On 10/19/2016 08:18 PM, Bertrand Rétif wrote:
*From: *"Bertrand Rétif" <bre...@phosphore.eu>
*To: *freeipa-users@redhat.com
*Sent: *Wednesday 19 October 2016 15:42:07
*Subject: *Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
------------------------------------------------------------------------
*From: *"Rob Crittenden" <rcrit...@redhat.com>
*To: *"Bertrand Rétif" <bre...@phosphore.eu>, freeipa-users@redhat.com
*Sent: *Wednesday 19 October 2016 15:30:14
*Subject: *Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
Bertrand Rétif wrote:
>> From: "Martin Babinsky" <mbabi...@redhat.com>
>> To: freeipa-users@redhat.com
>> Sent: Wednesday 19 October 2016 08:45:49
>> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
>
>> On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
>>> Hello,
>>>
>>> I had an issue with pki-tomcat.
>>> I had several certificates that had expired and pki-tomcat did not start anymore.
>>>
>>> I set the date on the server to before the certificate expiration and then pki-tomcat started properly.
>>> Then I tried to resubmit the certificate, but I got the below error:
>>> "Profile caServerCert Not Found"
>>>
>>> Do you have any idea how I could fix this issue?
>>>
>>> Please find below the output of the commands:
>>>
>>> # getcert resubmit -i 20160108170324
>>>
>>> # getcert list -i 20160108170324
>>> Number of certificates and requests being tracked: 7.
>>> Request ID '20160108170324':
>>> status: MONITORING
>>> ca-error: Server at "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied: Profile caServerCert Not Found
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=A.SKINFRA.EU
>>> subject: CN=IPA RA,O=A.SKINFRA.EU
>>> expires: 2016-06-28 15:25:11 UTC
>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>> track: yes
>>> auto-renew: yes
>>>
>>> Thanks in advance for your help.
>>> Bertrand
>>>
>
>> Hi Bertrand,
>
>> what version of FreeIPA and Dogtag are you running?
>
>> Also perform the following search on the IPA master and post the result:
>
>> """
>> ldapsearch -D "cn=Directory Manager" -W -b 'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)'
>> """
>
> Hi Martin,
>
> Thanks for your reply.
>
> Here are the versions:
> - FreeIPA 4.2.0
> - CentOS 7.2
>
> I have been able to fix the issue with "Profile caServerCert Not Found" by editing /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
> I replaced the below entry
> "subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem"
> by
> "subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem"
>
> and then launched the "ipa-server-upgrade" command.
> I found this solution in this post:
> http://osdir.com/ml/freeipa-users/2016-03/msg00280.html
>
> Then I was able to renew my certificate.
>
> However, I also rebooted my server, and pki-tomcat does not start and gives a new error in /var/log/pki/pki-tomcat/ca/debug
>
> [19/Oct/2016:11:11:52][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca
> [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification
>
> java.lang.Exception: SystemCertsVerification: system certs verification failure
> at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198)
> at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861)
> at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797)
> at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1701)
> at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1148)
> at com.netscape.certsrv.apps.CMS.startup(CMS.java:200)
> at com.netscape.certsrv.apps.CMS.start(CMS.java:1602)
> at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
> at javax.servlet.GenericServlet.init(GenericServlet.java:158)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:606)
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
> at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
> at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
> at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
> at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
> at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
> at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
> at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
> at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
> at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
> at java.security.AccessController.doPrivileged(Native Method)
> at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
> at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
> at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
> at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
> at java.util.concurrent.FutureTask.run(FutureTask.java:262)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> at java.lang.Thread.run(Thread.java:745)
> [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)
> [19/Oct/2016:11:11:52][localhost-startStop-1]: CMSEngine.shutdown()
>
>
> I am currently stuck here.
> Thanks a lot for your help.
I'm guessing at least one of the CA subsystem certificates is still expired. Look at the "getcert list" output to see if there are any expired certificates.
rob
>
> Bertrand
>
>
Hello Rob,
I checked on my 2 servers and no certificate is expired:
[root@sdkipa03 ~]# getcert list |grep expire
expires: 2018-06-22 22:02:26 UTC
expires: 2018-06-22 22:02:47 UTC
expires: 2034-07-09 15:24:34 UTC
expires: 2016-10-30 13:35:29 UTC
[root@sdkipa01 conf]# getcert list |grep expire
expires: 2018-06-12 23:38:01 UTC
expires: 2018-06-12 23:37:41 UTC
expires: 2018-06-11 22:53:57 UTC
expires: 2018-06-11 22:55:50 UTC
expires: 2018-06-11 22:57:47 UTC
expires: 2034-07-09 15:24:34 UTC
expires: 2018-06-11 22:59:55 UTC
I see that one certificate is in status CA_UNREACHABLE; maybe I rebooted my server too soon...
I continue to investigate.
Thanks for your help.
Bertrand
I fixed my previous issue.
Now I have an issue with a server.
This server cannot start pki-tomcatd; I get this error in the debug file:
"Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)"
After investigation I see that I do not have the "ipaCert" certificate in "/etc/httpd/alias"; cf. the command below:
[root@sdkipa03 ~]# getcert list -d /etc/httpd/alias
Number of certificates and requests being tracked: 4.
Request ID '20141110133632':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=A.SKINFRA.EU
subject: CN=sdkipa03.skinfra.eu,O=A.SKINFRA.EU
expires: 2018-06-22 22:02:47 UTC
principal name: HTTP/sdkipa03.skinfra...@a.skinfra.eu
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
How can I add the certificate to /etc/httpd/alias?
Hi,
for the record, the command getcert list that you supplied shows the
certificates in /etc/httpd/alias that are tracked by certmonger. If you
want to display all the certificates contained in /etc/httpd/alias
(whether tracked or not), then you may want to use certutil -L -d
/etc/httpd/alias instead.
If ipaCert is missing, you can export ipaCert certificate from another
master, then import it to your server.
On a master containing the cert:
# certutil -d /etc/httpd/alias -L -n 'ipaCert' -a > /tmp/newRAcert.crt
Then copy the file /tmp/newRAcert.crt to your server and import the cert:
# certutil -d /etc/httpd/alias -A -n 'ipaCert' -a -i /tmp/newRAcert.crt -t u,u,u
And finally you need to tell certmonger to monitor the cert using
getcert start-tracking.
Hope this helps,
Flo.
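Two checks come up in this thread: Rob's advice to read the `getcert list` output for expired certificates (a bare `grep expire` loses the status and nickname next to each date), and Flo's point that `getcert list` only shows what certmonger tracks, so a tracked nickname such as ipaCert can be missing from the NSS database that `certutil -L` actually lists. The script below is an added example, not code from the thread or from FreeIPA: it parses constructed samples written in the two tools' output format (request IDs and dates taken from the thread, the nickname `EXAMPLE.TEST IPA CA` and all function names are assumptions) and reports both conditions.

```python
# Added audit of constructed `getcert list` / `certutil -L` text for the failure modes in this thread:
# expired certs, a status other than MONITORING (e.g. CA_UNREACHABLE), a tracked nickname missing from the NSS DB.
import re
from datetime import datetime
GETCERT_LIST = """\
Request ID '20160108170324':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        expires: 2016-06-28 15:25:11 UTC
Request ID '20141110133632':
        status: CA_UNREACHABLE
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        expires: 2018-06-22 22:02:47 UTC
"""
CERTUTIL_LIST = """\
Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

Server-Cert                                   u,u,u
EXAMPLE.TEST IPA CA                           CT,C,C
"""
NICK = re.compile(r"nickname='([^']*)'")
TS = "%Y-%m-%d %H:%M:%S"   # certmonger prints 'YYYY-MM-DD HH:MM:SS UTC'; the first 19 chars are parsed
def parse_getcert(text):
    reqs, cur = [], None      # one dict per 'Request ID' block; indented 'name: value' fields become keys
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1)}
            reqs.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.strip().partition(":")
            cur[key] = val.strip()
    return reqs
def audit(getcert_text, now):
    """(request id, nickname, problem) for each cert that is expired at `now` or not in MONITORING."""
    out = []
    for r in parse_getcert(getcert_text):
        nick = NICK.search(r.get("certificate", "")).group(1)
        if datetime.strptime(r["expires"][:19], TS) <= datetime.strptime(now[:19], TS):
            out.append((r["id"], nick, "expired " + r["expires"]))
        if r.get("status") != "MONITORING":
            out.append((r["id"], nick, "status " + r.get("status", "?")))
    return out
def tracked_but_missing(getcert_text, certutil_text):
    """Nicknames certmonger tracks that certutil -L does not list (in the thread: ipaCert)."""
    rows = certutil_text.split("\n\n", 1)[1].splitlines()        # entries follow the header's blank line
    present = {row.rsplit(None, 1)[0].strip() for row in rows if row.strip()}  # nickname may contain spaces
    tracked = {NICK.search(r["certificate"]).group(1) for r in parse_getcert(getcert_text)}
    return sorted(tracked - present)
```

On a real master the same functions can be fed `subprocess` output of `getcert list` and `certutil -L -d /etc/httpd/alias`; a non-empty result from `tracked_but_missing` is the situation Flo's export/import steps repair.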
Thanks for your support.
Regards
Bertrand
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project