More updates; it turns out that there were some duplicate and expired certificates as well as incorrect trust attributes (e.g. seeing 2 instances of Server-Cert from certutil -L -d /etc/httpd/alias). So I deleted the duplicate cert, re-added the certificate with a valid date, and fixed the cert trust attributes along the way.

So it went from this:

[root@test ~]# certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
ipaCert                                                      u,u,u
sample.NET IPA CA                                            CT,C,C
ipaCert                                                      u,u,u
Signing-Cert                                                 u,u,u
Server-Cert                                                  u,u,u

to this:

[root@test ~]# certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
sample.NET IPA CA                                            CT,C,C
Signing-Cert                                                 u,u,u

I also re-tried the resubmit/restart processes, but unfortunately the error persists:

ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).

Currently I am in the process of recreating this problem on RHEL 6 to try to get RH support on this.

Thanks,
Anthony

On Wed, May 4, 2016 at 10:34 AM, Anthony Cheng <[email protected]> wrote:
> On Wed, May 4, 2016 at 9:07 AM, Rob Crittenden <[email protected]> wrote:
>> Anthony Cheng wrote:
>>>
>>> Small update, I found an article on the RH solution library
>>> (https://access.redhat.com/solutions/2020223) that has the same error
>>> code that I am getting and I followed the steps with certutil to update
>>> the cert attributes but it is still not working. The article is listed
>>> as "Solution in Progress".
>>>
>>> [root@test ~]# getcert list | more
>>>
>>> Number of certificates and requests being tracked: 7.
>>>
>>> Request ID '20111214223243':
>>>
>>> status: CA_UNREACHABLE
>>>
>>> ca-error: Server failed request, will retry: 4301 (RPC failed at
>>> server. Certificate operation cannot be completed: Unable to communicate
>>> with CMS (Not Found)).
>>
>>
>> Not Found means the CA didn't start. You need to examine the debug and
>> selftest logs to determine why.
>>
>> rob
>
> selftests.log is empty; there are entries for other times but not for
> the time when I set the clock to renew certs.
>
> [root@test pki-ca]# clock
> Fri 29 Jan 2016 08:19:54 AM UTC -0.960583 seconds
> [root@test pki-ca]#
> [root@test pki-ca]#
>
> [root@test pki-ca]# ll * | grep self
> -rw-r-----. 1 pkiuser pkiuser    0 Nov 23 14:11 selftests.log
> -rw-r-----. 1 pkiuser pkiuser 1206 Apr  7  2015 selftests.log.20150407143526
> -rw-r-----. 1 pkiuser pkiuser 3673 Jun 30  2015 selftests.log.20150630163924
> -rw-r-----. 1 pkiuser pkiuser 1217 Aug 31 20:07 selftests.log.20150831160735
> -rw-r-----. 1 pkiuser pkiuser 3798 Oct 24 14:12 selftests.log.20151024101159
>
> From debug log I see some error messages:
>
> [28/Jan/2016:21:09:03][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
> [28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException
> Certificate object not found
>         at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
>
> Full log:
>
> [28/Jan/2016:21:07:30][main]: CMSEngine.shutdown()
> [28/Jan/2016:21:09:02][main]: ============================================
> [28/Jan/2016:21:09:02][main]: =====  DEBUG SUBSYSTEM INITIALIZED  =======
> [28/Jan/2016:21:09:02][main]: ============================================
> [28/Jan/2016:21:09:02][main]: CMSEngine: done init id=debug
> [28/Jan/2016:21:09:02][main]: CMSEngine: initialized debug
> [28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=log
> [28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=log
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_STARTUP
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUDIT_LOG_SHUTDOWN
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: ROLE_ASSUME
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CERT_POLICY
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CERT_PROFILE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_CRL_PROFILE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_OCSP_PROFILE
> [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_AUTH > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_ROLE > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_ACL > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > CONFIG_SIGNED_AUDIT > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > CONFIG_ENCRYPTION > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > CONFIG_TRUSTED_PUBLIC_KEY > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CONFIG_DRM > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > SELFTESTS_EXECUTION > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > AUDIT_LOG_DELETE > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > LOG_PATH_CHANGE > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > PRIVATE_KEY_ARCHIVE_REQUEST > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > KEY_RECOVERY_REQUEST > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > KEY_RECOVERY_REQUEST_ASYNC > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > KEY_RECOVERY_AGENT_LOGIN > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > KEY_RECOVERY_REQUEST_PROCESSED > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > KEY_RECOVERY_REQUEST_PROCESSED_ASYNC > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > KEY_GEN_ASYMMETRIC > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > NON_PROFILE_CERT_REQUEST > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > 
PROFILE_CERT_REQUEST > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > CERT_REQUEST_PROCESSED > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > CERT_STATUS_CHANGE_REQUEST > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > CERT_STATUS_CHANGE_REQUEST_PROCESSED > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUTHZ_SUCCESS > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUTHZ_FAIL > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: INTER_BOUNDARY > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUTH_FAIL > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: AUTH_SUCCESS > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > CERT_PROFILE_APPROVAL > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > PROOF_OF_POSSESSION > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CRL_RETRIEVAL > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: CRL_VALIDATION > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > CMC_SIGNED_REQUEST_SIG_VERIFY > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > SERVER_SIDE_KEYGEN_REQUEST > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > COMPUTE_SESSION_KEY_REQUEST > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > DIVERSIFY_KEY_REQUEST > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS > 
[28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > ENCRYPT_DATA_REQUEST > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > OCSP_ADD_CA_REQUEST > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > OCSP_ADD_CA_REQUEST_PROCESSED > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > OCSP_REMOVE_CA_REQUEST > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > COMPUTE_RANDOM_DATA_REQUEST > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE > [28/Jan/2016:21:09:02][main]: LogFile: log event type selected: > CIMC_CERT_VERIFICATION > [28/Jan/2016:21:09:02][main]: CMSEngine: done init id=log > [28/Jan/2016:21:09:02][main]: CMSEngine: initialized log > [28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=os > [28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=os > [28/Jan/2016:21:09:02][main]: CMSEngine: done init id=os > [28/Jan/2016:21:09:02][main]: CMSEngine: initialized os > [28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=jss > [28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=jss > [28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl > cipher rsa_rc4_40_md5 > [28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl > cipher rsa_rc2_40_md5 > 
[28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl > cipher rsa_des_sha > [28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl > cipher rsa_rc4_128_md5 > [28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl > cipher rsa_3des_sha > [28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl > cipher rsa_fips_des_sha > [28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl > cipher rsa_fips_3des_sha > [28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl > cipher fortezza > [28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl > cipher fortezza_rc4_128_sha > [28/Jan/2016:21:09:02][main]: JSSSubsystem: initSSL(): setting ssl > cipher rsa_null_md5 > [28/Jan/2016:21:09:02][main]: CMSEngine: done init id=jss > [28/Jan/2016:21:09:02][main]: CMSEngine: initialized jss > [28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=dbs > [28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=dbs > [28/Jan/2016:21:09:02][main]: LdapBoundConnFactory: init > [28/Jan/2016:21:09:02][main]: LdapBoundConnFactory:doCloning true > [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init() > [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init begins > [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: prompt is Internal > LDAP Database > [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: try getting from memory > cache > [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: password not in memory > [28/Jan/2016:21:09:02][main]: LdapAuthInfo: getPasswordFromStore: try > to get it from password store > [28/Jan/2016:21:09:02][main]: CMSEngine: getPasswordStore(): password > store initialized before. > [28/Jan/2016:21:09:02][main]: CMSEngine: getPasswordStore(): password > store initialized. 
> [28/Jan/2016:21:09:02][main]: LdapAuthInfo: getPasswordFromStore: > about to get from passwored store: Internal LDAP Da > tabase > [28/Jan/2016:21:09:02][main]: LdapAuthInfo: getPasswordFromStore: > password store available > [28/Jan/2016:21:09:02][main]: LdapAuthInfo: getPasswordFromStore: > password for Internal LDAP Database not found, tryi > ng internaldb > [28/Jan/2016:21:09:02][main]: LdapAuthInfo: password ok: store in memory cache > [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init ends > [28/Jan/2016:21:09:02][main]: init: before makeConnection errorIfDown is true > [28/Jan/2016:21:09:02][main]: makeConnection: errorIfDown true > [28/Jan/2016:21:09:02][main]: Established LDAP connection using basic > authentication to host test.sample.net port 738 > 9 as cn=Directory Manager > [28/Jan/2016:21:09:02][main]: initializing with mininum 3 and maximum > 15 connections to host test.sample.net port 738 > 9, secure connection, false, authentication type 1 > [28/Jan/2016:21:09:02][main]: increasing minimum connections by 3 > [28/Jan/2016:21:09:02][main]: new total available connections 3 > [28/Jan/2016:21:09:02][main]: new number of connections 3 > [28/Jan/2016:21:09:02][main]: CMSEngine: done init id=dbs > [28/Jan/2016:21:09:02][main]: CMSEngine: initialized dbs > [28/Jan/2016:21:09:02][main]: CMSEngine: initSubsystem id=usrgrp > [28/Jan/2016:21:09:02][main]: CMSEngine: ready to init id=usrgrp > [28/Jan/2016:21:09:02][main]: LdapBoundConnFactory: init > [28/Jan/2016:21:09:02][main]: LdapBoundConnFactory:doCloning true > [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init() > [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init begins > [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: prompt is Internal > LDAP Database > [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: try getting from memory > cache > [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: got password from memory > [28/Jan/2016:21:09:02][main]: LdapAuthInfo: init: password found for prompt. 
> [28/Jan/2016:21:09:03][main]: LdapAuthInfo: password ok: store in memory cache > [28/Jan/2016:21:09:03][main]: LdapAuthInfo: init ends > [28/Jan/2016:21:09:03][main]: init: before makeConnection errorIfDown is false > [28/Jan/2016:21:09:03][main]: makeConnection: errorIfDown false > [28/Jan/2016:21:09:03][main]: Established LDAP connection using basic > authentication to host test.sample.net port 738 > 9 as cn=Directory Manager > [28/Jan/2016:21:09:03][main]: initializing with mininum 3 and maximum > 15 connections to host test.sample.net port 738 > 9, secure connection, false, authentication type 1 > [28/Jan/2016:21:09:03][main]: increasing minimum connections by 3 > [28/Jan/2016:21:09:03][main]: new total available connections 3 > [28/Jan/2016:21:09:03][main]: new number of connections 3 > [28/Jan/2016:21:09:03][main]: CMSEngine: done init id=usrgrp > [28/Jan/2016:21:09:03][main]: CMSEngine: initialized usrgrp > [28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=registry > [28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=registry > [28/Jan/2016:21:09:03][main]: RegistrySubsystem: start init > [28/Jan/2016:21:09:03][main]: added plugin profileOutput > pkcs7OutputImpl PKCS7 Output PKCS7 Output com.netscape.cms.p > rofile.output.PKCS7Output > [28/Jan/2016:21:09:03][main]: added plugin profileOutput > cmmfOutputImpl CMMF Response Output CMMF Response Output com > .netscape.cms.profile.output.CMMFOutput > [28/Jan/2016:21:09:03][main]: added plugin profileOutput > certOutputImpl Certificate Output Certificate Output com.net > scape.cms.profile.output.CertOutput > [28/Jan/2016:21:09:03][main]: added plugin profileOutput > nsNKeyOutputImpl nsNKeyOutputImpl nsNKeyOutputImpl com.netsc > ape.cms.profile.output.nsNKeyOutput > [28/Jan/2016:21:09:03][main]: added plugin profileInput > submitterInfoInputImpl Submitter Information Input Submitter > Information Input com.netscape.cms.profile.input.SubmitterInfoInput > [28/Jan/2016:21:09:03][main]: added plugin 
profileInput > serialNumRenewInputImpl Certificate Renewal Request Serial Nu > mber Input Certificate Renewal Request Serial Number Input > com.netscape.cms.profile.input.SerialNumRenewInput > [28/Jan/2016:21:09:03][main]: added plugin profileInput > dualKeyGenInputImpl Dual Key Generation Input Dual Key Genera > tion Input com.netscape.cms.profile.input.DualKeyGenInput > [28/Jan/2016:21:09:03][main]: added plugin profileInput > nsNKeyCertReqInputImpl nsNKeyCertReqInputImpl nsNKeyCertReqIn > putImpl com.netscape.cms.profile.input.nsNKeyCertReqInput > [28/Jan/2016:21:09:03][main]: added plugin profileInput > fileSigningInputImpl File Signing Input File Signing Input co > m.netscape.cms.profile.input.FileSigningInput > [28/Jan/2016:21:09:03][main]: added plugin profileInput > certReqInputImpl Certificate Request Input Certificate Reques > t Input com.netscape.cms.profile.input.CertReqInput > [28/Jan/2016:21:09:03][main]: added plugin profileInput > cmcCertReqInputImpl CMC Certificate Request Input CMC Certifi > cate Request Input com.netscape.cms.profile.input.CMCCertReqInput > [28/Jan/2016:21:09:03][main]: added plugin profileInput > nsHKeyCertReqInputImpl nsHKeyCertReqInputImpl nsHKeyCertReqIn > putImpl com.netscape.cms.profile.input.nsHKeyCertReqInput > [28/Jan/2016:21:09:03][main]: added plugin profileInput > subjectDNInputImpl Subject DN Input Subject DN Input com.nets > cape.cms.profile.input.SubjectDNInput > [28/Jan/2016:21:09:03][main]: added plugin profileInput > keyGenInputImpl Key Generation Input Key Generation Input com > .netscape.cms.profile.input.KeyGenInput > [28/Jan/2016:21:09:03][main]: added plugin profileInput > genericInputImpl Generic Input Generic Input com.netscape.cms > .profile.input.GenericInput > [28/Jan/2016:21:09:03][main]: added plugin profileInput imageInputImpl > Image Input Image Input com.netscape.cms.profi > le.input.ImageInput > [28/Jan/2016:21:09:03][main]: added plugin profileInput > subjectNameInputImpl Subject Name Input 
Subject Name Input co > m.netscape.cms.profile.input.SubjectNameInput > [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy > basicConstraintsExtConstraintImpl Basic Constraints Exten > sion Constraint Basic Constraints Extension Constraint > com.netscape.cms.profile.constraint.BasicConstraintsExtConstra > int > [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy > noConstraintImpl No Constraint No Constraint com.netscape > .cms.profile.constraint.NoConstraint > [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy > signingAlgConstraintImpl Signing Algorithm Constraint Sig > ning Algorithm Constraint > com.netscape.cms.profile.constraint.SigningAlgConstraint > [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy > extendedKeyUsageExtConstraintImpl Extended Key Usage Exte > nsion Constraint Extended Key Usage Extension Constraint > com.netscape.cms.profile.constraint.ExtendedKeyUsageExtConst > raint > [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy > extensionConstraintImpl Extension Constraint Extension Co > nstraint com.netscape.cms.profile.constraint.ExtensionConstraint > [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy > subjectNameConstraintImpl Subject Name Constraint Subject > Name Constraint com.netscape.cms.profile.constraint.SubjectNameConstraint > [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy > uniqueSubjectNameConstraintImpl Unique Subject Name Const > raint Unique Subject Name Constraint > com.netscape.cms.profile.constraint.UniqueSubjectNameConstraint > [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy > keyUsageExtConstraintImpl Key Usage Extension Constraint > Key Usage Extension Constraint > com.netscape.cms.profile.constraint.KeyUsageExtConstraint > [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy > renewGracePeriodConstraintImpl Renewal Grace Period Const > raint Renewal Grace Period Constraint > com.netscape.cms.profile.constraint.RenewGracePeriodConstraint > 
[28/Jan/2016:21:09:03][main]: added plugin constraintPolicy > keyConstraintImpl Key Constraint Key Constraint com.netsc > ape.cms.profile.constraint.KeyConstraint > [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy > nsCertTypeExtConstraintImpl Netscape Certificate Type Ext > ension Constraint Netscape Certificate Type Extension Constraint > com.netscape.cms.profile.constraint.NSCertTypeExtCon > straint > [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy > validityConstraintImpl Validity Constraint Validity Const > raint com.netscape.cms.profile.constraint.ValidityConstraint > [28/Jan/2016:21:09:03][main]: added plugin constraintPolicy > uniqueKeyConstraintImpl Unique Public Key Constraint Uniq > ue Public Key Constraint > com.netscape.cms.profile.constraint.UniqueKeyConstraint > [28/Jan/2016:21:09:03][main]: added plugin profile caEnrollImpl > Generic Certificate Enrollment Profile Certificate Au > thority Generic Certificate Enrollment Profile > com.netscape.cms.profile.common.CAEnrollProfile > [28/Jan/2016:21:09:03][main]: added plugin profile > caUserCertEnrollImpl User Certificate Enrollment Profile Certifica > te Authority User Certificate Enrollment Profile > com.netscape.cms.profile.common.UserCertCAEnrollProfile > [28/Jan/2016:21:09:03][main]: added plugin profile > caServerCertEnrollImpl Server Certificate Enrollment Profile Certi > ficate Authority Server Certificate Enrollment Profile > com.netscape.cms.profile.common.ServerCertCAEnrollProfile > [28/Jan/2016:21:09:03][main]: added plugin profile caCACertEnrollImpl > CA Certificate Enrollment Profile Certificate A > uthority CA Certificate Enrollment Profile > com.netscape.cms.profile.common.CACertCAEnrollProfile > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > userKeyDefaultImpl User Supplied Key Default User Supplied K > ey Default com.netscape.cms.profile.def.UserKeyDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > freshestCRLExtDefaultImpl Freshest 
CRL Extension Default Fre > shest CRL Extension Default com.netscape.cms.profile.def.FreshestCRLExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > authInfoAccessExtDefaultImpl Authority Info Access Extension > Default Authority Info Access Extension Default > com.netscape.cms.profile.def.AuthInfoAccessExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > nsTokenUserKeySubjectNameDefaultImpl nsTokenUserKeySubjectNa > meDefault nsTokenUserKeySubjectNameDefaultImpl > com.netscape.cms.profile.def.nsTokenUserKeySubjectNameDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > genericExtDefaultImpl Generic Extension Generic Extension co > m.netscape.cms.profile.def.GenericExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > authorityKeyIdentifierExtDefaultImpl Authority Key Identifie > r Extension Default Authority Key Identifier Extension Default > com.netscape.cms.profile.def.AuthorityKeyIdentifierExt > Default > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > issuerAltNameExtDefaultImpl Issuer Alternative Name Extensio > n Default Issuer Alternative Name Extension Default > com.netscape.cms.profile.def.IssuerAltNameExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > basicConstraintsExtDefaultImpl Basic Constraints Extension D > efault Basic Constraints Extension Default > com.netscape.cms.profile.def.BasicConstraintsExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > keyUsageExtDefaultImpl Key Usage Extension Default Key Usage > Extension Default com.netscape.cms.profile.def.KeyUsageExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > ocspNoCheckExtDefaultImpl OCSP No Check Extension Default OC > SP No Check Extension Default > com.netscape.cms.profile.def.OCSPNoCheckExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > subjectAltNameExtDefaultImpl Subject Alternative Name Extens > ion Default Subject 
Alternative Name Extension Default > com.netscape.cms.profile.def.SubjectAltNameExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > userValidityDefaultImpl User Supplied Validity Default User > Supplied Validity Default com.netscape.cms.profile.def.UserValidityDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > userSubjectNameDefaultImpl User Supplied Subject Name Defaul > t User Supplied Subject Name Default > com.netscape.cms.profile.def.UserSubjectNameDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > subjectDirAttributesExtDefaultImpl Subject Directory Attribu > tes Extension Default Subject Directory Attributes Extension Default > com.netscape.cms.profile.def.SubjectDirAttribute > sExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > certificateVersionDefaultImpl Certificate Version Default Ce > rtificate Version Default > com.netscape.cms.profile.def.CertificateVersionDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > extendedKeyUsageExtDefaultImpl Extended Key Usage Extension > Default Extended Key Usage Extension Default > com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > policyConstraintsExtDefaultImpl Policy Constraints Extension > Default Policy Constraints Extension Default > com.netscape.cms.profile.def.PolicyConstraintsExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > crlDistributionPointsExtDefaultImpl CRL Distribution Points > Extension Default CRL Distribution Points Extension Default > com.netscape.cms.profile.def.CRLDistributionPointsExtDefa > ult > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > certificatePoliciesExtDefaultImpl Certificate Policies Exten > sion Default Certificate Policies Extension Default > com.netscape.cms.profile.def.CertificatePoliciesExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > validityDefaultImpl Validity 
Default Validty Default com.net > scape.cms.profile.def.ValidityDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > privateKeyPeriodExtDefaultImpl Private Key Period Ext Defaul > t Private Key Period Ext Default > com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy noDefaultImpl > No Default No Default com.netscape.cms.profile > .def.NoDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > imageDefaultImpl Image Default Image Default com.netscape.cm > s.profile.def.ImageDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > subjectInfoAccessExtDefaultImpl Subject Info Access Extensio > n Default Subject Info Access Extension Default > com.netscape.cms.profile.def.SubjectInfoAccessExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > autoAssignDefaultImpl Auto Request Assignment Default Auto R > equest Assignment Default com.netscape.cms.profile.def.AutoAssignDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > policyMappingsExtDefaultImpl Policy Mappings Extension Defau > lt Policy Mappings Extension Default > com.netscape.cms.profile.def.PolicyMappingsExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > caValidityDefaultImpl CA Certificate Validity Default CA Cer > tificate Validty Default com.netscape.cms.profile.def.CAValidityDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > userExtensionDefaultImpl User Supplied Extension Default Use > r Supplied Extension Default com.netscape.cms.profile.def.UserExtensionDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > nsCertTypeExtDefaultImpl Netscape Certificate Type Extension > Default Netscape Certificate Type Extension Default > com.netscape.cms.profile.def.NSCertTypeExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > authTokenSubjectNameDefaultImpl Token Supplied Subject Name > Default Token Supplied 
Subject Name Default > com.netscape.cms.profile.def.AuthTokenSubjectNameDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > subjectNameDefaultImpl Subject Name Default Subject Name Def > ault com.netscape.cms.profile.def.SubjectNameDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > userSigningAlgDefaultImpl User Supplied Signing Alg Default > User Supplied Signing Alg Default > com.netscape.cms.profile.def.UserSigningAlgDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > subjectKeyIdentifierExtDefaultImpl Subject Key Identifier De > fault Subject Key Identifier Default > com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy Extension > Default Inhibit Any-Policy Extension Default > com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > nsTokenDeviceKeySubjectNameDefaultImpl nsTokenDeviceKeySubje > ctNameDefault nsTokenDeviceKeySubjectNameDefaultImpl > com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > nscCommentExtDefaultImpl Netscape Comment Extension Default > Netscape Comment Extension Default > com.netscape.cms.profile.def.NSCCommentExtDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > signingAlgDefaultImpl Signing Algorithm Default Signing Algo > rithm Default com.netscape.cms.profile.def.SigningAlgDefault > [28/Jan/2016:21:09:03][main]: added plugin defaultPolicy > nameConstraintsExtDefaultImpl Name Constraints Extension Def > ault Name Constraints Extension Default > com.netscape.cms.profile.def.NameConstraintsExtDefault > [28/Jan/2016:21:09:03][main]: added plugin profileUpdater > subsystemGroupUpdaterImpl Updater for Subsystem Group Updat > er for Subsystem Group com.netscape.cms.profile.updater.SubsystemGroupUpdater > 
> [28/Jan/2016:21:09:03][main]: CMSEngine: done init id=registry
> [28/Jan/2016:21:09:03][main]: CMSEngine: initialized registry
> [28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=oidmap
> [28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=oidmap
> [28/Jan/2016:21:09:03][main]: CMSEngine: done init id=oidmap
> [28/Jan/2016:21:09:03][main]: CMSEngine: initialized oidmap
> [28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=X500Name
> [28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=X500Name
> [28/Jan/2016:21:09:03][main]: CMSEngine: done init id=X500Name
> [28/Jan/2016:21:09:03][main]: CMSEngine: initialized X500Name
> [28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=request
> [28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=request
> [28/Jan/2016:21:09:03][main]: CMSEngine: done init id=request
> [28/Jan/2016:21:09:03][main]: CMSEngine: initialized request
> [28/Jan/2016:21:09:03][main]: CMSEngine: initSubsystem id=ca
> [28/Jan/2016:21:09:03][main]: CMSEngine: ready to init id=ca
> [28/Jan/2016:21:09:03][main]: CertificateAuthority init
> [28/Jan/2016:21:09:03][main]: Cert Repot inited
> [28/Jan/2016:21:09:03][main]: CRL Repot inited
> [28/Jan/2016:21:09:03][main]: Replica Repot inited
> [28/Jan/2016:21:09:03][main]: ca.signing Signing Unit nickname caSigningCert cert-pki-ca
> [28/Jan/2016:21:09:03][main]: Got token Internal Key Storage Token by name
> [28/Jan/2016:21:09:03][main]: Found cert by nickname: 'caSigningCert cert-pki-ca' with serial number: 1
> [28/Jan/2016:21:09:03][main]: converted to x509CertImpl
> [28/Jan/2016:21:09:03][main]: Got private key from cert
> [28/Jan/2016:21:09:03][main]: Got public key from cert
> [28/Jan/2016:21:09:03][main]: got signing algorithm RSASignatureWithSHA256Digest
> [28/Jan/2016:21:09:03][main]: CA signing unit inited
> [28/Jan/2016:21:09:03][main]: cachainNum= 0
> [28/Jan/2016:21:09:03][main]: in init - got CA chain from JSS.
> [28/Jan/2016:21:09:03][main]: ca.ocsp_signing Signing Unit nickname ca.ocsp_signing.cert
> [28/Jan/2016:21:09:03][main]: Got token Internal Key Storage Token by name
> [28/Jan/2016:21:09:03][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
> [28/Jan/2016:21:09:03][main]: CMS:Caught EBaseException
> Certificate object not found
>         at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
>         at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1204)
>         at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
>         at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
>         at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
>         at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
>         at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
>         at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
>         at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
>         at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
>         at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
>         at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
>         at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
>         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
>         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
>         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
>         at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
>         at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
>         at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
>         at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
>         at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
>         at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
>         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
>         at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
>         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
>         at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
>         at org.apache.catalina.core.StandardService.start(StandardService.java:516)
>         at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
>         at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:616)
>         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
> [28/Jan/2016:21:09:03][main]: CMSEngine.shutdown()
> [28/Jan/2016:21:14:02][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
> [28/Jan/2016:21:14:02][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
> [28/Jan/2016:21:19:02][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
> [28/Jan/2016:21:19:02][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
>
>>
>>>         stuck: yes
>>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-SAMPLE-NET//pwdfile.txt'
>>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-SAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB'
>>>         CA: IPA
>>>         issuer: CN=Certificate Authority,O=SAMPLE.NET
>>>         subject: CN=caer.SAMPLE.net,O=SAMPLE.NET
>>>         expires: 2016-01-29 14:09:46 UTC
>>>         eku: id-kp-serverAuth
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>>
>>> On Mon, May 2, 2016 at 5:35 PM Anthony Cheng <[email protected]> wrote:
>>>
>>> On Mon, May 2, 2016 at 9:54 AM Rob Crittenden <[email protected]> wrote:
>>>
>>> Anthony Cheng wrote:
>>> > On Sat, Apr 30, 2016 at 10:08 AM Rob Crittenden <[email protected]> wrote:
>>> >
>>> > Anthony Cheng wrote:
>>> > > OK so I made progress on my cert renew issue; I was able to get kinit
>>> > > working so I can follow the rest of the steps here
>>> > > (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
>>> > >
>>> > > However, after using
>>> > >
>>> > > ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password
>>> > >
>>> > > and restarting apache (/sbin/service httpd restart), resubmitting 3
>>> > > certs (ipa-getcert resubmit -i <ID>) and restarting IPA (resubmit -i <ID>)
>>> > > (/sbin/service ipa restart), I still see:
>>> > >
>>> > > [root@test ~]# ipa-getcert list | more
>>> > > Number of certificates and requests being tracked: 8.
>>> > > Request ID '20111214223243':
>>> > >         status: CA_UNREACHABLE
>>> > >         ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>>> >
>>> > IPA proxies requests to the CA through Apache. This means that while
>>> > tomcat started ok it didn't load the dogtag CA application, hence the
>>> > Not Found.
>>> >
>>> > Check the CA debug and selftest logs to see why it failed to start
>>> > properly.
>>> >
>>> > [ snip ]
>>> >
>>> > Actually after a reboot that error went away and I just get this error
>>> > instead "ca-error: Server failed request, will retry: -504 (libcurl
>>> > failed to execute the HTTP POST transaction. Peer certificate cannot be
>>> > authenticated with known CA certificates)." from "getcert list"
>>> >
>>> > Result of service ipa restart is interesting since it shows today's time
>>> > when I already changed date/time/disabled NTP, so somehow the system still
>>> > knows today's time.
>>> >
>>> > PKI-IPA...[02/May/2016:13:26:10 +0000] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
>>>
>>> Hard to say. I'd confirm that there is no time syncing service running,
>>> ntp or otherwise.
>>>
>>> I found out why the time kept changing; it was due to the fact that
>>> it has VM tools installed (I didn't configure this box) so it
>>> automatically syncs time during bootup.
>>>
>>> I did still see this error message:
>>>
>>> ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found))
>>>
>>> I tried the step from http://www.freeipa.org/page/Troubleshooting with
>>>
>>> certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt
>>> openssl x509 -text -in /tmp/ra.crt
>>> certutil -A -n ipaCert -d /etc/httpd/alias -t u,u,u -a -i /tmp/ra.crt
>>> service httpd restart
>>>
>>> so that I can get rid of one of the CA certs that is expired (kept
>>> the 1st one) but still getting the same error.
>>>
>>> What exactly is CMS and why is it not found?
>>>
>>> I did notice that the selftest log is empty with a different time:
>>>
>>> -rw-r-----. 1 pkiuser pkiuser 0 Nov 23 14:11 /var/log/pki-ca/selftests.log
>>>
>>> [root@test ~]# clock
>>> Wed 27 Jan 2016 03:33:00 PM UTC  -0.046800 seconds
>>>
>>> Here is some debug log after reboot:
>>>
>>> [root@test pki-ca]# tail -n 100 catalina.out
>>> INFO: JK: ajp13 listening on /0.0.0.0:9447
>>> Jan 27, 2016 2:45:31 PM org.apache.jk.server.JkMain start
>>> INFO: Jk running ID=0 time=1/23config=null
>>> Jan 27, 2016 2:45:31 PM org.apache.catalina.startup.Catalina start
>>> INFO: Server startup in 1722 ms
>>> Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>>> INFO: Pausing Coyote HTTP/1.1 on http-9180
>>> Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>>> INFO: Pausing Coyote HTTP/1.1 on http-9443
>>> Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>>> INFO: Pausing Coyote HTTP/1.1 on http-9445
>>> Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>>> INFO: Pausing Coyote HTTP/1.1 on http-9444
>>> Jan 27, 2016 2:56:21 PM org.apache.coyote.http11.Http11Protocol pause
>>> INFO: Pausing Coyote HTTP/1.1 on http-9446
>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.core.StandardService stop
>>> INFO: Stopping service Catalina
>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>>> SEVERE: A web application appears to have started a thread named [Timer-0] but has failed to stop it. This is very likely to create a memory leak.
>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>>> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.flush-4] but has failed to stop it. This is very likely to create a memory leak.
>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>>> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/signedAudit/ca_audit.rollover-6] but has failed to stop it. This is very likely to create a memory leak.
>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>>> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.flush-6] but has failed to stop it. This is very likely to create a memory leak.
>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>>> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/system.rollover-8] but has failed to stop it. This is very likely to create a memory leak.
>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>>> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.flush-9] but has failed to stop it. This is very likely to create a memory leak.
>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>>> SEVERE: A web application appears to have started a thread named [/var/lib/pki-ca/logs/transactions.rollover-10] but has failed to stop it. This is very likely to create a memory leak.
>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>>> SEVERE: A web application appears to have started a thread named [LDAPConnThread-2 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>>> SEVERE: A web application appears to have started a thread named [LDAPConnThread-3 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
>>> SEVERE: A web application appears to have started a thread named [LDAPConnThread-4 ldap://test.sample.net:7389] but has failed to stop it. This is very likely to create a memory leak.
>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
>>> SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1@228b677f]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
>>> Jan 27, 2016 2:56:22 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
>>> SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1@228b677f]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
>>> Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
>>> INFO: Stopping Coyote HTTP/1.1 on http-9180
>>> Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
>>> INFO: Stopping Coyote HTTP/1.1 on http-9443
>>> Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
>>> INFO: Stopping Coyote HTTP/1.1 on http-9445
>>> Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
>>> INFO: Stopping Coyote HTTP/1.1 on http-9444
>>> Jan 27, 2016 2:56:22 PM org.apache.coyote.http11.Http11Protocol destroy
>>> INFO: Stopping Coyote HTTP/1.1 on http-9446
>>> Jan 27, 2016 2:57:36 PM org.apache.catalina.core.AprLifecycleListener init
>>> INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
>>> Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>>> INFO: Initializing Coyote HTTP/1.1 on http-9180
>>> Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>>> Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>>> Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>>> INFO: Initializing Coyote HTTP/1.1 on http-9443
>>> Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>>> Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>>> Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>>> INFO: Initializing Coyote HTTP/1.1 on http-9445
>>> Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>>> Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>>> Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>>> INFO: Initializing Coyote HTTP/1.1 on http-9444
>>> Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>>> Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
>>> Jan 27, 2016 2:57:37 PM org.apache.coyote.http11.Http11Protocol init
>>> INFO: Initializing Coyote HTTP/1.1 on http-9446
>>> Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.Catalina load
>>> INFO: Initialization processed in 2198 ms
>>> Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardService start
>>> INFO: Starting service Catalina
>>> Jan 27, 2016 2:57:37 PM org.apache.catalina.core.StandardEngine start
>>> INFO: Starting Servlet Engine: Apache Tomcat/6.0.24
>>> Jan 27, 2016 2:57:37 PM org.apache.catalina.startup.HostConfig deployDirectory
>>> INFO: Deploying web application directory ROOT
>>> Jan 27, 2016 2:57:38 PM org.apache.catalina.startup.HostConfig deployDirectory
>>> INFO: Deploying web application directory ca
>>> 64-bit osutil library loaded
>>> 64-bit osutil library loaded
>>> Certificate object not found
>>> Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>>> INFO: Starting Coyote HTTP/1.1 on http-9180
>>> Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>>> INFO: Starting Coyote HTTP/1.1 on http-9443
>>> Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>>> INFO: Starting Coyote HTTP/1.1 on http-9445
>>> Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>>> INFO: Starting Coyote HTTP/1.1 on http-9444
>>> Jan 27, 2016 2:57:40 PM org.apache.coyote.http11.Http11Protocol start
>>> INFO: Starting Coyote HTTP/1.1 on http-9446
>>> Jan 27, 2016 2:57:40 PM org.apache.jk.common.ChannelSocket init
>>> INFO: JK: ajp13 listening on /0.0.0.0:9447
>>> Jan 27, 2016 2:57:40 PM org.apache.jk.server.JkMain start
>>> INFO: Jk running ID=0 time=0/40config=null
>>> Jan 27, 2016 2:57:40 PM org.apache.catalina.startup.Catalina start
>>> INFO: Server startup in 2592 ms
>>>
>>> [root@test pki-ca]# tail -n 100 debug
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectAltNameExtDefaultImpl Subject Alternative Name Extension Default Subject Alternative Name Extension Default com.netscape.cms.profile.def.SubjectAltNameExtDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userValidityDefaultImpl User Supplied Validity Default User Supplied Validity Default com.netscape.cms.profile.def.UserValidityDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userSubjectNameDefaultImpl User Supplied Subject Name Default User Supplied Subject Name Default com.netscape.cms.profile.def.UserSubjectNameDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectDirAttributesExtDefaultImpl Subject Directory Attributes Extension Default Subject Directory Attributes Extension Default com.netscape.cms.profile.def.SubjectDirAttributesExtDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy certificateVersionDefaultImpl Certificate Version Default Certificate Version Default com.netscape.cms.profile.def.CertificateVersionDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy extendedKeyUsageExtDefaultImpl Extended Key Usage Extension Default Extended Key Usage Extension Default com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy policyConstraintsExtDefaultImpl Policy Constraints Extension Default Policy Constraints Extension Default com.netscape.cms.profile.def.PolicyConstraintsExtDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy crlDistributionPointsExtDefaultImpl CRL Distribution Points Extension Default CRL Distribution Points Extension Default com.netscape.cms.profile.def.CRLDistributionPointsExtDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy certificatePoliciesExtDefaultImpl Certificate Policies Extension Default Certificate Policies Extension Default com.netscape.cms.profile.def.CertificatePoliciesExtDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy validityDefaultImpl Validity Default Validty Default com.netscape.cms.profile.def.ValidityDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy privateKeyPeriodExtDefaultImpl Private Key Period Ext Default Private Key Period Ext Default com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy noDefaultImpl No Default No Default com.netscape.cms.profile.def.NoDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy imageDefaultImpl Image Default Image Default com.netscape.cms.profile.def.ImageDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectInfoAccessExtDefaultImpl Subject Info Access Extension Default Subject Info Access Extension Default com.netscape.cms.profile.def.SubjectInfoAccessExtDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy autoAssignDefaultImpl Auto Request Assignment Default Auto Request Assignment Default com.netscape.cms.profile.def.AutoAssignDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy policyMappingsExtDefaultImpl Policy Mappings Extension Default Policy Mappings Extension Default com.netscape.cms.profile.def.PolicyMappingsExtDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy caValidityDefaultImpl CA Certificate Validity Default CA Certificate Validty Default com.netscape.cms.profile.def.CAValidityDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userExtensionDefaultImpl User Supplied Extension Default User Supplied Extension Default com.netscape.cms.profile.def.UserExtensionDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nsCertTypeExtDefaultImpl Netscape Certificate Type Extension Default Netscape Certificate Type Extension Default com.netscape.cms.profile.def.NSCertTypeExtDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy authTokenSubjectNameDefaultImpl Token Supplied Subject Name Default Token Supplied Subject Name Default com.netscape.cms.profile.def.AuthTokenSubjectNameDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectNameDefaultImpl Subject Name Default Subject Name Default com.netscape.cms.profile.def.SubjectNameDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy userSigningAlgDefaultImpl User Supplied Signing Alg Default User Supplied Signing Alg Default com.netscape.cms.profile.def.UserSigningAlgDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy subjectKeyIdentifierExtDefaultImpl Subject Key Identifier Default Subject Key Identifier Default com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy Extension Default Inhibit Any-Policy Extension Default com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nsTokenDeviceKeySubjectNameDefaultImpl nsTokenDeviceKeySubjectNameDefault nsTokenDeviceKeySubjectNameDefaultImpl com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nscCommentExtDefaultImpl Netscape Comment Extension Default Netscape Comment Extension Default com.netscape.cms.profile.def.NSCCommentExtDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy signingAlgDefaultImpl Signing Algorithm Default Signing Algorithm Default com.netscape.cms.profile.def.SigningAlgDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin defaultPolicy nameConstraintsExtDefaultImpl Name Constraints Extension Default Name Constraints Extension Default com.netscape.cms.profile.def.NameConstraintsExtDefault
>>> [27/Jan/2016:15:30:43][main]: added plugin profileUpdater subsystemGroupUpdaterImpl Updater for Subsystem Group Updater for Subsystem Group com.netscape.cms.profile.updater.SubsystemGroupUpdater
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=registry
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: initialized registry
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=oidmap
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=oidmap
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=oidmap
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: initialized oidmap
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=X500Name
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=X500Name
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=X500Name
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: initialized X500Name
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=request
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=request
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: done init id=request
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: initialized request
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: initSubsystem id=ca
>>> [27/Jan/2016:15:30:43][main]: CMSEngine: ready to init id=ca
>>> [27/Jan/2016:15:30:43][main]: CertificateAuthority init
>>> [27/Jan/2016:15:30:43][main]: Cert Repot inited
>>> [27/Jan/2016:15:30:43][main]: CRL Repot inited
>>> [27/Jan/2016:15:30:43][main]: Replica Repot inited
>>> [27/Jan/2016:15:30:43][main]: ca.signing Signing Unit nickname caSigningCert cert-pki-ca
>>> [27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name
>>> [27/Jan/2016:15:30:43][main]: Found cert by nickname: 'caSigningCert cert-pki-ca' with serial number: 1
>>> [27/Jan/2016:15:30:43][main]: converted to x509CertImpl
>>> [27/Jan/2016:15:30:43][main]: Got private key from cert
>>> [27/Jan/2016:15:30:43][main]: Got public key from cert
>>> [27/Jan/2016:15:30:43][main]: got signing algorithm RSASignatureWithSHA256Digest
>>> [27/Jan/2016:15:30:43][main]: CA signing unit inited
>>> [27/Jan/2016:15:30:43][main]: cachainNum= 0
>>> [27/Jan/2016:15:30:43][main]: in init - got CA chain from JSS.
>>> [27/Jan/2016:15:30:43][main]: ca.ocsp_signing Signing Unit nickname ca.ocsp_signing.cert
>>> [27/Jan/2016:15:30:43][main]: Got token Internal Key Storage Token by name
>>> [27/Jan/2016:15:30:43][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException
>>> [27/Jan/2016:15:30:43][main]: CMS:Caught EBaseException
>>> Certificate object not found
>>>         at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
>>>         at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1204)
>>>         at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
>>>         at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
>>>         at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
>>>         at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
>>>         at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
>>>         at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
>>>         at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
>>>         at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
>>>         at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
>>>         at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
>>>         at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
>>>         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
>>>         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
>>>         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
>>>         at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
>>>         at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
>>>         at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
>>>         at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
>>>         at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
>>>         at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
>>>         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
>>>         at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
>>>         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
>>>         at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
>>>         at org.apache.catalina.core.StandardService.start(StandardService.java:516)
>>>         at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
>>>         at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>         at java.lang.reflect.Method.invoke(Method.java:616)
>>>         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>>>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
>>> [27/Jan/2016:15:30:43][main]: CMSEngine.shutdown()
>>>
>>> >
>>> > > Would really greatly appreciate any help on this.
>>> > >
>>> > > Also I noticed after I do ldapmodify of usercertificate binary data with
>>> > >
>>> > > add: usercertificate;binary
>>> > > usercertificate;binary: !@#$@!#$#@$
>>> >
>>> > You really pasted in binary? Or was this base64-encoded data?
>>> >
>>> > I wonder if there is a problem in the wiki. If this is really a binary
>>> > value you should start with a DER-encoded cert and load it using
>>> > something like:
>>> >
>>> > dn: uid=ipara,ou=people,o=ipaca
>>> > changetype: modify
>>> > add: usercertificate;binary
>>> > usercertificate;binary:< file:///path/to/cert.der
>>> >
>>> > You can use something like openssl x509 to switch between PEM and DER
>>> > formats.
>>> >
>>> > I have a vague memory that dogtag can deal with a multi-valued
>>> > usercertificate attribute.
>>> >
>>> > rob
>>> >
>>> > Yes the wiki stated binary, the result of:
>>> >
>>> > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -b uid=ipara,ou=People,o=ipaca -W
>>> >
>>> > shows userCertificate;binary:: GJ6Q0NBbGVnQXd ...
>>> >
>>> > But the actual data is from a PEM though.
>>>
>>> Ok. So I looked at my CA data and it doesn't use the binary subtype, so
>>> my entries look like:
>>>
>>> userCertificate:: MIID....
>>>
>>> It might make a difference if dogtag is looking for the subtype or not.
>>>
>>> rob
>>>
>>> > >
>>> > > Then I re-run
>>> > >
>>> > > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca
>>> > >
>>> > > I see 2 entries for usercertificate;binary (before modify there was only
>>> > > 1) but they are duplicate and NOT from data that I added. That seems
>>> > > incorrect to me.
>>> > >
>>> > > On Thu, Apr 28, 2016 at 9:20 AM Anthony Cheng <[email protected]> wrote:
>>> > >
>>> > > klist is actually empty; kinit admin fails. Sounds like then
>>> > > getcert resubmit has a dependency on kerberos. I can get a backup
>>> > > image that has a valid ticket but it is only good for 1 day (and
>>> > > dated past the cert expiration).
>>> > >
>>> > > Also I had asked awhile back about whether there is a dependency on
>>> > > DIRSRV to renew the cert; didn't get any response but I suspect
>>> > > there is a dependency.
>>> > >
>>> > > Regarding the clock skew, I found out from /var/log/messages that
>>> > > shows me this so it may be from named:
>>> > >
>>> > > Jan 28 14:10:42 test named[2911]: Failed to init credentials (Clock skew too great)
>>> > > Jan 28 14:10:42 test named[2911]: loading configuration: failure
>>> > > Jan 28 14:10:42 test named[2911]: exiting (due to fatal error)
>>> > > Jan 28 14:10:44 test ns-slapd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found)
>>> > >
>>> > > I don't have a krb5cc_496 file (since klist is empty), so it sounds to
>>> > > me I need to get a kerberos ticket before going any further. Also
>>> > > is the file /etc/krb5.keytab access/modification time important? I
>>> > > had changed time back to before the cert expiration date and rebooted
>>> > > and tried to renew but the error message about clock skew is still
>>> > > there. That seems strange.
>>> > >
>>> > > Lastly, as an absolute last resort, can I regenerate a new cert myself?
>>> > > >>> > >>> >>> https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html >>> > > >>> > > [root@test /]# klist >>> > > klist: No credentials cache found (ticket cache >>> > FILE:/tmp/krb5cc_0) >>> > > [root@test /]# service ipa start >>> > > Starting Directory Service >>> > > Starting dirsrv: >>> > > PKI-IPA... >>> > [ OK ] >>> > > sample-NET... >>> > [ OK ] >>> > > Starting KDC Service >>> > > Starting Kerberos 5 KDC: >>> [ >>> > OK ] >>> > > Starting KPASSWD Service >>> > > Starting Kerberos 5 Admin Server: >>> [ >>> > OK ] >>> > > Starting DNS Service >>> > > Starting named: >>> > [FAILED] >>> > > Failed to start DNS Service >>> > > Shutting down >>> > > Stopping Kerberos 5 KDC: >>> [ >>> > OK ] >>> > > Stopping Kerberos 5 Admin Server: >>> [ >>> > OK ] >>> > > Stopping named: >>> [ >>> > OK ] >>> > > Stopping httpd: >>> [ >>> > OK ] >>> > > Stopping pki-ca: >>> [ >>> > OK ] >>> > > Shutting down dirsrv: >>> > > PKI-IPA... >>> > [ OK ] >>> > > sample-NET... 
>>> > [ OK ] >>> > > Aborting ipactl >>> > > [root@test /]# klist >>> > > klist: No credentials cache found (ticket cache >>> > FILE:/tmp/krb5cc_0) >>> > > [root@test /]# service ipa status >>> > > Directory Service: STOPPED >>> > > Failed to get list of services to probe status: >>> > > Directory Server is stopped >>> > > >>> > > On Thu, Apr 28, 2016 at 3:21 AM David Kupka >>> > <[email protected] <mailto:[email protected]> >>> <mailto:[email protected] <mailto:[email protected]>> >>> > > <mailto:[email protected] >>> <mailto:[email protected]> <mailto:[email protected] >>> <mailto:[email protected]>>>> wrote: >>> > > >>> > > On 27/04/16 21:54, Anthony Cheng wrote: >>> > > > Hi list, >>> > > > >>> > > > I am trying to renew expired certificates >>> following the >>> > > manual renewal procedure >>> > > > here >>> > (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) >>> > > but even with >>> > > > resetting the system/hardware clock to a >>> time before >>> > expires, >>> > > I am getting the >>> > > > error "ca-error: Error setting up ccache >>> for local "host" >>> > > service using default >>> > > > keytab: Clock skew too great." >>> > > > >>> > > > With NTP disable and clock reset why would >>> it complain >>> > about >>> > > clock skew and how >>> > > > does it even know about the current time? >>> > > > >>> > > > [root@test certs]# getcert list >>> > > > Number of certificates and requests being >>> tracked: 8. >>> > > > Request ID '20111214223243': >>> > > > status: MONITORING >>> > > > ca-error: Error setting up ccache >>> for local >>> > "host" >>> > > service using >>> > > > default keytab: Clock skew too great. 
>>> > > > stuck: no >>> > > > key pair storage: >>> > > > >>> > > >>> > >>> >>> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS >>> > > > Certificate >>> > > >>> DB',pinfile='/etc/dirsrv/slapd-sample-NET//pwdfile.txt' >>> > > > certificate: >>> > > > >>> > > >>> > >>> >>> type=NSSDB,location='/etc/dirsrv/slapd-sample-NET',nickname='Server-Cert',token='NSS >>> > > > Certificate DB' >>> > > > CA: IPA >>> > > > issuer: CN=Certificate >>> Authority,O=sample.NET >>> > > > subject: CN=test.sample.net >>> <http://test.sample.net> >>> > <http://test.sample.net> <http://test.sample.net> >>> > > <http://test.sample.net>,O=sample.NET >>> > > > expires: 2016-01-29 14:09:46 UTC >>> > > > eku: id-kp-serverAuth >>> > > > pre-save command: >>> > > > post-save command: >>> > > > track: yes >>> > > > auto-renew: yes >>> > > > Request ID '20111214223300': >>> > > > status: MONITORING >>> > > > ca-error: Error setting up ccache >>> for local >>> > "host" >>> > > service using >>> > > > default keytab: Clock skew too great. 
>>> > > > stuck: no >>> > > > key pair storage: >>> > > > >>> > > >>> > >>> >>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >>> > > Certificate >>> > > > >>> DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' >>> > > > certificate: >>> > > > >>> > > >>> > >>> >>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS >>> > > Certificate >>> > > > DB' >>> > > > CA: IPA >>> > > > issuer: CN=Certificate >>> Authority,O=sample.NET >>> > > > subject: CN=test.sample.net >>> <http://test.sample.net> >>> > <http://test.sample.net> <http://test.sample.net> >>> > > <http://test.sample.net>,O=sample.NET >>> > > > expires: 2016-01-29 14:09:45 UTC >>> > > > eku: id-kp-serverAuth >>> > > > pre-save command: >>> > > > post-save command: >>> > > > track: yes >>> > > > auto-renew: yes >>> > > > Request ID '20111214223316': >>> > > > status: MONITORING >>> > > > ca-error: Error setting up ccache >>> for local >>> > "host" >>> > > service using >>> > > > default keytab: Clock skew too great. 
>>> > > > stuck: no >>> > > > key pair storage: >>> > > > >>> > > >>> > >>> >>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >>> > > > Certificate >>> DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>> > > > certificate: >>> > > > >>> > > >>> > >>> >>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS >>> > > > Certificate DB' >>> > > > CA: IPA >>> > > > issuer: CN=Certificate >>> Authority,O=sample.NET >>> > > > subject: CN=test.sample.net >>> <http://test.sample.net> >>> > <http://test.sample.net> <http://test.sample.net> >>> > > <http://test.sample.net>,O=sample.NET >>> > > > expires: 2016-01-29 14:09:45 UTC >>> > > > eku: id-kp-serverAuth >>> > > > pre-save command: >>> > > > post-save command: >>> > > > track: yes >>> > > > auto-renew: yes >>> > > > Request ID '20130519130741': >>> > > > status: NEED_CSR_GEN_PIN >>> > > > ca-error: Internal error: no >>> response to >>> > > > >>> > > >>> > >>> >>> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true". 
>>> > > > stuck: yes >>> > > > key pair storage: >>> > > > >>> > > >>> > >>> >>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >>> > > > cert-pki-ca',token='NSS Certificate >>> DB',pin='297100916664 >>> > > > ' >>> > > > certificate: >>> > > > >>> > > >>> > >>> >>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert >>> > > > cert-pki-ca',token='NSS Certificate DB' >>> > > > CA: dogtag-ipa-renew-agent >>> > > > issuer: CN=Certificate >>> Authority,O=sample.NET >>> > > > subject: CN=CA Audit,O=sample.NET >>> > > > expires: 2017-10-13 14:10:49 UTC >>> > > > pre-save command: >>> > /usr/lib64/ipa/certmonger/stop_pkicad >>> > > > post-save command: >>> > > /usr/lib64/ipa/certmonger/renew_ca_cert >>> > > > "auditSigningCert cert-pki-ca" >>> > > > track: yes >>> > > > auto-renew: yes >>> > > > Request ID '20130519130742': >>> > > > status: NEED_CSR_GEN_PIN >>> > > > ca-error: Internal error: no >>> response to >>> > > > >>> > > >>> > >>> >>> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true". 
>>> > > > stuck: yes >>> > > > key pair storage: >>> > > > >>> > > >>> > >>> >>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >>> > > > cert-pki-ca',token='NSS Certificate >>> DB',pin='297100916664 >>> > > > ' >>> > > > certificate: >>> > > > >>> > > >>> > >>> >>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert >>> > > > cert-pki-ca',token='NSS Certificate DB' >>> > > > CA: dogtag-ipa-renew-agent >>> > > > issuer: CN=Certificate >>> Authority,O=sample.NET >>> > > > subject: CN=OCSP >>> Subsystem,O=sample.NET >>> > > > expires: 2017-10-13 14:09:49 UTC >>> > > > eku: id-kp-OCSPSigning >>> > > > pre-save command: >>> > /usr/lib64/ipa/certmonger/stop_pkicad >>> > > > post-save command: >>> > > /usr/lib64/ipa/certmonger/renew_ca_cert >>> > > > "ocspSigningCert cert-pki-ca" >>> > > > track: yes >>> > > > auto-renew: yes >>> > > > Request ID '20130519130743': >>> > > > status: NEED_CSR_GEN_PIN >>> > > > ca-error: Internal error: no >>> response to >>> > > > >>> > > >>> > >>> >>> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true". 
>>> > > > stuck: yes >>> > > > key pair storage: >>> > > > >>> > > >>> > >>> >>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >>> > > > cert-pki-ca',token='NSS Certificate >>> DB',pin='297100916664 >>> > > > ' >>> > > > certificate: >>> > > > >>> > > >>> > >>> >>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert >>> > > > cert-pki-ca',token='NSS Certificate DB' >>> > > > CA: dogtag-ipa-renew-agent >>> > > > issuer: CN=Certificate >>> Authority,O=sample.NET >>> > > > subject: CN=CA >>> Subsystem,O=sample.NET >>> > > > expires: 2017-10-13 14:09:49 UTC >>> > > > eku: >>> id-kp-serverAuth,id-kp-clientAuth >>> > > > pre-save command: >>> > /usr/lib64/ipa/certmonger/stop_pkicad >>> > > > post-save command: >>> > > /usr/lib64/ipa/certmonger/renew_ca_cert >>> > > > "subsystemCert cert-pki-ca" >>> > > > track: yes >>> > > > auto-renew: yes >>> > > > Request ID '20130519130744': >>> > > > status: MONITORING >>> > > > ca-error: Internal error: no >>> response to >>> > > > >>> > > >>> > >>> >>> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true". 
>>> > > > stuck: no >>> > > > key pair storage: >>> > > > >>> > > >>> > >>> >>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >>> > > Certificate >>> > > > DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>> > > > certificate: >>> > > > >>> > > >>> > >>> >>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS >>> > > Certificate DB' >>> > > > CA: dogtag-ipa-renew-agent >>> > > > issuer: CN=Certificate >>> Authority,O=sample.NET >>> > > > subject: CN=RA >>> Subsystem,O=sample.NET >>> > > > expires: 2017-10-13 14:09:49 UTC >>> > > > eku: >>> id-kp-serverAuth,id-kp-clientAuth >>> > > > pre-save command: >>> > > > post-save command: >>> > > /usr/lib64/ipa/certmonger/renew_ra_cert >>> > > > track: yes >>> > > > auto-renew: yes >>> > > > Request ID '20130519130745': >>> > > > status: NEED_CSR_GEN_PIN >>> > > > ca-error: Internal error: no >>> response to >>> > > > >>> > > >>> > >>> >>> "http://test.sample.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true". >>> > > > stuck: yes >>> > > > key pair storage: >>> > > > >>> > >>> >>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert >>> > > > cert-pki-ca',token='NSS Certificate >>> DB',pin='297100916664 >>> > > > ' >>> > > > certificate: >>> > > > >>> > >>> >>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
