[Freeipa-users] Stuck at CA_UNREACHABLE and NEED_CSR_GEN_PIN
Adam Kaczka
akaczka86 at gmail.com
Mon May 16 15:45:27 UTC 2016
Certmonger cannot communicate with the CA; the result of `getcert list` shows:
RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
After setting time back, from /var/log/pki-ca/debug I get:
[30/Dec/2015:08:10:25][main]: CMS:Caught EBaseException
Certificate object not found
at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1205)
at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4425)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4738)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
at org.apache.catalina.core.StandardService.start(StandardService.java:516)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
[30/Dec/2015:08:10:25][main]: CMSEngine.shutdown()
[30/Dec/2015:08:10:32][http-9180-1]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
[30/Dec/2015:08:10:32][http-9180-1]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
[30/Dec/2015:08:10:33][TP-Processor2]: according to ccMode, authorization for servlet: caDisplayBySerial is LDAP based, not XML {1}, use default authz mgr: {2}.
[30/Dec/2015:08:10:33][TP-Processor3]: according to ccMode, authorization for servlet: caDisplayBySerial is LDAP based, not XML {1}, use default authz mgr: {2}.
On Mon, May 16, 2016 at 6:28 AM, Petr Vobornik <pvoborni at redhat.com> wrote:
> On 05/14/2016 12:01 AM, Adam Kaczka wrote:
> > Hi all,
> >
> > I have inherited an IPA system that has an expired cert and the old admins have
> > left; I followed (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but
> > ran into errors when I try to renew the CA certs even after time is reset.
> > Also tried the troubleshooting under
> > (http://www.freeipa.org/page/Troubleshooting#Authentication_Errors);
> > specifically using "certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt"
> > to add the cert in the database.
> >
> > From the output of getcert list, I see both CA_UNREACHABLE and
> > NEED_CSR_GEN_PIN. I followed the Red Hat article here
> > (https://access.redhat.com/solutions/1142913) which verified the key file password
> > is correct and I have reset time. However the NEED_CSR_GEN_PIN status remains.
> > My company actually has Red Hat support but whoever built this IPA
> > was using CentOS 6 so I am out of luck here.
> >
> > I would really appreciate any help since I am stuck at this point. What
> > else can I do at this point? e.g. Is generating a new CA cert necessary, etc.?
>
> Hi,
>
> you don't need to renew CA cert, it seems to be valid. But your server
> cert is expired. It expired on 2016-03-29.
>
> 1. Move the date back before this date, e.g., 2016-03-27.
> 2. Verify that IPA is running (`ipactl status`). Maybe a restart will be needed.
> 3. Run `getcert list` to see if certmonger can communicate with the CA.
> 4. If certmonger doesn't renew the certs automatically, run `getcert resubmit -i $certid` for the expired cert.
>
> >
> > Version:
> > ipa-pki-ca-theme.noarch        9.0.3-7.el6               @base
> > ipa-pki-common-theme.noarch    9.0.3-7.el6               @base
> > ipa-pmincho-fonts.noarch       003.02-3.1.el6            @base
> > ipa-python.x86_64              3.0.0-47.el6.centos.2     @updates
> > ipa-server.x86_64              3.0.0-47.el6.centos.2     @updates
> > ipa-server-selinux.x86_64      3.0.0-47.el6.centos.2     @updates
> >
> > Part of the error logs from /var/log/pki-ca/debug after I reset the clock; I see these
> > errors which I think are relevant:
> > [27/Dec/2015:14:12:01][main]: SigningUnit init: debug
> > org.mozilla.jss.crypto.ObjectNotFoundException
> > Certificate object not found
> > [27/Dec/2015:14:12:01][main]: CMS:Caught EBaseException
> > Certificate object not found
> > [27/Dec/2015:14:12:01][main]: CMSEngine.shutdown()
> >
> > Result seems to show key file password is correct:
> > certutil -K -d /etc/dirsrv/slapd-REALM-NET/ -f /etc/dirsrv/slapd-REALM-NET/pwdfile.txt
> > certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> > < 0> rsa ############################ NSS Certificate DB:Server-Cert
> >
> >
> > certutil -L -d /var/lib/pki-ca/alias
> >
> > Certificate Nickname                        Trust Attributes
> >                                             SSL,S/MIME,JAR/XPI
> >
> > ocspSigningCert cert-pki-ca                 u,u,u
> > subsystemCert cert-pki-ca                   u,u,u
> > Server-Cert cert-pki-ca                     u,u,u
> > auditSigningCert cert-pki-ca                u,u,Pu
> > caSigningCert cert-pki-ca                   CTu,Cu,Cu
> >
> >
> > certutil -L -d /etc/httpd/alias
> >
> > Certificate Nickname                        Trust Attributes
> >                                             SSL,S/MIME,JAR/XPI
> >
> > Server-Cert                                 u,u,u
> > ipaCert                                     u,u,u
> > REALM.COM IPA CA                            CT,C,
> >
> >
> > certutil -L -d /etc/dirsrv/slapd-REALM-COM
> >
> > Certificate Nickname                        Trust Attributes
> >                                             SSL,S/MIME,JAR/XPI
> >
> > Server-Cert                                 u,u,u
> > REALM.COM IPA CA                            CT,C,C
> >
> >
> > Output of getcert list:
> >
> > Number of certificates and requests being tracked: 7.
> > Request ID '21135214223243':
> >   status: CA_UNREACHABLE
> >   ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
> >   stuck: no
> >   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-example-NET//pwdfile.txt'
> >   certificate: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB'
> >   CA: IPA
> >   issuer: CN=Certificate Authority,O=example.NET
> >   subject: CN=host.example.net,O=example.NET
> >   expires: 2016-03-29 14:09:46 UTC
> >   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >   eku: id-kp-serverAuth
> >   pre-save command:
> >   post-save command:
> >   track: yes
> >   auto-renew: yes
> > Request ID '21135214223300':
> >   status: CA_UNREACHABLE
> >   ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
> >   stuck: no
> >   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> >   certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> >   CA: IPA
> >   issuer: CN=Certificate Authority,O=example.NET
> >   subject: CN=host.example.net,O=example.NET
> >   expires: 2016-03-29 14:09:45 UTC
> >   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >   eku: id-kp-serverAuth
> >   pre-save command:
> >   post-save command:
> >   track: yes
> >   auto-renew: yes
> > Request ID '20130519130741':
> >   status: NEED_CSR_GEN_PIN
> >   ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=auditSigningCert+cert-pki-ca&serial_num=61&renewal=true&xml=true".
> >   stuck: yes
> >   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> >   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> >   CA: dogtag-ipa-renew-agent
> >   issuer: CN=Certificate Authority,O=example.NET
> >   subject: CN=CA Audit,O=example.NET
> >   expires: 2017-10-13 14:10:49 UTC
> >   key usage: digitalSignature,nonRepudiation
> >   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
> >   track: yes
> >   auto-renew: yes
> > Request ID '20130519130742':
> >   status: NEED_CSR_GEN_PIN
> >   ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
> >   stuck: yes
> >   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> >   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> >   CA: dogtag-ipa-renew-agent
> >   issuer: CN=Certificate Authority,O=example.NET
> >   subject: CN=OCSP Subsystem,O=example.NET
> >   expires: 2017-10-13 14:09:49 UTC
> >   eku: id-kp-OCSPSigning
> >   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
> >   track: yes
> >   auto-renew: yes
> > Request ID '20130519130743':
> >   status: NEED_CSR_GEN_PIN
> >   ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
> >   stuck: yes
> >   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
> >   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> >   CA: dogtag-ipa-renew-agent
> >   issuer: CN=Certificate Authority,O=example.NET
> >   subject: CN=CA Subsystem,O=example.NET
> >   expires: 2017-10-13 14:09:49 UTC
> >   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >   eku: id-kp-serverAuth,id-kp-clientAuth
> >   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> >   track: yes
> >   auto-renew: yes
> > Request ID '20130519130744':
> >   status: MONITORING
> >   ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
> >   stuck: no
> >   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> >   CA: dogtag-ipa-renew-agent
> >   issuer: CN=Certificate Authority,O=example.NET
> >   subject: CN=RA Subsystem,O=example.NET
> >   expires: 2017-10-13 14:09:49 UTC
> >   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >   eku: id-kp-serverAuth,id-kp-clientAuth
> >   pre-save command:
> >   post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> >   track: yes
> >   auto-renew: yes
> > Request ID '20130519130745':
> >   status: NEED_CSR_GEN_PIN
> >   ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
> >   stuck: yes
> >   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
> >   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> >   CA: dogtag-ipa-renew-agent
> >   issuer: CN=Certificate Authority,O=example.NET
> >   subject: CN=host.example.net,O=example.NET
> >   expires: 2017-10-13 14:09:49 UTC
> >   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >   eku: id-kp-serverAuth,id-kp-clientAuth
> >   pre-save command:
> >   post-save command:
> >   track: yes
> >   auto-renew: yes
> >
> >
> > Regards, Adam
> >
> >
> >
>
>
> --
> Petr Vobornik
>
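The triage Petr's four steps imply (find the requests that are not simply MONITORING, find the earliest expiry, pick a clock date before it, then resubmit) can be scripted. The following is an added example, not code from the thread or from FreeIPA; the `getcert list` sample it parses is constructed for the example (hostname ipa.example.test and the NSS DB paths are made up), and the one-line advice per status is this editor's summary of what the thread says about each state, not certmonger's own documentation.

```shell
#!/bin/sh
# Added example: triage a `getcert list` dump before attempting a renewal.
# The sample below is constructed for this example (hostname and paths are
# invented, fields trimmed to those parsed here); it is not output from the thread.
sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '21135214223243':
    status: CA_UNREACHABLE
    ca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-TEST/pwdfile.txt'
    expires: 2016-03-29 14:09:46 UTC
Request ID '20130519130741':
    status: NEED_CSR_GEN_PIN
    ca-error: Internal error: no response to "http://ipa.example.test:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
    stuck: yes
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    expires: 2017-10-13 14:10:49 UTC
Request ID '20130519130744':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    expires: 2017-10-13 14:09:49 UTC
EOF
}

# Print "REQUEST_ID<TAB>STATUS" for every tracked request not in the healthy MONITORING state.
unhealthy_requests() {
    awk '
        /^Request ID/   { gsub(/[^0-9]/, "", $3); id = $3 }
        $1 == "status:" { if ($2 != "MONITORING") printf "%s\t%s\n", id, $2 }
    '
}

# Print the earliest "expires:" timestamp; certmonger prints ISO dates, so a string compare orders them.
earliest_expiry() {
    awk '$1 == "expires:" { d = $2 " " $3; if (min == "" || d < min) min = d } END { print min }'
}

# Shift a YYYY-MM-DD date by N days with plain calendar arithmetic (no GNU `date -d` needed),
# using proleptic Gregorian day-count formulas, so leap days are handled correctly.
shift_date() {
    echo "$1" | awk -v n="$2" -F '-' '
    function days_from_civil(y, m, d,    era, yoe, doy, doe) {
        if (m <= 2) y--
        era = int(y / 400); yoe = y - era * 400
        doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    function civil_from_days(z,    era, doe, yoe, y, doy, mp, d, m) {
        z += 719468
        era = int(z / 146097); doe = z - era * 146097
        yoe = int((doe - int(doe / 1460) + int(doe / 36524) - int(doe / 146096)) / 365)
        y = yoe + era * 400
        doy = doe - (365 * yoe + int(yoe / 4) - int(yoe / 100))
        mp = int((5 * doy + 2) / 153)
        d = doy - int((153 * mp + 2) / 5) + 1
        m = mp < 10 ? mp + 3 : mp - 9
        if (m <= 2) y++
        return sprintf("%04d-%02d-%02d", y, m, d)
    }
    { print civil_from_days(days_from_civil($1 + 0, $2 + 0, $3 + 0) + n) }'
}

# Two days before the earliest expiry: the date to set the clock to before retrying renewal.
suggested_clock_date() {
    exp=$(sample_getcert_list | earliest_expiry | cut -d' ' -f1)
    shift_date "$exp" -2
}

# What each unhealthy state meant in this thread, and the first thing to check (editor's summary).
advice_for() {
    case "$1" in
        CA_UNREACHABLE)   echo "IPA could not reach the CA (pki-ca); check 'ipactl status' and restart if needed" ;;
        NEED_CSR_GEN_PIN) echo "certmonger cannot open the key with the stored PIN; verify the NSS DB password" ;;
        *)                echo "see 'getcert list -i <id>' for details" ;;
    esac
}

triage() {
    sample_getcert_list | unhealthy_requests | while IFS="$(printf '\t')" read -r id status; do
        echo "$id [$status]: $(advice_for "$status")"
    done
    echo "earliest expiry $(sample_getcert_list | earliest_expiry) UTC; set the clock to $(suggested_clock_date), then 'getcert resubmit -i <id>' for the expired cert"
}

triage
```

On a real server, replace `sample_getcert_list` with `getcert list` itself; the parsing relies only on the `Request ID`, `status:` and `expires:` lines, which certmonger prints in the same shape as in the thread.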