[Freeipa-users] Impossible to renew certificate. pki-tomcat issue

Bertrand Rétif bretif at phosphore.eu
Tue Nov 22 09:07:12 UTC 2016


----- Original Message -----

> From: "Bertrand Rétif" <bretif at phosphore.eu>
> To: freeipa-users at redhat.com
> Sent: Tuesday 25 October 2016 17:51:09
> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
>
> ----- Original Message -----
>
> > From: "Florence Blanc-Renaud" <flo at redhat.com>
> > To: "Bertrand Rétif" <bretif at phosphore.eu>, freeipa-users at redhat.com
> > Sent: Thursday 20 October 2016 18:45:21
> > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> >
> > On 10/19/2016 08:18 PM, Bertrand Rétif wrote:
> > > From: "Bertrand Rétif" <bretif at phosphore.eu>
> > > To: freeipa-users at redhat.com
> > > Sent: Wednesday 19 October 2016 15:42:07
> > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > >
> > > ------------------------------------------------------------------------
> > >
> > > From: "Rob Crittenden" <rcritten at redhat.com>
> > > To: "Bertrand Rétif" <bretif at phosphore.eu>, freeipa-users at redhat.com
> > > Sent: Wednesday 19 October 2016 15:30:14
> > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > >
> > > Bertrand Rétif wrote:
> > > >> From: "Martin Babinsky" <mbabinsk at redhat.com>
> > > >> To: freeipa-users at redhat.com
> > > >> Sent: Wednesday 19 October 2016 08:45:49
> > > >> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > >
> > > >> On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
> > > >>> Hello,
> > > >>>
> > > >>> I had an issue with pki-tomcat.
> > > >>> I had several certificates that were expired and pki-tomcat did not start
> > > >>> anymore.
> > > >>>
> > > >>> I set the date on the server before certificate expiration and then
> > > >>> pki-tomcat starts properly.
> > > >>> Then I try to resubmit the certificate, but I get below error:
> > > >>> "Profile caServerCert Not Found"
> > > >>>
> > > >>> Do you have any idea how I could fix this issue.
> > > >>>
> > > >>> Please find below output of commands:
> > > >>>
> > > >>> # getcert resubmit -i 20160108170324
> > > >>>
> > > >>> # getcert list -i 20160108170324
> > > >>> Number of certificates and requests being tracked: 7.
> > > >>> Request ID '20160108170324':
> > > >>> status: MONITORING
> > > >>> ca-error: Server at "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied: Profile caServerCert Not Found
> > > >>> stuck: no
> > > >>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > >>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> > > >>> CA: dogtag-ipa-ca-renew-agent
> > > >>> issuer: CN=Certificate Authority,O=A.SKINFRA.EU
> > > >>> subject: CN=IPA RA,O=A.SKINFRA.EU
> > > >>> expires: 2016-06-28 15:25:11 UTC
> > > >>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > >>> eku: id-kp-serverAuth,id-kp-clientAuth
> > > >>> pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
> > > >>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> > > >>> track: yes
> > > >>> auto-renew: yes
> > > >>>
> > > >>> Thanks in advance for your help.
> > > >>> Bertrand
> > > >>>
> > > >
> > > >> Hi Bertrand,
> > > >
> > > >> what version of FreeIPA and Dogtag are you running?
> > > >
> > > >> Also perform the following search on the IPA master and post the result:
> > > >
> > > >> """
> > > >> ldapsearch -D "cn=Directory Manager" -W -b 'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)'
> > > >> """
> > > >
> > > > Hi Martin,
> > > >
> > > > Thanks for your reply.
> > > >
> > > > Here is the version:
> > > > - FreeIPA 4.2.0
> > > > - CentOS 7.2
> > > >
> > > > I have been able to fix the issue with "Profile caServerCert Not Found" by editing /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
> > > > I replaced the below entry
> > > > "subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem"
> > > > by
> > > > "subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem"
> > > >
> > > > and then launched the "ipa-server-upgrade" command
> > > > I found this solution in this post:
> > > > http://osdir.com/ml/freeipa-users/2016-03/msg00280.html
> > > >
> > > > Then I was able to renew my certificate.
> > > >
> > > > However I rebooted my server too and pki-tomcat does not start and
> > > > gives a new error in /var/log/pki/pki-tomcat/ca/debug
> > > >
> > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca
> > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification
> > > >
> > > > java.lang.Exception: SystemCertsVerification: system certs verification failure
> > > > at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198)
> > > > at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861)
> > > > at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797)
> > > > at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1701)
> > > > at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1148)
> > > > at com.netscape.certsrv.apps.CMS.startup(CMS.java:200)
> > > > at com.netscape.certsrv.apps.CMS.start(CMS.java:1602)
> > > > at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
> > > > at javax.servlet.GenericServlet.init(GenericServlet.java:158)
> > > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> > > > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > > at java.lang.reflect.Method.invoke(Method.java:606)
> > > > at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
> > > > at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
> > > > at java.security.AccessController.doPrivileged(Native Method)
> > > > at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
> > > > at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
> > > > at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
> > > > at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
> > > > at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
> > > > at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
> > > > at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
> > > > at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
> > > > at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
> > > > at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> > > > at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
> > > > at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
> > > > at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
> > > > at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
> > > > at java.security.AccessController.doPrivileged(Native Method)
> > > > at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
> > > > at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
> > > > at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
> > > > at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
> > > > at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
> > > > at java.util.concurrent.FutureTask.run(FutureTask.java:262)
> > > > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> > > > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> > > > at java.lang.Thread.run(Thread.java:745)
> > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)
> > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: CMSEngine.shutdown()
> > > >
> > > > I am currently stuck here.
> > > > Thanks a lot for your help.
> > >
> > > I'm guessing at least one of the CA subsystem certificates are still
> > > expired. Look at the "getcert list" output to see if there are any
> > > expired certificates.
> > >
> > > rob
> > >
> > > >
> > > > Bertrand
> > > >
> > >
> > > Hello Rob,
> > >
> > > I checked on my 2 servers and no certificate is expired
> > >
> > > [root at sdkipa03 ~]# getcert list |grep expire
> > > expires: 2018-06-22 22:02:26 UTC
> > > expires: 2018-06-22 22:02:47 UTC
> > > expires: 2034-07-09 15:24:34 UTC
> > > expires: 2016-10-30 13:35:29 UTC
> > >
> > > [root at sdkipa01 conf]# getcert list |grep expire
> > > expires: 2018-06-12 23:38:01 UTC
> > > expires: 2018-06-12 23:37:41 UTC
> > > expires: 2018-06-11 22:53:57 UTC
> > > expires: 2018-06-11 22:55:50 UTC
> > > expires: 2018-06-11 22:57:47 UTC
> > > expires: 2034-07-09 15:24:34 UTC
> > > expires: 2018-06-11 22:59:55 UTC
> > >
> > > I see that one certificate is in status: CA_UNREACHABLE, maybe I
> > > rebooted my server too soon...
> > >
> > > I continue to investigate
> > >
> > > Thanks for your help.
> > > Bertrand
> > >
> > > I fixed my previous issue.
> > > Now I have an issue with a server.
> > > This server can not start pki-tomcatd, I get this error in debug file:
> > > "Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)"
> > >
> > > After investigation I see that I do not have the "ipaCert" certificate in
> > > "/etc/httpd/alias"
> > > cf below command:
> > >
> > > [root at sdkipa03 ~]# getcert list -d /etc/httpd/alias
> > > Number of certificates and requests being tracked: 4.
> > > Request ID '20141110133632':
> > > status: MONITORING
> > > stuck: no
> > > key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> > > CA: IPA
> > > issuer: CN=Certificate Authority,O=A.SKINFRA.EU
> > > subject: CN=sdkipa03.skinfra.eu,O=A.SKINFRA.EU
> > > expires: 2018-06-22 22:02:47 UTC
> > > principal name: HTTP/sdkipa03.skinfra.eu at A.SKINFRA.EU
> > > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > pre-save command:
> > > post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> > > track: yes
> > > auto-renew: yes
> > >
> > > How can I add the certificate to /etc/httpd/alias?
> > >
> > Hi,
> >
> > for the record, the command getcert list that you supplied shows the
> > certificates in /etc/httpd/alias that are tracked by certmonger. If you
> > want to display all the certificates contained in /etc/httpd/alias
> > (whether tracked or not), then you may want to use certutil -L -d
> > /etc/httpd/alias instead.
> >
> > If ipaCert is missing, you can export ipaCert certificate from another
> > master, then import it to your server.
> >
> > On a master containing the cert:
> > # certutil -d /etc/httpd/alias -L -n 'ipaCert' -a > /tmp/newRAcert.crt
> >
> > Then copy the file /tmp/newRAcert.crt to your server and import the cert:
> > # certutil -d /etc/httpd/alias -A -n 'ipaCert' -a -i /tmp/newRAcert.crt -t u,u,u
> >
> > And finally you need to tell certmonger to monitor the cert using
> > getcert start-tracking.
> >
> > Hope this helps,
> > Flo.
> >
> > > Thanks for your support.
> > > Regards
> > > Bertrand
> > >
>
> Hi,
>
> Florence, thanks for your help.
> I was able to import correctly ipaCert with your commands.
> Now it seems that I also have an issue on one server with "subsystemCert
> cert-pki-ca" in /etc/pki/pki-tomcat/alias as I get below error when
> pki-tomcat tries to start
>
> LdapJssSSLSocket set client auth cert nickname subsystemCert cert-pki-ca
> Could not connect to LDAP server host sdkipa03.XX.YY port 636 Error
> netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>
> Is there a way to restore a correct "subsystemCert cert-pki-ca"?
>
> Regards
> Bertrand

Hello,

I am still stuck with my IPA server.
I have issues on both servers.
On server1, below certificate is not renewed properly
certutil -L -d /etc/httpd/alias/ -n "ipaCert"

and on server 2 it is this certificate:
certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "Server-Cert cert-pki-ca"

Could you provide me with the correct syntax for the start-tracking command.
I tried to launch this command but my certificate remains in "NEWLY_ADDED_NEED_KEYINFO_READ_PIN" state.
Here is the command I use:
getcert start-tracking -c dogtag-ipa-retrieve-agent-submit -d /var/lib/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca' -B /usr/lib64/ipa/certmonger/stop_pkicad -C '/usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"' -T "Server-Cert cert-pki-ca" -P '20160614000000'

Thanks in advance for your help.

Regards
Bertrand
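Rob's advice in the thread is to read the `getcert list` output for expired certificates, and the later symptoms (a `ca-error` returned by the CA, a request that stays in NEWLY_ADDED_NEED_KEYINFO_READ_PIN) are visible in the same output. The script below is an added triage example, not part of the thread and not FreeIPA or certmonger code; it parses a constructed sample of `getcert list` output (placeholder host and realm names) and lists every request that is expired, not in MONITORING state, or carrying a ca-error, given a reference time in certmonger's own timestamp format.

```python
import re
from datetime import datetime

# Constructed sample modelled on the getcert output quoted in this thread
# (only the fields the triage reads; host and realm names are placeholders).
SAMPLE_GETCERT_OUTPUT = """\
Request ID '20160108170324':
    status: MONITORING
    ca-error: Server at "http://ipa1.example.test:8080/ca/ee/ca/profileSubmit" replied: Profile caServerCert Not Found
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    expires: 2016-06-28 15:25:11 UTC
Request ID '20141110133632':
    status: MONITORING
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2018-06-22 22:02:47 UTC
Request ID '20161122090000':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    key pair storage: type=NSSDB,location='/var/lib/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    expires: 2016-10-30 13:35:29 UTC
"""


def parse_getcert_list(text):
    """One {field: value} dict per 'Request ID' block, keyed by field name."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            entries.append({"id": m.group(1)})
        elif entries and ":" in line:   # "field: value" lines under a request
            key, _, value = line.strip().partition(":")
            entries[-1][key.strip()] = value.strip()
    return entries


def parse_utc(stamp):
    """certmonger prints 'YYYY-MM-DD HH:MM:SS UTC'; drop the zone suffix."""
    return datetime.strptime(stamp[:19], "%Y-%m-%d %H:%M:%S")


def find_problems(text, now_utc):
    """(request id, nickname, reason) for each request that is not MONITORING, has a ca-error, or is expired."""
    problems = []
    for e in parse_getcert_list(text):
        m = re.search(r"nickname='([^']+)'", e.get("key pair storage", ""))
        nick = m.group(1) if m else "?"
        if e.get("status") != "MONITORING":
            problems.append((e["id"], nick, "status " + e.get("status", "?")))
        if "ca-error" in e:
            problems.append((e["id"], nick, "ca-error: " + e["ca-error"]))
        if "expires" in e and parse_utc(e["expires"]) <= parse_utc(now_utc):
            problems.append((e["id"], nick, "expired " + e["expires"]))
    return problems
```

On a real master the same function can be fed the output of `getcert list` directly, since the field layout is the one certmonger prints.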