hi

ipactl status result:
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
getcert list result is:
[root@ipasrv ~]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20140817123522':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='247087063310'
certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Audit,O=EXAMPLE.COM
expires: 2018-06-30 07:57:06 UTC
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20140817123523':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='247087063310'
certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=OCSP Subsystem,O=EXAMPLE.COM
expires: 2018-06-30 07:56:06 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20140817123524':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='247087063310'
certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=CA Subsystem,O=EXAMPLE.COM
expires: 2018-06-30 07:56:06 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20140817123525':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=IPA RA,O=EXAMPLE.COM
expires: 2018-06-30 07:56:06 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20140817123526':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='247087063310'
certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ipasrv.EXAMPLE.COM,O=EXAMPLE.COM
expires: 2018-06-30 07:56:06 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20140817123534':
status: MONITORING
ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm 'EXAMPLE.COM'.
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ipasrv.EXAMPLE.COM,O=EXAMPLE.COM
expires: 2016-08-17 12:35:34 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
track: yes
auto-renew: yes
Request ID '20140817123602':
status: MONITORING
ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm 'EXAMPLE.COM'.
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ipasrv.EXAMPLE.COM,O=EXAMPLE.COM
expires: 2016-08-17 12:36:02 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
track: yes
auto-renew: yes
Request ID '20140817123752':
status: MONITORING
ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm 'EXAMPLE.COM'.
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ipasrv.EXAMPLE.COM,O=EXAMPLE.COM
expires: 2016-08-17 12:37:51 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
From: Rob Crittenden <[email protected]>
To: mohammad sereshki <[email protected]>; Freeipa-users
<[email protected]>
Sent: Saturday, July 23, 2016 11:30 PM
Subject: Re: [Freeipa-users] ipa-getcert shows error
mohammad sereshki wrote:
> hi
>
> I get below error
> ca-error: Error setting up ccache for local "host" service using default
> keytab: Cannot contact any KDC for realm 'EXAMPLE.COM'.
I'm guessing IPA is not running, or not completely running. ipactl
status will tell you.
> when I run ipa-getcert list, also how can I check my CAs are renewed or not?
Use just getcert and not ipa-getcert (ipa-getcert returns just a subset
of all certificates being tracked).
rob
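
The two things asked about in this thread (which tracked requests report a ca-error, and whether certificates are close to or past expiry) can be read mechanically from `getcert list` output. The following is an added example, not code from the thread or from certmonger; `parse_getcert`, `review` and the 28-day `warn_days` default are hypothetical names and values, and the field list covers only the fields that appear in the output above.

```python
import re
from datetime import datetime, timedelta, timezone

# Field names seen in the `getcert list` output on this page.
FIELDS = ("status|ca-error|stuck|key pair storage|certificate|CA|issuer|subject|"
          "expires|eku|pre-save command|post-save command|track|auto-renew")
FIELD_RE = re.compile(r"^\s*(%s):\s*(.*)$" % FIELDS)
ID_RE = re.compile(r"^\s*Request ID '([^']+)':")
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

def parse_getcert(text):
    """Return one dict per tracked request; mail-wrapped values are re-joined."""
    records, rec, key = [], None, None
    for line in text.splitlines():
        m = ID_RE.match(line)
        if m:
            rec, key = {"id": m.group(1)}, None
            records.append(rec)
            continue
        m = FIELD_RE.match(line) if rec is not None else None
        if m:
            key = m.group(1)
            rec[key] = m.group(2).strip()
        elif rec is not None and key and line.strip():
            rec[key] = (rec[key] + " " + line.strip()).strip()  # wrapped continuation
    return records

def review(text, now, warn_days=28):
    """Return (request id, subject, problem) for requests needing attention."""
    findings = []
    for r in parse_getcert(text):
        who = (r["id"], r.get("subject"))
        if "ca-error" in r:
            findings.append(who + ("ca-error: " + r["ca-error"],))
        d = DATE_RE.search(r.get("expires", ""))
        if d:
            exp = datetime.strptime(d.group(), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            if exp - now <= timedelta(days=warn_days):
                findings.append(who + ("expired" if exp <= now else "expires soon",))
    return findings

# Constructed sample: one request from the thread, with the mail-wrapped ca-error.
SAMPLE = """Request ID '20140817123752':
status: MONITORING
ca-error: Error setting up ccache for local "host" service using
default keytab: Cannot contact any KDC for realm 'EXAMPLE.COM'.
subject: CN=ipasrv.EXAMPLE.COM,O=EXAMPLE.COM
expires: 2016-08-17 12:37:51 UTC
"""
```

Feed it the text printed by `getcert list` rather than `ipa-getcert list`, so that all tracked certificates are covered.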