mohammad sereshki wrote:
Dear, thanks, but would you please check below and let me know what your idea is? I checked your command but it did not work.
The Not Found suggests that the CA is not up. I'd try restarting the pki-cad process to see if that helps.
A simple test that communication is working is:

ipa cert-show 1

The output isn't important as long as it isn't an error.

rob

Number of certificates and requests being tracked: 8.
Request ID '20140817123525':
    status: MONITORING
    ca-error: Unable to determine principal name for signing request.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=IPA RA,O=EXAMPLE.COM
    expires: 2018-06-30 07:56:06 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20140817123534':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE.-COM/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
    expires: 2016-08-17 12:35:34 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE.-COM
    track: yes
    auto-renew: yes
Request ID '20140817123602':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
    expires: 2016-08-17 12:36:02 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
    track: yes
    auto-renew: yes
Request ID '20140817123752':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
    expires: 2016-08-17 12:37:51 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
You have new mail in /var/spool/mail/root

------------------------------------------------------------------------
*From:* Florence Blanc-Renaud <f...@redhat.com>
*To:* mohammad sereshki <mohammadseres...@yahoo.com>; Freeipa-users <freeipa-users@redhat.com>
*Sent:* Thursday, July 21, 2016 11:30 AM
*Subject:* Re: [Freeipa-users] regenerate certificate

On 07/20/2016 10:04 PM, mohammad sereshki wrote:
> hi
> I check my IPA server which is version ipa-server-3.0.0-25, command
> "ipa-get-cert list" show, my certificate will be expired in next 20 days,
> I do not know how to regenerate them
> but command "getcert list" shows expiration certificates are related just
> to "CA:IPA" and certificate "CA: dogtag-ipa-renew-agent", has enough
> time.
> would you please help me to know how to regenerate CA:IPA certificates?
>
> Best Regards
>
>
>

Hi Mohammad,

the certificates issued by IPA CA are normally tracked by certmonger and automatically renewed when they are near their expiration date. To make sure that your certificates are tracked, you can issue

$ ipa-getcert list

and check the "status:" field for each certificate. It should display "MONITORING".

If you want to manually renew them, you must note their request ID and use the command

$ ipa-getcert resubmit -i $REQUEST_ID

Hope this helps,
Flo.
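
Added example (not part of the thread, and not FreeIPA or certmonger code): a Python parser for `getcert list` output that reports every tracked request needing attention, including one whose status is MONITORING but which still carries a ca-error, as the first request in the listing does. The function names, the 28-day warning window and the sample text are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample in the field layout of `getcert list` (values modelled on the thread).
SAMPLE = """\
Request ID '20140817123525':
    status: MONITORING
    ca-error: Unable to determine principal name for signing request.
    stuck: no
    expires: 2018-06-30 07:56:06 UTC
Request ID '20140817123534':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server).
    stuck: yes
    expires: 2016-08-17 12:35:34 UTC
"""

def parse_getcert_list(text):
    """Split `getcert list` output into one dict of fields per tracked request."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ":" in line:
            key, _, value = line.strip().partition(":")
            requests[-1][key.strip()] = value.strip()
    return requests

def needs_attention(requests, now, warn_days=28):
    """Return (request_id, reasons) for each request that is unhealthy or near expiry."""
    findings = []
    for req in requests:
        reasons = []
        if req.get("status") != "MONITORING" or req.get("stuck") == "yes":
            reasons.append("status=%s stuck=%s" % (req.get("status"), req.get("stuck")))
        if req.get("ca-error"):  # can be set even while status is MONITORING
            reasons.append("ca-error: " + req["ca-error"])
        if "expires" in req:
            when = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC")
            left = when.replace(tzinfo=timezone.utc) - now
            if left <= timedelta(days=warn_days):
                reasons.append("expires in %d days" % left.days)
        if reasons:
            findings.append((req["id"], reasons))
    return findings

if __name__ == "__main__":
    now = datetime(2016, 7, 21, tzinfo=timezone.utc)  # fixed date for a repeatable run
    print(needs_attention(parse_getcert_list(SAMPLE), now))
```

On a live server the text would come from the output of `getcert list` and `now` from `datetime.now(timezone.utc)`.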