Hi,
I have two IPA servers, version 4.10.2-8.el9_3 (fserver & mserver), running
Rocky 9.3. I realized that some of the most recently created users had
problems logging in. One strange thing was that when listing their home
directory, the owner was shown as their uidnumber instead of their
username.
One of the servers (mserver) fails to start pki-tomcat, and I suspected a
certificate issue (some certificates show an expiration date a month ago).
Below I show some info (sanitized); I could use some help:
*[root@fserver]# ipa-healthcheck*
Internal server error 503 Server Error: Service Unavailable for url:
https://mserver.example.com:443/ca/rest/certs/search?size=3
[
{
"source": "pki.server.healthcheck.clones.connectivity_and_data",
"check": "ClonesConnectivyAndDataCheck",
"result": "ERROR",
"uuid": "ae2033bb-9595-4907-8b6d-0db6d13813c3",
"when": "20250320202815Z",
"duration": "0.605725",
"kw": {
"status": "ERROR: pki-tomcat : Internal error testing CA clone.
Host: mserver.example.com Port: 443"
}
},
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationCheck",
"result": "ERROR",
"uuid": "cd8ecc04-1e11-4229-b0e9-605fc08cc2af",
"when": "20250320202818Z",
"duration": "0.381935",
"kw": {
"key": "DSREPLLE0003",
"items": [
"Replication",
"Agreement"
],
"msg": "The replication agreement (metomserver.example.com) under
\"dc=IPA,dc=ss,dc=lan\" is not in synchronization.\nStatus message:
error (18) can't acquire replica (incremental update transient warning.
backing off, will retry update later.)"
}
},
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationCheck",
"result": "ERROR",
"uuid": "2178f7ef-f4fc-426f-a4c4-f357c3540baa",
"when": "20250320202818Z",
"duration": "0.381965",
"kw": {
"key": "DSREPLLE0003",
"items": [
"Replication",
"Agreement"
],
"msg": "The replication agreement (catomserver.example.com) under
\"o=ipaca\" is not in synchronization.\nStatus message: error (18) can't
acquire replica (incremental update transient warning. backing off,
will retry update later.)"
}
}
===================================================================================
*[root@mserver ~]# ipa-healthcheck *
Expired Cert: ocsp_signing
Expired Cert: subsystem
Expired Cert: audit_signing
Internal server error HTTPConnectionPool(host='mserver.example.com',
port=8080): Max retries exceeded with url:
/ca/rest/securityDomain/domainInfo (Caused by
NewConnectionError('<urllib3.connection.HTTPConnection object at
0x7f1a6ea9c6d0>: Failed to establish a new connection: [Errno 111]
Connection refused'))
Internal server error HTTPSConnectionPool(host='mserver.example.com',
port=8443): Max retries exceeded with url: /ca/admin/ca/getStatus
(Caused by NewConnectionError('<urllib3.connection.HTTPSConnection
object at 0x7f1a6e9194f0>: Failed to establish a new connection: [Errno
111] Connection refused'))
[
{
"source": "ipahealthcheck.meta.services",
"check": "pki_tomcatd",
"result": "ERROR",
"uuid": "1f169946-8a47-4d93-ae38-f8072abf82e1",
"when": "20250320203343Z",
"duration": "0.000577",
"kw": {
"status": false,
"msg": "pki_tomcatd: not running"
}
},
{
"source": "pki.server.healthcheck.certs.expiration",
"check": "CASystemCertExpiryCheck",
"result": "ERROR",
"uuid": "d659a57c-f625-462d-b6d5-1a60d8216953",
"when": "20250320203344Z",
"duration": "0.143464",
"kw": {
"cert_id": "ocsp_signing",
"expiry_date": "Feb 17 2025",
"msg": "Certificate has ALREADY EXPIRED"
}
},
{
"source": "pki.server.healthcheck.certs.expiration",
"check": "CASystemCertExpiryCheck",
"result": "ERROR",
"uuid": "7232e7cb-3cc2-4ff2-9953-954ef2e5d3b9",
"when": "20250320203344Z",
"duration": "0.280452",
"kw": {
"cert_id": "subsystem",
"expiry_date": "Feb 17 2025",
"msg": "Certificate has ALREADY EXPIRED"
}
},
{
"source": "pki.server.healthcheck.certs.expiration",
"check": "CASystemCertExpiryCheck",
"result": "ERROR",
"uuid": "117eece4-37dd-45cb-bf6c-acdfa29fb525",
"when": "20250320203344Z",
"duration": "0.349712",
"kw": {
"cert_id": "audit_signing",
"expiry_date": "Feb 17 2025",
"msg": "Certificate has ALREADY EXPIRED"
}
},
{
"source": "pki.server.healthcheck.meta.connectivity",
"check": "DogtagCACertsConnectivityCheck",
"result": "CRITICAL",
"uuid": "bb5c2f08-e28e-47d7-9752-404f83fb67a8",
"when": "20250320203345Z",
"duration": "0.035959",
"kw": {
"msg": "Internal server error. Is your CA subsystem and LDAP
database up?",
"instance_name": "pki-tomcat",
"exception": "HTTPSConnectionPool(host='mserver.example.com',
port=8443): Max retries exceeded with url: /ca/admin/ca/getStatus
(Caused by NewConnectionError('<urllib3.connection.HTTPSConnection
object at 0x7f1a6e9194f0>: Failed to establish a new connection: [Errno
111] Connection refused'))"
}
},
{
"source": "ipahealthcheck.dogtag.ca",
"check": "DogtagCertsConnectivityCheck",
"result": "ERROR",
"uuid": "2c134180-e055-41fe-bd8e-8aa9ca4f56a6",
"when": "20250320203346Z",
"duration": "0.423802",
"kw": {
"key": "cert_show_ra",
"error": "cannot connect to
'https://mserver.example.com:443/ca/rest/certs/41': [SSL:
SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired
(_ssl.c:2633)",
"serial": "41",
"msg": "Request for certificate failed: {error}"
}
},
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationCheck",
"result": "ERROR",
"uuid": "55b716e8-43e9-44b0-8764-4263d283dc2d",
"when": "20250320203347Z",
"duration": "0.346086",
"kw": {
"key": "DSREPLLE0003",
"items": [
"Replication",
"Agreement"
],
"msg": "The replication agreement (metofserver.example.com) under
\"dc=IPA,dc=ss,dc=lan\" is not in synchronization.\nStatus message:
error (18) can't acquire replica (incremental update transient warning.
backing off, will retry update later.)"
}
},
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationCheck",
"result": "ERROR",
"uuid": "37bc48b0-7eca-4576-8e61-b30b1bde621b",
"when": "20250320203347Z",
"duration": "0.346109",
"kw": {
"key": "DSREPLLE0003",
"items": [
"Replication",
"Agreement"
],
"msg": "The replication agreement (catofserver.example.com) under
\"o=ipaca\" is not in synchronization.\nStatus message: error (18) can't
acquire replica (incremental update transient warning. backing off,
will retry update later.)"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertmongerExpirationCheck",
"result": "ERROR",
"uuid": "3170174f-6bb6-4afc-82f0-a795791036ed",
"when": "20250320203347Z",
"duration": "0.010887",
"kw": {
"key": "20240325182332",
"expiration_date": "20250217085937Z",
"msg": "Request id {key} expired on {expiration_date}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertmongerExpirationCheck",
"result": "ERROR",
"uuid": "727c67e4-f647-4942-b9f4-2861ffd244a8",
"when": "20250320203347Z",
"duration": "0.013823",
"kw": {
"key": "20240325182333",
"expiration_date": "20250217085837Z",
"msg": "Request id {key} expired on {expiration_date}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertmongerExpirationCheck",
"result": "ERROR",
"uuid": "83c634aa-24d0-41df-88c3-401a0ce804f4",
"when": "20250320203347Z",
"duration": "0.016737",
"kw": {
"key": "20240325182337",
"expiration_date": "20250217085847Z",
"msg": "Request id {key} expired on {expiration_date}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertmongerExpirationCheck",
"result": "ERROR",
"uuid": "d8ff80a5-f947-48a2-b97c-078becf2f8f9",
"when": "20250320203347Z",
"duration": "0.019678",
"kw": {
"key": "20240325182339",
"expiration_date": "20250217085927Z",
"msg": "Request id {key} expired on {expiration_date}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertfileExpirationCheck",
"result": "ERROR",
"uuid": "31b38213-3510-4a6d-b01f-4aef8f01fdfe",
"when": "20250320203347Z",
"duration": "0.059710",
"kw": {
"key": "20240325182332",
"expiration_date": "20250217085937Z",
"msg": "Request id {key} expired on {expiration_date}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertfileExpirationCheck",
"result": "ERROR",
"uuid": "140abdf2-c6a6-4f5a-9c4e-1381ad9ffef2",
"when": "20250320203347Z",
"duration": "0.103873",
"kw": {
"key": "20240325182333",
"expiration_date": "20250217085837Z",
"msg": "Request id {key} expired on {expiration_date}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertfileExpirationCheck",
"result": "ERROR",
"uuid": "bb70dc48-0382-43a5-80c9-1303302d0332",
"when": "20250320203347Z",
"duration": "0.148327",
"kw": {
"key": "20240325182337",
"expiration_date": "20250217085847Z",
"msg": "Request id {key} expired on {expiration_date}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertfileExpirationCheck",
"result": "ERROR",
"uuid": "d7c88743-8fb3-4793-b193-5e7a6a963e4b",
"when": "20250320203348Z",
"duration": "0.192067",
"kw": {
"key": "20240325182339",
"expiration_date": "20250217085927Z",
"msg": "Request id {key} expired on {expiration_date}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPAOpenSSLChainValidation",
"result": "ERROR",
"uuid": "faab3d0d-c726-4d93-a4fd-b3f47cbee7a0",
"when": "20250320203351Z",
"duration": "0.016884",
"kw": {
"key": "/var/lib/ipa/ra-agent.pem",
"reason": "O = IPA.SS.LAN, CN = IPA RA\nerror 10 at 0 depth
lookup: certificate has expired\nerror /var/lib/ipa/ra-agent.pem:
verification failed\n",
"msg": "Certificate validation for {key} failed: {reason}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "c962600a-5f2e-4000-995e-0d6e2c51bf6c",
"when": "20250320203351Z",
"duration": "0.438354",
"kw": {
"key": "20240325182332",
"serial": 41,
"error": "cannot connect to
'https://mserver.example.com:443/ca/rest/certs/41': [SSL:
SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired
(_ssl.c:2633)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "524f71a3-92aa-424c-a660-f48efef17684",
"when": "20250320203351Z",
"duration": "0.513622",
"kw": {
"key": "20240325182333",
"serial": 37,
"error": "cannot connect to
'https://mserver.example.com:443/ca/rest/certs/37': [SSL:
SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired
(_ssl.c:2633)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "c2f9fc6f-0561-45e9-aa2b-c741b893a173",
"when": "20250320203351Z",
"duration": "0.591474",
"kw": {
"key": "20240325182337",
"serial": 38,
"error": "cannot connect to
'https://mserver.example.com:443/ca/rest/certs/38': [SSL:
SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired
(_ssl.c:2633)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "a373bde5-64bd-4cdb-9db1-4b9a565f6d60",
"when": "20250320203351Z",
"duration": "0.667891",
"kw": {
"key": "20240325182339",
"serial": 40,
"error": "cannot connect to
'https://mserver.example.com:443/ca/rest/certs/40': [SSL:
SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired
(_ssl.c:2633)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "4adb473e-4604-4f6b-85de-aeda264b2bfd",
"when": "20250320203352Z",
"duration": "0.749218",
"kw": {
"key": "20240325182340",
"serial": 1,
"error": "cannot connect to
'https://mserver.example.com:443/ca/rest/certs/1': [SSL:
SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired
(_ssl.c:2633)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "3cd2e311-a4cc-47a1-86fa-c80ae7c35535",
"when": "20250320203352Z",
"duration": "0.826249",
"kw": {
"key": "20240325182341",
"serial": 805175299,
"error": "cannot connect to
'https://mserver.example.com:443/ca/rest/certs/805175299': [SSL:
SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired
(_ssl.c:2633)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "3355e9e4-e18d-48b5-9a1f-018ea8a02018",
"when": "20250320203352Z",
"duration": "0.865347",
"kw": {
"key": "20240325182024",
"serial": 805175298,
"error": "cannot connect to
'https://mserver.example.com:443/ca/rest/certs/805175298': [SSL:
SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired
(_ssl.c:2633)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "43779b90-74cd-4db1-a1b2-19b30f1400ac",
"when": "20250320203352Z",
"duration": "0.947838",
"kw": {
"key": "20240325182004",
"serial": 805175297,
"error": "cannot connect to
'https://mserver.example.com:443/ca/rest/certs/805175297': [SSL:
SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired
(_ssl.c:2633)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "76a26aa3-c56f-4984-8abc-c5113d25f2e2",
"when": "20250320203352Z",
"duration": "0.992108",
"kw": {
"key": "20240325182408",
"serial": 268304393,
"error": "cannot connect to
'https://mserver.example.com:443/ca/rest/certs/268304393': [SSL:
SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired
(_ssl.c:2633)",
"msg": "Request for certificate serial number {serial} in request
{key} failed: {error}"
}
}
]
===================================================================================
*[root@mserver]# ipactl -d status*
[...]
ipa-custodia Service: RUNNING
ipa: DEBUG: request POST
http://mserver.example.com:8080/ca/admin/ca/getStatus
ipa: DEBUG: request body ''
ipa: DEBUG: httplib request failed:
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/ipapython/dogtag.py", line
271, in _httplib_request
conn.request(method, path, body=request_body, headers=headers)
File "/usr/lib64/python3.9/http/client.py", line 1285, in request
self._send_request(method, url, body, headers, encode_chunked)
File "/usr/lib64/python3.9/http/client.py", line 1331, in _send_request
self.endheaders(body, encode_chunked=encode_chunked)
File "/usr/lib64/python3.9/http/client.py", line 1280, in endheaders
self._send_output(message_body, encode_chunked=encode_chunked)
File "/usr/lib64/python3.9/http/client.py", line 1040, in _send_output
self.send(msg)
File "/usr/lib64/python3.9/http/client.py", line 980, in send
self.connect()
File "/usr/lib64/python3.9/http/client.py", line 946, in connect
self.sock = self._create_connection(
File "/usr/lib64/python3.9/socket.py", line 844, in create_connection
raise err
File "/usr/lib64/python3.9/socket.py", line 832, in create_connection
sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused
ipa: DEBUG: Failed to check CA status: cannot connect to
'http://mserver.example.com:8080/ca/admin/ca/getStatus': [Errno 111]
Connection refused
pki-tomcatd Service: STOPPED
[...]
===================================================================================
*[root@mserver ~]# getcert list*
Number of certificates and requests being tracked: 9.
Request ID '20240325182004':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-IPA-SS-LAN',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-SS-LAN/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-IPA-SS-LAN',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=IPA.SS.LAN
subject: CN=mserver.example.com,O=IPA.SS.LAN
issued: 2024-03-25 20:20:06 EET
expires: 2026-03-26 20:20:06 EET
dns: mserver.example.com
principal name: ldap/[email protected]
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caIPAserviceCert
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv
IPA-SS-LAN
track: yes
auto-renew: yes
Request ID '20240325182024':
status: MONITORING
stuck: no
key pair storage:
type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/mserver.example.com-443-RSA'
certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
CA: IPA
issuer: CN=Certificate Authority,O=IPA.SS.LAN
subject: CN=mserver.example.com,O=IPA.SS.LAN
issued: 2024-03-25 20:20:25 EET
expires: 2026-03-26 20:20:25 EET
dns: mserver.example.com,ipa-ca.IPA.SS.LAN
principal name: HTTP/[email protected]
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caIPAserviceCert
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Request ID '20240325182332':
status: CA_WORKING
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.SS.LAN
subject: CN=IPA RA,O=IPA.SS.LAN
issued: 2023-02-28 10:59:37 EET
expires: 2025-02-17 10:59:37 EET
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caSubsystemCert
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20240325182333':
status: CA_WORKING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.SS.LAN
subject: CN=CA Audit,O=IPA.SS.LAN
issued: 2023-02-28 10:58:37 EET
expires: 2025-02-17 10:58:37 EET
key usage: digitalSignature,nonRepudiation
profile: caSignedLogCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20240325182337':
status: CA_WORKING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.SS.LAN
subject: CN=OCSP Subsystem,O=IPA.SS.LAN
issued: 2023-02-28 10:58:47 EET
expires: 2025-02-17 10:58:47 EET
eku: id-kp-OCSPSigning
profile: caOCSPCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20240325182339':
status: CA_WORKING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.SS.LAN
subject: CN=CA Subsystem,O=IPA.SS.LAN
issued: 2023-02-28 10:59:27 EET
expires: 2025-02-17 10:59:27 EET
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caSubsystemCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20240325182340':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.SS.LAN
subject: CN=Certificate Authority,O=IPA.SS.LAN
issued: 2017-06-20 18:03:50 EEST
expires: 2037-06-20 18:03:50 EEST
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
profile: caCACert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20240325182341':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.SS.LAN
subject: CN=mserver.example.com,O=IPA.SS.LAN
issued: 2024-03-25 20:22:48 EET
expires: 2026-03-15 20:22:48 EET
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
profile: caServerCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20240325182408':
status: MONITORING
stuck: no
key pair storage:
type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: IPA
issuer: CN=Certificate Authority,O=IPA.SS.LAN
subject: CN=mserver.example.com,O=IPA.SS.LAN
issued: 2024-03-25 20:24:13 EET
expires: 2026-03-26 20:24:13 EET
dns: mserver.example.com
principal name: krbtgt/[email protected]
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
profile: KDCs_PKINIT_Certs
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
===================================================================================
Thanks in advance,
Petros