<html><body><div style="font-family: arial,helvetica,sans-serif; font-size: 10pt; color: #000000"><hr id="zwchr"><blockquote style="border-left:2px solid #1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From: </b>"Bertrand Rétif" <bretif@phosphore.eu><br><b>To: </b>freeipa-users@redhat.com<br><b>Sent: </b>Tuesday 25 October 2016 17:51:09<br><b>Subject: </b>Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue<br><div><br></div><div style="font-family: arial,helvetica,sans-serif; font-size: 10pt; color: #000000"><hr id="zwchr"><blockquote style="border-left:2px solid #1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From: </b>"Florence Blanc-Renaud" <flo@redhat.com><br><b>To: </b>"Bertrand Rétif" <bretif@phosphore.eu>, freeipa-users@redhat.com<br><b>Sent: </b>Thursday 20 October 2016 18:45:21<br><b>Subject: </b>Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue<br><div><br></div>On 10/19/2016 08:18 PM, Bertrand Rétif wrote:<br>> *From: *"Bertrand Rétif" <bretif@phosphore.eu><br>><br>>     *To: *freeipa-users@redhat.com<br>>     *Sent: *Wednesday 19 October 2016 15:42:07<br>>     *Subject: *Re: [Freeipa-users] Impossible to renew certificate.<br>>     pki-tomcat issue<br>><br>><br>>     ------------------------------------------------------------------------<br>><br>>         *From: *"Rob Crittenden" <rcritten@redhat.com><br>>         *To: *"Bertrand Rétif" <bretif@phosphore.eu>,<br>>         freeipa-users@redhat.com<br>>         *Sent: *Wednesday 19 October 2016 15:30:14<br>>         *Subject: *Re: [Freeipa-users] Impossible to renew certificate.<br>>         pki-tomcat issue<br>><br>>         Bertrand Rétif wrote:<br>>         >> From: "Martin Babinsky" <mbabinsk@redhat.com><br>>         >> To: freeipa-users@redhat.com<br>>         >> Sent: Wednesday 19 October 2016 08:45:49<br>>         >> Subject: Re: [Freeipa-users] Impossible to renew certificate.<br>>         pki-tomcat issue<br>>         ><br>>         >> On 10/18/2016 11:22 PM, Bertrand Rétif wrote:<br>>         >>> Hello,<br>>         >>><br>>         >>> I had an issue with pki-tomcat.<br>>         >>> I had several certificates that were expired and pki-tomcat<br>>         did not start<br>>         >>> anymore.<br>>         >>><br>>         >>> I set the date on the server before certificate 
expiration<br>>         and then<br>>         >>> pki-tomcat starts properly.<br>>         >>> Then I tried to resubmit the certificate, but I get the error below:<br>>         >>> "Profile caServerCert Not Found"<br>>         >>><br>>         >>> Do you have any idea how I could fix this issue?<br>>         >>><br>>         >>> Please find below the output of the commands:<br>>         >>><br>>         >>><br>>         >>> # getcert resubmit -i 20160108170324<br>>         >>><br>>         >>> # getcert list -i 20160108170324<br>>         >>> Number of certificates and requests being tracked: 7.<br>>         >>> Request ID '20160108170324':<br>>         >>> status: MONITORING<br>>         >>> ca-error: Server at<br>>         >>> "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit"<br>>         replied:<br>>         >>> Profile caServerCert Not Found<br>>         >>> stuck: no<br>>         >>> key pair storage:<br>>         >>><br>>         type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS<br>>         >>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>>         >>> certificate:<br>>         >>><br>>         type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS<br>>         >>> Certificate DB'<br>>         >>> CA: dogtag-ipa-ca-renew-agent<br>>         >>> issuer: CN=Certificate Authority,O=A.SKINFRA.EU<br>>         >>> subject: CN=IPA RA,O=A.SKINFRA.EU<br>>         >>> expires: 2016-06-28 15:25:11 UTC<br>>         >>> key usage:<br>>         >>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>>         >>> eku: id-kp-serverAuth,id-kp-clientAuth<br>>         >>> pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre<br>>         >>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert<br>>         >>> track: yes<br>>         >>> auto-renew: yes<br>>         >>><br>>         >>><br>>         >>> Thanks in advance for your help.<br>>         >>> Bertrand<br>>         >>><br>>         >>><br>>         
>>><br>>         >>><br>>         ><br>>         >> Hi Bertrand,<br>>         ><br>>         >> what version of FreeIPA and Dogtag are you running?<br>>         ><br>>         >> Also perform the following search on the IPA master and post<br>>         the result:<br>>         ><br>>         >> """<br>>         >> ldapsearch -D "cn=Directory Manager" -W -b<br>>         >> 'ou=certificateProfiles,ou=ca,o=ipaca'<br>>         '(objectClass=certProfile)'<br>>         >> """<br>>         ><br>>         > Hi Martin,<br>>         ><br>>         > Thanks for your reply.<br>>         ><br>>         > Here is the version:<br>>         > - FreeIPA 4.2.0<br>>         > - Centos 7.2<br>>         ><br>>         > I have been able to fix the issue with "Profile caServerCert<br>>         Not Found" by editing /var/lib/pki/pki-tomcat/ca/conf/CS.cfg<br>>         > I replaced the entry below<br>>         ><br>>         "subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem"<br>>         > by<br>>         > "subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem"<br>>         ><br>>         > and then launched the "ipa-server-upgrade" command<br>>         > I found this solution in this post:<br>>         http://osdir.com/ml/freeipa-users/2016-03/msg00280.html<br>>         ><br>>         > Then I was able to renew my certificate.<br>>         ><br>>         > However I rebooted my server too and pki-tomcat does not start and<br>>         provides a new error in /var/log/pki/pki-tomcat/ca/debug<br>>         ><br>>         > [19/Oct/2016:11:11:52][localhost-startStop-1]: CertUtils:<br>>         verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca<br>>         > [19/Oct/2016:11:11:52][localhost-startStop-1]:<br>>         SignedAuditEventFactory: create()<br>>         message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$<br>>         > System$][Outcome=Success][CertNickName=auditSigningCert<br>>         cert-pki-ca] CIMC certificate verification<br>>         ><br>>   
      > java.lang.Exception: SystemCertsVerification: system certs<br>>         verification failure<br>>         > at<br>>         com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198)<br>>         > at<br>>         com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861)<br>>         > at<br>>         com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797)<br>>         > at<br>>         com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1701)<br>>         > at<br>>         com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1148)<br>>         > at com.netscape.certsrv.apps.CMS.startup(CMS.java:200)<br>>         > at com.netscape.certsrv.apps.CMS.start(CMS.java:1602)<br>>         > at<br>>         com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)<br>>         > at javax.servlet.GenericServlet.init(GenericServlet.java:158)<br>>         > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)<br>>         > at<br>>         sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)<br>>         > at<br>>         sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)<br>>         > at java.lang.reflect.Method.invoke(Method.java:606)<br>>         > at<br>>         org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)<br>>         > at<br>>         org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)<br>>         > at java.security.AccessController.doPrivileged(Native Method)<br>>         > at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)<br>>         > at<br>>         org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)<br>>         > at<br>>         org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)<br>>         > at<br>>         
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)<br>>         > at<br>>         org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)<br>>         > at<br>>         org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)<br>>         > at<br>>         org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)<br>>         > at<br>>         org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)<br>>         > at<br>>         org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)<br>>         > at<br>>         org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)<br>>         > at<br>>         org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)<br>>         > at<br>>         org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)<br>>         > at<br>>         org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)<br>>         > at<br>>         org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)<br>>         > at java.security.AccessController.doPrivileged(Native Method)<br>>         > at<br>>         org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)<br>>         > at<br>>         org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)<br>>         > at<br>>         org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)<br>>         > at<br>>         org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)<br>>         > at<br>>         java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)<br>>         > at java.util.concurrent.FutureTask.run(FutureTask.java:262)<br>>         > at<br>>         java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)<br>>         > at<br>>      
   java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)<br>>         > at java.lang.Thread.run(Thread.java:745)<br>>         > [19/Oct/2016:11:11:52][localhost-startStop-1]:<br>>         SignedAuditEventFactory: create()<br>>         message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure]<br>>         self tests execution (see selftests.log for details)<br>>         > [19/Oct/2016:11:11:52][localhost-startStop-1]:<br>>         CMSEngine.shutdown()<br>>         ><br>>         ><br>>         > I am currently stuck here.<br>>         > Thanks a lot for your help.<br>><br>>         I'm guessing at least one of the CA subsystem certificates is<br>>         still<br>>         expired. Look at the "getcert list" output to see if there are any<br>>         expired certificates.<br>><br>>         rob<br>><br>>         ><br>>         > Bertrand<br>>         ><br>>         ><br>><br>>     Hello Rob,<br>><br>>     I checked on my 2 servers and no certificate is expired<br>><br>>     [root@sdkipa03 ~]# getcert list |grep expire<br>>         expires: 2018-06-22 22:02:26 UTC<br>>         expires: 2018-06-22 22:02:47 UTC<br>>         expires: 2034-07-09 15:24:34 UTC<br>>         expires: 2016-10-30 13:35:29 UTC<br>><br>>     [root@sdkipa01 conf]# getcert list |grep expire<br>>         expires: 2018-06-12 23:38:01 UTC<br>>         expires: 2018-06-12 23:37:41 UTC<br>>         expires: 2018-06-11 22:53:57 UTC<br>>         expires: 2018-06-11 22:55:50 UTC<br>>         expires: 2018-06-11 22:57:47 UTC<br>>         expires: 2034-07-09 15:24:34 UTC<br>>         expires: 2018-06-11 22:59:55 UTC<br>><br>>     I see that one certificate is in status: CA_UNREACHABLE, maybe I<br>>     rebooted my server too soon...<br>><br>>     I continue to investigate<br>><br>>     Thanks for your help.<br>>     Bertrand<br>><br>> I fixed my previous issue.<br>> Now I have an issue with a server.<br>> This server cannot start pki-tomcatd, I get this error in 
debug file:<br>> "Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)"<br>><br>> After investigation I see that I do not have the "ipaCert" certificate in<br>> "/etc/httpd/alias"<br>> see the command below:<br>><br>> [root@sdkipa03 ~]# getcert list -d /etc/httpd/alias<br>> Number of certificates and requests being tracked: 4.<br>> Request ID '20141110133632':<br>>     status: MONITORING<br>>     stuck: no<br>>     key pair storage:<br>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>>     certificate:<br>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS<br>> Certificate DB'<br>>     CA: IPA<br>>     issuer: CN=Certificate Authority,O=A.SKINFRA.EU<br>>     subject: CN=sdkipa03.skinfra.eu,O=A.SKINFRA.EU<br>>     expires: 2018-06-22 22:02:47 UTC<br>>     principal name: HTTP/sdkipa03.skinfra.eu@A.SKINFRA.EU<br>>     key usage:<br>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>>     eku: id-kp-serverAuth,id-kp-clientAuth<br>>     pre-save command:<br>>     post-save command: /usr/lib64/ipa/certmonger/restart_httpd<br>>     track: yes<br>>     auto-renew: yes<br>><br>><br>> How can I add the certificate to /etc/httpd/alias?<br>><br>Hi,<br><div><br></div>for the record, the command getcert list that you supplied shows the <br>certificates in /etc/httpd/alias that are tracked by certmonger. 
If you <br>want to display all the certificates contained in /etc/httpd/alias <br>(whether tracked or not), then you may want to use certutil -L -d <br>/etc/httpd/alias instead.<br><div><br></div>If ipaCert is missing, you can export the ipaCert certificate from another <br>master, then import it to your server.<br><div><br></div>On a master containing the cert:<br># certutil -d /etc/httpd/alias -L -n 'ipaCert' -a > /tmp/newRAcert.crt<br><div><br></div>Then copy the file /tmp/newRAcert.crt to your server and import the cert:<br># certutil -d /etc/httpd/alias -A -n 'ipaCert' -a -i /tmp/newRAcert.crt -t u,u,u<br><div><br></div>And finally you need to tell certmonger to monitor the cert using <br>getcert start-tracking.<br><div><br></div>Hope this helps,<br>Flo.<br><div><br></div>> Thanks for your support.<br>> Regards<br>> Bertrand<br>><br>><br>><br></blockquote><div>Hi,<br></div><div><br></div><div>Florence, thanks for your help.<br></div><div>I was able to import ipaCert correctly with your commands.<br></div><div>Now it seems that I also have an issue on one server with "subsystemCert cert-pki-ca" in /etc/pki/pki-tomcat/alias as I get the error below when pki-tomcat tries to start<br></div><div><br></div><div>LdapJssSSLSocket set client auth cert nickname subsystemCert cert-pki-ca<br>Could not connect to LDAP server host sdkipa03.XX.YY port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)<br></div><div><br></div><div>Is there a way to restore a correct "subsystemCert cert-pki-ca"?<br></div><div><br></div><div>Regards<br></div><div>Bertrand<br></div></div></blockquote><div>Hello,<br></div><div><br></div><div>I am still stuck with my IPA server.<br></div><div>I have issues on both servers.<br></div><div>On server1, the certificate below is not renewed properly<br></div><div>   certutil -L -d /etc/httpd/alias/ -n "ipaCert"<br></div><div><br></div><div>and on server 2 it is this certificate:<br>  certutil -L -d 
/var/lib/pki/pki-tomcat/alias/ -n "Server-Cert cert-pki-ca"<br><br></div><div>Could you provide me with the correct syntax for the start-tracking command?<br></div><div>I tried to launch this command but my certificate remains in "NEWLY_ADDED_NEED_KEYINFO_READ_PIN" state.<br></div><div><div><div>Here is the command I use:<br></div><div>getcert start-tracking -c dogtag-ipa-retrieve-agent-submit -d /var/lib/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca' -B /usr/lib64/ipa/certmonger/stop_pkicad -C '/usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"' -T "Server-Cert cert-pki-ca" -P '20160614000000'</div><div><br></div><div>Thanks in advance for your help.<br></div><div><br></div><div>Regards<br></div><div>Bertrand<br></div></div></div><div><br></div><div><br></div></div></body></html>
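As an added example (not code from this thread, FreeIPA or certmonger), a small Python triage of `getcert list` output that flags the three conditions the thread keeps running into: a ca-error left by a failed resubmit, an expired certificate, and a request parked in a non-MONITORING state such as CA_UNREACHABLE or NEWLY_ADDED_NEED_KEYINFO_READ_PIN. The sample output is constructed to mirror the thread's records and the hostname is a placeholder.

```python
"""Triage certmonger 'getcert list' output for the failure modes seen in this
thread: a ca-error after a failed resubmit, expiry, a non-MONITORING state."""
import re
from datetime import datetime

# Constructed sample modelled on the thread's output (hostname is a placeholder).
SAMPLE = """\
Request ID '20160108170324':
\tstatus: MONITORING
\tca-error: Server at "http://ipa.example.test:8080/ca/ee/ca/profileSubmit" replied: Profile caServerCert Not Found
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\texpires: 2016-06-28 15:25:11 UTC
Request ID '20141110133632':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 2018-06-22 22:02:47 UTC
Request ID '20161025120000':
\tstatus: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
\tcertificate: type=NSSDB,location='/var/lib/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
"""

def parse_getcert_list(text):
    """Split getcert output into one dict per 'Request ID' block."""
    records, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            records.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    for r in records:  # pull the NSS nickname out of the certificate field
        m = re.search(r"nickname='([^']*)'", r.get("certificate", ""))
        r["nickname"] = m.group(1) if m else None
    return records

def find_problems(records, now="2016-10-19 00:00:00 UTC"):
    """Return (request id, nickname, reason) for each unhealthy request."""
    fmt = "%Y-%m-%d %H:%M:%S %Z"  # certmonger's timestamp format
    problems = []
    for r in records:
        if r.get("status") != "MONITORING":
            problems.append((r["id"], r["nickname"], "status " + r.get("status", "?")))
        if "ca-error" in r:
            problems.append((r["id"], r["nickname"], "ca-error: " + r["ca-error"]))
        if "expires" in r and datetime.strptime(r["expires"], fmt) <= datetime.strptime(now, fmt):
            problems.append((r["id"], r["nickname"], "expired " + r["expires"]))
    return problems
```

Run it against real output with `find_problems(parse_getcert_list(open("getcert.txt").read()), now)`; a clean server returns an empty list.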