I followed some of the steps outlined in the blog post you linked to. When I got to the part where you make sure that the private key can be read using the password found in /var/lib/pki/pki-tomcat/conf/password.conf, I ran:

sudo certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca'

RESULT:
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.

So it looks like things aren't associated properly anymore. Not sure what my next steps would be though.

On Fri, Oct 27, 2017 at 10:27 AM, Florence Blanc-Renaud <f...@redhat.com> wrote:
> On 10/27/2017 12:55 AM, Kristian Petersen via FreeIPA-users wrote:
>
>> I checked the logs that turned up after running the find command
>> suggested by Jochen and only a couple of them turned up anything that
>> mentions pki or pki-tomcat:
>>
>> from /var/log/audit/audit.log:
>> type=SERVICE_START msg=audit(1508873851.623:163448): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pki-tomcatd@pki-tomcat comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
>>
>> from /var/log/messages:
>> Oct 26 16:01:58 ipa1 ns-slapd: [26/Oct/2017:16:01:58.077129423 -0600] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ipa2.chem.byu.edu-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)
>> Oct 26 16:01:58 ipa1 named-pkcs11[16463]: client 192.168.105.11#37937: request has invalid signature: TSIG DHCP_UPDATER: tsig verify failure (BADKEY)
>>
> Hi,
>
> just a wild guess, but we saw issues during update related either to
> certificates or IPv6.
> - Is IPv6 enabled on your server? The server doesn't need an IPv6 address
>   but IPv6 should not be disabled.
> - If selinux is in enforcing mode, there were known issues during
>   certificate renewals that could lead to pki-tomcat not being able to start any
>   more. You can refer to this blog post [1] to check that the certificate
>   'subsystemCert cert-pki-ca' is properly associated to the user
>   uid=pkidbuser,ou=people,o=ipaca. The certificate is stored in multiple
>   places (ldap server, nss dbs) and must be consistent.
>
> Flo
>
> [1] https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
>
>> On Thu, Oct 26, 2017 at 2:32 PM, Jochen Hein <joc...@jochen.org> wrote:
>>
>>     Kristian Petersen via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:
>>
>>     > The dirsrv log just shows a bunch of the following:
>>     > [13/Oct/2017:14:32:07.132312021 -0600] - ERR - slapi_ldap_bind - Error:
>>     > could not bind id [cn=Replication Manager cloneAgreement1-ipa2.chem.byu.edu-pki-tomcat,ou=csusers,cn=config] authentication mechanism
>>     > [SIMPLE]: error 32 (No such object)
>>     >
>>     > That makes sense though since pki-tomcat won't start. Rob was asking what
>>     > was in the logs located at /var/log/pki/pki-tomcat/ca/debug, but that path
>>     > doesn't exist on any of my IPA servers. He said that would normally be the
>>     > first place to look. Hence, I am looking for other solutions.
>>
>>     Brute force: reproduce the error and run "find /var/log -mmin -1 -type f -ls".
>>     This finds the files changed in the last minute - one of these might help.
>>
>>     Jochen
>>
>>     --
>>     This space is intentionally left blank.
>>
>>
>> --
>> Kristian Petersen
>> System Administrator
>> Dept. of Chemistry and Biochemistry
>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>

--
Kristian Petersen
System Administrator
Dept. of Chemistry and Biochemistry
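Flo's reply above boils down to one check: the `subsystemCert cert-pki-ca` certificate in the NSS database under /etc/pki/pki-tomcat/alias must be the same certificate that LDAP holds on uid=pkidbuser,ou=people,o=ipaca. The script below is an added example written for this thread, not code from the FreeIPA or Dogtag projects and not part of the mailing-list post. It assumes that `certutil -L ... -a` prints the certificate as PEM and that `ldapsearch -LLL` returns `userCertificate` as base64 LDIF (the Directory Manager bind and the attribute name are assumptions; adjust them for your server). The comparison itself is done on SHA-256 fingerprints of the DER bytes, so a stale or re-issued certificate on either side shows up as a mismatch rather than as a cryptic bind failure in the dirsrv log. The sample PEM and LDIF at the bottom are constructed from dummy bytes so the parsing can be exercised offline; the `certutil`/`ldapsearch` calls only run when the file is executed as a script.

```python
"""Check that the PKI subsystem certificate in the NSS DB matches the copy in LDAP.

Added example for the FreeIPA-users thread; not project code. Paths, nickname
and DN come from the thread; the ldapsearch bind is an assumption.
"""
import base64
import hashlib
import re
import subprocess
import sys
import textwrap
from typing import Dict, List

NSS_DB = "/etc/pki/pki-tomcat/alias"                  # from the thread
NICKNAME = "subsystemCert cert-pki-ca"                # from the thread
PKIDB_USER_DN = "uid=pkidbuser,ou=people,o=ipaca"    # from the thread
LDAP_BIND_DN = "cn=Directory Manager"                 # assumption: o=ipaca needs a privileged bind


def pem_to_der(pem_text: str) -> bytes:
    """Decode the first CERTIFICATE block of PEM text (what `certutil -L -a` prints)."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                      pem_text, re.S)
    if not match:
        raise ValueError("no PEM certificate block found in certutil output")
    return base64.b64decode("".join(match.group(1).split()))


def ldif_certificates(ldif_text: str) -> List[bytes]:
    """Unfold LDIF continuation lines and return every userCertificate value as DER."""
    unfolded: List[str] = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:      # LDIF folds long values with a leading space
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    certs = []
    for line in unfolded:
        match = re.match(r"userCertificate(?:;binary)?::\s*(\S+)", line, re.I)
        if match:                                  # '::' marks a base64-encoded value
            certs.append(base64.b64decode(match.group(1)))
    return certs


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, the same value `openssl x509 -fingerprint -sha256` prints."""
    return hashlib.sha256(der).hexdigest()


def compare(nss_der: bytes, ldap_ders: List[bytes]) -> Dict[str, object]:
    """Report whether the NSS certificate is among the certificates stored on the LDAP entry."""
    nss_fp = fingerprint(nss_der)
    ldap_fps = [fingerprint(d) for d in ldap_ders]
    return {"nss": nss_fp, "ldap": ldap_fps, "consistent": nss_fp in ldap_fps}


def main() -> int:
    pem = subprocess.run(["certutil", "-L", "-d", NSS_DB, "-n", NICKNAME, "-a"],
                         check=True, capture_output=True, text=True).stdout
    ldif = subprocess.run(["ldapsearch", "-LLL", "-x", "-D", LDAP_BIND_DN, "-W",
                           "-b", PKIDB_USER_DN, "-s", "base", "userCertificate"],
                          check=True, capture_output=True, text=True).stdout
    verdict = compare(pem_to_der(pem), ldif_certificates(ldif))
    print("NSS DB :", verdict["nss"])
    for fp in verdict["ldap"]:
        print("LDAP   :", fp)
    if not verdict["ldap"]:
        print("LDAP entry carries no userCertificate at all")
    print("consistent:", verdict["consistent"])
    return 0 if verdict["consistent"] else 1


# Constructed sample data (not a real certificate) so the parsers run offline.
SAMPLE_DER = b"constructed DER bytes for the demo, not a real X.509 certificate" * 2
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_DER).decode(), 64))
              + "\n-----END CERTIFICATE-----\n")


def _fold_ldif(line: str, width: int = 76) -> str:
    """Fold one LDIF line the way ldapsearch does: 76 columns, continuation lines start with a space."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


SAMPLE_LDIF = ("dn: " + PKIDB_USER_DN + "\n"
               + _fold_ldif("userCertificate;binary:: " + base64.b64encode(SAMPLE_DER).decode())
               + "\n\n")

if __name__ == "__main__":
    sys.exit(main())
```

Run it on the CA host as root; exit status 1 means the NSS DB and LDAP disagree, which is the situation the blog post linked in the thread walks through repairing. If `certutil -L` itself fails before printing PEM, the NSS DB is the problem, not the LDAP side.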