Linov Suresh wrote:
Thanks for your help Rob, I will create a separate thread for IPA
replication issue. But we are still getting

*ca-error: Internal error: no response to
"http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".*

Could you please help us to fix this?

I think your CA isn't quite fixed yet. I'd restart pki-cad then do something like: ipa cert-show 1

You should get back a cert (doesn't really matter what cert).

Otherwise I'd check the CA debug log somewhere in /var/log/pki

rob
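
A triage sketch for `getcert list` output like that quoted in this thread, added here as an example and not part of the original messages: it splits the output into tracked requests and separates the two `ca-error` cases the thread shows, the -504 TLS trust failure and the renewal endpoint that gives no response. The sample input is constructed from the field layout in the thread, and the function names and finding labels are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the `getcert list` layout quoted in this thread,
# trimmed to the fields the parser reads. The third request is invented to
# exercise the healthy path.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20111214223243':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        expires: 2016-07-18 15:54:36 UTC
Request ID '20130519130742':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
        stuck: no
        key pair storage:
        type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        expires: 2017-10-13 14:09:49 UTC
Request ID '20990101000000':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        expires: 2017-10-13 14:09:49 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?):\s*(.*)$")
NICK_RE = re.compile(r"nickname='([^']*)'")


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the field names."""
    requests, current, last_key = [], None, None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            last_key = None
            continue
        if current is None or not line.strip():
            continue  # header line or blank line
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group(1)
            current[last_key] = m.group(2).strip()
        elif last_key:
            # A value pushed onto the next line belongs to the previous field.
            current[last_key] = (current[last_key] + " " + line.strip()).strip()
    return requests


def parse_expiry(value):
    """Parse 'YYYY-MM-DD HH:MM:SS UTC'; return None if absent or malformed."""
    if not value:
        return None
    try:
        parsed = datetime.strptime(value.strip(), "%Y-%m-%d %H:%M:%S UTC")
    except ValueError:
        return None
    return parsed.replace(tzinfo=timezone.utc)


def classify(req, now):
    """Map one request to a list of findings (labels are this example's own)."""
    findings = []
    err = req.get("ca-error", "")
    if "-504" in err or "cannot be authenticated" in err:
        # certmonger could not validate the CA's TLS certificate.
        findings.append("tls-trust-failure")
    elif "no response to" in err:
        # The renewal URL did not answer; in the thread the advice for this
        # case is to restart pki-cad and read the CA debug log.
        findings.append("ca-endpoint-unresponsive")
    elif err:
        findings.append("other-ca-error")
    if req.get("status") == "CA_UNREACHABLE":
        findings.append("ca-unreachable")
    if req.get("stuck") == "yes":
        findings.append("stuck")
    expiry = parse_expiry(req.get("expires"))
    if expiry is not None and expiry <= now:
        findings.append("expired")
    return findings


def triage(text, now):
    """Return (request id, NSS nickname, findings) for every tracked request."""
    report = []
    for req in parse_getcert_list(text):
        nick = NICK_RE.search(req.get("key pair storage", ""))
        report.append((req["id"], nick.group(1) if nick else None, classify(req, now)))
    return report


if __name__ == "__main__":
    for req_id, nickname, findings in triage(SAMPLE, datetime.now(timezone.utc)):
        print(req_id, nickname, ", ".join(findings) or "ok")
```

The parser expects output as certmonger prints it, one field per line; output that a mail client has re-wrapped needs to be unwrapped first.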



On Wed, Jul 20, 2016 at 10:08 AM, Rob Crittenden <rcrit...@redhat.com> wrote:

    Glad you got the certificates successfully renewed.

    Can you open a new e-mail thread on this new problem so we can keep
    the issues separated?

    IPA gets little information back when dogtag fails to install. You
    need to look in /var/log/<something>/debug for more information. The
    exact location depends on the version of IPA.

    rob

    Linov Suresh wrote:

        Great! That worked, and I successfully renewed the certificates on
        the IPA server. I was trying to create an IPA replica server and got
        an error:

        [root@neit-lab ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders --skip-conncheck /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg
        Directory Manager (existing master) password:
        Configuring NTP daemon (ntpd)
          [1/4]: stopping ntpd
          [2/4]: writing configuration
          [3/4]: configuring ntpd to start on boot
          [4/4]: starting ntpd
        Done configuring NTP daemon (ntpd).
        Configuring directory server for the CA (pkids): Estimated time 30 seconds
          [1/3]: creating directory server user
          [2/3]: creating directory server instance
          [3/3]: restarting directory server
        Done configuring directory server for the CA (pkids).
        Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
          [1/17]: creating certificate server user
          [2/17]: creating pki-ca instance
          [3/17]: configuring certificate server instance
        ipa : CRITICAL failed to configure ca instance Command
            '/usr/bin/perl /usr/bin/pkisilent ConfigureCA
            -cs_hostname neit-lab.teloip.net -cs_port 9445
            -client_certdb_dir /tmp/tmp-QAXI9A -client_certdb_pwd XXXXXXXX
            -preop_pin UpMxkDYjV90WLL041tDU -domain_name IPA
            -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX
            -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
            -agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET
            -ldap_host neit-lab.teloip.net -ldap_port 7389
            -bind_dn cn=Directory Manager -bind_password XXXXXXXX
            -base_dn o=ipaca -db_name ipaca
            -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA
            -save_p12 true -backup_pwd XXXXXXXX
            -subsystem_name pki-cad -token_name internal
            -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET
            -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET
            -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TELOIP.NET
            -ca_server_cert_subject_name CN=neit-lab.teloip.net,O=TELOIP.NET
            -ca_audit_signing_cert_subject_name CN=CA Audit,O=TELOIP.NET
            -ca_sign_cert_subject_name CN=Certificate Authority,O=TELOIP.NET
            -external false -clone true
            -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX
            -sd_hostname caer.teloip.net -sd_admin_port 443
            -sd_admin_name admin -sd_admin_password XXXXXXXX
            -clone_start_tls true -clone_uri https://caer.teloip.net:443'
            returned non-zero exit status 255
        Your system may be partly configured.
        Run /usr/sbin/ipa-server-install --uninstall to clean up.
        Configuration of CA failed
        [root@neit-lab ~]#

        I did a clean up using /usr/sbin/ipa-server-install --uninstall but it
        wasn't helpful. Wondering if you can help us on this,



        On Tue, Jul 19, 2016 at 10:50 AM, Rob Crittenden
        <rcrit...@redhat.com> wrote:

             Linov Suresh wrote:

                 I have followed Red Hat's official documentation,
                 https://access.redhat.com/solutions/643753 for certificate renewal,
                 which says *add: usercertificate* (step 12).

                 While on the other hand the FreeIPA official documentation,
                 http://www.freeipa.org/page/IPA_2x_Certificate_Renewal , says to
                 *add: usercertificate;binary*

                 Just wondering if we need to *add* the certificate or *replace* the
                 existing certificate, and which format we need to use: *pem*
                 or *der*.

                 We already successfully renewed the certificates about months
                 back, but they expired about 6 months back and we were not able to
                 renew till now, and it has affected our production environment.

                 Please help us.


             You shouldn't have to mess with these values at all. In 3.0 this is
             handled somewhat automatically.

             I'd restart the CA, then certmonger and see if the communication
             error goes away for the CA subservice certificates (the internal error).

             # service pki-cad restart
             <pause a bit>
             # service certmonger restart

             I find it very strange that the certificates were set to expire
             yesterday but it isn't a show-stopper necessarily assuming you can
             get the CA back up.

             Assuming you can, then go back in time again, this time just a few
             days and try renewing the LDAP and Apache server certs again.

             rob


                 On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh
                 <linov.sur...@gmail.com> wrote:

                      We have cloned and created another virtual server from the
                      template. Surprisingly this server's certificates also expired
                      at the same time as the previous, just lasted for a day.
                      This issue has something to do with the Kerberos tickets?

                      I am new to IPA and your help is highly appreciated.

                      On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh
                      <linov.sur...@gmail.com> wrote:

                          *Update: my webserver and LDAP certificates expired at
                          2016-07-18 15:54:36 UTC and the certificates are in
                          CA_UNREACHABLE state.*

                          *Could you please help us?*

                          [root@caer tmp]# getcert list
                          Number of certificates and requests being tracked: 8.
                          Request ID '20111214223243':
                                   status: CA_UNREACHABLE
                                   ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
                                   stuck: yes
                                   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
                                   certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
                                   CA: IPA
                                   issuer: CN=Certificate Authority,O=TELOIP.NET
                                   subject: CN=caer.teloip.net,O=TELOIP.NET
                                   *expires: 2016-07-18 15:54:36 UTC*
                                   eku: id-kp-serverAuth
                                   pre-save command:
                                   post-save command:
                                   track: yes
                                   auto-renew: yes
                          Request ID '20111214223300':
                                   status: CA_UNREACHABLE
                                   ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
                                   stuck: yes
                                   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
                                   certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
                                   CA: IPA
                                   issuer: CN=Certificate Authority,O=TELOIP.NET
                                   subject: CN=caer.teloip.net,O=TELOIP.NET
                                   *expires: 2016-07-18 15:54:52 UTC*
                                   eku: id-kp-serverAuth
                                   pre-save command:
                                   post-save command:
                                   track: yes
                                   auto-renew: yes
                          Request ID '20111214223316':
                                   status: CA_UNREACHABLE
                                   ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
                                   stuck: yes
                                   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
                                   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
                                   CA: IPA
                                   issuer: CN=Certificate Authority,O=TELOIP.NET
                                   subject: CN=caer.teloip.net,O=TELOIP.NET
                                   *expires: 2016-07-18 15:55:04 UTC*
                                   eku: id-kp-serverAuth
                                   pre-save command:
                                   post-save command:
                                   track: yes
                                   auto-renew: yes
                          Request ID '20130519130741':
                                   status: MONITORING
                                   ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
                                   stuck: no
                                   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
                                   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
                                   CA: dogtag-ipa-renew-agent
                                   issuer: CN=Certificate Authority,O=TELOIP.NET
                                   subject: CN=CA Audit,O=TELOIP.NET
                                   expires: 2017-10-13 14:10:49 UTC
                                   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
                                   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
                                   track: yes
                                   auto-renew: yes
                          Request ID '20130519130742':
                                   status: MONITORING
                                   ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
                                   stuck: no
                                   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
                                   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
                                   CA: dogtag-ipa-renew-agent
                                   issuer: CN=Certificate Authority,O=TELOIP.NET
                                   subject: CN=OCSP Subsystem,O=TELOIP.NET
                                   expires: 2017-10-13 14:09:49 UTC
                                   eku: id-kp-OCSPSigning
                                   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
                                   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
                                   track: yes
                                   auto-renew: yes
                          Request ID '20130519130743':
                                   status: MONITORING
                                   ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
                                   stuck: no
                                   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
                                   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
                                   CA: dogtag-ipa-renew-agent
                                   issuer: CN=Certificate Authority,O=TELOIP.NET
                                   subject: CN=CA Subsystem,O=TELOIP.NET
                                   expires: 2017-10-13 14:09:49 UTC
                                   eku: id-kp-serverAuth,id-kp-clientAuth
                                   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
                                   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
                                   track: yes
                                   auto-renew: yes
                          Request ID '20130519130744':
                                   status: MONITORING
                                   ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
                                   stuck: no
                                   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
                                   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
                                   CA: dogtag-ipa-renew-agent
                                   issuer: CN=Certificate Authority,O=TELOIP.NET
                                   subject: CN=RA Subsystem,O=TELOIP.NET
                                   expires: 2017-10-13 14:09:49 UTC
                                   eku: id-kp-serverAuth,id-kp-clientAuth
                                   pre-save command:
                                   post-save command: /usr/lib64/ipa/certmonger/restart_httpd
                                   track: yes
                                   auto-renew: yes
                          Request ID '20130519130745':
                                   status: MONITORING
                                   ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
                                   stuck: no
                                   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
                                   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
                                   CA: dogtag-ipa-renew-agent
                                   issuer: CN=Certificate Authority,O=TELOIP.NET
                                   subject: CN=caer.teloip.net,O=TELOIP.NET
                                   expires: 2017-10-13 14:09:49 UTC
                                   eku: id-kp-serverAuth,id-kp-clientAuth
                                   pre-save command:
                                   post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
                                   track: yes
                                   auto-renew: yes

                          On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh
                          <linov.sur...@gmail.com> wrote:

                              Yes, PKI is running and I don't see any errors in selftests.
                              I have followed https://access.redhat.com/solutions/643753
                              and restarted the PKI in step 10.

                              The only change which I made was to clean
                              up userCertificate;binary before adding the new
                              userCertificate in LDAP, which is step 12.


                              [root@caer ~]# /etc/init.d/pki-cad status
                              pki-ca (pid 8634) is running...                            [  OK  ]
                                   Unsecure Port       = http://caer.teloip.net:9180/ca/ee/ca
                                   Secure Agent Port   = https://caer.teloip.net:9443/ca/agent/ca
                                   Secure EE Port      = https://caer.teloip.net:9444/ca/ee/ca
                                   Secure Admin Port   = https://caer.teloip.net:9445/ca/services
                                   EE Client Auth Port = https://caer.teloip.net:9446/ca/eeca/ca
                                   PKI Console Port    = pkiconsole https://caer.teloip.net:9445/ca
                                   Tomcat Port         = 9701 (for shutdown)

                                   PKI Instance Name:   pki-ca

                                   PKI Subsystem Type:  Root CA (Security Domain)

                                   Registered PKI Security Domain Information:
                                   ==========================================================================
                                   Name:  IPA
                                   URL: https://caer.teloip.net:9445
                                   ==========================================================================
                              [root@caer ~]#
                              [root@caer ~]# tail -f /var/log/pki-ca/selftests.log
                              8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading all self test plugin logger parameters
                              8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading all self test plugin instances
                              8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading all self test plugin instance parameters
                              8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading self test plugins in on-demand order
                              8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading self test plugins in startup order
                              8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
                              8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
                              8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence:  CA is present
                              8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification: system certs verification success
                              8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!

                              Your help is highly appreciated!

                                  Linov Suresh

                                  70 Forest Manor Rd.
                                  Toronto
                                  ON M2J 0A9
                                  Mobile: +1 647 406 9438
                                  Linkedin: ca.linkedin.com/in/linov/
                                  Website: http://mylinuxthoughts.blogspot.com


                              On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik
                              <pvobo...@redhat.com> wrote:

                                  On 07/18/2016 05:45 AM, Linov Suresh wrote:
                                  > Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and
                                  > certmonger. Looks like certificates were renewed. But I'm getting a different
                                  > error now,
                                  >
                                  > *ca-error: Internal error: no response to
                                  > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".*

                                  Is PKI running? When you change the time, does restart
                                  of IPA help?

                                  >
                                  > [root@caer ~]# getcert list
                                  > Number of certificates and requests
        being
                 tracked: 8.
                                  > Request ID '20111214223243':
                                  >          status: MONITORING
                                  >          stuck: no
                                  >          key pair storage:
                                  >

        
type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
                                  > Certificate
                 DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
                                  >          certificate:
                                  >

        
type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
                                  > Certificate DB'
                                  >          CA: IPA
                                   >          issuer: CN=Certificate
                                  Authority,O=TELOIP.NET
        <http://TELOIP.NET> <http://TELOIP.NET>
                 <http://TELOIP.NET>
                                  <http://TELOIP.NET>
                                   >          subject:
        CN=caer.teloip.net <http://caer.teloip.net>
                 <http://caer.teloip.net>
                                  <http://caer.teloip.net>
                                  <http://caer.teloip.net>,O=TELOIP.NET
        <http://TELOIP.NET>
                 <http://TELOIP.NET> <http://TELOIP.NET>
                                   > <http://TELOIP.NET>
                                  >          expires: 2016-07-18
        15:54:36 UTC
                                  >          eku: id-kp-serverAuth
                                  >          pre-save command:
                                  >          post-save command:
                                  >          track: yes
                                  >          auto-renew: yes
                                  > Request ID '20111214223300':
                                  >          status: MONITORING
                                  >          stuck: no
                                  >          key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
                                  >          certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
                                  >          CA: IPA
                                  >          issuer: CN=Certificate Authority,O=TELOIP.NET
                                  >          subject: CN=caer.teloip.net,O=TELOIP.NET
                                  >          expires: 2016-07-18 15:54:52 UTC
                                  >          eku: id-kp-serverAuth
                                  >          pre-save command:
                                  >          post-save command:
                                  >          track: yes
                                  >          auto-renew: yes
                                  > Request ID '20111214223316':
                                  >          status: MONITORING
                                  >          stuck: no
                                  >          key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
                                  >          certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
                                  >          CA: IPA
                                  >          issuer: CN=Certificate Authority,O=TELOIP.NET
                                  >          subject: CN=caer.teloip.net,O=TELOIP.NET
                                  >          expires: 2016-07-18 15:55:04 UTC
                                  >          eku: id-kp-serverAuth
                                  >          pre-save command:
                                  >          post-save command:
                                  >          track: yes
                                  >          auto-renew: yes
                                  > Request ID '20130519130741':
                                  >          status: MONITORING
                                  >          ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
                                  >          stuck: no
                                  >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
                                  >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
                                  >          CA: dogtag-ipa-renew-agent
                                  >          issuer: CN=Certificate Authority,O=TELOIP.NET
                                  >          subject: CN=CA Audit,O=TELOIP.NET
                                  >          expires: 2017-10-13 14:10:49 UTC
                                  >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
                                  >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
                                  >          track: yes
                                  >          auto-renew: yes
                                  > Request ID '20130519130742':
                                  >          status: MONITORING
                                  >          ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
                                  >          stuck: no
                                  >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
                                  >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
                                  >          CA: dogtag-ipa-renew-agent
                                  >          issuer: CN=Certificate Authority,O=TELOIP.NET
                                  >          subject: CN=OCSP Subsystem,O=TELOIP.NET
                                  >          expires: 2017-10-13 14:09:49 UTC
                                  >          eku: id-kp-OCSPSigning
                                  >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
                                  >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
                                  >          track: yes
                                  >          auto-renew: yes
                                  > Request ID '20130519130743':



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
