Ian Pilcher via FreeIPA-users wrote:
> After rebooting my CentOS 7 IdM server, pki-tomcatd is failing to start.
> 
> I see this (repeated many times) in the journal:
> 
> WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@383171f8 background process
> javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
>         at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
>         at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1357)
>         at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1543)
>         at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1553)
>         at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1553)
>         at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1521)
>         at java.lang.Thread.run(Thread.java:748)
> 
> getcert list shows a number of expired certificates (which is EXTREMELY
> frustrating, as I thought that certmonger, which is running, was
> supposed to take care of these renewals):
> 
> 
> Request ID '20170306100908':
>         status: CA_UNREACHABLE
>         ca-error: Error 60 connecting to https://asterisk.penurio.us:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=PENURIO.US
>         subject: CN=CA Audit,O=PENURIO.US
>         expires: 2017-06-19 16:27:30 UTC
>         key usage: digitalSignature,nonRepudiation
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20170306100911':
>         status: CA_UNREACHABLE
>         ca-error: Error 60 connecting to https://asterisk.penurio.us:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=PENURIO.US
>         subject: CN=OCSP Subsystem,O=PENURIO.US
>         expires: 2017-06-19 16:26:30 UTC
>         eku: id-kp-OCSPSigning
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20170306100914':
>         status: CA_UNREACHABLE
>         ca-error: Error 60 connecting to https://asterisk.penurio.us:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=PENURIO.US
>         subject: CN=CA Subsystem,O=PENURIO.US
>         expires: 2017-06-19 16:26:30 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> 
> I have tried setting the clock back 48 hours, but certmonger is still
> unable to renew the certificates -- still with the same error.
> 
> I have checked the certificates returned when connecting to
> asterisk.penurio.us:8443, and they look correct.  The CA certificate
> doesn't expire until 2033, and the server certificate (whose CN is
> asterisk.penurio.us) expires in 2019.
> 

Are these three the only expired certs?

What version of IPA?

Did you restart IPA after going back in time? If not, try that, then
restart certmonger and it should renew the certs.

Given certmonger didn't fire in the very recent past, can you check the
syslog for any certmonger-related messages? I assume it renewed some,
but not all of the certs?

rob
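A triage check in the spirit of Rob's questions (an added example, not code from the thread, FreeIPA or certmonger): it parses `getcert list` records and flags every tracked certificate that is already expired or whose last renewal attempt did not leave it in MONITORING, so the "are these the only expired certs" question can be answered from the output rather than by eye. The sample is constructed from the output quoted above, with the second record's status and expiry altered so both outcomes appear; the reference time passed in is an assumption.

```python
import re
from datetime import datetime, timezone

# Constructed sample, abbreviated from the thread's `getcert list` output;
# the second record's status and expiry are altered so both outcomes appear.
SAMPLE = """\
Request ID '20170306100908':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://asterisk.penurio.us:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2017-06-19 16:27:30 UTC
Request ID '20170306100911':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2019-06-19 16:26:30 UTC
"""

def parse_utc(s):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' timestamp as an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)

def parse_getcert(text):
    """Split `getcert list` output into one dict of 'field: value' pairs per request."""
    records, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            records.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return records

def nickname(record):
    m = re.search(r"nickname='([^']+)'", record.get("certificate", ""))
    return m.group(1) if m else record["id"]

def flag_problems(text, now_utc):
    """Return (nickname, reason) for tracked certs that are already expired
    or whose last renewal attempt did not leave them in MONITORING."""
    now, problems = parse_utc(now_utc), []
    for rec in parse_getcert(text):
        if parse_utc(rec["expires"]) <= now:
            problems.append((nickname(rec), "expired " + rec["expires"]))
        elif rec.get("status") != "MONITORING":
            problems.append((nickname(rec), rec["status"] + ": " + rec.get("ca-error", "")))
    return problems
```

Feed it `getcert list` output captured from the IdM server and the current time; anything it reports as expired will not be fixed by certmonger alone and needs the clock-rollback procedure Rob describes.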
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
