Hello everyone.

I tried an alternatives --config java and saw that there was a JAVA8
installed on the master.

I stopped ipa service and I uninstalled JAVA8 from this node.
Then I restarted IPA service and retried to renew the certificate with the
same command I already used.

And it worked :)

So then I stopped IPA, turned back the time to normal and restarted IPA.

Do you know if IPA4 on RHEL7 is compatible with JAVA8, Rob?

Thanks for the help.

BR.

Lune




2018-04-11 20:25 GMT+02:00 lune voo <lune.voo1...@gmail.com>:

> As a note, I can see this in the debug file in var/log/pki-ca/debug
> ###
>
> [main]: SigningUnit init: debug 
> java.security.cert.CertificateParsingException: java.io.IOException: 
> java.lang.NoClassDefFoundError: sun/io/CharToByteConverter
>
> ###
>
> BR.
>
> Lune
>
> 2018-04-11 20:17 GMT+02:00 lune voo <lune.voo1...@gmail.com>:
>
>> Hello Rob.
>>
>> I restarted the pki-cad service
>> ###
>> # service pki-cad restart
>> Stopping pki-ca: waiting for processes 56678 to exit
>> killing 56678 which did not stop after 30 seconds          [WARNING]
>>                                                            [  OK  ]
>> Starting pki-ca:                                           [  OK  ]
>>
>> ###
>>
>> Then I restarted certmonger :
>> ###
>> service certmonger restart
>> Stopping certmonger:                                       [  OK  ]
>> Starting certmonger:                                       [  OK  ]
>> ###
>>
>> Then I tried to resubmit the three certificates:
>> ###
>> ipa-getcert resubmit -i 20160321140609
>> Resubmitting "20160321140609" to "IPA".
>>
>> ipa-getcert resubmit -i 20160321140642
>> Resubmitting "20160321140642" to "IPA".
>>
>> ipa-getcert resubmit -i 20160321140750
>> Resubmitting "20160321140750" to "IPA".
>> ###
>>
>> But when I do an ipa-getcert list, I still have the same expiration date :
>> ###
>>
>> ipa-getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20160321140609':
>>         status: CA_UNREACHABLE
>>         ca-error: Server at https://<HOST>/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-<REALM>',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-<REALM>/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-<REALM>',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=<REALM>
>>         subject: CN=<HOST>,O=<REALM>
>>         expires: 2018-03-22 14:06:09 UTC
>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20160321140642':
>>         status: CA_UNREACHABLE
>>         ca-error: Server at https://<HOST>/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=<REALM>
>>         subject: CN=<HOST>,O=<REALM>
>>         expires: 2018-03-22 14:06:41 UTC
>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> Request ID '20160321140750':
>>         status: CA_UNREACHABLE
>>         ca-error: Server at https://<HOST>/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=<REALM>
>>         subject: CN=<HOST>,O=<REALM>
>>         expires: 2018-03-22 14:07:50 UTC
>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>> ###
>>
>> Best regards.
>>
>> Lune
>>
>> 2018-04-11 19:50 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:
>>
>>> lune voo via FreeIPA-users wrote:
>>> > Hello.
>>> >
>>> > I contact you because I have a problem of expired certificates on my
>>> > IPA servers.
>>> >
>>> > I'm still using IPA 3.0.0 for the moment.
>>> >
>>> > # ipa-getcert list
>>> > Number of certificates and requests being tracked: 8.
>>> > Request ID '20160321140609':
>>> >         status: CA_UNREACHABLE
>>> >         ca-error: Server at https://<HOST>/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>>> >         stuck: no
>>> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-<REALM>',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-<REALM>/pwdfile.txt'
>>> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-<REALM>',nickname='Server-Cert',token='NSS Certificate DB'
>>> >         CA: IPA
>>> >         issuer: CN=Certificate Authority,O=<REALM>
>>> >         subject: CN=<HOST>,O=<REALM>
>>> >         expires: 2018-03-22 14:06:09 UTC
>>> >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> >         eku: id-kp-serverAuth,id-kp-clientAuth
>>> >         pre-save command:
>>> >         post-save command:
>>> >         track: yes
>>> >         auto-renew: yes
>>> > Request ID '20160321140642':
>>> >         status: CA_UNREACHABLE
>>> >         ca-error: Server at https://<HOST>/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>>> >         stuck: no
>>> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>> >         CA: IPA
>>> >         issuer: CN=Certificate Authority,O=<REALM>
>>> >         subject: CN=<HOST>,O=<REALM>
>>> >         expires: 2018-03-22 14:06:41 UTC
>>> >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> >         eku: id-kp-serverAuth,id-kp-clientAuth
>>> >         pre-save command:
>>> >         post-save command:
>>> >         track: yes
>>> >         auto-renew: yes
>>> > Request ID '20160321140750':
>>> >         status: CA_UNREACHABLE
>>> >         ca-error: Server at https://<HOST>/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>>> >         stuck: no
>>> >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>> >         CA: IPA
>>> >         issuer: CN=Certificate Authority,O=<REALM>
>>> >         subject: CN=<HOST>,O=<REALM>
>>> >         expires: 2018-03-22 14:07:50 UTC
>>> >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> >         eku: id-kp-serverAuth,id-kp-clientAuth
>>> >         pre-save command:
>>> >         post-save command:
>>> >         track: yes
>>> >         auto-renew: yes
>>> >
>>> > Because of this, unfortunately, the commands ipa user-show etc. do
>>> > not work anymore. I wonder if IPA itself works well or not when we have
>>> > this certificate problem?
>>> >
>>> > Anyway, I came back in time, to before the certificates expire :
>>> > ###
>>> > service ntpd stop
>>> > date --set="2018-03-10 10:00:00"
>>> > ###
>>> >
>>> > And then I tried to renew these certificates with certmonger :
>>> > ###
>>> > # ipa-getcert resubmit -i 20160321140609
>>> > Resubmitting "20160321140609" to "IPA".
>>> > # ipa-getcert resubmit -i 20160321140642
>>> > Resubmitting "20160321140642" to "IPA".
>>> > # ipa-getcert resubmit -i 20160321140750
>>> > Resubmitting "20160321140750" to "IPA".
>>> > ###
>>> >
>>> > But it didn't change anything, the certificates are still expired :(.
>>> >
>>> > I have the following error message in httpd log when I perform a
>>> > resubmit.
>>> > ###
>>> > [Sat Mar 10 11:29:18 2018] [error] ipa: ERROR:
>>> > ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate
>>> > with CMS (Not Found)
>>> > [Sat Mar 10 11:29:18 2018] [error] ipa: INFO: host/<HOST>@<REALM>:
>>> > cert_request(u'<base64 CSR omitted>',
>>> > principal=u'ldap/<HOST>@<REALM>', add=True): CertificateOperationError
>>> > ###
>>> >
>>> > The CA service is running :
>>> > ###
>>> > # service ipa status
>>> > Directory Service: RUNNING
>>> > KDC Service: RUNNING
>>> > KPASSWD Service: RUNNING
>>> > MEMCACHE Service: RUNNING
>>> > HTTP Service: RUNNING
>>> > CA Service: RUNNING
>>> > ###
>>> >
>>> > I wonder what I could do ? Thank you in advance for your help.
>>>
>>> After going back in time restart the pki-cad service then restart
>>> certmonger.
>>>
>>> rob
>>>
>>
>>
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
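
The check repeated by eye in this thread after each resubmit (status and expiry of every request in `ipa-getcert list`), as an added example that is not part of the original messages. The function names and the second sample entry are constructed, and MONITORING is assumed to be the only healthy certmonger state.

```bash
# Added example: summarise `ipa-getcert list` output read from stdin.
# Prints "<request id> <status> <expired|valid|nocert> <expires>" for each
# tracked request that is not in MONITORING state or is expired at the
# reference time $1 ("YYYY-MM-DD HH:MM:SS", UTC; defaults to the system clock).
# The reference time matters here because the clock was set back on purpose.
getcert_problems() {
    local now="${1:-$(date -u '+%Y-%m-%d %H:%M:%S')}"
    awk -v now="$now" '
        function report() {
            if (id == "") return
            # ISO-style timestamps sort correctly as plain strings.
            if (expires == "")      state = "nocert"
            else if (expires < now) state = "expired"
            else                    state = "valid"
            if (status != "MONITORING" || state != "valid")
                print id, status, state, expires
        }
        /^Request ID / {
            report()
            split($0, part, "\047")      # \047 is the single quote
            id = part[2]; status = ""; expires = ""
        }
        $1 == "status:"  { status = $2 }
        $1 == "expires:" { expires = $2 " " $3 }
        END { report() }
    '
}

# Constructed sample: the first entry is shaped like the listing in the
# thread, the second is a hypothetical healthy entry for contrast.
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20160321140609':
        status: CA_UNREACHABLE
        stuck: no
        CA: IPA
        expires: 2018-03-22 14:06:09 UTC
        auto-renew: yes
Request ID '20160321140750':
        status: MONITORING
        stuck: no
        CA: IPA
        expires: 2020-03-22 14:07:50 UTC
        auto-renew: yes
EOF
}

# On a real server: ipa-getcert list | getcert_problems
sample_getcert_list | getcert_problems "2018-04-11 18:00:00"
```

Run once with the rolled-back date and once with the real date: a request that is `valid` only under the rolled-back clock has not actually been renewed.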
