[Freeipa-users] ipa-server-certinstall ruined pki-tomcatd startup

Rob Crittenden rcritten at redhat.com
Thu Aug 15 15:23:24 UTC 2013


Vladimir Kulev wrote:
>
> On Thu, Aug 15, 2013 at 3:58 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>     Vladimir Kulev wrote:
>
>         Hello,
>
>         After installing FreeIPA I followed instructions from
>         http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>         to
>         use globally trusted certificates for HTTP/LDAP server interface to
>         secure other systems provisioning.
>
>
>     What version of IPA?
>
>
> FreeIPA version is 3.2.2-1.fc19, the latest for Fedora 19
>
>
>         Then it went out that pki-tomcatd is not able to start anymore
>         because
>         of this:
>         | NFO: Deploying web application directory
>         /var/lib/pki/pki-tomcat/webapps/ca
>         | SSLAuthenticatorWithFallback: Creating SSL authenticator with
>         fallback
>         | SSLAuthenticatorWithFallback: Setting container
>         | SSLAuthenticatorWithFallback: Initializing authenticators
>         | SSLAuthenticatorWithFallback: Starting authenticators
>         | 01:48:31,313 DEBUG
>         (org.jboss.resteasy.plugins.providers.DocumentProvider:60) -
>         Unable to
>         retrieve ServletContext: expandEntityReferences defaults to true
>         | 01:48:31,320 DEBUG
>         (org.jboss.resteasy.plugins.providers.DocumentProvider:60) -
>         Unable to
>         retrieve ServletContext: expandEntityReferences defaults to true
>         | Internal Database Error encountered: Could not connect to LDAP
>         server
>         host ipa.mydomain.com port 636 Error
>
>         netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>
>         Meanwhile dirsrv tells me "Peer does not recognize and trust the
>         CA that
>         issued your certificate."
>
>         I tried to fix trust by adding various certificates with certutil
>         to /etc/dirsrv/slapd/ and /etc/pki/pki-tomcat/alias/, but nothing
>         helped. Does anyone have a suggestion how to fix the situation?
>
>
>     You shouldn't need to change anything on the 389-ds side assuming it
>     trusts its own CA properly.
>
>     You should just need to add the CA that signed the 389-ds cert to
>     dogtag and restart. What is full certutil command you are using?
>
>
> Here is a command:
> certutil -d sql:/etc/pki/pki-tomcat/alias/ -A -t "CT,C,C" -n "External
> CA" -i /root/ca.pem
>
> Also I tried to add intermediate CA with the following:
> certutil -d sql:/etc/pki/pki-tomcat/alias/ -A -t ",," -n "External Sub
> CA" -i /root/sub.pem
>
> External CA file is correct, I verified it with "openssl s_client
> -CAfile /root/ca.pem -connect ipa.mydomain.com:636"

You should drop the sql prefix. This is creating a new cert and key 
database (you'll see a new cert9 and key4.db there). I don't believe 
that dogtag uses the sql prefix yet so it won't see the new certs you added.

You should also set the trust flags on all intermediate certs as well.

rob
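The two points in Rob's reply (use the database format dogtag actually reads, and give every intermediate the same CA trust flags as the root) can be wrapped in a small script. This is an added example, not code from the thread or from FreeIPA/dogtag; it assumes NSS `certutil` is installed and reuses the paths from the thread (/etc/pki/pki-tomcat/alias, /root/ca.pem, /root/sub.pem). The nicknames "External CA" and "External Sub CA 1" are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project).
# Imports an external CA chain into an NSS database, choosing the certutil
# -d argument from the files actually present in the directory.
# Assumed paths: /etc/pki/pki-tomcat/alias, /root/ca.pem, /root/sub.pem.

CERTUTIL="${CERTUTIL:-certutil}"

# Print the -d argument certutil must use for a directory.
# cert8.db/key3.db is the legacy (dbm) format that pki-tomcatd reads in this
# thread; cert9.db/key4.db is the sqlite format selected by the "sql:" prefix.
# Passing "sql:" for a legacy directory creates a second, empty database
# next to the real one, so the imported certs are never seen by dogtag.
nss_db_arg() {
    dir="$1"
    if [ -f "$dir/cert9.db" ] && [ ! -f "$dir/cert8.db" ]; then
        printf 'sql:%s\n' "$dir"
    else
        printf '%s\n' "$dir"
    fi
}

# True when both formats coexist: a leftover cert9.db/key4.db beside
# cert8.db/key3.db is the fingerprint of an import done with the wrong prefix.
nss_db_is_mixed() {
    dir="$1"
    [ -f "$dir/cert8.db" ] && [ -f "$dir/cert9.db" ]
}

# Import the root CA and every intermediate with CA trust flags ("CT,C,C"),
# so JSS will trust the chain that signed the 389-ds server certificate.
# An intermediate imported with ",," (no trust) does not complete the chain.
# Args: dbdir nickname-prefix root.pem [intermediate.pem ...]
import_ca_chain() {
    dir="$1"; prefix="$2"; shift 2
    dbarg=$(nss_db_arg "$dir")
    n=0
    for pem in "$@"; do
        if [ "$n" -eq 0 ]; then nick="$prefix CA"; else nick="$prefix Sub CA $n"; fi
        "$CERTUTIL" -d "$dbarg" -A -t "CT,C,C" -n "$nick" -i "$pem" || return 1
        n=$((n + 1))
    done
    # List the database so the trust column can be checked by eye.
    "$CERTUTIL" -d "$dbarg" -L
}

# Usage (as root, then restart pki-tomcatd):
#   sh import-ca-chain.sh /etc/pki/pki-tomcat/alias External /root/ca.pem /root/sub.pem
if [ "$#" -ge 3 ]; then
    if nss_db_is_mixed "$1"; then
        echo "warning: $1 holds both cert8.db and cert9.db; a stray sql: import may exist" >&2
    fi
    import_ca_chain "$@"
fi
```

After the import, `certutil -d /etc/pki/pki-tomcat/alias -L` should list both CA entries with `CT,C,C` in the trust column; if a stray `cert9.db`/`key4.db` pair was created by the earlier `sql:` attempt, it is harmless to dogtag but worth deleting to avoid confusion later.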
