On Wed, May 09, 2018 at 03:12:37AM -0000, Henery Hawk via FreeIPA-users wrote:

> I've followed what I thought were the instructions to install
> Let's Encrypt certs on my recent FreeIPA installation but when I
> restart the services pki-tomcatd fails to restart.
>
> During the installs I've tried various combinations of installing
> the CA certs but they all seem to result in the same problem.
>
> Logs are below and I tried to format to make it easier to read but
> I'm afraid this submission will lose formatting.
>
> Any help would be greatly appreciated. Prior to these steps the
> instance runs fine but requires the browser user to accept the
> security exception.
>
> Joe
>
> [root@prime]# cd /etc/letsencrypt/live/my.domain.org/ # I got LE certs separately using certbot & nginx
> [root@prime]# ls
> cert.pem  chain.pem  fullchain.pem  privkey.pem  README
>
> [root@prime]# kinit admin
> Password for ad...@my.domain.org:
>
> [root@prime]# sudo vi DTSRootCAX3.pem #get from https://www.identrust.com/certificates/trustid/root-download-x3.html
>
> [root@prime]# # I got this from the Let's Encyrpt web site ISRG Root X1 (self-signed)
> [root@prime]# curl --output ISRG_Root_X1.crt https://letsencrypt.org/certs/isrgrootx1.pem.txt
>
> [root@prime]# # I got this from the Let's Encyrpt web site Let’s Encrypt Authority X3 (IdenTrust cross-signed)
> [root@prime]# curl --output LetsEncryptX3CrossSigned.crt https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt
>
> [root@prime]# # I got this from the Let's Encyrpt web site Let’s Encrypt Authority X3 (Signed by ISRG Root X1)
> [root@prime]# curl --output LetsEncryptAuthX3a.crt https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt
>
> [root@prime]# ipa-cacert-manage -n DSTRootCAX3 -t C,, install DTSRootCAX3.pem
> Installing CA certificate, please wait
> CA certificate successfully installed
> The ipa-cacert-manage command was successful
>
> [root@prime]# ipa-cacert-manage -n ISRG_Root_X1 -t C,, install ISRG_Root_X1.crt
> Installing CA certificate, please wait
> CA certificate successfully installed
> The ipa-cacert-manage command was successful
>
> [root@prime]# ipa-cacert-manage -n LetsEncryptX3CrossSigned -t C,, install LetsEncryptX3CrossSigned.crt
> Installing CA certificate, please wait
> CA certificate successfully installed
> The ipa-cacert-manage command was successful
>
> [root@prime]# ipa-cacert-manage -n LetsEncryptAuthX3a -t C,, install LetsEncryptAuthX3a.crt
> Installing CA certificate, please wait
> CA certificate successfully installed
> The ipa-cacert-manage command was successful
>
> [root@prime]# ipa-cacert-manage -n LetsEncryptX3 -t C,, install chain.pem # this fails
> Installing CA certificate, please wait
> Failed to get LetsEncryptX3
> The ipa-cacert-manage command failed.
>
> [root@prime]# ipa-certupdate
> trying https://my.domain.org/ipa/json
> [try 1]: Forwarding 'ca_is_enabled/1' to json server 'https://my.domain.org/ipa/json'
> [try 1]: Forwarding 'ca_find/1' to json server 'https://my.domain.org/ipa/json'
> Systemwide CA database updated.
> Systemwide CA database updated.
> The ipa-certupdate command was successful
>
> [root@prime]# ipa-server-certinstall -w fullchain.pem privkey.pem
> Directory Manager password:
> Enter private key unlock password:
> Please restart ipa services after installing certificate (ipactl restart)
> The ipa-server-certinstall command was successful
>
> [root@prime]# ipactl restart
> Stopping pki-tomcatd Service
> Restarting Directory Service
> Restarting krb5kdc Service
> Restarting kadmin Service
> Restarting named Service
> Restarting httpd Service
> Restarting ipa-custodia Service
> Restarting ntpd Service
> Restarting pki-tomcatd Service
> Failed to restart pki-tomcatd Service
> Shutting down
> Hint: You can use --ignore-service-failure option for forced start in case that a non-critical service failed
> Aborting ipactl
>
> [root@prime]# certutil -L -d /etc/pki/pki-tomcat/alias/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> IPA.KKGPITT.ORG IPA CA                                       CTu,Cu,Cu
> ocspSigningCert cert-pki-ca                                  u,u,u
> subsystemCert cert-pki-ca                                    u,u,u
> auditSigningCert cert-pki-ca                                 u,u,Pu
> Server-Cert cert-pki-ca                                      u,u,u
> DSTRootCAX3                                                  C,,
> ISRG_Root_X1                                                 C,,
> LetsEncryptX3CrossSigned                                     C,,
> LetsEncryptX3CrossSigned                                     C,,

Is the DS TLS handshake including all the required intermediate certificates?

What is the output of `certutil -d /etc/dirsrv/slapd-YOUR-REALM -L` ?

Can you provide /var/log/pki/pki-tomcat/ca/debug log file?

Thanks,
Fraser
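Fraser's question is whether the service presents a complete chain, which depends on the bundle that was installed and on which issuer the NSS trust database already contains. The script below is an added example for checking a PEM bundle such as fullchain.pem before installing it; it is not code from this thread, from FreeIPA or from Let's Encrypt. It uses only the Python standard library: a minimal DER walker extracts the raw issuer and subject Name encodings from each certificate and verifies that certificate i is issued by certificate i+1, then reports whether the last certificate is a self-signed root or an intermediate whose issuer must already be trusted. `fake_cert_pem`, `_der` and `_name` exist only to build constructed, unsigned test certificates for the demo; the CN strings in the demo ("Sample Intermediate CA", "Sample Root CA") and the file name `fullchain.pem` on the command line are assumptions.

```python
"""Check that a PEM bundle (e.g. Let's Encrypt's fullchain.pem) is an ordered
chain, leaf first, in which every certificate is issued by the one after it.
Standard library only: a small DER walker pulls the raw issuer/subject Name
encodings out of each certificate and compares them byte for byte."""
import base64
import re
import sys

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = b"\x06\x03\x55\x04\x03"  # DER-encoded OID 2.5.4.3 (commonName)


def pem_to_ders(pem_bytes):
    """Split a concatenated PEM file into a list of DER certificates."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(pem_bytes)]


def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, raw_tlv_bytes) for each element directly inside [start, end)."""
    pos = start
    while pos < end:
        tag, _, vend = _tlv(buf, pos)
        yield tag, buf[pos:vend]
        pos = vend


def names(der):
    """Return (issuer, subject) as raw DER Name encodings of an X.509 certificate."""
    _, cert_start, _ = _tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = _tlv(der, cert_start)   # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature AlgorithmIdentifier, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]


def common_name(name_der):
    """Best-effort display helper: the first commonName string inside a DER Name."""
    i = name_der.find(CN_OID)
    if i < 0:
        return "<no CN>"
    _, vstart, vend = _tlv(name_der, i + len(CN_OID))
    return name_der[vstart:vend].decode("utf-8", "replace")


def check_chain(pem_bytes):
    """Return (ok, report). ok is True only when each certificate is issued by the
    next one. The last certificate is flagged as a self-signed root or as one whose
    issuer must already be trusted (e.g. present in the NSS database FreeIPA uses)."""
    ders = pem_to_ders(pem_bytes)
    if not ders:
        return False, ["no certificates found in input"]
    ok, report = True, []
    for i, der in enumerate(ders):
        issuer, subject = names(der)
        line = f"[{i}] subject={common_name(subject)!r} issuer={common_name(issuer)!r}"
        if i + 1 < len(ders):
            if issuer != names(ders[i + 1])[1]:
                ok = False
                line += "  <-- NOT issued by the next certificate: chain is broken"
        elif issuer == subject:
            line += "  (self-signed root)"
        else:
            line += "  (last in bundle; its issuer must already be trusted)"
        report.append(line)
    return ok, report


# --- constructed test data, not real certificates: structurally valid
# Certificate with empty AlgorithmIdentifier/Validity and a dummy signature ---
def _der(tag, body):
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    atv = _der(0x30, CN_OID + _der(0x0C, cn.encode()))   # AttributeTypeAndValue
    return _der(0x30, _der(0x31, atv))                   # Name ::= SEQUENCE OF SET


def fake_cert_pem(subject_cn, issuer_cn):
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") + _name(issuer_cn) + _der(0x30, b"") + _name(subject_cn))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(cert).decode() + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:                    # e.g. python3 chaincheck.py fullchain.pem
        data = open(sys.argv[1], "rb").read()
    else:                                    # constructed demo: leaf -> intermediate (sample CNs)
        data = (fake_cert_pem("my.domain.org", "Sample Intermediate CA")
                + fake_cert_pem("Sample Intermediate CA", "Sample Root CA")).encode()
    good, lines = check_chain(data)
    print("\n".join(lines))
    sys.exit(0 if good else 1)
```

A bundle that passes this check still only chains up to whatever its last certificate names as issuer; that issuer is the one that needs a `C,,` trust entry in the NSS database the service reads, which is why comparing the bundle's last issuer against the `certutil -L` output is the next step.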