[Freeipa-users] Re: pki-tomcatd not starting

2024-05-22 Thread girish f via FreeIPA-users
Hi Omar,

Can you help me with a similar issue?

My httpd.crt is expired. I have a new one ready, but my tomcatd works if I
change the date back in time, and with the current date it fails.

Regards,
--
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


[Freeipa-users] Re: pki-tomcatd not starting

2024-03-12 Thread Omar via FreeIPA-users
Rob and Flo,

I got it working now. I had to convert my crt to a PKCS#12 file in order to
add it. All good now. Thanks,

//omar

On Tue, Mar 12, 2024 at 2:56 PM Rob Crittenden  wrote:

> Omar wrote:
> > roger that.  I thought about doing the:
> > ipa-cacert-manager, but that would be wrong, correct?
>
> Correct, assuming your updated cert is from the same CA.
>
> >
> > if I do the ipa-server-certinstall, do I need to specify either -d / -w
> > / or -k?  Thanks,
>
> You want -d (directory server)
>
> rob
>

[Freeipa-users] Re: pki-tomcatd not starting

2024-03-12 Thread Omar via FreeIPA-users
What flag should I use to specify the cert.key file?

On Tue, Mar 12, 2024 at 2:56 PM Rob Crittenden  wrote:

> Omar wrote:
> > roger that.  I thought about doing the:
> > ipa-cacert-manager, but that would be wrong, correct?
>
> Correct, assuming your updated cert is from the same CA.
>
> >
> > if I do the ipa-server-certinstall, do I need to specify either -d / -w
> > / or -k?  Thanks,
>
> You want -d (directory server)
>
> rob
>

[Freeipa-users] Re: pki-tomcatd not starting

2024-03-12 Thread Omar via FreeIPA-users
Hey Rob,

Have you seen this before?:
ipa-server-certinstall -p  -d --cert-name=ldap ./ldap.app.uaap.maxar.com.crt
Enter private key unlock password:

*No server certificates found in ./ldap.app.uaap.maxar.com.crt*
The ipa-server-certinstall command failed.

On Tue, Mar 12, 2024 at 2:56 PM Rob Crittenden  wrote:

> Omar wrote:
> > roger that.  I thought about doing the:
> > ipa-cacert-manager, but that would be wrong, correct?
>
> Correct, assuming your updated cert is from the same CA.
>
> >
> > if I do the ipa-server-certinstall, do I need to specify either -d / -w
> > / or -k?  Thanks,
>
> You want -d (directory server)
>
> rob
>

[Freeipa-users] Re: pki-tomcatd not starting

2024-03-12 Thread Rob Crittenden via FreeIPA-users
Omar wrote:
> roger that.  I thought about doing the:
> ipa-cacert-manager, but that would be wrong, correct?

Correct, assuming your updated cert is from the same CA.

> 
> if I do the ipa-server-certinstall, do I need to specify either -d / -w
> / or -k?  Thanks,

You want -d (directory server)

rob


[Freeipa-users] Re: pki-tomcatd not starting

2024-03-12 Thread Omar via FreeIPA-users
roger that.  I thought about doing the:
ipa-cacert-manager, but that would be wrong, correct?

if I do the ipa-server-certinstall, do I need to specify either -d / -w /
or -k?  Thanks,

On Tue, Mar 12, 2024 at 2:41 PM Rob Crittenden  wrote:

> Omar via FreeIPA-users wrote:
> > okay, so I think you found the issue:
> >
> > $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US' | grep Not
> >             Not Before: Fri Jan 06 19:36:22 2023
> >             Not After : Sat Jan 06 19:36:22 2024
> >
> > Where's the actual location of the server certificate?  Thanks,
>
> It is stored in the NSS database at /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM
>
> You should be able to use ipa-server-certinstall to add a renewed
> certificate in a similar way that this one was added.
>
> rob
>

[Freeipa-users] Re: pki-tomcatd not starting

2024-03-12 Thread Rob Crittenden via FreeIPA-users
Omar via FreeIPA-users wrote:
> okay, so I think you found the issue:
> 
> $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US' | grep Not
>             Not Before: Fri Jan 06 19:36:22 2023
>             Not After : Sat Jan 06 19:36:22 2024
> 
> Where's the actual location of the server certificate?  Thanks,

It is stored in the NSS database at /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM

You should be able to use ipa-server-certinstall to add a renewed
certificate in a similar way that this one was added.

rob


[Freeipa-users] Re: pki-tomcatd not starting

2024-03-12 Thread Omar via FreeIPA-users
okay, so I think you found the issue:

$ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US' | grep Not
            Not Before: Fri Jan 06 19:36:22 2023
            Not After : Sat Jan 06 19:36:22 2024

Where's the actual location of the server certificate?  Thanks,


On Tue, Mar 12, 2024 at 1:47 PM Florence Blanc-Renaud 
wrote:

> Hi,
>
> On Tue, Mar 12, 2024 at 1:49 PM Omar Pagan via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> [root @ ldap01]
>> $ openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt | grep Not
>> Not Before: Jan 12 15:30:18 2024 GMT
>> Not After : Jan 11 15:30:18 2025 GMT
>>
> So httpd server cert is still valid.
>
>
>> also, am I looking at the correct one here?:
>> [root @ ldap01]
>> $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM/
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> APP.UAAP.MAXAR.COM IPA CA                                    CT,C,C
>>
> ^^ this one is IPA CA, not the server certificate for LDAP.
>
>> CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com            C,,
>> CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com            C,,
>> CN=Maxar Policy CA East,DC=Maxar,DC=com                      C,,
>> CN=Maxar Policy CA West,DC=Maxar,DC=com                      C,,
>> CN=Maxar Root CA,CN=Maxar,CN=com                             C,,
>> CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US u,u,u
>>
>> [root @ ldap01]
>> $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n 'APP.UAAP.MAXAR.COM IPA CA' | grep Not
>>             Not Before: Thu Feb 02 14:06:44 2023
>>             Not After : Mon Feb 02 14:06:44 2043
>>
> Based on the nicknames, I would check 
> 'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
> Technologies Inc,L=Herndon,ST=Virginia,C=US' but you can verify the cert
> name in /etc/dirsrv/slapd-YOURDOMAIN/dse.ldif. The nickname is stored in
> the entry cn=RSA,cn=encryption,cn=config in the attribute
> nsSSLPersonalitySSL.
> For instance in my server I have:
>
> dn: cn=RSA,cn=encryption,cn=config
> cn: RSA
> modifiersName: cn=Directory Manager
> modifyTimestamp: 20220121155703Z
> nsSSLActivation: on
> *nsSSLPersonalitySSL: Server-Cert*
> nsSSLToken: internal (software)
> objectClass: top
> objectClass: nsEncryptionModule
>
> HTH,
> flo
>
>


[Freeipa-users] Re: pki-tomcatd not starting

2024-03-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

On Tue, Mar 12, 2024 at 1:49 PM Omar Pagan via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> [root @ ldap01]
> $ openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt | grep Not
> Not Before: Jan 12 15:30:18 2024 GMT
> Not After : Jan 11 15:30:18 2025 GMT
>
So httpd server cert is still valid.


> also, am I looking at the correct one here?:
> [root @ ldap01]
> $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> APP.UAAP.MAXAR.COM IPA CA                                    CT,C,C
>
^^ this one is IPA CA, not the server certificate for LDAP.

> CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com            C,,
> CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com            C,,
> CN=Maxar Policy CA East,DC=Maxar,DC=com                      C,,
> CN=Maxar Policy CA West,DC=Maxar,DC=com                      C,,
> CN=Maxar Root CA,CN=Maxar,CN=com                             C,,
> CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US u,u,u
>
> [root @ ldap01]
> $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n 'APP.UAAP.MAXAR.COM IPA CA' | grep Not
>             Not Before: Thu Feb 02 14:06:44 2023
>             Not After : Mon Feb 02 14:06:44 2043
>
Based on the nicknames, I would check
'CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar
Technologies Inc,L=Herndon,ST=Virginia,C=US' but you can verify the cert
name in /etc/dirsrv/slapd-YOURDOMAIN/dse.ldif. The nickname is stored in
the entry cn=RSA,cn=encryption,cn=config in the attribute
nsSSLPersonalitySSL.
For instance in my server I have:

dn: cn=RSA,cn=encryption,cn=config
cn: RSA
modifiersName: cn=Directory Manager
modifyTimestamp: 20220121155703Z
nsSSLActivation: on
*nsSSLPersonalitySSL: Server-Cert*
nsSSLToken: internal (software)
objectClass: top
objectClass: nsEncryptionModule

HTH,
flo




[Freeipa-users] Re: pki-tomcatd not starting

2024-03-12 Thread Omar Pagan via FreeIPA-users
[root @ ldap01] 
$ openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt | grep Not
Not Before: Jan 12 15:30:18 2024 GMT
Not After : Jan 11 15:30:18 2025 GMT

also, am I looking at the correct one here?:
[root @ ldap01] 
$ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

APP.UAAP.MAXAR.COM IPA CA                                    CT,C,C
CN=Maxar DS Issuing CA East,DC=DS,DC=Maxar,DC=com            C,,
CN=Maxar DS Issuing CA West,DC=DS,DC=Maxar,DC=com            C,,
CN=Maxar Policy CA East,DC=Maxar,DC=com                      C,,
CN=Maxar Policy CA West,DC=Maxar,DC=com                      C,,
CN=Maxar Root CA,CN=Maxar,CN=com                             C,,
CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar Technologies Inc,L=Herndon,ST=Virginia,C=US u,u,u

[root @ ldap01]
$ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n 'APP.UAAP.MAXAR.COM IPA CA' | grep Not
            Not Before: Thu Feb 02 14:06:44 2023
            Not After : Mon Feb 02 14:06:44 2043


[Freeipa-users] Re: pki-tomcatd not starting

2024-03-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

in your first email you pasted the output of getcert list, and it's
reporting only 7 certificates. It's likely that your server is using
certmonger for the pkinit cert, the 5 certs for PKI and the RA cert,
meaning that the HTTP and LDAP server certificates are externally signed
and not tracked by certmonger.

You need to check the LDAP server cert:
certutil -L -d /etc/dirsrv/slapd-YOUR-DOMAIN -n 'Server-Cert'
and the HTTP server cert:
openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt

If they are expired they need to be renewed with your external CA and
replaced.
flo

On Tue, Mar 12, 2024 at 3:27 AM Omar Pagan via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> and this is from the ca/debug file:
> 2024-03-12 02:18:41 [main] SEVERE: Unable to start CA engine: Unable to
> connect to LDAP server: Unable to create socket:
> org.mozilla.jss.ssl.SSLSocketException:
> org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8181)
> Peer's Certificate has expired.
> Unable to connect to LDAP server: Unable to create socket:
> org.mozilla.jss.ssl.SSLSocketException:
> org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8181)
> Peer's Certificate has expired.
> at
> com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:305)
> at
> com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:263)
> at
> com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:226)
> at
> com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:195)
> at org.dogtagpki.server.ca
> .CAEngine.initDatabase(CAEngine.java:199)
> at com.netscape.cmscore.apps.CMSEngine.start(CMSEngine.java:1105)
> at
> com.netscape.cmscore.apps.CMSEngine.contextInitialized(CMSEngine.java:1688)
> at
> org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4685)
> at
> org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5146)
> at
> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> at
> org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717)
> at
> org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
> at
> org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
> at
> org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
> at java.security.AccessController.doPrivileged(Native Method)
> at
> org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:688)
> at
> org.apache.catalina.core.StandardHost.addChild(StandardHost.java:705)
> at
> org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:631)
> at
> org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1831)
> at
> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> at
> org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
> at
> java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:112)
> at
> org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:526)
> at
> org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:425)
> at
> org.apache.catalina.startup.HostConfig.start(HostConfig.java:1576)
> at
> org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:309)
> at
> org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
> at
> org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
> at
> org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
> at
> org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:936)
> at
> org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:841)
> at
> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> at
> org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1384)
> at
> org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1374)
> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> at
> org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
> at
> java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:134)
> at
> org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:909)
> at
> org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:262)
> at
> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>
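As an added example (not code from this thread or from FreeIPA), the Python script below automates the check Flo describes: it parses the Not Before / Not After lines printed by `certutil -L -d <nssdb> -n <nickname>` and `openssl x509 -noout -text`, flags certificates that are expired or about to expire, and marks which nicknames `getcert list` tracks, so externally signed HTTP and LDAP certificates that certmonger will never renew stand out. The tool output embedded in it is constructed sample data, and the reference time is the ca/debug timestamp quoted above.

```python
"""Flag expired and certmonger-untracked FreeIPA service certificates.

Added example for this thread (not FreeIPA code, not any poster's code).
Parses the "Not Before"/"Not After" lines printed by
`certutil -L -d <nssdb> -n <nickname>` and `openssl x509 -noout -text`, and
marks nicknames that `getcert list` tracks. Sample output is constructed.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

# certutil prints "Not After : Sat Jan 06 19:36:22 2024" (UTC, no zone name);
# openssl prints  "Not After : Jan 11 15:30:18 2025 GMT".
VALIDITY_RE = re.compile(r"Not\s+(Before|After)\s*:\s*(.+?)\s*$", re.M)
DATE_FORMATS = ("%a %b %d %H:%M:%S %Y", "%b %d %H:%M:%S %Y %Z")
# getcert list: "certificate: type=NSSDB,location='...',nickname='X',token=..."
TRACKED_RE = re.compile(r"^\s*certificate:.*?nickname='([^']*)'", re.M)
# Reference time taken from the ca/debug timestamp quoted in the thread.
NOW_EXAMPLE = datetime(2024, 3, 12, 2, 18, 41, tzinfo=timezone.utc)


class CertStatus(NamedTuple):
    name: str
    not_after: datetime
    state: str      # "expired", "expiring" or "valid"
    tracked: bool   # True when certmonger has a request for this nickname


def parse_date(text: str) -> datetime:
    """Parse either tool's validity date; both tools print UTC."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised validity date: {text!r}")


def parse_validity(output: str) -> tuple[datetime, datetime]:
    """Return (not_before, not_after) from certutil or openssl -text output."""
    found = {m.group(1): parse_date(m.group(2)) for m in VALIDITY_RE.finditer(output)}
    if set(found) != {"Before", "After"}:
        raise ValueError("output lacks Not Before / Not After lines")
    return found["Before"], found["After"]


def tracked_nicknames(getcert_output: str) -> set[str]:
    """Nicknames certmonger renews, taken from `getcert list` output."""
    return set(TRACKED_RE.findall(getcert_output))


def classify(not_after: datetime, now: datetime, warn_days: int = 30) -> str:
    if not_after <= now:
        return "expired"
    if not_after - now <= timedelta(days=warn_days):
        return "expiring"
    return "valid"


def check_certs(cert_outputs: dict[str, str], getcert_output: str,
                now: datetime, warn_days: int = 30) -> list[CertStatus]:
    """cert_outputs maps a nickname or file name to its certutil/openssl output."""
    tracked = tracked_nicknames(getcert_output)
    results = []
    for name, output in cert_outputs.items():
        _, not_after = parse_validity(output)
        state = classify(not_after, now, warn_days)
        results.append(CertStatus(name, not_after, state, name in tracked))
    return results


# Constructed sample output: an externally signed LDAP Server-Cert that expired
# in January, a renewed httpd.crt, and the certmonger-tracked CA signing cert.
SAMPLE_CERTS = {
    "Server-Cert": "Not Before: Fri Jan 06 19:36:22 2023\n"
                   "Not After : Sat Jan 06 19:36:22 2024\n",
    "httpd.crt": "Not Before: Jan 12 15:30:18 2024 GMT\n"
                 "Not After : Jan 11 15:30:18 2025 GMT\n",
    "caSigningCert cert-pki-ca": "Not Before: Thu Feb 02 14:06:44 2023\n"
                                 "Not After : Mon Feb 02 14:06:44 2043\n",
}
SAMPLE_GETCERT = (
    "Request ID '20230202140644':\n"
    "\tstatus: MONITORING\n"
    "\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',"
    "nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'\n"
    "\texpires: 2043-02-02 14:06:44 UTC\n"
)


def run_example() -> list[CertStatus]:
    return check_certs(SAMPLE_CERTS, SAMPLE_GETCERT, NOW_EXAMPLE)


if __name__ == "__main__":
    for c in run_example():
        note = "" if c.tracked else " (not tracked by certmonger; renew with the external CA)"
        print(f"{c.name:28s} {c.state:9s} not after {c.not_after:%Y-%m-%d}{note}")
```

On a live server, feed it the real `certutil -L -d /etc/dirsrv/slapd-YOUR-DOMAIN -n 'Server-Cert'`, `openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt` and `getcert list` output instead of the constructed samples.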

[Freeipa-users] Re: pki-tomcatd not starting

2024-03-11 Thread Omar Pagan via FreeIPA-users
and this is from the ca/debug file:
2024-03-12 02:18:41 [main] SEVERE: Unable to start CA engine: Unable to connect to LDAP server: Unable to create socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8181) Peer's Certificate has expired.
Unable to connect to LDAP server: Unable to create socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8181) Peer's Certificate has expired.
at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:305)
at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:263)
at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:226)
at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:195)
at org.dogtagpki.server.ca.CAEngine.initDatabase(CAEngine.java:199)
at com.netscape.cmscore.apps.CMSEngine.start(CMSEngine.java:1105)
at com.netscape.cmscore.apps.CMSEngine.contextInitialized(CMSEngine.java:1688)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4685)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5146)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717)
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:688)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:705)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:631)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1831)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:112)
at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:526)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:425)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1576)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:309)
at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:936)
at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:841)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1384)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1374)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:134)
at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:909)
at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:262)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.StandardService.startInternal(StandardService.java:421)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.startup.Catalina.start(Catalina.java:633)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
at 

[Freeipa-users] Re: pki-tomcatd not starting

2024-03-11 Thread Omar Pagan via FreeIPA-users
also, here is more in the journal:

-- Logs begin at Mon 2024-03-11 19:39:50 UTC, end at Tue 2024-03-12 02:11:21 
UTC. --
Mar 11 19:40:19 ldap01.app.uaap.maxar.com systemd[1]: Starting PKI Tomcat 
Server pki-tomcat...
Mar 11 19:40:22 ldap01.app.uaap.maxar.com server[1937]: Java virtual machine 
used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Mar 11 19:40:22 ldap01.app.uaap.maxar.com server[1937]: classpath used: 
/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/ant.jar:/usr/share/java/ant-launcher.jar:/usr/lib/jvm/java/lib/tools.jar
Mar 11 19:40:22 ldap01.app.uaap.maxar.com server[1937]: main class used: 
org.apache.catalina.startup.Bootstrap
Mar 11 19:40:22 ldap01.app.uaap.maxar.com server[1937]: flags used: 
-Dcom.redhat.fips=false
Mar 11 19:40:22 ldap01.app.uaap.maxar.com server[1937]: options used: 
-Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat 
-Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp 
-Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties 
-Dj>
Mar 11 19:40:22 ldap01.app.uaap.maxar.com server[1937]: arguments used: start
Mar 11 19:40:22 ldap01.app.uaap.maxar.com ipa-pki-wait-running[1938]: 
pki.client: /usr/libexec/ipa/ipa-pki-wait-running:64: The subsystem in 
PKIConnection.__init__() has been deprecated 
(https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes).
Mar 11 19:40:22 ldap01.app.uaap.maxar.com ipa-pki-wait-running[1938]: 
ipa-pki-wait-running: Created connection 
http://ldap01.app.uaap.maxar.com:8080/ca
Mar 11 19:40:22 ldap01.app.uaap.maxar.com ipa-pki-wait-running[1938]: 
ipa-pki-wait-running: Connection failed: 
HTTPConnectionPool(host='ldap01.app.uaap.maxar.com', port=8080): Max retries 
exceeded with url: /ca/admin/ca/getStatus (Caused by 
NewConnectionError('
Mar 11 19:40:23 ldap01.app.uaap.maxar.com server[1937]: WARNING: Some of the 
specified [protocols] are not supported by the SSL engine and have been 
skipped: [[TLSv1, TLSv1.1]]
Mar 11 19:40:24 ldap01.app.uaap.maxar.com ipa-pki-wait-running[1938]: 
ipa-pki-wait-running: Connection failed: 
HTTPConnectionPool(host='ldap01.app.uaap.maxar.com', port=8080): Read timed 
out. (read timeout=1.0)
Mar 11 19:40:26 ldap01.app.uaap.maxar.com server[1937]: SEVERE: One or more 
listeners failed to start. Full details will be found in the appropriate 
container log file
Mar 11 19:40:26 ldap01.app.uaap.maxar.com server[1937]: SEVERE: Context [/ca] 
startup failed due to previous errors
Mar 11 19:40:26 ldap01.app.uaap.maxar.com ipa-pki-wait-running[1938]: 
ipa-pki-wait-running: Connection failed: 
HTTPConnectionPool(host='ldap01.app.uaap.maxar.com', port=8080): Read timed 
out. (read timeout=1.0)
Mar 11 19:40:27 ldap01.app.uaap.maxar.com server[1937]: SEVERE: One or more 
listeners failed to start. Full details will be found in the appropriate 
container log file
Mar 11 19:40:27 ldap01.app.uaap.maxar.com server[1937]: SEVERE: Context [/acme] 
startup failed due to previous errors
Mar 11 19:40:27 ldap01.app.uaap.maxar.com ipa-pki-wait-running[1938]: 
ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error:  for url: 
http://ldap01.app.uaap.maxar.com:8080/ca/admin/ca/getStatus
Mar 11 19:40:28 ldap01.app.uaap.maxar.com ipa-pki-wait-running[1938]: 
ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error:  for url: 
http://ldap01.app.uaap.maxar.com:8080/ca/admin/ca/getStatus


[Freeipa-users] Re: pki-tomcatd not starting

2024-03-11 Thread Omar Pagan via FreeIPA-users
[root @ ldap01] /home/rocky
$ ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
1 service(s) are not running

starting ipa is failing for the pki-tomcatd, here are the errors I'm seeing:
Mar 12 02:10:02 ldap01.app.uaap.maxar.com ipa-pki-wait-running[8783]: 
ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error:  for url: 
http://ldap01.app.uaap.maxar.com:8080/ca/admin/ca/getStat>
Mar 12 02:10:03 ldap01.app.uaap.maxar.com ipa-pki-wait-running[8783]: 
ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error:  for url: 
http://ldap01.app.uaap.maxar.com:8080/ca/admin/ca/getStat>
Mar 12 02:10:04 ldap01.app.uaap.maxar.com ipa-pki-wait-running[8783]: 
ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error:  for url: 
http://ldap01.app.uaap.maxar.com:8080/ca/admin/ca/getStat>
Mar 12 02:10:05 ldap01.app.uaap.maxar.com ipa-pki-wait-running[8783]: 
ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error:  for url: 
http://ldap01.app.uaap.maxar.com:8080/ca/admin/ca/getStat>
Mar 12 02:10:06 ldap01.app.uaap.maxar.com ipa-pki-wait-running[8783]: 
ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error:  for url: 
http://ldap01.app.uaap.maxar.com:8080/ca/admin/ca/getStat>
Mar 12 02:10:07 ldap01.app.uaap.maxar.com ipa-pki-wait-running[8783]: 
ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error:  for url: 
http://ldap01.app.uaap.maxar.com:8080/ca/admin/ca/getStat>
Mar 12 02:10:08 ldap01.app.uaap.maxar.com systemd[1]: 
pki-tomcatd@pki-tomcat.service: Start-post operation timed out. Stopping.
Mar 12 02:10:08 ldap01.app.uaap.maxar.com systemd[1]: 
pki-tomcatd@pki-tomcat.service: Failed with result 'timeout'.
Mar 12 02:10:08 ldap01.app.uaap.maxar.com systemd[1]: Failed to start PKI 
Tomcat Server pki-tomcat.

$ ipa cert-find --sizelimit 10
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate 
with CMS (503)

The catalina logs are empty, but when I run the 'ipactl start' I see port 8080 
running, not sure why it can't connect.  Thoughts? 


[Freeipa-users] Re: pki-tomcatd not starting

2024-03-11 Thread Rob Crittenden via FreeIPA-users
Omar Pagan via FreeIPA-users wrote:
> Hello,
> 
> I came back from vacation and noticed that the pki-tomcatd was not running.  
> All other services are running fine, I can kinit admin and search for users, 
> I can also log into the UI and see everything.  When I try to start the 
> service I see the following errors:
> Mar 11 20:44:44 ldap01.app.uaap.maxar.com ipa-pki-wait-running[7903]: 
> ipa-pki-wait-running: Request failed unexpectedly, 404 Client Error:  for 
> url: http://ldap01.app.uaap.maxar.com:8080/ca/admin/ca/getStat>
> Mar 11 20:44:44 ldap01.app.uaap.maxar.com systemd[1]: 
> pki-tomcatd@pki-tomcat.service: Start-post operation timed out. Stopping.
> 
> I have checked all the certs and everything is in order:
> $ getcert list | grep expire
>   expires: 2025-01-22 14:07:35 UTC
>   expires: 2025-01-22 14:06:46 UTC
>   expires: 2025-01-22 14:06:45 UTC
>   expires: 2025-01-22 14:06:45 UTC
>   expires: 2043-02-02 14:06:44 UTC
>   expires: 2025-01-22 14:06:45 UTC
>   expires: 2025-02-02 14:08:10 UTC
> 
> I also have checked this:
> $ klist -ekt /etc/dirsrv/ds.keytab
> Keytab name: FILE:/etc/dirsrv/ds.keytab
> KVNO Timestamp   Principal
>  --- 
> --
>2 02/02/2023 14:06:06 ldap/ldap01.app.uaap.maxar@app.uaap.maxar.com 
> (aes256-cts-hmac-sha1-96)
>2 02/02/2023 14:06:06 ldap/ldap01.app.uaap.maxar@app.uaap.maxar.com 
> (aes128-cts-hmac-sha1-96)
>2 02/02/2023 14:06:06 ldap/ldap01.app.uaap.maxar@app.uaap.maxar.com 
> (aes128-cts-hmac-sha256-128)
>2 02/02/2023 14:06:06 ldap/ldap01.app.uaap.maxar@app.uaap.maxar.com 
> (aes256-cts-hmac-sha384-192)
>2 02/02/2023 14:06:06 ldap/ldap01.app.uaap.maxar@app.uaap.maxar.com 
> (camellia128-cts-cmac)
>2 02/02/2023 14:06:06 ldap/ldap01.app.uaap.maxar@app.uaap.maxar.com 
> (camellia256-cts-cmac)
> 
> not sure if that's correct or not.  Please help, I don't see why pki-tomcatd 
> would just die on me for no reason.  I haven't run any updates / upgrades on 
> the system and it was working fine before I left.  Thanks

The keytab is unrelated.

I'd start with: ipactl status

Confirm that it isn't running. Then try ipactl start and it will try to
restart it. Maybe it was reaped by the OOM killer. The journal should
tell you.

If it starts then ipa cert-find --sizelimit 10 is a pretty lightweight
way to confirm that it is reachable and at least sort of working.

Otherwise PKI runs as a webapp so a 404 means it wasn't loaded by
tomcat. I'd suggest checking the logs in /var/log/pki. There may be
something in catalina or in ca/debug-. The latter most likely. Be
wary that there be dragons. PKI often charges on after hitting an error
so the last one is often a red herring.

rob


[Freeipa-users] Re: pki-tomcatd not starting

2020-08-15 Thread Scott Z. via FreeIPA-users
... and just to show that I am a man of my word...

Thanks again for all the help guys!
Scott

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-13 Thread Scott Z. via FreeIPA-users
Taking it from the top again this morning 
1) Stopped NTPD
2) Checked status of certmonger (running, several "Error 60 connecting to 
: Peer certificate cannot be authenticated with given CA certificates)
3) Checked that debug.level=0 in CS.cfg (it was already set there)
4) Checked the 'not after' dates for auditSigningCert, ocspSigningCert, 
subsystemSigningCert, and Server-Cert... all are still valid except for 
Server-Cert (Not After Sep. 26 2019), so I set the system date back to Sept. 
25, 2019.
5) Stopped all ipa services (ipactl stop)
6) Restarted IPA services manually in the specified order (dirsrv@domain, 
krb5kdc, kadmin, named-pkcs11, httpd, pki-tomcatd@pki-tomcat)
7) Checked the status of all those services to make sure they were showing the 
new, older date of Sept. 25, 2019.
8) Ran the curl command to make sure it would work (curl --cacert 
/etc/ipa/ca.crt -v https://`hostname`:8443/ca/ee/ca/getCertChain)
9) Ran "ipa-getcert resubmit -i " for the Server-Cert cert-pki-ca cert I 
was trying to renew.
10) Ran "getcert list" a couple of times; first saw that it was showing 
"SUBMITTING", then it switched after several seconds to "POST_SAVED_CERT" - 
WOW!!!  SOMETHING NEW!  Then, a few seconds later still, it's showing as 
"MONITORING".  Checking the "expires" date, it's FINALLY updated to Sept. 14, 
2021!!

I cannot tell you how exciting this is for me.  What a journey.  Now, I assume 
I just need to "ipactl stop" and then "ipactl start", and all should be well I 
guess.  I'm afraid to do it though, I'm scared of the cert reverting or 
something funky 


[Freeipa-users] Re: pki-tomcatd not starting

2020-08-12 Thread Fraser Tweedale via FreeIPA-users
On Thu, Aug 13, 2020 at 02:43:33AM +, Scott Z. via FreeIPA-users wrote:
> Just in case it helps to narrow things down a bit or answers questions...
> 1) The problem IdM server is the CA Master as far as I can tell (ran the 
> command "ipa config-show", saw that the IPA CA renewal master: was the same 
> server with the bad cert.
>
In any case, the CA renewal master setting shouldn't affect renewal
of the Dogtag "Server-Cert cert-pki-ca" certificate.  This is
because the TLS server certificates are not shared; each server
needs their own certificate.

> 2) Followed the steps in the Red Hat knowledge article at 
> https://access.redhat.com/solutions/3357261
> 3) As noted at the bottom of that page, I had pretty good success up until 
> the end.
> 
> My current status is that I've done an ipactl restart 
> --ignore-service-failure, my timedate value is once again current, and when I 
> do a "getcert list" I see the offending cert (Server-Cert cert-pki-ca) listed 
> as CA_UNREACHABLE, with a ca-error value of Internal Error and of course 
> still showing an expiration date of Sep. 26, 2019.
> 
> If I do a status check on the certmonger service I see lots of "Internal 
> Error" messages along with "Unspecified GSS failure.  Minor code may provide 
> more information, Minor (2529639068): Cannot contact any KDC for realm 
> ''."
> 
Was the KDC running at the time those certmonger GSS errors were
produced?  That could explain this error.

It would help to see the /etc/pki/pki-tomcat/ca/debug log:

- for the startup failures, that may indicate why Dogtag does not
  start up properly
- and for the time period during which renewal of the problematic
  certificate is attempted

Ensure PKI debug logging is at a verbose level.  In
/etc/pki/pki-tomcat/ca/CS.cfg, change the config:

debug.level=0

It is counterintuitive but /lower/ number = higher verbosity.

It would help to see certmonger journal output (`journalctl -u
certmonger') covering the time period of the renewal attempt.

Also, just seeing all the certificates in the various locations
(especially Dogtag and dirsrv NSSDBs, including the CA certificates)
would be helpful.

I understand that you have security policies that may prevent you from
sharing all this on a public list (or make extra work for you to
redact sensitive data).  If it would allow you to share more
logs/data, perhaps you could consider a commercial support
subscription with Red Hat.

Thanks,
Fraser


[Freeipa-users] Re: pki-tomcatd not starting

2020-08-12 Thread Jochen Kellner via FreeIPA-users
"Scott Z. via FreeIPA-users" writes:

> My current status is that I've done an ipactl restart
> --ignore-service-failure, my timedate value is once again current,

Your IDM server has the ntp role enabled, so you can't go back in time
and use "ipactl start", because that is setting the time to current
again. So do the following:

- ipactl stop
- stop ntp if it is still running
- go back in time
- start each service manually that ipactl would do but skip ntp.

See if the CA is running. Then restart certmonger or resubmit the
requests. That should work.

Jochen

-- 
This space is intentionally left blank.


[Freeipa-users] Re: pki-tomcatd not starting

2020-08-12 Thread Scott Z. via FreeIPA-users
Just in case it helps to narrow things down a bit or answers questions...
1) The problem IdM server is the CA Master as far as I can tell (ran the 
command "ipa config-show", saw that the IPA CA renewal master: was the same 
server with the bad cert).
2) Followed the steps in the Red Hat knowledge article at 
https://access.redhat.com/solutions/3357261
3) As noted at the bottom of that page, I had pretty good success up until the 
end.

My current status is that I've done an ipactl restart --ignore-service-failure, 
my timedate value is once again current, and when I do a "getcert list" I see 
the offending cert (Server-Cert cert-pki-ca) listed as CA_UNREACHABLE, with a 
ca-error value of Internal Error and of course still showing an expiration date 
of Sep. 26, 2019.

If I do a status check on the certmonger service I see lots of "Internal Error" 
messages along with "Unspecified GSS failure.  Minor code may provide more 
information, Minor (2529639068): Cannot contact any KDC for realm ''."
Scott



From: Rob Crittenden 
Sent: Tuesday, August 11, 2020 4:01 PM
To: FreeIPA users list ; Florence 
Blanc-Renaud 
Cc: Scott Z. ; Alexander Scheel 
Subject: Re: [Freeipa-users] Re: pki-tomcatd not starting

Scott Z. via FreeIPA-users wrote:
> Just so I'm not confusing the various servers and roles they play in
> case it impacts what I'm doing (also, in case it matters, these are
> VMs), so I ran the command "ipa config-show" and here is what I got back:
> IPA masters: 
> IPA CA servers: 
> IPA NTP servers: 
> IPA CA renewal master: 
>
> To take things 'from the top' I went ahead and did a full-on "ipactl
> stop" and then "ipactl start --ignore-service-failure".  This of course
> resets the date to present time.  After it started (minus pki-tomcat
> that is) I did a "kinit admin" and then "getcert list".  This list now
> shows the 'bad' cert with the expired date from last September and the
> status now is MONITORING.  Hopeful, I ran "ipa-getcert resubmit -i
> " but this didn't seem to have any affect.
>
> Is there any particular place to look log-wise to see what is happening
> when I try to do a 'getcert resubmit' or 'ipa-getcert resubmit'
> command?  They seem to go through, but there's no change in status to
> the certificate (well, it changes from MONITORING to SUBMITTING but then
> right back to MONITORING with no change to the expiration) so I'm
> wondering if I can see where the request is either dying or being
> rejected or what.
>
> If I read things correctly, the bad server with the expired cert *is*
> the CA renewal server, correct?  So it needs to make a request to itself
> to renew the expired cert... which I'm assuming it's having a problem
> doing because its own cert is already expired?

Exactly. The tomcat TLS cert is expired so the CA is likely not starting
at all. When you go back in time I'm assuming there is no time overlap
between the tomcat Server-Cert and the other CA subsystem certs so you
can either have tomcat work with TLS or the CA but not both.

If you have the ipa-cert-fix command try that. It can do offline renewals.

I'm cc'ing a CA developer, maybe he'll have some additional ideas.

rob

> Scott
>
> ----------------------------
> *From:* Rob Crittenden 
> *Sent:* Tuesday, August 11, 2020 9:07 AM
> *To:* FreeIPA users list ;
> Florence Blanc-Renaud 
> *Cc:* Scott Z. 
> *Subject:* Re: [Freeipa-users] Re: pki-tomcatd not starting
>
> Scott Z. via FreeIPA-users wrote:
>> Adding the "NSSEnforceValidCerts off" definitely got me past the HTTPD
>> error.  It started up and then I ran the systemctl start
>> pki-tomcatd@pki-tomcat which seemed to start up without any errors (it
>> didn't throw any on the command line), but checking the debug log I see
>> I'm still getting the same, original "Peer's Certificate has expired"
>> message for "Server-Cert cert-pki-ca".  I just can't win 
>> It's expired, I know it's expired, why does FreeIPA fight me so hard on
>> just trying to renew it?!  LOL!
>>
>> Just for fun I then ran the "getcert renew -i " command.  But per
>> "getcert list", it's still showing as CA_UNREACHABLE and Internal Error.
>
> The CA is a servlet so tomcat can start without the CA starting. I'd
> look in the CA logs under /var/log/pki-tomcat/
>
> certmonger logs to syslog so use journalctl to see if it provided any
> more details on the failure, but it sounds like an issue with the CA.
>
> rob
>
>> Scott
>>
>>
>> 
>> *From:* Rob Crittenden 
>>
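
Scott's `getcert list` findings above (CA_UNREACHABLE, a ca-error of Internal Error, an expiry date long in the past) can be pulled out of the raw output mechanically instead of by eye. The following is an added example, not code from the thread or from certmonger/FreeIPA. The sample output is constructed in the layout `getcert list` prints, with made-up request IDs, paths and dates that mirror the thread; `dogtag-ipa-ca-renew-agent` is the certmonger CA that FreeIPA configures for the CA subsystem certificates, which is why those requests depend on the local Dogtag instance being up.

```python
"""Triage `getcert list` output: which tracked certificates are expired, which
sit in an error state, and which renew against the local Dogtag CA and so
cannot renew while that CA is down.

Added example, not code from the thread or from certmonger/FreeIPA. SAMPLE is
constructed in the layout `getcert list` prints; request IDs, paths and dates
are made up to mirror the thread.
"""
from datetime import datetime, timezone
import re

GETCERT_DATE = "%Y-%m-%d %H:%M:%S UTC"   # e.g. "expires: 2019-09-26 12:00:00 UTC"
LOCAL_CA_HELPER = "dogtag-ipa-ca-renew-agent"   # certmonger CA for CA subsystem certs
THREAD_DATE = datetime(2020, 8, 12, tzinfo=timezone.utc)   # when the thread ran

# Constructed sample, two tracked requests: the expired tomcat Server-Cert and a
# still-valid subsystem cert.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20170926120000':
\tstatus: CA_UNREACHABLE
\tca-error: Internal Error
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=IDM.PROJECT.ITS.SRV2
\tsubject: CN=idm.project.its.srv2,O=IDM.PROJECT.ITS.SRV2
\texpires: 2019-09-26 12:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20181018080000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=IDM.PROJECT.ITS.SRV2
\tsubject: CN=CA Subsystem,O=IDM.PROJECT.ITS.SRV2
\texpires: 2020-10-18 08:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

_REQUEST = re.compile(r"Request ID '([^']+)':")
_NICK = re.compile(r"nickname='([^']*)'")


def parse_getcert_list(text):
    """One dict per 'Request ID' record, keyed by the field names getcert prints."""
    records = []
    for line in text.splitlines():
        m = _REQUEST.match(line.strip())
        if m:
            records.append({"request_id": m.group(1)})
        elif records and ":" in line:
            # Split on the first colon only: values such as the NSSDB location
            # and the expiry timestamp contain colons of their own.
            key, _, value = line.strip().partition(":")
            records[-1][key.strip()] = value.strip()
    return records


def nickname(record):
    """NSS nickname from the 'certificate:' field, falling back to the subject."""
    m = _NICK.search(record.get("certificate", ""))
    return m.group(1) if m else record.get("subject", record["request_id"])


def triage(records, now=THREAD_DATE):
    """nickname -> list of problems. `now` is a parameter so the result is
    reproducible; pass datetime.now(timezone.utc) on a live system."""
    problems = {}
    for r in records:
        found = []
        status = r.get("status", "")
        if status != "MONITORING":
            found.append(f"status {status}")
        if "ca-error" in r:
            found.append(f"ca-error: {r['ca-error']}")
        if "expires" in r:
            exp = datetime.strptime(r["expires"], GETCERT_DATE).replace(tzinfo=timezone.utc)
            if exp <= now:
                found.append(f"expired {r['expires']}")
        if found and r.get("CA") == LOCAL_CA_HELPER:
            found.append("renews against the local Dogtag CA, which must be up for a resubmit to work")
        if found:
            problems[nickname(r)] = found
    return problems


if __name__ == "__main__":
    for nick, issues in triage(parse_getcert_list(SAMPLE)).items():
        print(nick)
        for issue in issues:
            print("  -", issue)
```

On a live server, feed `subprocess.run(["getcert", "list"], capture_output=True, text=True).stdout` to `parse_getcert_list` and pass the current UTC time to `triage`; a certificate that is both expired and tracked through `dogtag-ipa-ca-renew-agent` on the renewal master is exactly the self-referential case Scott describes, where the CA that has to issue the renewal cannot come up because of the very certificate being renewed.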

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-11 Thread Scott Z. via FreeIPA-users
Thank you, I had tried to go back in time to a point where *all* certs on the 
problem server were valid but I didn't have any luck renewing the cert.  I also 
tried the "ipa-cert-fix" command, but apparently this doesn't exist in my 
version of FreeIPA (4.5.4).
Scott


From: Rob Crittenden 
Sent: Tuesday, August 11, 2020 4:01 PM
To: FreeIPA users list ; Florence 
Blanc-Renaud 
Cc: Scott Z. ; Alexander Scheel 
Subject: Re: [Freeipa-users] Re: pki-tomcatd not starting

Scott Z. via FreeIPA-users wrote:
> Just so I'm not confusing the various servers and roles they play in
> case it impacts what I'm doing (also, in case it matters, these are
> VMs), so I ran the command "ipa config-show" and here is what I got back:
> IPA masters: 
> IPA CA servers: 
> IPA NTP servers: 
> IPA CA renewal master: 
>
> To take things 'from the top' I went ahead and did a full-on "ipactl
> stop" and then "ipactl start --ignore-service-failure".  This of course
> resets the date to present time.  After it started (minus pki-tomcat
> that is) I did a "kinit admin" and then "getcert list".  This list now
> shows the 'bad' cert with the expired date from last September and the
> status now is MONITORING.  Hopeful, I ran "ipa-getcert resubmit -i
> " but this didn't seem to have any affect.
>
> Is there any particular place to look log-wise to see what is happening
> when I try to do a 'getcert resubmit' or 'ipa-getcert resubmit'
> command?  They seem to go through, but there's no change in status to
> the certificate (well, it changes from MONITORING to SUBMITTING but then
> right back to MONITORING with no change to the expiration) so I'm
> wondering if I can see where the request is either dying or being
> rejected or what.
>
> If I read things correctly, the bad server with the expired cert *is*
> the CA renewal server, correct?  So it needs to make a request to itself
> to renew the expired cert... which I'm assuming it's having a problem
> doing because its own cert is already expired?

Exactly. The tomcat TLS cert is expired so the CA is likely not starting
at all. When you go back in time I'm assuming there is no time overlap
between the tomcat Server-Cert and the other CA subsystem certs so you
can either have tomcat work with TLS or the CA but not both.

If you have the ipa-cert-fix command try that. It can do offline renewals.

I'm cc'ing a CA developer, maybe he'll have some additional ideas.

rob

> Scott
>
> --------
> *From:* Rob Crittenden 
> *Sent:* Tuesday, August 11, 2020 9:07 AM
> *To:* FreeIPA users list ;
> Florence Blanc-Renaud 
> *Cc:* Scott Z. 
> *Subject:* Re: [Freeipa-users] Re: pki-tomcatd not starting
>
> Scott Z. via FreeIPA-users wrote:
>> Adding the "NSSEnforceValidCerts off" definitely got me past the HTTPD
>> error.  It started up and then I ran the systemctl start
>> pki-tomcatd@pki-tomcat which seemed to start up without any errors (it
>> didn't throw any on the command line), but checking the debug log I see
>> I'm still getting the same, original "Peer's Certificate has expired"
>> message for "Server-Cert cert-pki-ca".  I just can't win 
>> It's expired, I know it's expired, why does FreeIPA fight me so hard on
>> just trying to renew it?!  LOL!
>>
>> Just for fun I then ran the "getcert renew -i " command.  But per
>> "getcert list", it's still showing as CA_UNREACHABLE and Internal Error.
>
> The CA is a servlet so tomcat can start without the CA starting. I'd
> look in the CA logs under /var/log/pki-tomcat/
>
> certmonger logs to syslog so use journalctl to see if it provided any
> more details on the failure, but it sounds like an issue with the CA.
>
> rob
>
>> Scott
>>
>>
>> 
>> *From:* Rob Crittenden 
>> *Sent:* Tuesday, August 11, 2020 8:07 AM
>> *To:* FreeIPA users list ;
>> Florence Blanc-Renaud 
>> *Cc:* Scott Z. 
>> *Subject:* Re: [Freeipa-users] Re: pki-tomcatd not starting
>>
>> Scott Z. via FreeIPA-users wrote:
>>> Forgot to reply again - ugh!
>>> H, so my domain is actually "idm.project.its.srv2", so I was
>>> literally typing "systemctl start dir...@idm.project.its.srv2"  I see
>>> what you're saying, I need to put in dashes instead of periods!  DOH!
>>> Done.  Moving on...
>>> 4) Ran systemctl start krb5kdc
>>> 5) Ran systemctl start kadmin
>>> 6) Ran systemctl start named-pkcs11
>>> 7) Ran systemctl start ht

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-11 Thread Rob Crittenden via FreeIPA-users
Scott Z. via FreeIPA-users wrote:
> Just so I'm not confusing the various servers and roles they play in
> case it impacts what I'm doing (also, in case it matters, these are
> VMs), so I ran the command "ipa config-show" and here is what I got back:
> IPA masters: 
> IPA CA servers: 
> IPA NTP servers: 
> IPA CA renewal master: 
> 
> To take things 'from the top' I went ahead and did a full-on "ipactl
> stop" and then "ipactl start --ignore-service-failure".  This of course
> resets the date to present time.  After it started (minus pki-tomcat
> that is) I did a "kinit admin" and then "getcert list".  This list now
> shows the 'bad' cert with the expired date from last September and the
> status now is MONITORING.  Hopeful, I ran "ipa-getcert resubmit -i
> " but this didn't seem to have any effect. 
> 
> Is there any particular place to look log-wise to see what is happening
> when I try to do a 'getcert resubmit' or 'ipa-getcert resubmit'
> command?  They seem to go through, but there's no change in status to
> the certificate (well, it changes from MONITORING to SUBMITTING but then
> right back to MONITORING with no change to the expiration) so I'm
> wondering if I can see where the request is either dying or being
> rejected or what.
> 
> If I read things correctly, the bad server with the expired cert *is*
> the CA renewal server, correct?  So it needs to make a request to itself
> to renew the expired cert... which I'm assuming it's having a problem
> doing because its own cert is already expired? 

Exactly. The tomcat TLS cert is expired so the CA is likely not starting
at all. When you go back in time I'm assuming there is no time overlap
between the tomcat Server-Cert and the other CA subsystem certs so you
can either have tomcat work with TLS or the CA but not both.

If you have the ipa-cert-fix command try that. It can do offline renewals.

I'm cc'ing a CA developer, maybe he'll have some additional ideas.

rob

> Scott
> 
> 
> *From:* Rob Crittenden 
> *Sent:* Tuesday, August 11, 2020 9:07 AM
> *To:* FreeIPA users list ;
> Florence Blanc-Renaud 
> *Cc:* Scott Z. 
> *Subject:* Re: [Freeipa-users] Re: pki-tomcatd not starting
>  
> Scott Z. via FreeIPA-users wrote:
>> Adding the "NSSEnforceValidCerts off" definitely got me past the HTTPD
>> error.  It started up and then I ran the systemctl start
>> pki-tomcatd@pki-tomcat which seemed to start up without any errors (it
>> didn't throw any on the command line), but checking the debug log I see
>> I'm still getting the same, original "Peer's Certificate has expired"
>> message for "Server-Cert cert-pki-ca".  I just can't win  
>> It's expired, I know it's expired, why does FreeIPA fight me so hard on
>> just trying to renew it?!  LOL!
>> 
>> Just for fun I then ran the "getcert renew -i " command.  But per
>> "getcert list", it's still showing as CA_UNREACHABLE and Internal Error.
> 
> The CA is a servlet so tomcat can start without the CA starting. I'd
> look in the CA logs under /var/log/pki-tomcat/
> 
> certmonger logs to syslog so use journalctl to see if it provided any
> more details on the failure, but it sounds like an issue with the CA.
> 
> rob
> 
>> Scott
>> 
>> 
>> 
>> *From:* Rob Crittenden 
>> *Sent:* Tuesday, August 11, 2020 8:07 AM
>> *To:* FreeIPA users list ;
>> Florence Blanc-Renaud 
>> *Cc:* Scott Z. 
>> *Subject:* Re: [Freeipa-users] Re: pki-tomcatd not starting
>>  
>> Scott Z. via FreeIPA-users wrote:
>>> Forgot to reply again - ugh!
>>> H, so my domain is actually "idm.project.its.srv2", so I was
>>> literally typing "systemctl start dir...@idm.project.its.srv2"  I see
>>> what you're saying, I need to put in dashes instead of periods!  DOH! 
>>> Done.  Moving on...
>>> 4) Ran systemctl start krb5kdc
>>> 5) Ran systemctl start kadmin
>>> 6) Ran systemctl start named-pkcs11
>>> 7) Ran systemctl start httpd  -  got an error here, nothing really
>>> useful in the logs or journalctl, it says it's starting the Apache HTTP
>>> server, then throws "httpd.service: main process exited, code=exited,
>>> status=1/FAILURE", and "Failed to start The Apache HTTP Server". 
>>> Finally there is a mention of 'too much time skew'.  I assume the
>>> problem is that I'm trying to start HTTPD on a system where the date is
>>> almost a
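
Rob's remark about time overlap, Jochen's go-back-in-time procedure earlier in the thread (ipactl stop, stop NTP, set the clock, start the services by hand) and Flo's point about the dirsrv@ unit name all come down to one check before touching the clock: read each certificate's validity window from `certutil -L`, intersect the windows, and only pick a date if an intersection exists. The block below is an added example, not code from the thread or from FreeIPA. The certutil output is constructed with made-up dates (Server-Cert cert-pki-ca expired 2019-09-26, the other CA certificates still valid in August 2020), the nicknames are FreeIPA's, the domain is the one from the thread, and the start order is the one Scott used; `ipa-cert-fix` remains the answer when the window comes back empty.

```python
"""Pick a clock value at which every CA certificate is valid at once, and
spell out the manual start order for the go-back-in-time recovery.

Added example, not code from the thread or from FreeIPA. Input is the text of
`certutil -L -d <nssdb> -n <nickname>` for each certificate. SAMPLE is
constructed: nicknames are FreeIPA's, the validity dates are made up.
"""
from datetime import datetime, timedelta
import re

# certutil prints validity as e.g.  "Not Before: Fri Jan 06 19:36:22 2023"
CERTUTIL_DATE = "%a %b %d %H:%M:%S %Y"
_VALIDITY = re.compile(r"Not (Before|After)\s*:\s*(.+)")

SAMPLE = {
    "Server-Cert cert-pki-ca": (
        "        Validity:\n"
        "            Not Before: Tue Sep 26 12:00:00 2017\n"
        "            Not After : Thu Sep 26 12:00:00 2019\n"
    ),
    "subsystemCert cert-pki-ca": (
        "            Not Before: Thu Oct 18 08:00:00 2018\n"
        "            Not After : Sun Oct 18 08:00:00 2020\n"
    ),
    "auditSigningCert cert-pki-ca": (
        "            Not Before: Thu Oct 18 08:00:00 2018\n"
        "            Not After : Sun Oct 18 08:00:00 2020\n"
    ),
}


def parse_certutil_validity(text):
    """(not_before, not_after) from the output of `certutil -L -n <nick>`."""
    found = {}
    for m in _VALIDITY.finditer(text):
        found[m.group(1)] = datetime.strptime(m.group(2).strip(), CERTUTIL_DATE)
    return found["Before"], found["After"]


def common_validity_window(certs):
    """certs: {nickname: (not_before, not_after)}. Returns (start, end) during
    which all of them are valid, or None if no such instant exists."""
    start = max(nb for nb, _ in certs.values())
    end = min(na for _, na in certs.values())
    return (start, end) if start < end else None


def blockers(certs):
    """Certificates that expire before another one becomes valid. These make a
    common window impossible: tomcat's TLS or the CA subsystem, never both, so
    only an offline renewal (ipa-cert-fix) breaks the deadlock."""
    latest_not_before = max(nb for nb, _ in certs.values())
    return sorted(n for n, (_, na) in certs.items() if na <= latest_not_before)


def rollback_time(window, margin=timedelta(days=1)):
    """A time safely inside the window: a day after the latest notBefore, so a
    timezone slip or clock skew cannot push the clock outside it."""
    start, end = window
    candidate = start + margin
    return candidate if candidate < end else start + (end - start) / 2


def dirsrv_unit(domain):
    """systemd unit for the 389-ds instance: dots become dashes, upper-cased
    (dirsrv@DOMAIN-COM, not dirsrv@slapd-DOMAIN-COM)."""
    return "dirsrv@" + domain.upper().replace(".", "-")


def manual_start_order(domain):
    """What to start by hand, in the order used in the thread, with NTP left
    off so the clock stays where you set it."""
    return [f"systemctl start {dirsrv_unit(domain)}",
            "systemctl start krb5kdc",
            "systemctl start kadmin",
            "systemctl start named-pkcs11",
            "systemctl start httpd",
            "systemctl start pki-tomcatd@pki-tomcat"]


def plan(certutil_outputs, domain):
    """Either the commands to run (clock change plus start order) or the list
    of certificates that prevent any common validity window."""
    certs = {n: parse_certutil_validity(t) for n, t in certutil_outputs.items()}
    window = common_validity_window(certs)
    if window is None:
        return {"rollback": None, "blockers": blockers(certs)}
    when = rollback_time(window)
    return {"rollback": when,
            "commands": ["ipactl stop", "timedatectl set-ntp false",
                         f"timedatectl set-time '{when:%Y-%m-%d %H:%M:%S}'"]
                        + manual_start_order(domain)}


if __name__ == "__main__":
    result = plan(SAMPLE, "idm.project.its.srv2")
    for line in result.get("commands", []):
        print(line)
    if result["rollback"] is None:
        print("no common validity window; blocking certs:", result["blockers"])
```

Collect the real inputs with `certutil -L -d /etc/pki/pki-tomcat/alias -n '<nickname>'` for each CA subsystem nickname (and the dirsrv and httpd NSSDBs if those certificates are also in question), then run `plan` on them; when `blockers` is non-empty there is no date to roll back to and the time trick cannot work, which is the situation Rob describes.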

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-11 Thread Scott Z. via FreeIPA-users
Just so I'm not confusing the various servers and roles they play in case it 
impacts what I'm doing (also, in case it matters, these are VMs), so I ran the 
command "ipa config-show" and here is what I got back:
IPA masters: 
IPA CA servers: 
IPA NTP servers: 
IPA CA renewal master: 

To take things 'from the top' I went ahead and did a full-on "ipactl stop" and 
then "ipactl start --ignore-service-failure".  This of course resets the date 
to present time.  After it started (minus pki-tomcat that is) I did a "kinit 
admin" and then "getcert list".  This list now shows the 'bad' cert with the 
expired date from last September and the status now is MONITORING.  Hopeful, I 
ran "ipa-getcert resubmit -i " but this didn't seem to have any effect.

Is there any particular place to look log-wise to see what is happening when I 
try to do a 'getcert resubmit' or 'ipa-getcert resubmit' command?  They seem to 
go through, but there's no change in status to the certificate (well, it 
changes from MONITORING to SUBMITTING but then right back to MONITORING with no 
change to the expiration) so I'm wondering if I can see where the request is 
either dying or being rejected or what.

If I read things correctly, the bad server with the expired cert *is* the CA 
renewal server, correct?  So it needs to make a request to itself to renew the 
expired cert... which I'm assuming it's having a problem doing because its own 
cert is already expired?
Scott


From: Rob Crittenden 
Sent: Tuesday, August 11, 2020 9:07 AM
To: FreeIPA users list ; Florence 
Blanc-Renaud 
Cc: Scott Z. 
Subject: Re: [Freeipa-users] Re: pki-tomcatd not starting

Scott Z. via FreeIPA-users wrote:
> Adding the "NSSEnforceValidCerts off" definitely got me past the HTTPD
> error.  It started up and then I ran the systemctl start
> pki-tomcatd@pki-tomcat which seemed to start up without any errors (it
> didn't throw any on the command line), but checking the debug log I see
> I'm still getting the same, original "Peer's Certificate has expired"
> message for "Server-Cert cert-pki-ca".  I just can't win 
> It's expired, I know it's expired, why does FreeIPA fight me so hard on
> just trying to renew it?!  LOL!
>
> Just for fun I then ran the "getcert renew -i " command.  But per
> "getcert list", it's still showing as CA_UNREACHABLE and Internal Error.

The CA is a servlet so tomcat can start without the CA starting. I'd
look in the CA logs under /var/log/pki-tomcat/

certmonger logs to syslog so use journalctl to see if it provided any
more details on the failure, but it sounds like an issue with the CA.

rob

> Scott
>
>
> 
> *From:* Rob Crittenden 
> *Sent:* Tuesday, August 11, 2020 8:07 AM
> *To:* FreeIPA users list ;
> Florence Blanc-Renaud 
> *Cc:* Scott Z. 
> *Subject:* Re: [Freeipa-users] Re: pki-tomcatd not starting
>
> Scott Z. via FreeIPA-users wrote:
>> Forgot to reply again - ugh!
>> H, so my domain is actually "idm.project.its.srv2", so I was
>> literally typing "systemctl start dir...@idm.project.its.srv2"  I see
>> what you're saying, I need to put in dashes instead of periods!  DOH!
>> Done.  Moving on...
>> 4) Ran systemctl start krb5kdc
>> 5) Ran systemctl start kadmin
>> 6) Ran systemctl start named-pkcs11
>> 7) Ran systemctl start httpd  -  got an error here, nothing really
>> useful in the logs or journalctl, it says it's starting the Apache HTTP
>> server, then throws "httpd.service: main process exited, code=exited,
>> status=1/FAILURE", and "Failed to start The Apache HTTP Server".
>> Finally there is a mention of 'too much time skew'.  I assume the
>> problem is that I'm trying to start HTTPD on a system where the date is
>> almost a year old.
>> Although now that I'm looking at /var/log/httpd/error_log, I see mention
>> of "SSL Library Error: -8181 Certificate has expired".  CERTIFICATES!!!
>> "Unable to verify certificate 'Server-Cert'.  Add "NSSEnforceValidCerts
>> off" to nss.conf so the server can start until the problem can be
>> resolved", so maybe I'll try that.
>
> That can work, just remember to revert it, but it just bypasses the
> start up check. Clients will still require cert validity.
>
> I don't think it will matter either way as the CA certs renew directly
> against the CA so Apache not running shouldn't be an issue.
>
> rob
>
>> Scott
>>
>> 
>> *From:* Florence Blanc-Renaud 
>> *Sent:* Tuesday, Augu

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-11 Thread Scott Z. via FreeIPA-users
I do see in the /var/log/pki/pki-tomcat/ca/debug log "Could not connect to LDAP 
server host  port 636 Error netscape.ldap.LDAPException: Unable 
to create socket: java.net.ConnectException: Connection refused (Connection 
refused) (-1)"

/var/log/pki/pki-tomcat/ca/system has similar messages, "In Ldap (bound) 
connection pool to host  port 636, Cannot connect to LDAP server. 
 Error: netscape.ldap.LDAPException: Unable to create socket: 
java.net.ConnectException: connection refused (Connection refused) (-1)"

Scott


From: Rob Crittenden 
Sent: Tuesday, August 11, 2020 9:07 AM
To: FreeIPA users list ; Florence 
Blanc-Renaud 
Cc: Scott Z. 
Subject: Re: [Freeipa-users] Re: pki-tomcatd not starting

Scott Z. via FreeIPA-users wrote:
> Adding the "NSSEnforceValidCerts off" definitely got me past the HTTPD
> error.  It started up and then I ran the systemctl start
> pki-tomcatd@pki-tomcat which seemed to start up without any errors (it
> didn't throw any on the command line), but checking the debug log I see
> I'm still getting the same, original "Peer's Certificate has expired"
> message for "Server-Cert cert-pki-ca".  I just can't win 
> It's expired, I know it's expired, why does FreeIPA fight me so hard on
> just trying to renew it?!  LOL!
>
> Just for fun I then ran the "getcert renew -i " command.  But per
> "getcert list", it's still showing as CA_UNREACHABLE and Internal Error.

The CA is a servlet so tomcat can start without the CA starting. I'd
look in the CA logs under /var/log/pki-tomcat/

certmonger logs to syslog so use journalctl to see if it provided any
more details on the failure, but it sounds like an issue with the CA.

rob

> Scott
>
>
> 
> *From:* Rob Crittenden 
> *Sent:* Tuesday, August 11, 2020 8:07 AM
> *To:* FreeIPA users list ;
> Florence Blanc-Renaud 
> *Cc:* Scott Z. 
> *Subject:* Re: [Freeipa-users] Re: pki-tomcatd not starting
>
> Scott Z. via FreeIPA-users wrote:
>> Forgot to reply again - ugh!
>> H, so my domain is actually "idm.project.its.srv2", so I was
>> literally typing "systemctl start dir...@idm.project.its.srv2"  I see
>> what you're saying, I need to put in dashes instead of periods!  DOH!
>> Done.  Moving on...
>> 4) Ran systemctl start krb5kdc
>> 5) Ran systemctl start kadmin
>> 6) Ran systemctl start named-pkcs11
>> 7) Ran systemctl start httpd  -  got an error here, nothing really
>> useful in the logs or journalctl, it says it's starting the Apache HTTP
>> server, then throws "httpd.service: main process exited, code=exited,
>> status=1/FAILURE", and "Failed to start The Apache HTTP Server".
>> Finally there is a mention of 'too much time skew'.  I assume the
>> problem is that I'm trying to start HTTPD on a system where the date is
>> almost a year old.
>> Although now that I'm looking at /var/log/httpd/error_log, I see mention
>> of "SSL Library Error: -8181 Certificate has expired".  CERTIFICATES!!!
>> "Unable to verify certificate 'Server-Cert'.  Add "NSSEnforceValidCerts
>> off" to nss.conf so the server can start until the problem can be
>> resolved", so maybe I'll try that.
>
> That can work, just remember to revert it, but it just bypasses the
> start up check. Clients will still require cert validity.
>
> I don't think it will matter either way as the CA certs renew directly
> against the CA so Apache not running shouldn't be an issue.
>
> rob
>
>> Scott
>>
>> 
>> *From:* Florence Blanc-Renaud 
>> *Sent:* Tuesday, August 11, 2020 6:55 AM
>> *To:* Scott Z. ; FreeIPA users list
>> ; Rob Crittenden 
>> *Subject:* Re: [Freeipa-users] Re: pki-tomcatd not starting
>>
>> On 8/11/20 6:39 PM, Scott Z. wrote:
>>> First thing I did when I logged in this morning (I'm on Hawaii Standard
>>> Time) was run "ipactl status".  The return was "Directory Services:
>>> STOPPED", and "Directory Service must be running in order to obtain status
>>> of other services".
>>> 1) Ran "getcert list", and it shows the 9 certs being tracked (all the
>>> previous 8 plus the 1 expired guy I added yesterday).  All look good
>>> except of course my problem child, who's status is CA_UNREACHABLE and
>>> ca-error is Internal error.
>>> 2) Ran "ipa stop", looks like all service stopped successfully.
>>> 2) Changed date back to Sept. 1, 2019.
>>>

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-11 Thread Scott Z. via FreeIPA-users
Adding the "NSSEnforceValidCerts off" definitely got me past the HTTPD error.  
It started up and then I ran the systemctl start pki-tomcatd@pki-tomcat which 
seemed to start up without any errors (it didn't throw any on the command 
line), but checking the debug log I see I'm still getting the same, original 
"Peer's Certificate has expired" message for "Server-Cert cert-pki-ca".  I just 
can't win 
It's expired, I know it's expired, why does FreeIPA fight me so hard on just 
trying to renew it?!  LOL!

Just for fun I then ran the "getcert renew -i " command.  But per 
"getcert list", it's still showing as CA_UNREACHABLE and Internal Error.
Scott



From: Rob Crittenden 
Sent: Tuesday, August 11, 2020 8:07 AM
To: FreeIPA users list ; Florence 
Blanc-Renaud 
Cc: Scott Z. 
Subject: Re: [Freeipa-users] Re: pki-tomcatd not starting

Scott Z. via FreeIPA-users wrote:
> Forgot to reply again - ugh!
> H, so my domain is actually "idm.project.its.srv2", so I was
> literally typing "systemctl start dir...@idm.project.its.srv2"  I see
> what you're saying, I need to put in dashes instead of periods!  DOH!
> Done.  Moving on...
> 4) Ran systemctl start krb5kdc
> 5) Ran systemctl start kadmin
> 6) Ran systemctl start named-pkcs11
> 7) Ran systemctl start httpd  -  got an error here, nothing really
> useful in the logs or journalctl, it says it's starting the Apache HTTP
> server, then throws "httpd.service: main process exited, code=exited,
> status=1/FAILURE", and "Failed to start The Apache HTTP Server".
> Finally there is a mention of 'too much time skew'.  I assume the
> problem is that I'm trying to start HTTPD on a system where the date is
> almost a year old.
> Although now that I'm looking at /var/log/httpd/error_log, I see mention
> of "SSL Library Error: -8181 Certificate has expired".  CERTIFICATES!!!
> "Unable to verify certificate 'Server-Cert'.  Add "NSSEnforceValidCerts
> off" to nss.conf so the server can start until the problem can be
> resolved", so maybe I'll try that.

That can work, just remember to revert it, but it just bypasses the
start up check. Clients will still require cert validity.

I don't think it will matter either way as the CA certs renew directly
against the CA so Apache not running shouldn't be an issue.

rob

> Scott
>
> ----------------------------
> *From:* Florence Blanc-Renaud 
> *Sent:* Tuesday, August 11, 2020 6:55 AM
> *To:* Scott Z. ; FreeIPA users list
> ; Rob Crittenden 
> *Subject:* Re: [Freeipa-users] Re: pki-tomcatd not starting
>
> On 8/11/20 6:39 PM, Scott Z. wrote:
>> First thing I did when I logged in this morning (I'm on Hawaii Standard
>> Time) was run "ipactl status".  The return was "Directory Services:
>> STOPPED", and "Directory Service must be running in order to obtain status
>> of other services".
>> 1) Ran "getcert list", and it shows the 9 certs being tracked (all the
>> previous 8 plus the 1 expired guy I added yesterday).  All look good
>> except of course my problem child, who's status is CA_UNREACHABLE and
>> ca-error is Internal error.
>> 2) Ran "ipa stop", looks like all service stopped successfully.
>> 2) Changed date back to Sept. 1, 2019.
>> 3) Ran the "systemctl start dirsrv@ and got back "Job for
>> dirsrv@ failed because a configured resource limit was exceeded."
>>       a. when I looked at "journalctl -xe", I just see a couple of
>> messages that don't tell me much... "Registered Authentication Agent for
>> unix-process:", followed by "Failed to load environment files:
>> no such files or directory".  Then, "dirsrv@ filed to run
>> 'start-pre' task: No such files or directory" and finally "Failed to
>> start 389 Directory Server ".
>>
> If your domain is domain.com, you need to run
> systemctl start dirsrv@DOMAIN-COM
>
> I suspect that you ran instead systemctl start dirsrv@slapd-DOMAIN-COM
> which would produce the error you're seeing.
>
> flo
>
>> Not sure now how to proceed at this point.
>>
>> BTW, I have decided that once I get through this slog and have a working
>> server again, I'm going to donate $50 to the Hawaiian Food Bank or the
>> charity of your choice in appreciation.
>> Scott
>>
>>
>> 
>> *From:* Florence Blanc-Renaud 
>> *Sent:* Monday, August 10, 2020 8:55 PM
>> *To:* FreeIPA users list ; Rob
>

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-11 Thread Rob Crittenden via FreeIPA-users
Scott Z. via FreeIPA-users wrote:
> Forgot to reply again - ugh!
> H, so my domain is actually "idm.project.its.srv2", so I was
> literally typing "systemctl start dir...@idm.project.its.srv2"  I see
> what you're saying, I need to put in dashes instead of periods!  DOH! 
> Done.  Moving on...
> 4) Ran systemctl start krb5kdc
> 5) Ran systemctl start kadmin
> 6) Ran systemctl start named-pkcs11
> 7) Ran systemctl start httpd  -  got an error here, nothing really
> useful in the logs or journalctl, it says it's starting the Apache HTTP
> server, then throws "httpd.service: main process exited, code=exited,
> status=1/FAILURE", and "Failed to start The Apache HTTP Server". 
> Finally there is a mention of 'too much time skew'.  I assume the
> problem is that I'm trying to start HTTPD on a system where the date is
> almost a year old. 
> Although now that I'm looking at /var/log/httpd/error_log, I see mention
> of "SSL Library Error: -8181 Certificate has expired".  CERTIFICATES!!!
> "Unable to verify certificate 'Server-Cert'.  Add "NSSEnforceValidCerts
> off" to nss.conf so the server can start until the problem can be
> resolved", so maybe I'll try that.

That can work, just remember to revert it, but it just bypasses the
start up check. Clients will still require cert validity.

I don't think it will matter either way as the CA certs renew directly
against the CA so Apache not running shouldn't be an issue.

rob

> Scott
> 
> 
> *From:* Florence Blanc-Renaud 
> *Sent:* Tuesday, August 11, 2020 6:55 AM
> *To:* Scott Z. ; FreeIPA users list
> ; Rob Crittenden 
> *Subject:* Re: [Freeipa-users] Re: pki-tomcatd not starting
>  
> On 8/11/20 6:39 PM, Scott Z. wrote:
>> First thing I did when I logged in this morning (I'm on Hawaii Standard 
>> Time) was run "ipactl status".  The return was "Directory Services: 
>> STOPPED", and "Directory Service must be running in order to obtain status 
>> of other services".
>> 1) Ran "getcert list", and it shows the 9 certs being tracked (all the 
>> previous 8 plus the 1 expired guy I added yesterday).  All look good 
>> except of course my problem child, who's status is CA_UNREACHABLE and 
>> ca-error is Internal error.
>> 2) Ran "ipa stop", looks like all service stopped successfully.
>> 2) Changed date back to Sept. 1, 2019.
>> 3) Ran the "systemctl start dirsrv@ and got back "Job for 
>> dirsrv@ failed because a configured resource limit was exceeded."
>>       a. when I looked at "journalctl -xe", I just see a couple of 
>> messages that don't tell me much... "Registered Authentication Agent for 
>> unix-process:", followed by "Failed to load environment files: 
>> no such files or directory".  Then, "dirsrv@ filed to run 
>> 'start-pre' task: No such files or directory" and finally "Failed to 
>> start 389 Directory Server ".
>> 
> If your domain is domain.com, you need to run
> systemctl start dirsrv@DOMAIN-COM
> 
> I suspect that you ran instead systemctl start dirsrv@slapd-DOMAIN-COM
> which would produce the error you're seeing.
> 
> flo
> 
>> Not sure now how to proceed at this point.
>> 
>> BTW, I have decided that once I get through this slog and have a working 
>> server again, I'm going to donate $50 to the Hawaiian Food Bank or the 
>> charity of your choice in appreciation.
>> Scott
>> 
>> 
>> 
>> *From:* Florence Blanc-Renaud 
>> *Sent:* Monday, August 10, 2020 8:55 PM
>> *To:* FreeIPA users list ; Rob 
>> Crittenden 
>> *Cc:* Scott Z. 
>> *Subject:* Re: [Freeipa-users] Re: pki-tomcatd not starting
>> On 8/10/20 11:46 PM, Scott Z. via FreeIPA-users wrote:
>>> I stopped the ntp service with the command "timedatectl set_ntp 0"
>>> I set the new date to be Sept. 1st, 2019 with "timedatectl set-time 
>>> 2019-09-01"
>>> I waiting a minute and then checked with the "date" command; the problem 
>>> server believes it is Sept. 1st, 2019.
>>> 
>>> Now when you say 'restart services', I assume you're only referring to 
>>> the ipactl services?  In that case I ran "ipactl start 
>>> --ignore-service-failures".  Interestingly, when I ran this command 
>>> it 
>>> not only failed to start pki-tomcatd (which I expected), but actu

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-11 Thread Scott Z. via FreeIPA-users
Forgot to reply again - ugh!
H, so my domain is actually "idm.project.its.srv2", so I was literally 
typing "systemctl start dir...@idm.project.its.srv2"  I see what you're saying, 
I need to put in dashes instead of periods!  DOH!  Done.  Moving on...
4) Ran systemctl start krb5kdc
5) Ran systemctl start kadmin
6) Ran systemctl start named-pkcs11
7) Ran systemctl start httpd  -  got an error here, nothing really useful in 
the logs or journalctl, it says it's starting the Apache HTTP server, then 
throws "httpd.service: main process exited, code=exited, status=1/FAILURE", and 
"Failed to start The Apache HTTP Server".  Finally there is a mention of 'too 
much time skew'.  I assume the problem is that I'm trying to start HTTPD on a 
system where the date is almost a year old.
Although now that I'm looking at /var/log/httpd/error_log, I see mention of 
"SSL Library Error: -8181 Certificate has expired".  CERTIFICATES!!!
"Unable to verify certificate 'Server-Cert'.  Add "NSSEnfroceValideCerts off" 
to nss.conf so the server can start until the problem can be resolved", so 
maybe I'll try that.
Scott


From: Florence Blanc-Renaud 
Sent: Tuesday, August 11, 2020 6:55 AM
To: Scott Z. ; FreeIPA users list 
; Rob Crittenden 
Subject: Re: [Freeipa-users] Re: pki-tomcatd not starting

On 8/11/20 6:39 PM, Scott Z. wrote:
> First thing I did when I logged in this morning (I'm on Hawaii Standard
> Time) was run "ipactl status".  The return was "Directory Services:
> STOPPED", and "Directory Service must running in order to obtain status
> of other services".
> 1) Ran "getcert list", and it shows the 9 certs being tracked (all the
> previous 8 plus the 1 expired guy I added yesterday).  All look good
> except of course my problem child, who's status is CA_UNREACHABLE and
> ca-error is Internal error.
> 2) Ran "ipa stop", looks like all service stopped successfully.
> 2) Changed date back to Sept. 1, 2019.
> 3) Ran the "systemctl start dirsrv@ and got back "Job for
> dirsrv@ failed because a configured resource limit was exceeded."
>       a. when I looked at "journalctl -xe", I just see a couple of
> messages that don't tell me much... "Registered Authentication Agent for
> unix-process:", followed by "Failed to load environment files:
> no such files or directory".  Then, "dirsrv@ filed to run
> 'start-pre' task: No such files or directory" and finally "Failed to
> start 389 Directory Server ".
>
If your domain is domain.com, you need to run
systemctl start dirsrv@DOMAIN-COM

I suspect that you ran instead systemctl start dirsrv@slapd-DOMAIN-COM
which would produce the error you're seeing.

flo

> Not sure now how to proceed at this point.
>
> BTW, I have decided that once I get through this slog and have a working
> server again, I'm going to donate $50 to the Hawaiian Food Bank or the
> charity of your choice in appreciation.
> Scott
>
>
> ----
> *From:* Florence Blanc-Renaud 
> *Sent:* Monday, August 10, 2020 8:55 PM
> *To:* FreeIPA users list ; Rob
> Crittenden 
> *Cc:* Scott Z. 
> *Subject:* Re: [Freeipa-users] Re: pki-tomcatd not starting
> On 8/10/20 11:46 PM, Scott Z. via FreeIPA-users wrote:
>> I stopped the ntp service with the command "timedatectl set_ntp 0"
>> I set the new date to be Sept. 1st, 2019 with "timedatectl set-time
>> 2019-09-01"
>> I waiting a minute and then checked with the "date" command; the problem
>> server believes it is Sept. 1st, 2019.
>>
>> Now when you say 'restart services', I assume you're only referring to
>> the ipactl services?  In that case I ran "ipactl start
>> --ignore-service-failures".  Interestingly, when I ran this command it
>> not only failed to start pki-tomcatd (which I expected), but actually
>> reset the date back to the present/correct time and date.  Thus, I
>> re-ran the command to set it back to Sept. 1st, 2019.
>>
> If the server was configured with ntp, "ipactl start" will also restart
> ntpd. You need to do the following:
> ipactl stop
> change date in the past
> systemctl start dirsrv@DOMAIN-COM (replace with your domain name)
> systemctl start krb5kdc
> systemctl start kadmin
> systemctl start named-pkcs11 (if IPA is hosting the DNS server)
> systemctl start httpd
> systemctl start pki-tomcatd@pki-tomcat
>
> Then try getcert resubmit.
>
>> I then ran the "getcert resubmit -i  command.  I just now went
>> through these steps again, and it's sh

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-11 Thread Florence Blanc-Renaud via FreeIPA-users

On 8/11/20 6:39 PM, Scott Z. wrote:
First thing I did when I logged in this morning (I'm on Hawaii Standard 
Time) was run "ipactl status".  The return was "Directory Services: 
STOPPED", and "Directory Service must running in order to obtain status 
of other services".
1) Ran "getcert list", and it shows the 9 certs being tracked (all the 
previous 8 plus the 1 expired guy I added yesterday).  All look good 
except of course my problem child, who's status is CA_UNREACHABLE and 
ca-error is Internal error.

2) Ran "ipa stop", looks like all service stopped successfully.
2) Changed date back to Sept. 1, 2019.
3) Ran the "systemctl start dirsrv@ and got back "Job for 
dirsrv@ failed because a configured resource limit was exceeded."
      a. when I looked at "journalctl -xe", I just see a couple of 
messages that don't tell me much... "Registered Authentication Agent for 
unix-process:", followed by "Failed to load environment files: 
no such files or directory".  Then, "dirsrv@ filed to run 
'start-pre' task: No such files or directory" and finally "Failed to 
start 389 Directory Server ".



If your domain is domain.com, you need to run
systemctl start dirsrv@DOMAIN-COM

I suspect that you ran instead systemctl start dirsrv@slapd-DOMAIN-COM 
which would produce the error you're seeing.


flo


Not sure now how to proceed at this point.

BTW, I have decided that once I get through this slog and have a working 
server again, I'm going to donate $50 to the Hawaiian Food Bank or the 
charity of your choice in appreciation.

Scott



*From:* Florence Blanc-Renaud 
*Sent:* Monday, August 10, 2020 8:55 PM
*To:* FreeIPA users list ; Rob 
Crittenden 

*Cc:* Scott Z. 
*Subject:* Re: [Freeipa-users] Re: pki-tomcatd not starting
On 8/10/20 11:46 PM, Scott Z. via FreeIPA-users wrote:

I stopped the ntp service with the command "timedatectl set_ntp 0"
I set the new date to be Sept. 1st, 2019 with "timedatectl set-time 
2019-09-01"
I waiting a minute and then checked with the "date" command; the problem 
server believes it is Sept. 1st, 2019.


Now when you say 'restart services', I assume you're only referring to 
the ipactl services?  In that case I ran "ipactl start 
--ignore-service-failures".  Interestingly, when I ran this command it 
not only failed to start pki-tomcatd (which I expected), but actually 
reset the date back to the present/correct time and date.  Thus, I 
re-ran the command to set it back to Sept. 1st, 2019.



If the server was configured with ntp, "ipactl start" will also restart
ntpd. You need to do the following:
ipactl stop
change date in the past
systemctl start dirsrv@DOMAIN-COM (replace with your domain name)
systemctl start krb5kdc
systemctl start kadmin
systemctl start named-pkcs11 (if IPA is hosting the DNS server)
systemctl start httpd
systemctl start pki-tomcatd@pki-tomcat

Then try getcert resubmit.

I then ran the "getcert resubmit -i  command.  I just now went 
through these steps again, and it's showing "status: CA_UNREACHABLE" and 
"ca-error: Internal Error".  Stuck now shows 'no'.
Re-running "certutil -L -d /etc/pki/pki-tomcat/alias -n 'ServerCert 
cert-pki-ca' now yields a new error message, "certutil: could not find 
cert: ServerCert cert-pki-ca", and ": PR_FILE_NOT_FOUND_ERROR: File not 
found"

The cert nickname should contain a dash: "Server-Cert cert-pki-ca"

HTH,
flo


Many Mahalos for your continued support and patience!
Scott




----------------
*From:* Rob Crittenden 
*Sent:* Monday, August 10, 2020 11:36 AM
*To:* FreeIPA users list ; 
Florence Blanc-Renaud 

*Cc:* Scott Z. 
*Subject:* Re: [Freeipa-users] Re: pki-tomcatd not starting
Scott Z. via FreeIPA-users wrote:

Whoops!  Using the additional command to start tracking this paritcular
cert that you included in a different message, I got it in the "getcert"
list (with the "getcert start-tracking -n 'Server-Cert cert-pki-ca' -d
/etc/pki/pki-tomcat/alias -c dogtag-ipa-ca-renew-agent -B
/usr/libexec/ipa/certmonger/stop_pkicad -C
'/usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"' -P
" command).

I have the date rolled back to Sept. 1st, 2019.  I guess I have 'some'
progress now at least, but still have an issue;  checking on the cert
with "getcert list -i ", it shows "status: CA_REJECTED", and
"stuck: yes". 


How did you roll the date back? Did you restart services? What date did
you pick and does it overlap so that all certs are valid?

rob



Any additional thoughts or help would be greatly appreciated!  And
thanks for the help so far.

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-11 Thread Scott Z. via FreeIPA-users
First thing I did when I logged in this morning (I'm on Hawaii Standard Time) 
was run "ipactl status".  The return was "Directory Services: STOPPED", and 
"Directory Service must running in order to obtain status of other services".
1) Ran "getcert list", and it shows the 9 certs being tracked (all the previous 
8 plus the 1 expired guy I added yesterday).  All look good except of course my 
problem child, who's status is CA_UNREACHABLE and ca-error is Internal error.
2) Ran "ipa stop", looks like all service stopped successfully.
2) Changed date back to Sept. 1, 2019.
3) Ran the "systemctl start dirsrv@ and got back "Job for 
dirsrv@ failed because a configured resource limit was exceeded."
 a. when I looked at "journalctl -xe", I just see a couple of messages that 
don't tell me much... "Registered Authentication Agent for 
unix-process:", followed by "Failed to load environment files: no 
such files or directory".  Then, "dirsrv@ filed to run 'start-pre' 
task: No such files or directory" and finally "Failed to start 389 Directory 
Server ".

Not sure now how to proceed at this point.

BTW, I have decided that once I get through this slog and have a working server 
again, I'm going to donate $50 to the Hawaiian Food Bank or the charity of your 
choice in appreciation.
Scott



From: Florence Blanc-Renaud 
Sent: Monday, August 10, 2020 8:55 PM
To: FreeIPA users list ; Rob Crittenden 

Cc: Scott Z. 
Subject: Re: [Freeipa-users] Re: pki-tomcatd not starting

On 8/10/20 11:46 PM, Scott Z. via FreeIPA-users wrote:
> I stopped the ntp service with the command "timedatectl set_ntp 0"
> I set the new date to be Sept. 1st, 2019 with "timedatectl set-time
> 2019-09-01"
> I waiting a minute and then checked with the "date" command; the problem
> server believes it is Sept. 1st, 2019.
>
> Now when you say 'restart services', I assume you're only referring to
> the ipactl services?  In that case I ran "ipactl start
> --ignore-service-failures".  Interestingly, when I ran this command it
> not only failed to start pki-tomcatd (which I expected), but actually
> reset the date back to the present/correct time and date.  Thus, I
> re-ran the command to set it back to Sept. 1st, 2019.
>
If the server was configured with ntp, "ipactl start" will also restart
ntpd. You need to do the following:
ipactl stop
change date in the past
systemctl start dirsrv@DOMAIN-COM (replace with your domain name)
systemctl start krb5kdc
systemctl start kadmin
systemctl start named-pkcs11 (if IPA is hosting the DNS server)
systemctl start httpd
systemctl start pki-tomcatd@pki-tomcat

Then try getcert resubmit.

> I then ran the "getcert resubmit -i  command.  I just now went
> through these steps again, and it's showing "status: CA_UNREACHABLE" and
> "ca-error: Internal Error".  Stuck now shows 'no'.
> Re-running "certutil -L -d /etc/pki/pki-tomcat/alias -n 'ServerCert
> cert-pki-ca' now yields a new error message, "certutil: could not find
> cert: ServerCert cert-pki-ca", and ": PR_FILE_NOT_FOUND_ERROR: File not
> found"
The cert nickname should contain a dash: "Server-Cert cert-pki-ca"

HTH,
flo
>
> Many Mahalos for your continued support and patience!
> Scott
>
>
>
>
> 
> *From:* Rob Crittenden 
> *Sent:* Monday, August 10, 2020 11:36 AM
> *To:* FreeIPA users list ;
> Florence Blanc-Renaud 
> *Cc:* Scott Z. 
> *Subject:* Re: [Freeipa-users] Re: pki-tomcatd not starting
> Scott Z. via FreeIPA-users wrote:
>> Whoops!  Using the additional command to start tracking this paritcular
>> cert that you included in a different message, I got it in the "getcert"
>> list (with the "getcert start-tracking -n 'Server-Cert cert-pki-ca' -d
>> /etc/pki/pki-tomcat/alias -c dogtag-ipa-ca-renew-agent -B
>> /usr/libexec/ipa/certmonger/stop_pkicad -C
>> '/usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"' -P
>> " command).
>>
>> I have the date rolled back to Sept. 1st, 2019.  I guess I have 'some'
>> progress now at least, but still have an issue;  checking on the cert
>> with "getcert list -i ", it shows "status: CA_REJECTED", and
>> "stuck: yes".
>
> How did you roll the date back? Did you restart services? What date did
> you pick and does it overlap so that all certs are valid?
>
> rob
>
>>
>> Any additional thoughts or help would be greatly appreciated!  And
>> thanks for the help so far.
>> Scott
>>
&g

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-11 Thread Florence Blanc-Renaud via FreeIPA-users

On 8/10/20 11:46 PM, Scott Z. via FreeIPA-users wrote:

I stopped the ntp service with the command "timedatectl set_ntp 0"
I set the new date to be Sept. 1st, 2019 with "timedatectl set-time 
2019-09-01"
I waiting a minute and then checked with the "date" command; the problem 
server believes it is Sept. 1st, 2019.


Now when you say 'restart services', I assume you're only referring to 
the ipactl services?  In that case I ran "ipactl start 
--ignore-service-failures".  Interestingly, when I ran this command it 
not only failed to start pki-tomcatd (which I expected), but actually 
reset the date back to the present/correct time and date.  Thus, I 
re-ran the command to set it back to Sept. 1st, 2019.


If the server was configured with ntp, "ipactl start" will also restart 
ntpd. You need to do the following:

ipactl stop
change date in the past
systemctl start dirsrv@DOMAIN-COM (replace with your domain name)
systemctl start krb5kdc
systemctl start kadmin
systemctl start named-pkcs11 (if IPA is hosting the DNS server)
systemctl start httpd
systemctl start pki-tomcatd@pki-tomcat

Then try getcert resubmit.

I then ran the "getcert resubmit -i  command.  I just now went 
through these steps again, and it's showing "status: CA_UNREACHABLE" and 
"ca-error: Internal Error".  Stuck now shows 'no'.
Re-running "certutil -L -d /etc/pki/pki-tomcat/alias -n 'ServerCert 
cert-pki-ca' now yields a new error message, "certutil: could not find 
cert: ServerCert cert-pki-ca", and ": PR_FILE_NOT_FOUND_ERROR: File not 
found"

The cert nickname should contain a dash: "Server-Cert cert-pki-ca"

HTH,
flo


Many Mahalos for your continued support and patience!
Scott





*From:* Rob Crittenden 
*Sent:* Monday, August 10, 2020 11:36 AM
*To:* FreeIPA users list ; 
Florence Blanc-Renaud 

*Cc:* Scott Z. 
*Subject:* Re: [Freeipa-users] Re: pki-tomcatd not starting
Scott Z. via FreeIPA-users wrote:

Whoops!  Using the additional command to start tracking this paritcular
cert that you included in a different message, I got it in the "getcert"
list (with the "getcert start-tracking -n 'Server-Cert cert-pki-ca' -d
/etc/pki/pki-tomcat/alias -c dogtag-ipa-ca-renew-agent -B
/usr/libexec/ipa/certmonger/stop_pkicad -C
'/usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"' -P
" command).

I have the date rolled back to Sept. 1st, 2019.  I guess I have 'some'
progress now at least, but still have an issue;  checking on the cert
with "getcert list -i ", it shows "status: CA_REJECTED", and
"stuck: yes". 


How did you roll the date back? Did you restart services? What date did
you pick and does it overlap so that all certs are valid?

rob



Any additional thoughts or help would be greatly appreciated!  And
thanks for the help so far.
Scott

--------
*From:* Scott Z. via FreeIPA-users 
*Sent:* Monday, August 10, 2020 10:37 AM
*To:* Florence Blanc-Renaud 
*Cc:* FreeIPA users list ; Scott
Z. 
*Subject:* [Freeipa-users] Re: pki-tomcatd not starting
 
Sorry, I didn't realize I had dropped the mailing list - my mistake!


I backed up the files/directories you mentioned below, then I checked on
the ra-agent.pem to see if it was still valid (openssl x509 -in
/path/to/ra-agent.pem -text -noout), and the ra-agent.pem cert is indeed
currently valid (Not before: Aug 21 17:20:41 2019 GMT, Not After:  Aug
10 17:20:41 2021 GMT).

Based on that information, and knowing that the bad cert is valid from
Oct. 6th 2017 to Sep. 26 2019, I'm going with Sept. 1st of this 2019
since all certs will see that date as valid.

The only issue I have now is getting the request ID for the expired
cert; it doesn't show up in the list of certs when I do "getcert -list",
I can only see it by running "certutil -L -d
/var/lib/pki/pki-tomcat/ca/alias -n 'ServerCert cert-pki-ca'", and when
I run that it does not show any Request ID associated for it?
Scott


----------------------------
*From:* Florence Blanc-Renaud 
*Sent:* Monday, August 10, 2020 8:45 AM
*To:* Scott Z. 
*Cc:* FreeIPA users list 
*Subject:* Re: [Freeipa-users] Re: pki-tomcatd not starting
 
Hi,


re-adding the mailing list as the conversation could also help others.

On 8/8/20 12:06 AM, Scott Z. wrote:
I did notice when I compare it to another IdM server in the environment, 
if I do a "certutil -L -d /etc.httdp/alias" the non-working server has a 
 IPA CA certificate and a Server-Cert, but the other one that 
I'm comparing against has a "Signing-Cert" certificate in addition.  Is 
this because it's the 'Master' or whatever?  Should my 'bad' server have 
this same Signing

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-10 Thread Scott Z. via FreeIPA-users
I stopped the ntp service with the command "timedatectl set_ntp 0"
I set the new date to be Sept. 1st, 2019 with "timedatectl set-time 2019-09-01"
I waiting a minute and then checked with the "date" command; the problem server 
believes it is Sept. 1st, 2019.

Now when you say 'restart services', I assume you're only referring to the 
ipactl services?  In that case I ran "ipactl start --ignore-service-failures".  
Interestingly, when I ran this command it not only failed to start pki-tomcatd 
(which I expected), but actually reset the date back to the present/correct 
time and date.  Thus, I re-ran the command to set it back to Sept. 1st, 2019.

I then ran the "getcert resubmit -i  command.  I just now went through 
these steps again, and it's showing "status: CA_UNREACHABLE" and "ca-error: 
Internal Error".  Stuck now shows 'no'.
Re-running "certutil -L -d /etc/pki/pki-tomcat/alias -n 'ServerCert 
cert-pki-ca' now yields a new error message, "certutil: could not find cert: 
ServerCert cert-pki-ca", and ": PR_FILE_NOT_FOUND_ERROR: File not found"

Many Mahalos for your continued support and patience!
Scott





From: Rob Crittenden 
Sent: Monday, August 10, 2020 11:36 AM
To: FreeIPA users list ; Florence 
Blanc-Renaud 
Cc: Scott Z. 
Subject: Re: [Freeipa-users] Re: pki-tomcatd not starting

Scott Z. via FreeIPA-users wrote:
> Whoops!  Using the additional command to start tracking this paritcular
> cert that you included in a different message, I got it in the "getcert"
> list (with the "getcert start-tracking -n 'Server-Cert cert-pki-ca' -d
> /etc/pki/pki-tomcat/alias -c dogtag-ipa-ca-renew-agent -B
> /usr/libexec/ipa/certmonger/stop_pkicad -C
> '/usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"' -P
> " command).
>
> I have the date rolled back to Sept. 1st, 2019.  I guess I have 'some'
> progress now at least, but still have an issue;  checking on the cert
> with "getcert list -i ", it shows "status: CA_REJECTED", and
> "stuck: yes".

How did you roll the date back? Did you restart services? What date did
you pick and does it overlap so that all certs are valid?

rob

>
> Any additional thoughts or help would be greatly appreciated!  And
> thanks for the help so far.
> Scott
>
> --------------------
> *From:* Scott Z. via FreeIPA-users 
> *Sent:* Monday, August 10, 2020 10:37 AM
> *To:* Florence Blanc-Renaud 
> *Cc:* FreeIPA users list ; Scott
> Z. 
> *Subject:* [Freeipa-users] Re: pki-tomcatd not starting
>
> Sorry, I didn't realize I had dropped the mailing list - my mistake!
>
> I backed up the files/directories you mentioned below, then I checked on
> the ra-agent.pem to see if it was still valid (openssl x509 -in
> /path/to/ra-agent.pem -text -noout), and the ra-agent.pem cert is indeed
> currently valid (Not before: Aug 21 17:20:41 2019 GMT, Not After:  Aug
> 10 17:20:41 2021 GMT).
>
> Based on that information, and knowing that the bad cert is valid from
> Oct. 6th 2017 to Sep. 26 2019, I'm going with Sept. 1st of this 2019
> since all certs will see that date as valid.
>
> The only issue I have now is getting the request ID for the expired
> cert; it doesn't show up in the list of certs when I do "getcert -list",
> I can only see it by running "certutil -L -d
> /var/lib/pki/pki-tomcat/ca/alias -n 'ServerCert cert-pki-ca'", and when
> I run that it does not show any Request ID associated for it?
> Scott
>
>
> 
> *From:* Florence Blanc-Renaud 
> *Sent:* Monday, August 10, 2020 8:45 AM
> *To:* Scott Z. 
> *Cc:* FreeIPA users list 
> *Subject:* Re: [Freeipa-users] Re: pki-tomcatd not starting
>
> Hi,
>
> re-adding the mailing list as the conversation could also help others.
>
> On 8/8/20 12:06 AM, Scott Z. wrote:
>> I did notice when I compare it to another IdM server in the environment,
>> if I do a "certutil -L -d /etc.httdp/alias" the non-working server has a
>>  IPA CA certificate and a Server-Cert, but the other one that
>> I'm comparing against has a "Signing-Cert" certificate in addition.  Is
>> this because it's the 'Master' or whatever?  Should my 'bad' server have
>> this same Signing-Cert listed?
>
> /etc/httpd/alias only needs its own Server-Cert + IPA CA.
>
>> Scott
>>
>> 
>> *From:* Scott Z. 
>> *Sent:* Friday, August 7, 2020 10:44 AM
>> *To:* Florence Blanc-Renaud 
>> *Subject:* Re: [F

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-10 Thread Rob Crittenden via FreeIPA-users
Scott Z. via FreeIPA-users wrote:
> Whoops!  Using the additional command to start tracking this paritcular
> cert that you included in a different message, I got it in the "getcert"
> list (with the "getcert start-tracking -n 'Server-Cert cert-pki-ca' -d
> /etc/pki/pki-tomcat/alias -c dogtag-ipa-ca-renew-agent -B
> /usr/libexec/ipa/certmonger/stop_pkicad -C
> '/usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"' -P
> " command).
> 
> I have the date rolled back to Sept. 1st, 2019.  I guess I have 'some'
> progress now at least, but still have an issue;  checking on the cert
> with "getcert list -i ", it shows "status: CA_REJECTED", and
> "stuck: yes". 

How did you roll the date back? Did you restart services? What date did
you pick and does it overlap so that all certs are valid?

rob

> 
> Any additional thoughts or help would be greatly appreciated!  And
> thanks for the help so far.
> Scott
> 
> 
> *From:* Scott Z. via FreeIPA-users 
> *Sent:* Monday, August 10, 2020 10:37 AM
> *To:* Florence Blanc-Renaud 
> *Cc:* FreeIPA users list ; Scott
> Z. 
> *Subject:* [Freeipa-users] Re: pki-tomcatd not starting
>  
> Sorry, I didn't realize I had dropped the mailing list - my mistake!
> 
> I backed up the files/directories you mentioned below, then I checked on
> the ra-agent.pem to see if it was still valid (openssl x509 -in
> /path/to/ra-agent.pem -text -noout), and the ra-agent.pem cert is indeed
> currently valid (Not before: Aug 21 17:20:41 2019 GMT, Not After:  Aug
> 10 17:20:41 2021 GMT).
> 
> Based on that information, and knowing that the bad cert is valid from
> Oct. 6th 2017 to Sep. 26 2019, I'm going with Sept. 1st of this 2019
> since all certs will see that date as valid.
> 
> The only issue I have now is getting the request ID for the expired
> cert; it doesn't show up in the list of certs when I do "getcert -list",
> I can only see it by running "certutil -L -d
> /var/lib/pki/pki-tomcat/ca/alias -n 'ServerCert cert-pki-ca'", and when
> I run that it does not show any Request ID associated for it?
> Scott
> 
> 
> --------------------
> *From:* Florence Blanc-Renaud 
> *Sent:* Monday, August 10, 2020 8:45 AM
> *To:* Scott Z. 
> *Cc:* FreeIPA users list 
> *Subject:* Re: [Freeipa-users] Re: pki-tomcatd not starting
>  
> Hi,
> 
> re-adding the mailing list as the conversation could also help others.
> 
> On 8/8/20 12:06 AM, Scott Z. wrote:
>> I did notice when I compare it to another IdM server in the environment, 
>> if I do a "certutil -L -d /etc.httdp/alias" the non-working server has a 
>>  IPA CA certificate and a Server-Cert, but the other one that 
>> I'm comparing against has a "Signing-Cert" certificate in addition.  Is 
>> this because it's the 'Master' or whatever?  Should my 'bad' server have 
>> this same Signing-Cert listed?
> 
> /etc/httpd/alias only needs its own Server-Cert + IPA CA.
> 
>> Scott
>> 
>> 
>> *From:* Scott Z. 
>> *Sent:* Friday, August 7, 2020 10:44 AM
>> *To:* Florence Blanc-Renaud 
>> *Subject:* Re: [Freeipa-users] Re: pki-tomcatd not starting
>> /"The interesting part is the list of expired certs on the failing node
>> (is the RA cert /var/lib/ipa/ra-agent.pem expired?). Detailed
>> instructions are available here:
>> https://access.redhat.com/solutions/3357331 How do I manually renew
>> Identity Management (IPA) certificates on RHEL7 after they have expired?
>> (Replica IPA Server)"/
> 
> Start by making a backup of /etc/dirsrv/slapd-*/*.db, /etc/httpd/alias,
> /etc/pki/pki-tomcat/alias and /var/lib/ipa/ra-agent.* (the places where
> the certificates are stored).
> 
> If the RA cert is valid, you need to find a time window during which the
> RA cert is already valid (date > notbefore) and the other certs are not
> expired yet (date < notafter). When you have identified a proper date,
> stop ntpd (or chronyd, depending on which service is used for time
> synchronization), move the date back in time to the identified date,
> start all the services except ntpd, then call "getcert resubmit -i
> " for the expired cert(s).
> 
> Check that the cert has been renewed with "getcert list -i  id>", the
> state should display MONITORING. When all the certs are good,
> you can restart ntpd and the clock will go back to the current date.
> 
> It's really important to find a date w

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-10 Thread Scott Z. via FreeIPA-users
Whoops!  Using the additional command to start tracking this paritcular cert 
that you included in a different message, I got it in the "getcert" list (with 
the "getcert start-tracking -n 'Server-Cert cert-pki-ca' -d 
/etc/pki/pki-tomcat/alias -c dogtag-ipa-ca-renew-agent -B 
/usr/libexec/ipa/certmonger/stop_pkicad -C 
'/usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"' -P " 
command).

I have the date rolled back to Sept. 1st, 2019.  I guess I have 'some' progress 
now at least, but still have an issue;  checking on the cert with "getcert list 
-i ", it shows "status: CA_REJECTED", and "stuck: yes".

Any additional thoughts or help would be greatly appreciated!  And thanks for 
the help so far.
Scott


From: Scott Z. via FreeIPA-users 
Sent: Monday, August 10, 2020 10:37 AM
To: Florence Blanc-Renaud 
Cc: FreeIPA users list ; Scott Z. 

Subject: [Freeipa-users] Re: pki-tomcatd not starting

Sorry, I didn't realize I had dropped the mailing list - my mistake!

I backed up the files/directories you mentioned below, then I checked on the 
ra-agent.pem to see if it was still valid (openssl x509 -in 
/path/to/ra-agent.pem -text -noout), and the ra-agent.pem cert is indeed 
currently valid (Not before: Aug 21 17:20:41 2019 GMT, Not After:  Aug 10 
17:20:41 2021 GMT).

Based on that information, and knowing that the bad cert is valid from Oct. 6th 
2017 to Sep. 26 2019, I'm going with Sept. 1st of this 2019 since all certs 
will see that date as valid.

The only issue I have now is getting the request ID for the expired cert; it 
doesn't show up in the list of certs when I do "getcert -list", I can only see 
it by running "certutil -L -d /var/lib/pki/pki-tomcat/ca/alias -n 'ServerCert 
cert-pki-ca'", and when I run that it does not show any Request ID associated 
for it?
Scott



From: Florence Blanc-Renaud 
Sent: Monday, August 10, 2020 8:45 AM
To: Scott Z. 
Cc: FreeIPA users list 
Subject: Re: [Freeipa-users] Re: pki-tomcatd not starting

Hi,

re-adding the mailing list as the conversation could also help others.

On 8/8/20 12:06 AM, Scott Z. wrote:
> I did notice when I compare it to another IdM server in the environment,
> if I do a "certutil -L -d /etc.httdp/alias" the non-working server has a
>  IPA CA certificate and a Server-Cert, but the other one that
> I'm comparing against has a "Signing-Cert" certificate in addition.  Is
> this because it's the 'Master' or whatever?  Should my 'bad' server have
> this same Signing-Cert listed?

/etc/httpd/alias only needs its own Server-Cert + IPA CA.

> Scott
>
> ------------
> *From:* Scott Z. 
> *Sent:* Friday, August 7, 2020 10:44 AM
> *To:* Florence Blanc-Renaud 
> *Subject:* Re: [Freeipa-users] Re: pki-tomcatd not starting
> /"The interesting part is the list of expired certs on the failing node
> (is the RA cert /var/lib/ipa/ra-agent.pem expired?). Detailed
> instructions are available here:
> https://access.redhat.com/solutions/3357331 How do I manually renew
> Identity Management (IPA) certificates on RHEL7 after they have expired?
> (Replica IPA Server)"/

Start by making a backup of /etc/dirsrv/slapd-*/*.db, /etc/httpd/alias,
/etc/pki/pki-tomcat/alias and /var/lib/ipa/ra-agent.* (the places where
the certificates are stored).

If the RA cert is valid, you need to find a time window during which the
RA cert is already valid (date > notbefore) and the other certs are not
expired yet (date < notafter). When you have identified a proper date,
stop ntpd (or chronyd, depending on which service is used for time
synchronization), move the date back in time to the identified date,
start all the services except ntpd, then call "getcert resubmit -i
" for the expired cert(s).

Check that the cert has been renewed with "getcert list -i ", the
state should display MONITORING. When all the certs are good,
you can restart ntpd and the clock will go back to the current date.

It's really important to find a date where all the certs are valid
because this ensures that the services are able to start and the RA cert
allows the authentication that is mandatory for certificate renewal.

HTH,
flo
>
> Sadly, after I log in, it's only telling me that it's "Subscriber
> Exclusive Content".  Not sure what happened with my account, I used to
> be able to access these docs with no problem but since I took a RHEL
> class a couple of weeks back now it's not working any more.  I guess
> they did something to screw up my account when I took the class. Gr!!!
> Scott
>
> ------------
> *From:* Florence Blanc-Renaud 
> *Sent:* Thursday, August 6

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-10 Thread Scott Z. via FreeIPA-users
Sorry, I didn't realize I had dropped the mailing list - my mistake!

I backed up the files/directories you mentioned below, then I checked on the 
ra-agent.pem to see if it was still valid (openssl x509 -in 
/path/to/ra-agent.pem -text -noout), and the ra-agent.pem cert is indeed 
currently valid (Not before: Aug 21 17:20:41 2019 GMT, Not After:  Aug 10 
17:20:41 2021 GMT).

Based on that information, and knowing that the bad cert is valid from Oct. 6th 
2017 to Sep. 26 2019, I'm going with Sept. 1st of this 2019 since all certs 
will see that date as valid.

The only issue I have now is getting the request ID for the expired cert; it 
doesn't show up in the list of certs when I do "getcert -list", I can only see 
it by running "certutil -L -d /var/lib/pki/pki-tomcat/ca/alias -n 'ServerCert 
cert-pki-ca'", and when I run that it does not show any Request ID associated 
for it?
Scott



From: Florence Blanc-Renaud 
Sent: Monday, August 10, 2020 8:45 AM
To: Scott Z. 
Cc: FreeIPA users list 
Subject: Re: [Freeipa-users] Re: pki-tomcatd not starting

Hi,

re-adding the mailing list as the conversation could also help others.

On 8/8/20 12:06 AM, Scott Z. wrote:
> I did notice when I compare it to another IdM server in the environment,
> if I do a "certutil -L -d /etc/httpd/alias" the non-working server has a
>  IPA CA certificate and a Server-Cert, but the other one that
> I'm comparing against has a "Signing-Cert" certificate in addition.  Is
> this because it's the 'Master' or whatever?  Should my 'bad' server have
> this same Signing-Cert listed?

/etc/httpd/alias only needs its own Server-Cert + IPA CA.

> Scott
>
> 
> *From:* Scott Z. 
> *Sent:* Friday, August 7, 2020 10:44 AM
> *To:* Florence Blanc-Renaud 
> *Subject:* Re: [Freeipa-users] Re: pki-tomcatd not starting
> /"The interesting part is the list of expired certs on the failing node
> (is the RA cert /var/lib/ipa/ra-agent.pem expired?). Detailed
> instructions are available here:
> https://access.redhat.com/solutions/3357331 How do I manually renew
> Identity Management (IPA) certificates on RHEL7 after they have expired?
> (Replica IPA Server)"/

Start by making a backup of /etc/dirsrv/slapd-*/*.db, /etc/httpd/alias,
/etc/pki/pki-tomcat/alias and /var/lib/ipa/ra-agent.* (the places where
the certificates are stored).

If the RA cert is valid, you need to find a time window during which the
RA cert is already valid (date > notbefore) and the other certs are not
expired yet (date < notafter). When you have identified a proper date,
stop ntpd (or chronyd, depending on which service is used for time
synchronization), move the date back in time to the identified date,
start all the services except ntpd, then call "getcert resubmit -i
" for the expired cert(s).

Check that the cert has been renewed with "getcert list -i ", the state should display MONITORING. When all the certs are good,
you can restart ntpd and the clock will go back to the current date.

It's really important to find a date where all the certs are valid
because this ensures that the services are able to start and the RA cert
allows the authentication that is mandatory for certificate renewal.

HTH,
flo
>
> Sadly, after I log in, it's only telling me that it's "Subscriber
> Exclusive Content".  Not sure what happened with my account, I used to
> be able to access these docs with no problem but since I took a RHEL
> class a couple of weeks back now it's not working any more.  I guess
> they did something to screw up my account when I took the class. Gr!!!
> Scott
>
> ------------------------
> *From:* Florence Blanc-Renaud 
> *Sent:* Thursday, August 6, 2020 2:46 AM
> *To:* FreeIPA users list 
> *Cc:* Scott Z. 
> *Subject:* Re: [Freeipa-users] Re: pki-tomcatd not starting
> On 8/6/20 12:53 AM, Scott Z. via FreeIPA-users wrote:
>> Thanks much for the assistance.  Here is where I am with your suggestions:
>> 1) Checked on the cert with "certutil -L -d /etc/pki/pki-tomcat/alias -n
>> 'Server-Cert cert-pki-ca' and I see that the Validity is indeed old
>> (almost a year old actually, I assume IPA only checks it when it first
>> starts up so it didn't care that it was expired until the server was
>> rebooted?)
>
> certmonger checks the certificate validity periodically (configurable in
> certmonger.conf) and tries multiple times to renew soon-to-expire certs.
> The system probably had an issue that was not detected and the cert
> reached its expiration date.
>
>>
>> 2) ran ipactl start --ignore-service-failures
>>         a. most services started, ob

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-10 Thread Rob Crittenden via FreeIPA-users
-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
> track: yes
> auto-renew: yes
> 
> Request ID '<###>':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=
> subject: CN=,O=
> expires: 2021-09-09 19:53:33 UTC
> principal name: ldap/
> key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv 
> track: yes
> auto-renew: yes
> 
> Request ID '<###>':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=
> subject: CN=,O=
> expires: 2021-09-09 19:51:45 UTC
> principal name: HTTP/
> key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
> 
> Thank you so much again!
> Scot
> 
> 
> 
> 
> *From:* Florence Blanc-Renaud 
> *Sent:* Thursday, August 6, 2020 2:46 AM
> *To:* FreeIPA users list 
> *Cc:* Scott Z. 
> *Subject:* Re: [Freeipa-users] Re: pki-tomcatd not starting
>  
> On 8/6/20 12:53 AM, Scott Z. via FreeIPA-users wrote:
>> Thanks much for the assistance.  Here is where I am with your suggestions:
>> 1) Checked on the cert with "certutil -L -d /etc/pki/pki-tomcat/alias -n 
>> 'Server-Cert cert-pki-ca' and I see that the Validity is indeed old 
>> (almost a year old actually, I assume IPA only checks it when it first 
>> starts up so it didn't care that it was expired until the server was 
>> rebooted?)
> 
> certmonger checks the certificate validity periodically (configurable in
> certmonger.conf) and tries multiple times to renew soon-to-expire certs.
> The system probably had an issue that was not detected and the cert
> reached its expiration date.
> 
>> 
>> 2) ran ipactl start --ignore-service-failures
>>         a. most services started, obviously pki-tomcatd 
>>did not
>> 3) ran "kinit admin"
>>         a. was forced to change the password, but 
>>otherwise nothing happened
>> 4) Ran "ipa config-show |grep -i master
>>        a. I see that the IPA CA renewal master is a 
>>different idm machine.
>> 5) Ran "getcert list | grep -E "Request|certificate:|expires:"
>>        a. I see all certs are currently valid (none expired)
>> 6) Ran the command "getcert list" on the problem server, but I cannot 
>> paste the output here because it's on an airgapped environment so while I 
>> apologize for this and realize it makes things more difficult, perhaps 
>> if you tell me what I should be looking for or more specifically what 
>> you're interested in I can pluck that out and manually include it here?
>> So in summary, it is indeed an expired 'Server-Cert cert-pki-ca' 
>> certificate on the problem server, and it can theoretically be renewed by 
>> the Master at this time.
> The interesting part is the list of expired certs on the failing node
> (is the RA cert /var/lib/ipa/ra-agent.pem expired?). Detailed
> instructions are available here:
> https://access.redhat.com/solutions/3357331 How do I manually renew
> Identity Management (IPA) certificates on RHEL7 after they have expired?
> (Replica IPA Server)
> 
> flo
> 
>> Many thanks!
>> Scott
>> 
>> 
>> *From:* Florence Blanc-Renaud 
>> *Sent:* Monday, August 3, 2020 9:34 PM
>> *To:* FreeIPA users list 
>> *Cc:* Scott Z. 
>> *Subject:* Re: [Freeipa-users] pki-tomcatd not starting
>> On 8/3/20 10:14 PM, Scott Z. via FreeIPA-users wrote:
>>> Not sure I'm sending this to the right place, but here it goes.  I 
>>> inherited a FreeIPA/Identity Manager setup in an enclave (no internet 
>>> access) environment that is running into probl

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-10 Thread Florence Blanc-Renaud via FreeIPA-users
/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/dirsrv/slapd-',nickname='Server-Cert',token='NSS 
Certificate DB'

CA: IPA
issuer: CN=Certificate Authority,O=
subject: CN=,O=
expires: 2021-09-09 19:53:33 UTC
principal name: ldap/
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment

eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv 
track: yes
auto-renew: yes

Request ID '<###>':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/dirsrv/slapd-',nickname='Server-Cert',token='NSS 
Certificate DB'

CA: IPA
issuer: CN=Certificate Authority,O=
subject: CN=,O=
expires: 2021-09-09 19:51:45 UTC
principal name: HTTP/
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment

eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes

Thank you so much again!
Scot




*From:* Florence Blanc-Renaud 
*Sent:* Thursday, August 6, 2020 2:46 AM
*To:* FreeIPA users list 
*Cc:* Scott Z. 
*Subject:* Re: [Freeipa-users] Re: pki-tomcatd not starting
On 8/6/20 12:53 AM, Scott Z. via FreeIPA-users wrote:

Thanks much for the assistance.  Here is where I am with your suggestions:
1) Checked on the cert with "certutil -L -d /etc/pki/pki-tomcat/alias -n 
'Server-Cert cert-pki-ca' and I see that the Validity is indeed old 
(almost a year old actually, I assume IPA only checks it when it first 
starts up so it didn't care that it was expired until the server was 
rebooted?)


certmonger checks the certificate validity periodically (configurable in
certmonger.conf) and tries multiple times to renew soon-to-expire certs.
The system probably had an issue that was not detected and the cert
reached its expiration date.



2) ran ipactl start --ignore-service-failures
         a. most services started, obviously pki-tomcatd did 
not
3) ran "kinit admin"
         a. was forced to change the password, but otherwise 
nothing happened
4) Ran "ipa config-show |grep -i master
        a. I see that the IPA CA renewal master is a different 
idm machine.
5) Ran "getcert list | grep -E "Request|certificate:|expires:"
        a. I see all certs are currently valid (none expired)
6) Ran the command "getcert list" on the problem server, but I cannot 
paste the output here because it's on an airgapped environment so while I 
apologize for this and realize it makes things more difficult, perhaps 
if you tell me what I should be looking for or more specifically what 
you're interested in I can pluck that out and manually include it here?
So in summary, it is indeed an expired 'Server-Cert cert-pki-ca' 
certificate on the problem server, and it can theoretically be renewed by 
the Master at this time.

The interesting part is the list of expired certs on the failing node
(is the RA cert /var/lib/ipa/ra-agent.pem expired?). Detailed
instructions are available here:
https://access.redhat.com/solutions/3357331 How do I manually renew
Identity Management (IPA) certificates on RHEL7 after they have expired?
(Replica IPA Server)

flo


Many thanks!
Scott

------------------------
*From:* Florence Blanc-Renaud 
*Sent:* Monday, August 3, 2020 9:34 PM
*To:* FreeIPA users list 
*Cc:* Scott Z. 
*Subject:* Re: [Freeipa-users] pki-tomcatd not starting
On 8/3/20 10:14 PM, Scott Z. via FreeIPA-users wrote:
Not sure I'm sending this to the right place, but here it goes.  I 
inherited a FreeIPA/Identity Manager setup in an enclave (no internet 
access) environment that is running into problems.  There are at least 3 
different IdM servers running in the environment spread out across 
different geographical areas.  One of those areas suffered an unscheduled 
power outage recently, and ever since we brought everything back up, the 
IdM server for this region is having an issue.  Please bear with me as I 
have zero formal experience, training, or real knowledge with IdM.


Logging in to the server (it's a VM server, running CentOS 7.5), I run 
"ipactl status" and it shows "Directory Service: STOPPED".  I then run 
"ipactl restart", and things go fine until it gets to "Starting 
pki-tomcatd Service", where it hangs for quite some time before failing 
to start and killing all the other services.  I check the log at 
/var/log/pki/pki-tomcat/ca/debug and I see various errors such as 
(forgive any mistypings, I have to manually type these in as I can't 
import or screen capture th

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-10 Thread Florence Blanc-Renaud via FreeIPA-users

Hi,

re-adding the mailing list as the conversation could also help others.

On 8/8/20 12:06 AM, Scott Z. wrote:
I did notice when I compare it to another IdM server in the environment, 
if I do a "certutil -L -d /etc/httpd/alias" the non-working server has a 
 IPA CA certificate and a Server-Cert, but the other one that 
I'm comparing against has a "Signing-Cert" certificate in addition.  Is 
this because it's the 'Master' or whatever?  Should my 'bad' server have 
this same Signing-Cert listed?


/etc/httpd/alias only needs its own Server-Cert + IPA CA.


Scott


*From:* Scott Z. 
*Sent:* Friday, August 7, 2020 10:44 AM
*To:* Florence Blanc-Renaud 
*Subject:* Re: [Freeipa-users] Re: pki-tomcatd not starting
/"The interesting part is the list of expired certs on the failing node
(is the RA cert /var/lib/ipa/ra-agent.pem expired?). Detailed
instructions are available here:
https://access.redhat.com/solutions/3357331 How do I manually renew
Identity Management (IPA) certificates on RHEL7 after they have expired?
(Replica IPA Server)"/


Start by making a backup of /etc/dirsrv/slapd-*/*.db, /etc/httpd/alias, 
/etc/pki/pki-tomcat/alias and /var/lib/ipa/ra-agent.* (the places where 
the certificates are stored).


If the RA cert is valid, you need to find a time window during which the 
RA cert is already valid (date > notbefore) and the other certs are not 
expired yet (date < notafter). When you have identified a proper date, 
stop ntpd (or chronyd, depending on which service is used for time 
synchronization), move the date back in time to the identified date, 
start all the services except ntpd, then call "getcert resubmit -i 
" for the expired cert(s).


Check that the cert has been renewed with "getcert list -i <id>", the state should display MONITORING. When all the certs are good, 
you can restart ntpd and the clock will go back to the current date.


It's really important to find a date where all the certs are valid 
because this ensures that the services are able to start and the RA cert 
allows the authentication that is mandatory for certificate renewal.


HTH,
flo


Sadly, after I log in, it's only telling me that it's "Subscriber 
Exclusive Content".  Not sure what happened with my account, I used to 
be able to access these docs with no problem but since I took a RHEL 
class a couple of weeks back now it's not working any more.  I guess 
they did something to screw up my account when I took the class. Gr!!!

Scott


*From:* Florence Blanc-Renaud 
*Sent:* Thursday, August 6, 2020 2:46 AM
*To:* FreeIPA users list 
*Cc:* Scott Z. 
*Subject:* Re: [Freeipa-users] Re: pki-tomcatd not starting
On 8/6/20 12:53 AM, Scott Z. via FreeIPA-users wrote:

Thanks much for the assistance.  Here is where I am with your suggestions:
1) Checked on the cert with "certutil -L -d /etc/pki/pki-tomcat/alias -n 
'Server-Cert cert-pki-ca' and I see that the Validity is indeed old 
(almost a year old actually, I assume IPA only checks it when it first 
starts up so it didn't care that it was expired until the server was 
rebooted?)


certmonger checks the certificate validity periodically (configurable in
certmonger.conf) and tries multiple times to renew soon-to-expire certs.
The system probably had an issue that was not detected and the cert
reached its expiration date.



2) ran ipactl start --ignore-service-failures
         a. most services started, obviously pki-tomcatd did 
not
3) ran "kinit admin"
         a. was forced to change the password, but otherwise 
nothing happened
4) Ran "ipa config-show |grep -i master
        a. I see that the IPA CA renewal master is a different 
idm machine.
5) Ran "getcert list | grep -E "Request|certificate:|expires:"
        a. I see all certs are currently valid (none expired)
6) Ran the command "getcert list" on the problem server, but I cannot 
paste the output here because it's on an airgapped environment so while I 
apologize for this and realize it makes things more difficult, perhaps 
if you tell me what I should be looking for or more specifically what 
you're interested in I can pluck that out and manually include it here?
So in summary, it is indeed an expired 'Server-Cert cert-pki-ca' 
certificate on the problem server, and it can theoretically be renewed by 
the Master at this time.

The interesting part is the list of expired certs on the failing node
(is the RA cert /var/lib/ipa/ra-agent.pem expired?). Detailed
instructions are available here:
https://access.redhat.com/solutions/3357331 How do I manually renew
Identity Management (IPA) certificates on RHEL7 after they have expired?
(Replica IPA Server)

flo


Many thanks!
Scott
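
flo's procedure above (back up the stores, find a date on which the RA cert is already valid and nothing else has expired yet, stop ntpd/chronyd, set the clock, start the services, run "getcert resubmit") needs the validity bounds of every certificate involved. The Python below is an added example, not code from this thread or from FreeIPA: it parses the "Not Before"/"Not After" lines that "certutil -L -d <db> -n <nickname>" prints and the "notBefore="/"notAfter=" lines from "openssl x509 -in /var/lib/ipa/ra-agent.pem -noout -dates", intersects the intervals, and proposes a date one day inside the window. The two embedded outputs are constructed from the dates Scott quoted (the clock times on the expired PKI cert are made up); read_validity is only there for running the real commands on a server.

```python
# Added example (not from the thread or FreeIPA): compute the clock date on
# which every IPA certificate is valid, as flo's procedure requires.
# Sample outputs are constructed from the dates quoted in the thread; the
# times on the expired PKI cert are made up.
import re
import subprocess
from datetime import datetime, timedelta, timezone

# 'openssl x509 -in /var/lib/ipa/ra-agent.pem -noout -dates' (constructed)
SAMPLE_RA_DATES = """notBefore=Aug 21 17:20:41 2019 GMT
notAfter=Aug 10 17:20:41 2021 GMT
"""

# excerpt of 'certutil -L -d /etc/pki/pki-tomcat/alias -n "Server-Cert
# cert-pki-ca"' for the expired PKI server cert (constructed)
SAMPLE_PKI_CERT = """        Validity:
            Not Before: Fri Oct 06 12:00:00 2017
            Not After : Thu Sep 26 12:00:00 2019
"""

# Date layouts printed by certutil ("Fri Oct 06 12:00:00 2017") and by
# openssl ("Aug 21 17:20:41 2019 GMT"); both tools print UTC.
_DATE_FORMATS = ("%a %b %d %H:%M:%S %Y", "%b %d %H:%M:%S %Y GMT")
_BEFORE = re.compile(r"(?:Not Before\s*:|notBefore=)\s*(.+)")
_AFTER = re.compile(r"(?:Not After\s*:|notAfter=)\s*(.+)")


def parse_cert_time(text):
    """Parse one certutil/openssl timestamp into an aware UTC datetime."""
    text = text.strip()
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised certificate date: %r" % text)


def parse_validity(output):
    """Return (not_before, not_after) from certutil or openssl output."""
    before, after = _BEFORE.search(output), _AFTER.search(output)
    if not (before and after):
        raise ValueError("no validity lines in output")
    return parse_cert_time(before.group(1)), parse_cert_time(after.group(1))


def read_validity(cmd):
    """Run a certutil/openssl command on a real server and parse its output."""
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return parse_validity(out)


def safe_window(certs):
    """certs maps a name to (not_before, not_after).

    Returns (start, end), the interval in which every cert is valid at once
    (latest not_before up to earliest not_after), or None if the intervals
    do not overlap, in which case no clock date can satisfy all of them.
    """
    start = max(nb for nb, _ in certs.values())
    end = min(na for _, na in certs.values())
    return (start, end) if start < end else None


def pick_date(certs, margin=timedelta(days=1)):
    """Clock date to set before 'getcert resubmit'.

    Keeps 'margin' away from the window edges so clock skew between IPA
    servers cannot push a cert out of validity, and prefers the latest
    safe moment so the clock is wound back as little as possible.
    """
    window = safe_window(certs)
    if window is None:
        return None
    start, end = window
    if end - start <= 2 * margin:
        return start + (end - start) / 2
    return end - margin


def date_command(when):
    """Shell command that sets the system clock (ntpd/chronyd stopped)."""
    return "date -u -s '%s'" % when.strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    certs = {
        "/var/lib/ipa/ra-agent.pem": parse_validity(SAMPLE_RA_DATES),
        "Server-Cert cert-pki-ca": parse_validity(SAMPLE_PKI_CERT),
    }
    for name, (nb, na) in certs.items():
        print("%-28s %s -> %s" % (name, nb.date(), na.date()))
    chosen = pick_date(certs)
    if chosen is None:
        print("no date on which all certs are valid")
    else:
        print("window:", safe_window(certs))
        print("suggested:", date_command(chosen))
```

With the thread's dates the window runs from the RA cert's notBefore (2019-08-21) to the PKI cert's notAfter (2019-09-26), so the suggested date is 2019-09-25, one day before the edge; Scott's choice of September 1st also falls inside it. Every certificate the services need at start-up has to be in the dict, not only the expired one, otherwise the window is computed against too few constraints.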

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-10 Thread Scott Z. via FreeIPA-users
pd/alias/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/dirsrv/slapd-',nickname='Server-Cert',token='NSS
 Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=
subject: CN=,O=
expires: 2021-09-09 19:51:45 UTC
principal name: HTTP/
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes

Thank you so much again!
Scot




From: Florence Blanc-Renaud 
Sent: Thursday, August 6, 2020 2:46 AM
To: FreeIPA users list 
Cc: Scott Z. 
Subject: Re: [Freeipa-users] Re: pki-tomcatd not starting

On 8/6/20 12:53 AM, Scott Z. via FreeIPA-users wrote:
> Thanks much for the assistance.  Here is where I am with your suggestions:
> 1) Checked on the cert with "certutil -L -d /etc/pki/pki-tomcat/alias -n
> 'Server-Cert cert-pki-ca' and I see that the Validity is indeed old
> (almost a year old actually, I assume IPA only checks it when it first
> starts up so it didn't care that it was expired until the server was
> rebooted?)

certmonger checks the certificate validity periodically (configurable in
certmonger.conf) and tries multiple times to renew soon-to-expire certs.
The system probably had an issue that was not detected and the cert
reached its expiration date.

>
> 2) ran ipactl start --ignore-service-failures
>         a. most services started, obviously pki-tomcatd did not
> 3) ran "kinit admin"
>         a. was forced to change the password, but otherwise nothing 
> happened
> 4) Ran "ipa config-show |grep -i master
>        a. I see that the IPA CA renewal master is a different idm 
> machine.
> 5) Ran "getcert list | grep -E "Request|certificate:|expires:"
>        a. I see all certs are currently valid (none expired)
> 6) Ran the command "getcert list" on the problem server, but I cannot
> paste the output here because it's on an airgapped environment so while I
> apologize for this and realize it makes things more difficult, perhaps
> if you tell me what I should be looking for or more specifically what
> you're interested in I can pluck that out and manually include it here?
> So in summary, it is indeed an expired 'Server-Cert cert-pki-ca'
> certificate on the problem server, and it can theoretically be renewed by
> the Master at this time.
The interesting part is the list of expired certs on the failing node
(is the RA cert /var/lib/ipa/ra-agent.pem expired?). Detailed
instructions are available here:
https://access.redhat.com/solutions/3357331 How do I manually renew
Identity Management (IPA) certificates on RHEL7 after they have expired?
(Replica IPA Server)

flo

> Many thanks!
> Scott
>
> ----
> *From:* Florence Blanc-Renaud 
> *Sent:* Monday, August 3, 2020 9:34 PM
> *To:* FreeIPA users list 
> *Cc:* Scott Z. 
> *Subject:* Re: [Freeipa-users] pki-tomcatd not starting
> On 8/3/20 10:14 PM, Scott Z. via FreeIPA-users wrote:
>> Not sure I'm sending this to the right place, but here it goes.  I
>> inherited a FreeIPA/Identity Manager setup in an enclave (no internet
>> access) environment that is running into problems.  There are at least 3
>> different IdM servers running in the environment spread out across
>> different geographical areas.  One of those areas suffered an unscheduled
>> power outage recently, and ever since we brought everything back up, the
>> IdM server for this region is having an issue.  Please bear with me as I
>> have zero formal experience, training, or real knowledge with IdM.
>>
>> Logging in to the server (it's a VM server, running CentOS 7.5), I run
>> "ipactl status" and it shows "Directory Service: STOPPED".  I then run
>> "ipactl restart", and things go fine until it gets to "Starting
>> pki-tomcatd Service", where it hangs for quite some time before failing
>> to start and killing all the other services.  I check the log at
>> /var/log/pki/pki-tomcat/ca/debug and I see various errors such as
>> (forgive any mistypings, I have to manually type these in as I can't
>> import or screen capture the logs and put them in this message):
>> "/java.lang.Exception: Certificate Server-Cert cert-pki-ca is invalid:
>> Invalid certificate: (-8181) Peer's Certificate has expired/"
>> And slightly further down in the same log:
>> "/Cannot reset factory: connections not all returned/"
>> "/CertificateAuthority.shutdown: failed to reset dbFactory: Cannot reset
>> LDAP connection factory because some connections are still outstanding/"

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-06 Thread Florence Blanc-Renaud via FreeIPA-users

On 8/6/20 12:53 AM, Scott Z. via FreeIPA-users wrote:

Thanks much for the assistance.  Here is where I am with your suggestions:
1) Checked on the cert with "certutil -L -d /etc/pki/pki-tomcat/alias -n 
'Server-Cert cert-pki-ca' and I see that the Validity is indeed old 
(almost a year old actually, I assume IPA only checks it when it first 
starts up so it didn't care that it was expired until the server was 
rebooted?)


certmonger checks the certificate validity periodically (configurable in 
certmonger.conf) and tries multiple times to renew soon-to-expire certs. 
The system probably had an issue that was not detected and the cert 
reached its expiration date.




2) ran ipactl start --ignore-service-failures
        a. most services started, obviously pki-tomcatd did not
3) ran "kinit admin"
        a. was forced to change the password, but otherwise nothing 
happened
4) Ran "ipa config-show |grep -i master
       a. I see that the IPA CA renewal master is a different idm machine.
5) Ran "getcert list | grep -E "Request|certificate:|expires:"
       a. I see all certs are currently valid (none expired)
6) Ran the command "getcert list" on the problem server, but I cannot 
paste the output here because it's on an airgapped environment so while I 
apologize for this and realize it makes things more difficult, perhaps 
if you tell me what I should be looking for or more specifically what 
you're interested in I can pluck that out and manually include it here?
So in summary, it is indeed an expired 'Server-Cert cert-pki-ca' 
certificate on the problem server, and it can theoretically be renewed by 
the Master at this time.
The interesting part is the list of expired certs on the failing node 
(is the RA cert /var/lib/ipa/ra-agent.pem expired?). Detailed 
instructions are available here:
https://access.redhat.com/solutions/3357331 How do I manually renew 
Identity Management (IPA) certificates on RHEL7 after they have expired? 
(Replica IPA Server)


flo


Many thanks!
Scott


*From:* Florence Blanc-Renaud 
*Sent:* Monday, August 3, 2020 9:34 PM
*To:* FreeIPA users list 
*Cc:* Scott Z. 
*Subject:* Re: [Freeipa-users] pki-tomcatd not starting
On 8/3/20 10:14 PM, Scott Z. via FreeIPA-users wrote:
Not sure I'm sending this to the right place, but here it goes.  I 
inherited a FreeIPA/Identity Manager setup in an enclave (no internet 
access) environment that is running into problems.  There are at least 3 
different IdM servers running in the environment spread out across 
different geographical areas.  One of those areas suffered an unscheduled 
power outage recently, and ever since we brought everything back up, the 
IdM server for this region is having an issue.  Please bear with me as I 
have zero formal experience, training, or real knowledge with IdM.


Logging in to the server (it's a VM server, running CentOS 7.5), I run 
"ipactl status" and it shows "Directory Service: STOPPED".  I then run 
"ipactl restart", and things go fine until it gets to "Starting 
pki-tomcatd Service", where it hangs for quite some time before failing 
to start and killing all the other services.  I check the log at 
/var/log/pki/pki-tomcat/ca/debug and I see various errors such as 
(forgive any mistypings, I have to manually type these in as I can't 
import or screen capture the logs and put them in this message):
"/java.lang.Exception: Certificate Server-Cert cert-pki-ca is invalid: 
Invalid certificate: (-8181) Peer's Certificate has expired/"

And slightly further down in the same log:
"/Cannot reset factory: connections not all returned/"
"/CertificateAuthority.shutdown: failed to reset dbFactory: Cannot reset 
LDAP connection factory because some connections are still outstanding/"

... still further down"
"/returnConn:mNumConns now 3 Invalid class name repositorytop/"

Assuming I have some weird certificate issue with this server in 
particular, I try to run a few more commands:
"certutil -L -d /etc/httpd/alias"  --> returns a Server-Cert listing 
with u,u,u as its trust attributes, and  IPA CA with CT,C,C 
for its attributes.  Comparing to a second IdM server in this 
environment, it seems to be missing a "Signing-Cert"?



Hi,
PKI is using the NSSDB in /etc/pki/pki-tomcat/alias, and its server cert
has the nickname 'Server-Cert cert-pki-ca'. You should check that this
one is not expired with:
# certutil -L -d /etc/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca'
| grep 'Not '

If the certificate is indeed expired, it will have to be renewed but you
need first to find which IPA server is the CA renewal master. On your
server, force a service start and check the CA renewal master:
# ipactl start --ignore-service-failures
# kinit admin
# ipa c

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-05 Thread Scott Z. via FreeIPA-users
Thanks much for the assistance.  Here is where I am with your suggestions:
1) Checked on the cert with "certutil -L -d /etc/pki/pki-tomcat/alias -n 
'Server-Cert cert-pki-ca' and I see that the Validity is indeed old (almost a 
year old actually, I assume IPA only checks it when it first starts up so it 
didn't care that it was expired until the server was rebooted?)

2) ran ipactl start --ignore-service-failures
   a. most services started, obviously pki-tomcatd did not
3) ran "kinit admin"
   a. was forced to change the password, but otherwise nothing happened
4) Ran "ipa config-show |grep -i master
  a. I see that the IPA CA renewal master is a different idm machine.
5) Ran "getcert list | grep -E "Request|certificate:|expires:"
  a. I see all certs are currently valid (none expired)
6) Ran the command "getcert list" on the problem server, but I cannot paste the 
output here because it's on an airgapped environment so while I apologize for 
this and realize it makes things more difficult, perhaps if you tell me what I 
should be looking for or more specifically what you're interested in I can 
pluck that out and manually include it here?
So in summary, it is indeed an expired 'Server-Cert cert-pki-ca' certificate on 
the problem server, and it can theoretically be renewed by the Master at this 
time.
Many thanks!
Scott


From: Florence Blanc-Renaud 
Sent: Monday, August 3, 2020 9:34 PM
To: FreeIPA users list 
Cc: Scott Z. 
Subject: Re: [Freeipa-users] pki-tomcatd not starting

On 8/3/20 10:14 PM, Scott Z. via FreeIPA-users wrote:
> Not sure I'm sending this to the right place, but here it goes.  I
> inherited a FreeIPA/Identity Manager setup in an enclave (no internet
> access) environment that is running into problems.  There are at least 3
> different IdM servers running in the environment spread out across
> different geographical areas.  One of those areas suffered an unscheduled
> power outage recently, and ever since we brought everything back up, the
> IdM server for this region is having an issue.  Please bear with me as I
> have zero formal experience, training, or real knowledge with IdM.
>
> Logging in to the server (it's a VM server, running CentOS 7.5), I run
> "ipactl status" and it shows "Directory Service: STOPPED".  I then run
> "ipactl restart", and things go fine until it gets to "Starting
> pki-tomcatd Service", where it hangs for quite some time before failing
> to start and killing all the other services.  I check the log at
> /var/log/pki/pki-tomcat/ca/debug and I see various errors such as
> (forgive any mistypings, I have to manually type these in as I can't
> import or screen capture the logs and put them in this message):
> "/java.lang.Exception: Certificate Server-Cert cert-pki-ca is invalid:
> Invalid certificate: (-8181) Peer's Certificate has expired/"
> And slightly further down in the same log:
> "/Cannot reset factory: connections not all returned/"
> "/CertificateAuthority.shutdown: failed to reset dbFactory: Cannot reset
> LDAP connection factory because some connections are still outstanding/"
> ... still further down"
> "/returnConn:mNumConns now 3 Invalid class name repositorytop/"
>
> Assuming I have some weird certificate issue with this server in
> particular, I try to run a few more commands:
> "certutil -L -d /etc/httpd/alias"  --> returns a Server-Cert listing
> with u,u,u as its trust attributes, and  IPA CA with CT,C,C
> for its attributes.  Comparing to a second IdM server in this
> environment, it seems to be missing a "Signing-Cert"?
>
Hi,
PKI is using the NSSDB in /etc/pki/pki-tomcat/alias, and its server cert
has the nickname 'Server-Cert cert-pki-ca'. You should check that this
one is not expired with:
# certutil -L -d /etc/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca'
| grep 'Not '

If the certificate is indeed expired, it will have to be renewed but you
need first to find which IPA server is the CA renewal master. On your
server, force a service start and check the CA renewal master:
# ipactl start --ignore-service-failures
# kinit admin
# ipa config-show | grep "renewal master"
   IPA CA renewal master: server.domain.com

You need to make sure that all the certificates are valid on the CA
renewal master:
(on the CA renewal master)# getcert list | grep -E
"Request|certificate:|expires:"

- if the CA renewal master is not OK, please post the output of "#
getcert list" (without the grep) on the CA renewal master. This node
will have to be repaired first.
- if the CA renewal master is OK, please post the output of "# getcert
list" (also without the grep) on the failing node.

We'll be able to h
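
Scott's difficulty in finding the request ID of the expired cert, and flo's "getcert list | grep -E "Request|certificate:|expires:"", both come down to reading the per-request blocks that "getcert list" prints. The Python below is an added example (not code from this thread, from certmonger or from FreeIPA) that parses that output, looks up the request ID for a given NSS database and nickname, and lists the requests whose cert is expired at a chosen clock date together with the "getcert resubmit -i <id>" calls to run once the clock has been set back. The embedded output is constructed: the request IDs, the ipa1.example.test host, the EXAMPLE.TEST realm and the CA/pre-save/post-save fields are placeholders; the store paths and nicknames are the ones from this thread.

```python
# Added example for reading 'getcert list' output (not code from the thread,
# certmonger or FreeIPA). The sample output is constructed: IDs, host, realm
# and CA/command fields are placeholders; stores and nicknames are the
# thread's.
import re
from datetime import datetime, timezone

SAMPLE_GETCERT_LIST = """Number of certificates and requests being tracked: 2.
Request ID '20171006120000':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=ipa1.example.test,O=EXAMPLE.TEST
    expires: 2019-09-26 12:00:00 UTC
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190909195145':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=ipa1.example.test,O=EXAMPLE.TEST
    expires: 2021-09-09 19:51:45 UTC
    principal name: HTTP/ipa1.example.test@EXAMPLE.TEST
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
"""

_REQUEST = re.compile(r"^Request ID '([^']+)':")            # start of a block
_FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?):\s?(.*)$")  # indented 'key: value'
_STORAGE = re.compile(r"(\w+)='([^']*)'")                    # location='..',nickname='..'


def parse_getcert_time(text):
    """certmonger prints expiry as '2019-09-26 12:00:00 UTC'."""
    return datetime.strptime(text.strip(), "%Y-%m-%d %H:%M:%S UTC").replace(
        tzinfo=timezone.utc)


def parse_getcert_list(output):
    """One dict per tracking request, with the fields a renewal needs."""
    raw, fields = [], None
    for line in output.splitlines():
        m = _REQUEST.match(line)
        if m:
            fields = {"request_id": m.group(1)}
            raw.append(fields)
            continue
        m = _FIELD.match(line)
        if m and fields is not None:
            fields[m.group(1)] = m.group(2).strip()
    requests = []
    for f in raw:
        store = dict(_STORAGE.findall(f.get("certificate", "")))
        requests.append({
            "request_id": f["request_id"],
            "status": f.get("status"),
            "stuck": f.get("stuck") == "yes",
            "location": store.get("location"),   # NSS db directory or PEM path
            "nickname": store.get("nickname"),   # None for FILE storage
            "expires": parse_getcert_time(f["expires"]) if f.get("expires") else None,
            "fields": f,
        })
    return requests


def find_request_id(requests, location, nickname):
    """ID of the request tracking this store + nickname, or None if untracked."""
    for r in requests:
        if r["location"] == location and r["nickname"] == nickname:
            return r["request_id"]
    return None


def expired_requests(requests, now):
    """Requests whose cert has expired at the aware-UTC instant 'now'."""
    return [r for r in requests if r["expires"] is not None and r["expires"] <= now]


def resubmit_commands(requests, now):
    """The 'getcert resubmit' calls for the expired requests."""
    return ["getcert resubmit -i %s" % r["request_id"]
            for r in expired_requests(requests, now)]


if __name__ == "__main__":
    reqs = parse_getcert_list(SAMPLE_GETCERT_LIST)
    now = parse_getcert_time("2020-08-10 00:00:00 UTC")  # the thread's date
    for r in reqs:
        print(r["request_id"], r["location"], r["nickname"], r["expires"])
    print(resubmit_commands(reqs, now))
```

On a real server the text comes from "getcert list" run as root. If find_request_id returns None for a store and nickname that certutil does show, certmonger is not tracking that certificate on this host, which is exactly the situation Scott describes: there is then no request to resubmit, and the gap in tracking needs to be understood before the clock is touched.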

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-04 Thread Florence Blanc-Renaud via FreeIPA-users

On 8/3/20 10:14 PM, Scott Z. via FreeIPA-users wrote:
> Not sure I'm sending this to the right place, but here it goes.  I
> inherited a FreeIPA/Identity Manager setup in an enclave (no internet
> access) environment that is running into problems.  There are at least 3
> different IdM servers running in the environment spread out across
> different geographical areas.  One of those areas suffered an unscheduled
> power outage recently, and ever since we brought everything back up, the
> IdM server for this region is having an issue.  Please bear with me as I
> have zero formal experience, training, or real knowledge with IdM.
>
> Logging in to the server (it's a VM server, running CentOS 7.5), I run
> "ipactl status" and it shows "Directory Service: STOPPED".  I then run
> "ipactl restart", and things go fine until it gets to "Starting
> pki-tomcatd Service", where it hangs for quite some time before failing
> to start and killing all the other services.  I check the log at
> /var/log/pki/pki-tomcat/ca/debug and I see various errors such as
> (forgive any mistypings, I have to manually type these in as I can't
> import or screen capture the logs and put them in this message):
> "/java.lang.Exception: Certificate Server-Cert cert-pki-ca is invalid:
> Invalid certificate: (-8181) Peer's Certificate has expired/"
>
> And slightly further down in the same log:
> "/Cannot reset factory: connections not all returned/"
> "/CertificateAuthority.shutdown: failed to reset dbFactory: Cannot reset
> LDAP connection factory because some connections are still outstanding/"
>
> ... still further down:
> "/returnConn:mNumConns now 3 Invalid class name repositorytop/"
>
> Assuming I have some weird certificate issue with this server in
> particular, I try to run a few more commands:
> "certutil -L -d /etc/httpd/alias"  --> returns a Server-Cert listing
> with u,u,u as its trust attributes, and IPA CA with CT,C,C
> for its attributes.  Comparing to a second IdM server in this
> environment, it seems to be missing a "Signing-Cert"?

Hi,
PKI is using the NSSDB in /etc/pki/pki-tomcat/alias, and its server cert
has the nickname 'Server-Cert cert-pki-ca'. You should check that this
one is not expired with:
# certutil -L -d /etc/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca'
| grep 'Not '

If the certificate is indeed expired, it will have to be renewed but you
need first to find which IPA server is the CA renewal master. On your
server, force a service start and check the CA renewal master:

# ipactl start --ignore-service-failures
# kinit admin
# ipa config-show | grep "renewal master"
  IPA CA renewal master: server.domain.com

You need to make sure that all the certificates are valid on the CA
renewal master:
(on the CA renewal master)# getcert list | grep -E
"Request|certificate:|expires:"

- if the CA renewal master is not OK, please post the output of "#
getcert list" (without the grep) on the CA renewal master. This node
will have to be repaired first.
- if the CA renewal master is OK, please post the output of "# getcert
list" (also without the grep) on the failing node.

We'll be able to help based on this information.
flo

> I also did a "getcert list", and all certs it has show that they expire
> in the future (nothing shows as being currently expired).
>
> I'm confused; it seems that it is seeing an expired cert *somewhere*,
> but how do I track down which 'peer' the log file is talking about that
> has an expired cert?  Meanwhile none of the linux clients that point to
> this IdM server are allowing people to log in/authenticate.
>
> Many thanks for any help!
> Scott


___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
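The two checks Flo asks for above (certutil -L on the pki-tomcat NSS database, and getcert list) look at different things: getcert only knows about certificates certmonger has tracking requests for, so a "clean" getcert list does not prove the NSS database holds no expired certificate. The script below is an added example written for this thread, not FreeIPA, certmonger or NSS code; it parses constructed samples of both tools' output (request IDs, hostnames and dates are made up) and reports certificates that are expired, not yet valid (a clock problem), or present in an NSS database without any tracking request.

```python
"""Cross-check certmonger's view ('getcert list') against the NSS databases
themselves ('certutil -L -d <db> -n <nick>') and report expired certificates.

Added illustration for this thread; not FreeIPA, certmonger or NSS code.
The tool outputs below are constructed samples (trimmed to the lines that
matter); request IDs, hostnames and dates are made up."""
import re
from datetime import datetime, timezone

# Constructed `getcert list` output. certmonger only lists certificates it
# has tracking requests for; an untracked cert is invisible here.
GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20180801000001':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 2021-08-01 19:36:22 UTC
Request ID '20180801000002':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 2021-08-01 19:36:22 UTC
"""

# Constructed `certutil -L -d <db> -n <nick>` outputs, keyed by
# (database directory, nickname) and trimmed to the Validity block.
# NSS prints these timestamps in UTC.
NSS_DBS = {
    ("/etc/httpd/alias", "Server-Cert"): """\
        Validity:
            Not Before: Wed Aug 01 19:36:22 2018
            Not After : Sun Aug 01 19:36:22 2021
""",
    ("/etc/pki/pki-tomcat/alias", "Server-Cert cert-pki-ca"): """\
        Validity:
            Not Before: Wed Aug 01 19:36:22 2018
            Not After : Wed Jul 22 19:36:22 2020
""",
}

# Reference time for the checks: the date of the original post (constructed).
THREAD_DATE = datetime(2020, 8, 3, 22, 14, tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Return one dict per tracking request: id, NSS location/nickname, expiry."""
    entries = []
    for block in re.split(r"^Request ID ", text, flags=re.M)[1:]:
        entry = {"id": re.match(r"'([^']+)'", block).group(1)}
        m = re.search(r"^\s*certificate: type=NSSDB,location='([^']+)',nickname='([^']+)'",
                      block, re.M)
        if m:
            entry["location"], entry["nickname"] = m.group(1), m.group(2)
        m = re.search(r"^\s*expires: (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC", block, re.M)
        if m:
            entry["expires"] = datetime.strptime(
                m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        entries.append(entry)
    return entries


def parse_certutil_validity(text):
    """Return (not_before, not_after) as aware UTC datetimes from certutil -L output."""
    fmt = "%a %b %d %H:%M:%S %Y"
    not_before = re.search(r"Not Before:\s*(.+)$", text, re.M).group(1).strip()
    not_after = re.search(r"Not After\s*:\s*(.+)$", text, re.M).group(1).strip()
    return (datetime.strptime(not_before, fmt).replace(tzinfo=timezone.utc),
            datetime.strptime(not_after, fmt).replace(tzinfo=timezone.utc))


def find_problems(getcert_text, nss_dbs, now):
    """Return findings: expired tracked certs, certs in an NSS DB with no tracking
    request, and tracked certs whose NSS DB entry is already expired although
    certmonger still reports a future expiry (stale tracking)."""
    findings = []
    tracked = {}
    for e in parse_getcert_list(getcert_text):
        tracked[(e.get("location"), e.get("nickname"))] = e.get("expires")
        if e.get("expires") is not None and e["expires"] <= now:
            findings.append(f"tracked cert {e['nickname']!r} in {e['location']} "
                            f"EXPIRED on {e['expires']:%Y-%m-%d}")
    for (location, nickname), certutil_out in nss_dbs.items():
        not_before, not_after = parse_certutil_validity(certutil_out)
        if not_after <= now:
            state = f"EXPIRED on {not_after:%Y-%m-%d}"
        elif now < not_before:
            state = f"not yet valid until {not_before:%Y-%m-%d} (check the system clock)"
        else:
            state = f"valid until {not_after:%Y-%m-%d}"
        key = (location, nickname)
        if key not in tracked:
            findings.append(f"untracked cert {nickname!r} in {location} is {state}")
        elif not_after <= now and (tracked[key] is None or tracked[key] > now):
            findings.append(f"tracking for {nickname!r} in {location} is stale: NSS DB says {state}")
    return findings


if __name__ == "__main__":
    for line in find_problems(GETCERT_LIST, NSS_DBS, THREAD_DATE):
        print(line)
```

On the constructed data this reports exactly the situation in the thread: both tracked certificates look fine, while 'Server-Cert cert-pki-ca' in /etc/pki/pki-tomcat/alias is expired and has no tracking request, so it never showed up in getcert list. On a real server you would feed the script the actual output of the two commands rather than the embedded samples.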



[Freeipa-users] Re: pki-tomcatd not starting / wrong internal password

2018-12-03 Thread Christopher Young via FreeIPA-users
Actually, I'm replying to my own post.

I think I was using some incomplete options on the certutil command
for listing the keys without realizing it.  This might be similar to
some other issues I've briefly skimmed from the past on this list.

I'll post more when I spend more time reading if I'm still having
trouble.  I do think I may end up confused about how to fix the
actual problem once I identify it, but at least I'm making some type
of progress.  I apologize for anyone's time wasted here.


On Mon, Dec 3, 2018 at 2:55 PM Christopher Young  wrote:
>
> So, I did a lot of reading after noticing that one of my IPA servers
> was not starting correctly.  I was working from the guide here:
>
> https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
>
> (Honestly, THANK YOU to the people contributing to that guide because
> it really has been helpful)
>
> I didn't get very far down the guide before testing my NSSDB password
> and noticing that it does NOT appear to work.  I have no idea how that
> may have happened or when but this obviously puts me in a weird spot
> with this particular server.
>
> [root@-prod-ipaXX ca]# cat
> /var/lib/pki/pki-tomcat/conf/password.conf | grep internal
> internal=
>
> I tried using the password there to open the /etc/pki/pki-tomcat/alias
> NSS DB with no success.  Though, I think my problem is something else.
> I get the following error:
>
> 
> [root@X-prod-ipaXX alias]# certutil -K -d
> /etc/pki/pki-tomcat/alias -n -r /tmp/pwdfile.txt
> certutil: Checking token "NSS Certificate DB" in slot "NSS User
> Private Key and Certificate Services"
> Enter Password or Pin for "NSS Certificate DB":
> certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID:
> Unrecognized Object Identifier.
> 
>
> I'm just getting into this, but I feel like MAYBE this is part of my
> problem.  If anyone has any ideas here, I'd be grateful for the help!
>
> ADDED NOTE:
> I actually notice that I have this same issue on BOTH IPA servers
> which makes me ever more nervous about the situation.
> 
> [root@X-prod-ipaXx ~]# sudo certutil -K -d
> /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'subsystemCert
> cert-pki-ca'
> certutil: Checking token "NSS Certificate DB" in slot "NSS User
> Private Key and Certificate Services"
> certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID:
> Unrecognized Object Identifier.
> 
>
> Any thoughts?  Many thanks in advance!
>
> -- Chris
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org