Re: [Freeipa-users] regenerate certificate

2016-07-21 Thread mohammad sereshki
and this is for catalina.out

SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1@39139da8]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
Jul 21, 2016 11:10:10 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1@39139da8]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9180
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9443
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9445
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9444
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9446
Exception in thread "Timer-0" java.lang.NullPointerException
    at com.netscape.certsrv.apps.CMS.getConfigStore(CMS.java:771)
    at com.netscape.cms.servlet.csadmin.LDAPSecurityDomainSessionTable.getSessionIds(LDAPSecurityDomainSessionTable.java:156)
    at com.netscape.cms.servlet.csadmin.SessionTimer.run(SessionTimer.java:33)
    at java.util.TimerThread.mainLoop(Timer.java:555)
    at java.util.TimerThread.run(Timer.java:505)
Jul 21, 2016 11:10:43 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
Jul 21, 2016 11:10:43 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9180
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.

Re: [Freeipa-users] regenerate certificate

2016-07-21 Thread mohammad sereshki
and below is for selftests.log

3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] CAPresence:  CA is present
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SystemCertsVerification: system certs verification failure
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: Initializing self test plugins:
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:  loading all self test plugin logger parameters
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:  loading all self test plugin instances
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:  loading all self test plugin instance parameters
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:  loading self test plugins in on-demand order
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:  loading self test plugins in startup order
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] CAPresence:  CA is present
1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SystemCertsVerification: system certs verification failure
1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!

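Added example (my own code, not from this thread or from the FreeIPA/Dogtag projects): a small parser for selftests.log in the layout posted above. Each CA start attempt logs under a new process id, so the parser groups lines by pid and reports whether the most recent attempt tripped a CRITICAL self test, which is the fastest way to confirm from the logs that the CA exited at startup while tomcat stayed up. The sample lines are constructed after the ones in the message; the "ran SUCCESSFULLY" line for a clean start is my assumption of the wording.

```python
import re
from collections import OrderedDict

# Constructed sample in the layout of the selftests.log lines posted in this thread:
# two start attempts (pids 3971 and 1523), both failing SystemCertsVerification.
SAMPLE_SELFTESTS_LOG = """\
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] CAPresence:  CA is present
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SystemCertsVerification: system certs verification failure
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: Initializing self test plugins:
1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] CAPresence:  CA is present
1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SystemCertsVerification: system certs verification failure
1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
"""

# Constructed line for a clean start (assumed wording, not taken from the thread).
SAMPLE_CLEAN_LOG = """\
4242.main - [22/Jul/2016:08:00:01 IRDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!
"""

# "<pid>.<thread> - [<timestamp>] [<level>] [<n>] <plugin>: <message>"
LINE_RE = re.compile(
    r"^(?P<pid>\d+)\.\S+ - \[(?P<ts>[^\]]+)\] \[\d+\] \[\d+\] "
    r"(?P<plugin>\S+?):\s+(?P<msg>.*)$"
)
FAILED_RE = re.compile(
    r"CRITICAL self test plugin called (?P<name>\S+) running at startup FAILED!"
)


def parse_selftests(text):
    """Yield one dict (pid, ts, plugin, msg) per parseable log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def startup_attempts(text):
    """Group records by pid, in order of first appearance: one pid == one CA start attempt."""
    attempts = OrderedDict()
    for rec in parse_selftests(text):
        attempts.setdefault(rec["pid"], []).append(rec)
    return attempts


def diagnose(text):
    """Summarize the most recent start attempt found in the log."""
    attempts = startup_attempts(text)
    if not attempts:
        return {"status": "no-data", "pid": None, "failed": [], "attempts": 0}
    pid, records = list(attempts.items())[-1]
    failed = [m.group("name")
              for m in (FAILED_RE.search(r["msg"]) for r in records) if m]
    return {
        "status": "selftest-failed" if failed else "no-critical-failure",
        "pid": pid,
        "failed": failed,
        "last_ts": records[-1]["ts"],
        "attempts": len(attempts),
    }


if __name__ == "__main__":
    # Real use: diagnose(open("/var/log/pki-ca/selftests.log").read())
    result = diagnose(SAMPLE_SELFTESTS_LOG)
    print("attempt pid %s at %s: %s %s" % (
        result["pid"], result["last_ts"], result["status"], result["failed"]))
```

A failing SystemCertsVerification means the CA could not verify its own system certificates in its NSS database and refused to start, which is exactly the "tomcat up, CA gone" state described in this thread: fixing those certificates, not tomcat, is what makes the 404s go away.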
Re: [Freeipa-users] regenerate certificate

2016-07-21 Thread mohammad sereshki
hi
I find below in debug file under /var/log/pki-ca
what is your comment?

[21/Jul/2016:23:13:42][TP-Processor3]: according to ccMode, authorization for servlet: caDisplayBySerial is LDAP based, not XML {1}, use default authz mgr: {2}.
[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
[21/Jul/2016:23:20:45][CertStatusUpdateThread]: About to start updateCertStatus
[21/Jul/2016:23:20:45][CertStatusUpdateThread]: Starting updateCertStatus (entered lock)




Re: [Freeipa-users] regenerate certificate

2016-07-21 Thread Rob Crittenden

mohammad sereshki wrote:

hi
would you please explain more
?


Your CA (dogtag) is not running. The CA is written in java and deployed 
as a WAR in tomcat. If something goes wrong during initialization the CA 
will exit but tomcat will not.


Requests to the CA are returning 404 Not Found because the application 
is not running in dogtag.


You need to look at the logs in /var/log/pki-ca to see what is going on.

I'd start with selftests.log then move onto catalina.out and debug.

rob






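Added example (my own code, not from this thread or from FreeIPA/Dogtag): a probe that separates the cases Rob describes above. A refused connection means tomcat itself is not listening; an HTTP 404 means tomcat answers but the CA webapp is not deployed or has exited; a 2xx means the CA is serving. The ports are the ones tomcat logged in the catalina.out excerpt in this thread; the status path /ca/admin/ca/getStatus and the loopback stand-in server used to exercise the probe offline are my assumptions.

```python
import http.client
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Ports as logged by tomcat in the catalina.out excerpt in this thread; the
# status servlet path is an assumption made for this example.
CA_HTTP_PORT = 9180
CA_HTTPS_PORT = 9443
CA_STATUS_PATH = "/ca/admin/ca/getStatus"


def classify_status(status):
    """Map an HTTP status from the CA port to what it says about the deployment."""
    if status == 404:
        return "webapp-missing"   # tomcat is up, the CA webapp is not (this thread's case)
    if 200 <= status < 300:
        return "ca-responding"
    return "ca-error"


def probe_ca(host, port, path=CA_STATUS_PATH, use_tls=False, cafile=None, timeout=5.0):
    """Return 'listener-down', 'tls-error', 'webapp-missing', 'ca-responding' or 'ca-error'.

    Certificate verification stays on; pass the IPA CA certificate as cafile
    when probing the TLS port.
    """
    try:
        if use_tls:
            ctx = ssl.create_default_context(cafile=cafile)
            conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        status = conn.getresponse().status
        conn.close()
    except ssl.SSLError:
        return "tls-error"        # something listens, but the TLS handshake failed
    except OSError:
        return "listener-down"    # refused or timed out: tomcat itself is not running
    return classify_status(status)


def serve_fixed_status(status):
    """Throwaway loopback HTTP server answering every GET with `status`
    (stands in for tomcat so the probe can be exercised offline)."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(status)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):
            pass  # keep the demo quiet

    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def free_local_port():
    """Pick a loopback port nothing listens on, to simulate tomcat being down."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Against a real server: probe_ca("ipa.example.test", CA_HTTP_PORT)
    srv, port = serve_fixed_status(404)
    print("tomcat up, CA webapp gone:", probe_ca("127.0.0.1", port))
    srv.shutdown()
    srv.server_close()
    print("nothing listening:", probe_ca("127.0.0.1", free_local_port()))
```

The distinction matters operationally: "listener-down" is a tomcat or service problem, while "webapp-missing" sends you to /var/log/pki-ca (selftests.log first), as the thread says.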
Re: [Freeipa-users] regenerate certificate

2016-07-21 Thread mohammad sereshki
hi
would you please explain more?



Re: [Freeipa-users] regenerate certificate

2016-07-21 Thread Rob Crittenden

mohammad sereshki wrote:

hi
it is result of command, seems issue is another thing


  ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)


Which means that the CA still isn't up. You're going to need to look at 
the dogtag logs in /var/log/pki*. debug is probably the place to start.


rob







Re: [Freeipa-users] regenerate certificate

2016-07-21 Thread mohammad sereshki
hi
it is the result of the command, seems the issue is another thing

 ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)




Re: [Freeipa-users] regenerate certificate

2016-07-21 Thread Rob Crittenden

mohammad sereshki wrote:

dear
thanks, but would you please check below and let me know what is your
idea? I checked your command but it did not work.


The Not Found suggests that the CA is not up. I'd try restarting the 
pki-cad process to see if that helps.


A simple test that communication is working is: ipa cert-show 1

The output isn't important as long as it isn't an error.

rob





Number of certificates and requests being tracked: 8.
Request ID '20140817123525':
 status: MONITORING
 ca-error: Unable to determine principal name for signing request.
 stuck: no
 key paCOM storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
 certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=EXAMPLE.COM
 subject: CN=IPA RA,O=EXAMPLE.COM
 expCOMes: 2018-06-30 07:56:06 UTC
 eku: id-kp-serverAuth,id-kp-clientAuth
 pre-save command:
 post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
 track: yes
 auto-renew: yes
Request ID '20140817123534':
 status: CA_UNREACHABLE
 ca-error: Server failed request, will retry: 4301 (RPC failed
at server.  Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)).
 stuck: yes
 key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE.-COM/pwdfile.txt'
 certificate:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS
Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=EXAMPLE.COM
 subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
 expires: 2016-08-17 12:35:34 UTC
 eku: id-kp-serverAuth,id-kp-clientAuth
 pre-save command:
 post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
EXAMPLE.-COM
 track: yes
 auto-renew: yes
Request ID '20140817123602':
 status: CA_UNREACHABLE
 ca-error: Server failed request, will retry: 4301 (RPC failed
at server.  Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)).
 stuck: yes
 key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
 certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=EXAMPLE.COM
 subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
 expires: 2016-08-17 12:36:02 UTC
 eku: id-kp-serverAuth,id-kp-clientAuth
 pre-save command:
 post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
PKI-IPA
 track: yes
 auto-renew: yes
Request ID '20140817123752':
 status: CA_UNREACHABLE
 ca-error: Server failed request, will retry: 4301 (RPC failed
at server.  Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)).
 stuck: yes
 key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
 certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=EXAMPLE.COM
 subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
 expires: 2016-08-17 12:37:51 UTC
 eku: id-kp-serverAuth,id-kp-clientAuth
 pre-save command:
 post-save command: /usr/lib64/ipa/certmonger/restart_httpd
 track: yes
 auto-renew: yes
You have new mail in /var/spool/mail/root



*From:* Florence Blanc-Renaud 
*To:* mohammad sereshki ; Freeipa-users

*Sent:* Thursday, July 21, 2016 11:30 AM
*Subject:* Re: [Freeipa-users] regenerate certificate

On 07/20/2016 10:04 PM, mohammad sereshki wrote:
 > hi
 > I check my IPA server which is version ipa-server-3.0.0-25 , command
 > "ipa-get-cert list" show, my certificate will be expired in next 20 days,
 > I do not know how to regenerate them
 > but command "getcert list" shows epirtion certificates are related just
 > to "CA:IPA" and certificate " CA: dogtag-ipa-renew-age

Re: [Freeipa-users] regenerate certificate

2016-07-21 Thread mohammad sereshki
Dear,
thanks, but would you please check below and let me know what your idea is?
I checked your command but it did not work.


Number of certificates and requests being tracked: 8.
Request ID '20140817123525':
    status: MONITORING
    ca-error: Unable to determine principal name for signing request.
    stuck: no
    key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=IPA RA,O=EXAMPLE.COM
    expires: 2018-06-30 07:56:06 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20140817123534':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at 
server.  Certificate operation cannot be completed: Unable to communicate with 
CMS (Not Found)).
    stuck: yes
    key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE.-COM/pwdfile.txt'
    certificate:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS
Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
    expires: 2016-08-17 12:35:34 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
EXAMPLE.-COM
    track: yes
    auto-renew: yes
Request ID '20140817123602':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at 
server.  Certificate operation cannot be completed: Unable to communicate with 
CMS (Not Found)).
    stuck: yes
    key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
    certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
    expires: 2016-08-17 12:36:02 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
    track: yes
    auto-renew: yes
Request ID '20140817123752':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at 
server.  Certificate operation cannot be completed: Unable to communicate with 
CMS (Not Found)).
    stuck: yes
    key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
    expires: 2016-08-17 12:37:51 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
You have new mail in /var/spool/mail/root


From: Florence Blanc-Renaud
To: mohammad sereshki ; Freeipa-users
Sent: Thursday, July 21, 2016 11:30 AM
Subject: Re: [Freeipa-users] regenerate certificate

On 07/20/2016 10:04 PM, mohammad sereshki wrote:
> Hi,
> I checked my IPA server, which is version ipa-server-3.0.0-25; the command
> "ipa-get-cert list" shows my certificate will expire in the next 20 days,
> and I do not know how to regenerate them.
> But the command "getcert list" shows the expiring certificates are related
> just to "CA:IPA", and the certificate "CA: dogtag-ipa-renew-agent" has
> enough time.
> Would you please help me to know how to regenerate CA:IPA certificates?
>
> Best Regards
>
>
>

Hi Mohammad,

the certificates issued by IPA CA are normally tracked by certmonger and 
automatically renewed when they are near their expiration date. To make 
sure that your certificates are tracked, you can issue
$ ipa-getcert list

Re: [Freeipa-users] regenerate certificate

2016-07-21 Thread Florence Blanc-Renaud

On 07/20/2016 10:04 PM, mohammad sereshki wrote:

Hi,
I checked my IPA server, which is version ipa-server-3.0.0-25; the command
"ipa-get-cert list" shows my certificate will expire in the next 20 days,
and I do not know how to regenerate them.
But the command "getcert list" shows the expiring certificates are related
just to "CA:IPA", and the certificate "CA: dogtag-ipa-renew-agent" has
enough time.
Would you please help me to know how to regenerate CA:IPA certificates?

Best Regards





Hi Mohammad,

the certificates issued by IPA CA are normally tracked by certmonger and 
automatically renewed when they are near their expiration date. To make 
sure that your certificates are tracked, you can issue

$ ipa-getcert list
and check the "status:" field for each certificate. It should display 
"MONITORING".


If you want to manually renew them, you must note their request ID and 
use the command

$ ipa-getcert resubmit -i $REQUEST_ID

Hope this helps,
Flo.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
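As an added example that is not part of the thread (nor FreeIPA's own tooling), this POSIX shell script applies Flo's check to a constructed `getcert list` sample: it flags every request whose status is not MONITORING or that certmonger marks stuck, and prints the matching `ipa-getcert resubmit -i` command instead of running it, since, as Rob notes earlier, a resubmit only succeeds once the CA answers again.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: walk the
# `getcert list` output the way Flo's reply describes and report the
# requests that need `ipa-getcert resubmit -i $REQUEST_ID`.

# Constructed sample mirroring the two request states quoted in the thread.
sample_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20140817123525':
        status: MONITORING
        ca-error: Unable to determine principal name for signing request.
        stuck: no
        CA: IPA
        expires: 2018-06-30 07:56:06 UTC
Request ID '20140817123534':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: yes
        CA: IPA
        expires: 2016-08-17 12:35:34 UTC
EOF
}

# Read `getcert list` on stdin; emit "ID STATUS STUCK" for every request
# that is not in the healthy state (status MONITORING and stuck no).
stuck_requests() {
    awk '
        function flush() {
            if (id != "" && (status != "MONITORING" || stuck == "yes"))
                print id, status, stuck
        }
        /^Request ID/ { flush(); id = $3; gsub(/[\047:]/, "", id); status = ""; stuck = "" }
        /^[ \t]*status:/ { status = $2 }
        /^[ \t]*stuck:/  { stuck = $2 }
        END { flush() }
    '
}

# Print the resubmit command for each flagged request; run it only after
# `ipa cert-show 1` succeeds, i.e. once the CA is reachable again.
resubmit_commands() {
    stuck_requests | while read -r id status stuck; do
        printf 'ipa-getcert resubmit -i %s   # was %s, stuck=%s\n' "$id" "$status" "$stuck"
    done
}
```

On a live server replace `sample_list` with `getcert list` (run as root) to feed the real tracking state into the same functions.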


[Freeipa-users] regenerate certificate

2016-07-20 Thread mohammad sereshki
Hi,
I checked my IPA server, which is version ipa-server-3.0.0-25; the command
"ipa-get-cert list" shows my certificate will expire in the next 20 days,
and I do not know how to regenerate them.
But the command "getcert list" shows the expiring certificates are related
just to "CA:IPA", and the certificate "CA: dogtag-ipa-renew-agent" has
enough time.
Would you please help me to know how to regenerate CA:IPA certificates?
Best Regards
