Glad you got the certificates successfully renewed.

Can you open a new e-mail thread on this new problem so we can keep the issues separated?

IPA gets little information back when dogtag fails to install. You need to look in /var/log/<something>/debug for more information. The exact location depends on the version of IPA.

rob
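Most of the thread below is people reading raw `getcert list` output by eye to work out which tracking requests are expired, which are stuck, and which merely failed their last renewal attempt. The shell function here is an added example, not part of this thread or of the certmonger/FreeIPA tooling: it triages a `getcert list` dump and gives each request one verdict. The sample output it runs against is constructed from the listing quoted later in the thread (same IDs, nicknames and expiry dates, fields trimmed), with two extra made-up requests so that the EXPIRING and OK cases appear; the function name, the verdict labels and the cut-off arguments are my own.

```shell
#!/bin/sh
# Added example (not from the thread): triage a `getcert list` dump so the
# expired, stuck and failing-to-renew tracking requests stand out.
#
#   getcert list | getcert_triage NOW SOON
#
# NOW and SOON are UTC timestamps in certmonger's own "YYYY-MM-DD HH:MM:SS"
# layout. A request whose certificate expires before NOW is EXPIRED, before
# SOON is EXPIRING; otherwise "stuck: yes", a status other than MONITORING,
# or a recorded ca-error is reported. Timestamps are compared as strings,
# which is only valid because the layout is fixed-width ISO.
# Exit status is 1 when anything other than OK was seen, so the function can
# sit in a cron job or a monitoring check.

getcert_triage() {
    awk -v now="$1" -v soon="$2" '
        function flush() {
            if (id == "") return
            verdict = "OK"
            if (expires != "" && expires < now)       verdict = "EXPIRED"
            else if (expires != "" && expires < soon) verdict = "EXPIRING"
            else if (stuck == "yes")                  verdict = "STUCK"
            else if (status != "MONITORING")          verdict = "NOT-MONITORING"
            else if (caerr != "")                     verdict = "CA-ERROR"
            if (verdict != "OK") bad = 1
            printf "%s %s %s %s\n", id, status, (expires == "" ? "-" : expires), verdict
            id = ""; status = ""; stuck = ""; expires = ""; caerr = ""
        }
        # Request ID line: $3 is the ID wrapped in quotes plus a trailing colon
        $1 == "Request" && $2 == "ID" { flush(); id = substr($3, 2, length($3) - 3); next }
        $1 == "status:"   { status = $2; next }
        $1 == "stuck:"    { stuck = $2; next }
        $1 == "expires:"  { expires = $2 " " $3; next }
        $1 == "ca-error:" { caerr = $0; next }
        END { flush(); exit bad + 0 }
    '
}

# Constructed sample in the layout certmonger prints, reduced to the fields
# the triage reads. The first two requests mirror the thread; the last two
# are invented so the EXPIRING and OK verdicts show up.
sample_getcert() {
    cat <<'EOF'
Number of certificates and requests being tracked: 4.
Request ID '20111214223243':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
        CA: IPA
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2016-07-18 15:54:36 UTC
        track: yes
        auto-renew: yes
Request ID '20130519130741':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
        stuck: no
        CA: dogtag-ipa-renew-agent
        subject: CN=CA Audit,O=TELOIP.NET
        expires: 2017-10-13 14:10:49 UTC
        track: yes
        auto-renew: yes
Request ID '20160801120000':
        status: MONITORING
        stuck: no
        CA: IPA
        subject: CN=host.example.test,O=TELOIP.NET
        expires: 2016-08-01 12:00:00 UTC
        track: yes
        auto-renew: yes
Request ID '20160801120001':
        status: MONITORING
        stuck: no
        CA: IPA
        subject: CN=other.example.test,O=TELOIP.NET
        expires: 2018-01-01 00:00:00 UTC
        track: yes
        auto-renew: yes
EOF
}

# Demo run against the constructed sample. A real run pipes `getcert list`
# instead and derives SOON with e.g. `date -u -d '+30 days' '+%Y-%m-%d %H:%M:%S'`
# on GNU date. `|| :` keeps the demo from aborting a `set -e` shell.
sample_getcert | getcert_triage "2016-07-18 16:00:00" "2016-08-17 16:00:00" || :
```

Read the verdicts in order of severity: EXPIRED is the outage, but CA-ERROR on the `dogtag-ipa-renew-agent` requests is the cause to chase, because those are the CA subsystem certificates the renewal agent itself depends on; once the CA is back, `getcert resubmit -i <Request ID>` forces a retry without waiting for certmonger's backoff.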

Linov Suresh wrote:
Great! That worked, and I successfully renewed the certificates on
the IPA server. Then I was trying to create an IPA replica server and got
an error:

[root@neit-lab ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders --skip-conncheck /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg
Directory Manager (existing master) password:
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname neit-lab.teloip.net -cs_port 9445 -client_certdb_dir /tmp/tmp-QAXI9A -client_certdb_pwd XXXXXXXX -preop_pin UpMxkDYjV90WLL041tDU -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET -ldap_host neit-lab.teloip.net -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TELOIP.NET -ca_server_cert_subject_name CN=neit-lab.teloip.net,O=TELOIP.NET -ca_audit_signing_cert_subject_name CN=CA Audit,O=TELOIP.NET -ca_sign_cert_subject_name CN=Certificate Authority,O=TELOIP.NET -external false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX -sd_hostname caer.teloip.net -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri https://caer.teloip.net:443' returned non-zero exit status 255
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Configuration of CA failed
[root@neit-lab ~]#

I did a clean up using /usr/sbin/ipa-server-install --uninstall, but it
wasn't helpful. Wondering if you can help us with this.



On Tue, Jul 19, 2016 at 10:50 AM, Rob Crittenden <rcrit...@redhat.com> wrote:

    Linov Suresh wrote:

        I have followed Redhat official documentation,
        https://access.redhat.com/solutions/643753 for certificate renewal,
        which says *add: usercertificate* (step 12).

        While on the other hand FreeIPA official documentation
        http://www.freeipa.org/page/IPA_2x_Certificate_Renewal says to *add:
        usercertificate;binary*.

        Just wondering if we need to *add* the certificate or *replace* the
        existing certificate, and which format do we need to use? *pem*
        or *der*?

        We already successfully renewed the certificates some months
        back, but they expired about 6 months back and we were not able to
        renew them till now, and it is affecting our production environment.

        Please help us.


    You shouldn't have to mess with these values at all. In 3.0 this is
    handled somewhat automatically.

    I'd restart the CA, then certmonger and see if the communication
    error goes away for the CA subservice certificates (the internal error).

    # service pki-cad restart
    <pause a bit>
    # service certmonger restart

    I find it very strange that the certificates were set to expire
    yesterday but it isn't a show-stopper necessarily assuming you can
    get the CA back up.

    Assuming you can, then go back in time again, this time just a few
    days and try renewing the LDAP and Apache server certs again.

    rob


        On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh <linov.sur...@gmail.com> wrote:

             We have cloned and created another virtual server from the template.
             Surprisingly, this server's certificates also expired at the same
             time as the previous one's; they lasted just a day.
             Does this issue have something to do with the Kerberos tickets?

             I am new to IPA and your help is highly appreciated.

             On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh <linov.sur...@gmail.com> wrote:

                 *Update: my webserver and LDAP certificates expired at
                 2016-07-18 15:54:36 UTC and the certificates are in
                 CA_UNREACHABLE state.*

                 *Could you please help us?*

                 [root@caer tmp]# getcert list
                 Number of certificates and requests being tracked: 8.
                 Request ID '20111214223243':
                         status: CA_UNREACHABLE
                         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
                         stuck: yes
                         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
                         certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
                         CA: IPA
                         issuer: CN=Certificate Authority,O=TELOIP.NET
                         subject: CN=caer.teloip.net,O=TELOIP.NET
                         *expires: 2016-07-18 15:54:36 UTC*
                         eku: id-kp-serverAuth
                         pre-save command:
                         post-save command:
                         track: yes
                         auto-renew: yes
                 Request ID '20111214223300':
                         status: CA_UNREACHABLE
                         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
                         stuck: yes
                         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
                         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
                         CA: IPA
                         issuer: CN=Certificate Authority,O=TELOIP.NET
                         subject: CN=caer.teloip.net,O=TELOIP.NET
                         *expires: 2016-07-18 15:54:52 UTC*
                         eku: id-kp-serverAuth
                         pre-save command:
                         post-save command:
                         track: yes
                         auto-renew: yes
                 Request ID '20111214223316':
                         status: CA_UNREACHABLE
                         ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
                         stuck: yes
                         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
                         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
                         CA: IPA
                         issuer: CN=Certificate Authority,O=TELOIP.NET
                         subject: CN=caer.teloip.net,O=TELOIP.NET
                         *expires: 2016-07-18 15:55:04 UTC*
                         eku: id-kp-serverAuth
                         pre-save command:
                         post-save command:
                         track: yes
                         auto-renew: yes
                 Request ID '20130519130741':
                         status: MONITORING
                         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
                         stuck: no
                         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
                         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
                         CA: dogtag-ipa-renew-agent
                         issuer: CN=Certificate Authority,O=TELOIP.NET
                         subject: CN=CA Audit,O=TELOIP.NET
                         expires: 2017-10-13 14:10:49 UTC
                         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
                         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
                         track: yes
                         auto-renew: yes
                 Request ID '20130519130742':
                         status: MONITORING
                         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
                         stuck: no
                         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
                         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
                         CA: dogtag-ipa-renew-agent
                         issuer: CN=Certificate Authority,O=TELOIP.NET
                         subject: CN=OCSP Subsystem,O=TELOIP.NET
                         expires: 2017-10-13 14:09:49 UTC
                         eku: id-kp-OCSPSigning
                         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
                         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
                         track: yes
                         auto-renew: yes
                 Request ID '20130519130743':
                         status: MONITORING
                         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
                         stuck: no
                         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
                         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
                         CA: dogtag-ipa-renew-agent
                         issuer: CN=Certificate Authority,O=TELOIP.NET
                         subject: CN=CA Subsystem,O=TELOIP.NET
                         expires: 2017-10-13 14:09:49 UTC
                         eku: id-kp-serverAuth,id-kp-clientAuth
                         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
                         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
                         track: yes
                         auto-renew: yes
                 Request ID '20130519130744':
                         status: MONITORING
                         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
                         stuck: no
                         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
                         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
                         CA: dogtag-ipa-renew-agent
                         issuer: CN=Certificate Authority,O=TELOIP.NET
                         subject: CN=RA Subsystem,O=TELOIP.NET
                         expires: 2017-10-13 14:09:49 UTC
                         eku: id-kp-serverAuth,id-kp-clientAuth
                         pre-save command:
                         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
                         track: yes
                         auto-renew: yes
                 Request ID '20130519130745':
                         status: MONITORING
                         ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
                         stuck: no
                         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
                         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
                         CA: dogtag-ipa-renew-agent
                         issuer: CN=Certificate Authority,O=TELOIP.NET
                         subject: CN=caer.teloip.net,O=TELOIP.NET
                         expires: 2017-10-13 14:09:49 UTC
                         eku: id-kp-serverAuth,id-kp-clientAuth
                         pre-save command:
                         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
                         track: yes
                         auto-renew: yes

                 On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh <linov.sur...@gmail.com> wrote:

                     Yes, PKI is running and I don't see any errors in selftests.
                     I have followed https://access.redhat.com/solutions/643753
                     and restarted the PKI in step 10.

                     The only change which I made was to clean up
                     userCertificate;binary before adding the new
                     userCertificate in LDAP, which is step 12.


                     [root@caer ~]# /etc/init.d/pki-cad status
                     pki-ca (pid 8634) is running...                            [  OK  ]
                         Unsecure Port       = http://caer.teloip.net:9180/ca/ee/ca
                         Secure Agent Port   = https://caer.teloip.net:9443/ca/agent/ca
                         Secure EE Port      = https://caer.teloip.net:9444/ca/ee/ca
                         Secure Admin Port   = https://caer.teloip.net:9445/ca/services
                         EE Client Auth Port = https://caer.teloip.net:9446/ca/eeca/ca
                         PKI Console Port    = pkiconsole https://caer.teloip.net:9445/ca
                         Tomcat Port         = 9701 (for shutdown)

                         PKI Instance Name:   pki-ca

                         PKI Subsystem Type:  Root CA (Security Domain)

                         Registered PKI Security Domain Information:

                         ==========================================================================
                         Name:  IPA
                         URL: https://caer.teloip.net:9445
                         ==========================================================================
                     [root@caer ~]#
                     [root@caer ~]# tail -f /var/log/pki-ca/selftests.log
                     8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading all self test plugin logger parameters
                     8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading all self test plugin instances
                     8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading all self test plugin instance parameters
                     8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading self test plugins in on-demand order
                     8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading self test plugins in startup order
                     8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
                     8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
                     8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence:  CA is present
                     8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification: system certs verification success
                     8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!

                     Your help is highly appreciated!

                         Linov Suresh

                         70 Forest Manor Rd.
                         Toronto
                         ON M2J 0A9
                         Mobile: +1 647 406 9438
                         Linkedin: ca.linkedin.com/in/linov/
                         Website: http://mylinuxthoughts.blogspot.com


                     On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik <pvobo...@redhat.com> wrote:

                         On 07/18/2016 05:45 AM, Linov Suresh wrote:
                         > Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and
                         > certmonger. Looks like the certificates were renewed. But I'm getting a different
                         > error now,
                         >
                         > *ca-error: Internal error: no response to
                         > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".*

                         Is PKI running? When you change the time, does a restart
                         of IPA help?

                         >
                         > [root@caer ~]# getcert list
                         > Number of certificates and requests being tracked: 8.
                         > Request ID '20111214223243':
                         >          status: MONITORING
                         >          stuck: no
                         >          key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
                         >          certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
                         >          CA: IPA
                         >          issuer: CN=Certificate Authority,O=TELOIP.NET
                         >          subject: CN=caer.teloip.net,O=TELOIP.NET
                         >          expires: 2016-07-18 15:54:36 UTC
                         >          eku: id-kp-serverAuth
                         >          pre-save command:
                         >          post-save command:
                         >          track: yes
                         >          auto-renew: yes
                         > Request ID '20111214223300':
                         >          status: MONITORING
                         >          stuck: no
                         >          key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
                         >          certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
                         >          CA: IPA
                         >          issuer: CN=Certificate Authority,O=TELOIP.NET
                         >          subject: CN=caer.teloip.net,O=TELOIP.NET
                         >          expires: 2016-07-18 15:54:52 UTC
                         >          eku: id-kp-serverAuth
                         >          pre-save command:
                         >          post-save command:
                         >          track: yes
                         >          auto-renew: yes
                         > Request ID '20111214223316':
                         >          status: MONITORING
                         >          stuck: no
                         >          key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
                         >          certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
                         >          CA: IPA
                         >          issuer: CN=Certificate Authority,O=TELOIP.NET
                         >          subject: CN=caer.teloip.net,O=TELOIP.NET
                         >          expires: 2016-07-18 15:55:04 UTC
                         >          eku: id-kp-serverAuth
                         >          pre-save command:
                         >          post-save command:
                         >          track: yes
                         >          auto-renew: yes
                         > Request ID '20130519130741':
                         >          status: MONITORING
                         >          ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
                         >          stuck: no
                         >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
                         >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
                         >          CA: dogtag-ipa-renew-agent
                         >          issuer: CN=Certificate Authority,O=TELOIP.NET
                         >          subject: CN=CA Audit,O=TELOIP.NET
                         >          expires: 2017-10-13 14:10:49 UTC
                         >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
                         >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
                         >          track: yes
                         >          auto-renew: yes
                         > Request ID '20130519130742':
                         >          status: MONITORING
                         >          ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
                         >          stuck: no
                         >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
                         >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
                         >          CA: dogtag-ipa-renew-agent
                         >          issuer: CN=Certificate Authority,O=TELOIP.NET
                         >          subject: CN=OCSP Subsystem,O=TELOIP.NET
                         >          expires: 2017-10-13 14:09:49 UTC
                         >          eku: id-kp-OCSPSigning
                         >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
                         >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
                         >          track: yes
                         >          auto-renew: yes
                         > Request ID '20130519130743':
                         >          status: MONITORING
                         >          ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
                         >          stuck: no
                         >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
                         >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
                         >          CA: dogtag-ipa-renew-agent
                         >          issuer: CN=Certificate Authority,O=TELOIP.NET
                         >          subject: CN=CA Subsystem,O=TELOIP.NET
                         >          expires: 2017-10-13 14:09:49 UTC
                         >          eku: id-kp-serverAuth,id-kp-clientAuth
                         >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
                         >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
                         >          track: yes
                         >          auto-renew: yes
                         > Request ID '20130519130744':
                         >          status: MONITORING
                         >          ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
                         >          stuck: no
                         >          key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
                         >          certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
                         >          CA: dogtag-ipa-renew-agent
                         >          issuer: CN=Certificate Authority,O=TELOIP.NET
                         >          subject: CN=RA Subsystem,O=TELOIP.NET
                         >          expires: 2017-10-13 14:09:49 UTC
                         >          eku: id-kp-serverAuth,id-kp-clientAuth
                         >          pre-save command:
                         >          post-save command: /usr/lib64/ipa/certmonger/restart_httpd
                         >          track: yes
                         >          auto-renew: yes
                         > Request ID '20130519130745':
                         >          status: MONITORING
                         >          ca-error: Internal error: no response to
                         >
        
"http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true";.
                         >          stuck: no
                         >          key pair storage:
                         >
        type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
                         > cert-pki-ca',token='NSS Certificate
        DB',pin='297100916664'
                         >          certificate:
                         >
        type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
                         > cert-pki-ca',token='NSS Certificate DB'
                         >          CA: dogtag-ipa-renew-agent
                          >          issuer: CN=Certificate
                         Authority,O=TELOIP.NET <http://TELOIP.NET>
        <http://TELOIP.NET>
                         <http://TELOIP.NET>
                          >          subject: CN=caer.teloip.net
        <http://caer.teloip.net>
                         <http://caer.teloip.net>
                         <http://caer.teloip.net>,O=TELOIP.NET
        <http://TELOIP.NET> <http://TELOIP.NET>
                          > <http://TELOIP.NET>
                         >          expires: 2017-10-13 14:09:49 UTC
                         >          eku: id-kp-serverAuth,id-kp-clientAuth
                         >          pre-save command:
                         >          post-save command:
        /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET
        <http://TELOIP.NET> <http://TELOIP.NET>
                          > <http://TELOIP.NET>"
                         >          track: yes
                         >          auto-renew: yes
                         > [root@caer ~]#
>
> Your help is highly appreciated!
>
>
> On Fri, Jul 15, 2016 at 5:08 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>
>     Linov Suresh wrote:
>
>         I logged into my IPA master, and found that the cert had expired again;
>         we renewed these certificates about 18 months ago.
>
>         Our environment is CentOS 6.4 and IPA 3.0.0-26.
>
>         I followed the Red Hat documentation, "How do I manually renew Identity
>         Management (IPA) certificates after they have expired? (Master IPA
>         Server)", https://access.redhat.com/solutions/643753 but no luck.
>
>         I have also changed the directive "NSSEnforceValidCerts off" in
>         /etc/httpd/conf.d/nss.conf, and the value of nsslapd-validate-cert is warn.
>
>         ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w *******
>         -b cn=config | grep nsslapd-validate-cert
>
>         nsslapd-validate-cert: warn
>
>         Here is my getcert list:
>
>         [root@caer ~]# getcert list
>
>
>     It looks like your CA subsystem certificates all renewed successfully; it is
>     just the webserver and LDAP certificates that need renewing, so that's good.
>
>     What I'd do is go back in time again to say Jan 20, 2016 and restart
>     certmonger. That should make it retry the renewals.
>
>     rob
>
>



                         --
                         Petr Vobornik
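The `getcert list` output quoted in this thread is the diagnostic that Rob reads by eye: which entries renewed, which still carry a `ca-error` from the last renewal attempt, and which certificates are expired or about to expire. As an added example that is not part of the thread and not certmonger's or FreeIPA's own code, here is a small Python parser that turns that output into records and reports those conditions, plus stuck entries and anything not tracked for automatic renewal. The sample output embedded in it is constructed and modelled on the format quoted above (hostnames, realm and pins are placeholders, and the `CA_UNREACHABLE` entry is invented to show a stuck request); the reference date is the date of Rob's reply.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the `getcert list` output quoted in the thread.
# Hostnames, realm, pins and the third request are placeholders, not thread data.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20130519130743':
        status: MONITORING
        ca-error: Internal error: no response to "http://ca.example.test:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='XXXXXXXX'
        subject: CN=CA Subsystem,O=EXAMPLE.TEST
        expires: 2017-10-13 14:09:49 UTC
        track: yes
        auto-renew: yes
Request ID '20130519130746':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        subject: CN=ipa.example.test,O=EXAMPLE.TEST
        expires: 2016-07-01 10:00:00 UTC
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20130519130747':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry.
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-TEST/pwdfile.txt'
        subject: CN=ipa.example.test,O=EXAMPLE.TEST
        expires: 2016-08-10 10:00:00 UTC
        track: yes
        auto-renew: no
"""

# Date of Rob's reply in the thread, used as "now" for the sample run.
REFERENCE_NOW = datetime(2016, 7, 15, 17, 8, tzinfo=timezone.utc)

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':")
# Keys may contain spaces ("key pair storage"); values may contain ':' (URLs, times),
# so the key match is non-greedy and stops at the first colon.
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z -]*?):\s?(?P<value>.*)$")
NICK_RE = re.compile(r"nickname='([^']*)'")


def parse_getcert_list(text):
    """Split `getcert list` output into one dict of field -> value per request."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group("id")}
            requests.append(current)
            continue
        if current is None:          # header such as "Number of certificates ..."
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group("key")] = m.group("value").strip()
    return requests


def parse_expiry(value):
    """certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def assess(requests, now, warn_days=30):
    """Return the findings a defender would act on, most severe first."""
    findings = []
    for r in requests:
        nick = NICK_RE.search(r.get("key pair storage", ""))
        base = {"id": r["id"], "nickname": nick.group(1) if nick else "?"}
        if "expires" in r:
            left = parse_expiry(r["expires"]) - now
            if left <= timedelta(0):
                findings.append(dict(base, severity="CRITICAL", reason="expired on " + r["expires"]))
            elif left <= timedelta(days=warn_days):
                findings.append(dict(base, severity="WARNING", reason="expires in %d days" % left.days))
        if r.get("ca-error"):
            findings.append(dict(base, severity="WARNING", reason="last renewal attempt failed: " + r["ca-error"]))
        if r.get("stuck") == "yes":
            findings.append(dict(base, severity="WARNING", reason="request is stuck"))
        if r.get("track") != "yes" or r.get("auto-renew") != "yes":
            findings.append(dict(base, severity="WARNING", reason="not tracked for automatic renewal"))
    order = {"CRITICAL": 0, "WARNING": 1}
    findings.sort(key=lambda f: order[f["severity"]])   # stable: keeps request order within a level
    return findings


if __name__ == "__main__":
    for f in assess(parse_getcert_list(SAMPLE_GETCERT_OUTPUT), REFERENCE_NOW):
        print("%-8s %s (%s): %s" % (f["severity"], f["id"], f["nickname"], f["reason"]))
```

To run it against a live host, replace `SAMPLE_GETCERT_OUTPUT` with `sys.stdin.read()` and pipe `getcert list` into the script with `datetime.now(timezone.utc)` as the reference time. On the output quoted in the thread it would report the three `ca-error` entries as failed renewal attempts while leaving their expiry alone, which is exactly the split Rob describes: the CA subsystem certificates are renewed, and the remaining work is the web server and LDAP certificates.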







