On Mon, Apr 30, 2018 at 11:49:09AM -0400, Brian Weaver via FreeIPA-users wrote:
> After a recent power outage the IPA master server I built a few years ago
> is having some issues. I've done as much troubleshooting as I can and I
> think I've tracked down the issue to the certificate database in
> '/etc/pki/pki-tomcat/alias'. I can use 'certutil' to view a list of
> certificates. I can also view the key ID of the keys, when no nickname is
> used to specify a specific key. When I try to look at a specific key it
> fails.
> 
> [root@ipa-server0 alias]# certutil -d $PWD -L
> 
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
> 
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> subsystemCert cert-pki-ca                                    u,u,u
> Server-Cert cert-pki-ca                                      u,u,u
> auditSigningCert cert-pki-ca                                 u,u,Pu
> ocspSigningCert cert-pki-ca                                  u,u,u
> 
> [root@ipa-server0 alias]# certutil -d $PWD -K -f /tmp/xxx
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> < 0> rsa      ab76588f20ba1e9d5f4dc4fe6f62dc70dc96484f   NSS Certificate DB:auditSigningCert cert-pki-ca
> < 1> rsa      ad2699ef775d3d685d08e6c34b64a02295d6bcef   caSigningCert cert-pki-ca
> < 2> rsa      a96b674224d50615416ef25644441887b410db3f   (orphan)
> < 3> rsa      38b6a1d6d1be0dc2f80a2330cf52c73abd22d10d   NSS Certificate DB:ocspSigningCert cert-pki-ca
> < 4> rsa      2beb83b689255e03be47430e204d34067fd873f8   NSS Certificate DB:Server-Cert cert-pki-ca
> < 5> rsa      0d733da9de0045c502dbb9f20ea8d4ba426afb47   NSS Certificate DB:subsystemCert cert-pki-ca
> 
> [root@ipa-server0 alias]# for i in $(certutil -d $PWD -L | grep cert-pki | awk '{print $1}') ; do certutil -d $PWD -K -f /tmp/xxx -n "$i cert-pki-ca" ; done
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> < 0> rsa      ad2699ef775d3d685d08e6c34b64a02295d6bcef   caSigningCert cert-pki-ca
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.
> 
> Does anyone have any suggestions on how to recover from this particular
> error? It would seem that some of the certificates were recently
> regenerated by certmonger, based on these lines from the log:
> 
> Mar 30 07:26:30 ipa-server0.ipa.sunbirddcim.com certmonger[19770]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will no
> Mar 30 07:26:30 ipa-server0.ipa.sunbirddcim.com certmonger[19769]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will n
> Mar 30 07:26:30 ipa-server0.ipa.sunbirddcim.com certmonger[19772]: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" will not be valid after 201804261702
> Mar 30 07:26:30 ipa-server0.ipa.sunbirddcim.com certmonger[19773]: Certificate named "Server-Cert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be
> Mar 30 07:28:57 ipa-server0.ipa.sunbirddcim.com certmonger[20025]: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" issued by CA and saved.
> Mar 30 07:29:48 ipa-server0.ipa.sunbirddcim.com certmonger[20102]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued
> Mar 30 07:30:03 ipa-server0.ipa.sunbirddcim.com certmonger[20125]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued
> Mar 30 07:30:20 ipa-server0.ipa.sunbirddcim.com certmonger[20148]: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by
> Apr 10 07:26:31 ipa-server0.ipa.sunbirddcim.com certmonger[23627]: Certificate named "Server-Cert" in token "NSS Certificate DB" in database "/etc/dirsrv/slapd-IPA-SUNBIRDDCIM-COM" will not be
> Apr 10 07:27:23 ipa-server0.ipa.sunbirddcim.com certmonger[23724]: Certificate named "Server-Cert" in token "NSS Certificate DB" in database "/etc/httpd/alias" issued by CA and saved.
> Apr 10 07:27:40 ipa-server0.ipa.sunbirddcim.com certmonger[23783]: Certificate named "Server-Cert" in token "NSS Certificate DB" in database "/etc/dirsrv/slapd-IPA-SUNBIRDDCIM-COM" issued by C
> 
> I'm going to continue to try to muddle my way through it. I'm hoping someone
> with more knowledge than myself can help me find the correct path.
> 
> The result of `ipa --version` is VERSION: 4.3.1, API_VERSION: 2.164. The
> system is running Fedora 23 and FreeIPA came from a COPR release:
> 
> name=Copr repo for freeipa-4-3 owned by @freeipa
> baseurl=
> https://copr-be.cloud.fedoraproject.org/results/@freeipa/freeipa-4-3/fedora-$releasever-$basearch/
> 
> Any help would be greatly appreciated.
> 
Hi Brian,

It is an interesting error.  I've never seen it before (in this
context).

Is the pki-tomcatd instance functional, e.g. can you execute `ipa
cert-find`?

Can you print the certificates individually, i.e.
`certutil -L -n "nickname"` for each nickname?  What do those certs
look like?

(After backing up the NSSDB) can you renew one of the problematic
certificates again, using certmonger (`getcert resubmit`)?

Thanks,
Fraser
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
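The checks Fraser asks for (is the CA answering, what does each certificate look like, does each private key open, back up the NSSDB before resubmitting) can be run the same way for every nickname instead of by hand. The script below is an added example, not code from this thread or from the FreeIPA project. It assumes the database is /etc/pki/pki-tomcat/alias, that the pin file contains only the token password (as /tmp/xxx does in the original post), that backups go to /root, and that a Kerberos ticket able to run `ipa cert-find` is already held; the nickname parser keeps nicknames with spaces, which the `awk '{print $1}'` loop in the post does not.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): walk an NSS
# database the way the reply suggests. Assumed paths: the pki-tomcat NSSDB,
# a pin file holding only the token password, and /root for backups.

# Nicknames from `certutil -L` output. A certificate line ends in a trust
# triple such as "CTu,Cu,Cu" or "u,u,Pu"; the header line and the
# "SSL,S/MIME,JAR/XPI" legend never match the pattern, so they are dropped.
nicknames_from_listing() {
    sed -nE 's/^(.*[^[:space:]])[[:space:]]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/\1/p'
}

# Request IDs from `getcert list` output, for `getcert resubmit -i ID`.
request_ids_from_getcert() {
    sed -nE "s/^Request ID '([^']+)':.*/\1/p"
}

# Archive the database directory before anything rewrites it in place.
backup_nssdb() {
    parent=$(dirname "$1"); name=$(basename "$1")
    archive="${BACKUP_DIR:-/root}/$name.$(date +%Y%m%d%H%M%S).tar.gz"
    tar -C "$parent" -czf "$archive" "$name" && echo "backup written to $archive"
}

# Is pki-tomcatd answering at all? Needs a ticket for a user allowed to search.
ca_answers() {
    ipa cert-find --sizelimit=1 >/dev/null 2>&1
}

# Print every certificate and try to open its private key, one nickname at a time.
check_nssdb() {
    dir=$1; pwfile=$2
    if ca_answers; then echo "ipa cert-find: OK"; else echo "ipa cert-find: FAILED"; fi
    certutil -d "$dir" -L | nicknames_from_listing | while IFS= read -r nick; do
        printf '\n== %s ==\n' "$nick"
        certutil -d "$dir" -L -n "$nick"
        if certutil -d "$dir" -K -f "$pwfile" -n "$nick" >/dev/null 2>&1; then
            echo "key lookup: OK"
        else
            echo "key lookup: FAILED (run certutil -d $dir -K -f $pwfile -n \"$nick\" for the error)"
        fi
    done
}

# Ask certmonger to renew the tracking request(s) for one nickname.
resubmit_cert() {
    dir=$1; nick=$2
    getcert list -d "$dir" -n "$nick" | request_ids_from_getcert | while IFS= read -r id; do
        echo "resubmitting request $id"
        getcert resubmit -i "$id"
    done
}

main() {
    case ${1:-} in
        backup)   backup_nssdb "$2" ;;
        check)    check_nssdb "$2" "$3" ;;
        resubmit) resubmit_cert "$2" "$3" ;;
        *) echo "usage: $0 backup DIR | check DIR PINFILE | resubmit DIR NICKNAME" >&2; return 2 ;;
    esac
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as root on the master: `sh nssdb-check.sh backup /etc/pki/pki-tomcat/alias`, then `sh nssdb-check.sh check /etc/pki/pki-tomcat/alias /tmp/xxx`, and only after the backup exists `sh nssdb-check.sh resubmit /etc/pki/pki-tomcat/alias "auditSigningCert cert-pki-ca"`. The key lookup is deliberately run per nickname so that a failure on one entry (as with the SEC_ERROR_UNRECOGNIZED_OID in the post) is reported against that nickname rather than aborting the whole listing.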