it's ubuntu 16.04.7. Freeipa 4.3.1-0ubuntu1
which packages do you need else?
-----------------------------------
------------------------------------
getcert list:
------------
Request ID '20221130052539':
status: MONITORING
ca-error: Server at
"https://ipa.dom.loc:8443/ca/agent/ca/profileProcess"; replied: 1: You did not
provide a valid certificate for this operation
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=CA Audit,O=DOM.LOC
expires: 2024-11-19 05:25:15 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221130052540':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=OCSP Subsystem,O=DOM.LOC
expires: 2024-11-19 05:25:14 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
eku: id-kp-OCSPSigning
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221130052541':
status: MONITORING
ca-error: Server at
"https://ipa.dom.loc:8443/ca/agent/ca/profileProcess"; replied: 1: You did not
provide a valid certificate for this operation
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=CA Subsystem,O=DOM.LOC
expires: 2024-11-19 05:25:14 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "subsystemCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221130052542':
status: MONITORING
ca-error: Server at
"https://ipa.dom.loc:8443/ca/agent/ca/profileProcess"; replied: 1: You did not
provide a valid certificate for this operation
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=Certificate Authority,O=DOM.LOC
expires: 2042-11-30 05:25:14 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "caSigningCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221130052543':
status: MONITORING
ca-error: Server at
"https://ipa.dom.loc:8443/ca/agent/ca/profileProcess"; replied: 1: You did not
provide a valid certificate for this operation
stuck: no
key pair storage:
type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=IPA RA,O=DOM.LOC
expires: 2024-11-19 05:25:36 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20221130052544':
status: MONITORING
ca-error: Server at
"https://ipa.dom.loc:8443/ca/agent/ca/profileProcess"; replied: 1: You did not
provide a valid certificate for this operation
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=ipa.dom.loc,O=DOM.LOC
expires: 2024-11-19 05:25:14 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "Server-Cert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221130052605':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-DOM-LOC',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-DOM-LOC/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-DOM-LOC',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=ipa.dom.loc,O=DOM.LOC
expires: 2026-11-18 20:02:32 UTC
principal name: ldap/ipa.dom....@dom.loc
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib/ipa/certmonger/restart_dirsrv DOM-LOC
track: yes
auto-renew: yes
Request ID '20221130052625':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DOM.LOC
subject: CN=ipa.dom.loc,O=DOM.LOC
expires: 2026-11-18 20:02:42 UTC
principal name: HTTP/ipa.dom....@dom.loc
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
-------------------------------
ipa-cacert-manage renew -v:
-------------------------------
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: Not logging to a
file
ipa: DEBUG: importing all plugin modules in ipalib.plugins...
ipa: DEBUG: importing plugin module ipalib.plugins.aci
ipa: DEBUG: importing plugin module ipalib.plugins.automember
ipa: DEBUG: importing plugin module ipalib.plugins.automount
ipa: DEBUG: importing plugin module ipalib.plugins.baseldap
ipa: DEBUG: importing plugin module ipalib.plugins.baseuser
ipa: DEBUG: importing plugin module ipalib.plugins.batch
ipa: DEBUG: importing plugin module ipalib.plugins.caacl
ipa: DEBUG: importing plugin module ipalib.plugins.cert
ipa: DEBUG: importing plugin module ipalib.plugins.certprofile
ipa: DEBUG: importing plugin module ipalib.plugins.config
ipa: DEBUG: importing plugin module ipalib.plugins.delegation
ipa: DEBUG: importing plugin module ipalib.plugins.dns
ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel
ipa: DEBUG: importing plugin module ipalib.plugins.group
ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule
ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc
ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup
ipa: DEBUG: importing plugin module ipalib.plugins.hbactest
ipa: DEBUG: importing plugin module ipalib.plugins.host
ipa: DEBUG: importing plugin module ipalib.plugins.hostgroup
ipa: DEBUG: importing plugin module ipalib.plugins.idrange
ipa: DEBUG: importing plugin module ipalib.plugins.idviews
ipa: DEBUG: importing plugin module ipalib.plugins.internal
ipa: DEBUG: importing plugin module ipalib.plugins.krbtpolicy
ipa: DEBUG: importing plugin module ipalib.plugins.migration
ipa: DEBUG: importing plugin module ipalib.plugins.misc
ipa: DEBUG: importing plugin module ipalib.plugins.netgroup
ipa: DEBUG: importing plugin module ipalib.plugins.otpconfig
ipa: DEBUG: importing plugin module ipalib.plugins.otptoken
ipa: DEBUG: importing plugin module ipalib.plugins.otptoken_yubikey
ipa: DEBUG: importing plugin module ipalib.plugins.passwd
ipa: DEBUG: importing plugin module ipalib.plugins.permission
ipa: DEBUG: importing plugin module ipalib.plugins.ping
ipa: DEBUG: importing plugin module ipalib.plugins.pkinit
ipa: DEBUG: importing plugin module ipalib.plugins.privilege
ipa: DEBUG: importing plugin module ipalib.plugins.pwpolicy
ipa: DEBUG: Starting external process
ipa: DEBUG: args=klist -V
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=Kerberos 5 version 1.13.2
ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module ipalib.plugins.radiusproxy
ipa: DEBUG: importing plugin module ipalib.plugins.realmdomains
ipa: DEBUG: importing plugin module ipalib.plugins.role
ipa: DEBUG: importing plugin module ipalib.plugins.rpcclient
ipa: DEBUG: importing plugin module ipalib.plugins.selfservice
ipa: DEBUG: importing plugin module ipalib.plugins.selinuxusermap
ipa: DEBUG: importing plugin module ipalib.plugins.server
ipa: DEBUG: importing plugin module ipalib.plugins.service
ipa: DEBUG: importing plugin module ipalib.plugins.servicedelegation
ipa: DEBUG: importing plugin module ipalib.plugins.session
ipa: DEBUG: importing plugin module ipalib.plugins.stageuser
ipa: DEBUG: importing plugin module ipalib.plugins.sudocmd
ipa: DEBUG: importing plugin module ipalib.plugins.sudocmdgroup
ipa: DEBUG: importing plugin module ipalib.plugins.sudorule
ipa: DEBUG: importing plugin module ipalib.plugins.topology
ipa: DEBUG: importing plugin module ipalib.plugins.trust
ipa: DEBUG: importing plugin module ipalib.plugins.user
ipa: DEBUG: importing plugin module ipalib.plugins.vault
ipa: DEBUG: importing plugin module ipalib.plugins.virtual
ipa: DEBUG: importing all plugin modules in ipaserver.plugins...
ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag
ipa: DEBUG: importing plugin module ipaserver.plugins.join
ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2
ipa: DEBUG: importing plugin module ipaserver.plugins.rabase
ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver
ipa.ipalib.session.SessionAuthManager: DEBUG: SessionAuthManager.register:
name=jsonserver_session_140159754316752
ipa.ipalib.session.SessionAuthManager: DEBUG: SessionAuthManager.register:
name=xmlserver_session_140159754359568
ipa.ipaserver.rpcserver.wsgi_dispatch: DEBUG: Mounting
ipaserver.rpcserver.xmlserver() at '/xml'
ipa.ipaserver.rpcserver.xmlserver: DEBUG: session_auth_duration: 0:20:00
ipa.ipaserver.rpcserver.wsgi_dispatch: DEBUG: Mounting
ipaserver.rpcserver.xmlserver_session() at '/session/xml'
ipa.ipaserver.rpcserver.xmlserver_session: DEBUG: session_auth_duration: 0:20:00
ipa.ipaserver.rpcserver.xmlserver_session: DEBUG: session_auth_duration: 0:20:00
ipa.ipaserver.rpcserver.wsgi_dispatch: DEBUG: Mounting
ipaserver.rpcserver.login_password() at '/session/login_password'
ipa.ipaserver.rpcserver.login_password: DEBUG: session_auth_duration: 0:20:00
ipa.ipaserver.rpcserver.wsgi_dispatch: DEBUG: Mounting
ipaserver.rpcserver.change_password() at '/session/change_password'
ipa.ipaserver.rpcserver.wsgi_dispatch: DEBUG: Mounting
ipaserver.rpcserver.jsonserver_session() at '/session/json'
ipa.ipaserver.rpcserver.jsonserver_session: DEBUG: session_auth_duration:
0:20:00
ipa.ipaserver.rpcserver.wsgi_dispatch: DEBUG: Mounting
ipaserver.rpcserver.sync_token() at '/session/sync_token'
ipa.ipaserver.rpcserver.wsgi_dispatch: DEBUG: Mounting
ipaserver.rpcserver.jsonserver_kerb() at '/json'
ipa.ipaserver.rpcserver.jsonserver_kerb: DEBUG: session_auth_duration: 0:20:00
ipa.ipaserver.rpcserver.wsgi_dispatch: DEBUG: Mounting
ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos'
ipa.ipaserver.rpcserver.login_kerberos: DEBUG: session_auth_duration: 0:20:00
ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: Found certmonger
request id dbus.String(u'20221130052542', variant_level=1)
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/pki/pki-tomcat/alias -L -n
caSigningCert cert-pki-ca -a
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=-----BEGIN CERTIFICATE-----
MIIDfzCCAmegAwIBAgIBATANBgkqhkiG9w0BAQsFADAyMRAwDgYDVQQKDAdET00u
TE9DMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjIxMTMwMDUy
NTE0WhcNNDIxMTMwMDUyNTE0WjAyMRAwDgYDVQQKDAdET00uTE9DMR4wHAYDVQQD
DBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDScx6Ah9lD3MZ9Y/FnmC2BuM1l5mbaDo6n8ke07So+J2ryG13kKWf6
eGyaMiFf3o6bi9zTB2gDlIWDAgjsjYeVo7dz3dO+DM4o57C8OYGecySsJ3VSsYTs
utNNKxqMprOxqNB2ascwLiR6Oy2NWzOFtg0ZP4GBW1uqv26cYl0s28CcL1xU+Rnh
FsXTtn5yGdkUKPj9vBFxiQI11ILV+mp58NmIddqjjzsXzHrAJ7+v7EcVS1tlZvLA
bfgWVgaHE1GNdmL7DzkBtrIX6nwzVhbVFhKpYAAGJUPHFS9yMxgwGFejkVmyFOzG
o/cwikq699YHujpgPLej98BM6e9VIpxvAgMBAAGjgZ8wgZwwHwYDVR0jBBgwFoAU
CBaGdFi3XREanbDOr1fXZH4KKakwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E
BAMCAcYwHQYDVR0OBBYEFAgWhnRYt10RGp2wzq9X12R+CimpMDkGCCsGAQUFBwEB
BC0wKzApBggrBgEFBQcwAYYdaHR0cDovL2lwYS5kb20ubG9jOjgwL2NhL29jc3Aw
DQYJKoZIhvcNAQELBQADggEBAEDtgTehcANC+hTvgxXsV6tboYBAza6+Gvs+jQd4
2LfBwZNJClqTL0F2u2vUBH6m4gaUMWmPoP6bwqFJ7Yw+ZT04DlGpt0JyaVfP8zAU
FV3k9fygY9Qk6+WGyIi172uB+7GR7CIDT90cGftq3RqF5kapnbRXmT46RHNIC2gB
/Ld/fG4SPWwmSB91YPbiaRJcWdCC2QZsn7i2pikqyOfn7m9Oim8HZhd4/t1TMezD
+AJcfwCkWyqaLZPGwvdt8gf6vk7DR+FYIvmLxGbhrmS3yfuBmcJ8LgCKK5QtMXUo
FNc869oM4O6QoH87gzef9Lu9LrbWH23V7LH33G0aY1v5Jxs=
-----END CERTIFICATE-----
ipa: DEBUG: stderr=
Renewing CA certificate, please wait
ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing
ldapi://%2fvar%2frun%2fslapd-DOM-LOC.socket from SchemaCache
ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-DOM-LOC.socket
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f797c741248>
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: resubmitting
certmonger request '20221130052542'
ipa: DEBUG: certmonger request is in state dbus.String(u'GENERATING_CSR',
variant_level=1)
ipa: DEBUG: certmonger request is in state dbus.String(u'MONITORING',
variant_level=1)
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: File
"/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 171, in execute
return_value = self.run()
File
"/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_cacert_manage.py", line
114, in run
rc = self.renew()
File
"/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_cacert_manage.py", line
172, in renew
return self.renew_self_signed(ca)
File
"/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_cacert_manage.py", line
184, in renew_self_signed
self.resubmit_request(ca, 'caCACert')
File
"/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_cacert_manage.py", line
314, in resubmit_request
"please check the request manually" % self.request_id)
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: The
ipa-cacert-manage command failed, exception: ScriptError: Error resubmitting
certmonger request '20221130052542', please check the request manually
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: Error resubmitting
certmonger request '20221130052542', please check the request manually
ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: The
ipa-cacert-manage command failed.
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
