On 09/11/2017 04:53 PM, Winfried de Heiden via FreeIPA-users wrote:
CS.cfg was modified so pki-tomcat can log in using a password and non-secure LDAP. At least it is working now....:


< internaldb.ldapauth.authtype=BasicAuth
< internaldb.ldapauth.bindDN=cn=Directory Manager
---
 > internaldb.ldapauth.authtype=SslClientAuth
 > internaldb.ldapauth.bindDN=uid=pkidbuser,ou=people,o=ipa-ca
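Review bot: the `<` lines switch the CA's internal DB bind to BasicAuth as cn=Directory Manager, so pki-tomcat runs with full directory rights instead of the limited uid=pkidbuser identity, and a Directory Manager password now has to be stored on disk where pki-tomcat can read it; treat this as a temporary workaround and restore the `>` lines (SslClientAuth with uid=pkidbuser) once the subsystemCert problem is fixed.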
780,781c780,781
< internaldb.ldapconn.port=389
< internaldb.ldapconn.secureConn=false
---
 > internaldb.ldapconn.port=636
 > internaldb.ldapconn.secureConn=true
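Review bot: with port 389 and secureConn=false on the `<` side, that password bind travels over cleartext LDAP; if the BasicAuth workaround has to stay for a while, keep port 636 and secureConn=true from the `>` side so at least the bind is protected, and revert the whole change once SslClientAuth works again.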

Reverted to the old config, stopped/started ipa; the debug log shows pki-tomcatd cannot log in:

[11/Sep/2017:16:51:41][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
[11/Sep/2017:16:51:41][localhost-startStop-1]: Candidate cert: subsystemCert cert-pki-ca
[11/Sep/2017:16:51:41][localhost-startStop-1]: SSLClientCertificateSelectionCB: desired cert found in list: subsystemCert cert-pki-ca
[11/Sep/2017:16:51:41][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: subsystemCert cert-pki-ca
[11/Sep/2017:16:51:42][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host ipa.blabla.bla port 636 Error netscape.ldap.LDAPException: Authentication failed (49)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
    at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1172)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1078)
    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:570)
    at com.netscape.certsrv.apps.CMS.init(CMS.java:188)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1621)

Winfried

On 11-09-17 at 16:18, Rob Crittenden via FreeIPA-users wrote:
Winfried de Heiden via FreeIPA-users wrote:
Hi All,

Somewhere after an update (I guess) I have issues;
pki-tomcatd@pki-tomcat.service will not start since it cannot log in to
LDAP. It seems I have some certificate issues:

getcert list shows:

Request ID '20170129002017':
     status: CA_UNREACHABLE
     ca-error: Server at https://ipa.example.com/ipa/xml failed request,
will retry: 4035 (RPC failed at server.  Request failed with status 500:
Non-2xx response from CA REST API: 500. Policy Set Not Found).
     stuck: no
     key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-BLABLA-BLA/pwdfile.txt'
     certificate:
type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS
Certificate DB'
     CA: IPA
     issuer: CN=Certificate Authority,O=IPA.LOCAL 201509271650
     subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650
     expires: 2017-09-27 17:26:00 CEST
     key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
     eku: id-kp-serverAuth,id-kp-clientAuth
     pre-save command:
     post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv BLABLA-BLA
     track: yes
     auto-renew: yes
Request ID '20170129002024':
     status: CA_UNREACHABLE
     ca-error: Server at https://ipa.example.com/ipa/xml failed request,
will retry: 4035 (RPC failed at server.  Request failed with status 500:
Non-2xx response from CA REST API: 500. Policy Set Not Found).
     stuck: no
     key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
     certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
     CA: IPA
     issuer: CN=Certificate Authority,O=IPA.LOCAL 201509271650
     subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650
     expires: 2017-09-27 17:41:26 CEST
     key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
     eku: id-kp-serverAuth,id-kp-clientAuth
     pre-save command:
     post-save command: /usr/libexec/ipa/certmonger/restart_httpd
     track: yes
     auto-renew: yes

(I managed to start IPA by modifying /etc/pki/pki-tomcat/ca/CS.cfg)
How to fix this? Something seems wrong with the DIRSRV certificate and
http....:(
What did you modify?

How to fix? What could have caused this issue?
This is likely not a problem with the certificates but with the
certificate profiles. The dogtag debug log may have more information.

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


Hi Winfried,

the issue is likely to come from the renewal of subsystemCert. You can find more info in this blog [1]. If you are running with selinux in enforcing mode, the renewal may fail but go undetected.

You can check if the ldap entry uid=pkidbuser,ou=people,o=ipaca contains the same certificate 'subsystemCert cert-pki-ca' as the NSSDB /etc/pki/pki-tomcat/alias. If it is not the case, simply modify the LDAP entry to contain the right userCertificate and description attributes.

HTH,
Flo

[1] https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
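Flo's check above, as an added shell script that is not part of the thread: it pulls 'subsystemCert cert-pki-ca' out of /etc/pki/pki-tomcat/alias with certutil, fetches userCertificate from uid=pkidbuser,ou=people,o=ipaca with ldapsearch, and compares the two as base64 DER. The LDAP URI, the Directory Manager bind and the RUN_CHECK switch are assumptions for illustration; adjust them to the deployment.

```shell
#!/bin/bash
# Added example, not code from the thread: compare the CA's subsystem cert in the
# NSS DB with the userCertificate of the pkidbuser entry (the mismatch Flo describes).
# Assumptions: certutil and ldapsearch are installed, the LDAP URI and bind DN below
# fit the host, and RUN_CHECK=1 is set when the check should actually run.
NSSDB=${NSSDB:-/etc/pki/pki-tomcat/alias}
NICK=${NICK:-subsystemCert cert-pki-ca}
ENTRY=${ENTRY:-uid=pkidbuser,ou=people,o=ipaca}
BIND_DN=${BIND_DN:-cn=Directory Manager}   # assumed: an identity that may read o=ipaca

# Reduce PEM on stdin to its bare base64 body (no BEGIN/END lines, no whitespace),
# which is the same encoding ldapsearch prints after 'userCertificate::'.
pem_body() {
  sed -e '/^-----BEGIN/d' -e '/^-----END/d' | tr -d ' \t\r\n'
}

# same_cert EXPECTED CANDIDATES: succeed when EXPECTED (one base64 DER cert) is
# one of the newline-separated CANDIDATES (an entry may hold several certs).
same_cert() {
  [ -n "$1" ] && printf '%s\n' "$2" | grep -qxF -- "$1"
}

nss_cert_b64() {   # certutil -a prints the certificate as PEM
  certutil -L -d "$NSSDB" -n "$NICK" -a | pem_body
}

ldap_cert_b64() {  # one base64 DER value per line; ldif-wrap=no keeps them unwrapped
  ldapsearch -LLL -o ldif-wrap=no -H "${LDAP_URI:-ldaps://$(hostname -f)}" \
      -D "$BIND_DN" -W -b "$ENTRY" -s base userCertificate \
    | sed -n 's/^userCertificate[^:]*:: //p'
}

check_subsystem_cert() {
  local nss ldap
  nss=$(nss_cert_b64)
  [ -n "$nss" ] || { echo "could not read '$NICK' from $NSSDB" >&2; return 2; }
  ldap=$(ldap_cert_b64)
  [ -n "$ldap" ] || { echo "no userCertificate found on $ENTRY" >&2; return 2; }
  if same_cert "$nss" "$ldap"; then
    echo "OK: $ENTRY carries the same certificate as '$NICK' in $NSSDB"
  else
    echo "MISMATCH: '$NICK' in $NSSDB is not in $ENTRY; fix userCertificate (and description)" >&2
    return 1
  fi
}

if [ "${RUN_CHECK:-0}" = 1 ]; then check_subsystem_cert; fi
```

Run it on the CA host as RUN_CHECK=1 ./check-subsystem-cert.sh; exit status 1 means the LDAP entry needs the current certificate (and matching description), 2 means one side could not be read at all.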