[Freeipa-users] Stuck at CA_UNREACHABLE and NEED_CSR_GEN_PIN
Rob Crittenden
rcritten at redhat.com
Tue May 17 14:18:54 UTC 2016
Adam Kaczka wrote:
> I found from [root at host pki-ca]# tail -n 100 /var/log/pki-ca/system that
> CA chain is missing; so I am thinking I may have to use
> `ipa-server-certinstall` to reinstall the two certs.
I really doubt it. I'm not sure what can't be found, maybe one of the
dogtag devs has an idea.
>
> 5135.main - [27/Jan/2016:14:10:14 EST] [3] [3] CASigningUnit: Object
> certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
> 2003.main - [27/Jan/2016:14:35:33 EST] [3] [3] CASigningUnit: Object
> certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
> 2003.TP-Processor3 - [27/Jan/2016:14:35:40 EST] [20] [3] Servlet
> caDisplayBySerial: The CA chain is missing or could not be obtained from
> the remote Certificate Manager or Registr
> ation Manager. The remote server could be down.
> 2003.TP-Processor2 - [27/Jan/2016:14:35:40 EST] [20] [3] Servlet
> caDisplayBySerial: The CA chain is missing or could not be obtained from
> the remote Certificate Manager or Registr
> ation Manager. The remote server could be down.
> 2000.main - [28/Jan/2016:07:43:00 EST] [3] [3] CASigningUnit: Object
> certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
> 2000.TP-Processor2 - [28/Jan/2016:07:43:07 EST] [20] [3] Servlet
> caDisplayBySerial: The CA chain is missing or could not be obtained from
> the remote Certificate Manager or Registr
> ation Manager. The remote server could be down.
> 2000.TP-Processor3 - [28/Jan/2016:07:43:07 EST] [20] [3] Servlet
> caDisplayBySerial: The CA chain is missing or could not be obtained from
> the remote Certificate Manager or Registr
> ation Manager. The remote server could be down.
> 2085.main - [03/Feb/2016:08:57:05 EST] [3] [3] CASigningUnit: Object
> certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
> 2085.TP-Processor2 - [27/Jan/2016:14:05:03 EST] [20] [3] Servlet
> caDisplayBySerial: The CA chain is missing or could not be obtained from
> the remote Certificate Manager or Registr
> ation Manager. The remote server could be down.
>
>
> On Mon, May 16, 2016 at 11:45 AM, Adam Kaczka <akaczka86 at gmail.com> wrote:
>
> Certmonger cannot communicate with CA; the result of getlist cert shows:
>
> RPC failed at server. Certificate operation cannot be completed:
> Unable to communicate with CMS (Not Found)
>
> After setting time back, from /var/log/pki-ca/debug I get:
>
> [30/Dec/2015:08:10:25][main]: CMS:Caught EBaseException
> Certificate object not found
> at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
> at
> com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1205)
> at
> com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
> at
> com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
> at
> com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
> at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
> at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
> at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
> at
> com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
> at
> org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
> at
> org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
> at
> org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4425)
> at
> org.apache.catalina.core.StandardContext.start(StandardContext.java:4738)
> at
> org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
> at
> org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
> at
> org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
> at
> org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
> at
> org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
> at
> org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
> at
> org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
> at
> org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
> at
> org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
> at
> org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
> at
> org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
> at
> org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
> at
> org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
> at
> org.apache.catalina.core.StandardService.start(StandardService.java:516)
> at
> org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
> at
> org.apache.catalina.startup.Catalina.start(Catalina.java:593)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:606)
> at
> org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
> at
> org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
> [30/Dec/2015:08:10:25][main]: CMSEngine.shutdown()
> [30/Dec/2015:08:10:32][http-9180-1]: according to ccMode,
> authorization for servlet: caProfileSubmit is LDAP based, not XML
> {1}, use default authz mgr: {2}.
> [30/Dec/2015:08:10:32][http-9180-1]: according to ccMode,
> authorization for servlet: caProfileSubmit is LDAP based, not XML
> {1}, use default authz mgr: {2}.
> [30/Dec/2015:08:10:33][TP-Processor2]: according to ccMode,
> authorization for servlet: caDisplayBySerial is LDAP based, not XML
> {1}, use default authz mgr: {2}.
> [30/Dec/2015:08:10:33][TP-Processor3]: according to ccMode,
> authorization for servlet: caDisplayBySerial is LDAP based, not XML
> {1}, use default authz mgr: {2}.
>
>
> On Mon, May 16, 2016 at 6:28 AM, Petr Vobornik <pvoborni at redhat.com> wrote:
>
> On 05/14/2016 12:01 AM, Adam Kaczka wrote:
> > Hi all,
> >
> > I have inherited a IPA system that has an expired cert and the old admins have
> > left; I followed (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but
> > running into errors when I try to renew the CA certs even after time is reset.
> > Also tried the troubleshooting under
> > (http://www.freeipa.org/page/Troubleshooting#Authentication_Errors);
> > specifically using "certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt"
> > to add the cert in the database.
> >
> > From the output of getcert list, I see both CA_UNREACHABLE and
> > NEED_CSR_GEN_PIN. I followed redhat article here
> > (https://access.redhat.com/solutions/1142913) which verified key
> file password
> > is correct and I have reset time. However the NEED_CSR_GEN_PIN status remains.
> > My company actually has redhat support but when they built this IPA whoever
> > built it was using Centos 6 so I am out of luck here.
> >
> > Would really appreciate any help since I am stuck at this point? What else I
> > can do at this point? e.g. Is generate a new CA cert necessary, etc.?
>
> Hi,
>
> you don't need to renew CA cert, it seems to be valid. But your
> server
> cert is expired. It expired on 2016-03-29.
>
> 1. Move date back before this date, e.g., 2016-03-27.
> 2. Verify that IPA is running `ipactl status`. Maybe restart
> will be needed.
> 3. run `getcert list` to see if certmonger can communicate with CA
> 4. if certmonger doesn't renew the certs automatically, run `getcert
> resubmit -i $certid` for the expired cert.
>
> >
> > Version:
> > ipa-pki-ca-theme.noarch 9.0.3-7.el6
> @base
> > ipa-pki-common-theme.noarch 9.0.3-7.el6
> @base
> > ipa-pmincho-fonts.noarch 003.02-3.1.el6
> @base
> > ipa-python.x86_64 3.0.0-47.el6.centos.2
> @updates
> > ipa-server.x86_64 3.0.0-47.el6.centos.2
> @updates
> > ipa-server-selinux.x86_64 3.0.0-47.el6.centos.2
> @updates
> >
> > Part of error logs from /var/log/pki-ca/debug after I reset
> clock; I see these
> > errors which I think is relevlant?:
> > [27/Dec/2015:14:12:01][main]: SigningUnit init: debug
> > org.mozilla.jss.crypto.ObjectNotFoundException
> > Certificate object not found
> > [27/Dec/2015:14:12:01][main]: CMS:Caught EBaseException
> > Certificate object not found
> > [27/Dec/2015:14:12:01][main]: CMSEngine.shutdown()
> >
> > Result seems to show key file password is correct:
> > certutil -K -d /etc/dirsrv/slapd-REALM-NET/ -f
> > /etc/dirsrv/slapd-REALM-NET/pwdfile.txt
> > certutil: Checking token "NSS Certificate DB" in slot "NSS
> User Private Key and
> > Certificate Services"
> > < 0> rsa ############################ NSS Certificate
> DB:Server-Cert
> >
> >
> > certutil -L -d /var/lib/pki-ca/alias
> >
> > Certificate Nickname
> Trust Attributes
> >
> SSL,S/MIME,JAR/XPI
> >
> > ocspSigningCert cert-pki-ca
> u,u,u
> > subsystemCert cert-pki-ca
> u,u,u
> > Server-Cert cert-pki-ca
> u,u,u
> > auditSigningCert cert-pki-ca
> u,u,Pu
> > caSigningCert cert-pki-ca
> CTu,Cu,Cu
> >
> >
> > certutil -L -d /etc/httpd/alias
> >
> > Certificate Nickname
> Trust Attributes
> >
> SSL,S/MIME,JAR/XPI
> >
> > Server-Cert
> u,u,u
> > ipaCert
> u,u,u
> > REALM.COM IPA CA
> CT,C,
> >
> >
> > certutil -L -d /etc/dirsrv/slapd-REALM-COM
> >
> > Certificate Nickname Trust Attributes
> > SSL,S/MIME,JAR/XPI
> >
> > Server-Cert u,u,u
> > REALM.COM IPA CA
> CT,C,C
> >
> >
> > Output of getcert list:
> >
> > Number of certificates and requests being tracked: 7.
> > Request ID '21135214223243':
> > status: CA_UNREACHABLE
> > ca-error: Server at https://host.example.net/ipa/xml failed request,
> > will retry: 4301 (RPC failed at server. Certificate oper
> > ation cannot be completed: Unable to communicate with CMS (Not Found)).
> > stuck: no
> > key pair storage:
> > type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS
> > Certificate DB',pinfil
> > e='/etc/dirsrv/slapd-example-NET//pwdfile.txt'
> > certificate:
> > type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS
> > Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=example.NET
> > subject: CN=host.example.net,O=example.NET
> > expires: 2016-03-29 14:09:46 UTC
> > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
> > Request ID '21135214223300':
> > status: CA_UNREACHABLE
> > ca-error: Server at https://host.example.net/ipa/xml failed request,
> > will retry: 4301 (RPC failed at server. Certificate oper
> > ation cannot be completed: Unable to communicate with CMS (Not Found)).
> > stuck: no
> > key pair storage:
> > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate
> > DB',pinfile='
> > /etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> > certificate:
> > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate
> > DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=example.NET
> > subject: CN=host.example.net,O=example.NET
> > expires: 2016-03-29 14:09:45 UTC
> > key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
> > Request ID '20130519130741':
> > status: NEED_CSR_GEN_PIN
> > ca-error: Internal error: no response to
> >
> "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=auditSigningCert+cert-
> > pki-ca&serial_num=61&renewal=true&xml=true".
> > stuck: yes
> > key pair storage:
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> > cert-pki-ca',token='NSS Certificate
> > DB',pin set
> > certificate:
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> > cert-pki-ca',token='NSS Certificate DB'
> > CA: dogtag-ipa-renew-agent
> > issuer: CN=Certificate Authority,O=example.NET
> > subject: CN=CA Audit,O=example.NET
> > expires: 2017-10-13 14:10:49 UTC
> > key usage: digitalSignature,nonRepudiation
> > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> > post-save command:
> /usr/lib64/ipa/certmonger/renew_ca_cert
> > "auditSigningCert cert-pki-ca"
> > track: yes
> > auto-renew: yes
> > Request ID '20130519130742':
> > status: NEED_CSR_GEN_PIN
> > ca-error: Internal error: no response to
> >
> "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu
> > m=60&renewal=true&xml=true".
> > stuck: yes
> > key pair storage:
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> > cert-pki-ca',token='NSS Certificate D
> > B',pin set
> > certificate:
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> > cert-pki-ca',token='NSS Certificate DB'
> > CA: dogtag-ipa-renew-agent
> > issuer: CN=Certificate Authority,O=example.NET
> > subject: CN=OCSP Subsystem,O=example.NET
> > expires: 2017-10-13 14:09:49 UTC
> > eku: id-kp-OCSPSigning
> > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> > post-save command:
> /usr/lib64/ipa/certmonger/renew_ca_cert
> > "ocspSigningCert cert-pki-ca"
> > track: yes
> > auto-renew: yes
> > Request ID '20130519130743':
> > status: NEED_CSR_GEN_PIN
> > ca-error: Internal error: no response to
> >
> "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu
> > m=62&renewal=true&xml=true".
> > stuck: yes
> > key pair storage:
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> > cert-pki-ca',token='NSS Certificate DB'
> > ,pin set
> > certificate:
> >
> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> > cert-pki-ca',token='NSS Certificate DB'
> > CA: dogtag-ipa-renew-agent
> > issuer: CN=Certificate Authority,O=example.NET
> > subject: CN=CA Subsystem,O=example.NET
> > expires: 2017-10-13 14:09:49 UTC
> > key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> > post-save command:
> /usr/lib64/ipa/certmonger/renew_ca_cert
> > "subsystemCert cert-pki-ca"
> > track: yes
> > auto-renew: yes
> > Request ID '20130519130744':
> > status: MONITORING
> > ca-error: Internal error: no response to
> >
> "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu
> > m=64&renewal=true&xml=true".
> > stuck: no
> > key pair storage:
> >
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate
> > DB',pinfile='/etc/httpd/al
> > ias/pwdfile.txt'
> > certificate:
> >
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB'
> > CA: dogtag-ipa-renew-agent
> > issuer: CN=Certificate Authority,O=example.NET
> > subject: CN=RA Subsystem,O=example.NET
> > expires: 2017-10-13 14:09:49 UTC
> > key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> > post-save command:
> /usr/lib64/ipa/certmonger/renew_ra_cert
> > track: yes
> > auto-renew: yes
> > Request ID '20130519130745':
> > status: NEED_CSR_GEN_PIN
> > ca-error: Internal error: no response to
> >
> "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu
> > m=63&renewal=true&xml=true".
> > stuck: yes
> > key pair storage:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> > cert-pki-ca',token='NSS Certificate DB',p
> > in set
> > certificate:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> > cert-pki-ca',token='NSS Certificate DB'
> > CA: dogtag-ipa-renew-agent
> > issuer: CN=Certificate Authority,O=example.NET
> > subject: CN=host.example.net,O=example.NET
> > expires: 2017-10-13 14:09:49 UTC
> > key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
> >
> >
> > Regards, Adam
> >
> >
> >
>
>
> --
> Petr Vobornik
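The triage Petr describes (find which tracked cert has actually expired, pick a date before it to roll the clock back to, and separate the requests stuck on CA_UNREACHABLE from those stuck on NEED_CSR_GEN_PIN) can be run over saved `getcert list` output. The script below is an added example, not code from the thread or from FreeIPA; it parses a constructed, abbreviated copy of the output shown above and assumes the field layout getcert printed there.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: three of the seven requests from the thread, abbreviated.
SAMPLE = """Request ID '21135214223243':
    status: CA_UNREACHABLE
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-example-NET//pwdfile.txt'
    expires: 2016-03-29 14:09:46 UTC
Request ID '20130519130741':
    status: NEED_CSR_GEN_PIN
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    expires: 2017-10-13 14:10:49 UTC
Request ID '20130519130744':
    status: MONITORING
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    expires: 2017-10-13 14:09:49 UTC
"""


def parse_getcert(text):
    """Split `getcert list` output into one dict of fields per tracked request."""
    reqs = []
    for line in text.splitlines():
        m = re.match(r"Request ID '(\d+)':", line)
        if m:
            reqs.append({"id": m.group(1)})
        elif reqs and ":" in line:
            key, _, val = line.strip().partition(":")
            reqs[-1][key.strip()] = val.strip()
    return reqs


def triage(text, today):
    """Classify requests as of `today` (YYYY-MM-DD); rollback_date is two days
    before the earliest expiry already reached (thread step 1), else None."""
    now = datetime.strptime(today, "%Y-%m-%d")
    out = {"expired": [], "unreachable": [], "need_pin": [], "rollback_date": None}
    expired_at = []
    for r in parse_getcert(text):
        exp = datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S %Z")
        if exp <= now:
            out["expired"].append(r["id"])
            expired_at.append(exp)
        if r["status"] == "CA_UNREACHABLE":
            out["unreachable"].append(r["id"])
        if r["status"] == "NEED_CSR_GEN_PIN":  # certmonger lacks the key PIN for the CSR
            out["need_pin"].append(r["id"])
    if expired_at:
        out["rollback_date"] = (min(expired_at) - timedelta(days=2)).strftime("%Y-%m-%d")
    return out
```

Run it with `triage(SAMPLE, "2016-05-14")` (the date of the original post) to get the rollback date 2016-03-27 that Petr suggests; the ids under need_pin are the ones to check against the key-PIN article before any resubmit.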