[Freeipa-users] pki-tomcatd fails to start
Jeff Goddard
jgoddard at emerlyn.com
Fri Jan 6 21:05:35 UTC 2017
Alan,
Thank you so VERY much. That resolved the issue for the CA signing
certificate. However I'm still seeing
ca-error: Server at "https://id-management-1.internal.emerlyn.com:8443/ca/agent/ca/profileProcess" replied: 1: Invalid Credential.
On multiple requests which have expiration dates in the past. Is there
something else I need to do?
Jeff
On Fri, Jan 6, 2017 at 3:56 PM, Alan Heverley <aheverle at redhat.com> wrote:
> Looks like you need to get the PIN associated to the cert.
>
> # grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf
>
> Then replace <pin> with the PIN in the command above.
>
> # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' -P <pin> -c dogtag-ipa-ca-renew-agent
>
> On Fri, Jan 6, 2017 at 3:47 PM, Jeff Goddard <jgoddard at emerlyn.com> wrote:
>
>> I think my problem is deeper than that. I was following this guide:
>> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers
>> and executed the commands related to having an external CA - which we do
>> not have. I now get this message for the CA:
>>
>> Request ID '20170101055025':
>> status: NEED_KEY_GEN_PIN
>> stuck: yes
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',pin set
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer:
>> subject:
>> expires: unknown
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>>
>> Is there any way I can recover?
>>
>> Jeff
>>
>> On Fri, Jan 6, 2017 at 3:43 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>>> Jeff Goddard wrote:
>>> > I've done this.
>>> > [root at id-management-1 ipa]# date
>>> > Sun Jan 1 01:12:27 EST 2017
>>> >
>>> > getcert list gives me this as the first entry:
>>> >
>>> > Request ID '20150116162120':
>>> > status: CA_UNREACHABLE
>>> > ca-error: Server at https://id-management-1.internal.emerlyn.com/ipa/xml failed request, will retry: 4001 (RPC failed at server. ipa: Certificate Authority not found).
>>> > stuck: no
>>> > key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> > certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>> > CA: IPA
>>> > issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>> > subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
>>> > expires: 2017-01-16 16:21:20 UTC
>>> > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> > eku: id-kp-serverAuth,id-kp-clientAuth
>>> > pre-save command:
>>> > post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>> > track: yes
>>> > auto-renew: yes
>>> >
>>> > Restarting certmonger multiple times doesn't help.
>>>
>>> Sorry, I missed a step. When you go back in time you first need to
>>> restart IPA. The CA isn't up.
>>>
>>> rob
>>>
>>> >
>>> > Jeff
>>> >
>>> > On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>> >
>>> > Jeff Goddard wrote:
>>> > > Flo,
>>> > >
>>> > > I'm not able to access the link you posted. I did find this thread though
>>> > > https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html
>>> > > and have set the time back and resubmitted a request. Still no success.
>>> > > Any further hints?
>>> >
>>> > You need to stop ntpd, go back in time to when the certs are valid and
>>> > restart the certmonger service.
>>> >
>>> > Then use getcert list to monitor things. You really only care about the
>>> > CA subsystem certs at this point.
>>> >
>>> > You may need to restart certmonger more than once to get all the certs
>>> > updated (you can manually call getcert resubmit -i <id> if you'd prefer).
>>> >
>>> > Once that is done return to present day, restart ntpd then ipactl restart.
>>> >
>>> > rob
> --
> Alan Heverley
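The "getcert list" monitoring step Rob describes, as an added example that is not part of any message in this thread: a POSIX shell function that parses getcert list output and reports the requests that are stuck, carry a ca-error, or expire before a supplied timestamp, so the CA subsystem certs needing a renewal pass can be picked out before any clock rollback. The sample output is constructed, modelled on the entries quoted above, and its hostname is a placeholder.

```shell
# Added example (not from the thread): triage `getcert list` output.
# report_cert_requests "YYYY-MM-DD HH:MM:SS" < getcert-list-output
# prints "<request id> <status> <reasons>" for each request that is stuck,
# carries a ca-error, or expires before the given time (timestamps are
# compared as ISO strings, so no date parsing is needed).
report_cert_requests() {
  awk -v now="$1" '
    function flush(    reason) {
      if (id == "") return
      reason = ""
      if (stuck == "yes")                       reason = reason "stuck "
      if (caerr == "yes")                       reason = reason "ca-error "
      if (expires_at != "" && expires_at < now) reason = reason "expired "
      sub(/ $/, "", reason)
      if (reason != "") printf "%s %s %s\n", id, status, reason
      id = ""; status = ""; stuck = ""; caerr = ""; expires_at = ""
    }
    /^Request ID/      { flush(); match($0, /[0-9]+/); id = substr($0, RSTART, RLENGTH); next }
    /^[ \t]*status:/   { status = $2; next }
    /^[ \t]*stuck:/    { stuck = $2; next }
    /^[ \t]*ca-error:/ { caerr = "yes"; next }
    /^[ \t]*expires:/  { expires_at = ($2 == "unknown") ? "" : $2 " " $3; next }
    END                { flush() }
  '
}
# Constructed sample modelled on the entries quoted in the thread
# (hostname is a placeholder; real output indents fields with a tab).
sample_getcert_list() {
  cat <<'EOF'
Request ID '20150116162120':
	status: CA_UNREACHABLE
	ca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: 4001 (RPC failed at server.  ipa: Certificate Authority not found).
	stuck: no
	expires: 2017-01-16 16:21:20 UTC
Request ID '20170101055025':
	status: NEED_KEY_GEN_PIN
	stuck: yes
	expires: unknown
Request ID '20150116162200':
	status: MONITORING
	stuck: no
	expires: 2016-12-30 10:00:00 UTC
Request ID '20150116162300':
	status: MONITORING
	stuck: no
	expires: 2019-01-16 10:00:00 UTC
EOF
}
# Usage: sample_getcert_list | report_cert_requests "2017-01-06 21:05:35"
```

On a live server pipe the real output in instead: getcert list | report_cert_requests "$(date -u '+%Y-%m-%d %H:%M:%S')".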