Hi all,
Yes, there was a discrepancy in the certificates and it was fixed by
using https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/.
Thanks for that!
Now, getcert list still shows errors. The certmonger log shows:
Sep 12 14:05:35 ipa.blabla.bla certmonger[11551]: 2017-09-12 14:05:35 [11551] Server at https://ipa.blabla.bla/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. Policy Set Not Found).
Sep 12 14:05:59 ipa.blabla.bla certmonger[11551]: 2017-09-12 14:05:59 [11551] Server at https://ipa.blabla.bla/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. Policy Set Not Found).
It looks like 2 certificates cannot be renewed but are about to
expire.... What's happening and how to fix?
Winfried
On 12-09-17 at 10:04, Florence Blanc-Renaud via FreeIPA-users wrote:
On 09/12/2017 09:10 AM, Winfried de Heiden via FreeIPA-users wrote:
Hi all,
I'll try using the link provided. However: what is causing
"CA_UNREACHABLE"?
Request ID '20170129002017':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa.blabla.bla/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. Policy Set Not Found).
        stuck: no
Hi Winfried,
certmonger is using the CA 'IPA' for the Server-Cert used by httpd
and ldap. This CA helper communicates with the FreeIPA server, and
FreeIPA in turn communicates with Dogtag.
You will probably find more information in FreeIPA server logs (in
/var/log/httpd/error_log) and in Dogtag logs
(/var/log/pki/pki-tomcat/ca/debug).
Flo
Winfried
On 11-09-17 at 17:12, Florence Blanc-Renaud via FreeIPA-users wrote:
On 09/11/2017 04:53 PM, Winfried de Heiden via FreeIPA-users wrote:
CS.cfg was modified so pki-tomcat can log in using a password and
non-secure LDAP. At least it is working now....:
< internaldb.ldapauth.authtype=BasicAuth
< internaldb.ldapauth.bindDN=cn=Directory Manager
---
> internaldb.ldapauth.authtype=SslClientAuth
>
internaldb.ldapauth.bindDN=uid=pkidbuser,ou=people,o=ipa-ca
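Review bot: the side that starts (internaldb.ldapauth.authtype=BasicAuth with bindDN=cn=Directory Manager) swaps certificate authentication as the dedicated uid=pkidbuser,ou=people,o=ipa-ca account for a simple password bind as the directory superuser, so the CA runs with full directory privileges and depends on a stored Directory Manager password; keep this as a diagnostic workaround only and return to SslClientAuth with the pkidbuser bindDN once the subsystemCert mismatch is repaired.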
780,781c780,781
< internaldb.ldapconn.port=389
< internaldb.ldapconn.secureConn=false
---
> internaldb.ldapconn.port=636
> internaldb.ldapconn.secureConn=true
Reverted to the old config, stopped/started ipa; the debug log shows
pki-tomcatd cannot log in:
[11/Sep/2017:16:51:41][localhost-startStop-1]:
SSLClientCertificatSelectionCB: Entering!
[11/Sep/2017:16:51:41][localhost-startStop-1]: Candidate
cert: subsystemCert cert-pki-ca
[11/Sep/2017:16:51:41][localhost-startStop-1]:
SSLClientCertificateSelectionCB: desired cert found in list:
subsystemCert cert-pki-ca
[11/Sep/2017:16:51:41][localhost-startStop-1]:
SSLClientCertificateSelectionCB: returning: subsystemCert
cert-pki-ca
[11/Sep/2017:16:51:42][localhost-startStop-1]: SSL handshake
happened
Could not connect to LDAP server host ipa.blabla.bla port 636 Error netscape.ldap.LDAPException: Authentication failed (49)
        at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
        at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
        at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
        at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1172)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1078)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:570)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:188)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1621)
Winfried
On 11-09-17 at 16:18, Rob Crittenden via FreeIPA-users wrote:
Winfried de Heiden via FreeIPA-users wrote:
Hi All,
Somewhere after an update (I guess) I have issues;
pki-tomcatd@pki-tomcat.service will not start since it cannot log in to
LDAP. It seems I have some certificate issues:
getcert list shows:
Request ID '20170129002017':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa.example.com/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. Policy Set Not Found).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-BLABLA-BLA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=IPA.LOCAL 201509271650
        subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650
        expires: 2017-09-27 17:26:00 CEST
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv BLABLA-BLA
        track: yes
        auto-renew: yes
Request ID '20170129002024':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa.example.com/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. Policy Set Not Found).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=IPA.LOCAL 201509271650
        subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650
        expires: 2017-09-27 17:41:26 CEST
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
(I managed to start IPA by modifying
/etc/pki/pki-tomcat/ca/CS.cfg)
How to fix this? Something seems wrong with the DIRSRV
certificate and
http....:(
What did you modify?
How to fix? What could have caused
this issue?
This is likely not a problem with the certificates but
with the
certificate profiles. The dogtag debug log may have more
information.
rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Hi Winfried,
the issue is likely to come from the renewal of subsystemCert.
You can find more info in this blog [1]. If you are running
with selinux in enforcing mode, the renewal may fail but go
undetected.
You can check if the ldap entry
uid=pkidbuser,ou=people,o=ipaca contains the same certificate
'subsystemCert cert-pki-ca' as the NSSDB
/etc/pki/pki-tomcat/alias.
If it is not the case, simply modify the LDAP entry to contain
the right userCertificate and description attributes.
HTH,
Flo
[1]
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
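The check Flo describes, as an added example written for this thread (it is not FreeIPA or Dogtag code): read the subsystemCert as `certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a` prints it and the pkidbuser entry as `ldapsearch -LLL -D 'cn=Directory Manager' -W -b uid=pkidbuser,ou=people,o=ipaca userCertificate description` returns it, compare the DER bytes, and when they differ produce the ldapmodify input that replaces userCertificate and description. The DER blobs, the serials 7 and 8 and the issuer/subject DNs embedded below are constructed placeholders so the script runs offline; the `2;<serial in decimal>;<issuer DN>;<subject DN>` layout of description is the one Dogtag uses for its user certificate entries.

```python
import base64
import hashlib
import re
from typing import List, Optional

LDIF_WRAP = 76  # ldapsearch folds long values at 76 columns; continuation lines start with a space


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour that `certutil -a` prints and return the DER bytes."""
    body = "".join(ln.strip() for ln in pem.splitlines()
                   if ln.strip() and not ln.startswith("-----"))
    return base64.b64decode(body, validate=True)


def unfold_ldif(ldif: str) -> List[str]:
    """Join LDIF continuation lines (leading space) back onto their attribute line."""
    lines: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def ldif_attr(ldif: str, attr: str) -> Optional[bytes]:
    """First value of `attr`; a '::' separator (e.g. userCertificate;binary::) means base64."""
    pattern = re.compile(rf"^{re.escape(attr)}(?:;binary)?(::?) ?(.*)$", re.IGNORECASE)
    for line in unfold_ldif(ldif):
        m = pattern.match(line)
        if m:
            return base64.b64decode(m.group(2)) if m.group(1) == "::" else m.group(2).encode()
    return None


def compare(nss_pem: str, ldap_ldif: str) -> dict:
    """Does the pkidbuser entry hold the same certificate Dogtag will present from its NSS DB?"""
    nss_der = pem_to_der(nss_pem)
    ldap_der = ldif_attr(ldap_ldif, "userCertificate")
    return {
        "nss_sha256": hashlib.sha256(nss_der).hexdigest(),
        "ldap_sha256": hashlib.sha256(ldap_der).hexdigest() if ldap_der is not None else None,
        "match": ldap_der == nss_der,
    }


def fold(line: str) -> str:
    """Wrap one LDIF line the way ldapmodify expects it."""
    out, rest = [line[:LDIF_WRAP]], line[LDIF_WRAP:]
    while rest:
        out.append(" " + rest[:LDIF_WRAP - 1])
        rest = rest[LDIF_WRAP - 1:]
    return "\n".join(out)


def build_fix_ldif(dn: str, der: bytes, serial: int, issuer: str, subject: str) -> str:
    """ldapmodify input replacing userCertificate and description on `dn`.

    Dogtag expects description = '2;<serial in decimal>;<issuer DN>;<subject DN>', so it
    must describe the certificate that is actually in the NSS DB, not the expired one.
    """
    b64 = base64.b64encode(der).decode()
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: userCertificate;binary",
        fold(f"userCertificate;binary:: {b64}"),
        "-",
        "replace: description",
        f"description: 2;{serial};{issuer};{subject}",
        "",
    ])


# Constructed sample data: placeholder byte strings, not real X.509 certificates.
OLD_DER = b"\x30\x82" + b"expired subsystemCert still referenced by the LDAP entry"
NEW_DER = b"\x30\x82" + b"renewed subsystemCert as held in /etc/pki/pki-tomcat/alias"
_b64 = base64.b64encode(NEW_DER).decode()
NSS_PEM = ("-----BEGIN CERTIFICATE-----\n"
           + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
           + "\n-----END CERTIFICATE-----\n")
STALE_LDIF = "\n".join([
    "dn: uid=pkidbuser,ou=people,o=ipaca",
    fold("userCertificate;binary:: " + base64.b64encode(OLD_DER).decode()),
    "description: 2;7;CN=Certificate Authority,O=IPA.LOCAL;CN=CA Subsystem,O=IPA.LOCAL",
    "",
])

if __name__ == "__main__":
    report = compare(NSS_PEM, STALE_LDIF)
    print(report)
    if not report["match"]:
        # Serial (decimal), issuer and subject must come from the real certificate, e.g.
        # openssl x509 -noout -serial -issuer -subject < nss.pem; these are placeholders.
        print(build_fix_ldif("uid=pkidbuser,ou=people,o=ipaca", pem_to_der(NSS_PEM), 8,
                             "CN=Certificate Authority,O=IPA.LOCAL", "CN=CA Subsystem,O=IPA.LOCAL"))
```

Feed the printed LDIF to `ldapmodify -D 'cn=Directory Manager' -W` only after confirming the mismatch; if the two fingerprints already agree, the subsystemCert is not what is stopping pki-tomcatd from binding and the Dogtag debug log is the next place to look.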