[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Freeipa-users] pki-tomcat failed. [SOLVED]



Hi Adam,

With the change to ldap instead of ldaps on the CA master that you
suggested I was able to move the system clock to before the certificate
expiry time then do

ipactl start --ignore-service-failures
systemctl start pki-tomcat pki-tomcat service
   then start the pki ca service manually as stated in "systemctl status
pki-tomcat pki-tomcat service -l"
service certmonger restart

I then ran "getcert list | more" and waited until all the certificates
had updated

After that "ipactl stop; ipactl start" completed without errors and I
could reenable ntpd and vmware tools timesync.

Finally ipa-certupdate seems to have been needed to propagate the new
certs to the other replicas.

Many thanks

Bob

On 10/01/2017 20:47, Adam Tkac wrote:
> Hello,
>
> we hit similar issue (although due to different conditions - we rotated
> root CA cert and then newly issued certificates were wrongly signed), we
> were also unable to start tomcat. If I remember correctly, we switched dogtag
> to use simple binds instead of TLS to connect to LDAP this way.
>
> 1. systemctl stop pki-tomcatd pki-tomcat service
> 2. backup /etc/pki/pki-tomcat/ca/CS.cfg and /etc/pki/pki-tomcat/password.conf
> 3. add directory manager password into password.conf file, it should be line
> like
>
> internaldb=my_directory_manager_password
>
> 4. tune CS.cfg a little, take this diff as an example
>
> +internaldb.ldapauth.authtype=BasicAuth
> +internaldb.ldapauth.bindDN=cn=Directory Manager
> +internaldb.ldapauth.bindPWPrompt=internaldb
> -internaldb.ldapauth.authtype=SslClientAuth
> -internaldb.ldapauth.bindDN=uid=pkidbuser,ou=people,o=ipaca
>  internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
>  internaldb.ldapconn.cloneReplicationPort=389
>  internaldb.ldapconn.masterReplicationPort=7389
> +internaldb.ldapconn.port=389
> -internaldb.ldapconn.port=636
>  internaldb.ldapconn.replicationSecurity=TLS
> +internaldb.ldapconn.secureConn=false
> -internaldb.ldapconn.secureConn=true
>
> 5. systemctl start pki-tomcatd pki-tomcat service
>
> Now tomcat should run correctly and you should be able to resubmit expired
> certs and you can start to experiment with switch dogtag back to TLS auth.
> Hope this helps you.
>
> Regards, Adam
>
> On Tue, Jan 10, 2017 at 07:27:04PM +0000, Bob Hinton wrote:
>> Hi,
>>
>> The pki-tomcatd services on our IPA servers seem to have stopped working.
>>
>> This seems to be related to the expiry of several certificates -
>>
>> [root ipa001 ~]# getcert list | more
>> Number of certificates and requests being tracked: 8.
>> Request ID '20161230150048':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>>         certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer: CN=Certificate Authority,O=LOCAL.COM
>>         subject: CN=CA Audit,O=LOCAL.COM
>>         expires: 2017-01-09 08:21:45 UTC
>>         key usage: digitalSignature,nonRepudiation
>>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>> "auditSigningCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20161230150049':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>>         certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer: CN=Certificate Authority,O=LOCAL.COM
>>         subject: CN=OCSP Subsystem,O=LOCAL.COM
>>         expires: 2017-01-09 08:21:45 UTC
>>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>         eku: id-kp-OCSPSigning
>>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>> "ocspSigningCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>>
>> These were originally in CA_WORKING state, but I moved the clock back
>> and restarted certmonger to try to renew them.
>>
>>
>> /var/log/pki/pki-tomcat/ca/debug contains
>>
>> [10/Jan/2017:18:35:37][localhost-startStop-1]: makeConnection:
>> errorIfDown true
>> [10/Jan/2017:18:35:37][localhost-startStop-1]:
>> SSLClientCertificateSelectionCB: Setting desired cert nickname to:
>> subsystemCert cert-pki-ca
>> [10/Jan/2017:18:35:37][localhost-startStop-1]: LdapJssSSLSocket: set
>> client auth cert nickname subsystemCert cert-pki-ca
>> [10/Jan/2017:18:35:37][localhost-startStop-1]:
>> SSLClientCertificatSelectionCB: Entering!
>> [10/Jan/2017:18:35:37][localhost-startStop-1]: Candidate cert:
>> caSigningCert cert-pki-ca
>> [10/Jan/2017:18:35:37][localhost-startStop-1]: Candidate cert:
>> Server-Cert cert-pki-ca
>> [10/Jan/2017:18:35:37][localhost-startStop-1]:
>> SSLClientCertificateSelectionCB: returning: null
>> [10/Jan/2017:18:35:37][localhost-startStop-1]: SSL handshake happened
>> Could not connect to LDAP server host ipa001.mgmt.local.com port 636
>> Error netscape.ldap.LDAPException: Authentication failed (48)
>>         at
>> com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
>>         at
>> com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
>>         at
>> com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
>>         at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
>>         at
>> com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
>>         at
>> com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
>>         at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
>>         at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>>         at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
>>         at
>> com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>>         at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>         at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>         at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>         at java.lang.reflect.Method.invoke(Method.java:498)
>>         at
>> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>>         at
>> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>>         at
>> org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
>>         at
>> org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
>>         at
>> org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
>>         at
>> org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
>>         at
>> org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
>>         at
>> org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
>>         at
>> org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
>>         at
>> org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
>>         at
>> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>>         at
>> org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
>>         at
>> org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>>         at
>> org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>>         at
>> org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at
>> org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
>>         at
>> org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>>         at
>> org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
>>         at
>> org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
>>         at
>> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>>         at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>         at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>         at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>         at java.lang.Thread.run(Thread.java:745)
>> Internal Database Error encountered: Could not connect to LDAP server
>> host ipa001.mgmt.local.com port 636 Error netscape.ldap.LDAPException:
>> Authentication failed (48)
>>         at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
>>
>> The only connection attempt I can find relating to err=48 in the slapd
>> access log is -
>>
>>
>> [10/Jan/2017:18:21:08.884446519 +0000] conn=59668 fd=83 slot=83 SSL
>> connection from 10.220.6.250 to 10.220.6.250
>> [10/Jan/2017:18:21:08.898844561 +0000] conn=59668 TLS1.2 256-bit AES
>> [10/Jan/2017:18:21:08.917314723 +0000] conn=59668 op=0 BIND dn=""
>> method=sasl version=3 mech=EXTERNAL
>> [10/Jan/2017:18:21:08.919725280 +0000] conn=59668 op=0 RESULT err=48
>> tag=97 nentries=0 etime=0
>> [10/Jan/2017:18:21:09.590236408 +0000] conn=59637 op=88 EXT
>> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>>
>> We recent upgraded ipa from 4.2 to 4.4 and I wonder if that broke something.
>>
>>  ipa --version
>> VERSION: 4.4.0, API_VERSION: 2.213
>>
>> The /etc/ca.crt cert was originally created on an ipa 3.3 server that no
>> longer exists, I don't know if that's relevant.
>>
>> Anyway, I'm stumped on how to fix this so could anyone please help.
>>
>> Many thanks
>>
>> Bob
>>
>> -- 
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]