[Freeipa-users] Yum update broke CA/CS - pki-tomcatd not starting

Jani West jwest at iki.fi
Fri Dec 11 19:54:47 UTC 2015


Hello,

Seems like I indeed have expired certs. The problem is, how can I renew 
these?

I tried to do:
---------------
[root at ipa1 ca]# systemctl restart dirsrv.target
[root at ipa1 ca]# ipa-cacert-manage renew
Renewing CA certificate, please wait
Error resubmitting certmonger request '20150814121620', please check the 
request manually
---------------

I still have old certs:

Request ID '20150814121606':
     status: CA_WORKING
     stuck: no
     key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin='654666959930'
     certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB'
     CA: dogtag-ipa-ca-renew-agent
     issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
     subject: CN=CA Audit,O=PLANWEE.LOCAL
     expires: 2015-09-29 20:22:26 UTC
     key usage: digitalSignature,nonRepudiation
     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert 
"auditSigningCert cert-pki-ca"
     track: yes
     auto-renew: yes
Request ID '20150814121614':
     status: CA_WORKING
     stuck: no
     key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS 
Certificate DB',pin='654666959930'
     certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS 
Certificate DB'
     CA: dogtag-ipa-ca-renew-agent
     issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
     subject: CN=OCSP Subsystem,O=PLANWEE.LOCAL
     expires: 2015-09-29 20:22:25 UTC
     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
     eku: id-kp-OCSPSigning
     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert 
"ocspSigningCert cert-pki-ca"
     track: yes
     auto-renew: yes
Request ID '20150814121618':
     status: CA_WORKING
     stuck: no
     key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB',pin='654666959930'
     certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB'
     CA: dogtag-ipa-ca-renew-agent
     issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
     subject: CN=CA Subsystem,O=PLANWEE.LOCAL
     expires: 2015-09-29 20:22:25 UTC
     key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
     eku: id-kp-serverAuth,id-kp-clientAuth
     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert 
"subsystemCert cert-pki-ca"
     track: yes
     auto-renew: yes
Request ID '20150814121621':
     status: CA_WORKING
     stuck: no
     key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
     certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
Certificate DB'
     CA: dogtag-ipa-ca-renew-agent
     issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
     subject: CN=IPA RA,O=PLANWEE.LOCAL
     expires: 2015-09-29 20:23:10 UTC
     key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
     eku: id-kp-serverAuth,id-kp-clientAuth
     pre-save command:
     post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
     track: yes
     auto-renew: yes

On 12/11/2015 10:23 AM, Martin Kosek wrote:
> On 12/11/2015 08:31 AM, Jani West wrote:
>> Hello,
>>
>> Pki-tomcatd seems to have difficulties when connecting to CA. LDAP
>> server is starting ok when starting it directly with "systemctl start
>> dirsrv.target".
>>
>> When starting "systemctl start ipa" everything else will startup except
>> the
>> pki-tomcatd.
>>
>> Obviously same thing happens when starting with ipactl directly:
>> [root at ipa1 ca]# ipactl start
>> Existing service file detected!
>> Assuming stale, cleaning and proceeding
>> Starting Directory Service
>> Starting krb5kdc Service
>> Starting kadmin Service
>> Starting named Service
>> Starting ipa_memcached Service
>> Starting httpd Service
>> Starting pki-tomcatd Service
>> Failed to start pki-tomcatd Service
>> Shutting down
>> Aborting ipactl
>>
>>
>> /var/log/pki/pki-tomcat/localhost.2015-12-11.log
>> SEVERE: Servlet.service() for servlet [caGetStatus] in context with
>> path [/ca]
>> threw exception java.io.IOException: CS server is not ready to serve.
>>
>>
>> /var/log/dirsrv/slapd-PLANWEE-LOCAL/errors
>> [11/Dec/2015:01:02:19 +0200] - slapd started. Listening on All
>> Interfaces port
>> 389 for LDAP requests
>> [11/Dec/2015:01:02:19 +0200] - Listening on All Interfaces port 636 for
>> LDAPS requests
>> [11/Dec/2015:01:02:19 +0200] - Listening on
>> /var/run/slapd-PLANWEE-LOCAL.socket
>> for LDAPI requests
>> [11/Dec/2015:01:02:19 +0200] slapd_ldap_sasl_interactive_bind - Error:
>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
>> -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint
>> is not
>> connected)
>> [11/Dec/2015:01:02:19 +0200] slapi_ldap_bind - Error: could not perform
>> interactive bind for id [] authentication mechanism [GSSAPI]: error -1
>> (Can't contact LDAP server)
>>
>> /var/log/pki/pki-tomcat/ca/debug
>> Internal Database Error encountered: Could not connect to LDAP server
>> host ipa1.backend.planwee.local port 636 Error
>> netscape.ldap.LDAPException: IO
>> Error creating JSS SSL Socket (-1)
>>
>> Environment:
>> CentOS 7
>> IPA 4.1
>>
>> The problem looks the same as this:
>> https://access.redhat.com/solutions/2022123
>>
>> Unfortunately I cannot view resolution.
>>
>> is this related to expired CA certificates?
>
> If you have expired certificates (you can check with "# getcert list |
> grep expires"), it could cause issues like that also.
>
> The article you are referring to is rather around wrong CA certificate
> trust attributes in /var/lib/pki/pki-tomcat/alias/ or
> /etc/dirsrv/slapd-EXAMPLE-COM/ NSS databases.
>
> You can check that with
> # certutil -L -d /var/lib/pki/pki-tomcat/alias/
> # certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM/
>
> BTW, if you want to see the whole article or other articles from the
> large KB, I would suggest getting a subscription :-)


-- 
-- Jani West  --  jwest at iki.fi  --
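An added example, not part of the thread or of FreeIPA itself, that turns Martin's "getcert list | grep expires" suggestion into a repeatable check: it parses certmonger's `getcert list` output and reports every tracked request whose "expires" timestamp lies before a reference date. The sample input is a constructed, abbreviated copy of the output shape shown above; on a live server you would pipe `getcert list` in instead.

```shell
#!/bin/sh
# Constructed sample in the shape of `getcert list` output (abbreviated fields).
# One expired certificate still in CA_WORKING, one valid certificate in MONITORING.
sample_getcert_output() {
cat <<'EOF'
Request ID '20150814121606':
     status: CA_WORKING
     stuck: no
     subject: CN=CA Audit,O=PLANWEE.LOCAL
     expires: 2015-09-29 20:22:26 UTC
     track: yes
Request ID '20150814121621':
     status: MONITORING
     stuck: no
     subject: CN=IPA RA,O=PLANWEE.LOCAL
     expires: 2017-03-01 08:00:00 UTC
     track: yes
EOF
}

# Read getcert output on stdin and print "<request id> <status> <subject> expires=<ts>"
# for every request whose expiry is before $1 ("YYYY-MM-DD HH:MM:SS", UTC).
# getcert prints ISO-style UTC timestamps, so a plain string comparison orders
# them correctly and no `date` parsing is needed.
expired_requests() {
    awk -v now="$1" '
        /^Request ID/        { id = $3; gsub(/[^0-9]/, "", id) }
        /^[ \t]+status:/     { st = $2 }
        /^[ \t]+subject:/    { sub(/^[ \t]+subject: /, ""); subj = $0 }
        /^[ \t]+expires:/    {
            ex = $2 " " $3
            if (ex < now)
                printf "%s\t%s\t%s\texpires=%s\n", id, st, subj, ex
        }'
}

# Count expired requests in the constructed sample as of the given reference date.
# On a real server: getcert list | expired_requests "$(date -u '+%Y-%m-%d %H:%M:%S')"
count_expired() {
    sample_getcert_output | expired_requests "$1" | wc -l | tr -d ' '
}

# Reference date: the day this message was posted (constructed usage).
count_expired '2015-12-11 19:54:47'
```

Any request listed here is a candidate for `ipa-cacert-manage renew` or `getcert resubmit -i <id>`, and a status of CA_WORKING on an already expired certificate is the renewal stall the thread is about.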
