mohammad sereshki wrote:
Dear,
Thanks, but would you please check below and let me know what your idea is? I checked your command but it did not work.

The Not Found suggests that the CA is not up. I'd try restarting the pki-cad process to see if that helps.

A simple test that communication is working is: ipa cert-show 1

The output isn't important as long as it isn't an error.

rob




Number of certificates and requests being tracked: 8.
Request ID '20140817123525':
         status: MONITORING
         ca-error: Unable to determine principal name for signing request.
         stuck: no
         key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
         certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
         CA: IPA
         issuer: CN=Certificate Authority,O=EXAMPLE.COM
         subject: CN=IPA RA,O=EXAMPLE.COM
         expires: 2018-06-30 07:56:06 UTC
         eku: id-kp-serverAuth,id-kp-clientAuth
         pre-save command:
         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
         track: yes
         auto-renew: yes
Request ID '20140817123534':
         status: CA_UNREACHABLE
         ca-error: Server failed request, will retry: 4301 (RPC failed
at server.  Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)).
         stuck: yes
         key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE.-COM/pwdfile.txt'
         certificate:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS
Certificate DB'
         CA: IPA
         issuer: CN=Certificate Authority,O=EXAMPLE.COM
         subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
         expires: 2016-08-17 12:35:34 UTC
         eku: id-kp-serverAuth,id-kp-clientAuth
         pre-save command:
         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
EXAMPLE.-COM
         track: yes
         auto-renew: yes
Request ID '20140817123602':
         status: CA_UNREACHABLE
         ca-error: Server failed request, will retry: 4301 (RPC failed
at server.  Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)).
         stuck: yes
         key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
         certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
         CA: IPA
         issuer: CN=Certificate Authority,O=EXAMPLE.COM
         subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
         expires: 2016-08-17 12:36:02 UTC
         eku: id-kp-serverAuth,id-kp-clientAuth
         pre-save command:
         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
PKI-IPA
         track: yes
         auto-renew: yes
Request ID '20140817123752':
         status: CA_UNREACHABLE
         ca-error: Server failed request, will retry: 4301 (RPC failed
at server.  Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)).
         stuck: yes
         key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
         certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
         CA: IPA
         issuer: CN=Certificate Authority,O=EXAMPLE.COM
         subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
         expires: 2016-08-17 12:37:51 UTC
         eku: id-kp-serverAuth,id-kp-clientAuth
         pre-save command:
         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
         track: yes
         auto-renew: yes


------------------------------------------------------------------------
*From:* Florence Blanc-Renaud <f...@redhat.com>
*To:* mohammad sereshki <mohammadseres...@yahoo.com>; Freeipa-users
<freeipa-users@redhat.com>
*Sent:* Thursday, July 21, 2016 11:30 AM
*Subject:* Re: [Freeipa-users] regenerate certificate

On 07/20/2016 10:04 PM, mohammad sereshki wrote:
 > Hi,
 > I checked my IPA server, which is version ipa-server-3.0.0-25; the command
 > "ipa-get-cert list" shows my certificates will expire in the next 20 days,
 > and I do not know how to regenerate them,
 > but the command "getcert list" shows the expiring certificates are related just
 > to "CA: IPA", and the certificate "CA: dogtag-ipa-renew-agent" has enough
 > time.
 > Would you please help me to know how to regenerate the CA: IPA certificates?
 >
 > Best Regards
 >
 >
 >

Hi Mohammad,

the certificates issued by IPA CA are normally tracked by certmonger and
automatically renewed when they are near their expiration date. To make
sure that your certificates are tracked, you can issue

$ ipa-getcert list

and check the "status:" field for each certificate. It should display
"MONITORING".

If you want to manually renew them, you must note their request ID and
use the command
$ ipa-getcert resubmit -i $REQUEST_ID

Hope this helps,
Flo.






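As an added example (not code from the thread or from the FreeIPA project), the checks Flo and Rob describe can be scripted: parse `getcert list` output, flag every request whose status is not MONITORING, that is stuck, that carries a ca-error, or that expires within a warning window, and print the `ipa-getcert resubmit -i <id>` commands for the ones worth resubmitting. The sample output embedded below is constructed from the listing earlier in the thread (the slapd instance name and paths in it are assumptions), `NOW` is pinned to the date of the thread so the numbers are stable, and the 30-day warning window is an arbitrary choice.

```python
"""Triage `getcert list` output: report unhealthy or soon-expiring requests and
emit the `ipa-getcert resubmit -i <id>` commands to renew them.
Usage on a server:  getcert list | python3 getcert_triage.py
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the listing in the thread; the dirsrv
# instance name and file paths are assumptions, not copied from a real host.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20140817123525':
         status: MONITORING
         ca-error: Unable to determine principal name for signing request.
         stuck: no
         CA: IPA
         subject: CN=IPA RA,O=EXAMPLE.COM
         expires: 2018-06-30 07:56:06 UTC
         track: yes
         auto-renew: yes
Request ID '20140817123534':
         status: CA_UNREACHABLE
         ca-error: Server failed request, will retry: 4301 (RPC failed
at server.  Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)).
         stuck: yes
         key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
         CA: IPA
         subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
         expires: 2016-08-17 12:35:34 UTC
         track: yes
         auto-renew: yes
"""

# Date of the thread, used as "now" for the sample (assumption).
NOW = datetime(2016, 7, 21, tzinfo=timezone.utc)

REQ_RE = re.compile(r"^Request ID '(\d+)':")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?):\s?(.*)$")
TIME_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by certmonger's own field
    names ("status", "ca-error", "expires", ...) plus "id" and "expires_at"."""
    requests, cur, last_key = [], None, None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            cur = {"id": m.group(1)}
            requests.append(cur)
            last_key = None
            continue
        if cur is None:
            continue  # header such as "Number of certificates ..."
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group(1)
            cur[last_key] = m.group(2).strip()
        elif last_key is not None and line.strip():
            # certmonger wraps long values onto unindented follow-on lines
            cur[last_key] = (cur[last_key] + " " + line.strip()).strip()
    for req in requests:
        if req.get("expires"):
            req["expires_at"] = datetime.strptime(
                req["expires"], TIME_FMT).replace(tzinfo=timezone.utc)
    return requests


def expires_soon(req, now, warn_days):
    exp = req.get("expires_at")
    return exp is not None and exp - now <= timedelta(days=warn_days)


def triage(text, now, warn_days=30):
    """Map request id -> list of reasons it deserves a look."""
    findings = {}
    for req in parse_getcert_list(text):
        reasons = []
        if req.get("status") != "MONITORING":
            reasons.append("status is %s, not MONITORING" % req.get("status", "?"))
        if req.get("stuck") == "yes":
            reasons.append("stuck: yes (will not progress without intervention)")
        if expires_soon(req, now, warn_days):
            days = max((req["expires_at"] - now).days, 0)
            reasons.append("expires in %d days (%s)" % (days, req["expires"]))
        if req.get("ca-error"):
            reasons.append("ca-error: " + req["ca-error"])
        if reasons:
            findings[req["id"]] = reasons
    return findings


def resubmit_commands(text, now, warn_days=30):
    """Resubmit requests that are unhealthy or close to expiry; a MONITORING
    certificate that only carries an old ca-error is left to certmonger."""
    return ["ipa-getcert resubmit -i %s" % r["id"]
            for r in parse_getcert_list(text)
            if r.get("status") != "MONITORING" or r.get("stuck") == "yes"
            or expires_soon(r, now, warn_days)]


if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    now = NOW if data is SAMPLE else datetime.now(timezone.utc)
    for rid, reasons in triage(data, now).items():
        print("Request ID %s:\n    %s" % (rid, "\n    ".join(reasons)))
    print("\n".join(resubmit_commands(data, now)))
```

Note that resubmitting does nothing useful while the CA itself is down: a request in CA_UNREACHABLE with "Unable to communicate with CMS (Not Found)" needs the pki-cad process back first (Rob's `ipa cert-show 1` check), after which certmonger's own retry or the resubmit above can complete.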
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
