mohammad sereshki wrote:
 > hi
 > It is the result of the command; it seems the issue is something else.
 >
 >   ipa cert-show 1
 > ipa: ERROR: Certificate operation cannot be completed: Unable to
 > communicate with CMS (Not Found)

Which means that the CA still isn't up. You're going to need to look at the dogtag logs in /var/log/pki*. debug is probably the place to start.

rob
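A quick way to automate the check Flo and Rob describe (look at the "status:" and "stuck:" fields of every tracked request), as an added example that is not part of this thread: a POSIX shell function that reads `getcert list` output on stdin and reports the requests that need attention. It runs here against a constructed, abbreviated sample modelled on the output quoted below; on a real server you would pipe the live command into it.

```shell
#!/bin/sh
# Constructed, abbreviated sample of `getcert list` output, modelled on the
# thread (not a verbatim copy); only the fields the check uses are kept.
sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20140817123525':
        status: MONITORING
        ca-error: Unable to determine principal name for signing request.
        stuck: no
        subject: CN=IPA RA,O=EXAMPLE.COM
        expires: 2018-06-30 07:56:06 UTC
Request ID '20140817123534':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: yes
        subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
        expires: 2016-08-17 12:35:34 UTC
Request ID '20140817123752':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: yes
        subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
        expires: 2016-08-17 12:37:51 UTC
EOF
}

# Read `getcert list` / `ipa-getcert list` output on stdin and print one line
# per request that is not in MONITORING state or that certmonger marks stuck:
#   <request id> <status> stuck=<yes|no> expires=<date> <subject>
# A healthy server prints nothing; each printed id is a candidate for
# `ipa-getcert resubmit -i <id>` once the CA is reachable again.
unhealthy_requests() {
    awk '
        function flush() {
            if (id != "" && (status != "MONITORING" || stuck == "yes"))
                printf "%s %s stuck=%s expires=%s %s\n", id, status, stuck, expires, subject
        }
        /^Request ID/ {
            flush()
            id = $3; gsub(/[^0-9]/, "", id)   # strip quotes and trailing colon
            status = stuck = expires = subject = ""
        }
        /^[ \t]+status:/  { status = $2 }
        /^[ \t]+stuck:/   { stuck = $2 }
        /^[ \t]+expires:/ { expires = $2 }   # date part only (YYYY-MM-DD)
        /^[ \t]+subject:/ { sub(/^[ \t]+subject: /, ""); subject = $0 }
        END { flush() }
    '
}

# Stand-alone run against the sample; on a server: getcert list | unhealthy_requests
sample_getcert_list | unhealthy_requests
```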




------------------------------------------------------------------------
*From:* Rob Crittenden <rcrit...@redhat.com>
*To:* mohammad sereshki <mohammadseres...@yahoo.com>; Florence
Blanc-Renaud <f...@redhat.com>; Freeipa-users <freeipa-users@redhat.com>
*Sent:* Thursday, July 21, 2016 8:08 PM
*Subject:* Re: [Freeipa-users] regenerate certificate

mohammad sereshki wrote:
 > dear
 > thanks, but would you please check below and let me know what your
 > idea is? I checked your command but it did not work.

The Not Found suggests that the CA is not up. I'd try restarting the
pki-cad process to see if that helps.

A simple test that communication is working is: ipa cert-show 1

The output isn't important as long as it isn't an error.

rob


 >
 >
 >
 > Number of certificates and requests being tracked: 8.
 > Request ID '20140817123525':
 >          status: MONITORING
 >          ca-error: Unable to determine principal name for signing
request.
 >          stuck: no
 >          key pair storage:
 > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
 > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
 >          certificate:
 > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
 > Certificate DB'
 >          CA: IPA
 >          issuer: CN=Certificate Authority,O=EXAMPLE.COM
 >          subject: CN=IPA RA,O=EXAMPLE.COM
 >          expires: 2018-06-30 07:56:06 UTC
 >          eku: id-kp-serverAuth,id-kp-clientAuth
 >          pre-save command:
 >          post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
 >          track: yes
 >          auto-renew: yes
 > Request ID '20140817123534':
 >          status: CA_UNREACHABLE
 >          ca-error: Server failed request, will retry: 4301 (RPC failed
 > at server.  Certificate operation cannot be completed: Unable to
 > communicate with CMS (Not Found)).
 >          stuck: yes
 >          key pair storage:
 > type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
 > Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
 >          certificate:
 > type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
 > Certificate DB'
 >          CA: IPA
 >          issuer: CN=Certificate Authority,O=EXAMPLE.COM
 >          subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
 >          expires: 2016-08-17 12:35:34 UTC
 >          eku: id-kp-serverAuth,id-kp-clientAuth
 >          pre-save command:
 >          post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
 >          track: yes
 >          auto-renew: yes
 > Request ID '20140817123602':
 >          status: CA_UNREACHABLE
 >          ca-error: Server failed request, will retry: 4301 (RPC failed
 > at server.  Certificate operation cannot be completed: Unable to
 > communicate with CMS (Not Found)).
 >          stuck: yes
 >          key pair storage:
 > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
 > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
 >          certificate:
 > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
 > Certificate DB'
 >          CA: IPA
 >          issuer: CN=Certificate Authority,O=EXAMPLE.COM
 >          subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
 >          expires: 2016-08-17 12:36:02 UTC
 >          eku: id-kp-serverAuth,id-kp-clientAuth
 >          pre-save command:
 >          post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
 >          track: yes
 >          auto-renew: yes
 > Request ID '20140817123752':
 >          status: CA_UNREACHABLE
 >          ca-error: Server failed request, will retry: 4301 (RPC failed
 > at server.  Certificate operation cannot be completed: Unable to
 > communicate with CMS (Not Found)).
 >          stuck: yes
 >          key pair storage:
 > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
 > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
 >          certificate:
 > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
 > Certificate DB'
 >          CA: IPA
 >          issuer: CN=Certificate Authority,O=EXAMPLE.COM
 >          subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
 >          expires: 2016-08-17 12:37:51 UTC
 >          eku: id-kp-serverAuth,id-kp-clientAuth
 >          pre-save command:
 >          post-save command: /usr/lib64/ipa/certmonger/restart_httpd
 >          track: yes
 >          auto-renew: yes
 >
 >
 > ------------------------------------------------------------------------
 > *From:* Florence Blanc-Renaud <f...@redhat.com <mailto:f...@redhat.com>>
 > *To:* mohammad sereshki <mohammadseres...@yahoo.com
<mailto:mohammadseres...@yahoo.com>>; Freeipa-users
 > <freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>>
 > *Sent:* Thursday, July 21, 2016 11:30 AM
 > *Subject:* Re: [Freeipa-users] regenerate certificate
 >
 > On 07/20/2016 10:04 PM, mohammad sereshki wrote:
 >  > hi
 >  > I checked my IPA server, which is version ipa-server-3.0.0-25; the command
 >  > "ipa-get-cert list" shows my certificates will expire in the next 20 days,
 >  > and I do not know how to regenerate them,
 >  > but the command "getcert list" shows the expiring certificates are related
 >  > just to "CA: IPA", and the certificate "CA: dogtag-ipa-renew-agent" has
 >  > enough time.
 >  > Would you please help me to know how to regenerate the CA: IPA
 >  > certificates?
 >  >
 >  > Best Regards
 >  >
 >  >
 >  >
 >
 > Hi Mohammad,
 >
 > the certificates issued by IPA CA are normally tracked by certmonger and
 > automatically renewed when they are near their expiration date. To make
 > sure that your certificates are tracked, you can issue
 >
 > $ ipa-getcert list
 >
 > and check the "status:" field for each certificate. It should display
 > "MONITORING".
 >
 > If you want to manually renew them, you must note their request ID and
 > use the command
 > $ ipa-getcert resubmit -i $REQUEST_ID
 >
 > Hope this helps,
 > Flo.
 >
 >
 >
 >
 >




--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project