Anthony Joseph Messina via FreeIPA-users wrote:
> I am running into trouble with certmonger renewal of KRA subsystem certs on
> the renewal master, and CA/KRA subsystem certs on the replica. Any help is
> appreciated as my renewal window ends in 8 days.
>
> This is Fedora 31 with freeipa-server-4.8.4-2.fc31.x86_64 on both master and
> replica. These systems have been upgraded using the recommended method of
> creating new replicas since 4.6.3.
>
> ## The renewal master...
>
> The cert is renewed, but the ca-error below is concerning (the same for
> "CN=KRA Transport Certificate" and "CN=KRA Storage Certificate")
>
> Request ID '20191117031707':
>         status: MONITORING
>         ca-error: Server at "http://ipa482a.example.com:8080/ca/ee/ca/profileSubmit" replied: Missing credential: sessionID
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-kra',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-kra',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=KRA Audit,O=EXAMPLE.COM
>         expires: 2022-01-01 12:37:19 CST
>         key usage: digitalSignature,nonRepudiation
I've cc'd one of the CA developers.

> ## The replica...
>
> The cert is not renewed and the ca-error is different.
>
> Request ID '20191117040017':
>         status: MONITORING
>         ca-error: Invalid cookie: ''
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-kra',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-kra',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=MESSINET.COM
>         subject: CN=KRA Audit,O=MESSINET.COM
>         expires: 2020-01-21 20:22:24 CST
>         key usage: digitalSignature,nonRepudiation
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-kra"
>         track: yes
>         auto-renew: yes

The invalid cookie is BZ https://bugzilla.redhat.com/show_bug.cgi?id=1788907

Once the renewal master is able to renew the cert run `getcert resubmit -i 20191117040017` on the replica to pull in the updated cert.

rob

> ## The pki-tomcat debug log on the renewal master...
>
> 2020-01-12 15:03:21 [http-nio-8080-exec-13] SEVERE: CAProcessor: authentication error: Missing credential: sessionID
> Missing credential: sessionID
>         at com.netscape.cms.servlet.common.AuthCredentials.set(AuthCredentials.java:57)
>         at com.netscape.cms.servlet.processors.CAProcessor.authenticate(CAProcessor.java:416)
>         at com.netscape.cms.servlet.processors.CAProcessor.authenticate(CAProcessor.java:471)
>         at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:179)
>         at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:98)
>         at com.netscape.cms.servlet.profile.ProfileSubmitServlet.processEnrollment(ProfileSubmitServlet.java:242)
>         at com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:128)
>         at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:496)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
>         at sun.reflect.GeneratedMethodAccessor43.invoke(Unknown Source)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225)
>         at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
>         at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
>         at sun.reflect.GeneratedMethodAccessor44.invoke(Unknown Source)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
>         at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
>         at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
>         at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
>         at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367)
>         at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
>         at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)
>         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)
>         at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>         at java.lang.Thread.run(Thread.java:748)
>
> 2020-01-12 15:03:21 [http-nio-8080-exec-13] SEVERE: ProfileSubmitServlet: authentication error in processing request: Missing credential: sessionID
> Missing credential: sessionID
>         at com.netscape.cms.servlet.common.AuthCredentials.set(AuthCredentials.java:57)
>         at com.netscape.cms.servlet.processors.CAProcessor.authenticate(CAProcessor.java:416)
>         at com.netscape.cms.servlet.processors.CAProcessor.authenticate(CAProcessor.java:471)
>         at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:179)
>         at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:98)
>         at com.netscape.cms.servlet.profile.ProfileSubmitServlet.processEnrollment(ProfileSubmitServlet.java:242)
>         at com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:128)
>         at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:496)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
>         at sun.reflect.GeneratedMethodAccessor43.invoke(Unknown Source)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225)
>         at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
>         at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
>         at sun.reflect.GeneratedMethodAccessor44.invoke(Unknown Source)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
>         at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
>         at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
>         at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
>         at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367)
>         at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
>         at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)
>         at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)
>         at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>         at java.lang.Thread.run(Thread.java:748)

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
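A small triage script, added here as an example and not part of the thread, of certmonger or of FreeIPA: it parses `getcert list`-style output, reports every tracked request whose last renewal attempt left a ca-error (the situation on both hosts above) together with its expiry, and prints the `getcert resubmit -i <id>` commands the reply recommends as a dry run instead of executing them. The sample input is constructed from the two requests quoted above plus a constructed healthy request '20191117040018'; the function names and the "<id>|<expires>|<ca-error>" output format are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): triage `getcert list` output for
# tracked certificates whose last renewal attempt failed, and print the
# resubmit commands as a dry run.

# Constructed sample in the shape of `getcert list` output: the two failing
# requests from the thread plus one constructed healthy request for contrast.
sample_getcert_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20191117031707':
        status: MONITORING
        ca-error: Server at "http://ipa482a.example.com:8080/ca/ee/ca/profileSubmit" replied: Missing credential: sessionID
        stuck: no
        CA: dogtag-ipa-ca-renew-agent
        subject: CN=KRA Audit,O=EXAMPLE.COM
        expires: 2022-01-01 12:37:19 CST
Request ID '20191117040017':
        status: MONITORING
        ca-error: Invalid cookie: ''
        stuck: no
        CA: dogtag-ipa-ca-renew-agent
        subject: CN=KRA Audit,O=MESSINET.COM
        expires: 2020-01-21 20:22:24 CST
Request ID '20191117040018':
        status: MONITORING
        stuck: no
        CA: dogtag-ipa-ca-renew-agent
        subject: CN=CA Audit,O=MESSINET.COM
        expires: 2021-06-01 00:00:00 CST
EOF
}

# Read `getcert list` output on stdin and print one line per request that
# carries a non-empty ca-error, formatted as "<id>|<expires>|<ca-error>".
# Assumes certmonger's "Request ID '<id>':" header line format; a request
# with no ca-error line (a healthy one) is not reported.
failed_requests() {
    awk '
        /^Request ID / {
            emit()
            # strip the leading "Request ID " and the quotes around the id
            id = substr($0, 13, length($0) - 14)
            next
        }
        /^[ \t]*ca-error: / { err = $0; sub(/^[ \t]*ca-error: /, "", err); next }
        /^[ \t]*expires: /  { expires = $0; sub(/^[ \t]*expires: /, "", expires); next }
        END { emit() }
        function emit() {
            if (id != "" && err != "") print id "|" expires "|" err
            id = ""; err = ""; expires = ""
        }
    '
}

# Dry run: print, rather than execute, the `getcert resubmit -i <id>` command
# for every failing request. As the reply says, run these on the replica only
# once the renewal master has actually renewed the certificate.
resubmit_commands() {
    failed_requests | cut -d'|' -f1 | sed 's/^/getcert resubmit -i /'
}

# Stand-alone demonstration on the constructed sample.
sample_getcert_output | failed_requests
sample_getcert_output | resubmit_commands
```

On a real host the same functions take live output: `getcert list | failed_requests`. The script only reads and prints; deciding when to actually resubmit stays with the operator, since a resubmit on the replica before the renewal master has a fresh certificate just reproduces the error the thread shows.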