Hi,

On Mon, Apr 17, 2023 at 3:32 PM Justin Sanderson <[email protected]> wrote:

> Hey Flo - thanks for the quick response and input.
>
> I stumbled across the link you referenced this past weekend. For now, I'm ok with using BasicAuth to keep the system running.
>
> However, that is indicative of an underlying cert issue and may be related to the other issues mentioned in the post.
>
> My biggest/most-pressing issue is that I have an UNREACHABLE CA ... Is this problem due to the tomcat-pki not being able to log in?? I would think that after switching over to binddn/password that the UNREACHABLE would resolve itself if that were the case.
>
> Basically, I think I'm having 2 issues.
>
> 1) the dogtag pki --> ldap auth which I think I have fixed for now.
>
> 2) I don't know how to fix the UNREACHABLE for the certs on the NSSDB (see below)
>

Can you check if the PKI server is responsive using the following commands?

# kinit admin
# ipa cert-show 1

- If the command properly returns something then it means PKI is reachable and you can retry the renewal with

# getcert resubmit -i <request id>

with <request id> corresponding to the ID for auditSigningCert cert-pki-ca / ocspSigningCert cert-pki-ca. Wait for one renewal to complete successfully (getcert list -i <request id> displays MONITORING when the renewal is done) before launching the next one. You can observe the journal for additional logs.

- If the command fails, additional debugging will be needed; the first step would be to create /etc/ipa/server.conf with the following content:

[global]
debug=True

and restart the stack with "ipactl restart". Then check the content of /var/log/httpd/error_log when you run "ipa cert-show 1"; it will contain additional messages.

By the way, which IPA version is installed?

# rpm -qa | grep ipa-server

flo

> I know I'm missing something but I'm so new to this platform that I literally don't know where/how to fix.
>
> Thanks again.
>
> On 4/17/2023 4:03 AM, Florence Blanc-Renaud wrote:
>> Hi,
>>
>> On Mon, Apr 17, 2023 at 5:42 AM Justin Sanderson via FreeIPA-users <[email protected]> wrote:
>>> THANKS IN ADVANCE FOR ANY HELP INFO YOU CAN PROVIDE!!
>>>
>>> Greatly Appreciate!!
>>>
>>> Ok. So after doing a LOT of reading and learning about FreeIPA the past 2 days (yep, I inherited), I was able to fix my problem of pki-tomcatd (DogTAG I think it's called) so that it would start.
>>>
>>> The pki-tomcatd service wouldn't start due to some cert issues. I was fortunate enough to figure out how to enable BasicAuth for now to get the service to start.. so that's a win.
>>
>> So it means that PKI was not able to authenticate to the LDAP server using the certificate subsystemCert cert-pki-ca and you switched from certificate-based authentication to simple bind using DN/password.
>>
>> There are some troubleshooting hints here for this specific issue:
>> https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
>>
>> HTH,
>> flo
>>
>>> My SETUP:
>>>
>>> I have a single server instance as a VM. There are no replicas.
>>>
>>> The FreeIPA configuration is:
>>>
>>> 1) No DNS BIND server - using external DNS via AD in /etc/resolv.conf
>>>
>>> 2) We ARE running all other services
>>>
>>> 3) Self-Signed CA configuration using DogTag I think it's called. There are no external certs being used.
>>>
>>> ipactl start has no issues now after I fixed the pki-tomcatd start problem using BasicAuth (workaround)
>>>
>>> PROBLEM :
>>>
>>> When I run "getcert list" I have 3 that have status CA_UNREACHABLE and ALL of them are related to /etc/pki/pki-tomcat/alias NSSDB.
>>>
>>> They are set to expire in a few weeks so I need to figure this out.. needing some help.
>>>
>>> The getcert list outputs a total of 9 or 10 certs so I don't think I'm missing anything.. Based off what I was able to find, it's common to have 8-10 certs in the output...?
>>>
>>> Below are 2 of 3 certs that are going to expire soon and their CA is in an UNREACHABLE state. They all use the same NSSDB
>>>
>>> **I have no idea where to start looking to fix this problem... which log file... how is it supposed to talk to the NSSDB. it's not a socket...? **
>>>
>>> I'm worried that the certs will expire and I won't know how to fix it. or where to even look. HELP*!*!
>>>
>>> I've seen several people posting already about certmonger not successfully tracking/renewing some certs so I'm a bit concerned especially since the CA_UNREACHABLE error.
>>>
>>> How do I fix this:
>>>
>>> 1) manually generate new certs and wth do I put them?
>>>
>>> 2) why is the CA_UNREACHABLE on a NSSDB ..? The files are there and intact. I can view the contents no prob.
>>>
>>> ============ getcert list output ============================
>>>
>>> Request ID '20190621200128':
>>>     status: CA_UNREACHABLE
>>>     ca-error: Internal error
>>>     stuck: no
>>>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set
>>>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
>>>     CA: dogtag-ipa-ca-renew-agent
>>>     issuer: CN=Certificate Authority,O=[SANITIZED DNS NAME]
>>>     subject: CN=CA Audit,O=[SANITIZED DNS NAME]
>>>     expires: 2023-05-04 12:52:47 UTC
>>>     key usage: digitalSignature,nonRepudiation
>>>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>>     track: yes
>>>     auto-renew: yes
>>>
>>> Request ID '20190621200129':
>>>     status: CA_UNREACHABLE
>>>     ca-error: Internal error
>>>     stuck: no
>>>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set
>>>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
>>>     CA: dogtag-ipa-ca-renew-agent
>>>     issuer: CN=Certificate Authority,O=[SANITIZED DNS NAME]
>>>     subject: CN=OCSP Subsystem,O=[SANITIZED DNS NAME]
>>>     expires: 2023-05-04 12:53:17 UTC
>>>     eku: id-kp-OCSPSigning
>>>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>>     track: yes
>>>     auto-renew: yes
>>>
>>> ===================================================================================================================================
>>>
>>> _______________________________________________
>>> FreeIPA-users mailing list -- [email protected]
>>> To unsubscribe send an email to [email protected]
>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
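The procedure in Flo's reply (confirm the CA answers with ipa cert-show, then resubmit the CA_UNREACHABLE requests one at a time and wait for each to reach MONITORING), written out as an added shell example. This is not code from the thread or from the FreeIPA project. It parses the `getcert list` format shown in the thread to pick out the affected request IDs, so that step does not depend on reading the output by eye. The function names, the embedded sample (the third request ID '20190621200199' and its MONITORING status are constructed; the two CA_UNREACHABLE entries reuse the IDs and nicknames posted above) and the 600-second timeout are this example's own assumptions. Only the parsing runs offline; the driver needs a real IPA server and is gated behind RUN_RENEWAL=1.

```shell
#!/bin/sh
# Added example (not from the thread): find CA_UNREACHABLE certmonger requests in
# `getcert list` output and drive the check / resubmit / wait procedure.

# Constructed sample in the shape of the thread's `getcert list` output.
# Entries 1 and 2 reuse the thread's IDs and nicknames; entry 3 is constructed
# (ID and status) so a healthy request is present to be skipped.
SAMPLE_GETCERT_LIST=$(cat <<'EOF'
Request ID '20190621200128':
        status: CA_UNREACHABLE
        ca-error: Internal error
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2023-05-04 12:52:47 UTC
Request ID '20190621200129':
        status: CA_UNREACHABLE
        ca-error: Internal error
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2023-05-04 12:53:17 UTC
Request ID '20190621200199':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
EOF
)

# Print "<request id> <nickname>" for every request whose status is CA_UNREACHABLE.
# $1 is the text of `getcert list`. The nickname comes from the certificate: line.
unreachable_requests() {
    printf '%s\n' "$1" | awk '
        BEGIN { q = "\047" }                       # single-quote character
        function flush() { if (id != "" && st == "CA_UNREACHABLE") print id, nick }
        /^Request ID / { flush(); id = $3; gsub(q, "", id); sub(/:$/, "", id); st = ""; nick = "" }
        /^[ \t]*status: / { st = $2 }
        /^[ \t]*certificate: / {
            n = index($0, "nickname=" q)           # "nickname=" + quote is 10 chars
            if (n) { rest = substr($0, n + 10); nick = substr(rest, 1, index(rest, q) - 1) }
        }
        END { flush() }'
}

# Print the status of request $1 found in the `getcert list` text $2 (empty if absent).
request_status() {
    printf '%s\n' "$2" | awk -v want="$1" '
        BEGIN { q = "\047" }
        /^Request ID / { id = $3; gsub(q, "", id); sub(/:$/, "", id) }
        /^[ \t]*status: / && id == want { print $2; exit }'
}

# Poll `getcert list -i <id>` until the request is back in MONITORING (renewal
# done) or lands in a state that needs a human; give up after $2 seconds.
# Assumed timeout and poll interval; real IPA host only.
wait_for_monitoring() {
    id=$1; deadline=$(( $(date +%s) + $2 ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        st=$(request_status "$id" "$(getcert list -i "$id")")
        case "$st" in
            MONITORING) return 0 ;;
            CA_UNREACHABLE|CA_REJECTED|NEED_GUIDANCE)
                echo "request $id ended in $st; check the journal (journalctl -u certmonger)" >&2
                return 1 ;;
        esac
        sleep 10
    done
    echo "timed out waiting for $id to reach MONITORING" >&2
    return 1
}

# The procedure from the reply: prove the CA is reachable, then resubmit the
# CA_UNREACHABLE requests strictly one after another.
renew_unreachable() {
    kinit admin || return 1
    if ! ipa cert-show 1 >/dev/null; then
        echo "PKI not reachable: put [global] debug=True in /etc/ipa/server.conf," \
             "run ipactl restart, rerun ipa cert-show 1 and read /var/log/httpd/error_log" >&2
        return 1
    fi
    for id in $(unreachable_requests "$(getcert list)" | cut -d' ' -f1); do
        echo "resubmitting request $id"
        getcert resubmit -i "$id" || return 1
        wait_for_monitoring "$id" 600 || return 1
    done
}

if [ "${RUN_RENEWAL:-0}" = 1 ]; then
    renew_unreachable
fi
```

Run with RUN_RENEWAL=1 as root on the IPA server; without it the script only defines the functions, so the parser can be exercised against the embedded sample (or against a saved copy of `getcert list`) on any machine. The one-at-a-time loop matters because the pre-save command stops pki-tomcatd; overlapping resubmits would race on the same NSS database.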
