[Freeipa-users] Re: Request failed with status 500: Non-2xx response from CA REST API: 500. - pki-tomcatd fails to start

2017-09-12 Thread Rob Crittenden via FreeIPA-users
Winfried de Heiden wrote:
> Hi all,
> 
> Yes, there was a discrepancy in the certificates and it was fixed by using
> https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/.
> 
> Thanks for that!
> 
> Now, getcert list still shows errors. The certmonger log shows:
> 
> Sep 12 14:05:35 ipa.blabla.bla certmonger[11551]: 2017-09-12 14:05:35
> [11551] Server at https://ipa.blabla.bla/ipa/xml failed request, will
> retry: 4035 (RPC failed at server.  Request failed with status 500:
> Non-2xx response from CA REST API: 500. *Policy Set Not Found*).
> 
> Sep 12 14:05:59 ipa.blabla.bla certmonger[11551]: 2017-09-12 14:05:59
> [11551] Server at https://ipa.blabla.bla/ipa/xml failed request, will
> retry: 4035 (RPC failed at server.  Request failed with status 500:
> Non-2xx response from CA REST API: 500. *Policy Set Not Found*).
> 
> It looks like 2 certificates cannot be renewed but are about to
> expire. What's happening and how to fix?

Look at the dogtag debug log for more information on why it is failing
the request. You'll want to restart certmonger or resubmit the request
manually while watching the debug log to get the times correlated.

rob

> 
> Winfried
> 
> 
> On 12-09-17 at 10:04, Florence Blanc-Renaud via FreeIPA-users wrote:
>> On 09/12/2017 09:10 AM, Winfried de Heiden via FreeIPA-users wrote:
>>> Hi all,
>>>
>>> I'll try using the link provided. However: what is causing
>>> "CA_UNREACHABLE"?
>>>
>>> Request ID '20170129002017':
>>>  status: CA_UNREACHABLE
>>>  ca-error: Server at https://ipa.blabla.bla/ipa/xml failed
>>> request, will retry: 4035 (RPC failed at server.  Request failed with
>>> status 500: Non-2xx response from CA REST API: 500. Policy Set Not
>>> Found).
>>>  stuck: no
>>>
>> Hi Winfried,
>>
>> certmonger is using the CA 'IPA' for the Server-Cert used by httpd and
>> ldap. This CA helper is communicating with FreeIPA server, and FreeIPA
>> in turn communicates with Dogtag.
>> You will probably find more information in FreeIPA server logs (in
>> /var/log/httpd/error_log) and in Dogtag logs
>> (/var/log/pki/pki-tomcat/ca/debug).
>>
>> Flo
>>
>>> Winfried
>>>
>>> On 11-09-17 at 17:12, Florence Blanc-Renaud via FreeIPA-users wrote:
 On 09/11/2017 04:53 PM, Winfried de Heiden via FreeIPA-users wrote:
> CS.cfg was modified so pki-tomcat can login using a password and
> non-secure LDAP. At least it is working now:
>
> < internaldb.ldapauth.authtype=BasicAuth
> < internaldb.ldapauth.bindDN=cn=Directory Manager
> ---
>  > internaldb.ldapauth.authtype=SslClientAuth
>  > internaldb.ldapauth.bindDN=uid=pkidbuser,ou=people,o=ipa-ca
> 780,781c780,781
> < internaldb.ldapconn.port=389
> < internaldb.ldapconn.secureConn=false
> ---
>  > internaldb.ldapconn.port=636
>  > internaldb.ldapconn.secureConn=true
>
> Reversed to the old config, stop/started ipa, debug  shows
> pki-tomcatd cannot login:
>
> 11/Sep/2017:16:51:41][localhost-startStop-1]:
> SSLClientCertificatSelectionCB: Entering!
> [11/Sep/2017:16:51:41][localhost-startStop-1]: Candidate cert:
> subsystemCert cert-pki-ca
> [11/Sep/2017:16:51:41][localhost-startStop-1]:
> SSLClientCertificateSelectionCB: desired cert found in list:
> subsystemCert cert-pki-ca
> [11/Sep/2017:16:51:41][localhost-startStop-1]:
> SSLClientCertificateSelectionCB: returning: subsystemCert cert-pki-ca
> [11/Sep/2017:16:51:42][localhost-startStop-1]: SSL handshake happened
> Could not connect to LDAP server host ipa.blabla.bla port 636 Error
> netscape.ldap.LDAPException: Authentication failed (49)
>  at
> com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
>  at
> com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
>  at
> com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
>  at
> com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
>  at
> com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1172)
>  at
> com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1078)
>
>  at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:570)
>  at com.netscape.certsrv.apps.CMS.init(CMS.java:188)
>  at com.netscape.certsrv.apps.CMS.start(CMS.java:1621)
>
> Winfried
>
> On 11-09-17 at 16:18, Rob Crittenden via FreeIPA-users wrote:
>> Winfried de Heiden via FreeIPA-users wrote:
>>> Hi All,
>>>
>>> Somewhere after an update (I guess) I have issues;
>>> pki-tomcatd@pki-tomcat.service will not start since it cannot login to
>>> LDAP. It seems I have some certificate issues:
>>>
>>> getcert list shows:
>>>
>>> Request ID '20170129002017':
>>>  status: 

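Rob's advice is to correlate the certmonger failures with the Dogtag debug log; the step before that is spotting which tracked requests are failing and how long is left before they expire, which Winfried did by reading `getcert list` by eye. The following is an added example (not certmonger's or FreeIPA's code) that parses the record format shown in the thread, a `Request ID '...':` line followed by tab-indented `field: value` lines, and reports any request that is not in MONITORING, is stuck, carries a ca-error, or expires within a warning window. The sample output is constructed from the lines quoted in the thread with an invented host, realm and second request, and the reference time is the first certmonger log timestamp above.

```python
"""Triage `getcert list` output for certificates whose renewal is failing.

Added example, not certmonger's or FreeIPA's code. It parses the record
format shown in the thread (a `Request ID '...':` line followed by
tab-indented `field: value` lines) and reports any request that is not in
MONITORING, is stuck, carries a ca-error, or expires within a window."""

from datetime import datetime
from typing import Dict, List

# Constructed sample modelled on the output quoted in the thread; the host,
# realm and second request are invented (not a real capture).
SAMPLE_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20170129002017':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://ipa.example.com/ipa/xml failed request, will retry: 4035 (RPC failed at server.  Request failed with status 500: Non-2xx response from CA REST API: 500. Policy Set Not Found).
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 2017-09-27 17:26:00 CEST
\ttrack: yes
\tauto-renew: yes
Request ID '20170129002030':
\tstatus: MONITORING
\tstuck: no
\tCA: IPA
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 2019-01-29 00:20:30 CET
\ttrack: yes
\tauto-renew: yes
"""

# Point in time the sample is evaluated against (the first certmonger log
# line in the thread); a real run would use datetime.now().
REFERENCE_NOW = datetime(2017, 9, 12, 14, 5, 35)


def parse_getcert_list(text: str) -> List[Dict[str, str]]:
    """Split `getcert list` output into one dict per tracked request."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("Request ID '"):
            rid = line[len("Request ID '"):].split("'", 1)[0]
            records.append({"request_id": rid})
        elif records and line[:1] in ("\t", " ") and ":" in line:
            # values such as ca-error contain ':' themselves, so split once
            key, value = line.strip().split(":", 1)
            records[-1][key.strip()] = value.strip()
        # the leading "Number of certificates..." line and blanks are ignored
    return records


def parse_expiry(value: str) -> datetime:
    """`2017-09-27 17:26:00 CEST` -> naive datetime; the trailing timezone
    abbreviation is dropped, so the comparison is in the host's local time."""
    return datetime.strptime(value.rsplit(" ", 1)[0], "%Y-%m-%d %H:%M:%S")


def triage(records: List[Dict[str, str]], now: datetime, warn_days: int = 30):
    """Return [{'request_id', 'subject', 'reasons': [...]}] for records that
    need attention; an empty list means every tracked cert looks healthy."""
    findings = []
    for rec in records:
        reasons = []
        status = rec.get("status", "")
        if status != "MONITORING":
            reasons.append(f"status {status or 'unknown'}")
        if rec.get("stuck", "no") == "yes":
            reasons.append("request is stuck")
        if "ca-error" in rec:
            reasons.append("ca-error: " + rec["ca-error"][:80])
        if "expires" in rec:
            days_left = (parse_expiry(rec["expires"]) - now).days
            if days_left <= warn_days:  # already expired counts too
                reasons.append(f"expires in {days_left} days")
        if reasons:
            findings.append({"request_id": rec["request_id"],
                             "subject": rec.get("subject", ""),
                             "reasons": reasons})
    return findings


def triage_sample():
    """Run the triage over the constructed sample at the reference time."""
    return triage(parse_getcert_list(SAMPLE_OUTPUT), REFERENCE_NOW)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f['request_id']} ({f['subject']}):")
        for r in f["reasons"]:
            print("  -", r)
```

On a live server the same parser can be fed the output of `getcert list` directly; the first sample request comes back with three reasons (status CA_UNREACHABLE, the ca-error text, and 15 days left), which is exactly the pair of facts that matter when deciding how urgently to chase the Dogtag side.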
[Freeipa-users] Re: Request failed with status 500: Non-2xx response from CA REST API: 500. - pki-tomcatd fails to start

2017-09-12 Thread Winfried de Heiden via FreeIPA-users

Hi all,
  
  Yes, there was a discrepancy in the certificates and it was fixed by
  using https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/.
  
  Thanks for that!
  
  Now, getcert list still shows errors. The certmonger log shows:
  
  Sep 12 14:05:35 ipa.blabla.bla certmonger[11551]: 2017-09-12
  14:05:35 [11551] Server at https://ipa.blabla.bla/ipa/xml failed
  request, will retry: 4035 (RPC failed at server.  Request failed
  with status 500: Non-2xx response from CA REST API: 500. Policy
Set Not Found).
  
  Sep 12 14:05:59 ipa.blabla.bla certmonger[11551]: 2017-09-12
  14:05:59 [11551] Server at https://ipa.blabla.bla/ipa/xml failed
  request, will retry: 4035 (RPC failed at server.  Request failed
  with status 500: Non-2xx response from CA REST API: 500. Policy
Set Not Found).
  
  It looks like 2 certificates cannot be renewed but are about to
  expire. What's happening and how to fix?
  
  Winfried
  
  

On 12-09-17 at 10:04, Florence Blanc-Renaud via FreeIPA-users wrote:

On 09/12/2017 09:10 AM, Winfried de Heiden via FreeIPA-users wrote:
  
  Hi all,


I'll try using the link provided. However: what is causing
"CA_UNREACHABLE"?


Request ID '20170129002017':

 status: CA_UNREACHABLE

 ca-error: Server at https://ipa.blabla.bla/ipa/xml failed
request, will retry: 4035 (RPC failed at server.  Request failed
with status 500: Non-2xx response from CA REST API: 500. Policy
Set Not Found).

 stuck: no


  
  Hi Winfried,
  
  
  certmonger is using the CA 'IPA' for the Server-Cert used by httpd
  and ldap. This CA helper is communicating with FreeIPA server, and
  FreeIPA in turn communicates with Dogtag.
  
  You will probably find more information in FreeIPA server logs (in
  /var/log/httpd/error_log) and in Dogtag logs
  (/var/log/pki/pki-tomcat/ca/debug).
  
  
  Flo
  
  
  Winfried


On 11-09-17 at 17:12, Florence Blanc-Renaud via FreeIPA-users wrote:

On 09/11/2017 04:53 PM, Winfried de Heiden via FreeIPA-users wrote:
  
CS.cfg was modified so pki-tomcat can login using a password and
non-secure LDAP. At least it is working now:


< internaldb.ldapauth.authtype=BasicAuth

< internaldb.ldapauth.bindDN=cn=Directory Manager

---

 > internaldb.ldapauth.authtype=SslClientAuth

 > internaldb.ldapauth.bindDN=uid=pkidbuser,ou=people,o=ipa-ca

780,781c780,781

< internaldb.ldapconn.port=389

< internaldb.ldapconn.secureConn=false

---

 > internaldb.ldapconn.port=636

 > internaldb.ldapconn.secureConn=true


Reversed to the old config, stop/started ipa, debug shows
pki-tomcatd cannot login:


11/Sep/2017:16:51:41][localhost-startStop-1]:
SSLClientCertificatSelectionCB: Entering!

[11/Sep/2017:16:51:41][localhost-startStop-1]: Candidate
cert: subsystemCert cert-pki-ca

[11/Sep/2017:16:51:41][localhost-startStop-1]:
SSLClientCertificateSelectionCB: desired cert found in list:
subsystemCert cert-pki-ca

[11/Sep/2017:16:51:41][localhost-startStop-1]:
SSLClientCertificateSelectionCB: returning: subsystemCert
cert-pki-ca

[11/Sep/2017:16:51:42][localhost-startStop-1]: SSL handshake
happened

Could not connect to LDAP server host ipa.blabla.bla port
636 Error netscape.ldap.LDAPException: Authentication failed
(49)

 at
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
 at
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
 at
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
 at
com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)

 at
com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1172)

 at

[Freeipa-users] Re: Request failed with status 500: Non-2xx response from CA REST API: 500. - pki-tomcatd fails to start

2017-09-12 Thread Florence Blanc-Renaud via FreeIPA-users

On 09/12/2017 09:10 AM, Winfried de Heiden via FreeIPA-users wrote:

Hi all,

I'll try using the link provided. However: what is causing
"CA_UNREACHABLE"?


Request ID '20170129002017':
     status: CA_UNREACHABLE
     ca-error: Server at https://ipa.blabla.bla/ipa/xml failed request, 
will retry: 4035 (RPC failed at server.  Request failed with status 500: 
Non-2xx response from CA REST API: 500. Policy Set Not Found).

     stuck: no


Hi Winfried,

certmonger is using the CA 'IPA' for the Server-Cert used by httpd and 
ldap. This CA helper is communicating with FreeIPA server, and FreeIPA 
in turn communicates with Dogtag.
You will probably find more information in FreeIPA server logs (in 
/var/log/httpd/error_log) and in Dogtag logs 
(/var/log/pki/pki-tomcat/ca/debug).


Flo


Winfried

On 11-09-17 at 17:12, Florence Blanc-Renaud via FreeIPA-users wrote:

On 09/11/2017 04:53 PM, Winfried de Heiden via FreeIPA-users wrote:
CS.cfg was modified so pki-tomcat can login using a password and 
non-secure LDAP. At least it is working now:


< internaldb.ldapauth.authtype=BasicAuth
< internaldb.ldapauth.bindDN=cn=Directory Manager
---
 > internaldb.ldapauth.authtype=SslClientAuth
 > internaldb.ldapauth.bindDN=uid=pkidbuser,ou=people,o=ipa-ca
780,781c780,781
< internaldb.ldapconn.port=389
< internaldb.ldapconn.secureConn=false
---
 > internaldb.ldapconn.port=636
 > internaldb.ldapconn.secureConn=true

Reversed to the old config, stop/started ipa, debug shows
pki-tomcatd cannot login:


11/Sep/2017:16:51:41][localhost-startStop-1]: 
SSLClientCertificatSelectionCB: Entering!
[11/Sep/2017:16:51:41][localhost-startStop-1]: Candidate cert: 
subsystemCert cert-pki-ca
[11/Sep/2017:16:51:41][localhost-startStop-1]: 
SSLClientCertificateSelectionCB: desired cert found in list: 
subsystemCert cert-pki-ca
[11/Sep/2017:16:51:41][localhost-startStop-1]: 
SSLClientCertificateSelectionCB: returning: subsystemCert cert-pki-ca

[11/Sep/2017:16:51:42][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host ipa.blabla.bla port 636 Error 
netscape.ldap.LDAPException: Authentication failed (49)
 at 
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
 at 
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
 at 
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)

 at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
 at 
com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1172)
 at 
com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1078)

 at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:570)
 at com.netscape.certsrv.apps.CMS.init(CMS.java:188)
 at com.netscape.certsrv.apps.CMS.start(CMS.java:1621)

Winfried

On 11-09-17 at 16:18, Rob Crittenden via FreeIPA-users wrote:

Winfried de Heiden via FreeIPA-users wrote:

Hi All,

Somewhere after an update (I guess) I have issues;
pki-tomcatd@pki-tomcat.service will not start since it cannot login to
LDAP. It seems I have some certificate issues:

getcert list shows:

Request ID '20170129002017':
 status: CA_UNREACHABLE
 ca-error: Server at https://ipa.example.com/ipa/xml failed request,
will retry: 4035 (RPC failed at server.  Request failed with status 500:
Non-2xx response from CA REST API: 500. Policy Set Not Found).
 stuck: no
 key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-BLABLA-BLA/pwdfile.txt'
 certificate:
type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=IPA.LOCAL 201509271650
 subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650
 expires: 2017-09-27 17:26:00 CEST
 key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
 eku: id-kp-serverAuth,id-kp-clientAuth
 pre-save command:
 post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv 
BLABLA-BLA

 track: yes
 auto-renew: yes
Request ID '20170129002024':
 status: CA_UNREACHABLE
 ca-error: Server at https://ipa.example.com/ipa/xml failed request,
will retry: 4035 (RPC failed at server.  Request failed with status 500:
Non-2xx response from CA REST API: 500. Policy Set Not Found).
 stuck: no
 key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
 certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
 CA: IPA
 issuer: CN=Certificate Authority,O=IPA.LOCAL 201509271650
 subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650
 expires: 2017-09-27 17:41:26 CEST
 key usage:

[Freeipa-users] Re: Request failed with status 500: Non-2xx response from CA REST API: 500. - pki-tomcatd fails to start

2017-09-12 Thread Winfried de Heiden via FreeIPA-users

Hi all,
  
  I'll try using the link provided. However: what is causing
  "CA_UNREACHABLE"?
  
  Request ID '20170129002017':
      status: CA_UNREACHABLE
      ca-error: Server at https://ipa.blabla.bla/ipa/xml failed
  request, will retry: 4035 (RPC failed at server.  Request failed
  with status 500: Non-2xx response from CA REST API: 500. Policy
  Set Not Found).
      stuck: no
  
  Winfried

On 11-09-17 at 17:12, Florence Blanc-Renaud via FreeIPA-users wrote:

On 09/11/2017 04:53 PM, Winfried de Heiden via FreeIPA-users wrote:
  
CS.cfg was modified so pki-tomcat can login using a password and
non-secure LDAP. At least it is working now:


< internaldb.ldapauth.authtype=BasicAuth

< internaldb.ldapauth.bindDN=cn=Directory Manager

---

 > internaldb.ldapauth.authtype=SslClientAuth

 > internaldb.ldapauth.bindDN=uid=pkidbuser,ou=people,o=ipa-ca

780,781c780,781

< internaldb.ldapconn.port=389

< internaldb.ldapconn.secureConn=false

---

 > internaldb.ldapconn.port=636

 > internaldb.ldapconn.secureConn=true


Reversed to the old config, stop/started ipa, debug shows
pki-tomcatd cannot login:


11/Sep/2017:16:51:41][localhost-startStop-1]:
SSLClientCertificatSelectionCB: Entering!

[11/Sep/2017:16:51:41][localhost-startStop-1]: Candidate cert:
subsystemCert cert-pki-ca

[11/Sep/2017:16:51:41][localhost-startStop-1]:
SSLClientCertificateSelectionCB: desired cert found in list:
subsystemCert cert-pki-ca

[11/Sep/2017:16:51:41][localhost-startStop-1]:
SSLClientCertificateSelectionCB: returning: subsystemCert
cert-pki-ca

[11/Sep/2017:16:51:42][localhost-startStop-1]: SSL handshake
happened

Could not connect to LDAP server host ipa.blabla.bla port 636
Error netscape.ldap.LDAPException: Authentication failed (49)

 at
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
 at
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
 at
com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
 at
com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)

 at
com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1172)

 at
com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1078)

 at
com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:570)

 at com.netscape.certsrv.apps.CMS.init(CMS.java:188)

 at com.netscape.certsrv.apps.CMS.start(CMS.java:1621)


Winfried


On 11-09-17 at 16:18, Rob Crittenden via FreeIPA-users wrote:

Winfried de Heiden via FreeIPA-users wrote:
  
  Hi All,


Somewhere after an update (I guess) I have issues;
pki-tomcatd@pki-tomcat.service will not start since it cannot login to
LDAP. It seems I have some certificate issues:


getcert list shows:


Request ID '20170129002017':

 status: CA_UNREACHABLE

 ca-error: Server at https://ipa.example.com/ipa/xml failed request,
will retry: 4035 (RPC failed at server.  Request failed with status 500:
Non-2xx response from CA REST API: 500. Policy Set Not Found).

 stuck: no

 key pair storage:

type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-BLABLA-BLA/pwdfile.txt'

 certificate:

type=NSSDB,location='/etc/dirsrv/slapd-BLABLA-BLA',nickname='Server-Cert',token='NSS Certificate DB'

 CA: IPA

 issuer: CN=Certificate Authority,O=IPA.LOCAL
201509271650

 subject: CN=ipa.example.com,O=IPA.LOCAL 201509271650

 expires: 2017-09-27 17:26:00 CEST

 key usage:

digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment

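The CS.cfg change quoted in this thread swaps the subsystem's certificate-authenticated TLS bind (SslClientAuth as pkidbuser on port 636) for a Directory Manager password bind over plain LDAP on port 389. That is why the service "works" afterwards, but it leaves a much weaker database connection in place, and once the underlying certificate problem is fixed the workaround is easy to forget. The following added example (not Dogtag's or FreeIPA's code) parses a CS.cfg fragment and flags any of the four internaldb settings that differ from the values the diff shows as the original side. Both fragments are constructed samples with an invented host name; the key names are the four quoted in the thread plus `internaldb.ldapconn.host` and `internaldb.ldapauth.clientCertNickname`, which are assumed here and not on the page.

```python
"""Audit the internaldb.* settings of a Dogtag CS.cfg fragment.

Added example, not Dogtag's or FreeIPA's code. It compares a parsed CS.cfg
against the LDAP-connection baseline shown as the original side of the diff
in the thread: TLS on port 636 with certificate-based client auth as the
pkidbuser entry. A BasicAuth bind as Directory Manager over plain LDAP on
389, as applied in the thread as a workaround, produces four findings."""

from typing import Dict, List, Optional, Tuple

# Baseline taken from the original (">") side of the diff in the thread.
BASELINE: Dict[str, str] = {
    "internaldb.ldapauth.authtype": "SslClientAuth",
    "internaldb.ldapauth.bindDN": "uid=pkidbuser,ou=people,o=ipa-ca",
    "internaldb.ldapconn.port": "636",
    "internaldb.ldapconn.secureConn": "true",
}

# Constructed fragments, not real CS.cfg files; only the keys relevant here.
# The host key and the clientCertNickname key are assumptions for the sample.
WEAKENED_CFG = """\
# internal database connection (constructed sample: the thread's workaround)
internaldb.ldapauth.authtype=BasicAuth
internaldb.ldapauth.bindDN=cn=Directory Manager
internaldb.ldapconn.host=ipa.example.com
internaldb.ldapconn.port=389
internaldb.ldapconn.secureConn=false
"""

HARDENED_CFG = """\
# internal database connection (constructed sample: the original settings)
internaldb.ldapauth.authtype=SslClientAuth
internaldb.ldapauth.bindDN=uid=pkidbuser,ou=people,o=ipa-ca
internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
internaldb.ldapconn.host=ipa.example.com
internaldb.ldapconn.port=636
internaldb.ldapconn.secureConn=true
"""


def parse_cs_cfg(text: str) -> Dict[str, str]:
    """Parse Java-properties style key=value lines.

    '#' comment lines and blanks are skipped. Values may themselves contain
    '=' (a DN, for example), so the line is split only on the first one."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def check_internaldb(cfg: Dict[str, str]) -> List[Tuple[str, Optional[str], str]]:
    """Return (key, actual, expected) for every baseline key that is missing
    or differs; an empty list means the connection settings match the
    baseline. Comparison is case-insensitive so 'True'/'true' both pass."""
    findings = []
    for key, expected in BASELINE.items():
        actual = cfg.get(key)
        if actual is None or actual.lower() != expected.lower():
            findings.append((key, actual, expected))
    return findings


def audit(text: str) -> List[Tuple[str, Optional[str], str]]:
    """Parse a CS.cfg fragment and return its internaldb findings."""
    return check_internaldb(parse_cs_cfg(text))


if __name__ == "__main__":
    for name, text in (("weakened", WEAKENED_CFG), ("hardened", HARDENED_CFG)):
        findings = audit(text)
        print(f"{name}: {len(findings)} finding(s)")
        for key, actual, expected in findings:
            print(f"  {key}: got {actual!r}, expected {expected!r}")
```

On a FreeIPA server the CA instance's configuration lives at /etc/pki/pki-tomcat/ca/CS.cfg; reading that file and passing its text to `audit()` gives a quick check that the BasicAuth/389 workaround was not left behind after the certificate discrepancy was resolved. A missing key is reported with `None` as the actual value rather than being silently treated as compliant.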
[Freeipa-users] Re: AD trust setup woes

2017-09-12 Thread Alexander Bokovoy via FreeIPA-users

On Tue, 12 Sep 2017, Igor Sever via FreeIPA-users wrote:

Unfortunately, I cannot upgrade systems and packages as I would like because of
legacy applications.
Is there information somewhere on how I would go about configuring SSSD
to use FreeIPA as the Kerberos and LDAP provider and still have policies work?
I can only find where access is enforced with an LDAP filter in the SSSD
configuration in that case.  Thanks.

If the SUSE version of SSSD is built without the IPA provider, then HBAC rules
wouldn't be available. Part of the functionality is implemented in the IPA
provider and does not exist in a pure LDAP provider.

--
/ Alexander Bokovoy
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: AD trust setup woes

2017-09-12 Thread Igor Sever via FreeIPA-users
Unfortunately, I cannot upgrade systems and packages as I would like because of
legacy applications.
Is there information somewhere on how I would go about configuring SSSD to use
FreeIPA as the Kerberos and LDAP provider and still have policies work? I can only find
where access is enforced with an LDAP filter in the SSSD configuration in that case.
Thanks.