[Freeipa-users] Impossible to renew certificate. pki-tomcat issue

Rob Crittenden rcritten at redhat.com
Wed Oct 19 13:30:14 UTC 2016


Bertrand Rétif wrote:
>> From: "Martin Babinsky" <mbabinsk at redhat.com>
>> To: freeipa-users at redhat.com
>> Sent: Wednesday 19 October 2016 08:45:49
>> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
>
>> On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
>>> Hello,
>>>
>>> I had an issue with pki-tomcat.
>>> I had several certificates that were expired and pki-tomcat did not start
>>> anymore.
>>>
>>> I set the date on the server to before the certificate expiration and then
>>> pki-tomcat started properly.
>>> Then I tried to resubmit the certificate, but I got the error below:
>>> "Profile caServerCert Not Found"
>>>
>>> Do you have any idea how I could fix this issue?
>>>
>>> Please find below output of commands:
>>>
>>>
>>> # getcert resubmit -i 20160108170324
>>>
>>> # getcert list -i 20160108170324
>>> Number of certificates and requests being tracked: 7.
>>> Request ID '20160108170324':
>>> status: MONITORING
>>> ca-error: Server at
>>> "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied:
>>> Profile caServerCert Not Found
>>> stuck: no
>>> key pair storage:
>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> certificate:
>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>>> Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=A.SKINFRA.EU
>>> subject: CN=IPA RA,O=A.SKINFRA.EU
>>> expires: 2016-06-28 15:25:11 UTC
>>> key usage:
>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>> track: yes
>>> auto-renew: yes
>>>
>>>
>>> Thanks in advance for your help.
>>> Bertrand
>>>
>>>
>>>
>>>
>
>> Hi Bertrand,
>
>> what version of FreeIPA and Dogtag are you running?
>
>> Also perform the following search on the IPA master and post the result:
>
>> """
>> ldapsearch -D "cn=Directory Manager" -W -b
>> 'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)'
>> """
>
> Hi Martin,
>
> Thanks for your reply.
>
> Here is version:
> - FreeIPA 4.2.0
> - Centos 7.2
>
> I have been able to fix the issue with "Profile caServerCert Not Found" by editing /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
> I replaced the entry below
> "subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem"
> with
> "subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem"
>
> and then ran the "ipa-server-upgrade" command.
> I found this solution in this post: http://osdir.com/ml/freeipa-users/2016-03/msg00280.html
>
> Then I was able to renew my certificate.
>
> However, I rebooted my server too and pki-tomcat does not start and gives a new error in /var/log/pki/pki-tomcat/ca/debug
>
> [19/Oct/2016:11:11:52][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca
> [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification
>
> java.lang.Exception: SystemCertsVerification: system certs verification failure
> at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198)
> at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861)
> at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797)
> at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1701)
> at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1148)
> at com.netscape.certsrv.apps.CMS.startup(CMS.java:200)
> at com.netscape.certsrv.apps.CMS.start(CMS.java:1602)
> at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
> at javax.servlet.GenericServlet.init(GenericServlet.java:158)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:606)
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
> at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
> at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
> at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
> at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
> at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
> at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
> at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
> at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
> at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
> at java.security.AccessController.doPrivileged(Native Method)
> at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
> at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
> at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
> at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
> at java.util.concurrent.FutureTask.run(FutureTask.java:262)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> at java.lang.Thread.run(Thread.java:745)
> [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)
> [19/Oct/2016:11:11:52][localhost-startStop-1]: CMSEngine.shutdown()
>
>
> I am currently stuck here.
> Thanks a lot for your help.

I'm guessing at least one of the CA subsystem certificates is still 
expired. Look at the "getcert list" output to see if there are any 
expired certificates.

rob

>
> Bertrand
>
>
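The check Rob suggests, going through the full `getcert list` output for anything already expired, as an added example that is not part of the thread and not FreeIPA's or certmonger's own tooling. The sample output below is constructed: only the first request ID and the `ipaCert` entry resemble the one from the thread; the two CA subsystem entries, their nicknames, the `/etc/pki/pki-tomcat/alias` location and the `ipa.example.test` host are assumed for illustration. The comparison is made as a plain string comparison in getcert's own `YYYY-MM-DD HH:MM:SS UTC` format, so the reference time must be given in that format.

```sh
#!/bin/sh
# Added example (not from the thread): list certmonger-tracked certificates
# that are already expired, by parsing `getcert list` output.

# Constructed stand-in for `getcert list` output. Nicknames, locations and
# the second and third request IDs are assumed, not taken from the thread.
sample_getcert_output() {
cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20160108170324':
    status: MONITORING
    ca-error: Server at "http://ipa.example.test:8080/ca/ee/ca/profileSubmit" replied: Profile caServerCert Not Found
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=IPA RA,O=EXAMPLE.TEST
    expires: 2016-06-28 15:25:11 UTC
Request ID '20160108170325':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=CA Audit,O=EXAMPLE.TEST
    expires: 2017-12-28 15:25:11 UTC
Request ID '20160108170326':
    status: CA_UNREACHABLE
    stuck: yes
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=OCSP Subsystem,O=EXAMPLE.TEST
    expires: 2016-06-28 15:25:11 UTC
EOF
}

# expired_certs NOW
# Reads `getcert list` output on stdin and prints one line per request whose
# "expires:" timestamp is at or before NOW. NOW must use getcert's own format,
# "YYYY-MM-DD HH:MM:SS UTC", so that plain string comparison orders correctly.
# Output: "<request id> <nickname> expires=<timestamp> stuck=<yes|no>".
expired_certs() {
    awk -v now="$1" -v q="'" '
        /^Request ID/ {
            id = $3; gsub(/[^0-9]/, "", id)   # drop the quotes and trailing colon
            nick = "?"; stuck = "?"
        }
        /^[ \t]*certificate:/ {
            # the nickname sits inside single quotes; q carries the quote character
            if (match($0, "nickname=" q "[^" q "]*" q))
                nick = substr($0, RSTART + 10, RLENGTH - 11)
        }
        /^[ \t]*stuck:/ { stuck = $2 }
        /^[ \t]*expires:/ {
            expires = $2 " " $3 " " $4
            if (expires <= now)
                printf "%s %s expires=%s stuck=%s\n", id, nick, expires, stuck
        }'
}

# count_expired NOW : number of expired tracked certificates in the sample data
count_expired() {
    sample_getcert_output | expired_certs "$1" | wc -l | tr -d ' '
}

# Stand-alone demo against the constructed sample, evaluated at the timestamp
# of the failed startup quoted in the thread. On a real IPA master feed the
# live command and the live clock instead:
#   getcert list | expired_certs "$(date -u '+%Y-%m-%d %H:%M:%S UTC')"
sample_getcert_output | expired_certs "2016-10-19 11:11:52 UTC"
```

Run it with the clock the server actually has after the reboot, not the date that was wound back by hand: Dogtag's startup self-test (the `SystemCertsVerification` failure in the debug log above) validates the CA system certificates against the current system time, so any entry this prints for the `pki-tomcat` NSS database is a candidate for the certificate that is keeping the CA down. A `stuck: yes` or a non-empty `ca-error:` on the same entry tells you why certmonger has not renewed it on its own.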



