On 07/20/2016 09:41 PM, Linov Suresh wrote:
> I have restarted the pki-cad and checked if communication with the CA is
> working, but no luck.
>
> Debug logs in /var/log/pki-ca do not have anything unusual. Can you think of
> anything other than this?

/var/log/httpd/error_log when /etc/ipa.conf is set to debug=true
https://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data

/var/log/pki-ca/debug
/var/log/pki-ca/transactions
/var/log/pki-ca/selftest.log

> [root@caer ~]# ipa cert-show 1
>   Certificate:
>   Subject: CN=Certificate Authority,O=TELOIP.NET
>   Issuer: CN=Certificate Authority,O=TELOIP.NET
>   Not Before: Wed Dec 14 22:29:56 2011 UTC
>   Not After: Sat Dec 14 22:29:56 2019 UTC
>   Fingerprint (MD5): c9:27:1d:84:4c:2c:97:38:a4:7b:9a:c0:78:3e:7f:7a
>   Fingerprint (SHA1): ce:d7:11:84:70:dd:cb:4e:e2:08:f5:c0:ac:ff:b3:c5:bb:81:77:7e
>   Serial number (hex): 0x1
>   Serial number: 1
> [root@caer ~]#
>
> *ca-error: Internal error: no response to
> "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".*
>
> On Wed, Jul 20, 2016 at 2:22 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> > Linov Suresh wrote:
> > > Thanks for your help Rob, I will create a separate thread for the IPA
> > > replication issue. But we are still getting
> > >
> > > *ca-error: Internal error: no response to
> > > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".*
> > >
> > > Could you please help us to fix this?
> >
> > I think your CA isn't quite fixed yet. I'd restart pki-cad then do something
> > like: ipa cert-show 1
> >
> > You should get back a cert (doesn't really matter what cert).
> >
> > Otherwise I'd check the CA debug log somewhere in /var/log/pki
> >
> > rob
> >
> > > On Wed, Jul 20, 2016 at 10:08 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> > > > Glad you got the certificates successfully renewed.
> > > >
> > > > Can you open a new e-mail thread on this new problem so we can keep
> > > > the issues separated?
> > > >
> > > > IPA gets little information back when dogtag fails to install. You
> > > > need to look in /var/log/<something>/debug for more information. The
> > > > exact location depends on the version of IPA.
> > > >
> > > > rob
> > > >
> > > > Linov Suresh wrote:
> > > > > Great! That worked, and I successfully renewed the certificates on
> > > > > the IPA server. I was trying to create an IPA replica server and got
> > > > > an error:
> > > > >
> > > > > [root@neit-lab ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders --skip-conncheck /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg
> > > > > Directory Manager (existing master) password:
> > > > > Configuring NTP daemon (ntpd)
> > > > >   [1/4]: stopping ntpd
> > > > >   [2/4]: writing configuration
> > > > >   [3/4]: configuring ntpd to start on boot
> > > > >   [4/4]: starting ntpd
> > > > > Done configuring NTP daemon (ntpd).
> > > > > Configuring directory server for the CA (pkids): Estimated time 30 seconds
> > > > >   [1/3]: creating directory server user
> > > > >   [2/3]: creating directory server instance
> > > > >   [3/3]: restarting directory server
> > > > > Done configuring directory server for the CA (pkids).
> > > > > Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
> > > > >   [1/17]: creating certificate server user
> > > > >   [2/17]: creating pki-ca instance
> > > > >   [3/17]: configuring certificate server instance
> > > > > ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname neit-lab.teloip.net -cs_port 9445 -client_certdb_dir /tmp/tmp-QAXI9A -client_certdb_pwd XXXXXXXX -preop_pin UpMxkDYjV90WLL041tDU -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET -ldap_host neit-lab.teloip.net -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TELOIP.NET -ca_server_cert_subject_name CN=neit-lab.teloip.net,O=TELOIP.NET -ca_audit_signing_cert_subject_name CN=CA Audit,O=TELOIP.NET -ca_sign_cert_subject_name CN=Certificate Authority,O=TELOIP.NET -external false -clone true -clone_p12_file ca.p12 -clone_p12_password XXXXXXXX -sd_hostname caer.teloip.net -sd_admin_port 443 -sd_admin_name admin -sd_admin_password XXXXXXXX -clone_start_tls true -clone_uri https://caer.teloip.net:443' returned non-zero exit status 255
> > > > > Your system may be partly configured.
> > > > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > > > > Configuration of CA failed
> > > > > [root@neit-lab ~]#
> > > > >
> > > > > I did a clean up using /usr/sbin/ipa-server-install --uninstall but it
> > > > > wasn't helpful. Wondering if you can help us on this.
> > > > >
> > > > > On Tue, Jul 19, 2016 at 10:50 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> > > > > > Linov Suresh wrote:
> > > > > > > I have followed the Red Hat official documentation,
> > > > > > > https://access.redhat.com/solutions/643753, for certificate renewal,
> > > > > > > which says *add: usercertificate. (step 12)*
> > > > > > >
> > > > > > > While on the other hand the FreeIPA official documentation
> > > > > > > http://www.freeipa.org/page/IPA_2x_Certificate_Renewal says to
> > > > > > > *add: usercertificate;binary*
> > > > > > >
> > > > > > > Just wondering if we need to *add* the certificate or *replace* the
> > > > > > > existing certificate, and which format do we need to use, *pem* or *der*?
> > > > > > >
> > > > > > > We already successfully renewed the certificates about months back,
> > > > > > > but they expired about 6 months back and we were not able to renew
> > > > > > > till now, and it is affecting our production environment.
> > > > > > >
> > > > > > > Please help us.
> > > > > >
> > > > > > You shouldn't have to mess with these values at all. In 3.0 this is
> > > > > > handled somewhat automatically.
> > > > > >
> > > > > > I'd restart the CA, then certmonger and see if the communication
> > > > > > error goes away for the CA subservice certificates (the internal error).
> > > > > >
> > > > > > # service pki-cad restart
> > > > > > <pause a bit>
> > > > > > # service certmonger restart
> > > > > >
> > > > > > I find it very strange that the certificates were set to expire
> > > > > > yesterday but it isn't a show-stopper necessarily assuming you can
> > > > > > get the CA back up.
> > > > > >
> > > > > > Assuming you can, then go back in time again, this time just a few
> > > > > > days and try renewing the LDAP and Apache server certs again.
> > > > > >
> > > > > > rob
> > > > > >
> > > > > > > On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh <linov.sur...@gmail.com> wrote:
> > > > > > > > We have cloned and created another virtual server from the
> > > > > > > > template. Surprisingly this server's certificates were also
> > > > > > > > expired at the same time as the previous, just lasted for a day.
> > > > > > > > Does this issue have something to do with the Kerberos tickets?
> > > > > > > >
> > > > > > > > I am new to IPA and your help is highly appreciated.
> > > > > > > >
> > > > > > > > On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh <linov.sur...@gmail.com> wrote:
> > > > > > > > > *Update: my webserver and LDAP certificates expired at
> > > > > > > > > 2016-07-18 15:54:36 UTC and the certificates are in
> > > > > > > > > CA_UNREACHABLE state.*
> > > > > > > > >
> > > > > > > > > *Could you please help us?*
> > > > > > > > >
> > > > > > > > > [root@caer tmp]# getcert list
> > > > > > > > > Number of certificates and requests being tracked: 8.
> > > > > > > > > Request ID '20111214223243':
> > > > > > > > >   status: CA_UNREACHABLE
> > > > > > > > >   ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
> > > > > > > > >   stuck: yes
> > > > > > > > >   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
> > > > > > > > >   certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
> > > > > > > > >   CA: IPA
> > > > > > > > >   issuer: CN=Certificate Authority,O=TELOIP.NET
> > > > > > > > >   subject: CN=caer.teloip.net,O=TELOIP.NET
> > > > > > > > >   *expires: 2016-07-18 15:54:36 UTC*
> > > > > > > > >   eku: id-kp-serverAuth
> > > > > > > > >   pre-save command:
> > > > > > > > >   post-save command:
> > > > > > > > >   track: yes
> > > > > > > > >   auto-renew: yes
> > > > > > > > > Request ID '20111214223300':
> > > > > > > > >   status: CA_UNREACHABLE
> > > > > > > > >   ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
> > > > > > > > >   stuck: yes
> > > > > > > > >   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> > > > > > > > >   certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> > > > > > > > >   CA: IPA
> > > > > > > > >   issuer: CN=Certificate Authority,O=TELOIP.NET
> > > > > > > > >   subject: CN=caer.teloip.net,O=TELOIP.NET
> > > > > > > > >   *expires: 2016-07-18 15:54:52 UTC*
> > > > > > > > >   eku: id-kp-serverAuth
> > > > > > > > >   pre-save command:
> > > > > > > > >   post-save command:
> > > > > > > > >   track: yes
> > > > > > > > >   auto-renew: yes
> > > > > > > > > Request ID '20111214223316':
> > > > > > > > >   status: CA_UNREACHABLE
> > > > > > > > >   ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
> > > > > > > > >   stuck: yes
> > > > > > > > >   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > > > > > > >   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> > > > > > > > >   CA: IPA
> > > > > > > > >   issuer: CN=Certificate Authority,O=TELOIP.NET
> > > > > > > > >   subject: CN=caer.teloip.net,O=TELOIP.NET
> > > > > > > > >   *expires: 2016-07-18 15:55:04 UTC*
> > > > > > > > >   eku: id-kp-serverAuth
> > > > > > > > >   pre-save command:
> > > > > > > > >   post-save command:
> > > > > > > > >   track: yes
> > > > > > > > >   auto-renew: yes
> > > > > > > > > Request ID '20130519130741':
> > > > > > > > >   status: MONITORING
> > > > > > > > >   ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
> > > > > > > > >   stuck: no
> > > > > > > > >   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> > > > > > > > >   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> > > > > > > > >   CA: dogtag-ipa-renew-agent
> > > > > > > > >   issuer: CN=Certificate Authority,O=TELOIP.NET
> > > > > > > > >   subject: CN=CA Audit,O=TELOIP.NET
> > > > > > > > >   expires: 2017-10-13 14:10:49 UTC
> > > > > > > > >   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> > > > > > > > >   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
> > > > > > > > >   track: yes
> > > > > > > > >   auto-renew: yes
> > > > > > > > > Request ID '20130519130742':
> > > > > > > > >   status: MONITORING
> > > > > > > > >   ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
> > > > > > > > >   stuck: no
> > > > > > > > >   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> > > > > > > > >   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> > > > > > > > >   CA: dogtag-ipa-renew-agent
> > > > > > > > >   issuer: CN=Certificate Authority,O=TELOIP.NET
> > > > > > > > >   subject: CN=OCSP Subsystem,O=TELOIP.NET
> > > > > > > > >   expires: 2017-10-13 14:09:49 UTC
> > > > > > > > >   eku: id-kp-OCSPSigning
> > > > > > > > >   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> > > > > > > > >   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
> > > > > > > > >   track: yes
> > > > > > > > >   auto-renew: yes
> > > > > > > > > Request ID '20130519130743':
> > > > > > > > >   status: MONITORING
> > > > > > > > >   ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
> > > > > > > > >   stuck: no
> > > > > > > > >   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> > > > > > > > >   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> > > > > > > > >   CA: dogtag-ipa-renew-agent
> > > > > > > > >   issuer: CN=Certificate Authority,O=TELOIP.NET
> > > > > > > > >   subject: CN=CA Subsystem,O=TELOIP.NET
> > > > > > > > >   expires: 2017-10-13 14:09:49 UTC
> > > > > > > > >   eku: id-kp-serverAuth,id-kp-clientAuth
> > > > > > > > >   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> > > > > > > > >   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> > > > > > > > >   track: yes
> > > > > > > > >   auto-renew: yes
> > > > > > > > > Request ID '20130519130744':
> > > > > > > > >   status: MONITORING
> > > > > > > > >   ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
> > > > > > > > >   stuck: no
> > > > > > > > >   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > > > > > > >   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> > > > > > > > >   CA: dogtag-ipa-renew-agent
> > > > > > > > >   issuer: CN=Certificate Authority,O=TELOIP.NET
> > > > > > > > >   subject: CN=RA Subsystem,O=TELOIP.NET
> > > > > > > > >   expires: 2017-10-13 14:09:49 UTC
> > > > > > > > >   eku: id-kp-serverAuth,id-kp-clientAuth
> > > > > > > > >   pre-save command:
> > > > > > > > >   post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> > > > > > > > >   track: yes
> > > > > > > > >   auto-renew: yes
> > > > > > > > > Request ID '20130519130745':
> > > > > > > > >   status: MONITORING
> > > > > > > > >   ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
> > > > > > > > >   stuck: no
> > > > > > > > >   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> > > > > > > > >   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> > > > > > > > >   CA: dogtag-ipa-renew-agent
> > > > > > > > >   issuer: CN=Certificate Authority,O=TELOIP.NET
> > > > > > > > >   subject: CN=caer.teloip.net,O=TELOIP.NET
> > > > > > > > >   expires: 2017-10-13 14:09:49 UTC
> > > > > > > > >   eku: id-kp-serverAuth,id-kp-clientAuth
> > > > > > > > >   pre-save command:
> > > > > > > > >   post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "TELOIP.NET"
> > > > > > > > >   track: yes
> > > > > > > > >   auto-renew: yes
> > > > > > > > >
> > > > > > > > > On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh <linov.sur...@gmail.com> wrote:
> > > > > > > > > > Yes, PKI is running and I don't see any errors in selftests. I have
> > > > > > > > > > followed https://access.redhat.com/solutions/643753 and restarted
> > > > > > > > > > the PKI in step 10.
> > > > > > > > > >
> > > > > > > > > > The only change which I made was to clean up userCertificate;binary
> > > > > > > > > > before adding the new userCertificate in LDAP, which is step 12.
> > > > > > > > > >
> > > > > > > > > > [root@caer ~]# /etc/init.d/pki-cad status
> > > > > > > > > > pki-ca (pid 8634) is running...                           [  OK  ]
> > > > > > > > > >     Unsecure Port       = http://caer.teloip.net:9180/ca/ee/ca
> > > > > > > > > >     Secure Agent Port   = https://caer.teloip.net:9443/ca/agent/ca
> > > > > > > > > >     Secure EE Port      = https://caer.teloip.net:9444/ca/ee/ca
> > > > > > > > > >     Secure Admin Port   = https://caer.teloip.net:9445/ca/services
> > > > > > > > > >     EE Client Auth Port = https://caer.teloip.net:9446/ca/eeca/ca
> > > > > > > > > >     PKI Console Port    = pkiconsole https://caer.teloip.net:9445/ca
> > > > > > > > > >     Tomcat Port         = 9701 (for shutdown)
> > > > > > > > > >
> > > > > > > > > >     PKI Instance Name:   pki-ca
> > > > > > > > > >
> > > > > > > > > >     PKI Subsystem Type:  Root CA (Security Domain)
> > > > > > > > > >
> > > > > > > > > >     Registered PKI Security Domain Information:
> > > > > > > > > >     ==========================================================================
> > > > > > > > > >     Name:  IPA
> > > > > > > > > >     URL:   https://caer.teloip.net:9445
> > > > > > > > > >     ==========================================================================
> > > > > > > > > > [root@caer ~]#
> > > > > > > > > > [root@caer ~]# tail -f /var/log/pki-ca/selftests.log
> > > > > > > > > > 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
> > > > > > > > > > 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances
> > > > > > > > > > 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
> > > > > > > > > > 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
> > > > > > > > > > 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
> > > > > > > > > > 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
> > > > > > > > > > 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
> > > > > > > > > > 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence: CA is present
> > > > > > > > > > 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification: system certs verification success
> > > > > > > > > > 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!
> > > > > > > > > >
> > > > > > > > > > Your help is highly appreciated!
> > > > > > > > > >
> > > > > > > > > > Linov Suresh
> > > > > > > > > > 70 Forest Manor Rd.
> > > > > > > > > > Toronto ON M2J 0A9
> > > > > > > > > > Mobile: +1 647 406 9438
> > > > > > > > > > Linkedin: ca.linkedin.com/in/linov/
> > > > > > > > > > Website: http://mylinuxthoughts.blogspot.com
> > > > > > > > > >
> > > > > > > > > > On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik <pvobo...@redhat.com> wrote:
> > > > > > > > > > > On 07/18/2016 05:45 AM, Linov Suresh wrote:
> > > > > > > > > > > > Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and
> > > > > > > > > > > > certmonger. Looks like the certificates were renewed. But I'm getting a
> > > > > > > > > > > > different error now,
> > > > > > > > > > > >
> > > > > > > > > > > > *ca-error: Internal error: no response to
> > > > > > > > > > > > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".*
> > > > > > > > > > >
> > > > > > > > > > > Is PKI running? When you change the time, does restart of IPA help?
> > > > > > > > > > >
> > > > > > > > > > > > [root@caer ~]# getcert list
> > > > > > > > > > > > Number of certificates and requests being tracked: 8.
> > > > > > > > > > > > Request ID '20111214223243':
> > > > > > > > > > > >   status: MONITORING
> > > > > > > > > > > >   stuck: no
> > > > > > > > > > > >   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
> > > > > > > > > > > >   certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
> > > > > > > > > > > >   CA: IPA
> > > > > > > > > > > >   issuer: CN=Certificate Authority,O=TELOIP.NET
> > > > > > > > > > > >   subject: CN=caer.teloip.net
> > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > > Petr Vobornik

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
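A triage check for the `getcert list` output pasted throughout this thread, added here as an example and not part of any message in it: it parses the output into one record per request and flags the conditions the thread turns on (CA_UNREACHABLE, a stuck request, a ca-error naming a profileSubmit renewal URL, and an expired or soon-expiring certificate), so a lapsed IPA certificate is noticed before the CA itself becomes unreachable. The embedded sample, its hostnames, realm and request IDs are constructed placeholders in the shape of the thread's output.

```python
"""Triage certmonger `getcert list` output: flag tracked certificates that are not
MONITORING, are stuck, carry a ca-error, or are expired or close to expiry."""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the thread's output, trimmed to the fields
# used below; hostnames, realm and request IDs are placeholders.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20111214223243':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
    stuck: yes
    CA: IPA
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2016-07-18 15:54:36 UTC
    pre-save command:
Request ID '20130519130742':
    status: MONITORING
    ca-error: Internal error: no response to "http://ipa.example.test:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
    CA: dogtag-ipa-renew-agent
    subject: CN=OCSP Subsystem,O=EXAMPLE.TEST
    expires: 2017-10-13 14:09:49 UTC
Request ID '20130519130744':
    status: MONITORING
    CA: dogtag-ipa-renew-agent
    subject: CN=RA Subsystem,O=EXAMPLE.TEST
    expires: 2017-10-13 14:09:49 UTC
"""
REQUEST_RE = re.compile(r"Request ID '([^']+)':")
SERIAL_RE = re.compile(r"serial_num=(\d+)")

def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the field names getcert prints."""
    requests = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and line[:1].isspace():
            # Split at the first ": " so a ca-error keeps its whole message; a bare
            # "pre-save command:" becomes an empty value.
            key, _, value = line.strip().partition(": ")
            requests[-1][key.rstrip(":")] = value.strip()
    return requests

def triage(requests, now, warn_days=30):
    """Return (request id, subject, reasons) for each entry an operator must act on."""
    findings = []
    for r in requests:
        reasons = []
        if r.get("status") != "MONITORING":
            reasons.append("status " + r.get("status", "?"))
        if r.get("stuck") == "yes":
            reasons.append("stuck")
        if r.get("ca-error"):
            # A profileSubmit URL in the error names the serial whose renewal got no response.
            m = SERIAL_RE.search(r["ca-error"])
            reasons.append("ca-error" + (" renewing serial " + m.group(1) if m else ""))
        if r.get("expires"):
            when = datetime.strptime(r["expires"].replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
            when = when.replace(tzinfo=timezone.utc)
            if when <= now:
                reasons.append("expired " + r["expires"])
            elif when - now <= timedelta(days=warn_days):
                reasons.append("expires within %d days" % warn_days)
        if reasons:
            findings.append((r["id"], r.get("subject", "?"), reasons))
    return findings

if __name__ == "__main__":
    # Usage: getcert list | python3 this_script.py   (no stdin: runs on SAMPLE)
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for rid, subject, reasons in triage(parse_getcert_list(text), datetime.now(timezone.utc)):
        print("%s  %s  %s" % (rid, subject, "; ".join(reasons)))
```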