[Freeipa-users] pki-tomcatd fails to start

Alan Heverley aheverle at redhat.com
Fri Jan 6 20:56:57 UTC 2017


Looks like you need to get the PIN associated to the cert.

 # grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf

Then replace <pin> with the PIN in the command above.

 # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' -P <pin> -c dogtag-ipa-ca-renew-agent

On Fri, Jan 6, 2017 at 3:47 PM, Jeff Goddard <jgoddard at emerlyn.com> wrote:

> I think my problem is deeper than that. I was following this guide:
> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers and executed the commands
> related to having an external CA - which we do not have. I now get this
> message for the CA:
>
> Request ID '20170101055025':
>         status: NEED_KEY_GEN_PIN
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer:
>         subject:
>         expires: unknown
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
>
> Is there any way I can recover?
>
> Jeff
>
> On Fri, Jan 6, 2017 at 3:43 PM, Rob Crittenden <rcritten at redhat.com>
> wrote:
>
>> Jeff Goddard wrote:
>> > I've done this.
>> > [root at id-management-1 ipa]# date
>> > Sun Jan  1 01:12:27 EST 2017
>> >
>> >  getcert list give me this as the first entry:
>> >
>> > Request ID '20150116162120':
>> >         status: CA_UNREACHABLE
>> >         ca-error: Server at
>> > https://id-management-1.internal.emerlyn.com/ipa/xml failed request,
>> > will retry: 4001 (RPC failed at server.  ipa: Certificate Authority not
>> > found).
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> >         CA: IPA
>> >         issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>> >         subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
>> >         expires: 2017-01-16 16:21:20 UTC
>> >         key usage:
>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> >         eku: id-kp-serverAuth,id-kp-clientAuth
>> >         pre-save command:
>> >         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>> >         track: yes
>> >         auto-renew: yes
>> >
>> > Restarting certmonger multiple times doesn't help.
>>
>> Sorry, I missed a step. When you go back in time you first need to
>> restart IPA. The CA isn't up.
>>
>> rob
>>
>> >
>> > Jeff
>> > On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>> >
>> >     Jeff Goddard wrote:
>> >     > Flo,
>> >     >
>> >     > I'm not able to access the link you posted. I did find this thread
>> >     > though
>> >     >
>> >     https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html
>> >     > and have set the time back and resubmitted a request. Still no
>> >     success.
>> >     > Any further hints?
>> >
>> >     You need to stop ntpd, go back in time to when the certs are valid
>> and
>> >     restart the certmonger service.
>> >
>> >     Then use getcert list to monitor things. You really only care about
>> the
>> >     CA subsystem certs at this point.
>> >
>> >     You may need to restart certmonger more than once to get all the
>> certs
>> >     updated (you can manually call getcert resubmit -i <id> if you'd
>> >     prefer).
>> >
>> >     Once that is done return to present day, restart ntpd then ipactl
>> >     restart.
>> >
>> >     rob



-- 
Alan Heverley
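As an added example (not part of the thread, nor FreeIPA's own tooling), the two manual steps above folded into a small POSIX shell script: it reads the `internal=` entry from Dogtag's password.conf, checks with `certutil -K` that the PIN really opens the pki-tomcat NSS database (a wrong PIN would just leave the request stuck in NEED_KEY_GEN_PIN again), and only then re-tracks the CA signing cert with the same `getcert start-tracking` invocation as in the reply. The file paths and the nickname are the ones quoted in the thread; the function names and the `--run` guard are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Paths/nickname are those quoted above.
PASSWORD_CONF=${PASSWORD_CONF:-/var/lib/pki/pki-tomcat/conf/password.conf}
NSSDB_DIR=${NSSDB_DIR:-/etc/pki/pki-tomcat/alias}
NICKNAME='caSigningCert cert-pki-ca'   # note the space: must stay quoted

# Print the value of the "internal=" line in a Dogtag password.conf.
# Anchored at line start so "internaldb=" is not mistaken for it.
# Prints nothing and returns 1 when the key is absent or empty.
extract_internal_pin() {
    pin=$(sed -n 's/^internal=//p' "$1" | head -n 1)
    [ -n "$pin" ] || return 1
    printf '%s\n' "$pin"
}

# Verify the PIN against the NSS DB by listing its private keys.
# certutil reads the password from a file (-f); mktemp creates it 0600.
# Returns certutil's exit status (non-zero = PIN rejected).
verify_pin() {
    pwfile=$(mktemp) || return 1
    printf '%s' "$2" > "$pwfile"
    certutil -K -d "$1" -f "$pwfile" >/dev/null 2>&1
    rc=$?
    rm -f "$pwfile"
    return $rc
}

# Re-track the CA signing cert exactly as the reply describes.
# -P stores the PIN inside certmonger's request (the "pin set" seen in
# getcert list), so nothing else needs to persist on disk.
retrack_ca_signing_cert() {
    pin=$(extract_internal_pin "$PASSWORD_CONF") || {
        echo "no internal= entry in $PASSWORD_CONF" >&2; return 1; }
    verify_pin "$NSSDB_DIR" "$pin" || {
        echo "PIN from password.conf does not open $NSSDB_DIR" >&2; return 1; }
    getcert start-tracking -d "$NSSDB_DIR" -n "$NICKNAME" \
        -P "$pin" -c dogtag-ipa-ca-renew-agent
}

# Only touch certmonger when explicitly asked, e.g.: sh retrack.sh --run
if [ "${1:-}" = "--run" ]; then
    retrack_ca_signing_cert
fi
```

Run it as root on the CA server; afterwards `getcert list -n 'caSigningCert cert-pki-ca'` should no longer report `stuck: yes`.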