On 09/12/2017 09:10 AM, Winfried de Heiden via FreeIPA-users wrote:
Hi all,

I'll try using the link provided. However: what is causing "CA_UNREACHABLE"?

Request ID '20170129002017':
     status: CA_UNREACHABLE
    ca-error: Server at https://ipa.blabla.bla/ipa/xml failed request, will retry: 4035 (RPC failed at server.  Request failed with status 500: Non-2xx response from CA REST API: 500. Policy Set Not Found).
     stuck: no

Hi Winfried,

certmonger is using the CA 'IPA' for the Server-Cert used by httpd and ldap. This CA helper is communicating with FreeIPA server, and FreeIPA in turn communicates with Dogtag. You will probably find more information in FreeIPA server logs (in /var/log/httpd/error_log) and in Dogtag logs (/var/log/pki/pki-tomcat/ca/debug).

Flo

Winfried

On 11-09-17 at 17:12, Florence Blanc-Renaud via FreeIPA-users wrote:
On 09/11/2017 04:53 PM, Winfried de Heiden via FreeIPA-users wrote:
CS.cfg was modified so pki-tomcat can log in using a password and non-secure LDAP. At least it is working now....:

< internaldb.ldapauth.authtype=BasicAuth
< internaldb.ldapauth.bindDN=cn=Directory Manager
---
 > internaldb.ldapauth.authtype=SslClientAuth
 > internaldb.ldapauth.bindDN=uid=pkidbuser,ou=people,o=ipa-ca
780,781c780,781
< internaldb.ldapconn.port=389
< internaldb.ldapconn.secureConn=false
---
 > internaldb.ldapconn.port=636
 > internaldb.ldapconn.secureConn=true
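Review bot: the left-hand (current) side of these two hunks downgrades the CA's internal database connection from certificate authentication as uid=pkidbuser over port 636 to BasicAuth as cn=Directory Manager over port 389 with secureConn=false, so pki-tomcat now has to hold the Directory Manager password and sends it on an unencrypted bind, using an identity with unrestricted rights over the whole directory; treat this as a temporary workaround only and restore the right-hand values (`internaldb.ldapauth.authtype=SslClientAuth`, `internaldb.ldapconn.port=636`, `internaldb.ldapconn.secureConn=true`) once the subsystemCert problem is resolved.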

Reverted to the old config, stopped/started ipa; the debug log shows pki-tomcatd cannot log in:

[11/Sep/2017:16:51:41][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
[11/Sep/2017:16:51:41][localhost-startStop-1]: Candidate cert: subsystemCert cert-pki-ca
[11/Sep/2017:16:51:41][localhost-startStop-1]: SSLClientCertificateSelectionCB: desired cert found in list: subsystemCert cert-pki-ca
[11/Sep/2017:16:51:41][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: subsystemCert cert-pki-ca
[11/Sep/2017:16:51:42][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host ipa.blabla.bla port 636 Error netscape.ldap.LDAPException: Authentication failed (49)
     at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
     at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
     at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
     at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
     at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1172)
     at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1078)
     at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:570)
     at com.netscape.certsrv.apps.CMS.init(CMS.java:188)
     at com.netscape.certsrv.apps.CMS.start(CMS.java:1621)

Winfried

On 11-09-17 at 16:18, Rob Crittenden via FreeIPA-users wrote:
Winfried de Heiden via FreeIPA-users wrote:
Hi All,

Somewhere after an update (I guess) I have issues;
pki-tomcatd@pki-tomcat.service will not start since it cannot log in to
LDAP. It seems I have some certificate issues:

getcert list shows:

Request ID '20170129002017':
     status: CA_UNREACHABLE
     ca-error: Server at https://ipa.example.com/ipa/xml failed request, will retry: 4035 (RPC failed at server.  Request failed with status 500: Non-2xx response from CA REST API: 500. Policy Set Not Found).
     stuck: no
     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-BLABLA-BLA/pwdfile.txt'
     certificate: type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS Certificate DB'
     CA: IPA
     issuer: CN=Certificate Authority,O=IPA.LOCAL 201509271650
     subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650
     expires: 2017-09-27 17:26:00 CEST
     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
     eku: id-kp-serverAuth,id-kp-clientAuth
     pre-save command:
     post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv BLABLA-BLA
     track: yes
     auto-renew: yes
Request ID '20170129002024':
     status: CA_UNREACHABLE
     ca-error: Server at https://ipa.example.com/ipa/xml failed request, will retry: 4035 (RPC failed at server.  Request failed with status 500: Non-2xx response from CA REST API: 500. Policy Set Not Found).
     stuck: no
     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
     CA: IPA
     issuer: CN=Certificate Authority,O=IPA.LOCAL 201509271650
     subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650
     expires: 2017-09-27 17:41:26 CEST
     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
     eku: id-kp-serverAuth,id-kp-clientAuth
     pre-save command:
     post-save command: /usr/libexec/ipa/certmonger/restart_httpd
     track: yes
     auto-renew: yes

(I managed to start IPA by modifying /etc/pki/pki-tomcat/ca/CS.cfg)
How to fix this? Something seems wrong with the DIRSRV certificate and
http... :(
What did you modify?

How to fix? What could have caused this issue?
This is likely not a problem with the certificates but with the
certificate profiles. The dogtag debug log may have more information.

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


Hi Winfried,

the issue is likely to come from the renewal of subsystemCert. You can find more info in this blog [1]. If you are running with selinux in enforcing mode, the renewal may fail but go undetected.

You can check if the ldap entry uid=pkidbuser,ou=people,o=ipaca contains the same certificate 'subsystemCert cert-pki-ca' as the NSSDB /etc/pki/pki-tomcat/alias. If it is not the case, simply modify the LDAP entry to contain the right userCertificate and description attributes.

HTH,
Flo

[1] https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
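The check Flo describes above, worked through as an added example (this is not code from the thread, from FreeIPA or from Dogtag): read the subsystem certificate out of the pki-tomcat NSS database, compare it with what the LDAP entry uid=pkidbuser,ou=people,o=ipaca holds, and if they differ generate the LDIF that puts the right userCertificate and description back. It assumes certutil's pretty-print layout ("Serial Number:", "Issuer:", "Subject:") and the `2;<serial>;<issuer DN>;<subject DN>` format of the description attribute on that entry; the NSS database output and the LDAP entry below are constructed stand-ins, not real certificates.

```python
"""
Compare 'subsystemCert cert-pki-ca' in /etc/pki/pki-tomcat/alias with the
uid=pkidbuser entry in the o=ipaca suffix and build the LDIF that repairs it.

Added example, not FreeIPA/Dogtag code. Assumptions: certutil's pretty-print
layout and the description format 2;<serial>;<issuer>;<subject>.
All sample input below is constructed; the "DER" bodies are not real certs.
"""
import base64
import re

NSSDB = "/etc/pki/pki-tomcat/alias"
NICK = "subsystemCert cert-pki-ca"
PKIDBUSER_DN = "uid=pkidbuser,ou=people,o=ipaca"

# Constructed stand-in for: certutil -L -d $NSSDB -n "$NICK"
CERTUTIL_PRETTY = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 268369927 (0xfff0007)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=IPA.LOCAL 201509271650"
        Validity:
            Not Before: Mon Sep 11 15:00:00 2017
            Not After : Sun Sep 01 15:00:00 2019
        Subject: "CN=CA Subsystem,O=IPA.LOCAL 201509271650"
"""

# Constructed stand-in for: certutil -L -d $NSSDB -n "$NICK" -a   (PEM output)
NEW_DER = bytes(range(40)) * 3          # placeholder bytes, not a real DER cert
CERTUTIL_PEM = ("-----BEGIN CERTIFICATE-----\n"
                + base64.encodebytes(NEW_DER).decode()
                + "-----END CERTIFICATE-----\n")

# Constructed stand-in for what LDAP still holds: the certificate from BEFORE
# the renewal, with the old serial number 7 in its description.
OLD_DER = bytes(range(40, 80)) * 3
LDAP_ENTRY = {
    "userCertificate;binary": OLD_DER,
    "description": "2;7;CN=Certificate Authority,O=IPA.LOCAL 201509271650;"
                   "CN=CA Subsystem,O=IPA.LOCAL 201509271650",
}


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body to DER."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def parse_certutil_pretty(text: str) -> dict:
    """Pull decimal serial, issuer DN and subject DN out of certutil -L output."""
    serial = re.search(r"Serial Number:\s*(\d+)", text)
    issuer = re.search(r'Issuer:\s*"([^"]+)"', text)
    subject = re.search(r'Subject:\s*"([^"]+)"', text)
    if not (serial and issuer and subject):
        raise ValueError("unexpected certutil output")
    return {"serial": int(serial.group(1)),
            "issuer": issuer.group(1),
            "subject": subject.group(1)}


def expected_description(info: dict) -> str:
    """The description Dogtag expects on pkidbuser: 2;<serial>;<issuer>;<subject>."""
    return f"2;{info['serial']};{info['issuer']};{info['subject']}"


def check_pkidbuser(entry: dict, nss_der: bytes, info: dict) -> list:
    """Return the names of the attributes that disagree with the NSS database."""
    bad = []
    if entry.get("userCertificate;binary") != nss_der:
        bad.append("userCertificate;binary")
    if entry.get("description") != expected_description(info):
        bad.append("description")
    return bad


def fix_ldif(dn: str, nss_der: bytes, info: dict) -> str:
    """LDIF (for ldapmodify -D 'cn=Directory Manager' -W) replacing both attributes."""
    b64 = base64.b64encode(nss_der).decode()
    return (f"dn: {dn}\n"
            "changetype: modify\n"
            "replace: userCertificate;binary\n"
            f"userCertificate;binary:: {b64}\n"
            "-\n"
            "replace: description\n"
            f"description: {expected_description(info)}\n")


if __name__ == "__main__":
    cert_info = parse_certutil_pretty(CERTUTIL_PRETTY)
    der = pem_to_der(CERTUTIL_PEM)
    mismatched = check_pkidbuser(LDAP_ENTRY, der, cert_info)
    if mismatched:
        print("pkidbuser out of sync with", NICK, "in", NSSDB, ":", ", ".join(mismatched))
        print(fix_ldif(PKIDBUSER_DN, der, cert_info))
    else:
        print("pkidbuser matches", NICK, "in", NSSDB)
```

On a real server, replace the two constructed certutil strings with the output of `certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'` (with and without `-a`) and the LDAP_ENTRY dict with the result of an `ldapsearch -D 'cn=Directory Manager' -W -b 'uid=pkidbuser,ou=people,o=ipaca'` against the CA's 389 Directory Server instance, then feed the printed LDIF to ldapmodify and restart pki-tomcatd. The serial in the description is decimal, which is why it is taken from the "Serial Number:" line rather than the hex in parentheses.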