[Freeipa-users] pki-tomcatd fails to start
Jeff Goddard
jgoddard at emerlyn.com
Fri Jan 6 22:02:04 UTC 2017
Rob,
I'm missing something in either the syntax or the execution. I'm getting this
error:
ldap_modify: Invalid DN syntax (34)
additional info: invalid dn
Just as a reminder the version of ipa I'm on is 4.4.
Jeff
On Fri, Jan 6, 2017 at 4:32 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Jeff Goddard wrote:
> > I've followed the instructions related to my error here:
> > http://www.freeipa.org/page/Troubleshooting#PKI_Issues but I still
> > haven't found a solution.
>
> Look at these instructions
> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>
> Look only at the ipaCert part, particularly the ou=people part and the
> description attribute.
>
> rob
>
> >
> > Jeff
> >
> > On Fri, Jan 6, 2017 at 4:05 PM, Jeff Goddard <jgoddard at emerlyn.com> wrote:
> >
> > Alan,
> >
> > Thank you so VERY much. That resolved the issue for the CA signing
> > certificate. However I'm still seeing
> >
> > ca-error: Server at
> > "https://id-management-1.internal.emerlyn.com:8443/ca/agent/ca/profileProcess"
> > replied: 1: Invalid Credential.
> >
> > On multiple requests which have expiration dates in the past. Is
> > there something else I need to do?
> >
> > Jeff
> >
> > On Fri, Jan 6, 2017 at 3:56 PM, Alan Heverley <aheverle at redhat.com> wrote:
> >
> > Looks like you need to get the PIN associated to the cert.
> >
> > # grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf
> >
> > Then replace <pin> with the PIN in the command above.
> >
> > # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n
> > 'caSigningCert cert-pki-ca' -P <pin> -c dogtag-ipa-ca-renew-agent
> >
> > On Fri, Jan 6, 2017 at 3:47 PM, Jeff Goddard <jgoddard at emerlyn.com> wrote:
> >
> > I think my problem is deeper than that. I was following this
> > guide: http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers
> > and executed the commands related to having an external CA -
> > which we do not have. I now get this message for the CA:
> >
> > Request ID '20170101055025':
> > status: NEED_KEY_GEN_PIN
> > stuck: yes
> > key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',pin set
> > certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
> > CA: dogtag-ipa-ca-renew-agent
> > issuer:
> > subject:
> > expires: unknown
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
> >
> > Is there any way I can recover?
> >
> > Jeff
> >
> > On Fri, Jan 6, 2017 at 3:43 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> >
> > Jeff Goddard wrote:
> > > I've done this.
> > > [root at id-management-1 ipa]# date
> > > Sun Jan 1 01:12:27 EST 2017
> > >
> > > getcert list gives me this as the first entry:
> > >
> > > Request ID '20150116162120':
> > > status: CA_UNREACHABLE
> > > ca-error: Server at https://id-management-1.internal.emerlyn.com/ipa/xml failed request, will retry: 4001 (RPC failed at server. ipa: Certificate Authority not found).
> > > stuck: no
> > > key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> > > CA: IPA
> > > issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
> > > subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
> > > expires: 2017-01-16 16:21:20 UTC
> > > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > pre-save command:
> > > post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> > > track: yes
> > > auto-renew: yes
> > >
> > > Restarting certmonger multiple times doesn't help.
> >
> > Sorry, I missed a step. When you go back in time you
> > first need to
> > restart IPA. The CA isn't up.
> >
> > rob
> >
> > >
> > > Jeff
> > >
> > >
> > >
> > >
> > > On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> > >
> > > Jeff Goddard wrote:
> > > > Flo,
> > > >
> > > > I'm not able to access the link you posted. I did find this thread
> > > > though
> > > > https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html
> > > > and have set the time back and resubmitted a request. Still no
> > > > success.
> > > > Any further hints?
> > >
> > > You need to stop ntpd, go back in time to when the
> > certs are valid and
> > > restart the certmonger service.
> > >
> > > Then use getcert list to monitor things. You
> > > really only care about the
> > > CA subsystem certs at this point.
> > >
> > > You may need to restart certmonger more than once
> > to get all the certs
> > > updated (you can manually call getcert resubmit -i
> > <id> if you'd
> > > prefer).
> > >
> > > Once that is done return to present day, restart
> > ntpd then ipactl
> > > restart.
> > >
> > > rob
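Added example, not code from the thread and not part of FreeIPA or certmonger: a small POSIX shell script that triages `getcert list` output before the "roll the clock back" renewal Rob describes (stop ntpd, set the date to when the certs were valid, ipactl restart, restart certmonger, resubmit, return to the present) and folds in Alan's PIN lookup for the NEED_KEY_GEN_PIN case. It only parses text and prints the command sequence; it changes nothing on the host. The sample `getcert list` text, request IDs, hostname and PIN are constructed for the example and modelled on the entries quoted in the thread; the script assumes that output format, `ntpd` as the time service (as in the thread), and GNU coreutils `date` for the "one day before expiry" arithmetic (it falls back to a placeholder if that is unavailable).

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/certmonger.
# Parses `getcert list` output, lists requests that need attention, finds the
# earliest expiry (the date you must be before when rolling the clock back),
# and prints (never runs) the renewal sequence from the thread.
# Assumptions: the `getcert list` text format quoted in the thread, ntpd as the
# time service, and GNU coreutils `date` for the date arithmetic.

# Constructed sample of `getcert list` output, modelled on the thread's entries.
# Names, IDs and dates are made up for the example.
SAMPLE_GETCERT_LIST=$(cat <<'EOF'
Number of certificates and requests being tracked: 4.
Request ID '20150116162120':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: 4001 (RPC failed at server.  ipa: Certificate Authority not found).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        CA: IPA
        expires: 2017-01-16 16:21:20 UTC
Request ID '20170101055025':
        status: NEED_KEY_GEN_PIN
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',pin set
        CA: dogtag-ipa-ca-renew-agent
        expires: unknown
Request ID '20150116162230':
        status: CA_UNREACHABLE
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        CA: dogtag-ipa-ca-renew-agent
        expires: 2016-12-28 05:50:25 UTC
Request ID '20150116162300':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2018-12-17 06:14:21 UTC
EOF
)

# One line per request that is not MONITORING or that certmonger marks stuck:
# "<request id> <status> <stuck> <nss db location> <nickname>" (nickname last,
# because CA nicknames such as 'caSigningCert cert-pki-ca' contain a space).
problem_requests() {
    awk -v q="'" '
    function flush() {
        if (id != "" && (status != "MONITORING" || stuck == "yes"))
            print id, status, stuck, loc, nick
        id = ""; status = ""; stuck = ""; loc = ""; nick = ""
    }
    /^Request ID/              { flush(); id = $3; gsub("[" q ":]", "", id) }
    /^[ \t]*status:/           { status = $2 }
    /^[ \t]*stuck:/            { stuck = $2 }
    /^[ \t]*key pair storage:/ {
        # "location='" and "nickname='" are both 10 characters long
        if (match($0, "location=" q "[^" q "]*" q)) loc  = substr($0, RSTART + 10, RLENGTH - 11)
        if (match($0, "nickname=" q "[^" q "]*" q)) nick = substr($0, RSTART + 10, RLENGTH - 11)
    }
    END { flush() }'
}

# Earliest known expiry among the tracked certs. The timestamps are
# "YYYY-MM-DD HH:MM:SS UTC", so plain string comparison orders them correctly.
earliest_expiry() {
    awk '/^[ \t]*expires:/ && $2 != "unknown" {
        ts = $2 " " $3 " " $4
        if (min == "" || ts < min) min = ts
    } END { print min }'
}

# Internal NSS token PIN from pki-tomcat's password.conf (Alan's grep step).
internal_pin() {
    sed -n 's/^internal=//p'
}

# Print the renewal sequence from the thread for this getcert output and
# password.conf contents. Review it, then run it by hand on the CA master.
renewal_plan() {
    list=$1; pwconf=$2
    expiry=$(printf '%s\n' "$list" | earliest_expiry)
    # one day before the earliest expiry: every cert is valid again, so the CA can start
    back_to=$(date -u -d "$expiry - 1 day" '+%Y-%m-%d %H:%M:%S' 2>/dev/null) \
        || back_to="<a date before $expiry>"
    pin=$(printf '%s\n' "$pwconf" | internal_pin)
    echo "systemctl stop ntpd"
    echo "date -u -s '$back_to'"
    echo "ipactl restart                 # the CA must be up before certmonger can renew"
    echo "systemctl restart certmonger"
    printf '%s\n' "$list" | problem_requests | while read -r id status stuck loc nick; do
        if [ "$status" = NEED_KEY_GEN_PIN ]; then
            echo "getcert start-tracking -d '$loc' -n '$nick' -P '$pin' -c dogtag-ipa-ca-renew-agent"
        else
            echo "getcert resubmit -i $id          # $nick ($status)"
        fi
    done
    echo "getcert list                   # repeat until the CA subsystem certs show MONITORING"
    echo "date -u -s '<the real current date>'; systemctl start ntpd; ipactl restart"
}

# Stand-alone demo on the constructed inputs.
renewal_plan "$SAMPLE_GETCERT_LIST" "internal=example-pin"
```

Feed it real output with `getcert list | problem_requests` or `renewal_plan "$(getcert list)" "$(cat /var/lib/pki/pki-tomcat/conf/password.conf)"`. The plan is deliberately printed rather than executed: changing the system clock on a domain controller and re-issuing CA subsystem certificates is something to do step by step while watching `getcert list`, not from a script.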