Winfried de Heiden via FreeIPA-users wrote:
> Hi All,
>
> Somewhere after an update (I guess) I have issues;
> pki-tomcatd@pki-tomcat.service will not start since it cannot log in to
> LDAP. It seems I have some certificate issues:
>
> getcert list shows:
>
> Request ID '20170129002017':
>         status: CA_UNREACHABLE
>         ca-error: Server at https://ipa.example.com/ipa/xml failed request,
> will retry: 4035 (RPC failed at server. Request failed with status 500:
> Non-2xx response from CA REST API: 500. Policy Set Not Found).
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-BLABLA-BLA/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=IPA.LOCAL 201509271650
>         subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650
>         expires: 2017-09-27 17:26:00 CEST
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv BLABLA-BLA
>         track: yes
>         auto-renew: yes
> Request ID '20170129002024':
>         status: CA_UNREACHABLE
>         ca-error: Server at https://ipa.example.com/ipa/xml failed request,
> will retry: 4035 (RPC failed at server. Request failed with status 500:
> Non-2xx response from CA REST API: 500. Policy Set Not Found).
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=IPA.LOCAL 201509271650
>         subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650
>         expires: 2017-09-27 17:41:26 CEST
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>         track: yes
>         auto-renew: yes
>
> (I managed to start IPA by modifying /etc/pki/pki-tomcat/ca/CS.cfg)
> How to fix this? Something seems wrong with the DIRSRV certificate and
> http....:(
What did you modify?

> How to fix? What could have caused this issue?

This is likely not a problem with the certificates but with the
certificate profiles. The dogtag debug log may have more information.

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
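The reply's point is that two tracking entries failing with the same HTTP 500 from the same CA point at the CA side (profile configuration), not at the two Server-Cert entries. The following triage script is an added example, not code from the thread, from FreeIPA or from certmonger: it parses the text `getcert list` prints, extracts status, CA error, NSS database location and expiry for each request, and reports whether the failures share one CA-side cause. The sample input is constructed from the two entries quoted above plus an invented healthy entry (request ID and expiry made up; the nickname and CA name are modelled on a typical FreeIPA install), and `NOW` is a constructed reference time, not the date of the thread.

```python
"""Triage certmonger tracking entries from `getcert list` output.

Added example for this thread (not FreeIPA or certmonger code). It parses
the text `getcert list` prints and decides whether the failures are
per-certificate or a single CA-side fault. Runs offline on a constructed
sample modelled on the entries quoted in the thread.
"""
import re
from datetime import datetime

# Constructed sample: the two failing entries from the thread, trimmed to the
# fields used here, plus one invented healthy entry to show the filtering.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20170129002017':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa.example.com/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. Policy Set Not Found).
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650
        expires: 2017-09-27 17:26:00 CEST
Request ID '20170129002024':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa.example.com/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. Policy Set Not Found).
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650
        expires: 2017-09-27 17:41:26 CEST
Request ID '20170129002099':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        subject: CN=CA Audit,O=IPA.LOCAL 201509271650
        expires: 2019-02-11 10:00:00 CET
"""

# Constructed reference time, a few weeks before the sample's expiry dates.
NOW = datetime(2017, 9, 1, 12, 0, 0)

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':$")
FIELD_RE = re.compile(r"^\s+(?P<key>[^:]+):\s?(?P<val>.*)$")


def parse_getcert_list(text):
    """Return {request_id: {field: value}} for every tracking entry.

    Field lines are indented `key: value`; the first colon ends the key, so
    URLs inside `ca-error` survive intact. Other lines (the count) are ignored.
    """
    requests, current = {}, None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = requests.setdefault(m.group("id"), {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group("key").strip()] = m.group("val").strip()
    return requests


def triage(requests, now=NOW):
    """Summarise each entry; `ca_side` is True when certmonger reports
    CA_UNREACHABLE with an HTTP 5xx in `ca-error`, i.e. the CA failed the
    request itself rather than rejecting this host's key or certificate.
    `now` must be a naive datetime in the same local zone as `expires:`
    (the trailing zone name is dropped before parsing)."""
    rows = []
    for rid, f in requests.items():
        expires = datetime.strptime(f["expires"][:19], "%Y-%m-%d %H:%M:%S")
        m = re.search(r"status (\d{3})\b", f.get("ca-error", ""))
        http_status = int(m.group(1)) if m else None
        loc = re.search(r"location='([^']+)'", f.get("certificate", ""))
        rows.append({
            "id": rid,
            "status": f.get("status", ""),
            "ca": f.get("CA", ""),
            "nssdb": loc.group(1) if loc else "",
            "days_left": (expires - now).days,
            "http_status": http_status,
            "ca_side": f.get("status") == "CA_UNREACHABLE"
                       and http_status is not None and http_status >= 500,
        })
    return rows


def shared_ca_fault(rows, requests):
    """True when every failing entry hit the same CA with the same error:
    one server-side (profile/config) fault, not N broken certificates."""
    failing = [r for r in rows if r["status"] != "MONITORING"]
    if not failing or not all(r["ca_side"] for r in failing):
        return False
    errors = {requests[r["id"]].get("ca-error") for r in failing}
    return len({r["ca"] for r in failing}) == 1 and len(errors) == 1


if __name__ == "__main__":
    parsed = parse_getcert_list(SAMPLE)
    rows = triage(parsed)
    for r in rows:
        print(f"{r['id']}  {r['status']:<14} {r['nssdb']:<30} "
              f"expires in {r['days_left']:>3}d  CA-side={r['ca_side']}")
    if shared_ca_fault(rows, parsed):
        print("All failures come from one CA with one error: look at the "
              "CA's profile configuration and its debug log, not the certs.")
```

On a real server the input would be the output of `getcert list` itself; the days-left column matters because a CA-side fault blocks renewal for every tracked certificate at once, so the nearest expiry is the deadline for fixing the profile. Once the CA side is repaired, `getcert resubmit -i <request id>` asks certmonger to retry a request immediately instead of waiting for its next scheduled attempt.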