Adam Kaczka wrote:
I found from `[root@host pki-ca]# tail -n 100 /var/log/pki-ca/system` that
the CA chain is missing; so I am thinking I may have to use
ipa-server-certinstall to reinstall the two certs.


I really doubt it. I'm not sure what can't be found, maybe one of the dogtag devs has an idea.



5135.main - [27/Jan/2016:14:10:14 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
2003.main - [27/Jan/2016:14:35:33 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
2003.TP-Processor3 - [27/Jan/2016:14:35:40 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
2003.TP-Processor2 - [27/Jan/2016:14:35:40 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
2000.main - [28/Jan/2016:07:43:00 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
2000.TP-Processor2 - [28/Jan/2016:07:43:07 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
2000.TP-Processor3 - [28/Jan/2016:07:43:07 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
2085.main - [03/Feb/2016:08:57:05 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
2085.TP-Processor2 - [27/Jan/2016:14:05:03 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.


On Mon, May 16, 2016 at 11:45 AM, Adam Kaczka <akaczk...@gmail.com> wrote:

    Certmonger cannot communicate with the CA; the result of getcert list shows:

    RPC failed at server.  Certificate operation cannot be completed:
    Unable to communicate with CMS (Not Found)

    After setting time back, from /var/log/pki-ca/debug I get:

    [30/Dec/2015:08:10:25][main]: CMS:Caught EBaseException
    Certificate object not found
             at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
             at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1205)
             at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
             at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
             at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
             at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
             at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
             at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
             at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
             at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
             at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
             at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4425)
             at org.apache.catalina.core.StandardContext.start(StandardContext.java:4738)
             at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
             at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
             at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
             at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
             at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
             at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
             at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
             at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
             at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
             at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
             at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
             at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
             at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
             at org.apache.catalina.core.StandardService.start(StandardService.java:516)
             at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
             at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
             at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
             at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
             at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
             at java.lang.reflect.Method.invoke(Method.java:606)
             at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
             at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
    [30/Dec/2015:08:10:25][main]: CMSEngine.shutdown()
    [30/Dec/2015:08:10:32][http-9180-1]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
    [30/Dec/2015:08:10:32][http-9180-1]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
    [30/Dec/2015:08:10:33][TP-Processor2]: according to ccMode, authorization for servlet: caDisplayBySerial is LDAP based, not XML {1}, use default authz mgr: {2}.
    [30/Dec/2015:08:10:33][TP-Processor3]: according to ccMode, authorization for servlet: caDisplayBySerial is LDAP based, not XML {1}, use default authz mgr: {2}.


    On Mon, May 16, 2016 at 6:28 AM, Petr Vobornik <pvobo...@redhat.com> wrote:

        On 05/14/2016 12:01 AM, Adam Kaczka wrote:
        > Hi all,
        >
        > I have inherited an IPA system that has an expired cert and the old admins have
        > left; I followed (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but
        > am running into errors when I try to renew the CA certs even after time is reset.
        > Also tried the troubleshooting under
        > (http://www.freeipa.org/page/Troubleshooting#Authentication_Errors);
        > specifically using "certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt"
        > to add the cert in the database.
        >
        > From the output of getcert list, I see both CA_UNREACHABLE and
        > NEED_CSR_GEN_PIN. I followed the Red Hat article here
        > (https://access.redhat.com/solutions/1142913) which verified the key file password
        > is correct and I have reset time. However the NEED_CSR_GEN_PIN status remains.
        > My company actually has Red Hat support but when they built this IPA whoever
        > built it was using CentOS 6 so I am out of luck here.
        >
        > Would really appreciate any help since I am stuck at this point. What else
        > can I do at this point? e.g. Is generating a new CA cert necessary, etc.?

        Hi,

        you don't need to renew the CA cert; it seems to be valid. But your
        server cert is expired. It expired on 2016-03-29.

        1. Move the date back before this date, e.g., 2016-03-27.
        2. Verify that IPA is running: `ipactl status`. Maybe a restart
        will be needed.
        3. Run `getcert list` to see if certmonger can communicate with the CA.
        4. If certmonger doesn't renew the certs automatically, run `getcert
        resubmit -i $certid` for the expired cert.

        >
        > Version:
        > ipa-pki-ca-theme.noarch           9.0.3-7.el6              @base
        > ipa-pki-common-theme.noarch       9.0.3-7.el6              @base
        > ipa-pmincho-fonts.noarch          003.02-3.1.el6           @base
        > ipa-python.x86_64                 3.0.0-47.el6.centos.2    @updates
        > ipa-server.x86_64                 3.0.0-47.el6.centos.2    @updates
        > ipa-server-selinux.x86_64         3.0.0-47.el6.centos.2    @updates
        >
        > Part of error logs from /var/log/pki-ca/debug after I reset the clock; I see these
        > errors which I think are relevant?:
        > [27/Dec/2015:14:12:01][main]: SigningUnit init: debug
        > org.mozilla.jss.crypto.ObjectNotFoundException
        > Certificate object not found
        > [27/Dec/2015:14:12:01][main]: CMS:Caught EBaseException
        > Certificate object not found
        > [27/Dec/2015:14:12:01][main]: CMSEngine.shutdown()
        >
        > Result seems to show key file password is correct:
        > certutil -K -d /etc/dirsrv/slapd-REALM-NET/ -f /etc/dirsrv/slapd-REALM-NET/pwdfile.txt
        > certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
        > < 0> rsa      ############################   NSS Certificate DB:Server-Cert
         >
         >
        > certutil -L -d /var/lib/pki-ca/alias
        >
        > Certificate Nickname                                         Trust Attributes
        >                                                              SSL,S/MIME,JAR/XPI
        >
        > ocspSigningCert cert-pki-ca                                  u,u,u
        > subsystemCert cert-pki-ca                                    u,u,u
        > Server-Cert cert-pki-ca                                      u,u,u
        > auditSigningCert cert-pki-ca                                 u,u,Pu
        > caSigningCert cert-pki-ca                                    CTu,Cu,Cu
        >
        >
        > certutil -L -d /etc/httpd/alias
        >
        > Certificate Nickname                                         Trust Attributes
        >                                                              SSL,S/MIME,JAR/XPI
        >
        > Server-Cert                                                  u,u,u
        > ipaCert                                                      u,u,u
        > REALM.COM IPA CA                                             CT,C,
        >
        >
        > certutil -L -d /etc/dirsrv/slapd-REALM-COM
        >
        > Certificate Nickname                                         Trust Attributes
        >                                                              SSL,S/MIME,JAR/XPI
        >
        > Server-Cert                                                  u,u,u
        > REALM.COM IPA CA                                             CT,C,C
        >
        >
        > Output of getcert list:
        >
        > Number of certificates and requests being tracked: 7.
        > Request ID '21135214223243':
        >          status: CA_UNREACHABLE
        >          ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        >          stuck: no
        >          key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-example-NET//pwdfile.txt'
        >          certificate: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB'
        >          CA: IPA
        >          issuer: CN=Certificate Authority,O=example.NET
        >          subject: CN=host.example.net,O=example.NET
        >          expires: 2016-03-29 14:09:46 UTC
        >          key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        >          eku: id-kp-serverAuth
        >          pre-save command:
        >          post-save command:
        >          track: yes
        >          auto-renew: yes
        > Request ID '21135214223300':
        >          status: CA_UNREACHABLE
        >          ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        >          stuck: no
        >          key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
        >          certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        >          CA: IPA
        >          issuer: CN=Certificate Authority,O=example.NET
        >          subject: CN=host.example.net,O=example.NET
        >          expires: 2016-03-29 14:09:45 UTC
        >          key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        >          eku: id-kp-serverAuth
        >          pre-save command:
        >          post-save command:
        >          track: yes
        >          auto-renew: yes
        > Request ID '20130519130741':
        >          status: NEED_CSR_GEN_PIN
        >          ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=auditSigningCert+cert-pki-ca&serial_num=61&renewal=true&xml=true".
        >          stuck: yes
        >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        >          CA: dogtag-ipa-renew-agent
        >          issuer: CN=Certificate Authority,O=example.NET
        >          subject: CN=CA Audit,O=example.NET
        >          expires: 2017-10-13 14:10:49 UTC
        >          key usage: digitalSignature,nonRepudiation
        >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        >          track: yes
        >          auto-renew: yes
        > Request ID '20130519130742':
        >          status: NEED_CSR_GEN_PIN
        >          ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
        >          stuck: yes
        >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        >          CA: dogtag-ipa-renew-agent
        >          issuer: CN=Certificate Authority,O=example.NET
        >          subject: CN=OCSP Subsystem,O=example.NET
        >          expires: 2017-10-13 14:09:49 UTC
        >          eku: id-kp-OCSPSigning
        >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        >          track: yes
        >          auto-renew: yes
        > Request ID '20130519130743':
        >          status: NEED_CSR_GEN_PIN
        >          ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
        >          stuck: yes
        >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        >          CA: dogtag-ipa-renew-agent
        >          issuer: CN=Certificate Authority,O=example.NET
        >          subject: CN=CA Subsystem,O=example.NET
        >          expires: 2017-10-13 14:09:49 UTC
        >          key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        >          eku: id-kp-serverAuth,id-kp-clientAuth
        >          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        >          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        >          track: yes
        >          auto-renew: yes
        > Request ID '20130519130744':
        >          status: MONITORING
        >          ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
        >          stuck: no
        >          key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        >          certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        >          CA: dogtag-ipa-renew-agent
        >          issuer: CN=Certificate Authority,O=example.NET
        >          subject: CN=RA Subsystem,O=example.NET
        >          expires: 2017-10-13 14:09:49 UTC
        >          key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        >          eku: id-kp-serverAuth,id-kp-clientAuth
        >          pre-save command:
        >          post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        >          track: yes
        >          auto-renew: yes
        > Request ID '20130519130745':
        >          status: NEED_CSR_GEN_PIN
        >          ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
        >          stuck: yes
        >          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        >          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        >          CA: dogtag-ipa-renew-agent
        >          issuer: CN=Certificate Authority,O=example.NET
        >          subject: CN=host.example.net,O=example.NET
        >          expires: 2017-10-13 14:09:49 UTC
        >          key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        >          eku: id-kp-serverAuth,id-kp-clientAuth
        >          pre-save command:
        >          post-save command:
        >          track: yes
        >          auto-renew: yes
         >
         >
         > Regards, Adam
         >
         >
         >


        --
        Petr Vobornik






--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
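Petr's four steps (move the clock back before the expiry, check `ipactl status`, run `getcert list`, `getcert resubmit` the expired request), as an added example that is not part of the thread and not FreeIPA's own tooling: a small POSIX shell script that reads a `getcert list` listing on stdin, picks out every tracked request whose status is not MONITORING, takes the earliest of their expiry dates and computes the date two days before it (Petr's 2016-03-27 for a 2016-03-29 expiry), and prints the commands to review before typing them. The listing embedded below is constructed from the thread's output and trimmed to three requests; `date -s` is an assumption (GNU date) and is only printed, never run.

```shell
#!/bin/sh
# Added example, not from the thread: triage a `getcert list` listing before
# following the clock-rollback renewal steps. Nothing here changes the system;
# the plan is printed for review. The sample listing is constructed from the
# thread's output, trimmed to three requests.

sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '21135214223243':
        status: CA_UNREACHABLE
        ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-example-NET//pwdfile.txt'
        CA: IPA
        subject: CN=host.example.net,O=example.NET
        expires: 2016-03-29 14:09:46 UTC
Request ID '20130519130741':
        status: NEED_CSR_GEN_PIN
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        CA: dogtag-ipa-renew-agent
        subject: CN=CA Audit,O=example.NET
        expires: 2017-10-13 14:10:49 UTC
Request ID '20130519130744':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        CA: dogtag-ipa-renew-agent
        subject: CN=RA Subsystem,O=example.NET
        expires: 2017-10-13 14:09:49 UTC
EOF
}

# Read a listing on stdin; print "<request-id> <status> <expiry-date>" for every
# request whose status is not MONITORING, i.e. one certmonger is not happy with.
unhealthy_requests() {
    awk '
        /^Request ID/ { id = substr($3, 2, length($3) - 3); status = "" }
        $1 == "status:"  { status = $2 }
        $1 == "expires:" { if (status != "MONITORING") print id, status, $2 }
    '
}

# Read a listing on stdin; print the earliest YYYY-MM-DD expiry among the
# unhealthy requests. The clock has to be set to a date before this one.
earliest_expiry() {
    unhealthy_requests | awk '{ print $3 }' | sort | head -n 1
}

# Print the YYYY-MM-DD date N days before the given one. Pure awk (Hinnant's
# days-from-civil / civil-from-days algorithm) so it needs no GNU `date -d`.
date_minus_days() {
    echo "$1" | awk -F- -v n="$2" '
        function days_from_civil(y, m, d,    era, yoe, doy, doe) {
            if (m <= 2) y--
            era = int(y / 400); yoe = y - era * 400
            doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
            doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
            return era * 146097 + doe - 719468
        }
        function civil_from_days(z,    era, doe, yoe, y, doy, mp, d, m) {
            z += 719468
            era = int(z / 146097); doe = z - era * 146097
            yoe = int((doe - int(doe / 1460) + int(doe / 36524) - int(doe / 146096)) / 365)
            y = yoe + era * 400
            doy = doe - (365 * yoe + int(yoe / 4) - int(yoe / 100))
            mp = int((5 * doy + 2) / 153)
            d = doy - int((153 * mp + 2) / 5) + 1
            m = mp + (mp < 10 ? 3 : -9)
            if (m <= 2) y++
            return sprintf("%04d-%02d-%02d", y, m, d)
        }
        { print civil_from_days(days_from_civil($1 + 0, $2 + 0, $3 + 0) - n) }
    '
}

# Read a listing on stdin; print the four steps from the thread as commands to
# review. `date -s` is an assumption (GNU date). Stop any NTP daemon before
# running it, or the clock will be corrected forward again.
renewal_plan() {
    listing=$(cat)
    rollback=$(printf '%s\n' "$listing" | earliest_expiry)
    [ -n "$rollback" ] || { echo "# nothing to do: every request is MONITORING"; return 0; }
    rollback=$(date_minus_days "$rollback" 2)
    echo "date -s '$rollback 12:00:00'      # 1. clock before the earliest expiry"
    echo "ipactl status                     # 2. IPA must be up (restart if not)"
    echo "getcert list                      # 3. can certmonger reach the CA now?"
    printf '%s\n' "$listing" | unhealthy_requests | while read -r id status expires; do
        echo "getcert resubmit -i $id       # 4. was $status, expires $expires"
    done
}

sample_getcert_list | renewal_plan
```

On a live server replace the sample with `getcert list | renewal_plan`. The script only prints; the `date -s`, `ipactl` and `getcert resubmit` lines are for the admin to run by hand, one at a time, after checking that the request IDs match what `getcert list` reported.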
