As a note, I can see this in the debug file in var/log/pki-ca/debug
###

[main]: SigningUnit init: debug
java.security.cert.CertificateParsingException: java.io.IOException:
java.lang.NoClassDefFoundError: sun/io/CharToByteConverter

###

BR.

Lune

2018-04-11 20:17 GMT+02:00 lune voo <lune.voo1...@gmail.com>:

> hello Rob.
>
> I restarted the pki-cad service
> ###
> # service pki-cad restart
> Stopping pki-ca: waiting for processes 56678 to exit
> killing 56678 which did not stop after 30 seconds          [WARNING]
>                                                            [  OK  ]
> Starting pki-ca:                                           [  OK  ]
>
> ###
>
> Then I restarted certmonger :
> ###
> service certmonger restart
> Stopping certmonger:                                       [  OK  ]
> Starting certmonger:                                       [  OK  ]
> ###
>
> Then I tried to resubmit the three certificates :
> ###
> ipa-getcert resubmit -i 20160321140609
> Resubmitting "20160321140609" to "IPA".
>
> ipa-getcert resubmit -i 20160321140642
> Resubmitting "20160321140642" to "IPA".
>
> ipa-getcert resubmit -i 20160321140750
> Resubmitting "20160321140750" to "IPA".
> ###
>
> But when I do an ipa-getcert list, I still have the same expiration date :
> ###
>
> ipa-getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20160321140609':
>         status: CA_UNREACHABLE
>         ca-error: Server at https://<HOST>/ipa/xml failed request, will
> retry: 4301 (RPC failed at server.  Certificate operation cannot be
> completed: Unable to communicate with CMS (Not Found)).
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-<REALM>',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-<REALM>/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-<REALM>',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=<REALM>
>         subject: CN=<HOST>,O=<REALM>
>         expires: 2018-03-22 14:06:09 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,
> dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20160321140642':
>         status: CA_UNREACHABLE
>         ca-error: Server at https://<HOST>/ipa/xml failed request, will
> retry: 4301 (RPC failed at server.  Certificate operation cannot be
> completed: Unable to communicate with CMS (Not Found)).
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=<REALM>
>         subject: CN=<HOST>,O=<REALM>
>         expires: 2018-03-22 14:06:41 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,
> dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20160321140750':
>         status: CA_UNREACHABLE
>         ca-error: Server at https://<HOST>/ipa/xml failed request, will
> retry: 4301 (RPC failed at server.  Certificate operation cannot be
> completed: Unable to communicate with CMS (Not Found)).
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=<REALM>
>         subject: CN=<HOST>,O=<REALM>
>         expires: 2018-03-22 14:07:50 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,
> dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> ###
>
> Best regards.
>
> Lune
>
> 2018-04-11 19:50 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:
>
>> lune voo via FreeIPA-users wrote:
>> > Hello.
>> >
>> > I contact you because I have a problem of expired certificates on my IPA
>> > servers.
>> >
>> > I'm still using IPA 3.0.0 for the moment.
>> >
>> > # ipa-getcert list
>> > Number of certificates and requests being tracked: 8.
>> > Request ID '20160321140609':
>> >         status: CA_UNREACHABLE
>> >         ca-error: Server at https://<HOST>/ipa/xml failed request, will
>> > retry: 4301 (RPC failed at server.  Certificate operation cannot be
>> > completed: Unable to communicate with CMS (Not Found)).
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-<REALM>',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-<REALM>/pwdfile.txt'
>> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-<REALM>',nickname='Server-Cert',token='NSS Certificate DB'
>> >         CA: IPA
>> >         issuer: CN=Certificate Authority,O=<REALM>
>> >         subject: CN=<HOST>,O=<REALM>
>> >         expires: 2018-03-22 14:06:09 UTC
>> >         key usage:
>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> >         eku: id-kp-serverAuth,id-kp-clientAuth
>> >         pre-save command:
>> >         post-save command:
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20160321140642':
>> >         status: CA_UNREACHABLE
>> >         ca-error: Server at https://<HOST>/ipa/xml failed request, will
>> > retry: 4301 (RPC failed at server.  Certificate operation cannot be
>> > completed: Unable to communicate with CMS (Not Found)).
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>> >         CA: IPA
>> >         issuer: CN=Certificate Authority,O=<REALM>
>> >         subject: CN=<HOST>,O=<REALM>
>> >         expires: 2018-03-22 14:06:41 UTC
>> >         key usage:
>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> >         eku: id-kp-serverAuth,id-kp-clientAuth
>> >         pre-save command:
>> >         post-save command:
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20160321140750':
>> >         status: CA_UNREACHABLE
>> >         ca-error: Server at https://<HOST>/ipa/xml failed request, will
>> > retry: 4301 (RPC failed at server.  Certificate operation cannot be
>> > completed: Unable to communicate with CMS (Not Found)).
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> >         CA: IPA
>> >         issuer: CN=Certificate Authority,O=<REALM>
>> >         subject: CN=<HOST>,O=<REALM>
>> >         expires: 2018-03-22 14:07:50 UTC
>> >         key usage:
>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> >         eku: id-kp-serverAuth,id-kp-clientAuth
>> >         pre-save command:
>> >         post-save command:
>> >         track: yes
>> >         auto-renew: yes
>> >
>> > Because of this, unfortunately, the commands ipa user-show etc. do
>> > not work anymore. I wonder if IPA itself works well or not when we have
>> > this certificate problem?
>> >
>> > Anyway, I came back in time, to before the certificates expire :
>> > ###
>> > service ntpd stop
>> > date --set="2018-03-10 10:00:00"
>> > ###
>> >
>> > And then I tried to renew these certificates with certmonger :
>> > ###
>> > # ipa-getcert resubmit -i 20160321140609
>> > Resubmitting "20160321140609" to "IPA".
>> > # ipa-getcert resubmit -i 20160321140642
>> > Resubmitting "20160321140642" to "IPA".
>> > # ipa-getcert resubmit -i 20160321140750
>> > Resubmitting "20160321140750" to "IPA".
>> > ###
>> >
>> > But it didn't change anything, the certificates are still expired :(.
>> >
>> > I have the following error message in httpd log when I perform a
>> > resubmit.
>> > ###
>> > [Sat Mar 10 11:29:18 2018] [error] ipa: ERROR:
>> > ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate
>> > with CMS (Not Found)
>> > [Sat Mar 10 11:29:18 2018] [error] ipa: INFO: host/<HOST>@<REALM>:
>> > cert_request(u'<CSR>',
>> > principal=u'ldap/<HOST>@<REALM>', add=True): CertificateOperationError
>> > ###
>> >
>> > The CA service is running :
>> > ###
>> > # service ipa status
>> > Directory Service: RUNNING
>> > KDC Service: RUNNING
>> > KPASSWD Service: RUNNING
>> > MEMCACHE Service: RUNNING
>> > HTTP Service: RUNNING
>> > CA Service: RUNNING
>> > ###
>> >
>> > I wonder what I could do ? Thank you in advance for your help.
>>
>> After going back in time restart the pki-cad service then restart
>> certmonger.
>>
>> rob
>>
>
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
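
Added example, not part of the original thread: a shell helper that reads `ipa-getcert list` output in the format quoted above and reports every tracked request that is not in the `MONITORING` state or whose `expires:` date is before a given cutoff, which is the check done by eye after each resubmit. The function names, the cutoff argument and the second sample request are constructed for illustration.

```shell
#!/bin/sh
# Usage on a real host: ipa-getcert list | stale_requests "2018-04-11 00:00:00"
# Prints "<request id> <status> <expires>" for each request needing attention.
stale_requests() {
    cutoff="$1"   # "YYYY-MM-DD HH:MM:SS" in UTC, compared as a string
    awk -v cutoff="$cutoff" -v q="'" '
        function flush() {
            # Report anything not healthy, or already past the cutoff.
            if (id != "" && (status != "MONITORING" || expires < cutoff))
                printf "%s %s %s\n", id, status, expires
        }
        /^Request ID / {
            flush()                       # emit the previous request, if any
            id = $3
            gsub(q, "", id)               # strip the surrounding quotes
            sub(/:$/, "", id)             # strip the trailing colon
            status = ""; expires = ""
        }
        $1 == "status:"  { status = $2 }
        $1 == "expires:" { expires = $2 " " $3 }   # drop the "UTC" suffix
        END { flush() }
    '
}

# Constructed sample: the first request mirrors the thread's output,
# the second is an invented healthy request for contrast.
sample_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20160321140609':
        status: CA_UNREACHABLE
        stuck: no
        expires: 2018-03-22 14:06:09 UTC
        track: yes
        auto-renew: yes
Request ID '20180101000000':
        status: MONITORING
        stuck: no
        expires: 2020-01-01 00:00:00 UTC
        track: yes
        auto-renew: yes
EOF
}

sample_list | stale_requests "2018-04-11 00:00:00"
```

An empty result means every tracked request is in `MONITORING` with an expiry after the cutoff.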
