Unable to renew expired internal Dogtag/Red Hat Certificate System certificates with ipa-server
Issue
After following the KCS article to renew expired Dogtag/Red Hat Certificate System certificates, the certificates still have the same expiration date.
[root@example ~]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20120217202940':
    status: NEED_TO_SUBMIT
    ca-error: Server at https://example.com/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM//pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=example,O=EXAMPLE.COM
    expires: 2000-01-01 20:03:56 UTC <------ date will be in the past
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20120217203005':
    status: NEED_TO_SUBMIT
    ca-error: Server at https://example.com/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=example.com,O=EXAMPLE.COM
    expires: 2000-01-01 20:03:56 UTC <----- date will be in the past
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20120217203028':
    status: NEED_TO_SUBMIT
    ca-error: Server at https://example.com/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=example.com,O=EXAMPLE.COM
    expires: 2000-01-01 20:03:56 UTC <----- date will be in the past
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
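A check for the condition shown in the output above, as an added example that is not part of the original article or of Red Hat's tooling: it parses `getcert list` text and reports each tracked request whose certificate is expired, whose status is not `MONITORING`, or that carries a `ca-error`. The sample input is constructed from the output above with each field on one line; the second request and the function names `parse_getcert` and `needs_attention` are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample: first request mirrors the article's output; the second is hypothetical.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20120217202940':
    status: NEED_TO_SUBMIT
    ca-error: Server at https://example.com/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2000-01-01 20:03:56 UTC
Request ID '20990101000000':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Example-Cert',token='NSS Certificate DB'
    expires: 2099-01-01 00:00:00 UTC
"""

def parse_getcert(text):
    """Split `getcert list` output into one dict of fields per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")  # split on the first colon only
            current[key.strip()] = value.strip()
    return requests

def needs_attention(requests, now=None):
    """Return (request id, nickname, reasons) for expired or failing requests."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for req in requests:
        reasons = []
        expires = req.get("expires", "").split(" <")[0].strip()  # drop "<--- ..." annotations
        if expires:
            when = datetime.strptime(expires, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
            if when <= now:
                reasons.append("expired")
        if req.get("status") != "MONITORING":
            reasons.append("status=" + req.get("status", "unknown"))
        if "ca-error" in req:
            reasons.append("ca-error")
        nick = re.search(r"nickname='([^']+)'", req.get("certificate", ""))
        if reasons:
            findings.append((req["id"], nick.group(1) if nick else None, reasons))
    return findings
```

On a live server the text would come from running `getcert list` as root; an empty result means every tracked certificate is current and being monitored.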
Environment
- Red Hat Enterprise Linux 6.7
- Red Hat Enterprise Linux 7
- ipa-server v3
- ipa-server v4
- jre-1.7.0-openjdk
- jre-1.8.0-openjdk
