<div dir="ltr"><div>Flo,<br><br></div>I'm not able to access the link you posted. I did find this thread though <a href="https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html" target="_blank">https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html</a> and have set the time back and resubmitted a request. Still no success. Any further hints?<br><br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jan 6, 2017 at 11:52 AM, Florence Blanc-Renaud <span dir="ltr"><<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 01/06/2017 05:36 PM, Jeff Goddard wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Thanks Flo,<br>
<br>
I was able to add the host to the keytab once I found the correct<br>
command and then was able to issue<br>
<br>
[root@id-management-1 pki-tomcat]# ipa-cacert-manage renew<br>
Renewing CA certificate, please wait<br>
CA certificate successfully renewed<br>
The ipa-cacert-manage command was successful<br>
<br>
</blockquote>
Hi Jeff,<br>
<br>
the "ipa-cacert-manage renew" command renews the CA certificate (the one with the alias caSigningCert cert-pki-ca) but not the expired ones. You need to follow the instructions linked in my previous e-mail to fix them first, basically go back in time by setting the system clock time and let certmonger renew them.<br>
<br>
HTH,<br>
Flo.<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
But the pki-tomcat still fails to start. From the logs I get:<br>
<br>
[root@id-management-1 pki-tomcat]# cat localhost.2017-01-06.log  |less<br>
Jan 06, 2017 7:23:44 AM org.apache.catalina.core.ApplicationContext log<br>
SEVERE: StandardWrapper.Throwable<br>
java.lang.NullPointerException<br>
        at com.netscape.cmscore.selftests.SelfTestSubsystem.shutdown(SelfTestSubsystem.java:1886)<br>
        at com.netscape.cmscore.apps.CMSEngine.shutdownSubsystems(CMSEngine.java:2115)<br>
        at com.netscape.cmscore.apps.CMSEngine.shutdown(CMSEngine.java:2010)<br>
        at com.netscape.certsrv.apps.CMS.shutdown(CMS.java:233)<br>
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1625)<br>
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)<br>
        at javax.servlet.GenericServlet.init(GenericServlet.java:158)<br>
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)<br>
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)<br>
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)<br>
        at java.lang.reflect.Method.invoke(Method.java:498)<br>
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)<br>
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)<br>
        at java.security.AccessController.doPrivileged(Native Method)<br>
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)<br>
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)<br>
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)<br>
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)<br>
        at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)<br>
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)<br>
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)<br>
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)<br>
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)<br>
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)<br>
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)<br>
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)<br>
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)<br>
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)<br>
        at java.security.AccessController.doPrivileged(Native Method)<br>
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)<br>
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)<br>
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)<br>
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)<br>
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)<br>
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)<br>
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)<br>
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)<br>
        at java.lang.Thread.run(Thread.java:745)<br>
<br>
I found this thread:<br>
<a href="https://www.redhat.com/archives/freeipa-users/2016-February/msg00125.html" rel="noreferrer" target="_blank">https://www.redhat.com/archives/freeipa-users/2016-February/msg00125.html</a><br>
but I don't have self-test logs from today, only from yesterday. Here<br>
are the relevant debug logs from the most recent restart:<br>
<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: ============================================<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: =====  DEBUG SUBSYSTEM INITIALIZED   =======<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: ============================================<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: done init id=debug<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initialized debug<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initSubsystem id=log<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: ready to init id=log<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: done init id=log<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initialized log<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initSubsystem id=jss<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: ready to init id=jss<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: done init id=jss<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initialized jss<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: ready to init id=dbs<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem)<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: LdapBoundConnFactory: init<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: LdapBoundConnFactory:doCloning true<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: LdapAuthInfo: init()<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: LdapAuthInfo: init begins<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: LdapAuthInfo: init ends<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: init: before makeConnection errorIfDown is true<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: makeConnection: errorIfDown true<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: Candidate cert: caSigningCert cert-pki-ca<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: SSL handshake happened<br>
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine.shutdown()<br>
<br>
Is there something else I should be looking at?<br>
<br>
Jeff<br>
<br>
<br>
<br>
On Fri, Jan 6, 2017 at 11:23 AM, Florence Blanc-Renaud <<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a>> wrote:<br>
<br>
    On 01/06/2017 04:47 PM, Jeff Goddard wrote:<br>
<br>
        Sorry for the typo. Here is the correct output:<br>
        ldapsearch -h id-management-1.internal.emerlyn.com<br>
        SASL/EXTERNAL authentication started<br>
        ldap_sasl_interactive_bind_s: Unknown authentication method (-6)<br>
                additional info: SASL(-4): no mechanism available:<br>
<br>
        When I look at the certificates I get errors regarding a host<br>
        service in<br>
        the keytab. Here is the output:<br>
<br>
        [root@id-management-1 ca]# getcert list<br>
        Number of certificates and requests being tracked: 8.<br>
        Request ID '20150116161829':<br>
                status: MONITORING<br>
                ca-error: Error setting up ccache for "host" service on client using default keytab: Keytab contains no suitable keys for host/id-management-1.internal.emerlyn.com@INTERNAL.EMERLYN.COM.<br>
                stuck: no<br>
                key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-INTERNAL-EMERLYN-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-INTERNAL-EMERLYN-COM/pwdfile.txt'<br>
                certificate: type=NSSDB,location='/etc/dirsrv/slapd-INTERNAL-EMERLYN-COM',nickname='Server-Cert',token='NSS Certificate DB'<br>
                CA: IPA<br>
                issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM<br>
                subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM<br>
                expires: 2017-01-16 16:18:29 UTC<br>
                key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
                eku: id-kp-serverAuth,id-kp-clientAuth<br>
                pre-save command:<br>
                post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv INTERNAL-EMERLYN-COM<br>
                track: yes<br>
                auto-renew: yes<br>
        Request ID '20150116162120':<br>
                status: MONITORING<br>
                ca-error: Error setting up ccache for "host" service on client using default keytab: Keytab contains no suitable keys for host/id-management-1.internal.emerlyn.com@INTERNAL.EMERLYN.COM.<br>
                stuck: no<br>
                key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
                certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'<br>
                CA: IPA<br>
                issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM<br>
                subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM<br>
                expires: 2017-01-16 16:21:20 UTC<br>
                key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
                eku: id-kp-serverAuth,id-kp-clientAuth<br>
                pre-save command:<br>
                post-save command: /usr/lib64/ipa/certmonger/restart_httpd<br>
                track: yes<br>
                auto-renew: yes<br>
        Request ID '20151217174142':<br>
                status: CA_UNREACHABLE<br>
                ca-error: Internal error<br>
                stuck: no<br>
                key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set<br>
                certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'<br>
                CA: dogtag-ipa-ca-renew-agent<br>
                issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM<br>
                subject: CN=CA Audit,O=INTERNAL.EMERLYN.COM<br>
                expires: 2017-01-05 16:18:01 UTC<br>
                key usage: digitalSignature,nonRepudiation<br>
                pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br>
                post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"<br>
                track: yes<br>
                auto-renew: yes<br>
        Request ID '20151217174143':<br>
                status: CA_UNREACHABLE<br>
                ca-error: Internal error<br>
                stuck: no<br>
                key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set<br>
                certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'<br>
                CA: dogtag-ipa-ca-renew-agent<br>
                issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM<br>
                subject: CN=OCSP Subsystem,O=INTERNAL.EMERLYN.COM<br>
                expires: 2017-01-05 16:17:58 UTC<br>
                key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign<br>
                eku: id-kp-OCSPSigning<br>
                pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br>
                post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"<br>
                track: yes<br>
                auto-renew: yes<br>
        Request ID '20151217174144':<br>
                status: CA_UNREACHABLE<br>
                ca-error: Internal error<br>
                stuck: no<br>
                key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set<br>
                certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'<br>
                CA: dogtag-ipa-ca-renew-agent<br>
                issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM<br>
                subject: CN=CA Subsystem,O=INTERNAL.EMERLYN.COM<br>
                expires: 2017-01-05 16:17:59 UTC<br>
                key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
                eku: id-kp-serverAuth,id-kp-clientAuth<br>
                pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br>
                post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"<br>
                track: yes<br>
                auto-renew: yes<br>
        Request ID '20151217174145':<br>
                status: CA_UNREACHABLE<br>
                ca-error: Internal error<br>
                stuck: no<br>
                key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set<br>
                certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'<br>
                CA: dogtag-ipa-ca-renew-agent<br>
                issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM<br>
                subject: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM<br>
                expires: 2035-01-16 16:17:57 UTC<br>
                key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign<br>
                pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br>
                post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"<br>
                track: yes<br>
                auto-renew: yes<br>
        Request ID '20151217174146':<br>
                status: CA_UNREACHABLE<br>
                ca-error: Internal error<br>
                stuck: no<br>
                key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
                certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'<br>
                CA: dogtag-ipa-ca-renew-agent<br>
                issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM<br>
                subject: CN=IPA RA,O=INTERNAL.EMERLYN.COM<br>
                expires: 2017-01-05 16:18:23 UTC<br>
                key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
                eku: id-kp-serverAuth,id-kp-clientAuth<br>
                pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre<br>
                post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert<br>
                track: yes<br>
                auto-renew: yes<br>
        Request ID '20151217174147':<br>
                status: CA_UNREACHABLE<br>
                ca-error: Error 60 connecting to https://id-management-1.internal.emerlyn.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.<br>
                stuck: no<br>
                key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set<br>
                certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'<br>
                CA: dogtag-ipa-renew-agent<br>
                issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM<br>
                subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM<br>
                expires: 2017-01-05 16:17:59 UTC<br>
                key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
                eku: id-kp-serverAuth<br>
                pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad<br>
                post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"<br>
                track: yes<br>
                auto-renew: yes<br>
<br>
        Looking at the content of /etc/krb5.keytab results in no host<br>
        entry found:<br>
<br>
        ktutil<br>
        ktutil:  read_kt /etc/krb5.keytab<br>
        ktutil:  list<br>
        slot KVNO Principal<br>
        ---- ---- ---------------------------------------------------------------------<br>
           1    1 cifs/shares-01.internal.emerlyn.com@INTERNAL.EMERLYN.COM<br>
           2    1 cifs/shares-01.internal.emerlyn.com@INTERNAL.EMERLYN.COM<br>
           3    1 cifs/shares-01.internal.emerlyn.com@INTERNAL.EMERLYN.COM<br>
           4    1 cifs/shares-01.internal.emerlyn.com@INTERNAL.EMERLYN.COM<br>
           5    1 cifs/files-01.internal.emerlyn.com@INTERNAL.EMERLYN.COM<br>
           6    1 cifs/files-01.internal.emerlyn.com@INTERNAL.EMERLYN.COM<br>
           7    1 cifs/files-01.internal.emerlyn.com@INTERNAL.EMERLYN.COM<br>
           8    1 cifs/files-01.internal.emerlyn.com@INTERNAL.EMERLYN.COM<br>
           9    2 host/files-01.internal.emerlyn.com@INTERNAL.EMERLYN.COM<br>
          10    2 host/files-01.internal.emerlyn.com@INTERNAL.EMERLYN.COM<br>
          11    2 host/files-01.internal.emerlyn.com@INTERNAL.EMERLYN.COM<br>
          12    2 host/files-01.internal.emerlyn.com@INTERNAL.EMERLYN.COM<br>
<br>
<br>
        Trying to add a host entry:<br>
        kadmin -q "ktadd -k /etc/krb5.keytab host/id-management-1.internal.emerlyn.com"<br>
        Authenticating as principal admin/admin@INTERNAL.EMERLYN.COM with password.<br>
        kadmin: Client 'admin/admin@INTERNAL.EMERLYN.COM' not found in Kerberos database<br>
        while initializing kadmin interface<br>
<br>
        Yet if I issue kinit admin I get a password prompt and appear to<br>
        get a<br>
        ticket. What am I missing?<br>
<br>
<br>
<br>
<br>
<br>
        On Fri, Jan 6, 2017 at 10:19 AM, Rob Crittenden<br>
        <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>> wrote:<br>
<br>
            Jeff Goddard wrote:<br>
            > My environment is freeipa 4.4; centos 7.3. This system was upgraded as<br>
            > of yesterday afternoon. I'm unable to start pki-tomcat. The debug log<br>
            > shows this entry:<br>
            ><br>
            > Internal Database Error encountered: Could not connect to LDAP server<br>
            > host id-management-1.internal.emerlyn.com port 636 Error<br>
            > netscape.ldap.LDAPException: Authentication failed (48)<br>
            >         at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)<br>
            >         at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)<br>
            >         at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)<br>
            >         at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)<br>
            >         at com.netscape.certsrv.apps.CMS.init(CMS.java:187)<br>
            >         at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)<br>
            >         at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)<br>
            >         at javax.servlet.GenericServlet.init(GenericServlet.java:158)<br>
            >         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)<br>
            >         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)<br>
            >         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)<br>
            >         at java.lang.reflect.Method.invoke(Method.java:498)<br>
            >         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)<br>
            >         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)<br>
            >         at java.security.AccessController.doPrivileged(Native Method)<br>
            >         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)<br>
            >         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)<br>
            >         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)<br>
            >         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)<br>
            >         at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)<br>
            >         at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)<br>
            >         at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)<br>
            >         at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)<br>
            >         at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)<br>
            >         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)<br>
            >         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)<br>
            >         at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)<br>
            >         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)<br>
            >         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)<br>
            >         at java.security.AccessController.doPrivileged(Native Method)<br>
            >         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)<br>
            >         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)<br>
            >         at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)<br>
            >         at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)<br>
            >         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)<br>
            >         at java.util.concurrent.FutureTask.run(FutureTask.java:266)<br>
            >         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)<br>
            >         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)<br>
            >         at java.lang.Thread.run(Thread.java:745)<br>
            ><br>
            ><br>
            > I'm able to get a Kerberos ticket using kinit but ldap search gives this<br>
            > error:<br>
            ><br>
            >  ldapsearch -h id-manaement-1.internal.emerlyn.com -x -b<br>
            > "cn=CAcert,cn=ipa,cn=etc,dc=internal,dc=emerlyn,dc=com"<br>
            > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br>
            ><br>
            > adding the -d1 debugging tag results in:<br>
            ><br>
            > ldap_create<br>
            > ldap_url_parse_ext(ldap://id-manaement-1.internal.emerlyn.com)<br>
            > ldap_sasl_bind<br>
            > ldap_send_initial_request<br>
            > ldap_new_connection 1 1 0<br>
            > ldap_int_open_connection<br>
            > ldap_connect_to_host: TCP id-manaement-1.internal.emerlyn.com:389<br>
            > ldap_connect_to_host: getaddrinfo failed: Name or service not known<br>
            > ldap_err2string<br>
            > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br>
            ><br>
            > I'm able to resolve the hostname via nslookup and /etc/hosts has the<br>
            > correct mapping entry.<br>
            ><br>
            > I'm kind of lost at this point and could use some help.<br>
            ><br>
            > Thanks in advance.<br>
<br>
            You have a typo in the hostname you're trying to connect to, missing the<br>
            'g' in management.<br>
<br>
            I have a vague memory from other reports of this issue that the problem<br>
            may be that the value of the certificate(s) in CS.cfg is different from<br>
            the dogtag NSS database. I'd see if those line up.<br>
<br>
            rob<br>
<br>
<br>
<br>
<br>
        --<br>
        Jeff<br>
<br>
<br>
<br>
    Hi Jeff,<br>
<br>
    according to the output of getcert list, many certificates expired<br>
    just yesterday (auditSigningCert cert-pki-ca, ocspSigningCert<br>
    cert-pki-ca, subsystemCert cert-pki-ca, Server-Cert cert-pki-ca in<br>
    the PKI NSS DB and ipaCert in /etc/httpd/alias).<br>
<br>
    You can refer to this page:<br>
    <a href="https://access.redhat.com/solutions/643753" rel="noreferrer" target="_blank">https://access.redhat.com/solutions/643753</a><br>
    to fix the issue.<br>
<br>
    It is likely that dogtag cannot authenticate to LDAP because its<br>
    certificate is expired, and hence refuses to start. IMHO the upgrade<br>
    is just an unlucky coincidence (happening the same day as cert<br>
    expiration) but not the root cause.<br>
<br>
    HTH,<br>
    Flo.<br>
<br>
<br>
<br><span class="m_-2816439398676236180m_6621343680287564731HOEnZb"><font color="#888888">
<br>
--<br>
<br>
</font></span></blockquote>
<br>
</blockquote></div><br><br clear="all"><br>-- <br><div class="m_-2816439398676236180m_6621343680287564731gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>Jeff<br></div><br></div></div>
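Flo's diagnosis in the quoted thread comes from reading <code>getcert list</code> by hand. As an added example that is not code from the thread or from FreeIPA, the Python below parses <code>getcert list</code> text and flags tracking requests that are expired, close to expiry, stuck, or no longer in certmonger's MONITORING state; the sample output, its request IDs, the CA_UNREACHABLE status and the 2017-01-06 reference time are constructed assumptions chosen to mirror the situation in the thread.<br>

```python
"""Triage certmonger tracking requests from `getcert list` output.

Added example (not thread or FreeIPA code): flags certificates that are
expired, near expiry, stuck, or not in certmonger's MONITORING state.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `getcert list` output (not captured from the
# poster's system); nicknames and the 2017-01-05 expiry mirror the thread.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20160105161759':
\tstatus: CA_UNREACHABLE
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2017-01-05 16:17:59 UTC
\tauto-renew: yes
Request ID '20160105161801':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2017-01-20 16:18:01 UTC
\tauto-renew: yes
Request ID '20160105161805':
\tstatus: MONITORING
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\texpires: 2018-01-05 16:18:05 UTC
\tauto-renew: no
"""
# Reference time for the sample: the day the thread was written.
THREAD_DATE = datetime(2017, 1, 6, 16, 0, tzinfo=timezone.utc)
_NICK_RE = re.compile(r"nickname='([^']*)'")


def parse_getcert_list(text: str) -> list[dict[str, str]]:
    """Split `getcert list` text into one {field: value} dict per Request ID."""
    blocks: list[dict[str, str]] = []
    for raw in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", raw)
        if m:
            blocks.append({"request_id": m.group(1)})
        elif blocks and ": " in raw:  # "key: value" line inside a block
            key, value = raw.strip().split(": ", 1)
            blocks[-1][key] = value
    return blocks


def expires_at(block: dict[str, str]) -> datetime:
    """getcert prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'; return it tz-aware."""
    naive = datetime.strptime(block["expires"][:19], "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)


def triage(blocks: list[dict[str, str]], now: datetime,
           warn_days: int = 30) -> dict[str, list[str]]:
    """Map each certificate nickname to the problems found with its request."""
    findings: dict[str, list[str]] = {}
    for b in blocks:
        m = _NICK_RE.search(b.get("certificate", ""))
        nick = m.group(1) if m else b["request_id"]
        left = expires_at(b) - now
        problems = []
        if left <= timedelta(0):
            problems.append("EXPIRED")
        elif left <= timedelta(days=warn_days):
            problems.append(f"expires in {left.days} days")
        if b.get("status") != "MONITORING":  # e.g. CA_UNREACHABLE: renewal stalled
            problems.append(f"certmonger status {b.get('status')}")
        if b.get("stuck") == "yes":
            problems.append("request stuck")
        if b.get("auto-renew") != "yes":
            problems.append("auto-renew disabled")
        if problems:
            findings[nick] = problems
    return findings
```

Run it against real output with <code>triage(parse_getcert_list(open("getcert.txt").read()), datetime.now(timezone.utc))</code>; an expired entry whose status is not MONITORING is the pattern this thread describes, where certmonger can no longer reach the CA it would need for renewal.<br>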
</div></div>