[Freeipa-users] pki-tomcatd fails to start

Jeff Goddard jgoddard at emerlyn.com
Fri Jan 6 20:07:38 UTC 2017


Flo,

I'm not able to access the link you posted. I did find this thread though
https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html and
have set the time back and resubmitted a request. Still no success. Any
further hints?


On Fri, Jan 6, 2017 at 11:52 AM, Florence Blanc-Renaud <flo at redhat.com>
wrote:

> On 01/06/2017 05:36 PM, Jeff Goddard wrote:
>
>> Thanks Flo,
>>
>> I was able to add the host to the keytab once I found the correct
>> command and then was able to issue
>>
>> [root at id-management-1 pki-tomcat]# ipa-cacert-manage renew
>> Renewing CA certificate, please wait
>> CA certificate successfully renewed
>> The ipa-cacert-manage command was successful
>>
>>
> Hi Jeff,
>
> the "ipa-cacert-manage renew" command renews the CA certificate (the one
> with the alias caSigningCert cert-pki-ca) but not the expired ones. You
> need to follow the instructions linked in my previous e-mail to fix them
> first, basically go back in time by setting the system clock time and let
> certmonger renew them.
>
> HTH,
> Flo.
>
>> But the pki-tomcat still fails to start. From the logs I get:
>>
>> [root at id-management-1 pki-tomcat]# cat localhost.2017-01-06.log  |less
>> Jan 06, 2017 7:23:44 AM org.apache.catalina.core.ApplicationContext log
>> SEVERE: StandardWrapper.Throwable
>> java.lang.NullPointerException
>>         at com.netscape.cmscore.selftests.SelfTestSubsystem.shutdown(SelfTestSubsystem.java:1886)
>>         at com.netscape.cmscore.apps.CMSEngine.shutdownSubsystems(CMSEngine.java:2115)
>>         at com.netscape.cmscore.apps.CMSEngine.shutdown(CMSEngine.java:2010)
>>         at com.netscape.certsrv.apps.CMS.shutdown(CMS.java:233)
>>         at com.netscape.certsrv.apps.CMS.start(CMS.java:1625)
>>         at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>>         at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>         at java.lang.reflect.Method.invoke(Method.java:498)
>>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>>         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
>>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
>>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
>>         at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
>>         at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
>>         at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
>>         at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
>>         at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
>>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>>         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
>>         at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
>>         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>>         at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
>>         at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
>>         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>>         at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>         at java.lang.Thread.run(Thread.java:745)
>>
>> I found this thread:
>> https://www.redhat.com/archives/freeipa-users/2016-February/msg00125.html
>> but I don't have self-test logs from today, only from yesterday. Here
>> are the relevant debug logs from the most recent restart:
>>
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: ============================================
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: =====  DEBUG SUBSYSTEM INITIALIZED   =======
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: ============================================
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: done init id=debug
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initialized debug
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initSubsystem id=log
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: ready to init id=log
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: done init id=log
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initialized log
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: ready to init id=jss
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: done init id=jss
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initialized jss
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: ready to init id=dbs
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem)
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: LdapBoundConnFactory: init
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: LdapAuthInfo: init()
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: LdapAuthInfo: init begins
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: LdapAuthInfo: init ends
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: init: before makeConnection errorIfDown is true
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: makeConnection: errorIfDown true
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: Candidate cert: caSigningCert cert-pki-ca
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: SSL handshake happened
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine.shutdown()
>>
>> Is there something else I should be looking at?
>>
>> Jeff
>>
>>
>>
>> On Fri, Jan 6, 2017 at 11:23 AM, Florence Blanc-Renaud <flo at redhat.com
>> <mailto:flo at redhat.com>> wrote:
>>
>>     On 01/06/2017 04:47 PM, Jeff Goddard wrote:
>>
>>         Sorry for the typo. Here is the correct output:
>>         ldapsearch -h id-management-1.internal.emerlyn.com
>>         SASL/EXTERNAL authentication started
>>         ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>>                 additional info: SASL(-4): no mechanism available:
>>
>>
>>
>>
>>         When I look at the certificates I get errors regarding a host
>>         service in
>>         the keytab. Here is the output:
>>
>>         [root at id-management-1 ca]# getcert list
>>         Number of certificates and requests being tracked: 8.
>>         Request ID '20150116161829':
>>                 status: MONITORING
>>                 ca-error: Error setting up ccache for "host" service on client using default keytab: Keytab contains no suitable keys for host/id-management-1.internal.emerlyn.com at INTERNAL.EMERLYN.COM.
>>                 stuck: no
>>                 key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-INTERNAL-EMERLYN-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-INTERNAL-EMERLYN-COM/pwdfile.txt'
>>                 certificate: type=NSSDB,location='/etc/dirsrv/slapd-INTERNAL-EMERLYN-COM',nickname='Server-Cert',token='NSS Certificate DB'
>>                 CA: IPA
>>                 issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>                 subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
>>                 expires: 2017-01-16 16:18:29 UTC
>>                 key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>                 eku: id-kp-serverAuth,id-kp-clientAuth
>>                 pre-save command:
>>                 post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv INTERNAL-EMERLYN-COM
>>                 track: yes
>>                 auto-renew: yes
>>         Request ID '20150116162120':
>>                 status: MONITORING
>>                 ca-error: Error setting up ccache for "host" service on client using default keytab: Keytab contains no suitable keys for host/id-management-1.internal.emerlyn.com at INTERNAL.EMERLYN.COM.
>>                 stuck: no
>>                 key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>                 certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>                 CA: IPA
>>                 issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>                 subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
>>                 expires: 2017-01-16 16:21:20 UTC
>>                 key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>                 eku: id-kp-serverAuth,id-kp-clientAuth
>>                 pre-save command:
>>                 post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>                 track: yes
>>                 auto-renew: yes
>>         Request ID '20151217174142':
>>                 status: CA_UNREACHABLE
>>                 ca-error: Internal error
>>                 stuck: no
>>                 key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>                 certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>                 CA: dogtag-ipa-ca-renew-agent
>>                 issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>                 subject: CN=CA Audit,O=INTERNAL.EMERLYN.COM
>>                 expires: 2017-01-05 16:18:01 UTC
>>                 key usage: digitalSignature,nonRepudiation
>>                 pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>                 post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>                 track: yes
>>                 auto-renew: yes
>>         Request ID '20151217174143':
>>                 status: CA_UNREACHABLE
>>                 ca-error: Internal error
>>                 stuck: no
>>                 key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>                 certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>                 CA: dogtag-ipa-ca-renew-agent
>>                 issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>                 subject: CN=OCSP Subsystem,O=INTERNAL.EMERLYN.COM
>>                 expires: 2017-01-05 16:17:58 UTC
>>                 key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>                 eku: id-kp-OCSPSigning
>>                 pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>                 post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>                 track: yes
>>                 auto-renew: yes
>>         Request ID '20151217174144':
>>                 status: CA_UNREACHABLE
>>                 ca-error: Internal error
>>                 stuck: no
>>                 key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>                 certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>                 CA: dogtag-ipa-ca-renew-agent
>>                 issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>                 subject: CN=CA Subsystem,O=INTERNAL.EMERLYN.COM
>>                 expires: 2017-01-05 16:17:59 UTC
>>                 key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>                 eku: id-kp-serverAuth,id-kp-clientAuth
>>                 pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>                 post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>                 track: yes
>>                 auto-renew: yes
>>         Request ID '20151217174145':
>>                 status: CA_UNREACHABLE
>>                 ca-error: Internal error
>>                 stuck: no
>>                 key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>                 certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>                 CA: dogtag-ipa-ca-renew-agent
>>                 issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>                 subject: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>                 expires: 2035-01-16 16:17:57 UTC
>>                 key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>                 pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>                 post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>>                 track: yes
>>                 auto-renew: yes
>>         Request ID '20151217174146':
>>                 status: CA_UNREACHABLE
>>                 ca-error: Internal error
>>                 stuck: no
>>                 key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>                 certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>                 CA: dogtag-ipa-ca-renew-agent
>>                 issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>                 subject: CN=IPA RA,O=INTERNAL.EMERLYN.COM
>>                 expires: 2017-01-05 16:18:23 UTC
>>                 key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>                 eku: id-kp-serverAuth,id-kp-clientAuth
>>                 pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
>>                 post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>                 track: yes
>>                 auto-renew: yes
>>         Request ID '20151217174147':
>>                 status: CA_UNREACHABLE
>>                 ca-error: Error 60 connecting to https://id-management-1.internal.emerlyn.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
>>                 stuck: no
>>                 key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>                 certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>                 CA: dogtag-ipa-renew-agent
>>                 issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>                 subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
>>                 expires: 2017-01-05 16:17:59 UTC
>>                 key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>                 eku: id-kp-serverAuth
>>                 pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>                 post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>>                 track: yes
>>                 auto-renew: yes
>>
>>         Looking at the content of /etc/krb5.keytab results in no host
>>         entry found:
>>
>>         ktutil
>>         ktutil:  read_kt /etc/krb5.keytab
>>         ktutil:  list
>>         slot KVNO Principal
>>         ---- ---- ---------------------------------------------------------------------
>>            1    1 cifs/shares-01.internal.emerlyn.com at INTERNAL.EMERLYN.COM
>>            2    1 cifs/shares-01.internal.emerlyn.com at INTERNAL.EMERLYN.COM
>>            3    1 cifs/shares-01.internal.emerlyn.com at INTERNAL.EMERLYN.COM
>>            4    1 cifs/shares-01.internal.emerlyn.com at INTERNAL.EMERLYN.COM
>>            5    1 cifs/files-01.internal.emerlyn.com at INTERNAL.EMERLYN.COM
>>            6    1 cifs/files-01.internal.emerlyn.com at INTERNAL.EMERLYN.COM
>>            7    1 cifs/files-01.internal.emerlyn.com at INTERNAL.EMERLYN.COM
>>            8    1 cifs/files-01.internal.emerlyn.com at INTERNAL.EMERLYN.COM
>>            9    2 host/files-01.internal.emerlyn.com at INTERNAL.EMERLYN.COM
>>           10    2 host/files-01.internal.emerlyn.com at INTERNAL.EMERLYN.COM
>>           11    2 host/files-01.internal.emerlyn.com at INTERNAL.EMERLYN.COM
>>           12    2 host/files-01.internal.emerlyn.com at INTERNAL.EMERLYN.COM
>>
>>
>>         Trying to add a host entry:
>>         kadmin -q "ktadd -k /etc/krb5.keytab host/id-management-1.internal.emerlyn.com"
>>         Authenticating as principal admin/admin at INTERNAL.EMERLYN.COM with password.
>>         kadmin: Client 'admin/admin at INTERNAL.EMERLYN.COM' not found in Kerberos database while initializing kadmin interface
>>
>>         Yet if I issue kinit admin I get a password prompt and appear to
>>         get a
>>         ticket. What am I missing?
>>
>>
>>
>>
>>
>>         On Fri, Jan 6, 2017 at 10:19 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>>             Jeff Goddard wrote:
>>             > My environment is freeipa 4.4; centos 7.3. This system was upgraded as
>>             > of yesterday afternoon. I'm unable to start pki-tomcat. The debug log
>>             > shows this entry:
>>             >
>>             > Internal Database Error encountered: Could not connect to LDAP server
>>             > host id-management-1.internal.emerlyn.com port 636 Error
>>             > netscape.ldap.LDAPException: Authentication failed (48)
>>             >         at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
>>             >         at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
>>             >         at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
>>             >         at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
>>             >         at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>>             >         at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
>>             >         at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>>             >         at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>>             >         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>             >         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>             >         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>             >         at java.lang.reflect.Method.invoke(Method.java:498)
>>             >         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>>             >         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>>             >         at java.security.AccessController.doPrivileged(Native Method)
>>             >         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>>             >         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
>>             >         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
>>             >         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
>>             >         at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
>>             >         at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
>>             >         at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
>>             >         at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
>>             >         at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
>>             >         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>>             >         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
>>             >         at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>>             >         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>>             >         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>>             >         at java.security.AccessController.doPrivileged(Native Method)
>>             >         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
>>             >         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>>             >         at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
>>             >         at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
>>             >         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>>             >         at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>             >         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>             >         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>             >         at java.lang.Thread.run(Thread.java:745)
>>             >
>>             >
>>             > I'm able to get a kerberos ticket using kinit but ldap search
>>             > gives this error:
>>             >
>>             >  ldapsearch -h id-manaement-1.internal.emerlyn.com -x -b
>>             > "cn=CAcert,cn=ipa,cn=etc,dc=internal,dc=emerlyn,dc=com"
>>             > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>             >
>>             > adding the -d1 debugging tag results in:
>>             >
>>             > ldap_create
>>             > ldap_url_parse_ext(ldap://id-manaement-1.internal.emerlyn.com)
>>             > ldap_sasl_bind
>>             > ldap_send_initial_request
>>             > ldap_new_connection 1 1 0
>>             > ldap_int_open_connection
>>             > ldap_connect_to_host: TCP id-manaement-1.internal.emerlyn.com:389
>>             > ldap_connect_to_host: getaddrinfo failed: Name or service not known
>>             > ldap_err2string
>>             > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>             >
>>             > I'm able to resolve the hostname via nslookup and /etc/hosts has the
>>             > correct mapping entry.
>>             >
>>             > I'm kind of lost at this point and could use some help.
>>             >
>>             > Thanks in advance.
>>
>>             You have a typo in the hostname you're trying to connect to,
>>             missing the 'g' in management.
>>
>>             I have a vague memory from other reports of this issue that
>>             the problem may be that the value of the certificate(s) in CS.cfg
>>             is different from the dogtag NSS database. I'd see if those line up.
>>
>>             rob
>>
>>
>>
>>
>>         --
>>         Jeff
>>
>>
>>
>>     Hi Jeff,
>>
>>     according to the output of getcert list, many certificates expired
>>     just yesterday (auditSigningCert cert-pki-ca, ocspSigningCert
>>     cert-pki-ca, subsystemCert cert-pki-ca, Server-Cert cert-pki-ca in
>>     the PKI NSS DB and ipaCert in /etc/httpd/alias).
>>
>>     You can refer to this page:
>>     https://access.redhat.com/solutions/643753
>>     <https://access.redhat.com/solutions/643753>
>>     to fix the issue.
>>
>>     It is likely that dogtag cannot authenticate to LDAP because its
>>     certificate is expired, and hence refuses to start. IMHO the upgrade
>>     is just an unlucky coincidence (happening the same day as cert
>>     expiration) but not the root cause.
>>
>>     HTH,
>>     Flo.


-- 
Jeff
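Rob's suggestion above (check that the certificate values stored in CS.cfg line up with what is actually in the dogtag NSS database) can be scripted rather than eyeballed. The block below is an added example written for this thread; it is not code from the list, from FreeIPA or from Dogtag. It assumes the Dogtag CS.cfg convention in which each subsystem certificate is stored as `<prefix>.cert=<base64 DER>` next to `<prefix>.nickname=<NSS nickname>` (verify the prefixes against your own CS.cfg), uses `certutil -L -d <db> -n <nickname> -a` to export the NSS side as PEM, and compares SHA-256 fingerprints of the decoded DER. The sample CS.cfg and NSS entries at the bottom are constructed placeholders, not real certificates; one nickname is deliberately made to disagree so the mismatch path is exercised.

```python
import base64
import hashlib
import re
import subprocess

# Assumed Dogtag CS.cfg prefixes (check your file): "<prefix>.cert" holds the
# base64 DER, "<prefix>.nickname" the nickname used in the NSS database.
CERT_PREFIXES = [
    "ca.signing",
    "ca.ocsp_signing",
    "ca.audit_signing",
    "ca.subsystem",
    "ca.sslserver",
]


def parse_cs_cfg(text):
    """Parse CS.cfg key=value lines into a dict; blank and comment lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def pem_to_der(data):
    """Decode a PEM certificate (or bare base64, as CS.cfg stores it) to DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", data)
    return base64.b64decode("".join(body.split()))


def fingerprint(der):
    """SHA-256 fingerprint of DER bytes, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def nss_cert_pem(db_dir, nickname):
    """Export one certificate from an NSS database as PEM by running certutil."""
    out = subprocess.run(
        ["certutil", "-L", "-d", db_dir, "-n", nickname, "-a"],
        check=True, capture_output=True, text=True,
    )
    return out.stdout


def compare_certs(cfg, nss_certs):
    """For each configured prefix, return {nickname: (cfg_fp, nss_fp, match)}.

    nss_certs maps nickname -> PEM text, e.g. built with nss_cert_pem().
    A missing NSS entry yields nss_fp None and match False.
    """
    results = {}
    for prefix in CERT_PREFIXES:
        nick = cfg.get(prefix + ".nickname")
        cfg_b64 = cfg.get(prefix + ".cert")
        if nick is None or cfg_b64 is None:
            continue
        cfg_fp = fingerprint(pem_to_der(cfg_b64))
        pem = nss_certs.get(nick)
        nss_fp = fingerprint(pem_to_der(pem)) if pem else None
        results[nick] = (cfg_fp, nss_fp, cfg_fp == nss_fp)
    return results


# --- constructed sample data (placeholder bytes, not real certificates) ---

def _fake_cert(label):
    return ("constructed-der-" + label).encode()


def _pem(der):
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")


SAMPLE_CS_CFG = """\
ca.audit_signing.nickname=auditSigningCert cert-pki-ca
ca.audit_signing.cert={audit}
ca.subsystem.nickname=subsystemCert cert-pki-ca
ca.subsystem.cert={subsystem}
""".format(audit=base64.b64encode(_fake_cert("audit-old")).decode(),
           subsystem=base64.b64encode(_fake_cert("subsystem")).decode())

# Audit cert was "renewed" in the NSS DB but CS.cfg still carries the old value.
SAMPLE_NSS_DB = {
    "auditSigningCert cert-pki-ca": _pem(_fake_cert("audit-renewed")),
    "subsystemCert cert-pki-ca": _pem(_fake_cert("subsystem")),
}


def check_sample():
    return compare_certs(parse_cs_cfg(SAMPLE_CS_CFG), SAMPLE_NSS_DB)


if __name__ == "__main__":
    for nick, (cfg_fp, nss_fp, ok) in check_sample().items():
        print("OK      " if ok else "MISMATCH", nick)
```

On a real server, replace `SAMPLE_CS_CFG` with the contents of the CA's CS.cfg and build the NSS mapping with `nss_cert_pem(<alias dir>, nickname)` for each nickname; a MISMATCH line is the condition Rob describes, where the cert certmonger renewed in the NSS DB was never written back to CS.cfg.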