Hi,

On Wed, Jun 18, 2025 at 5:32 PM Schrier, William (Contractor) via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Our FreeIPA CA cert (externally signed via a Microsoft AD CA) recently
> expired. Unfortunately, I didn’t notice it until after it expired. After
> jumping through some hoops and some help from Florence’s blog, I was able
> to get new certificates installed successfully (at least according to the
> ipa-cacert-manage and ipa-certupdate commands). However, at this point,
> pki-tomcat will not start and ipa-getcert and getcert don’t really show
> what I would expect…
>
> Oh – also, I should point out that I’m running on Oracle Linux 7.9 and
> FreeIPA VERSION: 4.6.8, API_VERSION: 2.237 – yes, I know I’m far from the
> latest out there, but until I can upgrade this server to a new OS, I’m kind
> of stuck… and unfortunately, my situation here is making upgrading the OS
> difficult, so please forgive me that I’m asking for assistance on such an
> old setup, but know that the goal is to upgrade, but that’s not possible at
> this exact moment, so if I can fix this current setup to see me through
> until I can upgrade, that would be really good.
>
> Any suggestions so we can get these certs installed properly and get
> pki-tomcat started would be appreciated!
>
> When I run ipa-getcert list, I get the following (which is still showing
> the old cert):
>
> # ipa-getcert list
>
> Number of certificates and requests being tracked: 7.
>
7 certificates are tracked, so I guess they are:
- certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
- certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
- certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
- certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
- certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
- certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
- certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'

And the following ones are not tracked: the HTTPd server cert (stored in
/etc/httpd/alias) and the LDAP server cert (stored in /etc/dirsrv/slapd-XXX).

You need to:
- check if they are still valid
- find their nickname using certutil -L -d /etc/dirsrv/slapd-IPA-TEST/ and
  certutil -L -d /etc/httpd/alias (usually it's Server-Cert but it may differ)

# certutil -L -d /etc/dirsrv/slapd-IPA-TEST/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA.TEST IPA CA                                              CT,C,C
Server-Cert                                                  u,u,u

- check if they are still valid:
  certutil -L -d /etc/dirsrv/slapd-IPA-TEST/ -n Server-Cert | grep -C2 "Validity:"

# certutil -L -d /etc/dirsrv/slapd-IPA-TEST/ -n Server-Cert | grep -C2 "Validity:"
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=IPA.TEST"
        Validity:
            Not Before: Tue Apr 08 09:27:53 2025
            Not After : Fri Apr 09 09:27:53 2027

- check if their issuer is known by IPA (it should be present in
  /etc/ipa/ca.crt and in the various NSS databases). If not, you need to add
  the whole chain with intermediate certs if any.
- when you are sure that the HTTPd and LDAP certs are good, restart IPA
  services with ipactl start --ignore-service-failures
- then we'll re-assess the situation and fix the other certs.

flo

> Request ID '20210201172924':
>
> status: NEED_TO_SUBMIT
>
> ca-error: Server at https://[hostname]/ipa/xml failed request,
> will retry: 907 (RPC failed at server. cannot connect to
> 'https://[hostname]:443/ca/rest/account/login':
> [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1826)).
>
> stuck: no
>
> key pair storage:
> type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
>
> certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
>
> CA: IPA
>
> issuer: CN=Certificate Authority,O=[DOMAIN]
>
> subject: CN=[hostname],O=[DOMAIN]
>
> expires: 2025-05-31 15:41:32 UTC
>
> principal name: krbtgt/[DOMAIN@DOMAIN]
> <krbtgt/peacecorps....@peacecorps.gov>
>
> key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>
> eku: id-kp-serverAuth,id-pkinit-KPKdc
>
> pre-save command:
>
> post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
>
> track: yes
>
> auto-renew: yes
>
> And running getcert list returns mostly the old expired cert, but with one
> entry with the new cert:
>
> # getcert list | egrep "Request ID|status:|CA:|expires:"
>
> Request ID '20210201172746':
> status: CA_UNREACHABLE
> CA: dogtag-ipa-ca-renew-agent
> expires: 2025-05-31 15:41:32 UTC
>
> Request ID '20210201172819':
> status: MONITORING
> CA: dogtag-ipa-ca-renew-agent
> expires: 2025-05-31 15:41:32 UTC
>
> Request ID '20210201172820':
> status: MONITORING
> CA: dogtag-ipa-ca-renew-agent
> expires: 2025-05-31 15:41:32 UTC
>
> Request ID '20210201172821':
> status: MONITORING
> CA: dogtag-ipa-ca-renew-agent
> expires: 2025-05-31 15:41:32 UTC
>
> Request ID '20210201172822':
> status: MONITORING
> CA: dogtag-ipa-ca-renew-agent
> expires: 2027-06-09 13:26:26 UTC
>
> Request ID '20210201172823':
> status: MONITORING
> CA: dogtag-ipa-ca-renew-agent
> expires: 2025-05-31 15:41:32 UTC
>
> Request ID '20210201172924':
> status: CA_UNREACHABLE
> CA: IPA
> expires: 2025-05-31 15:41:32 UTC
>
> I do see the following in /var/log/pki/pki-tomcat/ca/debug:
>
> Could not connect to LDAP server host [hostname] port 636 Error
> netscape.ldap.LDAPException: Authentication failed (48)
>
> Internal Database Error encountered: Could not connect to LDAP server host
> [hostname] port 636 Error netscape.ldap.LDAPException: Authentication
> failed (48)
>
> And /var/log/pki/pki-tomcat/localhost.[date].log gets tons of these:
>
> SEVERE: Exception Processing /ca/admin/ca/getStatus
> javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
>         at com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
>         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
>         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
>         at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>         at java.lang.Thread.run(Thread.java:750)
>
> SEVERE: Exception Processing /ca/ee/ca/profileSubmit
> javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
>         at com.netscape.cms.tomcat.ProxyRealm.findSecurityConstraints(ProxyRealm.java:145)
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
>         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
>         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
>         at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>         at java.lang.Thread.run(Thread.java:750)
>
> --
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
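The three checks in the reply above (find the nickname, confirm the cert has not expired, confirm its Issuer is a CA IPA knows) as an added shell example; this is not code from the thread or from the FreeIPA project. It parses the output of certutil -L -d <db> -n <nickname> rather than relying on GNU date -d, so it runs on a minimal EL7 shell. The sample certutil output, the hostname ipa.ipa.test and the "now" timestamps are constructed; the nicknames Server-Cert and 'IPA.TEST IPA CA' are the ones shown in the reply and may differ on your server.

```shell
#!/bin/sh
# Added example (not from the thread): validate a server cert in an NSS DB by
# reading `certutil -L -d <db> -n <nick>` output from stdin.

# month_num: map certutil's three-letter month name to two digits.
month_num() {
    case $1 in
        Jan) echo 01 ;; Feb) echo 02 ;; Mar) echo 03 ;; Apr) echo 04 ;;
        May) echo 05 ;; Jun) echo 06 ;; Jul) echo 07 ;; Aug) echo 08 ;;
        Sep) echo 09 ;; Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *) return 1 ;;
    esac
}

# time_key: turn certutil's 'Fri Apr 09 09:27:53 2027' (GMT) into the sortable
# key 20270409092753, so two timestamps compare with a plain -le.
time_key() {
    set -- $1                      # split on whitespace: DOW MON DD HH:MM:SS YYYY
    [ $# -eq 5 ] || return 1
    m=$(month_num "$2") || return 1
    case $3 in ?) d=0$3 ;; *) d=$3 ;; esac
    printf '%s%s%s%s\n' "$5" "$m" "$d" "$(printf '%s' "$4" | tr -d :)"
}

# cert_field: print the value of a "<Name>: <value>" line from certutil output
# on stdin, with surrounding double quotes removed. E.g. cert_field Issuer,
# cert_field Subject, cert_field 'Not After'.
cert_field() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*//p" \
        | sed 's/^"\(.*\)"$/\1/' | head -n 1
}

# cert_status: read certutil -L -n output on stdin. $1 is the expected issuer
# DN exactly as certutil prints the CA's Subject; $2 is an optional "now" key
# (default: current UTC time). Exit 0 only if unexpired AND issued by $1.
cert_status() {
    expected=$1
    now=${2:-$(date -u +%Y%m%d%H%M%S)}
    out=$(cat)
    na=$(printf '%s\n' "$out" | cert_field 'Not After')
    nak=$(time_key "$na") || { echo "UNKNOWN: no parsable 'Not After' line"; return 2; }
    iss=$(printf '%s\n' "$out" | cert_field Issuer)
    rc=0
    if [ "$nak" -le "$now" ]; then
        echo "EXPIRED: Not After $na"; rc=1
    else
        echo "VALID: Not After $na"
    fi
    if [ "$iss" = "$expected" ]; then
        echo "ISSUER OK: $iss"
    else
        echo "ISSUER MISMATCH: cert says '$iss', expected '$expected'" \
             "(add the CA chain to /etc/ipa/ca.crt and the NSS DBs)"; rc=1
    fi
    return $rc
}

# Constructed sample modelled on the certutil output in the reply; it is not
# output from the poster's server.
SAMPLE_LDAP_CERT='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12 (0xc)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=IPA.TEST"
        Validity:
            Not Before: Tue Apr 08 09:27:53 2025
            Not After : Fri Apr 09 09:27:53 2027
        Subject: "CN=ipa.ipa.test,O=IPA.TEST"'

# On a real server (nicknames may differ; list them with certutil -L -d <db>):
#   db=/etc/dirsrv/slapd-IPA-TEST
#   ca_dn=$(certutil -L -d "$db" -n 'IPA.TEST IPA CA' | cert_field Subject)
#   certutil -L -d "$db" -n Server-Cert | cert_status "$ca_dn"
#   certutil -L -d /etc/httpd/alias -n Server-Cert | cert_status "$ca_dn"
# Offline demo on the constructed sample:
printf '%s\n' "$SAMPLE_LDAP_CERT" | cert_status "CN=Certificate Authority,O=IPA.TEST" \
    || echo "check failed (exit $?)"
```

Run the two real commands for the LDAP and HTTPd databases; only when both print VALID and ISSUER OK does it make sense to run ipactl start --ignore-service-failures as the reply suggests. A mismatch means the cert was issued by a CA whose certificate (and any intermediates, relevant here because the IPA CA is itself signed by an AD CA) is missing from /etc/ipa/ca.crt and the NSS databases.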