Hi,

On Fri, Sep 15, 2023 at 7:43 PM Russ Long via FreeIPA-users <
[email protected]> wrote:

> I have a single-server IPA environment in my homelab.  I noticed today
> that I was unable to delete a host from IPA, and found that pki-tomcatd was
> down and unable to start.
>
> I found that several certificates had expired for some reason.  I tried
> `ipa-cert-fix`, but that failed as pki-tomcat will not start.
>
> I attempted to set the server date/time to a date 24 hours before the
> certificates expired, and was able to get tomcat to start, however the
> `ipa-cert-fix` now fails with this error:
>
> CalledProcessError(Command ['pki-server', 'cert-fix', '--ldapi-socket',
> '/run/slapd-IPA-DOMAIN-CO.socket', '--agent-uid', 'ipara', '--cert',
> 'sslserver', '--cert', 'subsystem', '--cert', 'ca_ocsp_signing', '--cert',
> 'ca_audit_signing', '--extra-cert', '16'] returned non-zero exit status 1:
> "INFO: Loading instance type: pki-tomcatd\nINFO: Loading instance:
> pki-tomcat\nINFO: Loading global Tomcat config:
> /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config:
> /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config:
> /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config:
> /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config:
> /etc/pki/pki-tomcat/ca/CS.cfg\nINFO: Loading subsystem registry:
> /etc/pki/pki-tomcat/ca/registry.cfg\nINFO: Loading instance registry:
> /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: Fixing the following
> system certs: ['sslserver', 'subsystem', 'ca_ocsp_signing',
> 'ca_audit_signing']\nINFO: Renewing the following additional certs:
> ['16']\nINFO: Stopping the instance to proceed with system cert
> renewal\nINFO: Configuring LDAP connection for CA\nINFO: Setting pkidbuser
> password via ldappasswd\nSASL/EXTERNAL authentication started\nSASL
> username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL
> SSF: 0\n")
>
>
Mixing the ipa-cert-fix method with date manipulation often leads to more
issues if ipa-cert-fix was able to fix some of the certs but not all of
them (the first execution creates a cert valid from the present date only,
and as soon as you go back in the past this cert is not considered valid yet).

To provide any advice we would need to have an exact description of the
current situation. Can you provide the output of "getcert list" executed as
root? This will show the "valid from" and "valid to" dates for each
certificate. Is your system still in the past or did you move back to
current date?

> I reviewed the blog at
> https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
> (Thanks Flo!) but was still unable to get anything working.  The
> Certificate password test fails with these errors:
>
> [root@master ca]# certutil -K -d /etc/pki/pki-tomcat/alias -f
> /tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca'
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private
> Key and Certificate Services"
> certutil: problem listing keys: SEC_ERROR_INVALID_ARGS: security library:
> invalid arguments.
> [root@master ca]# certutil -K -d /etc/pki/pki-tomcat/alias -f
> /tmp/pwdfile.txt -n 'NSS Certificate DB: subsystemCert cert-pki-ca'
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private
> Key and Certificate Services"
> certutil: problem listing keys: SEC_ERROR_INVALID_ARGS: security library:
> invalid arguments.
>
If you run the same command without -n <alias>, you should be able to see
all the keys stored in the NSS database:
# certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt
Is there an entry for something like 'subsystemCert cert-pki-ca'?
flo

> Any ideas what I can try?
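Added example (not part of this thread, and not FreeIPA's or certmonger's own code): a small Python script that classifies the certificates in "getcert list" output against a chosen reference date, to make the point above concrete: a cert issued at the real date becomes "not yet valid" as soon as the clock is rolled back, while the old expired one looks fine again. It assumes certmonger prints "issued:" and "expires:" lines as "YYYY-MM-DD HH:MM:SS UTC"; the sample output and dates are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on `getcert list` output; not captured from a real host.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20230101000001':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tissued: 2021-09-10 10:00:00 UTC
\texpires: 2023-09-10 10:00:00 UTC
Request ID '20230101000002':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
\tissued: 2023-09-15 18:00:00 UTC
\texpires: 2025-09-15 18:00:00 UTC
Request ID '20230101000003':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\tissued: 2022-01-01 00:00:00 UTC
\texpires: 2024-01-01 00:00:00 UTC
"""

# Two reference clocks: the real date, and a clock rolled back before the oldest expiry.
TODAY = datetime(2023, 9, 15, 19, 0, tzinfo=timezone.utc)
ROLLED_BACK = datetime(2023, 9, 9, 10, 0, tzinfo=timezone.utc)


def _parse_date(value):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' (assumed format) into an aware datetime."""
    if not value:
        return None
    return datetime.strptime(value.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_getcert(text):
    """Split `getcert list` output into one dict per request (nickname, issued, expires)."""
    certs = []
    for block in re.split(r"^Request ID ", text, flags=re.M)[1:]:
        fields = dict(re.findall(r"^\t(\w+): (.*)$", block, flags=re.M))
        nick = re.search(r"nickname='([^']*)'", fields.get("certificate", ""))
        certs.append({"nickname": nick.group(1) if nick else "?",
                      "issued": _parse_date(fields.get("issued")),
                      "expires": _parse_date(fields.get("expires"))})
    return certs


def classify(cert, now):
    """A cert is only usable when `now` lies inside [issued, expires]."""
    if cert["issued"] and now < cert["issued"]:
        return "NOT_YET_VALID"
    if cert["expires"] and now > cert["expires"]:
        return "EXPIRED"
    return "VALID"


def report(text, now):
    """Map each tracked nickname to its validity state at time `now`."""
    return {c["nickname"]: classify(c, now) for c in parse_getcert(text)}


if __name__ == "__main__":
    for label, now in (("today", TODAY), ("rolled back", ROLLED_BACK)):
        print(label, report(SAMPLE, now))
```

Run against real output with `getcert list | python3 this_script.py`-style plumbing only after adapting the field names to what your certmonger version prints.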
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
