On 10/23/18 5:24 AM, None via FreeIPA-users wrote:
Hi Flo, the journalctl reports that request is rejected, error 2.
dogtag-ipa-ca-renew-agent-submit[29544]: Forwarding request to dogtag-ipa-renew-agent
dogtag-ipa-renew-agent-submit[29558]: GET http://ca-ldap01.:8080/ca/ee/ca/profileSubmit?profil
dogtag-ipa-renew-agent-submit[29558]: <html><head><title>Apache Tomcat/7.0.69 - Error report</title><style>
dogtag-ipa-ca-renew-agent-submit[29544]: dogtag-ipa-renew-agent returned 2
Hi,
PKI debug log may contain more information explaining why the request
was rejected (/var/log/pki/pki-tomcat/ca/debug). You can also increase
the debug level to get more information: edit (or create)
/etc/ipa/server.conf and add the following:
[global]
debug=True
Then modify the certmonger helper that is used to renew the PKI
certificates to increase verbosity:
$ getcert modify-ca -c dogtag-ipa-ca-renew-agent -e '/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit -vv'
(this simply adds -vv to the command executed by certmonger to renew the
cert). The helper will log information in /var/log/ipa/renew.log.
HTH,
flo
I can't find a common date where all the certificates are valid, since
"ocspSigningCert cert-pki-ca" is not valid before today.
# certutil -L -d /etc/pki/pki-tomcat/alias -n "auditSigningCert cert-pki-ca" | egrep "Not Before|After"
Not Before: Wed Aug 24 20:49:38 2016
Not After : Tue Aug 14 20:49:38 2018
# certutil -L -d /etc/pki/pki-tomcat/alias -n "ocspSigningCert cert-pki-ca" | egrep "Not Before|After"
Not Before: Mon Oct 22 20:15:53 2018
Not After : Sun Oct 11 20:15:53 2020
# certutil -L -d /etc/pki/pki-tomcat/alias -n "subsystemCert cert-pki-ca" | egrep "Not Before|After"
Not Before: Wed Aug 24 20:49:36 2016
Not After : Tue Aug 14 20:49:36 2018
# certutil -L -d /etc/pki/pki-tomcat/alias -n "caSigningCert cert-pki-ca" | egrep "Not Before|After"
Not Before: Mon Oct 22 18:15:48 2018
Not After : Fri Oct 22 18:15:48 2038
# certutil -L -d /etc/httpd/alias -n "ipaCert" | egrep "Not Before|After"
Not Before: Wed Aug 24 20:50:00 2016
Not After : Tue Aug 14 20:50:00 2018
# certutil -L -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" | egrep "Not Before|After"
Not Before: Wed Jul 18 01:47:45 2018
Not After : Tue Jul 07 01:47:45 2020
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
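
Added example, not part of the original thread or of FreeIPA: a small Python check that intersects the validity periods printed by certutil to see whether any single date falls inside all of them. The function names and the SAMPLE dictionary are assumptions made for illustration; the dates in SAMPLE are the ones quoted in the message above.

```python
import re
from datetime import datetime

FMT = "%a %b %d %H:%M:%S %Y"  # date layout shown in the certutil output above
LINE = re.compile(r"Not (Before|After)\s*:\s*(.+)")

def parse_validity(text):
    """Return (not_before, not_after) parsed from certutil -L output text."""
    found = {kind: datetime.strptime(value.strip(), FMT)
             for kind, value in LINE.findall(text)}
    return found["Before"], found["After"]

def common_window(outputs):
    """Intersect all validity periods.

    Returns (start, end, start_nick, end_nick): the latest Not Before, the
    earliest Not After, and the nicknames that set each bound. A date on
    which every certificate is valid exists only when start <= end.
    """
    windows = {nick: parse_validity(text) for nick, text in outputs.items()}
    start_nick = max(windows, key=lambda n: windows[n][0])
    end_nick = min(windows, key=lambda n: windows[n][1])
    return windows[start_nick][0], windows[end_nick][1], start_nick, end_nick

# Sample input: nickname -> validity lines as quoted in the message above.
SAMPLE = {
    "auditSigningCert cert-pki-ca":
        "Not Before: Wed Aug 24 20:49:38 2016\nNot After : Tue Aug 14 20:49:38 2018",
    "ocspSigningCert cert-pki-ca":
        "Not Before: Mon Oct 22 20:15:53 2018\nNot After : Sun Oct 11 20:15:53 2020",
    "subsystemCert cert-pki-ca":
        "Not Before: Wed Aug 24 20:49:36 2016\nNot After : Tue Aug 14 20:49:36 2018",
    "caSigningCert cert-pki-ca":
        "Not Before: Mon Oct 22 18:15:48 2018\nNot After : Fri Oct 22 18:15:48 2038",
    "ipaCert":
        "Not Before: Wed Aug 24 20:50:00 2016\nNot After : Tue Aug 14 20:50:00 2018",
    "Server-Cert cert-pki-ca":
        "Not Before: Wed Jul 18 01:47:45 2018\nNot After : Tue Jul 07 01:47:45 2020",
}

if __name__ == "__main__":
    start, end, start_nick, end_nick = common_window(SAMPLE)
    if start <= end:
        print(f"all certificates valid from {start} to {end}")
    else:
        print(f"no common date: {start_nick} starts {start}, "
              f"but {end_nick} already expired {end}")
```
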