Yes, PKI is running and I don't see any errors in selftests, I have followed https://access.redhat.com/solutions/643753 and restarted the PKI in step 10.
The only change which I made was to clean up userCertificate;binary before adding the new userCertificate in LDAP, which is step 12.

[root@caer ~]# /etc/init.d/pki-cad status
pki-ca (pid 8634) is running...                            [  OK  ]
    Unsecure Port       = http://caer.teloip.net:9180/ca/ee/ca
    Secure Agent Port   = https://caer.teloip.net:9443/ca/agent/ca
    Secure EE Port      = https://caer.teloip.net:9444/ca/ee/ca
    Secure Admin Port   = https://caer.teloip.net:9445/ca/services
    EE Client Auth Port = https://caer.teloip.net:9446/ca/eeca/ca
    PKI Console Port    = pkiconsole https://caer.teloip.net:9445/ca
    Tomcat Port         = 9701 (for shutdown)

    PKI Instance Name:   pki-ca

    PKI Subsystem Type:  Root CA (Security Domain)

    Registered PKI Security Domain Information:
    ==========================================================================
    Name:  IPA
    URL:   https://caer.teloip.net:9445
    ==========================================================================
[root@caer ~]#

[root@caer ~]# tail -f /var/log/pki-ca/selftests.log
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence: CA is present
8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification: system certs verification success
8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!

Your help is highly appreciated!

Linov Suresh
70 Forest Manor Rd.
Toronto ON M2J 0A9
Mobile: +1 647 406 9438
Linkedin: ca.linkedin.com/in/linov/
Website: http://mylinuxthoughts.blogspot.com

On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik <pvobo...@redhat.com> wrote:

> On 07/18/2016 05:45 AM, Linov Suresh wrote:
> > Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and
> > certmonger. Looks like certificates were renewed. But I'm getting a
> > different error now,
> >
> > *ca-error: Internal error: no response to
> > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".*
>
> Is PKI running? When you change the time, does a restart of IPA help?
>
> >
> > [root@caer ~]# getcert list
> > Number of certificates and requests being tracked: 8.
> > Request ID '20111214223243':
> >         status: MONITORING
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=TELOIP.NET
> >         subject: CN=caer.teloip.net,O=TELOIP.NET
> >         expires: 2016-07-18 15:54:36 UTC
> >         eku: id-kp-serverAuth
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> > Request ID '20111214223300':
> >         status: MONITORING
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=TELOIP.NET
> >         subject: CN=caer.teloip.net,O=TELOIP.NET
> >         expires: 2016-07-18 15:54:52 UTC
> >         eku: id-kp-serverAuth
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> > Request ID '20111214223316':
> >         status: MONITORING
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=TELOIP.NET
> >         subject: CN=caer.teloip.net,O=TELOIP.NET
> >         expires: 2016-07-18 15:55:04 UTC
> >         eku: id-kp-serverAuth
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> > Request ID '20130519130741':
> >         status: MONITORING
> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=TELOIP.NET
> >         subject: CN=CA Audit,O=TELOIP.NET
> >         expires: 2017-10-13 14:10:49 UTC
> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
> >         track: yes
> >         auto-renew: yes
> > Request ID '20130519130742':
> >         status: MONITORING
> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=TELOIP.NET
> >         subject: CN=OCSP Subsystem,O=TELOIP.NET
> >         expires: 2017-10-13 14:09:49 UTC
> >         eku: id-kp-OCSPSigning
> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
> >         track: yes
> >         auto-renew: yes
> > Request ID '20130519130743':
> >         status: MONITORING
> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=TELOIP.NET
> >         subject: CN=CA Subsystem,O=TELOIP.NET
> >         expires: 2017-10-13 14:09:49 UTC
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> >         track: yes
> >         auto-renew: yes
> > Request ID '20130519130744':
> >         status: MONITORING
> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=TELOIP.NET
> >         subject: CN=RA Subsystem,O=TELOIP.NET
> >         expires: 2017-10-13 14:09:49 UTC
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> >         track: yes
> >         auto-renew: yes
> > Request ID '20130519130745':
> >         status: MONITORING
> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=TELOIP.NET
> >         subject: CN=caer.teloip.net,O=TELOIP.NET
> >         expires: 2017-10-13 14:09:49 UTC
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
> >         track: yes
> >         auto-renew: yes
> > [root@caer ~]#
> >
> > Your help is highly appreciated!
> >
> > On Fri, Jul 15, 2016 at 5:08 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> >
> > > Linov Suresh wrote:
> > > > I logged into my IPA master, and found that the cert had expired again;
> > > > we renewed these certificates about 18 months ago.
> > > >
> > > > Our environment is CentOS 6.4 and IPA 3.0.0-26.
> > > >
> > > > I followed the Red Hat documentation, How do I manually renew Identity
> > > > Management (IPA) certificates after they have expired? (Master IPA
> > > > Server), https://access.redhat.com/solutions/643753 but no luck.
> > > >
> > > > I have also changed the directive "NSSEnforceValidCerts off" in
> > > > /etc/httpd/conf.d/nss.conf and the value of nsslapd-validate-cert is warn.
> > > >
> > > > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w *******
> > > > -b cn=config | grep nsslapd-validate-cert
> > > >
> > > > nsslapd-validate-cert: warn
> > > >
> > > > Here is my getcert list,
> > > >
> > > > [root@caer ~]# getcert list
> > >
> > > It looks like your CA subsystem certificates all renewed successfully; it is
> > > just the webserver and LDAP certificates that need renewing, so that's good.
> > >
> > > What I'd do is go back in time again to say Jan 20, 2016 and restart
> > > certmonger. That should make it retry the renewals.
> > >
> > > rob
>
> --
> Petr Vobornik
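A small checker for the situation discussed in this thread, added here as an example and not code from the thread or from FreeIPA: it parses `getcert list` output and classifies each tracked certificate as already expired, carrying a `ca-error` from a failed renewal attempt (the state the CA subsystem certs above are in), close to expiry, or fine. The sample output is constructed with the thread's field layout; the hostname and timestamps in it are made up.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the thread's `getcert list` fields (not the real output).
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20111214223243':
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        expires: 2016-07-18 15:55:04 UTC
Request ID '20130519130741':
        ca-error: Internal error: no response to "http://ca.example.test:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2017-10-13 14:10:49 UTC
Request ID '20130519130744':
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        expires: 2019-01-01 00:00:00 UTC
"""

def _ts(s):
    # certmonger prints 'YYYY-MM-DD HH:MM:SS UTC'
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S UTC")

def parse_getcert(text):
    """Split `getcert list` output into one dict per Request ID; keys are the field names."""
    entries, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '(\d+)':", line)
        if m:
            cur = {"id": m.group(1)}
            entries.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.strip().partition(":")   # split on the first colon only
            cur[key.strip()] = val.strip()
    return entries

def check(entries, now, warn_days=30):
    """Return (request id, nickname, state); state is EXPIRED, CA-ERROR, EXPIRING or OK."""
    now, out = _ts(now), []
    for e in entries:
        nick = re.search(r"nickname='([^']*)'", e.get("key pair storage", ""))
        exp = _ts(e["expires"])
        if exp <= now:
            state = "EXPIRED"      # past 'expires'; renewal has to be forced
        elif "ca-error" in e:
            state = "CA-ERROR"     # still valid, but certmonger's last renewal attempt failed
        elif exp - now <= timedelta(days=warn_days):
            state = "EXPIRING"
        else:
            state = "OK"
        out.append((e["id"], nick.group(1) if nick else "?", state))
    return out
```

On a real master, pass the text of `getcert list` to parse_getcert() and the current time to check(); a CA-ERROR on a not-yet-expired cert is the case where the CA itself must be reachable before certmonger's retry can succeed.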