[Freeipa-users] pki-tomcatd fails to start
Jeff Goddard
jgoddard at emerlyn.com
Fri Jan 6 21:26:53 UTC 2017
I've followed the instructions related to my error here:
http://www.freeipa.org/page/Troubleshooting#PKI_Issues but I still haven't
found a solution.
Jeff
On Fri, Jan 6, 2017 at 4:05 PM, Jeff Goddard <jgoddard at emerlyn.com> wrote:
> Alan,
>
> Thank you so VERY much. That resolved the issue for the CA signing
> certificate. However I'm still seeing
>
> ca-error: Server at "https://id-management-1.internal.emerlyn.com:8443/ca/agent/ca/profileProcess"
> replied: 1: Invalid Credential.
>
> On multiple requests which have expiration dates in the past. Is there
> something else I need to do?
>
> Jeff
>
> On Fri, Jan 6, 2017 at 3:56 PM, Alan Heverley <aheverle at redhat.com> wrote:
>
>> Looks like you need to get the PIN associated to the cert.
>>
>> # grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf
>>
>> Then replace <pin> with the PIN in the command above.
>>
>> # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' -P <pin> -c dogtag-ipa-ca-renew-agent
>>
>> On Fri, Jan 6, 2017 at 3:47 PM, Jeff Goddard <jgoddard at emerlyn.com>
>> wrote:
>>
>>> I think my problem is deeper than that. I was following this guide:
>>> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers
>>> and executed the commands related to having an external CA - which we do
>>> not have. I now get this message for the CA:
>>>
>>> Request ID '20170101055025':
>>> status: NEED_KEY_GEN_PIN
>>> stuck: yes
>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',pin set
>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer:
>>> subject:
>>> expires: unknown
>>> pre-save command:
>>> post-save command:
>>> track: yes
>>> auto-renew: yes
>>>
>>> Is there any way I can recover?
>>>
>>> Jeff
>>>
>>> On Fri, Jan 6, 2017 at 3:43 PM, Rob Crittenden <rcritten at redhat.com>
>>> wrote:
>>>
>>>> Jeff Goddard wrote:
>>>> > I've done this.
>>>> > [root at id-management-1 ipa]# date
>>>> > Sun Jan 1 01:12:27 EST 2017
>>>> >
>>>> > getcert list gives me this as the first entry:
>>>> >
>>>> > Request ID '20150116162120':
>>>> > status: CA_UNREACHABLE
>>>> > ca-error: Server at
>>>> > https://id-management-1.internal.emerlyn.com/ipa/xml failed request,
>>>> > will retry: 4001 (RPC failed at server. ipa: Certificate Authority not
>>>> > found).
>>>> > stuck: no
>>>> > key pair storage:
>>>> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>> > certificate:
>>>> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>> > CA: IPA
>>>> > issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>>> > subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
>>>> > expires: 2017-01-16 16:21:20 UTC
>>>> > key usage:
>>>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>> > eku: id-kp-serverAuth,id-kp-clientAuth
>>>> > pre-save command:
>>>> > post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>> > track: yes
>>>> > auto-renew: yes
>>>> >
>>>> > Restarting certmonger multiple times doesn't help.
>>>>
>>>> Sorry, I missed a step. When you go back in time you first need to
>>>> restart IPA. The CA isn't up.
>>>>
>>>> rob
>>>>
>>>> >
>>>> > Jeff
>>>> >
>>>> > On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden <rcritten at redhat.com>
>>>> > wrote:
>>>> >
>>>> > Jeff Goddard wrote:
>>>> > > Flo,
>>>> > >
>>>> > > I'm not able to access the link you posted. I did find this
>>>> > > thread though
>>>> > > https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html
>>>> > > and have set the time back and resubmitted a request. Still no
>>>> > > success. Any further hints?
>>>> >
>>>> > You need to stop ntpd, go back in time to when the certs are
>>>> > valid and restart the certmonger service.
>>>> >
>>>> > Then use getcert list to monitor things. You really only care
>>>> > about the CA subsystem certs at this point.
>>>> >
>>>> > You may need to restart certmonger more than once to get all the
>>>> certs
>>>> > updated (you can manually call getcert resubmit -i <id> if you'd
>>>> > prefer).
>>>> >
>>>> > Once that is done return to present day, restart ntpd then ipactl
>>>> > restart.
>>>> >
>>>> > rob
>>
>> --
>> Alan Heverley
--
Jeff Goddard
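Rob's advice is to watch `getcert list` while certmonger retries the CA subsystem certs. As an added example, not from anyone in this thread, this shell function reduces that output to the requests still worth looking at: anything stuck, or in any status other than MONITORING. The sample output is constructed from the field layout quoted above, with placeholder hostnames and an invented healthy entry.

```shell
# Added example, not from the thread: filter `getcert list` output down to
# the requests that need attention (stuck, or in any state other than
# MONITORING), printing one line per request.
# Usage: getcert list | getcert_problems
getcert_problems() {
    awk -v q="'" '
        function emit() {
            if (id != "" && (status != "MONITORING" || stuck == "yes"))
                printf "%s status=%s stuck=%s nick=%s\n", id, status, stuck, nick
            id = ""; status = ""; stuck = ""; nick = ""
        }
        # each entry starts with a "Request ID" line carrying the quoted id
        /^Request ID/ { emit(); id = $3; gsub("[" q ":]", "", id); next }
        /^[ \t]*status:/ { status = $2 }
        /^[ \t]*stuck:/  { stuck = $2 }
        # the NSS nickname is quoted inside the "key pair storage:" field
        /^[ \t]*key pair storage:/ {
            nick = $0; sub(".*nickname=" q, "", nick); sub(q ".*", "", nick)
        }
        END { emit() }
    '
}

# Constructed sample modelled on the entries quoted in the thread
# (hostnames and the third, healthy request are placeholders).
sample_getcert_output() {
    cat <<'EOF'
Request ID '20150116162120':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: 4001
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
Request ID '20170101055025':
        status: NEED_KEY_GEN_PIN
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',pin set
        CA: dogtag-ipa-ca-renew-agent
Request ID '20170106000001':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert'
        CA: IPA
EOF
}

# Stand-alone demo: the two problem requests are printed, the healthy one is not.
sample_getcert_output | getcert_problems
```

On a live server, `getcert list | getcert_problems` run after each certmonger restart shows at a glance which requests still need a resubmit.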