[Freeipa-users] Impossible to renew certificate. pki-tomcat issue

Bertrand Rétif bretif at phosphore.eu
Fri Nov 25 10:16:04 UTC 2016


-- 
Bertrand Rétif 
Phosphore Services Informatiques - http://www.phosphore.eu 
Tel: 04 66 51 87 73 / Mob: 06 61 87 03 30 / Fax: 09 72 12 61 44 

----- Original Message -----

> From: "Florence Blanc-Renaud" <flo at redhat.com>
> To: "Bertrand Rétif" <bretif at phosphore.eu>, freeipa-users at redhat.com
> Sent: Friday, 25 November 2016 11:03:53
> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

> On 11/23/2016 02:25 PM, Bertrand Rétif wrote:
> >
> > ------------------------------------------------------------------------
> >
> > *From: *"Florence Blanc-Renaud" <flo at redhat.com>
> > *To: *"Bertrand Rétif" <bretif at phosphore.eu>, freeipa-users at redhat.com
> > *Sent: *Wednesday, 23 November 2016 08:49:28
> > *Subject: *Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> >
> > On 11/22/2016 06:06 PM, Bertrand Rétif wrote:
> > > Hi Florence,
> > >
> > > Thanks for clarification.
> > > Your explanation was very clear and I better understand
> > >
> > > Now my issue is that I need to start tracking "auditSigningCert
> > > cert-pki-ca", "ocspSigningCert cert-pki-ca" and "subsystemCert
> > > cert-pki-ca" on a server.
> > >
> > > I took a look at another server where they are properly tracked. However
> > > getcert list returns "pin set" and not a "pinfile" as described in
> > > your mail.
> > > In "/etc/pki/pki-tomcat/alias" I do not see any pwdfile.txt file, so my
> > > question is: where do I get the PIN?
> > >
> > Hi Bertrand,
> >
> > With IPA 4.2.0 I believe that the pin is stored in
> > /var/lib/pki/pki-tomcat/conf/password.conf, in the 'internal' field:
> > $ grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf
> > internal=0123456789101
> >
> > HTH,
> > Flo
> >
> > > Once again, thanks for your support, I have been trying to fix this issue for days!
> > >
> > > Regards
> > > Bertrand
> > >
> > >
> > > --
> > > Bertrand Rétif
> > > Phosphore Services Informatiques - http://www.phosphore.eu
> > > Tel: 04 66 51 87 73 / Mob: 06 61 87 03 30 / Fax: 09 72 12 61 44
> > >
> > >
> > ------------------------------------------------------------------------
> > >
> > > *From: *"Florence Blanc-Renaud" <flo at redhat.com>
> > > *To: *"Bertrand Rétif" <bretif at phosphore.eu>, freeipa-users at redhat.com
> > > *Sent: *Tuesday, 22 November 2016 13:17:34
> > > *Subject: *Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > >
> > > On 11/22/2016 11:50 AM, Bertrand Rétif wrote:
> > > >
> > > >
> > > > *From: *"Florence Blanc-Renaud" <flo at redhat.com>
> > > > *To: *"Bertrand Rétif" <bretif at phosphore.eu>, freeipa-users at redhat.com
> > > > *Sent: *Tuesday, 22 November 2016 11:33:45
> > > > *Subject: *Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > >
> > > > On 11/22/2016 10:07 AM, Bertrand Rétif wrote:
> > > > >
> > > >
> > >
> > ------------------------------------------------------------------------
> > > > >
> > > > > *From: *"Bertrand Rétif" <bretif at phosphore.eu>
> > > > > *To: *freeipa-users at redhat.com
> > > > > *Sent: *Tuesday, 25 October 2016 17:51:09
> > > > > *Subject: *Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > > >
> > > > >
> > > > >
> > > >
> > >
> > ------------------------------------------------------------------------
> > > > >
> > > > > *From: *"Florence Blanc-Renaud" <flo at redhat.com>
> > > > > *To: *"Bertrand Rétif" <bretif at phosphore.eu>, freeipa-users at redhat.com
> > > > > *Sent: *Thursday, 20 October 2016 18:45:21
> > > > > *Subject: *Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > > >
> > > > > On 10/19/2016 08:18 PM, Bertrand Rétif wrote:
> > > > > > *From: *"Bertrand Rétif" <bretif at phosphore.eu>
> > > > > > *To: *freeipa-users at redhat.com
> > > > > > *Sent: *Wednesday, 19 October 2016 15:42:07
> > > > > > *Subject: *Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > >
> > >
> > ------------------------------------------------------------------------
> > > > > >
> > > > > > *From: *"Rob Crittenden" <rcritten at redhat.com>
> > > > > > *To: *"Bertrand Rétif" <bretif at phosphore.eu>, freeipa-users at redhat.com
> > > > > > *Sent: *Wednesday, 19 October 2016 15:30:14
> > > > > > *Subject: *Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > > > >
> > > > > > Bertrand Rétif wrote:
> > > > > > >> From: "Martin Babinsky" <mbabinsk at redhat.com>
> > > > > > >> To: freeipa-users at redhat.com
> > > > > > >> Sent: Wednesday, 19 October 2016 08:45:49
> > > > > > >> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > > > > >
> > > > > > >> On 10/18/2016 11:22 PM, Bertrand
> > Rétif
> > > wrote:
> > > > > > >>> Hello,
> > > > > > >>>
> > > > > > >>> I had an issue with pki-tomcat.
> > > > > > >>> I had several certificates that were expired and pki-tomcat did not start
> > > > > > >>> anymore.
> > > > > > >>>
> > > > > > >>> I set the date on the server to before the certificate expiration and then
> > > > > > >>> pki-tomcat starts properly.
> > > > > > >>> Then I try to resubmit the certificate, but I get the error below:
> > > > > > >>> "Profile caServerCert Not Found"
> > > > > > >>>
> > > > > > >>> Do you have any idea how I could fix
> > > this issue.
> > > > > > >>>
> > > > > > >>> Please find below the output of the commands:
> > > > > > >>>
> > > > > > >>>
> > > > > > >>> # getcert resubmit -i 20160108170324
> > > > > > >>>
> > > > > > >>> # getcert list -i 20160108170324
> > > > > > >>> Number of certificates and requests being tracked: 7.
> > > > > > >>> Request ID '20160108170324':
> > > > > > >>> status: MONITORING
> > > > > > >>> ca-error: Server at "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied: Profile caServerCert Not Found
> > > > > > >>> stuck: no
> > > > > > >>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > > > > >>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> > > > > > >>> CA: dogtag-ipa-ca-renew-agent
> > > > > > >>> issuer: CN=Certificate Authority,O=A.SKINFRA.EU
> > > > > > >>> subject: CN=IPA RA,O=A.SKINFRA.EU
> > > > > > >>> expires: 2016-06-28 15:25:11 UTC
> > > > > > >>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > > > > >>> eku: id-kp-serverAuth,id-kp-clientAuth
> > > > > > >>> pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
> > > > > > >>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> > > > > > >>> track: yes
> > > > > > >>> auto-renew: yes
> > > > > > >>>
> > > > > > >>>
> > > > > > >>> Thanks in advance for your help.
> > > > > > >>> Bertrand
> > > > > > >>>
> > > > > > >>>
> > > > > > >>>
> > > > > > >>>
> > > > > > >
> > > > > > >> Hi Bertrand,
> > > > > > >
> > > > > > >> what version of FreeIPA and Dogtag are you running?
> > > > > > >
> > > > > > >> Also perform the following search on the IPA master and post the result:
> > > > > > >
> > > > > > >> """
> > > > > > >> ldapsearch -D "cn=Directory Manager" -W -b 'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)'
> > > > > > >> """
> > > > > > >
> > > > > > > Hi Martin,
> > > > > > >
> > > > > > > Thanks for your reply.
> > > > > > >
> > > > > > > Here is version:
> > > > > > > - FreeIPA 4.2.0
> > > > > > > - Centos 7.2
> > > > > > >
> > > > > > > I have been able to fix the issue with "Profile caServerCert
> > > > > > > Not Found" by editing /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
> > > > > > > I replaced the entry below
> > > > > > >
> > > > > > > "subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem"
> > > > > > > with
> > > > > > >
> > > > > > > "subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem"
> > > > > > >
> > > > > > > and then launched the "ipa-server-upgrade" command
> > > > > > > I found this solution in this post:
> > > > > > > http://osdir.com/ml/freeipa-users/2016-03/msg00280.html
> > > > > > >
> > > > > > > Then I was able to renew my certificate.
> > > > > > >
> > > > > > > However I rebooted my server and pki-tomcat does not start and
> > > > > > > gives a new error in /var/log/pki/pki-tomcat/ca/debug
> > > > > > >
> > > > > > >
> > > > > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca
> > > > > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification
> > > > > > >
> > > > > > > java.lang.Exception: SystemCertsVerification: system certs verification failure
> > > > > > > at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198)
> > > > > > > at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861)
> > > > > > > at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797)
> > > > > > > at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1701)
> > > > > > > at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1148)
> > > > > > > at com.netscape.certsrv.apps.CMS.startup(CMS.java:200)
> > > > > > > at com.netscape.certsrv.apps.CMS.start(CMS.java:1602)
> > > > > > > at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
> > > > > > > at javax.servlet.GenericServlet.init(GenericServlet.java:158)
> > > > > > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > > > > > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> > > > > > > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > > > > > at java.lang.reflect.Method.invoke(Method.java:606)
> > > > > > > at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
> > > > > > > at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
> > > > > > > at java.security.AccessController.doPrivileged(Native Method)
> > > > > > > at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
> > > > > > > at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
> > > > > > > at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
> > > > > > > at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
> > > > > > > at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
> > > > > > > at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
> > > > > > > at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
> > > > > > > at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
> > > > > > > at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
> > > > > > > at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> > > > > > > at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
> > > > > > > at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
> > > > > > > at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
> > > > > > > at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
> > > > > > > at java.security.AccessController.doPrivileged(Native Method)
> > > > > > > at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
> > > > > > > at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
> > > > > > > at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
> > > > > > > at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
> > > > > > > at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
> > > > > > > at java.util.concurrent.FutureTask.run(FutureTask.java:262)
> > > > > > > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> > > > > > > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> > > > > > > at java.lang.Thread.run(Thread.java:745)
> > > > > > >
> > > > > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)
> > > > > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: CMSEngine.shutdown()
> > > > > > >
> > > > > > >
> > > > > > > I am currently stuck here.
> > > > > > > Thanks a lot for your help.
> > > > > >
> > > > > > I'm guessing at least one of the CA subsystem certificates is
> > > > > > still expired. Look at the "getcert list" output to see if there are
> > > > > > any expired certificates.
> > > > > >
> > > > > > rob
> > > > > >
> > > > > > >
> > > > > > > Bertrand
> > > > > > >
> > > > > > >
> > > > > >
> > > > > > Hello Rob,
> > > > > >
> > > > > > I checked on my 2 servers and no certificate is expired
> > > > > >
> > > > > > [root at sdkipa03 ~]# getcert list |grep expire
> > > > > > expires: 2018-06-22 22:02:26 UTC
> > > > > > expires: 2018-06-22 22:02:47 UTC
> > > > > > expires: 2034-07-09 15:24:34 UTC
> > > > > > expires: 2016-10-30 13:35:29 UTC
> > > > > >
> > > > > > [root at sdkipa01 conf]# getcert list |grep
> > expire
> > > > > > expires: 2018-06-12 23:38:01 UTC
> > > > > > expires: 2018-06-12 23:37:41 UTC
> > > > > > expires: 2018-06-11 22:53:57 UTC
> > > > > > expires: 2018-06-11 22:55:50 UTC
> > > > > > expires: 2018-06-11 22:57:47 UTC
> > > > > > expires: 2034-07-09 15:24:34 UTC
> > > > > > expires: 2018-06-11 22:59:55 UTC
> > > > > >
> > > > > > I see that one certificate is in status CA_UNREACHABLE, maybe I
> > > > > > rebooted my server too soon...
> > > > > >
> > > > > > I continue to investigate
> > > > > >
> > > > > > Thanks for your help.
> > > > > > Bertrand
> > > > > >
> > > > > > I fixed my previous issue.
> > > > > > Now I have an issue with a server.
> > > > > > This server cannot start pki-tomcatd, I get this error in the debug file:
> > > > > > "Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)"
> > > > > >
> > > > > > After investigation I see that I do not have the "ipaCert" certificate in
> > > > > > "/etc/httpd/alias"
> > > > > > see the command below:
> > > > > >
> > > > > > [root at sdkipa03 ~]# getcert list -d /etc/httpd/alias
> > > > > > Number of certificates and requests being tracked: 4.
> > > > > > Request ID '20141110133632':
> > > > > > status: MONITORING
> > > > > > stuck: no
> > > > > > key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > > > > certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> > > > > > CA: IPA
> > > > > > issuer: CN=Certificate Authority,O=A.SKINFRA.EU
> > > > > > subject: CN=sdkipa03.skinfra.eu,O=A.SKINFRA.EU
> > > > > > expires: 2018-06-22 22:02:47 UTC
> > > > > > principal name: HTTP/sdkipa03.skinfra.eu at A.SKINFRA.EU
> > > > > > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > > > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > > > > pre-save command:
> > > > > > post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> > > > > > track: yes
> > > > > > auto-renew: yes
> > > > > >
> > > > > >
> > > > > > How can I add the certificate to /etc/httpd/alias?
> > > > > >
> > > > > Hi,
> > > > >
> > > > > for the record, the command getcert list that you supplied shows the
> > > > > certificates in /etc/httpd/alias that are tracked by certmonger. If you
> > > > > want to display all the certificates contained in /etc/httpd/alias
> > > > > (whether tracked or not), then you may want to use certutil -L -d
> > > > > /etc/httpd/alias instead.
> > > > >
> > > > > If ipaCert is missing, you can export the ipaCert certificate from
> > > > > another master, then import it to your server.
> > > > >
> > > > > On a master containing the cert:
> > > > > # certutil -d /etc/httpd/alias -L -n 'ipaCert' -a > /tmp/newRAcert.crt
> > > > >
> > > > > Then copy the file /tmp/newRAcert.crt to your server and import the cert:
> > > > > # certutil -d /etc/httpd/alias -A -n 'ipaCert' -a -i /tmp/newRAcert.crt -t u,u,u
> > > > >
> > > > > And finally you need to tell certmonger to monitor the cert using
> > > > > getcert start-tracking.
> > > > >
> > > > > Hope this helps,
> > > > > Flo.
> > > > >
> > > > > > Thanks for your support.
> > > > > > Regards
> > > > > > Bertrand
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > > Hi,
> > > > >
> > > > > Florence, thanks for your help.
> > > > > I was able to import ipaCert correctly with your commands.
> > > > > Now it seems that I also have an issue on one server with
> > > > > "subsystemCert cert-pki-ca" in /etc/pki/pki-tomcat/alias as I get the
> > > > > error below when pki-tomcat tries to start
> > > > >
> > > > >
> > > > > LdapJssSSLSocket set client auth cert nickname subsystemCert cert-pki-ca
> > > > > Could not connect to LDAP server host sdkipa03.XX.YY port 636 Error
> > > > > netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
> > > > >
> > > > >
> > > > > Is there a way to restore a correct "subsystemCert cert-pki-ca"?
> > > > >
> > > > > Regards
> > > > > Bertrand
> > > > >
> > > > > Hello,
> > > > >
> > > > > I am still stuck with my IPA server.
> > > > > I have issues on both servers.
> > > > > On server 1, the certificate below is not renewed properly
> > > > > certutil -L -d /etc/httpd/alias/ -n "ipaCert"
> > > > >
> > > > > and on server 2 it is this certificate:
> > > > > certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "Server-Cert cert-pki-ca"
> > > > >
> > > > > Could you provide me with the correct syntax for the start-tracking command.
> > > > > I tried to launch this command but my certificate remains in the
> > > > > "NEWLY_ADDED_NEED_KEYINFO_READ_PIN" state.
> > > > > Here is the command I use:
> > > > > getcert start-tracking -c dogtag-ipa-retrieve-agent-submit -d /var/lib/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca' -B /usr/lib64/ipa/certmonger/stop_pkicad -C '/usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"' -T "Server-Cert cert-pki-ca" -P '20160614000000'
> > > > >
> > > > Hi Bertrand,
> > > >
> > > > to get the right command, you can check on a system where the
> > > > certificate is properly monitored, this will show you the right
> > > > parameters:
> > > > $ sudo getcert list -n ipaCert
> > > > Number of certificates and requests being tracked: 8.
> > > > Request ID '20161122095344':
> > > > [..] key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > > [...]
> > > > CA: dogtag-ipa-ca-renew-agent
> > > > [...]
> > > > pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
> > > > post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> > > > [...]
> > > >
> > > > The relevant fields are NSSDB location, pinfile, nickname, CA, pre and
> > > > post-save commands. So in order to monitor ipaCert, you will need to use
> > > > $ sudo getcert start-tracking -d /etc/httpd/alias -n ipaCert \
> > > > -p /etc/httpd/alias/pwdfile.txt \
> > > > -c dogtag-ipa-ca-renew-agent \
> > > > -B /usr/lib64/ipa/certmonger/renew_ra_cert_pre \
> > > > -C /usr/lib64/ipa/certmonger/renew_ra_cert
> > > >
> > > > HTH,
> > > > Flo.
> > > >
> > > > > Thanks by advance for your help.
> > > > >
> > > > > Regards
> > > > > Bertrand
> > > >
> > > > Hello Florence,
> > > >
> > > > Thanks for your reply.
> > > > Before making any mistakes, I just need some explanations as I think I do
> > > > not understand well how it should work.
> > > >
> > > > Do all the certificates need to be tracked by certmonger on all servers, or
> > > > should they only be tracked on one server and FreeIPA will update them
> > > > on the other servers?
> > > >
> > > > In my case I have the certificates below outdated and not tracked on
> > > > "server 1":
> > > > - certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "auditSigningCert cert-pki-ca"
> > > > - certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "ocspSigningCert cert-pki-ca"
> > > > - certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "subsystemCert cert-pki-ca"
> > > >
> > > > They are tracked by certmonger and have been correctly renewed on "server 2"
> > > > Do I need to have them tracked by certmonger on "server 1"?
> > > > If not, does it mean FreeIPA failed to update them? Should I delete and
> > > > import them manually on server 2?
> > > >
> > > > If you need more details, do not hesitate to ask.
> > > >
> > > Hi Bertrand,
> > >
> > > The certificate tracking depends on the type of certificate and on the
> > > server you're considering. For instance, if IPA includes a Certificate
> > > Authority, then ipaCert will be present on all the IPA servers
> > > (master/replicas) and tracked on all of them. The same ipaCert
> > > certificate is used on all the replicas. On the renewal master, the
> > > renewal operation actually renews the certificate and uploads the cert
> > > on LDAP, but on the other replicas the operation consists in downloading
> > > the new certificate from LDAP.
> > >
> > > The HTTP and LDAP server certificates are present and tracked on all the
> > > IPA servers, but they are different on each server (you can see that the
> > > Subject of the certificate contains the hostname). They can be renewed
> > > independently on each IPA server.
> > >
> > > The certificates used by Dogtag (the component providing the Certificate
> > > System) are present and tracked only on the IPA servers where the CA was
> > > setup (for instance if you installed a replica with --setup-ca or if you
> > > ran ipa-ca-install later on). The same certificates are used on all
> > > replicas containing a CA instance.
> > > They are: 'ocspSigningCert cert-pki-ca', 'subsystemCert cert-pki-ca',
> > > 'caSigningCert cert-pki-ca' and 'Server-Cert cert-pki-ca'.
> > > The renewal operation renews them on the renewal master and uploads them
> > > in LDAP, but just downloads them from LDAP on the other servers.
> > >
> > > In your example, if server1 also contains a CA instance then it should
> > > also track the above certs.
> > >
> > > You can find the renewal master with the following ldapsearch command:
> > > $ ldapsearch -h localhost -p 389 -D 'cn=Directory Manager' -w password \
> > >   -b "cn=masters,cn=ipa,cn=etc,$BASEDN" -LLL \
> > >   '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn
> > > dn: cn=CA,cn=ipaserver.fqdn,cn=masters,cn=ipa,cn=etc,$BASEDN
> > >
> > > In this case the renewal master is ipaserver.fqdn
> > >
> > > Hope this clarifies,
> > > Flo.
> > >
> > > > Regards
> > > > Bertrand
> > > >
> > > >
> >
> > Hi Florence,
> >
> > Thanks.
> > All my certificates are now renewed and tracked. I set the current time back
> > on my servers and everything is now running properly.
> >
> > However now I get an issue with LDAP replication.
> > Here are the details of my 3 servers S1, S2, S3
> >
> > All the commands below are launched on the S1 server
> >
> > # ipa-replica-manage list
> > S1: master
> > S2: master
> > S3: master
> >
> > # ipa-replica-manage -v list S1
> > S2: replica
> > last init status: 0 Total update succeeded
> > last init ended: 2016-11-23 12:56:27+00:00
> > last update status: 0 Replica acquired successfully: Incremental update succeeded
> > last update ended: 2016-11-23 13:12:00+00:00
> > S3: replica
> > last init status: 0 Total update succeeded
> > last init ended: 2016-11-23 12:54:51+00:00
> > last update status: 0 Replica acquired successfully: Incremental update succeeded
> > last update ended: 2016-11-23 13:12:00+00:00
> >
> > # ipa-replica-manage -v S2
> > S1: replica
> > last init status: None
> > last init ended: 1970-01-01 00:00:00+00:00
> > last update status: -1 Incremental update has failed and requires administrator actionLDAP error: Can't contact LDAP server
> > last update ended: 1970-01-01 00:00:00+00:00
> >
> >
> > # ipa-replica-manage -v S3
> > S3: replica
> > last init status: None
> > last init ended: 1970-01-01 00:00:00+00:00
> > last update status: -1 Incremental update has failed and requires administrator actionLDAP error: Can't contact LDAP server
> > last update ended: 1970-01-01 00:00:00+00:00
> >
> >
> > I tried to reinitialize S2 server, however I still get the issue:
> > Command below is run on S2:
> >
> > S2# ipa-replica-manage re-initialize --from S1
> > ipa: INFO: Setting agreement cn=meToS2.skinfra.eu,cn=replica,cn=dc\=a\,dc\=skinfra\,dc\=eu,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
> > ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meToS2,cn=replica,cn=dc\=a\,dc\=skinfra\,dc\=eu,cn=mapping tree,cn=config
> > Update in progress, 2 seconds elapsed
> > Update succeeded
> >
> > On the S2 server, in the /var/log/dirsrv/slapd-REALM/errors log I get
> >
> > [23/Nov/2016:13:54:51 +0100] agmt="cn=meToS1" (S1:389) - Can't locate CSN 583669ee000a000f0000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
> > [23/Nov/2016:13:54:51 +0100] NSMMReplicationPlugin - changelog program - agmt="cn=meToS1" (S1:389): CSN 583669ee000a000f0000 not found, we aren't as up to date, or we purged
> > [23/Nov/2016:13:54:51 +0100] NSMMReplicationPlugin - agmt="cn=meToS1" (S1:389): Data required to update replica has been purged. The replica must be reinitialized.
> > [23/Nov/2016:13:54:51 +0100] NSMMReplicationPlugin - agmt="cn=meToS1" (S1:389): Incremental update failed and requires administrator action
> > ..............
> > [23/Nov/2016:14:18:10 +0100] slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-S2,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
> >
> >
> > I searched on Google but did not find any solution to fix the issue, and I do
> > not want to break everything
> >
> Hi Bertrand,

> Replication applies to 2 different suffixes: the domain suffix (that
> contains users and groups) and o=ipaca that contains the data for the
> Certificate System (see "Explaining Replication Agreements" [1]).

> The entry that is missing (cn=Replication Manager
> cloneAgreement1-S2,ou=csusers,cn=config) corresponds to the replication
> manager entry used for authenticating the replication of the CS
> component (for more information you can read "Replication Identity" [2]
> in Red Hat Directory Server Administration Guide).

> I don't know how the entry disappeared, but I would try the following to
> re-create it:
> - remove the CA replication agreement on S2 to S1 using
> ipa-csreplica-manage disconnect
> - re-create the CA replication agreement on S2 to S1 using
> ipa-csreplica-manage connect

> You need to be sure that S1 is the most up-to-date source of data though.

> Flo.

> [1]
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-topology-old.html#replication-agreements

> [2]
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication.html#Replication_Overview-Replication_Identity

> > Regards
> > Bertrand
> >
> >

Florence,

I managed to get replication working between my 3 servers.
You're right, I had an issue with that entry missing.
And I did what you said in your post.

Afterwards I also had issues with RUV entries that I had to delete.
This post https://www.redhat.com/archives/freeipa-users/2016-January/msg00257.html helped to fix all my replication issues.

Now everything seems to have been working fine for 24 hours!
My FreeIPA infra was really in a terrible shape and without your help I would certainly not have been able to fix all the issues by myself.
So once again thanks a lot.

Hope this thread will help other people.

Brgds
Bertrand
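A worked check for the certmonger problems this thread turns on: Dogtag certificates left untracked on a CA replica, a start-tracking request stuck outside MONITORING because it was given neither a pinfile nor a PIN, a tracked nickname (ipaCert) that is no longer in the NSS database at all, and an expired certificate whose renewal keeps failing with a ca-error. This is an added example, not code from the thread or from FreeIPA/certmonger. It parses text in the shape of the getcert list and certutil -L output quoted above; the sample output, the two database paths used as keys and the reference time NOW are constructed for the example. On a real server you would feed it the output of getcert list and of certutil -L -d <dir> for each NSS database instead of the embedded samples.

```python
"""Audit certmonger tracking against the NSS databases it should cover.
Added example, not code from the thread or from FreeIPA/certmonger; it parses
text shaped like the getcert list / certutil -L output quoted above. All sample
data, paths and the reference time NOW are constructed for the example."""
import re
from datetime import datetime, timezone
NOW = datetime(2016, 11, 23, tzinfo=timezone.utc)  # constructed reference time
# Constructed `getcert list` output (real output indents fields with a tab).
SAMPLE_GETCERT = """\
Request ID '20160108170324':
\tstatus: MONITORING
\tca-error: Server at "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied: Profile caServerCert Not Found
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\texpires: 2016-06-28 15:25:11 UTC
Request ID '20141110133632':
\tstatus: MONITORING
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\texpires: 2018-06-22 22:02:47 UTC
Request ID '20160614000000':
\tstatus: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
\tkey pair storage: type=NSSDB,location='/var/lib/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
"""
# Constructed `certutil -L -d <dir>` output; ipaCert is absent from the first DB.
SAMPLE_CERTUTIL = {
    "/etc/httpd/alias": """\
Certificate Nickname                                         Trust Attributes
A.SKINFRA.EU IPA CA                                          CT,C,C
Server-Cert                                                  u,u,u
""",
    "/var/lib/pki/pki-tomcat/alias": """\
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
""",
}
REQ_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\s+([^:]+):\s*(.*)$")
STORAGE_RE = re.compile(r"(\w+)='([^']*)'")


def parse_getcert_list(text):
    # One dict per tracking request, keyed by the getcert field names.
    requests, cur = [], None
    for line in text.splitlines():
        if m := REQ_RE.match(line):
            cur = {"id": m.group(1)}
            requests.append(cur)
        elif cur is not None and (m := FIELD_RE.match(line)):
            cur[m.group(1).strip()] = m.group(2).strip()
    for r in requests:
        storage = r.get("key pair storage", "")
        fields = dict(STORAGE_RE.findall(storage))
        r["location"], r["nickname"] = fields.get("location"), fields.get("nickname")
        # getcert prints either pinfile='...' or a bare "pin set" for a stored PIN
        r["pinfile"], r["pin_set"] = fields.get("pinfile"), storage.endswith("pin set")
    return requests


def parse_certutil_list(text):
    # Map nickname -> trust flags, skipping certutil's header lines.
    certs = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("Certificate Nickname", "SSL,")):
            parts = re.split(r"\s{2,}", line, maxsplit=1)
            if len(parts) == 2:
                certs[parts[0]] = parts[1]
    return certs


def audit(requests, nss_dbs, now):
    # Return (location, nickname, code) findings; an empty list means all clear.
    findings = []
    for r in requests:
        where = (r["location"], r["nickname"])
        if r.get("status") != "MONITORING":
            findings.append(where + ("not-monitoring",))
        if r.get("ca-error"):
            findings.append(where + ("ca-error",))
        if "expires" in r:
            expiry = datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S UTC")
            if expiry.replace(tzinfo=timezone.utc) <= now:
                findings.append(where + ("expired",))
        if not r["pinfile"] and not r["pin_set"]:
            findings.append(where + ("no-pin",))  # certmonger cannot open the key
        db = nss_dbs.get(r["location"])
        if db is not None and r["nickname"] not in db:
            findings.append(where + ("missing-from-nssdb",))
    tracked = {(r["location"], r["nickname"]) for r in requests}
    for location, certs in nss_dbs.items():
        for nickname, trust in certs.items():
            # 'u' in the SSL trust column means the private key is in this DB, so
            # certmonger should be renewing it (CA certs with CT,C,C are skipped).
            if "u" in trust.split(",")[0] and (location, nickname) not in tracked:
                findings.append((location, nickname, "untracked"))
    return findings


if __name__ == "__main__":
    dbs = {path: parse_certutil_list(out) for path, out in SAMPLE_CERTUTIL.items()}
    for location, nickname, code in audit(parse_getcert_list(SAMPLE_GETCERT), dbs, NOW):
        print(f"{code:20} {nickname!r} in {location}")
```

On the constructed data the audit reports exactly the situations the thread went through: ipaCert expired, carrying a ca-error and absent from /etc/httpd/alias; 'Server-Cert cert-pki-ca' stuck in NEWLY_ADDED_NEED_KEYINFO_READ_PIN with no way to open the key; and the caSigning, subsystem, OCSP and audit certificates present in the Dogtag database but not tracked. The untracked rule keys on the u flag in certutil's SSL trust column, which marks a certificate whose private key lives in that database, so CA certificates are deliberately not reported. A no-pin finding on /var/lib/pki/pki-tomcat/alias is the case Florence answered above: that database has no pwdfile.txt, so start-tracking needs the internal= PIN from the Dogtag password.conf passed with -P, while /etc/httpd/alias takes -p /etc/httpd/alias/pwdfile.txt.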
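A decoder for the CSN in the dirsrv errors-log lines quoted above, as an added example that is not part of the thread or of 389-ds. A 389 Directory Server CSN is 20 hex digits: an 8-digit Unix timestamp, a 4-digit sequence number, the 4-digit replica ID of the server that generated the change and a 4-digit subsequence number, so the CSN that a consumer "can't locate" tells you when and on which replica the missing change was written (the DB rc=-30988 next to it is Berkeley DB's DB_NOTFOUND). The sample line below is constructed from the quoted entry. Decoding it gives 2016-11-24 04:17:50 UTC, later than the line's own 23/Nov/2016 13:54:51 +0100 timestamp; a CSN ahead of the wall clock that logged it is worth noticing on a topology whose clocks were moved around to renew certificates, because the CSN generator never lets CSN time go backwards and carries the resulting offset forward.

```python
"""Decode 389-ds replication CSNs found in dirsrv errors-log lines.
Added example, not code from the thread or from 389-ds. The sample log line is
constructed in the shape of the "Can't locate CSN" entry quoted in the thread."""
import re
from datetime import datetime, timezone

SAMPLE_LOG = (
    "[23/Nov/2016:13:54:51 +0100] agmt=\"cn=meToS1\" (S1:389) - Can't locate "
    "CSN 583669ee000a000f0000 in the changelog (DB rc=-30988). If replication "
    "stops, the consumer may need to be reinitialized."
)
LOG_RE = re.compile(
    r"^\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\].*?\bCSN ([0-9a-fA-F]{20})\b"
)


def decode_csn(csn):
    # CSN layout: timestamp(8 hex) seq(4) replica id(4) subseq(4); time is UTC.
    if not re.fullmatch(r"[0-9a-fA-F]{20}", csn):
        raise ValueError(f"not a CSN: {csn!r}")
    return {
        "time": datetime.fromtimestamp(int(csn[0:8], 16), tz=timezone.utc),
        "seq": int(csn[8:12], 16),
        "replica_id": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }


def parse_log_line(line):
    # Decode the CSN in an errors-log line and compare it with the line's own
    # timestamp; returns None when the line carries no CSN.
    m = LOG_RE.match(line)
    if not m:
        return None
    log_time = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
    info = decode_csn(m.group(2))
    info["csn"], info["log_time"] = m.group(2), log_time
    # Positive skew: the change carries a time later than the clock that logged
    # it, a sign that some clock in the topology ran ahead at some point, since
    # the CSN generator keeps CSN time monotonic.
    info["skew_seconds"] = (info["time"] - log_time).total_seconds()
    return info


if __name__ == "__main__":
    info = parse_log_line(SAMPLE_LOG)
    print(f"CSN {info['csn']}: written {info['time'].isoformat()} by replica "
          f"{info['replica_id']} (seq {info['seq']}), {info['skew_seconds']:.0f}s "
          f"ahead of the log timestamp")
```

For the quoted CSN the decoder yields replica ID 15, sequence 10 and a timestamp 55379 seconds (about 15.4 hours) ahead of the log line. Combined with the "Data required to update replica has been purged" message, that points at the same conclusion Florence reached for the o=ipaca suffix: the consumer's view of S1 is older than S1's changelog retention, so the agreement has to be torn down and rebuilt, or the consumer reinitialized, from the server that holds the most recent data.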