On Wed, Jun 12, 2019 at 10:30 PM Miller, Jim jmiller@tkcholdings.com wrote:
-----Original Message-----
From: Ian Kumlien via FreeIPA-users freeipa-users@lists.fedorahosted.org
Sent: Wednesday, June 12, 2019 3:27 PM
To: Rob Crittenden rcritten@redhat.com
Cc: FreeIPA users list freeipa-users@lists.fedorahosted.org; Ian Kumlien ian.kumlien@gmail.com
Subject: [Freeipa-users] Re: Issues with pki-tomcat - CA
On Wed, Jun 12, 2019 at 7:16 PM Rob Crittenden rcritten@redhat.com wrote:
Ian Kumlien via FreeIPA-users wrote:
On Tue, Jun 11, 2019 at 10:22 PM Rob Crittenden rcritten@redhat.com wrote:
Ian Kumlien via FreeIPA-users wrote:
[--8<--]
Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                       u,u,u
transportCert cert-pki-kra                    u,u,u
storageCert cert-pki-kra                      u,u,u
auditSigningCert cert-pki-kra                 u,u,Pu
XERCES.LAN IPA CA                             CT,C,C
XERCES.LAN IPA CA                             CT,C,C
XERCES.LAN IPA CA                             CT,C,C
You're missing all the CA certificates except the one that tomcat uses!? That includes the CA signing cert!
It should look more like (excluding the *kra certs):
caSigningCert cert-pki-ca                     CTu,Cu,Cu
ocspSigningCert cert-pki-ca                   u,u,u
subsystemCert cert-pki-ca                     u,u,u
auditSigningCert cert-pki-ca                  u,u,Pu
Server-Cert cert-pki-ca                       u,u,u
Do the keys for those certs exist?
# grep internal /etc/pki/pki-tomcat/password.conf
internal=foo
# certutil -K -d /etc/pki/pki-tomcat/alias/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB": foo
Perhaps a bunch of orphans?
Seems like it, I have three orphans and the keys for subsystemCert, caSigningCert, ocspSigningCert seem to exist.
Any clue of why this happened, I have two more servers that I can look at if you need clues....
I mainly want to figure this out before my vacation starts ;)
rob
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://urldefense.proofpoint.com/v2/url?u=https-3A__getfedora.org_code-2Dof... List Guidelines: https://urldefense.proofpoint.com/v2/url?u=https-3A__fedoraproject.org_wiki_... List Archives: https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.fedorahosted.org_...
Sorry for butting in on this discussion, but is this an issue where the cert for that server didn't get renewed and the tomcat-pki service won't start?
I ask because that's an issue we're having and not sure how to address the issue.
Yep, it happened on four servers - I tried to reinstall one and this fails as well due to the CA server being unavailable...
--Jim
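The check Rob is walking Ian through above, comparing the certificates `certutil -L` lists against the private keys `certutil -K` lists, scripted so it can be run against any pki-tomcat NSS database. This is an added example, not code from the thread, FreeIPA or Dogtag. It runs stand-alone on constructed sample output that mirrors the broken database in the thread (caSigningCert, ocspSigningCert, subsystemCert and the CA's auditSigningCert absent, three orphan keys); the column layout of both commands, the `(orphan)` marker and the `NSS Certificate DB:<nickname>` owner label are assumed from recent NSS releases, and the key IDs are made up.

```python
"""Cross-check an NSS database's certificates against its private keys.

Added example for the FreeIPA-users thread above; not FreeIPA or Dogtag
code. Feed it the text of `certutil -L -d <dbdir>` and
`certutil -K -d <dbdir>` (or run it with no arguments to use the
constructed sample below) and it reports:
  1. expected CA-subsystem nicknames with no certificate in the DB,
  2. private keys that certutil labels "(orphan)" (key, no certificate),
  3. certificates flagged as user certs ('u') that have no private key.
The output formats are assumed from recent NSS releases.
"""
import re
import sys

# The nicknames Rob lists as expected for the CA subsystem (KRA excluded).
EXPECTED_CA_NICKNAMES = (
    "caSigningCert cert-pki-ca",
    "ocspSigningCert cert-pki-ca",
    "subsystemCert cert-pki-ca",
    "auditSigningCert cert-pki-ca",
    "Server-Cert cert-pki-ca",
)

# `certutil -L` rows: nickname, a run of spaces, then three comma-separated
# trust-flag fields (any of which may be empty).
CERT_LINE = re.compile(r"^(.*?)\s{2,}([CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)\s*$")

# `certutil -K` rows: "< n> <keytype> <hex key id>   <token>:<nickname>",
# or "(orphan)" in place of the owner when no certificate matches the key.
KEY_LINE = re.compile(r"^<\s*\d+>\s+(\S+)\s+([0-9a-fA-F]+)\s+(.*?)\s*$")


def parse_certutil_L(text):
    """Return {nickname: trust_flags} from `certutil -L` output."""
    certs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("Certificate Nickname"):
            continue  # blank line or header; the SSL,S/MIME,JAR/XPI line
        m = CERT_LINE.match(line)  # never matches the regex ('/' is not a flag)
        if m:
            certs[m.group(1)] = m.group(2)
    return certs


def parse_certutil_K(text):
    """Return [(keytype, keyid, nickname_or_None)] from `certutil -K` output."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if not m:
            continue  # "Checking token ..." / password prompt / blank lines
        ktype, keyid, label = m.groups()
        if label == "(orphan)":
            keys.append((ktype, keyid, None))
        else:
            # label is "<token name>:<nickname>"; keep only the nickname
            keys.append((ktype, keyid, label.split(":", 1)[-1]))
    return keys


def audit(certutil_L_text, certutil_K_text, expected=EXPECTED_CA_NICKNAMES):
    """Compare certificates and keys; return the three lists described above."""
    certs = parse_certutil_L(certutil_L_text)
    keys = parse_certutil_K(certutil_K_text)
    keyed = {owner for _, _, owner in keys if owner}
    return {
        "missing_certs": [n for n in expected if n not in certs],
        "orphan_keys": [kid for _, kid, owner in keys if owner is None],
        # a 'u' (user) flag means NSS expects a private key for that cert
        "certs_without_key": sorted(n for n, t in certs.items()
                                    if "u" in t and n not in keyed),
    }


# Constructed sample output mirroring the thread; key IDs are made up.
SAMPLE_L = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
transportCert cert-pki-kra                                   u,u,u
storageCert cert-pki-kra                                     u,u,u
auditSigningCert cert-pki-kra                                u,u,Pu
XERCES.LAN IPA CA                                            CT,C,C
"""

SAMPLE_K = """\
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a   NSS Certificate DB:Server-Cert cert-pki-ca
< 1> rsa      0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b   NSS Certificate DB:transportCert cert-pki-kra
< 2> rsa      0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c   NSS Certificate DB:storageCert cert-pki-kra
< 3> rsa      0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d   NSS Certificate DB:auditSigningCert cert-pki-kra
< 4> rsa      0e0e0e0e0e0e0e0e0e0e0e0e0e0e0e0e0e0e0e0e   (orphan)
< 5> rsa      0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f   (orphan)
< 6> rsa      1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a   (orphan)
"""

if __name__ == "__main__":
    # Usage: audit_nssdb.py [certutil-L.txt certutil-K.txt]; defaults to the sample.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_l, open(sys.argv[2]) as f_k:
            result = audit(f_l.read(), f_k.read())
    else:
        result = audit(SAMPLE_L, SAMPLE_K)
    for name, items in result.items():
        print(f"{name}: {items if items else 'none'}")
```

On a healthy CA all three lists are empty. Orphan key IDs are the one lead this gives for the broken case: an orphan whose ID matches the key of the corresponding certificate on a still-working replica (`certutil -K` on that host) identifies which certificate went missing from this database.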