[Pki-users] How to update old/incorrect certificates on Dirsrv so Dogtag can connect to it?

Vladyslav Frolov frolvlad at gmail.com
Wed Nov 2 22:35:52 UTC 2016


Hi,

I have a problem with FreeIPA state. At some point, PKI certificates were
regenerated from scratch, but Dirsrv and HTTPD are still using old
certificates, and Dogtag cannot connect to them because of this. Here is
`/var/log/pki/pki-tomcat/ca/debug`:

```
[02/Nov/2016:22:18:53][localhost-startStop-1]: =====  DEBUG SUBSYSTEM INITIALIZED   =======
[02/Nov/2016:22:18:53][localhost-startStop-1]: ============================================
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: done init id=debug
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: initialized debug
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: initSubsystem id=log
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: ready to init id=log
[02/Nov/2016:22:18:53][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
[02/Nov/2016:22:18:53][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
[02/Nov/2016:22:18:53][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: done init id=log
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: initialized log
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: ready to init id=jss
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: done init id=jss
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: initialized jss
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine: ready to init id=dbs
[02/Nov/2016:22:18:53][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=false
[02/Nov/2016:22:18:53][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem)
[02/Nov/2016:22:18:53][localhost-startStop-1]: LdapBoundConnFactory: init
[02/Nov/2016:22:18:53][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
[02/Nov/2016:22:18:53][localhost-startStop-1]: LdapAuthInfo: init()
[02/Nov/2016:22:18:53][localhost-startStop-1]: LdapAuthInfo: init begins
[02/Nov/2016:22:18:53][localhost-startStop-1]: LdapAuthInfo: init ends
[02/Nov/2016:22:18:53][localhost-startStop-1]: init: before makeConnection errorIfDown is true
[02/Nov/2016:22:18:53][localhost-startStop-1]: makeConnection: errorIfDown true
[02/Nov/2016:22:18:53][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
[02/Nov/2016:22:18:53][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca

Internal Database Error encountered: Could not connect to LDAP server host freeipa.sparky.salford-systems.com port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8179) Peer's Certificate issuer is not recognized. (-1)
        at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
        at javax.servlet.GenericServlet.init(GenericServlet.java:158)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:293)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:290)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:325)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:176)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
        at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1226)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1151)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1038)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5027)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5337)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:699)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:587)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1798)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
[02/Nov/2016:22:18:53][localhost-startStop-1]: CMSEngine.shutdown()
```

I am running FreeIPA in a Docker container with Fedora 24:

```
pki-base-10.3.5-6.fc24.noarch
pki-base-java-10.3.5-6.fc24.noarch
pki-kra-10.3.5-6.fc24.noarch
pki-tools-10.3.5-6.fc24.x86_64
pki-ca-10.3.5-6.fc24.noarch
pki-server-10.3.5-6.fc24.noarch
```

How can I regenerate and push the certificates for Dirsrv and HTTPD?

Thank you in advance,
Vlad