Rob,Thank you. So it looks like what I shared as the current config is actually what was there when the snapshot was taken. The changes outlined in that post were made on a machine which has since been deleted. So what I am saying is that the config I shared does not include any of the changes my co-worker had made. When I make the changes to match what Florence shared as a default config and attempt to renew the certs, I am now getting the following error:ca-error: Server at https://<HOSTNAME>/ipa/xml failed request, will retry: 4016 (RPC failed at server. Failed to authenticate to CA REST API).
How can I make sure that the credentials that are attempting to be used are valid for this operation?Many thanks,EvanOn Fri, Sep 15, 2023 at 10:25 AM Rob Crittenden <rcritten@redhat.com> wrote:IT Guy wrote:
> OK just one more thing to add, I had run across this link during
> troubleshooting and it seems that my co-worker had updated some of the
> lines in this configuration according to the steps outlined in this
> forum post: https://pagure.io/freeipa/issue/7267
>
> However I can say that this was a last ditch effort to try and get the
> renewals working, we had already been troubleshooting for 3+ days at the
> point that this was changed.
Looks like this was not correctly applied: "Especially note the
replacement of occurrences of $$ with $."
Your profile has $$ and it should be $, according to Fraser.
rob
>
> On Fri, Sep 15, 2023 at 9:58 AM IT Guy <underqualifieditguy@gmail.com
> <mailto:underqualifieditguy@gmail.com>> wrote:
>
> Wow that worked Rob, thank you! If I compare the values that
> Florence sent to what I have in this file, the only difference is
> this line:
>
> policyset.serverCertSet.1.default.params.name
> <http://policyset.serverCertSet.1.default.params.name>=CN=$$request.req_subject_name.cn
> <http://request.req_subject_name.cn>$$, $SUBJECT_DN_O
>
> Here's the full snippet for reference:
>
> policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
> policyset.serverCertSet.1.constraint.name
> <http://policyset.serverCertSet.1.constraint.name>=Subject Name
> Constraint
> policyset.serverCertSet.1.constraint.params.accept=true
> policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
> policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
> policyset.serverCertSet.1.default.name
> <http://policyset.serverCertSet.1.default.name>=Subject Name Default
> policyset.serverCertSet.1.default.params.name
> <http://policyset.serverCertSet.1.default.params.name>=CN=$$request.req_subject_name.cn
> <http://request.req_subject_name.cn>$$, $SUBJECT_DN_O
>
>
> One other thing I wanted to call out is that I have a good snapshot
> of this server that I have restored a couple of times to try
> different things and the one that got me the farthest was when I
> changed the name of the cert from our custom name back to
> Server-Cert. Even when I had the config this way I still could not
> renew but maybe modifying something in the above config plus
> changing back to Server-Cert could alleviate the issue?
>
> Many thanks,
>
> Evan
>
> On Fri, Sep 15, 2023 at 9:47 AM Rob Crittenden <rcritten@redhat.com
> <mailto:rcritten@redhat.com>> wrote:
>
> IT Guy via FreeIPA-users wrote:
> > Hi Florence,
> >
> > Thank you for your response. What does it mean if I run the ipa
> > certprofile-show command as outlined above and it just hangs?
> I don't
> > think there is any other way to see the settings you mentioned
> unless
> > this command is able to run right?
>
> I can't explain why it would hang but you can get the profile
> directly
> from LDAP:
>
> $ ldapsearch -LLL -o ldif-wrap=no -x -D 'cn=directory manager' -W -b
> cn=caIPAserviceCert,ou=certificateProfiles,ou=ca,o=ipaca
> certProfileConfig > /tmp/profile
>
> Edit this file and remove the dn value and 'certProfileConfig::
> ' then
> base64-decode the result.
>
> The final really huge string should look something like:
>
> YXV0aC5pbnN0YW5jZV9pZ...=
>
> I used the coreutils base64 program to decode it:
>
> $ base64 -d /tmp/profile
>
> rob
> >
> > Many thanks,
> >
> > Evan
> >
> > On Fri, Sep 15, 2023 at 3:19 AM Florence Blanc-Renaud
> <flo@redhat.com <mailto:flo@redhat.com>
> > <mailto:flo@redhat.com <mailto:flo@redhat.com>>> wrote:
> >
> > Hi,
> > it seems that PKI is not happy with the subject name of the
> > certificates.
> > The failing certs are for KDC, dirsrv and httpd and they
> all use the
> > same subject name constraint in their profile.
> >
> > 1. Was any certificate profile modified (caIPAserviceCert or
> > KDCs_PKINIT_Certs)? You can use
> > ipa certprofile-show <name> --out /dev/stdout
> > And then check the part related to Subject Name
> Constraint. In my
> > default installation, I have
> >
> policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
> > policyset.serverCertSet.1.constraint.name
> <http://policyset.serverCertSet.1.constraint.name>
> > <http://policyset.serverCertSet.1.constraint.name>=Subject
> Name
> > Constraint
> > policyset.serverCertSet.1.constraint.params.accept=true
> >
> policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
> >
> policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
> > policyset.serverCertSet.1.default.name
> <http://policyset.serverCertSet.1.default.name>
> > <http://policyset.serverCertSet.1.default.name>=Subject
> Name Default
> > policyset.serverCertSet.1.default.params.name
> <http://policyset.serverCertSet.1.default.params.name>
> >
> <http://policyset.serverCertSet.1.default.params.name>=CN=$request.req_subject_name.cn
> <http://request.req_subject_name.cn>
> > <http://request.req_subject_name.cn>$, O=IPA.TEST
> >
> > which means that the subject name should match CN= followed by
> > (anything except a comma) multiple times then a comma and
> any char
> > multiple times.
> >
> > 2. If the profile wasn't changed, can you check in
> > /var/log/pki/pki-tomcat/ca/debug.$DATE.log the received
> certificate
> > request? Does its subject match the pattern? The error
> > messagejava.lang.StringIndexOutOfBoundsException: String
> index out
> > of range: -1 hints that an expected pattern was not found.
> >
> > flo
> >
> > On Thu, Sep 14, 2023 at 4:11 PM Evan G via FreeIPA-users
> > <freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> > <mailto:freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>>> wrote:
> >
> > Hi Rob,
> >
> > When we start tomcat with the date rolled back, we are not
> > seeing any errors at all. All of the ipa services start up
> > without issue. The problem is in actually renewing the
> certs,
> > when we do so we have seen many different errors as
> we've been
> > troubleshooting -- mostly this one: `ca-error: Server at
> > https://<HOSTNAME>/ipa/xml failed request, will retry:
> 4035 (RPC
> > failed at server. Request failed with status 500: Non-2xx
> > response from CA REST API: 500. String index out of range:
> > -1).[02/Aug/2023:00:00:31][ajp-bio-127.0.0.1-8009-exec-2]:
> > EnrollProfile: populate: begins`
> >
> > When I restart certmonger after all services up, these
> are the
> > errors that I am seeing in the tomcat debug logs:
> > ```
> > [02/Aug/2023:00:00:31][ajp-bio-127.0.0.1-8009-exec-2]:
> > BasicProfile: populate: policy setid =serverCertSet
> > [02/Aug/2023:00:00:31][ajp-bio-127.0.0.1-8009-exec-2]:
> > EnrollDefault: populate: SubjectNameDefault: start
> > java.lang.StringIndexOutOfBoundsException: String
> index out of
> > range: -1
> > at java.lang.String.substring(String.java:1967)
> > at
> >
> com.netscape.certsrv.pattern.Pattern.substitute2(Pattern.java:132)
> > at
> >
> com.netscape.cms.profile.def.EnrollDefault.mapPattern(EnrollDefault.java:815)
> > at
> >
> com.netscape.cms.profile.def.SubjectNameDefault.populate(SubjectNameDefault.java:160)
> > at
> >
> com.netscape.cms.profile.def.EnrollDefault.populate(EnrollDefault.java:226)
> > at
> >
> com.netscape.cms.profile.common.BasicProfile.populate(BasicProfile.java:1114)
> > at
> >
> com.netscape.cms.profile.common.EnrollProfile.populate(EnrollProfile.java:2626)
> > at
> >
> com.netscape.cms.servlet.cert.CertProcessor.populateRequests(CertProcessor.java:379)
> > at
> >
> com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:188)
> > at
> >
> com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:96)
> > at
> >
> com.netscape.cms.servlet.cert.CertRequestDAO.submitRequest(CertRequestDAO.java:197)
> > at
> >
> org.dogtagpki.server.ca.rest.CertRequestService.enrollCert(CertRequestService.java:155)
> > at
> sun.reflect.NativeMethodAccessorImpl.invoke0(Native
> > Method)
> > at
> >
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > at
> >
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > at
> java.lang.reflect.Method.invoke(Method.java:498)
> > at
> >
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
> > at
> >
> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280)
> > at
> >
> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234)
> > at
> >
> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:221)
> > at
> >
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
> > at
> >
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
> > at
> >
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
> > at
> >
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> > at
> >
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> > at
> >
> javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
> > at
> sun.reflect.NativeMethodAccessorImpl.invoke0(Native
> > Method)
> > at
> >
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > at
> >
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > at
> java.lang.reflect.Method.invoke(Method.java:498)
> > at
> >
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
> > at
> >
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
> > at
> java.security.AccessController.doPrivileged(Native
> > Method)
> > at
> >
> javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> > at
> >
> org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
> > at
> >
> org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
> > at
> >
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
> > at
> >
> org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
> > at
> >
> org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
> > at
> >
> org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
> > at
> java.security.AccessController.doPrivileged(Native
> > Method)
> > at
> >
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
> > at
> >
> org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
> > at
> sun.reflect.NativeMethodAccessorImpl.invoke0(Native
> > Method)
> > at
> >
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > at
> >
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > at
> java.lang.reflect.Method.invoke(Method.java:498)
> > at
> >
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
> > at
> >
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
> > at
> java.security.AccessController.doPrivileged(Native
> > Method)
> > at
> >
> javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> > at
> >
> org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
> > at
> >
> org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
> > at
> >
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
> > at
> >
> org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
> > at
> >
> org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
> > at
> >
> org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
> > at
> java.security.AccessController.doPrivileged(Native
> > Method)
> > at
> >
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
> > at
> >
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
> > at
> >
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
> > at
> >
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:498)
> > at
> >
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
> > at
> >
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
> > at
> >
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
> > at
> >
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
> > at
> >
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
> > at
> >
> org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190)
> > at
> >
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
> > at org.apache.tomcat.util.net
> <http://org.apache.tomcat.util.net>
> >
> <http://org.apache.tomcat.util.net>.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
> > at
> >
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> > at
> >
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> > at
> >
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> > at java.lang.Thread.run(Thread.java:750)
> > ```
> >
> > This is what we see when we run `getcert list` and
> `ipa-getcert
> > list` respectively:
> >
> > ```
> > Number of certificates and requests being tracked: 9.
> > Request ID '20190920201259':
> > status: CA_UNREACHABLE
> > ca-error: Server at https://<HOSTNAME>/ipa/xml
> failed
> > request, will retry: 4035 (RPC failed at server.
> Request failed
> > with status 500: Non-2xx response from CA REST API:
> 500. String
> > index out of range: -1).
> > stuck: no
> > key pair storage:
> > type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
> > certificate:
> > type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=<OU>
> > subject: CN=<HOSTNAME>,O=<OU>
> > expires: 2023-08-25 18:05:07 UTC
> > principal name: krbtgt/<OU>@<OU>
> > key usage:
> >
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-pkinit-KPKdc
> > pre-save command:
> > post-save command:
> > /usr/libexec/ipa/certmonger/renew_kdc_cert
> > track: yes
> > auto-renew: yes
> > Request ID '20210908000050':
> > status: MONITORING
> > stuck: no
> > key pair storage:
> >
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> > cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set
> > certificate:
> >
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> > cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
> > CA: dogtag-ipa-ca-renew-agent
> > issuer: CN=Certificate Authority,O=<OU>
> > subject: CN=CA Audit,O=<OU>
> > expires: 2025-07-21 02:36:57 UTC
> > key usage:
> digitalSignature,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> /usr/libexec/ipa/certmonger/stop_pkicad
> > post-save command:
> > /usr/libexec/ipa/certmonger/renew_ca_cert
> "auditSigningCert
> > cert-pki-ca"
> > track: yes
> > auto-renew: yes
> > Request ID '20210908000051':
> > status: MONITORING
> > stuck: no
> > key pair storage:
> >
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
> > cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set
> > certificate:
> >
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
> > cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
> > CA: dogtag-ipa-ca-renew-agent
> > issuer: CN=Certificate Authority,O=<OU>
> > subject: CN=OCSP Subsystem,O=<OU>
> > expires: 2025-07-21 02:36:17 UTC
> > key usage:
> digitalSignature,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> /usr/libexec/ipa/certmonger/stop_pkicad
> > post-save command:
> > /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert
> > cert-pki-ca"
> > track: yes
> > auto-renew: yes
> > Request ID '20210908000052':
> > status: MONITORING
> > stuck: no
> > key pair storage:
> >
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> > cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set
> > certificate:
> >
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> > cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
> > CA: dogtag-ipa-ca-renew-agent
> > issuer: CN=Certificate Authority,O=<OU>
> > subject: CN=CA Subsystem,O=<OU>
> > expires: 2025-07-21 02:37:17 UTC
> > key usage:
> digitalSignature,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> /usr/libexec/ipa/certmonger/stop_pkicad
> > post-save command:
> > /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert
> > cert-pki-ca"
> > track: yes
> > auto-renew: yes
> > Request ID '20210908000053':
> > status: MONITORING
> > stuck: no
> > key pair storage:
> >
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> > cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set
> > certificate:
> >
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> > cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
> > CA: dogtag-ipa-ca-renew-agent
> > issuer: CN=Certificate Authority,O=<OU>
> > subject: CN=Certificate Authority,O=<OU>
> > expires: 2039-09-20 20:11:25 UTC
> > key usage:
> > digitalSignature,nonRepudiation,keyCertSign,cRLSign
> > pre-save command:
> /usr/libexec/ipa/certmonger/stop_pkicad
> > post-save command:
> > /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert
> > cert-pki-ca"
> > track: yes
> > auto-renew: yes
> > Request ID '20210908000054':
> > status: MONITORING
> > stuck: no
> > key pair storage:
> > type=FILE,location='/var/lib/ipa/ra-agent.key'
> > certificate:
> type=FILE,location='/var/lib/ipa/ra-agent.pem'
> > CA: dogtag-ipa-ca-renew-agent
> > issuer: CN=Certificate Authority,O=<OU>
> > subject: CN=IPA RA,O=<OU>
> > expires: 2025-06-26 02:36:15 UTC
> > key usage:
> digitalSignature,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> > /usr/libexec/ipa/certmonger/renew_ra_cert_pre
> > post-save command:
> /usr/libexec/ipa/certmonger/renew_ra_cert
> > track: yes
> > auto-renew: yes
> > Request ID '20210908000055':
> > status: MONITORING
> > stuck: no
> > key pair storage:
> >
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
> > cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set
> > certificate:
> >
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
> > cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
> > CA: dogtag-ipa-ca-renew-agent
> > issuer: CN=Certificate Authority,O=<OU>
> > subject: CN=<HOSTNAME>,O=<OU>
> > expires: 2025-07-21 02:36:37 UTC
> > dns: <HOSTNAME>
> > key usage:
> digitalSignature,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> /usr/libexec/ipa/certmonger/stop_pkicad
> > post-save command:
> > /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert
> cert-pki-ca"
> > track: yes
> > auto-renew: yes
> > Request ID '20210908000056':
> > status: CA_UNREACHABLE
> > ca-error: Server at https://<HOSTNAME>/ipa/xml
> failed
> > request, will retry: 4035 (RPC failed at server.
> Request failed
> > with status 500: Non-2xx response from CA REST API:
> 500. String
> > index out of range: -1).
> > stuck: no
> > key pair storage:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-<OU>',nickname='CN=<HOSTNAME>,O=<OU>',token='NSS
> > FIPS 140-2 Certificate
> > DB',pinfile='/etc/dirsrv/slapd-<OU>/pwdfile.txt'
> > certificate:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-<OU>',nickname='CN=<HOSTNAME>,O=<OU>',token='NSS
> > FIPS 140-2 Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=<OU>
> > subject: CN=<HOSTNAME>,O=<OU>
> > expires: 2023-09-03 18:30:48 UTC
> > dns: <HOSTNAME>
> > key usage:
> >
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> > post-save command:
> > /usr/libexec/ipa/certmonger/restart_dirsrv <OU>
> > track: yes
> > auto-renew: yes
> > Request ID '20210908000057':
> > status: CA_UNREACHABLE
> > ca-error: Server at https://<HOSTNAME>/ipa/xml
> failed
> > request, will retry: 4035 (RPC failed at server.
> Request failed
> > with status 500: Non-2xx response from CA REST API:
> 500. String
> > index out of range: -1).
> > stuck: no
> > key pair storage:
> >
> type=NSSDB,location='/etc/httpd/alias',nickname='CN=<HOSTNAME>,O=<OU>',token='NSS
> > FIPS 140-2 Certificate
> DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate:
> >
> type=NSSDB,location='/etc/httpd/alias',nickname='CN=<HOSTNAME>,O=<OU>',token='NSS
> > FIPS 140-2 Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=<OU>
> > subject: CN=<HOSTNAME>,O=<OU>
> > expires: 2023-09-03 18:30:48 UTC
> > dns: <HOSTNAME>
> > key usage:
> >
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> > post-save command:
> /usr/libexec/ipa/certmonger/restart_httpd
> > track: yes
> > auto-renew: yes
> > ```
> >
> > ��```
> > Number of certificates and requests being tracked: 9.
> > Request ID '20190920201259':
> > status: CA_UNREACHABLE
> > ca-error: Server at https://<HOSTNAME>/ipa/xml
> failed
> > request, will retry: 4035 (RPC failed at server.
> Request failed
> > with status 500: Non-2xx response from CA REST API:
> 500. String
> > index out of range: -1).
> > stuck: no
> > key pair storage:
> > type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
> > certificate:
> > type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=<OU>
> > subject: CN=<HOSTNAME>,O=<OU>
> > expires: 2023-08-25 18:05:07 UTC
> > principal name: krbtgt/<OU>@<OU>
> > key usage:
> >
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-pkinit-KPKdc
> > pre-save command:
> > post-save command:
> > /usr/libexec/ipa/certmonger/renew_kdc_cert
> > track: yes
> > auto-renew: yes
> > Request ID '20210908000056':
> > status: CA_UNREACHABLE
> > ca-error: Server at https://<HOSTNAME>/ipa/xml
> failed
> > request, will retry: 4035 (RPC failed at server.
> Request failed
> > with status 500: Non-2xx response from CA REST API:
> 500. String
> > index out of range: -1).
> > stuck: no
> > key pair storage:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-<OU>',nickname='CN=<HOSTNAME>,O=<OU>',token='NSS
> > FIPS 140-2 Certificate
> > DB',pinfile='/etc/dirsrv/slapd-<OU>/pwdfile.txt'
> > certificate:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-<OU>',nickname='CN=<HOSTNAME>,O=<OU>',token='NSS
> > FIPS 140-2 Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=<OU>
> > subject: CN=<HOSTNAME>,O=<OU>
> > expires: 2023-09-03 18:30:48 UTC
> > dns: <HOSTNAME>
> > key usage:
> >
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> > post-save command:
> > /usr/libexec/ipa/certmonger/restart_dirsrv <OU>
> > track: yes
> > auto-renew: yes
> > Request ID '20210908000057':
> > status: CA_UNREACHABLE
> > ca-error: Server at https://<HOSTNAME>/ipa/xml
> failed
> > request, will retry: 4035 (RPC failed at server.
> Request failed
> > with status 500: Non-2xx response from CA REST API:
> 500. String
> > index out of range: -1).
> > stuck: no
> > key pair storage:
> >
> type=NSSDB,location='/etc/httpd/alias',nickname='CN=<HOSTNAME>,O=<OU>',token='NSS
> > FIPS 140-2 Certificate
> DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate:
> >
> type=NSSDB,location='/etc/httpd/alias',nickname='CN=<HOSTNAME>,O=<OU>',token='NSS
> > FIPS 140-2 Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=<OU>
> > subject: CN=<HOSTNAME>,O=<OU>
> > expires: 2023-09-03 18:30:48 UTC
> > dns: <HOSTNAME>
> > key usage:
> >
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> > post-save command:
> /usr/libexec/ipa/certmonger/restart_httpd
> > track: yes
> > auto-renew: yes
> > ```
> > _______________________________________________
> > FreeIPA-users mailing list --
> > freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> > <mailto:freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>>
> > To unsubscribe send an email to
> > freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > Fedora Code of Conduct:
> >
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines:
> > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> >
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> > Do not reply to spam, report it:
> > https://pagure.io/fedora-infrastructure/new_issue
> >
> >
> > _______________________________________________
> > FreeIPA-users mailing list --
> freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> > To unsubscribe send an email to
> freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> > Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
> >
>