On 1/8/20 3:30 AM, Ferdinand Babas via FreeIPA-users wrote:
Hi Flo,

Thanks for the response.

On 1/6/20 10:12 PM, Ferdinand Babas via FreeIPA-users wrote:
Hi,
this error usually happens when there are issues with the subsystemCert
cert-pki-ca. According to your certutil output, the cert is missing
u,u,u flags, can you check if the associated key is present?
- Get the password to access the key:
$ sudo grep internal /var/lib/pki/pki-tomcat/conf/password.conf | cut -d= -f2 > /tmp/pwdfile.txt

- Check if the key is present in the NSSdb:
$ sudo certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt | grep subsystemCert

If the key is there, you should see a line with
< id> rsa      81c..d04   subsystemCert cert-pki-ca

The above steps failed for me with the following:

Incorrect password/PIN entered.
certutil: could not authenticate to token NSS Certificate DB.: 
SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.

Do you have the file /var/lib/pki/pki-tomcat/conf/password.conf ? Its content is usually:
internal=<password>
replicationdb=<number>

If it's empty/missing, you can also check if there is a /etc/pki/pki-tomcat/alias/pwdfile.txt which should contain the password.

You really need this password if you want to manage the private keys inside the NSS DB.

The above steps did work with the other 3 nodes however:

< 3> rsa      48f4a4...2c126e   NSS Certificate DB:subsystemCert cert-pki-ca
If the key is missing you can recover it from another node where the CA
is installed.
How would I recover the key from the other nodes?
Export key + cert with pk12util from an other node, then import. But you will need the NSSDB password.

The 'auditSigningCert cert-pki-ca' is the same on all the nodes with CA.
If you are able to get it from another machine, you can import the cert
on this master. First check if the key is present (with certutil -K),
and if needed also get the key from another node.

To export cert+key from a NSSDB to a p12 file: pk12util -d /etc/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca' -o file.p12
To import cert+key from a p12 file to a NSSDB: pk12util -d /etc/pki/pki-tomcat/alias -i file.p12
Regarding the 'auditSigningCert cert-pki-ca' I ran the export command you provided but got stuck when prompted for the password (Enter Password or Pin for "NSS Certificate DB":). What should I do if I have no idea what the password is?
The password is the NSS DB's password, stored in /var/lib/pki/pki-tomcat/conf/password.conf or /etc/pki/pki-tomcat/alias/pwdfile.txt.

flo

HTH,
flo

Thanks so much for your help!!

Ferdinand
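The steps discussed in this thread, put together as a small POSIX sh script. This is an added example, not code from flo, Ferdinand or the Dogtag/FreeIPA projects: the two paths are the ones quoted above, while the function names and the sample certutil output are this example's own. It reads the NSS DB password from password.conf, checks whether a private key for a nickname is listed by certutil -K, and wraps the pk12util export/import so the password is passed via -k instead of the interactive prompt Ferdinand got stuck on.

```shell
#!/bin/sh
# Added example for this thread (not code from flo, Ferdinand or the pki/FreeIPA
# projects). Wraps the checks discussed above: read the NSS DB password from
# password.conf, confirm a private key is listed by "certutil -K", and move
# cert+key between nodes with pk12util without an interactive prompt.
# The two paths below are the ones quoted in the thread; every function name
# and the sample certutil output are this example's own.

PKI_PASSWORD_CONF="${PKI_PASSWORD_CONF:-/var/lib/pki/pki-tomcat/conf/password.conf}"
PKI_ALIAS_DIR="${PKI_ALIAS_DIR:-/etc/pki/pki-tomcat/alias}"

# Print the value of the "internal=" line of password.conf.
# Unlike "grep internal | cut -d= -f2" this ignores other lines that merely
# contain the word "internal" and keeps a password that itself contains '='.
internal_password() {
    conf="$1"
    [ -r "$conf" ] || return 1
    pw=$(sed -n 's/^internal=//p' "$conf" | head -n 1)
    [ -n "$pw" ] || return 1
    printf '%s\n' "$pw"
}

# Read "certutil -K" output on stdin; succeed only if a key line ends with the
# given nickname, preceded by ':' (token prefix) or a space. certutil prints
# lines like (constructed sample, modelled on the thread):
#   <  3> rsa      48f4a4...2c126e   NSS Certificate DB:subsystemCert cert-pki-ca
key_listed() {
    awk -v nick="$1" '
        /^< *[0-9]+> +(rsa|ec|dsa|dh) / {
            n = length(nick); L = length($0)
            if (L > n && substr($0, L - n + 1) == nick) {
                c = substr($0, L - n, 1)
                if (c == ":" || c == " ") found = 1
            }
        }
        END { if (found) exit 0; exit 1 }'
}

# Write the password to a private temp file (mktemp creates it mode 0600) so it
# is never left world-readable under /tmp. The caller removes it.
password_file() {
    f=$(mktemp) || return 1
    internal_password "$PKI_PASSWORD_CONF" > "$f" || { rm -f "$f"; return 1; }
    printf '%s\n' "$f"
}

# Check on this host whether the key for NICK (default subsystemCert) is present.
# Exit 0 = present, 1 = absent, 2 = certutil itself failed (e.g. wrong password).
check_key() {
    nick="${1:-subsystemCert cert-pki-ca}"
    pwf=$(password_file) || { echo "no usable password in $PKI_PASSWORD_CONF" >&2; return 2; }
    out=$(certutil -K -d "$PKI_ALIAS_DIR" -f "$pwf" 2>&1); rc=$?
    rm -f "$pwf"
    if [ "$rc" -ne 0 ]; then echo "certutil failed: $out" >&2; return 2; fi
    printf '%s\n' "$out" | key_listed "$nick"
}

# Export cert+key for NICK to a PKCS#12 file on a healthy node. -k supplies the
# NSS DB password file, -w the file holding the password protecting the .p12.
export_p12() {
    nick="$1"; p12="$2"; p12pw="$3"
    pwf=$(password_file) || return 2
    pk12util -d "$PKI_ALIAS_DIR" -n "$nick" -o "$p12" -k "$pwf" -w "$p12pw"; rc=$?
    rm -f "$pwf"; return "$rc"
}

# Import a PKCS#12 file (cert+key) into this node's NSS DB.
import_p12() {
    p12="$1"; p12pw="$2"
    pwf=$(password_file) || return 2
    pk12util -d "$PKI_ALIAS_DIR" -i "$p12" -k "$pwf" -w "$p12pw"; rc=$?
    rm -f "$pwf"; return "$rc"
}

# Usage: sh thisscript.sh check ['subsystemCert cert-pki-ca']
if [ "${1:-}" = "check" ]; then
    if check_key "${2:-subsystemCert cert-pki-ca}"; then echo "key present"; else echo "key missing or check failed"; fi
fi
```

Run it as root on the node that shows the SEC_ERROR_BAD_PASSWORD error first: a return code of 2 from check_key means the password from password.conf did not open the database at all (so fall back to /etc/pki/pki-tomcat/alias/pwdfile.txt as flo suggests), whereas 1 means the database opened but the key really is missing and has to be brought over with export_p12 on another CA node and import_p12 here. Because the .p12 carries a private key, keep it on root-only paths and delete it after the import.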
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
