Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
I have to confess I'm in over my head already. Another shot in the foot
isn't going to help. Is there good documentation for solving the problem on
the version I'm using?

Jeff

On Fri, Jan 6, 2017 at 5:44 PM, Rob Crittenden wrote:

> Jeff Goddard wrote:
> > Rob,
> >
> > I'm getting this error: certutil -M -n "auditSigningCert cert-pki-ca" -d
> > /var/lib/pki-ca/alias -t u,u,Pu
> > certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
> > certificate/key database is in an old, unsupported format.
>
> The database is in /var/lib/pki/pki-tomcat/alias
>
> I'd start by checking current trust.
>
> Be very wary about documents related to old versions of IPA and proceed
> cautiously and understand the changes you may make before applying them.
>
> rob
>



--
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Rob Crittenden
Jeff Goddard wrote:
> Rob,
> 
> I'm getting this error: certutil -M -n "auditSigningCert cert-pki-ca" -d
> /var/lib/pki-ca/alias -t u,u,Pu
> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
> certificate/key database is in an old, unsupported format.

The database is in /var/lib/pki/pki-tomcat/alias

I'd start by checking current trust.

Be very wary about documents related to old versions of IPA and proceed
cautiously and understand the changes you may make before applying them.

rob



Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Rob Crittenden
Jeff Goddard wrote:
> Rob,
> 
> I'm missing something in either the syntax or the execution. I'm getting
> this error:
> 
> ldap_modify: Invalid DN syntax (34)
> additional info: invalid dn
> 
> Just as a reminder the version of ipa I'm on is 4.4.

I'd need to see the ldif you're trying to apply.

rob



Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
Rob,

I'm getting this error: certutil -M -n "auditSigningCert cert-pki-ca" -d
/var/lib/pki-ca/alias -t u,u,Pu
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key
database is in an old, unsupported format.

Jeff


On Fri, Jan 6, 2017 at 4:32 PM, Rob Crittenden wrote:

> Jeff Goddard wrote:
> > I've followed the instructions related to my error here:
> > http://www.freeipa.org/page/Troubleshooting#PKI_Issues but I still
> > haven't found a solution.
>
> Look at these instructions
> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>
> Look only at the ipaCert part, particularly the ou=people part and the
> description attribute.
>
> rob
>
> >
> > Jeff
> >
> > On Fri, Jan 6, 2017 at 4:05 PM, Jeff Goddard wrote:
> >
> > Alan,
> >
> > Thank you so VERY much. That resolved the issue for the CA signing
> > certificate. However I'm still seeing
> >
> > ca-error: Server at
> > "https://id-management-1.internal.emerlyn.com:8443/ca/agent/ca/profileProcess"
> > replied: 1: Invalid Credential.
> >
> > On multiple requests which have expiration dates in the past. Is
> > there something else I need to do?
> >
> > Jeff
> >
> > On Fri, Jan 6, 2017 at 3:56 PM, Alan Heverley wrote:
> >
> > Looks like you need to get the PIN associated to the cert.
> >
> >  # grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf
> >
> > Then replace <PIN> with the PIN in the command above.
> >
> >  # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n
> > 'caSigningCert cert-pki-ca' -P <PIN> -c dogtag-ipa-ca-renew-agent
> >
> > On Fri, Jan 6, 2017 at 3:47 PM, Jeff Goddard wrote:
> >
> > I think my problem is deeper than that. I was following this
> > guide: http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers
> > and executed the commands related to having an external CA -
> > which we do not have. I now get this message for the CA:
> >
> > Request ID '20170101055025':
> > status: NEED_KEY_GEN_PIN
> > stuck: yes
> > key pair storage:
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> > cert-pki-ca',pin set
> > certificate:
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> > cert-pki-ca'
> > CA: dogtag-ipa-ca-renew-agent
> > issuer:
> > subject:
> > expires: unknown
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
> >
> > Is there any way I can recover?
> >
> > Jeff
> >
> > On Fri, Jan 6, 2017 at 3:43 PM, Rob Crittenden wrote:
> >
> > Jeff Goddard wrote:
> > > I've done this.
> > > [root@id-management-1 ipa]# date
> > > Sun Jan  1 01:12:27 EST 2017
> > >
> > >  getcert list gives me this as the first entry:
> > >
> > > Request ID '20150116162120':
> > > status: CA_UNREACHABLE
> > > ca-error: Server at
> > > https://id-management-1.internal.emerlyn.com/ipa/xml failed request,
> > > will retry: 4001 (RPC failed at server.  ipa: Certificate Authority not
> > > found).
> > > stuck: no
> > > key pair storage:
> > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > certificate:
> > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > > Certificate DB'
> > > CA: IPA
> > > issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
Rob,

I'm missing something in either the syntax or the execution. I'm getting this
error:

ldap_modify: Invalid DN syntax (34)
additional info: invalid dn

Just as a reminder the version of ipa I'm on is 4.4.

Jeff

On Fri, Jan 6, 2017 at 4:32 PM, Rob Crittenden wrote:

> Jeff Goddard wrote:
> > I've followed the instructions related to my error here:
> > http://www.freeipa.org/page/Troubleshooting#PKI_Issues but I still
> > haven't found a solution.
>
> Look at these instructions
> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>
> Look only at the ipaCert part, particularly the ou=people part and the
> description attribute.
>
> rob
>
> >
> > Jeff
> >
> > On Fri, Jan 6, 2017 at 4:05 PM, Jeff Goddard wrote:
> >
> > Alan,
> >
> > Thank you so VERY much. That resolved the issue for the CA signing
> > certificate. However I'm still seeing
> >
> > ca-error: Server at
> > "https://id-management-1.internal.emerlyn.com:8443/ca/agent/ca/profileProcess"
> > replied: 1: Invalid Credential.
> >
> > On multiple requests which have expiration dates in the past. Is
> > there something else I need to do?
> >
> > Jeff
> >
> > On Fri, Jan 6, 2017 at 3:56 PM, Alan Heverley wrote:
> >
> > Looks like you need to get the PIN associated to the cert.
> >
> >  # grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf
> >
> > Then replace <PIN> with the PIN in the command above.
> >
> >  # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n
> > 'caSigningCert cert-pki-ca' -P <PIN> -c dogtag-ipa-ca-renew-agent
> >
> > On Fri, Jan 6, 2017 at 3:47 PM, Jeff Goddard wrote:
> >
> > I think my problem is deeper than that. I was following this
> > guide: http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers
> > and executed the commands related to having an external CA -
> > which we do not have. I now get this message for the CA:
> >
> > Request ID '20170101055025':
> > status: NEED_KEY_GEN_PIN
> > stuck: yes
> > key pair storage:
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> > cert-pki-ca',pin set
> > certificate:
> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> > cert-pki-ca'
> > CA: dogtag-ipa-ca-renew-agent
> > issuer:
> > subject:
> > expires: unknown
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
> >
> > Is there any way I can recover?
> >
> > Jeff
> >
> > On Fri, Jan 6, 2017 at 3:43 PM, Rob Crittenden wrote:
> >
> > Jeff Goddard wrote:
> > > I've done this.
> > > [root@id-management-1 ipa]# date
> > > Sun Jan  1 01:12:27 EST 2017
> > >
> > >  getcert list gives me this as the first entry:
> > >
> > > Request ID '20150116162120':
> > > status: CA_UNREACHABLE
> > > ca-error: Server at
> > > https://id-management-1.internal.emerlyn.com/ipa/xml failed request,
> > > will retry: 4001 (RPC failed at server.  ipa: Certificate Authority not
> > > found).
> > > stuck: no
> > > key pair storage:
> > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > certificate:
> > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > > Certificate DB'
> > > CA: IPA
> > > issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
> > > subject:

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Rob Crittenden
Jeff Goddard wrote:
> I've followed the instructions related to my error here:
> http://www.freeipa.org/page/Troubleshooting#PKI_Issues but I still
> haven't found a solution.

Look at these instructions
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal

Look only at the ipaCert part, particularly the ou=people part and the
description attribute.

rob

> 
> Jeff
> 
> On Fri, Jan 6, 2017 at 4:05 PM, Jeff Goddard wrote:
> 
> Alan,
> 
> Thank you so VERY much. That resolved the issue for the CA signing
> certificate. However I'm still seeing
> 
> ca-error: Server at
> "https://id-management-1.internal.emerlyn.com:8443/ca/agent/ca/profileProcess"
> replied: 1: Invalid Credential.
> 
> On multiple requests which have expiration dates in the past. Is
> there something else I need to do?
> 
> Jeff
> 
> On Fri, Jan 6, 2017 at 3:56 PM, Alan Heverley wrote:
> 
> Looks like you need to get the PIN associated to the cert.
> 
>  # grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf
> 
> Then replace <PIN> with the PIN in the command above.
> 
>  # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n
> 'caSigningCert cert-pki-ca' -P <PIN> -c dogtag-ipa-ca-renew-agent
> 
> On Fri, Jan 6, 2017 at 3:47 PM, Jeff Goddard wrote:
> 
> I think my problem is deeper than that. I was following this
> guide: http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers
> and executed the commands related to having an external CA -
> which we do not have. I now get this message for the CA:
> 
> Request ID '20170101055025':
> status: NEED_KEY_GEN_PIN
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> cert-pki-ca',pin set
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> cert-pki-ca'
> CA: dogtag-ipa-ca-renew-agent
> issuer:
> subject:
> expires: unknown
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> 
> Is there any way I can recover?
> 
> Jeff
> 
> On Fri, Jan 6, 2017 at 3:43 PM, Rob Crittenden wrote:
> 
> Jeff Goddard wrote:
> > I've done this.
> > [root@id-management-1 ipa]# date
> > Sun Jan  1 01:12:27 EST 2017
> >
> >  getcert list gives me this as the first entry:
> >
> > Request ID '20150116162120':
> > status: CA_UNREACHABLE
> > ca-error: Server at
> > https://id-management-1.internal.emerlyn.com/ipa/xml failed request,
> > will retry: 4001 (RPC failed at server.  ipa: Certificate Authority not
> > found).
> > stuck: no
> > key pair storage:
> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate:
> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
> > subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
> > expires: 2017-01-16 16:21:20 UTC
> > key usage:

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Alan Heverley
First we have to query the NSS database to get the current ipaCert
certificate for the ipara user and store it into a file:
# cd /tmp
# certutil -a -d /etc/httpd/alias/ -n ipaCert -L | sed '/^-.*/d' | tr -d
'\r\n' > ipaCert.cert


Then we need to replace the userCertificate attribute with the content of
ipaCert.cert:

# ldapmodify -h localhost -D "cn=Directory Manager" -W
dn: uid=ipara,ou=people,o=ipaca
changetype: modify
replace: userCertificate
userCertificate:: 


Next we modify the description attribute of the same entry.

# ldapmodify -h localhost -D "cn=Directory Manager" -W
dn: uid=ipara,ou=people,o=ipaca
changetype: modify
replace: description
description: 2;267976771;CN=Certificate
Authority,O=EXAMPLE.LOCAL;CN=IPA RA,O=EXAMPLE.LOCAL

The /var/log/pki/pki-tomcat/ca/system log file shows that the
authentication of the ipara user failed:

0.http-bio-8443-exec-14 - [13/May/2015:22:04:26 CET] [6] [3] Cannot
authenticate agent with certificate Serial 0xff90043


The long number in the description represents the serial number of the
user certificate in decimal. It can be calculated with the help of bc:

# echo "ibase=16; FF90043"|bc  <--- 0xff90043 is the serial number
from the ca error log.
267976771

The following command verifies that all went well:

# ldapsearch -x -h localhost -b uid=ipara,ou=people,o=ipaca

If everything went ok, please resubmit the certificates and check if the
expiration date of the same has changed to a future date:

# getcert resubmit -d /etc/pki/pki-tomcat/alias -n "auditSigningCert
cert-pki-ca"
# getcert resubmit -d /etc/pki/pki-tomcat/alias -n "ocspSigningCert cert-pki-ca"
# getcert resubmit -d /etc/pki/pki-tomcat/alias -n "subsystemCert cert-pki-ca"



On Fri, Jan 6, 2017 at 4:05 PM, Jeff Goddard wrote:

> Alan,
>
> Thank you so VERY much. That resolved the issue for the CA signing
> certificate. However I'm still seeing
>
> ca-error: Server at
> "https://id-management-1.internal.emerlyn.com:8443/ca/agent/ca/profileProcess"
> replied: 1: Invalid Credential.
>
> On multiple requests which have expiration dates in the past. Is there
> something else I need to do?
>
> Jeff
>
> On Fri, Jan 6, 2017 at 3:56 PM, Alan Heverley wrote:
>
>> Looks like you need to get the PIN associated to the cert.
>>
>>  # grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf
>>
>> Then replace <PIN> with the PIN in the command above.
>>
>>  # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'caSigningCert
>> cert-pki-ca' -P <PIN> -c dogtag-ipa-ca-renew-agent
>>
>> On Fri, Jan 6, 2017 at 3:47 PM, Jeff Goddard wrote:
>>
>>> I think my problem is deeper than that. I was following this guide:
>>> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers
>>> and executed the commands related to having an external CA - which we do
>>> not have. I now get this message for the CA:
>>>
>>> Request ID '20170101055025':
>>> status: NEED_KEY_GEN_PIN
>>> stuck: yes
>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',pin set
>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer:
>>> subject:
>>> expires: unknown
>>> pre-save command:
>>> post-save command:
>>> track: yes
>>> auto-renew: yes
>>>
>>> Is there any way I can recover?
>>>
>>> Jeff
>>>
>>> On Fri, Jan 6, 2017 at 3:43 PM, Rob Crittenden wrote:
>>>
 Jeff Goddard wrote:
 > I've done this.
 > [root@id-management-1 ipa]# date
 > Sun Jan  1 01:12:27 EST 2017
 >
 >  getcert list gives me this as the first entry:
 >
 > Request ID '20150116162120':
 > status: CA_UNREACHABLE
 > ca-error: Server at
 > https://id-management-1.internal.emerlyn.com/ipa/xml failed request,
 > will retry: 4001 (RPC failed at server.  ipa: Certificate Authority not
 > found).
 > stuck: no
 > key pair storage:
 > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
 > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
 > certificate:
 > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
 > Certificate DB'
 > CA: IPA
 > issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
 > subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
 > expires: 2017-01-16 16:21:20 UTC
 > key usage:
 > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
 > eku: id-kp-serverAuth,id-kp-clientAuth
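Alan's procedure above comes down to two invariants on the uid=ipara,ou=people,o=ipaca entry: userCertificate must hold the current ipaCert, and description must carry that certificate's serial number in decimal, which the CA log reports in hex. The script below is an added example, not part of the thread and not IPA's or Dogtag's code. It reads the rejected serial out of a CA log line of the kind Alan quotes, compares it with the description returned by ldapsearch, and emits the two LDIF modifications when they disagree. The log line, the LDAP entry and the PEM are constructed samples (the PEM body is filler, not a real certificate), and reusing the issuer and subject DNs from the old description assumes the renewed ipaCert keeps the same DNs.

```python
import re
from typing import Optional

# Constructed sample: a line of the kind the thread quotes from
# /var/log/pki/pki-tomcat/ca/system when the RA agent cert is rejected.
CA_LOG_LINE = (
    "0.http-bio-8443-exec-14 - [13/May/2015:22:04:26 CET] [6] [3] "
    "Cannot authenticate agent with certificate Serial 0xff90043"
)

# Constructed sample: what an ldapsearch of the ipara entry might print,
# deliberately carrying a stale serial so the check has something to find.
LDAP_ENTRY = """\
dn: uid=ipara,ou=people,o=ipaca
uid: ipara
description: 2;12345678;CN=Certificate Authority,O=EXAMPLE.LOCAL;CN=IPA RA,O=EXAMPLE.LOCAL
"""

# Constructed sample PEM; the body is filler base64, not a real certificate.
SAMPLE_PEM = """\
-----BEGIN CERTIFICATE-----
MIIBfake0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRST
UVWXYZ0123456789+/AAAA
-----END CERTIFICATE-----
"""

LOG_SERIAL_RE = re.compile(
    r"Cannot authenticate agent with certificate Serial 0x([0-9a-fA-F]+)"
)


def serial_from_log(line: str) -> Optional[int]:
    """Return the rejected serial from a CA log line as an int, or None."""
    m = LOG_SERIAL_RE.search(line)
    return int(m.group(1), 16) if m else None


def parse_description(value: str) -> dict:
    """Split '2;<serial>;<issuer DN>;<subject DN>' into its parts.

    DNs contain commas but never ';', so a 3-way split is safe.
    """
    version, serial, issuer, subject = value.split(";", 3)
    return {"version": version, "serial": int(serial),
            "issuer": issuer, "subject": subject}


def description_from_entry(entry_text: str) -> Optional[str]:
    """Pull the description attribute out of LDIF-style ldapsearch output."""
    for line in entry_text.splitlines():
        if line.startswith("description: "):
            return line[len("description: "):]
    return None


def check_agent_cert(entry_text: str, log_line: str) -> dict:
    """Compare the serial LDAP holds for ipara with the one the CA rejected."""
    desc = description_from_entry(entry_text)
    ldap_serial = parse_description(desc)["serial"] if desc else None
    log_serial = serial_from_log(log_line)
    return {"ldap_serial": ldap_serial, "log_serial": log_serial,
            "match": ldap_serial is not None and ldap_serial == log_serial}


def build_description(serial: int, issuer: str, subject: str) -> str:
    """Format the description value the thread's procedure expects."""
    return f"2;{serial};{issuer};{subject}"


def ldif_replace_description(serial: int, issuer: str, subject: str) -> str:
    """LDIF for the 'replace: description' step of the procedure."""
    return ("dn: uid=ipara,ou=people,o=ipaca\n"
            "changetype: modify\n"
            "replace: description\n"
            f"description: {build_description(serial, issuer, subject)}\n")


def strip_pem_armor(pem: str) -> str:
    """Same effect as the thread's sed '/^-.*/d' | tr -d '\\r\\n' pipeline."""
    body = [ln for ln in pem.splitlines() if not ln.startswith("-")]
    return "".join(body).replace("\r", "")


def ldif_replace_user_certificate(pem: str) -> str:
    """LDIF for the 'replace: userCertificate' step; '::' marks base64."""
    return ("dn: uid=ipara,ou=people,o=ipaca\n"
            "changetype: modify\n"
            "replace: userCertificate\n"
            f"userCertificate:: {strip_pem_armor(pem)}\n")


if __name__ == "__main__":
    result = check_agent_cert(LDAP_ENTRY, CA_LOG_LINE)
    print(result)
    if not result["match"] and result["log_serial"] is not None:
        old = parse_description(description_from_entry(LDAP_ENTRY))
        print(ldif_replace_description(result["log_serial"],
                                       old["issuer"], old["subject"]))
        print(ldif_replace_user_certificate(SAMPLE_PEM))
```

On a real server the PEM comes from the certutil pipeline Alan shows (strip_pem_armor mirrors its sed and tr stages) and the printed LDIF is what you would feed to ldapmodify, so the check runs before anything is changed and the serial in the description is derived from the log rather than typed by hand.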

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
I've followed the instructions related to my error here:
http://www.freeipa.org/page/Troubleshooting#PKI_Issues but I still haven't
found a solution.

Jeff

On Fri, Jan 6, 2017 at 4:05 PM, Jeff Goddard wrote:

> Alan,
>
> Thank you so VERY much. That resolved the issue for the CA signing
> certificate. However I'm still seeing
>
> ca-error: Server at
> "https://id-management-1.internal.emerlyn.com:8443/ca/agent/ca/profileProcess"
> replied: 1: Invalid Credential.
>
> On multiple requests which have expiration dates in the past. Is there
> something else I need to do?
>
> Jeff
>
> On Fri, Jan 6, 2017 at 3:56 PM, Alan Heverley wrote:
>
>> Looks like you need to get the PIN associated to the cert.
>>
>>  # grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf
>>
>> Then replace <PIN> with the PIN in the command above.
>>
>>  # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'caSigningCert
>> cert-pki-ca' -P <PIN> -c dogtag-ipa-ca-renew-agent
>>
>> On Fri, Jan 6, 2017 at 3:47 PM, Jeff Goddard wrote:
>>
>>> I think my problem is deeper than that. I was following this guide:
>>> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers
>>> and executed the commands related to having an external CA - which we do
>>> not have. I now get this message for the CA:
>>>
>>> Request ID '20170101055025':
>>> status: NEED_KEY_GEN_PIN
>>> stuck: yes
>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',pin set
>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer:
>>> subject:
>>> expires: unknown
>>> pre-save command:
>>> post-save command:
>>> track: yes
>>> auto-renew: yes
>>>
>>> Is there any way I can recover?
>>>
>>> Jeff
>>>
>>> On Fri, Jan 6, 2017 at 3:43 PM, Rob Crittenden wrote:
>>>
 Jeff Goddard wrote:
 > I've done this.
 > [root@id-management-1 ipa]# date
 > Sun Jan  1 01:12:27 EST 2017
 >
 >  getcert list gives me this as the first entry:
 >
 > Request ID '20150116162120':
 > status: CA_UNREACHABLE
 > ca-error: Server at
 > https://id-management-1.internal.emerlyn.com/ipa/xml failed request,
 > will retry: 4001 (RPC failed at server.  ipa: Certificate Authority not
 > found).
 > stuck: no
 > key pair storage:
 > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
 > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
 > certificate:
 > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
 > Certificate DB'
 > CA: IPA
 > issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
 > subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
 > expires: 2017-01-16 16:21:20 UTC
 > key usage:
 > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
 > eku: id-kp-serverAuth,id-kp-clientAuth
 > pre-save command:
 > post-save command: /usr/lib64/ipa/certmonger/restart_httpd
 > track: yes
 > auto-renew: yes
 >
 > Restarting certmonger multiple times doesn't help.

 Sorry, I missed a step. When you go back in time you first need to
 restart IPA. The CA isn't up.

 rob

 >
 > Jeff
 >
 >
 >
 >
 > On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden wrote:
 >
 > Jeff Goddard wrote:
 > > Flo,
 > >
 > > I'm not able to access the link you posted. I did find this thread
 > > though
 > >
 > > https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html
 > > and have set the time back and resubmitted a request. Still no
 > > success.
 > > Any further hints?
 >
 > You need to stop ntpd, go back in time to when the certs are valid and
 > restart the certmonger service.
 >
 > Then use getcert list to monitor things. You really only care about the
 > CA subsystem certs at this point.
 >
 > You may need to restart certmonger more than once to get all the
 

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
Alan,

Thank you so VERY much. That resolved the issue for the CA signing
certificate. However I'm still seeing

ca-error: Server at
"https://id-management-1.internal.emerlyn.com:8443/ca/agent/ca/profileProcess"
replied: 1: Invalid Credential.

On multiple requests which have expiration dates in the past. Is there
something else I need to do?

Jeff

On Fri, Jan 6, 2017 at 3:56 PM, Alan Heverley wrote:

> Looks like you need to get the PIN associated to the cert.
>
>  # grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf
>
> Then replace <PIN> with the PIN in the command above.
>
>  # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'caSigningCert
> cert-pki-ca' -P <PIN> -c dogtag-ipa-ca-renew-agent
>
> On Fri, Jan 6, 2017 at 3:47 PM, Jeff Goddard wrote:
>
>> I think my problem is deeper than that. I was following this guide:
>> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers
>> and executed the commands related to having an external CA - which we do
>> not have. I now get this message for the CA:
>>
>> Request ID '20170101055025':
>> status: NEED_KEY_GEN_PIN
>> stuck: yes
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',pin set
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer:
>> subject:
>> expires: unknown
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>>
>> Is there any way I can recover?
>>
>> Jeff
>>
>> On Fri, Jan 6, 2017 at 3:43 PM, Rob Crittenden wrote:
>>
>>> Jeff Goddard wrote:
>>> > I've done this.
>>> > [root@id-management-1 ipa]# date
>>> > Sun Jan  1 01:12:27 EST 2017
>>> >
>>> >  getcert list gives me this as the first entry:
>>> >
>>> > Request ID '20150116162120':
>>> > status: CA_UNREACHABLE
>>> > ca-error: Server at
>>> > https://id-management-1.internal.emerlyn.com/ipa/xml failed request,
>>> > will retry: 4001 (RPC failed at server.  ipa: Certificate Authority not
>>> > found).
>>> > stuck: no
>>> > key pair storage:
>>> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> > certificate:
>>> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>> > Certificate DB'
>>> > CA: IPA
>>> > issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>> > subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
>>> > expires: 2017-01-16 16:21:20 UTC
>>> > key usage:
>>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> > eku: id-kp-serverAuth,id-kp-clientAuth
>>> > pre-save command:
>>> > post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>> > track: yes
>>> > auto-renew: yes
>>> >
>>> > Restarting certmonger multiple times doesn't help.
>>>
>>> Sorry, I missed a step. When you go back in time you first need to
>>> restart IPA. The CA isn't up.
>>>
>>> rob
>>>
>>> >
>>> > Jeff
>>> >
>>> >
>>> >
>>> >
>>> > On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden wrote:
>>> >
>>> > Jeff Goddard wrote:
>>> > > Flo,
>>> > >
>>> > > I'm not able to access the link you posted. I did find this thread
>>> > > though
>>> > >
>>> > https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html
>>> > > and have set the time back and resubmitted a request. Still no
>>> > > success.
>>> > > Any further hints?
>>> >
>>> > You need to stop ntpd, go back in time to when the certs are valid and
>>> > restart the certmonger service.
>>> >
>>> > Then use getcert list to monitor things. You really only care about the
>>> > CA subsystem certs at this point.
>>> >
>>> > You may need to restart certmonger more than once to get all the certs
>>> > updated (you can manually call getcert resubmit -i <request-id> if you'd
>>> > prefer).
>>> >
>>> > Once that is done return to present day, restart ntpd then ipactl
>>> > restart.
>>> >
>>> > rob
>>> >

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Alan Heverley
Looks like you need to get the PIN associated to the cert.

 # grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf

Then replace <PIN> with the PIN in the command above.

 # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'caSigningCert
cert-pki-ca' -P <PIN> -c dogtag-ipa-ca-renew-agent

On Fri, Jan 6, 2017 at 3:47 PM, Jeff Goddard wrote:

> I think my problem is deeper than that. I was following this guide:
> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers
> and executed the commands related to having an external CA - which we do
> not have. I now get this message for the CA:
>
> Request ID '20170101055025':
> status: NEED_KEY_GEN_PIN
> stuck: yes
> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',pin set
> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
> CA: dogtag-ipa-ca-renew-agent
> issuer:
> subject:
> expires: unknown
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
>
> Is there any way I can recover?
>
> Jeff
>
> On Fri, Jan 6, 2017 at 3:43 PM, Rob Crittenden wrote:
>
>> Jeff Goddard wrote:
>> > I've done this.
>> > [root@id-management-1 ipa]# date
>> > Sun Jan  1 01:12:27 EST 2017
>> >
>> >  getcert list gives me this as the first entry:
>> >
>> > Request ID '20150116162120':
>> > status: CA_UNREACHABLE
>> > ca-error: Server at
>> > https://id-management-1.internal.emerlyn.com/ipa/xml failed request,
>> > will retry: 4001 (RPC failed at server.  ipa: Certificate Authority not
>> > found).
>> > stuck: no
>> > key pair storage:
>> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> > certificate:
>> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> > Certificate DB'
>> > CA: IPA
>> > issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>> > subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
>> > expires: 2017-01-16 16:21:20 UTC
>> > key usage:
>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> > eku: id-kp-serverAuth,id-kp-clientAuth
>> > pre-save command:
>> > post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>> > track: yes
>> > auto-renew: yes
>> >
>> > Restarting certmonger multiple times doesn't help.
>>
>> Sorry, I missed a step. When you go back in time you first need to
>> restart IPA. The CA isn't up.
>>
>> rob
>>
>> >
>> > Jeff
>> >
>> >
>> >
>> >
>> > On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden wrote:
>> >
>> > Jeff Goddard wrote:
>> > > Flo,
>> > >
>> > > I'm not able to access the link you posted. I did find this thread
>> > > though
>> > >
>> > https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html
>> > > and have set the time back and resubmitted a request. Still no
>> > success.
>> > > Any further hints?
>> >
>> > You need to stop ntpd, go back in time to when the certs are valid and
>> > restart the certmonger service.
>> >
>> > Then use getcert list to monitor things. You really only care about the
>> > CA subsystem certs at this point.
>> >
>> > You may need to restart certmonger more than once to get all the certs
>> > updated (you can manually call getcert resubmit -i <request-id> if you'd
>> > prefer).
>> >
>> > Once that is done return to present day, restart ntpd then ipactl
>> > restart.
>> >
>> > rob
>> >



-- 
Alan Heverley

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
I think my problem is deeper than that. I was following this guide:
http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers
and executed the commands related to having an external CA - which we do
not have. I now get this message for the CA:

Request ID '20170101055025':
status: NEED_KEY_GEN_PIN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes

Is there any way I can recover?

Jeff

On Fri, Jan 6, 2017 at 3:43 PM, Rob Crittenden wrote:

> Jeff Goddard wrote:
> > I've done this.
> > [root@id-management-1 ipa]# date
> > Sun Jan  1 01:12:27 EST 2017
> >
> >  getcert list gives me this as the first entry:
> >
> > Request ID '20150116162120':
> > status: CA_UNREACHABLE
> > ca-error: Server at
> > https://id-management-1.internal.emerlyn.com/ipa/xml failed request,
> > will retry: 4001 (RPC failed at server.  ipa: Certificate Authority not
> > found).
> > stuck: no
> > key pair storage:
> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate:
> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > Certificate DB'
> > CA: IPA
> > issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
> > subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
> > expires: 2017-01-16 16:21:20 UTC
> > key usage:
> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> > post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> > track: yes
> > auto-renew: yes
> >
> > Restarting certmonger multiple times doesn't help.
>
> Sorry, I missed a step. When you go back in time you first need to
> restart IPA. The CA isn't up.
>
> rob
>
> >
> > Jeff
> >
> >
> >
> >
> > On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden wrote:
> >
> > Jeff Goddard wrote:
> > > Flo,
> > >
> > > I'm not able to access the link you posted. I did find this thread
> > > though
> > >
> > https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html
> > > and have set the time back and resubmitted a request. Still no
> > success.
> > > Any further hints?
> >
> > You need to stop ntpd, go back in time to when the certs are valid
> and
> > restart the certmonger service.
> >
> > Then use getcert list to monitor things. You really only care about
> the
> > CA subsystem certs are this point.
> >
> > You may need to restart certmonger more than once to get all the
> certs
> > updated (you can manually call getcert resubmit -i  if you'd
> > prefer).
> >
> > Once that is done return to present day, restart ntpd then ipactl
> > restart.
> >
> > rob
> >
> >
> >
> >
> > --
> >
>
>


--
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Rob Crittenden
Jeff Goddard wrote:
> I've done this.
> [root@id-management-1 ipa]# date
> Sun Jan  1 01:12:27 EST 2017
> 
> getcert list gives me this as the first entry:
> 
> Request ID '20150116162120':
> status: CA_UNREACHABLE
> ca-error: Server at
> https://id-management-1.internal.emerlyn.com/ipa/xml failed request,
> will retry: 4001 (RPC failed at server.  ipa: Certificate Authority not
> found).
> stuck: no
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
> subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
> expires: 2017-01-16 16:21:20 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
> 
> Restarting certmonger multiple times doesn't help.

Sorry, I missed a step. When you go back in time you first need to
restart IPA. The CA isn't up.

rob



Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
I've done this.
[root@id-management-1 ipa]# date
Sun Jan  1 01:12:27 EST 2017

getcert list gives me this as the first entry:

Request ID '20150116162120':
status: CA_UNREACHABLE
ca-error: Server at
https://id-management-1.internal.emerlyn.com/ipa/xml failed request, will
retry: 4001 (RPC failed at server.  ipa: Certificate Authority not found).
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
expires: 2017-01-16 16:21:20 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes

Restarting certmonger multiple times doesn't help.

Jeff





Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Rob Crittenden
Jeff Goddard wrote:
> Flo,
> 
> I'm not able to access the link you posted. I did find this thread
> though
> https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html
> 
> and have set the time back and resubmitted a request. Still no success.
> Any further hints?

You need to stop ntpd, go back in time to when the certs are valid and
restart the certmonger service.

Then use getcert list to monitor things. You really only care about the
CA subsystem certs at this point.

You may need to restart certmonger more than once to get all the certs
updated (you can manually call getcert resubmit -i  if you'd prefer).

Once that is done return to present day, restart ntpd then ipactl restart.

rob



Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
Flo,

I'm not able to access the link you posted. I did find this thread though
https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html and
have set the time back and resubmitted a request. Still no success. Any
further hints?


Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Florence Blanc-Renaud

On 01/06/2017 05:36 PM, Jeff Goddard wrote:

Thanks Flo,

I was able to add the host to the keytab once I found the correct
command and then was able to issue

[root@id-management-1 pki-tomcat]# ipa-cacert-manage renew
Renewing CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful


Hi Jeff,

the "ipa-cacert-manage renew" command renews the CA certificate (the one 
with the alias caSigningCert cert-pki-ca) but not the expired ones. You 
need to follow the instructions linked in my previous e-mail to fix them 
first, basically go back in time by setting the system clock time and 
let certmonger renew them.


HTH,
Flo.



Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
Thanks Flo,

I was able to add the host to the keytab once I found the correct command
and then was able to issue

[root@id-management-1 pki-tomcat]# ipa-cacert-manage renew
Renewing CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful

But the pki-tomcat still fails to start. From the logs I get:

[root@id-management-1 pki-tomcat]# cat localhost.2017-01-06.log  |less
Jan 06, 2017 7:23:44 AM org.apache.catalina.core.ApplicationContext log
SEVERE: StandardWrapper.Throwable
java.lang.NullPointerException
at com.netscape.cmscore.selftests.SelfTestSubsystem.shutdown(SelfTestSubsystem.java:1886)
at com.netscape.cmscore.apps.CMSEngine.shutdownSubsystems(CMSEngine.java:2115)
at com.netscape.cmscore.apps.CMSEngine.shutdown(CMSEngine.java:2010)
at com.netscape.certsrv.apps.CMS.shutdown(CMS.java:233)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1625)
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)

I found this thread: https://www.redhat.com/archives/freeipa-users/2016-February/msg00125.html
but I don't have self-test logs from today, only from yesterday. Here are
the relevant debug logs from the most recent restart:

06/Jan/2017:11:13:55][localhost-startStop-1]:

[06/Jan/2017:11:13:55][localhost-startStop-1]: =  DEBUG SUBSYSTEM INITIALIZED   ===
[06/Jan/2017:11:13:55][localhost-startStop-1]:

[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: done init id=debug
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initialized debug
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: initSubsystem id=log
[06/Jan/2017:11:13:55][localhost-startStop-1]: CMSEngine: ready to init id=log

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Florence Blanc-Renaud

On 01/06/2017 04:47 PM, Jeff Goddard wrote:


Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
Sorry for the typo. Here is the correct output:
ldapsearch -h id-management-1.internal.emerlyn.com
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:




When I look at the certificates I get errors regarding a host service in
the keytab. Here is the output:

[root@id-management-1 ca]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20150116161829':
status: MONITORING
ca-error: Error setting up ccache for "host" service on client using default keytab: Keytab contains no suitable keys for host/id-management-1.internal.emerlyn@internal.emerlyn.com.
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-INTERNAL-EMERLYN-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-INTERNAL-EMERLYN-COM/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-INTERNAL-EMERLYN-COM',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
expires: 2017-01-16 16:18:29 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv INTERNAL-EMERLYN-COM
track: yes
auto-renew: yes
Request ID '20150116162120':
status: MONITORING
ca-error: Error setting up ccache for "host" service on client using default keytab: Keytab contains no suitable keys for host/id-management-1.internal.emerlyn@internal.emerlyn.com.
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
expires: 2017-01-16 16:21:20 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Request ID '20151217174142':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
subject: CN=CA Audit,O=INTERNAL.EMERLYN.COM
expires: 2017-01-05 16:18:01 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20151217174143':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
subject: CN=OCSP Subsystem,O=INTERNAL.EMERLYN.COM
expires: 2017-01-05 16:17:58 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20151217174144':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
subject: CN=CA Subsystem,O=INTERNAL.EMERLYN.COM
expires: 2017-01-05 16:17:59 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku:

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Rob Crittenden
Jeff Goddard wrote:
> My environment is freeipa 4.4; centos 7.3. This system was upgraded as
> of yesterday afternoon. I'm unable to start pki-tomcat. The debug log
> shows this entry:
> 
> Internal Database Error encountered: Could not connect to LDAP server
> host id-management-1.internal.emerlyn.com port 636 Error
> netscape.ldap.LDAPException: Authentication failed (48)
> at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
> at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
> at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
> at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
> at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
> at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
> at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
> at javax.servlet.GenericServlet.init(GenericServlet.java:158)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
> at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
> at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
> at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
> at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
> at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
> at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
> at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
> at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
> at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
> at java.security.AccessController.doPrivileged(Native Method)
> at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
> at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
> at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
> at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> 
> 
> I'm able to get a Kerberos ticket using kinit but ldap search gives this
> error:
> 
>  ldapsearch -h id-manaement-1.internal.emerlyn.com -x -b
> "cn=CAcert,cn=ipa,cn=etc,dc=internal,dc=emerlyn,dc=com"
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>  
> adding the -d1 debugging tag results in:
> 
> ldap_create
> ldap_url_parse_ext(ldap://id-manaement-1.internal.emerlyn.com)
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP id-manaement-1.internal.emerlyn.com:389
> ldap_connect_to_host: getaddrinfo failed: Name or service not known
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> 
> I'm able to resolve the hostname via nslookup and /etc/hosts has the
> correct mapping entry.
> 
> I'm kind of lost at this point and could use some help.
> 
> Thanks in advance.

You have a typo in the hostname you're trying to connect to, missing the
'g' in management.

I have a vague memory from other reports of this issue that the problem
may be that the value of the certificate(s) in CS.cfg is 

[Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
My environment is freeipa 4.4; centos 7.3. This system was upgraded as of
yesterday afternoon. I'm unable to start pki-tomcat. The debug log shows
this entry:

Internal Database Error encountered: Could not connect to LDAP server host
id-management-1.internal.emerlyn.com port 636 Error
netscape.ldap.LDAPException: Authentication failed (48)
at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
at
com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
at
com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
at
com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
at
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
at
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
at
org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
at
org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
at
org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
at
org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
at
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
at
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
at
org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
at
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
at
org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
at
org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)


I'm able to get a Kerberos ticket using kinit but ldap search gives this
error:

 ldapsearch -h id-manaement-1.internal.emerlyn.com -x -b
"cn=CAcert,cn=ipa,cn=etc,dc=internal,dc=emerlyn,dc=com"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

adding the -d1 debugging tag results in:

ldap_create
ldap_url_parse_ext(ldap://id-manaement-1.internal.emerlyn.com)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP id-manaement-1.internal.emerlyn.com:389
ldap_connect_to_host: getaddrinfo failed: Name or service not known
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I'm able to resolve the hostname via nslookup and /etc/hosts has the
correct mapping entry.

I'm kind of lost at this point and could use some help.

Thanks in advance.



Jeff
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project