Re: [Freeipa-users] ipa-server-certinstall ruined pki-tomcatd startup

2013-08-15 Thread Rob Crittenden

Vladimir Kulev wrote:


On Thu, Aug 15, 2013 at 6:23 PM, Rob Crittenden wrote:

Here is a command:
certutil -d sql:/etc/pki/pki-tomcat/alias/ -A -t "CT,C,C" -n "External CA" -i /root/ca.pem

Also I tried to add intermediate CA with the following:
certutil -d sql:/etc/pki/pki-tomcat/alias/ -A -t ",," -n "External Sub CA" -i /root/sub.pem

External CA file is correct, I verified it with "openssl s_client -CAfile /root/ca.pem -connect ipa.mydomain.com:636"


You should drop the sql prefix. This is creating a new cert and key
database (you'll see a new cert9 and key4.db there). I don't believe
that dogtag uses the sql prefix yet so it won't see the new certs
you added.

You should also set the trust flags on all intermediate certs as well.


You are right, lsof shows that the java process opens only cert8.db and key3.db.
I did as you say, and the dirsrv log output changed to "Netscape Portable
Runtime error -8179 (Peer's Certificate issuer is not recognized.);
unauthenticated client"

Then, in addition, I ran this command:
certutil -d /etc/dirsrv/slapd-MYDOMAIN-COM/ -A -t "CT,C,C" -n "IPA CA"
-i /etc/ipa/ca.crt

And eventually it worked!

So there were two problems:
1) ipa-server-certinstall removed IPA CA from dirsrv nssdb (by replacing it)
2) ipa-server-certinstall did not add new dirsrv CA into pki-tomcatd nssdb

Hope you can fix that either in documentation or tools :)


https://fedorahosted.org/freeipa/ticket/3862

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
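The two pitfalls worked out in this thread, a `sql:` prefix that silently creates a second database (cert9.db/key4.db) beside the cert8.db/key3.db the service actually opens, and a CA that is present but imported with empty trust flags (`-t ",,"`), can both be checked before anything is restarted. The helper below is an added example written for this page; it is not code from the thread, FreeIPA or Dogtag. It assumes only the standard `certutil -L` listing layout (nickname, whitespace, trust attributes after two header lines) and the directory names the thread mentions; the sample listing embedded in it is constructed.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or Dogtag): sanity checks for an
# NSS certificate database before and after adding a CA with certutil.

# 1) Which NSS database format does a directory hold?
#    `certutil -d DIR` opens the legacy dbm files cert8.db/key3.db;
#    `certutil -d sql:DIR` opens cert9.db/key4.db. Using the wrong prefix
#    silently creates a second database that the service never reads.
nssdb_format() {
  dbm=0; sql=0
  [ -f "$1/cert8.db" ] && dbm=1
  [ -f "$1/cert9.db" ] && sql=1
  case "$dbm$sql" in
    10) echo dbm ;;
    01) echo sql ;;
    11) echo both ;;
    *)  echo none ;;
  esac
}

# 2) Read `certutil -L` output from stdin and print the trust attribute
#    string (e.g. "CT,C,C") of the given nickname; exit 1 if it is absent.
#    Layout assumed: two header lines, then "<nickname> <spaces> <flags>".
nss_trust_flags() {
  awk -v nick="$1" '
    NR <= 2 || NF < 2 { next }
    {
      flags = $NF
      name = substr($0, 1, length($0) - length(flags))
      sub(/[ \t]+$/, "", name)
      if (name == nick) { print flags; found = 1; exit }
    }
    END { exit found ? 0 : 1 }
  '
}

# 3) Does the SSL slot (first comma-separated field) carry C, i.e. is this
#    certificate trusted to issue peer SSL certificates? A CA imported with
#    -t ",," is stored in the database but trusts nothing.
trusts_ssl_ca() {
  case "$(printf '%s' "$1" | cut -d, -f1)" in
    *C*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Constructed sample listing in the format `certutil -L` prints, for
# offline demonstration; the nicknames mirror the ones used in the thread.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA CA                                                       CT,C,C
External Sub CA                                              ,,
Server-Cert                                                  u,u,u'

# Usage: sh nssdb-check.sh /etc/pki/pki-tomcat/alias "IPA CA"
# (runs only when both arguments are given and certutil is installed)
if [ $# -eq 2 ] && command -v certutil >/dev/null 2>&1; then
  fmt=$(nssdb_format "$1")
  echo "database format in $1: $fmt"
  if [ "$fmt" = both ]; then
    echo "WARNING: dbm and sql databases both present; check with lsof which one the service opens"
  fi
  prefix=""
  [ "$fmt" = sql ] && prefix="sql:"
  if flags=$(certutil -d "$prefix$1" -L | nss_trust_flags "$2"); then
    if trusts_ssl_ca "$flags"; then
      echo "$2 present with trust $flags: accepted as SSL CA"
    else
      echo "$2 present with trust $flags: NOT trusted as SSL CA (needs C in the SSL slot)"
    fi
  else
    echo "$2 not found in $prefix$1"
  fi
fi
```

Run against both /etc/dirsrv/slapd-MYDOMAIN-COM and /etc/pki/pki-tomcat/alias, it reports a `both` format (the sign of a stray `sql:` import) and shows whether the CA that signed the 389-ds certificate is actually trusted for SSL in the database Dogtag opens, which is what the `-8179` and `JSS SSL Socket (-1)` errors in the thread come down to.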


Re: [Freeipa-users] ipa-server-certinstall ruined pki-tomcatd startup

2013-08-15 Thread Vladimir Kulev
On Thu, Aug 15, 2013 at 6:23 PM, Rob Crittenden wrote:

> Here is a command:
>> certutil -d sql:/etc/pki/pki-tomcat/alias/ -A -t "CT,C,C" -n "External
>> CA" -i /root/ca.pem
>>
>> Also I tried to add intermediate CA with the following:
>> certutil -d sql:/etc/pki/pki-tomcat/alias/ -A -t ",," -n "External Sub
>> CA" -i /root/sub.pem
>>
>> External CA file is correct, I verified it with "openssl s_client
>> -CAfile /root/ca.pem -connect ipa.mydomain.com:636
>> "
>>
>
> You should drop the sql prefix. This is creating a new cert and key
> database (you'll see a new cert9 and key4.db there). I don't believe that
> dogtag uses the sql prefix yet so it won't see the new certs you added.
>
> You should also set the trust flags on all intermediate certs as well.


You are right, lsof shows that the java process opens only cert8.db and key3.db.
I did as you say, and the dirsrv log output changed to "Netscape Portable
Runtime error -8179 (Peer's Certificate issuer is not recognized.);
unauthenticated client"

Then, in addition, I ran this command:
certutil -d /etc/dirsrv/slapd-MYDOMAIN-COM/ -A -t "CT,C,C" -n "IPA CA" -i
/etc/ipa/ca.crt

And eventually it worked!

So there were two problems:
1) ipa-server-certinstall removed IPA CA from dirsrv nssdb (by replacing it)
2) ipa-server-certinstall did not add new dirsrv CA into pki-tomcatd nssdb

Hope you can fix that either in documentation or tools :)


-- 

Best regards,

Vladimir Kulev


Mobile: +358400369346, +79215554422

Jabber: m...@lightoze.net

Skype: lightoze

Re: [Freeipa-users] ipa-server-certinstall ruined pki-tomcatd startup

2013-08-15 Thread Rob Crittenden

Vladimir Kulev wrote:


On Thu, Aug 15, 2013 at 3:58 PM, Rob Crittenden wrote:

Vladimir Kulev wrote:

Hello,

After installing FreeIPA I followed instructions from
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP to
use globally trusted certificates for the HTTP/LDAP server interface to
secure the provisioning of other systems.


What version of IPA?


FreeIPA version is 3.2.2-1.fc19, the latest for Fedora 19


Then it turned out that pki-tomcatd is not able to start anymore because
of this:
| NFO: Deploying web application directory
/var/lib/pki/pki-tomcat/webapps/ca
| SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
| SSLAuthenticatorWithFallback: Setting container
| SSLAuthenticatorWithFallback: Initializing authenticators
| SSLAuthenticatorWithFallback: Starting authenticators
| 01:48:31,313 DEBUG
(org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to
retrieve ServletContext: expandEntityReferences defaults to true
| 01:48:31,320 DEBUG
(org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to
retrieve ServletContext: expandEntityReferences defaults to true
| Internal Database Error encountered: Could not connect to LDAP server
host ipa.mydomain.com port 636 Error netscape.ldap.LDAPException: IO Error
creating JSS SSL Socket (-1)

Meanwhile dirsrv tells me "Peer does not recognize and trust the
CA that
issued your certificate."

I tried to fix trust by adding various certificates with certutil
to /etc/dirsrv/slapd/ and /etc/pki/pki-tomcat/alias/, but nothing
helped. Does anyone have a suggestion how to fix the situation?


You shouldn't need to change anything on the 389-ds side assuming it
trusts its own CA properly.

You should just need to add the CA that signed the 389-ds cert to
dogtag and restart. What is the full certutil command you are using?


Here is a command:
certutil -d sql:/etc/pki/pki-tomcat/alias/ -A -t "CT,C,C" -n "External CA" -i /root/ca.pem

Also I tried to add intermediate CA with the following:
certutil -d sql:/etc/pki/pki-tomcat/alias/ -A -t ",," -n "External Sub CA" -i /root/sub.pem

External CA file is correct, I verified it with "openssl s_client -CAfile /root/ca.pem -connect ipa.mydomain.com:636"


You should drop the sql prefix. This is creating a new cert and key 
database (you'll see a new cert9 and key4.db there). I don't believe 
that dogtag uses the sql prefix yet so it won't see the new certs you added.


You should also set the trust flags on all intermediate certs as well.

rob



Re: [Freeipa-users] ipa-server-certinstall ruined pki-tomcatd startup

2013-08-15 Thread Vladimir Kulev
On Thu, Aug 15, 2013 at 3:58 PM, Rob Crittenden wrote:

> Vladimir Kulev wrote:
>
>> Hello,
>>
>> After installing FreeIPA I followed instructions from
>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP to
>> use globally trusted certificates for the HTTP/LDAP server interface to
>> secure the provisioning of other systems.
>>
>
> What version of IPA?
>

FreeIPA version is 3.2.2-1.fc19, the latest for Fedora 19


>
>> Then it turned out that pki-tomcatd is not able to start anymore because
>> of this:
>> | NFO: Deploying web application directory
>> /var/lib/pki/pki-tomcat/webapps/ca
>> | SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
>> | SSLAuthenticatorWithFallback: Setting container
>> | SSLAuthenticatorWithFallback: Initializing authenticators
>> | SSLAuthenticatorWithFallback: Starting authenticators
>> | 01:48:31,313 DEBUG
>> (org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to
>> retrieve ServletContext: expandEntityReferences defaults to true
>> | 01:48:31,320 DEBUG
>> (org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to
>> retrieve ServletContext: expandEntityReferences defaults to true
>> | Internal Database Error encountered: Could not connect to LDAP server
>> host ipa.mydomain.com port 636 Error
>>
>> netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)
>>
>> Meanwhile dirsrv tells me "Peer does not recognize and trust the CA that
>> issued your certificate."
>>
>> I tried to fix trust by adding various certificates with certutil
>> to /etc/dirsrv/slapd/ and /etc/pki/pki-tomcat/alias/, but nothing
>> helped. Does anyone have a suggestion how to fix the situation?
>>
>
> You shouldn't need to change anything on the 389-ds side assuming it
> trusts its own CA properly.
>
> You should just need to add the CA that signed the 389-ds cert to dogtag
> and restart. What is the full certutil command you are using?


Here is a command:
certutil -d sql:/etc/pki/pki-tomcat/alias/ -A -t "CT,C,C" -n "External CA"
-i /root/ca.pem

Also I tried to add intermediate CA with the following:
certutil -d sql:/etc/pki/pki-tomcat/alias/ -A -t ",," -n "External Sub CA"
-i /root/sub.pem

External CA file is correct, I verified it with "openssl s_client -CAfile
/root/ca.pem -connect ipa.mydomain.com:636"


-- 

Best regards,

Vladimir Kulev


Mobile: +358400369346, +79215554422

Jabber: m...@lightoze.net

Skype: lightoze

Re: [Freeipa-users] ipa-server-certinstall ruined pki-tomcatd startup

2013-08-15 Thread Rob Crittenden

Vladimir Kulev wrote:

Hello,

After installing FreeIPA I followed instructions from
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP to
use globally trusted certificates for the HTTP/LDAP server interface to
secure the provisioning of other systems.


What version of IPA?


Then it turned out that pki-tomcatd is not able to start anymore because
of this:
| NFO: Deploying web application directory
/var/lib/pki/pki-tomcat/webapps/ca
| SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
| SSLAuthenticatorWithFallback: Setting container
| SSLAuthenticatorWithFallback: Initializing authenticators
| SSLAuthenticatorWithFallback: Starting authenticators
| 01:48:31,313 DEBUG
(org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to
retrieve ServletContext: expandEntityReferences defaults to true
| 01:48:31,320 DEBUG
(org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to
retrieve ServletContext: expandEntityReferences defaults to true
| Internal Database Error encountered: Could not connect to LDAP server
host ipa.mydomain.com port 636 Error
netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1)

Meanwhile dirsrv tells me "Peer does not recognize and trust the CA that
issued your certificate."

I tried to fix trust by adding various certificates with certutil
to /etc/dirsrv/slapd/ and /etc/pki/pki-tomcat/alias/, but nothing
helped. Does anyone have a suggestion how to fix the situation?


You shouldn't need to change anything on the 389-ds side assuming it 
trusts its own CA properly.


You should just need to add the CA that signed the 389-ds cert to dogtag
and restart. What is the full certutil command you are using?


rob



[Freeipa-users] ipa-server-certinstall ruined pki-tomcatd startup

2013-08-14 Thread Vladimir Kulev
Hello,

After installing FreeIPA I followed instructions from
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP to
use globally trusted certificates for the HTTP/LDAP server interface to
secure the provisioning of other systems.

Then it turned out that pki-tomcatd is not able to start anymore because of
this:
| NFO: Deploying web application directory
/var/lib/pki/pki-tomcat/webapps/ca
| SSLAuthenticatorWithFallback: Creating SSL authenticator with fallback
| SSLAuthenticatorWithFallback: Setting container
| SSLAuthenticatorWithFallback: Initializing authenticators
| SSLAuthenticatorWithFallback: Starting authenticators
| 01:48:31,313 DEBUG
(org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to
retrieve ServletContext: expandEntityReferences defaults to true
| 01:48:31,320 DEBUG
(org.jboss.resteasy.plugins.providers.DocumentProvider:60) - Unable to
retrieve ServletContext: expandEntityReferences defaults to true
| Internal Database Error encountered: Could not connect to LDAP server
host ipa.mydomain.com port 636 Error netscape.ldap.LDAPException: IO Error
creating JSS SSL Socket (-1)

Meanwhile dirsrv tells me "Peer does not recognize and trust the CA that
issued your certificate."

I tried to fix trust by adding various certificates with certutil
to /etc/dirsrv/slapd/ and /etc/pki/pki-tomcat/alias/, but nothing helped.
Does anyone have a suggestion how to fix the situation?


-- 

Best regards,

Vladimir Kulev


Mobile: +358400369346, +79215554422

Jabber: m...@lightoze.net

Skype: lightoze