On Thu, Jun 28, 2018 at 06:01:18PM -0700, Thomas Letherby wrote:
> Hello all,
>
> Here's the info:
>
> certutil -d /etc/dirsrv/slapd-I-domain-NET -L
>
> Certificate Nickname Trust
> Attributes
>
> SSL,S/MIME,JAR/XPI
>
> Server-Cert u,u,u
> O=domain,ST=Arizona,C=US CT,C,C
> I.domain.NET IPA CA CT,C,C
>
> I.domain.NET IPA CA is out of date for those.
>
Try running ipa-certupdate. It will update the IPA CA certificate
in the various trust stores including the DS NSSDB.
It reads the certificates from
cn=YOUR.DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,{basedn}
so you should probably check that the certificate in that entry is
up to date also.
Cheers,
Fraser
> certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a
> Not After : Fri Jun 05 01:32:01 2020
> Matches
> ldapsearch -Y GSSAPI -h `hostname` -p 389 -b
> uid=pkidbuser,ou=people,o=ipaca "(objectclass=*)" usercertificate
>
> Thomas
>
>
>
>
> On Thu, Jun 28, 2018 at 5:56 AM Rob Crittenden wrote:
>
> > Thomas Letherby via FreeIPA-users wrote:
> > > Hello Florence,
> > >
> > > It was the Signing-Cert and the I.domain.NET IPA
> > > CA cert. By setting the clock back I managed to get those to renew, now
> > > it seems I just need to get tomcat-pki to start.
> > >
> > > The error is:
> > >
> > > Internal Database Error encountered: Could not connect to LDAP server
> > > host xipa1.i.xrs444.net port 636 Error
> > > netscape.ldap.LDAPException: Unable to create socket:
> > > org.mozilla.jss.ssl.SSLSocketException:
> > > org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed:
> > > (-12195) Peer does not recognize and trust the CA that issued your
> > > certificate. (-1)
> > >
> > > certutil -d /etc/pki/pki-tomcat/alias -L
> > >
> > > Certificate Nickname Trust
> > > Attributes
> > >
> > > SSL,S/MIME,JAR/XPI
> > >
> > > Server-Cert cert-pki-ca u,u,u
> > > ocspSigningCert cert-pki-ca u,u,u
> > > O=domain,ST=Arizona,C=US CT,C,C
> > > auditSigningCert cert-pki-ca u,u,Pu
> > > subsystemCert cert-pki-cau,u,u
> > > caSigningCert cert-pki-caCTu,Cu,Cu
> > >
> > > These are all set to expire in 2020 or beyond.
> > >
> > > certutil -d /etc/httpd/alias -L Server-Cert
> > >
> > > Certificate Nickname Trust
> > > Attributes
> > >
> > > SSL,S/MIME,JAR/XPI
> > >
> > > Signing-Cert u,u,u
> > > O=xrs444,ST=Arizona,C=US CT,C,C
> > > I.XRS444.NET IPA CA
> > > CT,C,C
> > > Server-Cert u,u,u
> > >
> > > I.XRS444.NET IPA CA and Signing-Cert are the
> > > expired certs here.
> >
> > Don't worry about Signing-Cert. It is the cert used to sign the jar file
> > used to autoconfigure Firefox. You should never need to re-sign one
> > again (and this method isn't allowed in modern Firefox anyway).
> >
> > rob
> >
> > >
> > > Thomas
> > >
> > >
> > >
> > >
> > > On Wed, Jun 27, 2018 at 12:20 AM Florence Blanc-Renaud > > > wrote:
> > >
> > > On 06/27/2018 07:02 AM, Thomas Letherby via FreeIPA-users wrote:
> > > > After some fiddling with dates some more I seem to have the HTTPD
> > > cert
> > > > in sync, however it appears the cert signing cert is expired.
> > > >
> > > > named also says it's starting, but doesn't seem to want to respond.
> > > >
> > > > I don't have time to dig into it more tonight, but let me know what
> > > > other information or tests I can run and I'll get them posted
> > > tomorrow.
> > > >
> > > > Thanks all.
> > > >
> > > > Thomas
> > > >
> > > > On Mon, Jun 25, 2018 at 5:11 PM Thomas Letherby > >
> > > > >> wrote:
> > > >
> > > > Hello,
> > > >
> > > > I think this is everything (domain name changed to protect the
> > > > guilty!):
> > > >
> > > > https://pastebin.com/bF1KR7VJ
> > > >
> > > Hi Thomas,
> > >
> > > in the provided pastebin, the error 'certutil: function failed:
> > > SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old,
> > > unsupported format' can be easily explained: there is a typo in the
> > > directory path.
> > > You can try with certutil -d /etc/pki/pki-tomcat/alias -L -n
> >
> > > (note the pki-tomcat instead of pki-tomcat*d*).
> > >
> > >
