On 11/22/2016 06:06 PM, Bertrand Rétif wrote:
Hi Florence,

Thanks for clarification.
Your explanation was very clear and I understand better now.

Now my issue is that I need to start tracking "auditSigningCert
cert-pki-ca", "ocspSigningCert cert-pki-ca" and "subsystemCert
cert-pki-ca" on a server.

I took a look at another server where they are properly tracked. However
getcert list returns "pin set" and not a "pinfile" as described in
your mail.
In "/etc/pki/pki-tomcat/alias" I do not see any pwdfile.txt file, so my
question is where do I get the PIN?

Hi Bertrand,

With IPA 4.2.0 I believe that the pin is stored in /var/lib/pki/pki-tomcat/conf/password.conf, in the 'internal' field:
$ grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf
internal=0123456789101

HTH,
Flo

Once again, thanks for your support, I tried to fix this issue for days!

Regards
Bertrand


--
Bertrand Rétif
Phosphore Services Informatiques - http://www.phosphore.eu
Tel: 04 66 51 87 73 / Mob: 06 61 87 03 30 / Fax: 09 72 12 61 44

------------------------------------------------------------------------

    *From: *"Florence Blanc-Renaud" <f...@redhat.com>
    *To: *"Bertrand Rétif" <bre...@phosphore.eu>, freeipa-users@redhat.com
    *Sent: *Tuesday 22 November 2016 13:17:34
    *Subject: *Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

    On 11/22/2016 11:50 AM, Bertrand Rétif wrote:
    >
    >     *From: *"Florence Blanc-Renaud" <f...@redhat.com>
    >     *To: *"Bertrand Rétif" <bre...@phosphore.eu>, freeipa-users@redhat.com
    >     *Sent: *Tuesday 22 November 2016 11:33:45
    >     *Subject: *Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
    >
    >     On 11/22/2016 10:07 AM, Bertrand Rétif wrote:
    >     >
    >     > ------------------------------------------------------------------------
    >     >
    >     >     *From: *"Bertrand Rétif" <bre...@phosphore.eu>
    >     >     *To: *freeipa-users@redhat.com
    >     >     *Sent: *Tuesday 25 October 2016 17:51:09
    >     >     *Subject: *Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
    >     >
    >     >     ------------------------------------------------------------------------
    >     >
    >     >         *From: *"Florence Blanc-Renaud" <f...@redhat.com>
    >     >         *To: *"Bertrand Rétif" <bre...@phosphore.eu>, freeipa-users@redhat.com
    >     >         *Sent: *Thursday 20 October 2016 18:45:21
    >     >         *Subject: *Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
    >     >
    >     >         On 10/19/2016 08:18 PM, Bertrand Rétif wrote:
    >     >         >     *From: *"Bertrand Rétif" <bre...@phosphore.eu>
    >     >         >     *To: *freeipa-users@redhat.com
    >     >         >     *Sent: *Wednesday 19 October 2016 15:42:07
    >     >         >     *Subject: *Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
    >     >         >
    >     >         >     ------------------------------------------------------------------------
    >     >         >
    >     >         >         *From: *"Rob Crittenden" <rcrit...@redhat.com>
    >     >         >         *To: *"Bertrand Rétif" <bre...@phosphore.eu>, freeipa-users@redhat.com
    >     >         >         *Sent: *Wednesday 19 October 2016 15:30:14
    >     >         >         *Subject: *Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
    >     >         >
    >     >         >         Bertrand Rétif wrote:
    >     >         >         >> From: "Martin Babinsky" <mbabi...@redhat.com>
    >     >         >         >> To: freeipa-users@redhat.com
    >     >         >         >> Sent: Wednesday 19 October 2016 08:45:49
    >     >         >         >> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
    >     >         >         >
    >     >         >         >> On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
    >     >         >         >>> Hello,
    >     >         >         >>>
    >     >         >         >>> I had an issue with pki-tomcat.
    >     >         >         >>> I had several certificates that were expired and pki-tomcat did not start anymore.
    >     >         >         >>>
    >     >         >         >>> I set the date on the server before certificate expiration and then pki-tomcat starts properly.
    >     >         >         >>> Then I try to resubmit the certificate, but I get below error:
    >     >         >         >>> "Profile caServerCert Not Found"
    >     >         >         >>>
    >     >         >         >>> Do you have any idea how I could fix this issue.
    >     >         >         >>>
    >     >         >         >>> Please find below output of commands:
    >     >         >         >>>
    >     >         >         >>> # getcert resubmit -i 20160108170324
    >     >         >         >>>
    >     >         >         >>> # getcert list -i 20160108170324
    >     >         >         >>> Number of certificates and requests being tracked: 7.
    >     >         >         >>> Request ID '20160108170324':
    >     >         >         >>> status: MONITORING
    >     >         >         >>> ca-error: Server at "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied: Profile caServerCert Not Found
    >     >         >         >>> stuck: no
    >     >         >         >>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    >     >         >         >>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    >     >         >         >>> CA: dogtag-ipa-ca-renew-agent
    >     >         >         >>> issuer: CN=Certificate Authority,O=A.SKINFRA.EU
    >     >         >         >>> subject: CN=IPA RA,O=A.SKINFRA.EU
    >     >         >         >>> expires: 2016-06-28 15:25:11 UTC
    >     >         >         >>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    >     >         >         >>> eku: id-kp-serverAuth,id-kp-clientAuth
    >     >         >         >>> pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
    >     >         >         >>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
    >     >         >         >>> track: yes
    >     >         >         >>> auto-renew: yes
    >     >         >         >>>
    >     >         >         >>> Thanks in advance for your help.
    >     >         >         >>> Bertrand
    >     >         >         >>>
    >     >         >         >
    >     >         >         >> Hi Bertrand,
    >     >         >         >
    >     >         >         >> what version of FreeIPA and Dogtag are you running?
    >     >         >         >
    >     >         >         >> Also perform the following search on the IPA master and post the result:
    >     >         >         >
    >     >         >         >> """
    >     >         >         >> ldapsearch -D "cn=Directory Manager" -W -b 'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)'
    >     >         >         >> """
    >     >         >         >
    >     >         >         > Hi Martin,
    >     >         >         >
    >     >         >         > Thanks for your reply.
    >     >         >         >
    >     >         >         > Here is version:
    >     >         >         > - FreeIPA 4.2.0
    >     >         >         > - Centos 7.2
    >     >         >         >
    >     >         >         > I have been able to fix the issue with "Profile caServerCert Not Found" by editing /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
    >     >         >         > I replaced the entry below
    >     >         >         > "subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem"
    >     >         >         > by
    >     >         >         > "subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem"
    >     >         >         >
    >     >         >         > and then launched the "ipa-server-upgrade" command
    >     >         >         > I found this solution in this post:
    >     >         >         > http://osdir.com/ml/freeipa-users/2016-03/msg00280.html
    >     >         >         >
    >     >         >         > Then I was able to renew my certificate.
    >     >         >         >
    >     >         >         > However I rebooted my server too and pki-tomcat does not start and gives a new error in /var/log/pki/pki-tomcat/ca/debug
    >     >         >         >
    >     >         >         > [19/Oct/2016:11:11:52][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca
    >     >         >         > [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC certificate verification
    >     >         >         >
    >     >         >         > java.lang.Exception: SystemCertsVerification: system certs verification failure
    >     >         >         > [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: create() message=[AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)
    >     >         >         > [19/Oct/2016:11:11:52][localhost-startStop-1]: CMSEngine.shutdown()
    >     >         >         >
    >     >         >         > I am currently stuck here.
    >     >         >         > Thanks a lot for your help.
    >     >         >
    >     >         >         I'm guessing at least one of the CA subsystem certificates is
    >     >         >         still expired. Look at the "getcert list" output to see if
    >     >         >         there are any expired certificates.
    >     >         >
    >     >         >         rob
    >     >         >
    >     >         >         >
    >     >         >         > Bertrand
    >     >         >         >
    >     >         >         >
    >     >         >
    >     >         >     Hello Rob,
    >     >         >
    >     >         >     I checked on my 2 servers and no certificate is expired
    >     >         >
    >     >         >     [root@sdkipa03 ~]# getcert list |grep expire
    >     >         >         expires: 2018-06-22 22:02:26 UTC
    >     >         >         expires: 2018-06-22 22:02:47 UTC
    >     >         >         expires: 2034-07-09 15:24:34 UTC
    >     >         >         expires: 2016-10-30 13:35:29 UTC
    >     >         >
    >     >         >     [root@sdkipa01 conf]# getcert list |grep expire
    >     >         >         expires: 2018-06-12 23:38:01 UTC
    >     >         >         expires: 2018-06-12 23:37:41 UTC
    >     >         >         expires: 2018-06-11 22:53:57 UTC
    >     >         >         expires: 2018-06-11 22:55:50 UTC
    >     >         >         expires: 2018-06-11 22:57:47 UTC
    >     >         >         expires: 2034-07-09 15:24:34 UTC
    >     >         >         expires: 2018-06-11 22:59:55 UTC
    >     >         >
    >     >         >     I see that one certificate is in status: CA_UNREACHABLE,
    >     >         >     maybe I rebooted my server too soon...
    >     >         >
    >     >         >     I continue to investigate
    >     >         >
    >     >         >     Thanks for your help.
    >     >         >     Bertrand
    >     >         >
    >     >         > I fixed my previous issue.
    >     >         > Now I have an issue with a server.
    >     >         > This server can not start pki-tomcatd, I get this error in the debug file:
    >     >         > "Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)"
    >     >         >
    >     >         > After investigation I see that I do not have the "ipaCert" certificate in "/etc/httpd/alias"
    >     >         > cf below command:
    >     >         >
    >     >         > [root@sdkipa03 ~]# getcert list -d /etc/httpd/alias
    >     >         > Number of certificates and requests being tracked: 4.
    >     >         > Request ID '20141110133632':
    >     >         >     status: MONITORING
    >     >         >     stuck: no
    >     >         >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    >     >         >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    >     >         >     CA: IPA
    >     >         >     issuer: CN=Certificate Authority,O=A.SKINFRA.EU
    >     >         >     subject: CN=sdkipa03.skinfra.eu,O=A.SKINFRA.EU
    >     >         >     expires: 2018-06-22 22:02:47 UTC
    >     >         >     principal name: HTTP/sdkipa03.skinfra...@a.skinfra.eu
    >     >         >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    >     >         >     eku: id-kp-serverAuth,id-kp-clientAuth
    >     >         >     pre-save command:
    >     >         >     post-save command: /usr/lib64/ipa/certmonger/restart_httpd
    >     >         >     track: yes
    >     >         >     auto-renew: yes
    >     >         >
    >     >         >
    >     >         > How can I add the certificate to /etc/httpd/alias?
    >     >         >
    >     >         Hi,
    >     >
    >     >         for the record, the command getcert list that you supplied shows
    >     >         the certificates in /etc/httpd/alias that are tracked by certmonger.
    >     >         If you want to display all the certificates contained in
    >     >         /etc/httpd/alias (whether tracked or not), then you may want to use
    >     >         certutil -L -d /etc/httpd/alias instead.
    >     >
    >     >         If ipaCert is missing, you can export ipaCert certificate from
    >     >         another master, then import it to your server.
    >     >
    >     >         On a master containing the cert:
    >     >         # certutil -d /etc/httpd/alias -L -n 'ipaCert' -a > /tmp/newRAcert.crt
    >     >
    >     >         Then copy the file /tmp/newRAcert.crt to your server and import
    >     >         the cert:
    >     >         # certutil -d /etc/httpd/alias -A -n 'ipaCert' -a -i /tmp/newRAcert.crt -t u,u,u
    >     >
    >     >         And finally you need to tell certmonger to monitor the cert using
    >     >         getcert start-tracking.
    >     >
    >     >         Hope this helps,
    >     >         Flo.
    >     >
    >     >         > Thanks for your support.
    >     >         > Regards
    >     >         > Bertrand
    >     >         >
    >     >         >
    >     >         >
    >     >
    >     >     Hi,
    >     >
    >     >     Florence, thanks for your help.
    >     >     I was able to import correctly ipaCert with your commands.
    >     >     Now it seems that I also have an issue on one server with
    >     >     "subsystemCert cert-pki-ca" in /etc/pki/pki-tomcat/alias as I get
    >     >     the error below when pki-tomcat tries to start
    >     >
    >     >     LdapJssSSLSocket set client auth cert nickname subsystemCert cert-pki-ca
    >     >     Could not connect to LDAP server host sdkipa03.XX.YY port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
    >     >
    >     >     Is there a way to restore a correct "subsystemCert cert-pki-ca"?
    >     >
    >     >     Regards
    >     >     Bertrand
    >     >
    >     > Hello,
    >     >
    >     > I am still stuck with my IPA server.
    >     > I have issues on both servers.
    >     > On server1, the certificate below is not renewed properly
    >     >    certutil -L -d /etc/httpd/alias/ -n "ipaCert"
    >     >
    >     > and on server 2 it is this certificate:
    >     >   certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "Server-Cert cert-pki-ca"
    >     >
    >     > Could you provide me with the correct syntax for the start-tracking command.
    >     > I tried to launch this command but my certificate remains in the
    >     > "NEWLY_ADDED_NEED_KEYINFO_READ_PIN" state.
    >     > Here is the command I use:
    >     > getcert start-tracking -c dogtag-ipa-retrieve-agent-submit -d \
    >     >   /var/lib/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca' -B \
    >     >   /usr/lib64/ipa/certmonger/stop_pkicad -C \
    >     >   '/usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"' -T \
    >     >   "Server-Cert cert-pki-ca" -P '20160614000000'
    >     >
    >     Hi Bertrand,
    >
    >     to get the right command, you can check on a system where the
    >     certificate is properly monitored, this will show you the right
    >     parameters:
    >     $ sudo getcert list -n ipaCert
    >     Number of certificates and requests being tracked: 8.
    >     Request ID '20161122095344':
    >     [...]
    >             key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    >     [...]
    >             CA: dogtag-ipa-ca-renew-agent
    >     [...]
    >             pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
    >             post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
    >     [...]
    >
    >     The relevant fields are NSSDB location, pinfile, nickname, CA, pre and
    >     post-save commands. So in order to monitor ipaCert, you will need to use
    >     $ sudo getcert start-tracking -d /etc/httpd/alias -n ipaCert \
    >          -p /etc/httpd/alias/pwdfile.txt \
    >          -c dogtag-ipa-ca-renew-agent \
    >          -B /usr/lib64/ipa/certmonger/renew_ra_cert_pre \
    >          -C /usr/lib64/ipa/certmonger/renew_ra_cert
    >
    >     HTH,
    >     Flo.
    >
    >     > Thanks by advance for your help.
    >     >
    >     > Regards
    >     > Bertrand
    >
    > Hello Florence,
    >
    > Thanks for your reply.
    > Before doing any mistakes, I just need some explanations as I think I do
    > not well understand how it should work.
    >
    > Do all the certificates need to be tracked by certmonger on all servers or
    > should they only be tracked on one server and FreeIPA will update them
    > on other servers?
    >
    > In my case I have the certificates below outdated and not tracked on "server 1":
    >    - certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "auditSigningCert cert-pki-ca"
    >    - certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "ocspSigningCert cert-pki-ca"
    >    - certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "subsystemCert cert-pki-ca"
    >
    > They are tracked by certmonger and have been correctly renewed on "server 2"
    > Do I need to add them to be tracked by certmonger on "server 1"?
    > If not, does it mean FreeIPA failed to update them? Should I delete and
    > import them manually on server 2?
    >
    > If you need more details, do not hesitate to ask.
    >
    Hi Bertrand,

    The certificate tracking depends on the type of certificate and on the
    server you're considering. For instance, if IPA includes a Certificate
    Authority, then ipaCert will be present on all the IPA servers
    (master/replicas) and tracked on all of them. The same ipaCert
    certificate is used on all the replicas. On the renewal master, the
    renewal operation actually renews the certificate and uploads the cert
    on LDAP, but on the other replicas the operation consists in downloading
    the new certificate from LDAP.

    The HTTP and LDAP server certificates are present and tracked on all the
    IPA servers, but they are different on each server (you can see that the
    Subject of the certificate contains the hostname). They can be renewed
    independently on each IPA server.

    The certificates used by Dogtag (the component providing the Certificate
    System) are present and tracked only on the IPA servers where the CA was
    set up (for instance if you installed a replica with --setup-ca or if you
    ran ipa-ca-install later on). The same certificates are used on all
    replicas containing a CA instance.
    They are: 'ocspSigningCert cert-pki-ca', 'subsystemCert cert-pki-ca',
    'caSigningCert cert-pki-ca' and 'Server-Cert cert-pki-ca'.
    The renewal operation renews them on the renewal master and uploads them
    in LDAP, but just downloads them from LDAP on the other servers.

    In your example, if server1 also contains a CA instance then it should
    also track the above certs.

    You can find the renewal master with the following ldapsearch command:
    $ ldapsearch -h localhost -p 389 -D 'cn=Directory Manager' -w password \
        -b "cn=masters,cn=ipa,cn=etc,$BASEDN" -LLL \
        '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn
    dn: cn=CA,cn=ipaserver.fqdn,cn=masters,cn=ipa,cn=etc,$BASEDN

    In this case the renewal master is ipaserver.fqdn

    Hope this clarifies,
    Flo.

    > Regards
    > Bertrand
    >
    >
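Added example, not from this thread nor from the FreeIPA or certmonger projects: a small Python audit that parses captured `getcert list` and `certutil -L -d` output, lists the nicknames in an NSS database that certmonger is not tracking (the gap Bertrand found on server 1), and rebuilds the `getcert start-tracking` command from a correctly tracked entry the way Flo derives it, handling both `pinfile=` and `pin set` (where the PIN is the `internal` field of pki-tomcat's password.conf). All sample output is constructed; the CA and pre-/post-save commands on the 'Server-Cert cert-pki-ca' entry are assumed, modelled on the commands quoted in the thread.

```python
import re
import shlex

STORAGE_RE = re.compile(r"(\w+)='([^']*)'")
# certutil -L prints "<nickname><spaces><trust flags>"; nicknames may contain spaces.
TRUST_RE = re.compile(r"^(.*?)\s+([pPcCTuUw]*,[pPcCTuUw]*,[pPcCTuUw]*)$")


def parse_getcert_list(text):
    """Return one dict per "Request ID '...'" block of `getcert list` output."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"request_id": m.group(1)}
            entries.append(cur)
        elif cur is not None and ":" in line:
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()
    for e in entries:
        storage = e.get("key pair storage", "")
        e["storage"] = dict(STORAGE_RE.findall(storage))
        e["pin_set"] = "pin set" in storage  # certmonger holds the PIN itself, no pinfile
    return entries


def parse_certutil_list(text):
    """Return every nickname listed by `certutil -L -d <nssdb>`, tracked or not."""
    return [m.group(1) for m in map(TRUST_RE.match, map(str.strip, text.splitlines())) if m]


def untracked_nicknames(entries, nssdb, nicknames):
    """Nicknames present in `nssdb` that no certmonger request covers."""
    tracked = {e["storage"].get("nickname") for e in entries if e["storage"].get("location") == nssdb}
    return [n for n in nicknames if n not in tracked]


def internal_pin(password_conf_text):
    """PIN of the NSS 'internal' token, read from pki-tomcat's password.conf text."""
    for line in password_conf_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "internal":
            return value.strip()


def start_tracking_command(entry, pin=None):
    """Rebuild the `getcert start-tracking` call from the fields Flo names as relevant."""
    s = entry["storage"]
    args = ["getcert", "start-tracking", "-d", s["location"], "-n", s["nickname"]]
    if "pinfile" in s:
        args += ["-p", s["pinfile"]]
    elif entry["pin_set"]:
        if pin is None:
            raise ValueError("entry uses 'pin set': supply the PIN, e.g. from password.conf")
        args += ["-P", pin]
    for key, flag in (("CA", "-c"), ("pre-save command", "-B"), ("post-save command", "-C")):
        if entry.get(key):
            args += [flag, entry[key]]
    return " ".join(shlex.quote(a) for a in args)


# Constructed sample output, modelled on the listings quoted in the thread.
GETCERT_SAMPLE = """\
Request ID '20160108170324':
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    CA: dogtag-ipa-ca-renew-agent
    pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
Request ID '20160614000000':
    key pair storage: type=NSSDB,location='/var/lib/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    CA: dogtag-ipa-ca-renew-agent
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
"""
CERTUTIL_SAMPLE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
"""
PASSWORD_CONF_SAMPLE = "internal=0123456789101\n"

if __name__ == "__main__":
    for e in parse_getcert_list(GETCERT_SAMPLE):
        print(start_tracking_command(e, pin=internal_pin(PASSWORD_CONF_SAMPLE)))
```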

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
