[Freeipa-users] Full certificate renewal
Andrea Bontempi
abontempi at dbmsrl.com
Thu Dec 19 16:57:06 UTC 2013
What I want to do is a bit borderline :-)
The scenario is:
FreeIPA 3.0.0 (external-ca) with all certificates expired (also Root CA)
Certmonger can't proceed to automatically renew the certificates.
We can't release a certificate valid in the past (so we can't set the date in the past)
What I did:
I proceeded to replace all certificates in the various NSS DBs, including re-signing the certificates where needed.
It partially works: the FreeIPA instance comes back up, but not completely.
This is the issue:
[root at ipa config]# ipa cert-show
Serial number: 1
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
[root at ipa config]# getcert list
[...]
Request ID '20131115101732':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
stuck: yes
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DBMSRL.COM
subject: CN=ipa.intra.dbmsrl.com,O=INTRA.DBMSRL.COM
expires: 2014-03-19 11:01:14 UTC
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
track: yes
auto-renew: yes
Request ID '20131115101901':
status: NEED_CSR
ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm 'INTRA.DBMSRL.COM'.
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=INTRA.DBMSRL.COM
subject: CN=ipa.intra.dbmsrl.com,O=INTRA.DBMSRL.COM
expires: 2013-12-14 15:27:08 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
And in the pki-ca log I found this exception:
Failed to create jss service: java.lang.SecurityException: Unable to initialize security library
at com.netscape.cmscore.security.JssSubsystem.init(JssSubsystem.java:272)
at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:306)
at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
at org.apache.catalina.core.StandardService.start(StandardService.java:516)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:622)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
I have no idea what is missing; can someone help me?
Thank you
Andrea Bontempi
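An added diagnostic (example code written for this page, not part of the post or of FreeIPA/certmonger) that parses `getcert list` output and flags requests that are not in MONITORING, are stuck, are already expired at a given reference time, or whose issuer DN differs from the other tracked certificates, which is the case in the output above (O=DBMSRL.COM versus O=INTRA.DBMSRL.COM). The sample input is constructed from the two requests quoted in the post, trimmed to the fields the check uses.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the two tracking requests quoted above, trimmed to the fields used here.
SAMPLE = """\
Request ID '20131115101732':
status: CA_UNREACHABLE
stuck: yes
issuer: CN=Certificate Authority,O=DBMSRL.COM
expires: 2014-03-19 11:01:14 UTC
Request ID '20131115101901':
status: NEED_CSR
stuck: no
issuer: CN=Certificate Authority,O=INTRA.DBMSRL.COM
expires: 2013-12-14 15:27:08 UTC
"""

def parse_getcert(text):
    """Split `getcert list` output into one dict per 'Request ID' block."""
    requests, current = [], None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ": " in line:
            key, _, value = line.partition(": ")
            current[key] = value
    return requests

def audit(requests, now):
    """Return {request_id: [problems]} for every request that needs attention."""
    issuers = {r.get("issuer") for r in requests}
    report = {}
    for r in requests:
        found = []
        if r.get("status") != "MONITORING":  # healthy tracked certs sit in MONITORING
            found.append("status=" + r.get("status", "?"))
        if r.get("stuck") == "yes":
            found.append("stuck")
        expires = datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
        if expires <= now:
            found.append("expired")
        if len(issuers) > 1:  # re-signed certs chain to different CA DNs
            found.append("issuer mismatch: " + r.get("issuer", "?"))
        if found:
            report[r["id"]] = found
    return report

def audit_sample():  # audit SAMPLE as of the post's date, 2013-12-19 16:57 UTC
    return audit(parse_getcert(SAMPLE), datetime(2013, 12, 19, 16, 57, 6, tzinfo=timezone.utc))
```

On a live host, feed it the real `getcert list` output and the current UTC time instead of SAMPLE and the fixed date.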