[Freeipa-users] Impossible to renew certificate. pki-tomcat issue

Bertrand Rétif bretif at phosphore.eu
Wed Oct 19 12:09:54 UTC 2016


> From: "Martin Babinsky" <mbabinsk at redhat.com>
> To: freeipa-users at redhat.com
> Sent: Wednesday 19 October 2016 08:45:49
> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

> On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
> > Hello,
> >
> > I had an issue with pki-tomcat.
> > I had several certificates that were expired and pki-tomcat did not start
> > anymore.
> >
> > I set the date on the server before certificate expiration and then
> > pki-tomcat starts properly.
> > Then I try to resubmit the certificate, but I get below error:
> > "Profile caServerCert Not Found"
> >
> > Do you have any idea how I could fix this issue.
> >
> > Please find below output of commands:
> >
> >
> > # getcert resubmit -i 20160108170324
> >
> > # getcert list -i 20160108170324
> > Number of certificates and requests being tracked: 7.
> > Request ID '20160108170324':
> > status: MONITORING
> > ca-error: Server at
> > "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied:
> > Profile caServerCert Not Found
> > stuck: no
> > key pair storage:
> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate:
> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> > Certificate DB'
> > CA: dogtag-ipa-ca-renew-agent
> > issuer: CN=Certificate Authority,O=A.SKINFRA.EU
> > subject: CN=IPA RA,O=A.SKINFRA.EU
> > expires: 2016-06-28 15:25:11 UTC
> > key usage:
> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
> > post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> > track: yes
> > auto-renew: yes
> >
> >
> > Thanks in advance for your help.
> > Bertrand
> >
> >
> >
> >

> Hi Bertrand,

> what version of FreeIPA and Dogtag are you running?

> Also perform the following search on the IPA master and post the result:

> """
> ldapsearch -D "cn=Directory Manager" -W -b
> 'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)'
> """

Hi Martin, 

Thanks for your reply. 

Here is the version:
- FreeIPA 4.2.0
- CentOS 7.2

I have been able to fix the issue with "Profile caServerCert Not Found" by editing /var/lib/pki/pki-tomcat/ca/conf/CS.cfg.
I replaced the entry below
"subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem"
with
"subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem"

and then launched the "ipa-server-upgrade" command.
I found this solution in this post: http://osdir.com/ml/freeipa-users/2016-03/msg00280.html

Then I was able to renew my certificate. 

However, I rebooted my server and pki-tomcat does not start any more; it shows a new error in /var/log/pki/pki-tomcat/ca/debug:

[19/Oct/2016:11:11:52][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca 
[19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$ 
System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification 

java.lang.Exception: SystemCertsVerification: system certs verification failure 
at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198) 
at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861) 
at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797) 
at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1701) 
at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1148) 
at com.netscape.certsrv.apps.CMS.startup(CMS.java:200) 
at com.netscape.certsrv.apps.CMS.start(CMS.java:1602) 
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114) 
at javax.servlet.GenericServlet.init(GenericServlet.java:158) 
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) 
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) 
at java.lang.reflect.Method.invoke(Method.java:606) 
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) 
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) 
at java.security.AccessController.doPrivileged(Native Method) 
at javax.security.auth.Subject.doAsPrivileged(Subject.java:536) 
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) 
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169) 
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123) 
at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272) 
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197) 
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087) 
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210) 
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493) 
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) 
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901) 
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) 
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) 
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) 
at java.security.AccessController.doPrivileged(Native Method) 
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875) 
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632) 
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672) 
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862) 
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) 
at java.util.concurrent.FutureTask.run(FutureTask.java:262) 
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) 
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) 
at java.lang.Thread.run(Thread.java:745) 
[19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details) 
[19/Oct/2016:11:11:52][localhost-startStop-1]: CMSEngine.shutdown() 


I am currently stuck here.
Thanks a lot for your help.

Bertrand
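The thread shows how an expired, certmonger-tracked certificate surfaces in `getcert list`: a `ca-error` from the last renewal attempt and an `expires` date already in the past. The script below is an added example (not code from the thread, FreeIPA or certmonger) that parses `getcert list` output and reports tracked certificates that are expired, expiring within a warning window, stuck, or carrying a `ca-error`, so the condition is caught before pki-tomcat refuses to start. The sample output is constructed in certmonger's format, modelled on the output quoted above; hostnames, realms and the second request are placeholders. Wrapped continuation lines, as produced by mail quoting in the thread, are folded back into the preceding field.

```python
"""Parse `getcert list` output and flag tracked certificates that are expired,
expiring soon, stuck, or carrying a ca-error from the last renewal attempt.
Added example for this thread, not part of it; the sample output below is
constructed in certmonger's format (hostnames and realms are placeholders)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: two tracked requests, modelled on the output in the thread.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20160108170324':
\tstatus: MONITORING
\tca-error: Server at "http://ipa.example.test:8080/ca/ee/ca/profileSubmit" replied: Profile caServerCert Not Found
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=IPA RA,O=EXAMPLE.TEST
\texpires: 2016-06-28 15:25:11 UTC
\tkey usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
\teku: id-kp-serverAuth,id-kp-clientAuth
\tpre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
\tpost-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
\ttrack: yes
\tauto-renew: yes
Request ID '20160108170325':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=CA Audit,O=EXAMPLE.TEST
\texpires: 2017-01-15 10:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")
# Field lines are indented; the key runs up to the first colon.
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?):\s?(.*)$")
TIME_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by certmonger's field names."""
    records, current, last_key = [], None, None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            records.append(current)
            last_key = None
            continue
        if current is None:
            continue  # header line before the first request
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group(1)
            current[last_key] = m.group(2).strip()
        elif last_key and line.strip():
            # Wrapped continuation line (as in mail-quoted output): fold it back.
            current[last_key] += " " + line.strip()
    return records


def parse_utc(value):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' timestamps."""
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def audit_tracked_certs(text, now, warn_days=28):
    """Return (request_id, nickname, kind, detail) tuples needing attention."""
    if isinstance(now, str):
        now = parse_utc(now)
    findings = []
    for rec in parse_getcert_list(text):
        rid = rec["request_id"]
        m = re.search(r"nickname='([^']*)'", rec.get("certificate", ""))
        nick = m.group(1) if m else "?"
        if rec.get("ca-error"):
            findings.append((rid, nick, "ca-error", rec["ca-error"]))
        if rec.get("stuck") == "yes":
            findings.append((rid, nick, "stuck", rec.get("status", "")))
        if rec.get("expires"):
            exp = parse_utc(rec["expires"])
            if exp <= now:
                findings.append((rid, nick, "expired", rec["expires"]))
            elif exp - now <= timedelta(days=warn_days):
                days = (exp - now).days
                findings.append((rid, nick, "expiring", f"{rec['expires']} ({days} days left)"))
    return findings


if __name__ == "__main__":
    # Evaluate the constructed sample at the time the thread was written.
    for finding in audit_tracked_certs(SAMPLE_GETCERT_OUTPUT, "2016-10-19 12:09:54 UTC"):
        print(*finding, sep=" | ")
```

To run it against a live server, replace `SAMPLE_GETCERT_OUTPUT` with the output of `getcert list` (for example `sys.stdin.read()` fed from a pipe) and pass the current UTC time as `now`; a non-empty result from a cron job is the signal to act while the certificates are still valid, which avoids the clock-rollback workaround described in the thread.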




