Thanks Flo,

I was able to add the host to the keytab once I found the correct command
and then was able to issue

[root@id-management-1 pki-tomcat]# ipa-cacert-manage renew
Renewing CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful

But the pki-tomcat still fails to start. From the logs I get:

[root@id-management-1 pki-tomcat]# cat localhost.2017-01-06.log  |less
Jan 06, 2017 7:23:44 AM org.apache.catalina.core.ApplicationContext log
SEVERE: StandardWrapper.Throwable
java.lang.NullPointerException
        at com.netscape.cmscore.selftests.SelfTestSubsystem.shutdown(SelfTestSubsystem.java:1886)
        at com.netscape.cmscore.apps.CMSEngine.shutdownSubsystems(CMSEngine.java:2115)
        at com.netscape.cmscore.apps.CMSEngine.shutdown(CMSEngine.java:2010)
        at com.netscape.certsrv.apps.CMS.shutdown(CMS.java:233)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1625)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
        at javax.servlet.GenericServlet.init(GenericServlet.java:158)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
        at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)

I found this thread: https://www.redhat.com/archives/freeipa-users/2016-February/msg00125.html
but I don't have self-test logs from today, only from yesterday. Here are the
relevant debug logs from the most recent restart:

[06/Jan/2017:11:13:55][localhost-startStop-1]: ============================================
[06/Jan/2017:11:13:55][localhost-startStop-1]: =====  DEBUG SUBSYSTEM INITIALIZED   =======
[06/Jan/2017:11:13:55][localhost-startStop-1]: ============================================
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: done init id=debug
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initialized debug
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initSubsystem id=log
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: ready to init id=log
[06/Jan/2017:11:13:55][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
[06/Jan/2017:11:13:55][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
[06/Jan/2017:11:13:55][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: done init id=log
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initialized log
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: ready to init id=jss
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: done init id=jss
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initialized jss
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: ready to init id=dbs
[06/Jan/2017:11:13:55][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true
[06/Jan/2017:11:13:55][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem)
[06/Jan/2017:11:13:55][localhost-startStop-1]: LdapBoundConnFactory: init
[06/Jan/2017:11:13:55][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
[06/Jan/2017:11:13:55][localhost-startStop-1]: LdapAuthInfo: init()
[06/Jan/2017:11:13:55][localhost-startStop-1]: LdapAuthInfo: init begins
[06/Jan/2017:11:13:55][localhost-startStop-1]: LdapAuthInfo: init ends
[06/Jan/2017:11:13:55][localhost-startStop-1]: init: before makeConnection errorIfDown is true
[06/Jan/2017:11:13:55][localhost-startStop-1]: makeConnection: errorIfDown true
[06/Jan/2017:11:13:55][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
[06/Jan/2017:11:13:55][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
[06/Jan/2017:11:13:55][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
[06/Jan/2017:11:13:55][localhost-startStop-1]: Candidate cert: caSigningCert cert-pki-ca
[06/Jan/2017:11:13:55][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
[06/Jan/2017:11:13:55][localhost-startStop-1]: SSL handshake happened
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine.shutdown()

Is there something else I should be looking at?

Jeff



On Fri, Jan 6, 2017 at 11:23 AM, Florence Blanc-Renaud <f...@redhat.com> wrote:

> On 01/06/2017 04:47 PM, Jeff Goddard wrote:
>
>> Sorry for the typo. here is the correct output:
>> ldapsearch -h id-management-1.internal.emerlyn.com
>> SASL/EXTERNAL authentication started
>> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>>         additional info: SASL(-4): no mechanism available:
>>
>> When I look at the certificates I get errors regarding a host service in
>> the keytab. Here is the output:
>>
>> [root@id-management-1 ca]# getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20150116161829':
>>         status: MONITORING
>>         ca-error: Error setting up ccache for "host" service on client using default keytab: Keytab contains no suitable keys for host/id-management-1.internal.emerlyn....@internal.emerlyn.com.
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-INTERNAL-EMERLYN-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-INTERNAL-EMERLYN-COM/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-INTERNAL-EMERLYN-COM',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>         subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
>>         expires: 2017-01-16 16:18:29 UTC
>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv INTERNAL-EMERLYN-COM
>>         track: yes
>>         auto-renew: yes
>> Request ID '20150116162120':
>>         status: MONITORING
>>         ca-error: Error setting up ccache for "host" service on client using default keytab: Keytab contains no suitable keys for host/id-management-1.internal.emerlyn....@internal.emerlyn.com.
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>         subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
>>         expires: 2017-01-16 16:21:20 UTC
>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>         track: yes
>>         auto-renew: yes
>> Request ID '20151217174142':
>>         status: CA_UNREACHABLE
>>         ca-error: Internal error
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>         subject: CN=CA Audit,O=INTERNAL.EMERLYN.COM
>>         expires: 2017-01-05 16:18:01 UTC
>>         key usage: digitalSignature,nonRepudiation
>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20151217174143':
>>         status: CA_UNREACHABLE
>>         ca-error: Internal error
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>         subject: CN=OCSP Subsystem,O=INTERNAL.EMERLYN.COM
>>         expires: 2017-01-05 16:17:58 UTC
>>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>         eku: id-kp-OCSPSigning
>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20151217174144':
>>         status: CA_UNREACHABLE
>>         ca-error: Internal error
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>         subject: CN=CA Subsystem,O=INTERNAL.EMERLYN.COM
>>         expires: 2017-01-05 16:17:59 UTC
>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20151217174145':
>>         status: CA_UNREACHABLE
>>         ca-error: Internal error
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>         subject: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>         expires: 2035-01-16 16:17:57 UTC
>>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>> Request ID '20151217174146':
>>         status: CA_UNREACHABLE
>>         ca-error: Internal error
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>         CA: dogtag-ipa-ca-renew-agent
>>         issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>         subject: CN=IPA RA,O=INTERNAL.EMERLYN.COM
>>         expires: 2017-01-05 16:18:23 UTC
>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
>>         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>         track: yes
>>         auto-renew: yes
>> Request ID '20151217174147':
>>         status: CA_UNREACHABLE
>>         ca-error: Error 60 connecting to https://id-management-1.internal.emerlyn.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>         CA: dogtag-ipa-renew-agent
>>         issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>         subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
>>         expires: 2017-01-05 16:17:59 UTC
>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth
>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>>         track: yes
>>         auto-renew: yes
>>
>> Looking at the content of /etc/krb5.keytab results in no host entry found:
>>
>> ktutil
>> ktutil:  read_kt /etc/krb5.keytab
>> ktutil:  list
>> slot KVNO Principal
>> ---- ---- ---------------------------------------------------------------------
>>    1    1 cifs/shares-01.internal.emerlyn....@internal.emerlyn.com
>>    2    1 cifs/shares-01.internal.emerlyn....@internal.emerlyn.com
>>    3    1 cifs/shares-01.internal.emerlyn....@internal.emerlyn.com
>>    4    1 cifs/shares-01.internal.emerlyn....@internal.emerlyn.com
>>    5    1 cifs/files-01.internal.emerlyn....@internal.emerlyn.com
>>    6    1 cifs/files-01.internal.emerlyn....@internal.emerlyn.com
>>    7    1 cifs/files-01.internal.emerlyn....@internal.emerlyn.com
>>    8    1 cifs/files-01.internal.emerlyn....@internal.emerlyn.com
>>    9    2 host/files-01.internal.emerlyn....@internal.emerlyn.com
>>   10    2 host/files-01.internal.emerlyn....@internal.emerlyn.com
>>   11    2 host/files-01.internal.emerlyn....@internal.emerlyn.com
>>   12    2 host/files-01.internal.emerlyn....@internal.emerlyn.com
>>
>>
>> Trying to add a host entry:
>> kadmin -q "ktadd -k /etc/krb5.keytab host/id-management-1.internal.emerlyn.com"
>> Authenticating as principal admin/ad...@internal.emerlyn.com with password.
>> kadmin: Client 'admin/ad...@internal.emerlyn.com' not found in Kerberos database
>> while initializing kadmin interface
>>
>> Yet if I issue kinit admin I get a password prompt and appear to get a
>> ticket. What am I missing?
>>
>>
>>
>>
>>
>> On Fri, Jan 6, 2017 at 10:19 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>
>>     Jeff Goddard wrote:
>>     > My environment is freeipa 4.4; centos 7.3. This system was upgraded as
>>     > of yesterday afternoon. I'm unable to start pki-tomcat. The debug log
>>     > shows this entry:
>>     >
>>     > Internal Database Error encountered: Could not connect to LDAP server
>>     > host id-management-1.internal.emerlyn.com port 636 Error
>>     > netscape.ldap.LDAPException: Authentication failed (48)
>>     >         at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
>>     >         at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
>>     >         at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
>>     >         at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
>>     >         at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>>     >         at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
>>     >         at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>>     >         at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>>     >         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     >         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>     >         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>     >         at java.lang.reflect.Method.invoke(Method.java:498)
>>     >         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>>     >         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>>     >         at java.security.AccessController.doPrivileged(Native Method)
>>     >         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>>     >         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
>>     >         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
>>     >         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
>>     >         at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
>>     >         at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
>>     >         at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
>>     >         at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
>>     >         at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
>>     >         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>>     >         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
>>     >         at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>>     >         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>>     >         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>>     >         at java.security.AccessController.doPrivileged(Native Method)
>>     >         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
>>     >         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>>     >         at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
>>     >         at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
>>     >         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>>     >         at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>     >         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>     >         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>     >         at java.lang.Thread.run(Thread.java:745)
>>     >
>>     >
>>     > I'm able to get a kerberos ticket using kinit but ldap search gives this
>>     > error:
>>     >
>>     >  ldapsearch -h id-manaement-1.internal.emerlyn.com -x -b
>>     > "cn=CAcert,cn=ipa,cn=etc,dc=internal,dc=emerlyn,dc=com"
>>     > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>     >
>>     > adding the -d1 debugging tag results in:
>>     >
>>     > ldap_create
>>     > ldap_url_parse_ext(ldap://id-manaement-1.internal.emerlyn.com)
>>     > ldap_sasl_bind
>>     > ldap_send_initial_request
>>     > ldap_new_connection 1 1 0
>>     > ldap_int_open_connection
>>     > ldap_connect_to_host: TCP id-manaement-1.internal.emerlyn.com:389
>>     > ldap_connect_to_host: getaddrinfo failed: Name or service not known
>>     > ldap_err2string
>>     > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>     >
>>     > I'm able to resolve the hostname via nslookup and /etc/hosts has the
>>     > correct mapping entry.
>>     >
>>     > I'm kind of lost at this point and could use some help.
>>     >
>>     > Thanks in advance.
>>
>>     You have a typo in the hostname you're trying to connect to, missing the
>>     'g' in management.
>>
>>     I have a vague memory from other reports of this issue that the problem
>>     may be that the value of the certificate(s) in CS.cfg is different from
>>     the dogtag NSS database. I'd see if those line up.
>>
>>     rob
>>
>>
>>
>>
>> --
>> Jeff
>>
> Hi Jeff,
>
> according to the output of getcert list, many certificates expired just
> yesterday (auditSigningCert cert-pki-ca, ocspSigningCert cert-pki-ca,
> subsystemCert cert-pki-ca, Server-Cert cert-pki-ca in the PKI NSS DB and
> ipaCert in /etc/httpd/alias).
>
> You can refer to this page:
> https://access.redhat.com/solutions/643753
> to fix the issue.
>
> It is likely that dogtag cannot authenticate to LDAP because its
> certificate is expired, and hence refuses to start. IMHO the upgrade is
> just an unlucky coincidence (happening the same day as cert expiration) but
> not the root cause.
>
> HTH,
> Flo.
>
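Added example, not part of this thread and not FreeIPA or certmonger code: a small Python script that parses `getcert list` output of the shape quoted above and flags every tracked certificate that has already expired, expires within a warning window, sits in a status other than MONITORING, or carries a ca-error. Run from cron it would have reported the 2017-01-05 expirations before pki-tomcat stopped coming up. The input is constructed sample output (the hostnames, realm and request ids are placeholders, not the values from the thread), and the reference clock is pinned to 2017-01-06 so the result is reproducible; in practice you would pipe in `getcert list` from the host and pass `datetime.now(timezone.utc)`.

```python
"""Flag certmonger-tracked certificates that need attention.

Added example, not part of the freeipa-users thread: parses the text
format of `getcert list` and reports expired / soon-expiring certificates
and tracking requests that carry an error. Sample input is constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the `getcert list` format; names, realm and paths
# are placeholders, not the real values from the thread.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 3.
Request ID '20150116161829':
        status: MONITORING
        ca-error: Error setting up ccache for "host" service on client using default keytab: Keytab contains no suitable keys for host/ipa.example.test@EXAMPLE.TEST.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=ipa.example.test,O=EXAMPLE.TEST
        expires: 2017-01-16 16:18:29 UTC
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-TEST
        track: yes
        auto-renew: yes
Request ID '20151217174144':
        status: CA_UNREACHABLE
        ca-error: Internal error
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        subject: CN=CA Subsystem,O=EXAMPLE.TEST
        expires: 2017-01-05 16:17:59 UTC
        track: yes
        auto-renew: yes
Request ID '20151217174145':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        subject: CN=Certificate Authority,O=EXAMPLE.TEST
        expires: 2035-01-16 16:17:57 UTC
        track: yes
        auto-renew: yes
"""

# Fixed reference clock (constructed): the day after the expirations in the
# thread, so the output is reproducible. Use datetime.now(timezone.utc) live.
REFERENCE_NOW = datetime(2017, 1, 6, 12, 0, tzinfo=timezone.utc)


def parse_getcert(text):
    """Split `getcert list` output into one dict of 'field: value' per request."""
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
            continue
        if current is None or ":" not in line:
            continue  # header line before the first request, or noise
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return entries


def nickname(entry):
    """NSS nickname from the 'certificate:' field, falling back to the request id."""
    m = re.search(r"nickname='([^']+)'", entry.get("certificate", ""))
    return m.group(1) if m else entry["request_id"]


def parse_expiry(value):
    """certmonger prints 'YYYY-MM-DD HH:MM:SS UTC'; return an aware datetime."""
    stamp = value.replace(" UTC", "")
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def assess(entry, now=REFERENCE_NOW, warn_days=30):
    """Return the list of problems with one tracking request (empty if healthy)."""
    problems = []
    if "expires" in entry:
        exp = parse_expiry(entry["expires"])
        if exp <= now:
            problems.append("EXPIRED %s" % exp.date())
        elif exp - now <= timedelta(days=warn_days):
            problems.append("expires in %d days" % (exp - now).days)
    # Anything other than MONITORING (e.g. CA_UNREACHABLE in the thread) means
    # certmonger cannot renew on its own and someone has to look.
    if entry.get("status") != "MONITORING":
        problems.append("status %s" % entry.get("status", "UNKNOWN"))
    if entry.get("ca-error"):
        problems.append("ca-error: " + entry["ca-error"])
    return problems


def report(text=SAMPLE_GETCERT, now=REFERENCE_NOW, warn_days=30):
    """One dict per request that needs attention; healthy requests are omitted."""
    findings = []
    for entry in parse_getcert(text):
        problems = assess(entry, now, warn_days)
        if problems:
            findings.append({"request_id": entry["request_id"],
                             "nickname": nickname(entry),
                             "problems": problems})
    return findings


if __name__ == "__main__":
    for f in report():
        print("%s (request %s):" % (f["nickname"], f["request_id"]))
        for p in f["problems"]:
            print("    " + p)
```

On the constructed sample this reports the dirsrv Server-Cert (ten days from expiry, plus the keytab ca-error) and the expired subsystemCert in CA_UNREACHABLE, and stays silent on the CA signing certificate that runs to 2035. The warning window is the knob worth tuning: certmonger itself tries to renew well before expiry, so a request that reaches the window with a non-MONITORING status is the one to escalate.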



--
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
