Unable to renew expired internal Dogtag/Red Hat Certificate System certificates with ipa-server

Solution In Progress - Updated -

Issue

After following the KCS article to renew expired Dogtag/Red Hat Certificate System certificates, the certificates still have the same expiration date, and getcert reports the tracked requests as NEED_TO_SUBMIT with a CA error:

[root@example ~]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20120217202940':
    status: NEED_TO_SUBMIT
    ca-error: Server at https://example.com/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM//pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=example,O=EXAMPLE.COM
    expires: 2000-01-01 20:03:56 UTC                                    <------ date will be in the past
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20120217203005':
    status: NEED_TO_SUBMIT
    ca-error: Server at https://example.com/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=example.com,O=EXAMPLE.COM
    expires: 2000-01-01 20:03:56 UTC                                    <------ date will be in the past
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20120217203028':
    status: NEED_TO_SUBMIT
    ca-error: Server at https://example.com/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=example.com,O=EXAMPLE.COM
    expires: 2000-01-01 20:03:56 UTC                                    <------ date will be in the past
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
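A quick way to triage a listing like the one above across all tracked requests is to parse `getcert list` and report every certificate that is already expired, carries a ca-error, or is stuck. The following is an added example written for this article; it is not code from the article, from FreeIPA or from certmonger. It assumes only the output layout shown above (a `Request ID '...'` header followed by four-space-indented `key: value` lines), and it also re-joins long values that were wrapped onto unindented lines when the output was pasted into a ticket. The sample output embedded in the script is constructed from the article's listing plus one healthy request.

```python
"""Triage helper for certmonger's `getcert list` output on an IPA server.

Added example (not from the Red Hat article, FreeIPA or certmonger). Parses
the listing `getcert list` prints and flags requests that are expired, have a
ca-error, or are stuck. Assumes the field layout shown in the article.
"""
import re
import sys
from datetime import datetime, timezone

# Constructed sample modelled on the article's listing: two requests with the
# reported symptoms (ca-error, expiry in the past) and one healthy request.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20120217202940':
    status: NEED_TO_SUBMIT
    ca-error: Server at https://example.com/ipa/xml failed
request, will retry: 4301 (RPC failed at server.  Certificate operation
cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: no
    key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM//pwdfile.txt'
    subject: CN=example,O=EXAMPLE.COM
    expires: 2000-01-01 20:03:56 UTC
Request ID '20120217203028':
    status: NEED_TO_SUBMIT
    ca-error: Server at https://example.com/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    subject: CN=example.com,O=EXAMPLE.COM
    expires: 2000-01-01 20:03:56 UTC
Request ID '20120217203005':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    subject: CN=example.com,O=EXAMPLE.COM
    expires: 2030-01-01 20:03:56 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^    ([A-Za-z -]+): ?(.*)$")
EXPIRES_RE = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC")


def parse_getcert_list(text):
    """Return one {field: value} dict per tracked request, in listing order."""
    records, current, last_key = [], None, None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            records.append(current)
            last_key = None
            continue
        if current is None:
            continue  # preamble such as "Number of certificates ..."
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group(1)
            current[last_key] = m.group(2).strip()
        elif last_key is not None and line.strip():
            # Unindented line: continuation of the previous (wrapped) value.
            current[last_key] = (current[last_key] + " " + line.strip()).strip()
    return records


def parse_expiry(value):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC'; trailing annotations are ignored."""
    m = EXPIRES_RE.search(value or "")
    if not m:
        return None
    naive = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)


def find_renewal_problems(records, now):
    """Return (request_id, reason) for requests that are expired, errored or stuck."""
    problems = []
    for rec in records:
        reasons = []
        expiry = parse_expiry(rec.get("expires"))
        if expiry is not None and expiry <= now:
            reasons.append("expired %s" % expiry.strftime("%Y-%m-%d"))
        if rec.get("ca-error"):
            reasons.append("ca-error: %s" % rec["ca-error"])
        if rec.get("stuck") == "yes":
            reasons.append("stuck")
        if reasons:
            problems.append((rec["request_id"], "; ".join(reasons)))
    return problems


if __name__ == "__main__":
    # Usage: getcert list | python3 getcert_triage.py  (sample data when not piped)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCERT_OUTPUT
    now = datetime.now(timezone.utc)
    for request_id, reason in find_renewal_problems(parse_getcert_list(text), now):
        print("%s: %s" % (request_id, reason))
```

Run it as `getcert list | python3 getcert_triage.py` on the IPA server; each flagged request is printed with its request ID so it can be matched to the `getcert list` entry and its NSS database location. The joined ca-error text is reported verbatim, so the "Unable to communicate with CMS" message from the article appears on a single line per request.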

Environment

  • Red Hat Enterprise Linux 6.7
  • Red Hat Enterprise Linux 7
  • ipa-server v3
  • ipa-server v4
  • jre-1.7.0-openjdk
  • jre-1.8.0-openjdk
