I realized that I was not very clear in my statement about testing with ldapsearch. I had initially run it without logging in with a DN. I was just running the local ldapsearch -x command. I then tested on ipa12.mgmt and ipa11.mgmt logging in with a full DN for the admin and "cn=Directory Manager" from ipa12.mgmt (broken server) and ipa11.mgmt and both ldapsearch commands succeeded.

I ran the following from ipa12.mgmt and ipa11.mgmt as a non-root user. I also ran the command showing a line count for the output and the line counts for each were the same when run from ipa12.mgmt and ipa11.mgmt.

ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "DN" -w PASSWORD -b "cn=users,cn=accounts,dc=mgmt,dc=crosschx,dc=com" dn

ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "cn=directory manager" -w PASSWORD dn

*Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
614.427.2411
mike.plemm...@crosschx.com
www.crosschx.com

On Wed, May 3, 2017 at 5:28 PM, Michael Plemmons <michael.plemm...@crosschx.com> wrote:

> I have a three node IPA cluster.
>
> ipa11.mgmt - was a master over 6 months ago
> ipa13.mgmt - current master
> ipa12.mgmt
>
> ipa13 has agreements with ipa11 and ipa12. ipa11 and ipa12 do not have
> agreements between each other.
>
> It appears that either ipa12.mgmt lost some level of its replication
> agreement with ipa13. I saw some level because users / hosts were
> replicated between all systems but we started seeing DNS was not resolving
> properly from ipa12. I do not know when this started.
>
> When looking at replication agreements on ipa12 I did not see any
> agreement with ipa13.
>
> When I run ipa-replica-manage list all three hosts show as master.
>
> When I run ipa-replica-manage ipa11.mgmt I see ipa13.mgmt is a replica.
>
> When I run ipa-replica-manage ipa12.mgmt nothing returned.
>
> I ran ipa-replica-manage connect --cacert=/etc/ipa/ca.crt
> ipa12.mgmt.crosschx.com ipa13.mgmt.crosschx.com on ipa12.mgmt
>
> I then ran the following
>
> ipa-replica-manage force-sync --from ipa13.mgmt.crosschx.com
>
> ipa-replica-manage re-initialize --from ipa13.mgmt.crosschx.com
>
> I was still seeing bad DNS returns when dig'ing against ipa12.mgmt. I was
> able to create user and DNS records and see the information replicated
> properly across all three nodes.
>
> I then ran ipactl stop on ipa12.mgmt and then ipactl start on ipa12.mgmt
> because I wanted to make sure everything was running fresh after the
> changes above. While IPA was starting up (DNS started) we were able to see
> valid DNS queries returned but pki-tomcat would not start.
>
> I am not sure what I need to do in order to get this working. I have
> included the output of certutil and getcert below from all three servers as
> well as the debug output for pki.
>
>
> While the IPA system is coming up I am able to successfully run ldapsearch
> -x as the root user and see results. I am also able to login with the
> "cn=Directory Manager" account and see results.
>
>
> The debug log shows the following error.
>
>
> [03/May/2017:21:22:01][localhost-startStop-1]: ============================================
> [03/May/2017:21:22:01][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED =======
> [03/May/2017:21:22:01][localhost-startStop-1]: ============================================
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=debug
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized debug
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=log
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=log
> [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
> [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
> [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=log
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized log
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=jss
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=jss
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized jss
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=dbs
> [03/May/2017:21:22:01][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true
> [03/May/2017:21:22:01][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem)
> [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory: init
> [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
> [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init()
> [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init begins
> [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init ends
> [03/May/2017:21:22:01][localhost-startStop-1]: init: before makeConnection errorIfDown is true
> [03/May/2017:21:22:01][localhost-startStop-1]: makeConnection: errorIfDown true
> [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
> [03/May/2017:21:22:02][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
> [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
> [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
> [03/May/2017:21:22:02][localhost-startStop-1]: SSL handshake happened
> Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
>     at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
>     at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
>     at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
>     at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
>     at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
>     at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
>     at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
>     at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>     at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
>     at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>     at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
>     at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
>     at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
>     at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
>     at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
>     at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
>     at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
>     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>     at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
>     at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at java.lang.Thread.run(Thread.java:745)
> Internal Database Error encountered: Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
>     at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
>     at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
>     at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
>     at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
>     at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>     at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
>     at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>     at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
>     at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
>     at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
>     at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
>     at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
>     at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
>     at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
>     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>     at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
>     at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at java.lang.Thread.run(Thread.java:745)
> [03/May/2017:21:22:02][localhost-startStop-1]: CMSEngine.shutdown()
>
>
> =============================
>
>
> IPA11.MGMT
>
>
> (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
>
> Certificate Nickname                     Trust Attributes
>                                          SSL,S/MIME,JAR/XPI
>
> Server-Cert                              u,u,u
> MGMT.CROSSCHX.COM IPA CA                 CT,C,C
>
> (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
>
> Certificate Nickname                     Trust Attributes
>                                          SSL,S/MIME,JAR/XPI
>
> caSigningCert cert-pki-ca                CTu,Cu,Cu
> auditSigningCert cert-pki-ca             u,u,Pu
> ocspSigningCert cert-pki-ca              u,u,u
> subsystemCert cert-pki-ca                u,u,u
> Server-Cert cert-pki-ca                  u,u,u
>
>
>
> IPA13.MGMT
> (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
>
> Certificate Nickname                     Trust Attributes
>                                          SSL,S/MIME,JAR/XPI
>
> Server-Cert                              u,u,u
> MGMT.CROSSCHX.COM IPA CA                 CT,C,C
>
> (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
>
> Certificate Nickname                     Trust Attributes
>                                          SSL,S/MIME,JAR/XPI
>
> caSigningCert cert-pki-ca                CTu,Cu,Cu
> auditSigningCert cert-pki-ca             u,u,Pu
> ocspSigningCert cert-pki-ca              u,u,u
> subsystemCert cert-pki-ca                u,u,u
> Server-Cert cert-pki-ca                  u,u,u
>
>
>
> IPA12.MGMT
> (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
>
> Certificate Nickname                     Trust Attributes
>                                          SSL,S/MIME,JAR/XPI
>
> Server-Cert                              u,u,u
> MGMT.CROSSCHX.COM IPA CA                 C,,
>
> (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
>
> Certificate Nickname                     Trust Attributes
>                                          SSL,S/MIME,JAR/XPI
>
> caSigningCert cert-pki-ca                CTu,Cu,Cu
> auditSigningCert cert-pki-ca             u,u,Pu
> ocspSigningCert cert-pki-ca              u,u,u
> subsystemCert cert-pki-ca                u,u,u
> Server-Cert cert-pki-ca                  u,u,u
>
> =================================================
>
> IPA11.MGMT
>
> (root)>getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20161229155314':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>     subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>     expires: 2018-12-30 15:52:43 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM
>     track: yes
>     auto-renew: yes
> Request ID '20161229155652':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>     subject: CN=CA Audit,O=MGMT.CROSSCHX.COM
>     expires: 2018-11-12 13:00:29 UTC
>     key usage: digitalSignature,nonRepudiation
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20161229155654':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>     subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM
>     expires: 2018-11-12 13:00:26 UTC
>     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>     eku: id-kp-OCSPSigning
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20161229155655':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>     subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM
>     expires: 2018-11-12 13:00:28 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20161229155657':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>     subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>     expires: 2036-11-22 13:00:25 UTC
>     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20161229155659':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent
>     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>     subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>     expires: 2018-12-19 15:56:20 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20161229155921':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>     subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>     expires: 2018-12-30 15:52:46 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>     track: yes
>     auto-renew: yes
> Request ID '20161229160009':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>     subject: CN=IPA RA,O=MGMT.CROSSCHX.COM
>     expires: 2018-11-12 13:01:34 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>     post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>     track: yes
>     auto-renew: yes
>
>
>
> ==================================
>
> IPA13.MGMT
>
> (root)>getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20161229143449':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>     subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>     expires: 2018-12-30 14:34:20 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM
>     track: yes
>     auto-renew: yes
> Request ID '20161229143826':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>     subject: CN=CA Audit,O=MGMT.CROSSCHX.COM
>     expires: 2018-11-12 13:00:29 UTC
>     key usage: digitalSignature,nonRepudiation
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20161229143828':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>     subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM
>     expires: 2018-11-12 13:00:26 UTC
>     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>     eku: id-kp-OCSPSigning
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20161229143831':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>     subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM
>     expires: 2018-11-12 13:00:28 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20161229143833':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>     subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>     expires: 2036-11-22 13:00:25 UTC
>     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20161229143835':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent
>     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>     subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>     expires: 2018-12-19 14:37:54 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20161229144057':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>     subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>     expires: 2018-12-30 14:34:23 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>     track: yes
>     auto-renew: yes
> Request ID '20161229144146':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>     subject: CN=IPA RA,O=MGMT.CROSSCHX.COM
>     expires: 2018-11-12 13:01:34 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>     post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>     track: yes
>     auto-renew: yes
>
>
>
> ===========================
>
> IPA12.MGMT
>
> (root)>getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20161229151518':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>     subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>     expires: 2018-12-30 15:14:51 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM
>     track: yes
>     auto-renew: yes
> Request ID '20161229151850':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>     subject: CN=CA Audit,O=MGMT.CROSSCHX.COM
>     expires: 2018-11-12 13:00:29 UTC
>     key usage: digitalSignature,nonRepudiation
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20161229151852':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>     subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM
>     expires: 2018-11-12 13:00:26 UTC
>     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>     eku: id-kp-OCSPSigning
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20161229151854':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>     subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM
>     expires: 2018-11-12 13:00:28 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20161229151856':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>     subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>     expires: 2036-11-22 13:00:25 UTC
>     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20161229151858':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent
>     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>     subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>     expires: 2018-12-19 15:18:16 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20161229152115':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>     subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>     expires: 2018-12-30 15:14:54 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>     track: yes
>     auto-renew: yes
> Request ID '20161229152204':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>     subject: CN=IPA RA,O=MGMT.CROSSCHX.COM
>     expires: 2018-11-12 13:01:34 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>     post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>     track: yes
>     auto-renew: yes
>
>
>
> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
> 614.427.2411
> mike.plemm...@crosschx.com
> www.crosschx.com
>
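
The `certutil -L` listings quoted above are easier to compare mechanically than by eye, and the debug log shows pki-tomcat presenting `subsystemCert cert-pki-ca` as a TLS client certificate to LDAP on port 636, so the CA trust attributes in each directory server's NSS database are worth checking side by side. The following is an added example, not part of the original message: the sample listings are constructed from the values in the post with assumed column spacing, and the function names are hypothetical.

```python
import re

# NSS trust attributes are three comma-separated fields: SSL, S/MIME, JAR/XPI.
# In the SSL field, "C" marks a trusted CA and "T" a CA trusted to issue
# client certificates.
FIELDS = ("SSL", "S/MIME", "JAR/XPI")
FLAG = r"[pPcCTuwgG]*"
ROW = re.compile(rf"^(?P<nick>.*\S)\s+(?P<flags>{FLAG},{FLAG},{FLAG})$")

# Constructed sample input: `certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/`
# as quoted in the post (column spacing is an assumption).
_DIRSRV = """\
Certificate Nickname                     Trust Attributes
                                         SSL,S/MIME,JAR/XPI

Server-Cert                              u,u,u
MGMT.CROSSCHX.COM IPA CA                 {ca_flags}
"""
DIRSRV_LISTINGS = {
    "ipa11.mgmt": _DIRSRV.format(ca_flags="CT,C,C"),
    "ipa13.mgmt": _DIRSRV.format(ca_flags="CT,C,C"),
    "ipa12.mgmt": _DIRSRV.format(ca_flags="C,,"),
}

# Constructed sample input: `certutil -L -d /var/lib/pki/pki-tomcat/alias/`,
# which the post shows as identical on all three servers.
_ALIAS = """\
Certificate Nickname                     Trust Attributes
                                         SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                CTu,Cu,Cu
auditSigningCert cert-pki-ca             u,u,Pu
ocspSigningCert cert-pki-ca              u,u,u
subsystemCert cert-pki-ca                u,u,u
Server-Cert cert-pki-ca                  u,u,u
"""
ALIAS_LISTINGS = {host: _ALIAS for host in DIRSRV_LISTINGS}


def parse_listing(text):
    """Return {nickname: trust flags} from `certutil -L` output, skipping headers."""
    certs = {}
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            certs[match.group("nick")] = match.group("flags")
    return certs


def differing_trust(listings):
    """Return {nickname: {host: flags}} for nicknames whose flags differ between hosts."""
    parsed = {host: parse_listing(text) for host, text in listings.items()}
    report = {}
    for nick in sorted(set().union(*parsed.values())):
        per_host = {host: certs.get(nick) for host, certs in parsed.items()}
        if len(set(per_host.values())) > 1:
            report[nick] = per_host
    return report


def missing_flags(reference, actual):
    """Return {field: flags} present in `reference` but absent from `actual`."""
    missing = {}
    for field, ref, act in zip(FIELDS, reference.split(","), actual.split(",")):
        lacking = set(ref) - set(act)
        if lacking:
            missing[field] = "".join(sorted(lacking))
    return missing


def lagging_hosts(listings, reference_host):
    """Return {host: {nickname: missing flags}} relative to the reference host."""
    parsed = {host: parse_listing(text) for host, text in listings.items()}
    result = {}
    for host, certs in parsed.items():
        if host == reference_host:
            continue
        for nick, ref_flags in parsed[reference_host].items():
            # A nickname absent on this host counts as having no trust at all.
            gap = missing_flags(ref_flags, certs.get(nick) or ",,")
            if gap:
                result.setdefault(host, {})[nick] = gap
    return result


if __name__ == "__main__":
    for label, listings in (("dirsrv", DIRSRV_LISTINGS), ("pki-tomcat", ALIAS_LISTINGS)):
        print(label, "differences:", differing_trust(listings))
    # ipa13.mgmt is the current master according to the post.
    print("behind ipa13.mgmt:", lagging_hosts(DIRSRV_LISTINGS, "ipa13.mgmt"))
```

On a live system the dictionaries would be filled from the real `certutil -L -d <dir>` output of each replica instead of the constructed strings.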