Hi Rob,

1.  I have made snapshots of this system for testing, so the NSS databases have 
been backed up.

2.  For the pki-cad service, I can't find it in my system; it says there is no 
such service. But there is one service that failed, as below:

root@ecnshlx3039-test2(SH):requests #systemctl status pki-cad@pki-ca.service
pki-cad@pki-ca.service - PKI Certificate Authority Server pki-ca
          Loaded: loaded (/lib/systemd/system/pki-cad@.service; enabled)
          Active: failed (Result: exit-code) since Wed, 01 Jun 2016 06:28:53 +0200; 23min ago
         Process: 2675 ExecStop=/usr/bin/pkicontrol stop ca %i (code=exited, status=1/FAILURE)
         Process: 2525 ExecStart=/usr/bin/pkicontrol start ca %i (code=exited, status=0/SUCCESS)
        Main PID: 2593 (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/pki-cad@.service/pki-ca

Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]: pam_unix(runuser-l:session): session opened for user pkius...d=0)
Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]: pam_unix(runuser-l:session): session closed for user pkiuser
Jun 01 06:28:52 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]: pam_unix(runuser-l:session): session opened for user pkius...d=0)
Jun 01 06:28:53 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]: pam_unix(runuser-l:session): session closed for user pkiuser

I can't start it normally, and the log just says:
Jun  1 06:54:39 ecnshlx3039-test2 systemd[1]: pki-cad@pki-ca.service: control process exited, code=exited status=1
Jun  1 06:54:39 ecnshlx3039-test2 systemd[1]: Unit pki-cad@pki-ca.service entered failed state.

I will google more to try to start it first.


3.  About the source of the output for getcert list:

root@ecnshlx3039-test2(SH):requests #ll
total 64
-rw-------. 1 root root 5698 Jun  1 06:06 20120704140859         
-rw-------. 1 root root 5695 Jun  1 06:06 20120704140922
-rw-------. 1 root root 5654 Jun  1 06:06 20120704141150
-rw-------. 1 root root 5107 Jun  1 06:39 20140605220249
-rw-------. 1 root root 4982 Jun  1 06:39 20160601043748   
-rw-------. 1 root root 5144 Jun  1 06:39 20160601043749
-rw-------. 1 root root 5186 Jun  1 06:39 20160601043750
-rw-------. 1 root root 5126 Jun  1 06:39 20160601043751
root@ecnshlx3039-test2(SH):requests #
root@ecnshlx3039-test2(SH):requests #grep post_certsave_command *
20120704140859:post_certsave_command=/usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
20120704141150:post_certsave_command=/usr/lib64/ipa/certmonger/restart_httpd
root@ecnshlx3039-test2(SH):requests #grep pre_certsave_command *
root@ecnshlx3039-test2(SH):requests #

There are just two statements.

And this is the detailed info for ipaCert:
root@ecnshlx3039-test2(SH):requests #cat 20140605220249
id=20140605220249
key_type=RSA
key_gen_type=RSA
key_size=2048
key_gen_size=2048
key_storage_type=NSSDB
key_storage_location=/etc/httpd/alias
key_token=NSS Certificate DB
key_nickname=ipaCert
key_pin_file=/etc/httpd/alias/pwdfile.txt
cert_storage_type=NSSDB
cert_storage_location=/etc/httpd/alias
cert_token=NSS Certificate DB
cert_nickname=ipaCert
cert_issuer=CN=Certificate Authority,O=DRUTT.COM
cert_serial=07
cert_subject=CN=IPA RA,O=DRUTT.COM
cert_not_before=20120704140850
cert_not_after=20140624140850
cert_ku=1111
cert_eku=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
last_need_notify_check=20160601044851
last_need_enroll_check=20160601044851
template_subject=CN=IPA RA,O=DRUTT.COM
template_ku=1111
template_eku=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
state=MONITORING
autorenew=1
monitor=1
ca_name=dogtag-ipa-renew-agent
submitted=20160601044851

==========================================================================================================

4.  "getcert list" result:

root@ecnshlx3039-test2(SH):requests #getcert list
Number of certificates and requests being tracked: 8.
Request ID '20120704140859':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DRUTT-COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=ipa1.drutt.com,O=DRUTT.COM
        expires: 2016-06-05 22:03:17 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
        track: yes
        auto-renew: yes
Request ID '20120704140922':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://ipa1.drutt.com:443/ca/agent/ca/displayBySerial': [Errno -8053] (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=ipa1.drutt.com,O=DRUTT.COM
        expires: 2016-06-05 22:03:17 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20120704141150':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=ipa1.drutt.com,O=DRUTT.COM
        expires: 2016-06-05 22:03:17 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20140605220249':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=IPA RA,O=DRUTT.COM
        expires: 2014-06-24 14:08:50 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160601043748':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=CA Audit,O=DRUTT.COM
        expires: 2014-06-24 14:08:42 UTC
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160601043749':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=OCSP Subsystem,O=DRUTT.COM
        expires: 2014-06-24 14:08:41 UTC
        eku: id-kp-OCSPSigning
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160601043750':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=CA Subsystem,O=DRUTT.COM
        expires: 2014-06-24 14:08:41 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160601043751':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DRUTT.COM
        subject: CN=ipa1.drutt.com,O=DRUTT.COM
        expires: 2014-06-24 14:08:41 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes


thanks,
BR//Kay
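Rob's pointer above, that the files under /var/lib/certmonger/requests/<id> are the source of the `getcert list` output and that this certmonger build simply did not display the pre/post-save commands, can be turned into a small offline check. The following is an added example, not code from the thread, from certmonger or from FreeIPA: it parses records in the key=value layout shown in point 3 (PEM values continue on lines that start with one space) and flags tracked certificates that are already past cert_not_after or not in the MONITORING state. The two sample records, the placeholder PEM body and THREAD_TIME are constructed for the example.

```python
"""Summarise certmonger request files (/var/lib/certmonger/requests/<id>).
Each file is a flat key=value record; the PEM csr= and cert= values continue
on lines that begin with one space.  Timestamps are YYYYMMDDHHMMSS in UTC."""
from datetime import datetime, timezone

TIMESTAMP = "%Y%m%d%H%M%S"

# Constructed sample records modelled on the thread's files; the PEM body is a
# placeholder (a real file carries the full base64 certificate).
SAMPLE_IPACERT = """\
id=20140605220249
cert_nickname=ipaCert
cert_issuer=CN=Certificate Authority,O=DRUTT.COM
cert_subject=CN=IPA RA,O=DRUTT.COM
cert_not_after=20140624140850
state=MONITORING
ca_name=dogtag-ipa-renew-agent
cert=-----BEGIN CERTIFICATE-----
 CONSTRUCTEDPLACEHOLDERBASE64LINE
 -----END CERTIFICATE-----
"""
SAMPLE_DIRSRV = """\
id=20120704140859
cert_nickname=Server-Cert
cert_not_after=20160605220317
state=CA_UNREACHABLE
ca_name=IPA
post_certsave_command=/usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
"""
# Reference clock: about when the thread's commands were run (constructed).
THREAD_TIME = datetime(2016, 6, 1, 6, 0, tzinfo=timezone.utc)


def parse_request(text):
    """Parse one record into a dict, joining continuation lines.  Splitting on
    the first '=' keeps values like 'CN=Certificate Authority,O=DRUTT.COM'."""
    fields, key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and key is not None:
            fields[key] += "\n" + line[1:]
        elif "=" in line:
            key, _, value = line.partition("=")
            fields[key] = value
    return fields


def summarise(fields, now=THREAD_TIME):
    """Reduce a parsed record to the facts an admin checks during renewal."""
    not_after = datetime.strptime(fields["cert_not_after"], TIMESTAMP)
    not_after = not_after.replace(tzinfo=timezone.utc)
    return {
        "id": fields.get("id"),
        "nickname": fields.get("cert_nickname"),
        "state": fields.get("state"),
        "ca": fields.get("ca_name"),
        "not_after": not_after,
        "expired": not_after <= now,
        "pre_save": fields.get("pre_certsave_command", ""),
        "post_save": fields.get("post_certsave_command", ""),
    }


def problems(records, now=THREAD_TIME):
    """(id, reason) pairs for records past cert_not_after or not MONITORING."""
    found = []
    for text in records:
        s = summarise(parse_request(text), now)
        if s["expired"]:
            when = s["not_after"].strftime("%Y-%m-%d %H:%M:%S UTC")
            found.append((s["id"], "expired " + when))
        if s["state"] != "MONITORING":
            found.append((s["id"], "state " + s["state"]))
    return found


if __name__ == "__main__":
    for text in (SAMPLE_IPACERT, SAMPLE_DIRSRV):
        print(summarise(parse_request(text)))
    print(problems([SAMPLE_IPACERT, SAMPLE_DIRSRV]))
```

On a real server, feed the contents of each file in /var/lib/certmonger/requests/ to problems() with now=datetime.now(timezone.utc); a cert that is MONITORING but long past cert_not_after, as ipaCert is here, is exactly the case getcert's status line does not make obvious.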

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Wednesday, June 01, 2016 11:56 AM
To: Kay Zhou Y; freeipa-users@redhat.com
Cc: Doris Hongmei; Xionglin Gu
Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue

Kay Zhou Y wrote:
> Hi Rob,
>
> The status for ipaCert is MONITORING no matter before or after resubmit this 
> request ID, as below:
>
> Request ID '20140605220249':
>          status: MONITORING
>          stuck: no
>          key pair storage: 
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>          certificate: 
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
> Certificate DB'
>          CA: dogtag-ipa-renew-agent
>          issuer: CN=Certificate Authority,O=DRUTT.COM
>          subject: CN=IPA RA,O=DRUTT.COM
>          expires: 2014-06-24 14:08:50 UTC
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          pre-save command:
>          post-save command:
>          track: yes
>          auto-renew: yes
>
> I have restarted the ipa service before renewal since there is no pki-cad service 
> in our env.

Oh. So unfortunately the version of certmonger you have has a bug where the 
pre/post commands weren't displayed (it was only a display issue). 
If you look in /var/lib/certmonger/requests/<id> you can find the source for 
this output. See what the pre/post save command is for any of the CA subsystem 
certs and I guess perhaps ipaCert. I need to see how they are configured to do 
the renewal.

Maybe my memory is failing but I'd have sworn the CA process name was pki-cad. 
ipactl restart will restart the world. Given that the certs are expired you 
need to restart things when you go back in time. I saw that you are tracking 
the subsystem certs on this master so the CA must be installed.

> I have tried these processes so many times, and I even wanted to recreate 
> the ipaCert, but it failed.

Before you go poking too manually into things I'd strongly recommend backing up 
the NSS databases first. You could easily break something.

> The references I used are as below, but neither of them is applicable to 
> my issue :( http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
> http://www.freeipa.org/page/PKI
>
> And is it feasible to modify the expiration date of these certs manually, 
> or to recreate them directly?

You can't change any attributes of a certificate without re-issuing it. 
You can't issue a new cert without the CA up and I suspect it isn't up.

The cert may be in MONITORING when you go back in time because really, it's 
fine as long as it isn't expired, so MONITORING is a-ok.

rob

>
> Thanks,
> BR//Kay
> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Tuesday, May 31, 2016 11:10 PM
> To: Kay Zhou Y; freeipa-users@redhat.com
> Cc: Doris Hongmei; Xionglin Gu
> Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue
>
> Kay Zhou Y wrote:
>> Hi Rob,
>>
>> Thanks  for your reply.
>>
>> And about your suggestion, actually I have done it, but it just renewed the 
>> two 389-ds certs and Apache certs.
>> Since the ipaCert and subsystem certs expired on 20140624, I must 
>> roll back the time to before that and then begin to renew, but after I did this:
>>
>> "Let's force renewal on all of the certificates:
>> # for line in `getcert list | grep Request | cut -d "'" -f2`; do 
>> getcert resubmit -i $line; done ..."
>>
>> According to the wiki 
>> (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal), the CA 
>> subsystem certificates will be renewed. But they were not.
>
> Ok, what state are the certificates in? When you go back in time are you 
> restarting the pki-cad service before attempting to do the renewal?
>
>> Finally, after I finished all the actions mentioned in the wiki page, I still can't 
>> renew ipaCert and the other four CA subsystem certificates.
>> And the two 389-ds and apache certs will still expire after the date 
>> 20160623 (expiry date of ipaCert 20140624 + two years).
>>
>> Is there any other guide or doc about the ipaCert and CA subsystem 
>> certificates?
>
> Not really for IPA 2.x
>
> rob
>
>
>> Thanks a lot for your support!
>
>
>>
>> Thanks,
>> BR//Kay
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcrit...@redhat.com]
>> Sent: Friday, May 27, 2016 11:41 PM
>> To: Kay Zhou Y; freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue
>>
>> Kay Zhou Y wrote:
>>> Hi,
>>>
>>> This is Kay.
>>>
>>> I am not sure if the email address is correct, and I would really 
>>> appreciate any help with my issue. It has been baffling me for a few 
>>> days, and the expiry date is coming soon..
>>>
>>> There is an IPA 2.2 environment, and three "Server-Cert"s (two 389-ds 
>>> and the Apache certs) will expire at 2016-06-05 22:03:17 UTC.
>>>
>>> Two years ago, these certs were renewed by other guys according to 
>>> this
>>> document: http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>>>
>>> and it was successful; the certificates were renewed until 20160605.
>>>
>>> But recently I wanted to renew them again since the expiry date is coming.
>>> Then I followed the above guide; however, things did not go well.
>>
>> The problem looks to be because the IPA RA cert (ipaCert) isn't 
>> matching what dogtag expects. See the wiki page starting at
>>
>> "For ipaCert, stored in /etc/httpd/alias you have another job to do..."
>>
>> You'll want to be sure that description correctly matches the certificate in 
>> the Apache database and confirm that the usercertificate value in LDAP 
>> matches the cert being presented.
>>
>> rob
>>
>>>
>>> Below are the 8 certs which certmonger is tracking:
>>>
>>> root@ecnshlx3039-test2(SH):~ #getcert list
>>> Number of certificates and requests being tracked: 8.
>>> Request ID '20120704140859':
>>>         status: CA_UNREACHABLE
>>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
>>>         stuck: yes
>>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DRUTT-COM/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-DRUTT-COM',nickname='Server-Cert',token='NSS Certificate DB'
>>>         CA: IPA
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>>         expires: 2016-06-05 22:03:17 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20120704140922':
>>>         status: CA_UNREACHABLE
>>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
>>>         stuck: yes
>>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>>         CA: IPA
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>>         expires: 2016-06-05 22:03:17 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20120704141150':
>>>         status: CA_UNREACHABLE
>>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
>>>         stuck: yes
>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>         CA: IPA
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>>         expires: 2016-06-05 22:03:17 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20140605220249':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-renew-agent
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=IPA RA,O=DRUTT.COM
>>>         expires: 2014-06-24 14:08:50 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20160527075219':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-renew-agent
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=CA Audit,O=DRUTT.COM
>>>         expires: 2014-06-24 14:08:42 UTC
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20160527075220':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-renew-agent
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=OCSP Subsystem,O=DRUTT.COM
>>>         expires: 2014-06-24 14:08:41 UTC
>>>         eku: id-kp-OCSPSigning
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20160527075221':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-renew-agent
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=CA Subsystem,O=DRUTT.COM
>>>         expires: 2014-06-24 14:08:41 UTC
>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>> Request ID '20160527075222':
>>>         status: MONITORING
>>>         stuck: no
>>>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='565569846212'
>>>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>>         CA: dogtag-ipa-renew-agent
>>>         issuer: CN=Certificate Authority,O=DRUTT.COM
>>>         subject: CN=ipa1.drutt.com,O=DRUTT.COM
>>>         expires: 2014-06-24 14:08:41 UTC
>>>         eku: id-kp-serverAuth
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>>
>>> Following all the steps in the guide, the result is that just the first three 
>>> certificates are renewed to 20160622 if I set the system time to 
>>> 20140623 (when the four CA subsystem certs and the CA cert are valid).
>>>
>>> But the other five are not renewed at all (the four CA subsystem certs 
>>> and the CA cert). There is no error information during these steps.
>>>
>>> I googled a lot but still found nothing that could resolve it, and then I 
>>> found there was a similar thread:
>>> https://www.redhat.com/archives/freeipa-users/2015-October/msg00174.html
>>>
>>> But unfortunately the solution is not applicable to my issue either.
>>>
>>> Since I am not familiar with FreeIPA, it bothers me so much.
>>>
>>> Any help will be really appreciated. Thanks in advance!
>>>
>>> Thanks,
>>>
>>> BR//Kay
>>>
>>>
>>>
>>
>

