On 11/22/2016 10:07 AM, Bertrand Rétif wrote:
------------------------------------------------------------------------

    *From: *"Bertrand Rétif" <bre...@phosphore.eu>
    *To: *freeipa-users@redhat.com
    *Sent: *Tuesday 25 October 2016 17:51:09
    *Subject: *Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue


    ------------------------------------------------------------------------

        *From: *"Florence Blanc-Renaud" <f...@redhat.com>
        *To: *"Bertrand Rétif" <bre...@phosphore.eu>, freeipa-users@redhat.com
        *Sent: *Thursday 20 October 2016 18:45:21
        *Subject: *Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

        On 10/19/2016 08:18 PM, Bertrand Rétif wrote:
        > *From: *"Bertrand Rétif" <bre...@phosphore.eu>
        > *To: *freeipa-users@redhat.com
        > *Sent: *Wednesday 19 October 2016 15:42:07
        > *Subject: *Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
        >
        >
        >
        ------------------------------------------------------------------------
        >
        >         *From: *"Rob Crittenden" <rcrit...@redhat.com>
        >         *To: *"Bertrand Rétif" <bre...@phosphore.eu>, freeipa-users@redhat.com
        >         *Sent: *Wednesday 19 October 2016 15:30:14
        >         *Subject: *Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
        >
        >         Bertrand Rétif wrote:
        >         >> From: "Martin Babinsky" <mbabi...@redhat.com>
        >         >> To: freeipa-users@redhat.com
        >         >> Sent: Wednesday 19 October 2016 08:45:49
        >         >> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
        >         >
        >         >> On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
        >         >>> Hello,
        >         >>>
        >         >>> I had an issue with pki-tomcat.
        >         >>> I had several certificates that were expired and pki-tomcat did not start anymore.
        >         >>>
        >         >>> I set the date on the server before certificate expiration and then pki-tomcat starts properly.
        >         >>> Then I try to resubmit the certificate, but I get the error below:
        >         >>> "Profile caServerCert Not Found"
        >         >>>
        >         >>> Do you have any idea how I could fix this issue.
        >         >>>
        >         >>> Please find below output of commands:
        >         >>>
        >         >>>
        >         >>> # getcert resubmit -i 20160108170324
        >         >>>
        >         >>> # getcert list -i 20160108170324
        >         >>> Number of certificates and requests being tracked: 7.
        >         >>> Request ID '20160108170324':
        >         >>> status: MONITORING
        >         >>> ca-error: Server at "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied: Profile caServerCert Not Found
        >         >>> stuck: no
        >         >>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        >         >>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        >         >>> CA: dogtag-ipa-ca-renew-agent
        >         >>> issuer: CN=Certificate Authority,O=A.SKINFRA.EU
        >         >>> subject: CN=IPA RA,O=A.SKINFRA.EU
        >         >>> expires: 2016-06-28 15:25:11 UTC
        >         >>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        >         >>> eku: id-kp-serverAuth,id-kp-clientAuth
        >         >>> pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
        >         >>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        >         >>> track: yes
        >         >>> auto-renew: yes
        >         >>>
        >         >>>
        >         >>> Thanks in advance for your help.
        >         >>> Bertrand
        >         >>>
        >         >>>
        >         >>>
        >         >>>
        >         >
        >         >> Hi Betrand,
        >         >
        >         >> what version of FreeIPA and Dogtag are you running?
        >         >
        >         >> Also perform the following search on the IPA master and post the result:
        >         >
        >         >> """
        >         >> ldapsearch -D "cn=Directory Manager" -W -b 'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)'
        >         >> """
        >         >
        >         > Hi Martin,
        >         >
        >         > Thanks for your reply.
        >         >
        >         > Here is version:
        >         > - FreeIPA 4.2.0
        >         > - Centos 7.2
        >         >
        >         > I have been able to fix the issue with "Profile caServerCert Not Found" by editing /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
        >         > I replaced the entry below
        >         >
        >         > "subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem"
        >         > with
        >         >
        >         > "subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem"
        >         >
        >         > and then launched the "ipa-server-upgrade" command.
        >         > I found this solution in this post:
        >         > http://osdir.com/ml/freeipa-users/2016-03/msg00280.html
        >         >
        >         > Then I was able to renew my certificate.
        >         >
        >         > However, I rebooted my server too, and pki-tomcat does not start and gives a new error in /var/log/pki/pki-tomcat/ca/debug
        >         >
        >         > [19/Oct/2016:11:11:52][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca
        >         > [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification
        >         >
        >         > java.lang.Exception: SystemCertsVerification: system certs verification failure
        >         > at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198)
        >         > at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861)
        >         > at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797)
        >         > at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1701)
        >         > at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1148)
        >         > at com.netscape.certsrv.apps.CMS.startup(CMS.java:200)
        >         > at com.netscape.certsrv.apps.CMS.start(CMS.java:1602)
        >         > at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
        >         > at javax.servlet.GenericServlet.init(GenericServlet.java:158)
        >         > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        >         > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        >         > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        >         > at java.lang.reflect.Method.invoke(Method.java:606)
        >         > at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
        >         > at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
        >         > at java.security.AccessController.doPrivileged(Native Method)
        >         > at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
        >         > at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
        >         > at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
        >         > at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
        >         > at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
        >         > at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
        >         > at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
        >         > at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
        >         > at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
        >         > at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        >         > at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
        >         > at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
        >         > at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
        >         > at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
        >         > at java.security.AccessController.doPrivileged(Native Method)
        >         > at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
        >         > at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
        >         > at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
        >         > at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
        >         > at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
        >         > at java.util.concurrent.FutureTask.run(FutureTask.java:262)
        >         > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        >         > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        >         > at java.lang.Thread.run(Thread.java:745)
        >         > [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)
        >         > [19/Oct/2016:11:11:52][localhost-startStop-1]: CMSEngine.shutdown()
        >         >
        >         >
        >         > I am currently stuck here.
        >         > Thanks a lot for your help.
        >
        >         I'm guessing at least one of the CA subsystem certificates is still
        >         expired. Look at the "getcert list" output to see if there are any
        >         expired certificates.
        >
        >         rob
        >
        >         >
        >         > Bertrand
        >         >
        >         >
        >
        >     Hello Rob,
        >
        >     I checked on my 2 servers and no certificate is expired
        >
        >     [root@sdkipa03 ~]# getcert list |grep expire
        >         expires: 2018-06-22 22:02:26 UTC
        >         expires: 2018-06-22 22:02:47 UTC
        >         expires: 2034-07-09 15:24:34 UTC
        >         expires: 2016-10-30 13:35:29 UTC
        >
        >     [root@sdkipa01 conf]# getcert list |grep expire
        >         expires: 2018-06-12 23:38:01 UTC
        >         expires: 2018-06-12 23:37:41 UTC
        >         expires: 2018-06-11 22:53:57 UTC
        >         expires: 2018-06-11 22:55:50 UTC
        >         expires: 2018-06-11 22:57:47 UTC
        >         expires: 2034-07-09 15:24:34 UTC
        >         expires: 2018-06-11 22:59:55 UTC
        >
        >     I see that one certificate is in status CA_UNREACHABLE; maybe I
        >     rebooted my server too soon...
        >
        >     I continue to investigate
        >
        >     Thanks for your help.
        >     Bertrand
        >
        > I fixed my previous issue.
        > Now I have an issue with a server.
        > This server cannot start pki-tomcatd; I get this error in the debug file:
        > "Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)"
        >
        > After investigation I see that I do not have the "ipaCert" certificate in "/etc/httpd/alias"
        > cf. the command below:
        >
        > [root@sdkipa03 ~]# getcert list -d /etc/httpd/alias
        > Number of certificates and requests being tracked: 4.
        > Request ID '20141110133632':
        >     status: MONITORING
        >     stuck: no
        >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        >     CA: IPA
        >     issuer: CN=Certificate Authority,O=A.SKINFRA.EU
        >     subject: CN=sdkipa03.skinfra.eu,O=A.SKINFRA.EU
        >     expires: 2018-06-22 22:02:47 UTC
        >     principal name: HTTP/sdkipa03.skinfra...@a.skinfra.eu
        >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        >     eku: id-kp-serverAuth,id-kp-clientAuth
        >     pre-save command:
        >     post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        >     track: yes
        >     auto-renew: yes
        >
        >
        > How can I add the certificate to /etc/httpd/alias?
        >
        Hi,

        for the record, the command getcert list that you supplied shows the
        certificates in /etc/httpd/alias that are tracked by certmonger. If you
        want to display all the certificates contained in /etc/httpd/alias
        (whether tracked or not), then you may want to use
        certutil -L -d /etc/httpd/alias instead.

        If ipaCert is missing, you can export the ipaCert certificate from
        another master, then import it to your server.

        On a master containing the cert:
        # certutil -d /etc/httpd/alias -L -n 'ipaCert' -a > /tmp/newRAcert.crt

        Then copy the file /tmp/newRAcert.crt to your server and import the cert:
        # certutil -d /etc/httpd/alias -A -n 'ipaCert' -a -i /tmp/newRAcert.crt -t u,u,u

        And finally you need to tell certmonger to monitor the cert using
        getcert start-tracking.

        Hope this helps,
        Flo.

        > Thanks for your support.
        > Regards
        > Bertrand
        >
        >
        >

    Hi,

    Florence, thanks for your help.
    I was able to import ipaCert correctly with your commands.
    Now it seems that I also have an issue on one server with
    "subsystemCert cert-pki-ca" in /etc/pki/pki-tomcat/alias, as I get the
    error below when pki-tomcat tries to start


    LdapJssSSLSocket set client auth cert nickname subsystemCert cert-pki-ca
    Could not connect to LDAP server host sdkipa03.XX.YY port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)


    Is there a way to restore a correct "subsystemCert cert-pki-ca"?

    Regards
    Bertrand

Hello,

I am still stuck with my IPA server.
I have issues on both servers.
On server 1, the certificate below is not renewed properly
   certutil -L -d /etc/httpd/alias/ -n "ipaCert"

and on server 2 it is this certificate:
  certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "Server-Cert cert-pki-ca"

Could you provide me with the correct syntax for the start-tracking command?
I tried to launch this command but my certificate remains in the
"NEWLY_ADDED_NEED_KEYINFO_READ_PIN" state.
Here is the command I use:
getcert start-tracking -c dogtag-ipa-retrieve-agent-submit -d /var/lib/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca' -B /usr/lib64/ipa/certmonger/stop_pkicad -C '/usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"' -T "Server-Cert cert-pki-ca" -P '20160614000000'

Hi Bertrand,

to get the right command, you can check on a system where the certificate is properly monitored; this will show you the right parameters:
$ sudo getcert list -n ipaCert
Number of certificates and requests being tracked: 8.
Request ID '20161122095344':
[..] key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
[...]
        CA: dogtag-ipa-ca-renew-agent
[...]
        pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
[...]

The relevant fields are NSSDB location, pinfile, nickname, CA, pre and post-save commands. So in order to monitor ipaCert, you will need to use
$ sudo getcert start-tracking -d /etc/httpd/alias -n ipaCert \
    -p /etc/httpd/alias/pwdfile.txt \
    -c dogtag-ipa-ca-renew-agent \
    -B /usr/lib64/ipa/certmonger/renew_ra_cert_pre \
    -C /usr/lib64/ipa/certmonger/renew_ra_cert

HTH,
Flo.

Thanks in advance for your help.

Regards
Bertrand
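Rob's advice earlier in the thread (look through "getcert list" for certificates that are still expired) and the tracking state Bertrand hits at the end (NEWLY_ADDED_NEED_KEYINFO_READ_PIN) both come down to reading certmonger's output carefully. The script below is an added example, not part of the original thread or of FreeIPA/certmonger: it parses "getcert list" output and flags, per request, a certificate already expired at a given point in time, a status other than MONITORING, and any recorded ca-error. The sample output is constructed (hostnames and request IDs are made up) and the parser assumes certmonger's default numeric request IDs shown in single quotes, as in every listing above. On a real master you would run `getcert list | audit_getcert "$(date -u '+%Y-%m-%d %H:%M:%S')"` instead of feeding it the sample.

```shell
#!/bin/sh
# Added example (not from the thread): audit `getcert list` output.
# Usage: getcert list | audit_getcert "YYYY-MM-DD HH:MM:SS"   (UTC, as getcert prints)
# Prints one line per finding:
#   EXPIRED  <request id> <expiry>        certificate already expired at the given time
#   STATE    <request id> <status>        request is not in MONITORING state
#   CA_ERROR <request id> <message>       the CA rejected the last renewal attempt
audit_getcert() {
    now="$1"
    awk -v now="$now" -v q="'" '
        # Emit findings for the request parsed so far.
        function flush() {
            if (id == "") return
            # ISO-style timestamps sort correctly as plain strings.
            if (expires != "" && expires < now)
                print "EXPIRED " id " " expires
            if (status != "" && status != "MONITORING")
                print "STATE " id " " status
            if (caerr != "")
                print "CA_ERROR " id " " caerr
        }
        # A new "Request ID '"'"'...'"'"':" line starts a record; the ID sits between the quotes.
        /^Request ID /     { flush(); split($0, a, q); id = a[2]; status = expires = caerr = "" }
        /^[ \t]*status:/   { status = $2 }
        /^[ \t]*expires:/  { expires = $2 " " $3 }          # drop the trailing "UTC"
        /^[ \t]*ca-error:/ { sub(/^[ \t]*ca-error:[ \t]*/, ""); caerr = $0 }
        END { flush() }
    '
}

# Constructed sample modelled on the listings in the thread (assumed data, not real output).
SAMPLE=$(cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20160108170324':
    status: MONITORING
    ca-error: Server at "http://ipa.example.test:8080/ca/ee/ca/profileSubmit" replied: Profile caServerCert Not Found
    stuck: no
    CA: dogtag-ipa-ca-renew-agent
    expires: 2016-06-28 15:25:11 UTC
    track: yes
Request ID '20141110133632':
    status: MONITORING
    stuck: no
    CA: IPA
    expires: 2018-06-22 22:02:47 UTC
    track: yes
Request ID '20161122095344':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: no
    CA: dogtag-ipa-ca-renew-agent
    expires: 2018-06-11 22:59:55 UTC
    track: yes
EOF
)

# Demo: audit the sample as of the timestamp in the pki-tomcat debug log above.
printf '%s\n' "$SAMPLE" | audit_getcert "2016-10-19 11:11:52"
```

The awk record logic flushes on each new "Request ID" line and again at END, so the last request is reported too; comparing "expires" with the supplied time as strings is safe only because both are in the same fixed-width "YYYY-MM-DD HH:MM:SS" layout that getcert prints. Note that an expired certificate can still show status MONITORING with a ca-error attached, which is exactly the combination in Bertrand's first listing, so the three checks are deliberately independent.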





--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
