Michael Plemmons wrote:
> I just realized that I sent the reply directly to Rob and not to the list. My response is inline

Ok, this is actually good news. I made a similar proposal in another case and I was completely wrong. Flo had the user do something and it totally fixed their auth error, I just can't remember what it was or find the e-mail thread. I'm pretty sure it was this calendar year though.

rob

> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
> 614.427.2411
> mike.plemm...@crosschx.com
> www.crosschx.com
>
> On Thu, May 4, 2017 at 9:39 AM, Michael Plemmons <michael.plemm...@crosschx.com> wrote:
>
> On Thu, May 4, 2017 at 9:24 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
>
> Michael Plemmons wrote:
> > I realized that I was not very clear in my statement about testing with ldapsearch. I had initially run it without logging in with a DN. I was just running the local ldapsearch -x command. I then tested on ipa12.mgmt and ipa11.mgmt logging in with a full DN for the admin and "cn=Directory Manager" from ipa12.mgmt (broken server) and ipa11.mgmt and both ldapsearch commands succeeded.
> >
> > I ran the following from ipa12.mgmt and ipa11.mgmt as a non root user. I also ran the command showing a line count for the output and the line counts for each were the same when run from ipa12.mgmt and ipa11.mgmt.
> >
> > ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "DN" -w PASSWORD -b "cn=users,cn=accounts,dc=mgmt,dc=crosschx,dc=com" dn
> >
> > ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "cn=directory manager" -w PASSWORD dn
>
> The CA has its own suffix and replication agreements. Given the auth error and recent (5 months) renewal of CA credentials I'd check that the CA agent authentication entries are correct.
>
> Against each master with a CA run:
>
> $ ldapsearch -LLL -x -D 'cn=directory manager' -W -b uid=ipara,ou=people,o=ipaca description
>
> The format is 2;serial#,subject,issuer
>
> Then on each run:
>
> # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial
>
> The serial # should match that in the description everywhere.
>
> rob
>
> On the CA (IPA13.MGMT) I ran the ldapsearch command and see that the serial number is 7. I then ran the certutil command on all three servers and the serial number is 7 as well.
>
> I also ran the ldapsearch command against the other two servers and they also showed a serial number of 7.
>
> > On Wed, May 3, 2017 at 5:28 PM, Michael Plemmons <michael.plemm...@crosschx.com> wrote:
> >
> > I have a three node IPA cluster.
> >
> > ipa11.mgmt - was a master over 6 months ago
> > ipa13.mgmt - current master
> > ipa12.mgmt
> >
> > ipa13 has agreements with ipa11 and ipa12. ipa11 and ipa12 do not have agreements between each other.
> >
> > It appears that either ipa12.mgmt lost some level of its replication agreement with ipa13. I saw some level because users / hosts were replicated between all systems but we started seeing DNS was not resolving properly from ipa12. I do not know when this started.
> >
> > When looking at replication agreements on ipa12 I did not see any agreement with ipa13.
> >
> > When I run ipa-replica-manage list all three hosts show as master.
> >
> > When I run ipa-replica-manage ipa11.mgmt I see ipa13.mgmt is a replica.
> >
> > When I run ipa-replica-manage ipa12.mgmt nothing returned.
> >
> > I ran ipa-replica-manage connect --cacert=/etc/ipa/ca.crt ipa12.mgmt.crosschx.com ipa13.mgmt.crosschx.com on ipa12.mgmt
> >
> > I then ran the following
> >
> > ipa-replica-manage force-sync --from ipa13.mgmt.crosschx.com
> >
> > ipa-replica-manage re-initialize --from ipa13.mgmt.crosschx.com
> >
> > I was still seeing bad DNS returns when dig'ing against ipa12.mgmt. I was able to create user and DNS records and see the information replicated properly across all three nodes.
> >
> > I then ran ipactl stop on ipa12.mgmt and then ipactl start on ipa12.mgmt because I wanted to make sure everything was running fresh after the changes above.
> > While IPA was starting up (DNS started) we were able to see valid DNS queries returned but pki-tomcat would not start.
> >
> > I am not sure what I need to do in order to get this working. I have included the output of certutil and getcert below from all three servers as well as the debug output for pki.
> >
> > While the IPA system is coming up I am able to successfully run ldapsearch -x as the root user and see results. I am also able to login with the "cn=Directory Manager" account and see results.
> >
> > The debug log shows the following error.
> >
> > [03/May/2017:21:22:01][localhost-startStop-1]: ============================================
> > [03/May/2017:21:22:01][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED =======
> > [03/May/2017:21:22:01][localhost-startStop-1]: ============================================
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=debug
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized debug
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=log
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=log
> > [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
> > [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
> > [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=log
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized log
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=jss
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=jss
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized jss
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=dbs
> > [03/May/2017:21:22:01][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true
> > [03/May/2017:21:22:01][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem)
> > [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory: init
> > [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
> > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init()
> > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init begins
> > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init ends
> > [03/May/2017:21:22:01][localhost-startStop-1]: init: before makeConnection errorIfDown is true
> > [03/May/2017:21:22:01][localhost-startStop-1]: makeConnection: errorIfDown true
> > [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
> > [03/May/2017:21:22:02][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
> > [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
> > [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
> > [03/May/2017:21:22:02][localhost-startStop-1]: SSL handshake happened
> > Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
> >     at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
> >     at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
> >     at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
> >     at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
> >     at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
> >     at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
> >     at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
> >     at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
> >     at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
> >     at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
> >     at javax.servlet.GenericServlet.init(GenericServlet.java:158)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >     at java.lang.reflect.Method.invoke(Method.java:498)
> >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
> >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
> >     at java.security.AccessController.doPrivileged(Native Method)
> >     at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> >     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
> >     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
> >     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
> >     at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
> >     at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
> >     at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
> >     at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
> >     at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
> >     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
> >     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
> >     at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
> >     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
> >     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
> >     at java.security.AccessController.doPrivileged(Native Method)
> >     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
> >     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
> >     at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
> >     at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
> >     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> >     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> >     at java.lang.Thread.run(Thread.java:745)
> > Internal Database Error encountered: Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
> >     at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
> >     at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
> >     at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
> >     at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
> >     at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
> >     at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
> >     at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
> >     at javax.servlet.GenericServlet.init(GenericServlet.java:158)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >     at java.lang.reflect.Method.invoke(Method.java:498)
> >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
> >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
> >     at java.security.AccessController.doPrivileged(Native Method)
> >     at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> >     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
> >     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
> >     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
> >     at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
> >     at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
> >     at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
> >     at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
> >     at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
> >     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
> >     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
> >     at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
> >     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
> >     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
> >     at java.security.AccessController.doPrivileged(Native Method)
> >     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
> >     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
> >     at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
> >     at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
> >     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> >     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> >     at java.lang.Thread.run(Thread.java:745)
> > [03/May/2017:21:22:02][localhost-startStop-1]: CMSEngine.shutdown()
> >
> > =============================
> >
> > IPA11.MGMT
> >
> > (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
> >
> > Certificate Nickname                 Trust Attributes
> >                                      SSL,S/MIME,JAR/XPI
> >
> > Server-Cert                          u,u,u
> > MGMT.CROSSCHX.COM IPA CA             CT,C,C
> >
> > (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
> >
> > Certificate Nickname                 Trust Attributes
> >                                      SSL,S/MIME,JAR/XPI
> >
> > caSigningCert cert-pki-ca            CTu,Cu,Cu
> > auditSigningCert cert-pki-ca         u,u,Pu
> > ocspSigningCert cert-pki-ca          u,u,u
> > subsystemCert cert-pki-ca            u,u,u
> > Server-Cert cert-pki-ca              u,u,u
> >
> > IPA13.MGMT
> >
> > (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
> >
> > Certificate Nickname                 Trust Attributes
> >                                      SSL,S/MIME,JAR/XPI
> >
> > Server-Cert                          u,u,u
> > MGMT.CROSSCHX.COM IPA CA             CT,C,C
> >
> > (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
> >
> > Certificate Nickname                 Trust Attributes
> >                                      SSL,S/MIME,JAR/XPI
> >
> > caSigningCert cert-pki-ca            CTu,Cu,Cu
> > auditSigningCert cert-pki-ca         u,u,Pu
> > ocspSigningCert cert-pki-ca          u,u,u
> > subsystemCert cert-pki-ca            u,u,u
> > Server-Cert cert-pki-ca              u,u,u
> >
> > IPA12.MGMT
> >
> > (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
> >
> > Certificate Nickname                 Trust Attributes
> >                                      SSL,S/MIME,JAR/XPI
> >
> > Server-Cert                          u,u,u
> > MGMT.CROSSCHX.COM IPA CA             C,,
> >
> > (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
> >
> > Certificate Nickname                 Trust Attributes
> >                                      SSL,S/MIME,JAR/XPI
> >
> > caSigningCert cert-pki-ca            CTu,Cu,Cu
> > auditSigningCert cert-pki-ca         u,u,Pu
> > ocspSigningCert cert-pki-ca          u,u,u
> > subsystemCert cert-pki-ca            u,u,u
> > Server-Cert cert-pki-ca              u,u,u
> >
> > =================================================
> >
> > IPA11.MGMT
> >
> > (root)>getcert list
> > Number of certificates and requests being tracked: 8.
> > Request ID '20161229155314':
> >     status: MONITORING
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'
> >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB'
> >     CA: IPA
> >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
> >     subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
> >     expires: 2018-12-30 15:52:43 UTC
> >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >     eku: id-kp-serverAuth,id-kp-clientAuth
> >     pre-save command:
> >     post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM
> >     track: yes
> >     auto-renew: yes
> > Request ID '20161229155652':
> >     status: MONITORING
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> >     CA: dogtag-ipa-ca-renew-agent
> >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
> >     subject: CN=CA Audit,O=MGMT.CROSSCHX.COM
> >     expires: 2018-11-12 13:00:29 UTC
> >     key usage: digitalSignature,nonRepudiation
> >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
> >     track: yes
> >     auto-renew: yes
> > Request ID '20161229155654':
> >     status: MONITORING
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> >     CA: dogtag-ipa-ca-renew-agent
> >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
> >     subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM
> >     expires: 2018-11-12 13:00:26 UTC
> >     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
> >     eku: id-kp-OCSPSigning
> >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
> >     track: yes
> >     auto-renew: yes
> > Request ID '20161229155655':
> >     status: MONITORING
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
> >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> >     CA: dogtag-ipa-ca-renew-agent
> >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
> >     subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM
> >     expires: 2018-11-12 13:00:28 UTC
> >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >     eku: id-kp-serverAuth,id-kp-clientAuth
> >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> >     track: yes
> >     auto-renew: yes
> > Request ID '20161229155657':
> >     status: MONITORING
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
> >     CA: dogtag-ipa-ca-renew-agent
> >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
> >     subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
> >     expires: 2036-11-22 13:00:25 UTC
> >     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
> >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
> >     track: yes
> >     auto-renew: yes
> > Request ID '20161229155659':
> >     status: MONITORING
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
> >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> >     CA: dogtag-ipa-renew-agent
> >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
> >     subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
> >     expires: 2018-12-19 15:56:20 UTC
> >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >     eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
> >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
> >     track: yes
> >     auto-renew: yes
> > Request ID '20161229155921':
> >     status: MONITORING
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> >     CA: IPA
> >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
> >     subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
> >     expires: 2018-12-30 15:52:46 UTC
> >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >     eku: id-kp-serverAuth,id-kp-clientAuth
> >     pre-save command:
> >     post-save command: /usr/libexec/ipa/certmonger/restart_httpd
> >     track: yes
> >     auto-renew: yes
> > Request ID '20161229160009':
> >     status: MONITORING
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> >     CA: dogtag-ipa-ca-renew-agent
> >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
> >     subject: CN=IPA RA,O=MGMT.CROSSCHX.COM
> >     expires: 2018-11-12 13:01:34 UTC
> >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >     eku: id-kp-serverAuth,id-kp-clientAuth
> >     pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
> >     post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
> >     track: yes
> >     auto-renew: yes
> >
> > ==================================
> >
> > IPA13.MGMT
> >
> > (root)>getcert list
> > Number of certificates and requests being tracked: 8.
> > Request ID '20161229143449':
> >     status: MONITORING
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'
> >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB'
> >     CA: IPA
> >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
> >     subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
> >     expires: 2018-12-30 14:34:20 UTC
> >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >     eku: id-kp-serverAuth,id-kp-clientAuth
> >     pre-save command:
> >     post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM
> >     track: yes
> >     auto-renew: yes
> > Request ID '20161229143826':
> >     status: MONITORING
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> >     CA: dogtag-ipa-ca-renew-agent
> >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
> >     subject: CN=CA Audit,O=MGMT.CROSSCHX.COM
> >     expires: 2018-11-12 13:00:29 UTC
> >     key usage: digitalSignature,nonRepudiation
> >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
> >     track: yes
> >     auto-renew: yes
> > Request ID '20161229143828':
> >     status: MONITORING
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> >     CA: dogtag-ipa-ca-renew-agent
> >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
> >     subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM
> >     expires: 2018-11-12 13:00:26 UTC
> >     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
> >     eku: id-kp-OCSPSigning
> >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
> >     track: yes
> >     auto-renew: yes
> > Request ID '20161229143831':
> >     status: MONITORING
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
> >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> >     CA: dogtag-ipa-ca-renew-agent
> >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
> >     subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM
> >     expires: 2018-11-12 13:00:28 UTC
> >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >     eku: id-kp-serverAuth,id-kp-clientAuth
> >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> >     track: yes
> >     auto-renew: yes
> > Request ID '20161229143833':
> >     status: MONITORING
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
> >     CA: dogtag-ipa-ca-renew-agent
> >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
> >     subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
> >     expires: 2036-11-22 13:00:25 UTC
> >     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
> >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
> >     track: yes
> >     auto-renew: yes
> > Request ID '20161229143835':
> >     status: MONITORING
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
> >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> >     CA: dogtag-ipa-renew-agent
> >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
> >     subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
> >     expires: 2018-12-19 14:37:54 UTC
> >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >     eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
> >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
> >     track: yes
> >     auto-renew: yes
> > Request ID '20161229144057':
> >     status: MONITORING
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> >     CA: IPA
> >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
> >     subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
> >     expires: 2018-12-30 14:34:23 UTC
> >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >     eku: id-kp-serverAuth,id-kp-clientAuth
> >     pre-save command:
> >     post-save command: /usr/libexec/ipa/certmonger/restart_httpd
> >     track: yes
> >     auto-renew: yes
> > Request ID '20161229144146':
> >     status: MONITORING
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> >     CA: dogtag-ipa-ca-renew-agent
> >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
> >     subject: CN=IPA RA,O=MGMT.CROSSCHX.COM
> >     expires: 2018-11-12 13:01:34 UTC
> >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >     eku: id-kp-serverAuth,id-kp-clientAuth
> >     pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
> >     post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
> >     track: yes
> >     auto-renew: yes
> >
> > ===========================
> >
> > IPA12.MGMT
> >
> > (root)>getcert list
> > Number of certificates and requests being tracked: 8.
> > Request ID '20161229151518':
> >     status: MONITORING
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'
> >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB'
> >     CA: IPA
> >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
> >     subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
> >     expires: 2018-12-30 15:14:51 UTC
> >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >     eku: id-kp-serverAuth,id-kp-clientAuth
> >     pre-save command:
> >     post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM
> >     track: yes
> >     auto-renew: yes
> > Request ID '20161229151850':
> >     status: MONITORING
> >     stuck: no
> >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> >     CA: dogtag-ipa-ca-renew-agent
> >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
> >     subject: CN=CA Audit,O=MGMT.CROSSCHX.COM
> >     expires: 2018-11-12 13:00:29 UTC
> >     key usage: digitalSignature,nonRepudiation
> >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
> >     track: yes
> >     auto-renew: yes
> > Request ID '20161229151852':
> >     status: MONITORING
> >     stuck: no
> >     key pair
storage: > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > > cert-pki-ca',token='NSS Certificate DB',pin set certificate: > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > > cert-pki-ca',token='NSS Certificate DB' CA: > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM> > <http://MGMT.CROSSCHX.COM> subject: > > CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM > <http://MGMT.CROSSCHX.COM> <http://MGMT.CROSSCHX.COM> > > expires: 2018-11-12 13:00:26 UTC key usage: > > digitalSignature,nonRepudiation,keyCertSign,cRLSign eku: > > id-kp-OCSPSigning pre-save command: > > /usr/libexec/ipa/certmonger/stop_pkicad post-save command: > > /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert > > cert-pki-ca" track: yes auto-renew: yes Request ID > '20161229151854': > > status: MONITORING stuck: no key pair storage: > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > > cert-pki-ca',token='NSS Certificate DB',pin set certificate: > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > > cert-pki-ca',token='NSS Certificate DB' CA: > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM> > <http://MGMT.CROSSCHX.COM> subject: > > CN=CA Subsystem,O=MGMT.CROSSCHX.COM > <http://MGMT.CROSSCHX.COM> <http://MGMT.CROSSCHX.COM> > > expires: 2018-11-12 13:00:28 UTC key usage: > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: > > /usr/libexec/ipa/certmonger/stop_pkicad post-save command: > > /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert > > cert-pki-ca" track: yes auto-renew: yes Request ID > '20161229151856': > > status: MONITORING stuck: no key pair storage: > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > > cert-pki-ca',token='NSS 
Certificate DB',pin set certificate: > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > > cert-pki-ca',token='NSS Certificate DB' CA: > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM> > <http://MGMT.CROSSCHX.COM> subject: > > CN=Certificate Authority,O=MGMT.CROSSCHX.COM > <http://MGMT.CROSSCHX.COM> > > <http://MGMT.CROSSCHX.COM> expires: 2036-11-22 13:00:25 > UTC key > > usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign > pre-save > > command: /usr/libexec/ipa/certmonger/stop_pkicad post-save > command: > > /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert > > cert-pki-ca" track: yes auto-renew: yes Request ID > '20161229151858': > > status: MONITORING stuck: no key pair storage: > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert > cert-pki-ca',token='NSS > > Certificate DB',pin set certificate: > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert > cert-pki-ca',token='NSS > > Certificate DB' CA: dogtag-ipa-renew-agent issuer: > CN=Certificate > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM> > <http://MGMT.CROSSCHX.COM> subject: > > CN=ipa12.mgmt.crosschx.com <http://ipa12.mgmt.crosschx.com> > > <http://ipa12.mgmt.crosschx.com > <http://ipa12.mgmt.crosschx.com>>,O=MGMT.CROSSCHX.COM > <http://MGMT.CROSSCHX.COM> > > <http://MGMT.CROSSCHX.COM> expires: 2018-12-19 15:18:16 > UTC key > > usage: > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save > > command: /usr/libexec/ipa/certmonger/renew_ca_cert > "Server-Cert > > cert-pki-ca" track: yes auto-renew: yes Request ID > '20161229152115': > > status: MONITORING stuck: no key pair storage: > > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > Certificate 
DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: > > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > Certificate DB' CA: IPA issuer: CN=Certificate > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM> > <http://MGMT.CROSSCHX.COM> subject: > > CN=ipa12.mgmt.crosschx.com <http://ipa12.mgmt.crosschx.com> > > <http://ipa12.mgmt.crosschx.com > <http://ipa12.mgmt.crosschx.com>>,O=MGMT.CROSSCHX.COM > <http://MGMT.CROSSCHX.COM> > > <http://MGMT.CROSSCHX.COM> expires: 2018-12-30 15:14:54 > UTC key > > usage: > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: > post-save > > command: /usr/libexec/ipa/certmonger/restart_httpd track: yes > > auto-renew: yes Request ID '20161229152204': status: > MONITORING > > stuck: no key pair storage: > > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: > > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > > Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: > CN=Certificate > > Authority,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM> > <http://MGMT.CROSSCHX.COM> subject: > > CN=IPA RA,O=MGMT.CROSSCHX.COM <http://MGMT.CROSSCHX.COM> > <http://MGMT.CROSSCHX.COM> expires: > > 2018-11-12 13:01:34 UTC key usage: > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: > > /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save > command: > > /usr/libexec/ipa/certmonger/renew_ra_cert track: yes > auto-renew: yes > > > > > > *Mike Plemmons | Senior DevOps Engineer | CROSSCHX > > * > > 614.427.2411 > > mike.plemm...@crosschx.com > <mailto:mike.plemm...@crosschx.com> > <mailto:mike.plemm...@crosschx.com > <mailto:mike.plemm...@crosschx.com>> > > www.crosschx.com <http://www.crosschx.com> > <http://www.crosschx.com/> > > > > > > 

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project