I also found that the certs don't match! LDAP and certutil return different certs when you query them. The blog post didn't suggest a method for fixing this and I don't want to make the problem worse by doing it the wrong way. Suggestions?
On Fri, Oct 27, 2017 at 1:35 PM, Kristian Petersen <nesre...@chem.byu.edu> wrote:

> I followed some of the steps outlined in the blog post you linked to and
> when I got to the part where I make sure that the private key can be read
> using the password found in /var/lib/pki/pki-tomcat/conf/password.conf
> using:
>
> sudo certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca'
>
> RESULT:
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.
>
> So it looks like things aren't associated properly anymore. Not sure what
> my next steps would be though.
>
> On Fri, Oct 27, 2017 at 10:27 AM, Florence Blanc-Renaud <f...@redhat.com> wrote:
>
>> On 10/27/2017 12:55 AM, Kristian Petersen via FreeIPA-users wrote:
>>
>>> I checked the logs that turned up after running the find command
>>> suggested by Jochen and only a couple of them turned up anything that
>>> mention pki or pki-tomcat:
>>>
>>> from /var/log/audit/audit.log:
>>> type=SERVICE_START msg=audit(1508873851.623:163448): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pki-tomcatd@pki-tomcat comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
>>>
>>> from /var/log/messages:
>>> Oct 26 16:01:58 ipa1 ns-slapd: [26/Oct/2017:16:01:58.077129423 -0600] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ipa2.chem.byu.edu-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)
>>> Oct 26 16:01:58 ipa1 named-pkcs11[16463]: client 192.168.105.11#37937: request has invalid signature: TSIG DHCP_UPDATER: tsig verify failure (BADKEY)
>>>
>> Hi,
>>
>> just a wild guess, but we saw issues during update related either to
>> certificates or IPv6.
>> - Is IPv6 enabled on your server? The server doesn't need an IPv6 address
>> but IPv6 should not be disabled.
>> - If selinux is in enforcing mode, there were known issues during
>> certificate renewals that could lead to pki-tomcat not able to start any
>> more. You can refer to this blog post [1] to check that the certificate
>> 'subsystemCert cert-pki-ca' is properly associated to the user
>> uid=pkidbuser,ou=people,o=ipaca. The certificate is stored in multiple
>> places (ldap server, nss dbs) and must be consistent.
>>
>> Flo
>>
>> [1] https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
>>
>>> On Thu, Oct 26, 2017 at 2:32 PM, Jochen Hein <joc...@jochen.org> wrote:
>>>
>>> Kristian Petersen via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:
>>>
>>> > The dirsrv log just shows a bunch of the following:
>>> > [13/Oct/2017:14:32:07.132312021 -0600] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ipa2.chem.byu.edu-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)
>>> >
>>> > That makes sense though since pki-tomcat won't start. Rob was asking what
>>> > was in the logs located at /var/log/pki/pki-tomcat/ca/debug, but that path
>>> > doesn't exist on any of my IPA servers. He said that would normally be the
>>> > first place to look. Hence, I am looking for other solutions.
>>>
>>> Brute force: reproduce the error and run "find /var/log -mmin -1 -type f -ls".
>>> This finds the files changed in the last minute - one of these might help.
>>>
>>> Jochen
>>>
>>> --
>>> This space is intentionally left blank.
>>>
>>> --
>>> Kristian Petersen
>>> System Administrator
>>> Dept. of Chemistry and Biochemistry
>>>
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
> --
> Kristian Petersen
> System Administrator
> Dept. of Chemistry and Biochemistry

--
Kristian Petersen
System Administrator
Dept. of Chemistry and Biochemistry
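The consistency check Flo describes (the subsystem certificate must be identical in the pki-tomcat NSS database and on pkidbuser in LDAP), written as an added example for this thread rather than code from the blog post or from FreeIPA itself. The NSS DB path and certificate nickname come from the thread; the LDAP URI and bind DN are assumptions to adjust for your own server.

```shell
#!/bin/sh
# Added example: compare the 'subsystemCert cert-pki-ca' held in the pki-tomcat
# NSS DB with the userCertificate stored on pkidbuser in LDAP, the two copies
# that must agree. NSSDB, NICK and PKIDB_DN are from the thread; LDAP_URI and
# BIND_DN are assumptions.
NSSDB=/etc/pki/pki-tomcat/alias
NICK='subsystemCert cert-pki-ca'
PKIDB_DN='uid=pkidbuser,ou=people,o=ipaca'
LDAP_URI=ldap://localhost       # assumption: adjust for your server
BIND_DN='cn=Directory Manager'  # assumption: an account that can read o=ipaca

# Drop PEM armour and all whitespace so two encodings of the same DER bytes
# compare equal (expects one certificate per input).
normalize_b64() {
    grep -v -- '-----' | tr -d ' \n\r\t'
}

# certs_match B64_A B64_B: succeeds only when both are non-empty and identical.
certs_match() {
    a=$(printf '%s\n' "$1" | normalize_b64)
    b=$(printf '%s\n' "$2" | normalize_b64)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# The certificate the NSS database holds under the nickname, as PEM.
nss_cert() {
    certutil -L -d "$NSSDB" -n "$NICK" -a
}

# The certificate LDAP holds for pkidbuser; ldapsearch prints binary values
# base64-encoded after "::", unwrapped here so one line carries the whole blob.
ldap_cert() {
    ldapsearch -LLL -o ldif-wrap=no -H "$LDAP_URI" -D "$BIND_DN" -W \
        -b "$PKIDB_DN" -s base 'userCertificate;binary' \
        | sed -n 's/^userCertificate;binary:: //p'
}

# Report whether the two stores agree; a mismatch is the condition to repair
# before pki-tomcat can be expected to start.
check_subsystem_cert() {
    if certs_match "$(nss_cert)" "$(ldap_cert)"; then
        echo "OK: NSS DB and LDAP hold the same '$NICK'"
    else
        echo "MISMATCH: '$NICK' differs between $NSSDB and $PKIDB_DN" >&2
        return 1
    fi
}
```

Source the file on the IPA server and run `check_subsystem_cert`; ldapsearch prompts for the bind password.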