On 01/06/2017 05:36 PM, Jeff Goddard wrote:
Thanks Flo,

I was able to add the host to the keytab once I found the correct
command and then was able to issue

[root@id-management-1 pki-tomcat]# ipa-cacert-manage renew
Renewing CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful

Hi Jeff,

the "ipa-cacert-manage renew" command renews the CA certificate (the one with the alias caSigningCert cert-pki-ca) but not the expired ones. You need to follow the instructions linked in my previous e-mail to fix them first: basically, go back in time by setting the system clock and let certmonger renew them.

HTH,
Flo.

But the pki-tomcat still fails to start. From the logs I get:

[root@id-management-1 pki-tomcat]# cat localhost.2017-01-06.log | less
Jan 06, 2017 7:23:44 AM org.apache.catalina.core.ApplicationContext log
SEVERE: StandardWrapper.Throwable
java.lang.NullPointerException
        at com.netscape.cmscore.selftests.SelfTestSubsystem.shutdown(SelfTestSubsystem.java:1886)
        at com.netscape.cmscore.apps.CMSEngine.shutdownSubsystems(CMSEngine.java:2115)
        at com.netscape.cmscore.apps.CMSEngine.shutdown(CMSEngine.java:2010)
        at com.netscape.certsrv.apps.CMS.shutdown(CMS.java:233)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1625)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
        at javax.servlet.GenericServlet.init(GenericServlet.java:158)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
        at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)

I found this thread:
https://www.redhat.com/archives/freeipa-users/2016-February/msg00125.html
but I don't have self-test logs from today, only from yesterday. Here
are the relevant debug logs from the most recent restart:

[06/Jan/2017:11:13:55][localhost-startStop-1]: ============================================
[06/Jan/2017:11:13:55][localhost-startStop-1]: =====  DEBUG SUBSYSTEM INITIALIZED   =======
[06/Jan/2017:11:13:55][localhost-startStop-1]: ============================================
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: done init id=debug
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initialized debug
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initSubsystem id=log
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: ready to init id=log
[06/Jan/2017:11:13:55][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
[06/Jan/2017:11:13:55][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
[06/Jan/2017:11:13:55][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: done init id=log
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initialized log
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: ready to init id=jss
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: done init id=jss
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initialized jss
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: ready to init id=dbs
[06/Jan/2017:11:13:55][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true
[06/Jan/2017:11:13:55][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem)
[06/Jan/2017:11:13:55][localhost-startStop-1]: LdapBoundConnFactory: init
[06/Jan/2017:11:13:55][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
[06/Jan/2017:11:13:55][localhost-startStop-1]: LdapAuthInfo: init()
[06/Jan/2017:11:13:55][localhost-startStop-1]: LdapAuthInfo: init begins
[06/Jan/2017:11:13:55][localhost-startStop-1]: LdapAuthInfo: init ends
[06/Jan/2017:11:13:55][localhost-startStop-1]: init: before makeConnection errorIfDown is true
[06/Jan/2017:11:13:55][localhost-startStop-1]: makeConnection: errorIfDown true
[06/Jan/2017:11:13:55][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
[06/Jan/2017:11:13:55][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
[06/Jan/2017:11:13:55][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
[06/Jan/2017:11:13:55][localhost-startStop-1]: Candidate cert: caSigningCert cert-pki-ca
[06/Jan/2017:11:13:55][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
[06/Jan/2017:11:13:55][localhost-startStop-1]: SSL handshake happened
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine.shutdown()

Is there something else I should be looking at?

Jeff



On Fri, Jan 6, 2017 at 11:23 AM, Florence Blanc-Renaud <f...@redhat.com> wrote:

    On 01/06/2017 04:47 PM, Jeff Goddard wrote:

        Sorry for the typo. here is the correct output:
        ldapsearch -h id-management-1.internal.emerlyn.com
        SASL/EXTERNAL authentication started
        ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
                additional info: SASL(-4): no mechanism available:




        When I look at the certificates I get errors regarding a host
        service in
        the keytab. Here is the output:

        [root@id-management-1 ca]# getcert list
        Number of certificates and requests being tracked: 8.
        Request ID '20150116161829':
                status: MONITORING
                ca-error: Error setting up ccache for "host" service on client using default keytab: Keytab contains no suitable keys for host/id-management-1.internal.emerlyn....@internal.emerlyn.com.
                stuck: no
                key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-INTERNAL-EMERLYN-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-INTERNAL-EMERLYN-COM/pwdfile.txt'
                certificate: type=NSSDB,location='/etc/dirsrv/slapd-INTERNAL-EMERLYN-COM',nickname='Server-Cert',token='NSS Certificate DB'
                CA: IPA
                issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
                subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
                expires: 2017-01-16 16:18:29 UTC
                key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
                eku: id-kp-serverAuth,id-kp-clientAuth
                pre-save command:
                post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv INTERNAL-EMERLYN-COM
                track: yes
                auto-renew: yes
        Request ID '20150116162120':
                status: MONITORING
                ca-error: Error setting up ccache for "host" service on client using default keytab: Keytab contains no suitable keys for host/id-management-1.internal.emerlyn....@internal.emerlyn.com.
                stuck: no
                key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
                certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
                CA: IPA
                issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
                subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
                expires: 2017-01-16 16:21:20 UTC
                key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
                eku: id-kp-serverAuth,id-kp-clientAuth
                pre-save command:
                post-save command: /usr/lib64/ipa/certmonger/restart_httpd
                track: yes
                auto-renew: yes
        Request ID '20151217174142':
                status: CA_UNREACHABLE
                ca-error: Internal error
                stuck: no
                key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
                certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
                CA: dogtag-ipa-ca-renew-agent
                issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
                subject: CN=CA Audit,O=INTERNAL.EMERLYN.COM
                expires: 2017-01-05 16:18:01 UTC
                key usage: digitalSignature,nonRepudiation
                pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
                post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
                track: yes
                auto-renew: yes
        Request ID '20151217174143':
                status: CA_UNREACHABLE
                ca-error: Internal error
                stuck: no
                key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
                certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
                CA: dogtag-ipa-ca-renew-agent
                issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
                subject: CN=OCSP Subsystem,O=INTERNAL.EMERLYN.COM
                expires: 2017-01-05 16:17:58 UTC
                key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
                eku: id-kp-OCSPSigning
                pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
                post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
                track: yes
                auto-renew: yes
        Request ID '20151217174144':
                status: CA_UNREACHABLE
                ca-error: Internal error
                stuck: no
                key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
                certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
                CA: dogtag-ipa-ca-renew-agent
                issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
                subject: CN=CA Subsystem,O=INTERNAL.EMERLYN.COM
                expires: 2017-01-05 16:17:59 UTC
                key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
                eku: id-kp-serverAuth,id-kp-clientAuth
                pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
                post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
                track: yes
                auto-renew: yes
        Request ID '20151217174145':
                status: CA_UNREACHABLE
                ca-error: Internal error
                stuck: no
                key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
                certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
                CA: dogtag-ipa-ca-renew-agent
                issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
                subject: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
                expires: 2035-01-16 16:17:57 UTC
                key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
                pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
                post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
                track: yes
                auto-renew: yes
        Request ID '20151217174146':
                status: CA_UNREACHABLE
                ca-error: Internal error
                stuck: no
                key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
                certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
                CA: dogtag-ipa-ca-renew-agent
                issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
                subject: CN=IPA RA,O=INTERNAL.EMERLYN.COM
                expires: 2017-01-05 16:18:23 UTC
                key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
                eku: id-kp-serverAuth,id-kp-clientAuth
                pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
                post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
                track: yes
                auto-renew: yes
        Request ID '20151217174147':
                status: CA_UNREACHABLE
                ca-error: Error 60 connecting to https://id-management-1.internal.emerlyn.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
                stuck: no
                key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
                certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
                CA: dogtag-ipa-renew-agent
                issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
                subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
                expires: 2017-01-05 16:17:59 UTC
                key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
                eku: id-kp-serverAuth
                pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
                post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
                track: yes
                auto-renew: yes

        Looking at the content of /etc/krb5.keytab results in no host entry found:

        ktutil
        ktutil:  read_kt /etc/krb5.keytab
        ktutil:  list
        slot KVNO Principal
        ---- ---- ---------------------------------------------------------------------
           1    1 cifs/shares-01.internal.emerlyn....@internal.emerlyn.com
           2    1 cifs/shares-01.internal.emerlyn....@internal.emerlyn.com
           3    1 cifs/shares-01.internal.emerlyn....@internal.emerlyn.com
           4    1 cifs/shares-01.internal.emerlyn....@internal.emerlyn.com
           5    1 cifs/files-01.internal.emerlyn....@internal.emerlyn.com
           6    1 cifs/files-01.internal.emerlyn....@internal.emerlyn.com
           7    1 cifs/files-01.internal.emerlyn....@internal.emerlyn.com
           8    1 cifs/files-01.internal.emerlyn....@internal.emerlyn.com
           9    2 host/files-01.internal.emerlyn....@internal.emerlyn.com
          10    2 host/files-01.internal.emerlyn....@internal.emerlyn.com
          11    2 host/files-01.internal.emerlyn....@internal.emerlyn.com
          12    2 host/files-01.internal.emerlyn....@internal.emerlyn.com


        Trying to add a host entry:
        kadmin -q "ktadd -k /etc/krb5.keytab host/id-management-1.internal.emerlyn.com"
        Authenticating as principal admin/ad...@internal.emerlyn.com with password.
        kadmin: Client 'admin/ad...@internal.emerlyn.com' not found in Kerberos database while initializing kadmin interface

        Yet if I issue kinit admin I get a password prompt and appear to
        get a
        ticket. What am I missing?





        On Fri, Jan 6, 2017 at 10:19 AM, Rob Crittenden <rcrit...@redhat.com> wrote:

            Jeff Goddard wrote:
            > My environment is freeipa 4.4; centos 7.3. This system was upgraded as
            > of yesterday afternoon. I'm unable to start pki-tomcat. The debug log
            > shows this entry:
            >
            > Internal Database Error encountered: Could not connect to LDAP server
            > host id-management-1.internal.emerlyn.com port 636 Error
            > netscape.ldap.LDAPException: Authentication failed (48)
            >         at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
            >         at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
            >         at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
            >         at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
            >         at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
            >         at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
            >         at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
            >         at javax.servlet.GenericServlet.init(GenericServlet.java:158)
            >         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            >         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
            >         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
            >         at java.lang.reflect.Method.invoke(Method.java:498)
            >         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
            >         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
            >         at java.security.AccessController.doPrivileged(Native Method)
            >         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
            >         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
            >         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
            >         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
            >         at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
            >         at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
            >         at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
            >         at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
            >         at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
            >         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
            >         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
            >         at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
            >         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
            >         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
            >         at java.security.AccessController.doPrivileged(Native Method)
            >         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
            >         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
            >         at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
            >         at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
            >         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
            >         at java.util.concurrent.FutureTask.run(FutureTask.java:266)
            >         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
            >         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
            >         at java.lang.Thread.run(Thread.java:745)
            >
            >
            > I'm able to get a kerberos ticket using kinit but ldap search gives this
            > error:
            >
            >  ldapsearch -h id-manaement-1.internal.emerlyn.com -x -b
            > "cn=CAcert,cn=ipa,cn=etc,dc=internal,dc=emerlyn,dc=com"
            > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
            >
            > adding the -d1 debugging tag results in:
            >
            > ldap_create
            > ldap_url_parse_ext(ldap://id-manaement-1.internal.emerlyn.com)
            > ldap_sasl_bind
            > ldap_send_initial_request
            > ldap_new_connection 1 1 0
            > ldap_int_open_connection
            > ldap_connect_to_host: TCP id-manaement-1.internal.emerlyn.com:389
            > ldap_connect_to_host: getaddrinfo failed: Name or service not known
            > ldap_err2string
            > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
            >
            > I'm able to resolve the hostname via nslookup and /etc/hosts has the
            > correct mapping entry.
            >
            > I'm kind of lost at this point and could use some help.
            >
            > Thanks in advance.

            You have a typo in the hostname you're trying to connect to,
        missing the
            'g' in management.

            I have a vague memory from other reports of this issue that
        the problem
            may be that the value of the certificate(s) in CS.cfg is
        different from
            the dogtag NSS database. I'd see if those line up.

            rob




        --
        Jeff



    Hi Jeff,

    according to the output of getcert list, many certificates expired
    just yesterday (auditSigningCert cert-pki-ca, ocspSigningCert
    cert-pki-ca, subsystemCert cert-pki-ca, Server-Cert cert-pki-ca in
    the PKI NSS DB and ipaCert in /etc/httpd/alias).

    You can refer to this page:
    https://access.redhat.com/solutions/643753
    <https://access.redhat.com/solutions/643753>
    to fix the issue.

    It is likely that dogtag cannot authenticate to LDAP because its
    certificate is expired, and hence refuses to start. IMHO the upgrade
    is just an unlucky coincidence (happening the same day as cert
    expiration) but not the root cause.

    HTH,
    Flo.
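Flo's diagnosis above rests on reading the expiry dates out of Jeff's `getcert list` paste by eye, and her fix is to set the clock back to a time when the expired certificates were still valid so certmonger can renew them. Below is an added example (not code from FreeIPA, certmonger, or anyone in this thread) that does that triage mechanically: it parses `getcert list` output, splits the tracked certificates into expired and still-valid relative to a reference time, and computes a clock value just before the earliest expiry among the expired ones. The sample input is constructed from the request IDs, nicknames, statuses and expiry dates in Jeff's paste, trimmed to the fields the parser reads; the one-day margin in `clock_target` is a heuristic, and the Red Hat solution Flo links remains the authoritative procedure.

```python
"""Triage of `getcert list` output: which tracked certificates are already
expired at a reference time, and a clock value that puts all of them back
inside their validity period for the clock-rollback renewal Flo describes.

Added example for this thread, not FreeIPA or certmonger project code. The
sample is constructed from Jeff's paste, trimmed to the fields the parser
reads; on a server the input is the output of `getcert list` run as root.
"""
import re
from datetime import datetime, timedelta, timezone

SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 7.
Request ID '20150116161829':
        status: MONITORING
        ca-error: Error setting up ccache for "host" service on client using default keytab
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-INTERNAL-EMERLYN-COM',nickname='Server-Cert',token='NSS Certificate DB'
        expires: 2017-01-16 16:18:29 UTC
Request ID '20151217174142':
        status: CA_UNREACHABLE
        ca-error: Internal error
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        expires: 2017-01-05 16:18:01 UTC
Request ID '20151217174143':
        status: CA_UNREACHABLE
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        expires: 2017-01-05 16:17:58 UTC
Request ID '20151217174144':
        status: CA_UNREACHABLE
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        expires: 2017-01-05 16:17:59 UTC
Request ID '20151217174145':
        status: CA_UNREACHABLE
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        expires: 2035-01-16 16:17:57 UTC
Request ID '20151217174146':
        status: CA_UNREACHABLE
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        expires: 2017-01-05 16:18:23 UTC
Request ID '20151217174147':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://id-management-1.internal.emerlyn.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        expires: 2017-01-05 16:17:59 UTC
"""

RE_REQUEST = re.compile(r"^Request ID '(?P<id>[^']+)':")
RE_FIELD = re.compile(r"^\s+(?P<key>[a-z -]+): ?(?P<val>.*)$")
RE_NICK = re.compile(r"nickname='(?P<nick>[^']+)'")


def parse_getcert(text):
    """One dict per 'Request ID' block; 'expires' becomes an aware UTC datetime."""
    entries, cur = [], None
    for line in text.splitlines():
        m = RE_REQUEST.match(line)
        if m:
            cur = {"id": m.group("id")}
            entries.append(cur)
            continue
        m = RE_FIELD.match(line) if cur is not None else None
        if not m:
            continue
        key, val = m.group("key").strip(), m.group("val").strip()
        if key == "key pair storage":
            n = RE_NICK.search(val)
            cur["nickname"] = n.group("nick") if n else val
        elif key == "expires":
            # '%Z' accepts the literal 'UTC' but leaves the datetime naive.
            cur["expires"] = datetime.strptime(val, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
        else:
            cur[key] = val
    return entries


def triage(entries, now):
    """Split entries into (expired, still_valid) relative to aware datetime `now`."""
    dated = [e for e in entries if "expires" in e]
    return ([e for e in dated if e["expires"] <= now],
            [e for e in dated if e["expires"] > now])


def clock_target(expired, margin=timedelta(days=1)):
    """Heuristic rollback target: a moment before the EARLIEST expiry among the
    expired certs, so every one of them is valid again at that clock value."""
    return min(e["expires"] for e in expired) - margin if expired else None


def summarize(text, now_iso):
    """String-only entry point: parse `text` and classify against a UTC ISO time."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    expired, valid = triage(parse_getcert(text), now)
    target = clock_target(expired)
    return {"expired": sorted(e["nickname"] for e in expired),
            "valid": sorted(e["nickname"] for e in valid),
            "clock_target": target.isoformat() if target else None}


if __name__ == "__main__":
    # 2017-01-06T17:36 UTC is the timestamp of the mail being answered here.
    print(summarize(SAMPLE_GETCERT, "2017-01-06T17:36:00"))
```

Run against Jeff's data at the time of his mail, this reports five expired certificates (auditSigningCert, ocspSigningCert, subsystemCert and Server-Cert in the pki-tomcat NSS DB, plus ipaCert in /etc/httpd/alias), leaves the CA signing certificate and the directory server certificate as valid, and proposes a clock value of 2017-01-04 16:17:58 UTC. The debug log Jeff posted shows the other side of the same fact: with subsystemCert expired, the client-certificate selection callback finds only caSigningCert as a candidate and returns null, so Dogtag cannot authenticate to LDAP.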




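Rob's earlier remark, that the certificate values in CS.cfg may differ from what is in the Dogtag NSS database, is a check worth automating once the renewals go through, because a certificate renewed into the NSS DB while CS.cfg still carries the old one leaves pki-tomcat unable to start. The following added example (not Dogtag or FreeIPA project code) reads the ca.*.cert entries from a CS.cfg, exports each nickname from the NSS DB with `certutil -L -d DB -n NICK -a`, normalises both to bare base64 and reports match, mismatch or absence per key. The CS.cfg path and the ca.<subsystem>.cert key names are assumptions taken from a stock pki-tomcat CA instance and should be verified against your own file; the nicknames are the ones in Jeff's `getcert list` output. The comparison itself is pure, so the offline fixture at the bottom (fake base64 bodies, not real certificates) exercises it without certutil.

```python
"""Compare the certificates recorded in pki-tomcat's CS.cfg with the ones in
the Dogtag NSS database, the mismatch Rob suggests checking for.

Added example for this thread, not Dogtag or FreeIPA project code. CS_CFG and
the ca.<subsystem>.cert keys are assumed from a stock pki-tomcat CA; verify
them against your own CS.cfg. Nicknames are those in Jeff's getcert output.
"""
import re
import subprocess

CS_CFG = "/etc/pki/pki-tomcat/ca/CS.cfg"   # assumed stock path
NSS_DB = "/etc/pki/pki-tomcat/alias"       # as in Jeff's getcert output

# CS.cfg key -> NSS nickname (keys assumed from a stock CS.cfg).
CERT_KEYS = {
    "ca.signing.cert": "caSigningCert cert-pki-ca",
    "ca.ocsp_signing.cert": "ocspSigningCert cert-pki-ca",
    "ca.audit_signing.cert": "auditSigningCert cert-pki-ca",
    "ca.subsystem.cert": "subsystemCert cert-pki-ca",
    "ca.sslserver.cert": "Server-Cert cert-pki-ca",
}


def pem_to_b64(pem):
    """Strip PEM armour and all whitespace: CS.cfg stores the bare base64 body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return "".join(body.split())


def cs_cfg_certs(text):
    """Map each ca.*.cert key present in CS.cfg text to its base64 value."""
    found = {}
    for line in text.splitlines():
        key, sep, val = line.partition("=")
        if sep and key.strip() in CERT_KEYS:
            found[key.strip()] = "".join(val.split())
    return found


def nss_cert_b64(nickname, db=NSS_DB):
    """Export one certificate from the NSS DB as bare base64 (needs certutil, root)."""
    out = subprocess.run(["certutil", "-L", "-d", db, "-n", nickname, "-a"],
                         check=True, capture_output=True, text=True).stdout
    return pem_to_b64(out)


def compare(cfg_certs, nss_certs):
    """Per CS.cfg key: 'match', 'MISMATCH', 'missing in CS.cfg' or 'missing in NSS'."""
    verdict = {}
    for key, nick in CERT_KEYS.items():
        c, n = cfg_certs.get(key), nss_certs.get(nick)
        if c is None:
            verdict[key] = "missing in CS.cfg"
        elif n is None:
            verdict[key] = "missing in NSS"
        else:
            verdict[key] = "match" if c == n else "MISMATCH"
    return verdict


def check_live(cs_cfg=CS_CFG, db=NSS_DB):
    """Run the comparison against the real files (as root on the IPA CA host)."""
    with open(cs_cfg) as f:
        cfg = cs_cfg_certs(f.read())
    nss = {nick: nss_cert_b64(nick, db) for nick in CERT_KEYS.values()}
    return compare(cfg, nss)


# Constructed offline fixture with fake base64 bodies, NOT real certificates:
# audit_signing is stale in CS.cfg, sslserver has no cert entry in CS.cfg.
SAMPLE_CS_CFG = """\
ca.signing.cert=MIIfakeSIGNING
ca.ocsp_signing.cert=MIIfakeOCSP
ca.audit_signing.cert=MIIfakeAUDITbeforeRenewal
ca.subsystem.cert=MIIfakeSUBSYSTEM
ca.sslserver.nickname=Server-Cert cert-pki-ca
"""
SAMPLE_NSS_PEM = {
    "caSigningCert cert-pki-ca": "-----BEGIN CERTIFICATE-----\nMIIfakeSIGNING\n-----END CERTIFICATE-----\n",
    "ocspSigningCert cert-pki-ca": "-----BEGIN CERTIFICATE-----\nMIIfake\nOCSP\n-----END CERTIFICATE-----\n",
    "auditSigningCert cert-pki-ca": "-----BEGIN CERTIFICATE-----\nMIIfakeAUDITafterRenewal\n-----END CERTIFICATE-----\n",
    "subsystemCert cert-pki-ca": "-----BEGIN CERTIFICATE-----\nMIIfakeSUBSYSTEM\n-----END CERTIFICATE-----\n",
    "Server-Cert cert-pki-ca": "-----BEGIN CERTIFICATE-----\nMIIfakeSERVER\n-----END CERTIFICATE-----\n",
}


def check_sample():
    """Offline run over the constructed fixture."""
    nss = {nick: pem_to_b64(pem) for nick, pem in SAMPLE_NSS_PEM.items()}
    return compare(cs_cfg_certs(SAMPLE_CS_CFG), nss)


if __name__ == "__main__":
    for key, verdict in check_sample().items():
        print(f"{key:<24} {verdict}")
```

On the fixture the ocsp entry matches even though certutil wraps its PEM body across lines, because both sides are compared after whitespace is stripped; the audit entry is flagged MISMATCH and the sslserver entry is reported missing from CS.cfg. On a live server, call `check_live()` as root after the certmonger renewals and treat any MISMATCH as the thing to fix before restarting pki-tomcat.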
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
