Hello Florence,

It was the Signing-Cert and the I.domain.NET IPA CA cert. By setting the
clock back I managed to get those to renew, now it seems I just need to get
tomcat-pki to start.

The error is:

Internal Database Error encountered: Could not connect to LDAP server host
xipa1.i.xrs444.net port 636 Error netscape.ldap.LDAPException: Unable to
create socket: org.mozilla.jss.ssl.SSLSocketException:
org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-12195)
Peer does not recognize and trust the CA that issued your certificate. (-1)

certutil -d /etc/pki/pki-tomcat/alias -L

Certificate Nickname                                   Trust Attributes
                                                       SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                u,u,u
ocspSigningCert cert-pki-ca                            u,u,u
O=domain,ST=Arizona,C=US                               CT,C,C
auditSigningCert cert-pki-ca                           u,u,Pu
subsystemCert cert-pki-ca                              u,u,u
caSigningCert cert-pki-ca                              CTu,Cu,Cu

These are all set to expire in 2020 or beyond.

certutil -d /etc/httpd/alias -L Server-Cert

Certificate Nickname                                   Trust Attributes
                                                       SSL,S/MIME,JAR/XPI

Signing-Cert                                           u,u,u
O=xrs444,ST=Arizona,C=US                               CT,C,C
I.XRS444.NET IPA CA                                    CT,C,C
Server-Cert                                            u,u,u

I.XRS444.NET IPA CA and Signing-Cert are the expired certs here.

Thomas

On Wed, Jun 27, 2018 at 12:20 AM Florence Blanc-Renaud <f...@redhat.com> wrote:
> On 06/27/2018 07:02 AM, Thomas Letherby via FreeIPA-users wrote:
> > After some fiddling with dates some more I seem to have the HTTPD cert
> > in sync, however it appears the cert signing cert is expired.
> >
> > named also says it's starting, but doesn't seem to want to respond.
> >
> > I don't have time to dig into it more tonight, but let me know what
> > other information or tests I can run and I'll get them posted tomorrow.
> >
> > Thanks all.
> >
> > Thomas
> >
> > On Mon, Jun 25, 2018 at 5:11 PM Thomas Letherby <xrs...@xrs444.net
> > <mailto:xrs...@xrs444.net>> wrote:
> > >
> > > Hello,
> > >
> > > I think this is everything (domain name changed to protect the
> > > guilty!):
> > >
> > > https://pastebin.com/bF1KR7VJ
> > >
> Hi Thomas,
>
> in the provided pastebin, the error 'certutil: function failed:
> SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old,
> unsupported format' can be easily explained: there is a typo in the
> directory path.
> You can try with certutil -d /etc/pki/pki-tomcat/alias -L -n <nickname>
> (note the pki-tomcat instead of pki-tomcat*d*).
>
> You mention that the cert signing cert is expired, can you clarify which
> certificate this is? Please provide the subject name, certificate
> nickname and location.
>
> Flo
>
> > > I pulled the same on the replica, which appears to be playing up too
> > > in a similar fashion.
> > >
> > > I did just notice the date on the replica is out, I never set it
> > > back when I was trying to get the cert to renew.
> > >
> > > Let me know if you need anything else.
> > >
> > > Thanks,
> > >
> > > Thomas
> > >
> > > On Sun, Jun 24, 2018 at 8:43 PM Fraser Tweedale <ftwee...@redhat.com
> > > <mailto:ftwee...@redhat.com>> wrote:
> > > >
> > > > On Fri, Jun 22, 2018 at 11:16:21PM -0700, Thomas Letherby via
> > > > FreeIPA-users wrote:
> > > > > Hello all,
> > > > > I had an issue a short while ago with a replica which turned out
> > > > > to be an expired certificate which I renewed and all seemed good.
> > > > >
> > > > > Seemed...
> > > > >
> > > > > It now appears that although the certificate renewed as seen by
> > > > > getcert -list, it didn't update /etc/httpd/alias and so the httpd
> > > > > and tomcat-pki services won't start unless I set the date to
> > > > > before the certificate expired, and even then sometimes the httpd
> > > > > error_log shows:
> > > > > Unable to verify certificate 'Server-Cert'. Add
> > > > > "NSSEnforceValidCerts off" to nss.conf so the server can start
> > > > > until the problem can be resolved.
> > > > > and the service fails to start.
> > > > >
> > > > Hi Thomas,
> > > >
> > > > Can you please show `getcert list` output on the server in
> > > > question, as well as the output of
> > > >
> > > > certutil -d /etc/httpd/alias -L Server-Cert
> > > >
> > > > and
> > > >
> > > > certutil -d /etc/pki/pki-tomcatd/alias -L <nickname>
> > > >
> > > > for each nickname in the /etc/pki/pki-tomcatd/alias NSSDB.
> > > >
> > > > And Certmonger journal output. And pki debug log
> > > > /var/log/pki/pki-tomcat/ca/debug.
> > > >
> > > > It is strange that `getcert list' shows an up to date certificate
> > > > while the actual certificate that is being tracked is expired...
> > > >
> > > > Thanks,
> > > > Fraser
> > > >
> > > > > I've tried resubmitting the certificate, and it doesn't seem to
> > > > > throw an error, but it doesn't update /alias either.
> > > > > Trying to access the server via the web page shows the old
> > > > > certificate still in use.
> > > > > I see the same certificate error with the replica server, which
> > > > > was freshly rebuilt and added last week.
> > > > > I've doubtless dug further into the hole trying to troubleshoot
> > > > > this, so I probably need to start from the beginning again, and a
> > > > > pointer in the right direction would be a great help!
> > > > >
> > > > > A getcert list shows all the certificates expiry dates well into
> > > > > the future.
> > > > >
> > > > > How can I get the certs back in sync? I've found a few guides and
> > > > > most seem to be for earlier versions, and I'm not sure if they're
> > > > > still current.
> > > > >
> > > > > I can post whatever logs you think will help, I'm afraid I'm not
> > > > > familiar enough with them all to tell which are the most relevant.
> > > > > Is there a guide for the logs?
> > > > >
> > > > > Thanks for any help you can give,
> > > > >
> > > > > Thomas
> > > > >
> > > > > _______________________________________________
> > > > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > > > > <mailto:freeipa-users@lists.fedorahosted.org>
> > > > > To unsubscribe send an email to
> > > > > freeipa-users-le...@lists.fedorahosted.org
> > > > > <mailto:freeipa-users-le...@lists.fedorahosted.org>
> > > > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > List Archives:
> > > > > https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/CAXKCVP42DLWJQV2TAJFFCR2NG2CBO27/
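The mismatch Fraser calls strange in the thread above (certmonger's `getcert list` reporting an expiry years away while the certificate actually sitting in the NSS database is expired) is easy to detect mechanically rather than by eye. The script below is an added example and is not code from the thread, from FreeIPA or from certmonger: it parses constructed samples of `getcert list` and `certutil -d <db> -L -n <nickname>` output, pairs each tracked certificate with the copy in the database certmonger points at, and reports whether that copy is stale (its validity differs from certmonger's record) or already expired. It assumes the text formats shown in the samples and a host running with TZ=UTC, because certutil prints validity dates in local time while getcert prints UTC; in production the `nss_lookup` callback would run certutil via subprocess instead of reading the embedded samples.

```python
"""Cross-check certmonger's record of each tracked certificate against the
certificate actually stored in the NSS database it points at.

Added example; not FreeIPA/certmonger code. Assumes the output formats in
the constructed samples below and a host running with TZ=UTC."""
import re
from datetime import datetime, timezone

# Constructed sample of `getcert list` output (not taken from the thread).
GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20160621073155':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\texpires: 2020-06-20 07:31:55 UTC
Request ID '20160621073200':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\texpires: 2020-06-20 07:32:00 UTC
"""

# Constructed samples of `certutil -d <location> -L -n <nickname>` output,
# reduced to the validity lines this check reads. The httpd copy was never
# updated after renewal; the pki-tomcat copy matches certmonger's record.
NSS_CERTS = {
    ("/etc/httpd/alias", "Server-Cert"): """\
Certificate:
    Data:
        Validity:
            Not Before: Tue Jun 21 07:31:55 2016
            Not After : Wed Jun 20 07:31:55 2018
""",
    ("/etc/pki/pki-tomcat/alias", "subsystemCert cert-pki-ca"): """\
Certificate:
    Data:
        Validity:
            Not Before: Wed Jun 20 07:32:00 2018
            Not After : Sat Jun 20 07:32:00 2020
""",
}

# Constructed "now": the date of the thread above.
NOW = datetime(2018, 6, 27, 0, 0, 0, tzinfo=timezone.utc)

CERT_RE = re.compile(r"certificate: type=NSSDB,location='([^']+)',nickname='([^']+)'")
EXPIRES_RE = re.compile(r"expires: (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC")
NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+)")


def parse_getcert(text):
    """Return [(location, nickname, expires)] for NSSDB-backed tracking requests."""
    entries = []
    for block in text.split("Request ID")[1:]:
        cert, exp = CERT_RE.search(block), EXPIRES_RE.search(block)
        if cert and exp:
            expires = datetime.strptime(exp.group(1), "%Y-%m-%d %H:%M:%S")
            entries.append((cert.group(1), cert.group(2), expires.replace(tzinfo=timezone.utc)))
    return entries


def parse_not_after(certutil_text):
    """Extract the 'Not After' date from `certutil -L -n` output (assumed UTC)."""
    m = NOT_AFTER_RE.search(certutil_text)
    if m is None:
        raise ValueError("no 'Not After' line in certutil output")
    return datetime.strptime(m.group(1).strip(), "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def check_tracking(getcert_text, nss_lookup, now):
    """Map (location, nickname) -> list of problems found for that certificate.

    nss_lookup(location, nickname) returns certutil -L -n text; here it reads
    the samples, in production it would call certutil via subprocess."""
    findings = {}
    for location, nickname, claimed in parse_getcert(getcert_text):
        actual = parse_not_after(nss_lookup(location, nickname))
        problems = []
        if actual != claimed:  # certmonger renewed, but the NSS DB never got the new cert
            problems.append("stale: certmonger records expiry %s but NSS DB copy expires %s"
                            % (claimed.isoformat(), actual.isoformat()))
        if actual < now:
            problems.append("expired")
        findings[(location, nickname)] = problems
    return findings


def run_example():
    return check_tracking(GETCERT_LIST, lambda loc, nick: NSS_CERTS[(loc, nick)], NOW)


if __name__ == "__main__":
    for (location, nickname), problems in run_example().items():
        print("%s:%s -> %s" % (location, nickname, "; ".join(problems) or "OK"))
```

Any entry flagged "stale" is a certificate where `getcert list` can no longer be trusted as evidence of a successful renewal; the NSS database is what the service actually loads, so that is the copy to inspect and repair.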