Our FreeIPA CA cert (externally signed via a Microsoft AD CA) recently expired. Unfortunately, I didn't notice it until after it expired. After jumping through some hoops and some help from Florence's blog, I was able to get new certificates installed successfully (at least according to the ipa-cacert-manage and ipa-certupdate commands). However, at this point, pki-tomcat will not start and ipa-getcert and getcert don't really show what I would expect...
Oh - also, I should point out that I'm running on Oracle Linux 7.9 and FreeIPA VERSION: 4.6.8, API_VERSION: 2.237. Yes, I know I'm far from the latest out there, but until I can upgrade this server to a new OS, I'm kind of stuck... and unfortunately, my situation here is making upgrading the OS difficult, so please forgive me that I'm asking for assistance on such an old setup. Know that the goal is to upgrade, but that's not possible at this exact moment, so if I can fix this current setup to see me through until I can upgrade, that would be really good.

Any suggestions so we can get these certs installed properly and get pki-tomcat started would be appreciated!

When I run ipa-getcert list, I get the following (which is still showing the old cert):

    # ipa-getcert list
    Number of certificates and requests being tracked: 7.
    Request ID '20210201172924':
            status: NEED_TO_SUBMIT
            ca-error: Server at https://[hostname]/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://[hostname]:443/ca/rest/account/login': [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1826)).
            stuck: no
            key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
            certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
            CA: IPA
            issuer: CN=Certificate Authority,O=[DOMAIN]
            subject: CN=[hostname],O=[DOMAIN]
            expires: 2025-05-31 15:41:32 UTC
            principal name: krbtgt/[DOMAIN@DOMAIN]
            key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
            eku: id-kp-serverAuth,id-pkinit-KPKdc
            pre-save command:
            post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
            track: yes
            auto-renew: yes

And running getcert list returns mostly the old expired cert, but with one entry with the new cert:

    # getcert list | egrep "Request ID|status:|CA:|expires:"
    Request ID '20210201172746':
            status: CA_UNREACHABLE
            CA: dogtag-ipa-ca-renew-agent
            expires: 2025-05-31 15:41:32 UTC
    Request ID '20210201172819':
            status: MONITORING
            CA: dogtag-ipa-ca-renew-agent
            expires: 2025-05-31 15:41:32 UTC
    Request ID '20210201172820':
            status: MONITORING
            CA: dogtag-ipa-ca-renew-agent
            expires: 2025-05-31 15:41:32 UTC
    Request ID '20210201172821':
            status: MONITORING
            CA: dogtag-ipa-ca-renew-agent
            expires: 2025-05-31 15:41:32 UTC
    Request ID '20210201172822':
            status: MONITORING
            CA: dogtag-ipa-ca-renew-agent
            expires: 2027-06-09 13:26:26 UTC
    Request ID '20210201172823':
            status: MONITORING
            CA: dogtag-ipa-ca-renew-agent
            expires: 2025-05-31 15:41:32 UTC
    Request ID '20210201172924':
            status: CA_UNREACHABLE
            CA: IPA
            expires: 2025-05-31 15:41:32 UTC

I do see the following in /var/log/pki/pki-tomcat/ca/debug:

    Could not connect to LDAP server host [hostname] port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
    Internal Database Error encountered: Could not connect to LDAP server host [hostname] port 636 Error netscape.ldap.LDAPException: Authentication failed (48)

And /var/log/pki/pki-tomcat/localhost.[date].log gets tons of these:

    SEVERE: Exception Processing /ca/admin/ca/getStatus
    javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
            at com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)
            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
            at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
            at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
            at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
            at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
            at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
            at java.lang.Thread.run(Thread.java:750)
    SEVERE: Exception Processing /ca/ee/ca/profileSubmit
    javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
            at com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)
            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
            at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
            at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
            at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
            at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
            at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
            at java.lang.Thread.run(Thread.java:750)
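The failure mode in this post (a CA expiry nobody noticed until afterwards, followed by certmonger requests stuck in CA_UNREACHABLE or NEED_TO_SUBMIT) is exactly what a periodic check over `getcert list` output catches. The following is an added example, not code from the original post or from FreeIPA: it parses the `getcert list` text format quoted above and flags every tracked request that is not in MONITORING state or whose certificate is expired or inside a warning window; the embedded sample is constructed and its hostname is a placeholder.

```python
# Added example (not the poster's code): flag getcert requests that are not MONITORING, expired or expiring soon.
import re
from datetime import datetime, timedelta, timezone
# Constructed sample in the layout `getcert list` prints (hostname is a placeholder).
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20210201172746':
\tstatus: CA_UNREACHABLE
\texpires: 2025-05-31 15:41:32 UTC
Request ID '20210201172822':
\tstatus: MONITORING
\texpires: 2027-06-09 13:26:26 UTC
Request ID '20210201172924':
\tstatus: NEED_TO_SUBMIT
\tca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: 907
\texpires: 2025-05-31 15:41:32 UTC
"""
REQUEST_RE = re.compile(r"^Request ID '(?P<rid>[^']+)':")
FIELD_RE = re.compile(r"^\s+(?P<key>[a-z][a-z -]*): ?(?P<value>.*)$")

def parse_utc(stamp):
    """Parse the 'YYYY-MM-DD HH:MM:SS UTC' stamps getcert prints into aware datetimes."""
    naive = datetime.strptime(stamp.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)

def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the field names getcert prints."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group("rid")}
            requests.append(current)
        elif current is not None and (m := FIELD_RE.match(line)):
            current[m.group("key")] = m.group("value").strip()
    return requests

def flag_requests(requests, now, warn_days=30):
    """Return (request_id, reason) pairs; `now` is a timezone-aware datetime."""
    findings = []
    for r in requests:
        if r.get("status") != "MONITORING":
            findings.append((r["request_id"], "status " + r.get("status", "unknown")))
        if "expires" in r:
            exp = parse_utc(r["expires"])
            if exp <= now:
                findings.append((r["request_id"], "expired"))
            elif exp - now <= timedelta(days=warn_days):
                findings.append((r["request_id"], "expires within %d days" % warn_days))
    return findings
```

Run from cron with the real `getcert list` output fed to `parse_getcert_list` and alert on a non-empty result; the same check applies to `ipa-getcert list`, which prints the same fields.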