Thanks for the update, Rob. I went back to Jan 20, 2016, and restarted CA and certmonger. Looks like certificates were renewed. But I'm getting a different error now:
    ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".

[root@caer ~]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20111214223243':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2016-07-18 15:54:36 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20111214223300':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2016-07-18 15:54:52 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20111214223316':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2016-07-18 15:55:04 UTC
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130519130741':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=CA Audit,O=TELOIP.NET
        expires: 2017-10-13 14:10:49 UTC
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130742':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=OCSP Subsystem,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-OCSPSigning
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130743':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=CA Subsystem,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130744':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=RA Subsystem,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20130519130745':
        status: MONITORING
        ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=TELOIP.NET
        subject: CN=caer.teloip.net,O=TELOIP.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv " TELOIP.NET"
        track: yes
        auto-renew: yes
[root@caer ~]#

Your help is highly appreciated!

On Fri, Jul 15, 2016 at 5:08 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Linov Suresh wrote:
>
>> I logged into my IPA master and found that the cert had expired again; we renewed these certificates about 18 months ago.
>>
>> Our environment is CentOS 6.4 and IPA 3.0.0-26.
>>
>> I followed the Red Hat documentation, "How do I manually renew Identity Management (IPA) certificates after they have expired? (Master IPA Server)", https://access.redhat.com/solutions/643753, but no luck.
>>
>> I have also changed the directive "NSSEnforceValidCerts off" in /etc/httpd/conf.d/nss.conf, and the value of nsslapd-validate-cert is warn.
>>
>> ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w ******* -b cn=config | grep nsslapd-validate-cert
>>
>> nsslapd-validate-cert: warn
>>
>> Here is my getcert list,
>>
>> [root@caer ~]# getcert list
>>
>
> It looks like your CA subsystem certificates all renewed successfully; it is just the webserver and LDAP certificates that need renewing, so that's good.
>
> What I'd do is go back in time again to, say, Jan 20, 2016 and restart certmonger. That should make it retry the renewals.
>
> rob
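An added example, not code from the thread or from FreeIPA/certmonger: a small Python parser for `getcert list` output that flags each tracked request carrying a ca-error, a stuck state, or an expiry inside a warning window, which is the check an operator would run before and after a renewal attempt like the one above. The sample listing is constructed in the same shape as the listing in the thread; the host name and dates are made up.

```python
import re
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S UTC"   # timestamp format certmonger prints in 'expires:'

# Constructed sample in the shape of the thread's listing (host and dates are made up).
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20111214223316':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 2016-07-18 15:55:04 UTC
Request ID '20130519130741':
\tstatus: MONITORING
\tca-error: Internal error: no response to "http://ca.example.test:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
\tstuck: no
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2017-10-13 14:10:49 UTC
"""

def parse_getcert_list(text):
    """Split the listing into one dict per 'Request ID' block, keyed by field name."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            # split on the first colon only: values such as ca-error contain more colons
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def needs_attention(req, now_str, warn_days=30):
    """Reasons this request needs an operator (empty list means healthy)."""
    reasons = []
    if "ca-error" in req:          # the CA rejected, or never answered, the last renewal attempt
        reasons.append("ca-error: " + req["ca-error"])
    if req.get("stuck") == "yes":  # certmonger has given up retrying on its own
        reasons.append("stuck")
    if "expires" in req:
        days = (datetime.strptime(req["expires"], FMT) - datetime.strptime(now_str, FMT)).days
        if days < 0:
            reasons.append("expired %d days ago" % -days)
        elif days <= warn_days:
            reasons.append("expires in %d days" % days)
    return reasons
```

Run it over the real listing with `needs_attention(r, now)` for each `r` in `parse_getcert_list(open("getcert.txt").read())`; a request that keeps reporting a ca-error after a retry is the one to investigate on the CA side.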
--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project