Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-26 Thread Rob Crittenden
Linov Suresh wrote: Removed the duplicate certificates and tried to renew the certificates, we were able to renew the certificates and "*ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=63=true=true"*.; gone this time.

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-26 Thread Linov Suresh
Removed the duplicate certificates and tried to renew the certificates, we were able to renew the certificates and "*ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=63=true=true

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-22 Thread Linov Suresh
Thank you very much Rob. Let me remove the duplicate certificates and try to renew the certificates again to see if "*ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=63=true=true

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-22 Thread Rob Crittenden
Linov Suresh wrote: Could you please verify, if we have set correct trust attributes on the certificates *root@caer ~]# certutil -d /var/lib/pki-ca/alias/ -L* Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI subsystemCert cert-pki-ca

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-22 Thread Linov Suresh
I agree with you Jakub, I will start separate thread for separate issues. On Fri, Jul 22, 2016 at 10:31 AM, Jakub Hrozek wrote: > On Fri, Jul 22, 2016 at 09:36:27AM -0400, Linov Suresh wrote: > > I'm facing another issue now, my kerberos tickets are not renewing, > >

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-22 Thread Jakub Hrozek
On Fri, Jul 22, 2016 at 09:36:27AM -0400, Linov Suresh wrote: > I'm facing another issue now, my kerberos tickets are not renewing, In general I think it's better to start separate threads about separate issues. That way people who only scan the subject lines can see if this thread is something

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-22 Thread Linov Suresh
Could you please verify, if we have set correct trust attributes on the certificates *root@caer ~]# certutil -d /var/lib/pki-ca/alias/ -L* Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI subsystemCert cert-pki-ca

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-22 Thread Linov Suresh
I'm facing another issue now, my kerberos tickets are not renewing, *[root@caer ~]# ipa cert-show 1* ipa: ERROR: Ticket expired *[root@caer ~]# klist* Ticket cache: FILE:/tmp/krb5cc_0 Default principal: ad...@teloip.net Valid starting ExpiresService principal 07/20/16 14:42:26

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-21 Thread Rob Crittenden
Linov Suresh wrote: The httpd_error log doesn't contain the part where `ipa cert-show 1` was run. If it is from the same time. *I am not sure about that, please see httpd_error when `ipa cert-show 1` was run* The IPA API log isn't going to show much in this case. Requests to the CA are

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-21 Thread Linov Suresh
The httpd_error log doesn't contain the part where `ipa cert-show 1` was run. If it is from the same time. *I am not sure about that, please see httpd_error when `ipa cert-show 1` was run* [root@caer ~]# *tail -f /var/log/httpd/error_log* [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-21 Thread Petr Vobornik
On 07/21/2016 05:14 PM, Linov Suresh wrote: > I set debug=true in /etc/ipa/default.conf > > Here are my logs, The httpd_error log doesn't contain the part where `ipa cert-show 1` was run. If it is from the same time. Does `ipa cert-show` communicate with the same replica? Could be verified by

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-21 Thread Petr Vobornik
On 07/20/2016 09:41 PM, Linov Suresh wrote: > I have restarted the pki-cad and checked if communication with the CA is > working, but no luck, > > Debug logs in /var/log/pki-ca do not have anything unusual. Can you think of > anything other than this? /var/log/httpd/error_log when

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-20 Thread Linov Suresh
I have restarted the pki-cad and checked if communication with the CA is working, but no luck, Debug logs in /var/log/pki-ca do not have anything unusual. Can you think of anything other than this? [root@caer ~]# ipa cert-show 1 Certificate:

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-20 Thread Rob Crittenden
Linov Suresh wrote: Thanks for your help Rob, I will create a separate thread for IPA replication issue. But we are still getting *ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=60=true=true".* Could you please

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-20 Thread Linov Suresh
Thanks for your help Rob, I will create a separate thread for IPA replication issue. But we are still getting *ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=60=true=true

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-20 Thread Rob Crittenden
Glad you got the certificates successfully renewed. Can you open a new e-mail thread on this new problem so we can keep the issues separated? IPA gets little information back when dogtag fails to install. You need to look in /var/log//debug for more information. The exact location depends

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-19 Thread Linov Suresh
Great! That worked, and I successfully renewed the certificates on the IPA server and I was trying to create an IPA replica server and got an error, [root@neit-lab ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders --skip-conncheck /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-19 Thread Rob Crittenden
Linov Suresh wrote: I have followed Redhat official documentation, https://access.redhat.com/solutions/643753 for certificate renewal, which says *add: usercertificate. (step 12)* While on the other hand FreeIPA official documentation http://www.freeipa.org/page/IPA_2x_Certificate_Renewal ,

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-19 Thread Linov Suresh
I have followed Redhat official documentation, https://access.redhat.com/solutions/643753 for certificate renewal, which says *add: usercertificate. (step 12)* While on the other hand FreeIPA official documentation http://www.freeipa.org/page/IPA_2x_Certificate_Renewal , say to *add:

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-19 Thread Linov Suresh
We have cloned and created another virtual server from the template. Surprisingly this server's certificates were also expired at the same time as the previous, just lasted for a day. This issue has something to do with the kerberos tickets? I am new to IPA and your help is highly appreciated. On

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-18 Thread Linov Suresh
*Update: my webserver and LDAP certificates were expired at 2016-07-18 15:54:36 UTC and the certificates are in CA_UNREACHABLE state.* *Could you please help us? * [root@caer tmp]# getcert list Number of certificates and requests being tracked: 8. Request ID '20111214223243': status:

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-18 Thread Linov Suresh
Yes, PKI is running and I don't see any errors in selftests, I have followed https://access.redhat.com/solutions/643753 and restarted the PKI in step 10. The only change which I made was clean up userCertificate;binary before adding new userCertificate in LDAP, which is step 12. [root@caer ~]#

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-18 Thread Petr Vobornik
On 07/18/2016 05:45 AM, Linov Suresh wrote: > Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and > certmonger. Looks like certificates were renewed. But I'm getting a different > error now, > > *ca-error: Internal error: no response to >

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-17 Thread Linov Suresh
Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and certmonger. Looks like certificates were renewed. But I'm getting a different error now, *ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=62=true=true

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-15 Thread Rob Crittenden
Linov Suresh wrote: I logged into my IPA master, and found that the cert had expired again, we renewed these certificates about 18 months ago. Our environment is CentOS 6.4 and IPA 3.0.0-26. I followed the Redhat documentation, How do I manually renew Identity Management (IPA) certificates