[Freeipa-users] ipa-server-certinstall ruined pki-tomcatd startup

Vladimir Kulev me at lightoze.net
Thu Aug 15 13:24:30 UTC 2013


On Thu, Aug 15, 2013 at 3:58 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Vladimir Kulev wrote:
>
>> Hello,
>>
>> After installing FreeIPA I followed instructions from
>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP to
>> use globally trusted certificates for HTTP/LDAP server interface to
>> secure other systems provisioning.
>>
>
> What version of IPA?
>

FreeIPA version is 3.2.2-1.fc19, the latest for Fedora 19.


>
>> Then it turned out that pki-tomcatd is not able to start anymore because
>> of this:
>> | INFO: Deploying web application directory
>> /var/lib/pki/pki-tomcat/webapps/ca
>> | SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
>> | SSLAuthenticatorWithFallback: Setting container
>> | SSLAuthenticatorWithFallback: Initializing authenticators
>> | SSLAuthenticatorWithFallback: Starting authenticators
>> | 01:48:31,313 DEBUG
>> (org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to
>> retrieve ServletContext: expandEntityReferences defaults to true
>> | 01:48:31,320 DEBUG
>> (org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to
>> retrieve ServletContext: expandEntityReferences defaults to true
>> | Internal Database Error encountered: Could not connect to LDAP server
>> host ipa.mydomain.com port 636 Error
>>
>> netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>>
>> Meanwhile dirsrv tells me "Peer does not recognize and trust the CA that
>> issued your certificate."
>>
>> I tried to fix trust by adding various certificates with certutil
>> to /etc/dirsrv/slapd/ and /etc/pki/pki-tomcat/alias/, but nothing
>> helped. Does anyone have a suggestion how to fix the situation?
>>
>
> You shouldn't need to change anything on the 389-ds side assuming it
> trusts its own CA properly.
>
> You should just need to add the CA that signed the 389-ds cert to dogtag
> and restart. What is the full certutil command you are using?


Here is the command:
certutil -d sql:/etc/pki/pki-tomcat/alias/ -A -t "CT,C,C" -n "External CA" -i /root/ca.pem

Also I tried to add the intermediate CA with the following:
certutil -d sql:/etc/pki/pki-tomcat/alias/ -A -t ",," -n "External Sub CA" -i /root/sub.pem

The external CA file is correct; I verified it with "openssl s_client -CAfile /root/ca.pem -connect ipa.mydomain.com:636".


-- 

Best regards,

Vladimir Kulev


Mobile: +358400369346, +79215554422

Jabber: me at lightoze.net

Skype: lightoze
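The error quoted above ("Peer does not recognize and trust the CA that issued your certificate") is what a TLS peer reports when it holds the root CA but not the intermediate that actually signed the server certificate. The script below is an added example, not code from the thread or from the FreeIPA/Dogtag projects: it builds a throwaway root -> intermediate -> server chain with openssl in a temporary directory and then checks the server certificate with and without the intermediate, which is the offline check to run before importing anything into an NSS database. All names in it (Test Root CA, Test Sub CA, ldap.example.test) are made up for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): reproduce, offline, why a
# verifier that trusts only the root CA rejects a server certificate that was
# signed by a subordinate CA, and how supplying the intermediate fixes it.
# Every name below is constructed for the example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LDAP_HOST=ldap.example.test   # hypothetical LDAP server name

# Minimal openssl config carrying the extension sections we need.
cat > "$WORK/ext.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$LDAP_HOST
EOF

# Build root.pem (self-signed), sub.pem (signed by root) and server.pem (signed by sub).
make_chain() {
  cfg="$WORK/ext.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -config "$cfg" -extensions v3_ca -subj "/CN=Test Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cfg" \
    -subj "/CN=Test Sub CA" -keyout "$WORK/sub.key" -out "$WORK/sub.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 2 -in "$WORK/sub.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$cfg" -extensions v3_ca -out "$WORK/sub.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cfg" \
    -subj "/CN=$LDAP_HOST" -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 2 -in "$WORK/server.csr" \
    -CA "$WORK/sub.pem" -CAkey "$WORK/sub.key" -CAcreateserial \
    -extfile "$cfg" -extensions v3_server -out "$WORK/server.pem" >/dev/null 2>&1
}

# verify_chain TRUSTED LEAF [UNTRUSTED]
# Exit 0 when LEAF chains up to a certificate in TRUSTED; UNTRUSTED, if given,
# is used only as an intermediate, which is how a TLS peer treats the chain it is sent.
verify_chain() {
  if [ $# -ge 3 ] && [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# leaf_issuer FILE: print the issuer DN of a certificate, i.e. which CA must be
# present (and trusted, directly or via its own issuer) for it to verify.
leaf_issuer() {
  openssl x509 -in "$1" -noout -issuer
}

# print_chain FILE: subject/issuer of every certificate in a PEM bundle, the
# quickest way to see whether the file you are about to import is the right CA.
print_chain() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

make_chain
cat "$WORK/server.pem" "$WORK/sub.pem" "$WORK/root.pem" > "$WORK/full.pem"
echo "== certificates in the constructed chain =="
print_chain "$WORK/full.pem"

echo "== trust store holds only the root =="
if verify_chain "$WORK/root.pem" "$WORK/server.pem"; then
  echo "verified"
else
  echo "FAILED: $(leaf_issuer "$WORK/server.pem") is not known to the verifier"
fi

echo "== root trusted, intermediate supplied =="
if verify_chain "$WORK/root.pem" "$WORK/server.pem" "$WORK/sub.pem"; then
  echo "verified"
else
  echo "FAILED"
fi
```

Run against a real deployment, replace the constructed files with the root and intermediate PEMs you intend to import and with the server certificate fetched via `openssl s_client -showcerts`: if the second check only passes when the intermediate is supplied, the issuer printed by `leaf_issuer` is the CA that Dogtag's NSS database needs to know about, which is the question Rob raises above.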