Thank you very much Rob.
Let me remove the duplicate certificates and try to renew the certificates
again to see if "*ca-error: Internal error: no response to
"http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true
<http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true>"*."
goes away?


On Fri, Jul 22, 2016 at 2:45 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Linov Suresh wrote:
>
>> Could you please verify, if we have set correct trust attributes on the
>> certificates
>>
>> *root@caer ~]# certutil -d /var/lib/pki-ca/alias/ -L*
>>
>> Certificate Nickname                                         Trust
>> Attributes
>>
>>   SSL,S/MIME,JAR/XPI
>>
>> subsystemCert cert-pki-ca                                   u,u,Pu
>> ocspSigningCert cert-pki-ca                                 u,u,u
>> caSigningCert cert-pki-ca                                     CTu,Cu,Cu
>> subsystemCert cert-pki-ca                                   u,u,Pu
>> Server-Cert cert-pki-ca                                         u,u,u
>> auditSigningCert cert-pki-ca                                  u,u,Pu
>> *
>> *
>> *[root@caer ~]# certutil -d /etc/httpd/alias/ -L*
>>
>> Certificate Nickname                                         Trust
>> Attributes
>>
>>   SSL,S/MIME,JAR/XPI
>>
>> ipaCert                                                      u,u,u
>> Server-Cert                                                u,u,u
>> TELOIP.NET <http://TELOIP.NET> IPA CA
>>   CT,C,C
>> ipaCert                                                      u,u,u
>> Signing-Cert                                               u,u,u
>> Server-Cert                                                u,u,u
>>
>> *[root@caer ~]# certutil -d /etc/dirsrv/slapd-TELOIP-NET/ -L*
>>
>> Certificate Nickname                                         Trust
>> Attributes
>>
>>   SSL,S/MIME,JAR/XPI
>>
>> Server-Cert                                                  u,u,u
>> TELOIP.NET <http://TELOIP.NET> IPA CA
>>   CT,,C
>> Server-Cert                                                  u,u,u
>> [root@caer ~]#
>>
>> *Please note, there are duplicate certificates in CA, HTTP and LDAP
>> directory, subsystemCert cert-pki-ca, ipaCert  and Server-Cert. I was
>> wondering if we need to remove these duplicate certificates? *
>>
>
> Yeah you should remove the duplicate certs, they seem to cause problems
> with dogtag at least (certmonger _should_ handle this automatically, we'll
> be looking into it soonish).
>
> To remove the duplicate cert:
>
> 1. Shutdown the service
> 2. Back up the NSS database
> 3. certutil -L -d /path/to/db -n <nickname> -a > somefile
> 4. split somefile into separate files so each file as a BEGIN/END
> certificate
> 5. openssl x509 -text -in -infile somefile1..n
> 6. Pick the one with the most recent issuance date
> 7. You backed up the NSS database, right?
> 8. certutil -D -d /path/to/db -n <nickname>
> 9. certutil -A -d /path/to/db -n <nickname> -t u,u,u -a -i  somefilex
> 10. Start the service, watch logs for errors
>
> For the trust use whatever the original trust value was.
>
> You don't need the P trust flag on the subsystemCert in the CA, only the
> auditSigningCert.
>
> I doubt the duplicated Server-Cert will be a problem. NSS is supposed to
> deal with this automatically, picking the "most correct" cert to use based
> on the validity period.
>
> rob
>
>
>>
>> On Fri, Jul 22, 2016 at 9:36 AM, Linov Suresh <linov.sur...@gmail.com
>> <mailto:linov.sur...@gmail.com>> wrote:
>>
>>     I'm facing another issue now, my kerberos tickets are not renewing,
>>
>>     *[root@caer ~]# ipa cert-show 1*
>>     ipa: ERROR: Ticket expired
>>
>>     *[root@caer ~]# klist*
>>     Ticket cache: FILE:/tmp/krb5cc_0
>>     Default principal: ad...@teloip.net <mailto:ad...@teloip.net>
>>
>>     Valid starting     Expires            Service principal
>>     07/20/16 14:42:26  07/21/16 14:42:22  krbtgt/teloip....@teloip.net
>>     <mailto:teloip....@teloip.net>
>>     07/20/16 14:42:36  07/21/16 14:42:22
>>       HTTP/caer.teloip....@teloip.net <mailto:caer.teloip....@teloip.net>
>>     07/21/16 11:40:15  07/21/16 14:42:22
>>       ldap/caer.teloip....@teloip.net <mailto:caer.teloip....@teloip.net>
>>
>>     I need to manually renew the tickets every day,
>>
>>     *[root@caer ~]# kinit admin*
>>     Password for ad...@teloip.net <mailto:ad...@teloip.net>:
>>     Warning: Your password will expire in 6 days on Thu Jul 28 15:20:15
>> 2016
>>
>>     *[root@caer ~]# klist *
>>     Ticket cache: FILE:/tmp/krb5cc_0
>>     Default principal: ad...@teloip.net <mailto:ad...@teloip.net>
>>
>>     Valid starting     Expires            Service principal
>>     07/22/16 09:34:52  07/23/16 09:34:49  krbtgt/teloip....@teloip.net
>>     <mailto:teloip....@teloip.net>
>>
>>
>>     On Thu, Jul 21, 2016 at 12:23 PM, Rob Crittenden
>>     <rcrit...@redhat.com <mailto:rcrit...@redhat.com>> wrote:
>>
>>         Linov Suresh wrote:
>>
>>             The httpd_error log doesn't contain the part where `ipa
>>             cert-show 1` was
>>             run. If it is from the same time.
>>
>>             *I am not sure about that, please see httpd_error when `ipa
>>             cert-show 1`
>>             was run*
>>
>>
>>         The IPA API log isn't going to show much in this case.
>>
>>         Requests to the CA are proxied through IPA. The CA WAR is not
>>         running on tomcat so when Apache tries to proxy the request
>>         tomcat returns a 404, Not Found.
>>
>>         You need to start with the dogtag debug and selftest logs to see
>>         what is going on. The logs are pretty verbose and can be
>>         challenging to read.
>>
>>         rob
>>
>>
>>             [root@caer ~]# *tail -f /var/log/httpd/error_log*
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI
>>             wsgi_dispatch.__call__:
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI
>>             xmlserver_session.__call__:
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session
>>             cookie_id =
>>             bc2c7ed0eccd840dc266efaf9ece913c
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session
>>             data in
>>             cache with id=bc2c7ed0eccd840dc266efaf9ece913c
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:
>>             xmlserver_session.__call__:
>>             session_id=bc2c7ed0eccd840dc266efaf9ece913c
>>             start_timestamp=2016-07-21T11:58:54
>>             access_timestamp=2016-07-21T12:01:21
>>             expiration_timestamp=2016-07-21T12:18:54
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: storing
>>             ccache data into
>>             file "/var/run/ipa_memcached/krbcc_13554"
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:
>>             get_credential_times:
>>             principal=HTTP/caer.teloip....@teloip.net
>>             <mailto:caer.teloip....@teloip.net>
>>             <mailto:caer.teloip....@teloip.net
>>             <mailto:caer.teloip....@teloip.net>>, authtime=07/21/16
>>             10:31:46,
>>             starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44,
>>             renew_till=12/31/69 19:00:00
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:
>>             get_credential_times:
>>             principal=HTTP/caer.teloip....@teloip.net
>>             <mailto:caer.teloip....@teloip.net>
>>             <mailto:caer.teloip....@teloip.net
>>             <mailto:caer.teloip....@teloip.net>>, authtime=07/21/16
>>             10:31:46,
>>
>>             starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44,
>>             renew_till=12/31/69 19:00:00
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: KRB5_CCache
>>             FILE:/var/run/ipa_memcached/krbcc_13554 endtime=1469197904
>>             (07/22/16
>>             10:31:44)
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:
>>             set_session_expiration_time: duration_type=inactivity_timeout
>>             duration=1200 max_age=1469197604 expiration=1469118081.77
>>             (2016-07-21T12:21:21)
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI
>>             xmlserver.__call__:
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Created
>>             connection
>>             context.ldap2
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI
>>             WSGIExecutioner.__call__:
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: raw:
>>             cert_show(u'1')
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert_show(u'1')
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: IPA: virtual
>>             verify
>>             retrieve certificate
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:
>>             ipaserver.plugins.dogtag.ra.get_certificate()
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: https_request
>>             'https://caer.teloip.net:443/ca/agent/ca/displayBySerial'
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: https_request
>>             post
>>             'xml=true&serialNumber=1'
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: NSSConnection
>>             init
>>             caer.teloip.net <http://caer.teloip.net>
>>             <http://caer.teloip.net>
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Connecting:
>>             10.20.0.75:0 <http://10.20.0.75:0>
>>             <http://10.20.0.75:0>
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:
>>             auth_certificate_callback: check_sig=True is_server=False
>>             *.*
>>             *.*
>>             *.*
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: approved_usage
>> =
>>             SSLServer intended_usage = SSLServer
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert valid
>>             True for
>>             "CN=caer.teloip.net <http://caer.teloip.net>
>>             <http://caer.teloip.net>,O=TELOIP.NET <http://TELOIP.NET>
>>             <http://TELOIP.NET>"
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: handshake
>>             complete, peer
>>             = 10.20.0.75:443 <http://10.20.0.75:443> <
>> http://10.20.0.75:443>
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:
>>             auth_certificate_callback: check_sig=True is_server=False
>>             *.*
>>             *.*
>>             *.*
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: approved_usage
>> =
>>             SSLServer intended_usage = SSLServer
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert valid
>>             True for
>>             "CN=caer.teloip.net <http://caer.teloip.net>
>>             <http://caer.teloip.net>,O=TELOIP.NET <http://TELOIP.NET>
>>             <http://TELOIP.NET>"
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: handshake
>>             complete, peer
>>             = 10.20.0.75:443 <http://10.20.0.75:443> <
>> http://10.20.0.75:443>
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: ERROR:
>>             ipaserver.plugins.dogtag.ra.get_certificate(): Unable to
>>             communicate
>>             with CMS (Not Found)
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: INFO:
>>             ad...@teloip.net <mailto:ad...@teloip.net>
>>             <mailto:ad...@teloip.net <mailto:ad...@teloip.net>>:
>>             cert_show(u'1'): CertificateOperationError
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: response:
>>             CertificateOperationError: Certificate operation cannot be
>>             completed:
>>             Unable to communicate with CMS (Not Found)
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Destroyed
>>             connection
>>             context.ldap2
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: reading
>>             ccache data from
>>             file "/var/run/ipa_memcached/krbcc_13554"
>>             [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: store session:
>>             session_id=bc2c7ed0eccd840dc266efaf9ece913c
>>             start_timestamp=2016-07-21T11:58:54
>>             access_timestamp=2016-07-21T12:01:21
>>             expiration_timestamp=2016-07-21T12:21:21
>>
>>
>>             Does `ipa cert-show` communicate with the same replica? Could
>> be
>>             verified by `ipa -vv cert-show`
>>
>>             *It's asking for the serial number of the certificate. If I
>>             give 64
>>             (serial number of ipaCert ), I get ipa: ERROR: Certificate
>>             operation
>>             cannot be completed: Unable to communicate with CMS (Not
>> Found)*
>>
>>             *[root@caer ~]# ipa -vv cert-show*
>>             ipa: DEBUG: importing all plugin modules in
>>             '/usr/lib/python2.6/site-packages/ipalib/plugins'...
>>             *.*
>>             *.*
>>             *.*
>>             ipa: DEBUG:
>> stdout=ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;
>>             Domain=caer.teloip.net <http://caer.teloip.net>
>>             <http://caer.teloip.net>; Path=/ipa; Expires=Thu,
>>             21 Jul 2016 16:25:32 GMT; Secure; HttpOnly
>>             ipa: DEBUG: stderr=
>>             ipa: DEBUG: found session_cookie in persistent storage for
>>             principal
>>             'ad...@teloip.net <mailto:ad...@teloip.net>
>>             <mailto:ad...@teloip.net <mailto:ad...@teloip.net>>', cookie:
>>             'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;
>>             Domain=caer.teloip.net <http://caer.teloip.net>
>>             <http://caer.teloip.net>; Path=/ipa; Expires=Thu, 21 Jul
>>             2016 16:25:32
>>             GMT; Secure; HttpOnly'
>>             ipa: DEBUG: setting session_cookie into context
>>             'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;'
>>             ipa: INFO: trying https://caer.teloip.net/ipa/session/xml
>>             ipa: DEBUG: Created connection context.xmlclient
>>             Serial number: 64
>>             ipa: DEBUG: raw: cert_show(u'64')
>>             ipa: DEBUG: cert_show(u'64')
>>             ipa: INFO: Forwarding 'cert_show' to server
>>             u'https://caer.teloip.net/ipa/session/xml'
>>             ipa: DEBUG: NSSConnection init caer.teloip.net
>>             <http://caer.teloip.net> <http://caer.teloip.net>
>>             ipa: DEBUG: Connecting: 10.20.0.75:0 <http://10.20.0.75:0>
>>             <http://10.20.0.75:0>
>>             send: u'POST /ipa/session/xml HTTP/1.0\r\nHost:
>>             caer.teloip.net <http://caer.teloip.net>
>>             <http://caer.teloip.net>\r\nAccept-Language:
>> en-us\r\nReferer:
>>             https://caer.teloip.net/ipa/xml\r\nCookie
>>             <https://caer.teloip.net/ipa/xml%5Cr%5CnCookie>:
>>             ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;\r\nUser-Agent:
>>             xmlrpclib.py/1.0.1 <http://xmlrpclib.py/1.0.1>
>>             <http://xmlrpclib.py/1.0.1> (by www.pythonware.com
>>             <http://www.pythonware.com>
>>             <http://www.pythonware.com>)\r\nContent-Type:
>>             text/xml\r\nContent-Length: 268\r\n\r\n'
>>             ipa: DEBUG: auth_certificate_callback: check_sig=True
>>             is_server=False
>>             *.*
>>             *.*
>>             *.*
>>             ipa: DEBUG: approved_usage = SSLServer intended_usage =
>>             SSLServer
>>             ipa: DEBUG: cert valid True for "CN=caer.teloip.net
>>             <http://caer.teloip.net>
>>             <http://caer.teloip.net>,O=TELOIP.NET <http://TELOIP.NET>
>>             <http://TELOIP.NET>"
>>             ipa: DEBUG: handshake complete, peer = 10.20.0.75:443
>>             <http://10.20.0.75:443>
>>             <http://10.20.0.75:443>
>>             send: "<?xml version='1.0'
>>
>> encoding='UTF-8'?>\n<methodCall>\n<methodName>cert_show</methodName>\n<params>\n<param>\n<value><array><data>\n<value><string>64</string></value>\n</data></array></value>\n</param>\n<param>\n<value><struct>\n</struct></value>\n</param>\n</params>\n</methodCall>\n"
>>             reply: 'HTTP/1.1 200 Success\r\n'
>>             header: Date: Thu, 21 Jul 2016 16:05:40 GMT
>>             header: Server: Apache/2.2.15 (CentOS)
>>             header: Set-Cookie:
>>             ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;
>>             Domain=caer.teloip.net <http://caer.teloip.net>
>>             <http://caer.teloip.net>; Path=/ipa; Expires=Thu,
>>             21 Jul 2016 16:25:40 GMT; Secure; HttpOnly
>>             header: Connection: close
>>             header: Content-Type: text/xml; charset=utf-8
>>             ipa: DEBUG: received Set-Cookie
>>             'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;
>>             Domain=caer.teloip.net <http://caer.teloip.net>
>>             <http://caer.teloip.net>; Path=/ipa; Expires=Thu, 21 Jul
>>             2016 16:25:40
>>             GMT; Secure; HttpOnly'
>>             ipa: DEBUG: storing cookie
>>             'ipa_session=bc2c7ed0eccd840dc266efaf9ece913c;
>>             Domain=caer.teloip.net <http://caer.teloip.net>
>>             <http://caer.teloip.net>; Path=/ipa; Expires=Thu, 21 Jul
>>             2016 16:25:40
>>             GMT; Secure; HttpOnly' for principal ad...@teloip.net
>>             <mailto:ad...@teloip.net>
>>             <mailto:ad...@teloip.net <mailto:ad...@teloip.net>>
>>             ipa: DEBUG: args=keyctl search @s user
>>             ipa_session_cookie:ad...@teloip.net
>>             <mailto:ipa_session_cookie%3aad...@teloip.net>
>>             <mailto:ipa_session_cookie%3aad...@teloip.net
>>             <mailto:ipa_session_cookie%253aad...@teloip.net>>
>>             ipa: DEBUG: stdout=457971704
>>
>>             ipa: DEBUG: stderr=
>>             ipa: DEBUG: args=keyctl search @s user
>>             ipa_session_cookie:ad...@teloip.net
>>             <mailto:ipa_session_cookie%3aad...@teloip.net>
>>             <mailto:ipa_session_cookie%3aad...@teloip.net
>>             <mailto:ipa_session_cookie%253aad...@teloip.net>>
>>             ipa: DEBUG: stdout=457971704
>>
>>             ipa: DEBUG: stderr=
>>             ipa: DEBUG: args=keyctl pupdate 457971704
>>             ipa: DEBUG: stdout=
>>             ipa: DEBUG: stderr=
>>             body: "<?xml version='1.0'
>>
>> encoding='UTF-8'?>\n<methodResponse>\n<fault>\n<value><struct>\n<member>\n<name>faultCode</name>\n<value><int>4301</int></value>\n</member>\n<member>\n<name>faultString</name>\n<value><string>Certificate
>>             operation cannot be completed: Unable to communicate with
>>             CMS (Not
>>
>> Found)</string></value>\n</member>\n</struct></value>\n</fault>\n</methodResponse>\n"
>>             ipa: DEBUG: Caught fault 4301 from server
>>             https://caer.teloip.net/ipa/session/xml: Certificate
>>             operation cannot be
>>             completed: Unable to communicate with CMS (Not Found)
>>             ipa: DEBUG: Destroyed connection context.xmlclient
>>             ipa: ERROR: Certificate operation cannot be completed: Unable
>> to
>>             communicate with CMS (Not Found)
>>             [root@caer ~]#
>>
>>
>>             But more interesting is: SelfTestSubsystem: The CRITICAL
>>             self test
>>             plugin called
>>             selftests.container.instance.SystemCertsVerification
>>             running at startup FAILED!
>>
>>             Are you sure that CA is running?
>>                 # ipactl status
>>             *Yes, CA is runnig, *
>>
>>             *[root@caer ~]# ipactl status*
>>             Directory Service: RUNNING
>>             KDC Service: RUNNING
>>             KPASSWD Service: RUNNING
>>             DNS Service: RUNNING
>>             MEMCACHE Service: RUNNING
>>             HTTP Service: RUNNING
>>             CA Service: RUNNING
>>
>>             This looks like that self test fail and therefore CA
>>             shouldn't start. It
>>             also says that some of CA cert is not valid. Which one might
>>             be seen in
>>             /var/log/pki-ca/debug but a bigger chunk would be needed.
>>
>>             *[root@caer ~]# tail -100 /var/log/pki-ca/debug *
>>
>>             [21/Jul/2016:11:48:29][CertStatusUpdateThread]: getConn: conn
>> is
>>             connected true
>>             [21/Jul/2016:11:48:29][CertStatusUpdateThread]: getConn:
>>             mNumConns now 1
>>             [21/Jul/2016:11:48:29][CertStatusUpdateThread]: In
>>             findCertRecordsInListRawJumpto with Jumpto 20160721114829Z
>>             [21/Jul/2016:11:48:29][CertStatusUpdateThread]: In
>>             DBVirtualList filter
>>             attrs startFrom sortKey pageSize filter:
>>             (certStatus=REVOKED) attrs:
>>             [objectclass, certRevokedOn, certRecordId, certRevoInfo,
>>             notAfter,
>>             x509cert] pageSize -200 startFrom 20160721114829Z
>>             [21/Jul/2016:11:48:29][CertStatusUpdateThread]: returnConn:
>>             mNumConns now 2
>>             [21/Jul/2016:11:48:29][CertStatusUpdateThread]: returnConn:
>>             mNumConns now 3
>>             [21/Jul/2016:11:48:29][CertStatusUpdateThread]: getEntries
>>             returning 0
>>             [21/Jul/2016:11:48:29][CertStatusUpdateThread]: mTop 0
>>             [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Getting
>>             Virtual List size: 0
>>             [21/Jul/2016:11:48:29][CertStatusUpdateThread]: index may be
>>             empty
>>             [21/Jul/2016:11:48:29][CertStatusUpdateThread]:
>>             updateCertStatus done
>>             [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Starting
>>             cert checkRanges
>>             [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial
>>             numbers left in
>>             range: 268369849
>>             [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Last Serial
>>             Number: 71
>>             [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial Numbers
>>             available: 268369849
>>             [21/Jul/2016:11:48:29][CertStatusUpdateThread]: cert
>>             checkRanges done
>>             [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Starting
>>             request checkRanges
>>             [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial
>>             numbers left in
>>             range: 9989888
>>             [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Last Serial
>>             Number: 112
>>             [21/Jul/2016:11:48:29][CertStatusUpdateThread]: Serial Numbers
>>             available: 9989888
>>             [21/Jul/2016:11:48:29][CertStatusUpdateThread]: request
>>             checkRanges done
>>             [21/Jul/2016:11:53:28][Timer-0]: CMSEngine:
>>             getPasswordStore(): password
>>             store initialized before.
>>             [21/Jul/2016:11:53:28][Timer-0]: CMSEngine:
>>             getPasswordStore(): password
>>             store initialized.
>>             [21/Jul/2016:11:58:28][Timer-0]: CMSEngine:
>>             getPasswordStore(): password
>>             store initialized before.
>>             [21/Jul/2016:11:58:28][Timer-0]: CMSEngine:
>>             getPasswordStore(): password
>>             store initialized.
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: About to start
>>             updateCertStatus
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting
>>             updateCertStatus (entered lock)
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In
>>             updateCertStatus()
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In
>>             LdapBoundConnFactory::getConn()
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn
>>             is connected:
>>             true
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn
>> is
>>             connected true
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn:
>>             mNumConns now 2
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]:
>>             getInvalidCertificatesByNotBeforeDate filter
>>             (certStatus=INVALID)
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]:
>>             getInvalidCertificatesByNotBeforeDate: about to call
>>             findCertRecordsInList
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In
>>             LdapBoundConnFactory::getConn()
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn
>>             is connected:
>>             true
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn
>> is
>>             connected true
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn:
>>             mNumConns now 1
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In
>>             findCertRecordsInListRawJumpto with Jumpto 20160721115829Z
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In
>>             DBVirtualList filter
>>             attrs startFrom sortKey pageSize filter:
>>             (certStatus=INVALID) attrs:
>>             [objectclass, certRecordId, x509cert] pageSize -200 startFrom
>>             20160721115829Z
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn:
>>             mNumConns now 2
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In
>>             getInvalidCertsByNotBeforeDate finally.
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn:
>>             mNumConns now 3
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries
>>             returning 0
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting
>>             Virtual List size: 0
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: index may be
>>             empty
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In
>>             LdapBoundConnFactory::getConn()
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn
>>             is connected:
>>             true
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn
>> is
>>             connected true
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn:
>>             mNumConns now 2
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]:
>>             getValidCertsByNotAfterDate filter (certStatus=VALID)
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In
>>             LdapBoundConnFactory::getConn()
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn
>>             is connected:
>>             true
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn
>> is
>>             connected true
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn:
>>             mNumConns now 1
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In
>>             findCertRecordsInListRawJumpto with Jumpto 20160721115829Z
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In
>>             DBVirtualList filter
>>             attrs startFrom sortKey pageSize filter: (certStatus=VALID)
>>             attrs:
>>             [objectclass, certRecordId, x509cert] pageSize -200 startFrom
>>             20160721115829Z
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn:
>>             mNumConns now 2
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn:
>>             mNumConns now 3
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries
>>             returning 1
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting
>>             Virtual List
>>             size: 14
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]:
>>             transidValidCertificates: list size: 14
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]:
>>             transitValidCertificates: ltSize 1
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]:
>>             getElementAt: 0 mTop 0
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: reverse
>>             direction
>>             getting index 0
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Record does
>> not
>>             qualify,notAfter Thu Jan 12 09:11:48 EST 2017 date Thu Jul
>>             21 11:58:29
>>             EDT 2016
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]:
>>             transitCertList EXPIRED
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In
>>             LdapBoundConnFactory::getConn()
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn
>>             is connected:
>>             true
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn
>> is
>>             connected true
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn:
>>             mNumConns now 2
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]:
>>             getRevokedCertificatesByNotAfterDate filter
>> (certStatus=REVOKED)
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]:
>>             getRevokedCertificatesByNotAfterDate: about to call
>>             findCertRecordsInList
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In
>>             LdapBoundConnFactory::getConn()
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: masterConn
>>             is connected:
>>             true
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn: conn
>> is
>>             connected true
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getConn:
>>             mNumConns now 1
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In
>>             findCertRecordsInListRawJumpto with Jumpto 20160721115829Z
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: In
>>             DBVirtualList filter
>>             attrs startFrom sortKey pageSize filter:
>>             (certStatus=REVOKED) attrs:
>>             [objectclass, certRevokedOn, certRecordId, certRevoInfo,
>>             notAfter,
>>             x509cert] pageSize -200 startFrom 20160721115829Z
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn:
>>             mNumConns now 2
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: returnConn:
>>             mNumConns now 3
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: getEntries
>>             returning 0
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: mTop 0
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Getting
>>             Virtual List size: 0
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: index may be
>>             empty
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]:
>>             updateCertStatus done
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting
>>             cert checkRanges
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial
>>             numbers left in
>>             range: 268369849
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Last Serial
>>             Number: 71
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial Numbers
>>             available: 268369849
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: cert
>>             checkRanges done
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Starting
>>             request checkRanges
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial
>>             numbers left in
>>             range: 9989888
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Last Serial
>>             Number: 112
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: Serial Numbers
>>             available: 9989888
>>             [21/Jul/2016:11:58:29][CertStatusUpdateThread]: request
>>             checkRanges done
>>             [21/Jul/2016:12:03:28][Timer-0]: CMSEngine:
>>             getPasswordStore(): password
>>             store initialized before.
>>             [21/Jul/2016:12:03:28][Timer-0]: CMSEngine:
>>             getPasswordStore(): password
>>             store initialized.
>>
>>             On Thu, Jul 21, 2016 at 11:46 AM, Petr Vobornik
>>             <pvobo...@redhat.com <mailto:pvobo...@redhat.com>
>>             <mailto:pvobo...@redhat.com <mailto:pvobo...@redhat.com>>>
>>             wrote:
>>
>>                  On 07/21/2016 05:14 PM, Linov Suresh wrote:
>>                  > I set debug=true in /etc/ipa/default.conf
>>                  >
>>                  > Here are my logs,
>>
>>                  The httpd_error log doesn't contain the part where `ipa
>>             cert-show 1` was
>>                  run. If it is from the same time. Does `ipa cert-show`
>>             communicate with
>>                  the same replica? Could be verified by `ipa -vv
>> cert-show`
>>
>>                  But more interesting is:
>>
>>                  SelfTestSubsystem: The CRITICAL self test plugin called
>>                  selftests.container.instance.SystemCertsVerification
>>             running at startup
>>                  FAILED!
>>
>>                  Are you sure that CA is running?
>>                     # ipactl status
>>
>>                  This looks like that self test fail and therefore CA
>>             shouldn't start. It
>>                  also says that some of CA cert is not valid. Which one
>>             might be seen in
>>                  /var/log/pki-ca/debug but a bigger chunk would be needed.
>>
>>                   >
>>                   > *[root@caer ~]# tail -f /var/log/httpd/error_log*
>>                   > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: WSGI
>>                  WSGIExecutioner.__call__:
>>                   > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: raw:
>>                  user_show(u'admin',
>>                   > rights=False, all=False, raw=False, version=u'2.46')
>>                   > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG:
>>                  user_show(u'admin', rights=False,
>>                   > all=False, raw=False, version=u'2.46')
>>                   > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG:
>>             get_memberof:
>>                   >
>> entry_dn=uid=admin,cn=users,cn=accounts,dc=teloip,dc=net
>>                   >
>>
>>
>> memberof=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=teloip,dc=net'),
>>                   > ipapython.dn.DN('cn=replication
>>                   >
>> administrators,cn=privileges,cn=pbac,dc=teloip,dc=net'),
>>                  ipapython.dn.DN('cn=add
>>                   > replication
>>             agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>>                   > ipapython.dn.DN('cn=modify replication
>>                   > agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>>                  ipapython.dn.DN('cn=remove
>>                   > replication
>>             agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>>                   > ipapython.dn.DN('cn=unlock user
>>                   > accounts,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>>                  ipapython.dn.DN('cn=manage
>>                   > service
>>             keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>>                   > ipapython.dn.DN('cn=trust
>>                  admins,cn=groups,cn=accounts,dc=teloip,dc=net'),
>>                   > ipapython.dn.DN('cn=host
>>                  enrollment,cn=privileges,cn=pbac,dc=teloip,dc=net'),
>>                   > ipapython.dn.DN('cn=manage host
>>                   > keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>>                  ipapython.dn.DN('cn=enroll a
>>                   > host,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>>                  ipapython.dn.DN('cn=add host
>>                   > password,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>>                  ipapython.dn.DN('cn=add
>>                   > krbprincipalname to a
>>             host,cn=permissions,cn=pbac,dc=teloip,dc=net')]
>>                   > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG:
>>             get_memberof: result
>>                   >
>>
>>
>> direct=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=teloip,dc=net'),
>>                   > ipapython.dn.DN('cn=trust
>>                  admins,cn=groups,cn=accounts,dc=teloip,dc=net')]
>>                   > indirect=[ipapython.dn.DN('cn=replication
>>                   >
>> administrators,cn=privileges,cn=pbac,dc=teloip,dc=net'),
>>                  ipapython.dn.DN('cn=add
>>                   > replication
>>             agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>>                   > ipapython.dn.DN('cn=modify replication
>>                   > agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>>                  ipapython.dn.DN('cn=remove
>>                   > replication
>>             agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>>                   > ipapython.dn.DN('cn=unlock user
>>                   > accounts,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>>                  ipapython.dn.DN('cn=manage
>>                   > service
>>             keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>>                   > ipapython.dn.DN('cn=host
>>                  enrollment,cn=privileges,cn=pbac,dc=teloip,dc=net'),
>>                   > ipapython.dn.DN('cn=manage host
>>                   > keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>>                  ipapython.dn.DN('cn=enroll a
>>                   > host,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>>                  ipapython.dn.DN('cn=add host
>>                   > password,cn=permissions,cn=pbac,dc=teloip,dc=net'),
>>                  ipapython.dn.DN('cn=add
>>                   > krbprincipalname to a
>>             host,cn=permissions,cn=pbac,dc=teloip,dc=net')]
>>                   > [Thu Jul 21 11:00:38 2016] [error] ipa: INFO:
>>             ad...@teloip.net <mailto:ad...@teloip.net>
>>                  <mailto:ad...@teloip.net <mailto:ad...@teloip.net>>
>>                   > <mailto:ad...@teloip.net <mailto:ad...@teloip.net>
>>             <mailto:ad...@teloip.net <mailto:ad...@teloip.net>>>:
>>
>>                  user_show(u'admin', rights=False, all=False,
>>                  > raw=False, version=u'2.46'): SUCCESS
>>                  > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG:
>>             response: entries returned 1
>>                  > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG:
>>             Destroyed connection context.ldap2
>>                  > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG:
>>             reading ccache data from file
>>                  > "/var/run/ipa_memcached/krbcc_13554"
>>                  > [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: store
>>             session:
>>                  > session_id=10c5de02f8ae0f3969b96ef0f2e3a96d
>>             start_timestamp=2016-07-21T10:43:26
>>                  > access_timestamp=2016-07-21T11:00:38
>>             expiration_timestamp=2016-07-21T11:20:38
>>                  >
>>                   > *[root@caer ~]# tail -f /var/log/pki-ca/debug*
>>                  > [21/Jul/2016:11:08:29][CertStatusUpdateThread]:
>>             RequestQueue: curReqId: 9990001
>>                  > [21/Jul/2016:11:08:29][CertStatusUpdateThread]:
>>             getElementAt: 1 mTop 107
>>                  > [21/Jul/2016:11:08:29][CertStatusUpdateThread]:
>>             reverse direction getting index 4
>>                  > [21/Jul/2016:11:08:29][CertStatusUpdateThread]:
>>             RequestQueue: curReqId: 112
>>                  > [21/Jul/2016:11:08:29][CertStatusUpdateThread]:
>>             RequestQueue: getLastRequestId :
>>                  > returning value 112
>>                  > [21/Jul/2016:11:08:29][CertStatusUpdateThread]:
>>             Repository:  mLastSerialNo: 112
>>                  > [21/Jul/2016:11:08:29][CertStatusUpdateThread]:
>>             Serial numbers left in range:
>>                  > 9989888
>>                  > [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Last
>>             Serial Number: 112
>>                  > [21/Jul/2016:11:08:29][CertStatusUpdateThread]:
>>             Serial Numbers available: 9989888
>>                  > [21/Jul/2016:11:08:29][CertStatusUpdateThread]:
>>             request checkRanges done
>>                  >
>>                   > *[root@caer ~]# tail -f /var/log/pki-ca/transactions*
>>                   > 6563.CRLIssuingPoint-MasterCRL -
>>             [20/Jul/2016:17:00:00 EDT] [20]
>>                  [1] CRL Update
>>                   > completed. CRL ID: MasterCRL CRL Number: 8,912 last
>>             update time:
>>                  7/20/16 5:00 PM
>>                   > next update time: 7/20/16 9:00 PM Number of entries
>>             in the CRL:
>>                  11 time: 25  CRL
>>                   > time: 25  delta CRL time: 0
>>             (0,0,0,0,0,0,0,8,17,0,0,25,25)
>>                   > 6563.CRLIssuingPoint-MasterCRL -
>>             [20/Jul/2016:21:00:00 EDT] [20]
>>                  [1] CRL update
>>                   > started.  CRL ID: MasterCRL  CRL Number: 8,913
>>             Delta CRL
>>                  Enabled: false  CRL
>>                   > Cache Enabled: true  Cache Recovery Enabled: true
>>             Cache Cleared:
>>                  false  Cache:
>>                   > 11,0,0,0
>>                   > 6563.CRLIssuingPoint-MasterCRL -
>>             [20/Jul/2016:21:00:00 EDT] [20]
>>                  [1] CRL Update
>>                   > completed. CRL ID: MasterCRL CRL Number: 8,913 last
>>             update time:
>>                  7/20/16 9:00 PM
>>                   > next update time: 7/21/16 1:00 AM Number of entries
>>             in the CRL:
>>                  11 time: 11  CRL
>>                   > time: 11  delta CRL time: 0
>>             (0,0,0,0,0,0,0,6,5,0,0,11,11)
>>                   > 6563.CRLIssuingPoint-MasterCRL -
>>             [21/Jul/2016:01:00:00 EDT] [20]
>>                  [1] CRL update
>>                   > started.  CRL ID: MasterCRL  CRL Number: 8,914
>>             Delta CRL
>>                  Enabled: false  CRL
>>                   > Cache Enabled: true  Cache Recovery Enabled: true
>>             Cache Cleared:
>>                  false  Cache:
>>                   > 11,0,0,0
>>                   > 6563.CRLIssuingPoint-MasterCRL -
>>             [21/Jul/2016:01:00:00 EDT] [20]
>>                  [1] CRL Update
>>                   > completed. CRL ID: MasterCRL CRL Number: 8,914 last
>>             update time:
>>                  7/21/16 1:00 AM
>>                   > next update time: 7/21/16 5:00 AM Number of entries
>>             in the CRL:
>>                  11 time: 13  CRL
>>                   > time: 13  delta CRL time: 0
>>             (0,0,0,0,0,0,0,6,7,0,0,13,13)
>>                   > 6563.CRLIssuingPoint-MasterCRL -
>>             [21/Jul/2016:05:00:00 EDT] [20]
>>                  [1] CRL update
>>                   > started.  CRL ID: MasterCRL  CRL Number: 8,915
>>             Delta CRL
>>                  Enabled: false  CRL
>>                   > Cache Enabled: true  Cache Recovery Enabled: true
>>             Cache Cleared:
>>                  false  Cache:
>>                   > 11,0,0,0
>>                   > 6563.CRLIssuingPoint-MasterCRL -
>>             [21/Jul/2016:05:00:00 EDT] [20]
>>                  [1] CRL Update
>>                   > completed. CRL ID: MasterCRL CRL Number: 8,915 last
>>             update time:
>>                  7/21/16 5:00 AM
>>                   > next update time: 7/21/16 9:00 AM Number of entries
>>             in the CRL:
>>                  11 time: 16  CRL
>>                   > time: 16  delta CRL time: 0
>>             (0,0,0,0,0,0,0,8,8,0,0,16,16)
>>                   > 6563.CRLIssuingPoint-MasterCRL -
>>             [21/Jul/2016:09:00:00 EDT] [20]
>>                  [1] CRL update
>>                   > started.  CRL ID: MasterCRL  CRL Number: 8,916
>>             Delta CRL
>>                  Enabled: false  CRL
>>                   > Cache Enabled: true  Cache Recovery Enabled: true
>>             Cache Cleared:
>>                  false  Cache:
>>                   > 11,0,0,0
>>                   > 6563.CRLIssuingPoint-MasterCRL -
>>             [21/Jul/2016:09:00:00 EDT] [20]
>>                  [1] CRL Update
>>                   > completed. CRL ID: MasterCRL CRL Number: 8,916 last
>>             update time:
>>                  7/21/16 9:00 AM
>>                   > next update time: 7/21/16 1:00 PM Number of entries
>>             in the CRL:
>>                  11 time: 13  CRL
>>                   > time: 13  delta CRL time: 0
>>             (0,0,0,0,0,0,0,6,7,0,0,13,13)
>>                   > 10657.http-9443-2 - [21/Jul/2016:10:28:19 EDT] [20]
>>             [1] renewal
>>                  reqID 112
>>                   > fromAgent userID: ipara authenticated by
>>             certUserDBAuthMgr is
>>                  completed DN
>>                   > requested: CN=CA Audit,O=TELOIP.NET
>>             <http://TELOIP.NET> <http://TELOIP.NET>
>>                  <http://TELOIP.NET> cert issued serial
>>                   > number: 0x47 time: 39
>>                   >
>>                   > *[root@caer ~]# tail -f
>> /var/log/pki-ca/selftests.log*
>>                  > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1]
>>             SelfTestSubsystem:  loading all
>>                  > self test plugin logger parameters
>>                  > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1]
>>             SelfTestSubsystem:  loading all
>>                  > self test plugin instances
>>                  > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1]
>>             SelfTestSubsystem:  loading all
>>                  > self test plugin instance parameters
>>                  > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1]
>>             SelfTestSubsystem:  loading
>>                  > self test plugins in on-demand order
>>                  > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1]
>>             SelfTestSubsystem:  loading
>>                  > self test plugins in startup order
>>                  > 14116.main - [21/Jul/2016:10:58:29 EDT] [20] [1]
>>             SelfTestSubsystem: Self test
>>                  > plugins have been successfully loaded!
>>                  > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1]
>>             SelfTestSubsystem: Running self
>>                  > test plugins specified to be executed at startup:
>>                  > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1]
>>             CAPresence:  CA is present
>>                  > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1]
>>             SystemCertsVerification: system
>>                  > certs verification failure
>>                  > 14116.main - [21/Jul/2016:10:58:30 EDT] [20] [1]
>>             SelfTestSubsystem: The CRITICAL
>>                  > self test plugin called
>>             selftests.container.instance.SystemCertsVerification
>>                  > running at startup FAILED!
>>                  >
>>                   > But intrestingly, [root@caer ~]# ipa cert-show 1
>>             returns "*ipa:
>>                  ERROR:
>>                  > Certificate operation cannot be completed: Unable to
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to