I also found that the certs don't match!  LDAP and certutil return
different certs when you query them.  The blog post didn't suggest a method
for fixing this and I don't want to make the problem worse by doing it the
wrong way.  Suggestions?

On Fri, Oct 27, 2017 at 1:35 PM, Kristian Petersen <nesre...@chem.byu.edu>
wrote:

> I followed some of the steps outlined in the blog post you linked to and
> when I got to the part where you make sure that the private key can be read
> using the password found in /var/lib/pki/pki-tomcat/conf/password.conf
> using:
> sudo certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n
> 'subsystemCert cert-pki-ca'
>
> RESULT:
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private
> Key and Certificate Services"
> certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized
> Object Identifier.
>
> So it looks like things aren't associated properly anymore. Not sure what
> my next steps would be though.
>
> On Fri, Oct 27, 2017 at 10:27 AM, Florence Blanc-Renaud <f...@redhat.com>
> wrote:
>
>> On 10/27/2017 12:55 AM, Kristian Petersen via FreeIPA-users wrote:
>>
>>> I checked the logs that turned up after running the find command
>>> suggested by Jochen and only a couple of them turned up anything that
>>> mention pki or pki-tomcat:
>>>
>>> from /var/log/audit/audit.log:
>>> type=SERVICE_START msg=audit(1508873851.623:163448): pid=1 uid=0
>>> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
>>> msg='unit=pki-tomcatd@pki-tomcat comm="systemd"
>>> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
>>>
>>> from /var/log/messages:
>>> Oct 26 16:01:58 ipa1 ns-slapd: [26/Oct/2017:16:01:58.077129423 -0600] -
>>> ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager
>>> cloneAgreement1-ipa2.chem.byu.edu-pki-tomcat,ou=csusers,cn=config]
>>> authentication mechanism [SIMPLE]: error 32 (No such object)
>>> Oct 26 16:01:58 ipa1 named-pkcs11[16463]: client 192.168.105.11#37937:
>>> request has invalid signature: TSIG DHCP_UPDATER: tsig verify failure
>>> (BADKEY)
>>>
>>>
>> Hi,
>>
>> just a wild guess, but we saw issues during update related either to
>> certificates or IPv6.
>> - Is IPv6 enabled on your server? The server doesn't need an IPv6 address
>> but IPv6 should not be disabled.
>> - If selinux is in enforcing mode, there were known issues during
>> certificate renewals that could lead to pki-tomcat not able to start any
>> more. You can refer to this blog post [1] to check that the certificate
>> 'subsystemCert cert-pki-ca' is properly associated with the user
>> uid=pkidbuser,ou=people,o=ipaca. The certificate is stored in multiple
>> places (ldap server, nss dbs) and must be consistent.
>>
>> Flo
>>
>> [1] https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
>>
>>>
>>> On Thu, Oct 26, 2017 at 2:32 PM, Jochen Hein <joc...@jochen.org> wrote:
>>>
>>>     Kristian Petersen via FreeIPA-users
>>>     <freeipa-users@lists.fedorahosted.org> writes:
>>>
>>>     > The dirsrv log just shows a bunch of the following:
>>>     > [13/Oct/2017:14:32:07.132312021 -0600] - ERR - slapi_ldap_bind - Error:
>>>     > could not bind id [cn=Replication Manager cloneAgreement1-ipa2.chem.byu.edu-pki-tomcat,ou=csusers,cn=config]
>>>     > authentication mechanism [SIMPLE]: error 32 (No such object)
>>>     >
>>>     > That makes sense though since pki-tomcat won't start.  Rob was asking what
>>>     > was in the logs located at /var/log/pki/pki-tomcat/ca/debug, but that path
>>>     > doesn't exist on any of my IPA servers.  He said that would normally be the
>>>     > first place to look.  Hence, I am looking for other solutions.
>>>
>>>     Brute force: reproduce the error and run "find /var/log -mmin -1
>>>     -type f -ls".
>>>     This finds the files changed in the last minute - one of these might
>>>     help.
>>>
>>>     Jochen
>>>
>>>     --
>>>     This space is intentionally left blank.
>>>
>>>
>>>
>>>
>>> --
>>> Kristian Petersen
>>> System Administrator
>>> Dept. of Chemistry and Biochemistry
>>>
>>>
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>>
>>>
>>
>
>
> --
> Kristian Petersen
> System Administrator
> Dept. of Chemistry and Biochemistry
>



-- 
Kristian Petersen
System Administrator
Dept. of Chemistry and Biochemistry
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
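The thread ends with the observation that the 'subsystemCert cert-pki-ca' returned by certutil and the userCertificate on uid=pkidbuser,ou=people,o=ipaca differ, but nobody shows how to compare the two copies reliably. The script below is an added example, not from the thread or from the FreeIPA/Dogtag projects: it exports the cert from the pki-tomcat NSS database as PEM, fetches the LDAP entry as LDIF, decodes both to DER and compares SHA-256 fingerprints, which avoids false mismatches caused by PEM armor, base64 line folding and LDIF continuation lines. Assumptions: certutil and ldapsearch are on PATH, the NSS DB is /etc/pki/pki-tomcat/alias (the path used in the thread), the bind is done as cn=Directory Manager with an interactive password prompt, and the attribute is stored as userCertificate or userCertificate;binary. The SAMPLE_* constants are constructed test data (a tiny DER SEQUENCE, not a real certificate) so the parsing and comparison functions can be exercised offline.

```python
#!/usr/bin/env python3
"""Check that the pki-tomcat NSS copy of 'subsystemCert cert-pki-ca' matches
the userCertificate stored on uid=pkidbuser,ou=people,o=ipaca.

Added example, not the project's own tooling. Assumed paths and bind DN are
noted inline; adjust them to your deployment.
"""
import base64
import hashlib
import subprocess
import sys

NSS_DB = "/etc/pki/pki-tomcat/alias"            # assumed NSS DB (as in the thread)
NICK = "subsystemCert cert-pki-ca"
PKIDBUSER_DN = "uid=pkidbuser,ou=people,o=ipaca"
BIND_DN = "cn=Directory Manager"                 # assumed bind identity


def pem_to_der(pem_text):
    """Strip the PEM armor that 'certutil -L -a' prints and decode to DER."""
    body = [ln.strip() for ln in pem_text.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def ldif_certs(ldif_text, attr="userCertificate"):
    """Return every DER value of userCertificate (or userCertificate;binary).

    LDIF writes binary values base64-encoded after a double colon and folds
    long values onto continuation lines that start with a single space.
    """
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    certs = []
    for line in unfolded:
        name, sep, value = line.partition(":: ")
        # "userCertificate;binary" and "userCertificate" are the same attribute.
        if sep and name.split(";")[0].lower() == attr.lower():
            certs.append(base64.b64decode(value.strip()))
    return certs


def fingerprint(der):
    """SHA-256 over the DER bytes; identical certs give identical digests."""
    return hashlib.sha256(der).hexdigest()


def certs_consistent(nss_pem, ldif_text):
    """True only if the NSS cert is among the LDAP userCertificate values."""
    nss_fp = fingerprint(pem_to_der(nss_pem))
    return nss_fp in {fingerprint(c) for c in ldif_certs(ldif_text)}


# Constructed sample data for offline use: a DER SEQUENCE of two INTEGERs,
# deliberately NOT a real certificate, only used to exercise the parsers.
SAMPLE_DER = bytes.fromhex("3006020101020102")
OTHER_DER = bytes.fromhex("3006020102020103")
_b64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + _b64 +
              "\n-----END CERTIFICATE-----\n")
# Value folded across a continuation line, as ldapsearch -LLL would emit it.
SAMPLE_LDIF = ("dn: " + PKIDBUSER_DN + "\n"
               "userCertificate;binary:: " + _b64[:5] + "\n " + _b64[5:] + "\n\n")
SAMPLE_LDIF_MISMATCH = ("dn: " + PKIDBUSER_DN + "\n"
                        "userCertificate:: " +
                        base64.b64encode(OTHER_DER).decode() + "\n\n")


def main():
    nss_pem = subprocess.check_output(
        ["certutil", "-L", "-d", NSS_DB, "-n", NICK, "-a"], text=True)
    ldif = subprocess.check_output(
        ["ldapsearch", "-x", "-LLL", "-D", BIND_DN, "-W",
         "-b", PKIDBUSER_DN, "-s", "base", "userCertificate"], text=True)
    nss_fp = fingerprint(pem_to_der(nss_pem))
    ldap_fps = [fingerprint(c) for c in ldif_certs(ldif)]
    print("NSS  :", nss_fp)
    for fp in ldap_fps:
        print("LDAP :", fp)
    if nss_fp in ldap_fps:
        print("OK: NSS and LDAP copies of", NICK, "match")
        return 0
    print("MISMATCH: the NSS cert is not on", PKIDBUSER_DN)
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it on the CA as root; a non-zero exit means the two stores really do disagree, independent of how the copies were wrapped or folded. The script only detects the inconsistency; which copy is the correct one, and how to realign them, is not settled in this thread, so treat the output as evidence to bring to the list rather than as a fix.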
