Flo, I'm not able to access the link you posted. I did find this thread though https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html and have set the time back and resubmitted a request. Still no success. Any further hints?
On Fri, Jan 6, 2017 at 11:52 AM, Florence Blanc-Renaud <f...@redhat.com> wrote:
> On 01/06/2017 05:36 PM, Jeff Goddard wrote:
>> Thanks Flo,
>>
>> I was able to add the host to the keytab once I found the correct
>> command and then was able to issue
>>
>> [root@id-management-1 pki-tomcat]# ipa-cacert-manage renew
>> Renewing CA certificate, please wait
>> CA certificate successfully renewed
>> The ipa-cacert-manage command was successful
>>
> Hi Jeff,
>
> the "ipa-cacert-manage renew" command renews the CA certificate (the one
> with the alias caSigningCert cert-pki-ca) but not the expired ones. You
> need to follow the instructions linked in my previous e-mail to fix them
> first, basically go back in time by setting the system clock time and let
> certmonger renew them.
>
> HTH,
> Flo.
>
>> But the pki-tomcat still fails to start. From the logs I get:
>>
>> [root@id-management-1 pki-tomcat]# cat localhost.2017-01-06.log |less
>> Jan 06, 2017 7:23:44 AM org.apache.catalina.core.ApplicationContext log
>> SEVERE: StandardWrapper.Throwable
>> java.lang.NullPointerException
>>         at com.netscape.cmscore.selftests.SelfTestSubsystem.shutdown(SelfTestSubsystem.java:1886)
>>         at com.netscape.cmscore.apps.CMSEngine.shutdownSubsystems(CMSEngine.java:2115)
>>         at com.netscape.cmscore.apps.CMSEngine.shutdown(CMSEngine.java:2010)
>>         at com.netscape.certsrv.apps.CMS.shutdown(CMS.java:233)
>>         at com.netscape.certsrv.apps.CMS.start(CMS.java:1625)
>>         at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>>         at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>         at java.lang.reflect.Method.invoke(Method.java:498)
>>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>>         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
>>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
>>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
>>         at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
>>         at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
>>         at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
>>         at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
>>         at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
>>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>>         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
>>         at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
>>         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>>         at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
>>         at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
>>         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>>         at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>         at java.lang.Thread.run(Thread.java:745)
>>
>> I found this thread:
>> https://www.redhat.com/archives/freeipa-users/2016-February/msg00125.html
>> but I don't have self-test logs from today, only from yesterday. Here
>> are the relevant debug logs from the most recent restart:
>>
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: ============================================
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED =======
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: ============================================
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: done init id=debug
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initialized debug
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initSubsystem id=log
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: ready to init id=log
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: done init id=log
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initialized log
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: ready to init id=jss
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: done init id=jss
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initialized jss
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: ready to init id=dbs
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem)
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: LdapBoundConnFactory: init
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: LdapAuthInfo: init()
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: LdapAuthInfo: init begins
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: LdapAuthInfo: init ends
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: init: before makeConnection errorIfDown is true
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: makeConnection: errorIfDown true
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: Candidate cert: caSigningCert cert-pki-ca
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: SSL handshake happened
>> [06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine.shutdown()
>>
>> Is there something else I should be looking at?
>>
>> Jeff
>>
>> On Fri, Jan 6, 2017 at 11:23 AM, Florence Blanc-Renaud <f...@redhat.com> wrote:
>>> On 01/06/2017 04:47 PM, Jeff Goddard wrote:
>>>> Sorry for the typo. Here is the correct output:
>>>> ldapsearch -h id-management-1.internal.emerlyn.com
>>>> SASL/EXTERNAL authentication started
>>>> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>>>>         additional info: SASL(-4): no mechanism available:
>>>>
>>>> When I look at the certificates I get errors regarding a host service in
>>>> the keytab. Here is the output:
>>>>
>>>> [root@id-management-1 ca]# getcert list
>>>> Number of certificates and requests being tracked: 8.
>>>> Request ID '20150116161829':
>>>>         status: MONITORING
>>>>         ca-error: Error setting up ccache for "host" service on client using default keytab: Keytab contains no suitable keys for host/id-management-1.internal.emerlyn....@internal.emerlyn.com.
>>>>         stuck: no
>>>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-INTERNAL-EMERLYN-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-INTERNAL-EMERLYN-COM/pwdfile.txt'
>>>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-INTERNAL-EMERLYN-COM',nickname='Server-Cert',token='NSS Certificate DB'
>>>>         CA: IPA
>>>>         issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>>>         subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
>>>>         expires: 2017-01-16 16:18:29 UTC
>>>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>         pre-save command:
>>>>         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv INTERNAL-EMERLYN-COM
>>>>         track: yes
>>>>         auto-renew: yes
>>>> Request ID '20150116162120':
>>>>         status: MONITORING
>>>>         ca-error: Error setting up ccache for "host" service on client using default keytab: Keytab contains no suitable keys for host/id-management-1.internal.emerlyn....@internal.emerlyn.com.
>>>>         stuck: no
>>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>>         CA: IPA
>>>>         issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>>>         subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
>>>>         expires: 2017-01-16 16:21:20 UTC
>>>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>         pre-save command:
>>>>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>>         track: yes
>>>>         auto-renew: yes
>>>> Request ID '20151217174142':
>>>>         status: CA_UNREACHABLE
>>>>         ca-error: Internal error
>>>>         stuck: no
>>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>         CA: dogtag-ipa-ca-renew-agent
>>>>         issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>>>         subject: CN=CA Audit,O=INTERNAL.EMERLYN.COM
>>>>         expires: 2017-01-05 16:18:01 UTC
>>>>         key usage: digitalSignature,nonRepudiation
>>>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>>>         track: yes
>>>>         auto-renew: yes
>>>> Request ID '20151217174143':
>>>>         status: CA_UNREACHABLE
>>>>         ca-error: Internal error
>>>>         stuck: no
>>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>         CA: dogtag-ipa-ca-renew-agent
>>>>         issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>>>         subject: CN=OCSP Subsystem,O=INTERNAL.EMERLYN.COM
>>>>         expires: 2017-01-05 16:17:58 UTC
>>>>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>>         eku: id-kp-OCSPSigning
>>>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>>>         track: yes
>>>>         auto-renew: yes
>>>> Request ID '20151217174144':
>>>>         status: CA_UNREACHABLE
>>>>         ca-error: Internal error
>>>>         stuck: no
>>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>>         CA: dogtag-ipa-ca-renew-agent
>>>>         issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>>>         subject: CN=CA Subsystem,O=INTERNAL.EMERLYN.COM
>>>>         expires: 2017-01-05 16:17:59 UTC
>>>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>>>         track: yes
>>>>         auto-renew: yes
>>>> Request ID '20151217174145':
>>>>         status: CA_UNREACHABLE
>>>>         ca-error: Internal error
>>>>         stuck: no
>>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>         CA: dogtag-ipa-ca-renew-agent
>>>>         issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>>>         subject: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>>>         expires: 2035-01-16 16:17:57 UTC
>>>>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>>>>         track: yes
>>>>         auto-renew: yes
>>>> Request ID '20151217174146':
>>>>         status: CA_UNREACHABLE
>>>>         ca-error: Internal error
>>>>         stuck: no
>>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>>         CA: dogtag-ipa-ca-renew-agent
>>>>         issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>>>         subject: CN=IPA RA,O=INTERNAL.EMERLYN.COM
>>>>         expires: 2017-01-05 16:18:23 UTC
>>>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>         pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
>>>>         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>>>         track: yes
>>>>         auto-renew: yes
>>>> Request ID '20151217174147':
>>>>         status: CA_UNREACHABLE
>>>>         ca-error: Error 60 connecting to https://id-management-1.internal.emerlyn.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
>>>>         stuck: no
>>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>>>         CA: dogtag-ipa-renew-agent
>>>>         issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>>>         subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
>>>>         expires: 2017-01-05 16:17:59 UTC
>>>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>         eku: id-kp-serverAuth
>>>>         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>>>>         track: yes
>>>>         auto-renew: yes
>>>>
>>>> Looking at the content of /etc/krb5.keytab results in no host entry found:
>>>>
>>>> ktutil
>>>> ktutil:  read_kt /etc/krb5.keytab
>>>> ktutil:  list
>>>> slot KVNO Principal
>>>> ---- ---- ---------------------------------------------------------------------
>>>>    1    1 cifs/shares-01.internal.emerlyn....@internal.emerlyn.com
>>>>    2    1 cifs/shares-01.internal.emerlyn....@internal.emerlyn.com
>>>>    3    1 cifs/shares-01.internal.emerlyn....@internal.emerlyn.com
>>>>    4    1 cifs/shares-01.internal.emerlyn....@internal.emerlyn.com
>>>>    5    1 cifs/files-01.internal.emerlyn....@internal.emerlyn.com
>>>>    6    1 cifs/files-01.internal.emerlyn....@internal.emerlyn.com
>>>>    7    1 cifs/files-01.internal.emerlyn....@internal.emerlyn.com
>>>>    8    1 cifs/files-01.internal.emerlyn....@internal.emerlyn.com
>>>>    9    2 host/files-01.internal.emerlyn....@internal.emerlyn.com
>>>>   10    2 host/files-01.internal.emerlyn....@internal.emerlyn.com
>>>>   11    2 host/files-01.internal.emerlyn....@internal.emerlyn.com
>>>>   12    2 host/files-01.internal.emerlyn....@internal.emerlyn.com
>>>>
>>>> Trying to add a host entry:
>>>> kadmin -q "ktadd -k /etc/krb5.keytab host/id-management-1.internal.emerlyn.com"
>>>> Authenticating as principal admin/ad...@internal.emerlyn.com with password.
>>>> kadmin: Client 'admin/ad...@internal.emerlyn.com' not found in Kerberos database while initializing kadmin interface
>>>>
>>>> Yet if I issue kinit admin I get a password prompt and appear to get a
>>>> ticket. What am I missing?
>>>>
>>>> On Fri, Jan 6, 2017 at 10:19 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>>> Jeff Goddard wrote:
>>>>>> My environment is freeipa 4.4; centos 7.3. This system was upgraded as
>>>>>> of yesterday afternoon. I'm unable to start pki-tomcat. The debug log
>>>>>> shows this entry:
>>>>>>
>>>>>> Internal Database Error encountered: Could not connect to LDAP server
>>>>>> host id-management-1.internal.emerlyn.com port 636 Error
>>>>>> netscape.ldap.LDAPException: Authentication failed (48)
>>>>>>         at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
>>>>>>         at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
>>>>>>         at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
>>>>>>         at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
>>>>>>         at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>>>>>>         at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
>>>>>>         at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>>>>>>         at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>>>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>         at java.lang.reflect.Method.invoke(Method.java:498)
>>>>>>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>>>>>>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>>>>>>         at java.security.AccessController.doPrivileged(Native Method)
>>>>>>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>>>>>>         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
>>>>>>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
>>>>>>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
>>>>>>         at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
>>>>>>         at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
>>>>>>         at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
>>>>>>         at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
>>>>>>         at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
>>>>>>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>>>>>>         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
>>>>>>         at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>>>>>>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>>>>>>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>>>>>>         at java.security.AccessController.doPrivileged(Native Method)
>>>>>>         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
>>>>>>         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>>>>>>         at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
>>>>>>         at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
>>>>>>         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>>>>>>         at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>>>>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>         at java.lang.Thread.run(Thread.java:745)
>>>>>>
>>>>>> I'm able to get a kerberos ticket using kinit but ldap search gives this
>>>>>> error:
>>>>>>
>>>>>> ldapsearch -h id-manaement-1.internal.emerlyn.com -x -b
>>>>>> "cn=CAcert,cn=ipa,cn=etc,dc=internal,dc=emerlyn,dc=com"
>>>>>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>>>>>
>>>>>> adding the -d1 debugging tag results in:
>>>>>>
>>>>>> ldap_create
>>>>>> ldap_url_parse_ext(ldap://id-manaement-1.internal.emerlyn.com)
>>>>>> ldap_sasl_bind
>>>>>> ldap_send_initial_request
>>>>>> ldap_new_connection 1 1 0
>>>>>> ldap_int_open_connection
>>>>>> ldap_connect_to_host: TCP id-manaement-1.internal.emerlyn.com:389
>>>>>> ldap_connect_to_host: getaddrinfo failed: Name or service not known
>>>>>> ldap_err2string
>>>>>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>>>>>
>>>>>> I'm able to resolve the hostname via nslookup and /etc/hosts has the
>>>>>> correct mapping entry.
>>>>>>
>>>>>> I'm kind of lost at this point and could use some help.
>>>>>>
>>>>>> Thanks in advance.
>>>>>
>>>>> You have a typo in the hostname you're trying to connect to, missing the
>>>>> 'g' in management.
>>>>>
>>>>> I have a vague memory from other reports of this issue that the problem
>>>>> may be that the value of the certificate(s) in CS.cfg is different from
>>>>> the dogtag NSS database. I'd see if those line up.
>>>>>
>>>>> rob
>>>>
>>>> --
>>>> Jeff
>>>
>>> Hi Jeff,
>>>
>>> according to the output of getcert list, many certificates expired
>>> just yesterday (auditSigningCert cert-pki-ca, ocspSigningCert
>>> cert-pki-ca, subsystemCert cert-pki-ca, Server-Cert cert-pki-ca in
>>> the PKI NSS DB and ipaCert in /etc/httpd/alias).
>>>
>>> You can refer to this page:
>>> https://access.redhat.com/solutions/643753
>>> to fix the issue.
>>>
>>> It is likely that dogtag cannot authenticate to LDAP because its
>>> certificate is expired, and hence refuses to start. IMHO the upgrade
>>> is just an unlucky coincidence (happening the same day as cert
>>> expiration) but not the root cause.
>>>
>>> HTH,
>>> Flo.
>>
>> --
>>
>

--
Jeff
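Flo's diagnosis rests on reading the `getcert list` output and noticing that several Dogtag certificates (subsystemCert, auditSigningCert, ocspSigningCert, Server-Cert cert-pki-ca, ipaCert) had expired the day before, which is why Dogtag can no longer bind to LDAP with its client certificate. The check below is an added example for this thread, not code from FreeIPA or certmonger: it parses the plain-text layout `getcert list` prints (a `Request ID '...':` header followed by indented `key: value` lines, exactly as quoted above) and flags every tracked request that is expired, expires within a warning window, or is not in `MONITORING` state. The embedded sample is constructed for the example and mirrors three of the eight requests in the thread; on a real IPA server the same script can be fed the live output (`getcert list | python3 check_getcert.py`, where the file name is assumed).

```python
"""Flag expired, expiring or non-MONITORING certmonger requests.

Added example for the thread above; not FreeIPA's or certmonger's code.
It assumes the `getcert list` text layout seen in the thread.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the getcert list output quoted in the thread.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20150116161829':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-INTERNAL-EMERLYN-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
        expires: 2017-01-16 16:18:29 UTC
        track: yes
        auto-renew: yes
Request ID '20151217174144':
        status: CA_UNREACHABLE
        ca-error: Internal error
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        CA: dogtag-ipa-ca-renew-agent
        subject: CN=CA Subsystem,O=INTERNAL.EMERLYN.COM
        expires: 2017-01-05 16:17:59 UTC
        track: yes
        auto-renew: yes
Request ID '20151217174145':
        status: CA_UNREACHABLE
        ca-error: Internal error
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        CA: dogtag-ipa-ca-renew-agent
        subject: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
        expires: 2035-01-16 16:17:57 UTC
        track: yes
        auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
NICKNAME_RE = re.compile(r"nickname='([^']*)'")


def parse_getcert_list(text):
    """Split getcert list output into one dict of key/value fields per request."""
    requests, current = [], None
    for raw in text.splitlines():
        header = REQUEST_RE.match(raw)
        if header:
            current = {"request_id": header.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in raw:
            continue  # preamble line such as the "Number of certificates" summary
        key, _, value = raw.strip().partition(":")  # split on the first colon only:
        current[key.strip()] = value.strip()        # ca-error values contain URLs
    return requests


def parse_expiry(value):
    """getcert prints expiry as e.g. '2017-01-05 16:17:59 UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


# Time of the pki-tomcat restart quoted in the thread, used as the reference "now".
THREAD_RESTART_TIME = parse_expiry("2017-01-06 11:13:55 UTC")


def check_certificates(text, now, warn_days=30):
    """Classify each tracked request as EXPIRED, EXPIRING (within warn_days) or OK."""
    findings = []
    for req in parse_getcert_list(text):
        nick = NICKNAME_RE.search(req.get("key pair storage", ""))
        expires = parse_expiry(req["expires"])
        remaining = expires - now
        if remaining <= timedelta(0):
            verdict = "EXPIRED"
        elif remaining <= timedelta(days=warn_days):
            verdict = "EXPIRING"
        else:
            verdict = "OK"
        status = req.get("status", "")
        findings.append({
            "request_id": req["request_id"],
            "nickname": nick.group(1) if nick else "?",
            "status": status,
            "ca_error": req.get("ca-error", ""),
            "expires": expires,
            "verdict": verdict,
            # A valid cert whose renewal is failing (CA_UNREACHABLE) still needs a look.
            "needs_attention": verdict != "OK" or status != "MONITORING",
        })
    return findings


if __name__ == "__main__":
    live = not sys.stdin.isatty()  # piped from `getcert list` on a real server
    text = sys.stdin.read() if live else SAMPLE_GETCERT_OUTPUT
    now = datetime.now(timezone.utc) if live else THREAD_RESTART_TIME
    for f in check_certificates(text, now):
        flag = "!!" if f["needs_attention"] else "  "
        print(f"{flag} {f['request_id']} {f['nickname']:<28} {f['status']:<15} "
              f"{f['verdict']:<8} expires {f['expires']:%Y-%m-%d}  {f['ca_error']}")
```

Run against the sample with the thread's restart time as "now", the check reports subsystemCert cert-pki-ca as EXPIRED, the dirsrv Server-Cert as EXPIRING (ten days left) and caSigningCert cert-pki-ca as valid until 2035 but still flagged because its request sits in CA_UNREACHABLE; that last case is the one that matters operationally, since a certificate can be healthy while the renewal machinery behind it is already broken.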
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project