Rob,

Thank you. So it looks like what I shared as the current config is actually what was there when the snapshot was taken. The changes outlined in that post were made on a machine which has since been deleted. So what I am saying is that the config I shared does not include any of the changes my co-worker had made. When I make the changes to match what Florence shared as a default config and attempt to renew the certs, I am now getting the following error:

ca-error: Server at https://<HOSTNAME>/ipa/xml failed request, will retry: 4016 (RPC failed at server. Failed to authenticate to CA REST API).

How can I make sure that the credentials that are attempting to be used are valid for this operation?

Many thanks,

Evan

On Fri, Sep 15, 2023 at 10:25 AM Rob Crittenden <rcrit...@redhat.com> wrote:
> IT Guy wrote:
> > OK just one more thing to add, I had run across this link during troubleshooting and it seems that my co-worker had updated some of the lines in this configuration according to the steps outlined in this forum post: https://pagure.io/freeipa/issue/7267
> >
> > However I can say that this was a last ditch effort to try and get the renewals working, we had already been troubleshooting for 3+ days at the point that this was changed.
>
> Looks like this was not correctly applied: "Especially note the replacement of occurrences of $$ with $."
>
> Your profile has $$ and it should be $, according to Fraser.
>
> rob
>
> > On Fri, Sep 15, 2023 at 9:58 AM IT Guy <underqualifiedit...@gmail.com> wrote:
> >
> > > Wow that worked Rob, thank you! If I compare the values that Florence sent to what I have in this file, the only difference is this line:
> > >
> > > policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
> > >
> > > Here's the full snippet for reference:
> > >
> > > policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
> > > policyset.serverCertSet.1.constraint.name=Subject Name Constraint
> > > policyset.serverCertSet.1.constraint.params.accept=true
> > > policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
> > > policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
> > > policyset.serverCertSet.1.default.name=Subject Name Default
> > > policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
> > >
> > > One other thing I wanted to call out is that I have a good snapshot of this server that I have restored a couple of times to try different things and the one that got me the farthest was when I changed the name of the cert from our custom name back to Server-Cert. Even when I had the config this way I still could not renew but maybe modifying something in the above config plus changing back to Server-Cert could alleviate the issue?
> > >
> > > Many thanks,
> > >
> > > Evan
> > >
> > > On Fri, Sep 15, 2023 at 9:47 AM Rob Crittenden <rcrit...@redhat.com> wrote:
> > >
> > > > IT Guy via FreeIPA-users wrote:
> > > > > Hi Florence,
> > > > >
> > > > > Thank you for your response. What does it mean if I run the ipa certprofile-show command as outlined above and it just hangs? I don't think there is any other way to see the settings you mentioned unless this command is able to run right?
> > > >
> > > > I can't explain why it would hang but you can get the profile directly from LDAP:
> > > >
> > > > $ ldapsearch -LLL -o ldif-wrap=no -x -D 'cn=directory manager' -W -b cn=caIPAserviceCert,ou=certificateProfiles,ou=ca,o=ipaca certProfileConfig > /tmp/profile
> > > >
> > > > Edit this file and remove the dn value and 'certProfileConfig:: ' then base64-decode the result.
> > > >
> > > > The final really huge string should look something like:
> > > >
> > > > YXV0aC5pbnN0YW5jZV9pZ...=
> > > >
> > > > I used the coreutils base64 program to decode it:
> > > >
> > > > $ base64 -d /tmp/profile
> > > >
> > > > rob
> > > >
> > > > > Many thanks,
> > > > >
> > > > > Evan
> > > > >
> > > > > On Fri, Sep 15, 2023 at 3:19 AM Florence Blanc-Renaud <f...@redhat.com> wrote:
> > > > >
> > > > > > Hi,
> > > > > > it seems that PKI is not happy with the subject name of the certificates.
> > > > > > The failing certs are for KDC, dirsrv and httpd and they all use the same subject name constraint in their profile.
> > > > > >
> > > > > > 1. Was any certificate profile modified (caIPAserviceCert or KDCs_PKINIT_Certs)? You can use
> > > > > > ipa certprofile-show <name> --out /dev/stdout
> > > > > > And then check the part related to Subject Name Constraint. In my default installation, I have
> > > > > >
> > > > > > policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
> > > > > > policyset.serverCertSet.1.constraint.name=Subject Name Constraint
> > > > > > policyset.serverCertSet.1.constraint.params.accept=true
> > > > > > policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
> > > > > > policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
> > > > > > policyset.serverCertSet.1.default.name=Subject Name Default
> > > > > > policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=IPA.TEST
> > > > > >
> > > > > > which means that the subject name should match CN= followed by (anything except a comma) multiple times then a comma and any char multiple times.
> > > > > >
> > > > > > 2. If the profile wasn't changed, can you check in /var/log/pki/pki-tomcat/ca/debug.$DATE.log the received certificate request? Does its subject match the pattern? The error message java.lang.StringIndexOutOfBoundsException: String index out of range: -1 hints that an expected pattern was not found.
> > > > > >
> > > > > > flo
> > > > > >
> > > > > > On Thu, Sep 14, 2023 at 4:11 PM Evan G via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> > > > > >
> > > > > > > Hi Rob,
> > > > > > >
> > > > > > > When we start tomcat with the date rolled back, we are not seeing any errors at all. All of the ipa services start up without issue. The problem is in actually renewing the certs, when we do so we have seen many different errors as we've been troubleshooting -- mostly this one: `ca-error: Server at https://<HOSTNAME>/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. String index out of range: -1).[02/Aug/2023:00:00:31][ajp-bio-127.0.0.1-8009-exec-2]: EnrollProfile: populate: begins`
> > > > > > >
> > > > > > > When I restart certmonger after all services up, these are the errors that I am seeing in the tomcat debug logs:
> > > > > > > ```
> > > > > > > [02/Aug/2023:00:00:31][ajp-bio-127.0.0.1-8009-exec-2]: BasicProfile: populate: policy setid =serverCertSet
> > > > > > > [02/Aug/2023:00:00:31][ajp-bio-127.0.0.1-8009-exec-2]: EnrollDefault: populate: SubjectNameDefault: start
> > > > > > > java.lang.StringIndexOutOfBoundsException: String index out of range: -1
> > > > > > >     at java.lang.String.substring(String.java:1967)
> > > > > > >     at com.netscape.certsrv.pattern.Pattern.substitute2(Pattern.java:132)
> > > > > > >     at com.netscape.cms.profile.def.EnrollDefault.mapPattern(EnrollDefault.java:815)
> > > > > > >     at com.netscape.cms.profile.def.SubjectNameDefault.populate(SubjectNameDefault.java:160)
> > > > > > >     at com.netscape.cms.profile.def.EnrollDefault.populate(EnrollDefault.java:226)
> > > > > > >     at com.netscape.cms.profile.common.BasicProfile.populate(BasicProfile.java:1114)
> > > > > > >     at com.netscape.cms.profile.common.EnrollProfile.populate(EnrollProfile.java:2626)
> > > > > > >     at com.netscape.cms.servlet.cert.CertProcessor.populateRequests(CertProcessor.java:379)
> > > > > > >     at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:188)
> > > > > > >     at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:96)
> > > > > > >     at com.netscape.cms.servlet.cert.CertRequestDAO.submitRequest(CertRequestDAO.java:197)
> > > > > > >     at org.dogtagpki.server.ca.rest.CertRequestService.enrollCert(CertRequestService.java:155)
> > > > > > >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > > > > >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > > > > > >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > > > > >     at java.lang.reflect.Method.invoke(Method.java:498)
> > > > > > >     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
> > > > > > >     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280)
> > > > > > >     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234)
> > > > > > >     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:221)
> > > > > > >     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
> > > > > > >     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
> > > > > > >     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
> > > > > > >     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> > > > > > >     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> > > > > > >     at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
> > > > > > >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > > > > >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > > > > > >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > > > > >     at java.lang.reflect.Method.invoke(Method.java:498)
> > > > > > >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
> > > > > > >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
> > > > > > >     at java.security.AccessController.doPrivileged(Native Method)
> > > > > > >     at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> > > > > > >     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
> > > > > > >     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
> > > > > > >     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
> > > > > > >     at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
> > > > > > >     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
> > > > > > >     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
> > > > > > >     at java.security.AccessController.doPrivileged(Native Method)
> > > > > > >     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
> > > > > > >     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
> > > > > > >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > > > > >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > > > > > >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > > > > >     at java.lang.reflect.Method.invoke(Method.java:498)
> > > > > > >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
> > > > > > >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
> > > > > > >     at java.security.AccessController.doPrivileged(Native Method)
> > > > > > >     at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> > > > > > >     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
> > > > > > >     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
> > > > > > >     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
> > > > > > >     at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
> > > > > > >     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
> > > > > > >     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
> > > > > > >     at java.security.AccessController.doPrivileged(Native Method)
> > > > > > >     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
> > > > > > >     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
> > > > > > >     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
> > > > > > >     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:498)
> > > > > > >     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
> > > > > > >     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
> > > > > > >     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
> > > > > > >     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
> > > > > > >     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
> > > > > > >     at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190)
> > > > > > >     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
> > > > > > >     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
> > > > > > >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> > > > > > >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> > > > > > >     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> > > > > > >     at java.lang.Thread.run(Thread.java:750)
> > > > > > > ```
> > > > > > >
> > > > > > > This is what we see when we run `getcert list` and `ipa-getcert list` respectively:
> > > > > > >
> > > > > > > ```
> > > > > > > Number of certificates and requests being tracked: 9.
> > > > > > > Request ID '20190920201259':
> > > > > > >     status: CA_UNREACHABLE
> > > > > > >     ca-error: Server at https://<HOSTNAME>/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. String index out of range: -1).
> > > > > > >     stuck: no
> > > > > > >     key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
> > > > > > >     certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
> > > > > > >     CA: IPA
> > > > > > >     issuer: CN=Certificate Authority,O=<OU>
> > > > > > >     subject: CN=<HOSTNAME>,O=<OU>
> > > > > > >     expires: 2023-08-25 18:05:07 UTC
> > > > > > >     principal name: krbtgt/<OU>@<OU>
> > > > > > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > > > > >     eku: id-kp-serverAuth,id-pkinit-KPKdc
> > > > > > >     pre-save command:
> > > > > > >     post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
> > > > > > >     track: yes
> > > > > > >     auto-renew: yes
> > > > > > > Request ID '20210908000050':
> > > > > > >     status: MONITORING
> > > > > > >     stuck: no
> > > > > > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set
> > > > > > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
> > > > > > >     CA: dogtag-ipa-ca-renew-agent
> > > > > > >     issuer: CN=Certificate Authority,O=<OU>
> > > > > > >     subject: CN=CA Audit,O=<OU>
> > > > > > >     expires: 2025-07-21 02:36:57 UTC
> > > > > > >     key usage: digitalSignature,keyEncipherment,dataEncipherment
> > > > > > >     eku: id-kp-serverAuth,id-kp-clientAuth
> > > > > > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> > > > > > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
> > > > > > >     track: yes
> > > > > > >     auto-renew: yes
> > > > > > > Request ID '20210908000051':
> > > > > > >     status: MONITORING
> > > > > > >     stuck: no
> > > > > > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set
> > > > > > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
> > > > > > >     CA: dogtag-ipa-ca-renew-agent
> > > > > > >     issuer: CN=Certificate Authority,O=<OU>
> > > > > > >     subject: CN=OCSP Subsystem,O=<OU>
> > > > > > >     expires: 2025-07-21 02:36:17 UTC
> > > > > > >     key usage: digitalSignature,keyEncipherment,dataEncipherment
> > > > > > >     eku: id-kp-serverAuth,id-kp-clientAuth
> > > > > > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> > > > > > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
> > > > > > >     track: yes
> > > > > > >     auto-renew: yes
> > > > > > > Request ID '20210908000052':
> > > > > > >     status: MONITORING
> > > > > > >     stuck: no
> > > > > > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set
> > > > > > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
> > > > > > >     CA: dogtag-ipa-ca-renew-agent
> > > > > > >     issuer: CN=Certificate Authority,O=<OU>
> > > > > > >     subject: CN=CA Subsystem,O=<OU>
> > > > > > >     expires: 2025-07-21 02:37:17 UTC
> > > > > > >     key usage: digitalSignature,keyEncipherment,dataEncipherment
> > > > > > >     eku: id-kp-serverAuth,id-kp-clientAuth
> > > > > > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> > > > > > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> > > > > > >     track: yes
> > > > > > >     auto-renew: yes
> > > > > > > Request ID '20210908000053':
> > > > > > >     status: MONITORING
> > > > > > >     stuck: no
> > > > > > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set
> > > > > > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
> > > > > > >     CA: dogtag-ipa-ca-renew-agent
> > > > > > >     issuer: CN=Certificate Authority,O=<OU>
> > > > > > >     subject: CN=Certificate Authority,O=<OU>
> > > > > > >     expires: 2039-09-20 20:11:25 UTC
> > > > > > >     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
> > > > > > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> > > > > > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
> > > > > > >     track: yes
> > > > > > >     auto-renew: yes
> > > > > > > Request ID '20210908000054':
> > > > > > >     status: MONITORING
> > > > > > >     stuck: no
> > > > > > >     key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
> > > > > > >     certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
> > > > > > >     CA: dogtag-ipa-ca-renew-agent
> > > > > > >     issuer: CN=Certificate Authority,O=<OU>
> > > > > > >     subject: CN=IPA RA,O=<OU>
> > > > > > >     expires: 2025-06-26 02:36:15 UTC
> > > > > > >     key usage: digitalSignature,keyEncipherment,dataEncipherment
> > > > > > >     eku: id-kp-serverAuth,id-kp-clientAuth
> > > > > > >     pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
> > > > > > >     post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
> > > > > > >     track: yes
> > > > > > >     auto-renew: yes
> > > > > > > Request ID '20210908000055':
> > > > > > >     status: MONITORING
> > > > > > >     stuck: no
> > > > > > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set
> > > > > > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
> > > > > > >     CA: dogtag-ipa-ca-renew-agent
> > > > > > >     issuer: CN=Certificate Authority,O=<OU>
> > > > > > >     subject: CN=<HOSTNAME>,O=<OU>
> > > > > > >     expires: 2025-07-21 02:36:37 UTC
> > > > > > >     dns: <HOSTNAME>
> > > > > > >     key usage: digitalSignature,keyEncipherment,dataEncipherment
> > > > > > >     eku: id-kp-serverAuth,id-kp-clientAuth
> > > > > > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> > > > > > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
> > > > > > >     track: yes
> > > > > > >     auto-renew: yes
> > > > > > > Request ID '20210908000056':
> > > > > > >     status: CA_UNREACHABLE
> > > > > > >     ca-error: Server at https://<HOSTNAME>/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. String index out of range: -1).
> > > > > > >     stuck: no
> > > > > > >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-<OU>',nickname='CN=<HOSTNAME>,O=<OU>',token='NSS FIPS 140-2 Certificate DB',pinfile='/etc/dirsrv/slapd-<OU>/pwdfile.txt'
> > > > > > >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-<OU>',nickname='CN=<HOSTNAME>,O=<OU>',token='NSS FIPS 140-2 Certificate DB'
> > > > > > >     CA: IPA
> > > > > > >     issuer: CN=Certificate Authority,O=<OU>
> > > > > > >     subject: CN=<HOSTNAME>,O=<OU>
> > > > > > >     expires: 2023-09-03 18:30:48 UTC
> > > > > > >     dns: <HOSTNAME>
> > > > > > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > > > > >     eku: id-kp-serverAuth,id-kp-clientAuth
> > > > > > >     pre-save command:
> > > > > > >     post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv <OU>
> > > > > > >     track: yes
> > > > > > >     auto-renew: yes
> > > > > > > Request ID '20210908000057':
> > > > > > >     status: CA_UNREACHABLE
> > > > > > >     ca-error: Server at https://<HOSTNAME>/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. String index out of range: -1).
> > > > > > >     stuck: no
> > > > > > >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='CN=<HOSTNAME>,O=<OU>',token='NSS FIPS 140-2 Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > > > > >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='CN=<HOSTNAME>,O=<OU>',token='NSS FIPS 140-2 Certificate DB'
> > > > > > >     CA: IPA
> > > > > > >     issuer: CN=Certificate Authority,O=<OU>
> > > > > > >     subject: CN=<HOSTNAME>,O=<OU>
> > > > > > >     expires: 2023-09-03 18:30:48 UTC
> > > > > > >     dns: <HOSTNAME>
> > > > > > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > > > > >     eku: id-kp-serverAuth,id-kp-clientAuth
> > > > > > >     pre-save command:
> > > > > > >     post-save command: /usr/libexec/ipa/certmonger/restart_httpd
> > > > > > >     track: yes
> > > > > > >     auto-renew: yes
> > > > > > > ```
> > > > > > >
> > > > > > > ```
> > > > > > > Number of certificates and requests being tracked: 9.
> > > > > > > Request ID '20190920201259':
> > > > > > >     status: CA_UNREACHABLE
> > > > > > >     ca-error: Server at https://<HOSTNAME>/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. String index out of range: -1).
> > > > > > >     stuck: no
> > > > > > >     key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
> > > > > > >     certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
> > > > > > >     CA: IPA
> > > > > > >     issuer: CN=Certificate Authority,O=<OU>
> > > > > > >     subject: CN=<HOSTNAME>,O=<OU>
> > > > > > >     expires: 2023-08-25 18:05:07 UTC
> > > > > > >     principal name: krbtgt/<OU>@<OU>
> > > > > > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > > > > >     eku: id-kp-serverAuth,id-pkinit-KPKdc
> > > > > > >     pre-save command:
> > > > > > >     post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
> > > > > > >     track: yes
> > > > > > >     auto-renew: yes
> > > > > > > Request ID '20210908000056':
> > > > > > >     status: CA_UNREACHABLE
> > > > > > >     ca-error: Server at https://<HOSTNAME>/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. String index out of range: -1).
> > > > > > >     stuck: no
> > > > > > >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-<OU>',nickname='CN=<HOSTNAME>,O=<OU>',token='NSS FIPS 140-2 Certificate DB',pinfile='/etc/dirsrv/slapd-<OU>/pwdfile.txt'
> > > > > > >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-<OU>',nickname='CN=<HOSTNAME>,O=<OU>',token='NSS FIPS 140-2 Certificate DB'
> > > > > > >     CA: IPA
> > > > > > >     issuer: CN=Certificate Authority,O=<OU>
> > > > > > >     subject: CN=<HOSTNAME>,O=<OU>
> > > > > > >     expires: 2023-09-03 18:30:48 UTC
> > > > > > >     dns: <HOSTNAME>
> > > > > > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > > > > >     eku: id-kp-serverAuth,id-kp-clientAuth
> > > > > > >     pre-save command:
> > > > > > >     post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv <OU>
> > > > > > >     track: yes
> > > > > > >     auto-renew: yes
> > > > > > > Request ID '20210908000057':
> > > > > > >     status: CA_UNREACHABLE
> > > > > > >     ca-error: Server at https://<HOSTNAME>/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. String index out of range: -1).
> > > > > > >     stuck: no
> > > > > > >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='CN=<HOSTNAME>,O=<OU>',token='NSS FIPS 140-2 Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > > > > >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='CN=<HOSTNAME>,O=<OU>',token='NSS FIPS 140-2 Certificate DB'
> > > > > > >     CA: IPA
> > > > > > >     issuer: CN=Certificate Authority,O=<OU>
> > > > > > >     subject: CN=<HOSTNAME>,O=<OU>
> > > > > > >     expires: 2023-09-03 18:30:48 UTC
> > > > > > >     dns: <HOSTNAME>
> > > > > > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > > > > >     eku: id-kp-serverAuth,id-kp-clientAuth
> > > > > > >     pre-save command:
> > > > > > >     post-save command: /usr/libexec/ipa/certmonger/restart_httpd
> > > > > > >     track: yes
> > > > > > >     auto-renew: yes
> > > > > > > ```

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
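Rob's recipe for pulling the profile out of LDAP and decoding it, his `$$` versus `$` diagnosis, and Florence's reading of the Subject Name Constraint pattern, carried out in one added Python example that is not code from the thread, from FreeIPA or from Dogtag. The LDIF record is constructed here to stand in for Rob's /tmp/profile (folded the way ldapsearch prints it without -o ldif-wrap=no), the `$$` detection and collapse are written for this illustration, and Python's re module stands in for the Java regex engine Dogtag applies to the pattern.

```python
import base64
import re

# Constructed stand-in for the caIPAserviceCert profile as Evan pasted it
# (Subject Name Constraint/Default section only, $$ tokens included).
BROKEN_PROFILE = "\n".join([
    "policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl",
    "policyset.serverCertSet.1.constraint.name=Subject Name Constraint",
    "policyset.serverCertSet.1.constraint.params.accept=true",
    "policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+",
    "policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl",
    "policyset.serverCertSet.1.default.name=Subject Name Default",
    "policyset.serverCertSet.1.default.params.name="
    "CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O",
]) + "\n"

PROFILE_DN = "cn=caIPAserviceCert,ou=certificateProfiles,ou=ca,o=ipaca"
ATTR = "certProfileConfig:: "   # '::' marks a base64-encoded LDIF value


def make_ldif(dn, profile, width=76):
    """Constructed ldapsearch-style LDIF record for the profile. Without
    -o ldif-wrap=no, ldapsearch folds long values at 76 columns and marks
    continuation lines with one leading space, so that is reproduced here."""
    line = ATTR + base64.b64encode(profile.encode()).decode()
    head, rest = line[:width], line[width:]
    folded = [head] + [" " + rest[i:i + width - 1]
                       for i in range(0, len(rest), width - 1)]
    return "dn: " + dn + "\n" + "\n".join(folded) + "\n"


def decode_profile(ldif):
    """The manual steps from the thread: drop the dn line, strip the
    'certProfileConfig:: ' prefix, base64-decode, and split the resulting
    key=value lines into a dict. Folded continuation lines are re-joined
    first so the same code also works on output made without ldif-wrap=no."""
    unfolded = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    encoded = [ln[len(ATTR):] for ln in unfolded if ln.startswith(ATTR)]
    if not encoded:
        raise ValueError("no base64 certProfileConfig value in LDIF")
    text = base64.b64decode(encoded[0]).decode()
    profile = {}
    for ln in text.splitlines():
        if "=" in ln and not ln.startswith("#"):
            key, value = ln.split("=", 1)
            profile[key.strip()] = value
    return profile


DOUBLED = re.compile(r"\$\$[^$]+\$\$")


def doubled_tokens(profile):
    """Keys whose value still carries $$token$$ substitutions, the leftover
    Rob pointed at (the pagure issue calls for single-$ tokens)."""
    return sorted(k for k, v in profile.items() if DOUBLED.search(v))


def fix_doubled_tokens(profile):
    """Return a copy with every $$ collapsed to $; nothing else is touched."""
    return {k: v.replace("$$", "$") for k, v in profile.items()}


def subject_allowed(profile, subject_dn):
    """Apply the Subject Name Constraint pattern as Florence reads it: the
    regex has to match the whole subject DN. Python's re stands in for the
    Java regex engine Dogtag uses; for this pattern the two agree."""
    pattern = profile["policyset.serverCertSet.1.constraint.params.pattern"]
    return re.fullmatch(pattern, subject_dn) is not None


if __name__ == "__main__":
    prof = decode_profile(make_ldif(PROFILE_DN, BROKEN_PROFILE))
    for key in doubled_tokens(prof):
        print("doubled token in", key, "->", prof[key])
    fixed = fix_doubled_tokens(prof)
    print("fixed:", fixed["policyset.serverCertSet.1.default.params.name"])
    # Constructed subjects: only the first has the O= part the pattern needs.
    for subj in ("CN=ipa.example.test,O=EXAMPLE.TEST", "CN=ipa.example.test"):
        print(subj, "accepted" if subject_allowed(prof, subj) else "rejected")
```

Pointing `decode_profile` at the real /tmp/profile written by Rob's ldapsearch command gives the same dict, and a profile with a non-empty `doubled_tokens` result is one where the issue 7267 edit was not fully applied.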