On Wed, May 09, 2018 at 03:12:37AM -0000, Henery Hawk via FreeIPA-users wrote:
I've followed what I thought were the instructions to install Let's Encrypt certs on my recent FreeIPA installation, but when I restart the services, pki-tomcatd fails to restart.
During the installs I've tried various combinations of installing the CA certs, but they all seem to result in the same problem.
Logs are below. I tried to format them to make them easier to read, but I'm afraid this submission will lose the formatting.
Any help would be greatly appreciated. Prior to these steps the instance runs fine but requires the browser user to accept the security exception.
Joe
[root@prime]# cd /etc/letsencrypt/live/my.domain.org/   # I got LE certs separately using certbot & nginx
[root@prime]# ls
cert.pem  README  chain.pem  fullchain.pem  privkey.pem

[root@prime]# kinit admin
Password for admin@MY.DOMAIN.ORG:

[root@prime]# sudo vi DTSRootCAX3.pem   # get from https://www.identrust.com/certificates/trustid/root-download-x3.html

[root@prime]# # I got this from the Let's Encrypt web site: ISRG Root X1 (self-signed)
[root@prime]# curl --output ISRG_Root_X1.crt https://letsencrypt.org/certs/isrgrootx1.pem.txt

[root@prime]# # I got this from the Let's Encrypt web site: Let's Encrypt Authority X3 (IdenTrust cross-signed)
[root@prime]# curl --output LetsEncryptX3CrossSigned.crt https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt

[root@prime]# # I got this from the Let's Encrypt web site: Let's Encrypt Authority X3 (Signed by ISRG Root X1)
[root@prime]# curl --output LetsEncryptAuthX3a.crt https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt

[root@prime]# ipa-cacert-manage -n DSTRootCAX3 -t C,, install DTSRootCAX3.pem
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful

[root@prime]# ipa-cacert-manage -n ISRG_Root_X1 -t C,, install ISRG_Root_X1.crt
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful

[root@prime]# ipa-cacert-manage -n LetsEncryptX3CrossSigned -t C,, install LetsEncryptX3CrossSigned.crt
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful

[root@prime]# ipa-cacert-manage -n LetsEncryptAuthX3a -t C,, install LetsEncryptAuthX3a.crt
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful

[root@prime]# ipa-cacert-manage -n LetsEncryptX3 -t C,, install chain.pem   # this fails
Installing CA certificate, please wait
Failed to get LetsEncryptX3
The ipa-cacert-manage command failed.

[root@prime]# ipa-certupdate
trying https://my.domain.org/ipa/json
[try 1]: Forwarding 'ca_is_enabled/1' to json server 'https://my.domain.org/ipa/json'
[try 1]: Forwarding 'ca_find/1' to json server 'https://my.domain.org/ipa/json'
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful

[root@prime]# ipa-server-certinstall -w fullchain.pem privkey.pem
Directory Manager password:
Enter private key unlock password:
Please restart ipa services after installing certificate (ipactl restart)
The ipa-server-certinstall command was successful

[root@prime]# ipactl restart
Stopping pki-tomcatd Service
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Failed to restart pki-tomcatd Service
Shutting down
Hint: You can use --ignore-service-failure option for forced start in case that a non-critical service failed
Aborting ipactl

[root@prime]# certutil -L -d /etc/pki/pki-tomcat/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA.KKGPITT.ORG IPA CA                                       CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
DSTRootCAX3                                                  C,,
ISRG_Root_X1                                                 C,,
LetsEncryptX3CrossSigned                                     C,,
LetsEncryptX3CrossSigned                                     C,,
Is the DS TLS handshake including all the required intermediate certificates? What is the output of `certutil -d /etc/dirsrv/slapd-YOUR-REALM -L` ?
Can you provide /var/log/pki/pki-tomcat/ca/debug log file?
Thanks, Fraser
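Editor's note: the two things the thread turns on are whether the fullchain.pem handed to ipa-server-certinstall is actually a complete, correctly ordered chain, and whether the directory server then sends that whole chain in its TLS handshake (Fraser's question). The script below is an added example for checking both; it is not from the original post, from FreeIPA, or from Let's Encrypt. It assumes only openssl(1) in PATH; the host name ipa.example.test is a placeholder. It splits a PEM bundle into its individual certificates in bundle order and verifies, link by link, that each certificate is signed by the one after it (leaf first, intermediates after). A bundle with only one certificate, an intermediate that does not match the leaf's issuer, or a leaf placed after its intermediate all fail the check, which are exactly the conditions that make a server present an incomplete chain.

```sh
#!/bin/sh
# check_chain.sh -- added example, not part of the FreeIPA thread above.
# Splits a PEM bundle (e.g. Let's Encrypt's fullchain.pem, or the certs a
# server sends in its TLS handshake) and checks that each certificate is
# signed by the one that follows it. Assumes openssl(1) is in PATH.

# split_bundle BUNDLE OUTDIR: write cert-1.pem, cert-2.pem ... in bundle order
# and print how many certificates were found.
split_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n) }
        n > 0                         { print > out }
        /-----END CERTIFICATE-----/   { close(out) }
    ' "$bundle"
    set -- "$outdir"/cert-*.pem
    if [ -e "$1" ]; then echo "$#"; else echo 0; fi
}

# chain_ok BUNDLE: return 0 if every certificate in BUNDLE is signed by the
# next one (leaf first, intermediates after). Prints the subject and issuer
# of each link so a gap or a wrong order is visible in the output.
chain_ok() {
    bundle="$1"
    tmp=$(mktemp -d)
    count=$(split_bundle "$bundle" "$tmp")
    if [ "$count" -lt 2 ]; then
        echo "$bundle: $count certificate(s), no intermediates to check"
        rm -rf "$tmp"
        return 1
    fi
    i=1
    while [ "$i" -lt "$count" ]; do
        j=$((i + 1))
        cert="$tmp/cert-$i.pem"; issuer="$tmp/cert-$j.pem"
        echo "[$i] $(openssl x509 -noout -subject -in "$cert")"
        echo "[$i] $(openssl x509 -noout -issuer -in "$cert")"
        # -partial_chain lets the next certificate act as the trust anchor, so
        # only this one link (issuer name, signature, validity) is tested.
        # -no-CAfile/-no-CApath keep the system trust store out of the check.
        if ! openssl verify -partial_chain -no-CAfile -no-CApath \
                -CAfile "$issuer" "$cert" >/dev/null 2>&1; then
            echo "link $i -> $j broken: cert-$i is not signed by cert-$j"
            rm -rf "$tmp"
            return 1
        fi
        i=$j
    done
    rm -rf "$tmp"
    return 0
}

# served_chain HOST PORT: print the certificates a TLS server actually sends,
# in handshake order. For FreeIPA that is port 636 for the directory server
# (LDAPS) and 443 for httpd; ipa.example.test below is a placeholder host.
served_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Usage:  sh check_chain.sh /etc/letsencrypt/live/my.domain.org/fullchain.pem
#         sh check_chain.sh ipa.example.test 636
if [ "$#" -eq 1 ]; then
    chain_ok "$1"
elif [ "$#" -eq 2 ]; then
    t=$(mktemp); served_chain "$1" "$2" > "$t"; chain_ok "$t"; rc=$?; rm -f "$t"; exit "$rc"
fi
```

Run it on fullchain.pem before ipa-server-certinstall, and again against port 636 and 443 after ipactl restart: if the file passes but the served chain does not, the service was given the leaf without its intermediate, which is the first thing to rule out before digging through the pki-tomcat debug log.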