Re: [Freeipa-users] Stuck at CA_UNREACHABLE and NEED_CSR_GEN_PIN

2016-05-17 Thread Rob Crittenden

Adam Kaczka wrote:
> I found from [root@host pki-ca]# tail -n 100 /var/log/pki-ca/system that
> CA chain is missing; so I am thinking I may have to use
> ipa-server-certinstall to reinstall the two certs.

I really doubt it. I'm not sure what can't be found, maybe one of the
dogtag devs has an idea.

> 5135.main - [27/Jan/2016:14:10:14 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
> 2003.main - [27/Jan/2016:14:35:33 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
> 2003.TP-Processor3 - [27/Jan/2016:14:35:40 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
> 2003.TP-Processor2 - [27/Jan/2016:14:35:40 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
> 2000.main - [28/Jan/2016:07:43:00 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
> 2000.TP-Processor2 - [28/Jan/2016:07:43:07 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
> 2000.TP-Processor3 - [28/Jan/2016:07:43:07 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
> 2085.main - [03/Feb/2016:08:57:05 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
> 2085.TP-Processor2 - [27/Jan/2016:14:05:03 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.


> On Mon, May 16, 2016 at 11:45 AM, Adam Kaczka wrote:
>
> > Certmonger cannot communicate with CA; the result of getlist cert shows:
> >
> > RPC failed at server.  Certificate operation cannot be completed:
> > Unable to communicate with CMS (Not Found)
> >
> > After setting time back, from /var/log/pki-ca/debug I get:
> >
> > [30/Dec/2015:08:10:25][main]: CMS:Caught EBaseException
> > Certificate object not found

Re: [Freeipa-users] Stuck at CA_UNREACHABLE and NEED_CSR_GEN_PIN

2016-05-17 Thread Adam Kaczka
I found from [root@host pki-ca]# tail -n 100 /var/log/pki-ca/system that CA
chain is missing; so I am thinking I may have to use ipa-server-certinstall
to reinstall the two certs.

5135.main - [27/Jan/2016:14:10:14 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
2003.main - [27/Jan/2016:14:35:33 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
2003.TP-Processor3 - [27/Jan/2016:14:35:40 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
2003.TP-Processor2 - [27/Jan/2016:14:35:40 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
2000.main - [28/Jan/2016:07:43:00 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
2000.TP-Processor2 - [28/Jan/2016:07:43:07 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
2000.TP-Processor3 - [28/Jan/2016:07:43:07 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
2085.main - [03/Feb/2016:08:57:05 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
2085.TP-Processor2 - [27/Jan/2016:14:05:03 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.


On Mon, May 16, 2016 at 11:45 AM, Adam Kaczka wrote:

> Certmonger cannot communicate with CA; the result of getlist cert shows:
>
> RPC failed at server.  Certificate operation cannot be completed: Unable
> to communicate with CMS (Not Found)
>
> After setting time back, from /var/log/pki-ca/debug I get:
>
> [30/Dec/2015:08:10:25][main]: CMS:Caught EBaseException
> Certificate object not found

Re: [Freeipa-users] Stuck at CA_UNREACHABLE and NEED_CSR_GEN_PIN

2016-05-16 Thread Adam Kaczka
Certmonger cannot communicate with CA; the result of getlist cert shows:

RPC failed at server.  Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)

After setting time back, from /var/log/pki-ca/debug I get:

[30/Dec/2015:08:10:25][main]: CMS:Caught EBaseException
Certificate object not found
    at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
    at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1205)
    at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
    at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4425)
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:4738)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
    at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
    at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
    at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
    at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
    at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
    at org.apache.catalina.core.StandardService.start(StandardService.java:516)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
[30/Dec/2015:08:10:25][main]: CMSEngine.shutdown()
[30/Dec/2015:08:10:32][http-9180-1]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
[30/Dec/2015:08:10:32][http-9180-1]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
[30/Dec/2015:08:10:33][TP-Processor2]: according to ccMode, authorization for servlet: caDisplayBySerial is LDAP based, not XML {1}, use default authz mgr: {2}.
[30/Dec/2015:08:10:33][TP-Processor3]: according to ccMode, authorization for servlet: caDisplayBySerial is LDAP based, not XML {1}, use default authz mgr: {2}.


On Mon, May 16, 2016 at 6:28 AM, Petr Vobornik wrote:

> On 05/14/2016 12:01 AM, Adam Kaczka wrote:
> > Hi all,
> >
> > I have inherited an IPA system that has an expired cert and the old admins
> > have left; I followed (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
> > but running into errors when I try to renew the CA certs even after time is
> > reset.  Also tried the troubleshooting under
> > (http://www.freeipa.org/page/Troubleshooting#Authentication_Errors);
> > specifically using "certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt"
> > to add the cert in the database.
> >
> > From the output of getcert list, I see both CA_UNREACHABLE and
> > NEED_CSR_GEN_PIN.  I followed Red Hat article here
> > (https://access.redhat.com/solutions/1142913) which verified key file
> > password is correct and I have reset time.  However the NEED_CSR_GEN_PIN
> > status remains.  My company actually has Red Hat support but when they built
> > this IPA whoever built it was using CentOS 6 so I am out of luck here.
> >
> > Would really appreciate any help since I am stuck at this

Re: [Freeipa-users] Stuck at CA_UNREACHABLE and NEED_CSR_GEN_PIN

2016-05-16 Thread Petr Vobornik
On 05/14/2016 12:01 AM, Adam Kaczka wrote:
> Hi all,
>
> I have inherited an IPA system that has an expired cert and the old admins
> have left; I followed (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
> but running into errors when I try to renew the CA certs even after time is
> reset.  Also tried the troubleshooting under
> (http://www.freeipa.org/page/Troubleshooting#Authentication_Errors);
> specifically using "certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt"
> to add the cert in the database.
>
> From the output of getcert list, I see both CA_UNREACHABLE and
> NEED_CSR_GEN_PIN.  I followed Red Hat article here
> (https://access.redhat.com/solutions/1142913) which verified key file
> password is correct and I have reset time.  However the NEED_CSR_GEN_PIN
> status remains.  My company actually has Red Hat support but when they built
> this IPA whoever built it was using CentOS 6 so I am out of luck here.
>
> Would really appreciate any help since I am stuck at this point?  What else I
> can do at this point?  e.g. Is generate a new CA cert necessary, etc.?

Hi,

you don't need to renew CA cert, it seems to be valid. But your server
cert is expired. It expired on 2016-03-29.

1. Move date back before this date, e.g., 2016-03-27.
2. Verify that IPA is running `ipactl status`. Maybe restart will be needed.
3. run `getcert list` to see if certmonger can communicate with CA
4. if certmonger doesn't renew the certs automatically, run
`getcert resubmit -i $certid` for the expired cert.

> 
> Version:
> ipa-pki-ca-theme.noarch       9.0.3-7.el6              @base
> ipa-pki-common-theme.noarch   9.0.3-7.el6              @base
> ipa-pmincho-fonts.noarch      003.02-3.1.el6           @base
> ipa-python.x86_64             3.0.0-47.el6.centos.2    @updates
> ipa-server.x86_64             3.0.0-47.el6.centos.2    @updates
> ipa-server-selinux.x86_64     3.0.0-47.el6.centos.2    @updates
> 
> Part of error logs from /var/log/pki-ca/debug after I reset clock; I see
> these errors which I think is relevant?:
> [27/Dec/2015:14:12:01][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
> Certificate object not found
> [27/Dec/2015:14:12:01][main]: CMS:Caught EBaseException
> Certificate object not found
> [27/Dec/2015:14:12:01][main]: CMSEngine.shutdown()
>
> Result seems to show key file password is correct:
> certutil -K -d /etc/dirsrv/slapd-REALM-NET/ -f /etc/dirsrv/slapd-REALM-NET/pwdfile.txt
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> < 0> rsa     NSS Certificate DB:Server-Cert
> 
> 
> certutil -L -d /var/lib/pki-ca/alias
>
> Certificate Nickname                 Trust Attributes
>                                      SSL,S/MIME,JAR/XPI
>
> ocspSigningCert cert-pki-ca          u,u,u
> subsystemCert cert-pki-ca            u,u,u
> Server-Cert cert-pki-ca              u,u,u
> auditSigningCert cert-pki-ca         u,u,Pu
> caSigningCert cert-pki-ca            CTu,Cu,Cu
>
>
> certutil -L -d /etc/httpd/alias
>
> Certificate Nickname                 Trust Attributes
>                                      SSL,S/MIME,JAR/XPI
>
> Server-Cert                          u,u,u
> ipaCert                              u,u,u
> REALM.COM IPA CA                     CT,C,
>
>
> certutil -L -d /etc/dirsrv/slapd-REALM-COM
>
> Certificate Nickname                 Trust Attributes
>                                      SSL,S/MIME,JAR/XPI
>
> Server-Cert                          u,u,u
> REALM.COM IPA CA                     CT,C,C
> 
> 
> Output of getcert list:
>
> Number of certificates and requests being tracked: 7.
> Request ID '21135214223243':
>     status: CA_UNREACHABLE
>     ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-example-NET//pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer:
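
One way to triage `getcert list` output for the steps in the reply above, as an added example that is not part of the thread or of FreeIPA/certmonger: it parses each tracked request, flags those that are expired or not in MONITORING, and derives a roll-back date before the earliest expired certificate. The sample output, request IDs, the NEED_CSR_GEN_PIN entry, the function names and the two-day margin are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout `getcert list` prints; IDs, paths and dates are made up.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20160101000001':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 2016-03-29 14:09:46 UTC
Request ID '20160101000002':
\tstatus: NEED_CSR_GEN_PIN
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\texpires: 2016-04-02 09:00:00 UTC
Request ID '20160101000003':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2031-12-01 00:00:00 UTC
"""

# Short readings of the two states named in the thread (assumed wording, not certmonger's).
HINTS = {
    "CA_UNREACHABLE": "no usable answer from the CA; check that the CA service started",
    "NEED_CSR_GEN_PIN": "key store PIN needed to build the CSR; check the pinfile",
}

def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the field names getcert prints."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and line[:1] in ("\t", " ") and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def expiry(req):
    """Parse the 'expires' field as UTC, or return None when it is absent or malformed."""
    try:
        return datetime.strptime(req.get("expires", ""), "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
    except ValueError:
        return None

def triage(requests, now):
    """List (id, nickname, status, expired, hint) for every request needing attention."""
    findings = []
    for req in requests:
        exp = expiry(req)
        expired = exp is not None and exp <= now
        status = req.get("status", "UNKNOWN")
        if expired or status != "MONITORING":
            nick = re.search(r"nickname='([^']*)'", req.get("certificate", ""))
            findings.append((req["id"], nick.group(1) if nick else "?", status,
                             expired, HINTS.get(status, "")))
    return findings

def rollback_deadline(requests, now, margin=timedelta(days=2)):
    """Clock value `margin` before the earliest already-expired cert (None if none expired).
    getcert does not print notBefore, so confirm separately that the date is not too early."""
    expired = [e for e in map(expiry, requests) if e is not None and e <= now]
    return min(expired) - margin if expired else None

if __name__ == "__main__":
    now = datetime(2016, 5, 16, tzinfo=timezone.utc)
    for row in triage(parse_getcert_list(SAMPLE), now):
        print(row)
    print("roll clock back to:", rollback_deadline(parse_getcert_list(SAMPLE), now))
```
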

[Freeipa-users] Stuck at CA_UNREACHABLE and NEED_CSR_GEN_PIN

2016-05-13 Thread Adam Kaczka
Hi all,

I have inherited an IPA system that has an expired cert and the old admins
have left; I followed (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
but running into errors when I try to renew the CA certs even after time is
reset.  Also tried the troubleshooting under
(http://www.freeipa.org/page/Troubleshooting#Authentication_Errors);
specifically using "certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt"
to add the cert in the database.

From the output of getcert list, I see both CA_UNREACHABLE and
NEED_CSR_GEN_PIN.  I followed Red Hat article here
(https://access.redhat.com/solutions/1142913) which verified key file
password is correct and I have reset time.  However the NEED_CSR_GEN_PIN
status remains.  My company actually has Red Hat support but when they built
this IPA whoever built it was using CentOS 6 so I am out of luck here.

Would really appreciate any help since I am stuck at this point?  What else
I can do at this point?  e.g. Is generate a new CA cert necessary, etc.?

Version:
ipa-pki-ca-theme.noarch       9.0.3-7.el6              @base
ipa-pki-common-theme.noarch   9.0.3-7.el6              @base
ipa-pmincho-fonts.noarch      003.02-3.1.el6           @base
ipa-python.x86_64             3.0.0-47.el6.centos.2    @updates
ipa-server.x86_64             3.0.0-47.el6.centos.2    @updates
ipa-server-selinux.x86_64     3.0.0-47.el6.centos.2    @updates

Part of error logs from /var/log/pki-ca/debug after I reset clock; I see
these errors which I think is relevant?:
[27/Dec/2015:14:12:01][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
Certificate object not found
[27/Dec/2015:14:12:01][main]: CMS:Caught EBaseException
Certificate object not found
[27/Dec/2015:14:12:01][main]: CMSEngine.shutdown()

Result seems to show key file password is correct:
certutil -K -d /etc/dirsrv/slapd-REALM-NET/ -f /etc/dirsrv/slapd-REALM-NET/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa     NSS Certificate DB:Server-Cert


certutil -L -d /var/lib/pki-ca/alias

Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca          u,u,u
subsystemCert cert-pki-ca            u,u,u
Server-Cert cert-pki-ca              u,u,u
auditSigningCert cert-pki-ca         u,u,Pu
caSigningCert cert-pki-ca            CTu,Cu,Cu


certutil -L -d /etc/httpd/alias

Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

Server-Cert                          u,u,u
ipaCert                              u,u,u
REALM.COM IPA CA                     CT,C,


certutil -L -d /etc/dirsrv/slapd-REALM-COM

Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

Server-Cert                          u,u,u
REALM.COM IPA CA                     CT,C,C


Output of getcert list:

Number of certificates and requests being tracked: 7.
Request ID '21135214223243':
    status: CA_UNREACHABLE
    ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-example-NET//pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=example.NET
    subject: CN=host.example.net,O=example.NET
    expires: 2016-03-29 14:09:46 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '21135214223300':
    status: CA_UNREACHABLE
    ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=example.NET
    subject: CN=host.example.net,O=example.NET
    expires: 2016-03-29