[Freeipa-users] Yum update broke CA/CS - pki-tomcatd not starting
Jani West
jwest at iki.fi
Fri Dec 11 09:07:25 UTC 2015
Hello,
Seems like I indeed have expired certs. The problem is how I can renew
these.
I tried to do:
---------------
[root at ipa1 ca]# systemctl restart dirsrv.target
[root at ipa1 ca]# ipa-cacert-manage renew
Renewing CA certificate, please wait
Error resubmitting certmonger request '20150814121620', please check the
request manually
---------------
I still have old certs:
Request ID '20150814121606':
	status: CA_WORKING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='654666959930'
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
	subject: CN=CA Audit,O=PLANWEE.LOCAL
	expires: 2015-09-29 20:22:26 UTC
	key usage: digitalSignature,nonRepudiation
	pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20150814121614':
	status: CA_WORKING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='654666959930'
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
	subject: CN=OCSP Subsystem,O=PLANWEE.LOCAL
	expires: 2015-09-29 20:22:25 UTC
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	eku: id-kp-OCSPSigning
	pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20150814121618':
	status: CA_WORKING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='654666959930'
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
	subject: CN=CA Subsystem,O=PLANWEE.LOCAL
	expires: 2015-09-29 20:22:25 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20150814121621':
	status: CA_WORKING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
	subject: CN=IPA RA,O=PLANWEE.LOCAL
	expires: 2015-09-29 20:23:10 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes
On 12/11/2015 10:23 AM, Martin Kosek wrote:
> On 12/11/2015 08:31 AM, Jani West wrote:
>> Hello,
>>
>> Pki-tomcatd seems to have difficulties when connecting to CA. LDAP
>> server is starting ok when starting it directly with "systemctl start
>> dirsrv.target".
>>
>> When starting "systemctl start ipa" everything else will start up except
>> the pki-tomcatd.
>>
>> Obviously the same thing happens when starting with ipactl directly:
>> [root at ipa1 ca]# ipactl start
>> Existing service file detected!
>> Assuming stale, cleaning and proceeding
>> Starting Directory Service
>> Starting krb5kdc Service
>> Starting kadmin Service
>> Starting named Service
>> Starting ipa_memcached Service
>> Starting httpd Service
>> Starting pki-tomcatd Service
>> Failed to start pki-tomcatd Service
>> Shutting down
>> Aborting ipactl
>>
>>
>> /var/log/pki/pki-tomcat/localhost.2015-12-11.log
>> SEVERE: Servlet.service() for servlet [caGetStatus] in context with
>> path [/ca]
>> threw exception java.io.IOException: CS server is not ready to serve.
>>
>>
>> /var/log/dirsrv/slapd-PLANWEE-LOCAL/errors
>> [11/Dec/2015:01:02:19 +0200] - slapd started. Listening on All
>> Interfaces port
>> 389 for LDAP requests
>> [11/Dec/2015:01:02:19 +0200] - Listening on All Interfaces port 636 for
>> LDAPS requests
>> [11/Dec/2015:01:02:19 +0200] - Listening on
>> /var/run/slapd-PLANWEE-LOCAL.socket
>> for LDAPI requests
>> [11/Dec/2015:01:02:19 +0200] slapd_ldap_sasl_interactive_bind - Error:
>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
>> -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint
>> is not
>> connected)
>> [11/Dec/2015:01:02:19 +0200] slapi_ldap_bind - Error: could not perform
>> interactive bind for id [] authentication mechanism [GSSAPI]: error -1
>> (Can't contact LDAP server)
>>
>> /var/log/pki/pki-tomcat/ca/debug
>> Internal Database Error encountered: Could not connect to LDAP server
>> host ipa1.backend.planwee.local port 636 Error
>> netscape.ldap.LDAPException: IO
>> Error creating JSS SSL Socket (-1)
>>
>> Environment:
>> CentOS 7
>> IPA 4.1
>>
>> The problem looks the same as this:
>> https://access.redhat.com/solutions/2022123
>>
>> Unfortunately I cannot view resolution.
>>
>> Is this related to expired CA certificates?
>
> If you have expired certificates (you can check with "# getcert list |
> grep expires"), it could cause issues like that also.
>
> The article you are referring to is rather around wrong CA certificate
> trust attributes in /var/lib/pki/pki-tomcat/alias/ or
> /etc/dirsrv/slapd-EXAMPLE-COM/ NSS databases.
>
> You can check that with
> # certutil -L -d /var/lib/pki/pki-tomcat/alias/
> # certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM/
>
> BTW, if you want to see the whole article or other articles from the
> large KB, I would suggest getting a subscription :-)
--
-- Jani West -- jwest at iki.fi -- +358 40 5010914 --
-- Liinalahdentie 4 -- 01800 KLAUKKALA -- FINLAND --
"I would like Finland to be much more multicultural.
Many people come here from elsewhere, but they are not
given enough visibility. Somehow we keep them behind the curtains.
It is important that Finland becomes open and tolerant.
A closed way of thinking is Finland's problem. Perhaps we
fear demonstrations like those there have been in the
suburbs of Sweden, and that something terrible will happen.
People do not understand that immigrants can also bring
a lot of good to Finland. I would hope the government
listens to the whole nation, including people from other
cultures. The government should fund and support the
internationalisation of Finland more. Parliament, too, could
listen to immigrants more."
HS 8.6.2013: Essi, 16, Etu-Töölön lukio.
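As an added example (not code from this thread or from FreeIPA), a shell helper that does what Martin's "getcert list | grep expires" check does, but groups the result per tracking request so each expired certificate is reported together with its certmonger status and NSS nickname. The sample output is constructed from two of the entries posted above plus one made-up, still-valid entry; it assumes certmonger prints "expires:" as "YYYY-MM-DD HH:MM:SS UTC", as it does above.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): group `getcert list` output per
# tracking request and report the ones whose certificate has already expired.
# Assumes the "expires:" field is "YYYY-MM-DD HH:MM:SS UTC" (as posted above),
# so timestamps compare correctly as plain strings, no date(1) needed.

# Constructed sample: two entries trimmed from the post plus one made-up,
# still-valid entry to show that it is filtered out.
sample_getcert_output() {
cat <<'EOF'
Request ID '20150814121606':
	status: CA_WORKING
	stuck: no
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	expires: 2015-09-29 20:22:26 UTC
Request ID '20150814121621':
	status: CA_WORKING
	stuck: no
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
	expires: 2015-09-29 20:23:10 UTC
Request ID '20150814121699':
	status: MONITORING
	stuck: no
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	expires: 2017-08-14 12:16:20 UTC
EOF
}

# report_expired_certs NOW  (reads `getcert list` output on stdin)
# Prints one line per expired request: ID, status, expiry, nickname.
report_expired_certs() {
	awk -v now="$1" -v q="'" '
		function emit() {
			if (id != "" && expires != "" && expires < now)
				print id, status, expires, "nickname=" nick
			id = ""; status = ""; expires = ""; nick = ""
		}
		/^Request ID/         { emit(); id = $3; gsub(/[^0-9]/, "", id); next }
		/^[ \t]*status:/      { status = $2 }
		/^[ \t]*expires:/     { expires = $2 " " $3 " " $4 }
		/^[ \t]*certificate:/ {
			if (match($0, "nickname=" q "[^" q "]*" q))
				nick = substr($0, RSTART + 10, RLENGTH - 11)
		}
		END { emit() }
	'
}

# Stand-alone run against the constructed sample, dated as the post was:
sample_getcert_output | report_expired_certs "2015-12-11 09:07:25 UTC"
```

On a live master, replace the sample with `getcert list | report_expired_certs "$(date -u '+%Y-%m-%d %H:%M:%S UTC')"`; any CA_WORKING line it prints is a request certmonger does not consider stuck but cannot complete while the CA itself is down.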