[Freeipa-users] Yum update broke CA/CS - pki-tomcatd not starting

Martin Kosek mkosek at redhat.com
Mon Dec 14 11:09:54 UTC 2015


ipa-cacert-manage only renews CA certificate. It does not fix expired CA
subsystem certificates (#getcert list), IIRC.

I think the process was:
- move system time to about 1-2 weeks before the oldest expired certificate
expiry time
- restart certmonger
- now certmonger itself should start renewing the certificates. Another
alternative is to resubmit them with "getcert resubmit" command and see the results
- when done, time can be moved back

Honza (CCed), if I missed anything, please let me know.

Martin

On 12/11/2015 08:54 PM, Jani West wrote:
> Hello,
> 
> Seems like I indeed have expired certs. The problem is, how I can renew these.
> 
> I tried to do:
> ---------------
> root at ipa1 ca]# systemctl restart dirsrv.target
> [root at ipa1 ca]# ipa-cacert-manage renew
> Renewing CA certificate, please wait
> Error resubmitting certmonger request '20150814121620', please check the
> request manually
> ---------------
> 
> I still have old certs:
> 
> 
> 
> Request ID '20150814121606':
>     status: CA_WORKING
>     stuck: no
>     key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin='654666959930'
>     certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
>     subject: CN=CA Audit,O=PLANWEE.LOCAL
>     expires: 2015-09-29 20:22:26 UTC
>     key usage: digitalSignature,nonRepudiation
>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20150814121614':
>     status: CA_WORKING
>     stuck: no
>     key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin='654666959930'
>     certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
>     subject: CN=OCSP Subsystem,O=PLANWEE.LOCAL
>     expires: 2015-09-29 20:22:25 UTC
>     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>     eku: id-kp-OCSPSigning
>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert
> cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20150814121618':
>     status: CA_WORKING
>     stuck: no
>     key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB',pin='654666959930'
>     certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
>     subject: CN=CA Subsystem,O=PLANWEE.LOCAL
>     expires: 2015-09-29 20:22:25 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert
> cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20150814121621':
>     status: CA_WORKING
>     stuck: no
>     key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
>     subject: CN=IPA RA,O=PLANWEE.LOCAL
>     expires: 2015-09-29 20:23:10 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>     track: yes
>     auto-renew: yes
> 
> On 12/11/2015 10:23 AM, Martin Kosek wrote:
>> On 12/11/2015 08:31 AM, Jani West wrote:
>>> Hello,
>>>
>>> Pki-tomcatd seems to have difficulties when connecting to CA. LDAP
>>> server is starting ok when starting it directly with "systemctl start
>>> dirsrv.target".
>>>
>>> When starting "systemctl start ipa" everything else will startup except
>>> the pki-tomcatd.
>>>
>>> Obviously same thing happens when starting with ipactl directly:
>>> [root at ipa1 ca]# ipactl start
>>> Existing service file detected!
>>> Assuming stale, cleaning and proceeding
>>> Starting Directory Service
>>> Starting krb5kdc Service
>>> Starting kadmin Service
>>> Starting named Service
>>> Starting ipa_memcached Service
>>> Starting httpd Service
>>> Starting pki-tomcatd Service
>>> Failed to start pki-tomcatd Service
>>> Shutting down
>>> Aborting ipactl
>>>
>>>
>>> /var/log/pki/pki-tomcat/localhost.2015-12-11.log
>>> SEVERE: Servlet.service() for servlet [caGetStatus] in context with
>>> path [/ca]
>>> threw exception java.io.IOException: CS server is not ready to serve.
>>>
>>>
>>> /var/log/dirsrv/slapd-PLANWEE-LOCAL/errors
>>> [11/Dec/2015:01:02:19 +0200] - slapd started. Listening on All
>>> Interfaces port
>>> 389 for LDAP requests
>>> [11/Dec/2015:01:02:19 +0200] - Listening on All Interfaces port 636 for
>>> LDAPS requests
>>> [11/Dec/2015:01:02:19 +0200] - Listening on
>>> /var/run/slapd-PLANWEE-LOCAL.socket
>>> for LDAPI requests
>>> [11/Dec/2015:01:02:19 +0200] slapd_ldap_sasl_interactive_bind - Error:
>>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
>>> -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint
>>> is not
>>> connected)
>>> [11/Dec/2015:01:02:19 +0200] slapi_ldap_bind - Error: could not perform
>>> interactive bind for id [] authentication mechanism [GSSAPI]: error -1
>>> (Can't contact LDAP server)
>>>
>>> /var/log/pki/pki-tomcat/ca/debug
>>> Internal Database Error encountered: Could not connect to LDAP server
>>> host ipa1.backend.planwee.local port 636 Error
>>> netscape.ldap.LDAPException: IO
>>> Error creating JSS SSL Socket (-1)
>>>
>>> Environment:
>>> CentOS 7
>>> IPA 4.1
>>>
>>> The problem looks the same as this:
>>> https://access.redhat.com/solutions/2022123
>>>
>>> Unfortunately I cannot view resolution.
>>>
>>> is this related to expired CA certificates?
>>
>> If you have expired certificates (you can check with "# getcert list |
>> grep expires"), it could cause issues like that also.
>>
>> The article you are referring to is rather around wrong CA certificate
>> trust attributes in /var/lib/pki/pki-tomcat/alias/ or
>> /etc/dirsrv/slapd-EXAMPLE-COM/ NSS databases.
>>
>> You can check that with
>> # certutil -L -d /var/lib/pki/pki-tomcat/alias/
>> # certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM/
>>
>> BTW, if you want to see the whole article or other articles from the
>> large KB, I would suggest getting a subscription :-)
> 
> 

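The recipe in Martin's reply (list the tracking requests, find the ones that have already expired, set the clock back to about two weeks before the oldest expiry, then let certmonger renew or resubmit each request) as an added Python helper. This is not code from the thread or from FreeIPA/certmonger; the sample `getcert list` text is constructed from the output quoted above, `REFERENCE_NOW` is the thread date, and the 14-day lead is an assumed value inside the 1-2 week window Martin describes.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample in `getcert list` format, modelled on the thread's output
# (two of its four requests; real output keeps each field on one line).
SAMPLE_GETCERT_OUTPUT = """\
Request ID '20150814121606':
    status: CA_WORKING
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    expires: 2015-09-29 20:22:26 UTC
    track: yes
Request ID '20150814121621':
    status: CA_WORKING
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    expires: 2015-09-29 20:23:10 UTC
    pre-save command:
    track: yes
"""
REFERENCE_NOW = datetime(2015, 12, 11, tzinfo=timezone.utc)  # date of the thread (assumed "now")

def parse_getcert_list(text):
    """One dict per 'Request ID' block; 'expires' becomes an aware UTC datetime."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '(\d+)':", line)
        if m:
            requests.append({"id": m.group(1)})
            continue
        key, sep, value = line.strip().partition(": ")
        if not requests or not sep:
            continue  # skip the header line and empty fields such as 'pre-save command:'
        if key == "expires":  # certmonger prints e.g. '2015-09-29 20:22:26 UTC'
            value = datetime.strptime(value[:19], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        elif key == "key pair storage":  # keep only the NSS nickname
            key, value = "nickname", re.search(r"nickname='([^']*)'", value).group(1)
        requests[-1][key] = value
    return requests

def plan_renewal(requests, now, lead=timedelta(days=14)):
    """Thread's recipe: clock target = `lead` before the oldest cert already expired at
    `now` (aware datetime or ISO string); one `getcert resubmit -i <id>` per expired cert."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    expired = sorted((r for r in requests if "expires" in r and r["expires"] <= now),
                     key=lambda r: r["expires"])
    if not expired:
        return None, []
    cmds = ["getcert resubmit -i %s  # %s" % (r["id"], r["nickname"]) for r in expired]
    return expired[0]["expires"] - lead, cmds
```

On a live server you would feed the real `getcert list` output in place of the constructed sample, set the clock to the returned target before restarting certmonger, and run the resubmit lines only for requests certmonger has not renewed on its own.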