Ricardo Mendes wrote:
> You're totally right. I feel dumb.
> 
> Ok so I did the following:
> 
> I edited the renew-le.sh and replaced the cert name but the line that
> adds the cert again
> "certutil -A -d ... -n Server-Cert"
> 
> Edited /etc/httpd/conf.d/nss.conf and changed the NSSNickname
> 
> But I still can't start pki-tomcatd:
> 
> # systemctl status pki-tomcatd@pki-tomcat -l
> ● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
>    Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
>    Active: active (running) since Wed 2020-06-17 17:24:46 WEST; 19s ago
>   Process: 4750 ExecStop=/usr/libexec/tomcat/server stop (code=exited, status=0/SUCCESS)
>   Process: 4788 ExecStartPre=/usr/bin/pkidaemon start %i (code=exited, status=0/SUCCESS)
>  Main PID: 4916 (java)
>    CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service
>            └─4916 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy org.apache.catalina.startup.Bootstrap start
> 
> Jun 17 17:24:48 main.domain.io server[4916]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property.
> Jun 17 17:24:48 main.domain.io server[4916]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property.
> Jun 17 17:24:48 main.domain.io server[4916]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property.
> Jun 17 17:24:48 main.domain.io server[4916]: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property.
> Jun 17 17:24:48 main.domain.io server[4916]: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
> Jun 17 17:24:48 main.domain.io server[4916]: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property.
> Jun 17 17:24:56 main.domain.io server[4916]: CMSEngine.initializePasswordStore() begins
> Jun 17 17:24:56 main.domain.io server[4916]: CMSEngine.initializePasswordStore(): tag=internaldb
> Jun 17 17:24:56 main.domain.io server[4916]: CMSEngine.initializePasswordStore(): tag=replicationdb
> Jun 17 17:24:56 main.domain.io server[4916]: Internal Database Error encountered: Could not connect to LDAP server host main.domain.io port 636 Error netscape.ldap.LDAPException: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused) (-1)
> 
> Currently all other services appear to be ok. Do I have to install it
> manually here now?

My guess is that the LE CA certificates are not trusted by the NSS
database that dogtag uses. Assuming you've added those CA certificates
to IPA using ipa-cacert-manage install then running ipa-certupdate
should fix things for you.

rob
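A way to check Rob's hypothesis before re-running the renewal, as an added example that is not part of the original thread: the shell snippet below parses `certutil -L` output for the NSS database dogtag uses and reports whether a CA nickname carries the "C" SSL trust flag that the LDAPS connection on 636 depends on. The listing and the nickname LE-Intermediate-CA are constructed; on a live server feed it the real output of `certutil -L -d /var/lib/pki/pki-tomcat/alias`.

```shell
#!/bin/sh
# Added example, not from the thread: interpret `certutil -L` trust flags for the NSS
# database dogtag uses, so "LE CA not trusted" can be confirmed before chasing the
# LDAPS "Connection refused". The listing below is CONSTRUCTED sample output of
# `certutil -L -d /var/lib/pki/pki-tomcat/alias`; nicknames other than Server-Cert are assumed.
SAMPLE_NSS_LIST='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
LE-Intermediate-CA                                           ,,
'

# nss_trust NICK LISTING: print NICK's trust attributes (e.g. "CT,C,C"); fail if absent.
nss_trust() {
    printf '%s\n' "$2" | {
        while IFS= read -r line; do
            trust=${line##* }                                # last whitespace-separated field
            case $trust in *,*,*) ;; *) continue ;; esac     # need the SSL,S/MIME,JAR groups
            case $trust in *[!pPcCTuw,]*) continue ;; esac   # skip the column-header line
            name=${line%"$trust"}
            name=${name%"${name##*[! ]}"}                    # strip the padding before the flags
            if [ "$name" = "$1" ]; then
                printf '%s\n' "$trust"
                exit 0                                       # exits only the pipeline subshell
            fi
        done
        exit 1
    }
}

# nss_trusted_for_server_auth NICK LISTING: true only if NICK's SSL group contains "C"
# (trusted CA for server certs), which the dogtag-to-LDAPS connection relies on.
nss_trusted_for_server_auth() {
    flags=$(nss_trust "$1" "$2") || return 1
    case ${flags%%,*} in *C*) return 0 ;; esac
    return 1
}

# Demo against the constructed listing; on a live server pass
# "$(certutil -L -d /var/lib/pki/pki-tomcat/alias)" as the second argument instead.
if nss_trusted_for_server_auth 'LE-Intermediate-CA' "$SAMPLE_NSS_LIST"; then
    echo 'LE CA trusted for server auth in the dogtag NSS db'
else
    echo 'LE CA missing or untrusted: ipa-cacert-manage install, then ipa-certupdate'
fi
```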

> 
>> You must have restored your git repo to HEAD. As I said before, the
>> current HEAD does not work against anything < IPA 4.7.something.
>>
>> You need to get to the commit before "Move from mod_nss to mod_ssl"
>>
>> Then you'll see Server-Cert in renew-le.sh.
>>
>> ---
>>
>> We don't normally just dump code but it's a specific script for the
>> demo. It seemed generally useful so it was shared.
>>
>> It has no branches and only supports the latest release of IPA that the
>> demo runs.
>>
>> There are no plans to generalize or package it. You're free to tackle it
>> if you'd like and include it in EPEL, for example.
>>
>> rob
>>
> I'm not skilled to do that, but maybe it is a fun project to learn how
> somewhere in the future :)
> Thanks for all the help so far!
> 
> Ricardo
> 
_______________________________________________
FreeIPA-users mailing list -- [email protected]