Discussion:
ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
Anthony Cheng
2016-04-27 19:54:57 UTC
Hi list,

I am trying to renew expired certificates following the manual renewal
procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but
even with resetting the system/hardware clock to a time before expiry, I
am getting the error "ca-error: Error setting up ccache for local "host"
service using default keytab: Clock skew too great."

With NTP disabled and the clock reset, why would it complain about clock skew, and
how does it even know the current time?

[***@test certs]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20111214223243':
status: MONITORING
ca-error: Error setting up ccache for local "host" service using
default keytab: Clock skew too great.
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:46 UTC
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20111214223300':
status: MONITORING
ca-error: Error setting up ccache for local "host" service using
default keytab: Clock skew too great.
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:45 UTC
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20111214223316':
status: MONITORING
ca-error: Error setting up ccache for local "host" service using
default keytab: Clock skew too great.
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:45 UTC
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20130519130741':
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "
http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true
".
stuck: yes
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664
'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=CA Audit,O=sample.NET
expires: 2017-10-13 14:10:49 UTC
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20130519130742':
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "
http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true
".
stuck: yes
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664
'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=OCSP Subsystem,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20130519130743':
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "
http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true
".
stuck: yes
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664
'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=CA Subsystem,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20130519130744':
status: MONITORING
ca-error: Internal error: no response to "
http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true
".
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=RA Subsystem,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20130519130745':
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "
http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true
".
stuck: yes
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664
'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
--
Thanks, Anthony
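A small triage helper for the `getcert list` output above, added here as an example (it is not FreeIPA or certmonger code): it re-joins the mail-wrapped lines into one record per request and separates the requests that fail at the Kerberos ccache step from those that cannot reach the CA, which is the split worth knowing before touching the clock again. The sample input is constructed from the thread's output; THREAD_DATE, the FIELDS set and the classification labels are assumptions of this example.

```python
"""Triage helper for `getcert list` output: an added example, not FreeIPA's or
certmonger's own code. Splits the wrapped output into one record per request and
labels each failure (Kerberos ticket vs. CA endpoint) against the cert's expiry."""
import re
from datetime import datetime, timezone

# Constructed sample in the shape shown in the thread. The line wrapping is kept
# on purpose: a wrapped line may itself contain a colon ("default keytab: ...").
SAMPLE = """Number of certificates and requests being tracked: 2.
Request ID '20111214223243':
status: MONITORING
ca-error: Error setting up ccache for local "host" service using
default keytab: Clock skew too great.
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:46 UTC
eku: id-kp-serverAuth
auto-renew: yes
Request ID '20130519130741':
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "
http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true
".
stuck: yes
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='PIN-PLACEHOLDER'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=CA Audit,O=sample.NET
expires: 2017-10-13 14:10:49 UTC
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
auto-renew: yes
"""

# Date of the thread's first post, used as "now" so results are reproducible.
THREAD_DATE = datetime(2016, 4, 27, 19, 54, 57, tzinfo=timezone.utc)

# Field names certmonger prints; a "name: value" line with any other name is a
# wrapped continuation of the previous field, not a new one (assumed set).
FIELDS = {"status", "ca-error", "stuck", "key pair storage", "certificate",
          "CA", "issuer", "subject", "expires", "eku", "pre-save command",
          "post-save command", "track", "auto-renew"}
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z -]*):(?: (.*))?$")
REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")


def parse_getcert_list(text):
    """Return one dict per 'Request ID' block, with wrapped lines re-joined."""
    records, current, last = [], None, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = REQUEST_RE.match(line)
        if m:
            current, last = {"id": m.group(1)}, None
            records.append(current)
            continue
        if current is None:          # header line before the first request
            continue
        m = FIELD_RE.match(line)
        if m and m.group(1) in FIELDS:
            last = m.group(1)
            current[last] = m.group(2) or ""
        elif last is not None:       # continuation of a wrapped value
            current[last] = (current[last] + " " + line).strip()
    return records


def classify(rec, now=THREAD_DATE):
    """Say where one renewal is failing and whether its cert is already expired."""
    err = rec.get("ca-error", "")
    if "Clock skew too great" in err:
        kind = "kerberos"        # helper got no ticket from the host keytab
    elif "no response to" in err:
        kind = "ca-unreachable"  # Dogtag profileSubmit endpoint did not answer
    else:
        kind = "other" if err else "ok"
    expires = datetime.strptime(rec["expires"].replace(" UTC", ""),
                                "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"id": rec["id"], "subject": rec.get("subject", ""), "kind": kind,
            "stuck": rec.get("stuck") == "yes", "expired": expires < now,
            "days_left": (expires - now).days}


def triage(text, now=THREAD_DATE):
    """Classify every request in a `getcert list` dump."""
    return [classify(r, now) for r in parse_getcert_list(text)]


if __name__ == "__main__":
    for item in triage(SAMPLE):
        print(f"{item['id']}  {item['kind']:14} stuck={item['stuck']}  "
              f"expired={item['expired']}  {item['subject']}")
```

A "kerberos" bucket on an already-expired certificate means the renewal helper never got as far as the CA, so klist/kdestroy and the KDC's time are the first things to check, not the CA endpoint.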
David Kupka
2016-04-28 07:21:08 UTC
Post by Anthony Cheng
Hi list,
I am trying to renew expired certificates following the manual renewal procedure
here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but even with
resetting the system/hardware clock to a time before expires, I am getting the
error "ca-error: Error setting up ccache for local "host" service using default
keytab: Clock skew too great."
With NTP disable and clock reset why would it complain about clock skew and how
does it even know about the current time?
Hello Anthony!

After stopping NTP (or another time-synchronizing service) and setting
the time manually, the server really doesn't have a way to determine that its time
differs from the real one.

I think this might be an issue with the Kerberos ticket. You can show the content
of root's ticket cache using klist. If there is anything, clean it with
kdestroy and try to resubmit the request again.
--
David Kupka
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Anthony Cheng
2016-04-28 13:20:52 UTC
klist is actually empty; kinit admin fails. It sounds, then, like getcert
resubmit has a dependency on Kerberos. I can get a backup image that has
a valid ticket, but it is only good for 1 day (and dated past the cert
expiry).

Also, I had asked a while back about whether there is a dependency on DIRSRV to
renew the cert; I didn't get any response, but I suspect there is a dependency.

Regarding the clock skew, I found out from /var/log/message that it shows me
this, so it may be from named:

Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew
too great)
Jan 28 14:10:42 test named[2911]: loading configuration: failure
Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Creden
tials cache file '/tmp/krb5cc_496' not found)

I don't have a krb5cc_496 file (since klist is empty), so it sounds to me like I
need to get a Kerberos ticket before going any further. Also, is the
access/modification time of the file /etc/krb5.keytab important? I had changed the time
back to before the cert expiration date, rebooted and tried to renew, but the
error message about clock skew is still there. That seems strange.

Lastly, as an absolute last resort, can I regenerate a new cert myself?
https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html

[***@test /]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
[***@test /]# service ipa start
Starting Directory Service
Starting dirsrv:
PKI-IPA... [ OK ]
sample-NET... [ OK ]
Starting KDC Service
Starting Kerberos 5 KDC: [ OK ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server: [ OK ]
Starting DNS Service
Starting named: [FAILED]
Failed to start DNS Service
Shutting down
Stopping Kerberos 5 KDC: [ OK ]
Stopping Kerberos 5 Admin Server: [ OK ]
Stopping named: [ OK ]
Stopping httpd: [ OK ]
Stopping pki-ca: [ OK ]
Shutting down dirsrv:
PKI-IPA... [ OK ]
sample-NET... [ OK ]
Aborting ipactl
[***@test /]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
[***@test /]# service ipa status
Directory Service: STOPPED
Failed to get list of services to probe status:
Directory Server is stopped
Post by Anthony Cheng
Post by Anthony Cheng
Hi list,
I am trying to renew expired certificates following the manual renewal
procedure
Post by Anthony Cheng
here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but even
with
Post by Anthony Cheng
resetting the system/hardware clock to a time before expires, I am
getting the
Post by Anthony Cheng
error "ca-error: Error setting up ccache for local "host" service using
default
Post by Anthony Cheng
keytab: Clock skew too great."
With NTP disable and clock reset why would it complain about clock skew
and how
Post by Anthony Cheng
does it even know about the current time?
Number of certificates and requests being tracked: 8.
status: MONITORING
ca-error: Error setting up ccache for local "host" service using
default keytab: Clock skew too great.
stuck: no
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
Post by Anthony Cheng
Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
Post by Anthony Cheng
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net <http://test.sample.net
,O=sample.NET
expires: 2016-01-29 14:09:46 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
status: MONITORING
ca-error: Error setting up ccache for local "host" service using
default keytab: Clock skew too great.
stuck: no
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate
Post by Anthony Cheng
DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate
Post by Anthony Cheng
DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net <http://test.sample.net
,O=sample.NET
expires: 2016-01-29 14:09:45 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
status: MONITORING
ca-error: Error setting up ccache for local "host" service using
default keytab: Clock skew too great.
stuck: no
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net <http://test.sample.net
,O=sample.NET
expires: 2016-01-29 14:09:45 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to
"
http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true
".
Post by Anthony Cheng
stuck: yes
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664
'
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=CA Audit,O=sample.NET
expires: 2017-10-13 14:10:49 UTC
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
stuck: yes
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=OCSP Subsystem,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
stuck: yes
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=CA Subsystem,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
status: MONITORING
ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
stuck: no
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=RA Subsystem,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
stuck: yes
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
track: yes
--
Thanks, Anthony
Hello Anthony!
After stopping NTP (or another time-synchronizing service) and setting
the time manually, the server really doesn't have a way to determine that
its time differs from the real one.
I think this might be an issue with the Kerberos ticket. You can show the
content of root's ticket cache using klist. If there is anything, clean it
with kdestroy and try to resubmit the request again.
--
David Kupka
--
Thanks, Anthony
Anthony Cheng
2016-04-29 20:51:00 UTC
OK so I made progress on my cert renew issue; I was able to get kinit
working so I can follow the rest of the steps here
(http://www.freeipa.org/page/IPA_2x_Certificate_Renewal).

However, after using

ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password

and restarting apache (/sbin/service httpd restart), resubmitting 3 certs
(ipa-getcert resubmit -i <ID>) and restarting IPA (/sbin/service ipa
restart), I still see:

[***@test ~]# ipa-getcert list | more
Number of certificates and requests being tracked: 8.
Request ID '20111214223243':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at
server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:46 UTC
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20111214223300':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at
server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:45 UTC
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20111214223316':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at
server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:45 UTC
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes


Here is other relevant output:

[***@test ~]# /sbin/service ipa restart
Restarting Directory Service
Shutting down dirsrv:
PKI-IPA... [ OK ]
sample-NET... [ OK ]
Starting dirsrv:
PKI-IPA... [ OK ]
sample-NET... [ OK ]
Restarting KDC Service
Stopping Kerberos 5 KDC: [ OK ]
Starting Kerberos 5 KDC: [ OK ]
Restarting KPASSWD Service
Stopping Kerberos 5 Admin Server: [ OK ]
Starting Kerberos 5 Admin Server: [ OK ]
Restarting DNS Service
Stopping named: . [ OK ]
Starting named: [ OK ]
Restarting MEMCACHE Service
Stopping ipa_memcached: [ OK ]
Starting ipa_memcached: [ OK ]
Restarting HTTP Service
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
Restarting CA Service
Stopping pki-ca: [ OK ]
Starting pki-ca: [ OK ]

[***@test ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ***@sample.NET

Valid starting Expires Service principal
01/28/16 14:05:01 01/29/16 14:05:01 krbtgt/***@sample.NET
01/28/16 14:08:48 01/29/16 14:05:01 HTTP/***@sample.NET

[***@test ~]# ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)

[***@caer ~]# /sbin/service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]


Would really greatly appreciate any help on this.

Also I noticed that after I do an ldapmodify of the usercertificate binary data with

add: usercertificate;binary
usercertificate;binary: !@#$@!#$#@$

Then I re-run

ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b
uid=ipara,ou=People,o=ipaca

I see 2 entries for usercertificate;binary (before the modify there was only 1),
but they are duplicates and NOT from the data that I added. That seems
incorrect to me.
--
Thanks, Anthony
Anthony Cheng
2016-04-29 22:34:37 UTC
I made further progress: I managed to get it into the NEED_TO_SUBMIT state
again after a reboot, and this time klist and the clock look good. However,
I am getting this error while restarting IPA:

Starting dirsrv:
PKI-IPA...[29/Apr/2016:21:41:48 +0000] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
-8181 - Peer's Certificate has expired.)

The error time is different from the time I changed to; after searching
all files on the computer, I found some files that have that time:
/var/log/dirsrv/slapd-SAMPLE-NET/access.rotationinfo
/var/tmp/DNS_25

I changed the access time on them, restarted, and got the correct time in the
error log:
Starting dirsrv:
PKI-IPA...[28/Sep/2014:14:58:15 +0000] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
-8181 - Peer's Certificate has expired.)
[ OK ]
sample-NET...[28/Sep/2014:14:58:16 +0000] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
-8181 - Peer's Certificate has expired.)

Looking at the server cert, there are actually 2, and one of them is expired
no matter what time I set, because of the time gap between them; this seems
to indicate that I need to remove one of them:

[***@test ~]# certutil -L -d /etc/httpd/alias -n Server-Cert | grep
'Issuer\|Not\|Subject\|Name'
Issuer: "CN=Certificate Authority,O=sample.NET"
Not Before: Sun Aug 02 14:09:45 2015
Not After : Fri Jan 29 14:09:45 2016
Subject: "CN=test.sample.net,O=sample.NET"
Subject Public Key Info:
Name: Certificate Authority Key Identifier
Name: Authority Information Access
Name: Certificate Key Usage
Name: Extended Key Usage
Name: Certificate Subject Key ID
Issuer: "CN=Certificate Authority,O=sample.NET"
Not Before: Sat May 03 00:20:37 2014
Not After : Thu Oct 30 00:20:37 2014
Subject: "CN=test.sample.net,O=sample.NET"
Subject Public Key Info:
Name: Certificate Authority Key Identifier
Name: Authority Information Access
Name: Certificate Key Usage
Name: Extended Key Usage
Name: Certificate Subject Key ID
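The following is an added example, not code from the original post, from FreeIPA or from certmonger: it parses the certutil -L output quoted above (the two Server-Cert entries are embedded as constructed sample input) and intersects their validity windows, so it shows directly whether any single clock setting can make both certificates under the one nickname valid at once; the renewal procedure in the thread depends on such a setting existing. It assumes certutil's timestamps are UTC, which matches the UTC expires: values getcert printed earlier in the thread.

```python
"""Can one clock setting make every cert under an NSS nickname valid at once?

Added example for this thread; not code from the original post, FreeIPA or
certmonger. It parses the human-readable output of
`certutil -L -d <dir> -n <nickname>` and intersects the validity windows it
finds. The manual renewal procedure turns the clock back to a moment when the
tracked certs were still valid; if two certs share a nickname and their
windows do not overlap, no clock setting satisfies both, which is what the
"Peer's Certificate has expired" alert above reflects.
Assumption: certutil prints times in UTC (the dates in the thread match the
UTC `expires:` values from getcert).
"""
import re
from datetime import datetime, timezone

# Constructed sample: the two Server-Cert entries quoted in the thread, trimmed
# to the lines the parser uses (as grep 'Issuer\|Not\|Subject' would print).
CERTUTIL_OUTPUT = """\
Issuer: "CN=Certificate Authority,O=sample.NET"
Not Before: Sun Aug 02 14:09:45 2015
Not After : Fri Jan 29 14:09:45 2016
Subject: "CN=test.sample.net,O=sample.NET"
Issuer: "CN=Certificate Authority,O=sample.NET"
Not Before: Sat May 03 00:20:37 2014
Not After : Thu Oct 30 00:20:37 2014
Subject: "CN=test.sample.net,O=sample.NET"
"""

CERTUTIL_TIME = "%a %b %d %H:%M:%S %Y"  # e.g. "Fri Jan 29 14:09:45 2016"
FIELD = re.compile(r"^\s*(Not Before|Not After|Subject)\s*:\s*(.+?)\s*$")


def parse_certutil(text):
    """Return one (subject, not_before, not_after) tuple per certificate.

    certutil prints the Validity block before the Subject, so a Subject line
    closes one certificate record.
    """
    certs, current = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Subject":
            current["subject"] = value.strip('"')
        else:
            stamp = datetime.strptime(value, CERTUTIL_TIME)
            current[key] = stamp.replace(tzinfo=timezone.utc)
        if len(current) == 3:
            certs.append((current["subject"], current["Not Before"], current["Not After"]))
            current = {}
    return certs


def common_validity_window(certs):
    """Interval during which *all* certs verify: latest Not Before up to the
    earliest Not After. None when the windows do not overlap, i.e. no clock
    setting can make every cert valid at the same time."""
    start = max(nb for _, nb, _ in certs)
    end = min(na for _, _, na in certs)
    return (start, end) if start <= end else None


def valid_at(certs, when):
    """Certs that would pass a NotBefore/NotAfter check at clock time `when`."""
    return [c for c in certs if c[1] <= when <= c[2]]


def check_clock_setting(text, when_iso):
    """Summarise the situation for a proposed clock setting (ISO 8601, UTC).

    Returns plain strings so the result is easy to log or assert on.
    """
    certs = parse_certutil(text)
    when = datetime.strptime(when_iso, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    window = common_validity_window(certs)
    return {
        "certs": len(certs),
        "common_window": None if window is None else tuple(d.isoformat() for d in window),
        "valid_at": [na.isoformat() for _, _, na in valid_at(certs, when)],
    }


if __name__ == "__main__":
    # 2016-01-28 14:05:01 is the ticket start time klist showed in the thread.
    report = check_clock_setting(CERTUTIL_OUTPUT, "2016-01-28T14:05:01")
    print(f"{report['certs']} certs under the nickname")
    if report["common_window"] is None:
        print("no clock setting makes all of them valid at once; "
              "one of the duplicates has to go before the clock trick can work")
    else:
        print("set the clock anywhere between", *report["common_window"])
    print("valid at the proposed time (listed by Not After):", report["valid_at"])
```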
Post by Anthony Cheng
OK so I made process on my cert renew issue; I was able to get kinit
working so I can follow the rest of the steps here (
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
However, after using
ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
and restarting apache (/sbin/service httpd restart), resubmitting 3 certs
(ipa-getcert resubmit -i <ID>) and restarting IPA (resubmit -i <ID>)
Number of certificates and requests being tracked: 8.
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at
server. Certificate operation cannot be compl
eted: Unable to communicate with CMS (Not Found)).
stuck: yes
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
Certific
ate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
Certificate D
B'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:46 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at
server. Certificate operation cannot be compl
eted: Unable to communicate with CMS (Not Found)).
stuck: yes
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate
DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:45 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at
server. Certificate operation cannot be compl
eted: Unable to communicate with CMS (Not Found)).
stuck: yes
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinf
ile='/etc/httpd/alias/pwdfile.txt'
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:45 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
Restarting Directory Service
PKI-IPA... [ OK ]
sample-NET... [ OK ]
PKI-IPA... [ OK ]
sample-NET... [ OK ]
Restarting KDC Service
Stopping Kerberos 5 KDC: [ OK ]
Starting Kerberos 5 KDC: [ OK ]
Restarting KPASSWD Service
Stopping Kerberos 5 Admin Server: [ OK ]
Starting Kerberos 5 Admin Server: [ OK ]
Restarting DNS Service
Stopping named: . [ OK ]
Starting named: [ OK ]
Restarting MEMCACHE Service
Stopping ipa_memcached: [ OK ]
Starting ipa_memcached: [ OK ]
Restarting HTTP Service
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
Restarting CA Service
Stopping pki-ca: [ OK ]
Starting pki-ca: [ OK ]
Ticket cache: FILE:/tmp/krb5cc_0
Valid starting Expires Service principal
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
Would really greatly appreciate any help on this.
Also I noticed after I do ldapmodify of usercertificate binary data with
add: usercertificate;binary
Then I re-run
ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca
I see 2 entries for usercertificate;binary (before modify there was only
1) but they are duplicate and NOT from data that I added. That seems
incorrect to me.
Post by Anthony Cheng
klist is actually empty; kinit admin fails. Sounds like then getcert
resubmit has a dependency on Kerberos. I can get a backup image that has
a valid ticket but it is only good for 1 day (and dated past the cert
expiry).
Also I had asked a while back about whether there is a dependency on DIRSRV
to renew the cert; didn't get any response but I suspect there is a
dependency.
Regarding the clock skew, I found out from /var/log/message that shows me
Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great)
Jan 28 14:10:42 test named[2911]: loading configuration: failure
Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)
I don't have a krb5cc_496 file (since klist is empty), so it sounds to me like I
need to get a Kerberos ticket before going any further. Also, is the file
/etc/krb5.keytab access/modification time important? I had changed the time
back to before the cert expiration date, rebooted and tried to renew, but the
error message about clock skew is still there. That seems strange.
Lastly, as an absolute last resort, can I regenerate a new cert myself?
https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
Starting Directory Service
PKI-IPA... [ OK ]
sample-NET... [ OK ]
Starting KDC Service
Starting Kerberos 5 KDC: [ OK ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server: [ OK ]
Starting DNS Service
Starting named: [FAILED]
Failed to start DNS Service
Shutting down
Stopping Kerberos 5 KDC: [ OK ]
Stopping Kerberos 5 Admin Server: [ OK ]
Stopping named: [ OK ]
Stopping httpd: [ OK ]
Stopping pki-ca: [ OK ]
PKI-IPA... [ OK ]
sample-NET... [ OK ]
Aborting ipactl
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
Directory Service: STOPPED
Directory Server is stopped
Post by Anthony Cheng
Post by Anthony Cheng
Hi list,
I am trying to renew expired certificates following the manual renewal
procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but
even with resetting the system/hardware clock to a time before expires, I am
getting the error "ca-error: Error setting up ccache for local "host" service
using default keytab: Clock skew too great."
With NTP disabled and the clock reset, why would it complain about clock skew
and how does it even know about the current time?
Number of certificates and requests being tracked: 8.
status: MONITORING
ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
stuck: no
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:46 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
status: MONITORING
ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
stuck: no
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:45 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
status: MONITORING
ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
stuck: no
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:45 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
stuck: yes
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=CA Audit,O=sample.NET
expires: 2017-10-13 14:10:49 UTC
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
stuck: yes
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=OCSP Subsystem,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
stuck: yes
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=CA Subsystem,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
status: MONITORING
ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
stuck: no
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=RA Subsystem,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
stuck: yes
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
track: yes
--
Thanks, Anthony
Hello Anthony!
After stopping NTP (or other time synchronizing service) and setting
time manually server really don't have a way to determine that its time
differs from the real one.
I think this might be issue with Kerberos ticket. You can show content
of root's ticket cache using klist. If there is anything clean it with
kdestroy and try to resubmit the request again.
--
David Kupka
Rob Crittenden
2016-04-30 14:08:10 UTC
Post by Anthony Cheng
OK so I made progress on my cert renew issue; I was able to get kinit
working so I can follow the rest of the steps here
(http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
However, after using
ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
and restarting apache (/sbin/service httpd restart), resubmitting 3
certs (ipa-getcert resubmit -i <ID>) and restarting IPA (resubmit -i <ID>)
Number of certificates and requests being tracked: 8.
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed
at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
IPA proxies requests to the CA through Apache. This means that while
tomcat started ok it didn't load the dogtag CA application, hence the
Not Found.

Check the CA debug and selftest logs to see why it failed to start properly.

[ snip ]
Post by Anthony Cheng
Would really greatly appreciate any help on this.
Also I noticed after I do ldapmodify of usercertificate binary data with
add: usercertificate;binary
You really pasted in binary? Or was this base64-encoded data?

I wonder if there is a problem in the wiki. If this is really a binary
value you should start with a DER-encoded cert and load it using
something like:

dn: uid=ipara,ou=people,o=ipaca
changetype: modify
add: usercertificate;binary
usercertificate;binary:< file:///path/to/cert.der

You can use something like openssl x509 to switch between PEM and DER
formats.

I have a vague memory that dogtag can deal with a multi-valued
usercertificate attribute.

rob
Post by Anthony Cheng
Then I re-run
ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca
I see 2 entries for usercertificate;binary (before the modify there was only
1) but they are duplicates and NOT from the data that I added. That seems
incorrect to me.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
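Rob's two points above (the value fed to `usercertificate;binary` has to be DER, and the attribute can end up multi-valued) are easy to verify before and after the ldapmodify. The script below is an added example, not part of this thread and not FreeIPA or dogtag code: it reads the `ldapsearch` LDIF output for the ipara entry, fingerprints every `usercertificate;binary` value, reports duplicates and whether the DER you intended to load is actually present, and parses each value's notAfter so stale certificates are flagged. The `audit_entry`, `ldif_attr_line` and `make_demo_cert` names are mine, and the entry and certificates are constructed in the script (structurally valid DER, signed by nobody).

```python
# Added example, not FreeIPA/dogtag code; standard library only. pem_to_der stands in
# for `openssl x509 -outform DER`; the entry and certificates below are constructed.
import base64
import hashlib
from datetime import datetime, timezone

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)

def ldif_binary_values(ldif: str, attr: str = "usercertificate;binary") -> list:
    """Decode every value of `attr` from ldapsearch LDIF output, which prints binary
    attributes base64-encoded after '::' and folds long lines with a leading space."""
    unfolded = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    prefix = attr.lower() + "::"
    return [base64.b64decode(line[len(prefix):].strip())
            for line in unfolded if line.lower().startswith(prefix)]

def _tlv(buf: bytes, pos: int):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_not_after(der: bytes) -> datetime:
    """Walk Certificate -> tbsCertificate -> validity and return notAfter (UTC)."""
    _, p, _ = _tlv(der, 0)                              # Certificate SEQUENCE: descend
    _, p, _ = _tlv(der, p)                              # tbsCertificate SEQUENCE: descend
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                                     # optional [0] EXPLICIT version
        p = end
    for _ in range(3):                                  # serialNumber, signature, issuer
        _, _, p = _tlv(der, p)
    _, p, _ = _tlv(der, p)                              # validity SEQUENCE: descend
    _, _, p = _tlv(der, p)                              # notBefore: skip
    tag, s, e = _tlv(der, p)                            # notAfter: UTCTime or GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[s:e].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def audit_entry(ldif: str, intended_der: bytes, now_utc: str) -> dict:
    """Count values and distinct values, check the intended cert is present, and list
    (by fingerprint prefix) the values already expired at now_utc (ISO 8601)."""
    now = datetime.fromisoformat(now_utc)
    values = ldif_binary_values(ldif)
    fps = [hashlib.sha256(v).hexdigest()[:16] for v in values]
    return {
        "values": len(values),
        "distinct": len(set(fps)),
        "intended_present": hashlib.sha256(intended_der).hexdigest()[:16] in fps,
        "expired": [fp for fp, v in zip(fps, values) if cert_not_after(v) < now],
    }

# ---- constructed demo data (not real certificates) ----
def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def make_demo_cert(not_after: str, serial: int) -> bytes:
    """Structurally valid Certificate DER with the given notAfter; signed by nobody."""
    def utc(t): return _der(0x17, t.encode("ascii"))
    tbs = (_der(0xA0, _der(0x02, b"\x02"))             # version v3
           + _der(0x02, bytes([serial]))                # serialNumber
           + _der(0x30, b"") + _der(0x30, b"")          # signature alg, issuer: empty placeholders
           + _der(0x30, utc("160128140945Z") + utc(not_after)))   # validity
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

def ldif_attr_line(der: bytes) -> str:
    """Render the attribute as ldapsearch prints it: base64 after '::', folded at 76."""
    line = "usercertificate;binary:: " + base64.b64encode(der).decode()
    return "\n".join([line[:76]] + [" " + line[i:i + 75] for i in range(76, len(line), 75)])

OLD = make_demo_cert("160129140945Z", 61)   # expired, like Server-Cert in the thread
NEW = make_demo_cert("171013140949Z", 70)   # the cert you intend to load
NEW_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(NEW).decode()
           + "\n-----END CERTIFICATE-----\n")
# Entry as seen after the ldapmodify: two identical stale values, the new one absent.
SAMPLE_LDIF = "\n".join(["dn: uid=ipara,ou=People,o=ipaca", "uid: ipara",
                         ldif_attr_line(OLD), ldif_attr_line(OLD)])

if __name__ == "__main__":
    print(audit_entry(SAMPLE_LDIF, pem_to_der(NEW_PEM), "2016-04-28T09:20:00+00:00"))
```

On a real server, feed it the output of the `ldapsearch` against `uid=ipara,ou=People,o=ipaca` and the DER file named in the `file://` URL of the LDIF: `distinct` smaller than `values` is the duplicate case from the thread, and `intended_present` false means the modify did not add what you thought it did.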
Anthony Cheng
2016-05-02 13:07:20 UTC
Post by Rob Crittenden
Post by Anthony Cheng
OK so I made progress on my cert renew issue; I was able to get kinit
working so I can follow the rest of the steps here
(http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
However, after using
ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
and restarting apache (/sbin/service httpd restart), resubmitting 3
certs (ipa-getcert resubmit -i <ID>) and restarting IPA (resubmit -i
<ID>)
Post by Anthony Cheng
Number of certificates and requests being tracked: 8.
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed
at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
IPA proxies requests to the CA through Apache. This means that while
tomcat started ok it didn't load the dogtag CA application, hence the
Not Found.
Check the CA debug and selftest logs to see why it failed to start properly.
[ snip ]
Actually after a reboot that error went away and I just get this error
instead "ca-error: Server failed request, will retry: -504 (libcurl failed
to execute the HTTP POST transaction. Peer certificate cannot be
authenticated with known CA certificates)." from "getcert list"

Result of service ipa restart is interesting since it shows today's time
when I already changed date/time/disabled NTP, so somehow the system still
knows today's time.

PKI-IPA...[02/May/2016:13:26:10 +0000] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert
of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error
-8181 - Peer's Certificate has expired.)
Post by Rob Crittenden
Post by Anthony Cheng
Would really greatly appreciate any help on this.
Also I noticed after I do ldapmodify of usercertificate binary data with
add: usercertificate;binary
You really pasted in binary? Or was this base64-encoded data?
I wonder if there is a problem in the wiki. If this is really a binary
value you should start with a DER-encoded cert and load it using
dn: uid=ipara,ou=people,o=ipaca
changetype: modify
add: usercertificate;binary
usercertificate;binary:< file:///path/to/cert.der
You can use something like openssl x509 to switch between PEM and DER
formats.
I have a vague memory that dogtag can deal with a multi-valued
usercertificate attribute.
rob
Yes the wiki stated binary, the result of:
ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b
uid=ipara,ou=People,o=ipaca -W

shows userCertificate;binary:: GJ6Q0NBbGVnQXd ...

But the actual data is from a PEM though.
Post by Rob Crittenden
Post by Anthony Cheng
Then I re-run
ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b
uid=ipara,ou=People,o=ipaca
I see 2 entries for usercertificate;binary (before modify there was only
1) but they are duplicate and NOT from data that I added. That seems
incorrect to me.
On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng
klist is actually empty; kinit admin fails. Sounds like then
getcert resubmit has a dependency on Kerberos. I can get a backup
image that has a valid ticket but it is only good for 1 day (and
dated past the cert expiry).
Also I had asked awhile back about whether there is a dependency on
DIRSRV to renew the cert; didn't get any response but I suspect
there is a dependency.
Regarding the clock skew, I found out from /var/log/message that
Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock
skew too great)
Jan 28 14:10:42 test named[2911]: loading configuration: failure
Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS
failure. Minor code may provide more information (Credentials
cache file '/tmp/krb5cc_496' not found)
I don't have a krb5cc_496 file (since klist is empty), so sounds to
me I need to get a Kerberos ticket before going any further. Also
is the file /etc/krb5.keytab access/modification time important? I
had changed time back to before the cert expiration date and rebooted
and tried to renew but the error message about clock skew is still
there. That seems strange.
Lastly, as an absolute last resort, can I regenerate a new cert myself?
https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
Starting Directory Service
PKI-IPA... [ OK ]
sample-NET... [ OK ]
Starting KDC Service
Starting Kerberos 5 KDC: [ OK ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server: [ OK ]
Starting DNS Service
Starting named: [FAILED]
Failed to start DNS Service
Shutting down
Stopping Kerberos 5 KDC: [ OK ]
Stopping Kerberos 5 Admin Server: [ OK ]
Stopping named: [ OK ]
Stopping httpd: [ OK ]
Stopping pki-ca: [ OK ]
PKI-IPA... [ OK ]
sample-NET... [ OK ]
Aborting ipactl
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
Directory Service: STOPPED
Directory Server is stopped
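Rob's LDIF above loads a DER certificate under usercertificate;binary, and Anthony then sees two values in the entry that are not the one he added. The following is an added example, not code from this thread, from FreeIPA or from Dogtag. It builds the same ldapmodify change with the DER inlined as base64 (equivalent to the file:/// form), unfolds ldapsearch output, and then checks what the entry actually holds: whether the DER of your PEM is present, under either usercertificate;binary or plain usercertificate, and whether any value is PEM text that was pasted where DER belongs. The certificates are constructed placeholder bytes with a DER SEQUENCE header, not real certificates, and the ldapsearch output is constructed in the shape Anthony quotes.

```python
"""Add a DER certificate to the RA agent entry under usercertificate;binary and
check what ldapsearch then shows, including the PEM-pasted-as-binary mistake."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Strip the PEM armour and base64-decode: the same bytes that
    `openssl x509 -in cert.pem -outform DER` writes."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def fold_ldif_line(line, width=76):
    """LDIF folds long lines: break at `width`, continuation lines start with one space."""
    parts = [line[:width]]
    parts += [" " + line[i:i + width - 1] for i in range(width, len(line), width - 1)]
    return "\n".join(parts) + "\n"


def ldif_add_usercertificate(dn, der, attr="usercertificate;binary"):
    """ldapmodify input equivalent to Rob's 'usercertificate;binary:< file:///path/to/cert.der',
    with the DER inlined as base64 ('::') so no file is needed on the server."""
    b64 = base64.b64encode(der).decode("ascii")
    return f"dn: {dn}\nchangetype: modify\nadd: {attr}\n" + fold_ldif_line(f"{attr}:: {b64}")


def parse_ldif_entry(ldif_text):
    """Unfold ldapsearch output into {attribute: [values]}; attribute names are
    lower-cased, '::' values come back as bytes, ':' values as str."""
    attrs = {}
    for line in re.sub(r"\n ", "", ldif_text).splitlines():
        m = re.match(r"^([^:#][^:]*)(::?) ?(.*)$", line)
        if not m:
            continue
        name, sep, value = m.groups()
        attrs.setdefault(name.lower(), []).append(base64.b64decode(value) if sep == "::" else value)
    return attrs


def check_loaded(ldapsearch_output, pem_text):
    """Compare the DER form of `pem_text` against every certificate value the entry
    holds, with or without the ;binary subtype, and count values that are PEM text
    rather than DER (a DER certificate starts with the SEQUENCE tag 0x30)."""
    der = pem_to_der(pem_text)
    entry = parse_ldif_entry(ldapsearch_output)
    values = entry.get("usercertificate;binary", []) + entry.get("usercertificate", [])
    return {
        "der_present": der in values,
        "total": len(values),
        "der_values": sum(1 for v in values if isinstance(v, bytes) and v[:1] == b"\x30"),
        "pem_values": sum(1 for v in values if isinstance(v, bytes) and v.startswith(b"-----BEGIN")),
    }


# Constructed placeholders: DER SEQUENCE headers over dummy bytes, not real certificates.
OLD_DER = b"\x30\x82\x00\x40" + bytes(range(64))
NEW_DER = b"\x30\x82\x00\x78" + bytes(range(120))
NEW_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(NEW_DER).decode("ascii")
           + "\n-----END CERTIFICATE-----\n")
RA_DN = "uid=ipara,ou=People,o=ipaca"

# Constructed ldapsearch output: the entry as Anthony saw it, two copies of an old value.
OLD_VALUE = fold_ldif_line("userCertificate;binary:: " + base64.b64encode(OLD_DER).decode("ascii"))
BEFORE = f"dn: {RA_DN}\n" + OLD_VALUE + OLD_VALUE
# The entry after a correct add of NEW_DER, and after mistakenly adding the PEM text itself.
AFTER_OK = BEFORE + fold_ldif_line("userCertificate;binary:: " + base64.b64encode(NEW_DER).decode("ascii"))
AFTER_PEM = BEFORE + fold_ldif_line("userCertificate;binary:: " + base64.b64encode(NEW_PEM.encode()).decode("ascii"))

if __name__ == "__main__":
    print(ldif_add_usercertificate(RA_DN, pem_to_der(NEW_PEM)))
    for label, output in (("before", BEFORE), ("after DER add", AFTER_OK), ("after PEM add", AFTER_PEM)):
        print(label, check_loaded(output, NEW_PEM))
```

Pipe the output of the ldapsearch Anthony ran into check_loaded together with the PEM you intended to load; "der_present: False" with a non-zero "total" is exactly the duplicate-but-not-mine situation he describes, and a non-zero "pem_values" means the PEM text, not the certificate, was stored.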
Rob Crittenden
2016-05-02 13:54:22 UTC
Permalink
Post by Anthony Cheng
Post by Anthony Cheng
OK so I made progress on my cert renew issue; I was able to get kinit
working so I can follow the rest of the steps here
(http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
However, after using
ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w
password
and restarting apache (/sbin/service httpd restart), resubmitting 3
certs (ipa-getcert resubmit -i <ID>) and restarting IPA (resubmit
-i <ID>)
Number of certificates and requests being tracked: 8.
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed
at server. Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)).
IPA proxies requests to the CA through Apache. This means that while
tomcat started ok it didn't load the dogtag CA application, hence the
Not Found.
Check the CA debug and selftest logs to see why it failed to start properly.
[ snip ]
Actually after a reboot that error went away and I just get this error
instead "ca-error: Server failed request, will retry: -504 (libcurl
failed to execute the HTTP POST transaction. Peer certificate cannot be
authenticated with known CA certificates)." from "getcert list"
Result of service ipa restart is interesting since it shows today's time
when I already changed date/time/disabled NTP, so somehow the system still
knows today's time.
CERT_VerifyCertificateNow: verify certificate failed for cert
Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
Runtime error -8181 - Peer's Certificate has expired.)
Hard to say. I'd confirm that there is no time syncing service running,
ntp or otherwise.
Post by Anthony Cheng
Post by Anthony Cheng
Would really greatly appreciate any help on this.
Also I noticed after I do ldapmodify of usercertificate binary
data with
add: usercertificate;binary
You really pasted in binary? Or was this base64-encoded data?
I wonder if there is a problem in the wiki. If this is really a binary
value you should start with a DER-encoded cert and load it using
dn: uid=ipara,ou=people,o=ipaca
changetype: modify
add: usercertificate;binary
usercertificate;binary:< file:///path/to/cert.der
You can use something like openssl x509 to switch between PEM and DER
formats.
I have a vague memory that dogtag can deal with a multi-valued
usercertificate attribute.
rob
ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b
uid=ipara,ou=People,o=ipaca -W
shows userCertificate;binary:: GJ6Q0NBbGVnQXd ...
But the actual data is from a PEM though.
Ok. So I looked at my CA data and it doesn't use the binary subtype, so
my entries look like:

userCertificate:: MIID....

It might make a difference if dogtag is looking for the subtype or not.

rob
Post by Anthony Cheng
Post by Anthony Cheng
Then I re-run
ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W
-b uid=ipara,ou=People,o=ipaca
I see 2 entries for usercertificate;binary (before modify there
was only 1) but they are duplicate and NOT from data that I added.
That seems incorrect to me.
stuck: no
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Post by Anthony Cheng
Post by Anthony Cheng
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Post by Anthony Cheng
Post by Anthony Cheng
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net
<http://test.sample.net> <http://test.sample.net>
Post by Anthony Cheng
<http://test.sample.net>,O=sample.NET
Post by Anthony Cheng
expires: 2016-01-29 14:09:45 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to
"http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
Post by Anthony Cheng
Post by Anthony Cheng
stuck: yes
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
Post by Anthony Cheng
Post by Anthony Cheng
cert-pki-ca',token='NSS Certificate DB',pin='297100916664
'
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
Post by Anthony Cheng
Post by Anthony Cheng
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=CA Audit,O=sample.NET
expires: 2017-10-13 14:10:49 UTC
/usr/lib64/ipa/certmonger/stop_pkicad
Post by Anthony Cheng
/usr/lib64/ipa/certmonger/renew_ca_cert
Post by Anthony Cheng
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to
"http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
Post by Anthony Cheng
Post by Anthony Cheng
stuck: yes
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
Post by Anthony Cheng
Post by Anthony Cheng
cert-pki-ca',token='NSS Certificate DB',pin='297100916664
'
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
Post by Anthony Cheng
Post by Anthony Cheng
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=OCSP Subsystem,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-OCSPSigning
/usr/lib64/ipa/certmonger/stop_pkicad
Post by Anthony Cheng
/usr/lib64/ipa/certmonger/renew_ca_cert
Post by Anthony Cheng
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to
"http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
Post by Anthony Cheng
Post by Anthony Cheng
stuck: yes
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
Post by Anthony Cheng
Post by Anthony Cheng
cert-pki-ca',token='NSS Certificate DB',pin='297100916664
'
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
Post by Anthony Cheng
Post by Anthony Cheng
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=CA Subsystem,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
/usr/lib64/ipa/certmonger/stop_pkicad
Post by Anthony Cheng
/usr/lib64/ipa/certmonger/renew_ca_cert
Post by Anthony Cheng
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
status: MONITORING
ca-error: Internal error: no response to
"http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
Post by Anthony Cheng
Post by Anthony Cheng
stuck: no
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Post by Anthony Cheng
Certificate
Post by Anthony Cheng
DB',pinfile='/etc/httpd/alias/pwdfile.txt'
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Post by Anthony Cheng
Certificate DB'
Post by Anthony Cheng
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=RA Subsystem,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
/usr/lib64/ipa/certmonger/renew_ra_cert
Post by Anthony Cheng
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to
"http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
Post by Anthony Cheng
Post by Anthony Cheng
stuck: yes
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
Post by Anthony Cheng
Post by Anthony Cheng
cert-pki-ca',token='NSS Certificate DB',pin='297100916664
'
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
Post by Anthony Cheng
Post by Anthony Cheng
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net
<http://test.sample.net> <http://test.sample.net>
Post by Anthony Cheng
<http://test.sample.net>,O=sample.NET
Post by Anthony Cheng
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
track: yes
auto-renew: yes
--
Thanks, Anthony
Hello Anthony!
After stopping NTP (or other time synchronizing service) and setting time manually the server really doesn't have a way to determine that its time differs from the real one.
I think this might be an issue with the Kerberos ticket. You can show the content of root's ticket cache using klist. If there is anything, clean it with kdestroy and try to resubmit the request again.
--
David Kupka
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
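The `getcert list` output quoted in this thread is what an admin has to read through to find the requests that actually need attention. The following is an added example, not code from the thread, from certmonger or from FreeIPA: a small Python triage script that parses the `getcert list` format, flags every request that is stuck, not in MONITORING, carrying a ca-error, or past its expiry as of an explicitly supplied clock value, and maps the ca-error strings seen in this thread to the subsystem to look at first. The sample listing is constructed in the shape of the thread's own entries (the token PIN is a placeholder), and the hint table is this example's reading of the diagnoses given in the replies (Kerberos clock skew, CA not responding, CMS not found behind Apache, peer certificate not validating); it is an assumption about how to read those strings, not certmonger's own classification.

```python
"""Triage `getcert list` output (added example; not FreeIPA or certmonger code)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the listings quoted in this thread;
# the PIN value is a placeholder, not a real token PIN.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20111214223243':
        status: MONITORING
        ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
        CA: IPA
        subject: CN=test.sample.net,O=sample.NET
        expires: 2016-01-29 14:09:46 UTC
Request ID '20111214223314':
        status: NEED_CSR_GEN_PIN
        ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='PIN-PLACEHOLDER'
        CA: dogtag-ipa-renew-agent
        subject: CN=CA Audit,O=sample.NET
        expires: 2017-10-13 14:10:49 UTC
Request ID '20111214223400':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        CA: dogtag-ipa-renew-agent
        subject: CN=RA Subsystem,O=sample.NET
        expires: 2017-10-13 14:09:49 UTC
"""

REQUEST_ID_RE = re.compile(r"^Request ID '([^']+)':\s*$")
TIME_FORMAT = "%Y-%m-%d %H:%M:%S UTC"  # how certmonger prints "expires:"

# ca-error substrings seen in this thread, mapped to the first thing to check.
# This reading is the example's own, drawn from the replies in the thread.
ERROR_HINTS = (
    ("Clock skew too great", "kerberos: host clock differs from the KDC; fix time sync, then klist/kdestroy and resubmit"),
    ("Unable to communicate with CMS", "CA app: Apache reached tomcat but the dogtag CA application is not loaded; read the CA debug and selftest logs"),
    ("no response to", "CA unreachable: the dogtag CA never answered the profileSubmit request; check that the CA is running"),
    ("Peer certificate cannot be authenticated", "TLS trust: the CA's server certificate did not validate (expired or untrusted chain)"),
)


def parse_getcert_list(text):
    """Parse `getcert list` output into one {field: value} dict per tracked request."""
    requests, current = [], None
    for raw in text.splitlines():
        match = REQUEST_ID_RE.match(raw)
        if match:
            current = {"id": match.group(1)}
            requests.append(current)
            continue
        line = raw.strip()
        if current is None or ":" not in line:
            continue  # the "Number of certificates ..." header, or noise
        key, _, value = line.partition(":")  # first colon only: values contain ':' (URLs, ca-error text)
        current[key.strip()] = value.strip()
    return requests


def classify_error(message):
    """Map a ca-error string to a hint about which subsystem to look at first."""
    for needle, hint in ERROR_HINTS:
        if needle in message:
            return hint
    return "unclassified: read the full ca-error text"


def triage(requests, now_utc, warn_days=28):
    """Return {request id: [reasons]}; now_utc uses certmonger's own time format so the clock is explicit."""
    now = datetime.strptime(now_utc, TIME_FORMAT).replace(tzinfo=timezone.utc)
    findings = {}
    for req in requests:
        reasons = []
        if req.get("status") != "MONITORING":
            reasons.append("status %s" % req.get("status"))
        if req.get("stuck") == "yes":
            reasons.append("stuck")
        if req.get("ca-error"):
            reasons.append("ca-error: " + classify_error(req["ca-error"]))
        if req.get("expires"):
            expires = datetime.strptime(req["expires"], TIME_FORMAT).replace(tzinfo=timezone.utc)
            if expires <= now:
                reasons.append("expired " + req["expires"])
            elif expires - now < timedelta(days=warn_days):
                reasons.append("expires within %d days" % warn_days)
        if reasons:
            findings[req["id"]] = reasons
    return findings


if __name__ == "__main__":
    import sys  # usage on a server: getcert list | python3 getcert_triage.py
    text = SAMPLE_GETCERT_LIST if sys.stdin.isatty() else sys.stdin.read()
    for req_id, reasons in triage(parse_getcert_list(text), datetime.now(timezone.utc).strftime(TIME_FORMAT)).items():
        print(req_id, *reasons, sep="\n    ")
```

The clock is passed in rather than read implicitly on purpose: the thread's whole problem is a host whose idea of "now" kept changing (hardware clock reset, then VM tools re-syncing it at boot), so a triage run should state which time it judged expiry against.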
Anthony Cheng
2016-05-02 21:35:57 UTC
Post by Rob Crittenden
Post by Anthony Cheng
Post by Anthony Cheng
OK so I made progress on my cert renew issue; I was able to get kinit working so I can follow the rest of the steps here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
However, after using
ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
and restarting apache (/sbin/service httpd restart), resubmitting 3 certs (ipa-getcert resubmit -i <ID>) and restarting IPA (resubmit -i <ID>)
Number of certificates and requests being tracked: 8.
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
IPA proxies requests to the CA through Apache. This means that while
tomcat started ok it didn't load the dogtag CA application, hence the
Not Found.
Check the CA debug and selftest logs to see why it failed to start properly.
[ snip ]
Actually after a reboot that error went away and I just get this error instead "ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates)." from "getcert list"
Result of service ipa restart is interesting since it shows today's time when I already changed date/time/disabled NTP, so somehow the system still knows today's time.
CERT_VerifyCertificateNow: verify certificate failed for cert
Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
Runtime error -8181 - Peer's Certificate has expired.)
Hard to say. I'd confirm that there is no time syncing service running,
ntp or otherwise.
I found out why the time kept changing; it was due to the fact that it has VM tools installed (I didn't configure this box) so it automatically syncs time during bootup.

I did still see this error message:

ca-error: Server failed request, will retry: 4301 (RPC failed at server.
Certificate operation cannot be completed: Unable to communicate with CMS
(Not Found))

I tried the step http://www.freeipa.org/page/Troubleshooting with

certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt
openssl x509 -text -in /tmp/ra.crt
certutil -A -n ipaCert -d /etc/httpd/alias -t u,u,u -a -i /tmp/ra.crt
service httpd restart

So that I can get rid of one of the CA certs that is expired (kept the 1st one) but still getting the same error

What exactly is CMS and why is it not found?


I did notice that the selftest log is empty with a different time:

-rw-r-----. 1 pkiuser pkiuser 0 Nov 23 14:11 /var/log/pki-ca/selftests.log

[***@test ~]# clock Wed 27 Jan 2016 03:33:00 PM UTC -0.046800 seconds


Here are some debug log after reboot:

[***@test pki-ca]# tail -n 100 catalina.out

INFO: JK: ajp13 listening on /0.0.0.0:9447

Jan 27, 2016 2:45:31 PM org.apache.jk.server.JkMain start

INFO: Jk running ID=0 time=1/23 config=null

Jan 27, 2016 2:45:31 PM org.apache.catalina.startup.Catalina start

INFO: Server startup in 1722 ms

Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause

INFO: Pausing Coyote HTTP/1.1 on http-9180

Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause

INFO: Pausing Coyote HTTP/1.1 on http-9443

Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause

INFO: Pausing Coyote HTTP/1.1 on http-9445

Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause

INFO: Pausing Coyote HTTP/1.1 on http-9444

Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause

INFO: Pausing Coyote HTTP/1.1 on http-9446

Jan 27, 2016 2:56:22 PM org.apache.catalina.core.StandardService stop

INFO: Stopping service Catalina

Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads

SEVERE: A web application appears to have started a thread named [Timer-0] but has failed to stop it. This is very likely to create a memory leak.

Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads

SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.flush-4] but has failed to stop it. This is very likely to create a memory leak.

Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads

SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.rollover-6] but has failed to stop it. This is very likely to create a memory leak.

Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads

SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.flush-6] but has failed to stop it. This is very likely to create a memory leak.

Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads

SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.rollover-8] but has failed to stop it. This is very likely to create a memory leak.

Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads

SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.flush-9] but has failed to stop it. This is very likely to create a memory leak.

Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads

SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.rollover-10] but has failed to stop it. This is very likely to create a memory leak.

Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads

SEVERE: A web application appears to have started a thread named [LDAPConnThread-2 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.

Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads

SEVERE: A web application appears to have started a thread named [LDAPConnThread-3 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.

Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads

SEVERE: A web application appears to have started a thread named [LDAPConnThread-4 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.

Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap

SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$***@228b677f]) and a value of type [java.text.SimpleDateFormat] (value [***@d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.

Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap

SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$***@228b677f]) and a value of type [java.text.SimpleDateFormat] (value [***@d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.

Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy

INFO: Stopping Coyote HTTP/1.1 on http-9180

Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy

INFO: Stopping Coyote HTTP/1.1 on http-9443

Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy

INFO: Stopping Coyote HTTP/1.1 on http-9445

Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy

INFO: Stopping Coyote HTTP/1.1 on http-9444

Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy

INFO: Stopping Coyote HTTP/1.1 on http-9446

Jan 27, 2016 2:57:36 PM org.apache.catalina.core.AprLifecycleListener init

INFO: The APR based Apache Tomcat Native library which allows optimal
performance in production environments was not found on the
java.library.path:
/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib

Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init

INFO: Initializing Coyote HTTP/1.1 on http-9180

Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported
by NSS. This is probably O.K. unless ECC support has been installed.

Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported
by NSS. This is probably O.K. unless ECC support has been installed.

Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init

INFO: Initializing Coyote HTTP/1.1 on http-9443

Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported
by NSS. This is probably O.K. unless ECC support has been installed.

Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported
by NSS. This is probably O.K. unless ECC support has been installed.

Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init

INFO: Initializing Coyote HTTP/1.1 on http-9445

Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported
by NSS. This is probably O.K. unless ECC support has been installed.

Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported
by NSS. This is probably O.K. unless ECC support has been installed.

Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init

INFO: Initializing Coyote HTTP/1.1 on http-9444

Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported
by NSS. This is probably O.K. unless ECC support has been installed.

Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported
by NSS. This is probably O.K. unless ECC support has been installed.

Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init

INFO: Initializing Coyote HTTP/1.1 on http-9446

Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.Catalina load

INFO: Initialization processed in 2198 ms

Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardService start

INFO: Starting service Catalina

Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardEngine start

INFO: Starting Servlet Engine: Apache Tomcat/6.0.24

Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.HostConfig
deployDirectory

INFO: Deploying web application directory ROOT

Jan 27, 2016 2:57:38 PM org.apache.catalina.startup.HostConfig
deployDirectory

INFO: Deploying web application directory ca

64-bit osutil library loaded

64-bit osutil library loaded

Certificate object not found

Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start

INFO: Starting Coyote HTTP/1.1 on http-9180

Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start

INFO: Starting Coyote HTTP/1.1 on http-9443

Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start

INFO: Starting Coyote HTTP/1.1 on http-9445

Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start

INFO: Starting Coyote HTTP/1.1 on http-9444

Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start

INFO: Starting Coyote HTTP/1.1 on http-9446

Jan 27, 2016 2:57:40 PM org.apache.jk.common.ChannelSocket init

INFO: JK: ajp13 listening on /0.0.0.0:9447

Jan 27, 2016 2:57:40 PM org.apache.jk.server.JkMain start

INFO: Jk running ID=0 time=0/40 config=null

Jan 27, 2016 2:57:40 PM org.apache.catalina.startup.Catalina start

INFO: Server startup in 2592 ms

[***@test pki-ca]# tail -n 100 debug

[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
subjectAltNameExtDefaultImpl Subject Alternative Name Extension Default
Subject Alternative Name Extension Default
com.netscape.cms.profile.def.SubjectAltNameExtDefault

[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
userValidityDefaultImpl User Supplied Validity Default User Supplied
Validity Default com.netscape.cms.profile.def.UserValidityDefault

[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
userSubjectNameDefaultImpl User Supplied Subject Name Default User Supplied
Subject Name Default com.netscape.cms.profile.def.UserSubjectNameDefault

[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
subjectDirAttributesExtDefaultImpl Subject Directory Attributes Extension
Default Subject Directory Attributes Extension Default
com.netscape.cms.profile.def.SubjectDirAttributesExtDefault

[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
certificateVersionDefaultImpl Certificate Version Default Certificate
Version Default com.netscape.cms.profile.def.CertificateVersionDefault

[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
extendedKeyUsageExtDefaultImpl Extended Key Usage Extension Default
Extended Key Usage Extension Default
com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault

[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
policyConstraintsExtDefaultImpl Policy Constraints Extension Default Policy
Constraints Extension Default
com.netscape.cms.profile.def.PolicyConstraintsExtDefault

[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
crlDistributionPointsExtDefaultImpl CRL Distribution Points Extension
Default CRL Distribution Points Extension Default
com.netscape.cms.profile.def.CRLDistributionPointsExtDefault

[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
certificatePoliciesExtDefaultImpl Certificate Policies Extension Default
Certificate Policies Extension Default
com.netscape.cms.profile.def.CertificatePoliciesExtDefault

[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
validityDefaultImpl Validity Default Validty Default
com.netscape.cms.profile.def.ValidityDefault

[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
privateKeyPeriodExtDefaultImpl Private Key Period Ext Default Private Key
Period Ext Default
com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault

[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy noDefaultImpl No
Default No Default com.netscape.cms.profile.def.NoDefault

[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy imageDefaultImpl
Image Default Image Default com.netscape.cms.profile.def.ImageDefault

[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
subjectInfoAccessExtDefaultImpl Subject Info Access Extension Default
Subject Info Access Extension Default
com.netscape.cms.profile.def.SubjectInfoAccessExtDefault

[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
autoAssignDefaultImpl Auto Request Assignment Default Auto Request
Assignment Default com.netscape.cms.profile.def.AutoAssignDefault

[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
policyMappingsExtDefaultImpl Policy Mappings Extension Default Policy
Mappings Extension Default
com.netscape.cms.profile.def.PolicyMappingsExtDefault

[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
caValidityDefaultImpl CA Certificate Validity Default CA Certificate
Validty Default com.netscape.cms.profile.def.CAValidityDefault

[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
userExtensionDefaultImpl User Supplied Extension Default User Supplied
Extension Default com.netscape.cms.profile.def.UserExtensionDefault

[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
nsCertTypeExtDefaultImpl Netscape Certificate Type Extension Default
Netscape Certificate Type Extension Default
com.netscape.cms.profile.def.NSCertTypeExtDefault

[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
authTokenSubjectNameDefaultImpl Token Supplied Subject Name Default Token
Supplied Subject Name Default
com.netscape.cms.profile.def.AuthTokenSubjectNameDefault

[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
subjectNameDefaultImpl Subject Name Default Subject Name Default
com.netscape.cms.profile.def.SubjectNameDefault

[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
userSigningAlgDefaultImpl User Supplied Signing Alg Default User Supplied
Signing Alg Default com.netscape.cms.profile.def.UserSigningAlgDefault

[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
subjectKeyIdentifierExtDefaultImpl Subject Key Identifier Default Subject
Key Identifier Default
com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault

[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy Extension Default Inhibit
Any-Policy Extension Default
com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault

[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
nsTokenDeviceKeySubjectNameDefaultImpl nsTokenDeviceKeySubjectNameDefault
nsTokenDeviceKeySubjectNameDefaultImpl
com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault

[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
nscCommentExtDefaultImpl Netscape Comment Extension Default Netscape
Comment Extension Default com.netscape.cms.profile.def.NSCCommentExtDefault

[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
signingAlgDefaultImpl Signing Algorithm Default Signing Algorithm Default
com.netscape.cms.profile.def.SigningAlgDefault

[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
nameConstraintsExtDefaultImpl Name Constraints Extension Default Name
Constraints Extension Default
com.netscape.cms.profile.def.NameConstraintsExtDefault

[27/Jan/2016:15:30:43][main]: added plugin profileUpdater
subsystemGroupUpdaterImpl Updater for Subsystem Group Updater for Subsystem
Group com.netscape.cms.profile.updater.SubsystemGroupUpdater

[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=registry

[27/Jan/2016:15:30:43][main]: CMSEngine: initialized registry

[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=oidmap

[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=oidmap

[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=oidmap

[27/Jan/2016:15:30:43][main]: CMSEngine: initialized oidmap

[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=X500Name

[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=X500Name

[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=X500Name

[27/Jan/2016:15:30:43][main]: CMSEngine: initialized X500Name

[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=request

[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=request

[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=request

[27/Jan/2016:15:30:43][main]: CMSEngine: initialized request

[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=ca

[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=ca

[27/Jan/2016:15:30:43][main]: CertificateAuthority init

[27/Jan/2016:15:30:43][main]: Cert Repot inited

[27/Jan/2016:15:30:43][main]: CRL Repot inited

[27/Jan/2016:15:30:43][main]: Replica Repot inited

[27/Jan/2016:15:30:43][main]: ca.signing Signing Unit nickname
caSigningCert cert-pki-ca

[27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name

[27/Jan/2016:15:30:43][main]: Found cert by nickname: 'caSigningCert
cert-pki-ca' with serial number: 1

[27/Jan/2016:15:30:43][main]: converted to x509CertImpl

[27/Jan/2016:15:30:43][main]: Got private key from cert

[27/Jan/2016:15:30:43][main]: Got public key from cert

[27/Jan/2016:15:30:43][main]: got signing algorithm
RSASignatureWithSHA256Digest

[27/Jan/2016:15:30:43][main]: CA signing unit inited

[27/Jan/2016:15:30:43][main]: cachainNum= 0

[27/Jan/2016:15:30:43][main]: in init - got CA chain from JSS.

[27/Jan/2016:15:30:43][main]: ca.ocsp_signing Signing Unit nickname
ca.ocsp_signing.cert

[27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name

[27/Jan/2016:15:30:43][main]: SigningUnit init: debug
org.mozilla.jss.crypto.ObjectNotFoundException

[27/Jan/2016:15:30:43][main]: CMS:Caught EBaseException

Certificate object not found

at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)

at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1204)

at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)

at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)

at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)

at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)

at com.netscape.certsrv.apps.CMS.init(CMS.java:153)

at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)

at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)

at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)

at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)

at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)

at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)

at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)

at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)

at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)

at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)

at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)

at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)

at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)

at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)

at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)

at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)

at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)

at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)

at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)

at org.apache.catalina.core.StandardService.start(StandardService.java:516)

at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)

at org.apache.catalina.startup.Catalina.start(Catalina.java:593)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.lang.reflect.Method.invoke(Method.java:616)

at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)

at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)

[27/Jan/2016:15:30:43][main]: CMSEngine.shutdown()
Post by Rob Crittenden
Post by Anthony Cheng
Post by Anthony Cheng
Would really greatly appreciate any help on this.
Also I noticed after I do ldapmodify of usercertificate binary data with
add: usercertificate;binary
You really pasted in binary? Or was this base64-encoded data?
I wonder if there is a problem in the wiki. If this is really a binary value you should start with a DER-encoded cert and load it using
dn: uid=ipara,ou=people,o=ipaca
changetype: modify
add: usercertificate;binary
usercertificate;binary:< file:///path/to/cert.der
You can use something like openssl x509 to switch between PEM and DER
formats.
I have a vague memory that dogtag can deal with a multi-valued
usercertificate attribute.
rob
ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b
uid=ipara,ou=People,o=ipaca -W
shows userCertificate;binary:: GJ6Q0NBbGVnQXd ...
But the actual data is from a PEM though.
Ok. So I looked at my CA data and it doesn't use the binary subtype, so
userCertificate:: MIID....
It might make a difference if dogtag is looking for the subtype or not.
rob
Post by Anthony Cheng
Post by Anthony Cheng
Then I re-run
ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca
I see 2 entries for usercertificate;binary (before modify there was only 1) but they are duplicate and NOT from data that I added. That seems incorrect to me.
On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng
klist is actually empty; kinit admin fails. Sounds like then getcert
resubmit has a dependency on Kerberos. I can get a backup image that has
a valid ticket but it is only good for 1 day (and dated past the cert
expiry).
Also I had asked a while back about whether there is a dependency on
DIRSRV to renew the cert; didn't get any response but I suspect there is
a dependency.
Regarding the clock skew, I found out from /var/log/message that
Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great)
failure
Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)
I don't have a krb5cc_496 file (since klist is empty), so sounds to me
I need to get a Kerberos ticket before going any further. Also is the
file /etc/krb5.keytab access/modification time important? I had changed
the time back to before the cert expiration date and rebooted and tried
to renew but the error message about clock skew is still there. That
seems strange.
Lastly, as an absolute last resort, can I regenerate a new cert myself?
https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
Post by Anthony Cheng
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
Starting Directory Service
PKI-IPA... [ OK ]
sample-NET... [ OK ]
Starting KDC Service
Starting Kerberos 5 KDC: [ OK ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server: [ OK ]
Starting DNS Service
[FAILED]
Failed to start DNS Service
Shutting down
Stopping Kerberos 5 KDC: [ OK ]
Stopping Kerberos 5 Admin Server: [ OK ]
Stopping named: [ OK ]
Stopping httpd: [ OK ]
Stopping pki-ca: [ OK ]
PKI-IPA... [ OK ]
sample-NET... [ OK ]
Aborting ipactl
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
Directory Service: STOPPED
Directory Server is stopped
On Thu, Apr 28, 2016 at 3:21 AM David Kupka
Post by Anthony Cheng
Hi list,
I am trying to renew expired certificates following the manual renewal
procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
but even with resetting the system/hardware clock to a time before
expires, I am getting the error "ca-error: Error setting up ccache for
local "host" service using default keytab: Clock skew too great."
With NTP disabled and the clock reset why would it complain about clock
skew and how does it even know about the current time?
Number of certificates and requests being tracked: 8.
status: MONITORING
ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:46 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
status: MONITORING
ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:45 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
status: MONITORING
ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:45 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
stuck: yes
key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=CA Audit,O=sample.NET
expires: 2017-10-13 14:10:49 UTC
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
stuck: yes
key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=OCSP Subsystem,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
stuck: yes
key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=CA Subsystem,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
status: MONITORING
ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=RA Subsystem,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
stuck: yes
key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
track: yes
auto-renew: yes
--
Thanks, Anthony
Hello Anthony!
After stopping NTP (or other time synchronizing service) and setting
the time manually the server really doesn't have a way to determine that
its time differs from the real one.
I think this might be an issue with the Kerberos ticket. You can show the
content of root's ticket cache using klist. If there is anything, clean
it with kdestroy and try to resubmit the request again.
--
David Kupka
--
Thanks, Anthony
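The PEM-versus-DER point in Rob's quoted reply above (load a DER file with ldapmodify's `:<` form; ldapsearch then prints the stored bytes base64-encoded after `::`) is where the "duplicate, not my data" confusion in this thread most likely comes from: the value fragment shown, `...Q0NBbGVnQXd...`, base64-decodes to the ASCII text `CCAlegAw`, which looks like a slice of a PEM body rather than a DER SEQUENCE. The following Python is an added example, not code from this thread, from FreeIPA or from Dogtag. It builds the LDIF record from DER, and classifies an `attr:: value` line the way an administrator would check the ipara entry. The certificate bytes are a constructed stand-in (a DER SEQUENCE header over filler), not a real certificate, and the DN and attribute name are the ones quoted in the thread; nothing here talks to a directory server.

```python
import base64
import re

# Constructed stand-in for a DER certificate: SEQUENCE tag (0x30) with a
# two-byte length (0x82 0x01 0x0a = 266) over filler. It is NOT a real cert;
# it only has the leading bytes a real one has.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"\xde\xad\xbe\xef" + b"\x00" * 6

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: bytes) -> bytes:
    """Strip the PEM armour and base64-decode the body (what `openssl x509 -outform DER` yields)."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode(b"".join(m.group(1).split()))


def der_to_pem(der: bytes) -> bytes:
    """Inverse of pem_to_der: base64 body wrapped at 64 columns inside the armour."""
    body = base64.b64encode(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")


def looks_like_der_certificate(raw: bytes) -> bool:
    """A DER certificate starts with a SEQUENCE tag and a long-form length
    (0x30 0x82 for 256..65535 bytes, 0x81/0x83 for the neighbouring ranges)."""
    return len(raw) > 4 and raw[0] == 0x30 and raw[1] in (0x81, 0x82, 0x83)


def ldif_add_certificate(dn: str, attr: str, der: bytes) -> str:
    """Build an LDIF modify record. '::' means the value that follows is the
    base64 of the raw bytes; ldapmodify's ':<' form reads the same raw bytes
    from a file instead. Either way the bytes stored must be DER."""
    if not looks_like_der_certificate(der):
        raise ValueError("value is not DER; convert PEM to DER first")
    return (f"dn: {dn}\nchangetype: modify\nadd: {attr}\n"
            f"{attr}:: {base64.b64encode(der).decode('ascii')}\n")


def classify_ldif_value(line: str) -> str:
    """Decode one 'attr:: base64' line as printed by ldapsearch and report
    what was actually stored in the directory."""
    _attr, sep, value = line.partition("::")
    if not sep:
        return "plain value"
    raw = base64.b64decode(value.strip())
    if raw.startswith(b"-----BEGIN"):
        return "PEM text"          # whole PEM file loaded as the binary value
    if looks_like_der_certificate(raw):
        return "DER"               # the correct encoding
    try:
        raw.decode("ascii")
        return "base64 text"       # PEM body ('MIID...') stored, then base64-ed again
    except UnicodeDecodeError:
        return "unknown binary"


def demo() -> dict:
    """Classify three ways the same certificate can end up in the ipara entry."""
    dn = "uid=ipara,ou=people,o=ipaca"      # DN quoted in the thread
    attr = "userCertificate;binary"          # attribute subtype quoted in the thread
    pem = der_to_pem(SAMPLE_DER)
    pem_body = b"".join(PEM_RE.search(pem).group(1).split())
    correct = ldif_add_certificate(dn, attr, SAMPLE_DER).splitlines()[-1]
    whole_pem = f"{attr}:: {base64.b64encode(pem).decode('ascii')}"
    body_only = f"{attr}:: {base64.b64encode(pem_body).decode('ascii')}"
    return {
        "round_trip_ok": pem_to_der(pem) == SAMPLE_DER,
        "der_loaded": classify_ldif_value(correct),
        "pem_file_loaded": classify_ldif_value(whole_pem),
        "pem_body_loaded": classify_ldif_value(body_only),
    }


if __name__ == "__main__":
    for key, result in demo().items():
        print(f"{key}: {result}")
```

Running it against the real entry means pasting the `userCertificate;binary::` line from `ldapsearch` into `classify_ldif_value`; a result other than "DER" explains why Dogtag would not recognise the value, and `ldif_add_certificate` gives the record to load after converting with `openssl x509 -outform DER`.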
Anthony Cheng
2016-05-03 21:15:49 UTC
Small update, I found an article on the RH solution library (
https://access.redhat.com/solutions/2020223) that has the same error code
that I am getting and I followed the steps with certutil to update the cert
attributes but it is still not working. The article is listed as "Solution
in Progress".

[***@test ~]# getcert list | more
Number of certificates and requests being tracked: 7.
Request ID '20111214223243':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
stuck: yes
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-SAMPLE-NET//pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=SAMPLE.NET
subject: CN=caer.SAMPLE.net,O=SAMPLE.NET
expires: 2016-01-29 14:09:46 UTC
eku: id-kp-serverAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Post by Anthony Cheng
OK so I made progress on my cert renew issue; I was able to get kinit
working so I can follow the rest of the steps here
(http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
However, after using
ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
and restarting apache (/sbin/service httpd restart), resubmitting 3
certs (ipa-getcert resubmit -i <ID>) and restarting IPA (resubmit -i <ID>)
Number of certificates and requests being tracked: 8.
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
IPA proxies requests to the CA through Apache. This means that while
tomcat started ok it didn't load the dogtag CA application, hence the
Not Found.
Check the CA debug and selftest logs to see why it failed to start properly.
[ snip ]
Actually after a reboot that error went away and I just get this error
instead "ca-error: Server failed request, will retry: -504 (libcurl
failed to execute the HTTP POST transaction. Peer certificate cannot be
authenticated with known CA certificates)." from "getcert list"
Result of service ipa restart is interesting since it shows today's time
when I already changed date/time/disabled NTP so somehow the system still
knows today's time.
CERT_VerifyCertificateNow: verify certificate failed for cert
Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
Runtime error -8181 - Peer's Certificate has expired.)
Hard to say. I'd confirm that there is no time syncing service running,
ntp or otherwise.
I found out why the time kept changing; it was due to the fact that it has
VM tools installed (I didn't configure this box) so it automatically syncs
time during bootup.
ca-error: Server failed request, will retry: 4301 (RPC failed at server.
Certificate operation cannot be completed: Unable to communicate with CMS
(Not Found))
I tried the step http://www.freeipa.org/page/Troubleshooting with
certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt
openssl x509 -text -in /tmp/ra.crt
certutil -A -n ipaCert -d /etc/httpd/alias -t u,u,u -a -i /tmp/ra.crt
service httpd restart
so that I can get rid of one of the CA certs that is expired (kept the 1st
one) but still getting the same error
What exactly is CMS and why is it not found?
-rw-r-----. 1 pkiuser pkiuser 0 Nov 23 14:11 /var/log/pki-ca/selftests.log
INFO: JK: ajp13 listening on /0.0.0.0:9447
Jan 27, 2016 2:45:31 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=1/23 config=null
Jan 27, 2016 2:45:31 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 1722 ms
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9180
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9443
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9445
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9444
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9446
Jan 27, 2016 2:56:22 PM org.apache.catalina.core.StandardService stop
INFO: Stopping service Catalina
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [Timer-0] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.flush-4] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.rollover-6] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.flush-6] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.rollover-8] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.flush-9] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.rollover-10] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [LDAPConnThread-2 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [LDAPConnThread-3 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [LDAPConnThread-4 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type [null] but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type [null] but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9180
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9443
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9445
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9444
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9446
Jan 27, 2016 2:57:36 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the
/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9180
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9443
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9445
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9444
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9446
Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 2198 ms
Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.24
Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory ROOT
Jan 27, 2016 2:57:38 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory ca
64-bit osutil library loaded
64-bit osutil library loaded
Certificate object not found
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9180
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9443
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9445
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9444
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9446
Jan 27, 2016 2:57:40 PM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:9447
Jan 27, 2016 2:57:40 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/40 config=null
Jan 27, 2016 2:57:40 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 2592 ms
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectAltNameExtDefaultImpl Subject Alternative Name Extension Default Subject Alternative Name Extension Default com.netscape.cms.profile.def.SubjectAltNameExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userValidityDefaultImpl User Supplied Validity Default User Supplied Validity Default com.netscape.cms.profile.def.UserValidityDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userSubjectNameDefaultImpl User Supplied Subject Name Default User Supplied Subject Name Default com.netscape.cms.profile.def.UserSubjectNameDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectDirAttributesExtDefaultImpl Subject Directory Attributes Extension Default Subject Directory Attributes Extension Default com.netscape.cms.profile.def.SubjectDirAttributesExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy certificateVersionDefaultImpl Certificate Version Default Certificate Version Default com.netscape.cms.profile.def.CertificateVersionDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy extendedKeyUsageExtDefaultImpl Extended Key Usage Extension Default Extended Key Usage Extension Default com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy policyConstraintsExtDefaultImpl Policy Constraints Extension Default Policy Constraints Extension Default com.netscape.cms.profile.def.PolicyConstraintsExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy crlDistributionPointsExtDefaultImpl CRL Distribution Points Extension Default CRL Distribution Points Extension Default com.netscape.cms.profile.def.CRLDistributionPointsExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy certificatePoliciesExtDefaultImpl Certificate Policies Extension Default Certificate Policies Extension Default com.netscape.cms.profile.def.CertificatePoliciesExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy validityDefaultImpl Validity Default Validty Default com.netscape.cms.profile.def.ValidityDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy privateKeyPeriodExtDefaultImpl Private Key Period Ext Default Private Key Period Ext Default com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy noDefaultImpl No Default No Default com.netscape.cms.profile.def.NoDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy imageDefaultImpl Image Default Image Default com.netscape.cms.profile.def.ImageDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
subjectInfoAccessExtDefaultImpl Subject Info Access Extension Default
Subject Info Access Extension Default
com.netscape.cms.profile.def.SubjectInfoAccessExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
autoAssignDefaultImpl Auto Request Assignment Default Auto Request
Assignment Default com.netscape.cms.profile.def.AutoAssignDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
policyMappingsExtDefaultImpl Policy Mappings Extension Default Policy
Mappings Extension Default
com.netscape.cms.profile.def.PolicyMappingsExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
caValidityDefaultImpl CA Certificate Validity Default CA Certificate
Validty Default com.netscape.cms.profile.def.CAValidityDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
userExtensionDefaultImpl User Supplied Extension Default User Supplied
Extension Default com.netscape.cms.profile.def.UserExtensionDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
nsCertTypeExtDefaultImpl Netscape Certificate Type Extension Default
Netscape Certificate Type Extension Default
com.netscape.cms.profile.def.NSCertTypeExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
authTokenSubjectNameDefaultImpl Token Supplied Subject Name Default Token
Supplied Subject Name Default
com.netscape.cms.profile.def.AuthTokenSubjectNameDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
subjectNameDefaultImpl Subject Name Default Subject Name Default
com.netscape.cms.profile.def.SubjectNameDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
userSigningAlgDefaultImpl User Supplied Signing Alg Default User Supplied
Signing Alg Default com.netscape.cms.profile.def.UserSigningAlgDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
subjectKeyIdentifierExtDefaultImpl Subject Key Identifier Default Subject
Key Identifier Default
com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy Extension Default Inhibit
Any-Policy Extension Default
com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
nsTokenDeviceKeySubjectNameDefaultImpl nsTokenDeviceKeySubjectNameDefault
nsTokenDeviceKeySubjectNameDefaultImpl
com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
nscCommentExtDefaultImpl Netscape Comment Extension Default Netscape
Comment Extension Default com.netscape.cms.profile.def.NSCCommentExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
signingAlgDefaultImpl Signing Algorithm Default Signing Algorithm Default
com.netscape.cms.profile.def.SigningAlgDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
nameConstraintsExtDefaultImpl Name Constraints Extension Default Name
Constraints Extension Default
com.netscape.cms.profile.def.NameConstraintsExtDefault
[27/Jan/2016:15:30:43][main]: added plugin profileUpdater
subsystemGroupUpdaterImpl Updater for Subsystem Group Updater for Subsystem
Group com.netscape.cms.profile.updater.SubsystemGroupUpdater
[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=registry
[27/Jan/2016:15:30:43][main]: CMSEngine: initialized registry
[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=oidmap
[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=oidmap
[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=oidmap
[27/Jan/2016:15:30:43][main]: CMSEngine: initialized oidmap
[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=X500Name
[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=X500Name
[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=X500Name
[27/Jan/2016:15:30:43][main]: CMSEngine: initialized X500Name
[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=request
[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=request
[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=request
[27/Jan/2016:15:30:43][main]: CMSEngine: initialized request
[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=ca
[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=ca
[27/Jan/2016:15:30:43][main]: CertificateAuthority init
[27/Jan/2016:15:30:43][main]: Cert Repot inited
[27/Jan/2016:15:30:43][main]: CRL Repot inited
[27/Jan/2016:15:30:43][main]: Replica Repot inited
[27/Jan/2016:15:30:43][main]: ca.signing Signing Unit nickname caSigningCert cert-pki-ca
[27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name
[27/Jan/2016:15:30:43][main]: Found cert by nickname: 'caSigningCert cert-pki-ca' with serial number: 1
[27/Jan/2016:15:30:43][main]: converted to x509CertImpl
[27/Jan/2016:15:30:43][main]: Got private key from cert
[27/Jan/2016:15:30:43][main]: Got public key from cert
[27/Jan/2016:15:30:43][main]: got signing algorithm RSASignatureWithSHA256Digest
[27/Jan/2016:15:30:43][main]: CA signing unit inited
[27/Jan/2016:15:30:43][main]: cachainNum= 0
[27/Jan/2016:15:30:43][main]: in init - got CA chain from JSS.
[27/Jan/2016:15:30:43][main]: ca.ocsp_signing Signing Unit nickname ca.ocsp_signing.cert
[27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name
[27/Jan/2016:15:30:43][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
[27/Jan/2016:15:30:43][main]: CMS:Caught EBaseException
Certificate object not found
    at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
    at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1204)
    at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
    at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
    at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
    at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
    at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
    at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
    at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
    at org.apache.catalina.core.StandardService.start(StandardService.java:516)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:616)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
[27/Jan/2016:15:30:43][main]: CMSEngine.shutdown()
Post by Anthony Cheng
Would really greatly appreciate any help on this.

Also I noticed after I do ldapmodify of usercertificate binary data with

add: usercertificate;binary

You really pasted in binary? Or was this base64-encoded data?

I wonder if there is a problem in the wiki. If this is really a binary value you should start with a DER-encoded cert and load it using

dn: uid=ipara,ou=people,o=ipaca
changetype: modify
add: usercertificate;binary
usercertificate;binary:< file:///path/to/cert.der

You can use something like openssl x509 to switch between PEM and DER formats.

I have a vague memory that dogtag can deal with a multi-valued usercertificate attribute.

rob

Post by Anthony Cheng
ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b uid=ipara,ou=People,o=ipaca -W

shows userCertificate;binary:: GJ6Q0NBbGVnQXd ...

But the actual data is from a PEM though.

Ok. So I looked at my CA data and it doesn't use the binary subtype, so

userCertificate:: MIID....

It might make a difference if dogtag is looking for the subtype or not.

rob
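The exchange above turns on two details that are easy to get wrong by hand: the value loaded into userCertificate must be the DER bytes (not the PEM text), and an LDIF base64 value longer than 76 characters has to be folded with a leading space on each continuation line. The following is an added example, not code from the thread, FreeIPA or dogtag: it strips the PEM armour to get DER (what `openssl x509 -outform DER` does), then emits an LDIF modify with the cert as a `::` base64 value, either as plain `userCertificate` (the form Rob found in his CA data) or with the `;binary` subtype. The DN is the one from Rob's LDIF; the certificate bytes are a constructed placeholder, not a real certificate, and all function names are mine.

```python
import base64
import re
import textwrap

# Constructed stand-in for a PEM certificate file. The body is arbitrary bytes,
# NOT a real certificate; PEM decoding does not look inside the DER.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(textwrap.wrap(base64.b64encode(bytes(range(256)) * 3).decode(), 64))
    + "\n-----END CERTIFICATE-----\n"
)

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body; the result is DER."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def ldif_fold(line: str, width: int = 76) -> str:
    """RFC 2849 line folding: continuation lines start with exactly one space."""
    if len(line) <= width:
        return line
    head, rest = line[:width], line[width:]
    step = width - 1  # one column is taken by the leading space
    return "\n".join([head] + [" " + rest[i:i + step] for i in range(0, len(rest), step)])


def usercertificate_ldif(der: bytes, dn: str = "uid=ipara,ou=people,o=ipaca",
                         binary_subtype: bool = False) -> str:
    """Build an LDIF modify that adds the DER cert as a base64 ('::') value.

    binary_subtype=False writes 'userCertificate::', True writes
    'userCertificate;binary::'; the value bytes are the same DER either way.
    """
    attr = "userCertificate;binary" if binary_subtype else "userCertificate"
    value = base64.b64encode(der).decode("ascii")
    lines = [
        f"dn: {dn}",
        "changetype: modify",
        f"add: {attr}",
        ldif_fold(f"{attr}:: {value}"),
        "-",
    ]
    return "\n".join(lines) + "\n"


def ldif_value(ldif: str, attr: str) -> bytes:
    """Unfold the LDIF and return the decoded base64 value of attr (round-trip check)."""
    unfolded = ldif.replace("\n ", "")
    for line in unfolded.splitlines():
        if line.startswith(attr + ":: "):
            return base64.b64decode(line.split(":: ", 1)[1])
    raise KeyError(attr)


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print(usercertificate_ldif(der))
```

Feed the output to `ldapmodify -x -D 'cn=directory manager' -W -f cert.ldif` against the CA's directory server (port 7389 in this thread) and then confirm with `ldapsearch` that exactly one new userCertificate value appeared and that it decodes to the DER you loaded; the round-trip helper above is the same check done locally before touching the server.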
Post by Anthony Cheng
Then I re-run

ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca

I see 2 entries for usercertificate;binary (before modify there was only 1) but they are duplicates and NOT from data that I added. That seems incorrect to me.
On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng
klist is actually empty; kinit admin fails. Sounds like then getcert resubmit has a dependency on Kerberos. I can get a backup image that has a valid ticket but it is only good for 1 day (and dated past the cert expiry).

Also I had asked a while back about whether there is a dependency on DIRSRV to renew the cert; didn't get any response but I suspect there is a dependency.

Regarding the clock skew, I found out from /var/log/message that

Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great)
failure
Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)

I don't have a krb5cc_496 file (since klist is empty), so sounds to me I need to get a Kerberos ticket before going any further. Also is the file /etc/krb5.keytab access/modification time important? I had changed time back to before the cert expiration date and rebooted and tried to renew but the error message about clock skew is still there. That seems strange.

Lastly, as an absolute last resort, can I regenerate a new cert myself?
https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html

klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
Starting Directory Service
PKI-IPA...                                              [  OK  ]
sample-NET...                                           [  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:                                [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:                       [  OK  ]
Starting DNS Service
                                                        [FAILED]
Failed to start DNS Service
Shutting down
Stopping Kerberos 5 KDC:                                [  OK  ]
Stopping Kerberos 5 Admin Server:                       [  OK  ]
Stopping named:                                         [  OK  ]
Stopping httpd:                                         [  OK  ]
Stopping pki-ca:                                        [  OK  ]
PKI-IPA...                                              [  OK  ]
sample-NET...                                           [  OK  ]
Aborting ipactl
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
Directory Service: STOPPED
Directory Server is stopped
On Thu, Apr 28, 2016 at 3:21 AM David Kupka
Post by Anthony Cheng
Hi list,

I am trying to renew expired certificates following the manual renewal procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but even with resetting the system/hardware clock to a time before expiry, I am getting the error "ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great."

With NTP disabled and the clock reset, why would it complain about clock skew and how does it even know about the current time?
Number of certificates and requests being tracked: 8.
        status: MONITORING
        ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=sample.NET
        subject: CN=test.sample.net,O=sample.NET
        expires: 2016-01-29 14:09:46 UTC
        eku: id-kp-serverAuth
        track: yes
        auto-renew: yes

        status: MONITORING
        ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=sample.NET
        subject: CN=test.sample.net,O=sample.NET
        expires: 2016-01-29 14:09:45 UTC
        eku: id-kp-serverAuth
        track: yes
        auto-renew: yes

        status: MONITORING
        ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=sample.NET
        subject: CN=test.sample.net,O=sample.NET
        expires: 2016-01-29 14:09:45 UTC
        eku: id-kp-serverAuth
        track: yes
        auto-renew: yes

        status: NEED_CSR_GEN_PIN
        ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=sample.NET
        subject: CN=CA Audit,O=sample.NET
        expires: 2017-10-13 14:10:49 UTC
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes

        status: NEED_CSR_GEN_PIN
        ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=sample.NET
        subject: CN=OCSP Subsystem,O=sample.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-OCSPSigning
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes

        status: NEED_CSR_GEN_PIN
        ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=sample.NET
        subject: CN=CA Subsystem,O=sample.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes

        status: MONITORING
        ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=sample.NET
        subject: CN=RA Subsystem,O=sample.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes

        status: NEED_CSR_GEN_PIN
        ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=sample.NET
        subject: CN=test.sample.net,O=sample.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        track: yes
        auto-renew: yes
--
Thanks, Anthony

Hello Anthony!

After stopping NTP (or other time synchronizing service) and setting the time manually, the server really doesn't have a way to determine that its time differs from the real one.

I think this might be an issue with the Kerberos ticket. You can show the content of root's ticket cache using klist. If there is anything, clean it with kdestroy and try to resubmit the request again.

--
David Kupka

--
Thanks, Anthony
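The `getcert list` output quoted above (and the shorter one in Rob's reply below it) has to be read request by request to see which certificates are already past their notAfter date, which requests are stuck, and whether the ca-error is the Kerberos "Clock skew too great" that David discusses or the CA being unreachable. This added example, written for this page and not code from the thread, certmonger or FreeIPA, parses such output into records and classifies each request at a wall-clock time you supply, so a reader can see the same triage over a listing of their own. The sample input is constructed to mirror the fields on this page; its Request IDs, host name and realm are placeholders, and the function names are mine.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of `getcert list` output. The Request IDs,
# host name and realm are placeholders, not the poster's real values.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 4.
Request ID '20111214223243':
\tstatus: MONITORING
\tca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ipa.example.net,O=EXAMPLE.NET
\texpires: 2016-01-29 14:09:46 UTC
Request ID '20111214223400':
\tstatus: NEED_CSR_GEN_PIN
\tca-error: Internal error: no response to "http://ipa.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
\tstuck: yes
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=CA Audit,O=EXAMPLE.NET
\texpires: 2017-10-13 14:10:49 UTC
Request ID '20111214223500':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ipa.example.net,O=EXAMPLE.NET
\texpires: 2016-01-29 14:09:45 UTC
Request ID '20111214223600':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=RA Subsystem,O=EXAMPLE.NET
\texpires: 2017-10-13 14:09:49 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
NICK_RE = re.compile(r"nickname='([^']*)'")


def parse_getcert_list(text):
    """Turn `getcert list` output into one dict per Request ID.

    Leading whitespace is stripped, so tab-indented output and output that a
    mail client flattened both parse. Only the first colon splits key from
    value, because ca-error text itself contains colons and URLs.
    """
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return requests


def parse_utc(value):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' timestamp into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def triage(requests, now_utc):
    """Classify each request at the given time ('YYYY-MM-DD HH:MM:SS UTC').

    Returns (request id, nickname, status, problems) for every request that
    needs attention; requests with nothing wrong are left out.
    """
    now = parse_utc(now_utc)
    findings = []
    for r in requests:
        nick = NICK_RE.search(r.get("certificate", ""))
        name = nick.group(1) if nick else r["id"]
        problems = []
        if "expires" in r and parse_utc(r["expires"]) <= now:
            problems.append("expired")
        if r.get("stuck") == "yes":
            problems.append("stuck")
        err = r.get("ca-error", "")
        if "Clock skew" in err:
            problems.append("kerberos-clock-skew")   # time or stale ticket cache, not the CA
        elif "no response" in err or "Unable to communicate with CMS" in err:
            problems.append("ca-unreachable")        # dogtag not serving: read CA debug/selftests logs
        elif err:
            problems.append("ca-error")
        if problems:
            findings.append((r["id"], name, r.get("status", ""), problems))
    return findings


if __name__ == "__main__":
    for req_id, name, status, problems in triage(parse_getcert_list(SAMPLE_GETCERT_OUTPUT),
                                                 "2016-04-27 00:00:00 UTC"):
        print(f"{req_id} {name!r} {status}: {', '.join(problems)}")
```

Run it against `getcert list` captured to a file and pass the real wall-clock time as `now_utc`; the point of the explicit time argument is exactly the situation in this thread, where the system clock has been moved on purpose and "expired" has to be judged against the time you intend the server to believe.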
Rob Crittenden
2016-05-04 13:07:08 UTC
Permalink
Post by Anthony Cheng
Small update, I found an article on the RH solution library
(https://access.redhat.com/solutions/2020223) that has the same error
code that I am getting and I followed the steps with certutil to update
the cert attributes but it is still not working. The article is listed
as "Solution in Progress".
Number of certificates and requests being tracked: 7.
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at
server.Certificate operation cannot be comp
leted: Unable to communicate with CMS (Not Found)).
Not Found means the CA didn't start. You need to examine the debug and
selftest logs to determine why.

rob
Post by Anthony Cheng
stuck: yes
type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-SAMPLE-NET//pwdfile.txt'
type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=SAMPLE.NET
subject: CN=caer.SAMPLE.net,O=SAMPLE.NET
expires: 2016-01-29 14:09:46 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
On Mon, May 2, 2016 at 5:35 PM Anthony Cheng
On Sat, Apr 30, 2016 at 10:08 AM Rob Crittenden
Post by Anthony Cheng
OK so I made progress on my cert renew issue; I was able to get kinit working so I can follow the rest of the steps here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal). However, after using
ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
and restarting apache (/sbin/service httpd restart), resubmitting 3 certs (ipa-getcert resubmit -i <ID>) and restarting IPA (resubmit -i <ID>)
Number of certificates and requests being tracked: 8.
status: CA_UNREACHABLE
4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
IPA proxies requests to the CA through Apache. This means that while tomcat started ok it didn't load the dogtag CA application, hence the Not Found.
Check the CA debug and selftest logs to see why it failed to start properly.
[ snip ]
Actually after a reboot that error went away and I just get this error instead: "ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates)." from "getcert list"
The result of service ipa restart is interesting since it shows today's time when I had already changed the date/time and disabled NTP, so somehow the system still knows today's time.
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
Hard to say. I'd confirm that there is no time syncing service running, ntp or otherwise.
I found out why the time kept changing; it was due to the fact that it has VM tools installed (I didn't configure this box) so it automatically syncs the time during bootup.
ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found))
I tried the step at http://www.freeipa.org/page/Troubleshooting with
certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt
openssl x509 -text -in /tmp/ra.crt
certutil -A -n ipaCert -d /etc/httpd/alias -t u,u,u -a -i /tmp/ra.crt
service httpd restart
so that I can get rid of one of the CA certs that is expired (kept the 1st one) but I am still getting the same error.
What exactly is CMS and why is it not found?
-rw-r-----. 1 pkiuser pkiuser 0 Nov 23 14:11 /var/log/pki-ca/selftests.log
INFO: JK: ajp13 listening on /0.0.0.0:9447
Jan 27, 2016 2:45:31 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=1/23config=null
Jan 27, 2016 2:45:31 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 1722 ms
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9180
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9443
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9445
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9444
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9446
Jan 27, 2016 2:56:22 PM org.apache.catalina.core.StandardService stop
INFO: Stopping service Catalina
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [Timer-0] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.flush-4] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.rollover-6] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.flush-6] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.rollover-8] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.flush-9] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.rollover-10] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [LDAPConnThread-2 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [LDAPConnThread-3 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [LDAPConnThread-4 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type
value of type [java.text.SimpleDateFormat] (value
the web application was stopped. To prevent a memory leak, the
ThreadLocal has been forcibly removed.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader
clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type
value of type [java.text.SimpleDateFormat] (value
the web application was stopped. To prevent a memory leak, the
ThreadLocal has been forcibly removed.
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9180
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9443
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9445
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9444
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9446
Jan 27, 2016 2:57:36 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows
optimal performance in production environments was not found on the
/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9180
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
unsupported by NSS. This is probably O.K. unless ECC support has
been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
unsupported by NSS. This is probably O.K. unless ECC support has
been installed.
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9443
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
unsupported by NSS. This is probably O.K. unless ECC support has
been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
unsupported by NSS. This is probably O.K. unless ECC support has
been installed.
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9445
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
unsupported by NSS. This is probably O.K. unless ECC support has
been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
unsupported by NSS. This is probably O.K. unless ECC support has
been installed.
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9444
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
unsupported by NSS. This is probably O.K. unless ECC support has
been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
unsupported by NSS. This is probably O.K. unless ECC support has
been installed.
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9446
Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 2198 ms
Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.24
Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory ROOT
Jan 27, 2016 2:57:38 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory ca
64-bit osutil library loaded
64-bit osutil library loaded
Certificate object not found
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9180
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9443
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9445
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9444
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9446
Jan 27, 2016 2:57:40 PM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:9447
Jan 27, 2016 2:57:40 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/40config=null
Jan 27, 2016 2:57:40 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 2592 ms
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
subjectAltNameExtDefaultImpl Subject Alternative Name Extension
Default Subject Alternative Name Extension Default
com.netscape.cms.profile.def.SubjectAltNameExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
userValidityDefaultImpl User Supplied Validity Default User Supplied
Validity Default com.netscape.cms.profile.def.UserValidityDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
userSubjectNameDefaultImpl User Supplied Subject Name Default User
Supplied Subject Name Default
com.netscape.cms.profile.def.UserSubjectNameDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
subjectDirAttributesExtDefaultImpl Subject Directory Attributes
Extension Default Subject Directory Attributes Extension Default
com.netscape.cms.profile.def.SubjectDirAttributesExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
certificateVersionDefaultImpl Certificate Version Default
Certificate Version Default
com.netscape.cms.profile.def.CertificateVersionDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
extendedKeyUsageExtDefaultImpl Extended Key Usage Extension Default
Extended Key Usage Extension Default
com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
policyConstraintsExtDefaultImpl Policy Constraints Extension Default
Policy Constraints Extension Default
com.netscape.cms.profile.def.PolicyConstraintsExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
crlDistributionPointsExtDefaultImpl CRL Distribution Points
Extension Default CRL Distribution Points Extension Default
com.netscape.cms.profile.def.CRLDistributionPointsExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
certificatePoliciesExtDefaultImpl Certificate Policies Extension
Default Certificate Policies Extension Default
com.netscape.cms.profile.def.CertificatePoliciesExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
validityDefaultImpl Validity Default Validty Default
com.netscape.cms.profile.def.ValidityDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
privateKeyPeriodExtDefaultImpl Private Key Period Ext Default
Private Key Period Ext Default
com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
noDefaultImpl No Default No Default
com.netscape.cms.profile.def.NoDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
imageDefaultImpl Image Default Image Default
com.netscape.cms.profile.def.ImageDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
subjectInfoAccessExtDefaultImpl Subject Info Access Extension
Default Subject Info Access Extension Default
com.netscape.cms.profile.def.SubjectInfoAccessExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
autoAssignDefaultImpl Auto Request Assignment Default Auto Request
Assignment Default com.netscape.cms.profile.def.AutoAssignDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
policyMappingsExtDefaultImpl Policy Mappings Extension Default
Policy Mappings Extension Default
com.netscape.cms.profile.def.PolicyMappingsExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
caValidityDefaultImpl CA Certificate Validity Default CA Certificate
Validty Default com.netscape.cms.profile.def.CAValidityDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
userExtensionDefaultImpl User Supplied Extension Default User
Supplied Extension Default
com.netscape.cms.profile.def.UserExtensionDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
nsCertTypeExtDefaultImpl Netscape Certificate Type Extension Default
Netscape Certificate Type Extension Default
com.netscape.cms.profile.def.NSCertTypeExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
authTokenSubjectNameDefaultImpl Token Supplied Subject Name Default
Token Supplied Subject Name Default
com.netscape.cms.profile.def.AuthTokenSubjectNameDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
subjectNameDefaultImpl Subject Name Default Subject Name Default
com.netscape.cms.profile.def.SubjectNameDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
userSigningAlgDefaultImpl User Supplied Signing Alg Default User
Supplied Signing Alg Default
com.netscape.cms.profile.def.UserSigningAlgDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
subjectKeyIdentifierExtDefaultImpl Subject Key Identifier Default
Subject Key Identifier Default
com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy Extension Default
Inhibit Any-Policy Extension Default
com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
nsTokenDeviceKeySubjectNameDefaultImpl
nsTokenDeviceKeySubjectNameDefault
nsTokenDeviceKeySubjectNameDefaultImpl
com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
nscCommentExtDefaultImpl Netscape Comment Extension Default Netscape
Comment Extension Default
com.netscape.cms.profile.def.NSCCommentExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
signingAlgDefaultImpl Signing Algorithm Default Signing Algorithm
Default com.netscape.cms.profile.def.SigningAlgDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
nameConstraintsExtDefaultImpl Name Constraints Extension Default
Name Constraints Extension Default
com.netscape.cms.profile.def.NameConstraintsExtDefault
[27/Jan/2016:15:30:43][main]: added plugin profileUpdater
subsystemGroupUpdaterImpl Updater for Subsystem Group Updater for
Subsystem Group com.netscape.cms.profile.updater.SubsystemGroupUpdater
[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=registry
[27/Jan/2016:15:30:43][main]: CMSEngine: initialized registry
[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=oidmap
[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=oidmap
[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=oidmap
[27/Jan/2016:15:30:43][main]: CMSEngine: initialized oidmap
[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=X500Name
[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=X500Name
[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=X500Name
[27/Jan/2016:15:30:43][main]: CMSEngine: initialized X500Name
[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=request
[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=request
[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=request
[27/Jan/2016:15:30:43][main]: CMSEngine: initialized request
[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=ca
[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=ca
[27/Jan/2016:15:30:43][main]: CertificateAuthority init
[27/Jan/2016:15:30:43][main]: Cert Repot inited
[27/Jan/2016:15:30:43][main]: CRL Repot inited
[27/Jan/2016:15:30:43][main]: Replica Repot inited
[27/Jan/2016:15:30:43][main]: ca.signing Signing Unit nickname
caSigningCert cert-pki-ca
[27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name
[27/Jan/2016:15:30:43][main]: Found cert by nickname: 'caSigningCert
cert-pki-ca' with serial number: 1
[27/Jan/2016:15:30:43][main]: converted to x509CertImpl
[27/Jan/2016:15:30:43][main]: Got private key from cert
[27/Jan/2016:15:30:43][main]: Got public key from cert
[27/Jan/2016:15:30:43][main]: got signing algorithm
RSASignatureWithSHA256Digest
[27/Jan/2016:15:30:43][main]: CA signing unit inited
[27/Jan/2016:15:30:43][main]: cachainNum= 0
[27/Jan/2016:15:30:43][main]: in init - got CA chain from JSS.
[27/Jan/2016:15:30:43][main]: ca.ocsp_signing Signing Unit nickname
ca.ocsp_signing.cert
[27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name
[27/Jan/2016:15:30:43][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
[27/Jan/2016:15:30:43][main]: CMS:Caught EBaseException
Certificate object not found
at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1204)
at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
at org.apache.catalina.core.StandardService.start(StandardService.java:516)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
[27/Jan/2016:15:30:43][main]: CMSEngine.shutdown()
Post by Anthony Cheng
Would really greatly appreciate any help on this.
Also I noticed after I do ldapmodify of usercertificate binary data with
add: usercertificate;binary
You really pasted in binary? Or was this base64-encoded data?
I wonder if there is a problem in the wiki. If this is really a binary value you should start with a DER-encoded cert and load it using
dn: uid=ipara,ou=people,o=ipaca
changetype: modify
add: usercertificate;binary
usercertificate;binary:< file:///path/to/cert.der
You can use something like openssl x509 to switch between PEM and DER formats.
I have a vague memory that dogtag can deal with a multi-valued usercertificate attribute.
rob
ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b uid=ipara,ou=People,o=ipaca -W
shows userCertificate;binary:: GJ6Q0NBbGVnQXd ...
But the actual data is from a PEM though.
Ok. So I looked at my CA data and it doesn't use the binary subtype, so
userCertificate:: MIID....
It might make a difference if dogtag is looking for the subtype or not.
rob
Post by Anthony Cheng
Then I re-run
ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca
I see 2 entries for usercertificate;binary (before modify there was only 1) but they are duplicates and NOT from data that I added. That seems incorrect to me.
On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng
klist is actually empty; kinit admin fails. Sounds like then getcert resubmit has a dependency on Kerberos. I can get a backup image that has a valid ticket but it is only good for 1 day (and dated past the cert expiry).
Also I had asked awhile back about whether there is a dependency on DIRSRV to renew the cert; didn't get any response but I suspect there is a dependency.
Regarding the clock skew, I found out from /var/log/message that
Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great)
Jan 28 14:10:42 test named[2911]: loading configuration: failure
Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)
I don't have a krb5cc_496 file (since klist is empty), so it sounds to me like I need to get a Kerberos ticket before going any further. Also, is the access/modification time of the file /etc/krb5.keytab important? I had changed the time back to before the cert expiration date, rebooted and tried to renew, but the error message about clock skew is still there. That seems strange.
Lastly, as an absolute last resort, can I regenerate a new cert myself?
https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
Post by Anthony Cheng
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
Starting Directory Service
   PKI-IPA...                [  OK  ]
   sample-NET...             [  OK  ]
Starting KDC Service         [  OK  ]
Starting KPASSWD Service     [  OK  ]
Starting DNS Service         [FAILED]
Failed to start DNS Service
Shutting down
                             [  OK  ]
                             [  OK  ]
                             [  OK  ]
                             [  OK  ]
                             [  OK  ]
   PKI-IPA...                [  OK  ]
   sample-NET...             [  OK  ]
Aborting ipactl
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
Directory Service: STOPPED
Directory Server is stopped
On Thu, Apr 28, 2016 at 3:21 AM David Kupka
Post by Anthony Cheng
Hi list,
I am trying to renew expired certificates following the manual renewal procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but even with resetting the system/hardware clock to a time before expiry, I am getting the error "ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great."
With NTP disabled and the clock reset, why would it complain about clock skew and how does it even know about the current time?
Number of certificates and requests being tracked: 8.
status: MONITORING
ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
stuck: no
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:46 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
status: MONITORING
ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
stuck: no
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:45 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
status: MONITORING
ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
stuck: no
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:45 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
stuck: yes
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=CA Audit,O=sample.NET
expires: 2017-10-13 14:10:49 UTC
/usr/lib64/ipa/certmonger/stop_pkicad
/usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
stuck: yes
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=OCSP Subsystem,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-OCSPSigning
/usr/lib64/ipa/certmonger/stop_pkicad
/usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
stuck: yes
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=CA Subsystem,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
/usr/lib64/ipa/certmonger/stop_pkicad
/usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
status: MONITORING
ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
stuck: no
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=RA Subsystem,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
/usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
stuck: yes
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net
<http://test.sample.net>
<http://test.sample.net> <http://test.sample.net>
Post by Anthony Cheng
<http://test.sample.net>,O=sample.NET
Post by Anthony Cheng
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
track: yes
--
Thanks, Anthony
Hello Anthony!

After stopping NTP (or another time synchronizing service) and setting the time manually, the server really doesn't have a way to determine that its time differs from the real one.

I think this might be an issue with the Kerberos ticket. You can show the content of root's ticket cache using klist. If there is anything, clean it with kdestroy and try to resubmit the request again.
--
David Kupka
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
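An added triage helper, not code from FreeIPA or certmonger, that parses `getcert list` output like the listing quoted above and tags each request with the failure modes seen in this thread: the Kerberos clock-skew error, a CA that returns no response to the renewal URL, requests stuck in NEED_CSR_GEN_PIN, and certificates already expired relative to a clock the operator trusts. The embedded sample is constructed from the thread's entries; the request IDs other than the one quoted in the original post and the PIN value are placeholders.

```python
"""Triage helper for certmonger's `getcert list` output (added example, not
FreeIPA or certmonger code).  It parses the listing and flags: Kerberos
"Clock skew too great", a Dogtag CA giving no response to the renewal URL,
requests stuck in NEED_CSR_GEN_PIN, and expiry relative to a trusted clock."""
import re
from datetime import datetime, timezone

# Clock to judge expiry against: here the time of the thread's first post.
REFERENCE_NOW = datetime(2016, 4, 27, 19, 54, 57, tzinfo=timezone.utc)

# Constructed sample modelled on the thread's listing (fields abridged); the
# first request ID is the quoted one, the other IDs and the PIN are placeholders.
SAMPLE_LISTING = """\
Number of certificates and requests being tracked: 3.
Request ID '20111214223243':
\tstatus: MONITORING
\tca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
\tCA: IPA
\tsubject: CN=test.sample.net,O=sample.NET
\texpires: 2016-01-29 14:09:46 UTC
Request ID 'PLACEHOLDER-ID-2':
\tstatus: NEED_CSR_GEN_PIN
\tca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='PLACEHOLDER-PIN'
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=OCSP Subsystem,O=sample.NET
\texpires: 2017-10-13 14:09:49 UTC
Request ID 'PLACEHOLDER-ID-3':
\tstatus: MONITORING
\tstuck: no
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=RA Subsystem,O=sample.NET
\texpires: 2017-10-13 14:09:49 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")


def parse_getcert_list(text):
    """Split the listing into one dict per tracked request.  Values are taken
    after the first ':' only, so ca-error strings containing URLs survive."""
    requests, current = [], None
    for raw in text.splitlines():
        match = REQUEST_RE.match(raw)
        if match:
            current = {"id": match.group(1)}
            requests.append(current)
            continue
        line = raw.strip()
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    parsed = datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC")
    return parsed.replace(tzinfo=timezone.utc)


def triage(requests, now=REFERENCE_NOW):
    """Return {request id: sorted issue tags}; an empty list means healthy."""
    report = {}
    for req in requests:
        issues = set()
        err = req.get("ca-error", "")
        if "Clock skew too great" in err:
            # Kerberos refused the keytab-based ticket: the host clock is too
            # far from the KDC's (or the cached ticket's) time.  Fix time sync
            # and clear the ticket cache before resubmitting.
            issues.add("KRB_CLOCK_SKEW")
        if "no response to" in err or req.get("status") == "CA_UNREACHABLE":
            # The CA did not answer the renewal URL: confirm the pki-ca
            # service actually started (debug and selftests logs).
            issues.add("CA_UNREACHABLE")
        if req.get("stuck") == "yes":
            issues.add("STUCK_" + req.get("status", "UNKNOWN"))
        if "expires" in req and parse_expiry(req["expires"]) <= now:
            issues.add("EXPIRED")
        report[req["id"]] = sorted(issues)
    return report


def earliest_expiry(requests):
    """Earliest 'expires' among tracked certificates (None if there is none).
    Setting the clock back for manual renewal only helps before this instant."""
    dates = [parse_expiry(r["expires"]) for r in requests if "expires" in r]
    return min(dates) if dates else None


if __name__ == "__main__":
    for rid, tags in triage(parse_getcert_list(SAMPLE_LISTING)).items():
        print(rid, ", ".join(tags) or "ok")
```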
Anthony Cheng
2016-05-04 14:34:43 UTC
Post by Rob Crittenden
Post by Anthony Cheng
Small update, I found an article on the RH solution library
(https://access.redhat.com/solutions/2020223) that has the same error
code that I am getting and I followed the steps with certutil to update
the cert attributes but it is still not working. The article is listed
as "Solution in Progress".
Number of certificates and requests being tracked: 7.
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
Not Found means the CA didn't start. You need to examine the debug and
selftest logs to determine why.
rob
selftests.log is empty; there are entries for other times but not for when I set the clock to renew certs.

[***@test pki-ca]# clock
Fri 29 Jan 2016 08:19:54 AM UTC -0.960583 seconds
[***@test pki-ca]#
[***@test pki-ca]#

[***@test pki-ca]# ll * | grep self
-rw-r-----. 1 pkiuser pkiuser    0 Nov 23 14:11 selftests.log
-rw-r-----. 1 pkiuser pkiuser 1206 Apr  7  2015 selftests.log.20150407143526
-rw-r-----. 1 pkiuser pkiuser 3673 Jun 30  2015 selftests.log.20150630163924
-rw-r-----. 1 pkiuser pkiuser 1217 Aug 31 20:07 selftests.log.20150831160735
-rw-r-----. 1 pkiuser pkiuser 3798 Oct 24 14:12 selftests.log.20151024101159
[28/Jan/2016:21:09:03][main]: SigningUnit init: debug
org.mozilla.jss.crypto.ObjectNotFoundException
[28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException
Certificate object not found
at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)

Full log:

certificatePoliciesExtDefaultImpl Certificate Policies Exten
sion Default Certificate Policies Extension Default
com.netscape.cms.profile.def.CertificatePoliciesExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
validityDefaultImpl Validity Default Validty Default com.net
scape.cms.profile.def.ValidityDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
privateKeyPeriodExtDefaultImpl Private Key Period Ext Defaul
t Private Key Period Ext Default
com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy noDefaultImpl
No Default No Default com.netscape.cms.profile
.def.NoDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
imageDefaultImpl Image Default Image Default com.netscape.cm
s.profile.def.ImageDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
subjectInfoAccessExtDefaultImpl Subject Info Access Extensio
n Default Subject Info Access Extension Default
com.netscape.cms.profile.def.SubjectInfoAccessExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
autoAssignDefaultImpl Auto Request Assignment Default Auto R
equest Assignment Default com.netscape.cms.profile.def.AutoAssignDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
policyMappingsExtDefaultImpl Policy Mappings Extension Defau
lt Policy Mappings Extension Default
com.netscape.cms.profile.def.PolicyMappingsExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
caValidityDefaultImpl CA Certificate Validity Default CA Cer
tificate Validty Default com.netscape.cms.profile.def.CAValidityDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
userExtensionDefaultImpl User Supplied Extension Default Use
r Supplied Extension Default com.netscape.cms.profile.def.UserExtensionDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
nsCertTypeExtDefaultImpl Netscape Certificate Type Extension
Default Netscape Certificate Type Extension Default
com.netscape.cms.profile.def.NSCertTypeExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
authTokenSubjectNameDefaultImpl Token Supplied Subject Name
Default Token Supplied Subject Name Default
com.netscape.cms.profile.def.AuthTokenSubjectNameDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
subjectNameDefaultImpl Subject Name Default Subject Name Def
ault com.netscape.cms.profile.def.SubjectNameDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
userSigningAlgDefaultImpl User Supplied Signing Alg Default
User Supplied Signing Alg Default
com.netscape.cms.profile.def.UserSigningAlgDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
subjectKeyIdentifierExtDefaultImpl Subject Key Identifier De
fault Subject Key Identifier Default
com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy Extension
Default Inhibit Any-Policy Extension Default
com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
nsTokenDeviceKeySubjectNameDefaultImpl nsTokenDeviceKeySubje
ctNameDefault nsTokenDeviceKeySubjectNameDefaultImpl
com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
nscCommentExtDefaultImpl Netscape Comment Extension Default
Netscape Comment Extension Default
com.netscape.cms.profile.def.NSCCommentExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
signingAlgDefaultImpl Signing Algorithm Default Signing Algo
rithm Default com.netscape.cms.profile.def.SigningAlgDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
nameConstraintsExtDefaultImpl Name Constraints Extension Def
ault Name Constraints Extension Default
com.netscape.cms.profile.def.NameConstraintsExtDefault
[28/Jan/2016:21:09:03][main]: added plugin profileUpdater
subsystemGroupUpdaterImpl Updater for Subsystem Group Updat
er for Subsystem Group com.netscape.cms.profile.updater.SubsystemGroupUpdater
[28/Jan/2016:21:09:03][main]: CMSEngine: done init id=registry
[28/Jan/2016:21:09:03][main]: CMSEngine: initialized registry
[28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=oidmap
[28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=oidmap
[28/Jan/2016:21:09:03][main]: CMSEngine: done init id=oidmap
[28/Jan/2016:21:09:03][main]: CMSEngine: initialized oidmap
[28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=X500Name
[28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=X500Name
[28/Jan/2016:21:09:03][main]: CMSEngine: done init id=X500Name
[28/Jan/2016:21:09:03][main]: CMSEngine: initialized X500Name
[28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=request
[28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=request
[28/Jan/2016:21:09:03][main]: CMSEngine: done init id=request
[28/Jan/2016:21:09:03][main]: CMSEngine: initialized request
[28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=ca
[28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=ca
[28/Jan/2016:21:09:03][main]: CertificateAuthority init
[28/Jan/2016:21:09:03][main]: Cert Repot inited
[28/Jan/2016:21:09:03][main]: CRL Repot inited
[28/Jan/2016:21:09:03][main]: Replica Repot inited
[28/Jan/2016:21:09:03][main]: ca.signing Signing Unit nickname caSigningCert cert-pki-ca
[28/Jan/2016:21:09:03][main]: Got token Internal Key Storage Token by name
[28/Jan/2016:21:09:03][main]: Found cert by nickname: 'caSigningCert cert-pki-ca' with serial number: 1
[28/Jan/2016:21:09:03][main]: converted to x509CertImpl
[28/Jan/2016:21:09:03][main]: Got private key from cert
[28/Jan/2016:21:09:03][main]: Got public key from cert
[28/Jan/2016:21:09:03][main]: got signing algorithm RSASignatureWithSHA256Digest
[28/Jan/2016:21:09:03][main]: CA signing unit inited
[28/Jan/2016:21:09:03][main]: cachainNum= 0
[28/Jan/2016:21:09:03][main]: in init - got CA chain from JSS.
[28/Jan/2016:21:09:03][main]: ca.ocsp_signing Signing Unit nickname ca.ocsp_signing.cert
[28/Jan/2016:21:09:03][main]: Got token Internal Key Storage Token by name
[28/Jan/2016:21:09:03][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
[28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException
Certificate object not found
at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1204)
at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
at org.apache.catalina.core.StandardService.start(StandardService.java:516)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
[28/Jan/2016:21:09:03][main]: CMSEngine.shutdown()
[28/Jan/2016:21:14:02][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[28/Jan/2016:21:14:02][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
[28/Jan/2016:21:19:02][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[28/Jan/2016:21:19:02][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
Post by Rob Crittenden
Post by Anthony Cheng
stuck: yes
type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-SAMPLE-NET//pwdfile.txt'
type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=SAMPLE.NET
subject: CN=caer.SAMPLE.net,O=SAMPLE.NET
expires: 2016-01-29 14:09:46 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
On Mon, May 2, 2016 at 5:35 PM Anthony Cheng
On Sat, Apr 30, 2016 at 10:08 AM Rob Crittenden
Post by Anthony Cheng
OK so I made progress on my cert renew issue; I was able to get kinit
working so I can follow the rest of the steps here
(http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
However, after using
ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
and restarting apache (/sbin/service httpd restart), resubmitting 3
certs (ipa-getcert resubmit -i <ID>) and restarting IPA (resubmit -i <ID>)
Number of certificates and requests being tracked: 8.
status: CA_UNREACHABLE
4301 (RPC failed at server. Certificate operation cannot be completed:
Unable to communicate with CMS (Not Found)).
IPA proxies requests to the CA through Apache. This means that while
tomcat started ok it didn't load the dogtag CA application, hence the
Not Found.
Check the CA debug and selftest logs to see why it failed to start
properly.
[ snip ]
Actually after a reboot that error went away and I just get this error
instead: "ca-error: Server failed request, will retry: -504 (libcurl
failed to execute the HTTP POST transaction. Peer certificate cannot be
authenticated with known CA certificates)." from "getcert list".
The result of service ipa restart is interesting since it shows today's
time when I had already changed the date/time and disabled NTP, so
somehow the system still knows today's time.
CERT_VerifyCertificateNow: verify certificate failed for cert
Server-Cert of family cn=RSA,cn=encryption,cn=config
(Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
Hard to say. I'd confirm that there is no time syncing service running,
ntp or otherwise.
I found out why the time kept changing; it was due to the fact that
it has VM tools installed (I didn't configure this box), so it
automatically syncs time during bootup.
ca-error: Server failed request, will retry: 4301 (RPC failed at
server. Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found))
I tried the step http://www.freeipa.org/page/Troubleshooting with
certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt
openssl x509 -text -in /tmp/ra.crt
certutil -A -n ipaCert -d /etc/httpd/alias -t u,u,u -a -i /tmp/ra.crt
service httpd restart
so that I could get rid of one of the CA certs that is expired (kept
the 1st one), but I am still getting the same error.
What exactly is CMS and why is it not found?
-rw-r-----. 1 pkiuser pkiuser 0 Nov 23 14:11 /var/log/pki-ca/selftests.log
INFO: JK: ajp13 listening on /0.0.0.0:9447
Jan 27, 2016 2:45:31 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=1/23config=null
Jan 27, 2016 2:45:31 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 1722 ms
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9180
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9443
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9445
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9444
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9446
Jan 27, 2016 2:56:22 PM org.apache.catalina.core.StandardService stop
INFO: Stopping service Catalina
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [Timer-0] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.flush-4] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.rollover-6] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.flush-6] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.rollover-8] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.flush-9] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.rollover-10] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [LDAPConnThread-2 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [LDAPConnThread-3 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [LDAPConnThread-4 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type
value of type [java.text.SimpleDateFormat] (value
the web application was stopped. To prevent a memory leak, the
ThreadLocal has been forcibly removed.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type
value of type [java.text.SimpleDateFormat] (value
the web application was stopped. To prevent a memory leak, the
ThreadLocal has been forcibly removed.
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9180
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9443
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9445
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9444
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9446
Jan 27, 2016 2:57:36 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the
/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9180
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
unsupported by NSS. This is probably O.K. unless ECC support has
been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
unsupported by NSS. This is probably O.K. unless ECC support has
been installed.
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9443
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
unsupported by NSS. This is probably O.K. unless ECC support has
been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
unsupported by NSS. This is probably O.K. unless ECC support has
been installed.
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9445
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
unsupported by NSS. This is probably O.K. unless ECC support has
been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
unsupported by NSS. This is probably O.K. unless ECC support has
been installed.
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9444
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
unsupported by NSS. This is probably O.K. unless ECC support has
been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
unsupported by NSS. This is probably O.K. unless ECC support has
been installed.
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9446
Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 2198 ms
Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.24
Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory ROOT
Jan 27, 2016 2:57:38 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory ca
64-bit osutil library loaded
64-bit osutil library loaded
Certificate object not found
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9180
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9443
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9445
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9444
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9446
Jan 27, 2016 2:57:40 PM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:9447
Jan 27, 2016 2:57:40 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/40config=null
Jan 27, 2016 2:57:40 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 2592 ms
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
subjectAltNameExtDefaultImpl Subject Alternative Name Extension
Default Subject Alternative Name Extension Default
com.netscape.cms.profile.def.SubjectAltNameExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
userValidityDefaultImpl User Supplied Validity Default User Supplied
Validity Default com.netscape.cms.profile.def.UserValidityDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
userSubjectNameDefaultImpl User Supplied Subject Name Default User
Supplied Subject Name Default
com.netscape.cms.profile.def.UserSubjectNameDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
subjectDirAttributesExtDefaultImpl Subject Directory Attributes
Extension Default Subject Directory Attributes Extension Default
com.netscape.cms.profile.def.SubjectDirAttributesExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
certificateVersionDefaultImpl Certificate Version Default
Certificate Version Default
com.netscape.cms.profile.def.CertificateVersionDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
extendedKeyUsageExtDefaultImpl Extended Key Usage Extension Default
Extended Key Usage Extension Default
com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
policyConstraintsExtDefaultImpl Policy Constraints Extension Default
Policy Constraints Extension Default
com.netscape.cms.profile.def.PolicyConstraintsExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
crlDistributionPointsExtDefaultImpl CRL Distribution Points
Extension Default CRL Distribution Points Extension Default
com.netscape.cms.profile.def.CRLDistributionPointsExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
certificatePoliciesExtDefaultImpl Certificate Policies Extension
Default Certificate Policies Extension Default
com.netscape.cms.profile.def.CertificatePoliciesExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
validityDefaultImpl Validity Default Validty Default
com.netscape.cms.profile.def.ValidityDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
privateKeyPeriodExtDefaultImpl Private Key Period Ext Default
Private Key Period Ext Default
com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
noDefaultImpl No Default No Default
com.netscape.cms.profile.def.NoDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
imageDefaultImpl Image Default Image Default
com.netscape.cms.profile.def.ImageDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
subjectInfoAccessExtDefaultImpl Subject Info Access Extension
Default Subject Info Access Extension Default
com.netscape.cms.profile.def.SubjectInfoAccessExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
autoAssignDefaultImpl Auto Request Assignment Default Auto Request
Assignment Default com.netscape.cms.profile.def.AutoAssignDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
policyMappingsExtDefaultImpl Policy Mappings Extension Default
Policy Mappings Extension Default
com.netscape.cms.profile.def.PolicyMappingsExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
caValidityDefaultImpl CA Certificate Validity Default CA Certificate
Validty Default com.netscape.cms.profile.def.CAValidityDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
userExtensionDefaultImpl User Supplied Extension Default User
Supplied Extension Default
com.netscape.cms.profile.def.UserExtensionDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
nsCertTypeExtDefaultImpl Netscape Certificate Type Extension Default
Netscape Certificate Type Extension Default
com.netscape.cms.profile.def.NSCertTypeExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
authTokenSubjectNameDefaultImpl Token Supplied Subject Name Default
Token Supplied Subject Name Default
com.netscape.cms.profile.def.AuthTokenSubjectNameDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
subjectNameDefaultImpl Subject Name Default Subject Name Default
com.netscape.cms.profile.def.SubjectNameDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
userSigningAlgDefaultImpl User Supplied Signing Alg Default User
Supplied Signing Alg Default
com.netscape.cms.profile.def.UserSigningAlgDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
subjectKeyIdentifierExtDefaultImpl Subject Key Identifier Default
Subject Key Identifier Default
com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy Extension Default
Inhibit Any-Policy Extension Default
com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
nsTokenDeviceKeySubjectNameDefaultImpl
nsTokenDeviceKeySubjectNameDefault
nsTokenDeviceKeySubjectNameDefaultImpl
com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
nscCommentExtDefaultImpl Netscape Comment Extension Default Netscape
Comment Extension Default
com.netscape.cms.profile.def.NSCCommentExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
signingAlgDefaultImpl Signing Algorithm Default Signing Algorithm
Default com.netscape.cms.profile.def.SigningAlgDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy
nameConstraintsExtDefaultImpl Name Constraints Extension Default
Name Constraints Extension Default
com.netscape.cms.profile.def.NameConstraintsExtDefault
[27/Jan/2016:15:30:43][main]: added plugin profileUpdater
subsystemGroupUpdaterImpl Updater for Subsystem Group Updater for
Subsystem Group com.netscape.cms.profile.updater.SubsystemGroupUpdater
[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=registry
[27/Jan/2016:15:30:43][main]: CMSEngine: initialized registry
[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=oidmap
[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=oidmap
[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=oidmap
[27/Jan/2016:15:30:43][main]: CMSEngine: initialized oidmap
[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=X500Name
[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=X500Name
[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=X500Name
[27/Jan/2016:15:30:43][main]: CMSEngine: initialized X500Name
[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=request
[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=request
[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=request
[27/Jan/2016:15:30:43][main]: CMSEngine: initialized request
[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=ca
[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=ca
[27/Jan/2016:15:30:43][main]: CertificateAuthority init
[27/Jan/2016:15:30:43][main]: Cert Repot inited
[27/Jan/2016:15:30:43][main]: CRL Repot inited
[27/Jan/2016:15:30:43][main]: Replica Repot inited
[27/Jan/2016:15:30:43][main]: ca.signing Signing Unit nickname caSigningCert cert-pki-ca
[27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name
[27/Jan/2016:15:30:43][main]: Found cert by nickname: 'caSigningCert cert-pki-ca' with serial number: 1
[27/Jan/2016:15:30:43][main]: converted to x509CertImpl
[27/Jan/2016:15:30:43][main]: Got private key from cert
[27/Jan/2016:15:30:43][main]: Got public key from cert
[27/Jan/2016:15:30:43][main]: got signing algorithm RSASignatureWithSHA256Digest
[27/Jan/2016:15:30:43][main]: CA signing unit inited
[27/Jan/2016:15:30:43][main]: cachainNum= 0
[27/Jan/2016:15:30:43][main]: in init - got CA chain from JSS.
[27/Jan/2016:15:30:43][main]: ca.ocsp_signing Signing Unit nickname ca.ocsp_signing.cert
[27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name
[27/Jan/2016:15:30:43][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
[27/Jan/2016:15:30:43][main]: CMS:Caught EBaseException
Certificate object not found
at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1204)
at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
at org.apache.catalina.core.StandardService.start(StandardService.java:516)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
[27/Jan/2016:15:30:43][main]: CMSEngine.shutdown()
Post by Anthony Cheng
Would really greatly appreciate any help on this.
Also I noticed after I do ldapmodify of usercertificate binary data with
Post by Anthony Cheng
add: usercertificate;binary
You really pasted in binary? Or was this base64-encoded data?
I wonder if there is a problem in the wiki. If this is really a binary value you should start with a DER-encoded cert and load it using
dn: uid=ipara,ou=people,o=ipaca
changetype: modify
add: usercertificate;binary
usercertificate;binary:< file:///path/to/cert.der
You can use something like openssl x509 to switch between PEM and DER formats.
I have a vague memory that dogtag can deal with a multi-valued usercertificate attribute.
rob
ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b uid=ipara,ou=People,o=ipaca -W
shows userCertificate;binary:: GJ6Q0NBbGVnQXd ...
But the actual data is from a PEM though.
Ok. So I looked at my CA data and it doesn't use the binary subtype, so
userCertificate:: MIID....
It might make a difference if dogtag is looking for the subtype or not.
rob
Post by Anthony Cheng
Then I re-run
ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca
I see 2 entries for usercertificate;binary (before modify there was only 1) but they are duplicate and NOT from data that I added. That seems incorrect to me.
On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng
klist is actually empty; kinit admin fails. Sounds like then getcert resubmit has a dependency on Kerberos. I can get a backup image that has a valid ticket but it is only good for 1 day (and dated past the cert expire).
Also I had asked awhile back about whether there is dependency on DIRSRV to renew the cert; didn't get any response but I suspect there is a dependency.
Regarding the clock skew, I found out from /var/log/message that
Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great)
Jan 28 14:10:42 test named[2911]: loading configuration: failure
Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)
I don't have a krb5cc_496 file (since klist is empty), so sounds to me I need to get a Kerberos ticket before going any further. Also is the file /etc/krb5.keytab access/modification time important? I had changed time back to before the cert expiration date and reboot and try renew but the error message about clock skew is still there. That seems strange.
Lastly, as an absolute last resort, can I regenerate a new cert myself?
https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
Starting Directory Service
PKI-IPA... [ OK ]
sample-NET... [ OK ]
Starting KDC Service [ OK ]
Starting KPASSWD Service [ OK ]
Starting DNS Service [FAILED]
Failed to start DNS Service
Shutting down
[ OK ]
[ OK ]
[ OK ]
[ OK ]
[ OK ]
PKI-IPA... [ OK ]
sample-NET... [ OK ]
Aborting ipactl
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
Directory Service: STOPPED
Directory Server is stopped
On Thu, Apr 28, 2016 at 3:21 AM David Kupka
Post by Anthony Cheng
Hi list,
I am trying to renew expired certificates following the manual renewal procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but even with resetting the system/hardware clock to a time before expires, I am getting the error "ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great."
With NTP disabled and clock reset why would it complain about clock skew and how does it even know about the current time?
Number of certificates and requests being tracked: 8.
status: MONITORING
ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
stuck: no
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:46 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
status: MONITORING
ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
stuck: no
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:45 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
status: MONITORING
ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
stuck: no
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:45 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
stuck: yes
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=CA Audit,O=sample.NET
expires: 2017-10-13 14:10:49 UTC
/usr/lib64/ipa/certmonger/stop_pkicad
/usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
stuck: yes
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=OCSP Subsystem,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-OCSPSigning
/usr/lib64/ipa/certmonger/stop_pkicad
/usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
stuck: yes
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=CA Subsystem,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
id-kp-serverAuth,id-kp-clientAuth
/usr/lib64/ipa/certmonger/stop_pkicad
/usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
status: MONITORING
ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
stuck: no
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=RA Subsystem,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
id-kp-serverAuth,id-kp-clientAuth
/usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
stuck: yes
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
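The getcert output quoted in this message is what an operator has to read by hand to see which tracked certificates are failing and why. The script below is an added example, not code from the thread or from FreeIPA/certmonger: it parses `getcert list` text into one record per request, maps the two ca-error messages that appear in this thread (the Kerberos "Clock skew too great" and the CA not answering its profileSubmit URL) to a cause, and flags requests that are stuck or already past their expiry date. The `SAMPLE` text, the Request IDs in it and the function names (`parse_getcert_list`, `classify_ca_error`, `triage`) are constructed for the example.

```python
"""Triage `getcert list` output (added example; not code from the thread
or from FreeIPA/certmonger).  SAMPLE is constructed to mirror the records
quoted in the thread; its Request IDs are placeholders."""
import re
from datetime import datetime, timezone

SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20990101000001':
    status: MONITORING
    ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
    CA: IPA
    subject: CN=test.sample.net,O=sample.NET
    expires: 2016-01-29 14:09:46 UTC
    track: yes
Request ID '20990101000002':
    status: NEED_CSR_GEN_PIN
    ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
    stuck: yes
    CA: dogtag-ipa-renew-agent
    subject: CN=CA Audit,O=sample.NET
    expires: 2017-10-13 14:10:49 UTC
Request ID '20990101000003':
    status: MONITORING
    stuck: no
    CA: dogtag-ipa-renew-agent
    subject: CN=RA Subsystem,O=sample.NET
    expires: 2017-10-13 14:09:49 UTC
"""

RECORD_START = re.compile(r"^Request ID '([^']+)':")
# Indented "key: value" line; the key ends at the first colon, so values
# that themselves contain colons (ca-error text, URLs) stay intact.
FIELD = re.compile(r"^\s+([^:]+?):\s*(.*)$")


def parse_getcert_list(text):
    """Split `getcert list` text into one dict per tracked request."""
    records, current = [], None
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:
            current = {"request_id": m.group(1)}
            records.append(current)
        elif current is not None:
            f = FIELD.match(line)
            if f:
                current[f.group(1).strip()] = f.group(2).strip()
    return records


def classify_ca_error(message):
    """Map a ca-error string to the coarse causes seen in the thread."""
    if not message:
        return None
    if "Clock skew too great" in message:
        return "kerberos_clock_skew"   # host keytab auth refused by the KDC
    if "no response to" in message or "Unable to communicate with CMS" in message:
        return "ca_unreachable"        # Dogtag CA is not answering
    return "other"


def parse_expiry(value):
    """getcert prints 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def find_problems(records, now):
    """Return the requests that need attention, each with its reasons."""
    findings = []
    for r in records:
        reasons = []
        cause = classify_ca_error(r.get("ca-error"))
        if cause:
            reasons.append(cause)
        if r.get("stuck") == "yes":
            reasons.append("stuck")
        if "expires" in r and parse_expiry(r["expires"]) <= now:
            reasons.append("expired")
        if reasons:
            findings.append({"request_id": r["request_id"],
                             "subject": r.get("subject", ""),
                             "reasons": reasons})
    return findings


def triage(text, as_of):
    """as_of is 'YYYY-MM-DD'; expiry is judged against that UTC date."""
    now = datetime.strptime(as_of, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return find_problems(parse_getcert_list(text), now)


if __name__ == "__main__":
    for f in triage(SAMPLE, "2016-04-27"):
        print(f"{f['request_id']} {f['subject']}: {', '.join(f['reasons'])}")
```

Feed it the captured text of `getcert list`; the script does not call certmonger itself. Splitting out the clock-skew cause matters because, as the thread shows, `getcert resubmit` cannot help until the host can obtain a ticket: Kerberos rejects an authenticator whose timestamp differs from the KDC's clock by more than the configured clockskew (300 seconds by default in MIT Kerberos), so the renewal helper and services such as named fail together, independently of whether the certificates themselves are expired.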
Anthony Cheng
2016-05-05 21:28:51 UTC
Permalink
More updates; it turns out that there were some duplicate and expired
certificates as well as incorrect trust attributes; (e.g. seeing 2
instances of Server-Cert from certutil -L -d /etc/httpd/alias). So I
deleted the duplicate cert and re-add certificate w/ valid date and
fix cert trust attributes along the way.

So it went from this

[***@test ~]# certutil -L -d /etc/httpd/alias

Certificate Nickname                Trust Attributes
                                    SSL,S/MIME,JAR/XPI

Server-Cert                         u,u,u
ipaCert                             u,u,u
sample.NET IPA CA                   CT,C,C
ipaCert                             u,u,u
Signing-Cert                        u,u,u
Server-Cert                         u,u,u

to this

[***@test ~]# certutil -L -d /etc/httpd/alias

Certificate Nickname                Trust Attributes
                                    SSL,S/MIME,JAR/XPI

ipaCert                             u,u,u
Server-Cert                         u,u,u
sample.NET IPA CA                   CT,C,C
Signing-Cert                        u,u,u

And also re-try resubmit/restart processes but unfortunately error
persists ( ca-error: Server failed request, will retry: 4301 (RPC
failed at server. Certificate operation cannot be completed : Unable
to communicate with CMS (Not Found)).)

Currently I am on the process to recreate this problem on RHEL 6 to
try to get RH support on this.

Thanks, Anthony

On Wed, May 4, 2016 at 10:34 AM, Anthony Cheng
Post by Anthony Cheng
Post by Rob Crittenden
Post by Anthony Cheng
Small update, I found an article on the RH solution library (https://access.redhat.com/solutions/2020223) that has the same error code that I am getting and I followed the steps with certutil to update the cert attributes but it is still not working. The article is listed as "Solution in Progress".
Number of certificates and requests being tracked: 7.
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at server.Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
Not Found means the CA didn't start. You need to examine the debug and selftest logs to determine why.
rob
selftests.log is empty; there are entries for other times but not for the time when I set the clock to renew certs.
Fri 29 Jan 2016 08:19:54 AM UTC -0.960583 seconds
-rw-r-----. 1 pkiuser pkiuser 0 Nov 23 14:11 selftests.log
-rw-r-----. 1 pkiuser pkiuser 1206 Apr 7 2015 selftests.log.20150407143526
-rw-r-----. 1 pkiuser pkiuser 3673 Jun 30 2015 selftests.log.20150630163924
-rw-r-----. 1 pkiuser pkiuser 1217 Aug 31 20:07 selftests.log.20150831160735
-rw-r-----. 1 pkiuser pkiuser 3798 Oct 24 14:12 selftests.log.20151024101159
[28/Jan/2016:21:09:03][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
[28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException
Certificate object not found
at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
[28/Jan/2016:21:07:30][main]: CMSEngine.shutdown()
[28/Jan/2016:21:09:02][main]: ============================================
[28/Jan/2016:21:09:02][main]: ===== DEBUG SUBSYSTEM INITIALIZED =======
[28/Jan/2016:21:09:02][main]: ============================================
[28/Jan/2016:21:09:02][main]: CMSEngine: done init id=debug
[28/Jan/2016:21:09:02][main]: CMSEngine: initialized debug
[28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=log
[28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=log
AUDIT_LOG_STARTUP
AUDIT_LOG_SHUTDOWN
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: ROLE_ASSUME
CONFIG_CERT_POLICY
CONFIG_CERT_PROFILE
CONFIG_CRL_PROFILE
CONFIG_OCSP_PROFILE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_AUTH
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_ROLE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_ACL
CONFIG_SIGNED_AUDIT
CONFIG_ENCRYPTION
CONFIG_TRUSTED_PUBLIC_KEY
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_DRM
SELFTESTS_EXECUTION
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_DELETE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: LOG_PATH_CHANGE
PRIVATE_KEY_ARCHIVE_REQUEST
PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED
PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS
PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE
KEY_RECOVERY_REQUEST
KEY_RECOVERY_REQUEST_ASYNC
KEY_RECOVERY_AGENT_LOGIN
KEY_RECOVERY_REQUEST_PROCESSED
KEY_RECOVERY_REQUEST_PROCESSED_ASYNC
KEY_GEN_ASYMMETRIC
NON_PROFILE_CERT_REQUEST
PROFILE_CERT_REQUEST
CERT_REQUEST_PROCESSED
CERT_STATUS_CHANGE_REQUEST
CERT_STATUS_CHANGE_REQUEST_PROCESSED
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUTHZ_SUCCESS
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUTHZ_FAIL
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: INTER_BOUNDARY
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUTH_FAIL
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUTH_SUCCESS
CERT_PROFILE_APPROVAL
PROOF_OF_POSSESSION
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CRL_RETRIEVAL
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CRL_VALIDATION
CMC_SIGNED_REQUEST_SIG_VERIFY
SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE
SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS
SERVER_SIDE_KEYGEN_REQUEST
COMPUTE_SESSION_KEY_REQUEST
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE
DIVERSIFY_KEY_REQUEST
DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE
ENCRYPT_DATA_REQUEST
ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS
ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE
OCSP_ADD_CA_REQUEST
OCSP_ADD_CA_REQUEST_PROCESSED
OCSP_REMOVE_CA_REQUEST
OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS
OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE
COMPUTE_RANDOM_DATA_REQUEST
COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS
COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE
CIMC_CERT_VERIFICATION
[28/Jan/2016:21:09:02][main]: CMSEngine: done init id=log
[28/Jan/2016:21:09:02][main]: CMSEngine: initialized log
[28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=os
[28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=os
[28/Jan/2016:21:09:02][main]: CMSEngine: done init id=os
[28/Jan/2016:21:09:02][main]: CMSEngine: initialized os
[28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=jss
[28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=jss
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_rc4_40_md5
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_rc2_40_md5
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_des_sha
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_rc4_128_md5
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_3des_sha
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_fips_des_sha
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_fips_3des_sha
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl cipher fortezza
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl cipher fortezza_rc4_128_sha
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_null_md5
[28/Jan/2016:21:09:02][main]: CMSEngine: done init id=jss
[28/Jan/2016:21:09:02][main]: CMSEngine: initialized jss
[28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=dbs
[28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=dbs
[28/Jan/2016:21:09:02][main]: LdapBoundConnFactory: init
[28/Jan/2016:21:09:02][main]: LdapBoundConnFactory:doCloning true
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init()
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init begins
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: prompt is Internal LDAP Database
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: try getting from memory cache
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: password not in memory
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: getPasswordFromStore: try to get it from password store
[28/Jan/2016:21:09:02][main]: CMSEngine: getPasswordStore(): password store initialized before.
[28/Jan/2016:21:09:02][main]: CMSEngine: getPasswordStore(): password store initialized.
about to get from passwored store: Internal LDAP Database
password store available
password for Internal LDAP Database not found, trying internaldb
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: password ok: store in memory cache
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init ends
[28/Jan/2016:21:09:02][main]: init: before makeConnection errorIfDown is true
[28/Jan/2016:21:09:02][main]: makeConnection: errorIfDown true
[28/Jan/2016:21:09:02][main]: Established LDAP connection using basic authentication to host test.sample.net port 7389 as cn=Directory Manager
[28/Jan/2016:21:09:02][main]: initializing with mininum 3 and maximum 15 connections to host test.sample.net port 7389, secure connection, false, authentication type 1
[28/Jan/2016:21:09:02][main]: increasing minimum connections by 3
[28/Jan/2016:21:09:02][main]: new total available connections 3
[28/Jan/2016:21:09:02][main]: new number of connections 3
[28/Jan/2016:21:09:02][main]: CMSEngine: done init id=dbs
[28/Jan/2016:21:09:02][main]: CMSEngine: initialized dbs
[28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=usrgrp
[28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=usrgrp
[28/Jan/2016:21:09:02][main]: LdapBoundConnFactory: init
[28/Jan/2016:21:09:02][main]: LdapBoundConnFactory:doCloning true
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init()
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init begins
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: prompt is Internal LDAP Database
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: try getting from memory cache
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: got password from memory
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: password found for prompt.
[28/Jan/2016:21:09:03][main]: LdapAuthInfo: password ok: store in memory cache
[28/Jan/2016:21:09:03][main]: LdapAuthInfo: init ends
[28/Jan/2016:21:09:03][main]: init: before makeConnection errorIfDown is false
[28/Jan/2016:21:09:03][main]: makeConnection: errorIfDown false
[28/Jan/2016:21:09:03][main]: Established LDAP connection using basic authentication to host test.sample.net port 7389 as cn=Directory Manager
[28/Jan/2016:21:09:03][main]: initializing with mininum 3 and maximum 15 connections to host test.sample.net port 7389, secure connection, false, authentication type 1
[28/Jan/2016:21:09:03][main]: increasing minimum connections by 3
[28/Jan/2016:21:09:03][main]: new total available connections 3
[28/Jan/2016:21:09:03][main]: new number of connections 3
[28/Jan/2016:21:09:03][main]: CMSEngine: done init id=usrgrp
[28/Jan/2016:21:09:03][main]: CMSEngine: initialized usrgrp
[28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=registry
[28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=registry
[28/Jan/2016:21:09:03][main]: RegistrySubsystem: start init
[28/Jan/2016:21:09:03][main]: added plugin profileOutput pkcs7OutputImpl PKCS7 Output PKCS7 Output com.netscape.cms.profile.output.PKCS7Output
[28/Jan/2016:21:09:03][main]: added plugin profileOutput cmmfOutputImpl CMMF Response Output CMMF Response Output com.netscape.cms.profile.output.CMMFOutput
[28/Jan/2016:21:09:03][main]: added plugin profileOutput certOutputImpl Certificate Output Certificate Output com.netscape.cms.profile.output.CertOutput
[28/Jan/2016:21:09:03][main]: added plugin profileOutput nsNKeyOutputImpl nsNKeyOutputImpl nsNKeyOutputImpl com.netscape.cms.profile.output.nsNKeyOutput
[28/Jan/2016:21:09:03][main]: added plugin profileInput submitterInfoInputImpl Submitter Information Input Submitter Information Input com.netscape.cms.profile.input.SubmitterInfoInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput serialNumRenewInputImpl Certificate Renewal Request Serial Number Input Certificate Renewal Request Serial Number Input com.netscape.cms.profile.input.SerialNumRenewInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput dualKeyGenInputImpl Dual Key Generation Input Dual Key Generation Input com.netscape.cms.profile.input.DualKeyGenInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput nsNKeyCertReqInputImpl nsNKeyCertReqInputImpl nsNKeyCertReqInputImpl com.netscape.cms.profile.input.nsNKeyCertReqInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput fileSigningInputImpl File Signing Input File Signing Input com.netscape.cms.profile.input.FileSigningInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput certReqInputImpl Certificate Request Input Certificate Request Input com.netscape.cms.profile.input.CertReqInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput cmcCertReqInputImpl CMC Certificate Request Input CMC Certificate Request Input com.netscape.cms.profile.input.CMCCertReqInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput nsHKeyCertReqInputImpl nsHKeyCertReqInputImpl nsHKeyCertReqInputImpl com.netscape.cms.profile.input.nsHKeyCertReqInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput subjectDNInputImpl Subject DN Input Subject DN Input com.netscape.cms.profile.input.SubjectDNInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput keyGenInputImpl Key Generation Input Key Generation Input com.netscape.cms.profile.input.KeyGenInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput genericInputImpl Generic Input Generic Input com.netscape.cms.profile.input.GenericInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput imageInputImpl Image Input Image Input com.netscape.cms.profile.input.ImageInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput subjectNameInputImpl Subject Name Input Subject Name Input com.netscape.cms.profile.input.SubjectNameInput
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy basicConstraintsExtConstraintImpl Basic Constraints Extension Constraint Basic Constraints Extension Constraint com.netscape.cms.profile.constraint.BasicConstraintsExtConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy noConstraintImpl No Constraint No Constraint com.netscape.cms.profile.constraint.NoConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy signingAlgConstraintImpl Signing Algorithm Constraint Signing Algorithm Constraint com.netscape.cms.profile.constraint.SigningAlgConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy extendedKeyUsageExtConstraintImpl Extended Key Usage Extension Constraint Extended Key Usage Extension Constraint com.netscape.cms.profile.constraint.ExtendedKeyUsageExtConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy extensionConstraintImpl Extension Constraint Extension Constraint com.netscape.cms.profile.constraint.ExtensionConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy subjectNameConstraintImpl Subject Name Constraint Subject Name Constraint com.netscape.cms.profile.constraint.SubjectNameConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy uniqueSubjectNameConstraintImpl Unique Subject Name Constraint Unique Subject Name Constraint com.netscape.cms.profile.constraint.UniqueSubjectNameConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy keyUsageExtConstraintImpl Key Usage Extension Constraint Key Usage Extension Constraint com.netscape.cms.profile.constraint.KeyUsageExtConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy renewGracePeriodConstraintImpl Renewal Grace Period Constraint Renewal Grace Period Constraint com.netscape.cms.profile.constraint.RenewGracePeriodConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy keyConstraintImpl Key Constraint Key Constraint com.netscape.cms.profile.constraint.KeyConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy nsCertTypeExtConstraintImpl Netscape Certificate Type Extension Constraint Netscape Certificate Type Extension Constraint com.netscape.cms.profile.constraint.NSCertTypeExtConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy validityConstraintImpl Validity Constraint Validity Constraint com.netscape.cms.profile.constraint.ValidityConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy uniqueKeyConstraintImpl Unique Public Key Constraint Unique Public Key Constraint com.netscape.cms.profile.constraint.UniqueKeyConstraint
[28/Jan/2016:21:09:03][main]: added plugin profile caEnrollImpl Generic Certificate Enrollment Profile Certificate Authority Generic Certificate Enrollment Profile com.netscape.cms.profile.common.CAEnrollProfile
[28/Jan/2016:21:09:03][main]: added plugin profile caUserCertEnrollImpl User Certificate Enrollment Profile Certificate Authority User Certificate Enrollment Profile com.netscape.cms.profile.common.UserCertCAEnrollProfile
[28/Jan/2016:21:09:03][main]: added plugin profile caServerCertEnrollImpl Server Certificate Enrollment Profile Certificate Authority Server Certificate Enrollment Profile com.netscape.cms.profile.common.ServerCertCAEnrollProfile
[28/Jan/2016:21:09:03][main]: added plugin profile caCACertEnrollImpl CA Certificate Enrollment Profile Certificate Authority CA Certificate Enrollment Profile com.netscape.cms.profile.common.CACertCAEnrollProfile
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy userKeyDefaultImpl User Supplied Key Default User Supplied Key Default com.netscape.cms.profile.def.UserKeyDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy freshestCRLExtDefaultImpl Freshest CRL Extension Default Freshest CRL Extension Default com.netscape.cms.profile.def.FreshestCRLExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy authInfoAccessExtDefaultImpl Authority Info Access Extension Default Authority Info Access Extension Default com.netscape.cms.profile.def.AuthInfoAccessExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy nsTokenUserKeySubjectNameDefaultImpl nsTokenUserKeySubjectNameDefault nsTokenUserKeySubjectNameDefaultImpl com.netscape.cms.profile.def.nsTokenUserKeySubjectNameDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy genericExtDefaultImpl Generic Extension Generic Extension com.netscape.cms.profile.def.GenericExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy authorityKeyIdentifierExtDefaultImpl Authority Key Identifier Extension Default Authority Key Identifier Extension Default com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy issuerAltNameExtDefaultImpl Issuer Alternative Name Extension Default Issuer Alternative Name Extension Default com.netscape.cms.profile.def.IssuerAltNameExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy basicConstraintsExtDefaultImpl Basic Constraints Extension Default Basic Constraints Extension Default com.netscape.cms.profile.def.BasicConstraintsExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy keyUsageExtDefaultImpl Key Usage Extension Default Key Usage Extension Default com.netscape.cms.profile.def.KeyUsageExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy ocspNoCheckExtDefaultImpl OCSP No Check Extension Default OCSP No Check Extension Default com.netscape.cms.profile.def.OCSPNoCheckExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy subjectAltNameExtDefaultImpl Subject Alternative Name Extension Default Subject Alternative Name Extension Default com.netscape.cms.profile.def.SubjectAltNameExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy userValidityDefaultImpl User Supplied Validity Default User Supplied Validity Default com.netscape.cms.profile.def.UserValidityDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy userSubjectNameDefaultImpl User Supplied Subject Name Default User Supplied Subject Name Default com.netscape.cms.profile.def.UserSubjectNameDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy subjectDirAttributesExtDefaultImpl Subject Directory Attributes Extension Default Subject Directory Attributes Extension Default com.netscape.cms.profile.def.SubjectDirAttributesExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
certificateVersionDefaultImpl Certificate Version Default Ce
rtificate Version Default com.netscape.cms.profile.def.CertificateVersionDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
extendedKeyUsageExtDefaultImpl Extended Key Usage Extension
Default Extended Key Usage Extension Default
com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
policyConstraintsExtDefaultImpl Policy Constraints Extension
Default Policy Constraints Extension Default
com.netscape.cms.profile.def.PolicyConstraintsExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
crlDistributionPointsExtDefaultImpl CRL Distribution Points
Extension Default CRL Distribution Points Extension Default
com.netscape.cms.profile.def.CRLDistributionPointsExtDefa
ult
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
certificatePoliciesExtDefaultImpl Certificate Policies Exten
sion Default Certificate Policies Extension Default
com.netscape.cms.profile.def.CertificatePoliciesExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
validityDefaultImpl Validity Default Validty Default com.net
scape.cms.profile.def.ValidityDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
privateKeyPeriodExtDefaultImpl Private Key Period Ext Defaul
t Private Key Period Ext Default
com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy noDefaultImpl
No Default No Default com.netscape.cms.profile
.def.NoDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
imageDefaultImpl Image Default Image Default com.netscape.cm
s.profile.def.ImageDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
subjectInfoAccessExtDefaultImpl Subject Info Access Extensio
n Default Subject Info Access Extension Default
com.netscape.cms.profile.def.SubjectInfoAccessExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
autoAssignDefaultImpl Auto Request Assignment Default Auto R
equest Assignment Default com.netscape.cms.profile.def.AutoAssignDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
policyMappingsExtDefaultImpl Policy Mappings Extension Defau
lt Policy Mappings Extension Default
com.netscape.cms.profile.def.PolicyMappingsExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
caValidityDefaultImpl CA Certificate Validity Default CA Cer
tificate Validty Default com.netscape.cms.profile.def.CAValidityDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
userExtensionDefaultImpl User Supplied Extension Default Use
r Supplied Extension Default com.netscape.cms.profile.def.UserExtensionDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
nsCertTypeExtDefaultImpl Netscape Certificate Type Extension
Default Netscape Certificate Type Extension Default
com.netscape.cms.profile.def.NSCertTypeExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
authTokenSubjectNameDefaultImpl Token Supplied Subject Name
Default Token Supplied Subject Name Default
com.netscape.cms.profile.def.AuthTokenSubjectNameDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
subjectNameDefaultImpl Subject Name Default Subject Name Def
ault com.netscape.cms.profile.def.SubjectNameDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
userSigningAlgDefaultImpl User Supplied Signing Alg Default
User Supplied Signing Alg Default
com.netscape.cms.profile.def.UserSigningAlgDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
subjectKeyIdentifierExtDefaultImpl Subject Key Identifier De
fault Subject Key Identifier Default
com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy Extension
Default Inhibit Any-Policy Extension Default
com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
nsTokenDeviceKeySubjectNameDefaultImpl nsTokenDeviceKeySubje
ctNameDefault nsTokenDeviceKeySubjectNameDefaultImpl
com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
nscCommentExtDefaultImpl Netscape Comment Extension Default
Netscape Comment Extension Default
com.netscape.cms.profile.def.NSCCommentExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
signingAlgDefaultImpl Signing Algorithm Default Signing Algo
rithm Default com.netscape.cms.profile.def.SigningAlgDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
nameConstraintsExtDefaultImpl Name Constraints Extension Def
ault Name Constraints Extension Default
com.netscape.cms.profile.def.NameConstraintsExtDefault
[28/Jan/2016:21:09:03][main]: added plugin profileUpdater
subsystemGroupUpdaterImpl Updater for Subsystem Group Updat
er for Subsystem Group com.netscape.cms.profile.updater.SubsystemGroupUpdater
[28/Jan/2016:21:09:03][main]: CMSEngine: done init id=registry
[28/Jan/2016:21:09:03][main]: CMSEngine: initialized registry
[28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=oidmap
[28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=oidmap
[28/Jan/2016:21:09:03][main]: CMSEngine: done init id=oidmap
[28/Jan/2016:21:09:03][main]: CMSEngine: initialized oidmap
[28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=X500Name
[28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=X500Name
[28/Jan/2016:21:09:03][main]: CMSEngine: done init id=X500Name
[28/Jan/2016:21:09:03][main]: CMSEngine: initialized X500Name
[28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=request
[28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=request
[28/Jan/2016:21:09:03][main]: CMSEngine: done init id=request
[28/Jan/2016:21:09:03][main]: CMSEngine: initialized request
[28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=ca
[28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=ca
[28/Jan/2016:21:09:03][main]: CertificateAuthority init
[28/Jan/2016:21:09:03][main]: Cert Repot inited
[28/Jan/2016:21:09:03][main]: CRL Repot inited
[28/Jan/2016:21:09:03][main]: Replica Repot inited
[28/Jan/2016:21:09:03][main]: ca.signing Signing Unit nickname caSigningCert cert-pki-ca
[28/Jan/2016:21:09:03][main]: Got token Internal Key Storage Token by name
[28/Jan/2016:21:09:03][main]: Found cert by nickname: 'caSigningCert cert-pki-ca' with serial number: 1
[28/Jan/2016:21:09:03][main]: converted to x509CertImpl
[28/Jan/2016:21:09:03][main]: Got private key from cert
[28/Jan/2016:21:09:03][main]: Got public key from cert
[28/Jan/2016:21:09:03][main]: got signing algorithm RSASignatureWithSHA256Digest
[28/Jan/2016:21:09:03][main]: CA signing unit inited
[28/Jan/2016:21:09:03][main]: cachainNum= 0
[28/Jan/2016:21:09:03][main]: in init - got CA chain from JSS.
[28/Jan/2016:21:09:03][main]: ca.ocsp_signing Signing Unit nickname ca.ocsp_signing.cert
[28/Jan/2016:21:09:03][main]: Got token Internal Key Storage Token by name
[28/Jan/2016:21:09:03][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
[28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException
Certificate object not found
at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1204)
at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
at org.apache.catalina.core.StandardService.start(StandardService.java:516)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
[28/Jan/2016:21:09:03][main]: CMSEngine.shutdown()
password store initialized before.
password store initialized.
password store initialized before.
password store initialized.
Post by Rob Crittenden
Post by Anthony Cheng
stuck: yes
type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-SAMPLE-NET//pwdfile.txt'
type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=SAMPLE.NET
subject: CN=caer.SAMPLE.net,O=SAMPLE.NET
expires: 2016-01-29 14:09:46 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
On Mon, May 2, 2016 at 5:35 PM Anthony Cheng
On Sat, Apr 30, 2016 at 10:08 AM Rob Crittenden
Post by Anthony Cheng
OK so I made progress on my cert renew issue; I was able to get kinit working so I can follow the rest of the steps here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
However, after using
ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
and restarting apache (/sbin/service httpd restart), resubmitting 3 certs (ipa-getcert resubmit -i <ID>) and restarting IPA (resubmit -i <ID>)
Number of certificates and requests being tracked: 8.
status: CA_UNREACHABLE
4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).

IPA proxies requests to the CA through Apache. This means that while tomcat started ok it didn't load the dogtag CA application, hence the Not Found.
Check the CA debug and selftest logs to see why it failed to start properly.
[ snip ]

Actually after a reboot that error went away and I just get this error instead "ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates)." from "getcert list"
Result of service ipa restart is interesting since it shows today's time when I already changed date/time/disabled NTP, so somehow the system still knows today's time.
CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)

Hard to say. I'd confirm that there is no time syncing service running, ntp or otherwise.

I found out why the time kept changing; it was due to the fact that it has VM tools installed (I didn't configure this box) so it automatically syncs time during bootup.
ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found))
I tried the step http://www.freeipa.org/page/Troubleshooting with
certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt
openssl x509 -text -in /tmp/ra.crt
certutil -A -n ipaCert -d /etc/httpd/alias -t u,u,u -a -i /tmp/ra.crt
service httpd restart
so that I can get rid of one of the CA certs that is expired (kept the 1st one), but I am still getting the same error.
What exactly is CMS and why is it not found?
-rw-r-----. 1 pkiuser pkiuser 0 Nov 23 14:11 /var/log/pki-ca/selftests.log
INFO: JK: ajp13 listening on /0.0.0.0:9447
Jan 27, 2016 2:45:31 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=1/23config=null
Jan 27, 2016 2:45:31 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 1722 ms
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9180
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9443
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9445
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9444
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9446
Jan 27, 2016 2:56:22 PM org.apache.catalina.core.StandardService stop
INFO: Stopping service Catalina
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [Timer-0] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.flush-4] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.rollover-6] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.flush-6] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.rollover-8] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.flush-9] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.rollover-10] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [LDAPConnThread-2 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [LDAPConnThread-3 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [LDAPConnThread-4 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type value of type [java.text.SimpleDateFormat] (value the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type value of type [java.text.SimpleDateFormat] (value the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9180
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9443
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9445
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9444
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9446
Jan 27, 2016 2:57:36 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the
/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9180
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9443
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9445
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9444
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9446
Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 2198 ms
Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.24
Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory ROOT
Jan 27, 2016 2:57:38 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory ca
64-bit osutil library loaded
64-bit osutil library loaded
Certificate object not found
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9180
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9443
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9445
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9444
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9446
Jan 27, 2016 2:57:40 PM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:9447
Jan 27, 2016 2:57:40 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/40config=null
Jan 27, 2016 2:57:40 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 2592 ms
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectAltNameExtDefaultImpl Subject Alternative Name Extension Default Subject Alternative Name Extension Default com.netscape.cms.profile.def.SubjectAltNameExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userValidityDefaultImpl User Supplied Validity Default User Supplied Validity Default com.netscape.cms.profile.def.UserValidityDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userSubjectNameDefaultImpl User Supplied Subject Name Default User Supplied Subject Name Default com.netscape.cms.profile.def.UserSubjectNameDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectDirAttributesExtDefaultImpl Subject Directory Attributes Extension Default Subject Directory Attributes Extension Default com.netscape.cms.profile.def.SubjectDirAttributesExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy certificateVersionDefaultImpl Certificate Version Default Certificate Version Default com.netscape.cms.profile.def.CertificateVersionDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy extendedKeyUsageExtDefaultImpl Extended Key Usage Extension Default Extended Key Usage Extension Default com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy policyConstraintsExtDefaultImpl Policy Constraints Extension Default Policy Constraints Extension Default com.netscape.cms.profile.def.PolicyConstraintsExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy crlDistributionPointsExtDefaultImpl CRL Distribution Points Extension Default CRL Distribution Points Extension Default com.netscape.cms.profile.def.CRLDistributionPointsExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy certificatePoliciesExtDefaultImpl Certificate Policies Extension Default Certificate Policies Extension Default com.netscape.cms.profile.def.CertificatePoliciesExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy validityDefaultImpl Validity Default Validty Default com.netscape.cms.profile.def.ValidityDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy privateKeyPeriodExtDefaultImpl Private Key Period Ext Default Private Key Period Ext Default com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy noDefaultImpl No Default No Default com.netscape.cms.profile.def.NoDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy imageDefaultImpl Image Default Image Default com.netscape.cms.profile.def.ImageDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectInfoAccessExtDefaultImpl Subject Info Access Extension Default Subject Info Access Extension Default com.netscape.cms.profile.def.SubjectInfoAccessExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy autoAssignDefaultImpl Auto Request Assignment Default Auto Request Assignment Default com.netscape.cms.profile.def.AutoAssignDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy policyMappingsExtDefaultImpl Policy Mappings Extension Default Policy Mappings Extension Default com.netscape.cms.profile.def.PolicyMappingsExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy caValidityDefaultImpl CA Certificate Validity Default CA Certificate Validty Default com.netscape.cms.profile.def.CAValidityDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userExtensionDefaultImpl User Supplied Extension Default User Supplied Extension Default com.netscape.cms.profile.def.UserExtensionDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nsCertTypeExtDefaultImpl Netscape Certificate Type Extension Default Netscape Certificate Type Extension Default com.netscape.cms.profile.def.NSCertTypeExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy authTokenSubjectNameDefaultImpl Token Supplied Subject Name Default Token Supplied Subject Name Default com.netscape.cms.profile.def.AuthTokenSubjectNameDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectNameDefaultImpl Subject Name Default Subject Name Default com.netscape.cms.profile.def.SubjectNameDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userSigningAlgDefaultImpl User Supplied Signing Alg Default User Supplied Signing Alg Default com.netscape.cms.profile.def.UserSigningAlgDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectKeyIdentifierExtDefaultImpl Subject Key Identifier Default Subject Key Identifier Default com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy Extension Default Inhibit Any-Policy Extension Default com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nsTokenDeviceKeySubjectNameDefaultImpl nsTokenDeviceKeySubjectNameDefault nsTokenDeviceKeySubjectNameDefaultImpl com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nscCommentExtDefaultImpl Netscape Comment Extension Default Netscape Comment Extension Default com.netscape.cms.profile.def.NSCCommentExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy signingAlgDefaultImpl Signing Algorithm Default Signing Algorithm Default com.netscape.cms.profile.def.SigningAlgDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nameConstraintsExtDefaultImpl Name Constraints Extension Default Name Constraints Extension Default com.netscape.cms.profile.def.NameConstraintsExtDefault
[27/Jan/2016:15:30:43][main]: added plugin profileUpdater subsystemGroupUpdaterImpl Updater for Subsystem Group Updater for Subsystem Group com.netscape.cms.profile.updater.SubsystemGroupUpdater
[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=registry
[27/Jan/2016:15:30:43][main]: CMSEngine: initialized registry
[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=oidmap
[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=oidmap
[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=oidmap
[27/Jan/2016:15:30:43][main]: CMSEngine: initialized oidmap
[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=X500Name
[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=X500Name
[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=X500Name
[27/Jan/2016:15:30:43][main]: CMSEngine: initialized X500Name
[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=request
[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=request
[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=request
[27/Jan/2016:15:30:43][main]: CMSEngine: initialized request
[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=ca
[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=ca
[27/Jan/2016:15:30:43][main]: CertificateAuthority init
[27/Jan/2016:15:30:43][main]: Cert Repot inited
[27/Jan/2016:15:30:43][main]: CRL Repot inited
[27/Jan/2016:15:30:43][main]: Replica Repot inited
[27/Jan/2016:15:30:43][main]: ca.signing Signing Unit nickname caSigningCert cert-pki-ca
[27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name
[27/Jan/2016:15:30:43][main]: Found cert by nickname: 'caSigningCert cert-pki-ca' with serial number: 1
[27/Jan/2016:15:30:43][main]: converted to x509CertImpl
[27/Jan/2016:15:30:43][main]: Got private key from cert
[27/Jan/2016:15:30:43][main]: Got public key from cert
[27/Jan/2016:15:30:43][main]: got signing algorithm RSASignatureWithSHA256Digest
[27/Jan/2016:15:30:43][main]: CA signing unit inited
[27/Jan/2016:15:30:43][main]: cachainNum= 0
[27/Jan/2016:15:30:43][main]: in init - got CA chain from JSS.
[27/Jan/2016:15:30:43][main]: ca.ocsp_signing Signing Unit nickname ca.ocsp_signing.cert
[27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name
[27/Jan/2016:15:30:43][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
[27/Jan/2016:15:30:43][main]: CMS:Caught EBaseException
Certificate object not found
at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
at
com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1204)
at
com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
at
com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
at
com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
at
com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
at
org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
at
org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
at
org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
at
org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
at
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
at
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
at
org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
at
org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
at
org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
at
org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
at
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
at
org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
at
org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at
org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
at
org.apache.catalina.core.StandardService.start(StandardService.java:516)
at
org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
[27/Jan/2016:15:30:43][main]: CMSEngine.shutdown()
Post by Anthony Cheng
Would really greatly appreciate any help on this.
Also I noticed after I do ldapmodify of usercertificate binary data with
Post by Anthony Cheng
add: usercertificate;binary
You really pasted in binary? Or was this base64-encoded data?
I wonder if there is a problem in the wiki. If this is really a binary value you should start with a DER-encoded cert and load it using
dn: uid=ipara,ou=people,o=ipaca
changetype: modify
add: usercertificate;binary
usercertificate;binary:< file:///path/to/cert.der
You can use something like openssl x509 to switch between PEM and DER formats.
I have a vague memory that dogtag can deal with a multi-valued usercertificate attribute.
rob
ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b uid=ipara,ou=People,o=ipaca -W
shows userCertificate;binary:: GJ6Q0NBbGVnQXd ...
But the actual data is from a PEM though.
Ok. So I looked at my CA data and it doesn't use the binary subtype, so
userCertificate:: MIID....
It might make a difference if dogtag is looking for the subtype or not.
rob
Post by Anthony Cheng
Then I re-run
ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca
I see 2 entries for usercertificate;binary (before modify there was only 1) but they are duplicate and NOT from data that I added. That seems incorrect to me.
On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng
klist is actually empty; kinit admin fails. Sounds like then getcert resubmit has a dependency on Kerberos. I can get a backup image that has a valid ticket but it is only good for 1 day (and dated past the cert expiry).
Also I had asked a while back about whether there is a dependency on DIRSRV to renew the cert; didn't get any response but I suspect there is a dependency.
Regarding the clock skew, I found out from /var/log/message that
Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great)
Jan 28 14:10:42 test named[2911]: loading configuration: failure
Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)
I don't have a krb5cc_496 file (since klist is empty), so it sounds to me like I need to get a Kerberos ticket before going any further. Also, is the file /etc/krb5.keytab access/modification time important? I had changed the time back to before the cert expiration date, rebooted and tried to renew, but the error message about clock skew is still there. That seems strange.
Lastly, as an absolute last resort, can I regenerate a new cert myself?
https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
Starting Directory Service
PKI-IPA... [ OK ]
sample-NET... [ OK ]
Starting KDC Service [ OK ]
Starting KPASSWD Service [ OK ]
Starting DNS Service [FAILED]
Failed to start DNS Service
Shutting down
[ OK ]
[ OK ]
[ OK ]
[ OK ]
[ OK ]
PKI-IPA... [ OK ]
sample-NET... [ OK ]
Aborting ipactl
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
Directory Service: STOPPED
Directory Server is stopped
On Thu, Apr 28, 2016 at 3:21 AM David Kupka
Post by Anthony Cheng
Hi list,
I am trying to renew expired certificates following the manual renewal procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but even with resetting the system/hardware clock to a time before expires, I am getting the error "ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great."
With NTP disabled and the clock reset, why would it complain about clock skew, and how does it even know about the current time?
Number of certificates and requests being tracked: 8.
status: MONITORING
ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:46 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
status: MONITORING
ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:45 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
status: MONITORING
ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:45 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
stuck: yes
key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
'
certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=CA Audit,O=sample.NET
expires: 2017-10-13 14:10:49 UTC
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
stuck: yes
key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
'
certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=OCSP Subsystem,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
stuck: yes
key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
'
certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=CA Subsystem,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
status: MONITORING
ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=RA Subsystem,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
stuck: yes
key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664
'
certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
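Rob's suggestion above is to load a DER-encoded certificate through `usercertificate;binary:< file:///path/to/cert.der`, and his question is whether what got stored was binary or base64 text. The following is an added example, not code from the thread or from FreeIPA, that converts a PEM certificate to DER with only the standard library, writes the LDIF in the shape Rob gave (using LDIF's inline `::` base64 form instead of the `file://` reference), and classifies what a `userCertificate;binary::` value returned by ldapsearch actually decodes to. The certificate bytes are constructed, not a real certificate.

```python
import base64
import re

# Constructed sample: a fake DER blob that begins with the SEQUENCE header
# (0x30 0x82 <2-byte length>) every real certificate has, plus its PEM armour.
FAKE_DER = bytes([0x30, 0x82, 0x00, 0x10]) + bytes(range(16))
FAKE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armour and base64-decode the body, which is what
    `openssl x509 -inform PEM -outform DER` does for a single certificate."""
    m = PEM_BLOCK.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def encode_for_ldif(data: bytes) -> str:
    """LDIF carries binary values base64-encoded after a double colon."""
    return base64.b64encode(data).decode("ascii")


def modify_ldif(dn: str, der: bytes) -> str:
    """The ldapmodify record Rob showed, with the DER bytes inlined instead of
    referenced via `usercertificate;binary:< file:///path/to/cert.der`."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "add: usercertificate;binary\n"
        f"usercertificate;binary:: {encode_for_ldif(der)}\n"
    )


def ldif_value(ldif: str, attr: str = "usercertificate;binary") -> str:
    """Pull the base64 value of `attr` out of an LDIF record (as printed by
    ldapsearch or as built by modify_ldif)."""
    for line in ldif.splitlines():
        if line.lower().startswith(attr + "::"):
            return line.split("::", 1)[1].strip()
    raise KeyError(attr)


def classify_stored_value(ldif_b64: str) -> str:
    """Decode a `userCertificate;binary::` value and say what the directory
    is really holding: DER, the PEM armour stored verbatim, or bare base64
    text (a PEM body pasted as if it were binary)."""
    raw = base64.b64decode("".join(ldif_b64.split()))
    if raw[:2] == b"\x30\x82":
        return "DER"
    if raw.startswith(b"-----BEGIN"):
        return "PEM text"
    if re.fullmatch(rb"[A-Za-z0-9+/=\r\n]+", raw):
        return "base64 text"
    return "unknown"


if __name__ == "__main__":
    ldif = modify_ldif("uid=ipara,ou=people,o=ipaca", pem_to_der(FAKE_PEM))
    print(ldif)
    print("stored value decodes to:", classify_stored_value(ldif_value(ldif)))
    # Feeding the PEM text itself is the mistake the thread is circling around.
    print("PEM pasted as binary:", classify_stored_value(encode_for_ldif(FAKE_PEM.encode())))
```

To check a live entry, paste the `userCertificate;binary::` value from `ldapsearch` into `classify_stored_value`; anything other than "DER" means the directory holds text, not the certificate.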
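Rob's advice in this thread is to read the Dogtag debug log for why the CA does not start; the quoted log shows the ca.ocsp_signing unit failing with ObjectNotFoundException right after it logs the nickname it was given. The following is an added example, not code from the thread or from Dogtag, that walks such a log and reports, per signing unit, the nickname tried and whether the lookup succeeded. The sample lines are constructed from the posted excerpt, and the "looks like a config key" flag is a heuristic of mine (a nickname with dots and no spaces, unlike "caSigningCert cert-pki-ca").

```python
import re

# Constructed sample in the shape of the pki-ca debug log quoted above.
SAMPLE_DEBUG_LOG = """\
[27/Jan/2016:15:30:43][main]: ca.signing Signing Unit nickname caSigningCert cert-pki-ca
[27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name
[27/Jan/2016:15:30:43][main]: Found cert by nickname: 'caSigningCert cert-pki-ca' with serial number: 1
[27/Jan/2016:15:30:43][main]: CA signing unit inited
[27/Jan/2016:15:30:43][main]: ca.ocsp_signing Signing Unit nickname
ca.ocsp_signing.cert
[27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name
[27/Jan/2016:15:30:43][main]: SigningUnit init: debug
org.mozilla.jss.crypto.ObjectNotFoundException
[27/Jan/2016:15:30:43][main]: CMS:Caught EBaseException
Certificate object not found
at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
[27/Jan/2016:15:30:43][main]: CMSEngine.shutdown()
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
UNIT_RE = re.compile(r"^(?P<unit>[\w.]+) Signing Unit nickname (?P<nick>.+)$")


def iter_messages(log_text: str):
    """Yield (timestamp, message). Lines without the '[ts][thread]: ' prefix
    (mail-wrapped continuations, exception text, stack frames) are appended
    to the previous message so wrapped entries read as one record."""
    current = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group("ts"), m.group("msg").strip()]
        elif current is not None and line.strip():
            current[1] = (current[1] + " " + line.strip()).strip()
    if current:
        yield tuple(current)


def signing_unit_report(log_text: str) -> list:
    """One dict per '<unit> Signing Unit nickname <nick>' entry, with the
    outcome of the certificate lookup that follows it in the log."""
    units = []
    for ts, msg in iter_messages(log_text):
        um = UNIT_RE.match(msg)
        if um:
            nick = um.group("nick")
            units.append({
                "unit": um.group("unit"),
                "nickname": nick,
                "status": "initialising",
                "first_seen": ts,
                # heuristic: NSS nicknames in this deployment carry a space,
                # config keys look like dotted property names
                "looks_like_config_key": " " not in nick and "." in nick,
            })
            continue
        if not units:
            continue
        cur = units[-1]
        if msg.startswith("Found cert by nickname") or "signing unit inited" in msg:
            cur["status"] = "ok"
        elif "ObjectNotFoundException" in msg or "Certificate object not found" in msg:
            cur["status"] = "certificate not found"
    return units


def failed_units(log_text: str) -> list:
    """Signing units whose certificate lookup did not complete."""
    return [u for u in signing_unit_report(log_text) if u["status"] != "ok"]


if __name__ == "__main__":
    for u in signing_unit_report(SAMPLE_DEBUG_LOG):
        flag = " (nickname looks like a config key)" if u["looks_like_config_key"] else ""
        print(f"{u['unit']}: nickname '{u['nickname']}' -> {u['status']}{flag}")
```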
Rob Crittenden
2016-05-05 21:39:08 UTC
Permalink
Post by Anthony Cheng
More updates; it turns out that there were some duplicate and expired certificates as well as incorrect trust attributes (e.g. seeing 2 instances of Server-Cert from certutil -L -d /etc/httpd/alias). So I deleted the duplicate cert, re-added the certificate with a valid date and fixed the cert trust attributes along the way.
You're fixing the wrong place. Apache is up and serving which is how you are getting Not Found. It is dogtag that isn't starting for some reason.
Maybe Endi has some ideas.
rob
Post by Anthony Cheng
So it went from this
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
Server-Cert                                                  u,u,u
ipaCert                                                      u,u,u
sample.NET IPA CA                                            CT,C,C
ipaCert                                                      u,u,u
Signing-Cert                                                 u,u,u
Server-Cert                                                  u,u,u
to this
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
sample.NET IPA CA                                            CT,C,C
Signing-Cert                                                 u,u,u
And also re-tried the resubmit/restart processes, but unfortunately the error persists (ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).)
Currently I am in the process of recreating this problem on RHEL 6 to try to get RH support on this.
Thanks, Anthony
On Wed, May 4, 2016 at 10:34 AM, Anthony Cheng
Post by Anthony Cheng
Post by Rob Crittenden
Post by Anthony Cheng
Small update, I found an article on the RH solution library (https://access.redhat.com/solutions/2020223) that has the same error code that I am getting and I followed the steps with certutil to update the cert attributes but it is still not working. The article is listed as "Solution in Progress".
Number of certificates and requests being tracked: 7.
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
Not Found means the CA didn't start. You need to examine the debug and selftest logs to determine why.
rob
selftests.log is empty; there are entries for other times but not for the time when I set the clock to renew certs.
Fri 29 Jan 2016 08:19:54 AM UTC -0.960583 seconds
-rw-r-----. 1 pkiuser pkiuser    0 Nov 23 14:11 selftests.log
-rw-r-----. 1 pkiuser pkiuser 1206 Apr  7  2015 selftests.log.20150407143526
-rw-r-----. 1 pkiuser pkiuser 3673 Jun 30  2015 selftests.log.20150630163924
-rw-r-----. 1 pkiuser pkiuser 1217 Aug 31 20:07 selftests.log.20150831160735
-rw-r-----. 1 pkiuser pkiuser 3798 Oct 24 14:12 selftests.log.20151024101159
[28/Jan/2016:21:09:03][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
[28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException
Certificate object not found
at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
[28/Jan/2016:21:07:30][main]: CMSEngine.shutdown()
[28/Jan/2016:21:09:02][main]: ============================================
[28/Jan/2016:21:09:02][main]: ===== DEBUG SUBSYSTEM INITIALIZED =======
[28/Jan/2016:21:09:02][main]: ============================================
[28/Jan/2016:21:09:02][main]: CMSEngine: done init id=debug
[28/Jan/2016:21:09:02][main]: CMSEngine: initialized debug
[28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=log
[28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=log
AUDIT_LOG_STARTUP
AUDIT_LOG_SHUTDOWN
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: ROLE_ASSUME
CONFIG_CERT_POLICY
CONFIG_CERT_PROFILE
CONFIG_CRL_PROFILE
CONFIG_OCSP_PROFILE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_AUTH
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_ROLE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_ACL
CONFIG_SIGNED_AUDIT
CONFIG_ENCRYPTION
CONFIG_TRUSTED_PUBLIC_KEY
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_DRM
SELFTESTS_EXECUTION
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_DELETE
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: LOG_PATH_CHANGE
PRIVATE_KEY_ARCHIVE_REQUEST
PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED
PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS
PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE
KEY_RECOVERY_REQUEST
KEY_RECOVERY_REQUEST_ASYNC
KEY_RECOVERY_AGENT_LOGIN
KEY_RECOVERY_REQUEST_PROCESSED
KEY_RECOVERY_REQUEST_PROCESSED_ASYNC
KEY_GEN_ASYMMETRIC
NON_PROFILE_CERT_REQUEST
PROFILE_CERT_REQUEST
CERT_REQUEST_PROCESSED
CERT_STATUS_CHANGE_REQUEST
CERT_STATUS_CHANGE_REQUEST_PROCESSED
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUTHZ_SUCCESS
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUTHZ_FAIL
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: INTER_BOUNDARY
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUTH_FAIL
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUTH_SUCCESS
CERT_PROFILE_APPROVAL
PROOF_OF_POSSESSION
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CRL_RETRIEVAL
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CRL_VALIDATION
CMC_SIGNED_REQUEST_SIG_VERIFY
SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE
SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS
SERVER_SIDE_KEYGEN_REQUEST
COMPUTE_SESSION_KEY_REQUEST
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE
DIVERSIFY_KEY_REQUEST
DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE
ENCRYPT_DATA_REQUEST
ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS
ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE
OCSP_ADD_CA_REQUEST
OCSP_ADD_CA_REQUEST_PROCESSED
OCSP_REMOVE_CA_REQUEST
OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS
OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE
COMPUTE_RANDOM_DATA_REQUEST
COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS
COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE
CIMC_CERT_VERIFICATION
[28/Jan/2016:21:09:02][main]: CMSEngine: done init id=log
[28/Jan/2016:21:09:02][main]: CMSEngine: initialized log
[28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=os
[28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=os
[28/Jan/2016:21:09:02][main]: CMSEngine: done init id=os
[28/Jan/2016:21:09:02][main]: CMSEngine: initialized os
[28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=jss
[28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=jss
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_rc4_40_md5
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_rc2_40_md5
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_des_sha
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_rc4_128_md5
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_3des_sha
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_fips_des_sha
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_fips_3des_sha
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl cipher fortezza
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl cipher fortezza_rc4_128_sha
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl cipher rsa_null_md5
[28/Jan/2016:21:09:02][main]: CMSEngine: done init id=jss
[28/Jan/2016:21:09:02][main]: CMSEngine: initialized jss
[28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=dbs
[28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=dbs
[28/Jan/2016:21:09:02][main]: LdapBoundConnFactory: init
[28/Jan/2016:21:09:02][main]: LdapBoundConnFactory:doCloning true
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init()
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init begins
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: prompt is Internal LDAP Database
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: try getting from memory cache
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: password not in memory
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: getPasswordFromStore: try to get it from password store
[28/Jan/2016:21:09:02][main]: CMSEngine: getPasswordStore(): password store initialized before.
[28/Jan/2016:21:09:02][main]: CMSEngine: getPasswordStore(): password store initialized.
about to get from passwored store: Internal LDAP Database
password store available
password for Internal LDAP Database not found, trying internaldb
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: password ok: store in memory cache
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init ends
[28/Jan/2016:21:09:02][main]: init: before makeConnection errorIfDown is true
[28/Jan/2016:21:09:02][main]: makeConnection: errorIfDown true
[28/Jan/2016:21:09:02][main]: Established LDAP connection using basic authentication to host test.sample.net port 7389 as cn=Directory Manager
[28/Jan/2016:21:09:02][main]: initializing with mininum 3 and maximum 15 connections to host test.sample.net port 7389, secure connection, false, authentication type 1
[28/Jan/2016:21:09:02][main]: increasing minimum connections by 3
[28/Jan/2016:21:09:02][main]: new total available connections 3
[28/Jan/2016:21:09:02][main]: new number of connections 3
[28/Jan/2016:21:09:02][main]: CMSEngine: done init id=dbs
[28/Jan/2016:21:09:02][main]: CMSEngine: initialized dbs
[28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=usrgrp
[28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=usrgrp
[28/Jan/2016:21:09:02][main]: LdapBoundConnFactory: init
[28/Jan/2016:21:09:02][main]: LdapBoundConnFactory:doCloning true
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init()
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init begins
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: prompt is Internal LDAP Database
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: try getting from memory cache
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: got password from memory
[28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: password found for prompt.
[28/Jan/2016:21:09:03][main]: LdapAuthInfo: password ok: store in memory cache
[28/Jan/2016:21:09:03][main]: LdapAuthInfo: init ends
[28/Jan/2016:21:09:03][main]: init: before makeConnection errorIfDown is false
[28/Jan/2016:21:09:03][main]: makeConnection: errorIfDown false
[28/Jan/2016:21:09:03][main]: Established LDAP connection using basic authentication to host test.sample.net port 7389 as cn=Directory Manager
[28/Jan/2016:21:09:03][main]: initializing with mininum 3 and maximum 15 connections to host test.sample.net port 7389, secure connection, false, authentication type 1
[28/Jan/2016:21:09:03][main]: increasing minimum connections by 3
[28/Jan/2016:21:09:03][main]: new total available connections 3
[28/Jan/2016:21:09:03][main]: new number of connections 3
[28/Jan/2016:21:09:03][main]: CMSEngine: done init id=usrgrp
[28/Jan/2016:21:09:03][main]: CMSEngine: initialized usrgrp
[28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=registry
[28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=registry
[28/Jan/2016:21:09:03][main]: RegistrySubsystem: start init
[28/Jan/2016:21:09:03][main]: added plugin profileOutput pkcs7OutputImpl PKCS7 Output PKCS7 Output com.netscape.cms.profile.output.PKCS7Output
[28/Jan/2016:21:09:03][main]: added plugin profileOutput cmmfOutputImpl CMMF Response Output CMMF Response Output com.netscape.cms.profile.output.CMMFOutput
[28/Jan/2016:21:09:03][main]: added plugin profileOutput certOutputImpl Certificate Output Certificate Output com.netscape.cms.profile.output.CertOutput
[28/Jan/2016:21:09:03][main]: added plugin profileOutput nsNKeyOutputImpl nsNKeyOutputImpl nsNKeyOutputImpl com.netscape.cms.profile.output.nsNKeyOutput
[28/Jan/2016:21:09:03][main]: added plugin profileInput submitterInfoInputImpl Submitter Information Input Submitter Information Input com.netscape.cms.profile.input.SubmitterInfoInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput serialNumRenewInputImpl Certificate Renewal Request Serial Number Input Certificate Renewal Request Serial Number Input com.netscape.cms.profile.input.SerialNumRenewInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput dualKeyGenInputImpl Dual Key Generation Input Dual Key Generation Input com.netscape.cms.profile.input.DualKeyGenInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput nsNKeyCertReqInputImpl nsNKeyCertReqInputImpl nsNKeyCertReqInputImpl com.netscape.cms.profile.input.nsNKeyCertReqInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput fileSigningInputImpl File Signing Input File Signing Input com.netscape.cms.profile.input.FileSigningInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput certReqInputImpl Certificate Request Input Certificate Request Input com.netscape.cms.profile.input.CertReqInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput cmcCertReqInputImpl CMC Certificate Request Input CMC Certificate Request Input com.netscape.cms.profile.input.CMCCertReqInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput nsHKeyCertReqInputImpl nsHKeyCertReqInputImpl nsHKeyCertReqInputImpl com.netscape.cms.profile.input.nsHKeyCertReqInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput subjectDNInputImpl Subject DN Input Subject DN Input com.netscape.cms.profile.input.SubjectDNInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput keyGenInputImpl Key Generation Input Key Generation Input com.netscape.cms.profile.input.KeyGenInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput genericInputImpl Generic Input Generic Input com.netscape.cms.profile.input.GenericInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput imageInputImpl Image Input Image Input com.netscape.cms.profile.input.ImageInput
[28/Jan/2016:21:09:03][main]: added plugin profileInput subjectNameInputImpl Subject Name Input Subject Name Input com.netscape.cms.profile.input.SubjectNameInput
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy basicConstraintsExtConstraintImpl Basic Constraints Extension Constraint Basic Constraints Extension Constraint com.netscape.cms.profile.constraint.BasicConstraintsExtConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy noConstraintImpl No Constraint No Constraint com.netscape.cms.profile.constraint.NoConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy signingAlgConstraintImpl Signing Algorithm Constraint Signing Algorithm Constraint com.netscape.cms.profile.constraint.SigningAlgConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy extendedKeyUsageExtConstraintImpl Extended Key Usage Extension Constraint Extended Key Usage Extension Constraint com.netscape.cms.profile.constraint.ExtendedKeyUsageExtConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy extensionConstraintImpl Extension Constraint Extension Constraint com.netscape.cms.profile.constraint.ExtensionConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy subjectNameConstraintImpl Subject Name Constraint Subject Name Constraint com.netscape.cms.profile.constraint.SubjectNameConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy uniqueSubjectNameConstraintImpl Unique Subject Name Constraint Unique Subject Name Constraint com.netscape.cms.profile.constraint.UniqueSubjectNameConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy keyUsageExtConstraintImpl Key Usage Extension Constraint Key Usage Extension Constraint com.netscape.cms.profile.constraint.KeyUsageExtConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy renewGracePeriodConstraintImpl Renewal Grace Period Constraint Renewal Grace Period Constraint com.netscape.cms.profile.constraint.RenewGracePeriodConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy keyConstraintImpl Key Constraint Key Constraint com.netscape.cms.profile.constraint.KeyConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy nsCertTypeExtConstraintImpl Netscape Certificate Type Extension Constraint Netscape Certificate Type Extension Constraint com.netscape.cms.profile.constraint.NSCertTypeExtConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy validityConstraintImpl Validity Constraint Validity Constraint com.netscape.cms.profile.constraint.ValidityConstraint
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy uniqueKeyConstraintImpl Unique Public Key Constraint Unique Public Key Constraint com.netscape.cms.profile.constraint.UniqueKeyConstraint
[28/Jan/2016:21:09:03][main]: added plugin profile caEnrollImpl Generic Certificate Enrollment Profile Certificate Authority Generic Certificate Enrollment Profile com.netscape.cms.profile.common.CAEnrollProfile
[28/Jan/2016:21:09:03][main]: added plugin profile caUserCertEnrollImpl User Certificate Enrollment Profile Certificate Authority User Certificate Enrollment Profile com.netscape.cms.profile.common.UserCertCAEnrollProfile
[28/Jan/2016:21:09:03][main]: added plugin profile caServerCertEnrollImpl Server Certificate Enrollment Profile Certificate Authority Server Certificate Enrollment Profile com.netscape.cms.profile.common.ServerCertCAEnrollProfile
[28/Jan/2016:21:09:03][main]: added plugin profile caCACertEnrollImpl CA Certificate Enrollment Profile Certificate Authority CA Certificate Enrollment Profile com.netscape.cms.profile.common.CACertCAEnrollProfile
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy userKeyDefaultImpl User Supplied Key Default User Supplied Key Default com.netscape.cms.profile.def.UserKeyDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy freshestCRLExtDefaultImpl Freshest CRL Extension Default Freshest CRL Extension Default com.netscape.cms.profile.def.FreshestCRLExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy authInfoAccessExtDefaultImpl Authority Info Access Extension Default Authority Info Access Extension Default com.netscape.cms.profile.def.AuthInfoAccessExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy nsTokenUserKeySubjectNameDefaultImpl nsTokenUserKeySubjectNameDefault nsTokenUserKeySubjectNameDefaultImpl com.netscape.cms.profile.def.nsTokenUserKeySubjectNameDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy genericExtDefaultImpl Generic Extension Generic Extension com.netscape.cms.profile.def.GenericExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy authorityKeyIdentifierExtDefaultImpl Authority Key Identifier Extension Default Authority Key Identifier Extension Default com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy issuerAltNameExtDefaultImpl Issuer Alternative Name Extension Default Issuer Alternative Name Extension Default com.netscape.cms.profile.def.IssuerAltNameExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy basicConstraintsExtDefaultImpl Basic Constraints Extension Default Basic Constraints Extension Default com.netscape.cms.profile.def.BasicConstraintsExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy keyUsageExtDefaultImpl Key Usage Extension Default Key Usage Extension Default com.netscape.cms.profile.def.KeyUsageExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy ocspNoCheckExtDefaultImpl OCSP No Check Extension Default OCSP No Check Extension Default com.netscape.cms.profile.def.OCSPNoCheckExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy subjectAltNameExtDefaultImpl Subject Alternative Name Extension Default Subject Alternative Name Extension Default com.netscape.cms.profile.def.SubjectAltNameExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
userValidityDefaultImpl User Supplied Validity Default User
Supplied Validity Default com.netscape.cms.profile.def.UserValidityDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
userSubjectNameDefaultImpl User Supplied Subject Name Defaul
t User Supplied Subject Name Default
com.netscape.cms.profile.def.UserSubjectNameDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
subjectDirAttributesExtDefaultImpl Subject Directory Attribu
tes Extension Default Subject Directory Attributes Extension Default
com.netscape.cms.profile.def.SubjectDirAttribute
sExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
certificateVersionDefaultImpl Certificate Version Default Ce
rtificate Version Default com.netscape.cms.profile.def.CertificateVersionDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
extendedKeyUsageExtDefaultImpl Extended Key Usage Extension
Default Extended Key Usage Extension Default
com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
policyConstraintsExtDefaultImpl Policy Constraints Extension
Default Policy Constraints Extension Default
com.netscape.cms.profile.def.PolicyConstraintsExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
crlDistributionPointsExtDefaultImpl CRL Distribution Points
Extension Default CRL Distribution Points Extension Default
com.netscape.cms.profile.def.CRLDistributionPointsExtDefa
ult
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
certificatePoliciesExtDefaultImpl Certificate Policies Exten
sion Default Certificate Policies Extension Default
com.netscape.cms.profile.def.CertificatePoliciesExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
validityDefaultImpl Validity Default Validty Default com.net
scape.cms.profile.def.ValidityDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
privateKeyPeriodExtDefaultImpl Private Key Period Ext Defaul
t Private Key Period Ext Default
com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy noDefaultImpl
No Default No Default com.netscape.cms.profile
.def.NoDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
imageDefaultImpl Image Default Image Default com.netscape.cm
s.profile.def.ImageDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
subjectInfoAccessExtDefaultImpl Subject Info Access Extensio
n Default Subject Info Access Extension Default
com.netscape.cms.profile.def.SubjectInfoAccessExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
autoAssignDefaultImpl Auto Request Assignment Default Auto R
equest Assignment Default com.netscape.cms.profile.def.AutoAssignDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
policyMappingsExtDefaultImpl Policy Mappings Extension Defau
lt Policy Mappings Extension Default
com.netscape.cms.profile.def.PolicyMappingsExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
caValidityDefaultImpl CA Certificate Validity Default CA Cer
tificate Validty Default com.netscape.cms.profile.def.CAValidityDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
userExtensionDefaultImpl User Supplied Extension Default Use
r Supplied Extension Default com.netscape.cms.profile.def.UserExtensionDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
nsCertTypeExtDefaultImpl Netscape Certificate Type Extension
Default Netscape Certificate Type Extension Default
com.netscape.cms.profile.def.NSCertTypeExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
authTokenSubjectNameDefaultImpl Token Supplied Subject Name
Default Token Supplied Subject Name Default
com.netscape.cms.profile.def.AuthTokenSubjectNameDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
subjectNameDefaultImpl Subject Name Default Subject Name Def
ault com.netscape.cms.profile.def.SubjectNameDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
userSigningAlgDefaultImpl User Supplied Signing Alg Default
User Supplied Signing Alg Default
com.netscape.cms.profile.def.UserSigningAlgDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
subjectKeyIdentifierExtDefaultImpl Subject Key Identifier De
fault Subject Key Identifier Default
com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy Extension
Default Inhibit Any-Policy Extension Default
com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
nsTokenDeviceKeySubjectNameDefaultImpl nsTokenDeviceKeySubje
ctNameDefault nsTokenDeviceKeySubjectNameDefaultImpl
com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
nscCommentExtDefaultImpl Netscape Comment Extension Default
Netscape Comment Extension Default
com.netscape.cms.profile.def.NSCCommentExtDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
signingAlgDefaultImpl Signing Algorithm Default Signing Algo
rithm Default com.netscape.cms.profile.def.SigningAlgDefault
[28/Jan/2016:21:09:03][main]: added plugin defaultPolicy
nameConstraintsExtDefaultImpl Name Constraints Extension Def
ault Name Constraints Extension Default
com.netscape.cms.profile.def.NameConstraintsExtDefault
[28/Jan/2016:21:09:03][main]: added plugin profileUpdater
subsystemGroupUpdaterImpl Updater for Subsystem Group Updat
er for Subsystem Group com.netscape.cms.profile.updater.SubsystemGroupUpdater
[28/Jan/2016:21:09:03][main]: CMSEngine: done init id=registry
[28/Jan/2016:21:09:03][main]: CMSEngine: initialized registry
[28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=oidmap
[28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=oidmap
[28/Jan/2016:21:09:03][main]: CMSEngine: done init id=oidmap
[28/Jan/2016:21:09:03][main]: CMSEngine: initialized oidmap
[28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=X500Name
[28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=X500Name
[28/Jan/2016:21:09:03][main]: CMSEngine: done init id=X500Name
[28/Jan/2016:21:09:03][main]: CMSEngine: initialized X500Name
[28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=request
[28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=request
[28/Jan/2016:21:09:03][main]: CMSEngine: done init id=request
[28/Jan/2016:21:09:03][main]: CMSEngine: initialized request
[28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=ca
[28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=ca
[28/Jan/2016:21:09:03][main]: CertificateAuthority init
[28/Jan/2016:21:09:03][main]: Cert Repot inited
[28/Jan/2016:21:09:03][main]: CRL Repot inited
[28/Jan/2016:21:09:03][main]: Replica Repot inited
[28/Jan/2016:21:09:03][main]: ca.signing Signing Unit nickname caSigningCert cert-pki-ca
[28/Jan/2016:21:09:03][main]: Got token Internal Key Storage Token by name
[28/Jan/2016:21:09:03][main]: Found cert by nickname: 'caSigningCert cert-pki-ca' with serial number: 1
[28/Jan/2016:21:09:03][main]: converted to x509CertImpl
[28/Jan/2016:21:09:03][main]: Got private key from cert
[28/Jan/2016:21:09:03][main]: Got public key from cert
[28/Jan/2016:21:09:03][main]: got signing algorithm RSASignatureWithSHA256Digest
[28/Jan/2016:21:09:03][main]: CA signing unit inited
[28/Jan/2016:21:09:03][main]: cachainNum= 0
[28/Jan/2016:21:09:03][main]: in init - got CA chain from JSS.
[28/Jan/2016:21:09:03][main]: ca.ocsp_signing Signing Unit nickname ca.ocsp_signing.cert
[28/Jan/2016:21:09:03][main]: Got token Internal Key Storage Token by name
[28/Jan/2016:21:09:03][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
[28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException
Certificate object not found
at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1204)
at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
at org.apache.catalina.core.StandardService.start(StandardService.java:516)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
[28/Jan/2016:21:09:03][main]: CMSEngine.shutdown()
password store initialized before.
password store initialized.
password store initialized before.
password store initialized.
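The debug log above is the answer to the question asked further down the thread ("What exactly is CMS and why is it not found?"): the CA engine loads the ca.signing unit fine, then tries to load the ca.ocsp_signing unit under the nickname "ca.ocsp_signing.cert", gets ObjectNotFoundException, and calls CMSEngine.shutdown(). Tomcat keeps listening, but the CA web application never comes up, so Apache's proxied requests get "Not Found". The following is an added example, not code from the thread or from FreeIPA/Dogtag: a POSIX sh/awk helper that pulls exactly that information out of a Dogtag CA debug log, listing each signing unit, the certificate nickname the CA looked up for it, and whether the lookup succeeded, then reporting whether the engine shut itself down. The sample log it runs on is constructed from the lines quoted in this thread; the NSS database path /var/lib/pki-ca/alias mentioned in the comments is an assumption about the IPA 2.x pki-ca layout.

```shell
#!/bin/sh
# Added example: triage a Dogtag CA debug log for failed signing-unit init.
# Works with POSIX sh (dash/bash) and a POSIX awk (gawk/mawk/busybox).

# ca_signing_units LOGFILE
# Prints one tab-separated line per signing unit: unit id, nickname, status,
# where status is "ok", "NOT FOUND" or "pending" (init never finished).
ca_signing_units() {
    awk '
        / Signing Unit nickname / {
            # drop the "[date][thread]: " prefix so $1 is the unit id
            sub(/^\[[^]]*\]\[[^]]*\]: /, "")
            unit = $1
            nick = $0
            sub(/^[^ ]+ Signing Unit nickname /, "", nick)
            n++; units[n] = unit; nicks[n] = nick; state[n] = "pending"
            next
        }
        n && state[n] == "pending" && / signing unit inited/ { state[n] = "ok"; next }
        n && state[n] == "pending" && /Certificate object not found/ { state[n] = "NOT FOUND"; next }
        END { for (i = 1; i <= n; i++) printf "%s\t%s\t%s\n", units[i], nicks[i], state[i] }
    ' "$1"
}

# ca_engine_shutdown LOGFILE
# Returns 0 if the engine shut itself down during init (Tomcat is up, every
# CA request answers "Not Found"), 1 if no shutdown was logged.
ca_engine_shutdown() {
    grep -qF 'CMSEngine.shutdown()' "$1"
}

# ca_failed_nicknames LOGFILE
# Prints only the nicknames whose lookup failed. These are the names to compare
# against `certutil -L -d /var/lib/pki-ca/alias` (path assumed): if no
# certificate carries that name, the CA's configuration for that signing unit
# or the certificate itself is the problem, not Apache and not the clock.
ca_failed_nicknames() {
    ca_signing_units "$1" | awk -F '\t' '$3 == "NOT FOUND" { print $2 }'
}

# make_sample_log
# Writes a constructed log modelled on the lines in the thread, prints its path.
make_sample_log() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
[28/Jan/2016:21:09:03][main]: CertificateAuthority init
[28/Jan/2016:21:09:03][main]: ca.signing Signing Unit nickname caSigningCert cert-pki-ca
[28/Jan/2016:21:09:03][main]: Got token Internal Key Storage Token by name
[28/Jan/2016:21:09:03][main]: Found cert by nickname: 'caSigningCert cert-pki-ca' with serial number: 1
[28/Jan/2016:21:09:03][main]: CA signing unit inited
[28/Jan/2016:21:09:03][main]: ca.ocsp_signing Signing Unit nickname ca.ocsp_signing.cert
[28/Jan/2016:21:09:03][main]: Got token Internal Key Storage Token by name
[28/Jan/2016:21:09:03][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
[28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException
Certificate object not found
    at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
[28/Jan/2016:21:09:03][main]: CMSEngine.shutdown()
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: report on the constructed log. Point ca_signing_units at
# /var/log/pki-ca/debug (path taken from the thread) to run it on a real box.
if [ "${CA_TRIAGE_DEMO:-1}" = 1 ]; then
    log=$(make_sample_log)
    ca_signing_units "$log"
    if ca_engine_shutdown "$log"; then
        echo "CA engine shut down during init; failed nickname(s):"
        ca_failed_nicknames "$log"
    fi
    rm -f "$log"
fi
```

On the constructed log the report reads "ca.signing / caSigningCert cert-pki-ca / ok" and "ca.ocsp_signing / ca.ocsp_signing.cert / NOT FOUND", followed by the shutdown notice. The status column is keyed on what the log actually says, so a unit that logs neither "signing unit inited" nor "Certificate object not found" stays "pending", which is the signal to read the lines after its nickname by hand rather than assume it loaded.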
Post by Rob Crittenden
Post by Anthony Cheng
stuck: yes
type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-SAMPLE-NET//pwdfile.txt'
type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=SAMPLE.NET
subject: CN=caer.SAMPLE.net,O=SAMPLE.NET
expires: 2016-01-29 14:09:46 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
On Mon, May 2, 2016 at 5:35 PM Anthony Cheng
On Sat, Apr 30, 2016 at 10:08 AM Rob Crittenden
Post by Anthony Cheng
OK so I made progress on my cert renew issue; I was able to get kinit working so I can follow the rest of the steps here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)

However, after using

ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password

and restarting apache (/sbin/service httpd restart), resubmitting 3 certs (ipa-getcert resubmit -i <ID>) and restarting IPA (resubmit -i <ID>)

Number of certificates and requests being tracked: 8.
status: CA_UNREACHABLE
4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
IPA proxies requests to the CA through Apache. This means that while tomcat started ok it didn't load the dogtag CA application, hence the Not Found.

Check the CA debug and selftest logs to see why it failed to start properly.
[ snip ]
Actually after a reboot that error went away and I just get this error instead "ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates)." from "getcert list"

Result of service ipa restart is interesting since it shows today's time when I already changed date/time/disabled NTP, so somehow the system still knows today's time.

CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
Hard to say. I'd confirm that there is no time syncing service running, ntp or otherwise.
I found out why the time kept changing; it was due to the fact that it has VM tools installed (I didn't configure this box) so it automatically syncs time during bootup.

ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found))

I tried the step http://www.freeipa.org/page/Troubleshooting with

certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt
openssl x509 -text -in /tmp/ra.crt
certutil -A -n ipaCert -d /etc/httpd/alias -t u,u,u -a -i /tmp/ra.crt
service httpd restart

so that I can get rid of one of the CA certs that is expired (kept the 1st one) but still getting the same error.

What exactly is CMS and why is it not found?
-rw-r-----. 1 pkiuser pkiuser 0 Nov 23 14:11 /var/log/pki-ca/selftests.log
INFO: JK: ajp13 listening on /0.0.0.0:9447
Jan 27, 2016 2:45:31 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=1/23config=null
Jan 27, 2016 2:45:31 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 1722 ms
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9180
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9443
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9445
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9444
Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-9446
Jan 27, 2016 2:56:22 PM org.apache.catalina.core.StandardService stop
INFO: Stopping service Catalina
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [Timer-0] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.flush-4] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.rollover-6] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.flush-6] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.rollover-8] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.flush-9] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.rollover-10] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [LDAPConnThread-2 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [LDAPConnThread-3 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [LDAPConnThread-4 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type value of type [java.text.SimpleDateFormat] (value the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type value of type [java.text.SimpleDateFormat] (value the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9180
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9443
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9445
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9444
Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9446
Jan 27, 2016 2:57:36 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9180
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9443
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9445
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9444
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9446
Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 2198 ms
Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.24
Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory ROOT
Jan 27, 2016 2:57:38 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory ca
64-bit osutil library loaded
64-bit osutil library loaded
Certificate object not found
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9180
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9443
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9445
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9444
Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9446
Jan 27, 2016 2:57:40 PM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:9447
Jan 27, 2016 2:57:40 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/40config=null
Jan 27, 2016 2:57:40 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 2592 ms
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectAltNameExtDefaultImpl Subject Alternative Name Extension Default Subject Alternative Name Extension Default com.netscape.cms.profile.def.SubjectAltNameExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userValidityDefaultImpl User Supplied Validity Default User Supplied Validity Default com.netscape.cms.profile.def.UserValidityDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userSubjectNameDefaultImpl User Supplied Subject Name Default User Supplied Subject Name Default com.netscape.cms.profile.def.UserSubjectNameDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectDirAttributesExtDefaultImpl Subject Directory Attributes Extension Default Subject Directory Attributes Extension Default com.netscape.cms.profile.def.SubjectDirAttributesExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy certificateVersionDefaultImpl Certificate Version Default Certificate Version Default com.netscape.cms.profile.def.CertificateVersionDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy extendedKeyUsageExtDefaultImpl Extended Key Usage Extension Default Extended Key Usage Extension Default com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy policyConstraintsExtDefaultImpl Policy Constraints Extension Default Policy Constraints Extension Default com.netscape.cms.profile.def.PolicyConstraintsExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy crlDistributionPointsExtDefaultImpl CRL Distribution Points Extension Default CRL Distribution Points Extension Default com.netscape.cms.profile.def.CRLDistributionPointsExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy certificatePoliciesExtDefaultImpl Certificate Policies Extension Default Certificate Policies Extension Default com.netscape.cms.profile.def.CertificatePoliciesExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy validityDefaultImpl Validity Default Validty Default com.netscape.cms.profile.def.ValidityDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy privateKeyPeriodExtDefaultImpl Private Key Period Ext Default Private Key Period Ext Default com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy noDefaultImpl No Default No Default com.netscape.cms.profile.def.NoDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy imageDefaultImpl Image Default Image Default com.netscape.cms.profile.def.ImageDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectInfoAccessExtDefaultImpl Subject Info Access Extension Default Subject Info Access Extension Default com.netscape.cms.profile.def.SubjectInfoAccessExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy autoAssignDefaultImpl Auto Request Assignment Default Auto Request Assignment Default com.netscape.cms.profile.def.AutoAssignDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy policyMappingsExtDefaultImpl Policy Mappings Extension Default Policy Mappings Extension Default com.netscape.cms.profile.def.PolicyMappingsExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy caValidityDefaultImpl CA Certificate Validity Default CA Certificate Validty Default com.netscape.cms.profile.def.CAValidityDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userExtensionDefaultImpl User Supplied Extension Default User Supplied Extension Default com.netscape.cms.profile.def.UserExtensionDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nsCertTypeExtDefaultImpl Netscape Certificate Type Extension Default Netscape Certificate Type Extension Default com.netscape.cms.profile.def.NSCertTypeExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy authTokenSubjectNameDefaultImpl Token Supplied Subject Name Default Token Supplied Subject Name Default com.netscape.cms.profile.def.AuthTokenSubjectNameDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectNameDefaultImpl Subject Name Default Subject Name Default com.netscape.cms.profile.def.SubjectNameDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userSigningAlgDefaultImpl User Supplied Signing Alg Default User Supplied Signing Alg Default com.netscape.cms.profile.def.UserSigningAlgDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectKeyIdentifierExtDefaultImpl Subject Key Identifier Default Subject Key Identifier Default com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy Extension Default Inhibit Any-Policy Extension Default com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nsTokenDeviceKeySubjectNameDefaultImpl nsTokenDeviceKeySubjectNameDefault nsTokenDeviceKeySubjectNameDefaultImpl com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nscCommentExtDefaultImpl Netscape Comment Extension Default Netscape Comment Extension Default com.netscape.cms.profile.def.NSCCommentExtDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy signingAlgDefaultImpl Signing Algorithm Default Signing Algorithm Default com.netscape.cms.profile.def.SigningAlgDefault
[27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nameConstraintsExtDefaultImpl Name Constraints Extension Default Name Constraints Extension Default com.netscape.cms.profile.def.NameConstraintsExtDefault
[27/Jan/2016:15:30:43][main]: added plugin profileUpdater subsystemGroupUpdaterImpl Updater for Subsystem Group Updater for Subsystem Group com.netscape.cms.profile.updater.SubsystemGroupUpdater
[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=registry
[27/Jan/2016:15:30:43][main]: CMSEngine: initialized registry
[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=oidmap
[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=oidmap
[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=oidmap
[27/Jan/2016:15:30:43][main]: CMSEngine: initialized oidmap
[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=X500Name
[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=X500Name
[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=X500Name
[27/Jan/2016:15:30:43][main]: CMSEngine: initialized X500Name
[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=request
[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=request
[27/Jan/2016:15:30:43][main]: CMSEngine: done init id=request
[27/Jan/2016:15:30:43][main]: CMSEngine: initialized request
[27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=ca
[27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=ca
[27/Jan/2016:15:30:43][main]: CertificateAuthority init
[27/Jan/2016:15:30:43][main]: Cert Repot inited
[27/Jan/2016:15:30:43][main]: CRL Repot inited
[27/Jan/2016:15:30:43][main]: Replica Repot inited
[27/Jan/2016:15:30:43][main]: ca.signing Signing Unit nickname caSigningCert cert-pki-ca
[27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name
[27/Jan/2016:15:30:43][main]: Found cert by nickname: 'caSigningCert cert-pki-ca' with serial number: 1
[27/Jan/2016:15:30:43][main]: converted to x509CertImpl
[27/Jan/2016:15:30:43][main]: Got private key from cert
[27/Jan/2016:15:30:43][main]: Got public key from cert
[27/Jan/2016:15:30:43][main]: got signing algorithm RSASignatureWithSHA256Digest
[27/Jan/2016:15:30:43][main]: CA signing unit inited
[27/Jan/2016:15:30:43][main]: cachainNum= 0
[27/Jan/2016:15:30:43][main]: in init - got CA chain from JSS.
[27/Jan/2016:15:30:43][main]: ca.ocsp_signing Signing Unit nickname ca.ocsp_signing.cert
[27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name
[27/Jan/2016:15:30:43][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
[27/Jan/2016:15:30:43][main]: CMS:Caught EBaseException
Certificate object not found
at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
at
com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1204)
at
com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
at
com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
at
com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
at
com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
at
org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
at
org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
at
org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
at
org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
at
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
at
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
at
org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
at
org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
at
org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
at
org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
at
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
at
org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
at
org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at
org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
at
org.apache.catalina.core.StandardService.start(StandardService.java:516)
at
org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
[27/Jan/2016:15:30:43][main]: CMSEngine.shutdown()
Post by Anthony Cheng
Would really greatly appreciate any help on this.

Also I noticed after I do ldapmodify of usercertificate binary data with

add: usercertificate;binary

You really pasted in binary? Or was this base64-encoded data?

I wonder if there is a problem in the wiki. If this is really a binary
value you should start with a DER-encoded cert and load it using

dn: uid=ipara,ou=people,o=ipaca
changetype: modify
add: usercertificate;binary
usercertificate;binary:< file:///path/to/cert.der

You can use something like openssl x509 to switch between PEM and DER
formats.

I have a vague memory that dogtag can deal with a multi-valued
usercertificate attribute.

rob

ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b uid=ipara,ou=People,o=ipaca -W

shows userCertificate;binary:: GJ6Q0NBbGVnQXd ...

But the actual data is from a PEM though.

Ok. So I looked at my CA data and it doesn't use the binary subtype, so

userCertificate:: MIID....

It might make a difference if dogtag is looking for the subtype or not.

rob

Post by Anthony Cheng
Then I re-run

ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca

I see 2 entries for usercertificate;binary (before modify there was only 1)
but they are duplicate and NOT from data that I added. That seems incorrect
to me.

On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng
Post by Anthony Cheng
klist is actually empty; kinit admin fails. Sounds like then getcert
resubmit has a dependency on Kerberos. I can get a backup image that has a
valid ticket but it is only good for 1 day (and dated past the cert expiry).

Also I had asked awhile back about whether there is dependency on DIRSRV to
renew the cert; didn't get any response but I suspect there is a dependency.

Regarding the clock skew, I found out from /var/log/message that

Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great)
Jan 28 14:10:42 test named[2911]: loading configuration: failure
Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)

I don't have a krb5cc_496 file (since klist is empty), so sounds to me I
need to get a Kerberos ticket before going any further. Also is the file
/etc/krb5.keytab access/modification time important? I had changed time
back to before the cert expiration date and reboot and try renew but the
error message about clock skew is still there. That seems strange.

Lastly, as an absolute last resort, can I regenerate a new cert myself?
https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html

klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
Starting Directory Service
    PKI-IPA...                                                 [  OK  ]
    sample-NET...                                              [  OK  ]
Starting KDC Service                                           [  OK  ]
Starting KPASSWD Service                                       [  OK  ]
Starting DNS Service                                           [FAILED]
Failed to start DNS Service
Shutting down
                                                               [  OK  ]
                                                               [  OK  ]
                                                               [  OK  ]
                                                               [  OK  ]
                                                               [  OK  ]
    PKI-IPA...                                                 [  OK  ]
    sample-NET...                                              [  OK  ]
Aborting ipactl
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
Directory Service: STOPPED
Directory Server is stopped
On Thu, Apr 28, 2016 at 3:21 AM David Kupka
Post by Anthony Cheng
Hi list,

I am trying to renew expired certificates following the manual renewal
procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
but even with resetting the system/hardware clock to a time before
expires, I am getting the error "ca-error: Error setting up ccache for
local "host" service using default keytab: Clock skew too great."

With NTP disabled and clock reset why would it complain about clock skew
and how does it even know about the current time?

Number of certificates and requests being tracked: 8.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
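The ldapmodify/ldapsearch exchange in the message above turns on one question: does the directory hold the certificate's DER bytes, or the text of a PEM file pasted in as the value? The following is an added example for this thread, not FreeIPA, Dogtag or 389-ds code. The reply signed "rob" loads a DER file with `usercertificate;binary:< file://...`; `build_ldif()` below performs the same load with the DER inlined as LDIF base64 (`::`), and `classify_ldap_value()` takes the `::` base64 that ldapsearch prints back and reports whether it decodes to DER or to PEM text. `SAMPLE_DER` is a constructed five-byte DER SEQUENCE standing in for a certificate so the script runs offline; it is not a real certificate, and the DN is the one from the thread.

```python
"""Check what an LDAP userCertificate value really holds, and build LDIF that loads DER.

Added example for this thread; not FreeIPA, Dogtag or 389-ds code.
A PEM file pasted as the attribute value is stored as text, so what
ldapsearch prints after 'userCertificate;binary:: ' is then base64 of base64.
SAMPLE_DER is a constructed stand-in for a certificate, not a real one.
"""
import base64
import re
from typing import Optional

# Constructed stand-in for a DER certificate: SEQUENCE { INTEGER 5 }.
# A real certificate is likewise an outer SEQUENCE (first byte 0x30), only far longer.
SAMPLE_DER = bytes.fromhex("3003020105")

# Constructed PEM armor around SAMPLE_DER, the shape `openssl x509 -outform PEM` writes.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)


def pem_to_der(pem_text: str) -> bytes:
    """Same result as `openssl x509 -inform PEM -outform DER`: drop the armor, base64-decode."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def der_total_length(der: bytes) -> Optional[int]:
    """Length the outer DER SEQUENCE claims for the whole value, or None if it is not a SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short form: the byte is the content length
        return 2 + first
    n = first & 0x7F                      # long form: n following bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def ldif_base64(raw: bytes) -> str:
    """Encode bytes the way ldapsearch prints a non-printable value after 'attr:: '."""
    return base64.b64encode(raw).decode("ascii")


def classify_ldap_value(b64_value: str) -> str:
    """Classify an ldapsearch '::' value as 'DER', 'PEM text' or 'unknown'."""
    raw = base64.b64decode("".join(b64_value.split()))
    if raw.lstrip().startswith(b"-----BEGIN"):
        return "PEM text"                 # the PEM file was stored verbatim instead of decoded
    if der_total_length(raw) == len(raw):
        return "DER"                      # SEQUENCE length covers the value exactly: DER bytes
    return "unknown"


def build_ldif(dn: str, der: bytes, attr: str = "userCertificate;binary") -> str:
    """LDIF modify record adding DER bytes as an inline '::' value.

    LDIF base64 values are folded at 76 columns; continuation lines start with one space.
    """
    if der_total_length(der) != len(der):
        raise ValueError("value is not a single DER SEQUENCE; convert PEM with pem_to_der() first")
    encoded = ldif_base64(der)
    head = f"{attr}:: "
    first_width = 76 - len(head)
    lines = [head + encoded[:first_width]]
    rest = encoded[first_width:]
    lines += [" " + rest[i:i + 75] for i in range(0, len(rest), 75)]
    return "\n".join([f"dn: {dn}", "changetype: modify", f"add: {attr}", *lines]) + "\n"


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print(classify_ldap_value(ldif_base64(der)))                  # DER
    print(classify_ldap_value(ldif_base64(SAMPLE_PEM.encode())))  # PEM text
    print(build_ldif("uid=ipara,ou=people,o=ipaca", der), end="")
```

Feed `classify_ldap_value()` the value ldapsearch prints (joining any continuation lines first); "PEM text" means the directory holds the armored file rather than the certificate, which is the case a CA looking up the cert by its DER bytes cannot use.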
Sumit Bose
2016-04-28 07:23:19 UTC
Post by Anthony Cheng
Hi list,
I am trying to renew expired certificates following the manual renewal
procedure here (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but
even with resetting the system/hardware clock to a time before expires, I
am getting the error "ca-error: Error setting up ccache for local "host"
service using default keytab: Clock skew too great."
This is a Kerberos error message which is not related to the certificate
lifetime. Please try to make sure that client and server use the same
time.

bye,
Sumit
Post by Anthony Cheng
With NTP disabled and clock reset why would it complain about clock skew and
how does it even know about the current time?
Number of certificates and requests being tracked: 8.
status: MONITORING
ca-error: Error setting up ccache for local "host" service using
default keytab: Clock skew too great.
stuck: no
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt'
type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:46 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
status: MONITORING
ca-error: Error setting up ccache for local "host" service using
default keytab: Clock skew too great.
stuck: no
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:45 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
status: MONITORING
ca-error: Error setting up ccache for local "host" service using
default keytab: Clock skew too great.
stuck: no
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2016-01-29 14:09:45 UTC
eku: id-kp-serverAuth
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "
http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true
".
stuck: yes
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664
'
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=CA Audit,O=sample.NET
expires: 2017-10-13 14:10:49 UTC
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "
http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true
".
stuck: yes
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664
'
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=OCSP Subsystem,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "
http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true
".
stuck: yes
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664
'
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=CA Subsystem,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
status: MONITORING
ca-error: Internal error: no response to "
http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true
".
stuck: no
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=RA Subsystem,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
status: NEED_CSR_GEN_PIN
ca-error: Internal error: no response to "
http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true
".
stuck: yes
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='297100916664
'
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=sample.NET
subject: CN=test.sample.net,O=sample.NET
expires: 2017-10-13 14:09:49 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
track: yes
--
Thanks, Anthony
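Sumit's reply points at the real check behind the error: Kerberos compares the timestamp in a peer's message with the verifying party's own clock, and the certificate dates the clock was wound back for never enter into it. The following is an added example for this thread, not FreeIPA, MIT krb5 or certmonger code. `within_skew()` applies that rule with the MIT krb5 default of 300 seconds for `clockskew`, and `find_skew_errors()` pulls "Clock skew too great" failures out of syslog-style lines so the affected processes on a host can be listed. `SAMPLE_LOG` is constructed: the three named lines quoted in the thread plus a certmonger line and an unrelated sshd line added here, and the timestamps in the worked check are constructed values.

```python
"""Triage helpers for 'Clock skew too great' (KRB_AP_ERR_SKEW) as seen in this thread.

Added example for this thread; not FreeIPA, MIT krb5 or certmonger code.
The KDC, and any service verifying an authenticator, rejects a message whose
timestamp differs from its own clock by more than 'clockskew' seconds
(300 by default in MIT krb5 [libdefaults]). SAMPLE_LOG is constructed.
"""
import re
from datetime import datetime, timezone
from typing import Iterable, List, Tuple

DEFAULT_CLOCKSKEW = 300  # seconds; MIT krb5 [libdefaults] clockskew default


def parse_utc(stamp: str) -> datetime:
    """Parse 'YYYY-MM-DDTHH:MM:SS' as UTC so both clocks are compared in one zone."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def within_skew(client_time: datetime, kdc_time: datetime,
                clockskew: int = DEFAULT_CLOCKSKEW) -> bool:
    """True when the two clocks differ by at most `clockskew` seconds.

    The check is symmetric: a client wound back months is rejected exactly
    like one running ahead, and nothing about a certificate enters into it.
    """
    return abs((client_time - kdc_time).total_seconds()) <= clockskew


# Shape: "Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great)"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[ ]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Constructed sample: three lines quoted in the thread, one certmonger line and
# one unrelated sshd line added here.
SAMPLE_LOG = """\
Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great)
Jan 28 14:10:42 test named[2911]: loading configuration: failure
Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
Jan 28 14:10:43 test certmonger[1820]: Error setting up ccache for local "host" service using default keytab: Clock skew too great.
Jan 28 14:10:44 test sshd[2950]: Accepted publickey for admin from 192.0.2.10 port 51234 ssh2
"""


def find_skew_errors(lines: Iterable[str]) -> List[Tuple[str, str, int]]:
    """(timestamp, process, pid) for every line that reports a Kerberos clock-skew failure."""
    hits = []
    for line in lines:
        m = SYSLOG_RE.match(line.rstrip("\n"))
        if m and "Clock skew too great" in m.group("msg"):
            hits.append((m.group("ts"), m.group("proc"), int(m.group("pid"))))
    return hits


def affected_processes(lines: Iterable[str]) -> List[str]:
    """Distinct process names that hit the error, in first-seen order."""
    seen: List[str] = []
    for _, proc, _ in find_skew_errors(list(lines)):
        if proc not in seen:
            seen.append(proc)
    return seen


if __name__ == "__main__":
    # Constructed worked check: a client wound back to 2016-01-28 against a KDC at 2016-04-28.
    client = parse_utc("2016-01-28T14:10:42")
    kdc = parse_utc("2016-04-28T09:20:00")
    print("within clockskew:", within_skew(client, kdc))   # False: months apart
    print("skew errors:", find_skew_errors(SAMPLE_LOG.splitlines()))
    print("processes:", affected_processes(SAMPLE_LOG.splitlines()))
```

Run over a host's real syslog, `affected_processes()` shows how far the skew reaches (named and certmonger here, not just the one command that was being watched); the fix is the one Sumit gives, bringing client and server onto the same time, not moving either clock to suit a certificate.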