Bertrand Rétif wrote:
From: "Martin Babinsky" <mbabi...@redhat.com>
To: freeipa-users@redhat.com
Sent: Wednesday 19 October 2016 08:45:49
Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue


On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
Hello,

I had an issue with pki-tomcat.
I had several certificates that were expired and pki-tomcat did not start
anymore.

I set the date on the server to before certificate expiration and then
pki-tomcat started properly.
Then I tried to resubmit the certificate, but I get the error below:
"Profile caServerCert Not Found"

Do you have any idea how I could fix this issue?

Please find below output of commands:


# getcert resubmit -i 20160108170324

# getcert list -i 20160108170324
Number of certificates and requests being tracked: 7.
Request ID '20160108170324':
status: MONITORING
ca-error: Server at "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied: Profile caServerCert Not Found
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=A.SKINFRA.EU
subject: CN=IPA RA,O=A.SKINFRA.EU
expires: 2016-06-28 15:25:11 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes


Thanks in advance for your help.
Bertrand





Hi Bertrand,

what version of FreeIPA and Dogtag are you running?

Also perform the following search on the IPA master and post the result:

"""
ldapsearch -D "cn=Directory Manager" -W -b 'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)'
"""

Hi Martin,

Thanks for your reply.

Here is version:
- FreeIPA 4.2.0
- Centos 7.2

I have been able to fix the issue with "Profile caServerCert Not Found" by
editing /var/lib/pki/pki-tomcat/ca/conf/CS.cfg.
I replaced the entry below
"subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem"
with
"subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem"

and then ran the "ipa-server-upgrade" command.
I found this solution in this post:
http://osdir.com/ml/freeipa-users/2016-03/msg00280.html

Then I was able to renew my certificate.

However, I rebooted my server too and pki-tomcat does not start and produces a
new error in /var/log/pki/pki-tomcat/ca/debug

[19/Oct/2016:11:11:52][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca
[19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification

java.lang.Exception: SystemCertsVerification: system certs verification failure
at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198)
at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861)
at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797)
at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1701)
at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1148)
at com.netscape.certsrv.apps.CMS.startup(CMS.java:200)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1602)
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
[19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)
[19/Oct/2016:11:11:52][localhost-startStop-1]: CMSEngine.shutdown()


I am currently stuck here.
Thanks a lot for your help.

I'm guessing at least one of the CA subsystem certificates is still expired. Look at the "getcert list" output to see if there are any expired certificates.

rob


Bertrand
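The check rob suggests, as an added example that is not part of the thread: parse `getcert list` output, report every tracked certificate that is expired at a given reference time, and find the earliest expiry among all tracked certificates (the instant the clock would have to be set back before for every tracked certificate to still verify). The sample `getcert list` output, request IDs, nicknames, realm and dates below are constructed for the example; only the line shapes follow certmonger's format. Expiry timestamps are compared as "YYYY-MM-DD HH:MM:SS" strings, which order correctly without depending on GNU `date`.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/certmonger.
# Parses `getcert list` output and reports expired tracked certificates.

# Constructed sample of `getcert list` output (request IDs, nicknames,
# realm and dates are made up for this example).
sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20160108170324':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=IPA RA,O=EXAMPLE.TEST
    expires: 2016-06-28 15:25:11 UTC
    track: yes
    auto-renew: yes
Request ID '20160108170325':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=OCSP Subsystem,O=EXAMPLE.TEST
    expires: 2016-09-30 08:00:00 UTC
    track: yes
    auto-renew: yes
Request ID '20160108170326':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=CA Audit,O=EXAMPLE.TEST
    expires: 2017-05-01 12:00:00 UTC
    track: yes
    auto-renew: yes
EOF
}

# Read `getcert list` output on stdin and print "request-id<TAB>nickname<TAB>expires"
# for every certificate whose expiry is at or before $1 ("YYYY-MM-DD HH:MM:SS", UTC).
# The nickname is taken from the "certificate:" line, not "key pair storage:".
list_expired() {
    awk -v ref="$1" -v q="'" '
        /^Request ID/ { id = $3; gsub("[" q ":]", "", id); nick = "" }
        /^[[:space:]]*certificate:/ {
            if (match($0, "nickname=" q "[^" q "]*" q))
                nick = substr($0, RSTART + 10, RLENGTH - 11)
        }
        /^[[:space:]]*expires:/ {
            expires = $2 " " $3
            if (expires <= ref) print id "\t" nick "\t" expires
        }
    '
}

# Earliest expiry among all tracked certificates on stdin: the clock has to be
# set to before this instant for every tracked certificate to verify as valid.
earliest_expiry() {
    awk '/^[[:space:]]*expires:/ { e = $2 " " $3; if (min == "" || e < min) min = e }
         END { print min }'
}

# Number of sample certificates already expired at the reference time $1.
count_expired() {
    sample_getcert_list | list_expired "$1" | wc -l | tr -d ' '
}

# On a real master:  getcert list | list_expired "$(date -u '+%Y-%m-%d %H:%M:%S')"
printf 'Expired at 2016-10-19 11:11:52:\n'
sample_getcert_list | list_expired '2016-10-19 11:11:52'
printf 'Earliest expiry: %s\n' "$(sample_getcert_list | earliest_expiry)"
```

On an IPA master the same pipeline run over real `getcert list` output lists the certmonger-tracked certificates (including the pki-tomcat subsystem certificates renewed through dogtag-ipa-ca-renew-agent) that are already past their expiry; any of them still expired after the clock has been moved forward again would explain the SystemCertsVerification self-test failure shown above.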



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
