On 04/04/2018 04:16 PM, lejeczek via FreeIPA-users wrote:


On 04/04/18 12:43, Florence Blanc-Renaud wrote:
You need to check which server is your renewal master (ipa config-show | grep 'IPA CA renewal master'), then make sure that the certs were properly renewed on this master (check consistency between /etc/pki/pki-tomcat/alias, the certs in cn=certificates,cn=ipa,cn=etc,$BASEDN, and the content in /etc/pki/pki-tomcat/ca/CS.cfg).

I have only one cert, an ipaCertSubject: CN=Certificate Authority,O=PRIVATE.CCNR.CEB.PRIVATE.CAM.AC.UK
which seems to correspond with:
$ certutil -L -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'caSigningCert cert-pki-ca'

The renewed certificates (if any) can be found in LDAP below cn=ca_renewal,cn=ipa,cn=etc,$BASEDN. If your replication got broken at one point, you need to check on different masters.

which is also in /etc/pki/pki-tomcat/ca/CS.cfg, and that is: ca.signing.cert which is different from ca.subsystem.cert
But I'd imagine that's expected(?)

New CA master renewing server still fails:
...
[04/Apr/2018:15:14:44][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
[04/Apr/2018:15:14:44][localhost-startStop-1]: Candidate cert: Server-Cert cert-pki-ca
[04/Apr/2018:15:14:44][localhost-startStop-1]: Candidate cert: caSigningCert cert-pki-ca
[04/Apr/2018:15:14:44][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
[04/Apr/2018:15:14:44][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host whale port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
...

It seems that these certs are as they should be. How can I troubleshoot it further? Can log verbosity be upped?

You can add verbosity by creating this file:
$ cat /etc/ipa/server.conf
[global]
debug=True

then restart ipa stack. This will add information in httpd's logs.

HTH,
Flo
Many thanks, L.
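The consistency check Florence describes (the CA signing cert in /etc/pki/pki-tomcat/alias, in the cn=ca_renewal entry in LDAP, and in ca.signing.cert of CS.cfg must all be the same certificate) can be scripted so the comparison is a fingerprint match rather than eyeballing base64. The script below is an added example, not code from this thread or from the FreeIPA project. It assumes constructed placeholder bytes in place of real DER certificates and embeds sample inputs in the shapes the three sources produce: a CS.cfg excerpt, PEM as printed by `certutil -L ... -a`, and LDIF as printed by ldapsearch. On a real master you would feed it the actual file and command output instead.

```python
import base64
import hashlib
import re
import textwrap

# Constructed placeholder bytes; on a real master these would be DER-encoded X.509 certificates.
FAKE_SIGNING_DER = b"constructed-placeholder-for-the-CA-signing-cert-DER"
FAKE_SUBSYSTEM_DER = b"constructed-placeholder-for-the-subsystem-cert-DER"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


# Constructed excerpt in the shape of /etc/pki/pki-tomcat/ca/CS.cfg: one-line base64 DER per cert.
SAMPLE_CS_CFG = (
    f"ca.signing.cert={_b64(FAKE_SIGNING_DER)}\n"
    f"ca.subsystem.cert={_b64(FAKE_SUBSYSTEM_DER)}\n"
)

# Constructed PEM, as `certutil -L -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' -a` prints it.
SAMPLE_NSS_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(textwrap.wrap(_b64(FAKE_SIGNING_DER), 64))
    + "\n-----END CERTIFICATE-----\n"
)

# Constructed LDIF in the shape ldapsearch prints for a cn=ca_renewal entry
# (binary attribute as '::' base64, folded onto continuation lines that start with a space).
_LDIF_VALUE = "userCertificate;binary:: " + _b64(FAKE_SIGNING_DER)
SAMPLE_LDIF = (
    "dn: cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=test\n"
    + "\n ".join(_LDIF_VALUE[i:i + 76] for i in range(0, len(_LDIF_VALUE), 76))
    + "\n"
)


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, so two sources can be compared by one short string."""
    return hashlib.sha256(der).hexdigest()


def certs_from_cs_cfg(text: str) -> dict:
    """Return {config key: DER bytes} for every ca.<name>.cert line in a CS.cfg excerpt."""
    out = {}
    for m in re.finditer(r"^(ca\.[\w.]+\.cert)=(\S+)$", text, re.MULTILINE):
        out[m.group(1)] = base64.b64decode(m.group(2))
    return out


def der_from_pem(pem: str) -> bytes:
    """Strip the PEM armour and decode the body back to DER."""
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def der_from_ldif(ldif: str, attr: str = "userCertificate;binary") -> bytes:
    """Unfold LDIF continuation lines, then decode the '::' base64 value of the given attribute."""
    unfolded = ldif.replace("\n ", "")
    for line in unfolded.splitlines():
        if line.startswith(attr + ":: "):
            return base64.b64decode(line[len(attr) + 3:])
    raise KeyError(f"{attr} not found in LDIF")


def consistency_report(cs_cfg: str, nss_pem: str, ldif: str) -> dict:
    """Compare the CA signing cert across CS.cfg, the NSS database and the cn=ca_renewal LDAP entry."""
    cfg = certs_from_cs_cfg(cs_cfg)
    fp = {
        "CS.cfg ca.signing.cert": fingerprint(cfg["ca.signing.cert"]),
        "NSS caSigningCert cert-pki-ca": fingerprint(der_from_pem(nss_pem)),
        "LDAP cn=ca_renewal": fingerprint(der_from_ldif(ldif)),
    }
    return {
        "fingerprints": fp,
        "signing_cert_consistent": len(set(fp.values())) == 1,
        # ca.subsystem.cert is a different certificate by design; report it so the
        # difference is not mistaken for a renewal mismatch.
        "subsystem_differs_from_signing":
            fingerprint(cfg["ca.subsystem.cert"]) != fp["CS.cfg ca.signing.cert"],
    }


if __name__ == "__main__":
    report = consistency_report(SAMPLE_CS_CFG, SAMPLE_NSS_PEM, SAMPLE_LDIF)
    for where, fp in report["fingerprints"].items():
        print(f"{where:32} {fp}")
    print("signing cert consistent:", report["signing_cert_consistent"])
```

If the three fingerprints disagree on the renewal master, the renewal did not land in every place it should; if they agree on the renewal master but not on another replica, the thread's other pointer applies and the replication of cn=ca_renewal between masters is what to look at.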
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org