You're totally right. I feel dumb.

Ok so I did the following:

I edited the renew-le.sh and replaced the cert name but the line that adds the cert again
"certutil -A -d ... -n Server-Cert"

Edited /etc/httpd/conf.d/nss.conf and changed the NSSNickname

But I still can't start pki-tomcatd:

# systemctl status pki-tomcatd@pki-tomcat -l
● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-06-17 17:24:46 WEST; 19s ago
  Process: 4750 ExecStop=/usr/libexec/tomcat/server stop (code=exited, status=0/SUCCESS)
  Process: 4788 ExecStartPre=/usr/bin/pkidaemon start %i (code=exited, status=0/SUCCESS)
 Main PID: 4916 (java)
   CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service
           └─4916 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy org.apache.catalina.startup.Bootstrap start

Jun 17 17:24:48 main.domain.io server[4916]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
Jun 17 17:24:48 main.domain.io server[4916]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
Jun 17 17:24:48 main.domain.io server[4916]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
Jun 17 17:24:48 main.domain.io server[4916]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
Jun 17 17:24:48 main.domain.io server[4916]: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
Jun 17 17:24:48 main.domain.io server[4916]: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.
Jun 17 17:24:56 main.domain.io server[4916]: CMSEngine.initializePasswordStore() begins
Jun 17 17:24:56 main.domain.io server[4916]: CMSEngine.initializePasswordStore(): tag=internaldb
Jun 17 17:24:56 main.domain.io server[4916]: CMSEngine.initializePasswordStore(): tag=replicationdb
Jun 17 17:24:56 main.domain.io server[4916]: Internal Database Error encountered: Could not connect to LDAP server host main.domain.io port 636 Error netscape.ldap.LDAPException: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused) (-1)

Currently all other services appear to be ok. Do I have to install it manually here now?
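A small triage helper for the status output above, added here as an example and not part of the thread or of the renew-le.sh script. It separates the Tomcat digester warnings ("did not find a matching property", which are noise from JSS connector attributes and not the failure) from the actual error line, and pulls out the LDAP host and port the CA could not reach. Port 636 on an IPA server is the 389 Directory Server instance, so the next check is whether that service is listening. The sample log text is constructed to match the shape of the lines posted above; the function and variable names are my own.

```bash
#!/bin/sh
# Added example (not from the thread): triage a pki-tomcatd start that ends in
# "Could not connect to LDAP server host ... port ...".

# Constructed sample, shaped like the journal lines in the status output.
SAMPLE_LOG=$(cat <<'EOF'
Jun 17 17:24:48 main.domain.io server[4916]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
Jun 17 17:24:56 main.domain.io server[4916]: CMSEngine.initializePasswordStore(): tag=internaldb
Jun 17 17:24:56 main.domain.io server[4916]: Internal Database Error encountered: Could not connect to LDAP server host main.domain.io port 636 Error netscape.ldap.LDAPException: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused) (-1)
EOF
)

# Print "host:port" of the LDAP server the CA failed to reach; log text is $1.
ldap_target_from_log() {
    printf '%s\n' "$1" |
        sed -n 's/.*Could not connect to LDAP server host \([^ ]*\) port \([0-9]*\).*/\1:\2/p' |
        head -n 1
}

# Count the digester warnings. Tomcat emits these for the JSS connector
# attributes it does not know; they are not what stops the CA from working.
count_property_warnings() {
    printf '%s\n' "$1" | grep -c 'did not find a matching property' || true
}

# Classify the log: "ldap" when the internal database is unreachable,
# "other" when some other error line is present, "clean" otherwise.
classify_startup_log() {
    if printf '%s\n' "$1" | grep -q 'Could not connect to LDAP server'; then
        echo ldap
    elif printf '%s\n' "$1" | grep -qi 'error'; then
        echo other
    else
        echo clean
    fi
}

# Live check meant for the IPA host itself (not run by the offline demo below):
# returns 0 when something is listening on the port taken from "host:port".
ldap_port_listening() {
    port="${1##*:}"
    ss -ltn 2>/dev/null | awk -v p=":$port" '$4 ~ p"$" { found = 1 } END { exit !found }'
}

# Offline demo over the constructed sample.
target=$(ldap_target_from_log "$SAMPLE_LOG")
echo "CA could not reach LDAP at: $target"
echo "digester warnings (noise): $(count_property_warnings "$SAMPLE_LOG")"
echo "classification: $(classify_startup_log "$SAMPLE_LOG")"
```

On the server, feed it the real output (`journalctl -u pki-tomcatd@pki-tomcat -b`) and, if the classification is "ldap", run `ldap_port_listening "$target"` before touching the certificate nickname again: a refused connection on 636 points at the directory server, not at the NSS database or renew-le.sh.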

You must have restored your git repo to HEAD. As I said before, the
current HEAD does not work against anything < IPA 4.7.something.

You need to get to the commit before "Move from mod_nss to mod_ssl"

Then you'll see Server-Cert in renew-le.sh.

---

We don't normally just dump code but it's a specific script for the
demo. It seemed generally useful so it was shared.

It has no branches and only supports the latest release of IPA that the
demo runs.

There are no plans to generalize or package it. You're free to tackle it
if you'd like and include it in EPEL, for example.

rob

I'm not skilled enough to do that, but maybe it is a fun project to learn from somewhere in the future :)
Thanks for all the help so far!

Ricardo
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org