[Freeipa-users] Impossible to renew certificate. pki-tomcat issue

Bertrand Rétif bretif at phosphore.eu
Wed Oct 19 18:18:10 UTC 2016 

De: "Bertrand Rétif" <bretif at phosphore.eu> 

> À: freeipa-users at redhat.com
> Envoyé: Mercredi 19 Octobre 2016 15:42:07
> Objet: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

> ----- Mail original -----

> > De: "Rob Crittenden" <rcritten at redhat.com>
> 
> > À: "Bertrand Rétif" <bretif at phosphore.eu>, freeipa-users at redhat.com
> 
> > Envoyé: Mercredi 19 Octobre 2016 15:30:14
> 
> > Objet: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat
> > issue
> 

> > Bertrand Rétif wrote:
> 
> > >> De: "Martin Babinsky" <mbabinsk at redhat.com>
> 
> > >> À: freeipa-users at redhat.com
> 
> > >> Envoyé: Mercredi 19 Octobre 2016 08:45:49
> 
> > >> Objet: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat
> > >> issue
> 
> > >
> 
> > >> On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
> 
> > >>> Hello,
> 
> > >>>
> 
> > >>> I had an issue with pki-tomcat.
> 
> > >>> I had serveral certificate that was expired and pki-tomcat did not
> > >>> start
> 
> > >>> anymore.
> 
> > >>>
> 
> > >>> I set the dateon the server before certificate expiration and then
> 
> > >>> pki-tomcat starts properly.
> 
> > >>> Then I try to resubmit the certificate, but I get below error:
> 
> > >>> "Profile caServerCert Not Found"
> 
> > >>>
> 
> > >>> Do you have any idea how I could fix this issue.
> 
> > >>>
> 
> > >>> Please find below output of commands:
> 
> > >>>
> 
> > >>>
> 
> > >>> # getcert resubmit -i 20160108170324
> 
> > >>>
> 
> > >>> # getcert list -i 20160108170324
> 
> > >>> Number of certificates and requests being tracked: 7.
> 
> > >>> Request ID '20160108170324':
> 
> > >>> status: MONITORING
> 
> > >>> ca-error: Server at
> 
> > >>> "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied:
> 
> > >>> Profile caServerCert Not Found
> 
> > >>> stuck: no
> 
> > >>> key pair storage:
> 
> > >>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> 
> > >>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> 
> > >>> certificate:
> 
> > >>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> 
> > >>> Certificate DB'
> 
> > >>> CA: dogtag-ipa-ca-renew-agent
> 
> > >>> issuer: CN=Certificate Authority,O=A.SKINFRA.EU
> 
> > >>> subject: CN=IPA RA,O=A.SKINFRA.EU
> 
> > >>> expires: 2016-06-28 15:25:11 UTC
> 
> > >>> key usage:
> 
> > >>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> 
> > >>> eku: id-kp-serverAuth,id-kp-clientAuth
> 
> > >>> pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
> 
> > >>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> 
> > >>> track: yes
> 
> > >>> auto-renew: yes
> 
> > >>>
> 
> > >>>
> 
> > >>> Thanksby advance for your help.
> 
> > >>> Bertrand
> 
> > >>>
> 
> > >>>
> 
> > >>>
> 
> > >>>
> 
> > >
> 
> > >> Hi Betrand,
> 
> > >
> 
> > >> what version of FreeIPA and Dogtag are you running?
> 
> > >
> 
> > >> Also perform the following search on the IPA master and post the result:
> 
> > >
> 
> > >> """
> 
> > >> ldapsearch -D "cn=Directory Manager" -W -b
> 
> > >> 'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)'
> 
> > >> """
> 
> > >
> 
> > > Hi Martin,
> 
> > >
> 
> > > Thanks for your reply.
> 
> > >
> 
> > > Here is version:
> 
> > > - FreeIPA 4.2.0
> 
> > > - Centos 7.2
> 
> > >
> 
> > > I have been able to fix the issue with "Profile caServerCert Not Found"
> > > by
> > > editing /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
> 
> > > I replace below entry
> 
> > > "subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem"
> 
> > > by
> 
> > > "subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem"
> 
> > >
> 
> > > and then launch "ipa-server-upgrade" command
> 
> > > I found this solution in this post:
> > > http://osdir.com/ml/freeipa-users/2016-03/msg00280.html
> 
> > >
> 
> > > Then I was able to renew my certificate.
> 
> > >
> 
> > > However I reboot my server to and pki-tomcat do not start and provide
> > > with
> > > a new erreor in /var/log/pki/pki-tomcat/ca/debug
> 
> > >
> 
> > > [19/Oct/2016:11:11:52][localhost-startStop-1]: CertUtils:
> > > verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca
> 
> > > [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory:
> > > create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$
> 
> > > System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC
> > > certificate verification
> 
> > >
> 
> > > java.lang.Exception: SystemCertsVerification: system certs verification
> > > failure
> 
> > > at
> > > com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198)
> 
> > > at
> > > com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861)
> 
> > > at
> > > com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797)
> 
> > > at
> > > com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1701)
> 
> > > at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1148)
> 
> > > at com.netscape.certsrv.apps.CMS.startup(CMS.java:200)
> 
> > > at com.netscape.certsrv.apps.CMS.start(CMS.java:1602)
> 
> > > at
> > > com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
> 
> > > at javax.servlet.GenericServlet.init(GenericServlet.java:158)
> 
> > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 
> > > at
> > > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> 
> > > at
> > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> 
> > > at java.lang.reflect.Method.invoke(Method.java:606)
> 
> > > at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
> 
> > > at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
> 
> > > at java.security.AccessController.doPrivileged(Native Method)
> 
> > > at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
> 
> > > at
> > > org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
> 
> > > at
> > > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
> 
> > > at
> > > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
> 
> > > at
> > > org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
> 
> > > at
> > > org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
> 
> > > at
> > > org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
> 
> > > at
> > > org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
> 
> > > at
> > > org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
> 
> > > at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> 
> > > at
> > > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
> 
> > > at
> > > org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
> 
> > > at
> > > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
> 
> > > at
> > > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
> 
> > > at java.security.AccessController.doPrivileged(Native Method)
> 
> > > at
> > > org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
> 
> > > at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
> 
> > > at
> > > org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
> 
> > > at
> > > org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
> 
> > > at
> > > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
> 
> > > at java.util.concurrent.FutureTask.run(FutureTask.java:262)
> 
> > > at
> > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> 
> > > at
> > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> 
> > > at java.lang.Thread.run(Thread.java:745)
> 
> > > [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory:
> > > create()
> > > message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure]
> > > self tests execution (see selftests.log for details)
> 
> > > [19/Oct/2016:11:11:52][localhost-startStop-1]: CMSEngine.shutdown()
> 
> > >
> 
> > >
> 
> > > I am currently stuck here.
> 
> > > Thanks a lot for your help.
> 

> > I'm guessing at least one of the CA subsystem certificates are still
> 
> > expired. Look at the "getcert list" output to see if there are any
> 
> > expired certificates.
> 

> > rob
> 

> > >
> 
> > > Bertrand
> 
> > >
> 
> > >
> 

> Hello Rob,

> I check on my 2 servers and no certificate is expired

> [root at sdkipa03 ~]# getcert list |grep expire
> expires: 2018-06-22 22:02:26 UTC
> expires: 2018-06-22 22:02:47 UTC
> expires: 2034-07-09 15:24:34 UTC
> expires: 2016-10-30 13:35:29 UTC

> [root at sdkipa01 conf]# getcert list |grep expire
> expires: 2018-06-12 23:38:01 UTC
> expires: 2018-06-12 23:37:41 UTC
> expires: 2018-06-11 22:53:57 UTC
> expires: 2018-06-11 22:55:50 UTC
> expires: 2018-06-11 22:57:47 UTC
> expires: 2034-07-09 15:24:34 UTC
> expires: 2018-06-11 22:59:55 UTC

> I see that one certificate is in status: CA_UNREACHABLE, maybe I reboot to
> soon my server...

> I continue to investigate

> Thanks for your help.
> Bertrand

I fix my previous issue. 
Now I have an issue with a server. 
This server can not start pki-tomcatd, I get this error in debug file: 
"Error netscape.ldap.LDAPExceptio n: IO Error creating JSS SSL Socket (-1)" 

After investigation i see that I do not have "ipaCert" certificat in "/etc/httpd/alias" 
cf below command: 

[root at sdkipa03 ~]# getcert list -d /etc/httpd/alias 
Number of certificates and requests being tracked: 4. 
Request ID '20141110133632': 
status: MONITORING 
stuck: no 
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' 
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' 
CA: IPA 
issuer: CN=Certificate Authority,O=A.SKINFRA.EU 
subject: CN=sdkipa03.skinfra.eu,O=A.SKINFRA.EU 
expires: 2018-06-22 22:02:47 UTC 
principal name: HTTP/sdkipa03.skinfra.eu at A.SKINFRA.EU 
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment 
eku: id-kp-serverAuth,id-kp-clientAuth 
pre-save command: 
post-save command: /usr/lib64/ipa/certmonger/restart_httpd 
track: yes 
auto-renew: yes 

How can I add the certificate to /etc/httpd/alias? 

Thanks fo ryour support. 
Regards 
Bertrand 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20161019/27f99144/attachment.htm>

More information about the Freeipa-users mailing list