[Freeipa-users] pki-tomcatd fails to start
Rob Crittenden
rcritten at redhat.com
Fri Jan 6 21:32:38 UTC 2017
Jeff Goddard wrote:
> I've followed the instructions related to my error here:
> http://www.freeipa.org/page/Troubleshooting#PKI_Issues but I still
> haven't found a solution.
Look at these instructions
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
Look only at the ipaCert part, particularly the ou=people part and the
description attribute.
rob
>
> Jeff
>
> On Fri, Jan 6, 2017 at 4:05 PM, Jeff Goddard <jgoddard at emerlyn.com> wrote:
>
> Alan,
>
> Thank you so VERY much. That resolved the issue for the CA signing
> certificate. However I'm still seeing
>
> ca-error: Server at
> "https://id-management-1.internal.emerlyn.com:8443/ca/agent/ca/profileProcess"
> replied: 1: Invalid Credential.
>
> On multiple requests which have expiration dates in the past. Is
> there something else I need to do?
>
> Jeff
>
> On Fri, Jan 6, 2017 at 3:56 PM, Alan Heverley <aheverle at redhat.com> wrote:
>
> Looks like you need to get the PIN associated to the cert.
>
> # grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf
>
> Then replace <pin> with the PIN in the command above.
>
> # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n
> 'caSigningCert cert-pki-ca' -P <pin> -c dogtag-ipa-ca-renew-agent
>
> On Fri, Jan 6, 2017 at 3:47 PM, Jeff Goddard <jgoddard at emerlyn.com> wrote:
>
> I think my problem is deeper than that. I was following this
> guide: http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers
> and executed the commands related to having an external CA -
> which we do not have. I now get this message for the CA:
>
> Request ID '20170101055025':
> status: NEED_KEY_GEN_PIN
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',pin set
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
> CA: dogtag-ipa-ca-renew-agent
> issuer:
> subject:
> expires: unknown
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
>
> Is there any way I can recover?
>
> Jeff
>
> On Fri, Jan 6, 2017 at 3:43 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Jeff Goddard wrote:
> > I've done this.
> > [root at id-management-1 ipa]# date
> > Sun Jan 1 01:12:27 EST 2017
> >
> > getcert list gives me this as the first entry:
> >
> > Request ID '20150116162120':
> > status: CA_UNREACHABLE
> > ca-error: Server at
> > https://id-management-1.internal.emerlyn.com/ipa/xml failed request,
> > will retry: 4001 (RPC failed at server. ipa: Certificate Authority not
> > found).
> > stuck: no
> > key pair storage:
> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate:
> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
> > subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
> > expires: 2017-01-16 16:21:20 UTC
> > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> > post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> > track: yes
> > auto-renew: yes
> >
> > Restarting certmonger multiple times doesn't help.
>
> Sorry, I missed a step. When you go back in time you first need to
> restart IPA. The CA isn't up.
>
> rob
>
> >
> > Jeff
> >
> >
> >
> >
> > On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> >
> > Jeff Goddard wrote:
> > > Flo,
> > >
> > > I'm not able to access the link you posted. I did find this thread
> > > though
> > > https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html
> > > and have set the time back and resubmitted a request. Still no
> > > success.
> > > Any further hints?
> >
> > You need to stop ntpd, go back in time to when the certs are valid and
> > restart the certmonger service.
> >
> > Then use getcert list to monitor things. You really only care about the
> > CA subsystem certs at this point.
> >
> > You may need to restart certmonger more than once to get all the certs
> > updated (you can manually call getcert resubmit -i <id> if you'd
> > prefer).
> >
> > Once that is done return to present day, restart ntpd then ipactl
> > restart.
> >
> > rob
> >
> >
> >
> >
> --
> Alan Heverley
>
> --
> Jeff Goddard
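Rob's clock-rollback procedure (stop ntpd, set the date back to when the certs were valid, restart IPA so the CA is up, restart certmonger or resubmit the stuck requests, then return to the present and restart ntpd and IPA) and Alan's PIN lookup plus start-tracking fix, gathered into one script. This is an added example for this page, not code from the thread or from the FreeIPA project. It assumes a RHEL 7-era IPA master with bash, GNU coreutils, systemd, ntpd as the time daemon, certmonger's getcert and FreeIPA's ipactl; the paths and certificate nicknames are the ones quoted in the thread, and the getcert output and password.conf it parses are constructed samples, not real output.

```shell
#!/bin/bash
# Added example for this thread, not code from the thread or from FreeIPA.
# Assumes a RHEL 7-era IPA master: bash, GNU coreutils, systemd, ntpd as the
# time daemon, certmonger's getcert and FreeIPA's ipactl. Paths and nicknames
# are the ones quoted in the thread.
set -u

# Parse `getcert list` output (stdin) into "id<TAB>status<TAB>expires" lines.
parse_getcert_list() {
    awk -v q="'" '
        /^Request ID/ {
            if (id != "") print id "\t" status "\t" expires
            split($0, a, q); id = a[2]; status = ""; expires = ""
        }
        /^[ \t]*status:/  { status = $2 }
        /^[ \t]*expires:/ { sub(/^[ \t]*expires: */, ""); expires = $0 }
        END { if (id != "") print id "\t" status "\t" expires }
    '
}

# Request IDs not in the healthy MONITORING state (stdin: getcert list).
requests_needing_attention() {
    parse_getcert_list | awk -F'\t' '$2 != "MONITORING" { print $1 }'
}

# Earliest expiry among tracked certs (stdin: getcert list). certmonger prints
# "YYYY-MM-DD HH:MM:SS UTC", which sorts correctly as text; "unknown" is skipped.
# The clock has to be set to BEFORE this value for the renewal to work.
earliest_expiry() {
    parse_getcert_list | awk -F'\t' '$3 ~ /^[0-9]/ { print $3 }' | sort | head -n 1
}

# Alan's grep as a function: the NSS DB PIN for the pki-tomcat token.
pki_internal_pin() {
    sed -n 's/^internal=//p' "$1"
}

# Alan's fix for a request stuck in NEED_KEY_GEN_PIN: re-track the CA signing
# cert with the PIN so certmonger can open the key. Root only. The PIN is passed
# as an argument, so it is visible in `ps` while getcert runs.
retrack_ca_signing_cert() {
    local pin
    pin=$(pki_internal_pin /var/lib/pki/pki-tomcat/conf/password.conf)
    getcert start-tracking -d /etc/pki/pki-tomcat/alias \
        -n 'caSigningCert cert-pki-ca' -P "$pin" -c dogtag-ipa-ca-renew-agent
}

# Rob's procedure, in order. Root only and destructive (moves the system clock).
# $1: a UTC timestamp before earliest_expiry, e.g. "2017-01-01 01:00:00".
renew_with_clock_rollback() {
    local rollback_to=$1 start id i
    start=$(date -u '+%Y-%m-%d %H:%M:%S')
    systemctl stop ntpd
    date -u -s "$rollback_to"
    ipactl restart                 # the step Rob missed: the CA must be up first
    systemctl restart certmonger
    for id in $(getcert list | requests_needing_attention); do
        getcert resubmit -i "$id"  # instead of restarting certmonger repeatedly
    done
    for i in $(seq 1 30); do       # wait up to ~5 minutes for MONITORING
        [ -z "$(getcert list | requests_needing_attention)" ] && break
        sleep 10
    done
    echo "still not MONITORING (NEED_KEY_GEN_PIN ones need retrack_ca_signing_cert):"
    getcert list | requests_needing_attention
    date -u -s "$start"            # back to roughly now; ntpd trims the rest
    systemctl start ntpd
    ipactl restart
}

# Constructed sample of `getcert list` output, shaped like the entries in the thread.
SAMPLE_GETCERT=$(cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20150116162120':
	status: CA_UNREACHABLE
	stuck: no
	expires: 2017-01-16 16:21:20 UTC
Request ID '20170101055025':
	status: NEED_KEY_GEN_PIN
	stuck: yes
	expires: unknown
Request ID '20150116162121':
	status: MONITORING
	stuck: no
	expires: 2017-01-05 10:00:00 UTC
EOF
)

# Dry run on the sample: what to resubmit, and how far back the clock must go.
printf '%s\n' "$SAMPLE_GETCERT" | requests_needing_attention
printf 'clock must be set before: %s\n' "$(printf '%s\n' "$SAMPLE_GETCERT" | earliest_expiry)"
```

Run the parsing helpers against real `getcert list` output first, and only call `renew_with_clock_rollback` once `earliest_expiry` tells you how far back the clock must go; a resubmit will not move a request out of NEED_KEY_GEN_PIN, which is what `retrack_ca_signing_cert` is for. The later "Invalid Credential" error in the thread is a different problem (the ipaCert agent entry Rob points to) and this script does not touch it.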