<html><body><div style="font-family: arial,helvetica,sans-serif; font-size: 10pt; color: #000000"><div>Hi Florence, </div><div> </div><div>Thanks for clarification. </div><div>Your explanation was very clear and I better understand </div><div> </div><div><div><meta http-equiv="Content-Type" content="text/html; charset=Windows-1252"><meta name="Generator" content="MS Exchange Server version 14.02.5004.000"><title></title></div><div>Now my issue is that I need to start tracking "auditSigningCert cert-pki-ca", "ocspSigningCert cert-pki-ca" and "subsystemCert cert-pki-ca" on a server. </div><div> </div><div>I take a look on another server where they are properly tracked. However getcert list return me "pin set" and not a "pinfile" as described in your mail. </div><div>In "/etc/pki/pki-tomcat/alias" I do not see any pwdfile.txt file, so my question is where do I get the PIN? </div><div> </div><div>Once again, thanks for your support, I tried to fix this issue for days! </div><div> </div><div>Regards </div><div>Bertrand </div><div> </div><div> </div><div>--</div><div>Bertrand Rétif</div><div> Phosphore Services Informatiques - <a href="http://www.phosphore.eu" data-mce-href="http://www.phosphore.eu" title="http://www.phosphore.eu" target="_blank">http://www.phosphore.eu</a> Tel: 04 66 51 87 73 / Mob: 06 61 87 03 30 / Fax: 09 72 12 61 44 </div> </div><hr id="zwchr"><blockquote style="border-left:2px solid #1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;" data-mce-style="border-left: 2px solid #1010FF; margin-left: 5px; padding-left: 5px; color: #000; font-weight: normal; font-style: normal; text-decoration: none; font-family: Helvetica,Arial,sans-serif; font-size: 12pt;">De: "Florence Blanc-Renaud" <flo@redhat.com> À: "Bertrand Rétif" <bretif@phosphore.eu>, freeipa-users@redhat.com Envoyé: Mardi 22 Novembre 2016 13:17:34 Objet: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue <div> </div>On 11/22/2016 11:50 AM, Bertrand Rétif wrote: > > > *De: *"Florence Blanc-Renaud" <flo@redhat.com> > *À: *"Bertrand Rétif" <bretif@phosphore.eu>, freeipa-users@redhat.com > *Envoyé: *Mardi 22 Novembre 2016 11:33:45 > *Objet: *Re: [Freeipa-users] Impossible to renew certificate. > pki-tomcat issue > > On 11/22/2016 10:07 AM, Bertrand Rétif wrote: > > > ------------------------------------------------------------------------ > > > > *De: *"Bertrand Rétif" <bretif@phosphore.eu> > > *À: *freeipa-users@redhat.com > > *Envoyé: *Mardi 25 Octobre 2016 17:51:09 > > *Objet: *Re: [Freeipa-users] Impossible to renew certificate. > > pki-tomcat issue > > > > > > > ------------------------------------------------------------------------ > > > > *De: *"Florence Blanc-Renaud" <flo@redhat.com> > > *À: *"Bertrand Rétif" <bretif@phosphore.eu>, > > freeipa-users@redhat.com > > *Envoyé: *Jeudi 20 Octobre 2016 18:45:21 > > *Objet: *Re: [Freeipa-users] Impossible to renew certificate. > > pki-tomcat issue > > > > On 10/19/2016 08:18 PM, Bertrand Rétif wrote: > > > *De: *"Bertrand Rétif" <bretif@phosphore.eu> > > > > > > *À: *freeipa-users@redhat.com > > > *Envoyé: *Mercredi 19 Octobre 2016 15:42:07 > > > *Objet: *Re: [Freeipa-users] Impossible to renew > certificate. > > > pki-tomcat issue > > > > > > > > > > > > ------------------------------------------------------------------------ > > > > > > *De: *"Rob Crittenden" <rcritten@redhat.com> > > > *À: *"Bertrand Rétif" <bretif@phosphore.eu>, > > > freeipa-users@redhat.com > > > *Envoyé: *Mercredi 19 Octobre 2016 15:30:14 > > > *Objet: *Re: [Freeipa-users] Impossible to renew > > certificate. > > > pki-tomcat issue > > > > > > Bertrand Rétif wrote: > > > >> De: "Martin Babinsky" <mbabinsk@redhat.com> > > > >> À: freeipa-users@redhat.com > > > >> Envoyé: Mercredi 19 Octobre 2016 08:45:49 > > > >> Objet: Re: [Freeipa-users] Impossible to renew > > certificate. > > > pki-tomcat issue > > > > > > > >> On 10/18/2016 11:22 PM, Bertrand Rétif wrote: > > > >>> Hello, > > > >>> > > > >>> I had an issue with pki-tomcat. > > > >>> I had serveral certificate that was expired and > > pki-tomcat > > > did not start > > > >>> anymore. > > > >>> > > > >>> I set the dateon the server before certificate > > expiration > > > and then > > > >>> pki-tomcat starts properly. > > > >>> Then I try to resubmit the certificate, but > I get > > below error: > > > >>> "Profile caServerCert Not Found" > > > >>> > > > >>> Do you have any idea how I could fix this issue. > > > >>> > > > >>> Please find below output of commands: > > > >>> > > > >>> > > > >>> # getcert resubmit -i 20160108170324 > > > >>> > > > >>> # getcert list -i 20160108170324 > > > >>> Number of certificates and requests being > tracked: 7. > > > >>> Request ID '20160108170324': > > > >>> status: MONITORING > > > >>> ca-error: Server at > > > >>> > > "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" > > > replied: > > > >>> Profile caServerCert Not Found > > > >>> stuck: no > > > >>> key pair storage: > > > >>> > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > > > >>> Certificate > DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > > >>> certificate: > > > >>> > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > > > >>> Certificate DB' > > > >>> CA: dogtag-ipa-ca-renew-agent > > > >>> issuer: CN=Certificate Authority,O=A.SKINFRA.EU > > > >>> subject: CN=IPA RA,O=A.SKINFRA.EU > > > >>> expires: 2016-06-28 15:25:11 UTC > > > >>> key usage: > > > >>> > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > > >>> eku: id-kp-serverAuth,id-kp-clientAuth > > > >>> pre-save command: > > /usr/lib64/ipa/certmonger/renew_ra_cert_pre > > > >>> post-save command: > > /usr/lib64/ipa/certmonger/renew_ra_cert > > > >>> track: yes > > > >>> auto-renew: yes > > > >>> > > > >>> > > > >>> Thanksby advance for your help. > > > >>> Bertrand > > > >>> > > > >>> > > > >>> > > > >>> > > > > > > > >> Hi Betrand, > > > > > > > >> what version of FreeIPA and Dogtag are you > running? > > > > > > > >> Also perform the following search on the IPA > master > > and post > > > the result: > > > > > > > >> """ > > > >> ldapsearch -D "cn=Directory Manager" -W -b > > > >> 'ou=certificateProfiles,ou=ca,o=ipaca' > > > '(objectClass=certProfile)' > > > >> """ > > > > > > > > Hi Martin, > > > > > > > > Thanks for your reply. > > > > > > > > Here is version: > > > > - FreeIPA 4.2.0 > > > > - Centos 7.2 > > > > > > > > I have been able to fix the issue with "Profile > > caServerCert > > > Not Found" by editing > > /var/lib/pki/pki-tomcat/ca/conf/CS.cfg > > > > I replace below entry > > > > > > > > > > "subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem" > > > > by > > > > > > > "subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem" > > > > > > > > and then launch "ipa-server-upgrade" command > > > > I found this solution in this post: > > > > http://osdir.com/ml/freeipa-users/2016-03/msg00280.html > > > > > > > > Then I was able to renew my certificate. > > > > > > > > However I reboot my server to and pki-tomcat > do not > > start and > > > provide with a new erreor in > > /var/log/pki/pki-tomcat/ca/debug > > > > > > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: > > CertUtils: > > > verifySystemCertByNickname() passed: > auditSigningCert > > cert-pki-ca > > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: > > > SignedAuditEventFactory: create() > > > > message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$ > > > > > System$][Outcome=Success][CertNickName=auditSigningCert > > > cert-pki-ca] CIMC certificate verification > > > > > > > > java.lang.Exception: SystemCertsVerification: > system > > certs > > > verification failure > > > > at > > > > > > com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198) > > > > at > > > > > > com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861) > > > > at > > > > > > com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797) > > > > at > > > > > > com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1701) > > > > at > > > > > > com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1148) > > > > at > com.netscape.certsrv.apps.CMS.startup(CMS.java:200) > > > > at > com.netscape.certsrv.apps.CMS.start(CMS.java:1602) > > > > at > > > > > > com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114) > > > > at > > javax.servlet.GenericServlet.init(GenericServlet.java:158) > > > > at > > sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > > > at > > > > > > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > > > > at > > > > > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > > > at > java.lang.reflect.Method.invoke(Method.java:606) > > > > at > > > > > > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) > > > > at > > > > > > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) > > > > at > > java.security.AccessController.doPrivileged(Native Method) > > > > at > > javax.security.auth.Subject.doAsPrivileged(Subject.java:536) > > > > at > > > > > > org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) > > > > at > > > > > > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169) > > > > at > > > > > > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123) > > > > at > > > > > > org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272) > > > > at > > > > > > org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197) > > > > at > > > > > > org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087) > > > > at > > > > > > org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210) > > > > at > > > > > > org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493) > > > > at > > > > > > org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) > > > > at > > > > > > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901) > > > > at > > > > > > org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) > > > > at > > > > > > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) > > > > at > > > > > > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) > > > > at > > java.security.AccessController.doPrivileged(Native Method) > > > > at > > > > > > org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875) > > > > at > > > > > > org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632) > > > > at > > > > > > org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672) > > > > at > > > > > > org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862) > > > > at > > > > > > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) > > > > at > > java.util.concurrent.FutureTask.run(FutureTask.java:262) > > > > at > > > > > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > > > > at > > > > > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > > > > at java.lang.Thread.run(Thread.java:745) > > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: > > > SignedAuditEventFactory: create() > > > > > > message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] > > > self tests execution (see selftests.log for details) > > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: > > > CMSEngine.shutdown() > > > > > > > > > > > > I am currently stuck here. > > > > Thanks a lot for your help. > > > > > > I'm guessing at least one of the CA subsystem > > certificates are > > > still > > > expired. Look at the "getcert list" output to see if > > there are any > > > expired certificates. > > > > > > rob > > > > > > > > > > > Bertrand > > > > > > > > > > > > > > Hello Rob, > > > > > > I check on my 2 servers and no certificate is expired > > > > > > [root@sdkipa03 ~]# getcert list |grep expire > > > expires: 2018-06-22 22:02:26 UTC > > > expires: 2018-06-22 22:02:47 UTC > > > expires: 2034-07-09 15:24:34 UTC > > > expires: 2016-10-30 13:35:29 UTC > > > > > > [root@sdkipa01 conf]# getcert list |grep expire > > > expires: 2018-06-12 23:38:01 UTC > > > expires: 2018-06-12 23:37:41 UTC > > > expires: 2018-06-11 22:53:57 UTC > > > expires: 2018-06-11 22:55:50 UTC > > > expires: 2018-06-11 22:57:47 UTC > > > expires: 2034-07-09 15:24:34 UTC > > > expires: 2018-06-11 22:59:55 UTC > > > > > > I see that one certificate is in status: CA_UNREACHABLE, > > maybe I > > > reboot to soon my server... > > > > > > I continue to investigate > > > > > > Thanks for your help. > > > Bertrand > > > > > > I fix my previous issue. > > > Now I have an issue with a server. > > > This server can not start pki-tomcatd, I get this error in > > debug file: > > > "Error netscape.ldap.LDAPExceptio n: IO Error creating > JSS SSL > > Socket (-1)" > > > > > > After investigation i see that I do not have "ipaCert" > > certificat in > > > "/etc/httpd/alias" > > > cf below command: > > > > > > [root@sdkipa03 ~]# getcert list -d /etc/httpd/alias > > > Number of certificates and requests being tracked: 4. > > > Request ID '20141110133632': > > > status: MONITORING > > > stuck: no > > > key pair storage: > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > > certificate: > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > > Certificate DB' > > > CA: IPA > > > issuer: CN=Certificate Authority,O=A.SKINFRA.EU > > > subject: CN=sdkipa03.skinfra.eu,O=A.SKINFRA.EU > > > expires: 2018-06-22 22:02:47 UTC > > > principal name: HTTP/sdkipa03.skinfra.eu@A.SKINFRA.EU > > > key usage: > > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > > eku: id-kp-serverAuth,id-kp-clientAuth > > > pre-save command: > > > post-save command: > /usr/lib64/ipa/certmonger/restart_httpd > > > track: yes > > > auto-renew: yes > > > > > > > > > How can I add the certificate to /etc/httpd/alias? > > > > > Hi, > > > > for the record, the command getcert list that you supplied > shows > > the > > certificates in /etc/httpd/alias that are tracked by > certmonger. > > If you > > want to display all the certificates contained in > /etc/httpd/alias > > (whether tracked or not), then you may want to use > certutil -L -d > > /etc/httpd/alias instead. > > > > If ipaCert is missing, you can export ipaCert certificate from > > another > > master, then import it to your server. > > > > On a master containing the cert: > > # certutil -d /etc/httpd/alias -L -n 'ipaCert' -a > > > /tmp/newRAcert.crt > > > > Then copy the file /tmp/newRAcert.crt to your server and > import > > the cert: > > # certutil -d /etc/httpd/alias -A -n 'ipaCert' -a -i > > /tmp/newRAcert.crt > > -t u,u,u > > > > And finally you need to tell certmonger to monitor the > cert using > > getcert start-tracking. > > > > Hope this helps, > > Flo. > > > > > Thanks fo ryour support. > > > Regards > > > Bertrand > > > > > > > > > > > > > Hi, > > > > Florence, thanks for your help. > > I was able to import correctly ipaCert with your commands. > > Now it seems that I also have an issue on one server with > > "subsystemCert cert-pki-ca" in /etc/pki/pki-tomcat/alias as I get > > below error when pki-tomcat try to start > > > > > > LdapJssSSLSocket set client auth cert nickname subsystemCert > cert-pki-ca > > Could not connect to LDAP server host sdkipa03.XX.YY port 636 > Error > > netscape.ldap.LDAPException: IO Error creating JSS SSL Socket ( > > -1) > > > > > > Is there a way to restore a correct "subsystemCert cert-pki-ca"? > > > > Regards > > Bertrand > > > > Hello, > > > > I am still stuck with my IPA server. > > I have issues on both servers. > > On server1, below certificate is not renewed properly > > certutil -L -d /etc/httpd/alias/ -n "ipaCert" > > > > and on server 2 this is this certificate: > > certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "Server-Cert > cert-pki-ca" > > > > Could you provide me with the correct syntax with start-tracking > command. > > I tried to laucnh this command but my certificat remains in > > "NEWLY_ADDED_NEED_KEYINFO_READ_PIN" state. > > Here is the comnd I use: > > getcert start-tracking -c dogtag-ipa-retrieve-agent-submit -d > > /var/lib/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca' -B > > /usr/lib64/ipa/certmonger/stop_pkicad -C > > '/usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"' -T > > "Server-Cert cert-pki-ca" -P '20160614000000' > > > Hi Bertrand, > > to get the right command, you can check on a system where the > certificate is properly monitored, this will show you the right > parameters: > $ sudo getcert list -n ipaCert > Number of certificates and requests being tracked: 8. > Request ID '20161122095344': > [..] key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > [...] > CA: dogtag-ipa-ca-renew-agent > [...] > pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre > post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert > [...] > > The relevant fields are NSSDB location, pinfile, nickname, CA, pre and > post-save commands. So in order to monitor ipaCert, you will need to use > $ sudo getcert start-tracking -d /etc/httpd/alias -n ipaCert \ > -p /etc/httpd/alias/pwdfile.txt \ > -c dogtag-ipa-ca-renew-agent \ > -B /usr/lib64/ipa/certmonger/renew_ra_cert_pre \ > -C /usr/lib64/ipa/certmonger/renew_ra_cert > > HTH, > Flo. > > > Thanks by advance for your help. > > > > Regards > > Bertrand > > Hello Florence, > > Thanks for your reply. > Before doing any mistakes, I just need some explanations as I think I do > not well understand how it should work. > > Do all the certificate need to be track by certmonger on all servers or > they should only be tracked on one server and FreeIPA will update them > on other servers? > > In my case I have below certicates outdated and not track on "server 1": > - certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "auditSigningCert > cert-pki-ca" > - certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "ocspSigningCert > cert-pki-ca" > - certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "subsystemCert > cert-pki-ca" > > They are tracked by certmonger and have been correctly renewed on "server 2" > Do I need to add them tracked by certmonger on "server 1"? > If not, it means FreeIPA failed to update them? Should I delete and > import them manually on server 2? > > If you need more details, do not hesitate to ask. > Hi Bertrand, <div> </div>The certificate tracking depends on the type of certificate and on the server you're considering. For instance, if IPA includes a Certificate Authority, then ipaCert will be present on all the IPA servers (master/replicas) and tracked on all of them. The same ipaCert certificate is used on all the replicas. On the renewal master, the renewal operation actually renews the certificate and uploads the cert on LDAP, but on the other replicas the operation consists in downloading the new certificate from LDAP. <div> </div>The HTTP and LDAP server certificates are present and tracked on all the IPA servers, but they are different on each server (you can see that the Subject of the certificate contains the hostname). They can be renewed independently on each IPA server. <div> </div>The certificates used by Dogtag (the component providing the Certificate System) are present and tracked only on the IPA servers where the CA was setup (for instance if you installed a replica with --setup-ca or if you ran ipa-ca-install later on). The same certificates are used on all replicas containing a CA instance. They are: 'ocspSigningCert cert-pki-ca', 'subsystemCert cert-pki-ca', 'caSigningCert cert-pki-ca' and 'Server-Cert cert-pki-ca'. The renewal operation renews them on the renewal master and uploads them in LDAP, but just downloads them from LDAP on the other servers. <div> </div>In your example, if server1 also contains a CA instance then it should also track the above certs. <div> </div>You can find the renewal master with the following ldapsearch command: $ ldapsearch -h localhost -p 389 -D 'cn=Directory Manager' -w password -b "cn=masters,cn=ipa,cn=etc,$BASEDN" -LLL '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn dn: cn=CA,cn=ipaserver.fqdn,cn=masters,cn=ipa,cn=etc,$BASEDN <div> </div>In this case the renewal master is ipaserver.fqdn <div> </div>Hope this clarifies, Flo. <div> </div>> Regards > Bertrand > > <div> </div></blockquote><div> </div></div></body></html>