*Update: my webserver and LDAP certificates expired at 2016-07-18 15:54:36 UTC and the certificates are in CA_UNREACHABLE state.*
*Could you please help us?*

[root@caer tmp]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20111214223243':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        *expires: 2016-07-18 15:54:36 UTC*
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20111214223300':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        *expires: 2016-07-18 15:54:52 UTC*
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20111214223316':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        *expires: 2016-07-18 15:55:04 UTC*
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130519130741':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=CA Audit,O=TELOIP.NET
        expires: 2017-10-13 14:10:49 UTC
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130742':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=OCSP Subsystem,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-OCSPSigning
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130743':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=CA Subsystem,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130744':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=RA Subsystem,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20130519130745':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
        track: yes
        auto-renew: yes

On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh <linov.sur...@gmail.com> wrote:
> Yes, PKI is running and I don't see any errors in selftests, I have
> followed https://access.redhat.com/solutions/643753 and restarted the PKI
> in step 10.
>
> The only change which I made was clean up userCertificate;binary before
> adding new userCertificate in LDAP, which is step 12.
>
> [root@caer ~]# /etc/init.d/pki-cad status
> pki-ca (pid 8634) is running...                            [  OK  ]
>     Unsecure Port       = http://caer.teloip.net:9180/ca/ee/ca
>     Secure Agent Port   = https://caer.teloip.net:9443/ca/agent/ca
>     Secure EE Port      = https://caer.teloip.net:9444/ca/ee/ca
>     Secure Admin Port   = https://caer.teloip.net:9445/ca/services
>     EE Client Auth Port = https://caer.teloip.net:9446/ca/eeca/ca
>     PKI Console Port    = pkiconsole https://caer.teloip.net:9445/ca
>     Tomcat Port         = 9701 (for shutdown)
>
>     PKI Instance Name:   pki-ca
>
>     PKI Subsystem Type:  Root CA (Security Domain)
>
>     Registered PKI Security Domain Information:
>
>     ==========================================================================
>     Name:  IPA
>     URL:   https://caer.teloip.net:9445
>
>     ==========================================================================
> [root@caer ~]#
> [root@caer ~]# tail -f /var/log/pki-ca/selftests.log
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:
> loading all self test plugin logger parameters
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:
> loading all self test plugin instances
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:
> loading all self test plugin instance parameters
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:
> loading self test plugins in on-demand order
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:
> loading self test plugins in startup order
> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: Self
> test plugins have been successfully loaded!
> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: Running
> self test plugins specified to be executed at startup:
> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence: CA is present
> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification:
> system certs verification success
> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All
> CRITICAL self test plugins ran SUCCESSFULLY at startup!
>
> Your help is highly appreciated!
>
>
> Linov Suresh
>
> 70 Forest Manor Rd.
> Toronto
> ON M2J 0A9
> Mobile: +1 647 406 9438
> Linkedin: ca.linkedin.com/in/linov/
> Website: http://mylinuxthoughts.blogspot.com
>
>
> On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik <pvobo...@redhat.com>
> wrote:
>
>> On 07/18/2016 05:45 AM, Linov Suresh wrote:
>> > Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and
>> > certmonger. Looks like certificates were renewed. But I'm getting a different
>> > error now,
>> >
>> > *ca-error: Internal error: no response to
>> > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".*
>>
>> Is PKI running? When you change the time, does restart of IPA help?
>>
>> >
>> > [root@caer ~]# getcert list
>> > Number of certificates and requests being tracked: 8.
>> > Request ID '20111214223243':
>> >         status: MONITORING
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
>> >         CA: IPA
>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>> >         subject: CN=caer.teloip.net,O=TELOIP.NET
>> >         expires: 2016-07-18 15:54:36 UTC
>> >         eku: id-kp-serverAuth
>> >         pre-save command:
>> >         post-save command:
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20111214223300':
>> >         status: MONITORING
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>> >         CA: IPA
>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>> >         subject: CN=caer.teloip.net,O=TELOIP.NET
>> >         expires: 2016-07-18 15:54:52 UTC
>> >         eku: id-kp-serverAuth
>> >         pre-save command:
>> >         post-save command:
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20111214223316':
>> >         status: MONITORING
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> >         CA: IPA
>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>> >         subject: CN=caer.teloip.net,O=TELOIP.NET
>> >         expires: 2016-07-18 15:55:04 UTC
>> >         eku: id-kp-serverAuth
>> >         pre-save command:
>> >         post-save command:
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20130519130741':
>> >         status: MONITORING
>> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>> >         CA: dogtag-ipa-renew-agent
>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>> >         subject: CN=CA Audit,O=TELOIP.NET
>> >         expires: 2017-10-13 14:10:49 UTC
>> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20130519130742':
>> >         status: MONITORING
>> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>> >         CA: dogtag-ipa-renew-agent
>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>> >         subject: CN=OCSP Subsystem,O=TELOIP.NET
>> >         expires: 2017-10-13 14:09:49 UTC
>> >         eku: id-kp-OCSPSigning
>> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20130519130743':
>> >         status: MONITORING
>> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>> >         CA: dogtag-ipa-renew-agent
>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>> >         subject: CN=CA Subsystem,O=TELOIP.NET
>> >         expires: 2017-10-13 14:09:49 UTC
>> >         eku: id-kp-serverAuth,id-kp-clientAuth
>> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20130519130744':
>> >         status: MONITORING
>> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>> >         CA: dogtag-ipa-renew-agent
>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>> >         subject: CN=RA Subsystem,O=TELOIP.NET
>> >         expires: 2017-10-13 14:09:49 UTC
>> >         eku: id-kp-serverAuth,id-kp-clientAuth
>> >         pre-save command:
>> >         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20130519130745':
>> >         status: MONITORING
>> >         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>> >         CA: dogtag-ipa-renew-agent
>> >         issuer: CN=Certificate Authority,O=TELOIP.NET
>> >         subject: CN=caer.teloip.net,O=TELOIP.NET
>> >         expires: 2017-10-13 14:09:49 UTC
>> >         eku: id-kp-serverAuth,id-kp-clientAuth
>> >         pre-save command:
>> >         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
>> >         track: yes
>> >         auto-renew: yes
>> > [root@caer ~]#
>> >
>> > Your help is highly appreciated!
>> >
>> >
>> >
>> > On Fri, Jul 15, 2016 at 5:08 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>> >
>> >     Linov Suresh wrote:
>> >
>> >         I logged into my IPA master, and found that the cert had expired again,
>> >         we renewed these certificates about 18 months ago.
>> >
>> >         Our environment is CentOS 6.4 and IPA 3.0.0-26.
>> >
>> >         I followed the Redhat documentation, How do I manually renew Identity
>> >         Management (IPA) certificates after they have expired? (Master IPA
>> >         Server), https://access.redhat.com/solutions/643753 but no luck.
>> >
>> >         I have also changed the directive "NSSEnforceValidCerts off" in
>> >         /etc/httpd/conf.d/nss.conf and the value of nsslapd-validate-cert is warn.
>> >
>> >         ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w *******
>> >         -b cn=config | grep nsslapd-validate-cert
>> >
>> >         nsslapd-validate-cert: warn
>> >
>> >         Here is my getcert list,
>> >
>> >         [root@caer ~]# getcert list
>> >
>> >
>> >     It looks like your CA subsystem certificates all renewed successfully it is
>> >     just the webserver and LDAP certificates that need renewing so that's good.
>> >
>> >     What I'd do is go back in time again to say Jan 20, 2016 and restart
>> >     certmonger. That should make it retry the renewals.
>> >
>> >     rob
>> >
>>
>> --
>> Petr Vobornik
>
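A defender's check for the situation in this thread: the script below (added here; it is not from the thread, certmonger or FreeIPA) parses `getcert list` output and flags requests that are expired, stuck in CA_UNREACHABLE, or still MONITORING but carrying a ca-error, the three states seen in the listings above. The sample input is constructed with placeholder host and realm names; `parse_getcert_list`, `triage` and `report` are names chosen for this example.

```python
import re
from datetime import datetime, timezone
# Constructed sample in `getcert list` format (fields trimmed, placeholder host/realm).
SAMPLE = """Number of certificates and requests being tracked: 3.
Request ID '20111214223243':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
\tstuck: yes
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2016-07-18 15:54:36 UTC
Request ID '20130519130741':
\tstatus: MONITORING
\tca-error: Internal error: no response to "http://ipa.example.test:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
\tstuck: no
\tsubject: CN=CA Audit,O=EXAMPLE.TEST
\texpires: 2017-10-13 14:10:49 UTC
Request ID '20130519130745':
\tstatus: MONITORING
\tstuck: no
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2017-10-13 14:09:49 UTC
"""

def parse_getcert_list(text):
    """Split `getcert list` output into one dict per 'Request ID' block."""
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")  # split on the first colon only
            current[key.strip()] = value.strip()  # e.g. "ca-error" -> message text
    return entries

def parse_utc(stamp):
    # '2016-07-18 15:54:36 UTC' -> timezone-aware datetime
    return datetime.strptime(stamp.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def triage(entry, now):
    """One-line verdict for a tracked request, judged against the clock `now`."""
    expires = parse_utc(entry["expires"]) if "expires" in entry else None
    if expires is not None and expires <= now:
        return "expired at " + entry["expires"]
    if entry.get("status") == "CA_UNREACHABLE" or entry.get("stuck") == "yes":
        return "renewal stuck (%s): %s" % (entry.get("status"), entry.get("ca-error", ""))
    if "ca-error" in entry:  # still MONITORING, but the last renewal attempt failed
        return "last renewal attempt failed: " + entry["ca-error"]
    return "ok"

def report(text, now_stamp):
    """Map request ID -> verdict for `getcert list` text at the given UTC time."""
    now = parse_utc(now_stamp)
    return {e["request_id"]: triage(e, now) for e in parse_getcert_list(text)}
```

Feed it the real output with `report(open("getcert.txt").read(), "<now> UTC")`; the clock is passed in explicitly so the check is reproducible when, as in this thread, the system time has been moved.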