Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1256038

Summary: ipa-replica-install: "Could not find a CA cert in /tmp/[TMPDIR]/realm_info/dscert.p12"
Product: Red Hat Enterprise Linux 7 Reporter: Daniel Riek <riek>
Component: ipaAssignee: Jan Cholasta <jcholast>
Status: CLOSED INSUFFICIENT_DATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.1CC: fjayalat, jcholast, jnansi, mkosek, pvoborni, rcritten, riek, thing.thing, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-08-16 11:49:50 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Daniel Riek 2015-08-23 14:27:17 UTC 
Description of problem:
When trying to create a replica as part of the upgrade process from RHEL 6.7 to 7.1, ipa-replica-install fails to parse the cert chain in dscert.p12.

Version-Release number of selected component (if applicable):
The replica information was created on RHEL 6.7 with the following ipa packages: 
* ipa-server et al: 3.0.0-47
* pki-ca et al: 9.0.3-43

ipa-replica-install is run on RHEL 7.1
ipa-server-4.1.0-18.el7_1.4 etc.
pki-base-10.1.2-7.el7 etc.

ipa-replica-install is run with the following commandline:
 --setup-ca --ip-address={IPADDRESS] -N --setup-dns --no-forwarders -U

The problem appears to be trucation of the server-cert name in /usr/lib/python2.7/site-packages/ipaserver/install/certs.py

The following patch allowed me to proceed:

--- /usr/lib/python2.7/site-packages/ipaserver/install/certs.py.orig    2015-08-23 00:28:21.223510211 -0400
+++ /usr/lib/python2.7/site-packages/ipaserver/install/certs.py 2015-08-23 00:28:48.791493470 -0400
@@ -629,7 +629,7 @@
         # We only handle one server cert
         nickname = server_certs[0][0]
 
-        ca_names = self.find_root_cert(nickname)[:-1]
+        ca_names = self.find_root_cert(nickname)
         if len(ca_names) == 0:
             raise RuntimeError("Could not find a CA cert in %s" % pkcs12_fname)
Comment 7 gzcwnk 2015-09-29 22:02:08 UTC 
I think this just bit me as a production server while upgrading for 6.7 to 7..

:(

[root@vuwunicoipam001 thing]# ipa-replica-install --setup-dns --setup-ca --forwarder=10.100.32.31 -U replica-info-vuwunicoipam001.ods.vuw.ac.nz.gpg --skip-conncheck
Checking forwarders, please wait ...
WARNING: DNS forwarder 10.100.32.31 does not return DNSSEC signatures in answers
Please fix forwarder configuration to enable DNSSEC support.
(For BIND 9 add directive "dnssec-enable yes;" to "options {}")
WARNING: DNSSEC validation will be disabled
Directory Manager (existing master) password:
Reply 
Message
Jones, Steven on Sep 29 2015 at 03:54 PM +13:00
Adding [10.100.32.50 vuwunicoipam001.ods.vuw.ac.nz] to your /etc/hosts file
Using reverse zone(s) 32.100.10.in-addr.arpa.
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd

8><----

[15/35]: creating indices [16/35]: enabling referential integrity plugin [17/35]: configuring ssl for ds instance [error] RuntimeError: Could not find a CA cert in /tmp/tmpbA9qvbipa/realm_info/dscert.p12 Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. Could not find a CA cert in /tmp/tmpbA9qvbipa/realm_info/dscert.p12 [root@vuwunicoipam001 thing]#
Comment 8 Jan Cholasta 2015-09-30 05:47:06 UTC 
Could you please post the output of the following commands:

$ gpg --output replica-info-<HOSTNAME>.tar --decrypt replica-info-<HOSTNAME>.gpg
$ tar -xf replica-info-<HOSTNAME>.tar
$ pk12util -l realm_info/dscert.p12 -w realm_info/dirsrv_pin.txt

?
Comment 9 gzcwnk 2015-09-30 19:57:01 UTC 
I need better/explicit commands as neither of these work.
Comment 10 gzcwnk 2015-09-30 19:58:15 UTC 
-rw-------. 1 thing thing 27817 Sep 29 15:29 replica-info-vuwunicoipam001.ods.vuw.ac.nz.gpg
[root@vuwunicoipam001 thing]# gpg --output replica-info-vuwunicoipam001.tar --decrypt replica-info-vuwunicoipam001.ods.vuw.ac.nz.gpg 
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: DBG: cleared passphrase cached with ID: S344DB72179BFB587
gpg: decryption failed: Bad session key



===
[root@vuwunicoipam001 thing]# pk12util -l realm_info/dscert.p12 -w realm_info/dirsrv_pin.txt
pk12util: File Open failed: realm_info/dscert.p12: PR_FILE_NOT_FOUND_ERROR: File not found
pk12util: PKCS12 decode not verified: PR_FILE_NOT_FOUND_ERROR: File not found
[root@vuwunicoipam001 thing]#
Comment 11 Rob Crittenden 2015-09-30 20:13:18 UTC 
What password are you using for decryption? It should be the Directory Manager password.
Comment 12 gzcwnk 2015-09-30 20:26:49 UTC 
[root@vuwunicoipam001 thing]# pk12util -l realm_info/dscert.p12 -w realm_info/dirsrv_pin.txt
Key(shrouded):
    Friendly Name: Server-Cert

    Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
        Parameters:
            Salt:
                17:9f:15:4b:7b:0d:67:ca:24:38:47:31:2d:db:2e:cb
            Iteration Count: 2000 (0x7d0)
Certificate(has private key):
    Data:
        Version: 3 (0x2)
        Serial Number: 8 (0x8)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=ODS.VUW.AC.NZ"
        Validity:
            Not Before: Tue Sep 29 02:26:56 2015
            Not After : Fri Sep 29 02:26:56 2017
        Subject: "CN=vuwunicoipam001.ods.vuw.ac.nz,O=ODS.VUW.AC.NZ"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    dc:92:37:28:84:aa:2d:4a:f7:3b:07:84:e5:7f:de:eb:
                    59:51:91:9c:27:06:61:73:95:48:b8:fe:80:92:09:90:
                    57:14:32:9f:e8:fd:0e:21:2c:d5:75:52:f9:e2:25:e1:
                    d5:71:f0:e7:80:4a:48:66:7c:f5:47:01:0f:60:5d:dd:
                    0b:00:22:72:9c:6a:28:b6:7a:f5:5e:b2:98:e5:ef:11:
                    8b:26:e3:67:e9:3c:39:f7:89:ff:ec:9f:e1:3f:d0:a5:
                    ab:c7:d5:7d:8a:d1:30:39:85:69:f3:a6:b2:96:6b:c0:
                    30:06:03:f6:60:b0:78:a0:51:74:07:49:a1:fc:a9:bc:
                    b2:e4:c0:08:f3:07:9e:4a:37:f0:e1:2a:72:65:d4:4d:
                    59:0d:7c:be:80:50:36:66:c0:2c:02:1e:ed:ef:15:04:
                    b1:30:6b:e3:eb:62:3d:29:e3:a1:49:ff:fc:80:9f:20:
                    3a:46:83:77:8d:84:c3:86:b1:f6:20:3a:24:7f:98:74:
                    b2:2f:70:24:8a:e5:d2:b4:99:f8:da:b1:1f:e4:d0:6c:
                    a5:69:58:71:3f:9a:d8:f7:be:51:8a:5d:08:a4:4f:d9:
                    d1:dd:08:0c:90:80:59:47:09:81:db:7a:1f:fd:71:86:
                    ec:04:6b:ae:2c:64:68:a6:1d:c7:25:ff:3a:09:a5:09
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                eb:51:de:2a:c7:78:6a:3e:ab:67:79:22:8b:d7:49:fa:
                9e:67:f4:15

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://ipa-ca.ods.vuw.ac.nz/ca/ocsp"

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Non-Repudiation
                    Key Encipherment
                    Data Encipherment

            Name: Extended Key Usage
                TLS Web Server Authentication Certificate
                TLS Web Client Authentication Certificate

            Name: CRL Distribution Points
            Distribution point:
                URI: "http://ipa-ca.ods.vuw.ac.nz/ipa/crl/MasterCRL.bin"
                CRL issuer: 
                    Directory Name: "CN=Certificate Authority,O=ipaca"

            Name: Certificate Subject Key ID
            Data:
                a0:8a:f1:71:96:c1:1d:7b:71:cf:17:05:9a:27:4b:11:
                b3:11:74:17

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        a1:f5:97:00:ea:da:e3:ee:61:e0:4a:5f:f2:af:d7:4a:
        e5:eb:00:58:fc:60:57:00:1e:f5:d7:6a:b8:87:85:fc:
        88:b7:79:5f:25:d7:40:89:c3:5f:ab:83:38:9f:c3:fb:
        64:0c:7c:d8:ba:2c:5d:15:4a:f3:ea:1b:45:01:a5:00:
        8a:54:f6:62:3f:2b:e2:ee:b9:d4:fc:71:80:fd:52:8b:
        84:80:d8:76:fd:4a:f4:f8:7f:7d:0a:7a:51:48:b5:3a:
        01:3e:f4:0c:77:cd:18:c0:48:00:b1:3d:11:7b:13:fc:
        34:03:92:0c:0b:24:4c:53:67:8b:97:ab:eb:f1:53:9f:
        0f:68:86:22:7c:1b:ef:de:f8:6d:af:e1:2d:d2:04:79:
        02:43:84:99:0d:da:39:17:3d:3f:47:dd:7c:6c:f4:c1:
        59:c8:68:48:80:4f:63:34:40:a2:02:c2:42:c0:56:9b:
        52:6c:44:7c:3c:1c:01:50:f5:1d:70:0e:f1:28:15:bc:
        ea:40:26:18:f3:bc:91:0a:6e:a0:2d:61:08:31:6a:e6:
        29:ad:be:0b:a8:9b:a1:e5:9f:77:8e:fc:47:82:73:ba:
        a9:15:d7:da:57:cb:85:3a:b3:b5:ed:bb:84:cd:dd:cb:
        ec:4a:15:ad:c3:b7:6d:f0:9e:0c:8e:03:a2:a3:3d:a0
    Fingerprint (SHA-256):
        F6:35:43:FC:AA:88:B6:3F:0D:25:78:40:52:14:F7:EC:8C:CE:36:19:55:44:3F:D2:CD:2F:4F:4A:7F:C6:E2:E6
    Fingerprint (SHA1):
        95:5E:14:B1:38:27:E0:39:4C:6C:B6:93:D4:7F:1C:6C:5F:0F:5F:EF

    Friendly Name: Server-Cert

[root@vuwunicoipam001 thing]#
Comment 13 gzcwnk 2015-09-30 20:33:38 UTC 
So I have already added a RHEL7.1 replica vuwunicoipam003 to the old RHEL6.7 master vuwunicoipam002. Moved the self-certificate to ipam003 and then upgraded ipam003 to dogtag.  What I am trying to do now is add vuwunicoipam001 to vuwunicoipam003 as a replica, and I see this failure.
Comment 14 Rob Crittenden 2015-09-30 20:50:08 UTC 
Sorry, I'm not following most of that.

You started with vuwunicoipam002 running IPA 3.0.0 on EL 6.7. You added a new master vuwunicoipam003 and used the --setup-ca option? So now both have a CA?

What do you mean by upgraded ipam003 to dogtag?

Looking at the output ds_cert.p12 really is missing the CA. There should be 1+ CA certificate, the private key and the DS server certificate. According to this output only the latter two are in the file.
Comment 15 gzcwnk 2015-09-30 21:43:40 UTC 
"You started with vuwunicoipam002 running IPA 3.0.0 on EL 6.7. You added a new master vuwunicoipam003 and used the --setup-ca option? So now both have a CA?"  

No the old one was a self-cert, no dogtag.  The new one i made self-cert then upgraded it to CA with dogtag. So now I am trying to join a replica to the upgraded server.

So it sounds like something is missing from the replica file I created. In which case sorry but this probably isnt the same bug? but a new one? or I made a mistake?
Comment 16 gzcwnk 2015-09-30 21:51:17 UTC 
"What do you mean by upgraded ipam003 to dogtag?"

I have been doing/done this,  as in RHEL6.2 I chose --self-cert and not dogtag.

"Promote a self-signed FreeIPA CA"

http://www.freeipa.org/page/Howto/Promoting_a_self-signed_FreeIPA_CA
Comment 17 Rob Crittenden 2015-10-01 19:55:47 UTC 
I'd need to see the steps on what you've done. That link applies only to < 3.2 servers and the option is gone completely in 3.3+, so as a CA the --selfsign CA is completely gone.

As for adding a dogtag instance to an existing IPA installed with --selfsign, I don't know that this has ever been done but if you've worked out a way I think we'd like to see it.
Comment 18 gzcwnk 2015-10-01 20:21:15 UTC 
RHEL 6.7 is IPA 3.0 so < 3.2

I am working with RH support, case number which I assume you can see?

https://access.redhat.com/support/cases/#/case/01502556

You have my permission to view it if that is needed.

At the moment the steps are a mess as it is in a test environment and the first go.  But once its complete I will write it up and do the entire thing again to prove it and then do it to our production.

generally though I/we are following the freeipa doc above,  ie,

http://www.freeipa.org/page/Howto/Promoting_a_self-signed_FreeIPA_CA
Comment 19 Jan Cholasta 2015-10-02 07:12:10 UTC 
I was not able to reproduce this, but even if there is no CA certificate in realm_info/dscert.p12, it still is in realm_info/ca.crt, so we should be robust enough to handle this situation.

As a workaround, you can try amending the replica file, as follows:

$ gpg --output replica-info-$HOSTNAME.tar --decrypt replica-info-$HOSTNAME.gpg
$ tar -xf replica-info-$HOSTNAME.tar

$ mkdir tmpdb
$ certutil -d tmpdb -N -f realm_info/dirsrv_pin.txt
$ certutil -d tmpdb -A -n "$REALM Certificate Authority" -t CT,C,C -a -i realm_info/ca.crt
$ pk12util -i realm_info/dscert.p12 -d tmpdb -k realm_info/dirsrv_pin.txt -w realm_info/dirsrv_pin.txt
$ pk12util -o realm_info/dscert.p12 -n Server-Cert -d tmpdb -k realm_info/dirsrv_pin.txt -w realm_info/dirsrv_pin.txt
$ rm -rf tmpdb

$ mkdir tmpdb
$ certutil -d tmpdb -N -f realm_info/http_pin.txt
$ certutil -d tmpdb -A -n "$REALM Certificate Authority" -t CT,C,C -a -i realm_info/ca.crt
$ pk12util -i realm_info/httpcert.p12 -d tmpdb -k realm_info/http_pin.txt -w realm_info/http_pin.txt
$ pk12util -o realm_info/httpcert.p12 -n Server-Cert -d tmpdb -k realm_info/http_pin.txt -w realm_info/http_pin.txt
$ rm -rf tmpdb

$ tar -cf replica-info-$HOSTNAME.tar realm_info
$ gpg --output fixed-replica-info-$HOSTNAME.gpg --symmetric replica-info-$HOSTNAME.tar

When gpg asks you for password, type in the directory manager password. The resulting fixed-replica-info-$HOSTNAME.gpg file should work with ipa-replica-install on RHEL 7.1.
Comment 20 Jan Cholasta 2015-10-02 07:14:55 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5338
Comment 21 gzcwnk 2015-10-05 01:11:08 UTC 
Went well until, 

======== 
[root@vuwunicoipam003 fix2]# certutil -d tmpdb -N -f realm_info/http_pin.txt Invalid password. 
[root@vuwunicoipam003 fix2]# 
========
Comment 22 gzcwnk 2015-10-05 01:31:24 UTC 
(In reply to gzcwnk from comment #21)
> Went well until, 
> 
> ======== 
> [root@vuwunicoipam003 fix2]# certutil -d tmpdb -N -f realm_info/http_pin.txt
> Invalid password. 
> [root@vuwunicoipam003 fix2]# 
> ========

ignore i made an error, worked fine I think.
Comment 23 gzcwnk 2015-10-05 21:03:33 UTC 
I odnt know if I did something wrong but, same failure error,

========
17/35]: configuring ssl for ds instance [error] RuntimeError: Could not find a CA cert in /tmp/tmpO3ppvFipa/realm_info/dscert.p12 
Your system may be partly configured. 
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Could not find a CA cert in /tmp/tmpO3ppvFipa/realm_info/dscert.p12 
========
Comment 24 gzcwnk 2015-10-05 21:07:33 UTC 
This was the output,


======== 
[root@vuwunicoipam001 thing]# ls -l 
total 84 drwx------. 2 root root 4096 Sep 29 15:27 
realm_info -rw-------. 1 thing thing 27817 Sep 29 15:29 
replica-info-vuwunicoipam001.ods.vuw.ac.nz.gpg -rw-r--r--. 1 root root 51200 Oct 1 09:23 replica-info-vuwunicoipam001.tar 
[root@vuwunicoipam001 thing]# gpg --output replica-info-$HOSTNAME.tar --decrypt replica-info-$HOSTNAME.gpg gpg: CAST5 encrypted data gpg: encrypted with 1 passphrase gpg: WARNING: message was not integrity protected 
[root@vuwunicoipam001 thing]# tar -xf replica-info-$HOSTNAME.tar 
[root@vuwunicoipam001 thing]# mkdir tmpdb 
[root@vuwunicoipam001 thing]# certutil -d tmpdb -N -f realm_info/dirsrv_pin.txt 
[root@vuwunicoipam001 thing]# certutil -d tmpdb -A -n "$REALM Certificate Authority" -t CT,C,C -a -i realm_info/ca.crt 
[root@vuwunicoipam001 thing]# pk12util -i realm_info/dscert.p12 -d tmpdb -k realm_info/dirsrv_pin.txt -w realm_info/dirsrv_pin.txt pk12util: PKCS12 IMPORT SUCCESSFUL 
[root@vuwunicoipam001 thing]# pk12util -o realm_info/dscert.p12 -n Server-Cert -d tmpdb -k realm_info/dirsrv_pin.txt -w realm_info/dirsrv_pin.txt pk12util: PKCS12 EXPORT SUCCESSFUL [root@vuwunicoipam001 thing]# rm -rf tmpdb 
[root@vuwunicoipam001 thing]# mkdir tmpdb 
[root@vuwunicoipam001 thing]# certutil -d tmpdb -N -f realm_info/http_pin.txt 
[root@vuwunicoipam001 thing]# certutil -d tmpdb -A -n "$REALM Certificate Authority" -t CT,C,C -a -i realm_info/ca.crt 
[root@vuwunicoipam001 thing]# pk12util -i realm_info/httpcert.p12 -d tmpdb -k realm_info/http_pin.txt -w realm_info/http_pin.txt pk12util: PKCS12 IMPORT SUCCESSFUL 
[root@vuwunicoipam001 thing]# pk12util -o realm_info/httpcert.p12 -n Server-Cert -d tmpdb -k realm_info/http_pin.txt -w realm_info/http_pin.txt pk12util: PKCS12 EXPORT SUCCESSFUL [root@vuwunicoipam001 thing]# rm -rf tmpdb 
[root@vuwunicoipam001 thing]# tar -cf replica-info-$HOSTNAME.tar realm_info 
[root@vuwunicoipam001 thing]# gpg --output fixed-replica-info-$HOSTNAME.gpg --symmetric replica-info-$HOSTNAME.tar 
[root@vuwunicoipam001 thing]# 
============
Comment 25 Jan Cholasta 2015-10-06 06:18:35 UTC 
Maybe there is something wrong with the CA cert after all. Could you please post the output of:

$ pk12util -l realm_info/dscert.p12 -w realm_info/dirsrv_pin.txt
$ openssl x509 -text -in realm_info/ca.crt

?
Comment 26 Jatin Nansi 2015-10-06 06:56:50 UTC 
Hello Jan,

User gzcwnk is Steven Jones (University of Wellington), this issue is also being worked upon in support case #01502556. The following is background information about the setup:

3 IPAv3.0 servers (ipam01 to ipam03) on RHEL6 - ipam02 installed with the --selfsign option. 01 and 03 were replicas of 02. Customer wants to move to RHEL7 with dog tag CA. 
ipa-ca-install would not run on a RHEL7 ipa replica, so we followed the steps in 
http://www.freeipa.org/page/Howto/Promoting_a_self-signed_FreeIPA_CA
to install a self sign CA on the RHEL7 IPA server and upgrade to dog tag CA with the ipa-ca-install command.


Hello Steven,
In the last output, I believe the error is because you named the CA certificate as  "$REALM Certificate Authority" when it should be named "$REALM IPA CA".

Thank you,
Jatin Nansi
APAC SEG (IDM)
Comment 27 Jan Cholasta 2015-10-06 07:48:38 UTC 
(In reply to Jatin Nansi from comment #26)
> 3 IPAv3.0 servers (ipam01 to ipam03) on RHEL6 - ipam02 installed with the
> --selfsign option. 01 and 03 were replicas of 02. Customer wants to move to
> RHEL7 with dog tag CA. 
> ipa-ca-install would not run on a RHEL7 ipa replica, so we followed the
> steps in 
> http://www.freeipa.org/page/Howto/Promoting_a_self-signed_FreeIPA_CA
> to install a self sign CA on the RHEL7 IPA server and upgrade to dog tag CA
> with the ipa-ca-install command.

This sounds wrong. First, the guide clearly states it is applicable only to IPA 3.2 or older, i.e. you can't use it on RHEL 7. Second, you can't both follow the guide and run ipa-ca-install, you have to choose one and stick to it.

> 
> 
> Hello Steven,
> In the last output, I believe the error is because you named the CA
> certificate as  "$REALM Certificate Authority" when it should be named
> "$REALM IPA CA".

This is not the issue, the name is not used to determine the CA certificate.
Comment 28 gzcwnk 2015-10-06 19:59:09 UTC 
Hi Jan,

I am following the ipa doc as it is the only upgrade path I can find for RHEL 6.7 IPA3.0 to 7.1 IPA4.1.

(Originally I build a 6.1 or 6.2RHEL IPA and at the time --self-cert was an allowed option.)

"This may be useful for example when the old FreeIPA master server is to be decommissioned and is being replaced with a new replica."  

Which is exactly what we are doing.  the doc however doesnt specify which version to, so we assumed to 7.1/ipa4.1 was OK.

However what you know suggest is we have to upgrade IPA3.0 on RHEL6.7 to a newer IPA3.x on RHEL6.7? and then upgrade to RHEL7.1?  not sure.  

What we have done is successfully is joined a 7.1/ipa4.1 replica to 6.7/3.0 --self-cert master, swapped the --self-cert and then got the new 7.1/ipa4.1 replica to run dog-tag, ergo the procedure does appear to have worked.

So what I am trying to do now is join a second 7.1/ipa4.1 replica to the original 7.1/ipa4.1 replica which is now the dogtag master, or should be.
Comment 29 gzcwnk 2015-10-06 20:06:24 UTC 
[root@vuwunicoipam001 thing]# pk12util -l realm_info/dscert.p12 -w realm_info/dirsrv_pin.txt
Key(shrouded):
    Friendly Name: Server-Cert

    Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
        Parameters:
            Salt:
                6e:ef:c1:04:3f:87:fb:4f:4c:a9:87:96:8d:7c:05:10
            Iteration Count: 2000 (0x7d0)
Certificate(has private key):
    Data:
        Version: 3 (0x2)
        Serial Number: 8 (0x8)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=ODS.VUW.AC.NZ"
        Validity:
            Not Before: Tue Sep 29 02:26:56 2015
            Not After : Fri Sep 29 02:26:56 2017
        Subject: "CN=vuwunicoipam001.ods.vuw.ac.nz,O=ODS.VUW.AC.NZ"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    dc:92:37:28:84:aa:2d:4a:f7:3b:07:84:e5:7f:de:eb:
                    59:51:91:9c:27:06:61:73:95:48:b8:fe:80:92:09:90:
                    57:14:32:9f:e8:fd:0e:21:2c:d5:75:52:f9:e2:25:e1:
                    d5:71:f0:e7:80:4a:48:66:7c:f5:47:01:0f:60:5d:dd:
                    0b:00:22:72:9c:6a:28:b6:7a:f5:5e:b2:98:e5:ef:11:
                    8b:26:e3:67:e9:3c:39:f7:89:ff:ec:9f:e1:3f:d0:a5:
                    ab:c7:d5:7d:8a:d1:30:39:85:69:f3:a6:b2:96:6b:c0:
                    30:06:03:f6:60:b0:78:a0:51:74:07:49:a1:fc:a9:bc:
                    b2:e4:c0:08:f3:07:9e:4a:37:f0:e1:2a:72:65:d4:4d:
                    59:0d:7c:be:80:50:36:66:c0:2c:02:1e:ed:ef:15:04:
                    b1:30:6b:e3:eb:62:3d:29:e3:a1:49:ff:fc:80:9f:20:
                    3a:46:83:77:8d:84:c3:86:b1:f6:20:3a:24:7f:98:74:
                    b2:2f:70:24:8a:e5:d2:b4:99:f8:da:b1:1f:e4:d0:6c:
                    a5:69:58:71:3f:9a:d8:f7:be:51:8a:5d:08:a4:4f:d9:
                    d1:dd:08:0c:90:80:59:47:09:81:db:7a:1f:fd:71:86:
                    ec:04:6b:ae:2c:64:68:a6:1d:c7:25:ff:3a:09:a5:09
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                eb:51:de:2a:c7:78:6a:3e:ab:67:79:22:8b:d7:49:fa:
                9e:67:f4:15

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://ipa-ca.ods.vuw.ac.nz/ca/ocsp"

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Non-Repudiation
                    Key Encipherment
                    Data Encipherment

            Name: Extended Key Usage
                TLS Web Server Authentication Certificate
                TLS Web Client Authentication Certificate

            Name: CRL Distribution Points
            Distribution point:
                URI: "http://ipa-ca.ods.vuw.ac.nz/ipa/crl/MasterCRL.bin"
                CRL issuer: 
                    Directory Name: "CN=Certificate Authority,O=ipaca"

            Name: Certificate Subject Key ID
            Data:
                a0:8a:f1:71:96:c1:1d:7b:71:cf:17:05:9a:27:4b:11:
                b3:11:74:17

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        a1:f5:97:00:ea:da:e3:ee:61:e0:4a:5f:f2:af:d7:4a:
        e5:eb:00:58:fc:60:57:00:1e:f5:d7:6a:b8:87:85:fc:
        88:b7:79:5f:25:d7:40:89:c3:5f:ab:83:38:9f:c3:fb:
        64:0c:7c:d8:ba:2c:5d:15:4a:f3:ea:1b:45:01:a5:00:
        8a:54:f6:62:3f:2b:e2:ee:b9:d4:fc:71:80:fd:52:8b:
        84:80:d8:76:fd:4a:f4:f8:7f:7d:0a:7a:51:48:b5:3a:
        01:3e:f4:0c:77:cd:18:c0:48:00:b1:3d:11:7b:13:fc:
        34:03:92:0c:0b:24:4c:53:67:8b:97:ab:eb:f1:53:9f:
        0f:68:86:22:7c:1b:ef:de:f8:6d:af:e1:2d:d2:04:79:
        02:43:84:99:0d:da:39:17:3d:3f:47:dd:7c:6c:f4:c1:
        59:c8:68:48:80:4f:63:34:40:a2:02:c2:42:c0:56:9b:
        52:6c:44:7c:3c:1c:01:50:f5:1d:70:0e:f1:28:15:bc:
        ea:40:26:18:f3:bc:91:0a:6e:a0:2d:61:08:31:6a:e6:
        29:ad:be:0b:a8:9b:a1:e5:9f:77:8e:fc:47:82:73:ba:
        a9:15:d7:da:57:cb:85:3a:b3:b5:ed:bb:84:cd:dd:cb:
        ec:4a:15:ad:c3:b7:6d:f0:9e:0c:8e:03:a2:a3:3d:a0
    Fingerprint (SHA-256):
        F6:35:43:FC:AA:88:B6:3F:0D:25:78:40:52:14:F7:EC:8C:CE:36:19:55:44:3F:D2:CD:2F:4F:4A:7F:C6:E2:E6
    Fingerprint (SHA1):
        95:5E:14:B1:38:27:E0:39:4C:6C:B6:93:D4:7F:1C:6C:5F:0F:5F:EF

    Friendly Name: Server-Cert

[root@vuwunicoipam001 thing]# openssl x509 -text -in realm_info/ca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1000 (0x3e8)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=ODS.VUW.AC.NZ Certificate Authority
        Validity
            Not Before: Mar 20 00:25:53 2012 GMT
            Not After : Mar 20 00:25:53 2022 GMT
        Subject: CN=ODS.VUW.AC.NZ Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:cd:c1:30:47:e3:64:bb:5b:c1:d4:27:c2:c4:d2:
                    bc:ee:0d:18:91:f8:3f:95:b9:b9:f1:fe:38:5c:7e:
                    7a:00:d8:5a:ce:97:f3:08:21:33:56:5e:1a:af:26:
                    4a:5d:ef:a7:e8:3b:f3:16:1e:bc:61:dd:bc:36:76:
                    95:79:18:08:61:bf:b1:bc:4d:7b:a7:e8:78:25:20:
                    43:94:00:a8:5a:fe:43:98:1e:b7:6c:04:a5:27:d3:
                    cd:20:d7:f0:4e:2f:b0:1a:43:f2:cd:62:a8:0d:88:
                    08:a2:83:e3:1d:50:43:69:c5:0e:f5:a5:05:66:b7:
                    10:88:d5:77:bf:32:af:df:1d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type: 
                SSL CA, S/MIME CA, Object Signing CA
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Certificate Sign
    Signature Algorithm: sha1WithRSAEncryption
         84:db:ee:5b:53:db:1e:c8:88:32:17:d7:23:d4:a1:4c:fc:74:
         bf:b4:db:35:9e:76:3e:03:ff:5b:0d:d2:48:71:f5:e9:48:27:
         70:2c:c5:8c:e3:b3:2f:87:65:b4:d2:20:e7:cd:6a:a3:ac:3a:
         1e:6d:87:0c:3a:a5:71:6c:c1:e8:f9:b7:9c:92:d7:be:05:47:
         64:57:6b:ec:1c:ee:9d:f8:4e:dd:d1:c3:c7:8a:78:81:1f:c6:
         8d:89:7f:51:4e:97:a7:8e:cf:80:38:45:b4:ce:12:66:8c:60:
         b5:8d:17:b5:ad:43:92:44:56:45:79:b1:71:56:e3:2c:1a:e9:
         94:4e
-----BEGIN CERTIFICATE-----
MIICCTCCAXKgAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAwLjEsMCoGA1UEAxMjT0RT
LlZVVy5BQy5OWiBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTIwMzIwMDAyNTUz
WhcNMjIwMzIwMDAyNTUzWjAuMSwwKgYDVQQDEyNPRFMuVlVXLkFDLk5aIENlcnRp
ZmljYXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAzcEw
R+Nku1vB1CfCxNK87g0Ykfg/lbm58f44XH56ANhazpfzCCEzVl4aryZKXe+n6Dvz
Fh68Yd28NnaVeRgIYb+xvE17p+h4JSBDlACoWv5DmB63bASlJ9PNINfwTi+wGkPy
zWKoDYgIooPjHVBDacUO9aUFZrcQiNV3vzKv3x0CAwEAAaM2MDQwEQYJYIZIAYb4
QgEBBAQDAgAHMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgLEMA0GCSqG
SIb3DQEBBQUAA4GBAITb7ltT2x7IiDIX1yPUoUz8dL+02zWedj4D/1sN0khx9elI
J3AsxYzjsy+HZbTSIOfNaqOsOh5thww6pXFswej5t5yS174FR2RXa+wc7p34Tt3R
w8eKeIEfxo2Jf1FOl6eOz4A4RbTOEmaMYLWNF7WtQ5JEVkV5sXFW4ywa6ZRO
-----END CERTIFICATE-----
[root@vuwunicoipam001 thing]#
Comment 30 gzcwnk 2015-10-06 20:24:51 UTC 
Hi,

maybe this will help,


So the first stage as per doc went well I/we think,


    ipa002(RHEL6.7/IPA3.0)--self-cert
         /
        /
ipa003(RHEL7.1/IPA4.1)-dog-tag

==================

Dog-tag looks to be running, we have replication.

======
[root@vuwunicoipam003 thing]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@vuwunicoipam003 thing]#
======

so the second stage is now,

==================


    ipa002(RHEL6.7/IPA3.0)--self-cert
         /
        /
ipa003(RHEL7.1/IPA4.1)-dog-tag-master
        \
         \
     ipa001(RHEL7.1/IPA4.1) replica

My problem is I cannot join the second 7.1/IPA4.1 replica to the new RHEL7.1/4.1 "master"  yet this should be trivial.....
Comment 31 Rob Crittenden 2015-10-06 20:58:47 UTC 
The CA certificate provided isn't the issuer for the 389-ds Server certificate here. pk12util will automatically add in any chain required and available when creating a PKCS#12 file. 

If memory serves you've included the self-sign CA here and not the new dogtag-generated CA certificate, at least based on the subject format.
Comment 32 gzcwnk 2015-10-06 21:15:43 UTC 
Ok, so we have a mis-config on the new 7.1/IPA4.1 still?

So not being very good with this it sounds like we need to swap a cert out still?

All I did was do a replica-prepare for ipa001 on ipa003.
Comment 33 Rob Crittenden 2015-10-06 21:27:21 UTC 
Hard to say because I have no idea where you got that CA certificate. The right one exists somewhere, I presume on the upgraded servers assuming they have certificates issued from it.

The self-sign CA has a subject format of 'cn=$REALM Certificate Authority' and a dogtag-issued CA has a subject format of 'cn=Certificate Authority, o=$REALM'

The certificates in the prepared file sure look like they were issued by the dogtag CA.

Were I to guess /etc/ipa/ca.crt still contains the self-sign CA. You can confirm with: openssl x509 -text -in /etc/ipa/ca.crt |grep Subject:

I'd save a copy of that and replace it with:

# ipa cert-show --out /etc/ipa/ca.crt 1

Then re-create a prepare file, break it apart as discussed earlier and confirm that there are 2 certs and 1 private key in the PKCS#12 file. If there isn't there is no point in trying the install again as it will fail in the same way. If the both are there then I'd give the install another go.
Comment 34 Jatin Nansi 2015-10-07 06:37:58 UTC 
Hello Steven,

Can you attach the output of the following as a text files here:
pk12util -l realm_info/cacert.p12
openssl x509 -in realm_info/ca.crt -text

Where realm_info is the directory that was extracted from the replica information gpg tarball.

Thank you,
Jatin
Comment 35 gzcwnk 2015-10-07 20:03:01 UTC 
[root@vuwunicoipam001 thing]# pk12util -l realm_info/cacert.p12
Enter password for PKCS12 file: 
Certificate(has private key):
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=ODS.VUW.AC.NZ"
        Validity:
            Not Before: Mon Sep 28 23:59:31 2015
            Not After : Sun Sep 17 23:59:31 2017
        Subject: "CN=OCSP Subsystem,O=ODS.VUW.AC.NZ"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    b1:10:a6:0c:09:79:44:79:8d:27:e5:52:66:d8:c2:41:
                    b8:90:28:21:28:30:9c:1e:89:59:a9:2b:62:31:ae:ce:
                    bc:1a:eb:97:d4:0a:f0:71:20:6c:52:bd:bf:77:92:e9:
                    19:72:83:da:80:c4:ba:38:a8:e4:f8:88:8f:c6:38:0c:
                    90:9b:f2:9a:bf:2f:a1:e1:86:a0:66:71:c6:41:b9:a3:
                    37:44:46:3d:ab:f3:45:00:fe:d8:2e:c2:83:e1:49:0d:
                    51:8c:9d:85:fc:62:1a:d5:a4:05:2b:5e:45:ed:44:56:
                    33:70:92:42:4c:14:af:41:52:4c:79:d1:99:3d:30:1f:
                    95:7b:af:28:1d:a2:40:4a:42:b3:8b:b1:d0:5b:14:a9:
                    57:2b:13:71:3a:90:a7:20:36:64:ef:ac:5f:82:99:00:
                    be:b8:38:98:fd:6d:cb:d0:8d:34:82:78:b0:3f:98:16:
                    60:6a:d2:c1:3a:36:64:bd:6b:ac:5d:47:1f:0a:3e:4a:
                    5a:37:24:6b:55:fe:cc:dd:09:11:02:a1:7c:e1:99:6e:
                    97:a9:4c:bb:9f:c0:52:e8:20:f4:e9:aa:42:cc:d5:fa:
                    35:af:36:a0:c5:9d:65:f9:04:ad:1e:92:2d:97:a2:8f:
                    3c:c8:fa:b2:05:12:6e:68:f1:84:39:a7:e5:8f:e0:ed
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                eb:51:de:2a:c7:78:6a:3e:ab:67:79:22:8b:d7:49:fa:
                9e:67:f4:15

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Non-Repudiation
                    Certificate Signing
                    CRL Signing

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://vuwunicoipam003.ods.vuw.ac.nz:80/ca/ocsp"

            Name: Extended Key Usage
                OCSP Responder Certificate

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        53:ae:de:83:8d:cd:4a:d2:7d:36:83:ae:5f:8b:b5:41:
        90:50:6c:dc:ed:a8:4a:20:7b:c5:7d:2e:0f:09:ac:3c:
        2f:e5:ad:50:56:c2:6a:a0:44:1a:09:6a:4b:3c:5d:86:
        a2:9c:4f:62:6e:a9:63:fc:32:fe:d2:46:b6:2e:f8:1b:
        12:69:6e:31:03:68:9a:cc:fa:5e:08:8f:a8:1a:bd:9b:
        75:8a:d0:68:27:0d:f0:85:6b:03:8d:b3:6d:39:01:fe:
        dc:f5:bd:73:de:64:ce:74:fd:a6:2d:4f:60:b9:49:2f:
        d2:66:39:50:b6:e1:5e:11:9e:4e:b7:66:8e:c7:cd:93:
        08:d6:2c:92:26:65:8a:b5:63:5c:61:e6:9a:2e:60:e7:
        ad:c3:55:a7:ce:bf:d0:5d:4f:19:b4:33:1b:da:ea:03:
        5a:31:9b:d2:8f:49:fa:e6:99:6a:68:ad:9b:97:ea:f8:
        55:64:49:7f:e2:fa:d7:a6:ff:41:b7:8e:b7:44:2c:d9:
        a7:64:ec:8d:b2:5d:80:6c:e5:94:df:95:8a:5b:a3:c9:
        a4:61:3c:ce:84:69:5a:5c:6f:f1:ff:89:61:ba:38:3b:
        b2:5b:a8:a0:18:cb:62:73:0b:57:8f:4b:00:aa:03:2f:
        61:ee:80:4f:de:83:1b:df:4f:72:05:67:db:98:bc:81
    Fingerprint (SHA-256):
        36:AC:C0:E2:2B:D5:37:48:8E:E2:CA:A8:C0:7B:41:07:D2:6C:FE:29:9E:90:47:4D:D1:E9:C4:D7:F7:B6:35:60
    Fingerprint (SHA1):
        F1:00:5A:82:99:18:A9:1B:42:35:31:F7:7B:56:90:67:94:73:16:AB

    Friendly Name: ocspSigningCert cert-pki-ca

Certificate(has private key):
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=ODS.VUW.AC.NZ"
        Validity:
            Not Before: Mon Sep 28 23:59:32 2015
            Not After : Sun Sep 17 23:59:32 2017
        Subject: "CN=CA Subsystem,O=ODS.VUW.AC.NZ"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    9b:0b:5a:9f:19:e2:3f:50:ef:07:1a:56:24:4b:40:a3:
                    0f:e2:66:b6:fb:c8:cb:3c:e4:0d:16:f3:fa:0f:cc:ac:
                    d0:27:43:46:2f:01:33:ad:3d:60:bb:16:b1:92:00:06:
                    5b:a6:e8:75:c8:99:42:c0:27:f4:d1:50:c3:ab:04:6c:
                    a2:52:5a:bb:6b:71:e2:3f:c3:b7:a2:a8:37:b5:d4:55:
                    15:b0:0c:60:ce:6e:4f:8e:bf:5b:5e:3e:98:f3:91:f8:
                    b3:19:cb:f3:df:41:e5:39:de:c7:25:ff:8f:ac:c4:3c:
                    bb:77:0c:5b:a2:ec:46:b1:86:f5:ef:18:70:99:73:cb:
                    f3:2a:e7:93:c6:6e:82:85:05:0d:73:4b:08:c6:b0:bc:
                    75:2f:64:16:38:e9:21:90:e5:cf:1c:7f:2e:cb:8e:21:
                    33:66:05:22:87:d4:28:c7:f4:14:86:fd:fd:9e:51:07:
                    97:f3:de:d8:65:b9:ed:24:21:48:07:46:33:1f:c5:45:
                    1d:d8:96:ca:5a:48:a1:43:80:fe:0b:0a:e7:a7:cd:1e:
                    1d:f4:df:58:b5:56:6c:4a:56:2f:d9:2b:bb:09:08:b2:
                    16:fb:26:85:6c:e6:06:43:b8:92:a9:78:f5:25:ab:cf:
                    38:ca:d3:3e:a0:ab:78:0d:55:31:3b:48:d2:10:9d:cb
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                eb:51:de:2a:c7:78:6a:3e:ab:67:79:22:8b:d7:49:fa:
                9e:67:f4:15

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://vuwunicoipam003.ods.vuw.ac.nz:80/ca/ocsp"

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Non-Repudiation
                    Key Encipherment
                    Data Encipherment

            Name: Extended Key Usage
                TLS Web Server Authentication Certificate
                TLS Web Client Authentication Certificate

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        78:62:0b:e1:8a:81:9c:d7:f4:0b:e8:2e:02:fa:53:a7:
        8a:4a:ef:8c:39:fb:63:bb:e9:bb:6a:21:9e:3b:7d:4d:
        d4:fd:cb:40:af:e7:5f:73:00:3d:02:59:8c:b4:ae:21:
        1f:8e:d3:a8:f6:a7:dc:45:9b:6f:72:aa:ba:43:b3:cc:
        74:a9:fa:38:9c:f4:42:d6:4e:57:63:5b:9c:44:22:03:
        c5:c1:8f:6d:8f:e4:68:08:80:c0:3f:42:9d:b0:1f:a2:
        23:3e:8f:02:2f:cd:b1:11:b3:a6:78:ed:11:15:eb:a5:
        54:b0:b2:8c:ab:46:06:9d:52:68:c4:f5:88:02:bc:16:
        71:29:52:39:32:ea:64:e7:b1:bc:6f:09:e0:5d:98:19:
        47:17:87:48:ea:ee:83:54:24:57:9e:82:3a:3b:c2:61:
        eb:1c:0d:c3:d5:11:8b:29:28:ce:ee:09:de:32:e6:aa:
        1f:4d:b9:0c:cc:a4:1d:0d:80:53:d7:0c:73:d1:c9:ab:
        18:1a:dd:68:78:a6:6d:3c:94:ff:d2:01:86:ec:cb:2a:
        cf:0c:ac:19:11:da:77:03:6f:6d:9a:f4:63:43:12:b7:
        bd:29:ab:4b:92:6a:97:cf:d5:e4:09:ba:90:57:a9:0e:
        8f:31:f4:4d:b1:ec:38:36:2e:c9:35:7b:a3:f7:e2:41
    Fingerprint (SHA-256):
        E3:47:79:E3:3B:64:34:18:96:4C:58:D2:13:69:94:6C:70:9B:57:D5:C8:90:6A:56:E7:5F:AE:B8:D7:F3:96:42
    Fingerprint (SHA1):
        41:E6:A3:C2:F1:2A:18:FF:67:A4:48:46:48:42:CA:0F:5D:DA:B9:66

    Friendly Name: subsystemCert cert-pki-ca

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1000 (0x3e8)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=ODS.VUW.AC.NZ Certificate Authority"
        Validity:
            Not Before: Tue Mar 20 00:25:53 2012
            Not After : Sun Mar 20 00:25:53 2022
        Subject: "CN=ODS.VUW.AC.NZ Certificate Authority"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    cd:c1:30:47:e3:64:bb:5b:c1:d4:27:c2:c4:d2:bc:ee:
                    0d:18:91:f8:3f:95:b9:b9:f1:fe:38:5c:7e:7a:00:d8:
                    5a:ce:97:f3:08:21:33:56:5e:1a:af:26:4a:5d:ef:a7:
                    e8:3b:f3:16:1e:bc:61:dd:bc:36:76:95:79:18:08:61:
                    bf:b1:bc:4d:7b:a7:e8:78:25:20:43:94:00:a8:5a:fe:
                    43:98:1e:b7:6c:04:a5:27:d3:cd:20:d7:f0:4e:2f:b0:
                    1a:43:f2:cd:62:a8:0d:88:08:a2:83:e3:1d:50:43:69:
                    c5:0e:f5:a5:05:66:b7:10:88:d5:77:bf:32:af:df:1d
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Type
            Data: <SSL CA,S/MIME CA,ObjectSigning CA>

            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with no maximum path length.

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Non-Repudiation
                    Certificate Signing

    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        84:db:ee:5b:53:db:1e:c8:88:32:17:d7:23:d4:a1:4c:
        fc:74:bf:b4:db:35:9e:76:3e:03:ff:5b:0d:d2:48:71:
        f5:e9:48:27:70:2c:c5:8c:e3:b3:2f:87:65:b4:d2:20:
        e7:cd:6a:a3:ac:3a:1e:6d:87:0c:3a:a5:71:6c:c1:e8:
        f9:b7:9c:92:d7:be:05:47:64:57:6b:ec:1c:ee:9d:f8:
        4e:dd:d1:c3:c7:8a:78:81:1f:c6:8d:89:7f:51:4e:97:
        a7:8e:cf:80:38:45:b4:ce:12:66:8c:60:b5:8d:17:b5:
        ad:43:92:44:56:45:79:b1:71:56:e3:2c:1a:e9:94:4e
    Fingerprint (SHA-256):
        1D:7A:94:C6:9F:9F:3C:B7:1F:63:A2:F9:D8:5E:99:A6:AC:5D:32:F6:15:8E:F0:F7:F6:4D:15:BF:DC:38:02:96
    Fingerprint (SHA1):
        DC:B3:C0:91:6E:C9:42:A7:54:26:57:5E:B7:91:38:A5:B6:64:A2:BB

Certificate(has private key):
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=ODS.VUW.AC.NZ"
        Validity:
            Not Before: Mon Sep 28 23:59:30 2015
            Not After : Fri Sep 28 23:59:30 2035
        Subject: "CN=Certificate Authority,O=ODS.VUW.AC.NZ"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    dc:b6:37:db:18:e1:50:ff:4a:af:74:da:1a:58:8f:41:
                    7e:35:74:bf:da:11:37:30:40:46:19:40:6d:61:02:4d:
                    a1:a8:45:77:85:05:91:3e:d7:64:4a:b4:12:6f:2e:11:
                    15:e2:46:bb:b8:9e:7b:60:03:3e:07:37:9b:ef:a4:92:
                    56:f7:63:2d:62:98:d0:13:23:7f:d1:d9:b1:20:50:ae:
                    79:32:38:ea:56:c0:4b:20:9e:51:77:72:35:43:72:d0:
                    e9:a1:95:da:4a:71:3b:15:52:cc:b6:6e:04:db:50:6f:
                    0c:0e:60:36:d2:8d:c1:74:9f:76:58:fc:f4:f3:60:49:
                    3a:53:8e:25:c3:a5:33:3d:22:89:c3:7f:a5:c2:b7:86:
                    23:eb:14:a7:64:c7:66:69:14:33:20:a6:23:f8:e6:c7:
                    c9:8c:99:ae:60:6d:51:21:40:7b:63:10:6a:91:73:22:
                    96:fd:c9:2d:3d:1c:09:52:89:75:56:e3:b9:70:22:ed:
                    9f:e5:30:b9:1f:81:9c:41:51:6b:4d:f8:91:2d:fb:37:
                    f5:f6:26:66:74:2d:1f:9d:7f:ba:f3:32:36:34:48:88:
                    db:73:f0:bf:7f:2a:10:6e:5c:fc:54:80:04:cc:fb:00:
                    9a:97:7c:60:98:ca:c9:49:95:ec:ef:cd:e8:d4:3f:8b
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                eb:51:de:2a:c7:78:6a:3e:ab:67:79:22:8b:d7:49:fa:
                9e:67:f4:15

            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with no maximum path length.

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Non-Repudiation
                    Certificate Signing
                    CRL Signing

            Name: Certificate Subject Key ID
            Data:
                eb:51:de:2a:c7:78:6a:3e:ab:67:79:22:8b:d7:49:fa:
                9e:67:f4:15

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://vuwunicoipam003.ods.vuw.ac.nz:80/ca/ocsp"

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        4f:0f:02:64:17:d1:d3:e1:55:ce:8d:75:dc:72:64:dd:
        65:e6:3a:32:b4:8d:45:9e:97:f5:f2:ae:3a:7f:a9:30:
        bc:f9:76:84:d9:b5:97:60:b9:cc:a8:f5:99:ae:4a:e5:
        72:30:8d:e4:71:0f:b6:bc:16:8b:98:ee:97:c6:3e:b0:
        89:4e:c6:b1:ed:ca:bd:db:56:81:f0:b2:4d:47:a1:04:
        8c:9c:b5:06:b5:ce:a3:a3:ea:23:bc:43:66:83:87:26:
        98:1e:02:91:aa:0d:63:c9:69:96:4d:6f:08:14:f1:ca:
        a7:c6:9d:1b:6f:7f:fb:f1:b3:ea:49:77:14:ff:b3:dd:
        f1:02:7d:4f:9e:2d:e3:96:8f:45:a8:6d:f9:5f:59:77:
        dd:b0:91:94:e6:ab:66:29:2d:3d:1f:d4:52:6f:fa:24:
        76:cf:f8:c5:f3:68:0e:8b:cf:83:d8:67:f8:48:70:a7:
        37:a7:a1:10:83:a9:89:b7:7b:dc:db:9b:51:f1:38:8f:
        a4:fe:02:18:62:b6:51:d2:28:83:fa:05:fd:6c:ba:63:
        45:cf:a3:6e:57:75:ee:f9:3e:9c:cc:bd:d9:1c:7c:b1:
        46:45:bb:c1:b2:0b:ea:2f:82:a2:8c:35:dc:5c:53:c6:
        7d:cf:a5:34:21:e7:97:3e:d4:aa:de:18:77:42:bb:18
    Fingerprint (SHA-256):
        DF:C1:83:36:AD:05:66:B3:68:26:F4:AD:AC:EF:2B:E3:F7:E1:B6:8A:2B:13:F2:4A:09:13:1D:F3:28:FE:7D:4F
    Fingerprint (SHA1):
        63:68:08:FE:24:2A:B4:D7:11:98:C7:D4:2F:0B:43:32:4F:FD:11:F5

    Friendly Name: caSigningCert cert-pki-ca

Certificate(has private key):
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=ODS.VUW.AC.NZ"
        Validity:
            Not Before: Mon Sep 28 23:59:31 2015
            Not After : Sun Sep 17 23:59:31 2017
        Subject: "CN=vuwunicoipam003.ods.vuw.ac.nz,O=ODS.VUW.AC.NZ"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    db:72:55:dc:83:50:44:b5:20:d3:f5:f1:d6:a8:05:41:
                    4d:36:07:42:0c:25:28:6b:d8:7f:09:8f:d5:a8:fe:68:
                    57:18:67:6e:41:d5:78:38:47:ab:7b:69:71:d7:dd:8b:
                    f0:d5:f0:54:7e:61:15:14:d2:56:a9:2d:51:7c:7e:7d:
                    8b:0d:df:eb:04:10:2b:1d:bd:e9:a8:e1:a9:c0:fc:5f:
                    ca:22:53:83:c3:12:68:61:ea:34:c4:8d:92:3d:33:83:
                    4b:fb:7f:b3:45:aa:c8:4d:d8:e2:79:ac:02:1b:dd:ba:
                    27:9c:b4:a9:be:b0:e4:ad:6e:f8:d1:6f:6e:09:c6:08:
                    21:e6:5b:2a:7a:0c:3d:da:62:4b:e3:f4:d8:b0:8f:a2:
                    8c:4d:88:20:6a:e7:ef:a3:df:b4:39:db:d3:bf:cb:15:
                    24:7b:ea:1e:c2:8d:49:53:b1:16:bd:d8:0c:65:3d:3b:
                    ed:96:c0:7a:7c:4f:99:0c:a5:9b:1b:ed:d9:e0:5e:9a:
                    61:7e:99:e6:72:4d:a2:9b:d3:cb:29:08:ff:8d:1d:e8:
                    99:cb:f1:03:e3:32:d4:62:18:c3:ce:24:98:35:53:14:
                    0a:80:72:31:fc:94:aa:e6:a8:2b:a8:a8:7b:d3:f7:62:
                    e1:27:52:89:ec:dc:d6:a8:50:5f:d7:5b:2e:1b:96:5f
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                eb:51:de:2a:c7:78:6a:3e:ab:67:79:22:8b:d7:49:fa:
                9e:67:f4:15

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://vuwunicoipam003.ods.vuw.ac.nz:80/ca/ocsp"

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Non-Repudiation
                    Key Encipherment
                    Data Encipherment

            Name: Extended Key Usage
                TLS Web Server Authentication Certificate

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        0e:c6:46:35:5d:f5:aa:3a:3f:e5:71:e8:a3:18:59:a3:
        97:cc:d6:bc:47:7f:3b:61:df:b7:43:69:db:6a:7e:44:
        9b:9d:79:60:68:cc:9f:27:48:5f:8e:5f:ad:a4:e4:90:
        36:55:8f:01:d5:ee:e9:23:81:f5:93:67:ab:47:bd:f7:
        45:25:11:41:88:8b:88:0b:ea:d7:39:aa:f1:9e:b6:ee:
        c2:d1:e6:40:8e:0a:b0:1d:cf:50:63:be:34:9d:cb:aa:
        16:7f:f8:9c:a4:2c:6a:e4:38:26:b9:89:a3:5b:19:a8:
        73:75:76:d4:b1:05:c5:0b:d8:70:07:18:82:ec:76:c4:
        97:18:a5:3d:4a:65:7f:24:21:97:96:1f:41:79:3a:49:
        d9:77:6f:5c:d8:37:a2:85:16:21:b8:8a:ae:34:9a:3a:
        20:e2:a4:0b:05:93:d3:c3:d1:24:ad:03:0c:fa:d1:b6:
        7b:6f:4e:9c:f7:f6:d7:f6:de:2e:39:a2:55:32:a2:a8:
        17:a7:06:77:bb:ef:b5:2a:f5:1d:fe:ee:78:a7:de:35:
        71:ac:6b:c7:8c:7c:08:66:3b:95:c1:65:02:3c:4e:6b:
        f9:7c:e1:6a:e9:64:a8:2b:f0:2d:df:96:aa:7c:50:2a:
        c9:ec:7d:9e:71:8a:2a:b2:00:61:19:74:17:cb:1f:0a
    Fingerprint (SHA-256):
        A2:45:B2:ED:95:AE:C5:54:F7:05:00:3E:B7:37:49:FB:27:27:4A:FA:BE:EF:43:36:44:82:B5:62:58:4D:E4:91
    Fingerprint (SHA1):
        FF:4B:F9:BB:C8:36:E5:08:01:D1:4E:20:3C:75:35:0A:00:B2:57:DD

    Friendly Name: Server-Cert cert-pki-ca

Certificate(has private key):
    Data:
        Version: 3 (0x2)
        Serial Number: 5 (0x5)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=ODS.VUW.AC.NZ"
        Validity:
            Not Before: Mon Sep 28 23:59:33 2015
            Not After : Sun Sep 17 23:59:33 2017
        Subject: "CN=CA Audit,O=ODS.VUW.AC.NZ"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    b3:39:e8:07:d7:25:3a:ca:10:45:6f:c4:07:19:6f:87:
                    8d:36:6f:ba:1d:90:27:3a:22:cc:6c:8e:ef:54:5b:24:
                    de:b7:ef:78:c8:3b:fc:aa:4c:bc:36:c3:61:9a:08:14:
                    fb:d1:a4:b5:94:1e:d5:f7:fe:c2:6b:45:fb:0b:a6:9f:
                    48:7c:47:be:2a:33:47:b1:6d:85:d6:ae:3d:ce:a6:82:
                    f8:8f:be:aa:b6:1a:5b:1b:89:12:50:5f:a9:c3:59:39:
                    b9:de:57:d4:83:f6:66:f5:68:ff:d5:a3:df:64:6f:7b:
                    6e:8a:cd:f1:d3:c6:ca:0d:06:0c:91:e4:65:8b:a2:f0:
                    05:43:bc:65:36:0b:e3:48:d4:82:47:76:96:58:7b:5f:
                    96:fc:d8:8b:32:f0:eb:f3:92:b4:4a:15:45:ea:dc:96:
                    a4:ab:60:f3:77:4a:18:4c:73:09:e7:a1:30:4f:e9:d8:
                    f1:94:28:37:61:fb:af:8c:a0:88:25:00:73:4e:14:d4:
                    5d:c7:48:68:82:0c:3c:22:3e:9a:40:d6:eb:2c:aa:54:
                    3f:f7:ea:5b:23:ec:41:43:8c:2e:a5:bf:59:f3:17:e1:
                    62:83:33:1f:32:69:60:4d:28:7f:34:73:8c:6b:5f:58:
                    f2:73:79:0a:29:3e:ae:90:df:30:e1:d1:36:ee:86:b3
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                eb:51:de:2a:c7:78:6a:3e:ab:67:79:22:8b:d7:49:fa:
                9e:67:f4:15

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Non-Repudiation

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://vuwunicoipam003.ods.vuw.ac.nz:80/ca/ocsp"

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        d8:89:4d:f9:59:8f:c3:33:88:fd:e2:5d:3b:b8:ed:07:
        3e:74:7b:fe:03:02:db:cb:0d:43:21:a2:55:4d:2f:b5:
        cf:d8:3f:ba:df:d5:da:2c:a3:10:50:03:c3:04:a6:17:
        03:9d:50:b3:01:5b:34:0a:be:89:b3:8a:f3:12:f6:7a:
        98:56:1b:9e:7c:31:5a:69:5e:bb:ad:66:72:17:ad:9f:
        1c:83:9e:a6:65:33:24:41:4b:0e:81:21:70:6c:b1:4f:
        0a:60:3b:c6:5f:0b:a8:b9:b2:69:1c:ec:23:13:5e:30:
        e5:9e:77:b1:ae:e8:c9:9b:11:14:9b:7a:34:42:bf:99:
        64:6b:09:7b:83:20:5a:89:25:bf:1e:b6:dc:8e:88:ee:
        ab:2b:2f:b9:d0:7d:fa:8a:80:d3:f2:19:6a:6e:5d:f5:
        a8:6d:71:52:03:f6:09:0d:24:06:62:92:0d:36:a6:37:
        68:5d:98:45:a7:53:96:6e:80:5d:02:86:57:96:a9:5d:
        27:21:94:e6:b6:bb:73:82:e1:61:b8:2e:87:98:6a:65:
        c3:6a:b4:23:e2:19:28:3b:30:d0:36:fd:cb:e1:27:2b:
        f2:ad:fa:c0:e4:9c:9d:11:34:e9:2d:43:78:fb:b4:e8:
        b2:78:6c:e7:89:e4:68:06:e8:a4:d1:68:f5:54:6d:41
    Fingerprint (SHA-256):
        7C:EA:BB:16:CD:AC:C2:5A:8A:6E:05:E4:11:DC:F3:C9:A0:55:B3:C7:21:A5:A7:3E:5D:A5:E5:19:25:3C:0A:43
    Fingerprint (SHA1):
        62:C3:41:54:4F:76:23:40:86:9A:18:D7:B5:EA:ED:FF:63:7F:3D:03

    Friendly Name: auditSigningCert cert-pki-ca

Key(shrouded):
    Friendly Name: CN=OCSP Subsystem,O=ODS.VUW.AC.NZ

    Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
        Parameters:
            Salt:
                01:01:01:01
            Iteration Count: 1 (0x1)
Key(shrouded):
    Friendly Name: CN=CA Subsystem,O=ODS.VUW.AC.NZ

    Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
        Parameters:
            Salt:
                01:01:01:01
            Iteration Count: 1 (0x1)
Key(shrouded):
    Friendly Name: CN=Certificate Authority,O=ODS.VUW.AC.NZ

    Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
        Parameters:
            Salt:
                01:01:01:01
            Iteration Count: 1 (0x1)
Key(shrouded):
    Friendly Name: CN=vuwunicoipam003.ods.vuw.ac.nz,O=ODS.VUW.AC.NZ

    Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
        Parameters:
            Salt:
                01:01:01:01
            Iteration Count: 1 (0x1)
Key(shrouded):
    Friendly Name: CN=CA Audit,O=ODS.VUW.AC.NZ

    Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
        Parameters:
            Salt:
                01:01:01:01
            Iteration Count: 1 (0x1)
[root@vuwunicoipam001 thing]#
Comment 36 gzcwnk 2015-10-07 20:04:04 UTC 
[root@vuwunicoipam001 thing]# openssl x509 -in realm_info/ca.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1000 (0x3e8)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=ODS.VUW.AC.NZ Certificate Authority
        Validity
            Not Before: Mar 20 00:25:53 2012 GMT
            Not After : Mar 20 00:25:53 2022 GMT
        Subject: CN=ODS.VUW.AC.NZ Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:cd:c1:30:47:e3:64:bb:5b:c1:d4:27:c2:c4:d2:
                    bc:ee:0d:18:91:f8:3f:95:b9:b9:f1:fe:38:5c:7e:
                    7a:00:d8:5a:ce:97:f3:08:21:33:56:5e:1a:af:26:
                    4a:5d:ef:a7:e8:3b:f3:16:1e:bc:61:dd:bc:36:76:
                    95:79:18:08:61:bf:b1:bc:4d:7b:a7:e8:78:25:20:
                    43:94:00:a8:5a:fe:43:98:1e:b7:6c:04:a5:27:d3:
                    cd:20:d7:f0:4e:2f:b0:1a:43:f2:cd:62:a8:0d:88:
                    08:a2:83:e3:1d:50:43:69:c5:0e:f5:a5:05:66:b7:
                    10:88:d5:77:bf:32:af:df:1d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type: 
                SSL CA, S/MIME CA, Object Signing CA
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Certificate Sign
    Signature Algorithm: sha1WithRSAEncryption
         84:db:ee:5b:53:db:1e:c8:88:32:17:d7:23:d4:a1:4c:fc:74:
         bf:b4:db:35:9e:76:3e:03:ff:5b:0d:d2:48:71:f5:e9:48:27:
         70:2c:c5:8c:e3:b3:2f:87:65:b4:d2:20:e7:cd:6a:a3:ac:3a:
         1e:6d:87:0c:3a:a5:71:6c:c1:e8:f9:b7:9c:92:d7:be:05:47:
         64:57:6b:ec:1c:ee:9d:f8:4e:dd:d1:c3:c7:8a:78:81:1f:c6:
         8d:89:7f:51:4e:97:a7:8e:cf:80:38:45:b4:ce:12:66:8c:60:
         b5:8d:17:b5:ad:43:92:44:56:45:79:b1:71:56:e3:2c:1a:e9:
         94:4e
-----BEGIN CERTIFICATE-----
MIICCTCCAXKgAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAwLjEsMCoGA1UEAxMjT0RT
LlZVVy5BQy5OWiBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTIwMzIwMDAyNTUz
WhcNMjIwMzIwMDAyNTUzWjAuMSwwKgYDVQQDEyNPRFMuVlVXLkFDLk5aIENlcnRp
ZmljYXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAzcEw
R+Nku1vB1CfCxNK87g0Ykfg/lbm58f44XH56ANhazpfzCCEzVl4aryZKXe+n6Dvz
Fh68Yd28NnaVeRgIYb+xvE17p+h4JSBDlACoWv5DmB63bASlJ9PNINfwTi+wGkPy
zWKoDYgIooPjHVBDacUO9aUFZrcQiNV3vzKv3x0CAwEAAaM2MDQwEQYJYIZIAYb4
QgEBBAQDAgAHMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgLEMA0GCSqG
SIb3DQEBBQUAA4GBAITb7ltT2x7IiDIX1yPUoUz8dL+02zWedj4D/1sN0khx9elI
J3AsxYzjsy+HZbTSIOfNaqOsOh5thww6pXFswej5t5yS174FR2RXa+wc7p34Tt3R
w8eKeIEfxo2Jf1FOl6eOz4A4RbTOEmaMYLWNF7WtQ5JEVkV5sXFW4ywa6ZRO
-----END CERTIFICATE-----
[root@vuwunicoipam001 thing]#
Comment 37 Jatin Nansi 2015-10-08 04:02:56 UTC 
Hello Jan, Rob,

The problem here is that the CA certificate subject/issuer is 'CN=ODS.VUW.AC.NZ Certificate Authority', while it is expected to be 'CN=Certificate Authority,O=ODS.VUW.AC.NZ'. The CA certificate subject/issuer is named as such as it is the certificate that we migrated from the --selfsign CA. Would we be able to work around this issue by creating a sub-CA of the --selfsign CA? I mean create a sub CA that has a subject 'CN=Certificate Authority,O=ODS.VUW.AC.NZ', issued by 'CN=ODS.VUW.AC.NZ Certificate Authority', then use that as the IPA CA certificate? Should we be doing this? I am worried that this might break automatic certificate renewals. 

Thank you,
Jatin
Comment 38 Jan Cholasta 2015-10-08 06:05:45 UTC 
(In reply to Jatin Nansi from comment #37)
> Would we be able to work around this issue by
> creating a sub-CA of the --selfsign CA? I mean create a sub CA that has a
> subject 'CN=Certificate Authority,O=ODS.VUW.AC.NZ', issued by
> 'CN=ODS.VUW.AC.NZ Certificate Authority', then use that as the IPA CA
> certificate? Should we be doing this? I am worried that this might break
> automatic certificate renewals. 

This would only make things more complicated and I don't think it would help us in any way.

The problem is that not all filesystem locations on ipa003 have the new CA cert. This should be fixable by running ipa-certupdate. Steven, could you post the output of:

# ipa-certupdate -v

If it succeeds, you should be able to create a new, installable replica file for ipa001 from ipa003.
Comment 39 gzcwnk 2015-10-08 19:58:16 UTC 
I hope this isnt a silly Q but can I run this during the real upgrade as a matter of course?  ie there is no risk anything will break? but 'guarantee' all is well?

it is taking a while to run....
Comment 40 gzcwnk 2015-10-08 20:04:40 UTC 
[root@vuwunicoipam003 ipa]# ipa-certupdate -v
ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: Not logging to a file
ipa: DEBUG: Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.7/site-packages/ipalib/plugins'...
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/aci.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automember.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/automount.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/batch.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/cert.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/config.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/delegation.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/group.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacrule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hbactest.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/host.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/hostgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/idrange.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/idviews.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/kerberos.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/krbtpolicy.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/misc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/netgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken_yubikey.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/passwd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/permission.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/ping.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/pkinit.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/privilege.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/pwpolicy.py'
ipa: DEBUG: Starting external process
ipa: DEBUG: args='klist' '-V'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=Kerberos 5 version 1.12.2

ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/radiusproxy.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/realmdomains.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/role.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/rpcclient.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/selfservice.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/selinuxusermap.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/service.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/sudorule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/user.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.7/site-packages/ipalib/plugins/virtual.py'
ipa: DEBUG: Starting external process
ipa: DEBUG: args='keyctl' 'search' '@s' 'user' 'ipa_session_cookie:host/vuwunicoipam003.ods.vuw.ac.nz.AC.NZ'
ipa: DEBUG: Process finished, return code=1
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=keyctl_search: Required key not available

ipa.ipalib.plugins.rpcclient.rpcclient: DEBUG: failed to find session_cookie in persistent storage for principal 'host/vuwunicoipam003.ods.vuw.ac.nz.AC.NZ'
ipa.ipalib.plugins.rpcclient.rpcclient: INFO: trying https://vuwunicoipam003.ods.vuw.ac.nz/ipa/json
ipa: DEBUG: NSSConnection init vuwunicoipam003.ods.vuw.ac.nz
ipa: DEBUG: Connecting: 10.100.32.52:0
ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
Data:
        Version:       3 (0x2)
        Serial Number: 1085 (0x43d)
        Signature Algorithm:
            Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: CN=ODS.VUW.AC.NZ Certificate Authority
        Validity:
            Not Before: Mon Sep 28 03:11:29 2015 UTC
            Not After:  Sun Sep 28 03:11:29 2025 UTC
        Subject: CN=vuwunicoipam003.ods.vuw.ac.nz,O=ODS.VUW.AC.NZ
        Subject Public Key Info:
            Public Key Algorithm:
                Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    a4:e7:5a:ee:59:bd:9a:b7:12:13:d5:8a:8e:e6:bf:48:
                    ab:af:86:e6:75:92:dd:37:4a:a8:31:cb:f5:53:fd:38:
                    10:e7:99:e4:eb:b9:ec:4f:b7:65:85:29:9e:5d:19:6b:
                    c2:10:6e:c2:15:af:29:13:34:6b:73:d7:b3:e1:1f:52:
                    9c:82:3e:56:88:ec:37:64:b6:fe:8e:ec:03:aa:37:dc:
                    f4:79:83:1d:d9:6c:cf:0b:e7:e7:47:5d:0b:fa:51:0c:
                    e8:33:2c:eb:f0:87:0d:dc:ad:e6:c6:14:2c:4a:7a:e9:
                    14:cb:6a:c3:88:f8:a4:9f:7a:b9:6f:8c:e9:05:aa:71:
                    34:1e:79:0b:db:f3:86:8b:b7:07:b7:b1:18:08:3e:93:
                    4e:d0:04:62:0d:01:9e:45:51:1c:49:9d:b6:26:b6:e2:
                    42:e7:9c:fe:d8:3b:9c:df:14:51:0a:c8:e7:37:44:b1:
                    59:5b:84:76:40:0c:d5:9a:b4:fa:0b:9f:57:fa:aa:e0:
                    9c:76:b4:2e:b3:4e:32:bd:b6:3d:0c:5d:3f:cb:17:12:
                    98:1a:13:5f:38:96:b6:f4:59:9a:a4:45:fc:e7:e5:1b:
                    40:14:fe:5f:d2:55:c6:d3:34:a4:cf:9f:25:28:59:6f:
                    9f:b4:78:d1:28:41:c1:ee:e8:8a:2f:82:49:34:c3:43
                Exponent:
                    65537 (0x10001)
    Signed Extensions: (2 total)
        Name:     Certificate Type
        Critical: False
        Types:
            SSL Server

        Name:     Certificate Key Usage
        Critical: False
        Usages:
            Key Encipherment

    Signature:
        Signature Algorithm:
            Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Signature:
            78:7b:f2:32:9f:6b:c3:cf:39:36:74:bf:ca:ab:9e:7c:
            90:b3:12:f8:57:69:54:b8:70:85:af:1f:fc:32:00:19:
            71:0c:3d:36:0e:8c:24:8a:f4:c8:f3:f6:94:cc:a1:cb:
            dd:71:d7:78:8a:63:89:71:c8:cd:77:de:b6:4d:40:e5:
            43:ec:cb:50:38:4e:cf:1d:2c:f9:f2:5a:71:cf:9d:7b:
            d2:c2:c6:0c:43:c0:5d:7a:4f:c7:9a:c1:02:e5:c5:4c:
            90:f8:6c:5d:2a:3f:9b:46:e2:89:be:1f:ad:90:d4:96:
            9f:47:57:93:d5:e0:a6:23:45:ba:c6:42:bf:52:3d:85
        Fingerprint (MD5):
            5a:54:87:f8:8f:eb:c9:f6:01:17:07:b7:0d:09:6d:00
        Fingerprint (SHA1):
            a1:a8:8a:8d:7a:b1:88:c5:74:cf:34:e1:81:2f:50:2d:
            87:1f:10:49
ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for "CN=vuwunicoipam003.ods.vuw.ac.nz,O=ODS.VUW.AC.NZ"
ipa: DEBUG: handshake complete, peer = 10.100.32.52:443
ipa: DEBUG: Protocol: TLS1.1
ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_CBC_SHA
ipa: DEBUG: received Set-Cookie 'ipa_session=d73f241dc31864b1f1def82fdaca2284; Domain=vuwunicoipam003.ods.vuw.ac.nz; Path=/ipa; Expires=Thu, 08 Oct 2015 20:14:30 GMT; Secure; HttpOnly'
ipa: DEBUG: storing cookie 'ipa_session=d73f241dc31864b1f1def82fdaca2284; Domain=vuwunicoipam003.ods.vuw.ac.nz; Path=/ipa; Expires=Thu, 08 Oct 2015 20:14:30 GMT; Secure; HttpOnly' for principal host/vuwunicoipam003.ods.vuw.ac.nz.AC.NZ
ipa: DEBUG: Starting external process
ipa: DEBUG: args='keyctl' 'search' '@s' 'user' 'ipa_session_cookie:host/vuwunicoipam003.ods.vuw.ac.nz.AC.NZ'
ipa: DEBUG: Process finished, return code=1
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=keyctl_search: Required key not available

ipa: DEBUG: Starting external process
ipa: DEBUG: args='keyctl' 'search' '@s' 'user' 'ipa_session_cookie:host/vuwunicoipam003.ods.vuw.ac.nz.AC.NZ'
ipa: DEBUG: Process finished, return code=1
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=keyctl_search: Required key not available

ipa: DEBUG: Starting external process
ipa: DEBUG: args='keyctl' 'padd' 'user' 'ipa_session_cookie:host/vuwunicoipam003.ods.vuw.ac.nz.AC.NZ' '@s'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=288640581

ipa: DEBUG: stderr=
ipa.ipalib.plugins.rpcclient.rpcclient: DEBUG: Created connection context.rpcclient
ipa.ipalib.plugins.rpcclient.rpcclient: INFO: Forwarding 'ca_is_enabled' to json server 'https://vuwunicoipam003.ods.vuw.ac.nz/ipa/json'
ipa: DEBUG: NSSConnection init vuwunicoipam003.ods.vuw.ac.nz
ipa: DEBUG: Connecting: 10.100.32.52:0
ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
Data:
        Version:       3 (0x2)
        Serial Number: 1085 (0x43d)
        Signature Algorithm:
            Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: CN=ODS.VUW.AC.NZ Certificate Authority
        Validity:
            Not Before: Mon Sep 28 03:11:29 2015 UTC
            Not After:  Sun Sep 28 03:11:29 2025 UTC
        Subject: CN=vuwunicoipam003.ods.vuw.ac.nz,O=ODS.VUW.AC.NZ
        Subject Public Key Info:
            Public Key Algorithm:
                Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    a4:e7:5a:ee:59:bd:9a:b7:12:13:d5:8a:8e:e6:bf:48:
                    ab:af:86:e6:75:92:dd:37:4a:a8:31:cb:f5:53:fd:38:
                    10:e7:99:e4:eb:b9:ec:4f:b7:65:85:29:9e:5d:19:6b:
                    c2:10:6e:c2:15:af:29:13:34:6b:73:d7:b3:e1:1f:52:
                    9c:82:3e:56:88:ec:37:64:b6:fe:8e:ec:03:aa:37:dc:
                    f4:79:83:1d:d9:6c:cf:0b:e7:e7:47:5d:0b:fa:51:0c:
                    e8:33:2c:eb:f0:87:0d:dc:ad:e6:c6:14:2c:4a:7a:e9:
                    14:cb:6a:c3:88:f8:a4:9f:7a:b9:6f:8c:e9:05:aa:71:
                    34:1e:79:0b:db:f3:86:8b:b7:07:b7:b1:18:08:3e:93:
                    4e:d0:04:62:0d:01:9e:45:51:1c:49:9d:b6:26:b6:e2:
                    42:e7:9c:fe:d8:3b:9c:df:14:51:0a:c8:e7:37:44:b1:
                    59:5b:84:76:40:0c:d5:9a:b4:fa:0b:9f:57:fa:aa:e0:
                    9c:76:b4:2e:b3:4e:32:bd:b6:3d:0c:5d:3f:cb:17:12:
                    98:1a:13:5f:38:96:b6:f4:59:9a:a4:45:fc:e7:e5:1b:
                    40:14:fe:5f:d2:55:c6:d3:34:a4:cf:9f:25:28:59:6f:
                    9f:b4:78:d1:28:41:c1:ee:e8:8a:2f:82:49:34:c3:43
                Exponent:
                    65537 (0x10001)
    Signed Extensions: (2 total)
        Name:     Certificate Type
        Critical: False
        Types:
            SSL Server

        Name:     Certificate Key Usage
        Critical: False
        Usages:
            Key Encipherment

    Signature:
        Signature Algorithm:
            Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Signature:
            78:7b:f2:32:9f:6b:c3:cf:39:36:74:bf:ca:ab:9e:7c:
            90:b3:12:f8:57:69:54:b8:70:85:af:1f:fc:32:00:19:
            71:0c:3d:36:0e:8c:24:8a:f4:c8:f3:f6:94:cc:a1:cb:
            dd:71:d7:78:8a:63:89:71:c8:cd:77:de:b6:4d:40:e5:
            43:ec:cb:50:38:4e:cf:1d:2c:f9:f2:5a:71:cf:9d:7b:
            d2:c2:c6:0c:43:c0:5d:7a:4f:c7:9a:c1:02:e5:c5:4c:
            90:f8:6c:5d:2a:3f:9b:46:e2:89:be:1f:ad:90:d4:96:
            9f:47:57:93:d5:e0:a6:23:45:ba:c6:42:bf:52:3d:85
        Fingerprint (MD5):
            5a:54:87:f8:8f:eb:c9:f6:01:17:07:b7:0d:09:6d:00
        Fingerprint (SHA1):
            a1:a8:8a:8d:7a:b1:88:c5:74:cf:34:e1:81:2f:50:2d:
            87:1f:10:49
ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for "CN=vuwunicoipam003.ods.vuw.ac.nz,O=ODS.VUW.AC.NZ"
ipa: DEBUG: handshake complete, peer = 10.100.32.52:443
ipa: DEBUG: Protocol: TLS1.1
ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_CBC_SHA
ipa: DEBUG: received Set-Cookie 'ipa_session=4c32176ebe1b82299bb9d9634c416cc8; Domain=vuwunicoipam003.ods.vuw.ac.nz; Path=/ipa; Expires=Thu, 08 Oct 2015 20:14:35 GMT; Secure; HttpOnly'
ipa: DEBUG: storing cookie 'ipa_session=4c32176ebe1b82299bb9d9634c416cc8; Domain=vuwunicoipam003.ods.vuw.ac.nz; Path=/ipa; Expires=Thu, 08 Oct 2015 20:14:35 GMT; Secure; HttpOnly' for principal host/vuwunicoipam003.ods.vuw.ac.nz.AC.NZ
ipa: DEBUG: Starting external process
ipa: DEBUG: args='keyctl' 'search' '@s' 'user' 'ipa_session_cookie:host/vuwunicoipam003.ods.vuw.ac.nz.AC.NZ'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=288640581

ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args='keyctl' 'search' '@s' 'user' 'ipa_session_cookie:host/vuwunicoipam003.ods.vuw.ac.nz.AC.NZ'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=288640581

ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args='keyctl' 'pupdate' '288640581'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa.ipalib.plugins.rpcclient.rpcclient: DEBUG: Destroyed connection context.rpcclient
ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing ldap://vuwunicoipam003.ods.vuw.ac.nz:389 from SchemaCache
ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldap://vuwunicoipam003.ods.vuw.ac.nz:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x358f1b8>
ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/dirsrv/slapd-ODS-VUW-AC-NZ' '-A' '-n' 'CN=ODS.VUW.AC.NZ Certificate Authority' '-t' 'C,,'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/dirsrv/slapd-ODS-VUW-AC-NZ' '-A' '-n' 'ODS.VUW.AC.NZ IPA CA' '-t' 'CT,C,C'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'dirsrv'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' '--system' 'daemon-reload'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'restart' 'dirsrv'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'dirsrv'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: wait_for_open_ports: localhost [389] timeout 300
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-A' '-n' 'CN=ODS.VUW.AC.NZ Certificate Authority' '-t' 'C,,'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-A' '-n' 'ODS.VUW.AC.NZ IPA CA' '-t' 'CT,C,C'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'httpd.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'restart' 'httpd.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'httpd.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: resubmitting certmonger request '20150929000126'
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'GENERATING_CSR', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'SUBMITTING', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'PRE_SAVE_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'PRE_SAVE_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'PRE_SAVE_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'PRE_SAVE_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)


ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)


ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'POST_SAVED_CERT', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: certmonger request is in state dbus.String(u'MONITORING', variant_level=1)
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: modifying certmonger request '20150929000126'
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/bin/systemctl' 'is-active' 'certmonger.service'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=active

ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=ODS.VUW.AC.NZ Certificate Authority                       C,,  

ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-L' '-n' 'CN=ODS.VUW.AC.NZ Certificate Authority' '-r'
ipa: DEBUG: Process finished, return code=0
�Hq��H'p,Ō��/�e�� ��j��:m�>�[`�H��B0U�0�0U��0b�
                           :�ql������׾GdWk����N���NJx�ƍ�QN���8E��f�`����C�DVEy�qV�,��N
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-D' '-n' 'CN=ODS.VUW.AC.NZ Certificate Authority'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-L' '-n' 'CN=ODS.VUW.AC.NZ Certificate Authority' '-r'
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: CN=ODS.VUW.AC.NZ Certificate Authority
: PR_FILE_NOT_FOUND_ERROR: File not found

ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L' '-n' 'IPA CA' '-r'
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: IPA CA
: PR_FILE_NOT_FOUND_ERROR: File not found

ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L' '-n' 'External CA cert' '-r'
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: External CA cert
: PR_FILE_NOT_FOUND_ERROR: File not found

ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-A' '-n' 'CN=ODS.VUW.AC.NZ Certificate Authority' '-t' 'C,,'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-A' '-n' 'ODS.VUW.AC.NZ IPA CA' '-t' 'CT,C,C'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-A' '-n' 'CN=ODS.VUW.AC.NZ Certificate Authority' '-t' 'C,,'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/certutil' '-d' '/etc/pki/nssdb' '-A' '-n' 'ODS.VUW.AC.NZ IPA CA' '-t' 'CT,C,C'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/update-ca-trust'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: INFO: Systemwide CA database updated.
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/update-ca-trust'
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: INFO: Systemwide CA database updated.
ipa.ipaclient.ipa_certupdate.CertUpdate: INFO: The ipa-certupdate command was successful
[root@vuwunicoipam003 ipa]#
Comment 41 gzcwnk 2015-10-08 20:14:26 UTC 
not so good,

========
[root@vuwunicoipam003 ipa]# ipa-replica-prepare vuwunicoipam001.ods.vuw.ac.nz --ip-address 10.100.32.50
Directory Manager (existing master) password: 

Preparing replica for vuwunicoipam001.ods.vuw.ac.nz from vuwunicoipam003.ods.vuw.ac.nz
Creating SSL certificate for the Directory Server
Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)
[root@vuwunicoipam003 ipa]# 
=========
Comment 42 gzcwnk 2015-10-08 20:30:10 UTC 
[root@vuwunicoipam003 Desktop]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: STOPPED
ipa: INFO: The ipactl command was successful
[root@vuwunicoipam003 Desktop]# 

on the other hand,

ipactl -d restart,

============
8><-------
ipa: DEBUG: The CA status is: check interrupted
ipa: DEBUG: Waiting for CA to start...
ipa: DEBUG: request 'https://vuwunicoipam003.ods.vuw.ac.nz:443/ca/admin/ca/getStatus'
ipa: DEBUG: request body ''
ipa: DEBUG: request status 500
ipa: DEBUG: request reason_phrase u'Internal Server Error'
ipa: DEBUG: request headers {'content-length': '2767', 'content-language': 'en', 'server': 'Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_kerb/5.4 mod_nss/2.4.6 NSS/3.16.2.3 Basic ECC mod_wsgi/3.4 Python/2.7.5', 'connection': 'close', 'date': 'Thu, 08 Oct 2015 20:27:45 GMT', 'content-type': 'text/html;charset=utf-8'}
ipa: DEBUG: request body '<html><head><title>Apache Tomcat/7.0.54 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - CS server is not ready to serve.</h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u>CS server is not ready to serve.</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>java.io.IOException: CS server is not ready to serve.\n\tcom.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:443)\n\tjavax.servlet.http.HttpServlet.service(HttpServlet.java:727)\n\tsun.reflect.GeneratedMethodAccessor32.invoke(Unknown Source)\n\tsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n\tjava.lang.reflect.Method.invoke(Method.java:606)\n\torg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)\n\torg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)\n\tjava.security.AccessController.doPrivileged(Native Method)\n\tjavax.security.auth.Subject.doAsPrivileged(Subject.java:536)\n\torg.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)\n\torg.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)\n\tjava.security.AccessController.doPrivileged(Native Method)\n\torg.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)\n\tsun.reflect.GeneratedMethodAccessor31.invoke(Unknown Source)\n\tsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n\tjava.lang.reflect.Method.invoke(Method.java:606)\n\torg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)\n\torg.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)\n\tjava.security.AccessController.doPrivileged(Native Method)\n\tjavax.security.auth.Subject.doAsPrivileged(Subject.java:536)\n\torg.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)\n\torg.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)\n</pre></p><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/7.0.54 logs.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.54</h3></body></html>'
ipa: DEBUG: The CA status is: check interrupted
ipa: DEBUG: Waiting for CA to start...
^Cipa: DEBUG:   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script
    return_value = main_function()

  File "/sbin/ipactl", line 515, in main
    ipa_restart(options)

  File "/sbin/ipactl", line 415, in ipa_restart
    svchandle.start(capture_output=get_capture_output(svc, options.debug))

  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 203, in start
    self.wait_until_running()

  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 195, in wait_until_running
    time.sleep(1)

ipa: DEBUG: The ipactl command failed, exception: KeyboardInterrupt: 
Cancelled.
[root@vuwunicoipam003 Desktop]#
=========

seemed to loop/wait so I cntrl-c'd it
Comment 43 gzcwnk 2015-10-08 20:37:37 UTC 
[root@vuwunicoipam003 Desktop]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting pki-tomcatd Service
Failed to restart pki-tomcatd Service
Shutting down
Aborting ipactl
[root@vuwunicoipam003 Desktop]#

so the above broke the CA?
Comment 44 Jan Cholasta 2015-10-12 07:00:03 UTC 
Are there any errors in

# journalctl -u pki-tomcatd

?

Could you please post the output of:

# ldapsearch -H ldapi://%2fvar%2frun%2fslapd-ODS-VUW-AC-NZ.socket -Y EXTERNAL -b cn=certificates,cn=ipa,cn=etc,dc=ods,dc=vuw,dc=ac,dc=nz
# certutil -d /etc/pki/pki-tomcat/alias -L
# certutil -d /etc/dirsrv/slapd-ODS-VUW-AC-NZ -L

?
Comment 47 Jan Cholasta 2015-10-14 08:29:05 UTC 
This should fix the problem:

# certutil -d /etc/dirsrv/slapd-ODS-VUW-AC-NZ -L -n 'CN=ODS.VUW.AC.NZ Certificate Authority' -a -o old_ca.crt
# certutil -d /etc/pki/pki-tomcat/alias -A -n 'ODS.VUW.AC.NZ Certificate Authority' -t C,, -a -i old_ca.crt
Comment 59 Petr Vobornik 2016-08-16 11:49:50 UTC 
This bug covers 3 various use cases. 

It is not clear what each individual case wants to have fixed. For this reason I'm closing it as INSUFFICIENT_DATA.

CA-less -> CA migration is tracked in bug 1301687 which is ON_QA now.

If the issue is still present, please provide reproduction steps with new logs.