Certmonger cannot communicate with CA; the result of getlist cert shows:

RPC failed at server.  Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)

After setting time back, from /var/log/pki-ca/debug I get:

[30/Dec/2015:08:10:25][main]: CMS:Caught EBaseException
Certificate object not found
        at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
        at
com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1205)
        at
com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
        at
com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
        at
com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
        at
com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
        at
org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
        at
org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
        at
org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4425)
        at
org.apache.catalina.core.StandardContext.start(StandardContext.java:4738)
        at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
        at
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
        at
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
        at
org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
        at
org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
        at
org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
        at
org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
        at
org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
        at
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
        at
org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
        at
org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
        at
org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
        at
org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
        at
org.apache.catalina.core.StandardService.start(StandardService.java:516)
        at
org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
[30/Dec/2015:08:10:25][main]: CMSEngine.shutdown()
[30/Dec/2015:08:10:32][http-9180-1]: according to ccMode, authorization for
servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr:
{2}.
[30/Dec/2015:08:10:32][http-9180-1]: according to ccMode, authorization for
servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr:
{2}.
[30/Dec/2015:08:10:33][TP-Processor2]: according to ccMode, authorization
for servlet: caDisplayBySerial is LDAP based, not XML {1}, use default
authz mgr: {2}.
[30/Dec/2015:08:10:33][TP-Processor3]: according to ccMode, authorization
for servlet: caDisplayBySerial is LDAP based, not XML {1}, use default
authz mgr: {2}.


On Mon, May 16, 2016 at 6:28 AM, Petr Vobornik <pvobo...@redhat.com> wrote:

> On 05/14/2016 12:01 AM, Adam Kaczka wrote:
> > Hi all,
> >
> > I have inherited a IPA system that has an expired cert and the old
> admins have
> > left; I followed (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal)
> but
> > running into errors when I try to renew the CA certs even after time is
> reset.
> > Also tried the troubleshooting under
> > (http://www.freeipa.org/page/Troubleshooting#Authentication_Errors);
> > specifically using "certutil -L -d /etc/httpd/alias -n ipaCert -a >
> /tmp/ra.crt"
> > to add the cert in the database.
> >
> >  From the output of getcert list, I see both CA_UNREACHABLE and
> > NEED_CSR_GEN_PIN.  I followed redhat article here
> > (https://access.redhat.com/solutions/1142913) which verified key file
> password
> > is correct and I have reset time.  However the NEED_CSR_GEN_PIN status
> remains.
> > My company actually has redhat support but when they built this IPA
> whoever
> > built it was using Centos 6 so I am out of luck here.
> >
> > Would really appreciate any help since I am stuck at this point?  What
> else I
> > can do at this point?  e.g. Is generate a new CA cert necessary, etc.?
>
> Hi,
>
> you don't need to renew CA cert, it seems to be valid. But your server
> cert is expired. It expired on 2016-03-29.
>
> 1. Move date back before this date, e.g., 2016-03-27.
> 2. Verify that IPA is running `ipactl status`. Maybe restart will be
> needed.
> 3. run `getcert list` to see if certmonger can communicate with CA
> 4. if certmonger doesn't renew the certs automatically, run `getcert
> resubmit -i $certid` for the expired cert.
>
> >
> > Version:
> > ipa-pki-ca-theme.noarch                    9.0.3-7.el6
>       @base
> > ipa-pki-common-theme.noarch          9.0.3-7.el6
> @base
> > ipa-pmincho-fonts.noarch             003.02-3.1.el6
>  @base
> > ipa-python.x86_64                    3.0.0-47.el6.centos.2
> @updates
> > ipa-server.x86_64                    3.0.0-47.el6.centos.2
> @updates
> > ipa-server-selinux.x86_64            3.0.0-47.el6.centos.2
> @updates
> >
> > Part of error logs from /var/log/pki-ca/debug after I reset clock; I see
> these
> > errors which I think is relevlant?:
> > [27/Dec/2015:14:12:01][main]: SigningUnit init: debug
> > org.mozilla.jss.crypto.ObjectNotFoundException
> > Certificate object not found
> > [27/Dec/2015:14:12:01][main]: CMS:Caught EBaseException
> > Certificate object not found
> > [27/Dec/2015:14:12:01][main]: CMSEngine.shutdown()
> >
> > Result seems to show key file password is correct:
> > certutil -K -d /etc/dirsrv/slapd-REALM-NET/ -f
> > /etc/dirsrv/slapd-REALM-NET/pwdfile.txt
> > certutil: Checking token "NSS Certificate DB" in slot "NSS User Private
> Key and
> > Certificate Services"
> > < 0> rsa      ############################   NSS Certificate
> DB:Server-Cert
> >
> >
> > certutil -L -d /var/lib/pki-ca/alias
> >
> > Certificate Nickname                                         Trust
> Attributes
> >
>  SSL,S/MIME,JAR/XPI
> >
> > ocspSigningCert cert-pki-ca                                  u,u,u
> > subsystemCert cert-pki-ca                                    u,u,u
> > Server-Cert cert-pki-ca                                         u,u,u
> > auditSigningCert cert-pki-ca                                 u,u,Pu
> > caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> >
> >
> > certutil -L -d /etc/httpd/alias
> >
> > Certificate Nickname                                         Trust
> Attributes
> >
>  SSL,S/MIME,JAR/XPI
> >
> > Server-Cert                                                      u,u,u
> > ipaCert                                                             u,u,u
> > REALM.COM <http://REALM.COM> IPA CA
>   CT,C,
> >
> >
> > certutil -L -d /etc/dirsrv/slapd-REALM-COM
> >
> > Certificate Nickname                                         Trust
> Attributes
> >
>  SSL,S/MIME,JAR/XPI
> >
> > Server-Cert
> u,u,u
> > REALM.COM <http://REALM.COM> IPA CA
>       CT,C,C
> >
> >
> > Output of getcert list:
> >
> > Number of certificates and requests being tracked: 7.
> > Request ID '21135214223243':
> >          status: CA_UNREACHABLE
> >          ca-error: Server at https://host.example.net/ipa/xml failed
> request,
> > will retry: 4301 (RPC failed at server.  Certificate oper
> > ation cannot be completed: Unable to communicate with CMS (Not Found)).
> >          stuck: no
> >          key pair storage:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS
> > Certificate DB',pinfil
> > e='/etc/dirsrv/slapd-example-NET//pwdfile.txt'
> >          certificate:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS
> > Certificate DB'
> >          CA: IPA
> >          issuer: CN=Certificate Authority,O=example.NET
> >          subject: CN=host.example.net <http://host.example.net
> >,O=example.NET
> >          expires: 2016-03-29 14:09:46 UTC
> >          key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >          eku: id-kp-serverAuth
> >          pre-save command:
> >          post-save command:
> >          track: yes
> >          auto-renew: yes
> > Request ID '21135214223300':
> >          status: CA_UNREACHABLE
> >          ca-error: Server at https://host.example.net/ipa/xml failed
> request,
> > will retry: 4301 (RPC failed at server.  Certificate oper
> > ation cannot be completed: Unable to communicate with CMS (Not Found)).
> >          stuck: no
> >          key pair storage:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate
> > DB',pinfile='
> > /etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
> >          certificate:
> >
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate
> > DB'
> >          CA: IPA
> >          issuer: CN=Certificate Authority,O=example.NET
> >          subject: CN=host.example.net <http://host.example.net
> >,O=example.NET
> >          expires: 2016-03-29 14:09:45 UTC
> >          key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >          eku: id-kp-serverAuth
> >          pre-save command:
> >          post-save command:
> >          track: yes
> >          auto-renew: yes
> > Request ID '20130519130741':
> >          status: NEED_CSR_GEN_PIN
> >          ca-error: Internal error: no response to
> > "
> http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=auditSigningCert+cert-
> > pki-ca&serial_num=61&renewal=true&xml=true".
> >          stuck: yes
> >          key pair storage:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> > cert-pki-ca',token='NSS Certificate
> > DB',pin set
> >          certificate:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
> > cert-pki-ca',token='NSS Certificate DB'
> >          CA: dogtag-ipa-renew-agent
> >          issuer: CN=Certificate Authority,O=example.NET
> >          subject: CN=CA Audit,O=example.NET
> >          expires: 2017-10-13 14:10:49 UTC
> >          key usage: digitalSignature,nonRepudiation
> >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> > "auditSigningCert cert-pki-ca"
> >          track: yes
> >          auto-renew: yes
> > Request ID '20130519130742':
> >          status: NEED_CSR_GEN_PIN
> >          ca-error: Internal error: no response to
> > "
> http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu
> > m=60&renewal=true&xml=true".
> >          stuck: yes
> >          key pair storage:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> > cert-pki-ca',token='NSS Certificate D
> > B',pin set
> >          certificate:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
> > cert-pki-ca',token='NSS Certificate DB'
> >          CA: dogtag-ipa-renew-agent
> >          issuer: CN=Certificate Authority,O=example.NET
> >          subject: CN=OCSP Subsystem,O=example.NET
> >          expires: 2017-10-13 14:09:49 UTC
> >          eku: id-kp-OCSPSigning
> >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> > "ocspSigningCert cert-pki-ca"
> >          track: yes
> >          auto-renew: yes
> > Request ID '20130519130743':
> >          status: NEED_CSR_GEN_PIN
> >          ca-error: Internal error: no response to
> > "
> http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu
> > m=62&renewal=true&xml=true".
> >          stuck: yes
> >          key pair storage:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> > cert-pki-ca',token='NSS Certificate DB'
> > ,pin set
> >          certificate:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
> > cert-pki-ca',token='NSS Certificate DB'
> >          CA: dogtag-ipa-renew-agent
> >          issuer: CN=Certificate Authority,O=example.NET
> >          subject: CN=CA Subsystem,O=example.NET
> >          expires: 2017-10-13 14:09:49 UTC
> >          key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >          eku: id-kp-serverAuth,id-kp-clientAuth
> >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
> >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
> > "subsystemCert cert-pki-ca"
> >          track: yes
> >          auto-renew: yes
> > Request ID '20130519130744':
> >          status: MONITORING
> >          ca-error: Internal error: no response to
> > "
> http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu
> > m=64&renewal=true&xml=true".
> >          stuck: no
> >          key pair storage:
> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate
> > DB',pinfile='/etc/httpd/al
> > ias/pwdfile.txt'
> >          certificate:
> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB'
> >          CA: dogtag-ipa-renew-agent
> >          issuer: CN=Certificate Authority,O=example.NET
> >          subject: CN=RA Subsystem,O=example.NET
> >          expires: 2017-10-13 14:09:49 UTC
> >          key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >          eku: id-kp-serverAuth,id-kp-clientAuth
> >          pre-save command:
> >          post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> >          track: yes
> >          auto-renew: yes
> > Request ID '20130519130745':
> >          status: NEED_CSR_GEN_PIN
> >          ca-error: Internal error: no response to
> > "
> http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu
> > m=63&renewal=true&xml=true".
> >          stuck: yes
> >          key pair storage:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> > cert-pki-ca',token='NSS Certificate DB',p
> > in set
> >          certificate:
> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
> > cert-pki-ca',token='NSS Certificate DB'
> >          CA: dogtag-ipa-renew-agent
> >          issuer: CN=Certificate Authority,O=example.NET
> >          subject: CN=host.example.net <http://host.example.net
> >,O=example.NET
> >          expires: 2017-10-13 14:09:49 UTC
> >          key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >          eku: id-kp-serverAuth,id-kp-clientAuth
> >          pre-save command:
> >          post-save command:
> >          track: yes
> >          auto-renew: yes
> >
> >
> > Regards, Adam
> >
> >
> >
>
>
> --
> Petr Vobornik
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to