Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
I have to confess I'm in over my head already. Another shot in the foot isn't going to help. Is there good documentation for solving the problem on the version I'm using? Jeff On Fri, Jan 6, 2017 at 5:44 PM, Rob Crittenden wrote: > Jeff Goddard wrote: > > Rob, > > > > I'm getting this error: ce

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Rob Crittenden
Jeff Goddard wrote: > Rob, > > I'm getting this error: certutil -M -n "auditSigningCert cert-pki-ca" -d > /var/lib/pki-ca/alias -t u,u,Pu > certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The > certificate/key database is in an old, unsupported format. The database is in /var/lib/pki/pki-to

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Rob Crittenden
Jeff Goddard wrote: > Rob, > > I'm missing something in either the syntax of execution. I'm getting > this error: > > ldap_modify: Invalid DN syntax (34) > additional info: invalid dn > > Just as a reminder the version of ipa I'm on is 4.4. I'd need to see the ldif you're trying to appl

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
Rob, I'm getting this error: certutil -M -n "auditSigningCert cert-pki-ca" -d /var/lib/pki-ca/alias -t u,u,Pu certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format. Jeff On Fri, Jan 6, 2017 at 4:32 PM, Rob Crittenden wrote: > Jeff

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
Rob, I'm missing something in either the syntax of execution. I'm getting this error: ldap_modify: Invalid DN syntax (34) additional info: invalid dn Just as a reminder the version of ipa I'm on is 4.4. Jeff On Fri, Jan 6, 2017 at 4:32 PM, Rob Crittenden wrote: > Jeff Goddard wrote:

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Rob Crittenden
Jeff Goddard wrote: > I've followed the instructions related to my error here: > http://www.freeipa.org/page/Troubleshooting#PKI_Issues but I still > haven't found a solution. Look at these instructions http://www.freeipa.org/page/IPA_2x_Certificate_Renewal Look only at the ipaCert part, particul

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Alan Heverley
First we have to query the NSS database to get the current ipaCert certificate for the ipara user and store it into a file:

# cd /tmp
# certutil -a -d /etc/httpd/alias/ -n ipaCert -L | sed '/^-.*/d' | tr -d '\r\n' > ipaCert.cert

Then we need to replace the userCertificate attribute with the conte

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
I've followed the instructions related to my error here: http://www.freeipa.org/page/Troubleshooting#PKI_Issues but I still haven't found a solution. Jeff On Fri, Jan 6, 2017 at 4:05 PM, Jeff Goddard wrote: > Alan, > > Thank you so VERY much. That resolved the issue for the CA signing > certifi

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
Alan, Thank you so VERY much. That resolved the issue for the CA signing certificate. However, I'm still seeing ca-error: Server at "https://id-management-1.internal.emerlyn.com:8443/ca/agent/ca/profileProcess" replied: 1: Invalid Credential. On multiple requests which have expiration d

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Alan Heverley
Looks like you need to get the PIN associated to the cert.

# grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf

Then replace with the PIN in the command above.

# getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' -P -c dogtag-ipa-ca-renew-agent

On Fr

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
I think my problem is deeper than that. I was following this guide: http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers and executed the commands related to having an external CA - which we do not have. I now get this message for the CA: Request ID '20170101

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Rob Crittenden
Jeff Goddard wrote: > I've done this. > [root@id-management-1 ipa]# date > Sun Jan 1 01:12:27 EST 2017 > > getcert list gives me this as the first entry: > > Request ID '20150116162120': > status: CA_UNREACHABLE > ca-error: Server at > https://id-management-1.internal.emerlyn.com

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
I've done this. [root@id-management-1 ipa]# date Sun Jan 1 01:12:27 EST 2017 getcert list gives me this as the first entry: Request ID '20150116162120': status: CA_UNREACHABLE ca-error: Server at https://id-management-1.internal.emerlyn.com/ipa/xml failed request, will retry: 400

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Rob Crittenden
Jeff Goddard wrote: > Flo, > > I'm not able to access the link you posted. I did find this thread > though > https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html > > and have set the time back and resubmitted

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
Flo, I'm not able to access the link you posted. I did find this thread though https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html and have set the time back and resubmitted a request. Still no success. Any further hints? On Fri, Jan 6, 2017 at 11:52 AM, Florence Blanc-Renaud

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Florence Blanc-Renaud
On 01/06/2017 05:36 PM, Jeff Goddard wrote: Thanks Flo, I was able to add the host to the keytab once I found the correct command and then was able to issue [root@id-management-1 pki-tomcat]# ipa-cacert-manage renew Renewing CA certificate, please wait CA certificate successfully renewed The ip

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
Thanks Flo, I was able to add the host to the keytab once I found the correct command and then was able to issue [root@id-management-1 pki-tomcat]# ipa-cacert-manage renew Renewing CA certificate, please wait CA certificate successfully renewed The ipa-cacert-manage command was successful But th

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Florence Blanc-Renaud
On 01/06/2017 04:47 PM, Jeff Goddard wrote: Sorry for the typo. Here is the correct output: ldapsearch -h id-management-1.internal.emerlyn.com SASL/EXTERNAL authentication started ldap_sasl_interactive_bind_s: Unknown authentication method (-6)

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
Sorry for the typo. Here is the correct output: ldapsearch -h id-management-1.internal.emerlyn.com SASL/EXTERNAL authentication started ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: When I look at the certificates I g

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Rob Crittenden
Jeff Goddard wrote: > My environment is freeipa 4.4; centos 7.3. This system was upgraded as > of yesterday afternoon. I'm unable to start pki-tomcat. The debug log > shows this entry: > > Internal Database Error encountered: Could not connect to LDAP server > host id-management-1.internal.emerlyn.

[Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
My environment is freeipa 4.4; centos 7.3. This system was upgraded as of yesterday afternoon. I'm unable to start pki-tomcat. The debug log shows this entry: Internal Database Error encountered: Could not connect to LDAP server host id-management-1.internal.emerlyn.com port 636 Error netscape.ldap