Hi,
On Tue, Apr 2, 2024 at 8:50 PM Travis West via FreeIPA-users <[email protected]> wrote:
> Okay, I've generated new certs that don't have the extra space. Once
> those were imported to the NSS DB I also updated the CS.cfg with the new
> cert and certreq values for OCSP, Audit, and Subsystem.
> I also did an ldapsearch for the Subsystem certificate to make sure it
> matches. I then tried to run ipa-server-upgrade, but it failed.
>
> Tracking Requests:
>
> Request ID '20190322032031':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=IPA.****.NET
> subject: O=IPA.****.NET,CN=CA Subsystem
>
As Rob wrote, it's not a problem that getcert list, OpenSSL and the NSS
libraries show the subject in DN order (RFC 2253) or in reverse DN order, but
I find it suspect that issuer and subject have picked inconsistent orders.
In my f35 instance, getcert list shows the following:
issuer: CN=Certificate Authority,O=IPA.TEST
subject: CN=CA Subsystem,O=IPA.TEST
flo
> expires: 2034-03-31 17:57:15 UTC
> key usage: digitalSignature,nonRepudiation
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "subsystemCert cert-pki-ca"
> track: yes
> auto-renew: yes
>
> Request ID '20190322032030':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=IPA.****.NET
> subject: O=IPA.****.NET,CN=OCSP Subsystem
> expires: 2034-03-31 18:02:29 UTC
> key usage: digitalSignature,nonRepudiation
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "ocspSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
>
> Request ID '20190322032029':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=IPA.****.NET
> subject: O=IPA.****.NET,CN=CA Audit
> expires: 2034-03-31 18:00:11 UTC
> key usage: digitalSignature,nonRepudiation
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
>
> Subsystem in LDAP matches the NSS DB
>
> # ldapsearch -LLL -D 'cn=directory manager' -W -b
> uid=pkidbuser,ou=people,o=ipaca userCertificate description seeAlso
> Enter LDAP Password:
> dn: uid=pkidbuser,ou=people,o=ipaca
> userCertificate:: MIIDNjCCA...EyISxo3w==
> description: 2;4;CN=Certificate Authority,O=IPA.****.NET;CN=CA
> Subsystem,O=IPA.***.NET
> seeAlso: CN=CA Subsystem,O=IPA****.NET
>
> [root@ipa1-sea2 log]# certutil -L -d /etc/pki/pki-tomcat/alias -n
> 'subsystemCert cert-pki-ca' -a
> -----BEGIN CERTIFICATE-----
> MIIDNjCCA...EyISxo3w==
> -----END CERTIFICATE-----
> [root@ipa1-sea2 log]# certutil -L -d /etc/pki/pki-tomcat/alias -n
> 'subsystemCert cert-pki-ca' | grep Serial
> Serial Number: 4 (0x4)
>
> *note the Serial in LDAP is '4' while in the NSS DB it shows as 4 (0x4); not
> sure if this is the issue.
>
> Output of ipa-server-upgrade
>
> # ipa-server-upgrade
> Upgrading IPA:. Estimated time: 1 minute 30 seconds
> [1/11]: stopping directory server
> [2/11]: saving configuration
> [3/11]: disabling listeners
> [4/11]: enabling DS global lock
> [5/11]: disabling Schema Compat
> [6/11]: starting directory server
> [7/11]: updating schema
> [8/11]: upgrading server
> [9/11]: stopping directory server
> [10/11]: restoring configuration
> [11/11]: starting directory server
> Done.
> Update complete
> Upgrading IPA services
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> Publish directory already set to new location
> [Verifying that CA proxy configuration is correct]
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command
> ipa-server-upgrade manually.
> CA did not start in 300.0s
>
> Output in the /var/log/pki/pki-tomcat/ca/system log while the upgrade was
> running
>
> 2024-04-02T18:30:11Z DEBUG response body '<html><head><title>Apache
> Tomcat/7.0.76 - Error report</title><style><!--H1
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
> H2
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
> H3
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
> BODY
> {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}
> P
> {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A
> {color : black;}A.name {color : black;}HR {color : #525D76;}--></style>
> </head><body><h1>HTTP Status 500 - Subsystem unavailable</h1><HR size="1"
> noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b>
> <u>Subsystem unavailable</u></p><p><b>description</b> <u>The server
> encountered an internal error that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>javax.ws.rs.ServiceUnavailableException:
> Subsystem
> unavailable\n\tcom.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)\n\torg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:500)\n\torg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)\n\torg.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)\n\torg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)\n\torg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)\n\torg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)\n\torg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)\n\tjava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tjava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\torg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tjava.lang.Thread.run(Thread.java:748)\n</pre></p><p><b>note</b>
> <u>The full stack trace of the root cause is available in the Apache
> Tomcat/7.0.76 logs.</u></p><HR size="1" noshade="noshade"><h3>Apache
> Tomcat/7.0.76</h3></body></html>'
> 2024-04-02T18:30:11Z DEBUG The CA status is: check interrupted due to
> error: Retrieving CA status failed with status 500
> 2024-04-02T18:30:11Z DEBUG Waiting for CA to start...
> 2024-04-02T18:30:12Z DEBUG request POST http://ipa1-sea2.ipa.
> ****.net:8080/ca/admin/ca/getStatus
> 2024-04-02T18:30:12Z DEBUG request body ''
> 2024-04-02T18:30:12Z DEBUG response status 500
> 2024-04-02T18:30:12Z DEBUG response headers Server: Apache-Coyote/1.1
> Content-Type: text/html;charset=utf-8
> Content-Language: en
> Content-Length: 2208
> Date: Tue, 02 Apr 2024 18:30:12 GMT
> Connection: close
>
> 2024-04-02T18:30:12Z DEBUG The CA status is: check interrupted due to
> error: Retrieving CA status failed with status 500
> 2024-04-02T18:30:12Z DEBUG Waiting for CA to start...
>
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
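A script for the two cross-checks made in the thread (the subsystem cert's subject RDN order as recorded in LDAP versus what getcert reports, and the serial in the pkidbuser description attribute versus certutil), written as an added example and not part of the original mail. The DN and serial strings are constructed from the quoted output with the redacted domain replaced by IPA.EXAMPLE.NET, and the "version;serial;issuerDN;subjectDN" layout of the description attribute is taken as it appears in the quoted ldapsearch output.

```python
"""Cross-check the Dogtag subsystem cert record in LDAP against the NSS DB
view, RDN by RDN, to surface a reversed subject DN order such as the one
flagged in the thread.  Added example; sample values are constructed from
the quoted mail output with the redacted domain replaced by IPA.EXAMPLE.NET."""
import re

# Constructed sample input (mirrors the quoted getcert/ldapsearch/certutil output).
GETCERT_SUBJECT = "O=IPA.EXAMPLE.NET,CN=CA Subsystem"
LDAP_DESCRIPTION = ("2;4;CN=Certificate Authority,O=IPA.EXAMPLE.NET;"
                    "CN=CA Subsystem,O=IPA.EXAMPLE.NET")
CERTUTIL_SERIAL_LINE = "Serial Number: 4 (0x4)"


def split_dn(dn):
    """Split an RFC 2253 string DN into an ordered list of (type, value) pairs.
    Commas escaped with a backslash stay inside the value; types compare
    case-insensitively, values are compared as written."""
    rdns = [r for r in re.split(r"(?<!\\),", dn) if r]
    return [(a.strip().upper(), v.strip()) for a, _, v in
            (rdn.partition("=") for rdn in rdns)]


def parse_description(desc):
    """Parse Dogtag's 'version;serial;issuerDN;subjectDN' description value
    (layout as seen in the quoted ldapsearch output)."""
    version, serial, issuer, subject = desc.split(";", 3)
    return {"version": int(version), "serial": int(serial),
            "issuer": split_dn(issuer), "subject": split_dn(subject)}


def compare_dns(expected, actual):
    """'match' for identical RDN sequences, 'reversed' when the same RDNs appear
    in opposite order (the symptom in the thread), otherwise 'different'."""
    if expected == actual:
        return "match"
    if expected == list(reversed(actual)):
        return "reversed"
    return "different"


def check_subsystem_cert(description, getcert_subject, certutil_serial_line):
    """Return whether the serial agrees (decimal vs '4 (0x4)' is the same
    number) and how the subject order in LDAP relates to the NSS DB cert."""
    rec = parse_description(description)
    nss_serial = int(re.search(r"Serial Number:\s*(\d+)", certutil_serial_line).group(1))
    return {"serial_matches": rec["serial"] == nss_serial,
            "subject_order": compare_dns(rec["subject"], split_dn(getcert_subject))}


if __name__ == "__main__":
    print(check_subsystem_cert(LDAP_DESCRIPTION, GETCERT_SUBJECT, CERTUTIL_SERIAL_LINE))
```

Run against the constructed values it reports the serials as equal and the subject order as "reversed", which is the inconsistency the reply points at; a "match" on every tracked cert is what a healthy instance shows.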