Hi,
The discussions about deleting certs you provided have a certain
'academic' quality; they fail to address the needs of actual people faced
with the reality of more certs than the system can display, much less
ever find use for (owing to mishaps with the API generating useless certs,
closed customer accounts, etc. etc.). I suspect most reading those
things, faced with the actual problems, would find their only practical
answer is to delete the entire freeipa installation, re-create and
reissue the useful certs, and tell the people facing the disruption
'well, the professors had an issue they couldn't solve in a real way,
this was the best we could come up with'.
In the spirit of 'light a candle instead of curse the darkness', a
command protected by lots of 'do you really really mean it' prompts, that:
1) created an entirely new CA that in all respects matched the
parameters of the current freeipa one generated at install time, then
2) went through all the certs of the 'install time CA', ignoring revoked
and expired ones, and creating as near to duplicates for the rest as
possible.
3) added appropriate 'mirror' certs to services, users and hosts,
4) made the 'new' ca the 'default'.
--- give the admins a chance to cope/reboot/accept the 'new ca' as
'real' --, then a 'second half' of the command to:
5) remove all the user/service/host use of the old certs.
6) delete all references to anything done by the old ca, certs and all,
and the old ca itself from the system.
That might be a way to satisfy the academic aspects mentioned in the
discussions (which presume the CA generated by freeipa was always
'public' and so 'promises' needed to be 'kept' -- which isn't the case a
whole lot of the time, the freeipa CA being a creature for internal use
only).
Remember, in the real world, the alternative freeipa offers to a pile of
useless certs so bad the system UI can't so much as display them all is
'blow away the whole thing and restart'. There has to be a middle
ground. Maybe an attribute of the CA at CA creation time delivering the
meaning 'for internal use only-- ok to massively zap and remake'?
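Both halves of the command sketched above start from the same inventory: every cert the install-time CA issued, sorted into revoked, expired, still in use, and issued-but-unused, and that inventory query is exactly what trips the size-limit bug Flo describes further down the thread. The following Python script is an added example, not FreeIPA code and not from anyone in this thread; it parses the record layout that `ipa cert-show`/`ipa cert-find` print, sorts a constructed sample listing into those four classes, and flags whether the record count alone exceeds an assumed directory search size limit.

```python
"""Triage an `ipa cert-find` listing before any cleanup or CA re-issue.
Added example, not FreeIPA code and not from anyone in this thread; the
listing is constructed sample data and the size limit is an assumed value."""
import re
from datetime import datetime, timezone

# Constructed sample in the layout `ipa cert-find` prints: a header, one
# indented record per certificate (blank-line separated), then a footer.
SAMPLE_LISTING = """\
----------------------
4 certificates matched
----------------------
  Subject: CN=email.1.example.test,O=EXAMPLE.TEST
  Not After: Wed Aug 16 23:03:52 2023 UTC
  Serial number: 2000
  Revoked: False
  Owner service: HTTP/email.1.example.test@EXAMPLE.TEST

  Subject: CN=stale.example.test,O=EXAMPLE.TEST
  Not After: Mon Jun 13 19:06:05 2022 UTC
  Serial number: 1500
  Revoked: False

  Subject: CN=api-junk.example.test,O=EXAMPLE.TEST
  Not After: Wed Aug 16 23:03:52 2023 UTC
  Serial number: 2001
  Revoked: False

  Subject: CN=api-junk2.example.test,O=EXAMPLE.TEST
  Not After: Wed Aug 16 23:03:52 2023 UTC
  Serial number: 2002
  Revoked: True
----------------------------
Number of entries returned 4
----------------------------
"""

FIELD = re.compile(r"^\s+([A-Za-z][^:]*): (.*)$")   # an indented "Key: value" line


def parse_ipa_time(text):
    """'Wed Aug 16 23:03:52 2023 UTC' (the cert-show format) -> aware datetime."""
    fmt = "%a %b %d %H:%M:%S %Y UTC"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def parse_cert_listing(text):
    """Split the listing into one {field: value} dict per certificate record."""
    records, current = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
        elif current:            # blank line, dashes or footer ends a record
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records


def classify(record, now):
    """Revoked/expired are skipped by the cleanup; of the rest, only owned ones are in use."""
    if record.get("Revoked") == "True":
        return "revoked"
    if parse_ipa_time(record["Not After"]) < now:
        return "expired"
    if any(key.startswith("Owner ") for key in record):
        return "active-owned"
    return "active-orphan"      # issued and valid, but no host/service/user uses it


def triage(listing, now_text, size_limit):
    """Bucket serial numbers by class (`now_text` uses the records' time format) and
    flag whether the record count alone exceeds the directory search size limit."""
    now = parse_ipa_time(now_text)
    records = parse_cert_listing(listing)
    buckets = {"revoked": [], "expired": [], "active-owned": [], "active-orphan": []}
    for rec in records:
        buckets[classify(rec, now)].append(int(rec["Serial number"]))
    return {"total": len(records), "buckets": buckets,
            "over_size_limit": len(records) > size_limit}
```

Call `triage(SAMPLE_LISTING, "Thu Sep 01 00:00:00 2022 UTC", 3)` to see the sample sorted; on a real server, feed it the saved output of `ipa cert-find` instead.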
On 8/20/21 2:58 AM, Florence Renaud wrote:
Hi,
we have an open ticket for pruning expired certs from the database,
please see ticket 7219 <https://pagure.io/freeipa/issue/7219>. Note
that this mentions only expired certs, not unused certs.
The problem was already discussed a few times in the past, see for
instance
- Removal of obsolete certificates from o=ipaca
<https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
- Removal & clean up certificates from o=ipaca
<https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
- Re: Delete certificates from Dogtag PKI
<https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
flo
On Thu, Aug 19, 2021 at 9:10 PM Harry G. Coin <hgcoin(a)gmail.com> wrote:
Flo,
Yes, that's it exactly. Thanks. Paging the certificate list
really ought to have been lifted from other code; it's
already standard in the DNS entry listings, for example.
To anyone:
In my case, it seems several hundred certificates were
'automatically' created and are of no use to anyone, never
released, just taking up space. How can they best be deleted as if
they never were?
Harry
On 8/19/21 10:02 AM, Florence Renaud wrote:
> Hi,
> you may be hitting *Bug 1959057*
> <https://bugzilla.redhat.com/show_bug.cgi?id=1959057> - An error
> has occurred (IPA Error 4301:CertificateOperationError)
>
> The error happens when there are more entries to return than the
> configured nsSizeLimit. The workaround is to raise the
> nsSizeLimit as described in the BZ but this may also degrade
> performance (please refer to Improving Search Performance
> through Resource Limits
> <https://access.redhat.com/documentation/en-us/red_hat_directory_server/11...
> for more details)
>
> flo
>
> On Thu, Aug 19, 2021 at 12:31 AM Harry G. Coin via FreeIPA-users
> <freeipa-users(a)lists.fedorahosted.org> wrote:
>
>
> On 8/18/21 5:20 PM, Rob Crittenden wrote:
> > Harry G. Coin via FreeIPA-users wrote:
> >> What causes "IPA Error 4301: CertificateOperationError" /
> >> "Certificate operation cannot be completed: Unable to communicate with
> >> CMS (500)"
> >>
> >> on latest fedora 34 freeipa, running on two hosts, master/master?
> >>
> >> Usually I'd expect 'ipa cert-show 1' to fail, but it works, and
> >> 'systemctl' reports everything is running, and all the UI and other
> >> functions appear to be normal (even dnssec !).
> > Seems like it doesn't like something about cert serial number 2000. You
> > can see if you get the same behavior with cert-show 2000 or cert-find on
> > the cli.
> >
> > rob
>
>
> Thanks Rob. Other than having a bunch of SAN entries, it works from the
> command line:
>
> [root@registry1 ca]# ipa cert-show 2000
> Issuing CA: ipa
> Certificate:
>
> Subject: CN=email.1.quietfountain.com,O=1.QUIETFOUNTAIN.COM
> Subject DNS name: email.1.quietfountain.com, email1.1.quietfountain.com, email2.1.quietfountain.com,
> email3.1.quietfountain.com, email4.1.quietfountain.com, email5.1.quietfountain.com,
> email6.1.quietfountain.com, email7.1.quietfountain.com, email8.1.quietfountain.com,
> email9.1.quietfountain.com, email10.1.quietfountain.com, email11.1.quietfountain.com,
> email12.1.quietfountain.com, email13.1.quietfountain.com, email14.1.quietfountain.com,
> email15.1.quietfountain.com, email16.1.quietfountain.com, email17.1.quietfountain.com,
> email18.1.quietfountain.com, email19.1.quietfountain.com, email20.1.quietfountain.com,
> email21.1.quietfountain.com, email22.1.quietfountain.com, email23.1.quietfountain.com,
> email24.1.quietfountain.com, email25.1.quietfountain.com, email26.1.quietfountain.com,
> email27.1.quietfountain.com, email28.1.quietfountain.com, email29.1.quietfountain.com,
> email30.1.quietfountain.com, email31.1.quietfountain.com, email32.1.quietfountain.com,
> email33.1.quietfountain.com, email34.1.quietfountain.com, email35.1.quietfountain.com,
> email36.1.quietfountain.com, email37.1.quietfountain.com, email38.1.quietfountain.com,
> email39.1.quietfountain.com, email40.1.quietfountain.com, email41.1.quietfountain.com,
> email42.1.quietfountain.com, email43.1.quietfountain.com, email44.1.quietfountain.com,
> email45.1.quietfountain.com, email46.1.quietfountain.com, email47.1.quietfountain.com,
> email48.1.quietfountain.com, email49.1.quietfountain.com, email50.1.quietfountain.com,
> email51.1.quietfountain.com, email52.1.quietfountain.com, email53.1.quietfountain.com,
> email54.1.quietfountain.com, email55.1.quietfountain.com, email56.1.quietfountain.com,
> email57.1.quietfountain.com, email58.1.quietfountain.com, email59.1.quietfountain.com, email
> Issuer: CN=Certificate Authority,O=1.QUIETFOUNTAIN.COM
> Not Before: Sun Aug 15 23:03:52 2021 UTC
> Not After: Wed Aug 16 23:03:52 2023 UTC
> Serial number: 2000
> Serial number (hex): 0x7D0
> Revoked: False
> Owner service: HTTP/email.1.quietfountain.com(a)1.QUIETFOUNTAIN.COM
> [root@registry1 ca]# echo $?
> 0
> [root@registry1 ca]#
>
> >
> >>
> >> detail:
> >>
> >> [root@registry1 ~]# ipa cert-show 1
> >> Issuing CA: ipa
> >> Certificate:
> >>
>
> >> Subject: CN=Certificate Authority,O=1.QUIETFOUNTAIN.COM
> >> Issuer: CN=Certificate Authority,O=1.QUIETFOUNTAIN.COM
> >> Not Before: Sun Jun 13 19:06:05 2021 UTC
> >> Not After: Thu Jun 13 19:06:05 2041 UTC
> >> Serial number: 1
> >> Serial number (hex): 0x1
> >> Revoked: False
> >> [root@registry1 ~]# systemctl is-system-running
> >> running
> >> [root@registry1 ~]#
> >>
> >>
> >> notice /var/log/pki/pki-tomcat/ca/debug.2021-08-18.log
> >>
> >> ends with:
> >>
> >>
> >> 2021-08-18 16:42:16 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] INFO: DBVirtualList: dn: cn=2000,ou=certificateRepository,ou=ca,o=ipaca
> >> 2021-08-18 16:42:16 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] SEVERE: Operation Error - class netscape.ldap.LDAPException cannot be cast to class netscape.ldap.LDAPEntry (netscape.ldap.LDAPException and netscape.ldap.LDAPEntry are in unnamed module of loader java.net.URLClassLoader @5fcfe4b2)
> >> java.lang.ClassCastException: class netscape.ldap.LDAPException cannot be cast to class netscape.ldap.LDAPEntry (netscape.ldap.LDAPException and netscape.ldap.LDAPEntry are in unnamed module of loader java.net.URLClassLoader @5fcfe4b2)
> >>     at com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:477)
> >>     at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:610)
> >>     at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:602)
> >>     at com.netscape.cmscore.dbs.DBVirtualList.getElementAt(DBVirtualList.java:754)
> >>     at com.netscape.cmscore.dbs.CertRecordList.getCertRecord(CertRecordList.java:110)
> >>     at org.dogtagpki.server.ca.rest.CertService.searchCerts(CertService.java:474)
> >>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >>     at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> >>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
> >>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
> >>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
> >>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
> >>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
> >>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
> >>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
> >>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> >>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
> >>     at jdk.internal.reflect.GeneratedMethodAccessor55.invoke(Unknown Source)
> >>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >>     at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> >>     at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
> >>     at java.base/java.security.AccessController.doPrivileged(Native Method)
> >>     at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
> >>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
> >>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
> >>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:221)
> >>     at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:146)
> >>     at java.base/java.security.AccessController.doPrivileged(Native Method)
> >>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
> >>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
> >>     at jdk.internal.reflect.GeneratedMethodAccessor49.invoke(Unknown Source)
> >>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >>     at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> >>     at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
> >>     at java.base/java.security.AccessController.doPrivileged(Native Method)
> >>     at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
> >>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
> >>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
> >>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:187)
> >>     at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:146)
> >>     at java.base/java.security.AccessController.doPrivileged(Native Method)
> >>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
> >>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
> >>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
> >>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)
> >>     at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
> >>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
> >>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
> >>     at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
> >>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
> >>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357)
> >>     at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:433)
> >>     at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
> >>     at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893)
> >>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(N...
> >>     at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProce...
> >>     at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
> >>     at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
> >>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> >>     at java.base/java.lang.Thread.run(Thread.java:829)
> >>
> >> 2021-08-18 16:42:16 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] SEVERE: Unable to search for certificates: java.lang.ClassCastException: class netscape.ldap.LDAPException cannot be cast to class netscape.ldap.LDAPEntry (netscape.ldap.LDAPException and netscape.ldap.LDAPEntry are in unnamed module of loader java.net.URLClassLoader @5fcfe4b2)
> >> java.lang.RuntimeException: java.lang.ClassCastException: class netscape.ldap.LDAPException cannot be cast to class netscape.ldap.LDAPEntry (netscape.ldap.LDAPException and netscape.ldap.LDAPEntry are in unnamed module of loader java.net.URLClassLoader @5fcfe4b2)
> >>     at com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:523)
> >>     at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:610)
> >>     at com.netscape.cmscore.dbs.DBVirtualList.getPage(DBVirtualList.java:602)
> >>     at com.netscape.cmscore.dbs.DBVirtualList.getElementAt(DBVirtualList.java:754)
> >>     at com.netscape.cmscore.dbs.CertRecordList.getCertRecord(CertRecordList.java:110)
> >>     at org.dogtagpki.server.ca.rest.CertService.searchCerts(CertService.java:474)
> >>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >>     at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> >>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
> >>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
> >>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
> >>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
> >>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
> >>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
> >>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
> >>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> >>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> >>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
> >>     at jdk.internal.reflect.GeneratedMethodAccessor55.invoke(Unknown Source)
> >>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >>     at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> >>     at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
> >>     at java.base/java.security.AccessController.doPrivileged(Native Method)
> >>     at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
> >>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
> >>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
> >>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:221)
> >>     at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:146)
> >>     at java.base/java.security.AccessController.doPrivileged(Native Method)
> >>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
> >>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
> >>     at jdk.internal.reflect.GeneratedMethodAccessor49.invoke(Unknown Source)
> >>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >>     at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> >>     at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:280)
> >>     at java.base/java.security.AccessController.doPrivileged(Native Method)
> >>     at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
> >>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
> >>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
> >>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:187)
> >>     at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:146)
> >>     at java.base/java.security.AccessController.doPrivileged(Native Method)
> >>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
> >>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
> >>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
> >>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)
> >>     at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
> >>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
> >>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
> >>     at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
> >>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
> >>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357)
> >>     at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:433)
> >>     at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
> >>     at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893)
> >>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(N...
> >>     at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProce...
> >>     at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
> >>     at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
> >>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> >>     at java.base/java.lang.Thread.run(Thread.java:829)
> >> Caused by: java.lang.ClassCastException: class netscape.ldap.LDAPException cannot be cast to class netscape.ldap.LDAPEntry (netscape.ldap.LDAPException and netscape.ldap.LDAPEntry are in unnamed module of loader java.net.URLClassLoader @5fcfe4b2)
> >>     at com.netscape.cmscore.dbs.DBVirtualList.getEntries(DBVirtualList.java:477)
> >>     ... 62 more
> >>
> >>
> >>
> >> _______________________________________________
> >> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> >> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> >> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> >> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
> >>