<html><body><div style="font-family: arial,helvetica,sans-serif; font-size: 10pt; color: #000000"><div> </div><div> </div><blockquote style="border-left:2px solid #1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;">De: "Florence Blanc-Renaud" <flo@redhat.com> À: "Bertrand Rétif" <bretif@phosphore.eu>, freeipa-users@redhat.com Envoyé: Mardi 22 Novembre 2016 11:33:45 Objet: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue <div> </div>On 11/22/2016 10:07 AM, Bertrand Rétif wrote: > ------------------------------------------------------------------------ > > *De: *"Bertrand Rétif" <bretif@phosphore.eu> > *À: *freeipa-users@redhat.com > *Envoyé: *Mardi 25 Octobre 2016 17:51:09 > *Objet: *Re: [Freeipa-users] Impossible to renew certificate. > pki-tomcat issue > > > ------------------------------------------------------------------------ > > *De: *"Florence Blanc-Renaud" <flo@redhat.com> > *À: *"Bertrand Rétif" <bretif@phosphore.eu>, > freeipa-users@redhat.com > *Envoyé: *Jeudi 20 Octobre 2016 18:45:21 > *Objet: *Re: [Freeipa-users] Impossible to renew certificate. > pki-tomcat issue > > On 10/19/2016 08:18 PM, Bertrand Rétif wrote: > > *De: *"Bertrand Rétif" <bretif@phosphore.eu> > > > > *À: *freeipa-users@redhat.com > > *Envoyé: *Mercredi 19 Octobre 2016 15:42:07 > > *Objet: *Re: [Freeipa-users] Impossible to renew certificate. > > pki-tomcat issue > > > > > > > ------------------------------------------------------------------------ > > > > *De: *"Rob Crittenden" <rcritten@redhat.com> > > *À: *"Bertrand Rétif" <bretif@phosphore.eu>, > > freeipa-users@redhat.com > > *Envoyé: *Mercredi 19 Octobre 2016 15:30:14 > > *Objet: *Re: [Freeipa-users] Impossible to renew > certificate. > > pki-tomcat issue > > > > Bertrand Rétif wrote: > > >> De: "Martin Babinsky" <mbabinsk@redhat.com> > > >> À: freeipa-users@redhat.com > > >> Envoyé: Mercredi 19 Octobre 2016 08:45:49 > > >> Objet: Re: [Freeipa-users] Impossible to renew > certificate. > > pki-tomcat issue > > > > > >> On 10/18/2016 11:22 PM, Bertrand Rétif wrote: > > >>> Hello, > > >>> > > >>> I had an issue with pki-tomcat. > > >>> I had serveral certificate that was expired and > pki-tomcat > > did not start > > >>> anymore. > > >>> > > >>> I set the dateon the server before certificate > expiration > > and then > > >>> pki-tomcat starts properly. > > >>> Then I try to resubmit the certificate, but I get > below error: > > >>> "Profile caServerCert Not Found" > > >>> > > >>> Do you have any idea how I could fix this issue. > > >>> > > >>> Please find below output of commands: > > >>> > > >>> > > >>> # getcert resubmit -i 20160108170324 > > >>> > > >>> # getcert list -i 20160108170324 > > >>> Number of certificates and requests being tracked: 7. > > >>> Request ID '20160108170324': > > >>> status: MONITORING > > >>> ca-error: Server at > > >>> > "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" > > replied: > > >>> Profile caServerCert Not Found > > >>> stuck: no > > >>> key pair storage: > > >>> > > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > > >>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > >>> certificate: > > >>> > > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > > >>> Certificate DB' > > >>> CA: dogtag-ipa-ca-renew-agent > > >>> issuer: CN=Certificate Authority,O=A.SKINFRA.EU > > >>> subject: CN=IPA RA,O=A.SKINFRA.EU > > >>> expires: 2016-06-28 15:25:11 UTC > > >>> key usage: > > >>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > >>> eku: id-kp-serverAuth,id-kp-clientAuth > > >>> pre-save command: > /usr/lib64/ipa/certmonger/renew_ra_cert_pre > > >>> post-save command: > /usr/lib64/ipa/certmonger/renew_ra_cert > > >>> track: yes > > >>> auto-renew: yes > > >>> > > >>> > > >>> Thanksby advance for your help. > > >>> Bertrand > > >>> > > >>> > > >>> > > >>> > > > > > >> Hi Betrand, > > > > > >> what version of FreeIPA and Dogtag are you running? > > > > > >> Also perform the following search on the IPA master > and post > > the result: > > > > > >> """ > > >> ldapsearch -D "cn=Directory Manager" -W -b > > >> 'ou=certificateProfiles,ou=ca,o=ipaca' > > '(objectClass=certProfile)' > > >> """ > > > > > > Hi Martin, > > > > > > Thanks for your reply. > > > > > > Here is version: > > > - FreeIPA 4.2.0 > > > - Centos 7.2 > > > > > > I have been able to fix the issue with "Profile > caServerCert > > Not Found" by editing > /var/lib/pki/pki-tomcat/ca/conf/CS.cfg > > > I replace below entry > > > > > > "subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem" > > > by > > > > "subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem" > > > > > > and then launch "ipa-server-upgrade" command > > > I found this solution in this post: > > http://osdir.com/ml/freeipa-users/2016-03/msg00280.html > > > > > > Then I was able to renew my certificate. > > > > > > However I reboot my server to and pki-tomcat do not > start and > > provide with a new erreor in > /var/log/pki/pki-tomcat/ca/debug > > > > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: > CertUtils: > > verifySystemCertByNickname() passed: auditSigningCert > cert-pki-ca > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: > > SignedAuditEventFactory: create() > > message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$ > > > System$][Outcome=Success][CertNickName=auditSigningCert > > cert-pki-ca] CIMC certificate verification > > > > > > java.lang.Exception: SystemCertsVerification: system > certs > > verification failure > > > at > > > com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198) > > > at > > > com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861) > > > at > > > com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797) > > > at > > > com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1701) > > > at > > > com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1148) > > > at com.netscape.certsrv.apps.CMS.startup(CMS.java:200) > > > at com.netscape.certsrv.apps.CMS.start(CMS.java:1602) > > > at > > > com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114) > > > at > javax.servlet.GenericServlet.init(GenericServlet.java:158) > > > at > sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > > at > > > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > > > at > > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > > at java.lang.reflect.Method.invoke(Method.java:606) > > > at > > > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) > > > at > > > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) > > > at > java.security.AccessController.doPrivileged(Native Method) > > > at > javax.security.auth.Subject.doAsPrivileged(Subject.java:536) > > > at > > > org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) > > > at > > > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169) > > > at > > > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123) > > > at > > > org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272) > > > at > > > org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197) > > > at > > > org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087) > > > at > > > org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210) > > > at > > > org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493) > > > at > > > org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) > > > at > > > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901) > > > at > > > org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) > > > at > > > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) > > > at > > > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) > > > at > java.security.AccessController.doPrivileged(Native Method) > > > at > > > org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875) > > > at > > > org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632) > > > at > > > org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672) > > > at > > > org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862) > > > at > > > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) > > > at > java.util.concurrent.FutureTask.run(FutureTask.java:262) > > > at > > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > > > at > > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > > > at java.lang.Thread.run(Thread.java:745) > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: > > SignedAuditEventFactory: create() > > > message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] > > self tests execution (see selftests.log for details) > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: > > CMSEngine.shutdown() > > > > > > > > > I am currently stuck here. > > > Thanks a lot for your help. > > > > I'm guessing at least one of the CA subsystem > certificates are > > still > > expired. Look at the "getcert list" output to see if > there are any > > expired certificates. > > > > rob > > > > > > > > Bertrand > > > > > > > > > > Hello Rob, > > > > I check on my 2 servers and no certificate is expired > > > > [root@sdkipa03 ~]# getcert list |grep expire > > expires: 2018-06-22 22:02:26 UTC > > expires: 2018-06-22 22:02:47 UTC > > expires: 2034-07-09 15:24:34 UTC > > expires: 2016-10-30 13:35:29 UTC > > > > [root@sdkipa01 conf]# getcert list |grep expire > > expires: 2018-06-12 23:38:01 UTC > > expires: 2018-06-12 23:37:41 UTC > > expires: 2018-06-11 22:53:57 UTC > > expires: 2018-06-11 22:55:50 UTC > > expires: 2018-06-11 22:57:47 UTC > > expires: 2034-07-09 15:24:34 UTC > > expires: 2018-06-11 22:59:55 UTC > > > > I see that one certificate is in status: CA_UNREACHABLE, > maybe I > > reboot to soon my server... > > > > I continue to investigate > > > > Thanks for your help. > > Bertrand > > > > I fix my previous issue. > > Now I have an issue with a server. > > This server can not start pki-tomcatd, I get this error in > debug file: > > "Error netscape.ldap.LDAPExceptio n: IO Error creating JSS SSL > Socket (-1)" > > > > After investigation i see that I do not have "ipaCert" > certificat in > > "/etc/httpd/alias" > > cf below command: > > > > [root@sdkipa03 ~]# getcert list -d /etc/httpd/alias > > Number of certificates and requests being tracked: 4. > > Request ID '20141110133632': > > status: MONITORING > > stuck: no > > key pair storage: > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > certificate: > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > Certificate DB' > > CA: IPA > > issuer: CN=Certificate Authority,O=A.SKINFRA.EU > > subject: CN=sdkipa03.skinfra.eu,O=A.SKINFRA.EU > > expires: 2018-06-22 22:02:47 UTC > > principal name: HTTP/sdkipa03.skinfra.eu@A.SKINFRA.EU > > key usage: > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: /usr/lib64/ipa/certmonger/restart_httpd > > track: yes > > auto-renew: yes > > > > > > How can I add the certificate to /etc/httpd/alias? > > > Hi, > > for the record, the command getcert list that you supplied shows > the > certificates in /etc/httpd/alias that are tracked by certmonger. > If you > want to display all the certificates contained in /etc/httpd/alias > (whether tracked or not), then you may want to use certutil -L -d > /etc/httpd/alias instead. > > If ipaCert is missing, you can export ipaCert certificate from > another > master, then import it to your server. > > On a master containing the cert: > # certutil -d /etc/httpd/alias -L -n 'ipaCert' -a > > /tmp/newRAcert.crt > > Then copy the file /tmp/newRAcert.crt to your server and import > the cert: > # certutil -d /etc/httpd/alias -A -n 'ipaCert' -a -i > /tmp/newRAcert.crt > -t u,u,u > > And finally you need to tell certmonger to monitor the cert using > getcert start-tracking. > > Hope this helps, > Flo. > > > Thanks fo ryour support. > > Regards > > Bertrand > > > > > > > > Hi, > > Florence, thanks for your help. > I was able to import correctly ipaCert with your commands. > Now it seems that I also have an issue on one server with > "subsystemCert cert-pki-ca" in /etc/pki/pki-tomcat/alias as I get > below error when pki-tomcat try to start > > > LdapJssSSLSocket set client auth cert nickname subsystemCert cert-pki-ca > Could not connect to LDAP server host sdkipa03.XX.YY port 636 Error > netscape.ldap.LDAPException: IO Error creating JSS SSL Socket ( > -1) > > > Is there a way to restore a correct "subsystemCert cert-pki-ca"? > > Regards > Bertrand > > Hello, > > I am still stuck with my IPA server. > I have issues on both servers. > On server1, below certificate is not renewed properly > certutil -L -d /etc/httpd/alias/ -n "ipaCert" > > and on server 2 this is this certificate: > certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "Server-Cert cert-pki-ca" > > Could you provide me with the correct syntax with start-tracking command. > I tried to laucnh this command but my certificat remains in > "NEWLY_ADDED_NEED_KEYINFO_READ_PIN" state. > Here is the comnd I use: > getcert start-tracking -c dogtag-ipa-retrieve-agent-submit -d > /var/lib/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca' -B > /usr/lib64/ipa/certmonger/stop_pkicad -C > '/usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"' -T > "Server-Cert cert-pki-ca" -P '20160614000000' > Hi Bertrand, <div> </div>to get the right command, you can check on a system where the certificate is properly monitored, this will show you the right parameters: $ sudo getcert list -n ipaCert Number of certificates and requests being tracked: 8. Request ID '20161122095344': [..] key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' [...] CA: dogtag-ipa-ca-renew-agent [...] pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert [...] <div> </div>The relevant fields are NSSDB location, pinfile, nickname, CA, pre and post-save commands. So in order to monitor ipaCert, you will need to use $ sudo getcert start-tracking -d /etc/httpd/alias -n ipaCert \ -p /etc/httpd/alias/pwdfile.txt \ -c dogtag-ipa-ca-renew-agent \ -B /usr/lib64/ipa/certmonger/renew_ra_cert_pre \ -C /usr/lib64/ipa/certmonger/renew_ra_cert <div> </div>HTH, Flo. <div> </div>> Thanks by advance for your help. > > Regards > Bertrand </blockquote><div>Hello Florence, </div><div> </div><div>Thanks for your reply. </div><div>Before doing any mistakes, I just need some explanations as I think I do not well understand how it should work. </div><div> </div><div>Do all the certificate need to be track by certmonger on all servers or they should only be tracked on one server and FreeIPA will update them on other servers? </div><div> </div><div>In my case I have below certicates outdated and not track on "server 1":</div><div> - certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "auditSigningCert cert-pki-ca" - certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "ocspSigningCert cert-pki-ca" - certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "subsystemCert cert-pki-ca" </div><div> </div><div>They are tracked by certmonger and have been correctly renewed on "server 2" </div><div>Do I need to add them tracked by certmonger on "server 1"? </div><div>If not, it means FreeIPA failed to update them? Should I delete and import them manually on server 2? </div><div> </div><div>If you need more details, do not hesitate to ask. </div><div> </div><div>Regards </div><div>Bertrand </div></div></body></html>