Description of problem:

# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@master ~]# date
Thu Dec 5 03:10:57 EST 2019
[root@master ~]# date --set="Tue Nov 13 15:23:34 PDT 2090"
Mon Nov 13 17:23:34 EST 2090
[root@master ~]# service certmonger restart
Redirecting to /bin/systemctl restart certmonger.service
[root@master ~]#
[root@master ~]#
[root@master ~]# getcert list
Number of certificates and requests being tracked: 9.
Request ID '20191204141341':
    status: SUBMITTING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=IPA.TEST
    subject: CN=IPA RA,O=IPA.TEST
    expires: 2021-11-23 09:13:43 EST
    key usage: digitalSignature,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20191204141418':
    status: SUBMITTING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=IPA.TEST
    subject: CN=CA Audit,O=IPA.TEST
    expires: 2021-11-23 09:13:04 EST
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20191204141419':
    status: SUBMITTING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=IPA.TEST
    subject: CN=OCSP Subsystem,O=IPA.TEST
    expires: 2021-11-23 09:13:03 EST
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20191204141420':
    status: SUBMITTING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=IPA.TEST
    subject: CN=CA Subsystem,O=IPA.TEST
    expires: 2021-11-23 09:13:04 EST
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20191204141421':
    status: SUBMITTING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=IPA.TEST
    subject: CN=Certificate Authority,O=IPA.TEST
    expires: 2039-12-04 09:13:03 EST
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20191204141422':
    status: SUBMITTING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=IPA.TEST
    subject: CN=master.ipa.test,O=IPA.TEST
    expires: 2021-11-23 09:13:03 EST
    dns: master.ipa.test
    key usage: digitalSignature,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20191204141449':
    status: SUBMITTING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-TEST/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=IPA.TEST
    subject: CN=master.ipa.test,O=IPA.TEST
    expires: 2021-12-04 09:14:50 EST
    dns: master.ipa.test
    principal name: ldap/master.ipa.test
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-TEST
    track: yes
    auto-renew: yes
Request ID '20191204141519':
    status: SUBMITTING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/master.ipa.test-443-RSA'
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=IPA.TEST
    subject: CN=master.ipa.test,O=IPA.TEST
    expires: 2021-12-04 09:15:20 EST
    dns: master.ipa.test
    principal name: HTTP/master.ipa.test
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
Request ID '20191204141533':
    status: SUBMITTING
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=IPA.TEST
    subject: CN=master.ipa.test,O=IPA.TEST
    expires: 2021-12-04 09:15:34 EST
    principal name: krbtgt/IPA.TEST
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-pkinit-KPKdc
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
    track: yes
    auto-renew: yes
[root@master ~]#
[root@master ~]#
[root@master ~]# ipa-cert-fix

WARNING

ipa-cert-fix is intended for recovery when expired certificates prevent the normal operation of FreeIPA. It should ONLY be used in such scenarios, and backup of the system, especially certificates and keys, is STRONGLY RECOMMENDED.

The following certificates will be renewed:

Dogtag sslserver certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial: 3
  Expires: 2021-11-23 14:13:03

Dogtag subsystem certificate:
  Subject: CN=CA Subsystem,O=IPA.TEST
  Serial: 4
  Expires: 2021-11-23 14:13:04

Dogtag ca_ocsp_signing certificate:
  Subject: CN=OCSP Subsystem,O=IPA.TEST
  Serial: 2
  Expires: 2021-11-23 14:13:03

Dogtag ca_audit_signing certificate:
  Subject: CN=CA Audit,O=IPA.TEST
  Serial: 5
  Expires: 2021-11-23 14:13:04

IPA IPA RA certificate:
  Subject: CN=IPA RA,O=IPA.TEST
  Serial: 7
  Expires: 2021-11-23 14:13:43

IPA Apache HTTPS certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial: 9
  Expires: 2021-12-04 14:15:20

IPA LDAP certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial: 8
  Expires: 2021-12-04 14:14:50

IPA KDC certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial: 10
  Expires: 2021-12-04 14:15:34

Enter "yes" to proceed: YES
Proceeding.
Renewed Dogtag sslserver certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial: 3
  Expires: 2091-02-13 22:24:40

[Errno 2] No such file or directory: '/etc/pki/pki-tomcat/certs/subsystem.crt'
The ipa-cert-fix command failed.

# getcert list
Number of certificates and requests being tracked: 9.
Request ID '20191204141341':
    status: CA_UNREACHABLE
    ca-error: Error 7 connecting to http://master.ipa.test:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=IPA.TEST
    subject: CN=IPA RA,O=IPA.TEST
    expires: 2021-11-23 09:13:43 EST
    key usage: digitalSignature,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20191204141418':
    status: CA_UNREACHABLE
    ca-error: Error 7 connecting to https://master.ipa.test:8443/ca/agent/ca/profileReview: Couldn't connect to server.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=IPA.TEST
    subject: CN=CA Audit,O=IPA.TEST
    expires: 2021-11-23 09:13:04 EST
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20191204141419':
    status: CA_UNREACHABLE
    ca-error: Error 7 connecting to http://master.ipa.test:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=IPA.TEST
    subject: CN=OCSP Subsystem,O=IPA.TEST
    expires: 2021-11-23 09:13:03 EST
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20191204141420':
    status: CA_UNREACHABLE
    ca-error: Error 7 connecting to https://master.ipa.test:8443/ca/agent/ca/profileReview: Couldn't connect to server.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=IPA.TEST
    subject: CN=CA Subsystem,O=IPA.TEST
    expires: 2021-11-23 09:13:04 EST
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20191204141421':
    status: CA_UNREACHABLE
    ca-error: Error 7 connecting to https://master.ipa.test:8443/ca/agent/ca/profileReview: Couldn't connect to server.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=IPA.TEST
    subject: CN=Certificate Authority,O=IPA.TEST
    expires: 2039-12-04 09:13:03 EST
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20191204141422':
    status: CA_UNREACHABLE
    ca-error: Error 7 connecting to https://master.ipa.test:8443/ca/agent/ca/profileReview: Couldn't connect to server.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=IPA.TEST
    subject: CN=master.ipa.test,O=IPA.TEST
    expires: 2021-11-23 09:13:03 EST
    dns: master.ipa.test
    key usage: digitalSignature,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20191204141449':
    status: CA_UNREACHABLE
    ca-error: Server at https://master.ipa.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://master.ipa.test/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-TEST/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=IPA.TEST
    subject: CN=master.ipa.test,O=IPA.TEST
    expires: 2021-12-04 09:14:50 EST
    dns: master.ipa.test
    principal name: ldap/master.ipa.test
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-TEST
    track: yes
    auto-renew: yes
Request ID '20191204141519':
    status: CA_UNREACHABLE
    ca-error: Server at https://master.ipa.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://master.ipa.test/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/master.ipa.test-443-RSA'
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=IPA.TEST
    subject: CN=master.ipa.test,O=IPA.TEST
    expires: 2021-12-04 09:15:20 EST
    dns: master.ipa.test
    principal name: HTTP/master.ipa.test
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
Request ID '20191204141533':
    status: CA_UNREACHABLE
    ca-error: Server at https://master.ipa.test/ipa/xml failed request, will retry: -504 (HTTP POST to URL 'https://master.ipa.test/ipa/xml' failed. libcurl failed even to execute the HTTP transaction, explaining: SSL certificate problem: certificate has expired).
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=IPA.TEST
    subject: CN=master.ipa.test,O=IPA.TEST
    expires: 2021-12-04 09:15:34 EST
    principal name: krbtgt/IPA.TEST
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-pkinit-KPKdc
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
    track: yes
    auto-renew: yes
[root@master ~]#
[root@master ~]#
[root@master ~]# ipa-ce^C
[root@master ~]# date
Mon Nov 13 17:38:15 EST 2090
[root@master ~]# ipa-cert-fix -v
ipapython.admintool: DEBUG: Not logging to a file
ipalib.install.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipalib.install.sysrestore: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipaserver.install.installutils: DEBUG: httpd is configured
ipaserver.install.installutils: DEBUG: kadmin is configured
ipaserver.install.installutils: DEBUG: dirsrv is configured
ipaserver.install.installutils: DEBUG: pki-tomcatd is configured
ipaserver.install.installutils: DEBUG: install is not configured
ipaserver.install.installutils: DEBUG: krb5kdc is configured
ipaserver.install.installutils: DEBUG: named is configured
ipaserver.install.installutils: DEBUG: filestore has files
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['pki-server', 'cert-fix', '--help']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=Usage: pki-server cert-fix [OPTIONS]
    --cert <Cert ID> Fix specified system cert (default: all certs).
    --extra-cert <Serial> Also renew cert with given serial number.
    --agent-uid <String> UID of Dogtag agent user
    --ldapi-socket <Path> Path to DS LDAPI socket
    --ldap-url <URL> LDAP URL (mutually exclusive to --ldapi-socket)
    -i, --instance <instance ID> Instance ID (default: pki-tomcat).
    -p, --port <port number> Secure port number (default: 8443).
    -v, --verbose Run in verbose mode.
    --debug Run in debug mode.
    --help Show help message.
ipapython.ipautil: DEBUG: stderr=
ipalib.plugable: DEBUG: importing all plugin modules in ipaserver.plugins...
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.aci
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automember
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automount
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseldap
ipalib.plugable: DEBUG: ipaserver.plugins.baseldap is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseuser
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.batch
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ca
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.caacl
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.cert
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certmap
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certprofile
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.config
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.delegation
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dns
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dnsserver
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dogtag
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.domainlevel
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.group
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbac
ipalib.plugable: DEBUG: ipaserver.plugins.hbac is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacrule
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvc
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvcgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbactest
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.host
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hostgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idrange
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idviews
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.internal
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.join
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.krbtpolicy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ldap2
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.location
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.migration
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.misc
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.netgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otp
ipalib.plugable: DEBUG: ipaserver.plugins.otp is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otpconfig
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otptoken
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.passwd
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.permission
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ping
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pkinit
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.privilege
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pwpolicy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.rabase
ipalib.plugable: DEBUG: ipaserver.plugins.rabase is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.radiusproxy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.realmdomains
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.role
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.schema
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.selfservice
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.selinuxusermap
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.server
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverrole
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverroles
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.service
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.servicedelegation
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.session
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.stageuser
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudo
ipalib.plugable: DEBUG: ipaserver.plugins.sudo is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmd
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmdgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudorule
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.topology
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.trust
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.user
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.vault
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.virtual
ipalib.plugable: DEBUG: ipaserver.plugins.virtual is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.whoami
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.xmlserver
ipalib.backend: DEBUG: Created connection context.ldap2_140143513377144
ipalib.install.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipalib.install.sysrestore: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipaserver.install.dsinstance: DEBUG: Trying to find certificate subject base in sysupgrade
ipalib.install.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
ipalib.install.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
ipaserver.install.dsinstance: DEBUG: Found certificate subject base in sysupgrade: O=IPA.TEST
ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2Fvar%2Frun%2Fslapd-IPA-TEST.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f75b3cceac8>
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'Server-Cert cert-pki-ca', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'subsystemCert cert-pki-ca', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'ocspSigningCert cert-pki-ca', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'auditSigningCert cert-pki-ca', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'transportCert cert-pki-kra', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: transportCert cert-pki-kra : PR_FILE_NOT_FOUND_ERROR: File not found
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'storageCert cert-pki-kra', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: storageCert cert-pki-kra : PR_FILE_NOT_FOUND_ERROR: File not found
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'auditSigningCert cert-pki-kra', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: auditSigningCert cert-pki-kra : PR_FILE_NOT_FOUND_ERROR: File not found
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-IPA-TEST/', '-L', '-n', 'Server-Cert', '-a', '-f', '/etc/dirsrv/slapd-IPA-TEST/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
ipapython.ipautil: DEBUG: stderr=

WARNING

ipa-cert-fix is intended for recovery when expired certificates prevent the normal operation of FreeIPA. It should ONLY be used in such scenarios, and backup of the system, especially certificates and keys, is STRONGLY RECOMMENDED.
The following certificates will be renewed:

Dogtag subsystem certificate:
  Subject: CN=CA Subsystem,O=IPA.TEST
  Serial: 4
  Expires: 2021-11-23 14:13:04

Dogtag ca_ocsp_signing certificate:
  Subject: CN=OCSP Subsystem,O=IPA.TEST
  Serial: 2
  Expires: 2021-11-23 14:13:03

Dogtag ca_audit_signing certificate:
  Subject: CN=CA Audit,O=IPA.TEST
  Serial: 5
  Expires: 2021-11-23 14:13:04

IPA IPA RA certificate:
  Subject: CN=IPA RA,O=IPA.TEST
  Serial: 7
  Expires: 2021-11-23 14:13:43

IPA Apache HTTPS certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial: 9
  Expires: 2021-12-04 14:15:20

IPA LDAP certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial: 8
  Expires: 2021-12-04 14:14:50

IPA KDC certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial: 10
  Expires: 2021-12-04 14:15:34

Enter "yes" to proceed: yes
Proceeding.
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['pki-server', 'cert-fix', '--ldapi-socket', '/var/run/slapd-IPA-TEST.socket', '--agent-uid', 'ipara', '--cert', 'subsystem', '--cert', 'ca_ocsp_signing', '--cert', 'ca_audit_signing', '--extra-cert', '7', '--extra-cert', '9', '--extra-cert', '8', '--extra-cert', '10']
ipapython.ipautil: DEBUG: Process finished, return code=1
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=INFO: Loading instance: pki-tomcat
INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
INFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
INFO: Loading subsystem: ca
INFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
INFO: Fixing the following system certs: ['subsystem', 'ca_ocsp_signing', 'ca_audit_signing']
INFO: Renewing the following additional certs: ['7', '9', '8', '10']
INFO: Stopping the instance to proceed with system cert renewal
INFO: Configuring LDAP password authentication
INFO: Setting pkidbuser password via ldappasswd
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Selftests disabled for subsystems: ca
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Resetting password for uid=ipara,ou=people,o=ipaca
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Starting the instance
INFO: Sleeping for 10 seconds to allow server time to start...
INFO: Requesting new cert for subsystem
INFO: Getting subsystem cert info for ca from CS.cfg
INFO: Getting subsystem cert info for ca from NSS database
INFO: Trying to setup a secure connection to CA subsystem.
INFO: Secure connection with CA is established.
INFO: Placing cert creation request for serial: 4
INFO: Stopping the instance
INFO: Selftests enabled for subsystems: ca
INFO: Restoring previous LDAP configuration
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 423, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 821, in review_request
    r = self.connection.get(url, headers=self.headers)
  File "/usr/lib/python3.6/site-packages/pki/client.py", line 46, in wrapper
    return func(self, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/client.py", line 165, in get
    r.raise_for_status()
  File "/usr/lib/python3.6/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: for url: https://master.ipa.test:8443/ca/rest/agent/certrequests/20

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/pki/server/pkiserver.py", line 38, in <module>
    cli.execute(sys.argv)
  File "/usr/lib/python3.6/site-packages/pki/server/cli/__init__.py", line 142, in execute
    super(PKIServerCLI, self).execute(args)
  File "/usr/lib/python3.6/site-packages/pki/cli/__init__.py", line 204, in execute
    module.execute(module_args)
  File "/usr/lib/python3.6/site-packages/pki/cli/__init__.py", line 204, in execute
    module.execute(module_args)
  File "/usr/lib/python3.6/site-packages/pki/server/cli/cert.py", line 1256, in execute
    username=agent_uid, password=agent_pass, secure_port=port)
  File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 1781, in cert_create
    PKIServer.renew_certificate(connection, new_cert_file, serial)
  File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 820, in renew_certificate
    ret = cert_client.enroll_cert(inputs=inputs, profile_id='caManualRenewal')
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 423, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 1032, in enroll_cert
    self.approve_request(request_id)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 852, in approve_request
    request_id, cert_review_response, 'approve')
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 423, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 834, in _perform_action
    cert_review_response = self.review_request(request_id)
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 442, in handler
    raise pki_exception
pki.ForbiddenException: Authentication method not allowed.
ERROR: Authentication method not allowed.
ipapython.admintool: DEBUG: File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_cert_fix.py", line 129, in run
    replicate_dogtag_certs(subject_base, ca_subject_dn, certs)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_cert_fix.py", line 252, in replicate_dogtag_certs
    cert = x509.load_certificate_from_file(cert_path)
  File "/usr/lib/python3.6/site-packages/ipalib/x509.py", line 439, in load_certificate_from_file
    with open(filename, mode='rb') as f:
ipapython.admintool: DEBUG: The ipa-cert-fix command failed, exception: FileNotFoundError: [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/certs/subsystem.crt'
ipapython.admintool: ERROR: [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/certs/subsystem.crt'
ipapython.admintool: ERROR: The ipa-cert-fix command failed.

Machine: 10.0.154.50

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info: