5135.main - [27/Jan/2016:14:10:14 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
2003.main - [27/Jan/2016:14:35:33 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
2003.TP-Processor3 - [27/Jan/2016:14:35:40 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
2003.TP-Processor2 - [27/Jan/2016:14:35:40 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
2000.main - [28/Jan/2016:07:43:00 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
2000.TP-Processor2 - [28/Jan/2016:07:43:07 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
2000.TP-Processor3 - [28/Jan/2016:07:43:07 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
2085.main - [03/Feb/2016:08:57:05 EST] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
2085.TP-Processor2 - [27/Jan/2016:14:05:03 EST] [20] [3] Servlet caDisplayBySerial: The CA chain is missing or could not be obtained from the remote Certificate Manager or Registration Manager. The remote server could be down.
On Mon, May 16, 2016 at 11:45 AM, Adam Kaczka <[email protected]> wrote:
Certmonger cannot communicate with CA; the result of getcert list shows:
RPC failed at server. Certificate operation cannot be completed:
Unable to communicate with CMS (Not Found)
After setting time back, from /var/log/pki-ca/debug I get:
[30/Dec/2015:08:10:25][main]: CMS:Caught EBaseException
Certificate object not found
        at com.netscape.ca.SigningUnit.init(SigningUnit.java:190)
        at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1205)
        at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:260)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866)
        at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:316)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:153)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1530)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4425)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:4738)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526)
        at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041)
        at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277)
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
        at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
        at org.apache.catalina.core.StandardService.start(StandardService.java:516)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
[30/Dec/2015:08:10:25][main]: CMSEngine.shutdown()
[30/Dec/2015:08:10:32][http-9180-1]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
[30/Dec/2015:08:10:32][http-9180-1]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}.
[30/Dec/2015:08:10:33][TP-Processor2]: according to ccMode, authorization for servlet: caDisplayBySerial is LDAP based, not XML {1}, use default authz mgr: {2}.
[30/Dec/2015:08:10:33][TP-Processor3]: according to ccMode, authorization for servlet: caDisplayBySerial is LDAP based, not XML {1}, use default authz mgr: {2}.
On Mon, May 16, 2016 at 6:28 AM, Petr Vobornik <[email protected]> wrote:
On 05/14/2016 12:01 AM, Adam Kaczka wrote:
> Hi all,
>
> I have inherited an IPA system that has an expired cert and the old admins have
> left; I followed (http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) but
> running into errors when I try to renew the CA certs even after time is reset.
> Also tried the troubleshooting under
> (http://www.freeipa.org/page/Troubleshooting#Authentication_Errors);
> specifically using "certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt"
> to add the cert in the database.
>
> From the output of getcert list, I see both CA_UNREACHABLE and
> NEED_CSR_GEN_PIN. I followed the redhat article here
> (https://access.redhat.com/solutions/1142913) which verified the key file password
> is correct and I have reset time. However the NEED_CSR_GEN_PIN status remains.
> My company actually has redhat support but when they built this IPA whoever
> built it was using Centos 6 so I am out of luck here.
>
> Would really appreciate any help since I am stuck at this point. What else can I
> do at this point? e.g. Is generating a new CA cert necessary, etc.?
Hi,
you don't need to renew the CA cert, it seems to be valid. But your server
cert is expired. It expired on 2016-03-29.
1. Move date back before this date, e.g., 2016-03-27.
2. Verify that IPA is running: `ipactl status`. Maybe a restart will be needed.
3. run `getcert list` to see if certmonger can communicate with CA
4. if certmonger doesn't renew the certs automatically, run `getcert resubmit -i $certid` for the expired cert.
>
> Version:
> ipa-pki-ca-theme.noarch          9.0.3-7.el6                @base
> ipa-pki-common-theme.noarch      9.0.3-7.el6                @base
> ipa-pmincho-fonts.noarch         003.02-3.1.el6             @base
> ipa-python.x86_64                3.0.0-47.el6.centos.2      @updates
> ipa-server.x86_64                3.0.0-47.el6.centos.2      @updates
> ipa-server-selinux.x86_64        3.0.0-47.el6.centos.2      @updates
>
> Part of error logs from /var/log/pki-ca/debug after I reset clock; I see these
> errors which I think are relevant?:
> [27/Dec/2015:14:12:01][main]: SigningUnit init: debug
> org.mozilla.jss.crypto.ObjectNotFoundException
> Certificate object not found
> [27/Dec/2015:14:12:01][main]: CMS:Caught EBaseException
> Certificate object not found
> [27/Dec/2015:14:12:01][main]: CMSEngine.shutdown()
>
> Result seems to show key file password is correct:
> certutil -K -d /etc/dirsrv/slapd-REALM-NET/ -f /etc/dirsrv/slapd-REALM-NET/pwdfile.txt
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> < 0> rsa ############################ NSS Certificate DB:Server-Cert
>
>
> certutil -L -d /var/lib/pki-ca/alias
>
> Certificate Nickname                                 Trust Attributes
>                                                      SSL,S/MIME,JAR/XPI
>
> ocspSigningCert cert-pki-ca                          u,u,u
> subsystemCert cert-pki-ca                            u,u,u
> Server-Cert cert-pki-ca                              u,u,u
> auditSigningCert cert-pki-ca                         u,u,Pu
> caSigningCert cert-pki-ca                            CTu,Cu,Cu
>
>
> certutil -L -d /etc/httpd/alias
>
> Certificate Nickname                                 Trust Attributes
>                                                      SSL,S/MIME,JAR/XPI
>
> Server-Cert                                          u,u,u
> ipaCert                                              u,u,u
> REALM.COM IPA CA                                     CT,C,
>
>
> certutil -L -d /etc/dirsrv/slapd-REALM-COM
>
> Certificate Nickname                                 Trust Attributes
>                                                      SSL,S/MIME,JAR/XPI
>
> Server-Cert                                          u,u,u
> REALM.COM IPA CA                                     CT,C,C
>
>
> Output of getcert list:
>
> Number of certificates and requests being tracked: 7.
> Request ID '21135214223243':
>         status: CA_UNREACHABLE
>         ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-example-NET//pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=example.NET
>         subject: CN=host.example.net,O=example.NET
>         expires: 2016-03-29 14:09:46 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '21135214223300':
>         status: CA_UNREACHABLE
>         ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=example.NET
>         subject: CN=host.example.net,O=example.NET
>         expires: 2016-03-29 14:09:45 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> Request ID '20130519130741':
>         status: NEED_CSR_GEN_PIN
>         ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=auditSigningCert+cert-pki-ca&serial_num=61&renewal=true&xml=true".
>         stuck: yes
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=example.NET
>         subject: CN=CA Audit,O=example.NET
>         expires: 2017-10-13 14:10:49 UTC
>         key usage: digitalSignature,nonRepudiation
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20130519130742':
>         status: NEED_CSR_GEN_PIN
>         ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
>         stuck: yes
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=example.NET
>         subject: CN=OCSP Subsystem,O=example.NET
>         expires: 2017-10-13 14:09:49 UTC
>         eku: id-kp-OCSPSigning
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20130519130743':
>         status: NEED_CSR_GEN_PIN
>         ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
>         stuck: yes
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=example.NET
>         subject: CN=CA Subsystem,O=example.NET
>         expires: 2017-10-13 14:09:49 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20130519130744':
>         status: MONITORING
>         ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=example.NET
>         subject: CN=RA Subsystem,O=example.NET
>         expires: 2017-10-13 14:09:49 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>         track: yes
>         auto-renew: yes
> Request ID '20130519130745':
>         status: NEED_CSR_GEN_PIN
>         ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
>         stuck: yes
>         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=example.NET
>         subject: CN=host.example.net,O=example.NET
>         expires: 2017-10-13 14:09:49 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
>
>
> Regards, Adam
>
>
>
--
Petr Vobornik
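A worked version of the triage Petr describes (find the expired cert, pick a date before its expiry, then resubmit), added here as an example; it is not code from the thread, from FreeIPA or from certmonger. It parses `getcert list` text, reports which tracked certificates are already expired at a reference date, derives the clock-rollback date (the expiry minus a two-day margin, which reproduces the 2016-03-27 suggested above for the 2016-03-29 expiry), and maps each certmonger status to an action. The sample listing is constructed from three of the seven entries in the thread, with the mail wrapping undone and most fields dropped; `MAIL_DATE` (the date of the reply) is an arbitrary reference point, and the reading of NEED_CSR_GEN_PIN as "certmonger could not unlock the key to build the CSR" is this example's interpretation, not a statement from the thread.

```python
"""Triage `getcert list` output for the clock-rollback renewal.

Added example, not code from the thread or from FreeIPA/certmonger.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: three of the seven entries from the thread's
# listing, mail line-wrapping undone, most fields omitted.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '21135214223243':
        status: CA_UNREACHABLE
        ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: no
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=host.example.net,O=example.NET
        expires: 2016-03-29 14:09:46 UTC
Request ID '20130519130741':
        status: NEED_CSR_GEN_PIN
        ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=auditSigningCert+cert-pki-ca&serial_num=61&renewal=true&xml=true".
        stuck: yes
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        subject: CN=CA Audit,O=example.NET
        expires: 2017-10-13 14:10:49 UTC
Request ID '20130519130744':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        subject: CN=RA Subsystem,O=example.NET
        expires: 2017-10-13 14:09:49 UTC
"""

# Reference point for "now": the date of the reply in the thread (assumption).
MAIL_DATE = datetime(2016, 5, 16, tzinfo=timezone.utc)

ENTRY_RE = re.compile(r"^Request ID '([^']+)':$")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?):\s?(.*)$")   # "key: value", indented
NSSDB_RE = re.compile(r"location='([^']*)'.*?nickname='([^']*)'")


def parse_getcert_list(text):
    """One dict per tracked request; 'expires_at' is an aware datetime."""
    entries, current = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
            continue
        m = FIELD_RE.match(line) if current is not None else None
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        current[key] = value
        if key == "expires":
            current["expires_at"] = datetime.strptime(
                value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
        elif key == "certificate":
            n = NSSDB_RE.search(value)
            if n:
                current["location"], current["nickname"] = n.group(1), n.group(2)
    return entries


def expired(entries, now):
    """Requests whose certificate has already expired at `now`."""
    return [e for e in entries if "expires_at" in e and e["expires_at"] <= now]


def rollback_date(entries, now, margin_days=2):
    """Date to set the clock to so that every expired certificate is valid again."""
    dead = expired(entries, now)
    if not dead:
        return None
    return (min(e["expires_at"] for e in dead) - timedelta(days=margin_days)).date()


def triage(entries, now):
    """request id -> one-line action; an expired cert outranks the certmonger status."""
    actions = {}
    for e in entries:
        rid, status, nick = e["request_id"], e.get("status", "?"), e.get("nickname")
        if "expires_at" in e and e["expires_at"] <= now:
            actions[rid] = "EXPIRED %s: roll the clock back, then getcert resubmit -i %s" % (nick, rid)
        elif status == "NEED_CSR_GEN_PIN":   # interpretation, see lead-in
            actions[rid] = "STUCK %s: certmonger could not unlock the key, check the token PIN first" % nick
        elif status == "CA_UNREACHABLE":
            actions[rid] = "WAIT %s: CA not answering, retry once pki-cad is up" % nick
        elif status == "MONITORING":
            actions[rid] = "OK %s: valid until %s" % (nick, e.get("expires"))
        else:
            actions[rid] = "CHECK %s: status %s" % (nick, status)
    return actions
```

Run it against real output with `parse_getcert_list(subprocess.check_output(["getcert", "list"], text=True))` and `datetime.now(timezone.utc)` as `now`; on the listing above, `rollback_date` returns 2016-03-27 and only the two dirsrv Server-Cert requests are marked EXPIRED, which is the order of work in the reply: fix the clock, confirm the CA answers, then resubmit only those.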