[Freeipa-users] Impossible to renew certificate. pki-tomcat issue

Florence Blanc-Renaud flo at redhat.com
Tue Nov 22 12:17:34 UTC 2016


On 11/22/2016 11:50 AM, Bertrand Rétif wrote:
>
>
>     *De: *"Florence Blanc-Renaud" <flo at redhat.com>
>     *À: *"Bertrand Rétif" <bretif at phosphore.eu>, freeipa-users at redhat.com
>     *Envoyé: *Mardi 22 Novembre 2016 11:33:45
>     *Objet: *Re: [Freeipa-users] Impossible to renew certificate.
>     pki-tomcat issue
>
>     On 11/22/2016 10:07 AM, Bertrand Rétif wrote:
>     >
>     ------------------------------------------------------------------------
>     >
>     >     *De: *"Bertrand Rétif" <bretif at phosphore.eu>
>     >     *À: *freeipa-users at redhat.com
>     >     *Envoyé: *Mardi 25 Octobre 2016 17:51:09
>     >     *Objet: *Re: [Freeipa-users] Impossible to renew certificate.
>     >     pki-tomcat issue
>     >
>     >
>     >
>     ------------------------------------------------------------------------
>     >
>     >         *De: *"Florence Blanc-Renaud" <flo at redhat.com>
>     >         *À: *"Bertrand Rétif" <bretif at phosphore.eu>,
>     >         freeipa-users at redhat.com
>     >         *Envoyé: *Jeudi 20 Octobre 2016 18:45:21
>     >         *Objet: *Re: [Freeipa-users] Impossible to renew certificate.
>     >         pki-tomcat issue
>     >
>     >         On 10/19/2016 08:18 PM, Bertrand Rétif wrote:
>     >         > *De: *"Bertrand Rétif" <bretif at phosphore.eu>
>     >         >
>     >         >     *À: *freeipa-users at redhat.com
>     >         >     *Envoyé: *Mercredi 19 Octobre 2016 15:42:07
>     >         >     *Objet: *Re: [Freeipa-users] Impossible to renew
>     certificate.
>     >         >     pki-tomcat issue
>     >         >
>     >         >
>     >         >
>     >
>     ------------------------------------------------------------------------
>     >         >
>     >         >         *De: *"Rob Crittenden" <rcritten at redhat.com>
>     >         >         *À: *"Bertrand Rétif" <bretif at phosphore.eu>,
>     >         >         freeipa-users at redhat.com
>     >         >         *Envoyé: *Mercredi 19 Octobre 2016 15:30:14
>     >         >         *Objet: *Re: [Freeipa-users] Impossible to renew
>     >         certificate.
>     >         >         pki-tomcat issue
>     >         >
>     >         >         Bertrand Rétif wrote:
>     >         >         >> De: "Martin Babinsky" <mbabinsk at redhat.com>
>     >         >         >> À: freeipa-users at redhat.com
>     >         >         >> Envoyé: Mercredi 19 Octobre 2016 08:45:49
>     >         >         >> Objet: Re: [Freeipa-users] Impossible to renew
>     >         certificate.
>     >         >         pki-tomcat issue
>     >         >         >
>     >         >         >> On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
>     >         >         >>> Hello,
>     >         >         >>>
>     >         >         >>> I had an issue with pki-tomcat.
>     >         >         >>> I had several certificates that were expired and
>     >         >         >>> pki-tomcat did not start anymore.
>     >         >         >>>
>     >         >         >>> I set the date on the server before certificate
>     >         >         >>> expiration and then pki-tomcat starts properly.
>     >         >         >>> Then I try to resubmit the certificate, but I get
>     >         >         >>> the error below:
>     >         >         >>> "Profile caServerCert Not Found"
>     >         >         >>>
>     >         >         >>> Do you have any idea how I could fix this issue.
>     >         >         >>>
>     >         >         >>> Please find below output of commands:
>     >         >         >>>
>     >         >         >>>
>     >         >         >>> # getcert resubmit -i 20160108170324
>     >         >         >>>
>     >         >         >>> # getcert list -i 20160108170324
>     >         >         >>> Number of certificates and requests being
>     tracked: 7.
>     >         >         >>> Request ID '20160108170324':
>     >         >         >>> status: MONITORING
>     >         >         >>> ca-error: Server at
>     >         >         >>>
>     >         "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit"
>     >         >         replied:
>     >         >         >>> Profile caServerCert Not Found
>     >         >         >>> stuck: no
>     >         >         >>> key pair storage:
>     >         >         >>>
>     >         >
>     >
>     type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>     >         >         >>> Certificate
>     DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     >         >         >>> certificate:
>     >         >         >>>
>     >         >
>     >
>     type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>     >         >         >>> Certificate DB'
>     >         >         >>> CA: dogtag-ipa-ca-renew-agent
>     >         >         >>> issuer: CN=Certificate Authority,O=A.SKINFRA.EU
>     >         >         >>> subject: CN=IPA RA,O=A.SKINFRA.EU
>     >         >         >>> expires: 2016-06-28 15:25:11 UTC
>     >         >         >>> key usage:
>     >         >         >>>
>     >
>     digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     >         >         >>> eku: id-kp-serverAuth,id-kp-clientAuth
>     >         >         >>> pre-save command:
>     >         /usr/lib64/ipa/certmonger/renew_ra_cert_pre
>     >         >         >>> post-save command:
>     >         /usr/lib64/ipa/certmonger/renew_ra_cert
>     >         >         >>> track: yes
>     >         >         >>> auto-renew: yes
>     >         >         >>>
>     >         >         >>>
>     >         >         >>> Thanks in advance for your help.
>     >         >         >>> Bertrand
>     >         >         >>>
>     >         >         >>>
>     >         >         >>>
>     >         >         >>>
>     >         >         >
>     >         >         >> Hi Bertrand,
>     >         >         >
>     >         >         >> what version of FreeIPA and Dogtag are you running?
>     >         >         >
>     >         >         >> Also perform the following search on the IPA master
>     >         >         >> and post the result:
>     >         >         >
>     >         >         >> """
>     >         >         >> ldapsearch -D "cn=Directory Manager" -W -b
>     >         >         >> 'ou=certificateProfiles,ou=ca,o=ipaca'
>     >         >         '(objectClass=certProfile)'
>     >         >         >> """
>     >         >         >
>     >         >         > Hi Martin,
>     >         >         >
>     >         >         > Thanks for your reply.
>     >         >         >
>     >         >         > Here is version:
>     >         >         > - FreeIPA 4.2.0
>     >         >         > - Centos 7.2
>     >         >         >
>     >         >         > I have been able to fix the issue with "Profile
>     >         >         > caServerCert Not Found" by editing
>     >         >         > /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
>     >         >         > I replaced the entry below
>     >         >         >
>     >         >
>     >
>     "subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem"
>     >         >         > by
>     >         >         >
>     >
>     "subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem"
>     >         >         >
>     >         >         > and then launched the "ipa-server-upgrade" command.
>     >         >         > I found this solution in this post:
>     >         >         > http://osdir.com/ml/freeipa-users/2016-03/msg00280.html
>     >         >         >
>     >         >         > Then I was able to renew my certificate.
>     >         >         >
>     >         >         > However I rebooted my server too and pki-tomcat
>     >         >         > does not start and provides a new error in
>     >         >         > /var/log/pki/pki-tomcat/ca/debug
>     >         >         >
>     >         >         > [19/Oct/2016:11:11:52][localhost-startStop-1]:
>     >         CertUtils:
>     >         >         verifySystemCertByNickname() passed:
>     auditSigningCert
>     >         cert-pki-ca
>     >         >         > [19/Oct/2016:11:11:52][localhost-startStop-1]:
>     >         >         SignedAuditEventFactory: create()
>     >         >
>     message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$
>     >         >         >
>     System$][Outcome=Success][CertNickName=auditSigningCert
>     >         >         cert-pki-ca] CIMC certificate verification
>     >         >         >
>     >         >         > java.lang.Exception: SystemCertsVerification:
>     system
>     >         certs
>     >         >         verification failure
>     >         >         > at
>     >         >
>     >
>     com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198)
>     >         >         > at
>     >         >
>     >
>     com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861)
>     >         >         > at
>     >         >
>     >
>     com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797)
>     >         >         > at
>     >         >
>     >
>     com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1701)
>     >         >         > at
>     >         >
>     >
>     com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1148)
>     >         >         > at
>     com.netscape.certsrv.apps.CMS.startup(CMS.java:200)
>     >         >         > at
>     com.netscape.certsrv.apps.CMS.start(CMS.java:1602)
>     >         >         > at
>     >         >
>     >
>     com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>     >         >         > at
>     >         javax.servlet.GenericServlet.init(GenericServlet.java:158)
>     >         >         > at
>     >         sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     >         >         > at
>     >         >
>     >
>     sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>     >         >         > at
>     >         >
>     >
>     sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     >         >         > at
>     java.lang.reflect.Method.invoke(Method.java:606)
>     >         >         > at
>     >         >
>     >
>     org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>     >         >         > at
>     >         >
>     >
>     org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>     >         >         > at
>     >         java.security.AccessController.doPrivileged(Native Method)
>     >         >         > at
>     >         javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
>     >         >         > at
>     >         >
>     >
>     org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>     >         >         > at
>     >         >
>     >
>     org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
>     >         >         > at
>     >         >
>     >
>     org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
>     >         >         > at
>     >         >
>     >
>     org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
>     >         >         > at
>     >         >
>     >
>     org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
>     >         >         > at
>     >         >
>     >
>     org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
>     >         >         > at
>     >         >
>     >
>     org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
>     >         >         > at
>     >         >
>     >
>     org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
>     >         >         > at
>     >         >
>     >
>     org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>     >         >         > at
>     >         >
>     >
>     org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
>     >         >         > at
>     >         >
>     >
>     org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>     >         >         > at
>     >         >
>     >
>     org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>     >         >         > at
>     >         >
>     >
>     org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>     >         >         > at
>     >         java.security.AccessController.doPrivileged(Native Method)
>     >         >         > at
>     >         >
>     >
>     org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
>     >         >         > at
>     >         >
>     >
>     org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
>     >         >         > at
>     >         >
>     >
>     org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
>     >         >         > at
>     >         >
>     >
>     org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
>     >         >         > at
>     >         >
>     >
>     java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
>     >         >         > at
>     >         java.util.concurrent.FutureTask.run(FutureTask.java:262)
>     >         >         > at
>     >         >
>     >
>     java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     >         >         > at
>     >         >
>     >
>     java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     >         >         > at java.lang.Thread.run(Thread.java:745)
>     >         >         > [19/Oct/2016:11:11:52][localhost-startStop-1]:
>     >         >         SignedAuditEventFactory: create()
>     >         >
>     >
>     message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure]
>     >         >         self tests execution (see selftests.log for details)
>     >         >         > [19/Oct/2016:11:11:52][localhost-startStop-1]:
>     >         >         CMSEngine.shutdown()
>     >         >         >
>     >         >         >
>     >         >         > I am currently stuck here.
>     >         >         > Thanks a lot for your help.
>     >         >
>     >         >         I'm guessing at least one of the CA subsystem
>     >         >         certificates is still expired. Look at the "getcert list"
>     >         >         output to see if there are any expired certificates.
>     >         >
>     >         >         rob
>     >         >
>     >         >         >
>     >         >         > Bertrand
>     >         >         >
>     >         >         >
>     >         >
>     >         >     Hello Rob,
>     >         >
>     >         >     I checked on my 2 servers and no certificate is expired
>     >         >
>     >         >     [root at sdkipa03 ~]# getcert list |grep expire
>     >         >         expires: 2018-06-22 22:02:26 UTC
>     >         >         expires: 2018-06-22 22:02:47 UTC
>     >         >         expires: 2034-07-09 15:24:34 UTC
>     >         >         expires: 2016-10-30 13:35:29 UTC
>     >         >
>     >         >     [root at sdkipa01 conf]# getcert list |grep expire
>     >         >         expires: 2018-06-12 23:38:01 UTC
>     >         >         expires: 2018-06-12 23:37:41 UTC
>     >         >         expires: 2018-06-11 22:53:57 UTC
>     >         >         expires: 2018-06-11 22:55:50 UTC
>     >         >         expires: 2018-06-11 22:57:47 UTC
>     >         >         expires: 2034-07-09 15:24:34 UTC
>     >         >         expires: 2018-06-11 22:59:55 UTC
>     >         >
>     >         >     I see that one certificate is in status: CA_UNREACHABLE,
>     >         >     maybe I rebooted my server too soon...
>     >         >
>     >         >     I continue to investigate
>     >         >
>     >         >     Thanks for your help.
>     >         >     Bertrand
>     >         >
>     >         > I fixed my previous issue.
>     >         > Now I have an issue with a server.
>     >         > This server cannot start pki-tomcatd, I get this error in the
>     >         > debug file:
>     >         > "Error netscape.ldap.LDAPException: IO Error creating JSS SSL
>     >         > Socket (-1)"
>     >         >
>     >         > After investigation I see that I do not have the "ipaCert"
>     >         > certificate in "/etc/httpd/alias"
>     >         > cf. the command below:
>     >         >
>     >         > [root at sdkipa03 ~]# getcert list -d /etc/httpd/alias
>     >         > Number of certificates and requests being tracked: 4.
>     >         > Request ID '20141110133632':
>     >         >     status: MONITORING
>     >         >     stuck: no
>     >         >     key pair storage:
>     >         >
>     >
>     type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>     >         > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     >         >     certificate:
>     >         >
>     >
>     type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>     >         > Certificate DB'
>     >         >     CA: IPA
>     >         >     issuer: CN=Certificate Authority,O=A.SKINFRA.EU
>     >         >     subject: CN=sdkipa03.skinfra.eu,O=A.SKINFRA.EU
>     >         >     expires: 2018-06-22 22:02:47 UTC
>     >         >     principal name: HTTP/sdkipa03.skinfra.eu at A.SKINFRA.EU
>     >         >     key usage:
>     >         >
>     digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     >         >     eku: id-kp-serverAuth,id-kp-clientAuth
>     >         >     pre-save command:
>     >         >     post-save command:
>     /usr/lib64/ipa/certmonger/restart_httpd
>     >         >     track: yes
>     >         >     auto-renew: yes
>     >         >
>     >         >
>     >         > How can I add the certificate to /etc/httpd/alias?
>     >         >
>     >         Hi,
>     >
>     >         for the record, the command getcert list that you supplied shows
>     >         the certificates in /etc/httpd/alias that are tracked by
>     >         certmonger. If you want to display all the certificates contained
>     >         in /etc/httpd/alias (whether tracked or not), then you may want to
>     >         use certutil -L -d /etc/httpd/alias instead.
>     >
>     >         If ipaCert is missing, you can export ipaCert certificate from
>     >         another
>     >         master, then import it to your server.
>     >
>     >         On a master containing the cert:
>     >         # certutil -d /etc/httpd/alias -L -n 'ipaCert' -a >
>     >         /tmp/newRAcert.crt
>     >
>     >         Then copy the file /tmp/newRAcert.crt to your server and import
>     >         the cert:
>     >         # certutil -d /etc/httpd/alias -A -n 'ipaCert' -a -i \
>     >         /tmp/newRAcert.crt -t u,u,u
>     >
>     >         And finally you need to tell certmonger to monitor the cert using
>     >         getcert start-tracking.
>     >
>     >         Hope this helps,
>     >         Flo.
>     >
>     >         > Thanks for your support.
>     >         > Regards
>     >         > Bertrand
>     >         >
>     >         >
>     >         >
>     >
>     >     Hi,
>     >
>     >     Florence, thanks for your help.
>     >     I was able to import correctly ipaCert with your commands.
>     >     Now it seems that I also have an issue on one server with
>     >     "subsystemCert cert-pki-ca" in /etc/pki/pki-tomcat/alias as I get
>     >     the error below when pki-tomcat tries to start
>     >
>     >
>     >     LdapJssSSLSocket set client auth cert nickname subsystemCert cert-pki-ca
>     >     Could not connect to LDAP server host sdkipa03.XX.YY port 636 Error
>     >     netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>     >
>     >
>     >     Is there a way to restore a correct "subsystemCert cert-pki-ca"?
>     >
>     >     Regards
>     >     Bertrand
>     >
>     > Hello,
>     >
>     > I am still stuck with my IPA server.
>     > I have issues on both servers.
>     > On server1, the certificate below is not renewed properly
>     >    certutil -L -d /etc/httpd/alias/ -n "ipaCert"
>     >
>     > and on server 2 it is this certificate:
>     >   certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "Server-Cert cert-pki-ca"
>     >
>     > Could you provide me with the correct syntax for the start-tracking
>     > command?
>     > I tried to launch this command but my certificate remains in the
>     > "NEWLY_ADDED_NEED_KEYINFO_READ_PIN" state.
>     > Here is the command I use:
>     > getcert start-tracking -c dogtag-ipa-retrieve-agent-submit -d
>     > /var/lib/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca' -B
>     > /usr/lib64/ipa/certmonger/stop_pkicad -C
>     > '/usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"' -T
>     > "Server-Cert cert-pki-ca" -P '20160614000000'
>     >
>     Hi Bertrand,
>
>     to get the right command, you can check on a system where the
>     certificate is properly monitored, this will show you the right
>     parameters:
>     $ sudo getcert list -n ipaCert
>     Number of certificates and requests being tracked: 8.
>     Request ID '20161122095344':
>     [..]        key pair storage:
>     type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>     Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     [...]
>             CA: dogtag-ipa-ca-renew-agent
>     [...]
>             pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
>             post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>     [...]
>
>     The relevant fields are NSSDB location, pinfile, nickname, CA, pre and
>     post-save commands. So in order to monitor ipaCert, you will need to use
>     $ sudo getcert start-tracking -d /etc/httpd/alias -n ipaCert \
>          -p /etc/httpd/alias/pwdfile.txt \
>          -c dogtag-ipa-ca-renew-agent \
>          -B /usr/lib64/ipa/certmonger/renew_ra_cert_pre \
>          -C /usr/lib64/ipa/certmonger/renew_ra_cert
>
>     HTH,
>     Flo.
>
>     > Thanks in advance for your help.
>     >
>     > Regards
>     > Bertrand
>
> Hello Florence,
>
> Thanks for your reply.
> Before making any mistakes, I just need some explanations as I think I do
> not understand well how it should work.
>
> Do all the certificates need to be tracked by certmonger on all servers, or
> should they only be tracked on one server and FreeIPA will update them
> on the other servers?
>
> In my case I have the certificates below outdated and not tracked on "server 1":
>    - certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "auditSigningCert
> cert-pki-ca"
>    - certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "ocspSigningCert
> cert-pki-ca"
>    - certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "subsystemCert
> cert-pki-ca"
>
> They are tracked by certmonger and have been correctly renewed on "server 2".
> Do I need to add them to certmonger tracking on "server 1"?
> If not, does it mean FreeIPA failed to update them? Should I delete and
> import them manually on server 2?
>
> If you need more details, do not hesitate to ask.
>
Hi Bertrand,

The certificate tracking depends on the type of certificate and on the 
server you're considering. For instance, if IPA includes a Certificate 
Authority, then ipaCert will be present on all the IPA servers 
(master/replicas) and tracked on all of them. The same ipaCert 
certificate is used on all the replicas. On the renewal master, the 
renewal operation actually renews the certificate and uploads the cert 
on LDAP, but on the other replicas the operation consists of downloading 
the new certificate from LDAP.

The HTTP and LDAP server certificates are present and tracked on all the 
IPA servers, but they are different on each server (you can see that the 
Subject of the certificate contains the hostname). They can be renewed 
independently on each IPA server.

The certificates used by Dogtag (the component providing the Certificate 
System) are present and tracked only on the IPA servers where the CA was 
set up (for instance if you installed a replica with --setup-ca or if you 
ran ipa-ca-install later on). The same certificates are used on all 
replicas containing a CA instance.
They are: 'ocspSigningCert cert-pki-ca', 'subsystemCert cert-pki-ca', 
'caSigningCert cert-pki-ca' and 'Server-Cert cert-pki-ca'.
The renewal operation renews them on the renewal master and uploads them 
in LDAP, but just downloads them from LDAP on the other servers.

In your example, if server1 also contains a CA instance then it should 
also track the above certs.

You can find the renewal master with the following ldapsearch command:
$ ldapsearch -h localhost -p 389 -D 'cn=Directory Manager' -w password 
-b "cn=masters,cn=ipa,cn=etc,$BASEDN" -LLL 
'(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn
dn: cn=CA,cn=ipaserver.fqdn,cn=masters,cn=ipa,cn=etc,$BASEDN

In this case the renewal master is ipaserver.fqdn

Hope this clarifies,
Flo.

> Regards
> Bertrand
>
>
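As an added example, not code from this thread or from the FreeIPA or certmonger projects: a small Python parser for `getcert list` output that applies the method Flo describes (read the tracking request of a certificate on a server where it is correctly monitored and reuse its NSSDB location, pin file, CA helper and pre-/post-save commands to build the `getcert start-tracking` command), together with Rob's check for expired certificates and a report of requests that are not in the MONITORING state, such as the CA_UNREACHABLE one Bertrand saw. The sample output is constructed from the field layout shown in the thread; the domain names, request ids and the CA helper of the second record are placeholders, not values from any real deployment.

```python
# Added example: derive certmonger tracking parameters from `getcert list`
# output. Not from the mailing-list thread or the FreeIPA/certmonger code.
import re
import shlex
from datetime import datetime, timezone

# Constructed sample in the field layout getcert prints (tab-indented fields).
# Domain names, request ids and the second record's CA helper are placeholders.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20161122095344':
\tstatus: MONITORING
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=IPA RA,O=EXAMPLE.TEST
\texpires: 2018-06-12 23:38:01 UTC
\tpre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
\tpost-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
Request ID '20141110133632':
\tstatus: CA_UNREACHABLE
\tkey pair storage: type=NSSDB,location='/var/lib/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/var/lib/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-retrieve-agent-submit
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2016-10-30 13:35:29 UTC
\tpre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
\tpost-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
QUOTED_KV_RE = re.compile(r"(\w+)='([^']*)'")


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracking request."""
    records = []
    current = None
    for raw in text.splitlines():
        m = REQUEST_RE.match(raw)
        if m:
            current = {"request_id": m.group(1)}
            records.append(current)
            continue
        if current is None or ":" not in raw:
            continue  # summary line before the first request, or noise
        key, _, value = raw.strip().partition(":")
        current[key.strip()] = value.strip()
    for rec in records:
        # Quoted sub-fields of the storage spec: location, nickname, token, pinfile.
        rec["storage"] = dict(QUOTED_KV_RE.findall(rec.get("key pair storage", "")))
    return records


def find_request(records, nickname):
    """Return the tracking request for an NSS nickname, or None."""
    for rec in records:
        if rec["storage"].get("nickname") == nickname:
            return rec
    return None


def start_tracking_command(rec):
    """Build the `getcert start-tracking` command that reproduces `rec`.

    Only the fields named in the thread are copied: NSSDB location (-d),
    nickname (-n), pin file (-p, omitted when the pin is stored by certmonger),
    CA helper (-c) and the pre-/post-save commands (-B/-C).
    """
    storage = rec["storage"]
    args = ["getcert", "start-tracking", "-d", storage["location"], "-n", storage["nickname"]]
    if storage.get("pinfile"):
        args += ["-p", storage["pinfile"]]
    if rec.get("CA"):
        args += ["-c", rec["CA"]]
    if rec.get("pre-save command"):
        args += ["-B", rec["pre-save command"]]
    if rec.get("post-save command"):
        args += ["-C", rec["post-save command"]]
    return shlex.join(args)  # quotes nicknames and commands that contain spaces


def parse_utc(text):
    """Parse the 'YYYY-MM-DD HH:MM:SS UTC' timestamps getcert prints."""
    if not text.endswith(" UTC"):
        raise ValueError("expected a UTC timestamp: %r" % text)
    return datetime.strptime(text[:-4], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def expired_requests(records, now):
    """Nicknames whose certificate had already expired at `now`."""
    return [rec["storage"].get("nickname") for rec in records
            if "expires" in rec and parse_utc(rec["expires"]) <= now]


def unhealthy_requests(records):
    """Requests not in the steady MONITORING state, with any ca-error text."""
    return {rec["storage"].get("nickname"): (rec.get("status"), rec.get("ca-error"))
            for rec in records if rec.get("status") != "MONITORING"}


if __name__ == "__main__":
    recs = parse_getcert_list(SAMPLE_GETCERT_LIST)
    print(start_tracking_command(find_request(recs, "ipaCert")))
    now = parse_utc("2016-11-22 12:17:34 UTC")  # date of the thread
    print("expired:", expired_requests(recs, now))
    print("not MONITORING:", unhealthy_requests(recs))
```

Run on a server where the certificate is tracked correctly (`sudo getcert list | python3 this_script.py` after swapping the constructed sample for `sys.stdin.read()`), the first record yields exactly the command Flo gives above; for the second record the nickname and the post-save command are single-quoted because they contain spaces, and no `-p` is emitted because that request stores its pin in certmonger rather than in a pin file. The two report functions cover the other checks from the thread: certificates whose expiry is already past, and requests stuck outside MONITORING, whose `ca-error` text (when present) explains why.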



