Unable to renew expired internal Dogtag/Red Hat Certificate System certificates with ipa-server

Solution In Progress - Updated -

Issue

After following the KCS article to renew expired Dogtag/Red Hat Certificate System certificates, the certificates still have the same expiration date. certmonger (getcert list) shows every tracked certificate in status NEED_TO_SUBMIT with a ca-error reporting that the IPA server could not communicate with CMS, so the renewal request never reaches the CA and the expired certificates are never replaced:

[root@example ~]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20120217202940':
    status: NEED_TO_SUBMIT
    ca-error: Server at https://example.com/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM//pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=example,O=EXAMPLE.COM
    expires: 2000-01-01 20:03:56 UTC                                    <------ expiry date is in the past
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20120217203005':
    status: NEED_TO_SUBMIT
    ca-error: Server at https://example.com/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=example.com,O=EXAMPLE.COM
    expires: 2000-01-01 20:03:56 UTC                                    <------ expiry date is in the past
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20120217203028':
    status: NEED_TO_SUBMIT
    ca-error: Server at https://example.com/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=example.com,O=EXAMPLE.COM
    expires: 2000-01-01 20:03:56 UTC                                    <------ expiry date is in the past
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
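The listing above is easy to misread when many certificates are tracked: the expired dates draw the eye, but the ca-error on every entry is the real signal, because no renewal can succeed while the IPA CA (CMS) is not answering. The following script, added here as an example and not code from the Red Hat article or from certmonger, parses `getcert list` output into one record per Request ID, flags entries that are expired, not in MONITORING status, or carrying a ca-error, and reports whether every failure is the same "Unable to communicate with CMS" error. The embedded sample is constructed from the listing on this page plus an invented healthy entry for contrast; the `--sample` flag, the `TrackedCert`, `audit` and `ca_unreachable` names, and the choice of MONITORING as the only healthy status are this example's own assumptions.

```python
"""Audit `getcert list` output for tracked certificates that have expired or whose
renewal attempts are failing. Added example, not code from the Red Hat article or
from certmonger; SAMPLE_GETCERT_OUTPUT is constructed from the page's listing plus
an invented healthy entry for contrast."""
from __future__ import annotations
import re
import subprocess
import sys
from dataclasses import dataclass, field
from datetime import datetime, timezone

SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20120217202940':
    status: NEED_TO_SUBMIT
    ca-error: Server at https://example.com/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    subject: CN=example,O=EXAMPLE.COM
    expires: 2000-01-01 20:03:56 UTC
Request ID '20120217203028':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    subject: CN=example.com,O=EXAMPLE.COM
    expires: 2099-01-01 20:03:56 UTC
"""
REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':")
NSS_RE = re.compile(r"location='(?P<location>[^']*)'.*?nickname='(?P<nickname>[^']*)'")
CMS_DOWN = "Unable to communicate with CMS"  # the ca-error text quoted in the article

def parse_utc(raw: str) -> datetime:
    # getcert prints 'YYYY-MM-DD HH:MM:SS UTC'; return an aware datetime
    return datetime.strptime(raw.removesuffix(" UTC"), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

@dataclass
class TrackedCert:
    request_id: str
    fields: dict[str, str] = field(default_factory=dict)

    def storage(self) -> str:
        """NSS database path and nickname, e.g. '/etc/httpd/alias:Server-Cert'."""
        m = NSS_RE.search(self.fields.get("certificate", ""))
        return f"{m['location']}:{m['nickname']}" if m else "?"

def parse_getcert_list(text: str) -> list[TrackedCert]:
    """One TrackedCert per 'Request ID' block; indented 'key: value' lines become
    fields, split on the first colon only because values (URLs) contain colons."""
    certs: list[TrackedCert] = []
    current: TrackedCert | None = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = TrackedCert(m["id"])
            certs.append(current)
        elif current is not None and line.startswith(" "):
            key, sep, value = line.strip().partition(":")
            if sep:
                current.fields[key] = value.strip()
    return certs

def audit(certs: list[TrackedCert], now: datetime) -> dict[str, list[str]]:
    """Map request ID -> problems for every entry that needs attention."""
    findings: dict[str, list[str]] = {}
    for c in certs:
        problems = []
        raw = c.fields.get("expires")
        if raw and parse_utc(raw) <= now:
            problems.append(f"expired {raw}")
        if c.fields.get("status", "MONITORING") != "MONITORING":  # assumption: only MONITORING is healthy
            problems.append(f"status {c.fields['status']}")
        if c.fields.get("ca-error"):
            problems.append("ca-error: " + c.fields["ca-error"])
        if problems:
            findings[c.request_id] = problems
    return findings

def ca_unreachable(certs: list[TrackedCert]) -> bool:
    """True when every ca-error is the CMS error: the IPA CA backend is not answering,
    so the failures are not per-certificate and retrying renewals will not help."""
    errors = [c.fields["ca-error"] for c in certs if c.fields.get("ca-error")]
    return bool(errors) and all(CMS_DOWN in e for e in errors)

def main(argv: list[str]) -> int:
    if "--sample" in argv:
        text = SAMPLE_GETCERT_OUTPUT
    else:  # on the IPA server itself: parse the live listing (run as root)
        text = subprocess.run(["getcert", "list"], check=True, capture_output=True, text=True).stdout
    certs = parse_getcert_list(text)
    findings = audit(certs, datetime.now(timezone.utc))
    for c in certs:
        for problem in findings.get(c.request_id, []):
            print(f"{c.request_id} {c.storage()} ({c.fields.get('subject', '')}): {problem}")
    if ca_unreachable(certs):
        print(f"every failure is '{CMS_DOWN}': fix the IPA CA first, then resubmit the requests")
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with `--sample` to see the report for the listing above, or without arguments on the IPA server to parse the live output. The non-zero exit status makes it usable from a monitoring check, and the CMS summary line tells the operator to stop resubmitting individual requests (`getcert resubmit`) until the CA is reachable again, which is the situation this article describes.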

Environment

  • Red Hat Enterprise Linux 6.7
  • Red Hat Enterprise Linux 7
  • ipa-server v3
  • ipa-server v4
  • jre-1.7.0-openjdk
  • jre-1.8.0-openjdk
