mohammad sereshki wrote:
> hi
> I did some changes; now I get the below error when I open the HTTP service in
> the web interface


What changes did you do?

From a previous e-mail the problem is that the CA couldn't validate its own certificates. This is sometimes an issue with certificate trust. To look at it run:

# certutil -L -d /var/lib/pki-ca/alias

The auditSigningCert should have a trust of u,u,Pu. If it doesn't, you can fix it with:

# certutil -M -d /var/lib/pki-ca/alias -n 'auditSigningCert cert-pki-ca' -t u,u,Pu

Certificate operation cannot be completed: EXCEPTION (Certificate serial
number 0x276 not found)

Do you have other CA masters (if not you should, but do that once things are stable)?

rob
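The thread lands on two checks: whether the CA's own NSS database carries the expected trust flags (Rob's certutil commands above), and whether certmonger is actually tracking and renewing the certificates (Flo's ipa-getcert advice further down). The script below is an added example, not code from the thread or from the FreeIPA/certmonger projects. It parses the text output of those two commands so it can be run offline against output copied from a broken server. The auditSigningCert trust value is the one given in the thread; the other four entries in EXPECTED_TRUST are assumed typical values for a dogtag CA instance, and both sample outputs are constructed (the getcert one adapted and trimmed from the listing posted in the thread).

```python
"""Offline checks for the two things this thread inspects: certmonger's
tracking state (getcert list) and the trust flags in the dogtag CA's NSS
database (certutil -L -d /var/lib/pki-ca/alias).  Added example only."""
import re
from datetime import datetime, timedelta, timezone

# auditSigningCert is the value given in the thread; the other four are
# ASSUMED typical dogtag CA values and may differ on a given deployment.
EXPECTED_TRUST = {
    "caSigningCert cert-pki-ca": "CTu,Cu,Cu",
    "ocspSigningCert cert-pki-ca": "u,u,u",
    "subsystemCert cert-pki-ca": "u,u,u",
    "Server-Cert cert-pki-ca": "u,u,u",
    "auditSigningCert cert-pki-ca": "u,u,Pu",
}

# Constructed sample of certutil -L output in which the audit cert has lost
# its P flag, the condition the certutil -M command in the thread corrects.
SAMPLE_CERTUTIL = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,u
"""

# Constructed sample of getcert list output, trimmed and adapted from the
# listing posted in the thread (EXAMPLE.COM is a placeholder realm).
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 2.
Request ID '20140817123525':
        status: MONITORING
        ca-error: Unable to determine principal name for signing request.
        stuck: no
        expires: 2018-06-30 07:56:06 UTC
Request ID '20140817123752':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: yes
        expires: 2016-08-17 12:37:51 UTC
"""

# One certutil -L row: "<nickname>  <SSL>,<S/MIME>,<JAR/XPI>" in NSS flag letters.
_TRUST_LINE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[CTcPpu]*,[CTcPpu]*,[CTcPpu]*)\s*$")
_TS_FORMAT = "%Y-%m-%d %H:%M:%S UTC"  # timestamp format getcert prints


def parse_certutil_list(text):
    """Map nickname -> trust string; the header rows do not match the regex."""
    return {m.group("nick"): m.group("trust")
            for m in map(_TRUST_LINE.match, text.splitlines()) if m}


def check_trust_flags(certs, expected=EXPECTED_TRUST):
    """Return (nickname, actual, wanted) for each missing or mis-trusted cert."""
    return [(nick, certs.get(nick), want)
            for nick, want in expected.items() if certs.get(nick) != want]


def parse_getcert_list(text):
    """Split getcert list output into one dict per tracked request."""
    requests, current = [], None
    for raw in text.splitlines():
        m = re.match(r"^Request ID '([^']+)':", raw)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in raw:
            key, _, value = raw.strip().partition(":")  # ca-error values contain colons
            current[key] = value.strip()
    return requests


def _parse_ts(text):
    return datetime.strptime(text, _TS_FORMAT).replace(tzinfo=timezone.utc)


def check_tracking(requests, now=None, warn_days=30):
    """(request_id, kind, detail) for each request that is not MONITORING, reports a
    ca-error, is stuck, or expires within warn_days of now (getcert-style UTC string)."""
    horizon = (_parse_ts(now) if now else datetime.now(timezone.utc)) + timedelta(days=warn_days)
    problems = []
    for req in requests:
        rid, status = req["id"], req.get("status", "")
        if status != "MONITORING":
            problems.append((rid, "status", status))
        elif req.get("ca-error"):
            # Still tracked, but the last renewal attempt failed: worth a look.
            problems.append((rid, "ca-error", req["ca-error"]))
        if req.get("stuck") == "yes":
            problems.append((rid, "stuck", "yes"))
        if req.get("expires") and _parse_ts(req["expires"]) <= horizon:
            problems.append((rid, "expiring", req["expires"]))
    return problems


if __name__ == "__main__":
    # On a live server feed in the real output of "certutil -L -d
    # /var/lib/pki-ca/alias" and "getcert list" instead of the samples.
    for nick, got, want in check_trust_flags(parse_certutil_list(SAMPLE_CERTUTIL)):
        print("trust      %-30s got %-10s want %s" % (nick, got, want))
    for rid, kind, detail in check_tracking(parse_getcert_list(SAMPLE_GETCERT), now="2016-07-21 00:00:00 UTC"):
        print("certmonger %s: %s %s" % (rid, kind, detail))
```

Run as-is it reports the audit cert with u,u,u instead of u,u,Pu, the RA cert that is MONITORING but carries a ca-error, and the httpd Server-Cert that is CA_UNREACHABLE, stuck and inside the 30-day window. A request that is MONITORING but shows a ca-error is still worth chasing: certmonger will retry, but the message says why the last attempt failed. Compare the four assumed trust values against a healthy CA master before treating a mismatch as the fault.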



------------------------------------------------------------------------
*From:* freeipa-users-requ...@redhat.com
*To:* freeipa-users@redhat.com
*Sent:* Thursday, July 21, 2016 11:38 PM
*Subject:* Freeipa-users Digest, Vol 96, Issue 125


Today's Topics:

   1. Re: regenerate certificate (mohammad sereshki)


----------------------------------------------------------------------

Message: 1
Date: Thu, 21 Jul 2016 19:08:16 +0000 (UTC)
From: mohammad sereshki <mohammadseres...@yahoo.com>
To: Rob Crittenden <rcrit...@redhat.com>, Florence Blanc-Renaud <f...@redhat.com>, Freeipa-users <freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] regenerate certificate

and this is for catalina.out

SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1@39139da8]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
Jul 21, 2016 11:10:10 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1@39139da8]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9180
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9443
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9445
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9444
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9446
Exception in thread "Timer-0" java.lang.NullPointerException
        at com.netscape.certsrv.apps.CMS.getConfigStore(CMS.java:771)
        at com.netscape.cms.servlet.csadmin.LDAPSecurityDomainSessionTable.getSessionIds(LDAPSecurityDomainSessionTable.java:156)
        at com.netscape.cms.servlet.csadmin.SessionTimer.run(SessionTimer.java:33)
        at java.util.TimerThread.mainLoop(Timer.java:555)
        at java.util.TimerThread.run(Timer.java:505)
Jul 21, 2016 11:10:43 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
Jul 21, 2016 11:10:43 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9180
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by NSS. This is probably O.K. unless ECC support has been installed.



From: mohammad sereshki <mohammadseres...@yahoo.com>
To: Rob Crittenden <rcrit...@redhat.com>; Florence Blanc-Renaud <f...@redhat.com>; Freeipa-users <freeipa-users@redhat.com>
Sent: Thursday, July 21, 2016 11:36 PM
Subject: Re: [Freeipa-users] regenerate certificate

and below is for selftests.log

3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] CAPresence: CA is present
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SystemCertsVerification: system certs verification failure
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: Initializing self test plugins:
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] CAPresence: CA is present
1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SystemCertsVerification: system certs verification failure
1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!



From: mohammad sereshki <mohammadseres...@yahoo.com>
To: Rob Crittenden <rcrit...@redhat.com>; Florence Blanc-Renaud <f...@redhat.com>; Freeipa-users <freeipa-users@redhat.com>
Sent: Thursday, July 21, 2016 11:34 PM
Subject: Re: [Freeipa-users] regenerate certificate

hi
I find the below in the debug file under /var/log/pki-ca. What is your comment?

[21/Jul/2016:23:13:42][TP-Processor3]: according to ccMode, authorization for servlet: caDisplayBySerial is LDAP based, not XML {1}, use default authz mgr: {2}.
[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized before.
[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store initialized.
[21/Jul/2016:23:20:45][CertStatusUpdateThread]: About to start updateCertStatus
[21/Jul/2016:23:20:45][CertStatusUpdateThread]: Starting updateCertStatus (entered lock)



From: Rob Crittenden <rcrit...@redhat.com>
To: mohammad sereshki <mohammadseres...@yahoo.com>; Florence Blanc-Renaud <f...@redhat.com>; Freeipa-users <freeipa-users@redhat.com>
Sent: Thursday, July 21, 2016 11:21 PM
Subject: Re: [Freeipa-users] regenerate certificate

mohammad sereshki wrote:
 > hi
 > would you please explain more?

Your CA (dogtag) is not running. The CA is written in java and deployed
as a WAR in tomcat. If something goes wrong during initialization the CA
will exit but tomcat will not.

Requests to the CA are returning 404 Not Found because the application
is not running in dogtag.

You need to look at the logs in /var/log/pki-ca to see what is going on.

I'd start with selftests.log then move onto catalina.out and debug.

rob

 >
 >
 > ------------------------------------------------------------------------
 > *From:* Rob Crittenden <rcrit...@redhat.com>
 > *To:* mohammad sereshki <mohammadseres...@yahoo.com>; Florence Blanc-Renaud <f...@redhat.com>; Freeipa-users <freeipa-users@redhat.com>
 > *Sent:* Thursday, July 21, 2016 11:09 PM
 > *Subject:* Re: [Freeipa-users] regenerate certificate
 >
 > mohammad sereshki wrote:
 > > hi
 > > it is the result of the command; it seems the issue is another thing
 > >
 > >
 > >  ipa cert-show 1
 > > ipa: ERROR: Certificate operation cannot be completed: Unable to
 > > communicate with CMS (Not Found)
 >
 > Which means that the CA still isn't up. You're going to need to look at
 > the dogtag logs in /var/log/pki*. debug is probably the place to start.
 >
 > rob
 >
 > >
 > >
 > > ------------------------------------------------------------------------
 > > *From:* Rob Crittenden <rcrit...@redhat.com>
 > > *To:* mohammad sereshki <mohammadseres...@yahoo.com>; Florence Blanc-Renaud <f...@redhat.com>; Freeipa-users <freeipa-users@redhat.com>
 > > *Sent:* Thursday, July 21, 2016 8:08 PM
 > > *Subject:* Re: [Freeipa-users] regenerate certificate
 > >
 > > mohammad sereshki wrote:
 > > > dear
 > > > thanks, but would you please check below and let me know what is your
 > > > idea? I checked your command but it did not work.
 > >
 > > The Not Found suggests that the CA is not up. I'd try restarting the
 > > pki-cad process to see if that helps.
 > >
 > > A simple test that communication is working is: ipa cert-show 1
 > >
 > > The output isn't important as long as it isn't an error.
 > >
 > > rob
 > >
 > >
 >? >
 > > >
 > > >
 > > >
 > > > Number of certificates and requests being tracked: 8.
 > > > Request ID '20140817123525':
 > > >         status: MONITORING
 > > >         ca-error: Unable to determine principal name for signing request.
 > > >         stuck: no
 > > >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
 > > >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
 > > >         CA: IPA
 > > >         issuer: CN=Certificate Authority,O=EXAMPLE.COM
 > > >         subject: CN=IPA RA,O=EXAMPLE.COM
 > > >         expires: 2018-06-30 07:56:06 UTC
 > > >         eku: id-kp-serverAuth,id-kp-clientAuth
 > > >         pre-save command:
 > > >         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
 > > >         track: yes
 > > >         auto-renew: yes
 > > > Request ID '20140817123534':
 > > >         status: CA_UNREACHABLE
 > > >         ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
 > > >         stuck: yes
 > > >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
 > > >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
 > > >         CA: IPA
 > > >         issuer: CN=Certificate Authority,O=EXAMPLE.COM
 > > >         subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
 > > >         expires: 2016-08-17 12:35:34 UTC
 > > >         eku: id-kp-serverAuth,id-kp-clientAuth
 > > >         pre-save command:
 > > >         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
 > > >         track: yes
 > > >         auto-renew: yes
 > > > Request ID '20140817123602':
 > > >         status: CA_UNREACHABLE
 > > >         ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
 > > >         stuck: yes
 > > >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
 > > >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
 > > >         CA: IPA
 > > >         issuer: CN=Certificate Authority,O=EXAMPLE.COM
 > > >         subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
 > > >         expires: 2016-08-17 12:36:02 UTC
 > > >         eku: id-kp-serverAuth,id-kp-clientAuth
 > > >         pre-save command:
 > > >         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
 > > >         track: yes
 > > >         auto-renew: yes
 > > > Request ID '20140817123752':
 > > >         status: CA_UNREACHABLE
 > > >         ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
 > > >         stuck: yes
 > > >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
 > > >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
 > > >         CA: IPA
 > > >         issuer: CN=Certificate Authority,O=EXAMPLE.COM
 > > >         subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
 > > >         expires: 2016-08-17 12:37:51 UTC
 > > >         eku: id-kp-serverAuth,id-kp-clientAuth
 > > >         pre-save command:
 > > >         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
 > > >         track: yes
 > > >         auto-renew: yes
 > > > You have new mail in /var/spool/mail/root
 > > >
 > > >
 > > >
 > > > ------------------------------------------------------------------------
 > > > *From:* Florence Blanc-Renaud <f...@redhat.com>
 > > > *To:* mohammad sereshki <mohammadseres...@yahoo.com>; Freeipa-users <freeipa-users@redhat.com>
 > > > *Sent:* Thursday, July 21, 2016 11:30 AM
 > > > *Subject:* Re: [Freeipa-users] regenerate certificate
 > > >
 > > > On 07/20/2016 10:04 PM, mohammad sereshki wrote:
 > > > > hi
 > > > > I checked my IPA server, which is version ipa-server-3.0.0-25; the command
 > > > > "ipa-get-cert list" shows my certificates will expire in the next 20 days,
 > > > > and I do not know how to regenerate them,
 > > > > but the command "getcert list" shows the expiring certificates are related
 > > > > just to "CA: IPA", and the certificate "CA: dogtag-ipa-renew-agent" has
 > > > > enough time.
 > > > > Would you please help me to know how to regenerate the CA: IPA
 > > > > certificates?
 > > > >
 > > > > Best Regards
 > > > >
 > > > >
 > > > >
 > > >
 > > > Hi Mohammad,
 > > >
 > > > the certificates issued by IPA CA are normally tracked by certmonger and
 > > > automatically renewed when they are near their expiration date. To make
 > > > sure that your certificates are tracked, you can issue
 > > >
 > > > $ ipa-getcert list
 > > >
 > > > and check the "status:" field for each certificate. It should display
 > > > "MONITORING".
 > > >
 > > > If you want to manually renew them, you must note their request ID and
 > > > use the command
 > > > $ ipa-getcert resubmit -i $REQUEST_ID
 > > >
 > > > Hope this helps,
 > > > Flo.
 > > >
 > > >
 > > >
 > > >
 > > >
 > >
 > >
 > >
 >
 >
 >







