I found from [root@host pki-ca]# tail -n 100 /var/log/pki-ca/system that the CA
chain is missing; so I am thinking I may have to use ipa-server-certinstall
to reinstall the two certs.

5135.main - [27/Jan/2016:14:10:14 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
2003.main - [27/Jan/2016:14:35:33 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
2003.TP-Processor3 - [27/Jan/2016:14:35:40 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
2003.TP-Processor2 - [27/Jan/2016:14:35:40 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
2000.main - [28/Jan/2016:07:43:00 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
2000.TP-Processor2 - [28/Jan/2016:07:43:07 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
2000.TP-Processor3 - [28/Jan/2016:07:43:07 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
2085.main - [03/Feb/2016:08:57:05 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
2085.TP-Processor2 - [27/Jan/2016:14:05:03 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.


On Mon, May 16, 2016 at 11:45 AM, Adam Kaczka <akaczk...@gmail.com> wrote:

> Certmonger cannot communicate with CA; the result of getcert list shows:
>
> RPC failed at server.  Certificate operation cannot be completed: Unable
> to communicate with CMS (Not Found)
>
> After setting time back, from /var/log/pki-ca/debug I get:
>
> [30/Dec/2015:08:10:25][main]: CMS:Caught EBaseException
> Certificate object not found
>         at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
>         at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1205)
>         at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
>         at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
>         at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
>         at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
>         at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
>         at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
>         at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
>         at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
>         at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
>         at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4425)
>         at org.apache.catalina.core.StandardContext.start(StandardContext.java:4738)
>         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
>         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
>         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
>         at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
>         at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
>         at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
>         at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
>         at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
>         at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
>         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
>         at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
>         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
>         at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
>         at org.apache.catalina.core.StandardService.start(StandardService.java:516)
>         at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
>         at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:606)
>         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
> [30/Dec/2015:08:10:25][main]: CMSEngine.shutdown()
> [30/Dec/2015:08:10:32][http-9180-1]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
> [30/Dec/2015:08:10:32][http-9180-1]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
> [30/Dec/2015:08:10:33][TP-Processor2]: according to ccMode, authorization for servlet: caDisplayBySerial is LDAP based, not XML {1}, use default authz mgr: {2}.
> [30/Dec/2015:08:10:33][TP-Processor3]: according to ccMode, authorization for servlet: caDisplayBySerial is LDAP based, not XML {1}, use default authz mgr: {2}.
>
>
> On Mon, May 16, 2016 at 6:28 AM, Petr Vobornik <pvobo...@redhat.com>
> wrote:
>
>> On 05/14/2016 12:01 AM, Adam Kaczka wrote:
>> > Hi all,
>> >
>> > I have inherited an IPA system that has an expired cert and the old
>> > admins have left; I followed
>> > (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but am
>> > running into errors when I try to renew the CA certs even after time
>> > is reset. Also tried the troubleshooting under
>> > (http://www.freeipa.org/page/Troubleshooting#Authentication_Errors);
>> > specifically using "certutil -L -d /etc/httpd/alias -n ipaCert -a >
>> > /tmp/ra.crt" to add the cert in the database.
>> >
>> > From the output of getcert list, I see both CA_UNREACHABLE and
>> > NEED_CSR_GEN_PIN.  I followed the Red Hat article here
>> > (https://access.redhat.com/solutions/1142913), which verified the key
>> > file password is correct, and I have reset time.  However the
>> > NEED_CSR_GEN_PIN status remains.  My company actually has Red Hat
>> > support, but whoever built this IPA was using CentOS 6, so I am out
>> > of luck here.
>> >
>> > Would really appreciate any help since I am stuck at this point.  What
>> > else can I do at this point?  e.g. Is generating a new CA cert
>> > necessary, etc.?
>>
>> Hi,
>>
>> You don't need to renew the CA cert; it seems to be valid. But your
>> server cert is expired. It expired on 2016-03-29.
>>
>> 1. Move the date back before this date, e.g., 2016-03-27.
>> 2. Verify that IPA is running with `ipactl status`. A restart may be
>> needed.
>> 3. Run `getcert list` to see if certmonger can communicate with the CA.
>> 4. If certmonger doesn't renew the certs automatically, run `getcert
>> resubmit -i $certid` for the expired cert.
>>
>> >
>> > Version:
>> > ipa-pki-ca-theme.noarch              9.0.3-7.el6               @base
>> > ipa-pki-common-theme.noarch          9.0.3-7.el6               @base
>> > ipa-pmincho-fonts.noarch             003.02-3.1.el6            @base
>> > ipa-python.x86_64                    3.0.0-47.el6.centos.2     @updates
>> > ipa-server.x86_64                    3.0.0-47.el6.centos.2     @updates
>> > ipa-server-selinux.x86_64            3.0.0-47.el6.centos.2     @updates
>> >
>> > Part of error logs from /var/log/pki-ca/debug after I reset clock; I
>> > see these errors which I think are relevant?:
>> > [27/Dec/2015:14:12:01][main]: SigningUnit init: debug
>> > org.mozilla.jss.crypto.ObjectNotFoundException
>> > Certificate object not found
>> > [27/Dec/2015:14:12:01][main]: CMS:Caught EBaseException
>> > Certificate object not found
>> > [27/Dec/2015:14:12:01][main]: CMSEngine.shutdown()
>> >
>> > Result seems to show key file password is correct:
>> > certutil -K -d /etc/dirsrv/slapd-REALM-NET/ -f /etc/dirsrv/slapd-REALM-NET/pwdfile.txt
>> > certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
>> > < 0> rsa      ############################   NSS Certificate DB:Server-Cert
>> >
>> >
>> > certutil -L -d /var/lib/pki-ca/alias
>> >
>> > Certificate Nickname                                         Trust Attributes
>> >                                                              SSL,S/MIME,JAR/XPI
>> >
>> > ocspSigningCert cert-pki-ca                                  u,u,u
>> > subsystemCert cert-pki-ca                                    u,u,u
>> > Server-Cert cert-pki-ca                                      u,u,u
>> > auditSigningCert cert-pki-ca                                 u,u,Pu
>> > caSigningCert cert-pki-ca                                    CTu,Cu,Cu
>> >
>> >
>> > certutil -L -d /etc/httpd/alias
>> >
>> > Certificate Nickname                                         Trust Attributes
>> >                                                              SSL,S/MIME,JAR/XPI
>> >
>> > Server-Cert                                                  u,u,u
>> > ipaCert                                                      u,u,u
>> > REALM.COM IPA CA                                             CT,C,
>> >
>> >
>> > certutil -L -d /etc/dirsrv/slapd-REALM-COM
>> >
>> > Certificate Nickname                                         Trust Attributes
>> >                                                              SSL,S/MIME,JAR/XPI
>> >
>> > Server-Cert                                                  u,u,u
>> > REALM.COM IPA CA                                             CT,C,C
>> >
>> >
>> > Output of getcert list:
>> >
>> > Number of certificates and requests being tracked: 7.
>> > Request ID '21135214223243':
>> >         status: CA_UNREACHABLE
>> >         ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-example-NET//pwdfile.txt'
>> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB'
>> >         CA: IPA
>> >         issuer: CN=Certificate Authority,O=example.NET
>> >         subject: CN=host.example.net,O=example.NET
>> >         expires: 2016-03-29 14:09:46 UTC
>> >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> >         eku: id-kp-serverAuth
>> >         pre-save command:
>> >         post-save command:
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '21135214223300':
>> >         status: CA_UNREACHABLE
>> >         ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>> >         CA: IPA
>> >         issuer: CN=Certificate Authority,O=example.NET
>> >         subject: CN=host.example.net,O=example.NET
>> >         expires: 2016-03-29 14:09:45 UTC
>> >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> >         eku: id-kp-serverAuth
>> >         pre-save command:
>> >         post-save command:
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20130519130741':
>> >         status: NEED_CSR_GEN_PIN
>> >         ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=auditSigningCert+cert-pki-ca&serial_num=61&renewal=true&xml=true".
>> >         stuck: yes
>> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>> >         CA: dogtag-ipa-renew-agent
>> >         issuer: CN=Certificate Authority,O=example.NET
>> >         subject: CN=CA Audit,O=example.NET
>> >         expires: 2017-10-13 14:10:49 UTC
>> >         key usage: digitalSignature,nonRepudiation
>> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20130519130742':
>> >         status: NEED_CSR_GEN_PIN
>> >         ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>> >         stuck: yes
>> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>> >         CA: dogtag-ipa-renew-agent
>> >         issuer: CN=Certificate Authority,O=example.NET
>> >         subject: CN=OCSP Subsystem,O=example.NET
>> >         expires: 2017-10-13 14:09:49 UTC
>> >         eku: id-kp-OCSPSigning
>> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20130519130743':
>> >         status: NEED_CSR_GEN_PIN
>> >         ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>> >         stuck: yes
>> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>> >         CA: dogtag-ipa-renew-agent
>> >         issuer: CN=Certificate Authority,O=example.NET
>> >         subject: CN=CA Subsystem,O=example.NET
>> >         expires: 2017-10-13 14:09:49 UTC
>> >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> >         eku: id-kp-serverAuth,id-kp-clientAuth
>> >         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> >         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20130519130744':
>> >         status: MONITORING
>> >         ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
>> >         stuck: no
>> >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>> >         CA: dogtag-ipa-renew-agent
>> >         issuer: CN=Certificate Authority,O=example.NET
>> >         subject: CN=RA Subsystem,O=example.NET
>> >         expires: 2017-10-13 14:09:49 UTC
>> >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> >         eku: id-kp-serverAuth,id-kp-clientAuth
>> >         pre-save command:
>> >         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>> >         track: yes
>> >         auto-renew: yes
>> > Request ID '20130519130745':
>> >         status: NEED_CSR_GEN_PIN
>> >         ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>> >         stuck: yes
>> >         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>> >         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>> >         CA: dogtag-ipa-renew-agent
>> >         issuer: CN=Certificate Authority,O=example.NET
>> >         subject: CN=host.example.net,O=example.NET
>> >         expires: 2017-10-13 14:09:49 UTC
>> >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> >         eku: id-kp-serverAuth,id-kp-clientAuth
>> >         pre-save command:
>> >         post-save command:
>> >         track: yes
>> >         auto-renew: yes
>> >
>> >
>> > Regards, Adam
>> >
>> >
>> >
>>
>>
>> --
>> Petr Vobornik
>>
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
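The triage that Petr's reply walks through by hand (read getcert list, find which certificate is already expired, pick a date to move the clock back to, then resubmit the expired request once the CA answers) can be done mechanically. The script below is an added example written for this thread; it is not code from the thread, from FreeIPA or from certmonger. It parses the text layout that getcert list prints, flags certificates that are expired relative to a reference date, lists stuck requests and CA_UNREACHABLE entries, and suggests the clock date for step 1. The SAMPLE input is constructed from the shape of the output quoted above (three of the seven requests, anonymised the same way); the two-day safety margin in suggest_clock_date is an assumption chosen to reproduce the 2016-03-27 suggestion in the thread.

```python
"""Triage helper for `getcert list` output on a FreeIPA server.

Added example (not from this thread, FreeIPA or certmonger). SAMPLE is
constructed to match the layout getcert prints; the two-day margin in
suggest_clock_date is an assumption matching the thread's example.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '21135214223243':
        status: CA_UNREACHABLE
        ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: no
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB'
        subject: CN=host.example.net,O=EXAMPLE.NET
        expires: 2016-03-29 14:09:46 UTC
Request ID '20130519130741':
        status: NEED_CSR_GEN_PIN
        ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true".
        stuck: yes
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        subject: CN=CA Audit,O=EXAMPLE.NET
        expires: 2017-10-13 14:10:49 UTC
Request ID '20130519130744':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        subject: CN=RA Subsystem,O=EXAMPLE.NET
        expires: 2017-10-13 14:09:49 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
NICK_RE = re.compile(r"nickname='([^']*)'")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_getcert_list(text):
    """One dict per tracked request, keyed by the field names getcert prints."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        match = REQUEST_RE.match(line)
        if match:
            current = {"id": match.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only: ca-error values contain URLs.
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return requests


def triage(requests, now):
    """Classify each request relative to `now` (naive UTC datetime)."""
    rows = []
    for req in requests:
        expires = datetime.strptime(req["expires"], EXPIRES_FMT)
        nick = NICK_RE.search(req.get("certificate", ""))
        rows.append({
            "id": req["id"],
            "nickname": nick.group(1) if nick else "?",
            "status": req.get("status", "?"),
            "stuck": req.get("stuck") == "yes",
            "expires": expires,
            "expired": expires < now,
        })
    return rows


def suggest_clock_date(rows, margin_days=2):
    """Earliest expiry minus a margin: the date to set the clock back to so
    every tracked certificate is valid again (step 1 in the thread)."""
    earliest = min(row["expires"] for row in rows)
    return (earliest - timedelta(days=margin_days)).date()


def summarize(text, now_utc):
    """Parse getcert output and return a triage summary; now_utc is YYYY-MM-DD."""
    rows = triage(parse_getcert_list(text), datetime.strptime(now_utc, "%Y-%m-%d"))
    return {
        "tracked": len(rows),
        "by_status": dict(Counter(row["status"] for row in rows)),
        "ca_unreachable": any(row["status"] == "CA_UNREACHABLE" for row in rows),
        "expired": [row["nickname"] for row in rows if row["expired"]],
        "stuck": [row["id"] for row in rows if row["stuck"]],
        # Step 4 in the thread: what to resubmit once certmonger reaches the CA.
        "resubmit": ["getcert resubmit -i " + row["id"] for row in rows if row["expired"]],
        "clock_date": suggest_clock_date(rows).isoformat(),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE, "2016-05-16"), indent=2))
```

Run it against real output with getcert list | python3 triage.py after replacing SAMPLE with sys.stdin.read(). The ca_unreachable flag is the important one here: as the thread's pki-ca log shows, the CA itself is failing to start because its signing certificate object is missing from the NSS database, so resubmitting or moving the clock will not help until that is repaired.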
