Hi Rob,

I set the date in the past ("26 MAY 2015"), added "NSSEnforceValidCerts off" to nss.conf
and resubmitted the 3 IDs:

[root@be-ipasrv httpd]# getcert resubmit -i 20130528090822
Resubmitting "20130528090822" to "IPA".
[root@be-ipasrv httpd]# getcert resubmit -i 20130528090849
Resubmitting "20130528090849" to "IPA".
[root@be-ipasrv httpd]# getcert resubmit -i 20130528090923
Resubmitting "20130528090923" to "IPA".

Restart ipa and certmonger; now I get an error in http_error:

[Tue May 26 10:00:30 2015] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Tue May 26 10:00:30 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue May 26 10:00:31 2015] [notice] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured.
[Tue May 26 10:00:31 2015] [notice] ModSecurity: APR compiled version="1.3.9"; loaded version="1.3.9"
[Tue May 26 10:00:31 2015] [notice] ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
[Tue May 26 10:00:31 2015] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Tue May 26 10:00:31 2015] [notice] ModSecurity: LIBXML compiled version="2.7.6"
[Tue May 26 10:00:31 2015] [notice] Digest: generating secret for digest authentication ...
[Tue May 26 10:00:31 2015] [notice] Digest: done
[Tue May 26 10:00:32 2015] [notice] Apache/2.2.15 (Unix) mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.14.0.0 Basic ECC PHP/5.3.25 mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations
[Tue May 26 10:00:33 2015] [error] ipa: INFO: *** PROCESS START ***
[Tue May 26 10:00:33 2015] [error] ipa: INFO: *** PROCESS START ***
[Tue May 26 10:01:23 2015] [warn] proxy: No protocol handler was valid for the URL /ca/agent/ca/displayBySerial. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Tue May 26 10:01:23 2015] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with CMS (Internal Server Error)
[Tue May 26 10:01:23 2015] [error] ipa: INFO: host/[email protected]: cert_request(u'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', principal=u'ldap/[email protected]', add=True): CertificateOperationError
[Tue May 26 10:01:29 2015] [warn] proxy: No protocol handler was valid for the URL /ca/agent/ca/displayBySerial. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Tue May 26 10:01:29 2015] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with CMS (Internal Server Error)
[Tue May 26 10:01:29 2015] [error] ipa: INFO: host/[email protected]: cert_request(u'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', principal=u'dogtagldap/[email protected]', add=True): CertificateOperationError
[Tue May 26 10:01:34 2015] [warn] proxy: No protocol handler was valid for the URL /ca/agent/ca/displayBySerial. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Tue May 26 10:01:34 2015] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with CMS (Internal Server Error)
[Tue May 26 10:01:34 2015] [error] ipa: INFO: host/[email protected]: cert_request(u'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', principal=u'HTTP/[email protected]', add=True): CertificateOperationError

_____________________________________________
Best regards
Junhe Jian

-----Original Message-----
From: Rob Crittenden [mailto:[email protected]]
Sent: Thursday, 4 June 2015 16:38
To: Junhe Jian; [email protected]
Subject: Re: [Freeipa-users] IPA v3 Certificate not renewed

Junhe Jian wrote:
> Hello everyone,
>
> I'm new here and have problem with IPA Server
>
> our single IPA Server all Certificate was expired.
>
> Autorenewal not worked, so I read the docu
> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal and do manually
>
> my server is centos 6.4
>
> [root@be-ipasrv ~]# rpm -qa | grep ipa
> ipa-client-3.0.0-26.el6_4.4.x86_64
> ipa-server-3.0.0-26.el6_4.4.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> ipa-python-3.0.0-26.el6_4.4.x86_64
> libipa_hbac-1.9.2-82.7.el6_4.x86_64
> libipa_hbac-python-1.9.2-82.7.el6_4.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-admintools-3.0.0-26.el6_4.4.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
>
> I change the Domain name to EXAMPLE
>
> The 5 CAs: dogtag-ipa-renew-agent get new certificate and has status
> MONITORING.
>
> Only the last 3 CA: IPA (dirv-slapd-PKI-IPA, dirv-slapd-EXAMPLE,
> /etc/httpd/alias) not renew, have status CA_UNREACHABLE
>
> Number of certificates and requests being tracked: 8.
>
> Request ID '20130528090810':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='379816045864'
>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent
>     issuer: CN=Certificate Authority,O= EXAMPLE.DE
>     subject: CN=CA Audit,O= EXAMPLE.DE
>     expires: 2017-04-29 08:14:24 UTC
>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
>
> Request ID '20130528090811':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='379816045864'
>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent
>     issuer: CN=Certificate Authority,O= EXAMPLE.DE
>     subject: CN=OCSP Subsystem,O= EXAMPLE.DE
>     expires: 2017-04-29 08:13:24 UTC
>     eku: id-kp-OCSPSigning
>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
>
> Request ID '20130528090812':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='379816045864'
>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent
>     issuer: CN=Certificate Authority,O= EXAMPLE.DE
>     subject: CN=CA Subsystem,O= EXAMPLE.DE
>     expires: 2017-04-29 08:13:24 UTC
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
>
> Request ID '20130528090813':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent
>     issuer: CN=Certificate Authority,O= EXAMPLE.DE
>     subject: CN=IPA RA,O= EXAMPLE.DE
>     expires: 2017-04-29 08:13:24 UTC
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>     track: yes
>     auto-renew: yes
>
> Request ID '20130528090814':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='379816045864'
>     certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent
>     issuer: CN=Certificate Authority,O= EXAMPLE.DE
>     subject: CN= EXAMPLE.de,O= EXAMPLE.DE
>     expires: 2017-04-29 08:13:24 UTC
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command:
>     track: yes
>     auto-renew: yes
>
> Request ID '20130528090822':
>     status: CA_UNREACHABLE
>     ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)).
>     stuck: yes
>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd- EXAMPLE -DE',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd- EXAMPLE -DE/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/dirsrv/slapd- EXAMPLE -DE',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O= EXAMPLE.DE
>     subject: CN=example.de,O= EXAMPLE.DE
>     expires: 2015-05-29 09:08:22 UTC
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE -DE
>     track: yes
>     auto-renew: yes
>
> Request ID '20130528090849':
>     status: CA_UNREACHABLE
>     ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)).
>     stuck: yes
>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O= EXAMPLE.DE
>     subject: CN=example.de,O= EXAMPLE.DE
>     expires: 2015-05-29 09:08:49 UTC
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
>     track: yes
>     auto-renew: yes
>
> Request ID '20130528090923':
>     status: CA_UNREACHABLE
>     ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)).
>     stuck: yes
>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O= EXAMPLE.DE
>     subject: CN=example.de,O= EXAMPLE.DE
>     expires: 2015-05-29 09:09:23 UTC
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>     track: yes
>     auto-renew: yes
>
> later I update the os to centos 6.6
>
> [root@be-ipasrv]# rpm -qa | grep ipa
> sssd-ipa-1.11.6-30.el6_6.4.x86_64
> ipa-admintools-3.0.0-42.el6.centos.x86_64
> ipa-python-3.0.0-42.el6.centos.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> libipa_hbac-python-1.11.6-30.el6_6.4.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-server-3.0.0-42.el6.centos.x86_64
> ipa-client-3.0.0-42.el6.centos.x86_64
> ipa-server-selinux-3.0.0-42.el6.centos.x86_64
> libipa_hbac-1.11.6-30.el6_6.4.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>
> I get same status of the last 3.
>
> Request ID '20130528090822':
>     status: CA_UNREACHABLE
>     ca-error: Server at https://example.de/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-DE',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-DE/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-DE',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=EXAMPLE.DE
>     subject: CN=example.de,O=EXAMPLE.DE
>     expires: 2015-05-29 09:08:22 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command:
>     track: yes
>     auto-renew: yes
>
> Request ID '20130528090849':
>     status: CA_UNREACHABLE
>     ca-error: Server at https://example.de/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=EXAMPLE.DE
>     subject: CN=example.de,O=EXAMPLE.DE
>     expires: 2015-05-29 09:08:49 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command:
>     track: yes
>     auto-renew: yes
>
> Request ID '20130528090923':
>     status: CA_UNREACHABLE
>     ca-error: Server at https://example.de/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=EXAMPLE.DE
>     subject: CN=example.de,O=EXAMPLE.DE
>     expires: 2015-05-29 09:09:23 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command:
>     track: yes
>     auto-renew: yes
>
> I read all the posts on the redhat archive and google. I cannot find a solution.
>
> Anybody know the issue?

I'd suggest starting with the apache error log, /var/log/httpd/errors. That should tell you what the Internal Error is.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
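
Added example, not part of the original thread and not certmonger or FreeIPA code: a small parser for `getcert list` output in the layout quoted above, reporting tracking requests that are not in MONITORING state or whose certificate is expired or close to expiry. The function names, the 28-day warning window and the sample text are assumptions made for this example; the sample is constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of `getcert list` output (IDs and names are made up).
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20990101000001':
    status: MONITORING
    stuck: no
    CA: dogtag-ipa-renew-agent
    expires: 2017-04-29 08:14:24 UTC
Request ID '20990101000002':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)).
    stuck: yes
    CA: IPA
    expires: 2015-05-29 09:08:22 UTC
"""

REQUEST = re.compile(r"^Request ID '([^']+)':")
FIELD = re.compile(r"^\s+([\w -]+):\s*(.*)$")  # key ends at the first colon

def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the field names in the output."""
    requests, current, last = [], None, None
    for line in text.splitlines():
        if (m := REQUEST.match(line)):
            current, last = {"id": m.group(1)}, None
            requests.append(current)
        elif current is not None and (m := FIELD.match(line)):
            last = m.group(1)
            current[last] = m.group(2).strip()
        elif current is not None and last and line.strip():
            current[last] += " " + line.strip()  # continuation of a wrapped value
    return requests

def needs_attention(text, now, warn=timedelta(days=28)):
    """List (id, status, expired, CA) for requests not MONITORING or expiring within `warn`."""
    findings = []
    for req in parse_getcert_list(text):
        raw = req.get("expires")
        exp = datetime.strptime(raw, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc) if raw else None
        if req.get("status") != "MONITORING" or exp is None or exp - now <= warn:
            findings.append((req["id"], req.get("status"), exp is not None and exp <= now, req.get("CA")))
    return findings

if __name__ == "__main__":
    for finding in needs_attention(SAMPLE, datetime(2015, 6, 4, tzinfo=timezone.utc)):
        print(finding)
```

Pass the real system time as `now`: after the clock has been set back for a renewal attempt, the local date no longer says which certificates are actually expired.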
