On 10/18/2016 11:22 PM, Bertrand Rétif wrote:

I had an issue with pki-tomcat.
I had several certificates that were expired and pki-tomcat did not start.

I set the date on the server before certificate expiration and then
pki-tomcat starts properly.
Then I try to resubmit the certificate, but I get the error below:
  "Profile caServerCert Not Found"

Do you have any idea how I could fix this issue?

Please find below output of commands:

# getcert resubmit -i 20160108170324

# getcert list -i 20160108170324
Number of certificates and requests being tracked: 7.
Request ID '20160108170324':
    status: MONITORING
    ca-error: Server at "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied: Profile caServerCert Not Found
    stuck: no
    key pair storage:
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=A.SKINFRA.EU
    subject: CN=IPA RA,O=A.SKINFRA.EU
    expires: 2016-06-28 15:25:11 UTC
    key usage:
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes

Thanks in advance for your help.

Hi Bertrand,

what version of FreeIPA and Dogtag are you running?

Also perform the following search on the IPA master and post the result:

ldapsearch -D "cn=Directory Manager" -W -b 'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)'

Martin^3 Babinsky
