I have a freeipa with two nodes. I have no problem with one of them but on the other one pki-tomcat can't start. ipactl starts with --ignore-service-failure and pki-tomcatd Service: STOPPED
The first thing I found was an expired certificate, and I changed the date back in time to before the expiration date. ipa-cacert-manage renew says ok but the certificate for pki-tomcat doesn't work.
getcert list shows all certificates are well but this one no:
Request ID '20171110140549':
    status: CA_UNREACHABLE
    ca-error: Error 60 connecting to https://ipa0.domain.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=DOMAIN.COM
    subject: CN=ipa0.domain.com,O=DOMAIN.COM
    expires: 2019-10-31 14:05:23 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
[root@ipa0 pki-tomcat]# curl https://ipa0.domain.com:8443/ca/agent/ca/profileReview
HTTP Status 404 - /ca/agent/ca/profileReview
type: Status report
message: /ca/agent/ca/profileReview
description: The requested resource is not available.
Apache Tomcat/8.0.46
What can I do to make pki-tomcat work? How to repair the certificate?
On 1/28/20 1:35 PM, Serge Barkov via FreeIPA-users wrote:
I have a freeipa with two nodes. I have no problem with one of them but on the other one pki-tomcat can't start. ipactl starts with --ignore-service-failure and pki-tomcatd Service: STOPPED
The first thing I found was an expired certificate, and I changed the date back in time to before the expiration date. ipa-cacert-manage renew says ok but the certificate for pki-tomcat doesn't work.
Hi,
"ipa-cacert-manage renew" is used to renew IPA CA certificate, but in your case the expired cert is probably a different one.
On the working node, are all the certificates valid? On the non-working node, which certificate is expired? Please provide the whole output of getcert list for both nodes, and the output of $ ipa config-show | grep "CA renewal"
Debugging tips can also be found in this blog post: https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcat...
flo
getcert list shows all certificates are well but this one no:
Request ID '20171110140549':
    status: CA_UNREACHABLE
    ca-error: Error 60 connecting to https://ipa0.domain.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=DOMAIN.COM
    subject: CN=ipa0.domain.com,O=DOMAIN.COM
    expires: 2019-10-31 14:05:23 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
[root@ipa0 pki-tomcat]# curl https://ipa0.domain.com:8443/ca/agent/ca/profileReview
HTTP Status 404 - /ca/agent/ca/profileReview
type: Status report
message: /ca/agent/ca/profileReview
description: The requested resource is not available.
Apache Tomcat/8.0.46
What can I do to make pki-tomcat work? How to repair the certificate?
Hi Florence,
Thank you very much for your answer. I followed the link for debugging and I found a problem:
[root@ipa0 pki-tomcat]# certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca'
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.
It seems that pki-tomcat is not able to access the certificate and the private key. But I still don't know how to repair it :(
The whole output of the getcert list is below. I changed my domain name to domain.com.
ipa0, problem node:
[root@ipa0 pki-tomcat]# getcert list
Number of certificates and requests being tracked: 6.
Request ID '20171110140122':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DOMAIN.COM
    subject: CN=IPA RA,O=DOMAIN.COM
    expires: 2021-09-21 11:05:05 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20171110140545':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DOMAIN.COM
    subject: CN=CA Audit,O=DOMAIN.COM
    expires: 2021-09-21 11:04:55 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171110140546':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DOMAIN.COM
    subject: CN=OCSP Subsystem,O=DOMAIN.COM
    expires: 2021-09-21 11:02:47 UTC
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171110140547':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DOMAIN.COM
    subject: CN=CA Subsystem,O=DOMAIN.COM
    expires: 2021-09-21 11:03:55 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171110140548':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DOMAIN.COM
    subject: CN=Certificate Authority,O=DOMAIN.COM
    expires: 2037-11-09 11:00:43 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171110140549':
    status: CA_UNREACHABLE
    ca-error: Error 60 connecting to https://ipa0.domain.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=DOMAIN.COM
    subject: CN=ipa0.domain.com,O=DOMAIN.COM
    expires: 2019-10-31 14:05:23 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
[root@ipa0 pki-tomcat]#
The good node:
[root@ipa1 ~]# getcert list
Number of certificates and requests being tracked: 6.
Request ID '20171109110125':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DOMAIN.COM
    subject: CN=CA Audit,O=DOMAIN.COM
    expires: 2021-09-21 11:04:55 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171109110126':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DOMAIN.COM
    subject: CN=OCSP Subsystem,O=DOMAIN.COM
    expires: 2021-09-21 11:02:47 UTC
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171109110127':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DOMAIN.COM
    subject: CN=CA Subsystem,O=DOMAIN.COM
    expires: 2021-09-21 11:03:55 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171109110128':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DOMAIN.COM
    subject: CN=Certificate Authority,O=DOMAIN.COM
    expires: 2037-11-09 11:00:43 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171109110129':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DOMAIN.COM
    subject: CN=IPA RA,O=DOMAIN.COM
    expires: 2021-09-21 11:05:05 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20171109110130':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=DOMAIN.COM
    subject: CN=ipa1.domain.com,O=DOMAIN.COM
    expires: 2021-09-21 11:02:07 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
[root@ipa1 ~]#
[root@ipa0 pki-tomcat]# ipa config-show | grep "CA renewal"
ipa: ERROR: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638945): Ticket not yet valid
Sorry, the last command I did without kinit admin. After that it's so:
[root@ipa0 pki-tomcat]# ipa config-show | grep "CA renewal"
  IPA CA renewal master: ipa0.domain.com
I assume this is running RHEL 6?
On both masters I'd compare the output of
$ ldapsearch -LLL -x -D 'cn=directory manager' -W -h `hostname` -p 7389 -b uid=ipara,ou=people,o=ipaca description
What date did you go back to? Are the new certificates still valid on that date?
rob
The OS is "Fedora release 25 (Twenty Five)". I compared the output from "ldapsearch -LLL...", it differs. But in order to make ipa0 work I temporarily broke the connection between the nodes (with iptables) so it's normal. The date is
[root@ipa0 ~]# date
Sun Oct 20 19:46:18 MSK 2019
All the other certificates are valid. I use Let's Encrypt certificates and I rolled them back to the ones valid in October.
Serge Barkov via FreeIPA-users wrote:
The OS is "Fedora release 25 (Twenty Five)". I compared the output from "ldapsearch -LLL...", it differs. But in order to make ipa0 work I temporarily broke the connection between the nodes (with iptables) so it's normal. The date is
[root@ipa0 ~]# date
Sun Oct 20 19:46:18 MSK 2019
That difference is likely the reason for the failure. What does the output look like?
rob
The output of ldapsearch -LLL -x -D 'cn=directory manager' -W -h `hostname` -p 389 (there is nothing on port 7389 so I believe it must be 389) looks so:
dn: cn=compat,dc=domain,dc=com
objectClass: extensibleObject
cn: compat

dn: cn=users,cn=compat,dc=domain,dc=com
objectClass: extensibleObject
cn: users

dn: uid=f.second,cn=users,cn=compat,dc=domain,dc=com
and so on - full description of all my users
Serge Barkov via FreeIPA-users wrote:
The output of ldapsearch -LLL -x -D 'cn=directory manager' -W -h `hostname` -p 389 (there is nothing on port 7389 so I believe it must be 389) looks so:
Ok, I was guessing the release you were using.
You are missing part of the command, add:
-b uid=ipara,ou=people,o=ipaca description
rob
Oh, I'm sorry. freeipa version is 4.4.4-1.fc25
I don't see any difference:
The problem node:
[root@ipa0 ~]# ldapsearch -LLL -x -D 'cn=directory manager' -W -h `hostname` -p 389 -b uid=ipara,ou=people,o=ipaca description
Enter LDAP Password:
dn: uid=ipara,ou=people,o=ipaca
description: 2;26;CN=Certificate Authority,O=DOMAIN.COM;CN=IPA RA,O=DOMAIN.COM
The normal one:
[root@ipa1 ~]# ldapsearch -LLL -x -D 'cn=directory manager' -W -h `hostname` -p 389 -b uid=ipara,ou=people,o=ipaca description
Enter LDAP Password:
dn: uid=ipara,ou=people,o=ipaca
description: 2;26;CN=Certificate Authority,O=DOMAIN.COM;CN=IPA RA,O=DOMAIN.COM
Serge Barkov via FreeIPA-users wrote:
Oh, I'm sorry. freeipa version is 4.4.4-1.fc25
I don't see any difference:
The problem node:
[root@ipa0 ~]# ldapsearch -LLL -x -D 'cn=directory manager' -W -h `hostname` -p 389 -b uid=ipara,ou=people,o=ipaca description
Enter LDAP Password:
dn: uid=ipara,ou=people,o=ipaca
description: 2;26;CN=Certificate Authority,O=DOMAIN.COM;CN=IPA RA,O=DOMAIN.COM
The normal one:
[root@ipa1 ~]# ldapsearch -LLL -x -D 'cn=directory manager' -W -h `hostname` -p 389 -b uid=ipara,ou=people,o=ipaca description
Enter LDAP Password:
dn: uid=ipara,ou=people,o=ipaca
description: 2;26;CN=Certificate Authority,O=DOMAIN.COM;CN=IPA RA,O=DOMAIN.COM
IIRC the CA uses the subsystem cert to authenticate to itself. You might try comparing the ca.subsystem.cert value in /etc/pki/pki-tomcat/ca/CS.cfg between the two servers.
rob
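An added example, not code from the thread or from FreeIPA, that automates the two checks the replies above ask for: it reads getcert list output (a sample in the thread's shape is constructed inline) and reports every request that is not MONITORING, plus any certificate already expired as of a real date, which catches the case in this thread where the clock was rolled back; and it decodes the uid=ipara description record (version;serial;issuer;subject) so it can be compared with the RA certificate's serial, issuer and subject.

```shell
#!/bin/sh
# Added example, not from the thread. getcert_problems reads 'getcert list'
# output on stdin; $1 is today's date (YYYY-MM-DD) used for the expiry check.
# ipara_matches decodes the uid=ipara description value from o=ipaca, which
# has the form version;serial;issuer;subject, and compares it with arguments.

getcert_problems() {
    awk -v q="'" -v now="$1" '
        function flush() {
            if (id == "") return
            if (status != "MONITORING") {
                print id, status, nick
                if (err != "") print "  ca-error: " err
            }
            if (now != "" && expd != "" && expd < now) print id, "EXPIRED", nick
            id = ""; status = ""; nick = ""; err = ""; expd = ""
        }
        /^Request ID/         { flush(); id = $3; gsub(q, "", id); sub(/:$/, "", id) }
        /^[ \t]*status:/      { status = $2 }
        /^[ \t]*ca-error:/    { sub(/^[ \t]*ca-error: /, ""); err = $0 }
        /^[ \t]*expires:/     { expd = $2 }
        /^[ \t]*certificate:/ {
            if (match($0, "nickname=" q "[^" q "]*" q))
                nick = substr($0, RSTART + 10, RLENGTH - 11)
        }
        END { flush() }
    '
}

ipara_matches() {
    desc=$1; want_serial=$2; want_issuer=$3; want_subject=$4
    oldifs=$IFS; IFS=';'; set -- $desc; IFS=$oldifs
    [ "$#" -eq 4 ] || return 2          # malformed record
    # $1 is the record version (2 in the thread), then serial, issuer, subject
    [ "$2" = "$want_serial" ] && [ "$3" = "$want_issuer" ] && [ "$4" = "$want_subject" ]
}

# Constructed sample in the shape of the thread's output (two of the six entries).
SAMPLE_GETCERT=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20171110140545':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2021-09-21 11:04:55 UTC
Request ID '20171110140549':
    status: CA_UNREACHABLE
    ca-error: Error 60 connecting to https://ipa0.domain.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    expires: 2019-10-31 14:05:23 UTC
EOF
)

# Run the checks against the sample as of the date the thread was posted.
run_sample() { printf '%s\n' "$SAMPLE_GETCERT" | getcert_problems 2020-01-28; }
```

Running run_sample prints the Server-Cert request twice, once as CA_UNREACHABLE with its ca-error and once as EXPIRED, while the audit cert is silent.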
I compared, it's the same on both nodes
It seems that the reason of the problem is in "404...The requested resource is not available" when ipa tries to renew the certificate with the request https://ipa0.domain.com:8443/ca/agent/ca/profileReview. When I try it the certificate is good but the result is 404...
Are there any ideas where to look?
Serge Barkov via FreeIPA-users wrote:
It seems that the reason of the problem is in "404...The requested resource is not available" when ipa tries to renew the certificate with the request https://ipa0.domain.com:8443/ca/agent/ca/profileReview. When I try it the certificate is good but the result is 404...
Are there any ideas where to look?
The CA is a deployed WAR file in tomcat. A 404 suggests the CA hasn't started at all. Check the logs.
rob