[Freeipa-users] pki-tomcatd fails to start

Alan Heverley aheverle at redhat.com
Fri Jan 6 21:31:22 UTC 2017


First we have to query the NSS database to get the current ipaCert
certificate for the ipara user and store it into a file:
# cd /tmp
# certutil -a -d /etc/httpd/alias/ -n ipaCert -L | sed '/^-.*/d' | tr -d '\r\n' > ipaCert.cert


Then we need to replace the userCertificate attribute with the content of
ipaCert.cert:

# ldapmodify -h localhost -D "cn=Directory Manager" -W
dn: uid=ipara,ou=people,o=ipaca
changetype: modify
replace: userCertificate
userCertificate:: <please paste here the content of ipaCert.cert>


Next we modify the description attribute of the same entry.

# ldapmodify -h localhost -D "cn=Directory Manager" -W
dn: uid=ipara,ou=people,o=ipaca
changetype: modify
replace: description
description: 2;267976771;CN=Certificate Authority,O=EXAMPLE.LOCAL;CN=IPA RA,O=EXAMPLE.LOCAL

/var/log/pki/pki-tomcat/ca/system log file shows that the
authentication of the ipara user failed:

0.http-bio-8443-exec-14 - [13/May/2015:22:04:26 CET] [6] [3] Cannot authenticate agent with certificate Serial 0xff90043


The long number in the description represents the serial number of the
user certificate in decimal. It can be calculated with the help of bc:

# echo "ibase=16; FF90043"|bc    <--- 0xff90043 is the serial number from the ca error log.
267976771

The following command verifies that all went well:

# ldapsearch -x -h localhost -b uid=ipara,ou=people,o=ipaca

If everything went ok, please resubmit the certificates and check if the
expiration date of the same has changed to a future date:

# getcert resubmit -d /etc/pki/pki-tomcat/alias -n "auditSigningCert cert-pki-ca"
# getcert resubmit -d /etc/pki/pki-tomcat/alias -n "ocspSigningCert cert-pki-ca"
# getcert resubmit -d /etc/pki/pki-tomcat/alias -n "subsystemCert cert-pki-ca"



On Fri, Jan 6, 2017 at 4:05 PM, Jeff Goddard <jgoddard at emerlyn.com> wrote:

> Alan,
>
> Thank you so VERY much. That resolved the issue for the CA signing
> certificate. However I'm still seeing
>
>         ca-error: Server at "https://id-management-1.internal.emerlyn.com:8443/ca/agent/ca/profileProcess" replied: 1: Invalid Credential.
>
> On multiple requests which have expiration dates in the past. Is there
> something else I need to do?
>
> Jeff
>
> On Fri, Jan 6, 2017 at 3:56 PM, Alan Heverley <aheverle at redhat.com> wrote:
>
>> Looks like you need to get the PIN associated to the cert.
>>
>>  # grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf
>>
>> Then replace <pin> with the PIN in the command above.
>>
>>  # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' -P <pin> -c dogtag-ipa-ca-renew-agent
>>
>> On Fri, Jan 6, 2017 at 3:47 PM, Jeff Goddard <jgoddard at emerlyn.com>
>> wrote:
>>
>>> I think my problem is deeper than that. I was following this guide:
>>> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers
>>> and executed the commands related to having an external CA - which we do not have.
>>> I now get this message for the CA:
>>>
>>> Request ID '20170101055025':
>>>         status: NEED_KEY_GEN_PIN
>>>         stuck: yes
>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',pin set
>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
>>>         CA: dogtag-ipa-ca-renew-agent
>>>         issuer:
>>>         subject:
>>>         expires: unknown
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>>
>>> Is there any way I can recover?
>>>
>>> Jeff
>>>
>>> On Fri, Jan 6, 2017 at 3:43 PM, Rob Crittenden <rcritten at redhat.com>
>>> wrote:
>>>
>>>> Jeff Goddard wrote:
>>>> > I've done this.
>>>> > [root at id-management-1 ipa]# date
>>>> > Sun Jan  1 01:12:27 EST 2017
>>>> >
>>>> >  getcert list give me this as the first entry:
>>>> >
>>>> > Request ID '20150116162120':
>>>> >         status: CA_UNREACHABLE
>>>> >         ca-error: Server at https://id-management-1.internal.emerlyn.com/ipa/xml failed request,
>>>> > will retry: 4001 (RPC failed at server.  ipa: Certificate Authority not found).
>>>> >         stuck: no
>>>> >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>> >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>> >         CA: IPA
>>>> >         issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>>> >         subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
>>>> >         expires: 2017-01-16 16:21:20 UTC
>>>> >         key usage:
>>>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>> >         eku: id-kp-serverAuth,id-kp-clientAuth
>>>> >         pre-save command:
>>>> >         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>> >         track: yes
>>>> >         auto-renew: yes
>>>> >
>>>> > Restarting certmonger multiple times doesn't help.
>>>>
>>>> Sorry, I missed a step. When you go back in time you first need to
>>>> restart IPA. The CA isn't up.
>>>>
>>>> rob
>>>>
>>>> >
>>>> > Jeff
>>>> >
>>>> >
>>>> >
>>>> >
>>>> > On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden <rcritten at redhat.com
>>>> > <mailto:rcritten at redhat.com>> wrote:
>>>> >
>>>> >     Jeff Goddard wrote:
>>>> >     > Flo,
>>>> >     >
>>>> >     > I'm not able to access the link you posted. I did find this thread
>>>> >     > though
>>>> >     >
>>>> >     > https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html
>>>> >     >
>>>> >     > and have set the time back and resubmitted a request. Still no success.
>>>> >     > Any further hints?
>>>> >
>>>> >     You need to stop ntpd, go back in time to when the certs are
>>>> valid and
>>>> >     restart the certmonger service.
>>>> >
>>>> >     Then use getcert list to monitor things. You really only care about the
>>>> >     CA subsystem certs at this point.
>>>> >
>>>> >     You may need to restart certmonger more than once to get all the
>>>> certs
>>>> >     updated (you can manually call getcert resubmit -i <id> if you'd
>>>> >     prefer).
>>>> >
>>>> >     Once that is done return to present day, restart ntpd then ipactl
>>>> >     restart.
>>>> >
>>>> >     rob


-- 
Alan Heverley
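Added example, not from this thread and not FreeIPA or Dogtag code: a small Python check that ties the three values in the procedure above together. It parses the `2;<serial in decimal>;<issuer DN>;<subject DN>` description attribute, pulls the rejected serial out of the CA system-log line, and reads the serial straight out of the base64 DER that `userCertificate::` holds (in LDIF a double colon marks a base64 value, which is why the PEM body with headers and newlines stripped is pasted there). Running it against what `ldapsearch` returns tells you whether the entry really describes the certificate currently in /etc/httpd/alias before you resubmit. The sample DER is a constructed, truncated certificate shell containing only the fields the parser touches (serial 0xff90043); the log line and description strings are the ones quoted in the message above. Function names are mine.

```python
import base64
import re

# Message from /var/log/pki/pki-tomcat/ca/system when agent auth fails.
LOG_RE = re.compile(r"Cannot authenticate agent with certificate Serial 0x([0-9a-fA-F]+)")


def parse_agent_description(description: str) -> dict:
    """Split the agent entry's description: '2;<serial>;<issuer DN>;<subject DN>'.

    DN components are comma-separated, so only ';' delimits the fields.
    """
    parts = description.split(";")
    if len(parts) != 4:
        raise ValueError("unexpected description format: %r" % description)
    return {"prefix": parts[0], "serial": int(parts[1]),
            "issuer": parts[2], "subject": parts[3]}


def rejected_serials_from_log(lines) -> list:
    """Return, in decimal, every serial the CA logged as failing agent auth."""
    return [int(m.group(1), 16) for m in map(LOG_RE.search, lines) if m]


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def serial_from_der(der: bytes) -> int:
    """Walk Certificate -> tbsCertificate -> serialNumber (RFC 5280 field order)."""
    tag, pos, _ = _read_tlv(der, 0)        # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, pos, _ = _read_tlv(der, pos)      # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, start, end = _read_tlv(der, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version, skip it
        tag, start, end = _read_tlv(der, end)
    if tag != 0x02:                        # serialNumber ::= INTEGER
        raise ValueError("expected INTEGER serialNumber")
    return int.from_bytes(der[start:end], "big", signed=True)


def serial_from_ldif_value(b64: str) -> int:
    """userCertificate:: carries the DER certificate base64-encoded."""
    return serial_from_der(base64.b64decode(b64))


def check_agent_entry(description: str, user_cert_b64: str, log_lines) -> dict:
    """Compare the description serial, the stored certificate and the CA log."""
    desc = parse_agent_description(description)
    cert_serial = serial_from_ldif_value(user_cert_b64)
    rejected = rejected_serials_from_log(log_lines)
    return {
        "description_serial": desc["serial"],
        "certificate_serial": cert_serial,
        "rejected_serials": rejected,
        "description_matches_cert": desc["serial"] == cert_serial,
        "stored_cert_was_rejected": cert_serial in rejected,
    }


# Constructed sample data. SAMPLE_DER is a minimal certificate-shaped DER:
# SEQUENCE { SEQUENCE { [0] INTEGER 2, INTEGER 0x0ff90043 } }, nothing more.
SAMPLE_DER = bytes.fromhex("300d" "300b" "a003020102" "02040ff90043")
SAMPLE_USER_CERT_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_DESCRIPTION = ("2;267976771;CN=Certificate Authority,O=EXAMPLE.LOCAL;"
                      "CN=IPA RA,O=EXAMPLE.LOCAL")
STALE_DESCRIPTION = ("2;12345;CN=Certificate Authority,O=EXAMPLE.LOCAL;"
                     "CN=IPA RA,O=EXAMPLE.LOCAL")
SAMPLE_LOG = [
    "0.http-bio-8443-exec-14 - [13/May/2015:22:04:26 CET] [6] [3] "
    "Cannot authenticate agent with certificate Serial 0xff90043",
]

if __name__ == "__main__":
    for label, desc in (("fixed", SAMPLE_DESCRIPTION), ("stale", STALE_DESCRIPTION)):
        print(label, check_agent_entry(desc, SAMPLE_USER_CERT_B64, SAMPLE_LOG))
```

With the stale description the report shows description_matches_cert False, which is the state the log line above is complaining about; after the ldapmodify steps it flips to True. Feed the real values in by pasting the description and userCertificate values from `ldapsearch -x -h localhost -b uid=ipara,ou=people,o=ipaca` and the lines from the CA system log.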