Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-26 Thread Rob Crittenden

Linov Suresh wrote:

Removed the duplicate certificates and tried to renew the
certificates, we were able to renew the certificates and "*ca-error:
Internal error: no response to
"http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=63=true=true"*.;
gone this time.

Thanks for your help. We have a master replica also, *how do we renew
the replica server*?


Pretty much the same way: go back in time.

If you have a CA on this other master then it can fetch the subsystem 
certs directly from LDAP so that should pretty much work no matter what 
the current date is.


For the certs for 389-ds and Apache you'll probably need to go back in 
time to when they are still valid.


rob



On Fri, Jul 22, 2016 at 3:36 PM, Linov Suresh wrote:

Thank you very much Rob.
Let me remove the duplicate certificates and try to renew the
certificates again to see if "*ca-error: Internal error: no response
to

"http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=63=true=true"*.;
goes away?


On Fri, Jul 22, 2016 at 2:45 PM, Rob Crittenden wrote:

Linov Suresh wrote:

Could you please verify, if we have set correct trust
attributes on the
certificates

*[root@caer ~]# certutil -d /var/lib/pki-ca/alias/ -L*

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

subsystemCert cert-pki-ca                                    u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
subsystemCert cert-pki-ca                                    u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu

*[root@caer ~]# certutil -d /etc/httpd/alias/ -L*

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
TELOIP.NET IPA CA                                            CT,C,C
ipaCert                                                      u,u,u
Signing-Cert                                                 u,u,u
Server-Cert                                                  u,u,u

*[root@caer ~]# certutil -d /etc/dirsrv/slapd-TELOIP-NET/ -L*

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
TELOIP.NET IPA CA                                            CT,,C
Server-Cert                                                  u,u,u
[root@caer ~]#

*Please note, there are duplicate certificates in CA, HTTP
and LDAP
directory, subsystemCert cert-pki-ca, ipaCert  and
Server-Cert. I was
wondering if we need to remove these duplicate certificates? *


Yeah you should remove the duplicate certs, they seem to cause
problems with dogtag at least (certmonger _should_ handle this
automatically, we'll be looking into it soonish).

To remove the duplicate cert:

1. Shutdown the service
2. Back up the NSS database
3. certutil -L -d /path/to/db -n  -a > somefile
4. split somefile into separate files so each file has a
BEGIN/END certificate
5. openssl x509 -text -in -infile somefile1..n
6. Pick the one with the most recent issuance date
7. You backed up the NSS database, right?
8. certutil -D -d /path/to/db -n 
9. certutil -A -d /path/to/db -n  -t u,u,u -a -i
somefilex
10. Start the service, watch logs for errors

For the trust use whatever the original trust value was.

You don't need the P trust flag on the subsystemCert in the CA,
only the auditSigningCert.

I doubt the duplicated Server-Cert will be a problem. NSS is
supposed to deal with this automatically, picking the "most
correct" cert to use based on the validity period.

rob



On Fri, Jul 22, 2016 at 9:36 AM, Linov Suresh wrote:

 I'm facing another issue now, my kerberos tickets are
not renewing,

 *[root@caer ~]# ipa cert-show 1*
 ipa: ERROR: Ticket expired

 *[root@caer ~]# klist*
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: ad...@teloip.net
 

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-26 Thread Linov Suresh
Removed the duplicate certificates and tried to renew the certificates,
we were able to renew the certificates and "*ca-error: Internal error: no
response to
"http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=63=true=true
"*."
gone this time.

Thanks for your help. We have a master replica also, *how do we renew the
replica server*?

On Fri, Jul 22, 2016 at 3:36 PM, Linov Suresh 
wrote:

> Thank you very much Rob.
> Let me remove the duplicate certificates and try to renew the certificates
> again to see if "*ca-error: Internal error: no response to
> "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=63=true=true
> "*."
> goes away?
>
>
> On Fri, Jul 22, 2016 at 2:45 PM, Rob Crittenden 
> wrote:
>
>> Linov Suresh wrote:
>>
>>> Could you please verify, if we have set correct trust attributes on the
>>> certificates
>>>
>>> *[root@caer ~]# certutil -d /var/lib/pki-ca/alias/ -L*
>>>
>>> Certificate Nickname Trust
>>> Attributes
>>>
>>>   SSL,S/MIME,JAR/XPI
>>>
>>> subsystemCert cert-pki-ca   u,u,Pu
>>> ocspSigningCert cert-pki-ca u,u,u
>>> caSigningCert cert-pki-ca CTu,Cu,Cu
>>> subsystemCert cert-pki-ca   u,u,Pu
>>> Server-Cert cert-pki-ca u,u,u
>>> auditSigningCert cert-pki-ca  u,u,Pu
>>> *[root@caer ~]# certutil -d /etc/httpd/alias/ -L*
>>>
>>> Certificate Nickname Trust
>>> Attributes
>>>
>>>   SSL,S/MIME,JAR/XPI
>>>
>>> ipaCert                      u,u,u
>>> Server-Cert                  u,u,u
>>> TELOIP.NET IPA CA            CT,C,C
>>> ipaCert                      u,u,u
>>> Signing-Cert                 u,u,u
>>> Server-Cert                  u,u,u
>>>
>>> *[root@caer ~]# certutil -d /etc/dirsrv/slapd-TELOIP-NET/ -L*
>>>
>>> Certificate Nickname Trust
>>> Attributes
>>>
>>>   SSL,S/MIME,JAR/XPI
>>>
>>> Server-Cert                  u,u,u
>>> TELOIP.NET IPA CA            CT,,C
>>> Server-Cert                  u,u,u
>>> [root@caer ~]#
>>>
>>> *Please note, there are duplicate certificates in CA, HTTP and LDAP
>>> directory, subsystemCert cert-pki-ca, ipaCert  and Server-Cert. I was
>>> wondering if we need to remove these duplicate certificates? *
>>>
>>
>> Yeah you should remove the duplicate certs, they seem to cause problems
>> with dogtag at least (certmonger _should_ handle this automatically, we'll
>> be looking into it soonish).
>>
>> To remove the duplicate cert:
>>
>> 1. Shutdown the service
>> 2. Back up the NSS database
>> 3. certutil -L -d /path/to/db -n  -a > somefile
>> 4. split somefile into separate files so each file has a BEGIN/END
>> certificate
>> 5. openssl x509 -text -in -infile somefile1..n
>> 6. Pick the one with the most recent issuance date
>> 7. You backed up the NSS database, right?
>> 8. certutil -D -d /path/to/db -n 
>> 9. certutil -A -d /path/to/db -n  -t u,u,u -a -i  somefilex
>> 10. Start the service, watch logs for errors
>>
>> For the trust use whatever the original trust value was.
>>
>> You don't need the P trust flag on the subsystemCert in the CA, only the
>> auditSigningCert.
>>
>> I doubt the duplicated Server-Cert will be a problem. NSS is supposed to
>> deal with this automatically, picking the "most correct" cert to use based
>> on the validity period.
>>
>> rob
>>
>>
>>>
>>> On Fri, Jul 22, 2016 at 9:36 AM, Linov Suresh wrote:
>>>
>>> I'm facing another issue now, my kerberos tickets are not renewing,
>>>
>>> *[root@caer ~]# ipa cert-show 1*
>>> ipa: ERROR: Ticket expired
>>>
>>> *[root@caer ~]# klist*
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: ad...@teloip.net 
>>>
>>> Valid starting     Expires            Service principal
>>> 07/20/16 14:42:26  07/21/16 14:42:22  krbtgt/teloip@teloip.net
>>> 07/20/16 14:42:36  07/21/16 14:42:22  HTTP/caer.teloip@teloip.net
>>> 07/21/16 11:40:15  07/21/16 14:42:22  ldap/caer.teloip@teloip.net
>>>
>>> I need to manually renew the tickets every day,
>>>
>>> *[root@caer ~]# kinit 

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-22 Thread Linov Suresh
Thank you very much Rob.
Let me remove the duplicate certificates and try to renew the certificates
again to see if "*ca-error: Internal error: no response to
"http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=63=true=true
"*."
goes away?


On Fri, Jul 22, 2016 at 2:45 PM, Rob Crittenden  wrote:

> Linov Suresh wrote:
>
>> Could you please verify, if we have set correct trust attributes on the
>> certificates
>>
>> *[root@caer ~]# certutil -d /var/lib/pki-ca/alias/ -L*
>>
>> Certificate Nickname Trust
>> Attributes
>>
>>   SSL,S/MIME,JAR/XPI
>>
>> subsystemCert cert-pki-ca   u,u,Pu
>> ocspSigningCert cert-pki-ca u,u,u
>> caSigningCert cert-pki-ca CTu,Cu,Cu
>> subsystemCert cert-pki-ca   u,u,Pu
>> Server-Cert cert-pki-ca u,u,u
>> auditSigningCert cert-pki-ca  u,u,Pu
>> *[root@caer ~]# certutil -d /etc/httpd/alias/ -L*
>>
>> Certificate Nickname Trust
>> Attributes
>>
>>   SSL,S/MIME,JAR/XPI
>>
>> ipaCert                      u,u,u
>> Server-Cert                  u,u,u
>> TELOIP.NET IPA CA            CT,C,C
>> ipaCert                      u,u,u
>> Signing-Cert                 u,u,u
>> Server-Cert                  u,u,u
>>
>> *[root@caer ~]# certutil -d /etc/dirsrv/slapd-TELOIP-NET/ -L*
>>
>> Certificate Nickname Trust
>> Attributes
>>
>>   SSL,S/MIME,JAR/XPI
>>
>> Server-Cert                  u,u,u
>> TELOIP.NET IPA CA            CT,,C
>> Server-Cert                  u,u,u
>> [root@caer ~]#
>>
>> *Please note, there are duplicate certificates in CA, HTTP and LDAP
>> directory, subsystemCert cert-pki-ca, ipaCert  and Server-Cert. I was
>> wondering if we need to remove these duplicate certificates? *
>>
>
> Yeah you should remove the duplicate certs, they seem to cause problems
> with dogtag at least (certmonger _should_ handle this automatically, we'll
> be looking into it soonish).
>
> To remove the duplicate cert:
>
> 1. Shutdown the service
> 2. Back up the NSS database
> 3. certutil -L -d /path/to/db -n  -a > somefile
> 4. split somefile into separate files so each file has a BEGIN/END
> certificate
> 5. openssl x509 -text -in -infile somefile1..n
> 6. Pick the one with the most recent issuance date
> 7. You backed up the NSS database, right?
> 8. certutil -D -d /path/to/db -n 
> 9. certutil -A -d /path/to/db -n  -t u,u,u -a -i  somefilex
> 10. Start the service, watch logs for errors
>
> For the trust use whatever the original trust value was.
>
> You don't need the P trust flag on the subsystemCert in the CA, only the
> auditSigningCert.
>
> I doubt the duplicated Server-Cert will be a problem. NSS is supposed to
> deal with this automatically, picking the "most correct" cert to use based
> on the validity period.
>
> rob
>
>
>>
>> On Fri, Jul 22, 2016 at 9:36 AM, Linov Suresh wrote:
>>
>> I'm facing another issue now, my kerberos tickets are not renewing,
>>
>> *[root@caer ~]# ipa cert-show 1*
>> ipa: ERROR: Ticket expired
>>
>> *[root@caer ~]# klist*
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: ad...@teloip.net 
>>
>> Valid starting     Expires            Service principal
>> 07/20/16 14:42:26  07/21/16 14:42:22  krbtgt/teloip@teloip.net
>> 07/20/16 14:42:36  07/21/16 14:42:22  HTTP/caer.teloip@teloip.net
>> 07/21/16 11:40:15  07/21/16 14:42:22  ldap/caer.teloip@teloip.net
>>
>> I need to manually renew the tickets every day,
>>
>> *[root@caer ~]# kinit admin*
>> Password for ad...@teloip.net :
>> Warning: Your password will expire in 6 days on Thu Jul 28 15:20:15
>> 2016
>>
>> *[root@caer ~]# klist *
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: ad...@teloip.net 
>>
>> Valid starting     Expires            Service principal
>> 07/22/16 09:34:52  07/23/16 09:34:49  krbtgt/teloip@teloip.net
>>
>>
>> On Thu, Jul 21, 2016 at 12:23 PM, Rob Crittenden wrote:
>>
>> Linov Suresh wrote:
>>
>> The httpd_error log 

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-22 Thread Rob Crittenden

Linov Suresh wrote:

Could you please verify, if we have set correct trust attributes on the
certificates

*[root@caer ~]# certutil -d /var/lib/pki-ca/alias/ -L*

Certificate Nickname Trust
Attributes

  SSL,S/MIME,JAR/XPI

subsystemCert cert-pki-ca   u,u,Pu
ocspSigningCert cert-pki-ca u,u,u
caSigningCert cert-pki-ca CTu,Cu,Cu
subsystemCert cert-pki-ca   u,u,Pu
Server-Cert cert-pki-ca u,u,u
auditSigningCert cert-pki-ca  u,u,Pu
*[root@caer ~]# certutil -d /etc/httpd/alias/ -L*

Certificate Nickname Trust
Attributes

  SSL,S/MIME,JAR/XPI

ipaCert                      u,u,u
Server-Cert                  u,u,u
TELOIP.NET IPA CA            CT,C,C
ipaCert                      u,u,u
Signing-Cert                 u,u,u
Server-Cert                  u,u,u

*[root@caer ~]# certutil -d /etc/dirsrv/slapd-TELOIP-NET/ -L*

Certificate Nickname Trust
Attributes

  SSL,S/MIME,JAR/XPI

Server-Cert                  u,u,u
TELOIP.NET IPA CA            CT,,C
Server-Cert                  u,u,u
[root@caer ~]#

*Please note, there are duplicate certificates in CA, HTTP and LDAP
directory, subsystemCert cert-pki-ca, ipaCert  and Server-Cert. I was
wondering if we need to remove these duplicate certificates? *


Yeah you should remove the duplicate certs, they seem to cause problems 
with dogtag at least (certmonger _should_ handle this automatically, 
we'll be looking into it soonish).


To remove the duplicate cert:

1. Shutdown the service
2. Back up the NSS database
3. certutil -L -d /path/to/db -n  -a > somefile
4. split somefile into separate files so each file has a BEGIN/END
certificate

5. openssl x509 -text -in -infile somefile1..n
6. Pick the one with the most recent issuance date
7. You backed up the NSS database, right?
8. certutil -D -d /path/to/db -n 
9. certutil -A -d /path/to/db -n  -t u,u,u -a -i  somefilex
10. Start the service, watch logs for errors

For the trust use whatever the original trust value was.

You don't need the P trust flag on the subsystemCert in the CA, only the 
auditSigningCert.


I doubt the duplicated Server-Cert will be a problem. NSS is supposed to 
deal with this automatically, picking the "most correct" cert to use 
based on the validity period.


rob




On Fri, Jul 22, 2016 at 9:36 AM, Linov Suresh wrote:

I'm facing another issue now, my kerberos tickets are not renewing,

*[root@caer ~]# ipa cert-show 1*
ipa: ERROR: Ticket expired

*[root@caer ~]# klist*
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@teloip.net 

Valid starting     Expires            Service principal
07/20/16 14:42:26  07/21/16 14:42:22  krbtgt/teloip@teloip.net
07/20/16 14:42:36  07/21/16 14:42:22  HTTP/caer.teloip@teloip.net
07/21/16 11:40:15  07/21/16 14:42:22  ldap/caer.teloip@teloip.net

I need to manually renew the tickets every day,

*[root@caer ~]# kinit admin*
Password for ad...@teloip.net :
Warning: Your password will expire in 6 days on Thu Jul 28 15:20:15 2016

*[root@caer ~]# klist *
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@teloip.net 

Valid starting     Expires            Service principal
07/22/16 09:34:52  07/23/16 09:34:49  krbtgt/teloip@teloip.net



On Thu, Jul 21, 2016 at 12:23 PM, Rob Crittenden wrote:

Linov Suresh wrote:

The httpd_error log doesn't contain the part where `ipa
cert-show 1` was
run. If it is from the same time.

*I am not sure about that, please see httpd_error when `ipa
cert-show 1`
was run*


The IPA API log isn't going to show much in this case.

Requests to the CA are proxied through IPA. The CA WAR is not
running on tomcat so when Apache tries to proxy the request
tomcat returns a 404, Not Found.

You need to start with the dogtag debug and selftest logs to see
what is going on. The logs are pretty verbose and can be
challenging to read.

rob


[root@caer ~]# *tail -f /var/log/httpd/error_log*
[Thu 
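Rob's de-duplication steps are done by hand with certutil; as an added example (not from the thread or the FreeIPA project), here is a small Python check that parses `certutil -L` output like the listings quoted in this thread, reports nicknames that appear more than once, and flags the `P` trust flag on anything in the CA database other than auditSigningCert, which is the only cert Rob says needs it. The embedded listings are constructed from the ones posted above and the function names are ours.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the CA and httpd listings quoted in
# this thread (nicknames and trust attributes as posted; column spacing is ours).
CA_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

subsystemCert cert-pki-ca                                    u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
subsystemCert cert-pki-ca                                    u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
"""

HTTPD_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
TELOIP.NET IPA CA                                            CT,C,C
ipaCert                                                      u,u,u
Signing-Cert                                                 u,u,u
Server-Cert                                                  u,u,u
"""

# One data row: a nickname (may contain spaces), whitespace, then the three
# comma-separated NSS trust flag groups (SSL, S/MIME, JAR/XPI). A group may be
# empty, as in "CT,,C" from the 389-ds listing.
ROW_RE = re.compile(r"^(?P<nick>\S.*?)\s+(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)$")

# Per Rob's note, only the audit signing cert needs the P (trusted peer) flag
# in the CA's NSS database; subsystemCert should not carry it.
P_FLAG_ALLOWED_IN_CA = {"auditSigningCert cert-pki-ca"}


def parse_listing(text):
    """Return [(nickname, trust_flags)] for each data row of `certutil -L` output.

    The "Certificate Nickname ..." header, the "SSL,S/MIME,JAR/XPI" column line
    (it starts with whitespace, so ROW_RE rejects it) and blank lines are skipped.
    """
    rows = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("Certificate Nickname"):
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append((m.group("nick"), m.group("trust")))
    return rows


def duplicate_nicknames(rows):
    """Nicknames that occur more than once, sorted."""
    counts = Counter(nick for nick, _ in rows)
    return sorted(nick for nick, n in counts.items() if n > 1)


def unneeded_p_flags(rows, allowed=P_FLAG_ALLOWED_IN_CA):
    """Nicknames carrying a P flag in any trust group without being on the allow list."""
    flagged = set()
    for nick, trust in rows:
        if nick not in allowed and any("P" in group for group in trust.split(",")):
            flagged.add(nick)
    return sorted(flagged)


def audit(text, ca_db=True):
    """Human-readable findings for one listing; the P-flag rule applies to the CA db only."""
    rows = parse_listing(text)
    findings = [f"duplicate nickname: {n}" for n in duplicate_nicknames(rows)]
    if ca_db:
        findings += [f"unneeded P trust flag: {n}" for n in unneeded_p_flags(rows)]
    return findings


if __name__ == "__main__":
    for name, listing, is_ca in (("CA", CA_LISTING, True), ("httpd", HTTPD_LISTING, False)):
        print(f"{name}:")
        for finding in audit(listing, ca_db=is_ca) or ["no findings"]:
            print("  " + finding)
```

To run it against a live database, feed it the output of `certutil -d /path/to/db -L` instead of the constructed listings.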

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-22 Thread Linov Suresh
I agree with you Jakub, I will start a separate thread for separate issues.


On Fri, Jul 22, 2016 at 10:31 AM, Jakub Hrozek  wrote:

> On Fri, Jul 22, 2016 at 09:36:27AM -0400, Linov Suresh wrote:
> > I'm facing another issue now, my kerberos tickets are not renewing,
>
> In general I think it's better to start separate threads about separate
> issues. That way people who only scan the subject lines can see if this
> thread is something they can help with :)
>
> >
> > *[root@caer ~]# ipa cert-show 1*
> > ipa: ERROR: Ticket expired
> >
> > *[root@caer ~]# klist*
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: ad...@teloip.net
> >
> > Valid starting     Expires            Service principal
> > 07/20/16 14:42:26  07/21/16 14:42:22  krbtgt/teloip@teloip.net
> > 07/20/16 14:42:36  07/21/16 14:42:22  HTTP/caer.teloip@teloip.net
> > 07/21/16 11:40:15  07/21/16 14:42:22  ldap/caer.teloip@teloip.net
> >
> > I need to manually renew the tickets every day,
> >
> > *[root@caer ~]# kinit admin*
> > Password for ad...@teloip.net:
> > Warning: Your password will expire in 6 days on Thu Jul 28 15:20:15 2016
> >
> > *[root@caer ~]# klist *
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: ad...@teloip.net
> >
> > Valid starting     Expires            Service principal
> > 07/22/16 09:34:52  07/23/16 09:34:49  krbtgt/teloip@teloip.net
>
> The first thing to keep in mind is that SSSD only renews tickets it
> 'knows about', so tickets that were acquired through SSSD, not directly
> with kinit.
>
> For options about renewing SSSD-acquired tickets, see man sssd-krb5 and
> search for renew.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-22 Thread Jakub Hrozek
On Fri, Jul 22, 2016 at 09:36:27AM -0400, Linov Suresh wrote:
> I'm facing another issue now, my kerberos tickets are not renewing,

In general I think it's better to start separate threads about separate
issues. That way people who only scan the subject lines can see if this
thread is something they can help with :)

> 
> *[root@caer ~]# ipa cert-show 1*
> ipa: ERROR: Ticket expired
> 
> *[root@caer ~]# klist*
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ad...@teloip.net
> 
> Valid starting     Expires            Service principal
> 07/20/16 14:42:26  07/21/16 14:42:22  krbtgt/teloip@teloip.net
> 07/20/16 14:42:36  07/21/16 14:42:22  HTTP/caer.teloip@teloip.net
> 07/21/16 11:40:15  07/21/16 14:42:22  ldap/caer.teloip@teloip.net
> 
> I need to manually renew the tickets every day,
> 
> *[root@caer ~]# kinit admin*
> Password for ad...@teloip.net:
> Warning: Your password will expire in 6 days on Thu Jul 28 15:20:15 2016
> 
> *[root@caer ~]# klist *
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ad...@teloip.net
> 
> Valid starting     Expires            Service principal
> 07/22/16 09:34:52  07/23/16 09:34:49  krbtgt/teloip@teloip.net

The first thing to keep in mind is that SSSD only renews tickets it
'knows about', so tickets that were acquired through SSSD, not directly
with kinit.

For options about renewing SSSD-acquired tickets, see man sssd-krb5 and
search for renew.



Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-22 Thread Linov Suresh
Could you please verify, if we have set correct trust attributes on the
certificates

*[root@caer ~]# certutil -d /var/lib/pki-ca/alias/ -L*

Certificate Nickname Trust
Attributes

 SSL,S/MIME,JAR/XPI

subsystemCert cert-pki-ca   u,u,Pu
ocspSigningCert cert-pki-ca u,u,u
caSigningCert cert-pki-ca CTu,Cu,Cu
subsystemCert cert-pki-ca   u,u,Pu
Server-Cert cert-pki-ca u,u,u
auditSigningCert cert-pki-ca  u,u,Pu

*[root@caer ~]# certutil -d /etc/httpd/alias/ -L*

Certificate Nickname Trust
Attributes

 SSL,S/MIME,JAR/XPI

ipaCert                      u,u,u
Server-Cert                  u,u,u
TELOIP.NET IPA CA            CT,C,C
ipaCert                      u,u,u
Signing-Cert                 u,u,u
Server-Cert                  u,u,u

*[root@caer ~]# certutil -d /etc/dirsrv/slapd-TELOIP-NET/ -L*

Certificate Nickname Trust
Attributes

 SSL,S/MIME,JAR/XPI

Server-Cert                  u,u,u
TELOIP.NET IPA CA            CT,,C
Server-Cert                  u,u,u
[root@caer ~]#

*Please note, there are duplicate certificates in CA, HTTP and LDAP
directory, subsystemCert cert-pki-ca, ipaCert  and Server-Cert. I was
wondering if we need to remove these duplicate certificates? *


On Fri, Jul 22, 2016 at 9:36 AM, Linov Suresh 
wrote:

> I'm facing another issue now, my kerberos tickets are not renewing,
>
> *[root@caer ~]# ipa cert-show 1*
> ipa: ERROR: Ticket expired
>
> *[root@caer ~]# klist*
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ad...@teloip.net
>
> Valid starting     Expires            Service principal
> 07/20/16 14:42:26  07/21/16 14:42:22  krbtgt/teloip@teloip.net
> 07/20/16 14:42:36  07/21/16 14:42:22  HTTP/caer.teloip@teloip.net
> 07/21/16 11:40:15  07/21/16 14:42:22  ldap/caer.teloip@teloip.net
>
> I need to manually renew the tickets every day,
>
> *[root@caer ~]# kinit admin*
> Password for ad...@teloip.net:
> Warning: Your password will expire in 6 days on Thu Jul 28 15:20:15 2016
>
> *[root@caer ~]# klist *
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ad...@teloip.net
>
> Valid starting     Expires            Service principal
> 07/22/16 09:34:52  07/23/16 09:34:49  krbtgt/teloip@teloip.net
>
>
> On Thu, Jul 21, 2016 at 12:23 PM, Rob Crittenden 
> wrote:
>
>> Linov Suresh wrote:
>>
>>> The httpd_error log doesn't contain the part where `ipa cert-show 1` was
>>> run. If it is from the same time.
>>>
>>> *I am not sure about that, please see httpd_error when `ipa cert-show 1`
>>> was run*
>>>
>>
>> The IPA API log isn't going to show much in this case.
>>
>> Requests to the CA are proxied through IPA. The CA WAR is not running on
>> tomcat so when Apache tries to proxy the request tomcat returns a 404, Not
>> Found.
>>
>> You need to start with the dogtag debug and selftest logs to see what is
>> going on. The logs are pretty verbose and can be challenging to read.
>>
>> rob
>>
>>
>>> [root@caer ~]# *tail -f /var/log/httpd/error_log*
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI
>>> wsgi_dispatch.__call__:
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI
>>> xmlserver_session.__call__:
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session cookie_id =
>>> bc2c7ed0eccd840dc266efaf9ece913c
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session data in
>>> cache with id=bc2c7ed0eccd840dc266efaf9ece913c
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:
>>> xmlserver_session.__call__: session_id=bc2c7ed0eccd840dc266efaf9ece913c
>>> start_timestamp=2016-07-21T11:58:54 access_timestamp=2016-07-21T12:01:21
>>> expiration_timestamp=2016-07-21T12:18:54
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: storing ccache data into
>>> file "/var/run/ipa_memcached/krbcc_13554"
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: get_credential_times:
>>> principal=HTTP/caer.teloip@teloip.net, authtime=07/21/16 10:31:46,
>>> starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44,
>>> renew_till=12/31/69 19:00:00
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: get_credential_times:
>>> principal=HTTP/caer.teloip@teloip.net, authtime=07/21/16 10:31:46,
>>> starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44,
>>> renew_till=12/31/69 19:00:00
>>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: KRB5_CCache
>>> 

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-22 Thread Linov Suresh
I'm facing another issue now, my kerberos tickets are not renewing,

*[root@caer ~]# ipa cert-show 1*
ipa: ERROR: Ticket expired

*[root@caer ~]# klist*
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@teloip.net

Valid starting     Expires            Service principal
07/20/16 14:42:26  07/21/16 14:42:22  krbtgt/teloip@teloip.net
07/20/16 14:42:36  07/21/16 14:42:22  HTTP/caer.teloip@teloip.net
07/21/16 11:40:15  07/21/16 14:42:22  ldap/caer.teloip@teloip.net

I need to manually renew the tickets every day,

*[root@caer ~]# kinit admin*
Password for ad...@teloip.net:
Warning: Your password will expire in 6 days on Thu Jul 28 15:20:15 2016

*[root@caer ~]# klist *
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@teloip.net

Valid starting     Expires            Service principal
07/22/16 09:34:52  07/23/16 09:34:49  krbtgt/teloip@teloip.net


On Thu, Jul 21, 2016 at 12:23 PM, Rob Crittenden 
wrote:

> Linov Suresh wrote:
>
>> The httpd_error log doesn't contain the part where `ipa cert-show 1` was
>> run. If it is from the same time.
>>
>> *I am not sure about that, please see httpd_error when `ipa cert-show 1`
>> was run*
>>
>
> The IPA API log isn't going to show much in this case.
>
> Requests to the CA are proxied through IPA. The CA WAR is not running on
> tomcat so when Apache tries to proxy the request tomcat returns a 404, Not
> Found.
>
> You need to start with the dogtag debug and selftest logs to see what is
> going on. The logs are pretty verbose and can be challenging to read.
>
> rob
>
>
>> [root@caer ~]# *tail -f /var/log/httpd/error_log*
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI
>> wsgi_dispatch.__call__:
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI
>> xmlserver_session.__call__:
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session cookie_id =
>> bc2c7ed0eccd840dc266efaf9ece913c
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session data in
>> cache with id=bc2c7ed0eccd840dc266efaf9ece913c
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:
>> xmlserver_session.__call__: session_id=bc2c7ed0eccd840dc266efaf9ece913c
>> start_timestamp=2016-07-21T11:58:54 access_timestamp=2016-07-21T12:01:21
>> expiration_timestamp=2016-07-21T12:18:54
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: storing ccache data into
>> file "/var/run/ipa_memcached/krbcc_13554"
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: get_credential_times:
>> principal=HTTP/caer.teloip@teloip.net, authtime=07/21/16 10:31:46,
>> starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44,
>> renew_till=12/31/69 19:00:00
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: get_credential_times:
>> principal=HTTP/caer.teloip@teloip.net, authtime=07/21/16 10:31:46,
>> starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44,
>> renew_till=12/31/69 19:00:00
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: KRB5_CCache
>> FILE:/var/run/ipa_memcached/krbcc_13554 endtime=1469197904 (07/22/16
>> 10:31:44)
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:
>> set_session_expiration_time: duration_type=inactivity_timeout
>> duration=1200 max_age=1469197604 expiration=1469118081.77
>> (2016-07-21T12:21:21)
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI xmlserver.__call__:
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Created connection
>> context.ldap2
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI
>> WSGIExecutioner.__call__:
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: raw: cert_show(u'1')
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert_show(u'1')
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: IPA: virtual verify
>> retrieve certificate
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:
>> ipaserver.plugins.dogtag.ra.get_certificate()
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: https_request
>> 'https://caer.teloip.net:443/ca/agent/ca/displayBySerial'
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: https_request post
>> 'xml=true=1'
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: NSSConnection init
>> caer.teloip.net 
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Connecting: 10.20.0.75:0
>> 
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:
>> auth_certificate_callback: check_sig=True is_server=False
>> *.*
>> *.*
>> *.*
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: approved_usage =
>> SSLServer intended_usage = SSLServer
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert valid True for
>> "CN=caer.teloip.net,O=TELOIP.NET"
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: handshake complete, peer
>> = 10.20.0.75:443 
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:
>> auth_certificate_callback: check_sig=True is_server=False
>> *.*
>> *.*
>> *.*
>> [Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: 

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-21 Thread Rob Crittenden

Linov Suresh wrote:

The httpd_error log doesn't contain the part where `ipa cert-show 1` was
run. If it is from the same time.

*I am not sure about that, please see httpd_error when `ipa cert-show 1`
was run*


The IPA API log isn't going to show much in this case.

Requests to the CA are proxied through IPA. The CA WAR is not running on 
tomcat so when Apache tries to proxy the request tomcat returns a 404, 
Not Found.


You need to start with the dogtag debug and selftest logs to see what is 
going on. The logs are pretty verbose and can be challenging to read.


rob



[root@caer ~]# *tail -f /var/log/httpd/error_log*
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI
xmlserver_session.__call__:
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session cookie_id =
bc2c7ed0eccd840dc266efaf9ece913c
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session data in
cache with id=bc2c7ed0eccd840dc266efaf9ece913c
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:
xmlserver_session.__call__: session_id=bc2c7ed0eccd840dc266efaf9ece913c
start_timestamp=2016-07-21T11:58:54 access_timestamp=2016-07-21T12:01:21
expiration_timestamp=2016-07-21T12:18:54
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: storing ccache data into
file "/var/run/ipa_memcached/krbcc_13554"
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: get_credential_times:
principal=HTTP/caer.teloip@teloip.net, authtime=07/21/16 10:31:46,
starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44,
renew_till=12/31/69 19:00:00
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: get_credential_times:
principal=HTTP/caer.teloip@teloip.net, authtime=07/21/16 10:31:46,
starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44,
renew_till=12/31/69 19:00:00
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: KRB5_CCache
FILE:/var/run/ipa_memcached/krbcc_13554 endtime=1469197904 (07/22/16
10:31:44)
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:
set_session_expiration_time: duration_type=inactivity_timeout
duration=1200 max_age=1469197604 expiration=1469118081.77
(2016-07-21T12:21:21)
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI xmlserver.__call__:
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Created connection
context.ldap2
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI
WSGIExecutioner.__call__:
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: raw: cert_show(u'1')
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert_show(u'1')
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: IPA: virtual verify
retrieve certificate
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:
ipaserver.plugins.dogtag.ra.get_certificate()
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: https_request
'https://caer.teloip.net:443/ca/agent/ca/displayBySerial'
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: https_request post
'xml=true=1'
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: NSSConnection init
caer.teloip.net 
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Connecting: 10.20.0.75:0

[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:
auth_certificate_callback: check_sig=True is_server=False
*.*
*.*
*.*
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: approved_usage =
SSLServer intended_usage = SSLServer
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert valid True for
"CN=caer.teloip.net,O=TELOIP.NET"
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: handshake complete, peer
= 10.20.0.75:443 
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:
auth_certificate_callback: check_sig=True is_server=False
*.*
*.*
*.*
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: approved_usage =
SSLServer intended_usage = SSLServer
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert valid True for
"CN=caer.teloip.net,O=TELOIP.NET"
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: handshake complete, peer
= 10.20.0.75:443 
[Thu Jul 21 12:01:21 2016] [error] ipa: ERROR:
ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate
with CMS (Not Found)
[Thu Jul 21 12:01:21 2016] [error] ipa: INFO: ad...@teloip.net: cert_show(u'1'): CertificateOperationError
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: response:
CertificateOperationError: Certificate operation cannot be completed:
Unable to communicate with CMS (Not Found)
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Destroyed connection
context.ldap2
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: reading ccache data from
file "/var/run/ipa_memcached/krbcc_13554"
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: store session:
session_id=bc2c7ed0eccd840dc266efaf9ece913c
start_timestamp=2016-07-21T11:58:54 access_timestamp=2016-07-21T12:01:21
expiration_timestamp=2016-07-21T12:21:21


Does `ipa cert-show` communicate with 

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-21 Thread Linov Suresh
The httpd_error log doesn't contain the part where `ipa cert-show 1` was
run, if it is from the same time.

*I am not sure about that, please see httpd_error when `ipa cert-show 1`
was run*

[root@caer ~]# *tail -f /var/log/httpd/error_log*
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI
xmlserver_session.__call__:
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session cookie_id =
bc2c7ed0eccd840dc266efaf9ece913c
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: found session data in cache
with id=bc2c7ed0eccd840dc266efaf9ece913c
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: xmlserver_session.__call__:
session_id=bc2c7ed0eccd840dc266efaf9ece913c
start_timestamp=2016-07-21T11:58:54 access_timestamp=2016-07-21T12:01:21
expiration_timestamp=2016-07-21T12:18:54
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: storing ccache data into
file "/var/run/ipa_memcached/krbcc_13554"
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: get_credential_times:
principal=HTTP/caer.teloip@teloip.net, authtime=07/21/16 10:31:46,
starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44, renew_till=12/31/69
19:00:00
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: get_credential_times:
principal=HTTP/caer.teloip@teloip.net, authtime=07/21/16 10:31:46,
starttime=07/21/16 10:43:26, endtime=07/22/16 10:31:44, renew_till=12/31/69
19:00:00
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: KRB5_CCache
FILE:/var/run/ipa_memcached/krbcc_13554 endtime=1469197904 (07/22/16
10:31:44)
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: set_session_expiration_time:
duration_type=inactivity_timeout duration=1200 max_age=1469197604
expiration=1469118081.77 (2016-07-21T12:21:21)
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI xmlserver.__call__:
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Created connection
context.ldap2
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI
WSGIExecutioner.__call__:
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: raw: cert_show(u'1')
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert_show(u'1')
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: IPA: virtual verify retrieve
certificate
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG:
ipaserver.plugins.dogtag.ra.get_certificate()
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: https_request '
https://caer.teloip.net:443/ca/agent/ca/displayBySerial'
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: https_request post
'xml=true=1'
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: NSSConnection init
caer.teloip.net
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Connecting: 10.20.0.75:0
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: auth_certificate_callback:
check_sig=True is_server=False
*.*
*.*
*.*
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: approved_usage = SSLServer
intended_usage = SSLServer
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert valid True for "CN=
caer.teloip.net,O=TELOIP.NET"
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: handshake complete, peer =
10.20.0.75:443
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: auth_certificate_callback:
check_sig=True is_server=False
*.*
*.*
*.*
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: approved_usage = SSLServer
intended_usage = SSLServer
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: cert valid True for "CN=
caer.teloip.net,O=TELOIP.NET"
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: handshake complete, peer =
10.20.0.75:443
[Thu Jul 21 12:01:21 2016] [error] ipa: ERROR:
ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with
CMS (Not Found)
[Thu Jul 21 12:01:21 2016] [error] ipa: INFO: ad...@teloip.net:
cert_show(u'1'): CertificateOperationError
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: response:
CertificateOperationError: Certificate operation cannot be completed:
Unable to communicate with CMS (Not Found)
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: Destroyed connection
context.ldap2
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: reading ccache data from
file "/var/run/ipa_memcached/krbcc_13554"
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: store session:
session_id=bc2c7ed0eccd840dc266efaf9ece913c
start_timestamp=2016-07-21T11:58:54 access_timestamp=2016-07-21T12:01:21
expiration_timestamp=2016-07-21T12:21:21


Does `ipa cert-show` communicate with the same replica? Could be verified
by `ipa -vv cert-show`

*It's asking for the serial number of the certificate. If I give 64 (serial
number of ipaCert), I get ipa: ERROR: Certificate operation cannot be
completed: Unable to communicate with CMS (Not Found)*

*[root@caer ~]# ipa -vv cert-show*
ipa: DEBUG: importing all plugin modules in
'/usr/lib/python2.6/site-packages/ipalib/plugins'...
*.*
*.*
*.*
ipa: DEBUG: stdout=ipa_session=bc2c7ed0eccd840dc266efaf9ece913c; Domain=
caer.teloip.net; Path=/ipa; Expires=Thu, 21 Jul 2016 16:25:32 GMT; Secure;
HttpOnly
ipa: DEBUG: stderr=
ipa: DEBUG: found session_cookie in persistent storage for principal '

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-21 Thread Petr Vobornik
On 07/21/2016 05:14 PM, Linov Suresh wrote:
> I set debug=true in /etc/ipa/default.conf
> 
> Here are my logs,

The httpd_error log doesn't contain the part where `ipa cert-show 1` was
run, if it is from the same time. Does `ipa cert-show` communicate with
the same replica? Could be verified by `ipa -vv cert-show`

But more interesting is:

SelfTestSubsystem: The CRITICAL self test plugin called
selftests.container.instance.SystemCertsVerification running at startup
FAILED!

Are you sure that the CA is running?
  # ipactl status

This looks like the self test failed and therefore the CA shouldn't start. It
also says that some CA cert is not valid. Which one might be seen in
/var/log/pki-ca/debug, but a bigger chunk would be needed.

> 
> *[root@caer ~]# tail -f /var/log/httpd/error_log*
> [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
> [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: raw: user_show(u'admin', 
> rights=False, all=False, raw=False, version=u'2.46')
> [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: user_show(u'admin', 
> rights=False, 
> all=False, raw=False, version=u'2.46')
> [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: get_memberof: 
> entry_dn=uid=admin,cn=users,cn=accounts,dc=teloip,dc=net 
> memberof=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=teloip,dc=net'),
>  
> ipapython.dn.DN('cn=replication 
> administrators,cn=privileges,cn=pbac,dc=teloip,dc=net'), 
> ipapython.dn.DN('cn=add 
> replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), 
> ipapython.dn.DN('cn=modify replication 
> agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), 
> ipapython.dn.DN('cn=remove 
> replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), 
> ipapython.dn.DN('cn=unlock user 
> accounts,cn=permissions,cn=pbac,dc=teloip,dc=net'), 
> ipapython.dn.DN('cn=manage 
> service keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), 
> ipapython.dn.DN('cn=trust admins,cn=groups,cn=accounts,dc=teloip,dc=net'), 
> ipapython.dn.DN('cn=host enrollment,cn=privileges,cn=pbac,dc=teloip,dc=net'), 
> ipapython.dn.DN('cn=manage host 
> keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=enroll 
> a 
> host,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add host 
> password,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add 
> krbprincipalname to a host,cn=permissions,cn=pbac,dc=teloip,dc=net')]
> [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: get_memberof: result 
> direct=[ipapython.dn.DN('cn=admins,cn=groups,cn=accounts,dc=teloip,dc=net'), 
> ipapython.dn.DN('cn=trust admins,cn=groups,cn=accounts,dc=teloip,dc=net')] 
> indirect=[ipapython.dn.DN('cn=replication 
> administrators,cn=privileges,cn=pbac,dc=teloip,dc=net'), 
> ipapython.dn.DN('cn=add 
> replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), 
> ipapython.dn.DN('cn=modify replication 
> agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), 
> ipapython.dn.DN('cn=remove 
> replication agreements,cn=permissions,cn=pbac,dc=teloip,dc=net'), 
> ipapython.dn.DN('cn=unlock user 
> accounts,cn=permissions,cn=pbac,dc=teloip,dc=net'), 
> ipapython.dn.DN('cn=manage 
> service keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), 
> ipapython.dn.DN('cn=host enrollment,cn=privileges,cn=pbac,dc=teloip,dc=net'), 
> ipapython.dn.DN('cn=manage host 
> keytab,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=enroll 
> a 
> host,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add host 
> password,cn=permissions,cn=pbac,dc=teloip,dc=net'), ipapython.dn.DN('cn=add 
> krbprincipalname to a host,cn=permissions,cn=pbac,dc=teloip,dc=net')]
> [Thu Jul 21 11:00:38 2016] [error] ipa: INFO: ad...@teloip.net 
> : user_show(u'admin', rights=False, all=False, 
> raw=False, version=u'2.46'): SUCCESS
> [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: response: entries returned 1
> [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: Destroyed connection 
> context.ldap2
> [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: reading ccache data from file 
> "/var/run/ipa_memcached/krbcc_13554"
> [Thu Jul 21 11:00:38 2016] [error] ipa: DEBUG: store session: 
> session_id=10c5de02f8ae0f3969b96ef0f2e3a96d 
> start_timestamp=2016-07-21T10:43:26 
> access_timestamp=2016-07-21T11:00:38 expiration_timestamp=2016-07-21T11:20:38
> 
> *[root@caer ~]# tail -f /var/log/pki-ca/debug*
> [21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: curReqId: 
> 9990001
> [21/Jul/2016:11:08:29][CertStatusUpdateThread]: getElementAt: 1 mTop 107
> [21/Jul/2016:11:08:29][CertStatusUpdateThread]: reverse direction getting 
> index 4
> [21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: curReqId: 112
> [21/Jul/2016:11:08:29][CertStatusUpdateThread]: RequestQueue: 
> getLastRequestId : 
> returning value 112
> [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Repository:  mLastSerialNo: 
> 112
> [21/Jul/2016:11:08:29][CertStatusUpdateThread]: Serial numbers left in 

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-21 Thread Petr Vobornik
On 07/20/2016 09:41 PM, Linov Suresh wrote:
> I have restarted the pki-cad and checked if communication with the CA is 
> working, but no luck,
> 
> Debug logs in /var/log/pki-ca do not have anything unusual. Can you think of 
> anything other than this?

/var/log/httpd/error_log when /etc/ipa.conf is set to debug=true
https://www.freeipa.org/page/Troubleshooting#ipa_command_crashes_or_returns_no_data

/var/log/pki-ca/debug
/var/log/pki-ca/transactions
/var/log/pki-ca/selftest.log

> 
> [root@caer ~]# ipa cert-show 1
>Certificate: 
>Subject: CN=Certificate Authority,O=TELOIP.NET 
>Issuer: CN=Certificate Authority,O=TELOIP.NET 
>Not Before: Wed Dec 14 22:29:56 2011 UTC
>Not After: Sat Dec 14 22:29:56 2019 UTC
>Fingerprint (MD5): c9:27:1d:84:4c:2c:97:38:a4:7b:9a:c0:78:3e:7f:7a
>Fingerprint (SHA1): 
> ce:d7:11:84:70:dd:cb:4e:e2:08:f5:c0:ac:ff:b3:c5:bb:81:77:7e
>Serial number (hex): 0x1
>Serial number: 1
> [root@caer ~]#
> 
> *ca-error: Internal error: no response to 
> "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=63=true=true;.
> *
> 
> 
> 
> On Wed, Jul 20, 2016 at 2:22 PM, Rob Crittenden  > wrote:
> 
> Linov Suresh wrote:
> 
> Thanks for your help Rob, I will create a separate thread for the IPA
> replication issue. But we are still getting
> *
> *
> *ca-error: Internal error: no response to
> 
> "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=60=true=true".*
> 
>  Could you please help us to fix this?
> 
> 
> I think your CA isn't quite fixed yet. I'd restart pki-cad then do 
> something
> like: ipa cert-show 1
> 
> You should get back a cert (doesn't really matter what cert).
> 
> Otherwise I'd check the CA debug log somewhere in /var/log/pki
> 
> rob
> 
> 
> 
> On Wed, Jul 20, 2016 at 10:08 AM, Rob Crittenden  
> >> wrote:
> 
>  Glad you got the certificates successfully renewed.
> 
>  Can you open a new e-mail thread on this new problem so we can 
> keep
>  the issues separated?
> 
>  IPA gets little information back when dogtag fails to install. 
> You
>  need to look in /var/log//debug for more information. 
> The
>  exact location depends on the version of IPA.
> 
>  rob
> 
>  Linov Suresh wrote:
> 
>  Great! That worked, and I successfully renewed the
>  certificates on
>  the IPA server and I was trying to create an IPA replica 
> server
>  and got
>  an error,[root@neit-lab  
>  >>~]#
> ipa-replica-install
>  --setup-ca --setup-dns --no-forwarders --skip-conncheck
>  /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg Directory 
> Manager
>  (existing master) password: Configuring NTP daemon (ntpd) 
> [1/4]:
>  stopping ntpd [2/4]: writing configuration [3/4]: configuring
>  ntpd to
>  start on boot [4/4]: starting ntpd Done configuring NTP 
> daemon
>  (ntpd).
>  Configuring directory server for the CA (pkids): Estimated 
> time 30
>  seconds [1/3]: creating directory server user [2/3]: creating
>  

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-20 Thread Linov Suresh
I have restarted the pki-cad and checked if communication with the CA is
working, but no luck,

Debug logs in /var/log/pki-ca do not have anything unusual. Can you think
of anything other than this?

[root@caer ~]# ipa cert-show 1
  Certificate: (base64 certificate data omitted)
  Subject: CN=Certificate Authority,O=TELOIP.NET
  Issuer: CN=Certificate Authority,O=TELOIP.NET
  Not Before: Wed Dec 14 22:29:56 2011 UTC
  Not After: Sat Dec 14 22:29:56 2019 UTC
  Fingerprint (MD5): c9:27:1d:84:4c:2c:97:38:a4:7b:9a:c0:78:3e:7f:7a
  Fingerprint (SHA1):
ce:d7:11:84:70:dd:cb:4e:e2:08:f5:c0:ac:ff:b3:c5:bb:81:77:7e
  Serial number (hex): 0x1
  Serial number: 1
[root@caer ~]#


*ca-error: Internal error: no response to
"http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=63=true=true
".*





On Wed, Jul 20, 2016 at 2:22 PM, Rob Crittenden  wrote:

> Linov Suresh wrote:
>
>> Thanks for your help Rob, I will create a separate thread for the IPA
>> replication issue. But we are still getting
>> *
>> *
>> *ca-error: Internal error: no response to
>> "
>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=60=true=true
>> ".*
>>
>> Could you please help us to fix this?
>>
>
> I think your CA isn't quite fixed yet. I'd restart pki-cad then do
> something like: ipa cert-show 1
>
> You should get back a cert (doesn't really matter what cert).
>
> Otherwise I'd check the CA debug log somewhere in /var/log/pki
>
> rob
>
>
>>
>> On Wed, Jul 20, 2016 at 10:08 AM, Rob Crittenden > > wrote:
>>
>> Glad you got the certificates successfully renewed.
>>
>> Can you open a new e-mail thread on this new problem so we can keep
>> the issues separated?
>>
>> IPA gets little information back when dogtag fails to install. You
>> need to look in /var/log//debug for more information. The
>> exact location depends on the version of IPA.
>>
>> rob
>>
>> Linov Suresh wrote:
>>
>> Great! That worked, and I successfully renewed the
>> certificates on
>> the IPA server and I was trying to create an IPA replica server
>> and got
>> an error,[root@neit-lab > >~]# ipa-replica-install
>> --setup-ca --setup-dns --no-forwarders --skip-conncheck
>> /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg Directory
>> Manager
>> (existing master) password: Configuring NTP daemon (ntpd) [1/4]:
>> stopping ntpd [2/4]: writing configuration [3/4]: configuring
>> ntpd to
>> start on boot [4/4]: starting ntpd Done configuring NTP daemon
>> (ntpd).
>> Configuring directory server for the CA (pkids): Estimated time 30
>> seconds [1/3]: creating directory server user [2/3]: creating
>> directory
>> server instance [3/3]: restarting directory server Done
>> configuring
>> directory server for the CA (pkids). Configuring certificate
>> server
>> (pki-cad): Estimated time 3 minutes 30 seconds [1/17]: creating
>> certificate server user [2/17]: creating pki-ca instance [3/17]:
>> configuring certificate server instance ipa : CRITICAL failed to
>> configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent
>> ConfigureCA -cs_hostname neit-lab.teloip.net
>> 
>>  -cs_port 9445 -client_certdb_dir
>> /tmp/tmp-QAXI9A -client_certdb_pwd  -preop_pin
>> UpMxkDYjV90WLL041tDU -domain_name IPA -admin_user admin
>> -admin_email
>> 

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-20 Thread Rob Crittenden

Linov Suresh wrote:

Thanks for your help Rob, I will create a separate thread for the IPA
replication issue. But we are still getting
*
*
*ca-error: Internal error: no response to
"http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=60=true=true".*

Could you please help us to fix this?


I think your CA isn't quite fixed yet. I'd restart pki-cad then do 
something like: ipa cert-show 1


You should get back a cert (doesn't really matter what cert).

Otherwise I'd check the CA debug log somewhere in /var/log/pki

rob




On Wed, Jul 20, 2016 at 10:08 AM, Rob Crittenden > wrote:

Glad you got the certificates successfully renewed.

Can you open a new e-mail thread on this new problem so we can keep
the issues separated?

IPA gets little information back when dogtag fails to install. You
need to look in /var/log//debug for more information. The
exact location depends on the version of IPA.

rob

Linov Suresh wrote:

Great! That worked, and I successfully renewed the
certificates on
the IPA server and I was trying to create an IPA replica server
and got
an error,[root@neit-lab >~]# ipa-replica-install
--setup-ca --setup-dns --no-forwarders --skip-conncheck
/var/lib/ipa/replica-info-neit-lab.teloip.net.gpg Directory Manager
(existing master) password: Configuring NTP daemon (ntpd) [1/4]:
stopping ntpd [2/4]: writing configuration [3/4]: configuring
ntpd to
start on boot [4/4]: starting ntpd Done configuring NTP daemon
(ntpd).
Configuring directory server for the CA (pkids): Estimated time 30
seconds [1/3]: creating directory server user [2/3]: creating
directory
server instance [3/3]: restarting directory server Done configuring
directory server for the CA (pkids). Configuring certificate server
(pki-cad): Estimated time 3 minutes 30 seconds [1/17]: creating
certificate server user [2/17]: creating pki-ca instance [3/17]:
configuring certificate server instance ipa : CRITICAL failed to
configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent
ConfigureCA -cs_hostname neit-lab.teloip.net

 -cs_port 9445 -client_certdb_dir
/tmp/tmp-QAXI9A -client_certdb_pwd  -preop_pin
UpMxkDYjV90WLL041tDU -domain_name IPA -admin_user admin -admin_email
root@localhost >-admin_password 
-agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
-agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET
 
-ldap_host neit-lab.teloip.net 
 -ldap_port
7389 -bind_dn cn=Directory Manager -bind_password  -base_dn
o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm
SHA256withRSA -save_p12 true -backup_pwd  -subsystem_name
pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA
Subsystem,O=TELOIP.NET  
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET

 -ca_ocsp_cert_subject_name CN=OCSP
Subsystem,O=TELOIP.NET  
-ca_server_cert_subject_name
CN=neit-lab.teloip.net 
,O=TELOIP.NET 
 -ca_audit_signing_cert_subject_name CN=CA
Audit,O=TELOIP.NET  
-ca_sign_cert_subject_name
CN=Certificate Authority,O=TELOIP.NET 
 -external
false -clone true -clone_p12_file ca.p12 -clone_p12_password

-sd_hostname caer.teloip.net 
 -sd_admin_port 443
-sd_admin_name admin -sd_admin_password 
-clone_start_tls true
-clone_uri https://caer.teloip.net:443'
returned non-zero exit status 255
Your
system may be partly configured. Run /usr/sbin/ipa-server-install
--uninstall to clean up. Configuration of CA failed [root@neit-lab
>~]#

I did a clean up using /usr/sbin/ipa-server-install --uninstall
but it
wasn't helpful. Wondering if you can help us on this,



On Tue, Jul 19, 2016 at 10:50 AM, Rob Crittenden



Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-20 Thread Linov Suresh
Thanks for your help Rob, I will create a separate thread for the IPA
replication issue. But we are still getting

*ca-error: Internal error: no response to
"http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=60=true=true
".*


   Could you please help us to fix this?


On Wed, Jul 20, 2016 at 10:08 AM, Rob Crittenden 
wrote:

> Glad you got the certificates successfully renewed.
>
> Can you open a new e-mail thread on this new problem so we can keep the
> issues separated?
>
> IPA gets little information back when dogtag fails to install. You need to
> look in /var/log//debug for more information. The exact location
> depends on the version of IPA.
>
> rob
>
> Linov Suresh wrote:
>
>> Great! That worked, and I successfully renewed the certificates on
>> the IPA server and I was trying to create an IPA replica server and got
>> an error,[root@neit-lab ~]# ipa-replica-install
>> --setup-ca --setup-dns --no-forwarders --skip-conncheck
>> /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg Directory Manager
>> (existing master) password: Configuring NTP daemon (ntpd) [1/4]:
>> stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to
>> start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd).
>> Configuring directory server for the CA (pkids): Estimated time 30
>> seconds [1/3]: creating directory server user [2/3]: creating directory
>> server instance [3/3]: restarting directory server Done configuring
>> directory server for the CA (pkids). Configuring certificate server
>> (pki-cad): Estimated time 3 minutes 30 seconds [1/17]: creating
>> certificate server user [2/17]: creating pki-ca instance [3/17]:
>> configuring certificate server instance ipa : CRITICAL failed to
>> configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent
>> ConfigureCA -cs_hostname neit-lab.teloip.net
>>  -cs_port 9445 -client_certdb_dir
>> /tmp/tmp-QAXI9A -client_certdb_pwd  -preop_pin
>> UpMxkDYjV90WLL041tDU -domain_name IPA -admin_user admin -admin_email
>> root@localhost -admin_password 
>> -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
>> -agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET 
>> -ldap_host neit-lab.teloip.net  -ldap_port
>> 7389 -bind_dn cn=Directory Manager -bind_password  -base_dn
>> o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm
>> SHA256withRSA -save_p12 true -backup_pwd  -subsystem_name
>> pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA
>> Subsystem,O=TELOIP.NET 
>> -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET
>>  -ca_ocsp_cert_subject_name CN=OCSP
>> Subsystem,O=TELOIP.NET  -ca_server_cert_subject_name
>> CN=neit-lab.teloip.net ,O=TELOIP.NET
>>  -ca_audit_signing_cert_subject_name CN=CA
>> Audit,O=TELOIP.NET  -ca_sign_cert_subject_name
>> CN=Certificate Authority,O=TELOIP.NET  -external
>> false -clone true -clone_p12_file ca.p12 -clone_p12_password 
>> -sd_hostname caer.teloip.net  -sd_admin_port 443
>> -sd_admin_name admin -sd_admin_password  -clone_start_tls true
>> -clone_uri https://caer.teloip.net:443'
>> returned non-zero exit status 255 Your
>> system may be partly configured. Run /usr/sbin/ipa-server-install
>> --uninstall to clean up. Configuration of CA failed [root@neit-lab
>> ~]#
>>
>> I did a clean up using /usr/sbin/ipa-server-install --uninstall but it
>> wasn't helpful. Wondering if you can help us on this,
>>
>>
>>
>> On Tue, Jul 19, 2016 at 10:50 AM, Rob Crittenden > > wrote:
>>
>> Linov Suresh wrote:
>>
>> I have followed Redhat official documentation,
>> https://access.redhat.com/solutions/643753 for certificate
>> renewal,
>> which says *add: usercertificate. (step 12)*
>> *
>> *
>> While on the other hand FreeIPA official documentation
>> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal , says to
>> *add:
>> usercertificate;binary*
>>
>> Just wondering if we need to *add* the certificate? or *replace* the
>> existing certificate and which format do we need to use? *pem*
>> or *der*.
>>
>> We already successfully renewed the certificates about months
>> back, but
>> they were expired about 6 months back and we were not able to
>> renew till
>> now, and it has affected our production environment.
>>
>> Please help us.
>>
>>
>> You shouldn't have to mess with these values at 

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-20 Thread Rob Crittenden

Glad you got the certificates successfully renewed.

Can you open a new e-mail thread on this new problem so we can keep the 
issues separated?


IPA gets little information back when dogtag fails to install. You need 
to look in /var/log//debug for more information. The exact 
location depends on the version of IPA.


rob

Linov Suresh wrote:

Great! That worked, and I successfully renewed the certificates on
the IPA server and I was trying to create an IPA replica server and got
an error,[root@neit-lab ~]# ipa-replica-install
--setup-ca --setup-dns --no-forwarders --skip-conncheck
/var/lib/ipa/replica-info-neit-lab.teloip.net.gpg Directory Manager
(existing master) password: Configuring NTP daemon (ntpd) [1/4]:
stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to
start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30
seconds [1/3]: creating directory server user [2/3]: creating directory
server instance [3/3]: restarting directory server Done configuring
directory server for the CA (pkids). Configuring certificate server
(pki-cad): Estimated time 3 minutes 30 seconds [1/17]: creating
certificate server user [2/17]: creating pki-ca instance [3/17]:
configuring certificate server instance ipa : CRITICAL failed to
configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent
ConfigureCA -cs_hostname neit-lab.teloip.net
 -cs_port 9445 -client_certdb_dir
/tmp/tmp-QAXI9A -client_certdb_pwd  -preop_pin
UpMxkDYjV90WLL041tDU -domain_name IPA -admin_user admin -admin_email
root@localhost -admin_password 
-agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
-agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET 
-ldap_host neit-lab.teloip.net  -ldap_port
7389 -bind_dn cn=Directory Manager -bind_password  -base_dn
o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm
SHA256withRSA -save_p12 true -backup_pwd  -subsystem_name
pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA
Subsystem,O=TELOIP.NET 
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET
 -ca_ocsp_cert_subject_name CN=OCSP
Subsystem,O=TELOIP.NET  -ca_server_cert_subject_name
CN=neit-lab.teloip.net ,O=TELOIP.NET
 -ca_audit_signing_cert_subject_name CN=CA
Audit,O=TELOIP.NET  -ca_sign_cert_subject_name
CN=Certificate Authority,O=TELOIP.NET  -external
false -clone true -clone_p12_file ca.p12 -clone_p12_password 
-sd_hostname caer.teloip.net  -sd_admin_port 443
-sd_admin_name admin -sd_admin_password  -clone_start_tls true
-clone_uri https://caer.teloip.net:443'
returned non-zero exit status 255 Your
system may be partly configured. Run /usr/sbin/ipa-server-install
--uninstall to clean up. Configuration of CA failed [root@neit-lab
~]#

I did a clean up using /usr/sbin/ipa-server-install --uninstall but it
wasn't helpful. Wondering if you can help us on this,



On Tue, Jul 19, 2016 at 10:50 AM, Rob Crittenden > wrote:

Linov Suresh wrote:

I have followed Redhat official documentation,
https://access.redhat.com/solutions/643753 for certificate renewal,
which says *add: usercertificate. (step 12)*
*
*
While on the other hand FreeIPA official documentation
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal , says to
*add:
usercertificate;binary*

Just wondering if we need to *add* the certificate? or *replace* the
existing certificate and which format do we need to use? *pem*
or *der*.

We already successfully renewed the certificates about months
back, but
they were expired about 6 months back and we were not able to
renew till
now, and it has affected our production environment.

Please help us.


You shouldn't have to mess with these values at all. In 3.0 this is
handled somewhat automatically.

I'd restart the CA, then certmonger and see if the communication
error goes away for the CA subservice certificates (the internal error).

# service pki-cad restart

# service certmonger restart

I find it very strange that the certificates were set to expire
yesterday but it isn't a show-stopper necessarily assuming you can
get the CA back up.

Assuming you can, then go back in time again, this time just a few
days and try renewing the LDAP and Apache server certs again.

rob


On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh
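The advice quoted above is to set the clock back to a point where the 389-ds and Apache certificates are still valid and renew them there. As an added example (not code from this thread or from FreeIPA), the following Python parses the `Not Before` / `Not After` lines in `ipa cert-show` output, as quoted earlier in the thread, and computes the common validity window of a set of certificates plus a clock setting a few days before the earliest expiry; the two service certificates and their dates are constructed for illustration, only the CA entry repeats dates from the thread.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input. The CA entry repeats the dates from the
# `ipa cert-show 1` output in the thread; the two service certificates
# (389-ds and Apache Server-Cert) and their dates are hypothetical.
SAMPLE_CERTS = {
    "caSigningCert": """\
  Subject: CN=Certificate Authority,O=TELOIP.NET
  Issuer: CN=Certificate Authority,O=TELOIP.NET
  Not Before: Wed Dec 14 22:29:56 2011 UTC
  Not After: Sat Dec 14 22:29:56 2019 UTC
  Serial number: 1""",
    "Server-Cert (dirsrv)": """\
  Subject: CN=caer.teloip.net,O=TELOIP.NET
  Not Before: Tue Jan 13 10:00:00 2015 UTC
  Not After: Wed Jan 13 10:00:00 2016 UTC""",
    "Server-Cert (httpd)": """\
  Subject: CN=caer.teloip.net,O=TELOIP.NET
  Not Before: Wed Jan 14 10:00:00 2015 UTC
  Not After: Thu Jan 14 10:00:00 2016 UTC""",
}

_DATE_LINE = re.compile(r"^\s*Not (Before|After):\s*(.+?)\s*$", re.MULTILINE)
_DATE_FMT = "%a %b %d %H:%M:%S %Y %Z"  # e.g. "Sat Dec 14 22:29:56 2019 UTC"


def parse_timestamp(text):
    """Parse one `ipa cert-show` timestamp into an aware UTC datetime."""
    return datetime.strptime(text.strip(), _DATE_FMT).replace(tzinfo=timezone.utc)


def parse_validity(cert_show_output):
    """Return (not_before, not_after) from one certificate's cert-show text.

    Raises ValueError when a line is missing or the dates are inverted, so a
    malformed entry cannot silently widen the computed window.
    """
    fields = dict(_DATE_LINE.findall(cert_show_output))
    if "Before" not in fields or "After" not in fields:
        raise ValueError("Not Before / Not After line missing")
    not_before = parse_timestamp(fields["Before"])
    not_after = parse_timestamp(fields["After"])
    if not_after <= not_before:
        raise ValueError("Not After is not later than Not Before")
    return not_before, not_after


def expired_at(validities, now):
    """Names of certificates that are not valid at `now` (aware datetime)."""
    return sorted(name for name, (nb, na) in validities.items()
                  if not nb <= now < na)


def common_window(validities):
    """Intersection of all validity intervals, or None if it is empty."""
    start = max(nb for nb, _ in validities.values())
    end = min(na for _, na in validities.values())
    return (start, end) if start < end else None


def renewal_clock(validities, margin=timedelta(days=2)):
    """Clock setting inside the common window, `margin` before the earliest
    expiry (or the window start if the window is shorter than `margin`)."""
    window = common_window(validities)
    if window is None:
        return None
    start, end = window
    return max(start, end - margin)


def analyse(samples, now):
    """Parse every entry and report what is expired and where to set the clock."""
    validities = {name: parse_validity(text) for name, text in samples.items()}
    return {
        "expired": expired_at(validities, now),
        "window": common_window(validities),
        "clock": renewal_clock(validities),
    }


if __name__ == "__main__":
    # The thread's log lines are dated Thu Jul 21 2016; use that as "now".
    report = analyse(SAMPLE_CERTS, parse_timestamp("Thu Jul 21 12:01:21 2016 UTC"))
    for key, value in report.items():
        print(key, value)
```

With the constructed dates the two service certificates are reported as expired on the thread's date and the suggested clock setting is two days before the earlier of their expiries, still after every certificate's Not Before.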

   

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-19 Thread Linov Suresh
Great! That worked, and I successfully renewed the certificates on the
IPA server and I was trying to create an IPA replica server and got an error,
[root@neit-lab ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders --skip-conncheck /var/lib/ipa/replica-info-neit-lab.teloip.net.gpg
Directory Manager (existing master) password:
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
  [3/17]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname neit-lab.teloip.net -cs_port 9445 -client_certdb_dir /tmp/tmp-QAXI9A -client_certdb_pwd  -preop_pin UpMxkDYjV90WLL041tDU -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password  -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TELOIP.NET -ldap_host neit-lab.teloip.net -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password  -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd  -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TELOIP.NET -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TELOIP.NET -ca_server_cert_subject_name CN=neit-lab.teloip.net,O=TELOIP.NET -ca_audit_signing_cert_subject_name CN=CA Audit,O=TELOIP.NET -ca_sign_cert_subject_name CN=Certificate Authority,O=TELOIP.NET -external false -clone true -clone_p12_file ca.p12 -clone_p12_password  -sd_hostname caer.teloip.net -sd_admin_port 443 -sd_admin_name admin -sd_admin_password  -clone_start_tls true -clone_uri https://caer.teloip.net:443' returned non-zero exit status 255
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Configuration of CA failed
[root@neit-lab ~]#

I did a cleanup using /usr/sbin/ipa-server-install --uninstall, but it
wasn't helpful. I am wondering if you can help us with this.




On Tue, Jul 19, 2016 at 10:50 AM, Rob Crittenden 
wrote:

> Linov Suresh wrote:
>
>> I have followed the Red Hat official documentation,
>> https://access.redhat.com/solutions/643753 for certificate renewal,
>> which says *add: usercertificate* (step 12).
>>
>> While on the other hand the FreeIPA official documentation
>> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal says to *add:
>> usercertificate;binary*.
>>
>> Just wondering if we need to *add* the certificate or *replace* the
>> existing certificate, and which format do we need to use, *pem* or *der*?
>>
>> We already successfully renewed the certificates about months back, but
>> they expired about 6 months back and we were not able to renew them till
>> now, and this is affecting our production environment.
>>
>> Please help us.
>>
>
> You shouldn't have to mess with these values at all. In 3.0 this is
> handled somewhat automatically.
>
> I'd restart the CA, then certmonger and see if the communication error
> goes away for the CA subservice certificates (the internal error).
>
> # service pki-cad restart
> 
> # service certmonger restart
>
> I find it very strange that the certificates were set to expire yesterday
> but it isn't a show-stopper necessarily assuming you can get the CA back up.
>
> Assuming you can, then go back in time again, this time just a few days
> and try renewing the LDAP and Apache server certs again.
>
> rob
>
>
>> On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh wrote:
>>
>> We have cloned and created another virtual server from the template.
>> Surprisingly, this server's certificates also expired at the same
>> time as the previous one's; they just lasted for a day.
>> Does this issue have something to do with the Kerberos tickets?
>>
>> I am new to IPA and your help is highly appreciated.
>>
>> On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh wrote:
>>
>> *Update: my web server and LDAP certificates expired at
>> 2016-07-18 15:54:36 UTC and the certificates are in
>> CA_UNREACHABLE state.*
>>
>> *Could you please help us?*
>>
>> [root@caer tmp]# getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID 

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-19 Thread Rob Crittenden

Linov Suresh wrote:

I have followed the Red Hat official documentation,
https://access.redhat.com/solutions/643753 for certificate renewal,
which says *add: usercertificate* (step 12).

While on the other hand the FreeIPA official documentation
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal says to *add:
usercertificate;binary*.

Just wondering if we need to *add* the certificate or *replace* the
existing certificate, and which format do we need to use, *pem* or *der*?

We already successfully renewed the certificates about months back, but
they expired about 6 months back and we were not able to renew them till
now, and this is affecting our production environment.

Please help us.


You shouldn't have to mess with these values at all. In 3.0 this is 
handled somewhat automatically.


I'd restart the CA, then certmonger and see if the communication error 
goes away for the CA subservice certificates (the internal error).


# service pki-cad restart

# service certmonger restart

I find it very strange that the certificates were set to expire 
yesterday but it isn't a show-stopper necessarily assuming you can get 
the CA back up.


Assuming you can, then go back in time again, this time just a few days 
and try renewing the LDAP and Apache server certs again.


rob



On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh wrote:

We have cloned and created another virtual server from the template.
Surprisingly, this server's certificates also expired at the same
time as the previous one's; they just lasted for a day.
Does this issue have something to do with the Kerberos tickets?

I am new to IPA and your help is highly appreciated.

On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh wrote:

*Update: my web server and LDAP certificates expired at
2016-07-18 15:54:36 UTC and the certificates are in
CA_UNREACHABLE state.*

*Could you please help us?*

[root@caer tmp]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20111214223243':
 status: CA_UNREACHABLE
 ca-error: Server failed request, will retry: -504
(libcurl failed to execute the HTTP POST transaction.  Peer
certificate cannot be authenticated with known CA certificates).
 stuck: yes
 key pair storage:

type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
 certificate:

type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=TELOIP.NET

 subject: CN=caer.teloip.net,O=TELOIP.NET
*expires: 2016-07-18 15:54:36 UTC*
 eku: id-kp-serverAuth
 pre-save command:
 post-save command:
 track: yes
 auto-renew: yes
Request ID '20111214223300':
 status: CA_UNREACHABLE
 ca-error: Server failed request, will retry: -504
(libcurl failed to execute the HTTP POST transaction.  Peer
certificate cannot be authenticated with known CA certificates).
 stuck: yes
 key pair storage:

type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
 certificate:

type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=TELOIP.NET

 subject: CN=caer.teloip.net,O=TELOIP.NET
*expires: 2016-07-18 15:54:52 UTC*
 eku: id-kp-serverAuth
 pre-save command:
 post-save command:
 track: yes
 auto-renew: yes
Request ID '20111214223316':
 status: CA_UNREACHABLE
 ca-error: Server failed request, will retry: -504
(libcurl failed to execute the HTTP POST transaction.  Peer
certificate cannot be authenticated with known CA certificates).
 stuck: yes
 key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
 certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
 

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-19 Thread Linov Suresh
I have followed the Red Hat official documentation,
https://access.redhat.com/solutions/643753 for certificate renewal, which
says *add: usercertificate* (step 12).

While on the other hand the FreeIPA official documentation
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal says to *add:
usercertificate;binary*.

Just wondering if we need to *add* the certificate or *replace* the
existing certificate, and which format do we need to use, *pem* or *der*?

We already successfully renewed the certificates about months back, but
they expired about 6 months back and we were not able to renew them till
now, and this is affecting our production environment.

Please help us.

On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh 
wrote:

> We have cloned and created another virtual server from the template.
> Surprisingly, this server's certificates also expired at the same time as
> the previous one's; they just lasted for a day.
> Does this issue have something to do with the Kerberos tickets?
>
> I am new to IPA and your help is highly appreciated.
>
> On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh 
> wrote:
>
>> *Update: my web server and LDAP certificates expired at 2016-07-18
>> 15:54:36 UTC and the certificates are in CA_UNREACHABLE state.*
>>
>> *Could you please help us?*
>>
>> [root@caer tmp]# getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20111214223243':
>> status: CA_UNREACHABLE
>> ca-error: Server failed request, will retry: -504 (libcurl failed
>> to execute the HTTP POST transaction.  Peer certificate cannot be
>> authenticated with known CA certificates).
>> stuck: yes
>> key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=TELOIP.NET
>> subject: CN=caer.teloip.net,O=TELOIP.NET
>>* expires: 2016-07-18 15:54:36 UTC*
>> eku: id-kp-serverAuth
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>> Request ID '20111214223300':
>> status: CA_UNREACHABLE
>> ca-error: Server failed request, will retry: -504 (libcurl failed
>> to execute the HTTP POST transaction.  Peer certificate cannot be
>> authenticated with known CA certificates).
>> stuck: yes
>> key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=TELOIP.NET
>> subject: CN=caer.teloip.net,O=TELOIP.NET
>>* expires: 2016-07-18 15:54:52 UTC*
>> eku: id-kp-serverAuth
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>> Request ID '20111214223316':
>> status: CA_UNREACHABLE
>> ca-error: Server failed request, will retry: -504 (libcurl failed
>> to execute the HTTP POST transaction.  Peer certificate cannot be
>> authenticated with known CA certificates).
>> stuck: yes
>> key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=TELOIP.NET
>> subject: CN=caer.teloip.net,O=TELOIP.NET
>> *expires: 2016-07-18 15:55:04 UTC*
>> eku: id-kp-serverAuth
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>> Request ID '20130519130741':
>> status: MONITORING
>> ca-error: Internal error: no response to "
>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=61=true=true
>> ".
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>> certificate:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=TELOIP.NET
>> subject: CN=CA Audit,O=TELOIP.NET
>> expires: 2017-10-13 14:10:49 UTC
>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> "auditSigningCert 

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-19 Thread Linov Suresh
We have cloned and created another virtual server from the template.
Surprisingly, this server's certificates also expired at the same time as
the previous one's; they just lasted for a day.
Does this issue have something to do with the Kerberos tickets?

I am new to IPA and your help is highly appreciated.

On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh 
wrote:

> *Update: my web server and LDAP certificates expired at 2016-07-18
> 15:54:36 UTC and the certificates are in CA_UNREACHABLE state.*
>
> *Could you please help us?*
>
> [root@caer tmp]# getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20111214223243':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: -504 (libcurl failed
> to execute the HTTP POST transaction.  Peer certificate cannot be
> authenticated with known CA certificates).
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=TELOIP.NET
> subject: CN=caer.teloip.net,O=TELOIP.NET
>* expires: 2016-07-18 15:54:36 UTC*
> eku: id-kp-serverAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20111214223300':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: -504 (libcurl failed
> to execute the HTTP POST transaction.  Peer certificate cannot be
> authenticated with known CA certificates).
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=TELOIP.NET
> subject: CN=caer.teloip.net,O=TELOIP.NET
>* expires: 2016-07-18 15:54:52 UTC*
> eku: id-kp-serverAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20111214223316':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: -504 (libcurl failed
> to execute the HTTP POST transaction.  Peer certificate cannot be
> authenticated with known CA certificates).
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=TELOIP.NET
> subject: CN=caer.teloip.net,O=TELOIP.NET
> *expires: 2016-07-18 15:55:04 UTC*
> eku: id-kp-serverAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> Request ID '20130519130741':
> status: MONITORING
> ca-error: Internal error: no response to "
> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=61=true=true
> ".
> stuck: no
> key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=TELOIP.NET
> subject: CN=CA Audit,O=TELOIP.NET
> expires: 2017-10-13 14:10:49 UTC
> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20130519130742':
> status: MONITORING
> ca-error: Internal error: no response to "
> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=60=true=true
> ".
> stuck: no
> key pair storage:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
> certificate:
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=TELOIP.NET
> subject: CN=OCSP Subsystem,O=TELOIP.NET
> expires: 2017-10-13 14:09:49 UTC
> eku: id-kp-OCSPSigning
> pre-save command: 

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-18 Thread Linov Suresh
*Update: my web server and LDAP certificates expired at 2016-07-18
15:54:36 UTC and the certificates are in CA_UNREACHABLE state.*

*Could you please help us?*

[root@caer tmp]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20111214223243':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed
to execute the HTTP POST transaction.  Peer certificate cannot be
authenticated with known CA certificates).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=caer.teloip.net,O=TELOIP.NET
*expires: 2016-07-18 15:54:36 UTC*
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20111214223300':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed
to execute the HTTP POST transaction.  Peer certificate cannot be
authenticated with known CA certificates).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=caer.teloip.net,O=TELOIP.NET
*expires: 2016-07-18 15:54:52 UTC*
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20111214223316':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl failed
to execute the HTTP POST transaction.  Peer certificate cannot be
authenticated with known CA certificates).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=caer.teloip.net,O=TELOIP.NET
*expires: 2016-07-18 15:55:04 UTC*
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20130519130741':
status: MONITORING
ca-error: Internal error: no response to "
http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=61=true=true
".
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=CA Audit,O=TELOIP.NET
expires: 2017-10-13 14:10:49 UTC
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20130519130742':
status: MONITORING
ca-error: Internal error: no response to "
http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=60=true=true
".
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=OCSP Subsystem,O=TELOIP.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20130519130743':
status: MONITORING
ca-error: Internal error: no response to "
http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=62=true=true
".
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
certificate:
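A checker for the `getcert list` output above, added here as an example (it is not code from this thread, from FreeIPA or from certmonger): it parses the request blocks and reports every entry that is stuck, not in MONITORING state, carrying a ca-error, or already expired or close to expiry, so a set of tracked certificates in this condition gets noticed before it has been down for months. The sample input is constructed from the fields posted in this thread; the 28-day warning window is an assumed value.

```python
"""Flag certmonger-tracked certificates that need attention.

Added example, not code from the FreeIPA project or from this thread. It
parses the plain-text output of `getcert list` (the fields seen in the
output posted above) and reports entries that are stuck, not MONITORING,
carry a ca-error, or are expired / close to expiry.
"""
import re
from datetime import datetime, timedelta, timezone

# Field names emitted by `getcert list`; any other line inside a block is
# treated as a wrapped continuation of the previous value (mail clients and
# terminals wrap the long ca-error and storage lines).
KNOWN_KEYS = {
    "status", "ca-error", "stuck", "key pair storage", "certificate", "CA",
    "issuer", "subject", "expires", "eku", "pre-save command",
    "post-save command", "track", "auto-renew",
}
REQUEST_RE = re.compile(r"^\s*Request ID '(?P<id>[^']+)':")
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z -]*?):\s?(?P<val>.*)$")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"

# Constructed sample, cut down from the output posted in this thread; the
# first ca-error is wrapped across lines the way the mail archive shows it.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20111214223243':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed
to execute the HTTP POST transaction.  Peer certificate cannot be
authenticated with known CA certificates).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
        CA: IPA
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2016-07-18 15:54:36 UTC
        track: yes
        auto-renew: yes
Request ID '20111214223316':
        status: CA_UNREACHABLE
        stuck: yes
        CA: IPA
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2016-07-18 15:55:04 UTC
Request ID '20130519130741':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit".
        stuck: no
        CA: dogtag-ipa-renew-agent
        subject: CN=CA Audit,O=TELOIP.NET
        expires: 2017-10-13 14:10:49 UTC
"""


def parse_getcert_list(text):
    """Return one dict per 'Request ID' block, keyed by the field names."""
    requests, current, last_key = [], None, None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group("id")}
            requests.append(current)
            last_key = None
            continue
        if current is None:
            continue  # header line before the first request block
        m = FIELD_RE.match(line)
        if m and m.group("key") in KNOWN_KEYS:
            last_key = m.group("key")
            current[last_key] = m.group("val").strip()
        elif last_key is not None and line.strip():
            # wrapped continuation of the previous value
            current[last_key] = (current[last_key] + " " + line.strip()).strip()
    return requests


def parse_expiry(value):
    """Turn a getcert 'expires' value ('2016-07-18 15:54:36 UTC') into an aware datetime."""
    return datetime.strptime(value, EXPIRES_FMT).replace(tzinfo=timezone.utc)


def find_problems(requests, now=None, warn_within=timedelta(days=28)):
    """Return (request id, subject, [reasons]) for every entry needing attention."""
    now = now or datetime.now(timezone.utc)
    problems = []
    for req in requests:
        reasons = []
        if req.get("stuck") == "yes":
            reasons.append("stuck")
        status = req.get("status", "")
        if status != "MONITORING":
            reasons.append("status=" + status)
        if req.get("ca-error"):
            reasons.append("ca-error: " + req["ca-error"])
        if req.get("expires"):
            exp = parse_expiry(req["expires"])
            if exp <= now:
                reasons.append("expired " + req["expires"])
            elif exp - now <= warn_within:
                reasons.append("expires within %d days" % warn_within.days)
        if reasons:
            problems.append((req["id"], req.get("subject", "?"), reasons))
    return problems


if __name__ == "__main__":
    # On a live server feed it the real output instead of SAMPLE, e.g.
    # subprocess.check_output(["getcert", "list"], text=True).
    for rid, subject, reasons in find_problems(parse_getcert_list(SAMPLE)):
        print(rid, subject, "; ".join(reasons))
```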

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-18 Thread Linov Suresh
Yes, PKI is running and I don't see any errors in the self-tests. I have
followed https://access.redhat.com/solutions/643753 and restarted the PKI
in step 10.

The only change I made was to clean up userCertificate;binary before
adding the new userCertificate in LDAP, which is step 12.

[root@caer ~]# /etc/init.d/pki-cad status
pki-ca (pid 8634) is running...[  OK  ]
Unsecure Port   = http://caer.teloip.net:9180/ca/ee/ca
Secure Agent Port   = https://caer.teloip.net:9443/ca/agent/ca
Secure EE Port  = https://caer.teloip.net:9444/ca/ee/ca
Secure Admin Port   = https://caer.teloip.net:9445/ca/services
EE Client Auth Port = https://caer.teloip.net:9446/ca/eeca/ca
PKI Console Port= pkiconsole https://caer.teloip.net:9445/ca
Tomcat Port = 9701 (for shutdown)

PKI Instance Name:   pki-ca

PKI Subsystem Type:  Root CA (Security Domain)

Registered PKI Security Domain Information:

==
Name:  IPA
URL:   https://caer.teloip.net:9445

==
[root@caer ~]#
[root@caer ~]# tail -f /var/log/pki-ca/selftests.log
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading
all self test plugin logger parameters
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading
all self test plugin instances
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading
all self test plugin instance parameters
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading
self test plugins in on-demand order
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:  loading
self test plugins in startup order
8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: Self
test plugins have been successfully loaded!
8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: Running
self test plugins specified to be executed at startup:
8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence:  CA is present
8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification:
system certs verification success
8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All
CRITICAL self test plugins ran SUCCESSFULLY at startup!

Your help is highly appreciated!


   Linov Suresh

   70 Forest Manor Rd.
   Toronto
   ON M2J 0A9
   Mobile: +1 647 406 9438
   Linkedin: ca.linkedin.com/in/linov/
   Website: http://mylinuxthoughts.blogspot.com


On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik  wrote:

> On 07/18/2016 05:45 AM, Linov Suresh wrote:
> > Thanks for the update, Rob. I went back to Jan 20, 2016, and restarted the
> > CA and certmonger. It looks like the certificates were renewed, but I'm
> > getting a different error now:
> >
> > *ca-error: Internal error: no response to
> > "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=62=true=true".*
>
> Is PKI running? When you change the time, does restart of IPA help?
>
> >
> > [root@caer ~]# getcert list
> > Number of certificates and requests being tracked: 8.
> > Request ID '20111214223243':
> >  status: MONITORING
> >  stuck: no
> >  key pair storage:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
> > Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
> >  certificate:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
> > Certificate DB'
> >  CA: IPA
> >  issuer: CN=Certificate Authority,O=TELOIP.NET
> >  subject: CN=caer.teloip.net,O=TELOIP.NET
> >  expires: 2016-07-18 15:54:36 UTC
> >  eku: id-kp-serverAuth
> >  pre-save command:
> >  post-save command:
> >  track: yes
> >  auto-renew: yes
> > Request ID '20111214223300':
> >  status: MONITORING
> >  stuck: no
> >  key pair storage:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate
> > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> >  certificate:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate
> > DB'
> >  CA: IPA
> >  issuer: CN=Certificate Authority,O=TELOIP.NET
> >  subject: CN=caer.teloip.net,O=TELOIP.NET
> >  expires: 2016-07-18 15:54:52 UTC
> >  eku: id-kp-serverAuth
> >  pre-save command:
> >  post-save command:
> >  track: yes
> >  auto-renew: yes
> > Request ID '20111214223316':
> >  status: MONITORING
> >  stuck: no
> >  key pair storage:
> > 

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-18 Thread Petr Vobornik
On 07/18/2016 05:45 AM, Linov Suresh wrote:
> Thanks for the update, Rob. I went back to Jan 20, 2016, and restarted the CA
> and certmonger. It looks like the certificates were renewed, but I'm getting
> a different error now:
> 
> *ca-error: Internal error: no response to 
> "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=62=true=true".*

Is PKI running? When you change the time, does restart of IPA help?

> 
> [root@caer ~]# getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20111214223243':
>  status: MONITORING
>  stuck: no
>  key pair storage: 
> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
>  
> Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>  certificate: 
> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
>  
> Certificate DB'
>  CA: IPA
>  issuer: CN=Certificate Authority,O=TELOIP.NET 
>  subject: CN=caer.teloip.net,O=TELOIP.NET
> 
>  expires: 2016-07-18 15:54:36 UTC
>  eku: id-kp-serverAuth
>  pre-save command:
>  post-save command:
>  track: yes
>  auto-renew: yes
> Request ID '20111214223300':
>  status: MONITORING
>  stuck: no
>  key pair storage: 
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>  Certificate 
> DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>  certificate: 
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>  Certificate 
> DB'
>  CA: IPA
>  issuer: CN=Certificate Authority,O=TELOIP.NET 
>  subject: CN=caer.teloip.net,O=TELOIP.NET
> 
>  expires: 2016-07-18 15:54:52 UTC
>  eku: id-kp-serverAuth
>  pre-save command:
>  post-save command:
>  track: yes
>  auto-renew: yes
> Request ID '20111214223316':
>  status: MONITORING
>  stuck: no
>  key pair storage: 
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>  certificate: 
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
> Certificate DB'
>  CA: IPA
>  issuer: CN=Certificate Authority,O=TELOIP.NET 
>  subject: CN=caer.teloip.net,O=TELOIP.NET
> 
>  expires: 2016-07-18 15:55:04 UTC
>  eku: id-kp-serverAuth
>  pre-save command:
>  post-save command:
>  track: yes
>  auto-renew: yes
> Request ID '20130519130741':
>  status: MONITORING
>  ca-error: Internal error: no response to 
> "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=61=true=true".
>  stuck: no
>  key pair storage: 
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert 
> cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>  certificate: 
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
>  CA: dogtag-ipa-renew-agent
>  issuer: CN=Certificate Authority,O=TELOIP.NET 
>  subject: CN=CA Audit,O=TELOIP.NET 
>  expires: 2017-10-13 14:10:49 UTC
>  pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>  post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert 
> "auditSigningCert cert-pki-ca"
>  track: yes
>  auto-renew: yes
> Request ID '20130519130742':
>  status: MONITORING
>  ca-error: Internal error: no response to 
> "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=60=true=true".
>  stuck: no
>  key pair storage: 
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert 
> cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>  certificate: 
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
>  CA: dogtag-ipa-renew-agent
>  issuer: CN=Certificate Authority,O=TELOIP.NET 
>  subject: CN=OCSP Subsystem,O=TELOIP.NET 
>  expires: 2017-10-13 14:09:49 UTC
>  eku: id-kp-OCSPSigning
>  pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>  post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert 
> "ocspSigningCert cert-pki-ca"
>  track: yes
>  auto-renew: yes
> Request ID '20130519130743':
>  status: MONITORING
>  ca-error: Internal error: no response to 
> 

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-17 Thread Linov Suresh
Thanks for the update, Rob. I went back to Jan 20, 2016, and restarted the
CA and certmonger. It looks like the certificates were renewed, but I'm
getting a different error now:

*ca-error: Internal error: no response to
"http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=62=true=true".*

[root@caer ~]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20111214223243':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=caer.teloip.net,O=TELOIP.NET
expires: 2016-07-18 15:54:36 UTC
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20111214223300':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=caer.teloip.net,O=TELOIP.NET
expires: 2016-07-18 15:54:52 UTC
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20111214223316':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=caer.teloip.net,O=TELOIP.NET
expires: 2016-07-18 15:55:04 UTC
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20130519130741':
status: MONITORING
ca-error: Internal error: no response to "
http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=61=true=true
".
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=CA Audit,O=TELOIP.NET
expires: 2017-10-13 14:10:49 UTC
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20130519130742':
status: MONITORING
ca-error: Internal error: no response to "
http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=60=true=true
".
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=OCSP Subsystem,O=TELOIP.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20130519130743':
status: MONITORING
ca-error: Internal error: no response to "
http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=62=true=true
".
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=TELOIP.NET
subject: CN=CA Subsystem,O=TELOIP.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: 

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-15 Thread Rob Crittenden

Linov Suresh wrote:

I logged into my IPA master, and found that the cert had expired again,
we renewed these certificates about 18 months ago.

Our environment is CentOS 6.4 and IPA 3.0.0-26.


I followed the Red Hat documentation, "How do I manually renew Identity
Management (IPA) certificates after they have expired? (Master IPA
Server)", https://access.redhat.com/solutions/643753, but no luck.


I have also changed the directive "NSSEnforceValidCerts off" in
/etc/httpd/conf.d/nss.conf and the value of nsslapd-validate-cert is warn.

ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w ***
-b cn=config | grep nsslapd-validate-cert

nsslapd-validate-cert: warn

Here is my getcert list,

[root@caer ~]# getcert list


It looks like your CA subsystem certificates all renewed successfully; it
is just the webserver and LDAP certificates that need renewing, so that's
good.


What I'd do is go back in time again to say Jan 20, 2016 and restart 
certmonger. That should make it retry the renewals.


rob
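The advice above boils down to two questions a practitioner has to answer from `getcert list` before touching the clock: which tracked requests are actually expired or carry a ca-error, and how far back the date has to go so that the still-valid certificates are accepted again. The script below is an added example written for this thread, not something Rob or Linov posted and not part of certmonger or FreeIPA. It parses `getcert list` output on stdin (assuming the unwrapped form the tool prints on a terminal, not the mail-wrapped form quoted above), classifies every request as ERROR, EXPIRED or OK relative to a reference date, and reports the earliest expiry among the tracked certificates, which is the date the clock has to be set before. The sample input is constructed to mirror the field layout in the thread; the hostnames, paths and pin values in it are made up.

```shell
#!/bin/sh
# Triage helper for 'getcert list' output (added example, not from the thread).
# getcert_triage reads certmonger output on stdin and prints one line per
# tracked request:  <request id> <state> <expiry date> <nickname>
# state is ERROR   when a ca-error line is recorded for the request,
#          EXPIRED when 'expires' is before the reference date given as $1
#                  (format YYYY-MM-DD),
#          OK      otherwise.
# Dates are compared as strings; that is sound because getcert prints them as
# "YYYY-MM-DD HH:MM:SS UTC", which sorts lexically.
getcert_triage() {
  awk -v now="$1" '
    function emit() {
      if (id != "") {
        state = "OK"
        if (err) state = "ERROR"
        else if (expires != "" && expires < now) state = "EXPIRED"
        printf "%s %s %s %s\n", id, state, expires, nick
      }
      id = ""; err = 0; expires = ""; nick = ""
    }
    # A new record starts at an unindented "Request ID '...':" line.
    /^Request ID/ {
      emit()
      s = $0; sub(/^Request ID '\''/, "", s); sub(/'\''.*$/, "", s); id = s
    }
    /^[ \t]*ca-error:/ { err = 1 }
    /^[ \t]*expires:/  { expires = $2 }
    # First nickname seen is the key pair storage entry; keep it verbatim
    # (CA nicknames contain a space, e.g. "subsystemCert cert-pki-ca").
    /nickname=/ && nick == "" {
      s = $0; sub(/.*nickname='\''/, "", s); sub(/'\''.*$/, "", s); nick = s
    }
    END { emit() }
  '
}

# Reads getcert_triage output and prints the earliest expiry date among the
# tracked requests. Per the thread, the system clock must be set to a date
# before this for the expired certificates to be renewable again.
earliest_expiry() {
  awk '$3 != "" && (min == "" || $3 < min) { min = $3 } END { print min }'
}

# Constructed sample in the shape of the thread's output (made-up names/pins).
sample_getcert() {
  cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20111214223243':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-TEST//pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	expires: 2016-07-18 15:54:36 UTC
	track: yes
Request ID '20130519130741':
	status: MONITORING
	ca-error: Internal error: no response to "http://ca.example.test:9180/ca/ee/ca/profileSubmit".
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='000000000000'
	CA: dogtag-ipa-renew-agent
	expires: 2017-10-13 14:10:49 UTC
	track: yes
Request ID '20130519130743':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='000000000000'
	CA: dogtag-ipa-renew-agent
	expires: 2017-10-13 14:09:49 UTC
	track: yes
EOF
}

# Stand-alone demo, evaluated as of the thread's date. On a real server
# replace sample_getcert with:  getcert list | getcert_triage "$(date -u +%F)"
sample_getcert | getcert_triage "2016-07-26"
printf 'set the clock before: %s\n' "$(sample_getcert | getcert_triage "2016-07-26" | earliest_expiry)"
```

The ERROR state is reported separately from EXPIRED on purpose: in the thread the CA subsystem certificates were still valid until 2017 yet carried a ca-error, so an "expired only" filter would have hidden the requests that actually needed attention after the time change.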

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project