Hey Flo - thanks for the quick response and input.
I stumbled across the link you referenced this past weekend. For now,
I'm ok with using BasicAuth to keep the system running.
However, that is indicative of an underlying cert issue and may be
related to the other issues mentioned in the post.
My biggest/most-pressing issue is that I have an UNREACHABLE CA ... Is
this problem due to the tomcat-pki not being able to login?? I would
think that after switching over to binddn/password that the UNREACHABLE
would resolve itself if that were the case.
Basically, I think I'm having 2 issues.
1) the Dogtag PKI --> LDAP auth, which I think I have fixed for now.
2) I don't know how to fix the UNREACHABLE for the certs on the NSSDB
(see below)
I know I'm missing something but I'm so new to this platform that I
literally don't know where/how to fix.
Thanks again.
On 4/17/2023 4:03 AM, Florence Blanc-Renaud wrote:
Hi,
On Mon, Apr 17, 2023 at 5:42 AM Justin Sanderson via FreeIPA-users
<[email protected]> wrote:
THANKS IN ADVANCE FOR ANY HELP INFO YOU CAN PROVIDE!!
Greatly Appreciate!!
Ok. So after doing a LOT of reading and learning about FreeIPA the
past 2 days (yep, I inherited), I was able to fix my problem of
pki-tomcatd (Dogtag, I think it's called) so that it would start.
</gre_replace>
<gr_replace lines="28" cat="clarify" orig="to get the service">
to get the service to start, so that's a win.
The pki-tomcatd service wouldn't start due to some cert issues. I
was fortunate enough to figure out how to enable BasicAuth for now
to get the service to start.. so thats a win.
So it means that PKI was not able to authenticate to the LDAP server
using the certificate subsystemCert cert-pki-ca and you switched from
certificate-based authentication to simple bind using DN/password.
There are some troubleshooting hints here for this specific issue:
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
HTH,
flo
My SETUP:
I have a single server instance as a VM. There are no replicas.
The FreeIPA configuration is:
1) No DNS BIND server - using external DNS via AD in /etc/resolv.conf
2) We ARE running all other services
3) Self-signed CA configuration using Dogtag, I think it's called.
There are no external certs being used.
ipactl start has no issues now after I fixed the pki-tomcatd start
problem using BasicAuth (workaround)
PROBLEM :
When I run "getcert list" I have 3 that have status CA_UNREACHABLE
and ALL of them are related to /etc/pki/pki-tomcat/alias NSSDB.
They are set to expire in a few weeks so I need to figure this
out. Needing some help.
The getcert list outputs a total of 9 or 10 certs so I don't think
I'm missing anything. Based off what I was able to find, it's
common to have 8-10 certs in the output...?
Below are 2 of 3 certs that are going to expire soon and whose CA
is in an UNREACHABLE state. They all use the same NSSDB.
**I have no idea where to start looking to fix this problem...
which log file... how is it supposed to talk to the NSSDB? It's
not a socket...? **
I'm worried that the certs will expire and I won't know how to fix
it, or where to even look. HELP!!
I've seen several people posting already about certmonger not
successfully tracking/renewing some certs so I'm a bit concerned,
especially given the CA_UNREACHABLE error.
How do I fix this:
1) Manually generate new certs, and where do I put them?
2) Why is the CA_UNREACHABLE on an NSSDB? The files are there
and intact. I can view the contents no problem.
============ getcert list output ============================
Request ID '20190621200128':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=[SANITIZED DNS NAME]
subject: CN=CA Audit,O=[SANITIZED DNS NAME]
expires: 2023-05-04 12:52:47 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20190621200129':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=[SANITIZED DNS NAME]
subject: CN=OCSP Subsystem,O=[SANITIZED DNS NAME]
expires: 2023-05-04 12:53:17 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
============================================================
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to
[email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
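A defender-side check prompted by the getcert output above, added here as an example and not code from the thread or from FreeIPA/certmonger: it parses `getcert list` text and reports every tracking request that will not renew unattended, either because its status is not MONITORING (as with the CA_UNREACHABLE entries) or because it expires within a warning window. The sample text is constructed from the two quoted requests plus one healthy entry; the O= values and the third request are placeholders.

```python
"""Flag certmonger tracking requests that need operator attention."""
import re
from datetime import datetime, timezone

# Constructed sample in `getcert list` layout; O= values are placeholders.
SAMPLE_GETCERT_LIST = """\
Request ID '20190621200128':
\tstatus: CA_UNREACHABLE
\tca-error: Internal error
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\texpires: 2023-05-04 12:52:47 UTC
Request ID '20190621200129':
\tstatus: CA_UNREACHABLE
\tca-error: Internal error
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\texpires: 2023-05-04 12:53:17 UTC
Request ID '20190621200130':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\texpires: 2024-06-21 20:01:30 UTC
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S %Z"   # certmonger prints e.g. "2023-05-04 12:52:47 UTC"
NICK_RE = re.compile(r"nickname='([^']*)'")


def parse_getcert_list(text):
    """Split getcert output into one dict per 'Request ID' block (key -> value)."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
        elif current is not None and ": " in line:
            key, _, value = line.strip().partition(": ")
            current[key] = value
    return requests


def certs_needing_attention(text, now_utc="2023-04-17 00:00:00 UTC", warn_days=30):
    """Return (request_id, nickname, reason) for requests certmonger will not renew on its own."""
    now = datetime.strptime(now_utc, TIME_FMT).replace(tzinfo=timezone.utc)
    findings = []
    for req in parse_getcert_list(text):
        nick = (NICK_RE.search(req.get("certificate", "")) or [None, "?"])[1]
        expires = datetime.strptime(req["expires"], TIME_FMT).replace(tzinfo=timezone.utc)
        days_left = (expires - now).days
        if req.get("status") != "MONITORING":   # renewal is stalled; expiry clock still runs
            findings.append((req["request_id"], nick,
                             f"status {req['status']}: {req.get('ca-error', '')} ({days_left} days left)"))
        elif days_left <= warn_days:            # healthy but close to expiry
            findings.append((req["request_id"], nick, f"expires in {days_left} days"))
    return findings
```

Run against the real output of `getcert list` on the IPA server; anything listed is a certificate whose renewal should be investigated before the `expires` date passes.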