[Freeipa-users] Yum update broke CA/CS - pki-tomcatd not starting

Jan Cholasta jcholast at redhat.com
Mon Dec 14 11:13:59 UTC 2015


Hi,

On 14.12.2015 12:09, Martin Kosek wrote:
> ipa-cacert-manage only renews CA certificate. It does not fix expired CA
> subsystem certificates (#getcert list), IIRC.

Correct.

>
> I think the process was:
> - move system time to about 1-2 weeks before the oldest expired certificate
> expiry time
> - restart certmonger
> - now certmonger itself should start renewing the certificates. Other
> alternative is to resubmit them with "getcert resubmit" command and see the results
> - when done, time can be moved back
>
> Honza (CCed), if I missed anything, please let me know.

This should work.

>
> Martin
>
> On 12/11/2015 08:54 PM, Jani West wrote:
>> Hello,
>>
>> Seems like I indeed have expired certs. The problem is, how I can renew these.
>>
>> I tried to do:
>> ---------------
>> [root at ipa1 ca]# systemctl restart dirsrv.target
>> [root at ipa1 ca]# ipa-cacert-manage renew
>> Renewing CA certificate, please wait
>> Error resubmitting certmonger request '20150814121620', please check the
>> request manually
>> ---------------
>>
>> I still have old certs:
>>
>>
>>
>> Request ID '20150814121606':
>>      status: CA_WORKING
>>      stuck: no
>>      key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate DB',pin='654666959930'
>>      certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>>      CA: dogtag-ipa-ca-renew-agent
>>      issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
>>      subject: CN=CA Audit,O=PLANWEE.LOCAL
>>      expires: 2015-09-29 20:22:26 UTC
>>      key usage: digitalSignature,nonRepudiation
>>      pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>      post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> "auditSigningCert cert-pki-ca"
>>      track: yes
>>      auto-renew: yes
>> Request ID '20150814121614':
>>      status: CA_WORKING
>>      stuck: no
>>      key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate DB',pin='654666959930'
>>      certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>>      CA: dogtag-ipa-ca-renew-agent
>>      issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
>>      subject: CN=OCSP Subsystem,O=PLANWEE.LOCAL
>>      expires: 2015-09-29 20:22:25 UTC
>>      key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>      eku: id-kp-OCSPSigning
>>      pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>      post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert
>> cert-pki-ca"
>>      track: yes
>>      auto-renew: yes
>> Request ID '20150814121618':
>>      status: CA_WORKING
>>      stuck: no
>>      key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>> cert-pki-ca',token='NSS Certificate DB',pin='654666959930'
>>      certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>> cert-pki-ca',token='NSS Certificate DB'
>>      CA: dogtag-ipa-ca-renew-agent
>>      issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
>>      subject: CN=CA Subsystem,O=PLANWEE.LOCAL
>>      expires: 2015-09-29 20:22:25 UTC
>>      key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>      eku: id-kp-serverAuth,id-kp-clientAuth
>>      pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>      post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert
>> cert-pki-ca"
>>      track: yes
>>      auto-renew: yes
>> Request ID '20150814121621':
>>      status: CA_WORKING
>>      stuck: no
>>      key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>      certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>> Certificate DB'
>>      CA: dogtag-ipa-ca-renew-agent
>>      issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
>>      subject: CN=IPA RA,O=PLANWEE.LOCAL
>>      expires: 2015-09-29 20:23:10 UTC
>>      key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>      eku: id-kp-serverAuth,id-kp-clientAuth
>>      pre-save command:
>>      post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>      track: yes
>>      auto-renew: yes
>>
>> On 12/11/2015 10:23 AM, Martin Kosek wrote:
>>> On 12/11/2015 08:31 AM, Jani West wrote:
>>>> Hello,
>>>>
>>>> Pki-tomcatd seems to have difficulties when connecting to CA. LDAP
>>>> server is starting ok when starting it directly with "systemctl start
>>>> dirsrv.target".
>>>>
>>>> When starting "systemctl start ipa" everything else will start up except
>>>> the pki-tomcatd.
>>>>
>>>> Obviously same thing happens when starting with ipactl directly:
>>>> [root at ipa1 ca]# ipactl start
>>>> Existing service file detected!
>>>> Assuming stale, cleaning and proceeding
>>>> Starting Directory Service
>>>> Starting krb5kdc Service
>>>> Starting kadmin Service
>>>> Starting named Service
>>>> Starting ipa_memcached Service
>>>> Starting httpd Service
>>>> Starting pki-tomcatd Service
>>>> Failed to start pki-tomcatd Service
>>>> Shutting down
>>>> Aborting ipactl
>>>>
>>>>
>>>> /var/log/pki/pki-tomcat/localhost.2015-12-11.log
>>>> SEVERE: Servlet.service() for servlet [caGetStatus] in context with
>>>> path [/ca]
>>>> threw exception java.io.IOException: CS server is not ready to serve.
>>>>
>>>>
>>>> /var/log/dirsrv/slapd-PLANWEE-LOCAL/errors
>>>> [11/Dec/2015:01:02:19 +0200] - slapd started. Listening on All
>>>> Interfaces port
>>>> 389 for LDAP requests
>>>> [11/Dec/2015:01:02:19 +0200] - Listening on All Interfaces port 636 for
>>>> LDAPS requests
>>>> [11/Dec/2015:01:02:19 +0200] - Listening on
>>>> /var/run/slapd-PLANWEE-LOCAL.socket
>>>> for LDAPI requests
>>>> [11/Dec/2015:01:02:19 +0200] slapd_ldap_sasl_interactive_bind - Error:
>>>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
>>>> -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint
>>>> is not
>>>> connected)
>>>> [11/Dec/2015:01:02:19 +0200] slapi_ldap_bind - Error: could not perform
>>>> interactive bind for id [] authentication mechanism [GSSAPI]: error -1
>>>> (Can't contact LDAP server)
>>>>
>>>> /var/log/pki/pki-tomcat/ca/debug
>>>> Internal Database Error encountered: Could not connect to LDAP server
>>>> host ipa1.backend.planwee.local port 636 Error
>>>> netscape.ldap.LDAPException: IO
>>>> Error creating JSS SSL Socket (-1)
>>>>
>>>> Environment:
>>>> CentOS 7
>>>> IPA 4.1
>>>>
>>>> The problem looks the same as this:
>>>> https://access.redhat.com/solutions/2022123
>>>>
>>>> Unfortunately I cannot view resolution.
>>>>
>>>> is this related to expired CA certificates?
>>>
>>> If you have expired certificates (you can check with "# getcert list |
>>> grep expires"), it could cause issues like that also.
>>>
>>> The article you are referring to is rather around wrong CA certificate
>>> trust attributes in /var/lib/pki/pki-tomcat/alias/ or
>>> /etc/dirsrv/slapd-EXAMPLE-COM/ NSS databases.
>>>
>>> You can check that with
>>> # certutil -L -d /var/lib/pki/pki-tomcat/alias/
>>> # certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM/
>>>
>>> BTW, if you want to see the whole article or other articles from the
>>> large KB, I would suggest getting a subscription :-)
>>
>>
>


-- 
Jan Cholasta
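The renewal recipe above depends on two things you have to read out of `getcert list` by hand: which tracked certificates are already expired, and what the oldest expiry time is, so the clock can be set about a week before it. The following script is an added example (not part of this thread, not FreeIPA or certmonger code) that parses `getcert list` output, lists expired and stuck requests, and computes that clock target. The sample input is constructed from the output Jani quoted (fields re-joined onto single lines as certmonger actually prints them, PIN omitted); `DAYS_BEFORE_EXPIRY = 7` is an assumption taken from the "1-2 weeks" in Martin's recipe, and the `getcert` invocation in `__main__` is only used when the binary is present.

```python
import re
import shutil
import subprocess
from datetime import datetime, timedelta, timezone

# Assumption: one week before the oldest expiry, per the "1-2 weeks" in the thread.
DAYS_BEFORE_EXPIRY = 7

# Constructed sample input, abridged from the getcert output quoted in the thread.
SAMPLE_GETCERT_OUTPUT = """\
Request ID '20150814121606':
     status: CA_WORKING
     stuck: no
     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
     CA: dogtag-ipa-ca-renew-agent
     subject: CN=CA Audit,O=PLANWEE.LOCAL
     expires: 2015-09-29 20:22:26 UTC
     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
     track: yes
Request ID '20150814121614':
     status: CA_WORKING
     stuck: no
     subject: CN=OCSP Subsystem,O=PLANWEE.LOCAL
     expires: 2015-09-29 20:22:25 UTC
Request ID '20150814121618':
     status: CA_WORKING
     stuck: no
     subject: CN=CA Subsystem,O=PLANWEE.LOCAL
     expires: 2015-09-29 20:22:25 UTC
Request ID '20150814121621':
     status: CA_WORKING
     stuck: no
     subject: CN=IPA RA,O=PLANWEE.LOCAL
     expires: 2015-09-29 20:23:10 UTC
     pre-save command:
"""

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':")
# Field lines are indented; the value may itself contain colons (NSS locations, times).
FIELD_RE = re.compile(r"^\s+(?P<key>[^:]+):\s*(?P<value>.*)$")
TIME_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_getcert_list(text):
    """Turn `getcert list` output into a list of dicts, one per tracking request."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group("id")}
            requests.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group("key").strip()] = m.group("value").strip()
    return requests


def parse_timestamp(value):
    """certmonger prints times as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def check_tracking(text, now):
    """Report expired and stuck requests as of `now` (a string in certmonger's
    time format) and the clock setting DAYS_BEFORE_EXPIRY before the oldest
    expired certificate, or None when nothing has expired."""
    now_ts = parse_timestamp(now)
    requests = parse_getcert_list(text)
    expired = [r for r in requests
               if "expires" in r and parse_timestamp(r["expires"]) <= now_ts]
    clock_target = None
    if expired:
        oldest = min(parse_timestamp(r["expires"]) for r in expired)
        clock_target = (oldest - timedelta(days=DAYS_BEFORE_EXPIRY)).strftime(TIME_FMT)
    return {
        "tracked": len(requests),
        "expired": [(r["id"], r.get("subject", "?")) for r in expired],
        "stuck": [r["id"] for r in requests if r.get("stuck") == "yes"],
        "clock_target": clock_target,
    }


if __name__ == "__main__":
    if shutil.which("getcert"):
        text = subprocess.run(["getcert", "list"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_GETCERT_OUTPUT
    report = check_tracking(text, datetime.now(timezone.utc).strftime(TIME_FMT))
    print("tracked requests:", report["tracked"])
    for req_id, subject in report["expired"]:
        print("EXPIRED", req_id, subject)
    if report["stuck"]:
        print("stuck requests:", ", ".join(report["stuck"]))
    print("set clock to:", report["clock_target"] or "no expired certs, nothing to do")
```

Run it on the CA host before touching the clock; the `clock_target` it prints is the date for the "move system time" step, and the `expired` list is what to watch in `getcert list` after restarting certmonger. It reads the output only, so it is safe to run repeatedly while the renewal is in progress.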
