Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-11-25 Thread Bertrand Rétif
-- 
Bertrand Rétif 
Phosphore Services Informatiques - http://www.phosphore.eu 
Tel: 04 66 51 87 73 / Mob: 06 61 87 03 30 / Fax: 09 72 12 61 44 

- Original message -

> From: "Florence Blanc-Renaud"
> To: "Bertrand Rétif", freeipa-users@redhat.com
> Sent: Friday 25 November 2016 11:03:53
> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

> On 11/23/2016 02:25 PM, Bertrand Rétif wrote:
> >
> > From: "Florence Blanc-Renaud"
> > To: "Bertrand Rétif", freeipa-users@redhat.com
> > Sent: Wednesday 23 November 2016 08:49:28
> > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> >
> > On 11/22/2016 06:06 PM, Bertrand Rétif wrote:
> > > Hi Florence,
> > >
> > > Thanks for the clarification.
> > > Your explanation was very clear and I understand better.
> > >
> > > Now my issue is that I need to start tracking "auditSigningCert
> > > cert-pki-ca", "ocspSigningCert cert-pki-ca" and "subsystemCert
> > > cert-pki-ca" on a server.
> > >
> > > I took a look at another server where they are properly tracked. However,
> > > getcert list returns "pin set" and not a "pinfile" as described in
> > > your mail.
> > > In "/etc/pki/pki-tomcat/alias" I do not see any pwdfile.txt file, so my
> > > question is: where do I get the PIN?
> > >
> > Hi Bertrand,
> >
> > With IPA 4.2.0 I believe that the pin is stored in
> > /var/lib/pki/pki-tomcat/conf/password.conf, in the 'internal' field:
> > $ grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf
> > internal=0123456789101
> >
> > HTH,
> > Flo
> >
> > > Once again, thanks for your support, I tried to fix this issue for days!
> > >
> > > Regards
> > > Bertrand
> > >
> > > --
> > > Bertrand Rétif
> > > Phosphore Services Informatiques - http://www.phosphore.eu
> > > Tel: 04 66 51 87 73 / Mob: 06 61 87 03 30 / Fax: 09 72 12 61 44
> > >
> > > From: "Florence Blanc-Renaud"
> > > To: "Bertrand Rétif", freeipa-users@redhat.com
> > > Sent: Tuesday 22 November 2016 13:17:34
> > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > >
> > > On 11/22/2016 11:50 AM, Bertrand Rétif wrote:
> > > >
> > > > From: "Florence Blanc-Renaud"
> > > > To: "Bertrand Rétif", freeipa-users@redhat.com
> > > > Sent: Tuesday 22 November 2016 11:33:45
> > > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > >
> > > > On 11/22/2016 10:07 AM, Bertrand Rétif wrote:
> > > > >
> > > > > From: "Bertrand Rétif"
> > > > > To: freeipa-users@redhat.com
> > > > > Sent: Tuesday 25 October 2016 17:51:09
> > > > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > > >
> > > > > From: "Florence Blanc-Renaud"
> > > > > To: "Bertrand Rétif", freeipa-users@redhat.com
> > > > > Sent: Thursday 20 October 2016 18:45:21
> > > > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > > >
> > > > > On 10/19/2016 08:18 PM, Bertrand Rétif wrote:
> > > > > > From: "Bertrand Rétif"
> > > > > > To: freeipa-users@redhat.com
> > > > > > Sent: Wednesday 19 October 2016 15:42:07
> > > > > > Subject: Re: [Freeipa-users] Impossible to renew certificate.

Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-11-25 Thread Florence Blanc-Renaud

On 11/23/2016 02:25 PM, Bertrand Rétif wrote:
>
> From: "Florence Blanc-Renaud"
> To: "Bertrand Rétif", freeipa-users@redhat.com
> Sent: Wednesday 23 November 2016 08:49:28
> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
>
> On 11/22/2016 06:06 PM, Bertrand Rétif wrote:
> > Hi Florence,
> >
> > Thanks for the clarification.
> > Your explanation was very clear and I understand better.
> >
> > Now my issue is that I need to start tracking "auditSigningCert
> > cert-pki-ca", "ocspSigningCert cert-pki-ca" and "subsystemCert
> > cert-pki-ca" on a server.
> >
> > I took a look at another server where they are properly tracked. However,
> > getcert list returns "pin set" and not a "pinfile" as described in
> > your mail.
> > In "/etc/pki/pki-tomcat/alias" I do not see any pwdfile.txt file, so my
> > question is: where do I get the PIN?
> >
> Hi Bertrand,
>
> With IPA 4.2.0 I believe that the pin is stored in
> /var/lib/pki/pki-tomcat/conf/password.conf, in the 'internal' field:
> $ grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf
> internal=0123456789101
>
> HTH,
> Flo
>
> > Once again, thanks for your support, I tried to fix this issue for days!
> >
> > Regards
> > Bertrand
> >
> > --
> > Bertrand Rétif
> > Phosphore Services Informatiques - http://www.phosphore.eu
> > Tel: 04 66 51 87 73 / Mob: 06 61 87 03 30 / Fax: 09 72 12 61 44
> >
> > From: "Florence Blanc-Renaud"
> > To: "Bertrand Rétif", freeipa-users@redhat.com
> > Sent: Tuesday 22 November 2016 13:17:34
> > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> >
> > On 11/22/2016 11:50 AM, Bertrand Rétif wrote:
> > >
> > > From: "Florence Blanc-Renaud"
> > > To: "Bertrand Rétif", freeipa-users@redhat.com
> > > Sent: Tuesday 22 November 2016 11:33:45
> > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > >
> > > On 11/22/2016 10:07 AM, Bertrand Rétif wrote:
> > > >
> > > > From: "Bertrand Rétif"
> > > > To: freeipa-users@redhat.com
> > > > Sent: Tuesday 25 October 2016 17:51:09
> > > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > >
> > > > From: "Florence Blanc-Renaud"
> > > > To: "Bertrand Rétif", freeipa-users@redhat.com
> > > > Sent: Thursday 20 October 2016 18:45:21
> > > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > >
> > > > On 10/19/2016 08:18 PM, Bertrand Rétif wrote:
> > > > > From: "Bertrand Rétif"
> > > > > To: freeipa-users@redhat.com
> > > > > Sent: Wednesday 19 October 2016 15:42:07
> > > > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > > >
> > > > > From: "Rob Crittenden"
> > > > > To: "Bertrand Rétif", freeipa-users@redhat.com
Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-11-23 Thread Bertrand Rétif
- Original message -

> From: "Florence Blanc-Renaud"
> To: "Bertrand Rétif", freeipa-users@redhat.com
> Sent: Wednesday 23 November 2016 08:49:28
> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

> On 11/22/2016 06:06 PM, Bertrand Rétif wrote:
> > Hi Florence,
> >
> > Thanks for the clarification.
> > Your explanation was very clear and I understand better.
> >
> > Now my issue is that I need to start tracking "auditSigningCert
> > cert-pki-ca", "ocspSigningCert cert-pki-ca" and "subsystemCert
> > cert-pki-ca" on a server.
> >
> > I took a look at another server where they are properly tracked. However,
> > getcert list returns "pin set" and not a "pinfile" as described in
> > your mail.
> > In "/etc/pki/pki-tomcat/alias" I do not see any pwdfile.txt file, so my
> > question is: where do I get the PIN?
> >
> Hi Bertrand,

> With IPA 4.2.0 I believe that the pin is stored in
> /var/lib/pki/pki-tomcat/conf/password.conf, in the 'internal' field:
> $ grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf
> internal=0123456789101

> HTH,
> Flo

> > Once again, thanks for your support, I tried to fix this issue for days!
> >
> > Regards
> > Bertrand
> >
> > --
> > Bertrand Rétif
> > Phosphore Services Informatiques - http://www.phosphore.eu
> > Tel: 04 66 51 87 73 / Mob: 06 61 87 03 30 / Fax: 09 72 12 61 44
> >
> > From: "Florence Blanc-Renaud"
> > To: "Bertrand Rétif", freeipa-users@redhat.com
> > Sent: Tuesday 22 November 2016 13:17:34
> > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> >
> > On 11/22/2016 11:50 AM, Bertrand Rétif wrote:
> > >
> > > From: "Florence Blanc-Renaud"
> > > To: "Bertrand Rétif", freeipa-users@redhat.com
> > > Sent: Tuesday 22 November 2016 11:33:45
> > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > >
> > > On 11/22/2016 10:07 AM, Bertrand Rétif wrote:
> > > >
> > > > From: "Bertrand Rétif"
> > > > To: freeipa-users@redhat.com
> > > > Sent: Tuesday 25 October 2016 17:51:09
> > > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > >
> > > > From: "Florence Blanc-Renaud"
> > > > To: "Bertrand Rétif", freeipa-users@redhat.com
> > > > Sent: Thursday 20 October 2016 18:45:21
> > > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > >
> > > > On 10/19/2016 08:18 PM, Bertrand Rétif wrote:
> > > > > From: "Bertrand Rétif"
> > > > > To: freeipa-users@redhat.com
> > > > > Sent: Wednesday 19 October 2016 15:42:07
> > > > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > > >
> > > > > From: "Rob Crittenden"
> > > > > To: "Bertrand Rétif", freeipa-users@redhat.com
> > > > > Sent: Wednesday 19 October 2016 15:30:14
> > > > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > > >
> > > > > Bertrand Rétif wrote:
> > > > > >> From: "Martin Babinsky"
> > > > > >> To: freeipa-users@redhat.com
> > > > > >> Sent: Wednesday 19 October 2016 08:45:49
> > > > > >> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-11-22 Thread Florence Blanc-Renaud

On 11/22/2016 06:06 PM, Bertrand Rétif wrote:
> Hi Florence,
>
> Thanks for the clarification.
> Your explanation was very clear and I understand better.
>
> Now my issue is that I need to start tracking "auditSigningCert
> cert-pki-ca", "ocspSigningCert cert-pki-ca" and "subsystemCert
> cert-pki-ca" on a server.
>
> I took a look at another server where they are properly tracked. However,
> getcert list returns "pin set" and not a "pinfile" as described in
> your mail.
> In "/etc/pki/pki-tomcat/alias" I do not see any pwdfile.txt file, so my
> question is: where do I get the PIN?
>
Hi Bertrand,

With IPA 4.2.0 I believe that the pin is stored in
/var/lib/pki/pki-tomcat/conf/password.conf, in the 'internal' field:

$ grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf
internal=0123456789101

HTH,
Flo

> Once again, thanks for your support, I tried to fix this issue for days!
>
> Regards
> Bertrand
>
> --
> Bertrand Rétif
> Phosphore Services Informatiques - http://www.phosphore.eu
> Tel: 04 66 51 87 73 / Mob: 06 61 87 03 30 / Fax: 09 72 12 61 44
>
> From: "Florence Blanc-Renaud"
> To: "Bertrand Rétif", freeipa-users@redhat.com
> Sent: Tuesday 22 November 2016 13:17:34
> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
>
> On 11/22/2016 11:50 AM, Bertrand Rétif wrote:
> >
> > From: "Florence Blanc-Renaud"
> > To: "Bertrand Rétif", freeipa-users@redhat.com
> > Sent: Tuesday 22 November 2016 11:33:45
> > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> >
> > On 11/22/2016 10:07 AM, Bertrand Rétif wrote:
> > >
> > > From: "Bertrand Rétif"
> > > To: freeipa-users@redhat.com
> > > Sent: Tuesday 25 October 2016 17:51:09
> > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > >
> > > From: "Florence Blanc-Renaud"
> > > To: "Bertrand Rétif", freeipa-users@redhat.com
> > > Sent: Thursday 20 October 2016 18:45:21
> > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > >
> > > On 10/19/2016 08:18 PM, Bertrand Rétif wrote:
> > > > From: "Bertrand Rétif"
> > > > To: freeipa-users@redhat.com
> > > > Sent: Wednesday 19 October 2016 15:42:07
> > > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > >
> > > > From: "Rob Crittenden"
> > > > To: "Bertrand Rétif", freeipa-users@redhat.com
> > > > Sent: Wednesday 19 October 2016 15:30:14
> > > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > >
> > > > Bertrand Rétif wrote:
> > > > >> From: "Martin Babinsky"
> > > > >> To: freeipa-users@redhat.com
> > > > >> Sent: Wednesday 19 October 2016 08:45:49
> > > > >> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > > >
> > > > >> On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
> > > > >>> Hello,
> > > > >>>
> > > > >>> I had an issue with pki-tomcat.
> > > > >>> I had several certificates that were expired
Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-11-22 Thread Bertrand Rétif
Hi Florence,

Thanks for the clarification.
Your explanation was very clear and I understand better.

Now my issue is that I need to start tracking "auditSigningCert cert-pki-ca",
"ocspSigningCert cert-pki-ca" and "subsystemCert cert-pki-ca" on a server.

I took a look at another server where they are properly tracked. However,
getcert list returns "pin set" and not a "pinfile" as described in your mail.
In "/etc/pki/pki-tomcat/alias" I do not see any pwdfile.txt file, so my
question is: where do I get the PIN?

Once again, thanks for your support, I tried to fix this issue for days! 

Regards 
Bertrand 

-- 
Bertrand Rétif 
Phosphore Services Informatiques - http://www.phosphore.eu 
Tel: 04 66 51 87 73 / Mob: 06 61 87 03 30 / Fax: 09 72 12 61 44 

- Original message -

> From: "Florence Blanc-Renaud"
> To: "Bertrand Rétif", freeipa-users@redhat.com
> Sent: Tuesday 22 November 2016 13:17:34
> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

> On 11/22/2016 11:50 AM, Bertrand Rétif wrote:
> >
> > From: "Florence Blanc-Renaud"
> > To: "Bertrand Rétif", freeipa-users@redhat.com
> > Sent: Tuesday 22 November 2016 11:33:45
> > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> >
> > On 11/22/2016 10:07 AM, Bertrand Rétif wrote:
> > >
> > > From: "Bertrand Rétif"
> > > To: freeipa-users@redhat.com
> > > Sent: Tuesday 25 October 2016 17:51:09
> > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > >
> > > From: "Florence Blanc-Renaud"
> > > To: "Bertrand Rétif", freeipa-users@redhat.com
> > > Sent: Thursday 20 October 2016 18:45:21
> > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > >
> > > On 10/19/2016 08:18 PM, Bertrand Rétif wrote:
> > > > From: "Bertrand Rétif"
> > > > To: freeipa-users@redhat.com
> > > > Sent: Wednesday 19 October 2016 15:42:07
> > > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > >
> > > > From: "Rob Crittenden"
> > > > To: "Bertrand Rétif", freeipa-users@redhat.com
> > > > Sent: Wednesday 19 October 2016 15:30:14
> > > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > >
> > > > Bertrand Rétif wrote:
> > > > >> From: "Martin Babinsky"
> > > > >> To: freeipa-users@redhat.com
> > > > >> Sent: Wednesday 19 October 2016 08:45:49
> > > > >> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > > >
> > > > >> On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
> > > > >>> Hello,
> > > > >>>
> > > > >>> I had an issue with pki-tomcat.
> > > > >>> I had several certificates that were expired and pki-tomcat did not start
> > > > >>> anymore.
> > > > >>>
> > > > >>> I set the date on the server before certificate expiration and then
> > > > >>> pki-tomcat starts properly.
> > > > >>> Then I try to resubmit the certificate, but I get the error below:
> > > > >>> "Profile caServerCert Not Found"
> > > > >>>
> > > > >>> Do you have any idea how I could fix this issue?
> > > > >>>
> > > > >>> Please find below output of commands:
> > > > >>>
> > > > >>>
> > > > >>> # getcert resubmit -i 20160108170324
> > > > >>>
> > > > >>> # getcert list -i 20160108170324
> > > > >>> Number of certificate
Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-11-22 Thread Florence Blanc-Renaud

On 11/22/2016 11:50 AM, Bertrand Rétif wrote:
>
> From: "Florence Blanc-Renaud"
> To: "Bertrand Rétif", freeipa-users@redhat.com
> Sent: Tuesday 22 November 2016 11:33:45
> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
>
> On 11/22/2016 10:07 AM, Bertrand Rétif wrote:
> >
> > From: "Bertrand Rétif"
> > To: freeipa-users@redhat.com
> > Sent: Tuesday 25 October 2016 17:51:09
> > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> >
> > From: "Florence Blanc-Renaud"
> > To: "Bertrand Rétif", freeipa-users@redhat.com
> > Sent: Thursday 20 October 2016 18:45:21
> > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> >
> > On 10/19/2016 08:18 PM, Bertrand Rétif wrote:
> > > From: "Bertrand Rétif"
> > > To: freeipa-users@redhat.com
> > > Sent: Wednesday 19 October 2016 15:42:07
> > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > >
> > > From: "Rob Crittenden"
> > > To: "Bertrand Rétif", freeipa-users@redhat.com
> > > Sent: Wednesday 19 October 2016 15:30:14
> > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > >
> > > Bertrand Rétif wrote:
> > > >> From: "Martin Babinsky"
> > > >> To: freeipa-users@redhat.com
> > > >> Sent: Wednesday 19 October 2016 08:45:49
> > > >> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > >
> > > >> On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
> > > >>> Hello,
> > > >>>
> > > >>> I had an issue with pki-tomcat.
> > > >>> I had several certificates that were expired and pki-tomcat did not start
> > > >>> anymore.
> > > >>>
> > > >>> I set the date on the server before certificate expiration and then
> > > >>> pki-tomcat starts properly.
> > > >>> Then I try to resubmit the certificate, but I get the error below:
> > > >>> "Profile caServerCert Not Found"
> > > >>>
> > > >>> Do you have any idea how I could fix this issue?
> > > >>>
> > > >>> Please find below output of commands:
> > > >>>
> > > >>>
> > > >>> # getcert resubmit -i 20160108170324
> > > >>>
> > > >>> # getcert list -i 20160108170324
> > > >>> Number of certificates and requests being tracked: 7.
> > > >>> Request ID '20160108170324':
> > > >>> status: MONITORING
> > > >>> ca-error: Server at "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied:
> > > >>> Profile caServerCert Not Found
> > > >>> stuck: no
> > > >>> key pair storage:
> > > >>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> > > >>> Certif
Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-11-22 Thread Bertrand Rétif
> From: "Florence Blanc-Renaud"
> To: "Bertrand Rétif", freeipa-users@redhat.com
> Sent: Tuesday 22 November 2016 11:33:45
> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

> On 11/22/2016 10:07 AM, Bertrand Rétif wrote:
> >
> > From: "Bertrand Rétif"
> > To: freeipa-users@redhat.com
> > Sent: Tuesday 25 October 2016 17:51:09
> > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> >
> > From: "Florence Blanc-Renaud"
> > To: "Bertrand Rétif", freeipa-users@redhat.com
> > Sent: Thursday 20 October 2016 18:45:21
> > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> >
> > On 10/19/2016 08:18 PM, Bertrand Rétif wrote:
> > > From: "Bertrand Rétif"
> > > To: freeipa-users@redhat.com
> > > Sent: Wednesday 19 October 2016 15:42:07
> > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > >
> > > From: "Rob Crittenden"
> > > To: "Bertrand Rétif", freeipa-users@redhat.com
> > > Sent: Wednesday 19 October 2016 15:30:14
> > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > >
> > > Bertrand Rétif wrote:
> > > >> From: "Martin Babinsky"
> > > >> To: freeipa-users@redhat.com
> > > >> Sent: Wednesday 19 October 2016 08:45:49
> > > >> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > >
> > > >> On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
> > > >>> Hello,
> > > >>>
> > > >>> I had an issue with pki-tomcat.
> > > >>> I had several certificates that were expired and pki-tomcat did not start
> > > >>> anymore.
> > > >>>
> > > >>> I set the date on the server before certificate expiration and then
> > > >>> pki-tomcat starts properly.
> > > >>> Then I try to resubmit the certificate, but I get the error below:
> > > >>> "Profile caServerCert Not Found"
> > > >>>
> > > >>> Do you have any idea how I could fix this issue?
> > > >>>
> > > >>> Please find below output of commands:
> > > >>>
> > > >>>
> > > >>> # getcert resubmit -i 20160108170324
> > > >>>
> > > >>> # getcert list -i 20160108170324
> > > >>> Number of certificates and requests being tracked: 7.
> > > >>> Request ID '20160108170324':
> > > >>> status: MONITORING
> > > >>> ca-error: Server at "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied:
> > > >>> Profile caServerCert Not Found
> > > >>> stuck: no
> > > >>> key pair storage:
> > > >>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > >>> certificate:
> > > >>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> > > >>> CA: dogtag-ipa-ca-renew-agent
> > > >>> issuer: CN=Certificate Authority,O=A.SKINFRA.EU
> > > >>> subject: CN=IPA RA,O=A.SKINFRA.EU
> > > >>> expires: 2016-06-28 15:25:11 UTC
> > > >>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > >>> eku: id-kp-serverAuth,id-kp-clientAuth
> > > >>> pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
> > > >>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-11-22 Thread Florence Blanc-Renaud

On 11/22/2016 10:07 AM, Bertrand Rétif wrote:
>
> From: "Bertrand Rétif"
> To: freeipa-users@redhat.com
> Sent: Tuesday 25 October 2016 17:51:09
> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
>
> From: "Florence Blanc-Renaud"
> To: "Bertrand Rétif", freeipa-users@redhat.com
> Sent: Thursday 20 October 2016 18:45:21
> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
>
> On 10/19/2016 08:18 PM, Bertrand Rétif wrote:
> > From: "Bertrand Rétif"
> > To: freeipa-users@redhat.com
> > Sent: Wednesday 19 October 2016 15:42:07
> > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> >
> > From: "Rob Crittenden"
> > To: "Bertrand Rétif", freeipa-users@redhat.com
> > Sent: Wednesday 19 October 2016 15:30:14
> > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> >
> > Bertrand Rétif wrote:
> > >> From: "Martin Babinsky"
> > >> To: freeipa-users@redhat.com
> > >> Sent: Wednesday 19 October 2016 08:45:49
> > >> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > >
> > >> On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
> > >>> Hello,
> > >>>
> > >>> I had an issue with pki-tomcat.
> > >>> I had several certificates that were expired and pki-tomcat did not start
> > >>> anymore.
> > >>>
> > >>> I set the date on the server before certificate expiration and then
> > >>> pki-tomcat starts properly.
> > >>> Then I try to resubmit the certificate, but I get the error below:
> > >>> "Profile caServerCert Not Found"
> > >>>
> > >>> Do you have any idea how I could fix this issue?
> > >>>
> > >>> Please find below output of commands:
> > >>>
> > >>>
> > >>> # getcert resubmit -i 20160108170324
> > >>>
> > >>> # getcert list -i 20160108170324
> > >>> Number of certificates and requests being tracked: 7.
> > >>> Request ID '20160108170324':
> > >>> status: MONITORING
> > >>> ca-error: Server at "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied:
> > >>> Profile caServerCert Not Found
> > >>> stuck: no
> > >>> key pair storage:
> > >>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > >>> certificate:
> > >>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> > >>> CA: dogtag-ipa-ca-renew-agent
> > >>> issuer: CN=Certificate Authority,O=A.SKINFRA.EU
> > >>> subject: CN=IPA RA,O=A.SKINFRA.EU
> > >>> expires: 2016-06-28 15:25:11 UTC
> > >>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > >>> eku: id-kp-serverAuth,id-kp-clientAuth
> > >>> pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
> > >>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert

Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-11-22 Thread Bertrand Rétif
- Original message -

> From: "Bertrand Rétif"
> To: freeipa-users@redhat.com
> Sent: Tuesday 25 October 2016 17:51:09
> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

> - Original message -

> > From: "Florence Blanc-Renaud"
> > To: "Bertrand Rétif", freeipa-users@redhat.com
> > Sent: Thursday 20 October 2016 18:45:21
> > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

> > On 10/19/2016 08:18 PM, Bertrand Rétif wrote:
> > > From: "Bertrand Rétif"
> > > To: freeipa-users@redhat.com
> > > Sent: Wednesday 19 October 2016 15:42:07
> > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > >
> > > From: "Rob Crittenden"
> > > To: "Bertrand Rétif", freeipa-users@redhat.com
> > > Sent: Wednesday 19 October 2016 15:30:14
> > > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > >
> > > Bertrand Rétif wrote:
> > > >> From: "Martin Babinsky"
> > > >> To: freeipa-users@redhat.com
> > > >> Sent: Wednesday 19 October 2016 08:45:49
> > > >> Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue
> > > >
> > > >> On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
> > > >>> Hello,
> > > >>>
> > > >>> I had an issue with pki-tomcat.
> > > >>> I had several certificates that were expired and pki-tomcat did not start
> > > >>> anymore.
> > > >>>
> > > >>> I set the date on the server before certificate expiration and then
> > > >>> pki-tomcat starts properly.
> > > >>> Then I try to resubmit the certificate, but I get the error below:
> > > >>> "Profile caServerCert Not Found"
> > > >>>
> > > >>> Do you have any idea how I could fix this issue?
> > > >>>
> > > >>> Please find below output of commands:
> > > >>>
> > > >>>
> > > >>> # getcert resubmit -i 20160108170324
> > > >>>
> > > >>> # getcert list -i 20160108170324
> > > >>> Number of certificates and requests being tracked: 7.
> > > >>> Request ID '20160108170324':
> > > >>> status: MONITORING
> > > >>> ca-error: Server at "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied:
> > > >>> Profile caServerCert Not Found
> > > >>> stuck: no
> > > >>> key pair storage:
> > > >>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > >>> certificate:
> > > >>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> > > >>> CA: dogtag-ipa-ca-renew-agent
> > > >>> issuer: CN=Certificate Authority,O=A.SKINFRA.EU
> > > >>> subject: CN=IPA RA,O=A.SKINFRA.EU
> > > >>> expires: 2016-06-28 15:25:11 UTC
> > > >>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > >>> eku: id-kp-serverAuth,id-kp-clientAuth
> > > >>> pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
> > > >>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> > > >>> track: yes
> > > >>> auto-renew: yes
> > > >>>
> > > >>>
Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-10-25 Thread Bertrand Rétif
- Mail original -

> De: "Florence Blanc-Renaud" 
> À: "Bertrand Rétif" , freeipa-users@redhat.com
> Envoyé: Jeudi 20 Octobre 2016 18:45:21
> Objet: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

> On 10/19/2016 08:18 PM, Bertrand Rétif wrote:
> > *De: *"Bertrand Rétif" 
> >
> > *À: *freeipa-users@redhat.com
> > *Envoyé: *Mercredi 19 Octobre 2016 15:42:07
> > *Objet: *Re: [Freeipa-users] Impossible to renew certificate.
> > pki-tomcat issue
> >
> >
> > 
> >
> > *De: *"Rob Crittenden" 
> > *À: *"Bertrand Rétif" ,
> > freeipa-users@redhat.com
> > *Envoyé: *Mercredi 19 Octobre 2016 15:30:14
> > *Objet: *Re: [Freeipa-users] Impossible to renew certificate.
> > pki-tomcat issue
> >
> > Bertrand Rétif wrote:
> > >> De: "Martin Babinsky" 
> > >> À: freeipa-users@redhat.com
> > >> Envoyé: Mercredi 19 Octobre 2016 08:45:49
> > >> Objet: Re: [Freeipa-users] Impossible to renew certificate.
> > pki-tomcat issue
> > >
> > >> On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
> > >>> Hello,
> > >>>
> > >>> I had an issue with pki-tomcat.
> > >>> I had serveral certificate that was expired and pki-tomcat
> > did not start
> > >>> anymore.
> > >>>
> > >>> I set the dateon the server before certificate expiration
> > and then
> > >>> pki-tomcat starts properly.
> > >>> Then I try to resubmit the certificate, but I get below error:
> > >>> "Profile caServerCert Not Found"
> > >>>
> > >>> Do you have any idea how I could fix this issue.
> > >>>
> > >>> Please find below output of commands:
> > >>>
> > >>>
> > >>> # getcert resubmit -i 20160108170324
> > >>>
> > >>> # getcert list -i 20160108170324
> > >>> Number of certificates and requests being tracked: 7.
> > >>> Request ID '20160108170324':
> > >>> status: MONITORING
> > >>> ca-error: Server at
> > >>> "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit";
> > replied:
> > >>> Profile caServerCert Not Found
> > >>> stuck: no
> > >>> key pair storage:
> > >>>
> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> > >>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > >>> certificate:
> > >>>
> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> > >>> Certificate DB'
> > >>> CA: dogtag-ipa-ca-renew-agent
> > >>> issuer: CN=Certificate Authority,O=A.SKINFRA.EU
> > >>> subject: CN=IPA RA,O=A.SKINFRA.EU
> > >>> expires: 2016-06-28 15:25:11 UTC
> > >>> key usage:
> > >>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > >>> eku: id-kp-serverAuth,id-kp-clientAuth
> > >>> pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
> > >>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> > >>> track: yes
> > >>> auto-renew: yes
> > >>>
> > >>>
> > >>> Thanks in advance for your help.
> > >>> Bertrand
> > >>>
> > >>>
> > >>>
> > >>>
> > >
> > >> Hi Bertrand,
> > >
> > >> what version of FreeIPA and Dogtag are you running?
> > >
> > >> Also perform the following search on the IPA master and post
> > the result:
> > >
> > >> """
> > >> ldapsearch -D "cn=Directory Manager" -W -b
> > >> 'ou=certificateProfiles,ou=ca,o=ipaca'
> > '(objectClass=certProfile)'
> > >> """
> > >
> > > Hi Martin,
> > >
> > > Thanks for your reply.
> > >
> > > Here are the versions:
> > > - FreeIPA 4.2.0
> > > - CentOS 7.2
> > >
> > > I have been able to fix the issue with "Profile caServerCert
> > Not Found" by editing /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
> > 

Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-10-20 Thread Florence Blanc-Renaud

On 10/19/2016 08:18 PM, Bertrand Rétif wrote:

*De: *"Bertrand Rétif" 

*À: *freeipa-users@redhat.com
*Envoyé: *Mercredi 19 Octobre 2016 15:42:07
    *Objet: *Re: [Freeipa-users] Impossible to renew certificate.
pki-tomcat issue




*De: *"Rob Crittenden" 
*À: *"Bertrand Rétif" ,
freeipa-users@redhat.com
*Envoyé: *Mercredi 19 Octobre 2016 15:30:14
    *Objet: *Re: [Freeipa-users] Impossible to renew certificate.
pki-tomcat issue

Bertrand Rétif wrote:
>> De: "Martin Babinsky" 
>> À: freeipa-users@redhat.com
>> Envoyé: Mercredi 19 Octobre 2016 08:45:49
>> Objet: Re: [Freeipa-users] Impossible to renew certificate.
pki-tomcat issue
>
>> On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
>>> Hello,
>>>
>>> I had an issue with pki-tomcat.
>>> I had several certificates that were expired and pki-tomcat
did not start
>>> anymore.
>>>
>>> I set the date on the server before certificate expiration
and then
>>> pki-tomcat starts properly.
>>> Then I try to resubmit the certificate, but I get below error:
>>> "Profile caServerCert Not Found"
>>>
>>> Do you have any idea how I could fix this issue.
>>>
>>> Please find below output of commands:
>>>
>>>
>>> # getcert resubmit -i 20160108170324
>>>
>>> # getcert list -i 20160108170324
>>> Number of certificates and requests being tracked: 7.
>>> Request ID '20160108170324':
>>> status: MONITORING
>>> ca-error: Server at
>>> "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit"
replied:
>>> Profile caServerCert Not Found
>>> stuck: no
>>> key pair storage:
>>>
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> certificate:
>>>
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>>> Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=A.SKINFRA.EU
>>> subject: CN=IPA RA,O=A.SKINFRA.EU
>>> expires: 2016-06-28 15:25:11 UTC
>>> key usage:
>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>> track: yes
>>> auto-renew: yes
>>>
>>>
>>> Thanks in advance for your help.
>>> Bertrand
>>>
>>>
>>>
>>>
>
>> Hi Bertrand,
>
>> what version of FreeIPA and Dogtag are you running?
>
>> Also perform the following search on the IPA master and post
the result:
>
>> """
>> ldapsearch -D "cn=Directory Manager" -W -b
>> 'ou=certificateProfiles,ou=ca,o=ipaca'
'(objectClass=certProfile)'
>> """
>
> Hi Martin,
>
> Thanks for your reply.
>
> Here are the versions:
> - FreeIPA 4.2.0
> - CentOS 7.2
>
> I have been able to fix the issue with "Profile caServerCert
Not Found" by editing /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
> I replaced the entry below
>
"subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem"
> by
> "subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem"
>
> and then launched the "ipa-server-upgrade" command
> I found this solution in this post:
http://osdir.com/ml/freeipa-users/2016-03/msg00280.html
>
> Then I was able to renew my certificate.
>
> However I reboot my server to and pki-tom

Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-10-19 Thread Bertrand Rétif
De: "Bertrand Rétif"  

> À: freeipa-users@redhat.com
> Envoyé: Mercredi 19 Octobre 2016 15:42:07
> Objet: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

> - Mail original -

> > De: "Rob Crittenden" 
> > À: "Bertrand Rétif" , freeipa-users@redhat.com
> > Envoyé: Mercredi 19 Octobre 2016 15:30:14
> > Objet: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat
> > issue

> > Bertrand Rétif wrote:
> > >> De: "Martin Babinsky" 
> > >> À: freeipa-users@redhat.com
> > >> Envoyé: Mercredi 19 Octobre 2016 08:45:49
> > >> Objet: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat
> > >> issue
> > >
> > >> On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
> > >>> Hello,
> > >>>
> > >>> I had an issue with pki-tomcat.
> > >>> I had several certificates that were expired and pki-tomcat did not
> > >>> start
> > >>> anymore.
> > >>>
> > >>> I set the date on the server before certificate expiration and then
> > >>> pki-tomcat starts properly.
> > >>> Then I try to resubmit the certificate, but I get below error:
> > >>> "Profile caServerCert Not Found"
> > >>>
> > >>> Do you have any idea how I could fix this issue.
> > >>>
> > >>> Please find below output of commands:
> > >>>
> > >>>
> > >>> # getcert resubmit -i 20160108170324
> > >>>
> > >>> # getcert list -i 20160108170324
> > >>> Number of certificates and requests being tracked: 7.
> > >>> Request ID '20160108170324':
> > >>> status: MONITORING
> > >>> ca-error: Server at
> > >>> "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied:
> > >>> Profile caServerCert Not Found
> > >>> stuck: no
> > >>> key pair storage:
> > >>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> > >>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > >>> certificate:
> > >>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> > >>> Certificate DB'
> > >>> CA: dogtag-ipa-ca-renew-agent
> > >>> issuer: CN=Certificate Authority,O=A.SKINFRA.EU
> > >>> subject: CN=IPA RA,O=A.SKINFRA.EU
> > >>> expires: 2016-06-28 15:25:11 UTC
> > >>> key usage:
> > >>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > >>> eku: id-kp-serverAuth,id-kp-clientAuth
> > >>> pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
> > >>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> > >>> track: yes
> > >>> auto-renew: yes
> > >>>
> > >>>
> > >>> Thanks in advance for your help.
> > >>> Bertrand
> > >>>
> > >
> > >> Hi Bertrand,
> > >
> > >> what version of FreeIPA and Dogtag are you running?
> > >
> > >> Also perform the following search on the IPA master and post the result:
> > >
> > >> """
> > >> ldapsearch -D "cn=Directory Manager" -W -b
> > >> 'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)'
> > >> """
> > >
> > > Hi Martin,
> > >
> > > Thanks for your reply.
> > >
> > > Here are the versions:
> > > - FreeIPA 4.2.0
> > > - CentOS 7.2
> > >
> > > I have been able to fix the issue with "Profile caServerCert Not Found"
> > > by
> > > editing /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
> > > I replac

Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-10-19 Thread Bertrand Rétif
- Mail original -

> De: "Rob Crittenden" 
> À: "Bertrand Rétif" , freeipa-users@redhat.com
> Envoyé: Mercredi 19 Octobre 2016 15:30:14
> Objet: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

> Bertrand Rétif wrote:
> >> De: "Martin Babinsky" 
> >> À: freeipa-users@redhat.com
> >> Envoyé: Mercredi 19 Octobre 2016 08:45:49
> >> Objet: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat
> >> issue
> >
> >> On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
> >>> Hello,
> >>>
> >>> I had an issue with pki-tomcat.
> >>> I had several certificates that were expired and pki-tomcat did not start
> >>> anymore.
> >>>
> >>> I set the date on the server before certificate expiration and then
> >>> pki-tomcat starts properly.
> >>> Then I try to resubmit the certificate, but I get below error:
> >>> "Profile caServerCert Not Found"
> >>>
> >>> Do you have any idea how I could fix this issue.
> >>>
> >>> Please find below output of commands:
> >>>
> >>>
> >>> # getcert resubmit -i 20160108170324
> >>>
> >>> # getcert list -i 20160108170324
> >>> Number of certificates and requests being tracked: 7.
> >>> Request ID '20160108170324':
> >>> status: MONITORING
> >>> ca-error: Server at
> >>> "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied:
> >>> Profile caServerCert Not Found
> >>> stuck: no
> >>> key pair storage:
> >>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> >>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >>> certificate:
> >>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> >>> Certificate DB'
> >>> CA: dogtag-ipa-ca-renew-agent
> >>> issuer: CN=Certificate Authority,O=A.SKINFRA.EU
> >>> subject: CN=IPA RA,O=A.SKINFRA.EU
> >>> expires: 2016-06-28 15:25:11 UTC
> >>> key usage:
> >>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >>> eku: id-kp-serverAuth,id-kp-clientAuth
> >>> pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
> >>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> >>> track: yes
> >>> auto-renew: yes
> >>>
> >>>
> >>> Thanks in advance for your help.
> >>> Bertrand
> >>>
> >>>
> >>>
> >>>
> >
> >> Hi Bertrand,
> >
> >> what version of FreeIPA and Dogtag are you running?
> >
> >> Also perform the following search on the IPA master and post the result:
> >
> >> """
> >> ldapsearch -D "cn=Directory Manager" -W -b
> >> 'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)'
> >> """
> >
> > Hi Martin,
> >
> > Thanks for your reply.
> >
> > Here are the versions:
> > - FreeIPA 4.2.0
> > - CentOS 7.2
> >
> > I have been able to fix the issue with "Profile caServerCert Not Found" by
> > editing /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
> > I replaced the entry below
> > "subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem"
> > by
> > "subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem"
> >
> > and then launched the "ipa-server-upgrade" command
> > I found this solution in this post:
> > http://osdir.com/ml/freeipa-users/2016-03/msg00280.html
> >
> > Then I was able to renew my certificate.
> >
> > However I rebooted my server too and pki-tomcat does not start and provides
> > a new error in /var/log/pki/pki-tomcat/ca/debug
> >
> > [19/Oct/2016:11:11:52][localhost-startStop-1]: CertUtils:
> > verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca
> > [19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory:
> > create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$
> > System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC
> > certificate verification
> >
> > java.lang.Exception: SystemCertsVerification: system certs verification
> > failure
> > at
&

Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-10-19 Thread Rob Crittenden

Bertrand Rétif wrote:

De: "Martin Babinsky" 
À: freeipa-users@redhat.com
Envoyé: Mercredi 19 Octobre 2016 08:45:49
Objet: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue



On 10/18/2016 11:22 PM, Bertrand Rétif wrote:

Hello,

I had an issue with pki-tomcat.
I had several certificates that were expired and pki-tomcat did not start
anymore.

I set the date on the server before certificate expiration and then
pki-tomcat starts properly.
Then I try to resubmit the certificate, but I get below error:
"Profile caServerCert Not Found"

Do you have any idea how I could fix this issue.

Please find below output of commands:


# getcert resubmit -i 20160108170324

# getcert list -i 20160108170324
Number of certificates and requests being tracked: 7.
Request ID '20160108170324':
status: MONITORING
ca-error: Server at
"http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied:
Profile caServerCert Not Found
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=A.SKINFRA.EU
subject: CN=IPA RA,O=A.SKINFRA.EU
expires: 2016-06-28 15:25:11 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes


Thanks in advance for your help.
Bertrand







Hi Bertrand,



what version of FreeIPA and Dogtag are you running?



Also perform the following search on the IPA master and post the result:



"""
ldapsearch -D "cn=Directory Manager" -W -b
'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)'
"""


Hi Martin,

Thanks for your reply.

Here are the versions:
- FreeIPA 4.2.0
- CentOS 7.2

I have been able to fix the issue with "Profile caServerCert Not Found" by 
editing /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
I replaced the entry below
"subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem"
by
"subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem"

and then launched the "ipa-server-upgrade" command
I found this solution in this post: 
http://osdir.com/ml/freeipa-users/2016-03/msg00280.html

Then I was able to renew my certificate.

However I rebooted my server too and pki-tomcat does not start and provides a
new error in /var/log/pki/pki-tomcat/ca/debug

[19/Oct/2016:11:11:52][localhost-startStop-1]: CertUtils: 
verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca
[19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: 
create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$
System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC 
certificate verification

java.lang.Exception: SystemCertsVerification: system certs verification failure
at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198)
at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861)
at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797)
at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1701)
at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1148)
at com.netscape.certsrv.apps.CMS.startup(CMS.java:200)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1602)
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
at 
org.a

Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-10-19 Thread Bertrand Rétif
> De: "Martin Babinsky" 
> À: freeipa-users@redhat.com
> Envoyé: Mercredi 19 Octobre 2016 08:45:49
> Objet: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

> On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
> > Hello,
> >
> > I had an issue with pki-tomcat.
> > I had several certificates that were expired and pki-tomcat did not start
> > anymore.
> >
> > I set the date on the server before certificate expiration and then
> > pki-tomcat starts properly.
> > Then I try to resubmit the certificate, but I get below error:
> > "Profile caServerCert Not Found"
> >
> > Do you have any idea how I could fix this issue.
> >
> > Please find below output of commands:
> >
> >
> > # getcert resubmit -i 20160108170324
> >
> > # getcert list -i 20160108170324
> > Number of certificates and requests being tracked: 7.
> > Request ID '20160108170324':
> > status: MONITORING
> > ca-error: Server at
> > "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied:
> > Profile caServerCert Not Found
> > stuck: no
> > key pair storage:
> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > certificate:
> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> > Certificate DB'
> > CA: dogtag-ipa-ca-renew-agent
> > issuer: CN=Certificate Authority,O=A.SKINFRA.EU
> > subject: CN=IPA RA,O=A.SKINFRA.EU
> > expires: 2016-06-28 15:25:11 UTC
> > key usage:
> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
> > post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
> > track: yes
> > auto-renew: yes
> >
> >
> > Thanks in advance for your help.
> > Bertrand
> >
> >
> >
> >

> Hi Bertrand,

> what version of FreeIPA and Dogtag are you running?

> Also perform the following search on the IPA master and post the result:

> """
> ldapsearch -D "cn=Directory Manager" -W -b
> 'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)'
> """

Hi Martin, 

Thanks for your reply. 

Here are the versions:
- FreeIPA 4.2.0
- CentOS 7.2

I have been able to fix the issue with "Profile caServerCert Not Found" by 
editing /var/lib/pki/pki-tomcat/ca/conf/CS.cfg 
I replaced the entry below
"subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem"
by 
"subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem"

and then launched the "ipa-server-upgrade" command
I found this solution in this post: 
http://osdir.com/ml/freeipa-users/2016-03/msg00280.html 

Then I was able to renew my certificate. 

However I rebooted my server too and pki-tomcat does not start and provides a
new error in /var/log/pki/pki-tomcat/ca/debug

[19/Oct/2016:11:11:52][localhost-startStop-1]: CertUtils: 
verifySystemCertByNickname() passed: auditSigningCert cert-pki-ca 
[19/Oct/2016:11:11:52][localhost-startStop-1]: SignedAuditEventFactory: 
create() message=[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID=$ 
System$][Outcome=Success][CertNickName=auditSigningCert cert-pki-ca] CIMC 
certificate verification 

java.lang.Exception: SystemCertsVerification: system certs verification failure 
at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:198)
at com.netscape.cmscore.selftests.SelfTestSubsystem.runSelfTestsAtStartup(SelfTestSubsystem.java:861)
at com.netscape.cmscore.selftests.SelfTestSubsystem.startup(SelfTestSubsystem.java:1797)
at com.netscape.cmscore.apps.CMSEngine.startupSubsystems(CMSEngine.java:1701) 
at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1148) 
at com.netscape.certsrv.apps.CMS.startup(CMS.java:200) 
at com.netscape.certsrv.apps.CMS.start(CMS.java:1602) 
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114) 
at javax.servlet.GenericServlet.init(GenericServlet.java:158) 
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606) 
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) 
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) 
at java.security.AccessController.doPrivileged(Native Method) 
at
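
The `getcert list` output quoted above is what an operator has to read by hand to notice that a tracked certificate has not been renewed: the request still says MONITORING and auto-renew: yes, while the expiry date is months in the past and a ca-error is attached. As an added example (not code from this thread, from certmonger or from the FreeIPA project), the POSIX shell function below parses that output and reports every request that is expired, carries a ca-error, or has left the MONITORING state. `sample_getcert_output` is a constructed copy of the thread's request plus a second, made-up healthy entry (request ID 20160108170325 and nickname Server-Cert are invented for the sample); `NOW` is an assumed environment variable that pins the reference date so the check is reproducible.

```shell
#!/bin/sh
# audit_getcert: read `getcert list` output on stdin, print one line per
# problem, exit 1 if any problem was found (0 when everything is healthy).
# Reference date comes from $NOW (YYYY-MM-DD, assumed for reproducibility),
# defaulting to today's UTC date.
audit_getcert() {
    now="${NOW:-$(date -u +%Y-%m-%d)}"
    awk -v now="$now" -v q="'" '
        # Report the request collected so far, if any.
        function flush() {
            if (id == "") return
            if (status != "" && status != "MONITORING") { print id ": status " status; bad++ }
            if (caerr != "")                              { print id ": ca-error: " caerr; bad++ }
            if (expires != "" && expires < now)           { print id ": expired " expires " (" nick ")"; bad++ }
        }
        /^Request ID/ {
            flush()
            id = $3; gsub("[" q ":]", "", id)     # strip quotes and trailing colon
            status = ""; caerr = ""; expires = ""; nick = "?"
            next
        }
        /^[[:space:]]*status:/   { status = $2 }
        /^[[:space:]]*ca-error:/ { sub(/^[[:space:]]*ca-error:[[:space:]]*/, ""); caerr = $0 }
        /^[[:space:]]*expires:/  { expires = $2 }   # YYYY-MM-DD sorts as a string
        /^[[:space:]]*certificate:/ {
            if (match($0, "nickname=" q "[^" q "]*" q))
                nick = substr($0, RSTART + 10, RLENGTH - 11)
        }
        END { flush(); exit (bad > 0) }
    '
}

# Constructed sample: the thread's ipaCert request (as posted, re-joined onto
# single lines) followed by an invented healthy request.
sample_getcert_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20160108170324':
        status: MONITORING
        ca-error: Server at "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied: Profile caServerCert Not Found
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=A.SKINFRA.EU
        subject: CN=IPA RA,O=A.SKINFRA.EU
        expires: 2016-06-28 15:25:11 UTC
        track: yes
        auto-renew: yes
Request ID '20160108170325':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        expires: 2018-01-08 17:03:24 UTC
        track: yes
        auto-renew: yes
EOF
}

# Try it offline:   NOW=2016-10-19 sh -c '. ./audit.sh; sample_getcert_output | audit_getcert'
# On a live server: getcert list | audit_getcert      (run as root)
```

Run against the sample with NOW=2016-10-19 it prints two lines for request 20160108170324 (the ca-error and the expiry) and exits 1, and nothing for the healthy request. Checking the expiry against the current date, rather than only looking for a ca-error, is the point: as the thread shows, a certificate can sit in MONITORING with auto-renew enabled while its renewals have been failing since June, and the CA itself only refuses to start once its own system certificates have expired.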

Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-10-18 Thread Martin Babinsky

On 10/18/2016 11:22 PM, Bertrand Rétif wrote:

Hello,

I had an issue with pki-tomcat.
I had several certificates that were expired and pki-tomcat did not start
anymore.

I set the date on the server before certificate expiration and then
pki-tomcat starts properly.
Then I try to resubmit the certificate, but I get below error:
  "Profile caServerCert Not Found"

Do you have any idea how I could fix this issue.

Please find below output of commands:


# getcert resubmit -i 20160108170324

# getcert list -i 20160108170324
Number of certificates and requests being tracked: 7.
Request ID '20160108170324':
status: MONITORING
ca-error: Server at
"http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied:
Profile caServerCert Not Found
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=A.SKINFRA.EU
subject: CN=IPA RA,O=A.SKINFRA.EU
expires: 2016-06-28 15:25:11 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes


Thanks in advance for your help.
Bertrand






Hi Bertrand,

what version of FreeIPA and Dogtag are you running?

Also perform the following search on the IPA master and post the result:

"""
ldapsearch -D "cn=Directory Manager" -W -b 
'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)'
"""

--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
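
Martin's ldapsearch and Bertrand's CS.cfg edit are two halves of one check: which profile subsystem the CA is configured to run, and whether the profile a renewal asks for exists where that subsystem looks for it. With LDAPProfileSubsystem the profile has to be an entry under ou=certificateProfiles,ou=ca,o=ipaca; if it is not there, the CA answers "Profile caServerCert Not Found" exactly as in the thread. As an added example (not the FreeIPA or Dogtag projects' own code), the shell function below takes a CS.cfg and an LDIF saved from that ldapsearch and reports whether a given profile can be served. `demo_profile_check` rebuilds the thread's situation from constructed files (it assumes the profile ID is held in the entry's `cn` attribute and that only caIPAserviceCert had been imported into LDAP) and then applies the same switch to ProfileSubsystem that Bertrand made.

```shell
#!/bin/sh
# check_profile_subsystem CS.cfg profiles.ldif PROFILE_ID
#   exit 0: the profile can be served by the configured subsystem
#   exit 1: LDAPProfileSubsystem is active but the profile has no LDAP entry
#   exit 2: no recognisable subsystem.N.class=...ProfileSubsystem line in CS.cfg
check_profile_subsystem() {
    cfg=$1 ldif=$2 profile=$3
    # Dogtag names the active profile subsystem in a subsystem.N.class line.
    klass=$(sed -n 's/^subsystem\.[0-9][0-9]*\.class=\(.*ProfileSubsystem\)$/\1/p' "$cfg" | head -n 1)
    case $klass in
        *.LDAPProfileSubsystem)
            # Assumption: the LDAP entry's cn attribute carries the profile ID.
            if grep -qx "cn: $profile" "$ldif"; then
                echo "ok: $profile is present in LDAP"
                return 0
            fi
            echo "missing: LDAPProfileSubsystem is active but $profile has no LDAP entry"
            return 1 ;;
        *.ProfileSubsystem)
            echo "ok: file-based ProfileSubsystem, LDAP profile entries are not consulted"
            return 0 ;;
        *)
            echo "unknown profile subsystem class: '$klass'"
            return 2 ;;
    esac
}

# Constructed reproduction of the thread (not real server state): LDAP profiles
# enabled, but only caIPAserviceCert present in LDAP, then Bertrand's CS.cfg edit.
# Prints "before=<rc> after=<rc>".
demo_profile_check() {
    d=$(mktemp -d) || return 2
    printf '%s\n' \
        'subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem' \
        > "$d/CS.cfg"
    printf '%s\n' \
        'dn: cn=caIPAserviceCert,ou=certificateProfiles,ou=ca,o=ipaca' \
        'objectClass: certProfile' \
        'cn: caIPAserviceCert' \
        '' \
        > "$d/profiles.ldif"
    before=0
    check_profile_subsystem "$d/CS.cfg" "$d/profiles.ldif" caServerCert >/dev/null || before=$?
    # The change made in the thread: switch to the file-based subsystem.
    sed 's/\.LDAPProfileSubsystem$/.ProfileSubsystem/' "$d/CS.cfg" > "$d/CS.cfg.new" \
        && mv "$d/CS.cfg.new" "$d/CS.cfg"
    after=0
    check_profile_subsystem "$d/CS.cfg" "$d/profiles.ldif" caServerCert >/dev/null || after=$?
    rm -rf "$d"
    echo "before=$before after=$after"
}
```

`demo_profile_check` prints `before=1 after=0`: the LDAP-backed configuration cannot serve caServerCert, the file-based one can. On a real master you would feed it `/var/lib/pki/pki-tomcat/ca/conf/CS.cfg` and the output of Martin's ldapsearch redirected to a file. The distinct exit codes are deliberate so the function can sit in a health check: 1 means the CA will answer "Profile ... Not Found" for that profile, 2 means the configuration could not be read at all. Note that the switch to ProfileSubsystem only sidesteps the missing LDAP entry; it does not put the profile back into LDAP, which is why Bertrand still had to run ipa-server-upgrade afterwards.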