mohammad sereshki wrote:
Hi, would you please explain more?

Your CA (dogtag) is not running. The CA is written in java and deployed as a WAR in tomcat. If something goes wrong during initialization the CA will exit but tomcat will not.

Requests to the CA are returning 404 Not Found because the application is not running in dogtag.

You need to look at the logs in /var/log/pki-ca to see what is going on.

I'd start with selftests.log then move onto catalina.out and debug.

rob



------------------------------------------------------------------------
*From:* Rob Crittenden <rcrit...@redhat.com>
*To:* mohammad sereshki <mohammadseres...@yahoo.com>; Florence
Blanc-Renaud <f...@redhat.com>; Freeipa-users <freeipa-users@redhat.com>
*Sent:* Thursday, July 21, 2016 11:09 PM
*Subject:* Re: [Freeipa-users] regenerate certificate

mohammad sereshki wrote:
 > Hi,
 > it is the result of the command; it seems the issue is something else.
 >
 >
 >  ipa cert-show 1
 > ipa: ERROR: Certificate operation cannot be completed: Unable to
 > communicate with CMS (Not Found)

Which means that the CA still isn't up. You're going to need to look at
the dogtag logs in /var/log/pki*. debug is probably the place to start.

rob

 >
 >
 >
 > ------------------------------------------------------------------------
 > *From:* Rob Crittenden <rcrit...@redhat.com>
 > *To:* mohammad sereshki <mohammadseres...@yahoo.com>; Florence
 > Blanc-Renaud <f...@redhat.com>; Freeipa-users <freeipa-users@redhat.com>
 > *Sent:* Thursday, July 21, 2016 8:08 PM
 > *Subject:* Re: [Freeipa-users] regenerate certificate
 >
 > mohammad sereshki wrote:
 >  > Dear,
 >  > thanks, but would you please check below and let me know what your
 >  > idea is? I checked your command but it did not work.
 >
 > The Not Found suggests that the CA is not up. I'd try restarting the
 > pki-cad process to see if that helps.
 >
 > A simple test that communication is working is: ipa cert-show 1
 >
 > The output isn't important as long as it isn't an error.
 >
 > rob
 >
 >
 >  >
 >  >
 >  >
 >  > Number of certificates and requests being tracked: 8.
 >  > Request ID '20140817123525':
 >  >          status: MONITORING
 >  >          ca-error: Unable to determine principal name for signing
 > request.
 >  >          stuck: no
 >  >          key pair storage:
 >  > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
 >  > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
 >  >          certificate:
 >  > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
 >  > Certificate DB'
 >  >          CA: IPA
 >  >          issuer: CN=Certificate Authority,O=EXAMPLE.COM
 >  >          subject: CN=IPA RA,O=EXAMPLE.COM
 >  >          expires: 2018-06-30 07:56:06 UTC
 >  >          eku: id-kp-serverAuth,id-kp-clientAuth
 >  >          pre-save command:
 >  >          post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
 >  >          track: yes
 >  >          auto-renew: yes
 >  > Request ID '20140817123534':
 >  >          status: CA_UNREACHABLE
 >  >          ca-error: Server failed request, will retry: 4301 (RPC failed
 >  > at server.  Certificate operation cannot be completed: Unable to
 >  > communicate with CMS (Not Found)).
 >  >          stuck: yes
 >  >          key pair storage:
 >  > type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS
 >  > Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE.-COM/pwdfile.txt'
 >  >          certificate:
 >  > type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS
 >  > Certificate DB'
 >  >          CA: IPA
 >  >          issuer: CN=Certificate Authority,O=EXAMPLE.COM
 >  >          subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
 >  >          expires: 2016-08-17 12:35:34 UTC
 >  >          eku: id-kp-serverAuth,id-kp-clientAuth
 >  >          pre-save command:
 >  >          post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
 >  > EXAMPLE.-COM
 >  >          track: yes
 >  >          auto-renew: yes
 >  > Request ID '20140817123602':
 >  >          status: CA_UNREACHABLE
 >  >          ca-error: Server failed request, will retry: 4301 (RPC failed
 >  > at server.  Certificate operation cannot be completed: Unable to
 >  > communicate with CMS (Not Found)).
 >  >          stuck: yes
 >  >          key pair storage:
 >  > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
 >  > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
 >  >          certificate:
 >  > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
 >  > Certificate DB'
 >  >          CA: IPA
 >  >          issuer: CN=Certificate Authority,O=EXAMPLE.COM
 >  >          subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
 >  >          expires: 2016-08-17 12:36:02 UTC
 >  >          eku: id-kp-serverAuth,id-kp-clientAuth
 >  >          pre-save command:
 >  >          post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
 >  > PKI-IPA
 >  >          track: yes
 >  >          auto-renew: yes
 >  > Request ID '20140817123752':
 >  >          status: CA_UNREACHABLE
 >  >          ca-error: Server failed request, will retry: 4301 (RPC failed
 >  > at server.  Certificate operation cannot be completed: Unable to
 >  > communicate with CMS (Not Found)).
 >  >          stuck: yes
 >  >          key pair storage:
 >  > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
 >  > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
 >  >          certificate:
 >  > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
 >  > Certificate DB'
 >  >          CA: IPA
 >  >          issuer: CN=Certificate Authority,O=EXAMPLE.COM
 >  >          subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
 >  >          expires: 2016-08-17 12:37:51 UTC
 >  >          eku: id-kp-serverAuth,id-kp-clientAuth
 >  >          pre-save command:
 >  >          post-save command: /usr/lib64/ipa/certmonger/restart_httpd
 >  >          track: yes
 >  >          auto-renew: yes
 >  > You have new mail in /var/spool/mail/root
 >  >
 >  >
 >  >
 >  > ------------------------------------------------------------------------
 >  > *From:* Florence Blanc-Renaud <f...@redhat.com>
 >  > *To:* mohammad sereshki <mohammadseres...@yahoo.com>; Freeipa-users
 >  > <freeipa-users@redhat.com>
 >  > *Sent:* Thursday, July 21, 2016 11:30 AM
 >  > *Subject:* Re: [Freeipa-users] regenerate certificate
 >  >
 >  > On 07/20/2016 10:04 PM, mohammad sereshki wrote:
 >  >  > Hi,
 >  >  > I checked my IPA server, which is version ipa-server-3.0.0-25; the
 >  >  > command "ipa-get-cert list" shows my certificates will expire in the
 >  >  > next 20 days, and I do not know how to regenerate them.
 >  >  > But the command "getcert list" shows the expiring certificates are
 >  >  > related just to "CA: IPA", and the certificate with "CA:
 >  >  > dogtag-ipa-renew-agent" has enough time.
 >  >  > Would you please help me to know how to regenerate the CA:IPA
 >  >  > certificates?
 >  >  >
 >  >  > Best Regards
 >  >  >
 >  >  >
 >  >  >
 >  >
 >  > Hi Mohammad,
 >  >
 >  > the certificates issued by the IPA CA are normally tracked by
 >  > certmonger and automatically renewed when they are near their
 >  > expiration date. To make sure that your certificates are tracked,
 >  > you can issue
 >  >
 >  > $ ipa-getcert list
 >  >
 >  > and check the "status:" field for each certificate. It should display
 >  > "MONITORING".
 >  >
 >  > If you want to manually renew them, you must note their request ID and
 >  > use the command
 >  > $ ipa-getcert resubmit -i $REQUEST_ID
 >  >
 >  > Hope this helps,
 >  > Flo.
 >  >
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
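Flo's advice above is to read the "status:" field of every tracked request and resubmit by request ID, and Rob's is that a CA_UNREACHABLE request will not renew until the CA itself answers. The following is an added example, not code from the thread or from the FreeIPA project: a POSIX shell/awk triage of `ipa-getcert list` output that separates requests certmonger cannot renew because the CA is down from requests that are tracked but expire before a cutoff, and prints the matching `ipa-getcert resubmit -i` commands. The listing inside the block is a constructed sample modelled on the output Mohammad posted, trimmed to three requests; the function names, the verdict labels and the cutoff argument are mine.

```shell
#!/bin/sh
# Added example (not from the thread): triage `ipa-getcert list` output.
# The listing below is a constructed sample modelled on the thread,
# trimmed to three requests; IDs, dates and subjects are illustrative.
sample_getcert() {
cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20140817123525':
        status: MONITORING
        ca-error: Unable to determine principal name for signing request.
        stuck: no
        CA: IPA
        subject: CN=IPA RA,O=EXAMPLE.COM
        expires: 2018-06-30 07:56:06 UTC
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20140817123534':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: yes
        CA: IPA
        subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
        expires: 2016-08-17 12:35:34 UTC
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
        track: yes
        auto-renew: yes
Request ID '20140817123752':
        status: CA_UNREACHABLE
        stuck: yes
        CA: IPA
        subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
        expires: 2016-08-17 12:37:51 UTC
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
EOF
}

# triage_getcert 'YYYY-MM-DD HH:MM:SS'  < listing
# One line per request: ID STATUS STUCK EXPIRES VERDICT, where VERDICT is
# one of these labels (our own, not certmonger's):
#   RESUBMIT_WHEN_CA_UP  certmonger cannot reach the CA; resubmit once it answers
#   INVESTIGATE          any other non-MONITORING state
#   EXPIRING             tracked, but expires before the cutoff
#   OK                   tracked and not due
# Expiry is compared as a string: certmonger prints a fixed-width UTC
# timestamp, so no `date -d` is needed and the script is portable.
triage_getcert() {
  awk -v cutoff="$1" '
    function flush() {
      if (id == "") return
      if (status == "CA_UNREACHABLE")              verdict = "RESUBMIT_WHEN_CA_UP"
      else if (status != "MONITORING")             verdict = "INVESTIGATE"
      else if (expires != "" && expires < cutoff)  verdict = "EXPIRING"
      else                                         verdict = "OK"
      print id, status, stuck, expires, verdict
    }
    /^Request ID/ { flush(); id = $3; gsub(/[^0-9]/, "", id); status = stuck = expires = "" }
    /^[ \t]+status:/  { status = $2 }
    /^[ \t]+stuck:/   { stuck = $2 }
    /^[ \t]+expires:/ {
      sub(/^[ \t]+expires:[ \t]*/, ""); sub(/ UTC$/, ""); expires = $0
    }
    END { flush() }'
}

# Print the manual renewal commands Flo describes, one per request that needs it.
resubmit_commands() {
  triage_getcert "$1" |
    awk '$NF ~ /^(RESUBMIT_WHEN_CA_UP|EXPIRING)$/ { print "ipa-getcert resubmit -i " $1 }'
}

# Example run against the constructed sample:
#   sample_getcert | triage_getcert '2016-08-10 00:00:00'
# On a live server replace sample_getcert with:  ipa-getcert list
```

Run `ipa-getcert list | triage_getcert "$(date -u '+%Y-%m-%d %H:%M:%S' -d '+30 days')"` on a GNU host to see what is due in the next month. Resubmitting a RESUBMIT_WHEN_CA_UP request before the CA answers only produces another 4301 error, which is why the verdict is worded that way; the EXPIRING case matters because the Server-Cert entries for dirsrv and httpd are the certificates the IPA services themselves present, and once they lapse the CA is unreachable for a second reason.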
