[Freeipa-users] ipa-server-certinstall ruined pki-tomcatd startup

Rob Crittenden rcritten at redhat.com
Thu Aug 15 12:58:57 UTC 2013


Vladimir Kulev wrote:
> Hello,
>
> After installing FreeIPA I followed instructions from
> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP to
> use globally trusted certificates for HTTP/LDAP server interface to
> secure other systems provisioning.

What version of IPA?

> Then it went out that pki-tomcatd is not able to start anymore because
> of this:
> | NFO: Deploying web application directory
> /var/lib/pki/pki-tomcat/webapps/ca
> | SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
> | SSLAuthenticatorWithFallback: Setting container
> | SSLAuthenticatorWithFallback: Initializing authenticators
> | SSLAuthenticatorWithFallback: Starting authenticators
> | 01:48:31,313 DEBUG
> (org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to
> retrieve ServletContext: expandEntityReferences defaults to true
> | 01:48:31,320 DEBUG
> (org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to
> retrieve ServletContext: expandEntityReferences defaults to true
> | Internal Database Error encountered: Could not connect to LDAP server
> host ipa.mydomain.com port 636 Error
> netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>
> Meanwhile dirsrv tells me "Peer does not recognize and trust the CA that
> issued your certificate."
>
> I tried to fix trust by adding various certificates with certutil
> to /etc/dirsrv/slapd/ and /etc/pki/pki-tomcat/alias/, but nothing
> helped. Does anyone have a suggestion how to fix the situation?

You shouldn't need to change anything on the 389-ds side assuming it 
trusts its own CA properly.

You should just need to add the CA that signed the 389-ds cert to dogtag 
and restart. What is the full certutil command you are using?

rob
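Added example, not part of Rob's reply or of FreeIPA/dogtag itself: a POSIX shell script that does what the reply describes for the dogtag side, namely import the CA that signed the 389-ds certificate into the pki-tomcat NSS database with certutil, check in the `certutil -L` listing that the CA carries the "C" (trusted CA for SSL) flag, and restart pki-tomcatd. The database path /etc/pki/pki-tomcat/alias comes from the thread; the CA PEM path, the nickname "External CA" and the systemd unit name pki-tomcatd@pki-tomcat.service are assumptions, and the listing used for the offline check is constructed sample output.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the FreeIPA project).
# Import the CA that signed the 389-ds server cert into dogtag's NSS DB,
# verify its trust flags, and restart the CA. Paths/names below are assumptions.

NSSDB="${NSSDB:-/etc/pki/pki-tomcat/alias}"    # NSS DB named in the thread
CA_PEM="${CA_PEM:-/root/external-ca.pem}"       # placeholder: CA cert in PEM
CA_NICK="${CA_NICK:-External CA}"               # placeholder nickname
PKI_UNIT="${PKI_UNIT:-pki-tomcatd@pki-tomcat.service}"  # assumed unit name

# Import the CA with trust "CT,C,C": trusted CA for SSL server/client auth,
# S/MIME and object signing. Only the first field matters for the LDAPS hop.
import_ca() {
    certutil -A -d "$1" -n "$2" -t "CT,C,C" -i "$3"
}

# Read a 'certutil -L' listing on stdin and return 0 only if the line for the
# nickname in $1 carries the C flag in the SSL trust field (first of three).
ca_is_trusted() {
    awk -v nick="$1" '
        # Listing lines look like: "<nickname>   <ssl>,<email>,<objsign>"
        $0 ~ "^" nick "[ \t]+[pPcCTuw,]+$" {
            split($NF, f, ",")
            if (f[1] ~ /C/) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Constructed sample of 'certutil -L -d /etc/pki/pki-tomcat/alias' output
# (nicknames resemble a default dogtag DB; the last line is the imported CA).
SAMPLE_LISTING='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                     CTu,Cu,Cu
Server-Cert cert-pki-ca                       u,u,u
External CA                                   CT,C,C'

case "${1:-}" in
    --apply)
        # Live path: needs root and a real CA PEM file.
        import_ca "$NSSDB" "$CA_NICK" "$CA_PEM"
        if certutil -L -d "$NSSDB" | ca_is_trusted "$CA_NICK"; then
            echo "CA '$CA_NICK' trusted in $NSSDB, restarting $PKI_UNIT"
            systemctl restart "$PKI_UNIT"
        else
            echo "CA '$CA_NICK' not trusted for SSL in $NSSDB" >&2
            exit 1
        fi
        ;;
    *)
        # Offline demonstration against the constructed listing.
        if printf '%s\n' "$SAMPLE_LISTING" | ca_is_trusted "$CA_NICK"; then
            echo "sample listing: '$CA_NICK' has the C flag for SSL"
        else
            echo "sample listing: '$CA_NICK' lacks the C flag for SSL"
        fi
        ;;
esac
```

Run it with no arguments to exercise the check against the sample listing; `--apply` performs the import, the check and the restart on a real server. A certificate whose SSL field is only "u" (the server's own key, as in the Server-Cert line) is deliberately reported as not trusted, which is the state the thread's "IO Error creating JSS SSL Socket" suggests for the new LDAP certificate's issuer.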
