago, these certs were renewed by other guys according to this document: http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>>>
>>> It was successful, and the certificates were renewed until 20160605.
>>>
>>> But recently I wanted to renew them again since the expiry date is coming. I followed the above guide, however things did not go well.
>>
>> The problem looks to be because the IPA RA cert (ipaCert) isn't matching what dogtag expects. See the wiki page starting at
>>
>> "For ipaCert, stored in /etc/httpd/alias you have another job to do..."
>>
>> You'll want to be sure that description correctly matches the certificate in the Apache database and confirm that the usercertificate value in LDAP matches the cert being presented.
>>
>> rob
>>
>>> Below are the 8 certs which certmonger is tracking:
>>>
>>> root@ecnshlx3039-test2(SH):~ #getcert list
>>> Number of certificates and requests being tracked: 8.
>>> Request ID '20120704140859':
>>>         status: CA_UNREACHABLE
>>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
>>>         stuck: yes
>>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DRUTT-COM/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB'
>>>         CA: IPA
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>>         expires: 2016-06-05 22:03:17 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20120704140922':
>>>         status: CA_UNREACHABLE
>>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
>>>         stuck: yes
>>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>>         CA: IPA
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>>         expires: 2016-06-05 22:03:17 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20120704141150':
>>>         status: CA_UNREACHABLE
>>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
>>>         stuck: yes
>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>         CA: IPA
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>>         expires: 2016-06-05 22:03:17 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20140605220249':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-renew-agent
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=IPA RA,O=DRUTT.COM
>>>         expires: 2014-06-24 14:08:50 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20160527075219':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-renew-agent
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=CA Audit,O=DRUTT.COM
>>>         expires: 2014-06-24 14:08:42 UTC
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20160527075220':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-renew-agent
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=OCSP Subsystem,O=DRUTT.COM
>>>         expires: 2014-06-24 14:08:41 UTC
>>>         eku: id-kp-OCSPSigning
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20160527075221':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-renew-agent
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=CA Subsystem,O=DRUTT.COM
>>>         expires: 2014-06-24 14:08:41 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20160527075222':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-renew-agent
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>>         expires: 2014-06-24 14:08:41 UTC
>>>         eku: id-kp-serverAuth
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>>
>>> Following all the steps in the guide, the result is that just the first three certificates are renewed to 20160622 if I set the system time to 20140623 (when the four CA subsystem certs and the CA cert are valid).
>>>
>>> But the other five are not renewed at all (the four CA subsystem certs and the CA cert). There is no error information during these steps.
>>>
>>> I googled a lot but still found nothing that could resolve it, and then I found there was a similar thread:
>>> https://www.redhat.com/archives/freeipa-users/2015-October/msg00174.html
>>>
>>> But unfortunately the solution is not applicable to my issue either.
>>>
>>> Since I am not familiar with FreeIPA, it bothers me so much.
>>>
>>> Any help will be really appreciated. Thanks in advance!
>>>
>>> Thanks,
>>>
>>> BR//Kay
>>>
>>
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
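As an added example (not part of the thread, and not certmonger's or FreeIPA's own code), a small Python auditor for the request files Rob points at under /var/lib/certmonger/requests: it parses the key=value format shown in Kay's `cat 20140605220249` output, keeps the multi-line PEM values intact, and flags the conditions discussed above (a certificate already expired while certmonger still reports MONITORING, and a request with no post_certsave_command). The sample record is constructed from the values quoted in the thread with placeholder PEM bodies; the key names are those visible in that output.

```python
"""Audit certmonger request files (/var/lib/certmonger/requests/<id>),
the key=value records that 'getcert list' is rendered from.  PEM values
(csr=, cert=) span several lines, and a base64 padding line such as
'Zm9vYg==' would be mis-read as a new key by a naive split on '=', so
the parser tracks the BEGIN/END markers."""
from datetime import datetime, timezone

# Constructed sample modelled on the ipaCert request file quoted in the
# thread.  The PEM bodies are placeholders, not the real CSR/certificate.
SAMPLE_IPACERT = """\
id=20140605220249
key_storage_location=/etc/httpd/alias
key_nickname=ipaCert
cert_storage_location=/etc/httpd/alias
cert_nickname=ipaCert
cert_subject=CN=IPA RA,O=DRUTT.COM
cert_not_after=20140624140850
csr=-----BEGIN NEW CERTIFICATE REQUEST-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
Zm9vYg==
-----END NEW CERTIFICATE REQUEST-----
state=MONITORING
ca_name=dogtag-ipa-renew-agent
cert=-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
"""


def parse_request(text):
    """Parse one request file into a dict; PEM blocks are kept whole."""
    fields, pem_key, pem_lines = {}, None, []
    for line in text.splitlines():
        if pem_key is not None:  # inside a multi-line PEM value
            pem_lines.append(line)
            if line.startswith("-----END"):
                fields[pem_key] = "\n".join(pem_lines)
                pem_key, pem_lines = None, []
            continue
        if not line.strip():
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed request line: %r" % line)
        if value.startswith("-----BEGIN"):
            pem_key, pem_lines = name, [value]
        else:
            fields[name] = value
    if pem_key is not None:
        raise ValueError("unterminated PEM block for %s" % pem_key)
    return fields


def parse_ts(stamp):
    """certmonger timestamps are YYYYmmddHHMMSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def audit(fields, now):
    """Flag, for one tracked request, the conditions seen in the thread."""
    not_after = parse_ts(fields["cert_not_after"])
    expired = not_after <= now
    return {
        "id": fields.get("id"),
        "nickname": fields.get("cert_nickname"),
        "not_after": not_after.isoformat(),
        "expired": expired,
        # MONITORING means certmonger considers the cert fine; an expired
        # cert still in MONITORING is the symptom reported in the thread.
        "monitoring_while_expired": expired and fields.get("state") == "MONITORING",
        # Without a post-save command nothing restarts the consuming
        # service (cf. restart_dirsrv / restart_httpd) after renewal.
        "missing_post_save": not fields.get("post_certsave_command"),
    }
```

To audit a live master, feed each file under /var/lib/certmonger/requests to parse_request and call audit with the current UTC time (for the sample, audit(parse_request(SAMPLE_IPACERT), parse_ts("20160601062853")) reports it as expired and still MONITORING).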
