> From: "Florence Blanc-Renaud" <f...@redhat.com>
> To: "Bertrand Rétif" <bre...@phosphore.eu>, freeipa-users@redhat.com
> Sent: Tuesday 22 November 2016 11:33:45
> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

> On 11/22/2016 10:07 AM, Bertrand Rétif wrote:
> > ------------------------------------------------------------------------
> >
> > From: "Bertrand Rétif" <bre...@phosphore.eu>
> > To: freeipa-users@redhat.com
> > Sent: Tuesday 25 October 2016 17:51:09
> > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> >
> >
> > ------------------------------------------------------------------------
> >
> > From: "Florence Blanc-Renaud" <f...@redhat.com>
> > To: "Bertrand Rétif" <bre...@phosphore.eu>, freeipa-users@redhat.com
> > Sent: Thursday 20 October 2016 18:45:21
> > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> >
> > On 10/19/2016 08:18 PM, Bertrand Rétif wrote:
> > > From: "Bertrand Rétif" <bre...@phosphore.eu>
> > > To: freeipa-users@redhat.com
> > > Sent: Wednesday 19 October 2016 15:42:07
> > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > >
> > >
> > >
> > ------------------------------------------------------------------------
> > >
> > > From: "Rob Crittenden" <rcrit...@redhat.com>
> > > To: "Bertrand Rétif" <bre...@phosphore.eu>, freeipa-users@redhat.com
> > > Sent: Wednesday 19 October 2016 15:30:14
> > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > >
> > > Bertrand Rétif wrote:
> > > >> From: "Martin Babinsky" <mbabi...@redhat.com>
> > > >> To: freeipa-users@redhat.com
> > > >> Sent: Wednesday 19 October 2016 08:45:49
> > > >> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > >
> > > >> On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
> > > >>> Hello,
> > > >>>
> > > >>> I had an issue with pki-tomcat.
> > > >>> I had several certificates that were expired and pki-tomcat did not start anymore.
> > > >>>
> > > >>> I set the date on the server before certificate expiration and then pki-tomcat started properly.
> > > >>> Then I tried to resubmit the certificate, but I got the below error:
> > > >>> "Profile caServerCert Not Found"
> > > >>>
> > > >>> Do you have any idea how I could fix this issue?
> > > >>>
> > > >>> Please find below the output of the commands:
> > > >>>
> > > >>>
> > > >>> # getcert resubmit -i 20160108170324
> > > >>>
> > > >>> # getcert list -i 20160108170324
> > > >>> Number of certificates and requests being tracked: 7.
> > > >>> Request ID '20160108170324':
> > > >>> status: MONITORING
> > > >>> ca-error: Server at "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied: Profile caServerCert Not Found
> > > >>> stuck: no
> > > >>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > >>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> > > >>> CA: dogtag-ipa-ca-renew-agent
> > > >>> issuer: CN=Certificate Authority,O=A.SKINFRA.EU
> > > >>> subject: CN=IPA RA,O=A.SKINFRA.EU
> > > >>> expires: 2016-06-28 15:25:11 UTC
> > > >>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > >>> eku: id-kp-serverAuth,id-kp-clientAuth
> > > >>> pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
> > > >>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> > > >>> track: yes
> > > >>> auto-renew: yes
> > > >>>
> > > >>>
> > > >>> Thanks in advance for your help.
> > > >>> Bertrand
> > > >>>
> > > >>>
> > > >>>
> > > >>>
> > > >
> > > >> Hi Bertrand,
> > > >
> > > >> what version of FreeIPA and Dogtag are you running?
> > > >
> > > >> Also perform the following search on the IPA master and post the result:
> > > >
> > > >> """
> > > >> ldapsearch -D "cn=Directory Manager" -W -b 'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)'
> > > >> """
> > > >
> > > > Hi Martin,
> > > >
> > > > Thanks for your reply.
> > > >
> > > > Here is version:
> > > > - FreeIPA 4.2.0
> > > > - Centos 7.2
> > > >
> > > > I have been able to fix the issue with "Profile caServerCert Not Found" by editing /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
> > > > I replaced the below entry
> > > >
> > > > "subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem"
> > > > by
> > > >
> > > > "subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem"
> > > >
> > > > and then launched the "ipa-server-upgrade" command.
> > > > I found this solution in this post:
> > > > http://osdir.com/ml/freeipa-users/2016-03/msg00280.html
> > > >
> > > > Then I was able to renew my certificate.
> > > >
> > > > However, I also rebooted my server, and pki-tomcat does not start and gives a new error in /var/log/pki/pki-tomcat/ca/debug
> > > >
> > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca
> > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification
> > > >
> > > > java.lang.Exception: SystemCertsVerification: system certs verification failure
> > > > at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198)
> > > > at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861)
> > > > at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797)
> > > > at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1701)
> > > > at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1148)
> > > > at com.netscape.certsrv.apps.CMS.startup(CMS.java:200)
> > > > at com.netscape.certsrv.apps.CMS.start(CMS.java:1602)
> > > > at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
> > > > at javax.servlet.GenericServlet.init(GenericServlet.java:158)
> > > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> > > > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > > at java.lang.reflect.Method.invoke(Method.java:606)
> > > > at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
> > > > at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
> > > > at java.security.AccessController.doPrivileged(Native Method)
> > > > at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
> > > > at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
> > > > at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
> > > > at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
> > > > at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
> > > > at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
> > > > at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
> > > > at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
> > > > at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
> > > > at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> > > > at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
> > > > at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
> > > > at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
> > > > at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
> > > > at java.security.AccessController.doPrivileged(Native Method)
> > > > at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
> > > > at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
> > > > at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
> > > > at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
> > > > at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
> > > > at java.util.concurrent.FutureTask.run(FutureTask.java:262)
> > > > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> > > > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> > > > at java.lang.Thread.run(Thread.java:745)
> > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)
> > > > [19/Oct/2016:11:11:52][localhost-startStop-1]: CMSEngine.shutdown()
> > > >
> > > >
> > > > I am currently stuck here.
> > > > Thanks a lot for your help.
> > >
> > > I'm guessing at least one of the CA subsystem certificates is still expired. Look at the "getcert list" output to see if there are any expired certificates.
> > >
> > > rob
> > >
> > > >
> > > > Bertrand
> > > >
> > > >
> > >
> > > Hello Rob,
> > >
> > > I checked on my 2 servers and no certificate is expired
> > >
> > > [root@sdkipa03 ~]# getcert list |grep expire
> > > expires: 2018-06-22 22:02:26 UTC
> > > expires: 2018-06-22 22:02:47 UTC
> > > expires: 2034-07-09 15:24:34 UTC
> > > expires: 2016-10-30 13:35:29 UTC
> > >
> > > [root@sdkipa01 conf]# getcert list |grep expire
> > > expires: 2018-06-12 23:38:01 UTC
> > > expires: 2018-06-12 23:37:41 UTC
> > > expires: 2018-06-11 22:53:57 UTC
> > > expires: 2018-06-11 22:55:50 UTC
> > > expires: 2018-06-11 22:57:47 UTC
> > > expires: 2034-07-09 15:24:34 UTC
> > > expires: 2018-06-11 22:59:55 UTC
> > >
> > > I see that one certificate is in status: CA_UNREACHABLE, maybe I rebooted my server too soon...
> > >
> > > I continue to investigate
> > >
> > > Thanks for your help.
> > > Bertrand
> > >
> > > I fixed my previous issue.
> > > Now I have an issue with a server.
> > > This server can not start pki-tomcatd, I get this error in the debug file:
> > > "Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)"
> > >
> > > After investigation I see that I do not have the "ipaCert" certificate in "/etc/httpd/alias"
> > > cf. below command:
> > >
> > > [root@sdkipa03 ~]# getcert list -d /etc/httpd/alias
> > > Number of certificates and requests being tracked: 4.
> > > Request ID '20141110133632':
> > > status: MONITORING
> > > stuck: no
> > > key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> > > CA: IPA
> > > issuer: CN=Certificate Authority,O=A.SKINFRA.EU
> > > subject: CN=sdkipa03.skinfra.eu,O=A.SKINFRA.EU
> > > expires: 2018-06-22 22:02:47 UTC
> > > principal name: HTTP/sdkipa03.skinfra...@a.skinfra.eu
> > > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > pre-save command:
> > > post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> > > track: yes
> > > auto-renew: yes
> > >
> > >
> > > How can I add the certificate to /etc/httpd/alias?
> > >
> > Hi,
> >
> > for the record, the command getcert list that you supplied shows the certificates in /etc/httpd/alias that are tracked by certmonger. If you want to display all the certificates contained in /etc/httpd/alias (whether tracked or not), then you may want to use certutil -L -d /etc/httpd/alias instead.
> >
> > If ipaCert is missing, you can export the ipaCert certificate from another master, then import it to your server.
> >
> > On a master containing the cert:
> > # certutil -d /etc/httpd/alias -L -n 'ipaCert' -a > /tmp/newRAcert.crt
> >
> > Then copy the file /tmp/newRAcert.crt to your server and import the cert:
> > # certutil -d /etc/httpd/alias -A -n 'ipaCert' -a -i /tmp/newRAcert.crt -t u,u,u
> >
> > And finally you need to tell certmonger to monitor the cert using getcert start-tracking.
> >
> > Hope this helps,
> > Flo.
> >
> > > Thanks for your support.
> > > Regards
> > > Bertrand
> > >
> > >
> > >
> >
> > Hi,
> >
> > Florence, thanks for your help.
> > I was able to import correctly ipaCert with your commands.
> > Now it seems that I also have an issue on one server with "subsystemCert cert-pki-ca" in /etc/pki/pki-tomcat/alias as I get the below error when pki-tomcat tries to start
> >
> >
> > LdapJssSSLSocket set client auth cert nickname subsystemCert cert-pki-ca
> > Could not connect to LDAP server host sdkipa03.XX.YY port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
> >
> >
> > Is there a way to restore a correct "subsystemCert cert-pki-ca"?
> >
> > Regards
> > Bertrand
> >
> > Hello,
> >
> > I am still stuck with my IPA server.
> > I have issues on both servers.
> > On server1, below certificate is not renewed properly
> > certutil -L -d /etc/httpd/alias/ -n "ipaCert"
> >
> > and on server 2 this is this certificate:
> > certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "Server-Cert cert-pki-ca"
> >
> > Could you provide me with the correct syntax for the start-tracking command?
> > I tried to launch this command but my certificate remains in the "NEWLY_ADDED_NEED_KEYINFO_READ_PIN" state.
> > Here is the command I use:
> > getcert start-tracking -c dogtag-ipa-retrieve-agent-submit -d
> > /var/lib/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca' -B
> > /usr/lib64/ipa/certmonger/stop_pkicad -C
> > '/usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"' -T
> > "Server-Cert cert-pki-ca" -P '20160614000000'
> >
> Hi Bertrand,

> to get the right command, you can check on a system where the
> certificate is properly monitored, this will show you the right parameters:
> $ sudo getcert list -n ipaCert
> Number of certificates and requests being tracked: 8.
> Request ID '20161122095344':
> [..] key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> [...]
> CA: dogtag-ipa-ca-renew-agent
> [...]
> pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> [...]

> The relevant fields are NSSDB location, pinfile, nickname, CA, pre and
> post-save commands. So in order to monitor ipaCert, you will need to use
> $ sudo getcert start-tracking -d /etc/httpd/alias -n ipaCert \
> -p /etc/httpd/alias/pwdfile.txt \
> -c dogtag-ipa-ca-renew-agent \
> -B /usr/lib64/ipa/certmonger/renew_ra_cert_pre \
> -C /usr/lib64/ipa/certmonger/renew_ra_cert

> HTH,
> Flo.

> > Thanks in advance for your help.
> >
> > Regards
> > Bertrand

Hello Florence, 

Thanks for your reply. 
Before making any mistakes, I just need some explanations, as I think I do not
fully understand how it should work.

Do all the certificates need to be tracked by certmonger on all servers, or should
they only be tracked on one server, with FreeIPA updating them on the other
servers?

In my case I have the below certificates outdated and not tracked on "server 1":
- certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "auditSigningCert cert-pki-ca"
- certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "ocspSigningCert cert-pki-ca"
- certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "subsystemCert cert-pki-ca"

They are tracked by certmonger and have been correctly renewed on "server 2".
Do I need to have them tracked by certmonger on "server 1"?
If not, does it mean FreeIPA failed to update them? Should I delete and import them
manually on server 2?

If you need more details, do not hesitate to ask. 

Regards 
Bertrand 
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
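Two checks from the thread lend themselves to a small script: Flo's advice to copy the tracking parameters (NSS DB location, pinfile, nickname, CA helper, pre- and post-save commands) from a replica where the certificate is tracked correctly, and the earlier expiry check done with `getcert list | grep expire`, which prints dates but not which certificate they belong to, whether it is already expired, or whether the last renewal attempt failed. The Python below is an added example and is not code from this thread, from FreeIPA or from certmonger. It parses `getcert list` output offline; the sample text is constructed from the records quoted above (fields trimmed, wrapping undone), and the 2016-10-19 reference date is an assumption for the expiry comparison. It reports records that are expired or about to expire, not in MONITORING state, or carrying a `ca-error`, and builds the `getcert start-tracking` line that reproduces a record's parameters on another host. Run it against real output with `getcert list | python3 getcert_check.py` and compare the generated command with a healthy master before using it.

```python
"""Offline checks on `getcert list` output: parse each tracking record, flag
the ones needing attention, and emit the matching `getcert start-tracking`
command. Added example; the sample output below is constructed."""
import re
import shlex
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the records quoted in the thread.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20160108170324':
        status: MONITORING
        ca-error: Server at "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied: Profile caServerCert Not Found
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2016-06-28 15:25:11 UTC
        pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
Request ID '20141110133632':
        status: MONITORING
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        CA: IPA
        expires: 2018-06-22 22:02:47 UTC
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
"""

# Assumed reference date: the day the CA self-test failure was posted.
NOW = datetime(2016, 10, 19, tzinfo=timezone.utc)


def parse_getcert_list(text):
    """One dict per 'Request ID' block. The NSS storage fields become nested
    dicts (location, nickname, token, pinfile); other 'key: value' lines stay
    strings. Only the first colon splits, so ca-error URLs survive intact."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"request_id": m.group(1)}
            records.append(cur)
            continue
        if cur is None or ":" not in line:
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key in ("key pair storage", "certificate"):
            cur[key] = dict(re.findall(r"(\w+)='([^']*)'", val))
        else:
            cur[key] = val
    return records


def parse_expiry(value):
    """'2016-06-28 15:25:11 UTC' -> aware datetime (certmonger prints UTC)."""
    return datetime.strptime(value.replace(" UTC", ""),
                             "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def check_health(records, now=NOW, warn_days=30):
    """{nickname: [findings]} for records with a status other than MONITORING,
    a ca-error from the last renewal, or a cert expired / expiring soon."""
    findings = {}
    for r in records:
        nick = r.get("key pair storage", {}).get("nickname") or r["request_id"]
        issues = []
        if r.get("status") != "MONITORING":
            issues.append(f"status {r.get('status')}")
        if r.get("ca-error"):
            issues.append("ca-error: " + r["ca-error"])
        if r.get("expires"):
            exp = parse_expiry(r["expires"])
            if exp <= now:
                issues.append("expired " + r["expires"])
            elif exp - now <= timedelta(days=warn_days):
                issues.append(f"expires within {warn_days} days ({r['expires']})")
        if issues:
            findings[nick] = issues
    return findings


def start_tracking_command(record):
    """`getcert start-tracking` line carrying the fields Flo lists: NSS DB,
    nickname, pinfile, CA helper, pre/post-save commands. Empty fields are
    skipped, so a cert without a pre-save command gets no -B option."""
    store = record["key pair storage"]
    argv = ["getcert", "start-tracking", "-d", store["location"], "-n", store["nickname"]]
    if store.get("pinfile"):
        argv += ["-p", store["pinfile"]]
    if record.get("CA"):
        argv += ["-c", record["CA"]]
    if record.get("pre-save command"):
        argv += ["-B", record["pre-save command"]]
    if record.get("post-save command"):
        argv += ["-C", record["post-save command"]]
    return shlex.join(argv)  # quotes nicknames like 'Server-Cert cert-pki-ca'


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCERT_LIST
    recs = parse_getcert_list(text)
    for nick, issues in check_health(recs, datetime.now(timezone.utc) if text is not SAMPLE_GETCERT_LIST else NOW).items():
        print(f"{nick}: {'; '.join(issues)}")
    for r in recs:
        print(start_tracking_command(r))
```

On the sample, ipaCert is reported both as expired and as carrying the "Profile caServerCert Not Found" ca-error, and the generated command for it is exactly the one Flo gives above; Server-Cert gets no `-B` because its pre-save command is empty. When a real record is in NEWLY_ADDED_NEED_KEYINFO_READ_PIN the status check flags it, which usually means the `-p` pinfile was missing from the start-tracking call.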