----- Mail original ----- > De: "Rob Crittenden" <[email protected]> > À: "Bertrand Rétif" <[email protected]>, [email protected] > Envoyé: Mercredi 19 Octobre 2016 15:30:14 > Objet: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> Bertrand Rétif wrote: > >> De: "Martin Babinsky" <[email protected]> > >> À: [email protected] > >> Envoyé: Mercredi 19 Octobre 2016 08:45:49 > >> Objet: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat > >> issue > > > >> On 10/18/2016 11:22 PM, Bertrand Rétif wrote: > >>> Hello, > >>> > >>> I had an issue with pki-tomcat. > >>> I had serveral certificate that was expired and pki-tomcat did not start > >>> anymore. > >>> > >>> I set the dateon the server before certificate expiration and then > >>> pki-tomcat starts properly. > >>> Then I try to resubmit the certificate, but I get below error: > >>> "Profile caServerCert Not Found" > >>> > >>> Do you have any idea how I could fix this issue. > >>> > >>> Please find below output of commands: > >>> > >>> > >>> # getcert resubmit -i 20160108170324 > >>> > >>> # getcert list -i 20160108170324 > >>> Number of certificates and requests being tracked: 7. > >>> Request ID '20160108170324': > >>> status: MONITORING > >>> ca-error: Server at > >>> "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit"; replied: > >>> Profile caServerCert Not Found > >>> stuck: no > >>> key pair storage: > >>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > >>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > >>> certificate: > >>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > >>> Certificate DB' > >>> CA: dogtag-ipa-ca-renew-agent > >>> issuer: CN=Certificate Authority,O=A.SKINFRA.EU > >>> subject: CN=IPA RA,O=A.SKINFRA.EU > >>> expires: 2016-06-28 15:25:11 UTC > >>> key usage: > >>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > >>> eku: id-kp-serverAuth,id-kp-clientAuth > >>> pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre > >>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert > >>> track: yes > >>> auto-renew: yes > >>> > >>> > >>> Thanksby advance for your help. > >>> Bertrand > >>> > >>> > >>> > >>> > > > >> Hi Betrand, > > > >> what version of FreeIPA and Dogtag are you running? > > > >> Also perform the following search on the IPA master and post the result: > > > >> """ > >> ldapsearch -D "cn=Directory Manager" -W -b > >> 'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)' > >> """ > > > > Hi Martin, > > > > Thanks for your reply. > > > > Here is version: > > - FreeIPA 4.2.0 > > - Centos 7.2 > > > > I have been able to fix the issue with "Profile caServerCert Not Found" by > > editing /var/lib/pki/pki-tomcat/ca/conf/CS.cfg > > I replace below entry > > "subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem" > > by > > "subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem" > > > > and then launch "ipa-server-upgrade" command > > I found this solution in this post: > > http://osdir.com/ml/freeipa-users/2016-03/msg00280.html > > > > Then I was able to renew my certificate. > > > > However I reboot my server to and pki-tomcat do not start and provide with > > a new erreor in /var/log/pki/pki-tomcat/ca/debug > > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: CertUtils: > > verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca > > [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: > > create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$ > > System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC > > certificate verification > > > > java.lang.Exception: SystemCertsVerification: system certs verification > > failure > > at > > com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198) > > at > > com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861) > > at > > com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797) > > at > > com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1701) > > at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1148) > > at com.netscape.certsrv.apps.CMS.startup(CMS.java:200) > > at com.netscape.certsrv.apps.CMS.start(CMS.java:1602) > > at > > com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114) > > at javax.servlet.GenericServlet.init(GenericServlet.java:158) > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > at > > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > > at > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > at java.lang.reflect.Method.invoke(Method.java:606) > > at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) > > at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) > > at java.security.AccessController.doPrivileged(Native Method) > > at javax.security.auth.Subject.doAsPrivileged(Subject.java:536) > > at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) > > at > > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169) > > at > > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123) > > at > > org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272) > > at > > org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197) > > at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087) > > at > > org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210) > > at > > org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493) > > at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) > > at > > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901) > > at > > org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) > > at > > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) > > at > > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) > > at java.security.AccessController.doPrivileged(Native Method) > > at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875) > > at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632) > > at > > org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672) > > at > > org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862) > > at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) > > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > > at > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > > at > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > > at java.lang.Thread.run(Thread.java:745) > > [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: > > create() > > message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] > > self tests execution (see selftests.log for details) > > [19/Oct/2016:11:11:52][localhost-startStop-1]: CMSEngine.shutdown() > > > > > > I am currently stuck here. > > Thanks a lot for your help. > I'm guessing at least one of the CA subsystem certificates are still > expired. Look at the "getcert list" output to see if there are any > expired certificates. > rob > > > > Bertrand > > > > Hello Rob, I check on my 2 servers and no certificate is expired [root@sdkipa03 ~]# getcert list |grep expire expires: 2018-06-22 22:02:26 UTC expires: 2018-06-22 22:02:47 UTC expires: 2034-07-09 15:24:34 UTC expires: 2016-10-30 13:35:29 UTC [root@sdkipa01 conf]# getcert list |grep expire expires: 2018-06-12 23:38:01 UTC expires: 2018-06-12 23:37:41 UTC expires: 2018-06-11 22:53:57 UTC expires: 2018-06-11 22:55:50 UTC expires: 2018-06-11 22:57:47 UTC expires: 2034-07-09 15:24:34 UTC expires: 2018-06-11 22:59:55 UTC I see that one certificate is in status: CA_UNREACHABLE, maybe I reboot to soon my server... I continue to investigate Thanks for your help. Bertrand
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
