Hi Rob,

Please see below.  Notice "Failed to create jss service:
java.lang.SecurityException: Unable to initialize security library" in the CA
debug log: the CA's JSS/NSS subsystem fails during init (JssSubsystem.java:272),
so the CA never comes up and certmonger reports CA_UNREACHABLE (SSL connect error
to :9443) for the CA's tracked certs.  In the directory server errors log the
replication bind fails with NSS error -8054 (SEC_ERROR_REUSED_ISSUER_AND_SERIAL:
a certificate with the same issuer and serial number as one already in the
database, but with different contents), and in the access log the replication
peer (10.106.178.59) drops its startTLS connection with "SSL peer cannot verify
your certificate".  Together these suggest the NSS certificate databases now hold
conflicting copies of a CA/server certificate -- plausibly a result of our attempt
to generate a new CA and SSL cert -- rather than an expiry problem (none of the
tracked certs expires before 2018-10-23).

# getcert list | grep expires
        expires: 2018-10-23 09:34:16 UTC
        expires: 2018-10-23 09:33:16 UTC
        expires: 2018-10-23 09:33:16 UTC
        expires: 2018-10-24 09:33:15 UTC
        expires: 2018-10-23 09:33:16 UTC
        expires: 2019-03-03 19:54:22 UTC
        expires: 2019-03-03 19:54:22 UTC
        expires: 2019-03-03 19:54:22 UTC
        expires: unknown
root bioldap-p1  /var/log/pki-ca

                                                                                
                                 
 # ps -ef | grep tomcat                                                         
                                 
 pkiuser 18739 1 0 13:02 ? 00:00:04 
/usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/java                               
 -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory  
                                 
 -classpath 
:/usr/share/tomcat6/bin/bootstrap.jar:/usr/share/tomcat6/bin/tomcat-juli.jar:/usr/share/java/commons
 
 -daemon.jar -Dcatalina.base=/var/lib/pki-ca -Dcatalina.home=/usr/share/tomcat6 
-Djava.endorsed.dirs=            
 -Djava.io.tmpdir=/var/cache/tomcat6/temp                                       
                                 
 -Djava.util.logging.config.file=/var/lib/pki-ca/conf/logging.properties        
                                 
 -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 
org.apache.catalina.startup.Bootstrap start   
 root 20364 14505 0 13:23 pts/3 00:00:00 grep tomcat                            
                                 
 root bioldap-p1 /var/log/pki-ca                                                
                                 
 #                                                                              
                                 
                                                                                
                                 



                                                                                
                  
 [31/May/2017:13:02:04][main]: ============================================     
                  
 [31/May/2017:13:02:04][main]: ===== DEBUG SUBSYSTEM INITIALIZED =======        
                  
 [31/May/2017:13:02:04][main]: ============================================     
                  
 Failed to create jss service: java.lang.SecurityException: Unable to 
initialize security library 
 at com.netscape.cmscore.security.JssSubsystem.init(JssSubsystem.java:272)      
                  
 at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)       
                  
 at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)      
                  
 at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:306)                
                  
 at com.netscape.certsrv.apps.CMS.init(CMS.java:153)                            
                  
 at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)                          
                  
 at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85) 
                  
 at 
org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173) 
              
 at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)     
                  
 at 
org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4425)
             
 at org.apache.catalina.core.StandardContext.start(StandardContext.java:4738)   
                  
 at 
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791) 
              
 at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)     
                  
 at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)       
                  
 at 
org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)    
              
 at 
org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)   
              
 at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)      
                  
 at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)          
                  
 at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)  
                  
 at 
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
       
 at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)       
                  
 at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)          
                  
 at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)       
                  
 at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)      
                  
 at org.apache.catalina.core.StandardService.start(StandardService.java:516)    
                  
 at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)      
                  
 at org.apache.catalina.startup.Catalina.start(Catalina.java:593)               
                  
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)                 
                  
 at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)   
              
 at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
         
 at java.lang.reflect.Method.invoke(Method.java:606)                            
                  
 at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)             
                  
 at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)              
                  
                                                                                
                  





# getcert list (notice the last one: request 20161223074657 is a stuck
# CA_UNCONFIGURED entry for an httpd 'Signing-Cert' that was never issued --
# no issuer, no subject, expires unknown -- separate from the CA certs above)
Number of certificates and requests being tracked: 9.
Request ID '20141211093329':
        status: CA_UNREACHABLE
        ca-error: Error 35 connecting to
https://bioldap-p1.DOMAIN.COM:9443/ca/agent/ca/profileReview: SSL connect
error.
        stuck: no
        key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin
 set
        certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=DOMAIN.COM
        subject: CN=CA Audit,O=DOMAIN.COM
        expires: 2018-10-23 09:34:16 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20141211093330':
        status: CA_UNREACHABLE
...
...
        Request ID '20161223074657':
        status: CA_UNCONFIGURED
        ca-error: Unable to determine principal name for signing request.
        stuck: yes
        key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS
Certificate DB'
        certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        pre-save command:


                                                                                
                                                              
 # tail -f access                                                               
                                                              
 [31/May/2017:12:55:13 -0500] conn=3 op=0 BIND dn="cn=Directory Manager" 
method=128 version=2                                                 
 [31/May/2017:12:55:13 -0500] conn=3 op=0 RESULT err=0 tag=97 nentries=0 
etime=0 dn="cn=directory manager"                                    
 [31/May/2017:12:55:13 -0500] conn=3 op=1 SRCH base="ou=sessions,ou=Security 
Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessi 
 onEntry)" attrs="cn"                                                           
                                                              
 [31/May/2017:12:55:13 -0500] conn=3 op=1 RESULT err=0 tag=101 nentries=0 
etime=0                                                             
 [31/May/2017:12:55:13 -0500] conn=3 op=2 UNBIND                                
                                                              
 [31/May/2017:12:55:13 -0500] conn=3 op=2 fd=64 closed - U1                     
                                                              
 [31/May/2017:12:57:03 -0500] conn=4 fd=64 slot=64 connection from 
10.106.178.59 to 10.106.178.56                                             
 [31/May/2017:12:57:03 -0500] conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037" 
name="startTLS"                                                    
 [31/May/2017:12:57:03 -0500] conn=4 op=0 RESULT err=0 tag=120 nentries=0 
etime=0                                                             
 [31/May/2017:12:57:03 -0500] conn=4 op=-1 fd=64 closed - SSL peer cannot 
verify your certificate.                                            
                                                                                
                                                              




                                                                                
                                           
 # tail -f errors                                                               
                                           
 [31/May/2017:12:48:42 -0500] - slapd started. Listening on All Interfaces port 
7389 for LDAP requests                     
 [31/May/2017:12:48:42 -0500] - Listening on All Interfaces port 7390 for LDAPS 
requests                                   
 [31/May/2017:12:48:42 -0500] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0  
 [31/May/2017:12:48:42 -0500] NSMMReplicationPlugin - 
agmt="cn=masterAgreement1-biogendb-p2.wgap.ibm.com-pki-ca" (biogendb-p2.wgap.ibm.com:…): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error 
-8054:You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.)
 [the two lines above were cut at terminal width; text reconstructed, the peer port was not captured]
                                           
 [31/May/2017:12:48:45 -0500] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0  
 [31/May/2017:12:48:51 -0500] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0  
 [31/May/2017:12:49:03 -0500] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0  
 [31/May/2017:12:49:27 -0500] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0  
 [31/May/2017:12:50:15 -0500] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0  
 [31/May/2017:12:51:51 -0500] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0  
 ^C                                                                             
                                           
                                                                                
                                           






From:   Rob Crittenden via FreeIPA-users
            <freeipa-users@lists.fedorahosted.org>
To:     FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc:     Vinny Del Signore <v...@us.ibm.com>, Rob Crittenden
            <rcrit...@redhat.com>
Date:   05/31/2017 01:07 PM
Subject:        [Freeipa-users] Re: cannot connect ...Encountered end of file.



Vinny Del Signore via FreeIPA-users wrote:
> Hello all,
>
> Has anyone seen this issue? We've tried to generate a new CA and SSL
Cert.
>
> *IPA v.3.0.0-50 *
>
> # *rpm -qa | grep ipa-server*
> ipa-server-selinux-3.0.0-50.el6.1.x86_64
> ipa-server-3.0.0-50.el6.1.x86_64
>
> root ldap-srv /var/log/dirsrv/slapd-DOMAIN-COM
> #*ipa-replica-prepare --ip-address=10.10.xx.xx rtlvxl0055.test.local*
> Directory Manager (existing master) password:
>
> Preparing replica for rtlvxl0055.test.local from ldap-srv.domain.com
> Creating SSL certificate for the Directory Server
> *preparation of replica failed: cannot connect to
> 'https://ldap-srv.domain..com:9444/ca/ee/ca/profileSubmitSSLClient':
> (PR_END_OF_FILE_ERROR) Encountered end of file.*
> *cannot connect to
> 'https://ldap-srv.domain..com:xxxx/ca/ee/ca/profileSubmitSSLClient':
> (PR_END_OF_FILE_ERROR) Encountered end of file.*
> File "/usr/sbin/ipa-replica-prepare", line 490, in <module>
> main()
>
> File "/usr/sbin/ipa-replica-prepare", line 361, in main
> export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert",
> replica_fqdn, subject_base)
>
> File "/usr/sbin/ipa-replica-prepare", line 150, in export_certdb
> raise e
>
> root ldap-srv /var/log/dirsrv/slapd-DOMAIN-COM
> #
> root ldap-srv /var/log/dirsrv/slapd-DOMAIN-COM
> # rpm -qa | grep ipa-server
> ipa-server-selinux-3.0.0-50.el6.1.x86_64
> ipa-server-3.0.0-50.el6.1.x86_64
> root ldap-srv /var/log/dirsrv/slapd-DOMAIN-COM
> # uname -r
> 2.6.32-642.3.1.el6.x86_64
> root ldap-srv /var/log/dirsrv/slapd-DOMAIN-COM
> # cat /etc/redhat-release
> Red Hat Enterprise Linux Server release 6.6 (Santiago)
> root ldap-srv /var/log/dirsrv/slapd-DOMAIN-COM
> #

See if your CA is up: look for a running tomcat process (ps -ef | grep tomcat),
ensure that the CA certs aren't expired (getcert list | grep expires), and check
the CA debug log -- /var/log/pki-ca/debug on IPA 3.x (newer releases use
/var/log/pki/<instance>/ca/debug). A PR_END_OF_FILE_ERROR on the 9444 EE port
typically means tomcat accepted the connection but the CA application itself is
not serving, so the real error will be in that debug log.

rob


